Fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.19/amdgpu-avoid-incorrect-hu-format-string.patch b/queue-4.19/amdgpu-avoid-incorrect-hu-format-string.patch
new file mode 100644 (file)
index 0000000..6c56f23
--- /dev/null
+++ b/queue-4.19/amdgpu-avoid-incorrect-hu-format-string.patch
@@ -0,0 +1,50 @@
+From 83a318b8bf9b75a6450dd9261526e7d5cf2e37fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 12:54:42 +0100
+Subject: amdgpu: avoid incorrect %hu format string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7d98d416c2cc1c1f7d9508e887de4630e521d797 ]
+
+clang points out that the %hu format string does not match the type
+of the variables here:
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c:263:7: warning: format specifies type 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+                                  version_major, version_minor);
+                                  ^~~~~~~~~~~~~
+include/drm/drm_print.h:498:19: note: expanded from macro 'DRM_ERROR'
+        __drm_err(fmt, ##__VA_ARGS__)
+                  ~~~    ^~~~~~~~~~~
+
+Change it to a regular %u, the same way a previous patch did for
+another instance of the same warning.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
+index e5a6db6beab7..8c5f39beee7c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
+@@ -231,7 +231,7 @@ int amdgpu_uvd_sw_init(struct amdgpu_device *adev)
+               if ((adev->asic_type == CHIP_POLARIS10 ||
+                    adev->asic_type == CHIP_POLARIS11) &&
+                   (adev->uvd.fw_version < FW_1_66_16))
+-                      DRM_ERROR("POLARIS10/11 UVD firmware version %hu.%hu is too old.\n",
++                      DRM_ERROR("POLARIS10/11 UVD firmware version %u.%u is too old.\n",
+                                 version_major, version_minor);
+       } else {
+               unsigned int enc_major, enc_minor, dec_minor;
+-- 
+2.30.2
+

diff --git a/queue-4.19/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch b/queue-4.19/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
new file mode 100644 (file)
index 0000000..7222682
--- /dev/null
+++ b/queue-4.19/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
@@ -0,0 +1,48 @@
+From abfc4619987d79d7fa0ab5c29dacf8e2a4de7c91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Mar 2021 15:25:21 -0500
+Subject: btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 7a9213a93546e7eaef90e6e153af6b8fc7553f10 ]
+
+A few BUG_ON()'s in replace_path are purely to keep us from making
+logical mistakes, so replace them with ASSERT()'s.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/relocation.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index e6e4e6fb2add..06c6a66a991f 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1755,8 +1755,8 @@ int replace_path(struct btrfs_trans_handle *trans,
+       int ret;
+       int slot;
+ 
+-      BUG_ON(src->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+-      BUG_ON(dest->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(src->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(dest->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+ 
+       last_snapshot = btrfs_root_last_snapshot(&src->root_item);
+ again:
+@@ -1790,7 +1790,7 @@ again:
+               struct btrfs_key first_key;
+ 
+               level = btrfs_header_level(parent);
+-              BUG_ON(level < lowest_level);
++              ASSERT(level >= lowest_level);
+ 
+               ret = btrfs_bin_search(parent, &key, level, &slot);
+               if (ret && slot > 0)
+-- 
+2.30.2
+

diff --git a/queue-4.19/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch b/queue-4.19/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
new file mode 100644 (file)
index 0000000..c0fab41
--- /dev/null
+++ b/queue-4.19/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
@@ -0,0 +1,38 @@
+From 4810f04c14bd78a7b242b399449ff1fb3a73909e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 18:01:15 +0100
+Subject: clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 657d4d1934f75a2d978c3cf2086495eaa542e7a9 ]
+
+There is an error return path that is not kfree'ing socfpga_clk leading
+to a memory leak. Fix this by adding in the missing kfree call.
+
+Addresses-Coverity: ("Resource leak")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210406170115.430990-1-colin.king@canonical.com
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/socfpga/clk-gate-a10.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c
+index 36376c542055..637e26babf89 100644
+--- a/drivers/clk/socfpga/clk-gate-a10.c
++++ b/drivers/clk/socfpga/clk-gate-a10.c
+@@ -157,6 +157,7 @@ static void __init __socfpga_gate_init(struct device_node *node,
+               if (IS_ERR(socfpga_clk->sys_mgr_base_addr)) {
+                       pr_err("%s: failed to find altr,sys-mgr regmap!\n",
+                                       __func__);
++                      kfree(socfpga_clk);
+                       return;
+               }
+       }
+-- 
+2.30.2
+

diff --git a/queue-4.19/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch b/queue-4.19/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch
new file mode 100644 (file)
index 0000000..8739d3f
--- /dev/null
+++ b/queue-4.19/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch
@@ -0,0 +1,149 @@
+From 70bde224d6a3de9058649f358a84d7af41cb98b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Mar 2021 21:33:03 +0100
+Subject: crypto: api - check for ERR pointers in crypto_destroy_tfm()
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 83681f2bebb34dbb3f03fecd8f570308ab8b7c2c ]
+
+Given that crypto_alloc_tfm() may return ERR pointers, and to avoid
+crashes on obscure error paths where such pointers are presented to
+crypto_destroy_tfm() (such as [0]), add an ERR_PTR check there
+before dereferencing the second argument as a struct crypto_tfm
+pointer.
+
+[0] https://lore.kernel.org/linux-crypto/000000000000de949705bc59e0f6@google.com/
+
+Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/api.c               | 2 +-
+ include/crypto/acompress.h | 2 ++
+ include/crypto/aead.h      | 2 ++
+ include/crypto/akcipher.h  | 2 ++
+ include/crypto/hash.h      | 4 ++++
+ include/crypto/kpp.h       | 2 ++
+ include/crypto/rng.h       | 2 ++
+ include/crypto/skcipher.h  | 2 ++
+ 8 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/api.c b/crypto/api.c
+index 1909195b2c70..5efd4d6e6312 100644
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -571,7 +571,7 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm)
+ {
+       struct crypto_alg *alg;
+ 
+-      if (unlikely(!mem))
++      if (IS_ERR_OR_NULL(mem))
+               return;
+ 
+       alg = tfm->__crt_alg;
+diff --git a/include/crypto/acompress.h b/include/crypto/acompress.h
+index e328b52425a8..1ff78365607c 100644
+--- a/include/crypto/acompress.h
++++ b/include/crypto/acompress.h
+@@ -152,6 +152,8 @@ static inline struct crypto_acomp *crypto_acomp_reqtfm(struct acomp_req *req)
+  * crypto_free_acomp() -- free ACOMPRESS tfm handle
+  *
+  * @tfm:      ACOMPRESS tfm handle allocated with crypto_alloc_acomp()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_acomp(struct crypto_acomp *tfm)
+ {
+diff --git a/include/crypto/aead.h b/include/crypto/aead.h
+index 1e26f790b03f..c69c545ba39a 100644
+--- a/include/crypto/aead.h
++++ b/include/crypto/aead.h
+@@ -187,6 +187,8 @@ static inline struct crypto_tfm *crypto_aead_tfm(struct crypto_aead *tfm)
+ /**
+  * crypto_free_aead() - zeroize and free aead handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_aead(struct crypto_aead *tfm)
+ {
+diff --git a/include/crypto/akcipher.h b/include/crypto/akcipher.h
+index b5e11de4d497..9817f2e5bff8 100644
+--- a/include/crypto/akcipher.h
++++ b/include/crypto/akcipher.h
+@@ -174,6 +174,8 @@ static inline struct crypto_akcipher *crypto_akcipher_reqtfm(
+  * crypto_free_akcipher() - free AKCIPHER tfm handle
+  *
+  * @tfm: AKCIPHER tfm handle allocated with crypto_alloc_akcipher()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_akcipher(struct crypto_akcipher *tfm)
+ {
+diff --git a/include/crypto/hash.h b/include/crypto/hash.h
+index 76e432cab75d..552517dcf9e4 100644
+--- a/include/crypto/hash.h
++++ b/include/crypto/hash.h
+@@ -257,6 +257,8 @@ static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm)
+ /**
+  * crypto_free_ahash() - zeroize and free the ahash handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_ahash(struct crypto_ahash *tfm)
+ {
+@@ -692,6 +694,8 @@ static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm)
+ /**
+  * crypto_free_shash() - zeroize and free the message digest handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_shash(struct crypto_shash *tfm)
+ {
+diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h
+index 1bde0a6514fa..1a34630fc371 100644
+--- a/include/crypto/kpp.h
++++ b/include/crypto/kpp.h
+@@ -159,6 +159,8 @@ static inline void crypto_kpp_set_flags(struct crypto_kpp *tfm, u32 flags)
+  * crypto_free_kpp() - free KPP tfm handle
+  *
+  * @tfm: KPP tfm handle allocated with crypto_alloc_kpp()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_kpp(struct crypto_kpp *tfm)
+ {
+diff --git a/include/crypto/rng.h b/include/crypto/rng.h
+index b95ede354a66..a788c1e5a121 100644
+--- a/include/crypto/rng.h
++++ b/include/crypto/rng.h
+@@ -116,6 +116,8 @@ static inline struct rng_alg *crypto_rng_alg(struct crypto_rng *tfm)
+ /**
+  * crypto_free_rng() - zeroize and free RNG handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_rng(struct crypto_rng *tfm)
+ {
+diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h
+index 2f327f090c3e..c7553f8b1bb6 100644
+--- a/include/crypto/skcipher.h
++++ b/include/crypto/skcipher.h
+@@ -206,6 +206,8 @@ static inline struct crypto_tfm *crypto_skcipher_tfm(
+ /**
+  * crypto_free_skcipher() - zeroize and free cipher handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_skcipher(struct crypto_skcipher *tfm)
+ {
+-- 
+2.30.2
+

diff --git a/queue-4.19/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch b/queue-4.19/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch
new file mode 100644 (file)
index 0000000..7e94cd4
--- /dev/null
+++ b/queue-4.19/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch
@@ -0,0 +1,55 @@
+From 936529dd0dc33682c44260c24b139ae51a0653cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 15:18:39 +0800
+Subject: crypto: omap-aes - Fix PM reference leak on omap-aes.c
+
+From: Shixin Liu <liushixin2@huawei.com>
+
+[ Upstream commit 1f34cc4a8da34fbb250efb928f9b8c6fe7ee0642 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Signed-off-by: Shixin Liu <liushixin2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/omap-aes.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c
+index a5d6e1a0192b..2288fa6a939e 100644
+--- a/drivers/crypto/omap-aes.c
++++ b/drivers/crypto/omap-aes.c
+@@ -107,7 +107,7 @@ static int omap_aes_hw_init(struct omap_aes_dev *dd)
+               dd->err = 0;
+       }
+ 
+-      err = pm_runtime_get_sync(dd->dev);
++      err = pm_runtime_resume_and_get(dd->dev);
+       if (err < 0) {
+               dev_err(dd->dev, "failed to get sync: %d\n", err);
+               return err;
+@@ -1159,7 +1159,7 @@ static int omap_aes_probe(struct platform_device *pdev)
+       pm_runtime_set_autosuspend_delay(dev, DEFAULT_AUTOSUSPEND_DELAY);
+ 
+       pm_runtime_enable(dev);
+-      err = pm_runtime_get_sync(dev);
++      err = pm_runtime_resume_and_get(dev);
+       if (err < 0) {
+               dev_err(dev, "%s: failed to get_sync(%d)\n",
+                       __func__, err);
+@@ -1327,7 +1327,7 @@ static int omap_aes_suspend(struct device *dev)
+ 
+ static int omap_aes_resume(struct device *dev)
+ {
+-      pm_runtime_get_sync(dev);
++      pm_runtime_resume_and_get(dev);
+       return 0;
+ }
+ #endif
+-- 
+2.30.2
+

diff --git a/queue-4.19/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch b/queue-4.19/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch
new file mode 100644 (file)
index 0000000..aeacf84
--- /dev/null
+++ b/queue-4.19/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch
@@ -0,0 +1,37 @@
+From ef5e060fb01a525a5e6c2b3ca9c562d674547b92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 10:30:15 -0500
+Subject: drm/amdgpu : Fix asic reset regression issue introduce by
+ 8f211fe8ac7c4f
+
+From: shaoyunl <shaoyun.liu@amd.com>
+
+[ Upstream commit c8941550aa66b2a90f4b32c45d59e8571e33336e ]
+
+This recent change introduce SDMA interrupt info printing with irq->process function.
+These functions do not require a set function to enable/disable the irq
+
+Signed-off-by: shaoyunl <shaoyun.liu@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+index 1abf5b5bac9e..18402a6ba8fe 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+@@ -447,7 +447,7 @@ void amdgpu_irq_gpu_reset_resume_helper(struct amdgpu_device *adev)
+               for (j = 0; j < AMDGPU_MAX_IRQ_SRC_ID; ++j) {
+                       struct amdgpu_irq_src *src = adev->irq.client[i].sources[j];
+ 
+-                      if (!src)
++                      if (!src || !src->funcs || !src->funcs->set)
+                               continue;
+                       for (k = 0; k < src->num_types; k++)
+                               amdgpu_irq_update(adev, src, k);
+-- 
+2.30.2
+

diff --git a/queue-4.19/drm-amdgpu-fix-null-pointer-dereference.patch b/queue-4.19/drm-amdgpu-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..813969a
--- /dev/null
+++ b/queue-4.19/drm-amdgpu-fix-null-pointer-dereference.patch
@@ -0,0 +1,60 @@
+From 200a7d0705f9430f1fc22a26bf3709019e1c9c9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 17:52:18 +0800
+Subject: drm/amdgpu: fix NULL pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 3c3dc654333f6389803cdcaf03912e94173ae510 ]
+
+ttm->sg needs to be checked before accessing its child member.
+
+Call Trace:
+ amdgpu_ttm_backend_destroy+0x12/0x70 [amdgpu]
+ ttm_bo_cleanup_memtype_use+0x3a/0x60 [ttm]
+ ttm_bo_release+0x17d/0x300 [ttm]
+ amdgpu_bo_unref+0x1a/0x30 [amdgpu]
+ amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x78b/0x8b0 [amdgpu]
+ kfd_ioctl_alloc_memory_of_gpu+0x118/0x220 [amdgpu]
+ kfd_ioctl+0x222/0x400 [amdgpu]
+ ? kfd_dev_is_large_bar+0x90/0x90 [amdgpu]
+ __x64_sys_ioctl+0x8e/0xd0
+ ? __context_tracking_exit+0x52/0x90
+ do_syscall_64+0x33/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7f97f264d317
+Code: b3 66 90 48 8b 05 71 4b 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 41 4b 2d 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffdb402c338 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f97f3cc63a0 RCX: 00007f97f264d317
+RDX: 00007ffdb402c380 RSI: 00000000c0284b16 RDI: 0000000000000003
+RBP: 00007ffdb402c380 R08: 00007ffdb402c428 R09: 00000000c4000004
+R10: 00000000c4000004 R11: 0000000000000246 R12: 00000000c0284b16
+R13: 0000000000000003 R14: 00007f97f3cc63a0 R15: 00007f8836200000
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+index abad7460084f..757fa486aac4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -971,7 +971,7 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_tt *ttm)
+               DMA_BIDIRECTIONAL : DMA_TO_DEVICE;
+ 
+       /* double check that we don't free the table twice */
+-      if (!ttm->sg->sgl)
++      if (!ttm->sg || !ttm->sg->sgl)
+               return;
+ 
+       /* unmap the pages mapped to the device */
+-- 
+2.30.2
+

diff --git a/queue-4.19/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch b/queue-4.19/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
new file mode 100644 (file)
index 0000000..89817af
--- /dev/null
+++ b/queue-4.19/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
@@ -0,0 +1,57 @@
+From 1f5ffac89133c6f30e78c545b5619dd421750605 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 23:47:24 +0200
+Subject: drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 2ad52bdb220de5ab348098e3482b01235d15a842 ]
+
+Leaving this at a close-to-maximum register value 0xFFF0 means it takes
+very long for the MDSS to generate a software vsync interrupt when the
+hardware TE interrupt doesn't arrive.  Configuring this to double the
+vtotal (like some downstream kernels) leads to a frame to take at most
+twice before the vsync signal, until hardware TE comes up.
+
+In this case the hardware interrupt responsible for providing this
+signal - "disp-te" gpio - is not hooked up to the mdp5 vsync/pp logic at
+all.  This solves severe panel update issues observed on at least the
+Xperia Loire and Tone series, until said gpio is properly hooked up to
+an irq.
+
+Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Link: https://lore.kernel.org/r/20210406214726.131534-2-marijn.suijten@somainline.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
+index d6f79dc755b4..14e2ce87bab1 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
+@@ -78,9 +78,17 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder,
+               | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN;
+       cfg |= MDP5_PP_SYNC_CONFIG_VSYNC_COUNT(vclks_line);
+ 
++      /*
++       * Tearcheck emits a blanking signal every vclks_line * vtotal * 2 ticks on
++       * the vsync_clk equating to roughly half the desired panel refresh rate.
++       * This is only necessary as stability fallback if interrupts from the
++       * panel arrive too late or not at all, but is currently used by default
++       * because these panel interrupts are not wired up yet.
++       */
+       mdp5_write(mdp5_kms, REG_MDP5_PP_SYNC_CONFIG_VSYNC(pp_id), cfg);
+       mdp5_write(mdp5_kms,
+-              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), 0xfff0);
++              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), (2 * mode->vtotal));
++
+       mdp5_write(mdp5_kms,
+               REG_MDP5_PP_VSYNC_INIT_VAL(pp_id), mode->vdisplay);
+       mdp5_write(mdp5_kms, REG_MDP5_PP_RD_PTR_IRQ(pp_id), mode->vdisplay + 1);
+-- 
+2.30.2
+

diff --git a/queue-4.19/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch b/queue-4.19/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
new file mode 100644 (file)
index 0000000..badff94
--- /dev/null
+++ b/queue-4.19/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
@@ -0,0 +1,96 @@
+From 6b736000c18b2c6853852af88b4bdab3d6aea64c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Mar 2021 16:17:56 +0100
+Subject: extcon: arizona: Fix some issues when HPDET IRQ fires after the jack
+ has been unplugged
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit c309a3e8793f7e01c4a4ec7960658380572cb576 ]
+
+When the jack is partially inserted and then removed again it may be
+removed while the hpdet code is running. In this case the following
+may happen:
+
+1. The "JACKDET rise" or ""JACKDET fall" IRQ triggers
+2. arizona_jackdet runs and takes info->lock
+3. The "HPDET" IRQ triggers
+4. arizona_hpdet_irq runs, blocks on info->lock
+5. arizona_jackdet calls arizona_stop_mic() and clears info->hpdet_done
+6. arizona_jackdet releases info->lock
+7. arizona_hpdet_irq now can continue running and:
+7.1 Calls arizona_start_mic() (if a mic was detected)
+7.2 sets info->hpdet_done
+
+Step 7 is undesirable / a bug:
+7.1 causes the device to stay in a high power-state (with MICVDD enabled)
+7.2 causes hpdet to not run on the next jack insertion, which in turn
+    causes the EXTCON_JACK_HEADPHONE state to never get set
+
+This fixes both issues by skipping these 2 steps when arizona_hpdet_irq
+runs after the jack has been unplugged.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-arizona.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index 9327479c719c..c857120c00d9 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -602,7 +602,7 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data)
+       struct arizona *arizona = info->arizona;
+       int id_gpio = arizona->pdata.hpdet_id_gpio;
+       unsigned int report = EXTCON_JACK_HEADPHONE;
+-      int ret, reading;
++      int ret, reading, state;
+       bool mic = false;
+ 
+       mutex_lock(&info->lock);
+@@ -615,12 +615,11 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data)
+       }
+ 
+       /* If the cable was removed while measuring ignore the result */
+-      ret = extcon_get_state(info->edev, EXTCON_MECHANICAL);
+-      if (ret < 0) {
+-              dev_err(arizona->dev, "Failed to check cable state: %d\n",
+-                      ret);
++      state = extcon_get_state(info->edev, EXTCON_MECHANICAL);
++      if (state < 0) {
++              dev_err(arizona->dev, "Failed to check cable state: %d\n", state);
+               goto out;
+-      } else if (!ret) {
++      } else if (!state) {
+               dev_dbg(arizona->dev, "Ignoring HPDET for removed cable\n");
+               goto done;
+       }
+@@ -673,7 +672,7 @@ done:
+                          ARIZONA_ACCDET_MODE_MASK, ARIZONA_ACCDET_MODE_MIC);
+ 
+       /* If we have a mic then reenable MICDET */
+-      if (mic || info->mic)
++      if (state && (mic || info->mic))
+               arizona_start_mic(info);
+ 
+       if (info->hpdet_active) {
+@@ -681,7 +680,9 @@ done:
+               info->hpdet_active = false;
+       }
+ 
+-      info->hpdet_done = true;
++      /* Do not set hp_det done when the cable has been unplugged */
++      if (state)
++              info->hpdet_done = true;
+ 
+ out:
+       mutex_unlock(&info->lock);
+-- 
+2.30.2
+

diff --git a/queue-4.19/genirq-matrix-prevent-allocation-counter-corruption.patch b/queue-4.19/genirq-matrix-prevent-allocation-counter-corruption.patch
new file mode 100644 (file)
index 0000000..9fa67ef
--- /dev/null
+++ b/queue-4.19/genirq-matrix-prevent-allocation-counter-corruption.patch
@@ -0,0 +1,51 @@
+From 0a741d5351ee43eb1dbffe31cee7fb8d254bc643 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 12:18:23 +0100
+Subject: genirq/matrix: Prevent allocation counter corruption
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit c93a5e20c3c2dabef8ea360a3d3f18c6f68233ab ]
+
+When irq_matrix_free() is called for an unallocated vector the
+managed_allocated and total_allocated counters get out of sync with the
+real state of the matrix. Later, when the last interrupt is freed, these
+counters will underflow resulting in UINTMAX because the counters are
+unsigned.
+
+While this is certainly a problem of the calling code, this can be catched
+in the allocator by checking the allocation bit for the to be freed vector
+which simplifies debugging.
+
+An example of the problem described above:
+https://lore.kernel.org/lkml/20210318192819.636943062@linutronix.de/
+
+Add the missing sanity check and emit a warning when it triggers.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20210319111823.1105248-1-vkuznets@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/matrix.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/irq/matrix.c b/kernel/irq/matrix.c
+index 651a4ad6d711..8e586858bcf4 100644
+--- a/kernel/irq/matrix.c
++++ b/kernel/irq/matrix.c
+@@ -423,7 +423,9 @@ void irq_matrix_free(struct irq_matrix *m, unsigned int cpu,
+       if (WARN_ON_ONCE(bit < m->alloc_start || bit >= m->alloc_end))
+               return;
+ 
+-      clear_bit(bit, cm->alloc_map);
++      if (WARN_ON_ONCE(!test_and_clear_bit(bit, cm->alloc_map)))
++              return;
++
+       cm->allocated--;
+       if(managed)
+               cm->managed_allocated--;
+-- 
+2.30.2
+

diff --git a/queue-4.19/intel_th-consistency-and-off-by-one-fix.patch b/queue-4.19/intel_th-consistency-and-off-by-one-fix.patch
new file mode 100644 (file)
index 0000000..4b9310b
--- /dev/null
+++ b/queue-4.19/intel_th-consistency-and-off-by-one-fix.patch
@@ -0,0 +1,49 @@
+From 2c3a75c0a7f42a02383322e311c6f1e529c2fccf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 20:12:49 +0300
+Subject: intel_th: Consistency and off-by-one fix
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit 18ffbc47d45a1489b664dd68fb3a7610a6e1dea3 ]
+
+Consistently use "< ... +1" in for loops.
+
+Fix of-by-one in for_each_set_bit().
+
+Signed-off-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Link: https://lore.kernel.org/lkml/20190724095841.GA6952@amd/
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210414171251.14672-6-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/intel_th/gth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c
+index edc52d75e6bd..5041fe7fee9e 100644
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -477,7 +477,7 @@ static void intel_th_gth_disable(struct intel_th_device *thdev,
+       output->active = false;
+ 
+       for_each_set_bit(master, gth->output[output->port].master,
+-                       TH_CONFIGURABLE_MASTERS) {
++                       TH_CONFIGURABLE_MASTERS + 1) {
+               gth_master_set(gth, master, -1);
+       }
+       spin_unlock(&gth->gth_lock);
+@@ -616,7 +616,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev,
+       othdev->output.port = -1;
+       othdev->output.active = false;
+       gth->output[port].output = NULL;
+-      for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
++      for (master = 0; master < TH_CONFIGURABLE_MASTERS + 1; master++)
+               if (gth->master[master] == port)
+                       gth->master[master] = -1;
+       spin_unlock(&gth->gth_lock);
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch b/queue-4.19/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
new file mode 100644 (file)
index 0000000..620c55a
--- /dev/null
+++ b/queue-4.19/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
@@ -0,0 +1,43 @@
+From e1b369a9cc2937816488cef4a0a98d71ec2ff95b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:42:46 +0200
+Subject: media: adv7604: fix possible use-after-free in adv76xx_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit fa56f5f1fe31c2050675fa63b84963ebd504a5b3 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7604.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
+index a4b0a89c7e7e..04577d409e63 100644
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -3560,7 +3560,7 @@ static int adv76xx_remove(struct i2c_client *client)
+       io_write(sd, 0x6e, 0);
+       io_write(sd, 0x73, 0);
+ 
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       v4l2_async_unregister_subdev(sd);
+       media_entity_cleanup(&sd->entity);
+       adv76xx_unregister_clients(to_state(sd));
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch b/queue-4.19/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch
new file mode 100644 (file)
index 0000000..d5596cf
--- /dev/null
+++ b/queue-4.19/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch
@@ -0,0 +1,45 @@
+From ca56376210f7cac283a50c320b34d90635f144a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Feb 2021 09:06:58 +0100
+Subject: media: drivers: media: pci: sta2x11: fix Kconfig dependency on
+ GPIOLIB
+
+From: Julian Braha <julianbraha@gmail.com>
+
+[ Upstream commit 24df8b74c8b2fb42c49ffe8585562da0c96446ff ]
+
+When STA2X11_VIP is enabled, and GPIOLIB is disabled,
+Kbuild gives the following warning:
+
+WARNING: unmet direct dependencies detected for VIDEO_ADV7180
+  Depends on [n]: MEDIA_SUPPORT [=y] && GPIOLIB [=n] && VIDEO_V4L2 [=y] && I2C [=y]
+  Selected by [y]:
+  - STA2X11_VIP [=y] && MEDIA_SUPPORT [=y] && MEDIA_PCI_SUPPORT [=y] && MEDIA_CAMERA_SUPPORT [=y] && PCI [=y] && VIDEO_V4L2 [=y] && VIRT_TO_BUS [=y] && I2C [=y] && (STA2X11 [=n] || COMPILE_TEST [=y]) && MEDIA_SUBDRV_AUTOSELECT [=y]
+
+This is because STA2X11_VIP selects VIDEO_ADV7180
+without selecting or depending on GPIOLIB,
+despite VIDEO_ADV7180 depending on GPIOLIB.
+
+Signed-off-by: Julian Braha <julianbraha@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/sta2x11/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/pci/sta2x11/Kconfig b/drivers/media/pci/sta2x11/Kconfig
+index 4407b9f881e4..bd690613fe68 100644
+--- a/drivers/media/pci/sta2x11/Kconfig
++++ b/drivers/media/pci/sta2x11/Kconfig
+@@ -1,6 +1,7 @@
+ config STA2X11_VIP
+       tristate "STA2X11 VIP Video For Linux"
+       depends on STA2X11 || COMPILE_TEST
++      select GPIOLIB if MEDIA_SUBDRV_AUTOSELECT
+       select VIDEO_ADV7180 if MEDIA_SUBDRV_AUTOSELECT
+       select VIDEOBUF2_DMA_CONTIG
+       depends on PCI && VIDEO_V4L2 && VIRT_TO_BUS
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-4.19/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
new file mode 100644 (file)
index 0000000..be87b02
--- /dev/null
+++ b/queue-4.19/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
@@ -0,0 +1,83 @@
+From 673bfe3d4e2a29810b83c9aa9149a040d225f450 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 21:32:19 +0200
+Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit b7cd0da982e3043f2eec7235ac5530cb18d6af1d ]
+
+syzbot reported memory leak in dvb-usb. The problem was
+in invalid error handling in dvb_usb_adapter_init().
+
+for (n = 0; n < d->props.num_adapters; n++) {
+....
+       if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+               (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+               (ret = dvb_usb_adapter_frontend_init(adap))) {
+               return ret;
+       }
+...
+       d->num_adapters_initialized++;
+...
+}
+
+In case of error in dvb_usb_adapter_dvb_init() or
+dvb_usb_adapter_dvb_init() d->num_adapters_initialized won't be
+incremented, but dvb_usb_adapter_exit() relies on it:
+
+       for (n = 0; n < d->num_adapters_initialized; n++)
+
+So, allocated objects won't be freed.
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reported-by: syzbot+3c2be7424cea3b932b0e@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 39ac22486bcd..4b1445d806e5 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -82,11 +82,17 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+                       }
+               }
+ 
+-              if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+-                      (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+-                      (ret = dvb_usb_adapter_frontend_init(adap))) {
++              ret = dvb_usb_adapter_stream_init(adap);
++              if (ret)
+                       return ret;
+-              }
++
++              ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
++              if (ret)
++                      goto dvb_init_err;
++
++              ret = dvb_usb_adapter_frontend_init(adap);
++              if (ret)
++                      goto frontend_init_err;
+ 
+               /* use exclusive FE lock if there is multiple shared FEs */
+               if (adap->fe_adap[1].fe)
+@@ -106,6 +112,12 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+       }
+ 
+       return 0;
++
++frontend_init_err:
++      dvb_usb_adapter_dvb_exit(adap);
++dvb_init_err:
++      dvb_usb_adapter_stream_exit(adap);
++      return ret;
+ }
+ 
+ static int dvb_usb_adapter_exit(struct dvb_usb_device *d)
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-em28xx-fix-memory-leak.patch b/queue-4.19/media-em28xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..6d6a793
--- /dev/null
+++ b/queue-4.19/media-em28xx-fix-memory-leak.patch
@@ -0,0 +1,41 @@
+From 7ee70ae04119542190bce76b7f8d9cf443e69ba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 19:07:53 +0100
+Subject: media: em28xx: fix memory leak
+
+From: Muhammad Usama Anjum <musamaanjum@gmail.com>
+
+[ Upstream commit 0ae10a7dc8992ee682ff0b1752ff7c83d472eef1 ]
+
+If some error occurs, URB buffers should also be freed. If they aren't
+freed with the dvb here, the em28xx_dvb_fini call doesn't frees the URB
+buffers as dvb is set to NULL. The function in which error occurs should
+do all the cleanup for the allocations it had done.
+
+Tested the patch with the reproducer provided by syzbot. This patch
+fixes the memleak.
+
+Reported-by: syzbot+889397c820fa56adf25d@syzkaller.appspotmail.com
+Signed-off-by: Muhammad Usama Anjum <musamaanjum@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-dvb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
+index a73faf12f7e4..e1946237ac8c 100644
+--- a/drivers/media/usb/em28xx/em28xx-dvb.c
++++ b/drivers/media/usb/em28xx/em28xx-dvb.c
+@@ -1924,6 +1924,7 @@ ret:
+       return result;
+ 
+ out_free:
++      em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE);
+       kfree(dvb);
+       dev->dvb = NULL;
+       goto ret;
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-gscpa-stv06xx-fix-memory-leak.patch b/queue-4.19/media-gscpa-stv06xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..a800cd9
--- /dev/null
+++ b/queue-4.19/media-gscpa-stv06xx-fix-memory-leak.patch
@@ -0,0 +1,84 @@
+From 6ad6236f8ef90c2458ca587864cfe2e2eb6b6d17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 12:31:20 +0200
+Subject: media: gscpa/stv06xx: fix memory leak
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ]
+
+For two of the supported sensors the stv06xx driver allocates memory which
+is stored in sd->sensor_priv. This memory is freed on a disconnect, but if
+the probe() fails, then it isn't freed and so this leaks memory.
+
+Add a new probe_error() op that drivers can use to free any allocated
+memory in case there was a probe failure.
+
+Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause
+of the memory leak.
+
+Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/gspca.c           | 2 ++
+ drivers/media/usb/gspca/gspca.h           | 1 +
+ drivers/media/usb/gspca/stv06xx/stv06xx.c | 9 +++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
+index 93212ed80bf8..f0562b8eef56 100644
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -1586,6 +1586,8 @@ out:
+ #endif
+       v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+       v4l2_device_unregister(&gspca_dev->v4l2_dev);
++      if (sd_desc->probe_error)
++              sd_desc->probe_error(gspca_dev);
+       kfree(gspca_dev->usb_buf);
+       kfree(gspca_dev);
+       return ret;
+diff --git a/drivers/media/usb/gspca/gspca.h b/drivers/media/usb/gspca/gspca.h
+index b0ced2e14006..a6554d5e9e1a 100644
+--- a/drivers/media/usb/gspca/gspca.h
++++ b/drivers/media/usb/gspca/gspca.h
+@@ -105,6 +105,7 @@ struct sd_desc {
+       cam_cf_op config;       /* called on probe */
+       cam_op init;            /* called on probe and resume */
+       cam_op init_controls;   /* called on probe */
++      cam_v_op probe_error;   /* called if probe failed, do cleanup here */
+       cam_op start;           /* called on stream on after URBs creation */
+       cam_pkt_op pkt_scan;
+ /* optional operations */
+diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+index b7ea4f982964..ccec6138f678 100644
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+@@ -538,12 +538,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev,
+ static int stv06xx_config(struct gspca_dev *gspca_dev,
+                         const struct usb_device_id *id);
+ 
++static void stv06xx_probe_error(struct gspca_dev *gspca_dev)
++{
++      struct sd *sd = (struct sd *)gspca_dev;
++
++      kfree(sd->sensor_priv);
++      sd->sensor_priv = NULL;
++}
++
+ /* sub-driver description */
+ static const struct sd_desc sd_desc = {
+       .name = MODULE_NAME,
+       .config = stv06xx_config,
+       .init = stv06xx_init,
+       .init_controls = stv06xx_init_controls,
++      .probe_error = stv06xx_probe_error,
+       .start = stv06xx_start,
+       .stopN = stv06xx_stopN,
+       .pkt_scan = stv06xx_pkt_scan,
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-gspca-sq905.c-fix-uninitialized-variable.patch b/queue-4.19/media-gspca-sq905.c-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..973f4a3
--- /dev/null
+++ b/queue-4.19/media-gspca-sq905.c-fix-uninitialized-variable.patch
@@ -0,0 +1,36 @@
+From 64ffe85b7b72f938fde205db25aa0a8021facf36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 15:46:40 +0100
+Subject: media: gspca/sq905.c: fix uninitialized variable
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit eaaea4681984c79d2b2b160387b297477f0c1aab ]
+
+act_len can be uninitialized if usb_bulk_msg() returns an error.
+Set it to 0 to avoid a KMSAN error.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/sq905.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c
+index ffea9c35b0a0..13676af42cfc 100644
+--- a/drivers/media/usb/gspca/sq905.c
++++ b/drivers/media/usb/gspca/sq905.c
+@@ -167,7 +167,7 @@ static int
+ sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock)
+ {
+       int ret;
+-      int act_len;
++      int act_len = 0;
+ 
+       gspca_dev->usb_buf[0] = '\0';
+       if (need_lock)
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch b/queue-4.19/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
new file mode 100644 (file)
index 0000000..8364182
--- /dev/null
+++ b/queue-4.19/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
@@ -0,0 +1,44 @@
+From f10f9c3df8d95349edf56eabdf9d164beb510d53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:48:12 +0200
+Subject: media: i2c: adv7511-v4l2: fix possible use-after-free in
+ adv7511_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 2c9541720c66899adf6f3600984cf3ef151295ad ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7511-v4l2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c
+index 6869bb593a68..4052abeead50 100644
+--- a/drivers/media/i2c/adv7511-v4l2.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -1965,7 +1965,7 @@ static int adv7511_remove(struct i2c_client *client)
+ 
+       adv7511_set_isr(sd, false);
+       adv7511_init_setup(sd);
+-      cancel_delayed_work(&state->edid_handler);
++      cancel_delayed_work_sync(&state->edid_handler);
+       i2c_unregister_device(state->i2c_edid);
+       if (state->i2c_cec)
+               i2c_unregister_device(state->i2c_cec);
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch b/queue-4.19/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
new file mode 100644 (file)
index 0000000..94526df
--- /dev/null
+++ b/queue-4.19/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
@@ -0,0 +1,43 @@
+From 6ddc5fad75afa88d37df7d03422cae2e7f49f28e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:50:53 +0200
+Subject: media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4a15275b6a18597079f18241c87511406575179a ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7842.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
+index 58662ba92d4f..d0ed20652ddb 100644
+--- a/drivers/media/i2c/adv7842.c
++++ b/drivers/media/i2c/adv7842.c
+@@ -3585,7 +3585,7 @@ static int adv7842_remove(struct i2c_client *client)
+       struct adv7842_state *state = to_state(sd);
+ 
+       adv7842_irq_enable(sd, false);
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       v4l2_device_unregister_subdev(sd);
+       media_entity_cleanup(&sd->entity);
+       adv7842_unregister_clients(sd);
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-ite-cir-check-for-receive-overflow.patch b/queue-4.19/media-ite-cir-check-for-receive-overflow.patch
new file mode 100644 (file)
index 0000000..185022e
--- /dev/null
+++ b/queue-4.19/media-ite-cir-check-for-receive-overflow.patch
@@ -0,0 +1,41 @@
+From 986a478e68dc77d3ee15e91ab00eb59dff2efb63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Feb 2021 09:08:35 +0100
+Subject: media: ite-cir: check for receive overflow
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit 28c7afb07ccfc0a939bb06ac1e7afe669901c65a ]
+
+It's best if this condition is reported.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ite-cir.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
+index de77d22c30a7..18f3718315a8 100644
+--- a/drivers/media/rc/ite-cir.c
++++ b/drivers/media/rc/ite-cir.c
+@@ -285,8 +285,14 @@ static irqreturn_t ite_cir_isr(int irq, void *data)
+       /* read the interrupt flags */
+       iflags = dev->params.get_irq_causes(dev);
+ 
++      /* Check for RX overflow */
++      if (iflags & ITE_IRQ_RX_FIFO_OVERRUN) {
++              dev_warn(&dev->rdev->dev, "receive overflow\n");
++              ir_raw_event_reset(dev->rdev);
++      }
++
+       /* check for the receive interrupt */
+-      if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) {
++      if (iflags & ITE_IRQ_RX_FIFO) {
+               /* read the FIFO bytes */
+               rx_bytes =
+                       dev->params.get_rx_bytes(dev, rx_buf,
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-media-saa7164-fix-saa7164_encoder_register-mem.patch b/queue-4.19/media-media-saa7164-fix-saa7164_encoder_register-mem.patch
new file mode 100644 (file)
index 0000000..4d8c6b8
--- /dev/null
+++ b/queue-4.19/media-media-saa7164-fix-saa7164_encoder_register-mem.patch
@@ -0,0 +1,87 @@
+From 6366a19cdf9a105d5a7ad0a326c5708c7a3b19a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 03:53:00 +0100
+Subject: media: media/saa7164: fix saa7164_encoder_register() memory leak bugs
+
+From: Daniel Niv <danielniv3@gmail.com>
+
+[ Upstream commit c759b2970c561e3b56aa030deb13db104262adfe ]
+
+Add a fix for the memory leak bugs that can occur when the
+saa7164_encoder_register() function fails.
+The function allocates memory without explicitly freeing
+it when errors occur.
+Add a better error handling that deallocate the unused buffers before the
+function exits during a fail.
+
+Signed-off-by: Daniel Niv <danielniv3@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7164/saa7164-encoder.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-encoder.c b/drivers/media/pci/saa7164/saa7164-encoder.c
+index 32136ebe4f61..962f8eb73b05 100644
+--- a/drivers/media/pci/saa7164/saa7164-encoder.c
++++ b/drivers/media/pci/saa7164/saa7164-encoder.c
+@@ -1024,7 +1024,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+               printk(KERN_ERR "%s() failed (errno = %d), NO PCI configuration\n",
+                       __func__, result);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_pci;
+       }
+ 
+       /* Establish encoder defaults here */
+@@ -1078,7 +1078,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+                         100000, ENCODER_DEF_BITRATE);
+       if (hdl->error) {
+               result = hdl->error;
+-              goto failed;
++              goto fail_hdl;
+       }
+ 
+       port->std = V4L2_STD_NTSC_M;
+@@ -1096,7 +1096,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+               printk(KERN_INFO "%s: can't allocate mpeg device\n",
+                       dev->name);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_hdl;
+       }
+ 
+       port->v4l_device->ctrl_handler = hdl;
+@@ -1107,10 +1107,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+       if (result < 0) {
+               printk(KERN_INFO "%s: can't register mpeg device\n",
+                       dev->name);
+-              /* TODO: We're going to leak here if we don't dealloc
+-               The buffers above. The unreg function can't deal wit it.
+-              */
+-              goto failed;
++              goto fail_reg;
+       }
+ 
+       printk(KERN_INFO "%s: registered device video%d [mpeg]\n",
+@@ -1132,9 +1129,14 @@ int saa7164_encoder_register(struct saa7164_port *port)
+ 
+       saa7164_api_set_encoder(port);
+       saa7164_api_get_encoder(port);
++      return 0;
+ 
+-      result = 0;
+-failed:
++fail_reg:
++      video_device_release(port->v4l_device);
++      port->v4l_device = NULL;
++fail_hdl:
++      v4l2_ctrl_handler_free(hdl);
++fail_pci:
+       return result;
+ }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-tc358743-fix-possible-use-after-free-in-tc3587.patch b/queue-4.19/media-tc358743-fix-possible-use-after-free-in-tc3587.patch
new file mode 100644 (file)
index 0000000..bb1aa90
--- /dev/null
+++ b/queue-4.19/media-tc358743-fix-possible-use-after-free-in-tc3587.patch
@@ -0,0 +1,43 @@
+From 969e422c98145bd41f66c442cb85437713f11257 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:39:29 +0200
+Subject: media: tc358743: fix possible use-after-free in tc358743_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6107a4fdf8554a7aa9488bdc835bb010062fa8a9 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index d9bc3851bf63..041b16965b96 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -2192,7 +2192,7 @@ static int tc358743_remove(struct i2c_client *client)
+               del_timer_sync(&state->timer);
+               flush_work(&state->work_i2c_poll);
+       }
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       cec_unregister_adapter(state->cec_adap);
+       v4l2_async_unregister_subdev(sd);
+       v4l2_device_unregister_subdev(sd);
+-- 
+2.30.2
+

diff --git a/queue-4.19/media-vivid-update-edid.patch b/queue-4.19/media-vivid-update-edid.patch
new file mode 100644 (file)
index 0000000..75574e6
--- /dev/null
+++ b/queue-4.19/media-vivid-update-edid.patch
@@ -0,0 +1,56 @@
+From 72e8a4efdcd470b9acb68b32c9c9f689318fe59b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 08:48:21 +0100
+Subject: media: vivid: update EDID
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 443ec4bbc6116f6f492a7a1282bfd8422c862158 ]
+
+The EDID had a few mistakes as reported by edid-decode:
+
+Block 1, CTA-861 Extension Block:
+  Video Data Block: For improved preferred timing interoperability, set 'Native detailed modes' to 1.
+  Video Capability Data Block: S_PT is equal to S_IT and S_CE, so should be set to 0 instead.
+
+Fixed those.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-core.c b/drivers/media/platform/vivid/vivid-core.c
+index 31db363602e5..b603ca412387 100644
+--- a/drivers/media/platform/vivid/vivid-core.c
++++ b/drivers/media/platform/vivid/vivid-core.c
+@@ -174,13 +174,13 @@ static const u8 vivid_hdmi_edid[256] = {
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7b,
+ 
+-      0x02, 0x03, 0x3f, 0xf0, 0x51, 0x61, 0x60, 0x5f,
++      0x02, 0x03, 0x3f, 0xf1, 0x51, 0x61, 0x60, 0x5f,
+       0x5e, 0x5d, 0x10, 0x1f, 0x04, 0x13, 0x22, 0x21,
+       0x20, 0x05, 0x14, 0x02, 0x11, 0x01, 0x23, 0x09,
+       0x07, 0x07, 0x83, 0x01, 0x00, 0x00, 0x6d, 0x03,
+       0x0c, 0x00, 0x10, 0x00, 0x00, 0x3c, 0x21, 0x00,
+       0x60, 0x01, 0x02, 0x03, 0x67, 0xd8, 0x5d, 0xc4,
+-      0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xea, 0xe3,
++      0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xca, 0xe3,
+       0x05, 0x00, 0x00, 0xe3, 0x06, 0x01, 0x00, 0x4d,
+       0xd0, 0x00, 0xa0, 0xf0, 0x70, 0x3e, 0x80, 0x30,
+       0x20, 0x35, 0x00, 0xc0, 0x1c, 0x32, 0x00, 0x00,
+@@ -189,7 +189,7 @@ static const u8 vivid_hdmi_edid[256] = {
+       0x00, 0x00, 0x1a, 0x1a, 0x1d, 0x00, 0x80, 0x51,
+       0xd0, 0x1c, 0x20, 0x40, 0x80, 0x35, 0x00, 0xc0,
+       0x1c, 0x32, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00,
+-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63,
++      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x82,
+ };
+ 
+ static int vidioc_querycap(struct file *file, void  *priv,
+-- 
+2.30.2
+

diff --git a/queue-4.19/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch b/queue-4.19/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
new file mode 100644 (file)
index 0000000..08e0730
--- /dev/null
+++ b/queue-4.19/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
@@ -0,0 +1,72 @@
+From 81e3d9bdaba88f267827f3385ceaeed9717405ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 16:51:40 +0100
+Subject: PCI: PM: Do not read power state in pci_enable_device_flags()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 4514d991d99211f225d83b7e640285f29f0755d0 ]
+
+It should not be necessary to update the current_state field of
+struct pci_dev in pci_enable_device_flags() before calling
+do_pci_enable_device() for the device, because none of the
+code between that point and the pci_set_power_state() call in
+do_pci_enable_device() invoked later depends on it.
+
+Moreover, doing that is actively harmful in some cases.  For example,
+if the given PCI device depends on an ACPI power resource whose _STA
+method initially returns 0 ("off"), but the config space of the PCI
+device is accessible and the power state retrieved from the
+PCI_PM_CTRL register is D0, the current_state field in the struct
+pci_dev representing that device will get out of sync with the
+power.state of its ACPI companion object and that will lead to
+power management issues going forward.
+
+To avoid such issues it is better to leave the current_state value
+as is until it is changed to PCI_D0 by do_pci_enable_device() as
+appropriate.  However, the power state of the device is not changed
+to PCI_D0 if it is already enabled when pci_enable_device_flags()
+gets called for it, so update its current_state in that case, but
+use pci_update_current_state() covering platform PM too for that.
+
+Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/
+Reported-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 9ebf32de8575..3d59bbe4a5d5 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1585,20 +1585,10 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
+       int err;
+       int i, bars = 0;
+ 
+-      /*
+-       * Power state could be unknown at this point, either due to a fresh
+-       * boot or a device removal call.  So get the current power state
+-       * so that things like MSI message writing will behave as expected
+-       * (e.g. if the device really is in D0 at enable time).
+-       */
+-      if (dev->pm_cap) {
+-              u16 pmcsr;
+-              pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
+-              dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
+-      }
+-
+-      if (atomic_inc_return(&dev->enable_cnt) > 1)
++      if (atomic_inc_return(&dev->enable_cnt) > 1) {
++              pci_update_current_state(dev, dev->current_state);
+               return 0;               /* already enabled */
++      }
+ 
+       bridge = pci_upstream_bridge(dev);
+       if (bridge)
+-- 
+2.30.2
+

diff --git a/queue-4.19/perf-arm_pmu_platform-fix-error-handling.patch b/queue-4.19/perf-arm_pmu_platform-fix-error-handling.patch
new file mode 100644 (file)
index 0000000..e88d564
--- /dev/null
+++ b/queue-4.19/perf-arm_pmu_platform-fix-error-handling.patch
@@ -0,0 +1,36 @@
+From 247db939cb1ed23932de1a694c8cdc72445a0196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 16:02:41 +0000
+Subject: perf/arm_pmu_platform: Fix error handling
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit e338cb6bef254821a8c095018fd27254d74bfd6a ]
+
+If we're aborting after failing to register the PMU device,
+we probably don't want to leak the IRQs that we've claimed.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/53031a607fc8412a60024bfb3bb8cd7141f998f5.1616774562.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_pmu_platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm_pmu_platform.c b/drivers/perf/arm_pmu_platform.c
+index 96075cecb0ae..199293450acf 100644
+--- a/drivers/perf/arm_pmu_platform.c
++++ b/drivers/perf/arm_pmu_platform.c
+@@ -236,7 +236,7 @@ int arm_pmu_device_probe(struct platform_device *pdev,
+ 
+       ret = armpmu_register(pmu);
+       if (ret)
+-              goto out_free;
++              goto out_free_irqs;
+ 
+       return 0;
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.19/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch b/queue-4.19/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
new file mode 100644 (file)
index 0000000..bb84f2d
--- /dev/null
+++ b/queue-4.19/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
@@ -0,0 +1,45 @@
+From 2aebb03ad25ecf5ad6d0be70449f63f752b61b30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:27:16 +0800
+Subject: phy: phy-twl4030-usb: Fix possible use-after-free in
+ twl4030_usb_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e1723d8b87b73ab363256e7ca3af3ddb75855680 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210407092716.3270248-1-yangyingliang@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/phy-twl4030-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c
+index c267afb68f07..ea7564392108 100644
+--- a/drivers/phy/ti/phy-twl4030-usb.c
++++ b/drivers/phy/ti/phy-twl4030-usb.c
+@@ -801,7 +801,7 @@ static int twl4030_usb_remove(struct platform_device *pdev)
+ 
+       usb_remove_phy(&twl->phy);
+       pm_runtime_get_sync(twl->dev);
+-      cancel_delayed_work(&twl->id_workaround_work);
++      cancel_delayed_work_sync(&twl->id_workaround_work);
+       device_remove_file(twl->dev, &dev_attr_vbus);
+ 
+       /* set transceiver mode to power on defaults */
+-- 
+2.30.2
+

diff --git a/queue-4.19/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch b/queue-4.19/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch
new file mode 100644 (file)
index 0000000..939a866
--- /dev/null
+++ b/queue-4.19/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch
@@ -0,0 +1,134 @@
+From d1d9031c16ea9ea47270c019bd2763e261cf605d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 10:54:19 +0100
+Subject: power: supply: bq27xxx: fix power_avg for newer ICs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+
+[ Upstream commit c4d57c22ac65bd503716062a06fad55a01569cac ]
+
+On all newer bq27xxx ICs, the AveragePower register contains a signed
+value; in addition to handling the raw value as unsigned, the driver
+code also didn't convert it to µW as expected.
+
+At least for the BQ28Z610, the reference manual incorrectly states that
+the value is in units of 1mW and not 10mW. I have no way of knowing
+whether the manuals of other supported ICs contain the same error, or if
+there are models that actually use 1mW. At least, the new code shouldn't
+be *less* correct than the old version for any device.
+
+power_avg is removed from the cache structure, se we don't have to
+extend it to store both a signed value and an error code. Always getting
+an up-to-date value may be desirable anyways, as it avoids inconsistent
+current and power readings when switching between charging and
+discharging.
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 51 ++++++++++++++------------
+ include/linux/power/bq27xxx_battery.h  |  1 -
+ 2 files changed, 27 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c
+index 93e3d9c747aa..b7dc88126866 100644
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1490,27 +1490,6 @@ static int bq27xxx_battery_read_time(struct bq27xxx_device_info *di, u8 reg)
+       return tval * 60;
+ }
+ 
+-/*
+- * Read an average power register.
+- * Return < 0 if something fails.
+- */
+-static int bq27xxx_battery_read_pwr_avg(struct bq27xxx_device_info *di)
+-{
+-      int tval;
+-
+-      tval = bq27xxx_read(di, BQ27XXX_REG_AP, false);
+-      if (tval < 0) {
+-              dev_err(di->dev, "error reading average power register  %02x: %d\n",
+-                      BQ27XXX_REG_AP, tval);
+-              return tval;
+-      }
+-
+-      if (di->opts & BQ27XXX_O_ZERO)
+-              return (tval * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS;
+-      else
+-              return tval;
+-}
+-
+ /*
+  * Returns true if a battery over temperature condition is detected
+  */
+@@ -1607,8 +1586,6 @@ void bq27xxx_battery_update(struct bq27xxx_device_info *di)
+               }
+               if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR)
+                       cache.cycle_count = bq27xxx_battery_read_cyct(di);
+-              if (di->regs[BQ27XXX_REG_AP] != INVALID_REG_ADDR)
+-                      cache.power_avg = bq27xxx_battery_read_pwr_avg(di);
+ 
+               /* We only have to read charge design full once */
+               if (di->charge_design_full <= 0)
+@@ -1670,6 +1647,32 @@ static int bq27xxx_battery_current(struct bq27xxx_device_info *di,
+       return 0;
+ }
+ 
++/*
++ * Get the average power in µW
++ * Return < 0 if something fails.
++ */
++static int bq27xxx_battery_pwr_avg(struct bq27xxx_device_info *di,
++                                 union power_supply_propval *val)
++{
++      int power;
++
++      power = bq27xxx_read(di, BQ27XXX_REG_AP, false);
++      if (power < 0) {
++              dev_err(di->dev,
++                      "error reading average power register %02x: %d\n",
++                      BQ27XXX_REG_AP, power);
++              return power;
++      }
++
++      if (di->opts & BQ27XXX_O_ZERO)
++              val->intval = (power * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS;
++      else
++              /* Other gauges return a signed value in units of 10mW */
++              val->intval = (int)((s16)power) * 10000;
++
++      return 0;
++}
++
+ static int bq27xxx_battery_status(struct bq27xxx_device_info *di,
+                                 union power_supply_propval *val)
+ {
+@@ -1837,7 +1840,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy,
+               ret = bq27xxx_simple_value(di->cache.energy, val);
+               break;
+       case POWER_SUPPLY_PROP_POWER_AVG:
+-              ret = bq27xxx_simple_value(di->cache.power_avg, val);
++              ret = bq27xxx_battery_pwr_avg(di, val);
+               break;
+       case POWER_SUPPLY_PROP_HEALTH:
+               ret = bq27xxx_simple_value(di->cache.health, val);
+diff --git a/include/linux/power/bq27xxx_battery.h b/include/linux/power/bq27xxx_battery.h
+index d6355f49fbae..13d5dd4eb40b 100644
+--- a/include/linux/power/bq27xxx_battery.h
++++ b/include/linux/power/bq27xxx_battery.h
+@@ -49,7 +49,6 @@ struct bq27xxx_reg_cache {
+       int capacity;
+       int energy;
+       int flags;
+-      int power_avg;
+       int health;
+ };
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.19/power-supply-generic-adc-battery-fix-possible-use-af.patch b/queue-4.19/power-supply-generic-adc-battery-fix-possible-use-af.patch
new file mode 100644 (file)
index 0000000..7c8b1af
--- /dev/null
+++ b/queue-4.19/power-supply-generic-adc-battery-fix-possible-use-af.patch
@@ -0,0 +1,43 @@
+From 2edcad1485606881644b41e398e5286c5373fb9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:17:06 +0800
+Subject: power: supply: generic-adc-battery: fix possible use-after-free in
+ gab_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/generic-adc-battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c
+index bc462d1ec963..97b0e873e87d 100644
+--- a/drivers/power/supply/generic-adc-battery.c
++++ b/drivers/power/supply/generic-adc-battery.c
+@@ -382,7 +382,7 @@ static int gab_remove(struct platform_device *pdev)
+       }
+ 
+       kfree(adc_bat->psy_desc.properties);
+-      cancel_delayed_work(&adc_bat->bat_work);
++      cancel_delayed_work_sync(&adc_bat->bat_work);
+       return 0;
+ }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.19/power-supply-s3c_adc_battery-fix-possible-use-after-.patch b/queue-4.19/power-supply-s3c_adc_battery-fix-possible-use-after-.patch
new file mode 100644 (file)
index 0000000..1a7b83d
--- /dev/null
+++ b/queue-4.19/power-supply-s3c_adc_battery-fix-possible-use-after-.patch
@@ -0,0 +1,44 @@
+From 183f219092c3a2553b2afcc70aebe120afe0fb12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:19:03 +0800
+Subject: power: supply: s3c_adc_battery: fix possible use-after-free in
+ s3c_adc_bat_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/s3c_adc_battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/s3c_adc_battery.c b/drivers/power/supply/s3c_adc_battery.c
+index 3d00b35cafc9..8be31f80035c 100644
+--- a/drivers/power/supply/s3c_adc_battery.c
++++ b/drivers/power/supply/s3c_adc_battery.c
+@@ -394,7 +394,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev)
+               gpio_free(pdata->gpio_charge_finished);
+       }
+ 
+-      cancel_delayed_work(&bat_work);
++      cancel_delayed_work_sync(&bat_work);
+ 
+       if (pdata->exit)
+               pdata->exit();
+-- 
+2.30.2
+

diff --git a/queue-4.19/power-supply-use-irqf_oneshot.patch b/queue-4.19/power-supply-use-irqf_oneshot.patch
new file mode 100644 (file)
index 0000000..6ba8eda
--- /dev/null
+++ b/queue-4.19/power-supply-use-irqf_oneshot.patch
@@ -0,0 +1,83 @@
+From 4643887c1a280e5485b19ebbfb1eba981f0ed0bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 19:21:33 +0800
+Subject: power: supply: Use IRQF_ONESHOT
+
+From: dongjian <dongjian@yulong.com>
+
+[ Upstream commit 2469b836fa835c67648acad17d62bc805236a6ea ]
+
+Fixes coccicheck error:
+
+drivers/power/supply/pm2301_charger.c:1089:7-27: ERROR:
+drivers/power/supply/lp8788-charger.c:502:8-28: ERROR:
+drivers/power/supply/tps65217_charger.c:239:8-33: ERROR:
+drivers/power/supply/tps65090-charger.c:303:8-33: ERROR:
+
+Threaded IRQ with no primary handler requested without IRQF_ONESHOT
+
+Signed-off-by: dongjian <dongjian@yulong.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/lp8788-charger.c   | 2 +-
+ drivers/power/supply/pm2301_charger.c   | 2 +-
+ drivers/power/supply/tps65090-charger.c | 2 +-
+ drivers/power/supply/tps65217_charger.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/power/supply/lp8788-charger.c b/drivers/power/supply/lp8788-charger.c
+index b8f7dac7ac3f..6dcabbeccde1 100644
+--- a/drivers/power/supply/lp8788-charger.c
++++ b/drivers/power/supply/lp8788-charger.c
+@@ -529,7 +529,7 @@ static int lp8788_set_irqs(struct platform_device *pdev,
+ 
+               ret = request_threaded_irq(virq, NULL,
+                                       lp8788_charger_irq_thread,
+-                                      0, name, pchg);
++                                      IRQF_ONESHOT, name, pchg);
+               if (ret)
+                       break;
+       }
+diff --git a/drivers/power/supply/pm2301_charger.c b/drivers/power/supply/pm2301_charger.c
+index 78561b6884fc..9ef218d76aa9 100644
+--- a/drivers/power/supply/pm2301_charger.c
++++ b/drivers/power/supply/pm2301_charger.c
+@@ -1098,7 +1098,7 @@ static int pm2xxx_wall_charger_probe(struct i2c_client *i2c_client,
+       ret = request_threaded_irq(gpio_to_irq(pm2->pdata->gpio_irq_number),
+                               NULL,
+                               pm2xxx_charger_irq[0].isr,
+-                              pm2->pdata->irq_type,
++                              pm2->pdata->irq_type | IRQF_ONESHOT,
+                               pm2xxx_charger_irq[0].name, pm2);
+ 
+       if (ret != 0) {
+diff --git a/drivers/power/supply/tps65090-charger.c b/drivers/power/supply/tps65090-charger.c
+index 1b4b5e09538e..297bf58f0d4f 100644
+--- a/drivers/power/supply/tps65090-charger.c
++++ b/drivers/power/supply/tps65090-charger.c
+@@ -311,7 +311,7 @@ static int tps65090_charger_probe(struct platform_device *pdev)
+ 
+       if (irq != -ENXIO) {
+               ret = devm_request_threaded_irq(&pdev->dev, irq, NULL,
+-                      tps65090_charger_isr, 0, "tps65090-charger", cdata);
++                      tps65090_charger_isr, IRQF_ONESHOT, "tps65090-charger", cdata);
+               if (ret) {
+                       dev_err(cdata->dev,
+                               "Unable to register irq %d err %d\n", irq,
+diff --git a/drivers/power/supply/tps65217_charger.c b/drivers/power/supply/tps65217_charger.c
+index 814c2b81fdfe..ba33d1617e0b 100644
+--- a/drivers/power/supply/tps65217_charger.c
++++ b/drivers/power/supply/tps65217_charger.c
+@@ -238,7 +238,7 @@ static int tps65217_charger_probe(struct platform_device *pdev)
+       for (i = 0; i < NUM_CHARGER_IRQS; i++) {
+               ret = devm_request_threaded_irq(&pdev->dev, irq[i], NULL,
+                                               tps65217_charger_irq,
+-                                              0, "tps65217-charger",
++                                              IRQF_ONESHOT, "tps65217-charger",
+                                               charger);
+               if (ret) {
+                       dev_err(charger->dev,
+-- 
+2.30.2
+

diff --git a/queue-4.19/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch b/queue-4.19/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch
new file mode 100644 (file)
index 0000000..24fc4b4
--- /dev/null
+++ b/queue-4.19/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch
@@ -0,0 +1,45 @@
+From 65175f9f4098f251efd4b7b7ddfd076299c7bc21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 08:23:12 +0200
+Subject: s390/archrandom: add parameter check for s390_arch_random_generate
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 28096067686c5a5cbd4c35b079749bd805df5010 ]
+
+A review of the code showed, that this function which is exposed
+within the whole kernel should do a parameter check for the
+amount of bytes requested. If this requested bytes is too high
+an unsigned int overflow could happen causing this function to
+try to memcpy a really big memory chunk.
+
+This is not a security issue as there are only two invocations
+of this function from arch/s390/include/asm/archrandom.h and both
+are not exposed to userland.
+
+Reported-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/crypto/arch_random.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/s390/crypto/arch_random.c b/arch/s390/crypto/arch_random.c
+index dd95cdbd22ce..4cbb4b6d85a8 100644
+--- a/arch/s390/crypto/arch_random.c
++++ b/arch/s390/crypto/arch_random.c
+@@ -53,6 +53,10 @@ static DECLARE_DELAYED_WORK(arch_rng_work, arch_rng_refill_buffer);
+ 
+ bool s390_arch_random_generate(u8 *buf, unsigned int nbytes)
+ {
++      /* max hunk is ARCH_RNG_BUF_SIZE */
++      if (nbytes > ARCH_RNG_BUF_SIZE)
++              return false;
++
+       /* lock rng buffer */
+       if (!spin_trylock(&arch_rng_lock))
+               return false;
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-libfc-fix-a-format-specifier.patch b/queue-4.19/scsi-libfc-fix-a-format-specifier.patch
new file mode 100644 (file)
index 0000000..1c4ae54
--- /dev/null
+++ b/queue-4.19/scsi-libfc-fix-a-format-specifier.patch
@@ -0,0 +1,45 @@
+From 0d26c9fa361131e82c6fd393376c20ceae58f072 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 15:08:13 -0700
+Subject: scsi: libfc: Fix a format specifier
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 90d6697810f06aceea9de71ad836a8c7669789cd ]
+
+Since the 'mfs' member has been declared as 'u32' in include/scsi/libfc.h,
+use the %u format specifier instead of %hu. This patch fixes the following
+clang compiler warning:
+
+warning: format specifies type
+      'unsigned short' but the argument has type 'u32' (aka 'unsigned int')
+      [-Wformat]
+                             "lport->mfs:%hu\n", mfs, lport->mfs);
+                                         ~~~          ^~~~~~~~~~
+                                         %u
+
+Link: https://lore.kernel.org/r/20210415220826.29438-8-bvanassche@acm.org
+Cc: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_lport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index ff943f477d6f..f653109d56af 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1741,7 +1741,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ 
+       if (mfs < FC_SP_MIN_MAX_PAYLOAD || mfs > FC_SP_MAX_MAX_PAYLOAD) {
+               FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+-                           "lport->mfs:%hu\n", mfs, lport->mfs);
++                           "lport->mfs:%u\n", mfs, lport->mfs);
+               fc_lport_error(lport, fp);
+               goto out;
+       }
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch b/queue-4.19/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
new file mode 100644 (file)
index 0000000..de052c9
--- /dev/null
+++ b/queue-4.19/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
@@ -0,0 +1,60 @@
+From 7665e837a9abf6b957ad45df5a4276d154ada16e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:13 -0700
+Subject: scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO
+ response
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit fffd18ec6579c2d9c72b212169259062fe747888 ]
+
+Fix a crash caused by a double put on the node when the driver completed an
+ACC for an unsolicted abort on the same node.  The second put was executed
+by lpfc_nlp_not_used() and is wrong because the completion routine executes
+the nlp_put when the iocbq was released.  Additionally, the driver is
+issuing a LOGO then immediately calls lpfc_nlp_set_state to put the node
+into NPR.  This call does nothing.
+
+Remove the lpfc_nlp_not_used call and additional set_state in the
+completion routine.  Remove the lpfc_nlp_set_state post issue_logo.  Isn't
+necessary.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-3-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 2 --
+ drivers/scsi/lpfc/lpfc_sli.c       | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 518bdae24543..9442fb30e7cd 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -1743,8 +1743,6 @@ lpfc_cmpl_reglogin_reglogin_issue(struct lpfc_vport *vport,
+               ndlp->nlp_last_elscmd = ELS_CMD_PLOGI;
+ 
+               lpfc_issue_els_logo(vport, ndlp, 0);
+-              ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE;
+-              lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);
+               return ndlp->nlp_state;
+       }
+ 
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index a7b14875af5f..f4633c9f8183 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -17018,7 +17018,6 @@ lpfc_sli4_seq_abort_rsp_cmpl(struct lpfc_hba *phba,
+       if (cmd_iocbq) {
+               ndlp = (struct lpfc_nodelist *)cmd_iocbq->context1;
+               lpfc_nlp_put(ndlp);
+-              lpfc_nlp_not_used(ndlp);
+               lpfc_sli_release_iocbq(phba, cmd_iocbq);
+       }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch b/queue-4.19/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch
new file mode 100644 (file)
index 0000000..8a45b35
--- /dev/null
+++ b/queue-4.19/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch
@@ -0,0 +1,41 @@
+From f8ea693102aa845df323cf380900e4e775d362a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 09:18:00 -0800
+Subject: scsi: lpfc: Fix incorrect dbde assignment when building target abts
+ wqe
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 9302154c07bff4e7f7f43c506a1ac84540303d06 ]
+
+The wqe_dbde field indicates whether a Data BDE is present in Words 0:2 and
+should therefore should be clear in the abts request wqe. By setting the
+bit we can be misleading fw into error cases.
+
+Clear the wqe_dbde field.
+
+Link: https://lore.kernel.org/r/20210301171821.3427-2-jsmart2021@gmail.com
+Co-developed-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nvmet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c
+index 5bc33817568e..23ead17e60fe 100644
+--- a/drivers/scsi/lpfc/lpfc_nvmet.c
++++ b/drivers/scsi/lpfc/lpfc_nvmet.c
+@@ -2912,7 +2912,6 @@ lpfc_nvmet_unsol_issue_abort(struct lpfc_hba *phba,
+       bf_set(wqe_rcvoxid, &wqe_abts->xmit_sequence.wqe_com, xri);
+ 
+       /* Word 10 */
+-      bf_set(wqe_dbde, &wqe_abts->xmit_sequence.wqe_com, 1);
+       bf_set(wqe_iod, &wqe_abts->xmit_sequence.wqe_com, LPFC_WQE_IOD_WRITE);
+       bf_set(wqe_lenloc, &wqe_abts->xmit_sequence.wqe_com,
+              LPFC_WQE_LENLOC_WORD12);
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch b/queue-4.19/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch
new file mode 100644 (file)
index 0000000..c07da99
--- /dev/null
+++ b/queue-4.19/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch
@@ -0,0 +1,50 @@
+From c762ebfd6cd4018fb2366d0cbbf7faf9ba11ade7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 09:18:06 -0800
+Subject: scsi: lpfc: Fix pt2pt connection does not recover after LOGO
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit bd4f5100424d17d4e560d6653902ef8e49b2fc1f ]
+
+On a pt2pt setup, between 2 initiators, if one side issues a a LOGO, there
+is no relogin attempt. The FC specs are grey in this area on which port
+(higher wwn or not) is to re-login.
+
+As there is no spec guidance, unconditionally re-PLOGI after the logout to
+ensure a login is re-established.
+
+Link: https://lore.kernel.org/r/20210301171821.3427-8-jsmart2021@gmail.com
+Co-developed-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 3dfed191252c..518bdae24543 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -708,9 +708,14 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+               }
+       } else if ((!(ndlp->nlp_type & NLP_FABRIC) &&
+               ((ndlp->nlp_type & NLP_FCP_TARGET) ||
+-              !(ndlp->nlp_type & NLP_FCP_INITIATOR))) ||
++              (ndlp->nlp_type & NLP_NVME_TARGET) ||
++              (vport->fc_flag & FC_PT2PT))) ||
+               (ndlp->nlp_state == NLP_STE_ADISC_ISSUE)) {
+-              /* Only try to re-login if this is NOT a Fabric Node */
++              /* Only try to re-login if this is NOT a Fabric Node
++               * AND the remote NPORT is a FCP/NVME Target or we
++               * are in pt2pt mode. NLP_STE_ADISC_ISSUE is a special
++               * case for LOGO as a response to ADISC behavior.
++               */
+               mod_timer(&ndlp->nlp_delayfunc,
+                         jiffies + msecs_to_jiffies(1000 * 1));
+               spin_lock_irq(shost->host_lock);
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch b/queue-4.19/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch
new file mode 100644 (file)
index 0000000..d1d6949
--- /dev/null
+++ b/queue-4.19/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch
@@ -0,0 +1,431 @@
+From 947f3d96ca4f52e6ff29edf9155eb7820b7e4013 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:22 -0700
+Subject: scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit b62232ba8caccaf1954e197058104a6478fac1af ]
+
+SLI-4 does not contain a PORT_CAPABILITIES mailbox command (only SLI-3
+does, and SLI-3 doesn't use it), yet there are SLI-4 code paths that have
+code to issue the command.  The command will always fail.
+
+Remove the code for the mailbox command and leave only the resulting
+"failure path" logic.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-12-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_crtn.h |   3 -
+ drivers/scsi/lpfc/lpfc_hw4.h  | 174 +---------------------------------
+ drivers/scsi/lpfc/lpfc_init.c | 103 +-------------------
+ drivers/scsi/lpfc/lpfc_mbox.c |  36 -------
+ 4 files changed, 3 insertions(+), 313 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h
+index bea24bc4410a..1a0b1cb9de78 100644
+--- a/drivers/scsi/lpfc/lpfc_crtn.h
++++ b/drivers/scsi/lpfc/lpfc_crtn.h
+@@ -56,9 +56,6 @@ void lpfc_register_new_vport(struct lpfc_hba *, struct lpfc_vport *,
+ void lpfc_unreg_vpi(struct lpfc_hba *, uint16_t, LPFC_MBOXQ_t *);
+ void lpfc_init_link(struct lpfc_hba *, LPFC_MBOXQ_t *, uint32_t, uint32_t);
+ void lpfc_request_features(struct lpfc_hba *, struct lpfcMboxq *);
+-void lpfc_supported_pages(struct lpfcMboxq *);
+-void lpfc_pc_sli4_params(struct lpfcMboxq *);
+-int lpfc_pc_sli4_params_get(struct lpfc_hba *, LPFC_MBOXQ_t *);
+ int lpfc_sli4_mbox_rsrc_extent(struct lpfc_hba *, struct lpfcMboxq *,
+                          uint16_t, uint16_t, bool);
+ int lpfc_get_sli4_parameters(struct lpfc_hba *, LPFC_MBOXQ_t *);
+diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h
+index 083f8c8706e5..a9bd12bfc15e 100644
+--- a/drivers/scsi/lpfc/lpfc_hw4.h
++++ b/drivers/scsi/lpfc/lpfc_hw4.h
+@@ -122,6 +122,7 @@ struct lpfc_sli_intf {
+ /* Define SLI4 Alignment requirements. */
+ #define LPFC_ALIGN_16_BYTE    16
+ #define LPFC_ALIGN_64_BYTE    64
++#define SLI4_PAGE_SIZE                4096
+ 
+ /* Define SLI4 specific definitions. */
+ #define LPFC_MQ_CQE_BYTE_OFFSET       256
+@@ -2886,62 +2887,6 @@ struct lpfc_mbx_request_features {
+ #define lpfc_mbx_rq_ftr_rsp_mrqp_WORD         word3
+ };
+ 
+-struct lpfc_mbx_supp_pages {
+-      uint32_t word1;
+-#define qs_SHIFT                              0
+-#define qs_MASK                                       0x00000001
+-#define qs_WORD                                       word1
+-#define wr_SHIFT                              1
+-#define wr_MASK                               0x00000001
+-#define wr_WORD                                       word1
+-#define pf_SHIFT                              8
+-#define pf_MASK                                       0x000000ff
+-#define pf_WORD                                       word1
+-#define cpn_SHIFT                             16
+-#define cpn_MASK                              0x000000ff
+-#define cpn_WORD                              word1
+-      uint32_t word2;
+-#define list_offset_SHIFT                     0
+-#define list_offset_MASK                      0x000000ff
+-#define list_offset_WORD                      word2
+-#define next_offset_SHIFT                     8
+-#define next_offset_MASK                      0x000000ff
+-#define next_offset_WORD                      word2
+-#define elem_cnt_SHIFT                                16
+-#define elem_cnt_MASK                         0x000000ff
+-#define elem_cnt_WORD                         word2
+-      uint32_t word3;
+-#define pn_0_SHIFT                            24
+-#define pn_0_MASK                             0x000000ff
+-#define pn_0_WORD                             word3
+-#define pn_1_SHIFT                            16
+-#define pn_1_MASK                             0x000000ff
+-#define pn_1_WORD                             word3
+-#define pn_2_SHIFT                            8
+-#define pn_2_MASK                             0x000000ff
+-#define pn_2_WORD                             word3
+-#define pn_3_SHIFT                            0
+-#define pn_3_MASK                             0x000000ff
+-#define pn_3_WORD                             word3
+-      uint32_t word4;
+-#define pn_4_SHIFT                            24
+-#define pn_4_MASK                             0x000000ff
+-#define pn_4_WORD                             word4
+-#define pn_5_SHIFT                            16
+-#define pn_5_MASK                             0x000000ff
+-#define pn_5_WORD                             word4
+-#define pn_6_SHIFT                            8
+-#define pn_6_MASK                             0x000000ff
+-#define pn_6_WORD                             word4
+-#define pn_7_SHIFT                            0
+-#define pn_7_MASK                             0x000000ff
+-#define pn_7_WORD                             word4
+-      uint32_t rsvd[27];
+-#define LPFC_SUPP_PAGES                       0
+-#define LPFC_BLOCK_GUARD_PROFILES     1
+-#define LPFC_SLI4_PARAMETERS          2
+-};
+-
+ struct lpfc_mbx_memory_dump_type3 {
+       uint32_t word1;
+ #define lpfc_mbx_memory_dump_type3_type_SHIFT    0
+@@ -3158,121 +3103,6 @@ struct user_eeprom {
+       uint8_t reserved191[57];
+ };
+ 
+-struct lpfc_mbx_pc_sli4_params {
+-      uint32_t word1;
+-#define qs_SHIFT                              0
+-#define qs_MASK                                       0x00000001
+-#define qs_WORD                                       word1
+-#define wr_SHIFT                              1
+-#define wr_MASK                                       0x00000001
+-#define wr_WORD                                       word1
+-#define pf_SHIFT                              8
+-#define pf_MASK                                       0x000000ff
+-#define pf_WORD                                       word1
+-#define cpn_SHIFT                             16
+-#define cpn_MASK                              0x000000ff
+-#define cpn_WORD                              word1
+-      uint32_t word2;
+-#define if_type_SHIFT                         0
+-#define if_type_MASK                          0x00000007
+-#define if_type_WORD                          word2
+-#define sli_rev_SHIFT                         4
+-#define sli_rev_MASK                          0x0000000f
+-#define sli_rev_WORD                          word2
+-#define sli_family_SHIFT                      8
+-#define sli_family_MASK                               0x000000ff
+-#define sli_family_WORD                               word2
+-#define featurelevel_1_SHIFT                  16
+-#define featurelevel_1_MASK                   0x000000ff
+-#define featurelevel_1_WORD                   word2
+-#define featurelevel_2_SHIFT                  24
+-#define featurelevel_2_MASK                   0x0000001f
+-#define featurelevel_2_WORD                   word2
+-      uint32_t word3;
+-#define fcoe_SHIFT                            0
+-#define fcoe_MASK                             0x00000001
+-#define fcoe_WORD                             word3
+-#define fc_SHIFT                              1
+-#define fc_MASK                                       0x00000001
+-#define fc_WORD                                       word3
+-#define nic_SHIFT                             2
+-#define nic_MASK                              0x00000001
+-#define nic_WORD                              word3
+-#define iscsi_SHIFT                           3
+-#define iscsi_MASK                            0x00000001
+-#define iscsi_WORD                            word3
+-#define rdma_SHIFT                            4
+-#define rdma_MASK                             0x00000001
+-#define rdma_WORD                             word3
+-      uint32_t sge_supp_len;
+-#define SLI4_PAGE_SIZE 4096
+-      uint32_t word5;
+-#define if_page_sz_SHIFT                      0
+-#define if_page_sz_MASK                               0x0000ffff
+-#define if_page_sz_WORD                               word5
+-#define loopbk_scope_SHIFT                    24
+-#define loopbk_scope_MASK                     0x0000000f
+-#define loopbk_scope_WORD                     word5
+-#define rq_db_window_SHIFT                    28
+-#define rq_db_window_MASK                     0x0000000f
+-#define rq_db_window_WORD                     word5
+-      uint32_t word6;
+-#define eq_pages_SHIFT                                0
+-#define eq_pages_MASK                         0x0000000f
+-#define eq_pages_WORD                         word6
+-#define eqe_size_SHIFT                                8
+-#define eqe_size_MASK                         0x000000ff
+-#define eqe_size_WORD                         word6
+-      uint32_t word7;
+-#define cq_pages_SHIFT                                0
+-#define cq_pages_MASK                         0x0000000f
+-#define cq_pages_WORD                         word7
+-#define cqe_size_SHIFT                                8
+-#define cqe_size_MASK                         0x000000ff
+-#define cqe_size_WORD                         word7
+-      uint32_t word8;
+-#define mq_pages_SHIFT                                0
+-#define mq_pages_MASK                         0x0000000f
+-#define mq_pages_WORD                         word8
+-#define mqe_size_SHIFT                                8
+-#define mqe_size_MASK                         0x000000ff
+-#define mqe_size_WORD                         word8
+-#define mq_elem_cnt_SHIFT                     16
+-#define mq_elem_cnt_MASK                      0x000000ff
+-#define mq_elem_cnt_WORD                      word8
+-      uint32_t word9;
+-#define wq_pages_SHIFT                                0
+-#define wq_pages_MASK                         0x0000ffff
+-#define wq_pages_WORD                         word9
+-#define wqe_size_SHIFT                                8
+-#define wqe_size_MASK                         0x000000ff
+-#define wqe_size_WORD                         word9
+-      uint32_t word10;
+-#define rq_pages_SHIFT                                0
+-#define rq_pages_MASK                         0x0000ffff
+-#define rq_pages_WORD                         word10
+-#define rqe_size_SHIFT                                8
+-#define rqe_size_MASK                         0x000000ff
+-#define rqe_size_WORD                         word10
+-      uint32_t word11;
+-#define hdr_pages_SHIFT                               0
+-#define hdr_pages_MASK                                0x0000000f
+-#define hdr_pages_WORD                                word11
+-#define hdr_size_SHIFT                                8
+-#define hdr_size_MASK                         0x0000000f
+-#define hdr_size_WORD                         word11
+-#define hdr_pp_align_SHIFT                    16
+-#define hdr_pp_align_MASK                     0x0000ffff
+-#define hdr_pp_align_WORD                     word11
+-      uint32_t word12;
+-#define sgl_pages_SHIFT                               0
+-#define sgl_pages_MASK                                0x0000000f
+-#define sgl_pages_WORD                                word12
+-#define sgl_pp_align_SHIFT                    16
+-#define sgl_pp_align_MASK                     0x0000ffff
+-#define sgl_pp_align_WORD                     word12
+-      uint32_t rsvd_13_63[51];
+-};
+ #define SLI4_PAGE_ALIGN(addr) (((addr)+((SLI4_PAGE_SIZE)-1)) \
+                              &(~((SLI4_PAGE_SIZE)-1)))
+ 
+@@ -3854,8 +3684,6 @@ struct lpfc_mqe {
+               struct lpfc_mbx_post_hdr_tmpl hdr_tmpl;
+               struct lpfc_mbx_query_fw_config query_fw_cfg;
+               struct lpfc_mbx_set_beacon_config beacon_config;
+-              struct lpfc_mbx_supp_pages supp_pages;
+-              struct lpfc_mbx_pc_sli4_params sli4_params;
+               struct lpfc_mbx_get_sli4_parameters get_sli4_parameters;
+               struct lpfc_mbx_set_link_diag_state link_diag_state;
+               struct lpfc_mbx_set_link_diag_loopback link_diag_loopback;
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index 57510a831735..c6caacaa3e7a 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -5854,8 +5854,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
+       LPFC_MBOXQ_t *mboxq;
+       MAILBOX_t *mb;
+       int rc, i, max_buf_size;
+-      uint8_t pn_page[LPFC_MAX_SUPPORTED_PAGES] = {0};
+-      struct lpfc_mqe *mqe;
+       int longs;
+       int fof_vectors = 0;
+       int extra;
+@@ -6150,32 +6148,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
+ 
+       lpfc_nvme_mod_param_dep(phba);
+ 
+-      /* Get the Supported Pages if PORT_CAPABILITIES is supported by port. */
+-      lpfc_supported_pages(mboxq);
+-      rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL);
+-      if (!rc) {
+-              mqe = &mboxq->u.mqe;
+-              memcpy(&pn_page[0], ((uint8_t *)&mqe->un.supp_pages.word3),
+-                     LPFC_MAX_SUPPORTED_PAGES);
+-              for (i = 0; i < LPFC_MAX_SUPPORTED_PAGES; i++) {
+-                      switch (pn_page[i]) {
+-                      case LPFC_SLI4_PARAMETERS:
+-                              phba->sli4_hba.pc_sli4_params.supported = 1;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+-              }
+-              /* Read the port's SLI4 Parameters capabilities if supported. */
+-              if (phba->sli4_hba.pc_sli4_params.supported)
+-                      rc = lpfc_pc_sli4_params_get(phba, mboxq);
+-              if (rc) {
+-                      mempool_free(mboxq, phba->mbox_mem_pool);
+-                      rc = -EIO;
+-                      goto out_free_bsmbx;
+-              }
+-      }
+-
+       /*
+        * Get sli4 parameters that override parameters from Port capabilities.
+        * If this call fails, it isn't critical unless the SLI4 parameters come
+@@ -10517,78 +10489,6 @@ lpfc_sli4_hba_unset(struct lpfc_hba *phba)
+       phba->pport->work_port_events = 0;
+ }
+ 
+- /**
+- * lpfc_pc_sli4_params_get - Get the SLI4_PARAMS port capabilities.
+- * @phba: Pointer to HBA context object.
+- * @mboxq: Pointer to the mailboxq memory for the mailbox command response.
+- *
+- * This function is called in the SLI4 code path to read the port's
+- * sli4 capabilities.
+- *
+- * This function may be be called from any context that can block-wait
+- * for the completion.  The expectation is that this routine is called
+- * typically from probe_one or from the online routine.
+- **/
+-int
+-lpfc_pc_sli4_params_get(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq)
+-{
+-      int rc;
+-      struct lpfc_mqe *mqe;
+-      struct lpfc_pc_sli4_params *sli4_params;
+-      uint32_t mbox_tmo;
+-
+-      rc = 0;
+-      mqe = &mboxq->u.mqe;
+-
+-      /* Read the port's SLI4 Parameters port capabilities */
+-      lpfc_pc_sli4_params(mboxq);
+-      if (!phba->sli4_hba.intr_enable)
+-              rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL);
+-      else {
+-              mbox_tmo = lpfc_mbox_tmo_val(phba, mboxq);
+-              rc = lpfc_sli_issue_mbox_wait(phba, mboxq, mbox_tmo);
+-      }
+-
+-      if (unlikely(rc))
+-              return 1;
+-
+-      sli4_params = &phba->sli4_hba.pc_sli4_params;
+-      sli4_params->if_type = bf_get(if_type, &mqe->un.sli4_params);
+-      sli4_params->sli_rev = bf_get(sli_rev, &mqe->un.sli4_params);
+-      sli4_params->sli_family = bf_get(sli_family, &mqe->un.sli4_params);
+-      sli4_params->featurelevel_1 = bf_get(featurelevel_1,
+-                                           &mqe->un.sli4_params);
+-      sli4_params->featurelevel_2 = bf_get(featurelevel_2,
+-                                           &mqe->un.sli4_params);
+-      sli4_params->proto_types = mqe->un.sli4_params.word3;
+-      sli4_params->sge_supp_len = mqe->un.sli4_params.sge_supp_len;
+-      sli4_params->if_page_sz = bf_get(if_page_sz, &mqe->un.sli4_params);
+-      sli4_params->rq_db_window = bf_get(rq_db_window, &mqe->un.sli4_params);
+-      sli4_params->loopbk_scope = bf_get(loopbk_scope, &mqe->un.sli4_params);
+-      sli4_params->eq_pages_max = bf_get(eq_pages, &mqe->un.sli4_params);
+-      sli4_params->eqe_size = bf_get(eqe_size, &mqe->un.sli4_params);
+-      sli4_params->cq_pages_max = bf_get(cq_pages, &mqe->un.sli4_params);
+-      sli4_params->cqe_size = bf_get(cqe_size, &mqe->un.sli4_params);
+-      sli4_params->mq_pages_max = bf_get(mq_pages, &mqe->un.sli4_params);
+-      sli4_params->mqe_size = bf_get(mqe_size, &mqe->un.sli4_params);
+-      sli4_params->mq_elem_cnt = bf_get(mq_elem_cnt, &mqe->un.sli4_params);
+-      sli4_params->wq_pages_max = bf_get(wq_pages, &mqe->un.sli4_params);
+-      sli4_params->wqe_size = bf_get(wqe_size, &mqe->un.sli4_params);
+-      sli4_params->rq_pages_max = bf_get(rq_pages, &mqe->un.sli4_params);
+-      sli4_params->rqe_size = bf_get(rqe_size, &mqe->un.sli4_params);
+-      sli4_params->hdr_pages_max = bf_get(hdr_pages, &mqe->un.sli4_params);
+-      sli4_params->hdr_size = bf_get(hdr_size, &mqe->un.sli4_params);
+-      sli4_params->hdr_pp_align = bf_get(hdr_pp_align, &mqe->un.sli4_params);
+-      sli4_params->sgl_pages_max = bf_get(sgl_pages, &mqe->un.sli4_params);
+-      sli4_params->sgl_pp_align = bf_get(sgl_pp_align, &mqe->un.sli4_params);
+-
+-      /* Make sure that sge_supp_len can be handled by the driver */
+-      if (sli4_params->sge_supp_len > LPFC_MAX_SGE_SIZE)
+-              sli4_params->sge_supp_len = LPFC_MAX_SGE_SIZE;
+-
+-      return rc;
+-}
+-
+ /**
+  * lpfc_get_sli4_parameters - Get the SLI4 Config PARAMETERS.
+  * @phba: Pointer to HBA context object.
+@@ -10647,7 +10547,8 @@ lpfc_get_sli4_parameters(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq)
+       else
+               phba->sli3_options &= ~LPFC_SLI4_PHWQ_ENABLED;
+       sli4_params->sge_supp_len = mbx_sli4_parameters->sge_supp_len;
+-      sli4_params->loopbk_scope = bf_get(loopbk_scope, mbx_sli4_parameters);
++      sli4_params->loopbk_scope = bf_get(cfg_loopbk_scope,
++                                         mbx_sli4_parameters);
+       sli4_params->oas_supported = bf_get(cfg_oas, mbx_sli4_parameters);
+       sli4_params->cqv = bf_get(cfg_cqv, mbx_sli4_parameters);
+       sli4_params->mqv = bf_get(cfg_mqv, mbx_sli4_parameters);
+diff --git a/drivers/scsi/lpfc/lpfc_mbox.c b/drivers/scsi/lpfc/lpfc_mbox.c
+index e6bf5e8bc767..a4c382d2ce79 100644
+--- a/drivers/scsi/lpfc/lpfc_mbox.c
++++ b/drivers/scsi/lpfc/lpfc_mbox.c
+@@ -2622,39 +2622,3 @@ lpfc_resume_rpi(struct lpfcMboxq *mbox, struct lpfc_nodelist *ndlp)
+       resume_rpi->event_tag = ndlp->phba->fc_eventTag;
+ }
+ 
+-/**
+- * lpfc_supported_pages - Initialize the PORT_CAPABILITIES supported pages
+- *                        mailbox command.
+- * @mbox: pointer to lpfc mbox command to initialize.
+- *
+- * The PORT_CAPABILITIES supported pages mailbox command is issued to
+- * retrieve the particular feature pages supported by the port.
+- **/
+-void
+-lpfc_supported_pages(struct lpfcMboxq *mbox)
+-{
+-      struct lpfc_mbx_supp_pages *supp_pages;
+-
+-      memset(mbox, 0, sizeof(*mbox));
+-      supp_pages = &mbox->u.mqe.un.supp_pages;
+-      bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES);
+-      bf_set(cpn, supp_pages, LPFC_SUPP_PAGES);
+-}
+-
+-/**
+- * lpfc_pc_sli4_params - Initialize the PORT_CAPABILITIES SLI4 Params mbox cmd.
+- * @mbox: pointer to lpfc mbox command to initialize.
+- *
+- * The PORT_CAPABILITIES SLI4 parameters mailbox command is issued to
+- * retrieve the particular SLI4 features supported by the port.
+- **/
+-void
+-lpfc_pc_sli4_params(struct lpfcMboxq *mbox)
+-{
+-      struct lpfc_mbx_pc_sli4_params *sli4_params;
+-
+-      memset(mbox, 0, sizeof(*mbox));
+-      sli4_params = &mbox->u.mqe.un.sli4_params;
+-      bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES);
+-      bf_set(cpn, sli4_params, LPFC_SLI4_PARAMETERS);
+-}
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch b/queue-4.19/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
new file mode 100644 (file)
index 0000000..eb2e2a7
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
@@ -0,0 +1,60 @@
+From dbeeab17dbbf7e47689b64778c6b3c5f820d90e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Mar 2021 16:23:58 -0700
+Subject: scsi: qla2xxx: Always check the return value of
+ qla24xx_get_isp_stats()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a2b2cc660822cae08c351c7f6b452bfd1330a4f7 ]
+
+This patch fixes the following Coverity warning:
+
+    CID 361199 (#1 of 1): Unchecked return value (CHECKED_RETURN)
+    3. check_return: Calling qla24xx_get_isp_stats without checking return
+    value (as is done elsewhere 4 out of 5 times).
+
+Link: https://lore.kernel.org/r/20210320232359.941-7-bvanassche@acm.org
+Cc: Quinn Tran <qutran@marvell.com>
+Cc: Mike Christie <michael.christie@oracle.com>
+Cc: Himanshu Madhani <himanshu.madhani@oracle.com>
+Cc: Daniel Wagner <dwagner@suse.de>
+Cc: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 0ab9d2fd4a14..d46a10d24ed4 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -1934,6 +1934,8 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost)
+       vha->qla_stats.jiffies_at_last_reset = get_jiffies_64();
+ 
+       if (IS_FWI2_CAPABLE(ha)) {
++              int rval;
++
+               stats = dma_alloc_coherent(&ha->pdev->dev,
+                   sizeof(*stats), &stats_dma, GFP_KERNEL);
+               if (!stats) {
+@@ -1943,7 +1945,11 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost)
+               }
+ 
+               /* reset firmware statistics */
+-              qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0);
++              rval = qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0);
++              if (rval != QLA_SUCCESS)
++                      ql_log(ql_log_warn, vha, 0x70de,
++                             "Resetting ISP statistics failed: rval = %d\n",
++                             rval);
+ 
+               dma_free_coherent(&ha->pdev->dev, sizeof(*stats),
+                   stats, stats_dma);
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-qla2xxx-fix-use-after-free-in-bsg.patch b/queue-4.19/scsi-qla2xxx-fix-use-after-free-in-bsg.patch
new file mode 100644 (file)
index 0000000..4b8a772
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-fix-use-after-free-in-bsg.patch
@@ -0,0 +1,61 @@
+From cb600369621bc6768610aefd8f68759d87b64f63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 01:52:22 -0700
+Subject: scsi: qla2xxx: Fix use after free in bsg
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit 2ce35c0821afc2acd5ee1c3f60d149f8b2520ce8 ]
+
+On bsg command completion, bsg_job_done() was called while qla driver
+continued to access the bsg_job buffer. bsg_job_done() would free up
+resources that ended up being reused by other task while the driver
+continued to access the buffers. As a result, driver was reading garbage
+data.
+
+localhost kernel: BUG: KASAN: use-after-free in sg_next+0x64/0x80
+localhost kernel: Read of size 8 at addr ffff8883228a3330 by task swapper/26/0
+localhost kernel:
+localhost kernel: CPU: 26 PID: 0 Comm: swapper/26 Kdump:
+loaded Tainted: G          OE    --------- -  - 4.18.0-193.el8.x86_64+debug #1
+localhost kernel: Hardware name: HP ProLiant DL360
+Gen9/ProLiant DL360 Gen9, BIOS P89 08/12/2016
+localhost kernel: Call Trace:
+localhost kernel: <IRQ>
+localhost kernel: dump_stack+0x9a/0xf0
+localhost kernel: print_address_description.cold.3+0x9/0x23b
+localhost kernel: kasan_report.cold.4+0x65/0x95
+localhost kernel: debug_dma_unmap_sg.part.12+0x10d/0x2d0
+localhost kernel: qla2x00_bsg_sp_free+0xaf6/0x1010 [qla2xxx]
+
+Link: https://lore.kernel.org/r/20210329085229.4367-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
+index 47f062e96e62..eae166572964 100644
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -19,10 +19,11 @@ qla2x00_bsg_job_done(void *ptr, int res)
+       struct bsg_job *bsg_job = sp->u.bsg_job;
+       struct fc_bsg_reply *bsg_reply = bsg_job->reply;
+ 
++      sp->free(sp);
++
+       bsg_reply->result = res;
+       bsg_job_done(bsg_job, bsg_reply->result,
+                      bsg_reply->reply_payload_rcv_len);
+-      sp->free(sp);
+ }
+ 
+ void
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch b/queue-4.19/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
new file mode 100644 (file)
index 0000000..cc22d89
--- /dev/null
+++ b/queue-4.19/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
@@ -0,0 +1,42 @@
+From 36f58fb7deb53c94b10eee2608de20fd970cab14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 16:11:54 -0400
+Subject: scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+[ Upstream commit bc3f2b42b70eb1b8576e753e7d0e117bbb674496 ]
+
+Some arrays return ILLEGAL_REQUEST with ASC 00h if they don't support the
+RTPG extended header so remove the check for INVALID FIELD IN CDB.
+
+Link: https://lore.kernel.org/r/20210331201154.20348-1-emilne@redhat.com
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 60c48dc5d945..efd2b4312528 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -579,10 +579,11 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
+                * even though it shouldn't according to T10.
+                * The retry without rtpg_ext_hdr_req set
+                * handles this.
++               * Note:  some arrays return a sense key of ILLEGAL_REQUEST
++               * with ASC 00h if they don't support the extended header.
+                */
+               if (!(pg->flags & ALUA_RTPG_EXT_HDR_UNSUPP) &&
+-                  sense_hdr.sense_key == ILLEGAL_REQUEST &&
+-                  sense_hdr.asc == 0x24 && sense_hdr.ascq == 0) {
++                  sense_hdr.sense_key == ILLEGAL_REQUEST) {
+                       pg->flags |= ALUA_RTPG_EXT_HDR_UNSUPP;
+                       goto retry;
+               }
+-- 
+2.30.2
+

diff --git a/queue-4.19/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch b/queue-4.19/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
new file mode 100644 (file)
index 0000000..821776b
--- /dev/null
+++ b/queue-4.19/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
@@ -0,0 +1,46 @@
+From 68d9931e7b6a1998ef6d212496346e21e649d95c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Feb 2021 21:56:26 -0800
+Subject: scsi: target: pscsi: Fix warning in pscsi_complete_cmd()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+
+[ Upstream commit fd48c056a32ed6e7754c7c475490f3bed54ed378 ]
+
+This fixes a compilation warning in pscsi_complete_cmd():
+
+     drivers/target/target_core_pscsi.c: In function ‘pscsi_complete_cmd’:
+     drivers/target/target_core_pscsi.c:624:5: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+     ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
+
+Link: https://lore.kernel.org/r/20210228055645.22253-5-chaitanya.kulkarni@wdc.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pscsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index 02c4e3beb264..1b52cd4d793f 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -633,8 +633,9 @@ static void pscsi_complete_cmd(struct se_cmd *cmd, u8 scsi_status,
+                       unsigned char *buf;
+ 
+                       buf = transport_kmap_data_sg(cmd);
+-                      if (!buf)
++                      if (!buf) {
+                               ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
++                      }
+ 
+                       if (cdb[0] == MODE_SENSE_10) {
+                               if (!(buf[3] & 0x80))
+-- 
+2.30.2
+

diff --git a/queue-4.19/series b/queue-4.19/series
index b2a3e7d090d72b84d0de59de60fa118d90cc7c9a..2802d620f4faf53a8fda2d0131b7c58268c02512 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -20,3 +20,55 @@ cifs-return-correct-error-code-from-smb2_get_enc_key.patch
 btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch
 intel_th-pci-add-rocket-lake-cpu-support.patch
 fbdev-zero-fill-colormap-in-fbcmap.c.patch
+staging-wimax-i2400m-fix-byte-order-issue.patch
+crypto-api-check-for-err-pointers-in-crypto_destroy_.patch
+usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
+genirq-matrix-prevent-allocation-counter-corruption.patch
+usb-gadget-f_uac1-validate-input-parameters.patch
+usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
+usb-xhci-fix-port-minor-revision.patch
+pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
+x86-build-propagate-clang_flags-to-realmode_flags.patch
+tee-optee-do-not-check-memref-size-on-return-from-se.patch
+perf-arm_pmu_platform-fix-error-handling.patch
+usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch
+xhci-check-control-context-is-valid-before-dereferen.patch
+xhci-fix-potential-array-out-of-bounds-with-several-.patch
+spi-dln2-fix-reference-leak-to-master.patch
+spi-omap-100k-fix-reference-leak-to-master.patch
+intel_th-consistency-and-off-by-one-fix.patch
+phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
+crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch
+btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
+scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch
+scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch
+scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
+media-ite-cir-check-for-receive-overflow.patch
+media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch
+power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch
+extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
+media-media-saa7164-fix-saa7164_encoder_register-mem.patch
+media-gspca-sq905.c-fix-uninitialized-variable.patch
+power-supply-use-irqf_oneshot.patch
+drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch
+scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
+scsi-qla2xxx-fix-use-after-free-in-bsg.patch
+scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
+media-em28xx-fix-memory-leak.patch
+media-vivid-update-edid.patch
+clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
+power-supply-generic-adc-battery-fix-possible-use-af.patch
+power-supply-s3c_adc_battery-fix-possible-use-after-.patch
+media-tc358743-fix-possible-use-after-free-in-tc3587.patch
+media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
+media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
+media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
+media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
+media-gscpa-stv06xx-fix-memory-leak.patch
+drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
+amdgpu-avoid-incorrect-hu-format-string.patch
+drm-amdgpu-fix-null-pointer-dereference.patch
+scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
+scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch
+scsi-libfc-fix-a-format-specifier.patch
+s390-archrandom-add-parameter-check-for-s390_arch_ra.patch

diff --git a/queue-4.19/spi-dln2-fix-reference-leak-to-master.patch b/queue-4.19/spi-dln2-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..eca20e1
--- /dev/null
+++ b/queue-4.19/spi-dln2-fix-reference-leak-to-master.patch
@@ -0,0 +1,40 @@
+From 49c31e5f77d6bc63a7b7b81db6866f76a252f02c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:55 +0000
+Subject: spi: dln2: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9b844b087124c1538d05f40fda8a4fec75af55be ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082955.2907950-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dln2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dln2.c b/drivers/spi/spi-dln2.c
+index b62a99caacc0..a41adea48618 100644
+--- a/drivers/spi/spi-dln2.c
++++ b/drivers/spi/spi-dln2.c
+@@ -783,7 +783,7 @@ exit_free_master:
+ 
+ static int dln2_spi_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct dln2_spi *dln2 = spi_master_get_devdata(master);
+ 
+       pm_runtime_disable(&pdev->dev);
+-- 
+2.30.2
+

diff --git a/queue-4.19/spi-omap-100k-fix-reference-leak-to-master.patch b/queue-4.19/spi-omap-100k-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..d9d52e8
--- /dev/null
+++ b/queue-4.19/spi-omap-100k-fix-reference-leak-to-master.patch
@@ -0,0 +1,58 @@
+From 49f3eae25592a5e6ea87289873a9d325c4f3ce2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:54 +0000
+Subject: spi: omap-100k: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit a23faea76d4cf5f75decb574491e66f9ecd707e7 ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082954.2906933-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index 76a8425be227..1eccdc4a4581 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -435,7 +435,7 @@ err:
+ 
+ static int omap1_spi100k_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+ 
+       pm_runtime_disable(&pdev->dev);
+@@ -449,7 +449,7 @@ static int omap1_spi100k_remove(struct platform_device *pdev)
+ #ifdef CONFIG_PM
+ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+ 
+       clk_disable_unprepare(spi100k->ick);
+@@ -460,7 +460,7 @@ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ 
+ static int omap1_spi100k_runtime_resume(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       int ret;
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.19/staging-wimax-i2400m-fix-byte-order-issue.patch b/queue-4.19/staging-wimax-i2400m-fix-byte-order-issue.patch
new file mode 100644 (file)
index 0000000..ee252f9
--- /dev/null
+++ b/queue-4.19/staging-wimax-i2400m-fix-byte-order-issue.patch
@@ -0,0 +1,36 @@
+From aaff7ed9340abcb71358496d1ac8a8c63b015a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Feb 2021 21:01:05 +0530
+Subject: staging: wimax/i2400m: fix byte-order issue
+
+From: karthik alapati <mail@karthek.com>
+
+[ Upstream commit 0c37baae130df39b19979bba88bde2ee70a33355 ]
+
+fix sparse byte-order warnings by converting host byte-order
+type to __le16 byte-order types before assigning to hdr.length
+
+Signed-off-by: karthik alapati <mail@karthek.com>
+Link: https://lore.kernel.org/r/0ae5c5c4c646506d8be871e7be5705542671a1d5.1613921277.git.mail@karthek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c
+index dc6fe93ce71f..e8473047b2d1 100644
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -101,7 +101,7 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev,
+       if (cmd == NULL)
+               goto error_alloc;
+       cmd->hdr.type = cpu_to_le16(I2400M_MT_CMD_RF_CONTROL);
+-      cmd->hdr.length = sizeof(cmd->sw_rf);
++      cmd->hdr.length = cpu_to_le16(sizeof(cmd->sw_rf));
+       cmd->hdr.version = cpu_to_le16(I2400M_L3L4_VERSION);
+       cmd->sw_rf.hdr.type = cpu_to_le16(I2400M_TLV_RF_OPERATION);
+       cmd->sw_rf.hdr.length = cpu_to_le16(sizeof(cmd->sw_rf.status));
+-- 
+2.30.2
+

diff --git a/queue-4.19/tee-optee-do-not-check-memref-size-on-return-from-se.patch b/queue-4.19/tee-optee-do-not-check-memref-size-on-return-from-se.patch
new file mode 100644 (file)
index 0000000..2b7b06a
--- /dev/null
+++ b/queue-4.19/tee-optee-do-not-check-memref-size-on-return-from-se.patch
@@ -0,0 +1,54 @@
+From 7870482acee573d6f6cc80d4d2ced86ede270597 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 11:40:37 +0100
+Subject: tee: optee: do not check memref size on return from Secure World
+
+From: Jerome Forissier <jerome@forissier.org>
+
+[ Upstream commit c650b8dc7a7910eb25af0aac1720f778b29e679d ]
+
+When Secure World returns, it may have changed the size attribute of the
+memory references passed as [in/out] parameters. The GlobalPlatform TEE
+Internal Core API specification does not restrict the values that this
+size can take. In particular, Secure World may increase the value to be
+larger than the size of the input buffer to indicate that it needs more.
+
+Therefore, the size check in optee_from_msg_param() is incorrect and
+needs to be removed. This fixes a number of failed test cases in the
+GlobalPlatform TEE Initial Configuratiom Test Suite v2_0_0_0-2017_06_09
+when OP-TEE is compiled without dynamic shared memory support
+(CFG_CORE_DYN_SHM=n).
+
+Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
+Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Jerome Forissier <jerome@forissier.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tee/optee/core.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
+index 2f254f957b0a..1d71fcb13dba 100644
+--- a/drivers/tee/optee/core.c
++++ b/drivers/tee/optee/core.c
+@@ -87,16 +87,6 @@ int optee_from_msg_param(struct tee_param *params, size_t num_params,
+                               return rc;
+                       p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa;
+                       p->u.memref.shm = shm;
+-
+-                      /* Check that the memref is covered by the shm object */
+-                      if (p->u.memref.size) {
+-                              size_t o = p->u.memref.shm_offs +
+-                                         p->u.memref.size - 1;
+-
+-                              rc = tee_shm_get_pa(shm, o, NULL);
+-                              if (rc)
+-                                      return rc;
+-                      }
+                       break;
+               case OPTEE_MSG_ATTR_TYPE_RMEM_INPUT:
+               case OPTEE_MSG_ATTR_TYPE_RMEM_OUTPUT:
+-- 
+2.30.2
+

diff --git a/queue-4.19/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch b/queue-4.19/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
new file mode 100644 (file)
index 0000000..59d2f4d
--- /dev/null
+++ b/queue-4.19/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
@@ -0,0 +1,48 @@
+From 35bbeae240b73b1371077002d01a6dc7aab39314 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 02:31:25 -0700
+Subject: usb: dwc3: gadget: Ignore EP queue requests during bus reset
+
+From: Wesley Cheng <wcheng@codeaurora.org>
+
+[ Upstream commit 71ca43f30df9c642970f9dc9b2d6f463f4967e7b ]
+
+The current dwc3_gadget_reset_interrupt() will stop any active
+transfers, but only addresses blocking of EP queuing for while we are
+coming from a disconnected scenario, i.e. after receiving the disconnect
+event.  If the host decides to issue a bus reset on the device, the
+connected parameter will still be set to true, allowing for EP queuing
+to continue while we are disabling the functions.  To avoid this, set the
+connected flag to false until the stop active transfers is complete.
+
+Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
+Link: https://lore.kernel.org/r/1616146285-19149-3-git-send-email-wcheng@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index a0806dca3de9..f28eb541fad3 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2717,6 +2717,15 @@ static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
+ 
+       dwc->connected = true;
+ 
++      /*
++       * Ideally, dwc3_reset_gadget() would trigger the function
++       * drivers to stop any active transfers through ep disable.
++       * However, for functions which defer ep disable, such as mass
++       * storage, we will need to rely on the call to stop active
++       * transfers here, and avoid allowing of request queuing.
++       */
++      dwc->connected = false;
++
+       /*
+        * WORKAROUND: DWC3 revisions <1.88a have an issue which
+        * would cause a missing Disconnect Event if there's a
+-- 
+2.30.2
+

diff --git a/queue-4.19/usb-gadget-f_uac1-validate-input-parameters.patch b/queue-4.19/usb-gadget-f_uac1-validate-input-parameters.patch
new file mode 100644 (file)
index 0000000..9712fea
--- /dev/null
+++ b/queue-4.19/usb-gadget-f_uac1-validate-input-parameters.patch
@@ -0,0 +1,113 @@
+From 194d6e83d9e94a3adda563415432862e437f7e90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 13:49:34 +0200
+Subject: usb: gadget: f_uac1: validate input parameters
+
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+
+[ Upstream commit a59c68a6a3d1b18e2494f526eb19893a34fa6ec6 ]
+
+Currently user can configure UAC1 function with
+parameters that violate UAC1 spec or are not supported
+by UAC1 gadget implementation.
+
+This can lead to incorrect behavior if such gadget
+is connected to the host - like enumeration failure
+or other issues depending on host's UAC1 driver
+implementation, bringing user to a long hours
+of debugging the issue.
+
+Instead of silently accept these parameters, throw
+an error if they are not valid.
+
+Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Link: https://lore.kernel.org/r/1614599375-8803-5-git-send-email-ruslan.bilovol@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac1.c | 43 ++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c
+index a215c836eba4..41e7b29f58df 100644
+--- a/drivers/usb/gadget/function/f_uac1.c
++++ b/drivers/usb/gadget/function/f_uac1.c
+@@ -19,6 +19,9 @@
+ #include "u_audio.h"
+ #include "u_uac1.h"
+ 
++/* UAC1 spec: 3.7.2.3 Audio Channel Cluster Format */
++#define UAC1_CHANNEL_MASK 0x0FFF
++
+ struct f_uac1 {
+       struct g_audio g_audio;
+       u8 ac_intf, as_in_intf, as_out_intf;
+@@ -30,6 +33,11 @@ static inline struct f_uac1 *func_to_uac1(struct usb_function *f)
+       return container_of(f, struct f_uac1, g_audio.func);
+ }
+ 
++static inline struct f_uac1_opts *g_audio_to_uac1_opts(struct g_audio *audio)
++{
++      return container_of(audio->func.fi, struct f_uac1_opts, func_inst);
++}
++
+ /*
+  * DESCRIPTORS ... most are static, but strings and full
+  * configuration descriptors are built on demand.
+@@ -505,11 +513,42 @@ static void f_audio_disable(struct usb_function *f)
+ 
+ /*-------------------------------------------------------------------------*/
+ 
++static int f_audio_validate_opts(struct g_audio *audio, struct device *dev)
++{
++      struct f_uac1_opts *opts = g_audio_to_uac1_opts(audio);
++
++      if (!opts->p_chmask && !opts->c_chmask) {
++              dev_err(dev, "Error: no playback and capture channels\n");
++              return -EINVAL;
++      } else if (opts->p_chmask & ~UAC1_CHANNEL_MASK) {
++              dev_err(dev, "Error: unsupported playback channels mask\n");
++              return -EINVAL;
++      } else if (opts->c_chmask & ~UAC1_CHANNEL_MASK) {
++              dev_err(dev, "Error: unsupported capture channels mask\n");
++              return -EINVAL;
++      } else if ((opts->p_ssize < 1) || (opts->p_ssize > 4)) {
++              dev_err(dev, "Error: incorrect playback sample size\n");
++              return -EINVAL;
++      } else if ((opts->c_ssize < 1) || (opts->c_ssize > 4)) {
++              dev_err(dev, "Error: incorrect capture sample size\n");
++              return -EINVAL;
++      } else if (!opts->p_srate) {
++              dev_err(dev, "Error: incorrect playback sampling rate\n");
++              return -EINVAL;
++      } else if (!opts->c_srate) {
++              dev_err(dev, "Error: incorrect capture sampling rate\n");
++              return -EINVAL;
++      }
++
++      return 0;
++}
++
+ /* audio function driver setup/binding */
+ static int f_audio_bind(struct usb_configuration *c, struct usb_function *f)
+ {
+       struct usb_composite_dev        *cdev = c->cdev;
+       struct usb_gadget               *gadget = cdev->gadget;
++      struct device                   *dev = &gadget->dev;
+       struct f_uac1                   *uac1 = func_to_uac1(f);
+       struct g_audio                  *audio = func_to_g_audio(f);
+       struct f_uac1_opts              *audio_opts;
+@@ -519,6 +558,10 @@ static int f_audio_bind(struct usb_configuration *c, struct usb_function *f)
+       int                             rate;
+       int                             status;
+ 
++      status = f_audio_validate_opts(audio, dev);
++      if (status)
++              return status;
++
+       audio_opts = container_of(f->fi, struct f_uac1_opts, func_inst);
+ 
+       us = usb_gstrings_attach(cdev, uac1_strings, ARRAY_SIZE(strings_uac1));
+-- 
+2.30.2
+

diff --git a/queue-4.19/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch b/queue-4.19/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
new file mode 100644 (file)
index 0000000..ad485d6
--- /dev/null
+++ b/queue-4.19/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
@@ -0,0 +1,52 @@
+From c193e53c0407452ed31f5329a45331d47df8b8d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 13:53:38 +0100
+Subject: usb: gadget: uvc: add bInterval checking for HS mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+[ Upstream commit 26adde04acdff14a1f28d4a5dce46a8513a3038b ]
+
+Patch adds extra checking for bInterval passed by configfs.
+The 5.6.4 chapter of USB Specification (rev. 2.0) say:
+"A high-bandwidth endpoint must specify a period of 1x125 µs
+(i.e., a bInterval value of 1)."
+
+The issue was observed during testing UVC class on CV.
+I treat this change as improvement because we can control
+bInterval by configfs.
+
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20210308125338.4824-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
+index d8ce7868fe22..169e73ed128c 100644
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -645,7 +645,12 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
+ 
+       uvc_hs_streaming_ep.wMaxPacketSize =
+               cpu_to_le16(max_packet_size | ((max_packet_mult - 1) << 11));
+-      uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
++
++      /* A high-bandwidth endpoint must specify a bInterval value of 1 */
++      if (max_packet_mult > 1)
++              uvc_hs_streaming_ep.bInterval = 1;
++      else
++              uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
+ 
+       uvc_ss_streaming_ep.wMaxPacketSize = cpu_to_le16(max_packet_size);
+       uvc_ss_streaming_ep.bInterval = opts->streaming_interval;
+-- 
+2.30.2
+

diff --git a/queue-4.19/usb-xhci-fix-port-minor-revision.patch b/queue-4.19/usb-xhci-fix-port-minor-revision.patch
new file mode 100644 (file)
index 0000000..5bd8f72
--- /dev/null
+++ b/queue-4.19/usb-xhci-fix-port-minor-revision.patch
@@ -0,0 +1,51 @@
+From ffb188f78b3e2c3535670cf31bc3724be8df7f79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 19:43:21 -0800
+Subject: usb: xhci: Fix port minor revision
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit 64364bc912c01b33bba6c22e3ccb849bfca96398 ]
+
+Some hosts incorrectly use sub-minor version for minor version (i.e.
+0x02 instead of 0x20 for bcdUSB 0x320 and 0x01 for bcdUSB 0x310).
+Currently the xHCI driver works around this by just checking for minor
+revision > 0x01 for USB 3.1 everywhere. With the addition of USB 3.2,
+checking this gets a bit cumbersome. Since there is no USB release with
+bcdUSB 0x301 to 0x309, we can assume that sub-minor version 01 to 09 is
+incorrect. Let's try to fix this and use the minor revision that matches
+with the USB/xHCI spec to help with the version checking within the
+driver.
+
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/ed330e95a19dc367819c5b4d78bf7a541c35aa0a.1615432770.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 9e87c282a743..2461be2a8748 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2134,6 +2134,15 @@ static void xhci_add_in_port(struct xhci_hcd *xhci, unsigned int num_ports,
+ 
+       if (major_revision == 0x03) {
+               rhub = &xhci->usb3_rhub;
++              /*
++               * Some hosts incorrectly use sub-minor version for minor
++               * version (i.e. 0x02 instead of 0x20 for bcdUSB 0x320 and 0x01
++               * for bcdUSB 0x310). Since there is no USB release with sub
++               * minor version 0x301 to 0x309, we can assume that they are
++               * incorrect and fix it here.
++               */
++              if (minor_revision > 0x00 && minor_revision < 0x10)
++                      minor_revision <<= 4;
+       } else if (major_revision <= 0x02) {
+               rhub = &xhci->usb2_rhub;
+       } else {
+-- 
+2.30.2
+

diff --git a/queue-4.19/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch b/queue-4.19/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch
new file mode 100644 (file)
index 0000000..f2a738e
--- /dev/null
+++ b/queue-4.19/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch
@@ -0,0 +1,58 @@
+From 2383ac19ca62be34af38c3d4e5ddb423c06fcf6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 17:05:53 +0800
+Subject: usb: xhci-mtk: support quirk to disable usb2 lpm
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+[ Upstream commit bee1f89aad2a51cd3339571bc8eadbb0dc88a683 ]
+
+The xHCI driver support usb2 HW LPM by default, here add support
+XHCI_HW_LPM_DISABLE quirk, then we can disable usb2 lpm when
+need it.
+
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/1617181553-3503-4-git-send-email-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mtk.c | 3 +++
+ drivers/usb/host/xhci-mtk.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mtk.c b/drivers/usb/host/xhci-mtk.c
+index 09d5a789fcd5..f4b2e766f195 100644
+--- a/drivers/usb/host/xhci-mtk.c
++++ b/drivers/usb/host/xhci-mtk.c
+@@ -395,6 +395,8 @@ static void xhci_mtk_quirks(struct device *dev, struct xhci_hcd *xhci)
+       xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
+       if (mtk->lpm_support)
+               xhci->quirks |= XHCI_LPM_SUPPORT;
++      if (mtk->u2_lpm_disable)
++              xhci->quirks |= XHCI_HW_LPM_DISABLE;
+ 
+       /*
+        * MTK xHCI 0.96: PSA is 1 by default even if doesn't support stream,
+@@ -467,6 +469,7 @@ static int xhci_mtk_probe(struct platform_device *pdev)
+               return ret;
+ 
+       mtk->lpm_support = of_property_read_bool(node, "usb3-lpm-capable");
++      mtk->u2_lpm_disable = of_property_read_bool(node, "usb2-lpm-disable");
+       /* optional property, ignore the error if it does not exist */
+       of_property_read_u32(node, "mediatek,u3p-dis-msk",
+                            &mtk->u3p_dis_msk);
+diff --git a/drivers/usb/host/xhci-mtk.h b/drivers/usb/host/xhci-mtk.h
+index cc59d80b663b..1601ca9a388e 100644
+--- a/drivers/usb/host/xhci-mtk.h
++++ b/drivers/usb/host/xhci-mtk.h
+@@ -123,6 +123,7 @@ struct xhci_hcd_mtk {
+       struct phy **phys;
+       int num_phys;
+       bool lpm_support;
++      bool u2_lpm_disable;
+       /* usb remote wakeup */
+       bool uwk_en;
+       struct regmap *uwk;
+-- 
+2.30.2
+

diff --git a/queue-4.19/x86-build-propagate-clang_flags-to-realmode_flags.patch b/queue-4.19/x86-build-propagate-clang_flags-to-realmode_flags.patch
new file mode 100644 (file)
index 0000000..64e978c
--- /dev/null
+++ b/queue-4.19/x86-build-propagate-clang_flags-to-realmode_flags.patch
@@ -0,0 +1,66 @@
+From c402fe02554d4f2828a90a88002cbae4397ffb65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:04:33 -0700
+Subject: x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Millikin <john@john-millikin.com>
+
+[ Upstream commit 8abe7fc26ad8f28bfdf78adbed56acd1fa93f82d ]
+
+When cross-compiling with Clang, the `$(CLANG_FLAGS)' variable
+contains additional flags needed to build C and assembly sources
+for the target platform. Normally this variable is automatically
+included in `$(KBUILD_CFLAGS)' via the top-level Makefile.
+
+The x86 real-mode makefile builds `$(REALMODE_CFLAGS)' from a
+plain assignment and therefore drops the Clang flags. This causes
+Clang to not recognize x86-specific assembler directives:
+
+  arch/x86/realmode/rm/header.S:36:1: error: unknown directive
+  .type real_mode_header STT_OBJECT ; .size real_mode_header, .-real_mode_header
+  ^
+
+Explicit propagation of `$(CLANG_FLAGS)' to `$(REALMODE_CFLAGS)',
+which is inherited by real-mode make rules, fixes cross-compilation
+with Clang for x86 targets.
+
+Relevant flags:
+
+* `--target' sets the target architecture when cross-compiling. This
+  flag must be set for both compilation and assembly (`KBUILD_AFLAGS')
+  to support architecture-specific assembler directives.
+
+* `-no-integrated-as' tells clang to assemble with GNU Assembler
+  instead of its built-in LLVM assembler. This flag is set by default
+  unless `LLVM_IAS=1' is set, because the LLVM assembler can't yet
+  parse certain GNU extensions.
+
+Signed-off-by: John Millikin <john@john-millikin.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Link: https://lkml.kernel.org/r/20210326000435.4785-2-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 6ebdbad21fb2..65a8722e784c 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -40,6 +40,7 @@ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4))
++REALMODE_CFLAGS += $(CLANG_FLAGS)
+ export REALMODE_CFLAGS
+ 
+ # BITS is used as extension for files which are available in a 32 bit
+-- 
+2.30.2
+

diff --git a/queue-4.19/xhci-check-control-context-is-valid-before-dereferen.patch b/queue-4.19/xhci-check-control-context-is-valid-before-dereferen.patch
new file mode 100644 (file)
index 0000000..dcc0a47
--- /dev/null
+++ b/queue-4.19/xhci-check-control-context-is-valid-before-dereferen.patch
@@ -0,0 +1,42 @@
+From 01583bf39139c5e4e92d45f9f74df6c292ca687c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 10:02:06 +0300
+Subject: xhci: check control context is valid before dereferencing it.
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 597899d2f7c5619c87185ee7953d004bd37fd0eb ]
+
+Don't dereference ctrl_ctx before checking it's valid.
+Issue reported by Klockwork
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210406070208.3406266-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 6c508d0313f7..fc07d68fdd15 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3148,6 +3148,14 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd,
+ 
+       /* config ep command clears toggle if add and drop ep flags are set */
+       ctrl_ctx = xhci_get_input_control_ctx(cfg_cmd->in_ctx);
++      if (!ctrl_ctx) {
++              spin_unlock_irqrestore(&xhci->lock, flags);
++              xhci_free_command(xhci, cfg_cmd);
++              xhci_warn(xhci, "%s: Could not get input context, bad type.\n",
++                              __func__);
++              goto cleanup;
++      }
++
+       xhci_setup_input_ctx_for_config_ep(xhci, cfg_cmd->in_ctx, vdev->out_ctx,
+                                          ctrl_ctx, ep_flag, ep_flag);
+       xhci_endpoint_copy(xhci, cfg_cmd->in_ctx, vdev->out_ctx, ep_index);
+-- 
+2.30.2
+

diff --git a/queue-4.19/xhci-fix-potential-array-out-of-bounds-with-several-.patch b/queue-4.19/xhci-fix-potential-array-out-of-bounds-with-several-.patch
new file mode 100644 (file)
index 0000000..0e955b6
--- /dev/null
+++ b/queue-4.19/xhci-fix-potential-array-out-of-bounds-with-several-.patch
@@ -0,0 +1,54 @@
+From 50228f5561a43ea88edc32770b203de6e4323320 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 10:02:07 +0300
+Subject: xhci: fix potential array out of bounds with several interrupters
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 286fd02fd54b6acab65809549cf5fb3f2a886696 ]
+
+The Max Interrupters supported by the controller is given in a 10bit
+wide bitfield, but the driver uses a fixed 128 size array to index these
+interrupters.
+
+Klockwork reports a possible array out of bounds case which in theory
+is possible. In practice this hasn't been hit as a common number of Max
+Interrupters for new controllers is 8, not even close to 128.
+
+This needs to be fixed anyway
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210406070208.3406266-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index fc07d68fdd15..9ca59f3fffde 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -227,6 +227,7 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci)
+       struct device *dev = xhci_to_hcd(xhci)->self.sysdev;
+       int err, i;
+       u64 val;
++      u32 intrs;
+ 
+       /*
+        * Some Renesas controllers get into a weird state if they are
+@@ -265,7 +266,10 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci)
+       if (upper_32_bits(val))
+               xhci_write_64(xhci, 0, &xhci->op_regs->cmd_ring);
+ 
+-      for (i = 0; i < HCS_MAX_INTRS(xhci->hcs_params1); i++) {
++      intrs = min_t(u32, HCS_MAX_INTRS(xhci->hcs_params1),
++                    ARRAY_SIZE(xhci->run_regs->ir_set));
++
++      for (i = 0; i < intrs; i++) {
+               struct xhci_intr_reg __iomem *ir;
+ 
+               ir = &xhci->run_regs->ir_set[i];
+-- 
+2.30.2
+