--- /dev/null
+From be1e1e076f6e4251b8a3e5d29e53f7865fd13334 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2020 17:03:48 +0200
+Subject: ASoC: stm32: sai: Add missing cleanup
+
+From: Julia Lawall <Julia.Lawall@inria.fr>
+
+[ Upstream commit 7506baeed8d05fc164254c64af14cfed2ac14446 ]
+
+The commit 0d6defc7e0e4 ("ASoC: stm32: sai: manage rebind issue")
+converts some function calls to their non-devm equivalents. The
+appropriate cleanup code was added to the remove function, but not
+to the probe function. Add a call to snd_dmaengine_pcm_unregister
+to compensate for the call to snd_dmaengine_pcm_register in case
+of subsequent failure.
+
+Fixes: commit 0d6defc7e0e4 ("ASoC: stm32: sai: manage rebind issue")
+Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
+
+Acked-by: Olivier Moysan <olivier.moysan@st.com>
+Link: https://lore.kernel.org/r/1586099028-5104-1-git-send-email-Julia.Lawall@inria.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_sai_sub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c
+index 10eb4b8e8e7ee..d3259de43712b 100644
+--- a/sound/soc/stm/stm32_sai_sub.c
++++ b/sound/soc/stm/stm32_sai_sub.c
+@@ -1551,8 +1551,10 @@ static int stm32_sai_sub_probe(struct platform_device *pdev)
+
+ ret = snd_soc_register_component(&pdev->dev, &stm32_component,
+ &sai->cpu_dai_drv, 1);
+- if (ret)
++ if (ret) {
++ snd_dmaengine_pcm_unregister(&pdev->dev);
+ return ret;
++ }
+
+ if (STM_SAI_PROTOCOL_IS_SPDIF(sai))
+ conf = &stm32_sai_pcm_config_spdif;
+--
+2.20.1
+
--- /dev/null
+From f4738e0ba1bd82a797ac2fce5bec35db55005520 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Mar 2020 18:03:23 +0200
+Subject: bpf: Fix tnum constraints for 32-bit comparisons
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 604dca5e3af1db98bd123b7bfc02b017af99e3a0 ]
+
+The BPF verifier tried to track values based on 32-bit comparisons by
+(ab)using the tnum state via 581738a681b6 ("bpf: Provide better register
+bounds after jmp32 instructions"). The idea is that after a check like
+this:
+
+ if ((u32)r0 > 3)
+ exit
+
+We can't meaningfully constrain the arithmetic-range-based tracking, but
+we can update the tnum state to (value=0,mask=0xffff'ffff'0000'0003).
+However, the implementation from 581738a681b6 didn't compute the tnum
+constraint based on the fixed operand, but instead derives it from the
+arithmetic-range-based tracking. This means that after the following
+sequence of operations:
+
+ if (r0 >= 0x1'0000'0001)
+ exit
+ if ((u32)r0 > 7)
+ exit
+
+The verifier assumed that the lower half of r0 is in the range (0, 0)
+and apply the tnum constraint (value=0,mask=0xffff'ffff'0000'0000) thus
+causing the overall tnum to be (value=0,mask=0x1'0000'0000), which was
+incorrect. Provide a fixed implementation.
+
+Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200330160324.15259-3-daniel@iogearbox.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 108 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 72 insertions(+), 36 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index a0b76b360d6f7..013780ef0bd7d 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5325,6 +5325,70 @@ static bool cmp_val_with_extended_s64(s64 sval, struct bpf_reg_state *reg)
+ reg->smax_value <= 0 && reg->smin_value >= S32_MIN);
+ }
+
++/* Constrain the possible values of @reg with unsigned upper bound @bound.
++ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive.
++ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits
++ * of @reg.
++ */
++static void set_upper_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32,
++ bool is_exclusive)
++{
++ if (is_exclusive) {
++ /* There are no values for `reg` that make `reg<0` true. */
++ if (bound == 0)
++ return;
++ bound--;
++ }
++ if (is_jmp32) {
++ /* Constrain the register's value in the tnum representation.
++ * For 64-bit comparisons this happens later in
++ * __reg_bound_offset(), but for 32-bit comparisons, we can be
++ * more precise than what can be derived from the updated
++ * numeric bounds.
++ */
++ struct tnum t = tnum_range(0, bound);
++
++ t.mask |= ~0xffffffffULL; /* upper half is unknown */
++ reg->var_off = tnum_intersect(reg->var_off, t);
++
++ /* Compute the 64-bit bound from the 32-bit bound. */
++ bound += gen_hi_max(reg->var_off);
++ }
++ reg->umax_value = min(reg->umax_value, bound);
++}
++
++/* Constrain the possible values of @reg with unsigned lower bound @bound.
++ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive.
++ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits
++ * of @reg.
++ */
++static void set_lower_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32,
++ bool is_exclusive)
++{
++ if (is_exclusive) {
++ /* There are no values for `reg` that make `reg>MAX` true. */
++ if (bound == (is_jmp32 ? U32_MAX : U64_MAX))
++ return;
++ bound++;
++ }
++ if (is_jmp32) {
++ /* Constrain the register's value in the tnum representation.
++ * For 64-bit comparisons this happens later in
++ * __reg_bound_offset(), but for 32-bit comparisons, we can be
++ * more precise than what can be derived from the updated
++ * numeric bounds.
++ */
++ struct tnum t = tnum_range(bound, U32_MAX);
++
++ t.mask |= ~0xffffffffULL; /* upper half is unknown */
++ reg->var_off = tnum_intersect(reg->var_off, t);
++
++ /* Compute the 64-bit bound from the 32-bit bound. */
++ bound += gen_hi_min(reg->var_off);
++ }
++ reg->umin_value = max(reg->umin_value, bound);
++}
++
+ /* Adjusts the register min/max values in the case that the dst_reg is the
+ * variable register that we are working on, and src_reg is a constant or we're
+ * simply doing a BPF_K check.
+@@ -5380,15 +5444,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
+ case BPF_JGE:
+ case BPF_JGT:
+ {
+- u64 false_umax = opcode == BPF_JGT ? val : val - 1;
+- u64 true_umin = opcode == BPF_JGT ? val + 1 : val;
+-
+- if (is_jmp32) {
+- false_umax += gen_hi_max(false_reg->var_off);
+- true_umin += gen_hi_min(true_reg->var_off);
+- }
+- false_reg->umax_value = min(false_reg->umax_value, false_umax);
+- true_reg->umin_value = max(true_reg->umin_value, true_umin);
++ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JGE);
++ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JGT);
+ break;
+ }
+ case BPF_JSGE:
+@@ -5409,15 +5466,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
+ case BPF_JLE:
+ case BPF_JLT:
+ {
+- u64 false_umin = opcode == BPF_JLT ? val : val + 1;
+- u64 true_umax = opcode == BPF_JLT ? val - 1 : val;
+-
+- if (is_jmp32) {
+- false_umin += gen_hi_min(false_reg->var_off);
+- true_umax += gen_hi_max(true_reg->var_off);
+- }
+- false_reg->umin_value = max(false_reg->umin_value, false_umin);
+- true_reg->umax_value = min(true_reg->umax_value, true_umax);
++ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JLE);
++ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JLT);
+ break;
+ }
+ case BPF_JSLE:
+@@ -5492,15 +5542,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
+ case BPF_JGE:
+ case BPF_JGT:
+ {
+- u64 false_umin = opcode == BPF_JGT ? val : val + 1;
+- u64 true_umax = opcode == BPF_JGT ? val - 1 : val;
+-
+- if (is_jmp32) {
+- false_umin += gen_hi_min(false_reg->var_off);
+- true_umax += gen_hi_max(true_reg->var_off);
+- }
+- false_reg->umin_value = max(false_reg->umin_value, false_umin);
+- true_reg->umax_value = min(true_reg->umax_value, true_umax);
++ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JGE);
++ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JGT);
+ break;
+ }
+ case BPF_JSGE:
+@@ -5518,15 +5561,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
+ case BPF_JLE:
+ case BPF_JLT:
+ {
+- u64 false_umax = opcode == BPF_JLT ? val : val - 1;
+- u64 true_umin = opcode == BPF_JLT ? val + 1 : val;
+-
+- if (is_jmp32) {
+- false_umax += gen_hi_max(false_reg->var_off);
+- true_umin += gen_hi_min(true_reg->var_off);
+- }
+- false_reg->umax_value = min(false_reg->umax_value, false_umax);
+- true_reg->umin_value = max(true_reg->umin_value, true_umin);
++ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JLE);
++ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JLT);
+ break;
+ }
+ case BPF_JSLE:
+--
+2.20.1
+
--- /dev/null
+From 8534dcff395176ff6badfa5695b2a1c5f615ee5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 15:04:33 +0200
+Subject: efi/x86: Fix the deletion of variables in mixed mode
+
+From: Gary Lin <glin@suse.com>
+
+[ Upstream commit a4b81ccfd4caba017d2b84720b6de4edd16911a0 ]
+
+efi_thunk_set_variable() treated the NULL "data" pointer as an invalid
+parameter, and this broke the deletion of variables in mixed mode.
+This commit fixes the check of data so that the userspace program can
+delete a variable in mixed mode.
+
+Fixes: 8319e9d5ad98ffcc ("efi/x86: Handle by-ref arguments covering multiple pages in mixed mode")
+Signed-off-by: Gary Lin <glin@suse.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20200408081606.1504-1-glin@suse.com
+Link: https://lore.kernel.org/r/20200409130434.6736-9-ardb@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/efi_64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
+index fe0e647411daf..e39c930cfbd1e 100644
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -834,7 +834,7 @@ efi_thunk_set_variable(efi_char16_t *name, efi_guid_t *vendor,
+ phys_vendor = virt_to_phys_or_null(vnd);
+ phys_data = virt_to_phys_or_null_size(data, data_size);
+
+- if (!phys_name || !phys_data)
++ if (!phys_name || (data && !phys_data))
+ status = EFI_INVALID_PARAMETER;
+ else
+ status = efi_thunk(set_variable, phys_name, phys_vendor,
+@@ -865,7 +865,7 @@ efi_thunk_set_variable_nonblocking(efi_char16_t *name, efi_guid_t *vendor,
+ phys_vendor = virt_to_phys_or_null(vnd);
+ phys_data = virt_to_phys_or_null_size(data, data_size);
+
+- if (!phys_name || !phys_data)
++ if (!phys_name || (data && !phys_data))
+ status = EFI_INVALID_PARAMETER;
+ else
+ status = efi_thunk(set_variable, phys_name, phys_vendor,
+--
+2.20.1
+
--- /dev/null
+From 15b03676d52046a26a6863ec74a8719827e96b00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2020 16:51:58 +0200
+Subject: mfd: dln2: Fix sanity checking for endpoints
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit fb945c95a482200876993977008b67ea658bd938 ]
+
+While the commit 2b8bd606b1e6 ("mfd: dln2: More sanity checking for endpoints")
+tries to harden the sanity checks it made at the same time a regression,
+i.e. mixed in and out endpoints. Obviously it should have been not tested on
+real hardware at that time, but unluckily it didn't happen.
+
+So, fix above mentioned typo and make device being enumerated again.
+
+While here, introduce an enumerator for magic values to prevent similar issue
+to happen in the future.
+
+Fixes: 2b8bd606b1e6 ("mfd: dln2: More sanity checking for endpoints")
+Cc: Oliver Neukum <oneukum@suse.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/dln2.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
+index 7841c11411d08..4faa8d2e5d045 100644
+--- a/drivers/mfd/dln2.c
++++ b/drivers/mfd/dln2.c
+@@ -90,6 +90,11 @@ struct dln2_mod_rx_slots {
+ spinlock_t lock;
+ };
+
++enum dln2_endpoint {
++ DLN2_EP_OUT = 0,
++ DLN2_EP_IN = 1,
++};
++
+ struct dln2_dev {
+ struct usb_device *usb_dev;
+ struct usb_interface *interface;
+@@ -733,10 +738,10 @@ static int dln2_probe(struct usb_interface *interface,
+ hostif->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
+- epin = &hostif->endpoint[0].desc;
+- epout = &hostif->endpoint[1].desc;
++ epout = &hostif->endpoint[DLN2_EP_OUT].desc;
+ if (!usb_endpoint_is_bulk_out(epout))
+ return -ENODEV;
++ epin = &hostif->endpoint[DLN2_EP_IN].desc;
+ if (!usb_endpoint_is_bulk_in(epin))
+ return -ENODEV;
+
+--
+2.20.1
+
--- /dev/null
+From acaffb5b05c47518e638baa9a06d6773cee33057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2019 15:03:58 -0800
+Subject: scsi: lpfc: fix inlining of lpfc_sli4_cleanup_poll_list()
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit d480e57809a043333a3b9e755c0bdd43e10a9f12 ]
+
+Compilation can fail due to having an inline function reference where the
+function body is not present.
+
+Fix by removing the inline tag.
+
+Fixes: 93a4d6f40198 ("scsi: lpfc: Add registration for CPU Offline/Online events")
+
+Link: https://lore.kernel.org/r/20191111230401.12958-4-jsmart2021@gmail.com
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_crtn.h | 2 +-
+ drivers/scsi/lpfc/lpfc_sli.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h
+index a03efe9ad2a42..0f019e889ba6b 100644
+--- a/drivers/scsi/lpfc/lpfc_crtn.h
++++ b/drivers/scsi/lpfc/lpfc_crtn.h
+@@ -215,7 +215,7 @@ irqreturn_t lpfc_sli_fp_intr_handler(int, void *);
+ irqreturn_t lpfc_sli4_intr_handler(int, void *);
+ irqreturn_t lpfc_sli4_hba_intr_handler(int, void *);
+
+-inline void lpfc_sli4_cleanup_poll_list(struct lpfc_hba *phba);
++void lpfc_sli4_cleanup_poll_list(struct lpfc_hba *phba);
+ int lpfc_sli4_poll_eq(struct lpfc_queue *q, uint8_t path);
+ void lpfc_sli4_poll_hbtimer(struct timer_list *t);
+ void lpfc_sli4_start_polling(struct lpfc_queue *q);
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index fb2b0dc52d9bc..0717e850bcbfd 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -14384,7 +14384,7 @@ static inline void lpfc_sli4_remove_from_poll_list(struct lpfc_queue *eq)
+ del_timer_sync(&phba->cpuhp_poll_timer);
+ }
+
+-inline void lpfc_sli4_cleanup_poll_list(struct lpfc_hba *phba)
++void lpfc_sli4_cleanup_poll_list(struct lpfc_hba *phba)
+ {
+ struct lpfc_queue *eq, *next;
+
+--
+2.20.1
+
powerpc-kasan-fix-kasan_remap_early_shadow_ro.patch
mmc-sdhci-convert-sdhci_set_timeout_irq-to-non-stati.patch
mmc-sdhci-refactor-sdhci_set_timeout.patch
+bpf-fix-tnum-constraints-for-32-bit-comparisons.patch
+mfd-dln2-fix-sanity-checking-for-endpoints.patch
+efi-x86-fix-the-deletion-of-variables-in-mixed-mode.patch
+asoc-stm32-sai-add-missing-cleanup.patch
+scsi-lpfc-fix-inlining-of-lpfc_sli4_cleanup_poll_lis.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
