Fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.14/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch b/queue-4.14/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
new file mode 100644 (file)
index 0000000..0a24c91
--- /dev/null
+++ b/queue-4.14/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
@@ -0,0 +1,48 @@
+From dd1af128b7823d7f3263b1eda488d10fb11cd871 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Mar 2021 15:25:21 -0500
+Subject: btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 7a9213a93546e7eaef90e6e153af6b8fc7553f10 ]
+
+A few BUG_ON()'s in replace_path are purely to keep us from making
+logical mistakes, so replace them with ASSERT()'s.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/relocation.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index c01239d1f1e6..313547442a6e 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1808,8 +1808,8 @@ int replace_path(struct btrfs_trans_handle *trans,
+       int ret;
+       int slot;
+ 
+-      BUG_ON(src->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+-      BUG_ON(dest->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(src->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(dest->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+ 
+       last_snapshot = btrfs_root_last_snapshot(&src->root_item);
+ again:
+@@ -1841,7 +1841,7 @@ again:
+       parent = eb;
+       while (1) {
+               level = btrfs_header_level(parent);
+-              BUG_ON(level < lowest_level);
++              ASSERT(level >= lowest_level);
+ 
+               ret = btrfs_bin_search(parent, &key, level, &slot);
+               if (ret && slot > 0)
+-- 
+2.30.2
+

diff --git a/queue-4.14/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch b/queue-4.14/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
new file mode 100644 (file)
index 0000000..8f4aae1
--- /dev/null
+++ b/queue-4.14/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
@@ -0,0 +1,38 @@
+From 0dd3327566a289559bcbf18a8cc6ecafd30e77bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 18:01:15 +0100
+Subject: clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 657d4d1934f75a2d978c3cf2086495eaa542e7a9 ]
+
+There is an error return path that is not kfree'ing socfpga_clk leading
+to a memory leak. Fix this by adding in the missing kfree call.
+
+Addresses-Coverity: ("Resource leak")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210406170115.430990-1-colin.king@canonical.com
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/socfpga/clk-gate-a10.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c
+index 36376c542055..637e26babf89 100644
+--- a/drivers/clk/socfpga/clk-gate-a10.c
++++ b/drivers/clk/socfpga/clk-gate-a10.c
+@@ -157,6 +157,7 @@ static void __init __socfpga_gate_init(struct device_node *node,
+               if (IS_ERR(socfpga_clk->sys_mgr_base_addr)) {
+                       pr_err("%s: failed to find altr,sys-mgr regmap!\n",
+                                       __func__);
++                      kfree(socfpga_clk);
+                       return;
+               }
+       }
+-- 
+2.30.2
+

diff --git a/queue-4.14/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch b/queue-4.14/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch
new file mode 100644 (file)
index 0000000..2c808fb
--- /dev/null
+++ b/queue-4.14/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch
@@ -0,0 +1,149 @@
+From c792b8c281ce01a20e99ba56d8edc8118517bdd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Mar 2021 21:33:03 +0100
+Subject: crypto: api - check for ERR pointers in crypto_destroy_tfm()
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 83681f2bebb34dbb3f03fecd8f570308ab8b7c2c ]
+
+Given that crypto_alloc_tfm() may return ERR pointers, and to avoid
+crashes on obscure error paths where such pointers are presented to
+crypto_destroy_tfm() (such as [0]), add an ERR_PTR check there
+before dereferencing the second argument as a struct crypto_tfm
+pointer.
+
+[0] https://lore.kernel.org/linux-crypto/000000000000de949705bc59e0f6@google.com/
+
+Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/api.c               | 2 +-
+ include/crypto/acompress.h | 2 ++
+ include/crypto/aead.h      | 2 ++
+ include/crypto/akcipher.h  | 2 ++
+ include/crypto/hash.h      | 4 ++++
+ include/crypto/kpp.h       | 2 ++
+ include/crypto/rng.h       | 2 ++
+ include/crypto/skcipher.h  | 2 ++
+ 8 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/api.c b/crypto/api.c
+index 187795a6687d..99bd438fa4a4 100644
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -567,7 +567,7 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm)
+ {
+       struct crypto_alg *alg;
+ 
+-      if (unlikely(!mem))
++      if (IS_ERR_OR_NULL(mem))
+               return;
+ 
+       alg = tfm->__crt_alg;
+diff --git a/include/crypto/acompress.h b/include/crypto/acompress.h
+index e328b52425a8..1ff78365607c 100644
+--- a/include/crypto/acompress.h
++++ b/include/crypto/acompress.h
+@@ -152,6 +152,8 @@ static inline struct crypto_acomp *crypto_acomp_reqtfm(struct acomp_req *req)
+  * crypto_free_acomp() -- free ACOMPRESS tfm handle
+  *
+  * @tfm:      ACOMPRESS tfm handle allocated with crypto_alloc_acomp()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_acomp(struct crypto_acomp *tfm)
+ {
+diff --git a/include/crypto/aead.h b/include/crypto/aead.h
+index 03b97629442c..0e257ebf12cc 100644
+--- a/include/crypto/aead.h
++++ b/include/crypto/aead.h
+@@ -187,6 +187,8 @@ static inline struct crypto_tfm *crypto_aead_tfm(struct crypto_aead *tfm)
+ /**
+  * crypto_free_aead() - zeroize and free aead handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_aead(struct crypto_aead *tfm)
+ {
+diff --git a/include/crypto/akcipher.h b/include/crypto/akcipher.h
+index b5e11de4d497..9817f2e5bff8 100644
+--- a/include/crypto/akcipher.h
++++ b/include/crypto/akcipher.h
+@@ -174,6 +174,8 @@ static inline struct crypto_akcipher *crypto_akcipher_reqtfm(
+  * crypto_free_akcipher() - free AKCIPHER tfm handle
+  *
+  * @tfm: AKCIPHER tfm handle allocated with crypto_alloc_akcipher()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_akcipher(struct crypto_akcipher *tfm)
+ {
+diff --git a/include/crypto/hash.h b/include/crypto/hash.h
+index 74827781593c..493ed025f0ca 100644
+--- a/include/crypto/hash.h
++++ b/include/crypto/hash.h
+@@ -253,6 +253,8 @@ static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm)
+ /**
+  * crypto_free_ahash() - zeroize and free the ahash handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_ahash(struct crypto_ahash *tfm)
+ {
+@@ -689,6 +691,8 @@ static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm)
+ /**
+  * crypto_free_shash() - zeroize and free the message digest handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_shash(struct crypto_shash *tfm)
+ {
+diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h
+index 1bde0a6514fa..1a34630fc371 100644
+--- a/include/crypto/kpp.h
++++ b/include/crypto/kpp.h
+@@ -159,6 +159,8 @@ static inline void crypto_kpp_set_flags(struct crypto_kpp *tfm, u32 flags)
+  * crypto_free_kpp() - free KPP tfm handle
+  *
+  * @tfm: KPP tfm handle allocated with crypto_alloc_kpp()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_kpp(struct crypto_kpp *tfm)
+ {
+diff --git a/include/crypto/rng.h b/include/crypto/rng.h
+index b95ede354a66..a788c1e5a121 100644
+--- a/include/crypto/rng.h
++++ b/include/crypto/rng.h
+@@ -116,6 +116,8 @@ static inline struct rng_alg *crypto_rng_alg(struct crypto_rng *tfm)
+ /**
+  * crypto_free_rng() - zeroize and free RNG handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_rng(struct crypto_rng *tfm)
+ {
+diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h
+index 562001cb412b..32aca5f4e4f0 100644
+--- a/include/crypto/skcipher.h
++++ b/include/crypto/skcipher.h
+@@ -206,6 +206,8 @@ static inline struct crypto_tfm *crypto_skcipher_tfm(
+ /**
+  * crypto_free_skcipher() - zeroize and free cipher handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_skcipher(struct crypto_skcipher *tfm)
+ {
+-- 
+2.30.2
+

diff --git a/queue-4.14/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch b/queue-4.14/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch
new file mode 100644 (file)
index 0000000..44eae48
--- /dev/null
+++ b/queue-4.14/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch
@@ -0,0 +1,37 @@
+From f586e767dcc8d68bb531ae557273f33006f7a1ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 10:30:15 -0500
+Subject: drm/amdgpu : Fix asic reset regression issue introduce by
+ 8f211fe8ac7c4f
+
+From: shaoyunl <shaoyun.liu@amd.com>
+
+[ Upstream commit c8941550aa66b2a90f4b32c45d59e8571e33336e ]
+
+This recent change introduce SDMA interrupt info printing with irq->process function.
+These functions do not require a set function to enable/disable the irq
+
+Signed-off-by: shaoyunl <shaoyun.liu@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+index 538e5f27d120..fb9361590754 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+@@ -437,7 +437,7 @@ void amdgpu_irq_gpu_reset_resume_helper(struct amdgpu_device *adev)
+               for (j = 0; j < AMDGPU_MAX_IRQ_SRC_ID; ++j) {
+                       struct amdgpu_irq_src *src = adev->irq.client[i].sources[j];
+ 
+-                      if (!src)
++                      if (!src || !src->funcs || !src->funcs->set)
+                               continue;
+                       for (k = 0; k < src->num_types; k++)
+                               amdgpu_irq_update(adev, src, k);
+-- 
+2.30.2
+

diff --git a/queue-4.14/drm-amdgpu-fix-null-pointer-dereference.patch b/queue-4.14/drm-amdgpu-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..43bbd30
--- /dev/null
+++ b/queue-4.14/drm-amdgpu-fix-null-pointer-dereference.patch
@@ -0,0 +1,60 @@
+From 2634b3fb33d22e80547a6f67c78824964b64384e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 17:52:18 +0800
+Subject: drm/amdgpu: fix NULL pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 3c3dc654333f6389803cdcaf03912e94173ae510 ]
+
+ttm->sg needs to be checked before accessing its child member.
+
+Call Trace:
+ amdgpu_ttm_backend_destroy+0x12/0x70 [amdgpu]
+ ttm_bo_cleanup_memtype_use+0x3a/0x60 [ttm]
+ ttm_bo_release+0x17d/0x300 [ttm]
+ amdgpu_bo_unref+0x1a/0x30 [amdgpu]
+ amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x78b/0x8b0 [amdgpu]
+ kfd_ioctl_alloc_memory_of_gpu+0x118/0x220 [amdgpu]
+ kfd_ioctl+0x222/0x400 [amdgpu]
+ ? kfd_dev_is_large_bar+0x90/0x90 [amdgpu]
+ __x64_sys_ioctl+0x8e/0xd0
+ ? __context_tracking_exit+0x52/0x90
+ do_syscall_64+0x33/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7f97f264d317
+Code: b3 66 90 48 8b 05 71 4b 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 41 4b 2d 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffdb402c338 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f97f3cc63a0 RCX: 00007f97f264d317
+RDX: 00007ffdb402c380 RSI: 00000000c0284b16 RDI: 0000000000000003
+RBP: 00007ffdb402c380 R08: 00007ffdb402c428 R09: 00000000c4000004
+R10: 00000000c4000004 R11: 0000000000000246 R12: 00000000c0284b16
+R13: 0000000000000003 R14: 00007f97f3cc63a0 R15: 00007f8836200000
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+index ae700e445fbc..d057bc29bf4c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -742,7 +742,7 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_tt *ttm)
+               DMA_BIDIRECTIONAL : DMA_TO_DEVICE;
+ 
+       /* double check that we don't free the table twice */
+-      if (!ttm->sg->sgl)
++      if (!ttm->sg || !ttm->sg->sgl)
+               return;
+ 
+       /* free the sg table and pages again */
+-- 
+2.30.2
+

diff --git a/queue-4.14/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch b/queue-4.14/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
new file mode 100644 (file)
index 0000000..225c104
--- /dev/null
+++ b/queue-4.14/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
@@ -0,0 +1,57 @@
+From ce886ca829d3518b47a39ebc4d9cb0d2092f190f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 23:47:24 +0200
+Subject: drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 2ad52bdb220de5ab348098e3482b01235d15a842 ]
+
+Leaving this at a close-to-maximum register value 0xFFF0 means it takes
+very long for the MDSS to generate a software vsync interrupt when the
+hardware TE interrupt doesn't arrive.  Configuring this to double the
+vtotal (like some downstream kernels) leads to a frame to take at most
+twice before the vsync signal, until hardware TE comes up.
+
+In this case the hardware interrupt responsible for providing this
+signal - "disp-te" gpio - is not hooked up to the mdp5 vsync/pp logic at
+all.  This solves severe panel update issues observed on at least the
+Xperia Loire and Tone series, until said gpio is properly hooked up to
+an irq.
+
+Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Link: https://lore.kernel.org/r/20210406214726.131534-2-marijn.suijten@somainline.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
+index 60790df91bfa..397e71481129 100644
+--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
++++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
+@@ -78,9 +78,17 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder,
+               | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN;
+       cfg |= MDP5_PP_SYNC_CONFIG_VSYNC_COUNT(vclks_line);
+ 
++      /*
++       * Tearcheck emits a blanking signal every vclks_line * vtotal * 2 ticks on
++       * the vsync_clk equating to roughly half the desired panel refresh rate.
++       * This is only necessary as stability fallback if interrupts from the
++       * panel arrive too late or not at all, but is currently used by default
++       * because these panel interrupts are not wired up yet.
++       */
+       mdp5_write(mdp5_kms, REG_MDP5_PP_SYNC_CONFIG_VSYNC(pp_id), cfg);
+       mdp5_write(mdp5_kms,
+-              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), 0xfff0);
++              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), (2 * mode->vtotal));
++
+       mdp5_write(mdp5_kms,
+               REG_MDP5_PP_VSYNC_INIT_VAL(pp_id), mode->vdisplay);
+       mdp5_write(mdp5_kms, REG_MDP5_PP_RD_PTR_IRQ(pp_id), mode->vdisplay + 1);
+-- 
+2.30.2
+

diff --git a/queue-4.14/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch b/queue-4.14/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
new file mode 100644 (file)
index 0000000..dce8e05
--- /dev/null
+++ b/queue-4.14/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
@@ -0,0 +1,96 @@
+From cbb8a5da5c2cdc119c9a70eb7c0fd1eb2f0ad45f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Mar 2021 16:17:56 +0100
+Subject: extcon: arizona: Fix some issues when HPDET IRQ fires after the jack
+ has been unplugged
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit c309a3e8793f7e01c4a4ec7960658380572cb576 ]
+
+When the jack is partially inserted and then removed again it may be
+removed while the hpdet code is running. In this case the following
+may happen:
+
+1. The "JACKDET rise" or ""JACKDET fall" IRQ triggers
+2. arizona_jackdet runs and takes info->lock
+3. The "HPDET" IRQ triggers
+4. arizona_hpdet_irq runs, blocks on info->lock
+5. arizona_jackdet calls arizona_stop_mic() and clears info->hpdet_done
+6. arizona_jackdet releases info->lock
+7. arizona_hpdet_irq now can continue running and:
+7.1 Calls arizona_start_mic() (if a mic was detected)
+7.2 sets info->hpdet_done
+
+Step 7 is undesirable / a bug:
+7.1 causes the device to stay in a high power-state (with MICVDD enabled)
+7.2 causes hpdet to not run on the next jack insertion, which in turn
+    causes the EXTCON_JACK_HEADPHONE state to never get set
+
+This fixes both issues by skipping these 2 steps when arizona_hpdet_irq
+runs after the jack has been unplugged.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-arizona.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index 4937a404fee8..2cfd5db75625 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -602,7 +602,7 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data)
+       struct arizona *arizona = info->arizona;
+       int id_gpio = arizona->pdata.hpdet_id_gpio;
+       unsigned int report = EXTCON_JACK_HEADPHONE;
+-      int ret, reading;
++      int ret, reading, state;
+       bool mic = false;
+ 
+       mutex_lock(&info->lock);
+@@ -615,12 +615,11 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data)
+       }
+ 
+       /* If the cable was removed while measuring ignore the result */
+-      ret = extcon_get_state(info->edev, EXTCON_MECHANICAL);
+-      if (ret < 0) {
+-              dev_err(arizona->dev, "Failed to check cable state: %d\n",
+-                      ret);
++      state = extcon_get_state(info->edev, EXTCON_MECHANICAL);
++      if (state < 0) {
++              dev_err(arizona->dev, "Failed to check cable state: %d\n", state);
+               goto out;
+-      } else if (!ret) {
++      } else if (!state) {
+               dev_dbg(arizona->dev, "Ignoring HPDET for removed cable\n");
+               goto done;
+       }
+@@ -673,7 +672,7 @@ done:
+                          ARIZONA_ACCDET_MODE_MASK, ARIZONA_ACCDET_MODE_MIC);
+ 
+       /* If we have a mic then reenable MICDET */
+-      if (mic || info->mic)
++      if (state && (mic || info->mic))
+               arizona_start_mic(info);
+ 
+       if (info->hpdet_active) {
+@@ -681,7 +680,9 @@ done:
+               info->hpdet_active = false;
+       }
+ 
+-      info->hpdet_done = true;
++      /* Do not set hp_det done when the cable has been unplugged */
++      if (state)
++              info->hpdet_done = true;
+ 
+ out:
+       mutex_unlock(&info->lock);
+-- 
+2.30.2
+

diff --git a/queue-4.14/intel_th-consistency-and-off-by-one-fix.patch b/queue-4.14/intel_th-consistency-and-off-by-one-fix.patch
new file mode 100644 (file)
index 0000000..4aa5169
--- /dev/null
+++ b/queue-4.14/intel_th-consistency-and-off-by-one-fix.patch
@@ -0,0 +1,49 @@
+From 1fec5e9aa9ad2a9a6abbc8c47a2005c96a75edc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 20:12:49 +0300
+Subject: intel_th: Consistency and off-by-one fix
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit 18ffbc47d45a1489b664dd68fb3a7610a6e1dea3 ]
+
+Consistently use "< ... +1" in for loops.
+
+Fix of-by-one in for_each_set_bit().
+
+Signed-off-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Link: https://lore.kernel.org/lkml/20190724095841.GA6952@amd/
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210414171251.14672-6-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/intel_th/gth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c
+index 2a3ae9006c58..79473ba48d0c 100644
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -485,7 +485,7 @@ static void intel_th_gth_disable(struct intel_th_device *thdev,
+       output->active = false;
+ 
+       for_each_set_bit(master, gth->output[output->port].master,
+-                       TH_CONFIGURABLE_MASTERS) {
++                       TH_CONFIGURABLE_MASTERS + 1) {
+               gth_master_set(gth, master, -1);
+       }
+       spin_unlock(&gth->gth_lock);
+@@ -624,7 +624,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev,
+       othdev->output.port = -1;
+       othdev->output.active = false;
+       gth->output[port].output = NULL;
+-      for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
++      for (master = 0; master < TH_CONFIGURABLE_MASTERS + 1; master++)
+               if (gth->master[master] == port)
+                       gth->master[master] = -1;
+       spin_unlock(&gth->gth_lock);
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch b/queue-4.14/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
new file mode 100644 (file)
index 0000000..1c2f8bc
--- /dev/null
+++ b/queue-4.14/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
@@ -0,0 +1,43 @@
+From c46b18a24a98f6a719cff8d8729a092dd52e5e40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:42:46 +0200
+Subject: media: adv7604: fix possible use-after-free in adv76xx_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit fa56f5f1fe31c2050675fa63b84963ebd504a5b3 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7604.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
+index 26c3ec573a56..3078d47d090a 100644
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -3557,7 +3557,7 @@ static int adv76xx_remove(struct i2c_client *client)
+       io_write(sd, 0x6e, 0);
+       io_write(sd, 0x73, 0);
+ 
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       v4l2_async_unregister_subdev(sd);
+       media_entity_cleanup(&sd->entity);
+       adv76xx_unregister_clients(to_state(sd));
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-4.14/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
new file mode 100644 (file)
index 0000000..d8dda06
--- /dev/null
+++ b/queue-4.14/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
@@ -0,0 +1,83 @@
+From bdc98f2c910744de42c693e8460c3572b303ce81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 21:32:19 +0200
+Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit b7cd0da982e3043f2eec7235ac5530cb18d6af1d ]
+
+syzbot reported memory leak in dvb-usb. The problem was
+in invalid error handling in dvb_usb_adapter_init().
+
+for (n = 0; n < d->props.num_adapters; n++) {
+....
+       if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+               (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+               (ret = dvb_usb_adapter_frontend_init(adap))) {
+               return ret;
+       }
+...
+       d->num_adapters_initialized++;
+...
+}
+
+In case of error in dvb_usb_adapter_dvb_init() or
+dvb_usb_adapter_dvb_init() d->num_adapters_initialized won't be
+incremented, but dvb_usb_adapter_exit() relies on it:
+
+       for (n = 0; n < d->num_adapters_initialized; n++)
+
+So, allocated objects won't be freed.
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reported-by: syzbot+3c2be7424cea3b932b0e@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index b3413404f91a..690c1e06fbfa 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -82,11 +82,17 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+                       }
+               }
+ 
+-              if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+-                      (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+-                      (ret = dvb_usb_adapter_frontend_init(adap))) {
++              ret = dvb_usb_adapter_stream_init(adap);
++              if (ret)
+                       return ret;
+-              }
++
++              ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
++              if (ret)
++                      goto dvb_init_err;
++
++              ret = dvb_usb_adapter_frontend_init(adap);
++              if (ret)
++                      goto frontend_init_err;
+ 
+               /* use exclusive FE lock if there is multiple shared FEs */
+               if (adap->fe_adap[1].fe)
+@@ -106,6 +112,12 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+       }
+ 
+       return 0;
++
++frontend_init_err:
++      dvb_usb_adapter_dvb_exit(adap);
++dvb_init_err:
++      dvb_usb_adapter_stream_exit(adap);
++      return ret;
+ }
+ 
+ static int dvb_usb_adapter_exit(struct dvb_usb_device *d)
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-em28xx-fix-memory-leak.patch b/queue-4.14/media-em28xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..f22fedb
--- /dev/null
+++ b/queue-4.14/media-em28xx-fix-memory-leak.patch
@@ -0,0 +1,41 @@
+From 0f301148746d4c40e7aee1c891ce8e487db4322f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 19:07:53 +0100
+Subject: media: em28xx: fix memory leak
+
+From: Muhammad Usama Anjum <musamaanjum@gmail.com>
+
+[ Upstream commit 0ae10a7dc8992ee682ff0b1752ff7c83d472eef1 ]
+
+If some error occurs, URB buffers should also be freed. If they aren't
+freed with the dvb here, the em28xx_dvb_fini call doesn't frees the URB
+buffers as dvb is set to NULL. The function in which error occurs should
+do all the cleanup for the allocations it had done.
+
+Tested the patch with the reproducer provided by syzbot. This patch
+fixes the memleak.
+
+Reported-by: syzbot+889397c820fa56adf25d@syzkaller.appspotmail.com
+Signed-off-by: Muhammad Usama Anjum <musamaanjum@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-dvb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
+index 29cdaaf1ed90..3667373f14d2 100644
+--- a/drivers/media/usb/em28xx/em28xx-dvb.c
++++ b/drivers/media/usb/em28xx/em28xx-dvb.c
+@@ -2056,6 +2056,7 @@ ret:
+       return result;
+ 
+ out_free:
++      em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE);
+       kfree(dvb);
+       dev->dvb = NULL;
+       goto ret;
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-gscpa-stv06xx-fix-memory-leak.patch b/queue-4.14/media-gscpa-stv06xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..9d52fcc
--- /dev/null
+++ b/queue-4.14/media-gscpa-stv06xx-fix-memory-leak.patch
@@ -0,0 +1,84 @@
+From d81fd818a4ad49e746075626114bb284b0cab57c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 12:31:20 +0200
+Subject: media: gscpa/stv06xx: fix memory leak
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ]
+
+For two of the supported sensors the stv06xx driver allocates memory which
+is stored in sd->sensor_priv. This memory is freed on a disconnect, but if
+the probe() fails, then it isn't freed and so this leaks memory.
+
+Add a new probe_error() op that drivers can use to free any allocated
+memory in case there was a probe failure.
+
+Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause
+of the memory leak.
+
+Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/gspca.c           | 2 ++
+ drivers/media/usb/gspca/gspca.h           | 1 +
+ drivers/media/usb/gspca/stv06xx/stv06xx.c | 9 +++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
+index 66543518938b..a384d5d83026 100644
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -2141,6 +2141,8 @@ out:
+ #endif
+       v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+       v4l2_device_unregister(&gspca_dev->v4l2_dev);
++      if (sd_desc->probe_error)
++              sd_desc->probe_error(gspca_dev);
+       kfree(gspca_dev->usb_buf);
+       kfree(gspca_dev);
+       return ret;
+diff --git a/drivers/media/usb/gspca/gspca.h b/drivers/media/usb/gspca/gspca.h
+index 9e0cf711642b..2550af00d6fb 100644
+--- a/drivers/media/usb/gspca/gspca.h
++++ b/drivers/media/usb/gspca/gspca.h
+@@ -102,6 +102,7 @@ struct sd_desc {
+       cam_cf_op config;       /* called on probe */
+       cam_op init;            /* called on probe and resume */
+       cam_op init_controls;   /* called on probe */
++      cam_v_op probe_error;   /* called if probe failed, do cleanup here */
+       cam_op start;           /* called on stream on after URBs creation */
+       cam_pkt_op pkt_scan;
+ /* optional operations */
+diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+index 9caa5ef9d9e0..b14f30a8f3bd 100644
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+@@ -534,12 +534,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev,
+ static int stv06xx_config(struct gspca_dev *gspca_dev,
+                         const struct usb_device_id *id);
+ 
++static void stv06xx_probe_error(struct gspca_dev *gspca_dev)
++{
++      struct sd *sd = (struct sd *)gspca_dev;
++
++      kfree(sd->sensor_priv);
++      sd->sensor_priv = NULL;
++}
++
+ /* sub-driver description */
+ static const struct sd_desc sd_desc = {
+       .name = MODULE_NAME,
+       .config = stv06xx_config,
+       .init = stv06xx_init,
+       .init_controls = stv06xx_init_controls,
++      .probe_error = stv06xx_probe_error,
+       .start = stv06xx_start,
+       .stopN = stv06xx_stopN,
+       .pkt_scan = stv06xx_pkt_scan,
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-gspca-sq905.c-fix-uninitialized-variable.patch b/queue-4.14/media-gspca-sq905.c-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..e950a57
--- /dev/null
+++ b/queue-4.14/media-gspca-sq905.c-fix-uninitialized-variable.patch
@@ -0,0 +1,36 @@
+From 3d3298278ccc941ca756550337d3304a8bb39f5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 15:46:40 +0100
+Subject: media: gspca/sq905.c: fix uninitialized variable
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit eaaea4681984c79d2b2b160387b297477f0c1aab ]
+
+act_len can be uninitialized if usb_bulk_msg() returns an error.
+Set it to 0 to avoid a KMSAN error.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/sq905.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c
+index f1da34a10ce8..ec03d18e057f 100644
+--- a/drivers/media/usb/gspca/sq905.c
++++ b/drivers/media/usb/gspca/sq905.c
+@@ -167,7 +167,7 @@ static int
+ sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock)
+ {
+       int ret;
+-      int act_len;
++      int act_len = 0;
+ 
+       gspca_dev->usb_buf[0] = '\0';
+       if (need_lock)
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch b/queue-4.14/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
new file mode 100644 (file)
index 0000000..71154e8
--- /dev/null
+++ b/queue-4.14/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
@@ -0,0 +1,44 @@
+From 89f15f52332305f0b9131698655f6507dbb5d408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:48:12 +0200
+Subject: media: i2c: adv7511-v4l2: fix possible use-after-free in
+ adv7511_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 2c9541720c66899adf6f3600984cf3ef151295ad ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7511-v4l2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c
+index ef1144668809..2148a29909e0 100644
+--- a/drivers/media/i2c/adv7511-v4l2.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -1976,7 +1976,7 @@ static int adv7511_remove(struct i2c_client *client)
+ 
+       adv7511_set_isr(sd, false);
+       adv7511_init_setup(sd);
+-      cancel_delayed_work(&state->edid_handler);
++      cancel_delayed_work_sync(&state->edid_handler);
+       i2c_unregister_device(state->i2c_edid);
+       if (state->i2c_cec)
+               i2c_unregister_device(state->i2c_cec);
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch b/queue-4.14/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
new file mode 100644 (file)
index 0000000..c8732bd
--- /dev/null
+++ b/queue-4.14/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
@@ -0,0 +1,43 @@
+From b969c9852c300dcc8160a9bd2176206cd328e7f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:50:53 +0200
+Subject: media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4a15275b6a18597079f18241c87511406575179a ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7842.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
+index dcce8d030e5d..c28bf94a7409 100644
+--- a/drivers/media/i2c/adv7842.c
++++ b/drivers/media/i2c/adv7842.c
+@@ -3599,7 +3599,7 @@ static int adv7842_remove(struct i2c_client *client)
+       struct adv7842_state *state = to_state(sd);
+ 
+       adv7842_irq_enable(sd, false);
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       v4l2_device_unregister_subdev(sd);
+       media_entity_cleanup(&sd->entity);
+       adv7842_unregister_clients(sd);
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-ite-cir-check-for-receive-overflow.patch b/queue-4.14/media-ite-cir-check-for-receive-overflow.patch
new file mode 100644 (file)
index 0000000..1b9a563
--- /dev/null
+++ b/queue-4.14/media-ite-cir-check-for-receive-overflow.patch
@@ -0,0 +1,41 @@
+From be2a47f30e5950d16ba077451116c6aa6bf91295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Feb 2021 09:08:35 +0100
+Subject: media: ite-cir: check for receive overflow
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit 28c7afb07ccfc0a939bb06ac1e7afe669901c65a ]
+
+It's best if this condition is reported.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ite-cir.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
+index 65e104c7ddfc..c7eea16225e7 100644
+--- a/drivers/media/rc/ite-cir.c
++++ b/drivers/media/rc/ite-cir.c
+@@ -285,8 +285,14 @@ static irqreturn_t ite_cir_isr(int irq, void *data)
+       /* read the interrupt flags */
+       iflags = dev->params.get_irq_causes(dev);
+ 
++      /* Check for RX overflow */
++      if (iflags & ITE_IRQ_RX_FIFO_OVERRUN) {
++              dev_warn(&dev->rdev->dev, "receive overflow\n");
++              ir_raw_event_reset(dev->rdev);
++      }
++
+       /* check for the receive interrupt */
+-      if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) {
++      if (iflags & ITE_IRQ_RX_FIFO) {
+               /* read the FIFO bytes */
+               rx_bytes =
+                       dev->params.get_rx_bytes(dev, rx_buf,
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-media-saa7164-fix-saa7164_encoder_register-mem.patch b/queue-4.14/media-media-saa7164-fix-saa7164_encoder_register-mem.patch
new file mode 100644 (file)
index 0000000..0e9c8f4
--- /dev/null
+++ b/queue-4.14/media-media-saa7164-fix-saa7164_encoder_register-mem.patch
@@ -0,0 +1,87 @@
+From 742334fa7fa21358e20fb60a348cca775d4188ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 03:53:00 +0100
+Subject: media: media/saa7164: fix saa7164_encoder_register() memory leak bugs
+
+From: Daniel Niv <danielniv3@gmail.com>
+
+[ Upstream commit c759b2970c561e3b56aa030deb13db104262adfe ]
+
+Add a fix for the memory leak bugs that can occur when the
+saa7164_encoder_register() function fails.
+The function allocates memory without explicitly freeing
+it when errors occur.
+Add a better error handling that deallocate the unused buffers before the
+function exits during a fail.
+
+Signed-off-by: Daniel Niv <danielniv3@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7164/saa7164-encoder.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-encoder.c b/drivers/media/pci/saa7164/saa7164-encoder.c
+index f21c245a54f7..c6aeac4db17f 100644
+--- a/drivers/media/pci/saa7164/saa7164-encoder.c
++++ b/drivers/media/pci/saa7164/saa7164-encoder.c
+@@ -1024,7 +1024,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+               printk(KERN_ERR "%s() failed (errno = %d), NO PCI configuration\n",
+                       __func__, result);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_pci;
+       }
+ 
+       /* Establish encoder defaults here */
+@@ -1078,7 +1078,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+                         100000, ENCODER_DEF_BITRATE);
+       if (hdl->error) {
+               result = hdl->error;
+-              goto failed;
++              goto fail_hdl;
+       }
+ 
+       port->std = V4L2_STD_NTSC_M;
+@@ -1096,7 +1096,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+               printk(KERN_INFO "%s: can't allocate mpeg device\n",
+                       dev->name);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_hdl;
+       }
+ 
+       port->v4l_device->ctrl_handler = hdl;
+@@ -1107,10 +1107,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+       if (result < 0) {
+               printk(KERN_INFO "%s: can't register mpeg device\n",
+                       dev->name);
+-              /* TODO: We're going to leak here if we don't dealloc
+-               The buffers above. The unreg function can't deal wit it.
+-              */
+-              goto failed;
++              goto fail_reg;
+       }
+ 
+       printk(KERN_INFO "%s: registered device video%d [mpeg]\n",
+@@ -1132,9 +1129,14 @@ int saa7164_encoder_register(struct saa7164_port *port)
+ 
+       saa7164_api_set_encoder(port);
+       saa7164_api_get_encoder(port);
++      return 0;
+ 
+-      result = 0;
+-failed:
++fail_reg:
++      video_device_release(port->v4l_device);
++      port->v4l_device = NULL;
++fail_hdl:
++      v4l2_ctrl_handler_free(hdl);
++fail_pci:
+       return result;
+ }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.14/media-vivid-update-edid.patch b/queue-4.14/media-vivid-update-edid.patch
new file mode 100644 (file)
index 0000000..dcd79f9
--- /dev/null
+++ b/queue-4.14/media-vivid-update-edid.patch
@@ -0,0 +1,56 @@
+From f259127203ee0a546042bc59432f1a07709cd6eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 08:48:21 +0100
+Subject: media: vivid: update EDID
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 443ec4bbc6116f6f492a7a1282bfd8422c862158 ]
+
+The EDID had a few mistakes as reported by edid-decode:
+
+Block 1, CTA-861 Extension Block:
+  Video Data Block: For improved preferred timing interoperability, set 'Native detailed modes' to 1.
+  Video Capability Data Block: S_PT is equal to S_IT and S_CE, so should be set to 0 instead.
+
+Fixed those.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-core.c b/drivers/media/platform/vivid/vivid-core.c
+index 5f316a5e38db..6754e5fcc4c4 100644
+--- a/drivers/media/platform/vivid/vivid-core.c
++++ b/drivers/media/platform/vivid/vivid-core.c
+@@ -186,13 +186,13 @@ static const u8 vivid_hdmi_edid[256] = {
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7b,
+ 
+-      0x02, 0x03, 0x3f, 0xf0, 0x51, 0x61, 0x60, 0x5f,
++      0x02, 0x03, 0x3f, 0xf1, 0x51, 0x61, 0x60, 0x5f,
+       0x5e, 0x5d, 0x10, 0x1f, 0x04, 0x13, 0x22, 0x21,
+       0x20, 0x05, 0x14, 0x02, 0x11, 0x01, 0x23, 0x09,
+       0x07, 0x07, 0x83, 0x01, 0x00, 0x00, 0x6d, 0x03,
+       0x0c, 0x00, 0x10, 0x00, 0x00, 0x3c, 0x21, 0x00,
+       0x60, 0x01, 0x02, 0x03, 0x67, 0xd8, 0x5d, 0xc4,
+-      0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xea, 0xe3,
++      0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xca, 0xe3,
+       0x05, 0x00, 0x00, 0xe3, 0x06, 0x01, 0x00, 0x4d,
+       0xd0, 0x00, 0xa0, 0xf0, 0x70, 0x3e, 0x80, 0x30,
+       0x20, 0x35, 0x00, 0xc0, 0x1c, 0x32, 0x00, 0x00,
+@@ -201,7 +201,7 @@ static const u8 vivid_hdmi_edid[256] = {
+       0x00, 0x00, 0x1a, 0x1a, 0x1d, 0x00, 0x80, 0x51,
+       0xd0, 0x1c, 0x20, 0x40, 0x80, 0x35, 0x00, 0xc0,
+       0x1c, 0x32, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00,
+-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63,
++      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x82,
+ };
+ 
+ static int vidioc_querycap(struct file *file, void  *priv,
+-- 
+2.30.2
+

diff --git a/queue-4.14/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch b/queue-4.14/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
new file mode 100644 (file)
index 0000000..e03562b
--- /dev/null
+++ b/queue-4.14/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
@@ -0,0 +1,72 @@
+From d9a6d1e5b117da59d32c3049116abe21dacbf4b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 16:51:40 +0100
+Subject: PCI: PM: Do not read power state in pci_enable_device_flags()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 4514d991d99211f225d83b7e640285f29f0755d0 ]
+
+It should not be necessary to update the current_state field of
+struct pci_dev in pci_enable_device_flags() before calling
+do_pci_enable_device() for the device, because none of the
+code between that point and the pci_set_power_state() call in
+do_pci_enable_device() invoked later depends on it.
+
+Moreover, doing that is actively harmful in some cases.  For example,
+if the given PCI device depends on an ACPI power resource whose _STA
+method initially returns 0 ("off"), but the config space of the PCI
+device is accessible and the power state retrieved from the
+PCI_PM_CTRL register is D0, the current_state field in the struct
+pci_dev representing that device will get out of sync with the
+power.state of its ACPI companion object and that will lead to
+power management issues going forward.
+
+To avoid such issues it is better to leave the current_state value
+as is until it is changed to PCI_D0 by do_pci_enable_device() as
+appropriate.  However, the power state of the device is not changed
+to PCI_D0 if it is already enabled when pci_enable_device_flags()
+gets called for it, so update its current_state in that case, but
+use pci_update_current_state() covering platform PM too for that.
+
+Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/
+Reported-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index c847b5554db6..1993e5e28ea7 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1378,20 +1378,10 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
+       int err;
+       int i, bars = 0;
+ 
+-      /*
+-       * Power state could be unknown at this point, either due to a fresh
+-       * boot or a device removal call.  So get the current power state
+-       * so that things like MSI message writing will behave as expected
+-       * (e.g. if the device really is in D0 at enable time).
+-       */
+-      if (dev->pm_cap) {
+-              u16 pmcsr;
+-              pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
+-              dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
+-      }
+-
+-      if (atomic_inc_return(&dev->enable_cnt) > 1)
++      if (atomic_inc_return(&dev->enable_cnt) > 1) {
++              pci_update_current_state(dev, dev->current_state);
+               return 0;               /* already enabled */
++      }
+ 
+       bridge = pci_upstream_bridge(dev);
+       if (bridge)
+-- 
+2.30.2
+

diff --git a/queue-4.14/perf-arm_pmu_platform-fix-error-handling.patch b/queue-4.14/perf-arm_pmu_platform-fix-error-handling.patch
new file mode 100644 (file)
index 0000000..847ba15
--- /dev/null
+++ b/queue-4.14/perf-arm_pmu_platform-fix-error-handling.patch
@@ -0,0 +1,36 @@
+From 809632b106d797ea373b7d41cd2171fcc8eb87d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 16:02:41 +0000
+Subject: perf/arm_pmu_platform: Fix error handling
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit e338cb6bef254821a8c095018fd27254d74bfd6a ]
+
+If we're aborting after failing to register the PMU device,
+we probably don't want to leak the IRQs that we've claimed.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/53031a607fc8412a60024bfb3bb8cd7141f998f5.1616774562.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_pmu_platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm_pmu_platform.c b/drivers/perf/arm_pmu_platform.c
+index 4428852e1da1..bd5af219ca9b 100644
+--- a/drivers/perf/arm_pmu_platform.c
++++ b/drivers/perf/arm_pmu_platform.c
+@@ -222,7 +222,7 @@ int arm_pmu_device_probe(struct platform_device *pdev,
+ 
+       ret = armpmu_register(pmu);
+       if (ret)
+-              goto out_free;
++              goto out_free_irqs;
+ 
+       return 0;
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.14/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch b/queue-4.14/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
new file mode 100644 (file)
index 0000000..7f21ab9
--- /dev/null
+++ b/queue-4.14/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
@@ -0,0 +1,45 @@
+From 4228f5083174ab5fad3ad4b9d7ddc87eea6e0d43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:27:16 +0800
+Subject: phy: phy-twl4030-usb: Fix possible use-after-free in
+ twl4030_usb_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e1723d8b87b73ab363256e7ca3af3ddb75855680 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210407092716.3270248-1-yangyingliang@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/phy-twl4030-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c
+index c267afb68f07..ea7564392108 100644
+--- a/drivers/phy/ti/phy-twl4030-usb.c
++++ b/drivers/phy/ti/phy-twl4030-usb.c
+@@ -801,7 +801,7 @@ static int twl4030_usb_remove(struct platform_device *pdev)
+ 
+       usb_remove_phy(&twl->phy);
+       pm_runtime_get_sync(twl->dev);
+-      cancel_delayed_work(&twl->id_workaround_work);
++      cancel_delayed_work_sync(&twl->id_workaround_work);
+       device_remove_file(twl->dev, &dev_attr_vbus);
+ 
+       /* set transceiver mode to power on defaults */
+-- 
+2.30.2
+

diff --git a/queue-4.14/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch b/queue-4.14/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch
new file mode 100644 (file)
index 0000000..7d5be62
--- /dev/null
+++ b/queue-4.14/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch
@@ -0,0 +1,134 @@
+From 1605681e0b59f42818d15c040a60c9f5ee853315 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 10:54:19 +0100
+Subject: power: supply: bq27xxx: fix power_avg for newer ICs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+
+[ Upstream commit c4d57c22ac65bd503716062a06fad55a01569cac ]
+
+On all newer bq27xxx ICs, the AveragePower register contains a signed
+value; in addition to handling the raw value as unsigned, the driver
+code also didn't convert it to µW as expected.
+
+At least for the BQ28Z610, the reference manual incorrectly states that
+the value is in units of 1mW and not 10mW. I have no way of knowing
+whether the manuals of other supported ICs contain the same error, or if
+there are models that actually use 1mW. At least, the new code shouldn't
+be *less* correct than the old version for any device.
+
+power_avg is removed from the cache structure, se we don't have to
+extend it to store both a signed value and an error code. Always getting
+an up-to-date value may be desirable anyways, as it avoids inconsistent
+current and power readings when switching between charging and
+discharging.
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 51 ++++++++++++++------------
+ include/linux/power/bq27xxx_battery.h  |  1 -
+ 2 files changed, 27 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c
+index a7d8cadf172c..3e8466064bb2 100644
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1445,27 +1445,6 @@ static int bq27xxx_battery_read_time(struct bq27xxx_device_info *di, u8 reg)
+       return tval * 60;
+ }
+ 
+-/*
+- * Read an average power register.
+- * Return < 0 if something fails.
+- */
+-static int bq27xxx_battery_read_pwr_avg(struct bq27xxx_device_info *di)
+-{
+-      int tval;
+-
+-      tval = bq27xxx_read(di, BQ27XXX_REG_AP, false);
+-      if (tval < 0) {
+-              dev_err(di->dev, "error reading average power register  %02x: %d\n",
+-                      BQ27XXX_REG_AP, tval);
+-              return tval;
+-      }
+-
+-      if (di->opts & BQ27XXX_O_ZERO)
+-              return (tval * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS;
+-      else
+-              return tval;
+-}
+-
+ /*
+  * Returns true if a battery over temperature condition is detected
+  */
+@@ -1562,8 +1541,6 @@ void bq27xxx_battery_update(struct bq27xxx_device_info *di)
+               }
+               if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR)
+                       cache.cycle_count = bq27xxx_battery_read_cyct(di);
+-              if (di->regs[BQ27XXX_REG_AP] != INVALID_REG_ADDR)
+-                      cache.power_avg = bq27xxx_battery_read_pwr_avg(di);
+ 
+               /* We only have to read charge design full once */
+               if (di->charge_design_full <= 0)
+@@ -1625,6 +1602,32 @@ static int bq27xxx_battery_current(struct bq27xxx_device_info *di,
+       return 0;
+ }
+ 
++/*
++ * Get the average power in µW
++ * Return < 0 if something fails.
++ */
++static int bq27xxx_battery_pwr_avg(struct bq27xxx_device_info *di,
++                                 union power_supply_propval *val)
++{
++      int power;
++
++      power = bq27xxx_read(di, BQ27XXX_REG_AP, false);
++      if (power < 0) {
++              dev_err(di->dev,
++                      "error reading average power register %02x: %d\n",
++                      BQ27XXX_REG_AP, power);
++              return power;
++      }
++
++      if (di->opts & BQ27XXX_O_ZERO)
++              val->intval = (power * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS;
++      else
++              /* Other gauges return a signed value in units of 10mW */
++              val->intval = (int)((s16)power) * 10000;
++
++      return 0;
++}
++
+ static int bq27xxx_battery_status(struct bq27xxx_device_info *di,
+                                 union power_supply_propval *val)
+ {
+@@ -1790,7 +1793,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy,
+               ret = bq27xxx_simple_value(di->cache.energy, val);
+               break;
+       case POWER_SUPPLY_PROP_POWER_AVG:
+-              ret = bq27xxx_simple_value(di->cache.power_avg, val);
++              ret = bq27xxx_battery_pwr_avg(di, val);
+               break;
+       case POWER_SUPPLY_PROP_HEALTH:
+               ret = bq27xxx_simple_value(di->cache.health, val);
+diff --git a/include/linux/power/bq27xxx_battery.h b/include/linux/power/bq27xxx_battery.h
+index e6187f524f2c..534a8080c6a3 100644
+--- a/include/linux/power/bq27xxx_battery.h
++++ b/include/linux/power/bq27xxx_battery.h
+@@ -47,7 +47,6 @@ struct bq27xxx_reg_cache {
+       int capacity;
+       int energy;
+       int flags;
+-      int power_avg;
+       int health;
+ };
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.14/power-supply-generic-adc-battery-fix-possible-use-af.patch b/queue-4.14/power-supply-generic-adc-battery-fix-possible-use-af.patch
new file mode 100644 (file)
index 0000000..0ea3df9
--- /dev/null
+++ b/queue-4.14/power-supply-generic-adc-battery-fix-possible-use-af.patch
@@ -0,0 +1,43 @@
+From 0a011cbd6f1b7f93400ba7ae7fcf756cc04c840b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:17:06 +0800
+Subject: power: supply: generic-adc-battery: fix possible use-after-free in
+ gab_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/generic-adc-battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c
+index 371b5ec70087..c5bde3c24c31 100644
+--- a/drivers/power/supply/generic-adc-battery.c
++++ b/drivers/power/supply/generic-adc-battery.c
+@@ -384,7 +384,7 @@ static int gab_remove(struct platform_device *pdev)
+       }
+ 
+       kfree(adc_bat->psy_desc.properties);
+-      cancel_delayed_work(&adc_bat->bat_work);
++      cancel_delayed_work_sync(&adc_bat->bat_work);
+       return 0;
+ }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.14/power-supply-s3c_adc_battery-fix-possible-use-after-.patch b/queue-4.14/power-supply-s3c_adc_battery-fix-possible-use-after-.patch
new file mode 100644 (file)
index 0000000..cf5a078
--- /dev/null
+++ b/queue-4.14/power-supply-s3c_adc_battery-fix-possible-use-after-.patch
@@ -0,0 +1,44 @@
+From f3020a90a219f5e923d6bbc77710f13bb7636b32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:19:03 +0800
+Subject: power: supply: s3c_adc_battery: fix possible use-after-free in
+ s3c_adc_bat_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/s3c_adc_battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/s3c_adc_battery.c b/drivers/power/supply/s3c_adc_battery.c
+index 0ffe5cd3abf6..06b412c43aa7 100644
+--- a/drivers/power/supply/s3c_adc_battery.c
++++ b/drivers/power/supply/s3c_adc_battery.c
+@@ -392,7 +392,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev)
+               gpio_free(pdata->gpio_charge_finished);
+       }
+ 
+-      cancel_delayed_work(&bat_work);
++      cancel_delayed_work_sync(&bat_work);
+ 
+       if (pdata->exit)
+               pdata->exit();
+-- 
+2.30.2
+

diff --git a/queue-4.14/power-supply-use-irqf_oneshot.patch b/queue-4.14/power-supply-use-irqf_oneshot.patch
new file mode 100644 (file)
index 0000000..4a566e3
--- /dev/null
+++ b/queue-4.14/power-supply-use-irqf_oneshot.patch
@@ -0,0 +1,83 @@
+From 94dc39300c5f305ccc5cd7443e08168844eea944 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 19:21:33 +0800
+Subject: power: supply: Use IRQF_ONESHOT
+
+From: dongjian <dongjian@yulong.com>
+
+[ Upstream commit 2469b836fa835c67648acad17d62bc805236a6ea ]
+
+Fixes coccicheck error:
+
+drivers/power/supply/pm2301_charger.c:1089:7-27: ERROR:
+drivers/power/supply/lp8788-charger.c:502:8-28: ERROR:
+drivers/power/supply/tps65217_charger.c:239:8-33: ERROR:
+drivers/power/supply/tps65090-charger.c:303:8-33: ERROR:
+
+Threaded IRQ with no primary handler requested without IRQF_ONESHOT
+
+Signed-off-by: dongjian <dongjian@yulong.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/lp8788-charger.c   | 2 +-
+ drivers/power/supply/pm2301_charger.c   | 2 +-
+ drivers/power/supply/tps65090-charger.c | 2 +-
+ drivers/power/supply/tps65217_charger.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/power/supply/lp8788-charger.c b/drivers/power/supply/lp8788-charger.c
+index b8f7dac7ac3f..6dcabbeccde1 100644
+--- a/drivers/power/supply/lp8788-charger.c
++++ b/drivers/power/supply/lp8788-charger.c
+@@ -529,7 +529,7 @@ static int lp8788_set_irqs(struct platform_device *pdev,
+ 
+               ret = request_threaded_irq(virq, NULL,
+                                       lp8788_charger_irq_thread,
+-                                      0, name, pchg);
++                                      IRQF_ONESHOT, name, pchg);
+               if (ret)
+                       break;
+       }
+diff --git a/drivers/power/supply/pm2301_charger.c b/drivers/power/supply/pm2301_charger.c
+index 78561b6884fc..9ef218d76aa9 100644
+--- a/drivers/power/supply/pm2301_charger.c
++++ b/drivers/power/supply/pm2301_charger.c
+@@ -1098,7 +1098,7 @@ static int pm2xxx_wall_charger_probe(struct i2c_client *i2c_client,
+       ret = request_threaded_irq(gpio_to_irq(pm2->pdata->gpio_irq_number),
+                               NULL,
+                               pm2xxx_charger_irq[0].isr,
+-                              pm2->pdata->irq_type,
++                              pm2->pdata->irq_type | IRQF_ONESHOT,
+                               pm2xxx_charger_irq[0].name, pm2);
+ 
+       if (ret != 0) {
+diff --git a/drivers/power/supply/tps65090-charger.c b/drivers/power/supply/tps65090-charger.c
+index 1b4b5e09538e..297bf58f0d4f 100644
+--- a/drivers/power/supply/tps65090-charger.c
++++ b/drivers/power/supply/tps65090-charger.c
+@@ -311,7 +311,7 @@ static int tps65090_charger_probe(struct platform_device *pdev)
+ 
+       if (irq != -ENXIO) {
+               ret = devm_request_threaded_irq(&pdev->dev, irq, NULL,
+-                      tps65090_charger_isr, 0, "tps65090-charger", cdata);
++                      tps65090_charger_isr, IRQF_ONESHOT, "tps65090-charger", cdata);
+               if (ret) {
+                       dev_err(cdata->dev,
+                               "Unable to register irq %d err %d\n", irq,
+diff --git a/drivers/power/supply/tps65217_charger.c b/drivers/power/supply/tps65217_charger.c
+index 1f5234098aaf..7295c1b13f93 100644
+--- a/drivers/power/supply/tps65217_charger.c
++++ b/drivers/power/supply/tps65217_charger.c
+@@ -250,7 +250,7 @@ static int tps65217_charger_probe(struct platform_device *pdev)
+       for (i = 0; i < NUM_CHARGER_IRQS; i++) {
+               ret = devm_request_threaded_irq(&pdev->dev, irq[i], NULL,
+                                               tps65217_charger_irq,
+-                                              0, "tps65217-charger",
++                                              IRQF_ONESHOT, "tps65217-charger",
+                                               charger);
+               if (ret) {
+                       dev_err(charger->dev,
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-libfc-fix-a-format-specifier.patch b/queue-4.14/scsi-libfc-fix-a-format-specifier.patch
new file mode 100644 (file)
index 0000000..789781e
--- /dev/null
+++ b/queue-4.14/scsi-libfc-fix-a-format-specifier.patch
@@ -0,0 +1,45 @@
+From 37af80b41cc2ea770294371937ef17c39c3ecfa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 15:08:13 -0700
+Subject: scsi: libfc: Fix a format specifier
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 90d6697810f06aceea9de71ad836a8c7669789cd ]
+
+Since the 'mfs' member has been declared as 'u32' in include/scsi/libfc.h,
+use the %u format specifier instead of %hu. This patch fixes the following
+clang compiler warning:
+
+warning: format specifies type
+      'unsigned short' but the argument has type 'u32' (aka 'unsigned int')
+      [-Wformat]
+                             "lport->mfs:%hu\n", mfs, lport->mfs);
+                                         ~~~          ^~~~~~~~~~
+                                         %u
+
+Link: https://lore.kernel.org/r/20210415220826.29438-8-bvanassche@acm.org
+Cc: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_lport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index ca7967e390f1..5c0aa2c5fd55 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1754,7 +1754,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ 
+       if (mfs < FC_SP_MIN_MAX_PAYLOAD || mfs > FC_SP_MAX_MAX_PAYLOAD) {
+               FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+-                           "lport->mfs:%hu\n", mfs, lport->mfs);
++                           "lport->mfs:%u\n", mfs, lport->mfs);
+               fc_lport_error(lport, fp);
+               goto out;
+       }
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch b/queue-4.14/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
new file mode 100644 (file)
index 0000000..3df3d02
--- /dev/null
+++ b/queue-4.14/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
@@ -0,0 +1,60 @@
+From 2adbcd769bfd3d413da5b1f6915bd716dff8c63e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:13 -0700
+Subject: scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO
+ response
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit fffd18ec6579c2d9c72b212169259062fe747888 ]
+
+Fix a crash caused by a double put on the node when the driver completed an
+ACC for an unsolicted abort on the same node.  The second put was executed
+by lpfc_nlp_not_used() and is wrong because the completion routine executes
+the nlp_put when the iocbq was released.  Additionally, the driver is
+issuing a LOGO then immediately calls lpfc_nlp_set_state to put the node
+into NPR.  This call does nothing.
+
+Remove the lpfc_nlp_not_used call and additional set_state in the
+completion routine.  Remove the lpfc_nlp_set_state post issue_logo.  Isn't
+necessary.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-3-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 2 --
+ drivers/scsi/lpfc/lpfc_sli.c       | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 40c6d6eacea9..da6685700b04 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -1707,8 +1707,6 @@ lpfc_cmpl_reglogin_reglogin_issue(struct lpfc_vport *vport,
+               ndlp->nlp_last_elscmd = ELS_CMD_PLOGI;
+ 
+               lpfc_issue_els_logo(vport, ndlp, 0);
+-              ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE;
+-              lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);
+               return ndlp->nlp_state;
+       }
+ 
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 45445dafc80c..27578816d852 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -16637,7 +16637,6 @@ lpfc_sli4_seq_abort_rsp_cmpl(struct lpfc_hba *phba,
+       if (cmd_iocbq) {
+               ndlp = (struct lpfc_nodelist *)cmd_iocbq->context1;
+               lpfc_nlp_put(ndlp);
+-              lpfc_nlp_not_used(ndlp);
+               lpfc_sli_release_iocbq(phba, cmd_iocbq);
+       }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch b/queue-4.14/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch
new file mode 100644 (file)
index 0000000..f36a132
--- /dev/null
+++ b/queue-4.14/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch
@@ -0,0 +1,41 @@
+From ea8fadb6cd776f0c1613cb08d7146871d05c34af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 09:18:00 -0800
+Subject: scsi: lpfc: Fix incorrect dbde assignment when building target abts
+ wqe
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 9302154c07bff4e7f7f43c506a1ac84540303d06 ]
+
+The wqe_dbde field indicates whether a Data BDE is present in Words 0:2 and
+should therefore should be clear in the abts request wqe. By setting the
+bit we can be misleading fw into error cases.
+
+Clear the wqe_dbde field.
+
+Link: https://lore.kernel.org/r/20210301171821.3427-2-jsmart2021@gmail.com
+Co-developed-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nvmet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c
+index eacdcb931bda..fa0d0d15e82c 100644
+--- a/drivers/scsi/lpfc/lpfc_nvmet.c
++++ b/drivers/scsi/lpfc/lpfc_nvmet.c
+@@ -2554,7 +2554,6 @@ lpfc_nvmet_unsol_issue_abort(struct lpfc_hba *phba,
+       bf_set(wqe_rcvoxid, &wqe_abts->xmit_sequence.wqe_com, xri);
+ 
+       /* Word 10 */
+-      bf_set(wqe_dbde, &wqe_abts->xmit_sequence.wqe_com, 1);
+       bf_set(wqe_iod, &wqe_abts->xmit_sequence.wqe_com, LPFC_WQE_IOD_WRITE);
+       bf_set(wqe_lenloc, &wqe_abts->xmit_sequence.wqe_com,
+              LPFC_WQE_LENLOC_WORD12);
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch b/queue-4.14/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch
new file mode 100644 (file)
index 0000000..1384ee8
--- /dev/null
+++ b/queue-4.14/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch
@@ -0,0 +1,50 @@
+From 017429a91e30c1016d1c9b277397936c1586f9e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 09:18:06 -0800
+Subject: scsi: lpfc: Fix pt2pt connection does not recover after LOGO
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit bd4f5100424d17d4e560d6653902ef8e49b2fc1f ]
+
+On a pt2pt setup, between 2 initiators, if one side issues a a LOGO, there
+is no relogin attempt. The FC specs are grey in this area on which port
+(higher wwn or not) is to re-login.
+
+As there is no spec guidance, unconditionally re-PLOGI after the logout to
+ensure a login is re-established.
+
+Link: https://lore.kernel.org/r/20210301171821.3427-8-jsmart2021@gmail.com
+Co-developed-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 96411754aa43..40c6d6eacea9 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -708,9 +708,14 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+               }
+       } else if ((!(ndlp->nlp_type & NLP_FABRIC) &&
+               ((ndlp->nlp_type & NLP_FCP_TARGET) ||
+-              !(ndlp->nlp_type & NLP_FCP_INITIATOR))) ||
++              (ndlp->nlp_type & NLP_NVME_TARGET) ||
++              (vport->fc_flag & FC_PT2PT))) ||
+               (ndlp->nlp_state == NLP_STE_ADISC_ISSUE)) {
+-              /* Only try to re-login if this is NOT a Fabric Node */
++              /* Only try to re-login if this is NOT a Fabric Node
++               * AND the remote NPORT is a FCP/NVME Target or we
++               * are in pt2pt mode. NLP_STE_ADISC_ISSUE is a special
++               * case for LOGO as a response to ADISC behavior.
++               */
+               mod_timer(&ndlp->nlp_delayfunc,
+                         jiffies + msecs_to_jiffies(1000 * 1));
+               spin_lock_irq(shost->host_lock);
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch b/queue-4.14/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch
new file mode 100644 (file)
index 0000000..6558988
--- /dev/null
+++ b/queue-4.14/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch
@@ -0,0 +1,431 @@
+From e0c86ba69c872cb975fb728f33d241610d801d09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:22 -0700
+Subject: scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit b62232ba8caccaf1954e197058104a6478fac1af ]
+
+SLI-4 does not contain a PORT_CAPABILITIES mailbox command (only SLI-3
+does, and SLI-3 doesn't use it), yet there are SLI-4 code paths that have
+code to issue the command.  The command will always fail.
+
+Remove the code for the mailbox command and leave only the resulting
+"failure path" logic.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-12-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_crtn.h |   3 -
+ drivers/scsi/lpfc/lpfc_hw4.h  | 174 +---------------------------------
+ drivers/scsi/lpfc/lpfc_init.c | 103 +-------------------
+ drivers/scsi/lpfc/lpfc_mbox.c |  36 -------
+ 4 files changed, 3 insertions(+), 313 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h
+index 7e300734b345..697e87a25f38 100644
+--- a/drivers/scsi/lpfc/lpfc_crtn.h
++++ b/drivers/scsi/lpfc/lpfc_crtn.h
+@@ -56,9 +56,6 @@ void lpfc_register_new_vport(struct lpfc_hba *, struct lpfc_vport *,
+ void lpfc_unreg_vpi(struct lpfc_hba *, uint16_t, LPFC_MBOXQ_t *);
+ void lpfc_init_link(struct lpfc_hba *, LPFC_MBOXQ_t *, uint32_t, uint32_t);
+ void lpfc_request_features(struct lpfc_hba *, struct lpfcMboxq *);
+-void lpfc_supported_pages(struct lpfcMboxq *);
+-void lpfc_pc_sli4_params(struct lpfcMboxq *);
+-int lpfc_pc_sli4_params_get(struct lpfc_hba *, LPFC_MBOXQ_t *);
+ int lpfc_sli4_mbox_rsrc_extent(struct lpfc_hba *, struct lpfcMboxq *,
+                          uint16_t, uint16_t, bool);
+ int lpfc_get_sli4_parameters(struct lpfc_hba *, LPFC_MBOXQ_t *);
+diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h
+index 2b145966c73f..f44cdc0153a5 100644
+--- a/drivers/scsi/lpfc/lpfc_hw4.h
++++ b/drivers/scsi/lpfc/lpfc_hw4.h
+@@ -121,6 +121,7 @@ struct lpfc_sli_intf {
+ /* Define SLI4 Alignment requirements. */
+ #define LPFC_ALIGN_16_BYTE    16
+ #define LPFC_ALIGN_64_BYTE    64
++#define SLI4_PAGE_SIZE                4096
+ 
+ /* Define SLI4 specific definitions. */
+ #define LPFC_MQ_CQE_BYTE_OFFSET       256
+@@ -2788,62 +2789,6 @@ struct lpfc_mbx_request_features {
+ #define lpfc_mbx_rq_ftr_rsp_mrqp_WORD         word3
+ };
+ 
+-struct lpfc_mbx_supp_pages {
+-      uint32_t word1;
+-#define qs_SHIFT                              0
+-#define qs_MASK                                       0x00000001
+-#define qs_WORD                                       word1
+-#define wr_SHIFT                              1
+-#define wr_MASK                               0x00000001
+-#define wr_WORD                                       word1
+-#define pf_SHIFT                              8
+-#define pf_MASK                                       0x000000ff
+-#define pf_WORD                                       word1
+-#define cpn_SHIFT                             16
+-#define cpn_MASK                              0x000000ff
+-#define cpn_WORD                              word1
+-      uint32_t word2;
+-#define list_offset_SHIFT                     0
+-#define list_offset_MASK                      0x000000ff
+-#define list_offset_WORD                      word2
+-#define next_offset_SHIFT                     8
+-#define next_offset_MASK                      0x000000ff
+-#define next_offset_WORD                      word2
+-#define elem_cnt_SHIFT                                16
+-#define elem_cnt_MASK                         0x000000ff
+-#define elem_cnt_WORD                         word2
+-      uint32_t word3;
+-#define pn_0_SHIFT                            24
+-#define pn_0_MASK                             0x000000ff
+-#define pn_0_WORD                             word3
+-#define pn_1_SHIFT                            16
+-#define pn_1_MASK                             0x000000ff
+-#define pn_1_WORD                             word3
+-#define pn_2_SHIFT                            8
+-#define pn_2_MASK                             0x000000ff
+-#define pn_2_WORD                             word3
+-#define pn_3_SHIFT                            0
+-#define pn_3_MASK                             0x000000ff
+-#define pn_3_WORD                             word3
+-      uint32_t word4;
+-#define pn_4_SHIFT                            24
+-#define pn_4_MASK                             0x000000ff
+-#define pn_4_WORD                             word4
+-#define pn_5_SHIFT                            16
+-#define pn_5_MASK                             0x000000ff
+-#define pn_5_WORD                             word4
+-#define pn_6_SHIFT                            8
+-#define pn_6_MASK                             0x000000ff
+-#define pn_6_WORD                             word4
+-#define pn_7_SHIFT                            0
+-#define pn_7_MASK                             0x000000ff
+-#define pn_7_WORD                             word4
+-      uint32_t rsvd[27];
+-#define LPFC_SUPP_PAGES                       0
+-#define LPFC_BLOCK_GUARD_PROFILES     1
+-#define LPFC_SLI4_PARAMETERS          2
+-};
+-
+ struct lpfc_mbx_memory_dump_type3 {
+       uint32_t word1;
+ #define lpfc_mbx_memory_dump_type3_type_SHIFT    0
+@@ -3060,121 +3005,6 @@ struct user_eeprom {
+       uint8_t reserved191[57];
+ };
+ 
+-struct lpfc_mbx_pc_sli4_params {
+-      uint32_t word1;
+-#define qs_SHIFT                              0
+-#define qs_MASK                                       0x00000001
+-#define qs_WORD                                       word1
+-#define wr_SHIFT                              1
+-#define wr_MASK                                       0x00000001
+-#define wr_WORD                                       word1
+-#define pf_SHIFT                              8
+-#define pf_MASK                                       0x000000ff
+-#define pf_WORD                                       word1
+-#define cpn_SHIFT                             16
+-#define cpn_MASK                              0x000000ff
+-#define cpn_WORD                              word1
+-      uint32_t word2;
+-#define if_type_SHIFT                         0
+-#define if_type_MASK                          0x00000007
+-#define if_type_WORD                          word2
+-#define sli_rev_SHIFT                         4
+-#define sli_rev_MASK                          0x0000000f
+-#define sli_rev_WORD                          word2
+-#define sli_family_SHIFT                      8
+-#define sli_family_MASK                               0x000000ff
+-#define sli_family_WORD                               word2
+-#define featurelevel_1_SHIFT                  16
+-#define featurelevel_1_MASK                   0x000000ff
+-#define featurelevel_1_WORD                   word2
+-#define featurelevel_2_SHIFT                  24
+-#define featurelevel_2_MASK                   0x0000001f
+-#define featurelevel_2_WORD                   word2
+-      uint32_t word3;
+-#define fcoe_SHIFT                            0
+-#define fcoe_MASK                             0x00000001
+-#define fcoe_WORD                             word3
+-#define fc_SHIFT                              1
+-#define fc_MASK                                       0x00000001
+-#define fc_WORD                                       word3
+-#define nic_SHIFT                             2
+-#define nic_MASK                              0x00000001
+-#define nic_WORD                              word3
+-#define iscsi_SHIFT                           3
+-#define iscsi_MASK                            0x00000001
+-#define iscsi_WORD                            word3
+-#define rdma_SHIFT                            4
+-#define rdma_MASK                             0x00000001
+-#define rdma_WORD                             word3
+-      uint32_t sge_supp_len;
+-#define SLI4_PAGE_SIZE 4096
+-      uint32_t word5;
+-#define if_page_sz_SHIFT                      0
+-#define if_page_sz_MASK                               0x0000ffff
+-#define if_page_sz_WORD                               word5
+-#define loopbk_scope_SHIFT                    24
+-#define loopbk_scope_MASK                     0x0000000f
+-#define loopbk_scope_WORD                     word5
+-#define rq_db_window_SHIFT                    28
+-#define rq_db_window_MASK                     0x0000000f
+-#define rq_db_window_WORD                     word5
+-      uint32_t word6;
+-#define eq_pages_SHIFT                                0
+-#define eq_pages_MASK                         0x0000000f
+-#define eq_pages_WORD                         word6
+-#define eqe_size_SHIFT                                8
+-#define eqe_size_MASK                         0x000000ff
+-#define eqe_size_WORD                         word6
+-      uint32_t word7;
+-#define cq_pages_SHIFT                                0
+-#define cq_pages_MASK                         0x0000000f
+-#define cq_pages_WORD                         word7
+-#define cqe_size_SHIFT                                8
+-#define cqe_size_MASK                         0x000000ff
+-#define cqe_size_WORD                         word7
+-      uint32_t word8;
+-#define mq_pages_SHIFT                                0
+-#define mq_pages_MASK                         0x0000000f
+-#define mq_pages_WORD                         word8
+-#define mqe_size_SHIFT                                8
+-#define mqe_size_MASK                         0x000000ff
+-#define mqe_size_WORD                         word8
+-#define mq_elem_cnt_SHIFT                     16
+-#define mq_elem_cnt_MASK                      0x000000ff
+-#define mq_elem_cnt_WORD                      word8
+-      uint32_t word9;
+-#define wq_pages_SHIFT                                0
+-#define wq_pages_MASK                         0x0000ffff
+-#define wq_pages_WORD                         word9
+-#define wqe_size_SHIFT                                8
+-#define wqe_size_MASK                         0x000000ff
+-#define wqe_size_WORD                         word9
+-      uint32_t word10;
+-#define rq_pages_SHIFT                                0
+-#define rq_pages_MASK                         0x0000ffff
+-#define rq_pages_WORD                         word10
+-#define rqe_size_SHIFT                                8
+-#define rqe_size_MASK                         0x000000ff
+-#define rqe_size_WORD                         word10
+-      uint32_t word11;
+-#define hdr_pages_SHIFT                               0
+-#define hdr_pages_MASK                                0x0000000f
+-#define hdr_pages_WORD                                word11
+-#define hdr_size_SHIFT                                8
+-#define hdr_size_MASK                         0x0000000f
+-#define hdr_size_WORD                         word11
+-#define hdr_pp_align_SHIFT                    16
+-#define hdr_pp_align_MASK                     0x0000ffff
+-#define hdr_pp_align_WORD                     word11
+-      uint32_t word12;
+-#define sgl_pages_SHIFT                               0
+-#define sgl_pages_MASK                                0x0000000f
+-#define sgl_pages_WORD                                word12
+-#define sgl_pp_align_SHIFT                    16
+-#define sgl_pp_align_MASK                     0x0000ffff
+-#define sgl_pp_align_WORD                     word12
+-      uint32_t rsvd_13_63[51];
+-};
+ #define SLI4_PAGE_ALIGN(addr) (((addr)+((SLI4_PAGE_SIZE)-1)) \
+                              &(~((SLI4_PAGE_SIZE)-1)))
+ 
+@@ -3710,8 +3540,6 @@ struct lpfc_mqe {
+               struct lpfc_mbx_post_hdr_tmpl hdr_tmpl;
+               struct lpfc_mbx_query_fw_config query_fw_cfg;
+               struct lpfc_mbx_set_beacon_config beacon_config;
+-              struct lpfc_mbx_supp_pages supp_pages;
+-              struct lpfc_mbx_pc_sli4_params sli4_params;
+               struct lpfc_mbx_get_sli4_parameters get_sli4_parameters;
+               struct lpfc_mbx_set_link_diag_state link_diag_state;
+               struct lpfc_mbx_set_link_diag_loopback link_diag_loopback;
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index 9fc5507ee39e..3e9574eede20 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -5807,8 +5807,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
+       LPFC_MBOXQ_t *mboxq;
+       MAILBOX_t *mb;
+       int rc, i, max_buf_size;
+-      uint8_t pn_page[LPFC_MAX_SUPPORTED_PAGES] = {0};
+-      struct lpfc_mqe *mqe;
+       int longs;
+       int fof_vectors = 0;
+       uint64_t wwn;
+@@ -6096,32 +6094,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
+ 
+       lpfc_nvme_mod_param_dep(phba);
+ 
+-      /* Get the Supported Pages if PORT_CAPABILITIES is supported by port. */
+-      lpfc_supported_pages(mboxq);
+-      rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL);
+-      if (!rc) {
+-              mqe = &mboxq->u.mqe;
+-              memcpy(&pn_page[0], ((uint8_t *)&mqe->un.supp_pages.word3),
+-                     LPFC_MAX_SUPPORTED_PAGES);
+-              for (i = 0; i < LPFC_MAX_SUPPORTED_PAGES; i++) {
+-                      switch (pn_page[i]) {
+-                      case LPFC_SLI4_PARAMETERS:
+-                              phba->sli4_hba.pc_sli4_params.supported = 1;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+-              }
+-              /* Read the port's SLI4 Parameters capabilities if supported. */
+-              if (phba->sli4_hba.pc_sli4_params.supported)
+-                      rc = lpfc_pc_sli4_params_get(phba, mboxq);
+-              if (rc) {
+-                      mempool_free(mboxq, phba->mbox_mem_pool);
+-                      rc = -EIO;
+-                      goto out_free_bsmbx;
+-              }
+-      }
+-
+       /*
+        * Get sli4 parameters that override parameters from Port capabilities.
+        * If this call fails, it isn't critical unless the SLI4 parameters come
+@@ -10237,78 +10209,6 @@ lpfc_sli4_hba_unset(struct lpfc_hba *phba)
+       phba->pport->work_port_events = 0;
+ }
+ 
+- /**
+- * lpfc_pc_sli4_params_get - Get the SLI4_PARAMS port capabilities.
+- * @phba: Pointer to HBA context object.
+- * @mboxq: Pointer to the mailboxq memory for the mailbox command response.
+- *
+- * This function is called in the SLI4 code path to read the port's
+- * sli4 capabilities.
+- *
+- * This function may be be called from any context that can block-wait
+- * for the completion.  The expectation is that this routine is called
+- * typically from probe_one or from the online routine.
+- **/
+-int
+-lpfc_pc_sli4_params_get(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq)
+-{
+-      int rc;
+-      struct lpfc_mqe *mqe;
+-      struct lpfc_pc_sli4_params *sli4_params;
+-      uint32_t mbox_tmo;
+-
+-      rc = 0;
+-      mqe = &mboxq->u.mqe;
+-
+-      /* Read the port's SLI4 Parameters port capabilities */
+-      lpfc_pc_sli4_params(mboxq);
+-      if (!phba->sli4_hba.intr_enable)
+-              rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL);
+-      else {
+-              mbox_tmo = lpfc_mbox_tmo_val(phba, mboxq);
+-              rc = lpfc_sli_issue_mbox_wait(phba, mboxq, mbox_tmo);
+-      }
+-
+-      if (unlikely(rc))
+-              return 1;
+-
+-      sli4_params = &phba->sli4_hba.pc_sli4_params;
+-      sli4_params->if_type = bf_get(if_type, &mqe->un.sli4_params);
+-      sli4_params->sli_rev = bf_get(sli_rev, &mqe->un.sli4_params);
+-      sli4_params->sli_family = bf_get(sli_family, &mqe->un.sli4_params);
+-      sli4_params->featurelevel_1 = bf_get(featurelevel_1,
+-                                           &mqe->un.sli4_params);
+-      sli4_params->featurelevel_2 = bf_get(featurelevel_2,
+-                                           &mqe->un.sli4_params);
+-      sli4_params->proto_types = mqe->un.sli4_params.word3;
+-      sli4_params->sge_supp_len = mqe->un.sli4_params.sge_supp_len;
+-      sli4_params->if_page_sz = bf_get(if_page_sz, &mqe->un.sli4_params);
+-      sli4_params->rq_db_window = bf_get(rq_db_window, &mqe->un.sli4_params);
+-      sli4_params->loopbk_scope = bf_get(loopbk_scope, &mqe->un.sli4_params);
+-      sli4_params->eq_pages_max = bf_get(eq_pages, &mqe->un.sli4_params);
+-      sli4_params->eqe_size = bf_get(eqe_size, &mqe->un.sli4_params);
+-      sli4_params->cq_pages_max = bf_get(cq_pages, &mqe->un.sli4_params);
+-      sli4_params->cqe_size = bf_get(cqe_size, &mqe->un.sli4_params);
+-      sli4_params->mq_pages_max = bf_get(mq_pages, &mqe->un.sli4_params);
+-      sli4_params->mqe_size = bf_get(mqe_size, &mqe->un.sli4_params);
+-      sli4_params->mq_elem_cnt = bf_get(mq_elem_cnt, &mqe->un.sli4_params);
+-      sli4_params->wq_pages_max = bf_get(wq_pages, &mqe->un.sli4_params);
+-      sli4_params->wqe_size = bf_get(wqe_size, &mqe->un.sli4_params);
+-      sli4_params->rq_pages_max = bf_get(rq_pages, &mqe->un.sli4_params);
+-      sli4_params->rqe_size = bf_get(rqe_size, &mqe->un.sli4_params);
+-      sli4_params->hdr_pages_max = bf_get(hdr_pages, &mqe->un.sli4_params);
+-      sli4_params->hdr_size = bf_get(hdr_size, &mqe->un.sli4_params);
+-      sli4_params->hdr_pp_align = bf_get(hdr_pp_align, &mqe->un.sli4_params);
+-      sli4_params->sgl_pages_max = bf_get(sgl_pages, &mqe->un.sli4_params);
+-      sli4_params->sgl_pp_align = bf_get(sgl_pp_align, &mqe->un.sli4_params);
+-
+-      /* Make sure that sge_supp_len can be handled by the driver */
+-      if (sli4_params->sge_supp_len > LPFC_MAX_SGE_SIZE)
+-              sli4_params->sge_supp_len = LPFC_MAX_SGE_SIZE;
+-
+-      return rc;
+-}
+-
+ /**
+  * lpfc_get_sli4_parameters - Get the SLI4 Config PARAMETERS.
+  * @phba: Pointer to HBA context object.
+@@ -10366,7 +10266,8 @@ lpfc_get_sli4_parameters(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq)
+       else
+               phba->sli3_options &= ~LPFC_SLI4_PHWQ_ENABLED;
+       sli4_params->sge_supp_len = mbx_sli4_parameters->sge_supp_len;
+-      sli4_params->loopbk_scope = bf_get(loopbk_scope, mbx_sli4_parameters);
++      sli4_params->loopbk_scope = bf_get(cfg_loopbk_scope,
++                                         mbx_sli4_parameters);
+       sli4_params->oas_supported = bf_get(cfg_oas, mbx_sli4_parameters);
+       sli4_params->cqv = bf_get(cfg_cqv, mbx_sli4_parameters);
+       sli4_params->mqv = bf_get(cfg_mqv, mbx_sli4_parameters);
+diff --git a/drivers/scsi/lpfc/lpfc_mbox.c b/drivers/scsi/lpfc/lpfc_mbox.c
+index 81fb92967b11..afad9cc18d88 100644
+--- a/drivers/scsi/lpfc/lpfc_mbox.c
++++ b/drivers/scsi/lpfc/lpfc_mbox.c
+@@ -2620,39 +2620,3 @@ lpfc_resume_rpi(struct lpfcMboxq *mbox, struct lpfc_nodelist *ndlp)
+       resume_rpi->event_tag = ndlp->phba->fc_eventTag;
+ }
+ 
+-/**
+- * lpfc_supported_pages - Initialize the PORT_CAPABILITIES supported pages
+- *                        mailbox command.
+- * @mbox: pointer to lpfc mbox command to initialize.
+- *
+- * The PORT_CAPABILITIES supported pages mailbox command is issued to
+- * retrieve the particular feature pages supported by the port.
+- **/
+-void
+-lpfc_supported_pages(struct lpfcMboxq *mbox)
+-{
+-      struct lpfc_mbx_supp_pages *supp_pages;
+-
+-      memset(mbox, 0, sizeof(*mbox));
+-      supp_pages = &mbox->u.mqe.un.supp_pages;
+-      bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES);
+-      bf_set(cpn, supp_pages, LPFC_SUPP_PAGES);
+-}
+-
+-/**
+- * lpfc_pc_sli4_params - Initialize the PORT_CAPABILITIES SLI4 Params mbox cmd.
+- * @mbox: pointer to lpfc mbox command to initialize.
+- *
+- * The PORT_CAPABILITIES SLI4 parameters mailbox command is issued to
+- * retrieve the particular SLI4 features supported by the port.
+- **/
+-void
+-lpfc_pc_sli4_params(struct lpfcMboxq *mbox)
+-{
+-      struct lpfc_mbx_pc_sli4_params *sli4_params;
+-
+-      memset(mbox, 0, sizeof(*mbox));
+-      sli4_params = &mbox->u.mqe.un.sli4_params;
+-      bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES);
+-      bf_set(cpn, sli4_params, LPFC_SLI4_PARAMETERS);
+-}
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch b/queue-4.14/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
new file mode 100644 (file)
index 0000000..8f24bc0
--- /dev/null
+++ b/queue-4.14/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
@@ -0,0 +1,60 @@
+From 8db025cc08e7548166e43c3baf896fd599dcd497 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Mar 2021 16:23:58 -0700
+Subject: scsi: qla2xxx: Always check the return value of
+ qla24xx_get_isp_stats()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a2b2cc660822cae08c351c7f6b452bfd1330a4f7 ]
+
+This patch fixes the following Coverity warning:
+
+    CID 361199 (#1 of 1): Unchecked return value (CHECKED_RETURN)
+    3. check_return: Calling qla24xx_get_isp_stats without checking return
+    value (as is done elsewhere 4 out of 5 times).
+
+Link: https://lore.kernel.org/r/20210320232359.941-7-bvanassche@acm.org
+Cc: Quinn Tran <qutran@marvell.com>
+Cc: Mike Christie <michael.christie@oracle.com>
+Cc: Himanshu Madhani <himanshu.madhani@oracle.com>
+Cc: Daniel Wagner <dwagner@suse.de>
+Cc: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 656253285db9..dbfd703d0f46 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -1914,6 +1914,8 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost)
+       vha->qla_stats.jiffies_at_last_reset = get_jiffies_64();
+ 
+       if (IS_FWI2_CAPABLE(ha)) {
++              int rval;
++
+               stats = dma_alloc_coherent(&ha->pdev->dev,
+                   sizeof(*stats), &stats_dma, GFP_KERNEL);
+               if (!stats) {
+@@ -1923,7 +1925,11 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost)
+               }
+ 
+               /* reset firmware statistics */
+-              qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0);
++              rval = qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0);
++              if (rval != QLA_SUCCESS)
++                      ql_log(ql_log_warn, vha, 0x70de,
++                             "Resetting ISP statistics failed: rval = %d\n",
++                             rval);
+ 
+               dma_free_coherent(&ha->pdev->dev, sizeof(*stats),
+                   stats, stats_dma);
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-qla2xxx-fix-use-after-free-in-bsg.patch b/queue-4.14/scsi-qla2xxx-fix-use-after-free-in-bsg.patch
new file mode 100644 (file)
index 0000000..fc0b042
--- /dev/null
+++ b/queue-4.14/scsi-qla2xxx-fix-use-after-free-in-bsg.patch
@@ -0,0 +1,61 @@
+From 0532f9cc5287358e065937f30890874f7e2c972c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 01:52:22 -0700
+Subject: scsi: qla2xxx: Fix use after free in bsg
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit 2ce35c0821afc2acd5ee1c3f60d149f8b2520ce8 ]
+
+On bsg command completion, bsg_job_done() was called while qla driver
+continued to access the bsg_job buffer. bsg_job_done() would free up
+resources that ended up being reused by other task while the driver
+continued to access the buffers. As a result, driver was reading garbage
+data.
+
+localhost kernel: BUG: KASAN: use-after-free in sg_next+0x64/0x80
+localhost kernel: Read of size 8 at addr ffff8883228a3330 by task swapper/26/0
+localhost kernel:
+localhost kernel: CPU: 26 PID: 0 Comm: swapper/26 Kdump:
+loaded Tainted: G          OE    --------- -  - 4.18.0-193.el8.x86_64+debug #1
+localhost kernel: Hardware name: HP ProLiant DL360
+Gen9/ProLiant DL360 Gen9, BIOS P89 08/12/2016
+localhost kernel: Call Trace:
+localhost kernel: <IRQ>
+localhost kernel: dump_stack+0x9a/0xf0
+localhost kernel: print_address_description.cold.3+0x9/0x23b
+localhost kernel: kasan_report.cold.4+0x65/0x95
+localhost kernel: debug_dma_unmap_sg.part.12+0x10d/0x2d0
+localhost kernel: qla2x00_bsg_sp_free+0xaf6/0x1010 [qla2xxx]
+
+Link: https://lore.kernel.org/r/20210329085229.4367-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
+index c1ca21a88a09..06063a841726 100644
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -19,10 +19,11 @@ qla2x00_bsg_job_done(void *ptr, int res)
+       struct bsg_job *bsg_job = sp->u.bsg_job;
+       struct fc_bsg_reply *bsg_reply = bsg_job->reply;
+ 
++      sp->free(sp);
++
+       bsg_reply->result = res;
+       bsg_job_done(bsg_job, bsg_reply->result,
+                      bsg_reply->reply_payload_rcv_len);
+-      sp->free(sp);
+ }
+ 
+ void
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch b/queue-4.14/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
new file mode 100644 (file)
index 0000000..b37a952
--- /dev/null
+++ b/queue-4.14/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
@@ -0,0 +1,42 @@
+From 325768e3f4235ec154ae38968a2ce3e802faa710 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 16:11:54 -0400
+Subject: scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+[ Upstream commit bc3f2b42b70eb1b8576e753e7d0e117bbb674496 ]
+
+Some arrays return ILLEGAL_REQUEST with ASC 00h if they don't support the
+RTPG extended header so remove the check for INVALID FIELD IN CDB.
+
+Link: https://lore.kernel.org/r/20210331201154.20348-1-emilne@redhat.com
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index ba68454109ba..2cf5579a9ad9 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -560,10 +560,11 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
+                * even though it shouldn't according to T10.
+                * The retry without rtpg_ext_hdr_req set
+                * handles this.
++               * Note:  some arrays return a sense key of ILLEGAL_REQUEST
++               * with ASC 00h if they don't support the extended header.
+                */
+               if (!(pg->flags & ALUA_RTPG_EXT_HDR_UNSUPP) &&
+-                  sense_hdr.sense_key == ILLEGAL_REQUEST &&
+-                  sense_hdr.asc == 0x24 && sense_hdr.ascq == 0) {
++                  sense_hdr.sense_key == ILLEGAL_REQUEST) {
+                       pg->flags |= ALUA_RTPG_EXT_HDR_UNSUPP;
+                       goto retry;
+               }
+-- 
+2.30.2
+

diff --git a/queue-4.14/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch b/queue-4.14/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
new file mode 100644 (file)
index 0000000..94d103b
--- /dev/null
+++ b/queue-4.14/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
@@ -0,0 +1,46 @@
+From 2c89ecace8a69a916c4732d1d4eaad3c51f3680b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Feb 2021 21:56:26 -0800
+Subject: scsi: target: pscsi: Fix warning in pscsi_complete_cmd()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+
+[ Upstream commit fd48c056a32ed6e7754c7c475490f3bed54ed378 ]
+
+This fixes a compilation warning in pscsi_complete_cmd():
+
+     drivers/target/target_core_pscsi.c: In function ‘pscsi_complete_cmd’:
+     drivers/target/target_core_pscsi.c:624:5: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+     ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
+
+Link: https://lore.kernel.org/r/20210228055645.22253-5-chaitanya.kulkarni@wdc.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pscsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index f80b31b35a0d..a127608a4809 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -633,8 +633,9 @@ static void pscsi_complete_cmd(struct se_cmd *cmd, u8 scsi_status,
+                       unsigned char *buf;
+ 
+                       buf = transport_kmap_data_sg(cmd);
+-                      if (!buf)
++                      if (!buf) {
+                               ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
++                      }
+ 
+                       if (cdb[0] == MODE_SENSE_10) {
+                               if (!(buf[3] & 0x80))
+-- 
+2.30.2
+

diff --git a/queue-4.14/series b/queue-4.14/series
index 59c14898619f13f7b6108f106358b78e29d9255e..60eb1b3da230d82c706d765f9e7a48cc13663426 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -27,3 +27,46 @@ cifs-return-correct-error-code-from-smb2_get_enc_key.patch
 btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch
 intel_th-pci-add-rocket-lake-cpu-support.patch
 fbdev-zero-fill-colormap-in-fbcmap.c.patch
+staging-wimax-i2400m-fix-byte-order-issue.patch
+crypto-api-check-for-err-pointers-in-crypto_destroy_.patch
+usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
+usb-gadget-f_uac1-validate-input-parameters.patch
+usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
+usb-xhci-fix-port-minor-revision.patch
+pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
+x86-build-propagate-clang_flags-to-realmode_flags.patch
+tee-optee-do-not-check-memref-size-on-return-from-se.patch
+perf-arm_pmu_platform-fix-error-handling.patch
+spi-dln2-fix-reference-leak-to-master.patch
+spi-omap-100k-fix-reference-leak-to-master.patch
+intel_th-consistency-and-off-by-one-fix.patch
+phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
+btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
+scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch
+scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch
+scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
+media-ite-cir-check-for-receive-overflow.patch
+power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch
+extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
+media-media-saa7164-fix-saa7164_encoder_register-mem.patch
+media-gspca-sq905.c-fix-uninitialized-variable.patch
+power-supply-use-irqf_oneshot.patch
+drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch
+scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
+scsi-qla2xxx-fix-use-after-free-in-bsg.patch
+scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
+media-em28xx-fix-memory-leak.patch
+media-vivid-update-edid.patch
+clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
+power-supply-generic-adc-battery-fix-possible-use-af.patch
+power-supply-s3c_adc_battery-fix-possible-use-after-.patch
+media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
+media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
+media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
+media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
+media-gscpa-stv06xx-fix-memory-leak.patch
+drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
+drm-amdgpu-fix-null-pointer-dereference.patch
+scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
+scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch
+scsi-libfc-fix-a-format-specifier.patch

diff --git a/queue-4.14/spi-dln2-fix-reference-leak-to-master.patch b/queue-4.14/spi-dln2-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..3940abc
--- /dev/null
+++ b/queue-4.14/spi-dln2-fix-reference-leak-to-master.patch
@@ -0,0 +1,40 @@
+From fbe5cb376de4756fc63a932a5aae42b92c69ec92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:55 +0000
+Subject: spi: dln2: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9b844b087124c1538d05f40fda8a4fec75af55be ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082955.2907950-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dln2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dln2.c b/drivers/spi/spi-dln2.c
+index b62a99caacc0..a41adea48618 100644
+--- a/drivers/spi/spi-dln2.c
++++ b/drivers/spi/spi-dln2.c
+@@ -783,7 +783,7 @@ exit_free_master:
+ 
+ static int dln2_spi_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct dln2_spi *dln2 = spi_master_get_devdata(master);
+ 
+       pm_runtime_disable(&pdev->dev);
+-- 
+2.30.2
+

diff --git a/queue-4.14/spi-omap-100k-fix-reference-leak-to-master.patch b/queue-4.14/spi-omap-100k-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..347fddb
--- /dev/null
+++ b/queue-4.14/spi-omap-100k-fix-reference-leak-to-master.patch
@@ -0,0 +1,58 @@
+From 943eff25652df5078687a1350c9dc769f8dc658f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:54 +0000
+Subject: spi: omap-100k: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit a23faea76d4cf5f75decb574491e66f9ecd707e7 ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082954.2906933-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index 76a8425be227..1eccdc4a4581 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -435,7 +435,7 @@ err:
+ 
+ static int omap1_spi100k_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+ 
+       pm_runtime_disable(&pdev->dev);
+@@ -449,7 +449,7 @@ static int omap1_spi100k_remove(struct platform_device *pdev)
+ #ifdef CONFIG_PM
+ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+ 
+       clk_disable_unprepare(spi100k->ick);
+@@ -460,7 +460,7 @@ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ 
+ static int omap1_spi100k_runtime_resume(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       int ret;
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.14/staging-wimax-i2400m-fix-byte-order-issue.patch b/queue-4.14/staging-wimax-i2400m-fix-byte-order-issue.patch
new file mode 100644 (file)
index 0000000..f6e551d
--- /dev/null
+++ b/queue-4.14/staging-wimax-i2400m-fix-byte-order-issue.patch
@@ -0,0 +1,36 @@
+From 237bdaea5e4876dc36de9e3084a80ec489fa2ffe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Feb 2021 21:01:05 +0530
+Subject: staging: wimax/i2400m: fix byte-order issue
+
+From: karthik alapati <mail@karthek.com>
+
+[ Upstream commit 0c37baae130df39b19979bba88bde2ee70a33355 ]
+
+fix sparse byte-order warnings by converting host byte-order
+type to __le16 byte-order types before assigning to hdr.length
+
+Signed-off-by: karthik alapati <mail@karthek.com>
+Link: https://lore.kernel.org/r/0ae5c5c4c646506d8be871e7be5705542671a1d5.1613921277.git.mail@karthek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c
+index dc6fe93ce71f..e8473047b2d1 100644
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -101,7 +101,7 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev,
+       if (cmd == NULL)
+               goto error_alloc;
+       cmd->hdr.type = cpu_to_le16(I2400M_MT_CMD_RF_CONTROL);
+-      cmd->hdr.length = sizeof(cmd->sw_rf);
++      cmd->hdr.length = cpu_to_le16(sizeof(cmd->sw_rf));
+       cmd->hdr.version = cpu_to_le16(I2400M_L3L4_VERSION);
+       cmd->sw_rf.hdr.type = cpu_to_le16(I2400M_TLV_RF_OPERATION);
+       cmd->sw_rf.hdr.length = cpu_to_le16(sizeof(cmd->sw_rf.status));
+-- 
+2.30.2
+

diff --git a/queue-4.14/tee-optee-do-not-check-memref-size-on-return-from-se.patch b/queue-4.14/tee-optee-do-not-check-memref-size-on-return-from-se.patch
new file mode 100644 (file)
index 0000000..85dfd46
--- /dev/null
+++ b/queue-4.14/tee-optee-do-not-check-memref-size-on-return-from-se.patch
@@ -0,0 +1,54 @@
+From 625c4ac72dbccfa1d8edf0fc239bcfc25125374d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 11:40:37 +0100
+Subject: tee: optee: do not check memref size on return from Secure World
+
+From: Jerome Forissier <jerome@forissier.org>
+
+[ Upstream commit c650b8dc7a7910eb25af0aac1720f778b29e679d ]
+
+When Secure World returns, it may have changed the size attribute of the
+memory references passed as [in/out] parameters. The GlobalPlatform TEE
+Internal Core API specification does not restrict the values that this
+size can take. In particular, Secure World may increase the value to be
+larger than the size of the input buffer to indicate that it needs more.
+
+Therefore, the size check in optee_from_msg_param() is incorrect and
+needs to be removed. This fixes a number of failed test cases in the
+GlobalPlatform TEE Initial Configuratiom Test Suite v2_0_0_0-2017_06_09
+when OP-TEE is compiled without dynamic shared memory support
+(CFG_CORE_DYN_SHM=n).
+
+Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
+Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Jerome Forissier <jerome@forissier.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tee/optee/core.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
+index 834884c370c5..63187b07dde0 100644
+--- a/drivers/tee/optee/core.c
++++ b/drivers/tee/optee/core.c
+@@ -86,16 +86,6 @@ int optee_from_msg_param(struct tee_param *params, size_t num_params,
+                               return rc;
+                       p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa;
+                       p->u.memref.shm = shm;
+-
+-                      /* Check that the memref is covered by the shm object */
+-                      if (p->u.memref.size) {
+-                              size_t o = p->u.memref.shm_offs +
+-                                         p->u.memref.size - 1;
+-
+-                              rc = tee_shm_get_pa(shm, o, NULL);
+-                              if (rc)
+-                                      return rc;
+-                      }
+                       break;
+               default:
+                       return -EINVAL;
+-- 
+2.30.2
+

diff --git a/queue-4.14/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch b/queue-4.14/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
new file mode 100644 (file)
index 0000000..bdccc19
--- /dev/null
+++ b/queue-4.14/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
@@ -0,0 +1,48 @@
+From 8b9ddff2a1d7695702ae964e8cd7be4fa6464d77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 02:31:25 -0700
+Subject: usb: dwc3: gadget: Ignore EP queue requests during bus reset
+
+From: Wesley Cheng <wcheng@codeaurora.org>
+
+[ Upstream commit 71ca43f30df9c642970f9dc9b2d6f463f4967e7b ]
+
+The current dwc3_gadget_reset_interrupt() will stop any active
+transfers, but only addresses blocking of EP queuing for while we are
+coming from a disconnected scenario, i.e. after receiving the disconnect
+event.  If the host decides to issue a bus reset on the device, the
+connected parameter will still be set to true, allowing for EP queuing
+to continue while we are disabling the functions.  To avoid this, set the
+connected flag to false until the stop active transfers is complete.
+
+Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
+Link: https://lore.kernel.org/r/1616146285-19149-3-git-send-email-wcheng@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 510ed406fb0b..909e8aafd580 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2695,6 +2695,15 @@ static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
+ 
+       dwc->connected = true;
+ 
++      /*
++       * Ideally, dwc3_reset_gadget() would trigger the function
++       * drivers to stop any active transfers through ep disable.
++       * However, for functions which defer ep disable, such as mass
++       * storage, we will need to rely on the call to stop active
++       * transfers here, and avoid allowing of request queuing.
++       */
++      dwc->connected = false;
++
+       /*
+        * WORKAROUND: DWC3 revisions <1.88a have an issue which
+        * would cause a missing Disconnect Event if there's a
+-- 
+2.30.2
+

diff --git a/queue-4.14/usb-gadget-f_uac1-validate-input-parameters.patch b/queue-4.14/usb-gadget-f_uac1-validate-input-parameters.patch
new file mode 100644 (file)
index 0000000..131854a
--- /dev/null
+++ b/queue-4.14/usb-gadget-f_uac1-validate-input-parameters.patch
@@ -0,0 +1,113 @@
+From c1a7dbe66aae9cf2d8163eccc025859c0c38d404 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 13:49:34 +0200
+Subject: usb: gadget: f_uac1: validate input parameters
+
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+
+[ Upstream commit a59c68a6a3d1b18e2494f526eb19893a34fa6ec6 ]
+
+Currently user can configure UAC1 function with
+parameters that violate UAC1 spec or are not supported
+by UAC1 gadget implementation.
+
+This can lead to incorrect behavior if such gadget
+is connected to the host - like enumeration failure
+or other issues depending on host's UAC1 driver
+implementation, bringing user to a long hours
+of debugging the issue.
+
+Instead of silently accept these parameters, throw
+an error if they are not valid.
+
+Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Link: https://lore.kernel.org/r/1614599375-8803-5-git-send-email-ruslan.bilovol@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac1.c | 43 ++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c
+index 3f4ee28e7896..edbb3b9a9709 100644
+--- a/drivers/usb/gadget/function/f_uac1.c
++++ b/drivers/usb/gadget/function/f_uac1.c
+@@ -23,6 +23,9 @@
+ #include "u_audio.h"
+ #include "u_uac1.h"
+ 
++/* UAC1 spec: 3.7.2.3 Audio Channel Cluster Format */
++#define UAC1_CHANNEL_MASK 0x0FFF
++
+ struct f_uac1 {
+       struct g_audio g_audio;
+       u8 ac_intf, as_in_intf, as_out_intf;
+@@ -34,6 +37,11 @@ static inline struct f_uac1 *func_to_uac1(struct usb_function *f)
+       return container_of(f, struct f_uac1, g_audio.func);
+ }
+ 
++static inline struct f_uac1_opts *g_audio_to_uac1_opts(struct g_audio *audio)
++{
++      return container_of(audio->func.fi, struct f_uac1_opts, func_inst);
++}
++
+ /*
+  * DESCRIPTORS ... most are static, but strings and full
+  * configuration descriptors are built on demand.
+@@ -509,11 +517,42 @@ static void f_audio_disable(struct usb_function *f)
+ 
+ /*-------------------------------------------------------------------------*/
+ 
++static int f_audio_validate_opts(struct g_audio *audio, struct device *dev)
++{
++      struct f_uac1_opts *opts = g_audio_to_uac1_opts(audio);
++
++      if (!opts->p_chmask && !opts->c_chmask) {
++              dev_err(dev, "Error: no playback and capture channels\n");
++              return -EINVAL;
++      } else if (opts->p_chmask & ~UAC1_CHANNEL_MASK) {
++              dev_err(dev, "Error: unsupported playback channels mask\n");
++              return -EINVAL;
++      } else if (opts->c_chmask & ~UAC1_CHANNEL_MASK) {
++              dev_err(dev, "Error: unsupported capture channels mask\n");
++              return -EINVAL;
++      } else if ((opts->p_ssize < 1) || (opts->p_ssize > 4)) {
++              dev_err(dev, "Error: incorrect playback sample size\n");
++              return -EINVAL;
++      } else if ((opts->c_ssize < 1) || (opts->c_ssize > 4)) {
++              dev_err(dev, "Error: incorrect capture sample size\n");
++              return -EINVAL;
++      } else if (!opts->p_srate) {
++              dev_err(dev, "Error: incorrect playback sampling rate\n");
++              return -EINVAL;
++      } else if (!opts->c_srate) {
++              dev_err(dev, "Error: incorrect capture sampling rate\n");
++              return -EINVAL;
++      }
++
++      return 0;
++}
++
+ /* audio function driver setup/binding */
+ static int f_audio_bind(struct usb_configuration *c, struct usb_function *f)
+ {
+       struct usb_composite_dev        *cdev = c->cdev;
+       struct usb_gadget               *gadget = cdev->gadget;
++      struct device                   *dev = &gadget->dev;
+       struct f_uac1                   *uac1 = func_to_uac1(f);
+       struct g_audio                  *audio = func_to_g_audio(f);
+       struct f_uac1_opts              *audio_opts;
+@@ -523,6 +562,10 @@ static int f_audio_bind(struct usb_configuration *c, struct usb_function *f)
+       int                             rate;
+       int                             status;
+ 
++      status = f_audio_validate_opts(audio, dev);
++      if (status)
++              return status;
++
+       audio_opts = container_of(f->fi, struct f_uac1_opts, func_inst);
+ 
+       us = usb_gstrings_attach(cdev, uac1_strings, ARRAY_SIZE(strings_uac1));
+-- 
+2.30.2
+

diff --git a/queue-4.14/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch b/queue-4.14/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
new file mode 100644 (file)
index 0000000..089f768
--- /dev/null
+++ b/queue-4.14/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
@@ -0,0 +1,52 @@
+From 349b3fb433cd97ecb8ddbb1272ec1218c85a160e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 13:53:38 +0100
+Subject: usb: gadget: uvc: add bInterval checking for HS mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+[ Upstream commit 26adde04acdff14a1f28d4a5dce46a8513a3038b ]
+
+Patch adds extra checking for bInterval passed by configfs.
+The 5.6.4 chapter of USB Specification (rev. 2.0) say:
+"A high-bandwidth endpoint must specify a period of 1x125 µs
+(i.e., a bInterval value of 1)."
+
+The issue was observed during testing UVC class on CV.
+I treat this change as improvement because we can control
+bInterval by configfs.
+
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20210308125338.4824-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
+index f8a1881609a2..89da34ef7b3f 100644
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -625,7 +625,12 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
+ 
+       uvc_hs_streaming_ep.wMaxPacketSize =
+               cpu_to_le16(max_packet_size | ((max_packet_mult - 1) << 11));
+-      uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
++
++      /* A high-bandwidth endpoint must specify a bInterval value of 1 */
++      if (max_packet_mult > 1)
++              uvc_hs_streaming_ep.bInterval = 1;
++      else
++              uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
+ 
+       uvc_ss_streaming_ep.wMaxPacketSize = cpu_to_le16(max_packet_size);
+       uvc_ss_streaming_ep.bInterval = opts->streaming_interval;
+-- 
+2.30.2
+

diff --git a/queue-4.14/usb-xhci-fix-port-minor-revision.patch b/queue-4.14/usb-xhci-fix-port-minor-revision.patch
new file mode 100644 (file)
index 0000000..bfb24d1
--- /dev/null
+++ b/queue-4.14/usb-xhci-fix-port-minor-revision.patch
@@ -0,0 +1,51 @@
+From 5b4308995f898d3d3e3b07e3c2b4a165b8217d3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 19:43:21 -0800
+Subject: usb: xhci: Fix port minor revision
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit 64364bc912c01b33bba6c22e3ccb849bfca96398 ]
+
+Some hosts incorrectly use sub-minor version for minor version (i.e.
+0x02 instead of 0x20 for bcdUSB 0x320 and 0x01 for bcdUSB 0x310).
+Currently the xHCI driver works around this by just checking for minor
+revision > 0x01 for USB 3.1 everywhere. With the addition of USB 3.2,
+checking this gets a bit cumbersome. Since there is no USB release with
+bcdUSB 0x301 to 0x309, we can assume that sub-minor version 01 to 09 is
+incorrect. Let's try to fix this and use the minor revision that matches
+with the USB/xHCI spec to help with the version checking within the
+driver.
+
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/ed330e95a19dc367819c5b4d78bf7a541c35aa0a.1615432770.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 70452c881e56..5fd1e95f5400 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2085,6 +2085,15 @@ static void xhci_add_in_port(struct xhci_hcd *xhci, unsigned int num_ports,
+ 
+       if (major_revision == 0x03) {
+               rhub = &xhci->usb3_rhub;
++              /*
++               * Some hosts incorrectly use sub-minor version for minor
++               * version (i.e. 0x02 instead of 0x20 for bcdUSB 0x320 and 0x01
++               * for bcdUSB 0x310). Since there is no USB release with sub
++               * minor version 0x301 to 0x309, we can assume that they are
++               * incorrect and fix it here.
++               */
++              if (minor_revision > 0x00 && minor_revision < 0x10)
++                      minor_revision <<= 4;
+       } else if (major_revision <= 0x02) {
+               rhub = &xhci->usb2_rhub;
+       } else {
+-- 
+2.30.2
+

diff --git a/queue-4.14/x86-build-propagate-clang_flags-to-realmode_flags.patch b/queue-4.14/x86-build-propagate-clang_flags-to-realmode_flags.patch
new file mode 100644 (file)
index 0000000..0b2dcf0
--- /dev/null
+++ b/queue-4.14/x86-build-propagate-clang_flags-to-realmode_flags.patch
@@ -0,0 +1,66 @@
+From 06d6614d3ba6f520b81957605f429a0cf469ec91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:04:33 -0700
+Subject: x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Millikin <john@john-millikin.com>
+
+[ Upstream commit 8abe7fc26ad8f28bfdf78adbed56acd1fa93f82d ]
+
+When cross-compiling with Clang, the `$(CLANG_FLAGS)' variable
+contains additional flags needed to build C and assembly sources
+for the target platform. Normally this variable is automatically
+included in `$(KBUILD_CFLAGS)' via the top-level Makefile.
+
+The x86 real-mode makefile builds `$(REALMODE_CFLAGS)' from a
+plain assignment and therefore drops the Clang flags. This causes
+Clang to not recognize x86-specific assembler directives:
+
+  arch/x86/realmode/rm/header.S:36:1: error: unknown directive
+  .type real_mode_header STT_OBJECT ; .size real_mode_header, .-real_mode_header
+  ^
+
+Explicit propagation of `$(CLANG_FLAGS)' to `$(REALMODE_CFLAGS)',
+which is inherited by real-mode make rules, fixes cross-compilation
+with Clang for x86 targets.
+
+Relevant flags:
+
+* `--target' sets the target architecture when cross-compiling. This
+  flag must be set for both compilation and assembly (`KBUILD_AFLAGS')
+  to support architecture-specific assembler directives.
+
+* `-no-integrated-as' tells clang to assemble with GNU Assembler
+  instead of its built-in LLVM assembler. This flag is set by default
+  unless `LLVM_IAS=1' is set, because the LLVM assembler can't yet
+  parse certain GNU extensions.
+
+Signed-off-by: John Millikin <john@john-millikin.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Link: https://lkml.kernel.org/r/20210326000435.4785-2-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 146aadeb7c8e..844d5a72d2ad 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -41,6 +41,7 @@ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4))
++REALMODE_CFLAGS += $(CLANG_FLAGS)
+ export REALMODE_CFLAGS
+ 
+ # BITS is used as extension for files which are available in a 32 bit
+-- 
+2.30.2
+