4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 14:14:54 +0000 (16:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 14:14:54 +0000 (16:14 +0200)
added patches:
asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch
ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
power-supply-ab8500-fix-an-old-bug.patch
qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch

queue-4.9/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch [new file with mode: 0644]
queue-4.9/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch [new file with mode: 0644]
queue-4.9/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch [new file with mode: 0644]
queue-4.9/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch [new file with mode: 0644]
queue-4.9/power-supply-ab8500-fix-an-old-bug.patch [new file with mode: 0644]
queue-4.9/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch [new file with mode: 0644]
queue-4.9/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch b/queue-4.9/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
new file mode 100644 (file)
index 0000000..ba76203
--- /dev/null
@@ -0,0 +1,131 @@
+From f6eb84fa596abf28959fc7e0b626f925eb1196c7 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sat, 29 May 2021 18:46:46 +0300
+Subject: ASoC: tegra: Set driver_name=tegra for all machine drivers
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit f6eb84fa596abf28959fc7e0b626f925eb1196c7 upstream.
+
+The driver_name="tegra" is now required by the newer ALSA UCMs, otherwise
+Tegra UCMs don't match by the path/name.
+
+All Tegra machine drivers are specifying the card's name, but it has no
+effect if model name is specified in the device-tree since it overrides
+the card's name. We need to set the driver_name to "tegra" in order to
+get a usable lookup path for the updated ALSA UCMs. The new UCM lookup
+path has a form of driver_name/card_name.
+
+The old lookup paths that are based on driver module name continue to
+work as before. Note that UCM matching never worked for Tegra ASoC drivers
+if they were compiled as built-in, this is fixed by supporting the new
+naming scheme.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Link: https://lore.kernel.org/r/20210529154649.25936-2-digetx@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/tegra/tegra_alc5632.c  |    1 +
+ sound/soc/tegra/tegra_max98090.c |    1 +
+ sound/soc/tegra/tegra_rt5640.c   |    1 +
+ sound/soc/tegra/tegra_rt5677.c   |    1 +
+ sound/soc/tegra/tegra_sgtl5000.c |    1 +
+ sound/soc/tegra/tegra_wm8753.c   |    1 +
+ sound/soc/tegra/tegra_wm8903.c   |    1 +
+ sound/soc/tegra/tegra_wm9712.c   |    1 +
+ sound/soc/tegra/trimslice.c      |    1 +
+ 9 files changed, 9 insertions(+)
+
+--- a/sound/soc/tegra/tegra_alc5632.c
++++ b/sound/soc/tegra/tegra_alc5632.c
+@@ -149,6 +149,7 @@ static struct snd_soc_dai_link tegra_alc
+ static struct snd_soc_card snd_soc_tegra_alc5632 = {
+       .name = "tegra-alc5632",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .remove = tegra_alc5632_card_remove,
+       .dai_link = &tegra_alc5632_dai,
+--- a/sound/soc/tegra/tegra_max98090.c
++++ b/sound/soc/tegra/tegra_max98090.c
+@@ -205,6 +205,7 @@ static struct snd_soc_dai_link tegra_max
+ static struct snd_soc_card snd_soc_tegra_max98090 = {
+       .name = "tegra-max98090",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .remove = tegra_max98090_card_remove,
+       .dai_link = &tegra_max98090_dai,
+--- a/sound/soc/tegra/tegra_rt5640.c
++++ b/sound/soc/tegra/tegra_rt5640.c
+@@ -150,6 +150,7 @@ static struct snd_soc_dai_link tegra_rt5
+ static struct snd_soc_card snd_soc_tegra_rt5640 = {
+       .name = "tegra-rt5640",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .remove = tegra_rt5640_card_remove,
+       .dai_link = &tegra_rt5640_dai,
+--- a/sound/soc/tegra/tegra_rt5677.c
++++ b/sound/soc/tegra/tegra_rt5677.c
+@@ -198,6 +198,7 @@ static struct snd_soc_dai_link tegra_rt5
+ static struct snd_soc_card snd_soc_tegra_rt5677 = {
+       .name = "tegra-rt5677",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .remove = tegra_rt5677_card_remove,
+       .dai_link = &tegra_rt5677_dai,
+--- a/sound/soc/tegra/tegra_sgtl5000.c
++++ b/sound/soc/tegra/tegra_sgtl5000.c
+@@ -103,6 +103,7 @@ static struct snd_soc_dai_link tegra_sgt
+ static struct snd_soc_card snd_soc_tegra_sgtl5000 = {
+       .name = "tegra-sgtl5000",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_sgtl5000_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm8753.c
++++ b/sound/soc/tegra/tegra_wm8753.c
+@@ -110,6 +110,7 @@ static struct snd_soc_dai_link tegra_wm8
+ static struct snd_soc_card snd_soc_tegra_wm8753 = {
+       .name = "tegra-wm8753",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm8753_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm8903.c
++++ b/sound/soc/tegra/tegra_wm8903.c
+@@ -228,6 +228,7 @@ static struct snd_soc_dai_link tegra_wm8
+ static struct snd_soc_card snd_soc_tegra_wm8903 = {
+       .name = "tegra-wm8903",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm8903_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm9712.c
++++ b/sound/soc/tegra/tegra_wm9712.c
+@@ -59,6 +59,7 @@ static struct snd_soc_dai_link tegra_wm9
+ static struct snd_soc_card snd_soc_tegra_wm9712 = {
+       .name = "tegra-wm9712",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm9712_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/trimslice.c
++++ b/sound/soc/tegra/trimslice.c
+@@ -103,6 +103,7 @@ static struct snd_soc_dai_link trimslice
+ static struct snd_soc_card snd_soc_trimslice = {
+       .name = "tegra-trimslice",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &trimslice_tlv320aic23_dai,
+       .num_links = 1,
diff --git a/queue-4.9/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch b/queue-4.9/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch
new file mode 100644 (file)
index 0000000..9450012
--- /dev/null
@@ -0,0 +1,60 @@
+From b6e58b5466b2959f83034bead2e2e1395cca8aeb Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Thu, 17 Jun 2021 15:45:47 +0800
+Subject: dm btree remove: assign new_root only when removal succeeds
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit b6e58b5466b2959f83034bead2e2e1395cca8aeb upstream.
+
+remove_raw() in dm_btree_remove() may fail due to IO read error
+(e.g. read the content of origin block fails during shadowing),
+and the value of shadow_spine::root is uninitialized, but
+the uninitialized value is still assign to new_root in the
+end of dm_btree_remove().
+
+For dm-thin, the value of pmd->details_root or pmd->root will become
+an uninitialized value, so if trying to read details_info tree again
+out-of-bound memory may occur as showed below:
+
+  general protection fault, probably for non-canonical address 0x3fdcb14c8d7520
+  CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6
+  Hardware name: QEMU Standard PC
+  RIP: 0010:metadata_ll_load_ie+0x14/0x30
+  Call Trace:
+   sm_metadata_count_is_more_than_one+0xb9/0xe0
+   dm_tm_shadow_block+0x52/0x1c0
+   shadow_step+0x59/0xf0
+   remove_raw+0xb2/0x170
+   dm_btree_remove+0xf4/0x1c0
+   dm_pool_delete_thin_device+0xc3/0x140
+   pool_message+0x218/0x2b0
+   target_message+0x251/0x290
+   ctl_ioctl+0x1c4/0x4d0
+   dm_ctl_ioctl+0xe/0x20
+   __x64_sys_ioctl+0x7b/0xb0
+   do_syscall_64+0x40/0xb0
+   entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixing it by only assign new_root when removal succeeds
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/persistent-data/dm-btree-remove.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree-remove.c
++++ b/drivers/md/persistent-data/dm-btree-remove.c
+@@ -549,7 +549,8 @@ int dm_btree_remove(struct dm_btree_info
+               delete_at(n, index);
+       }
+-      *new_root = shadow_root(&spine);
++      if (!r)
++              *new_root = shadow_root(&spine);
+       exit_shadow_spine(&spine);
+       return r;
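Review bot: The new `if (!r)` guard at the tail of dm_btree_remove() leaves `*new_root` unwritten on failure, and nothing in the visible lines tells callers so. The commit message traces the fault to an uninitialised shadow_spine root being handed back, so I would state the contract next to the guard, e.g. `/* On error *new_root is left untouched; the spine root may be uninitialised. */`. It is also worth checking that every caller tests the return value before using its root variable. The function starts outside this hunk, so the loop that sets `r` cannot be checked from here.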
diff --git a/queue-4.9/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch b/queue-4.9/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
new file mode 100644 (file)
index 0000000..4d5e1cd
--- /dev/null
@@ -0,0 +1,45 @@
+From 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 Mon Sep 17 00:00:00 2001
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Date: Mon, 24 May 2021 02:32:05 -0700
+Subject: ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+commit 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 upstream.
+
+In the out_err_bus_register error branch of tpci200_pci_probe,
+tpci200->info->cfg_regs is freed by tpci200_uninstall()->
+tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
+in the first time.
+
+But later, iounmap() is called to free tpci200->info->cfg_regs
+again.
+
+My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall()
+to avoid the double free.
+
+Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Link: https://lore.kernel.org/r/20210524093205.8333-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/carriers/tpci200.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/ipack/carriers/tpci200.c
++++ b/drivers/ipack/carriers/tpci200.c
+@@ -591,8 +591,11 @@ static int tpci200_pci_probe(struct pci_
+ out_err_bus_register:
+       tpci200_uninstall(tpci200);
++      /* tpci200->info->cfg_regs is unmapped in tpci200_uninstall */
++      tpci200->info->cfg_regs = NULL;
+ out_err_install:
+-      iounmap(tpci200->info->cfg_regs);
++      if (tpci200->info->cfg_regs)
++              iounmap(tpci200->info->cfg_regs);
+ out_err_ioremap:
+       pci_release_region(pdev, TPCI200_CFG_MEM_BAR);
+ out_err_pci_request:
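Review bot: After `out_err_bus_register` the error path still falls through `out_err_install` into `out_err_ioremap`, so `pci_release_region(pdev, TPCI200_CFG_MEM_BAR)` always runs after tpci200_uninstall(). If tpci200_unregister() also releases that region (its body is not visible here), the region would be released twice, the same pattern as the double unmap of cfg_regs. Clearing the pointer and testing it before `iounmap()` covers only that one resource. I would audit everything tpci200_uninstall() undoes against each label below it, and jump past the steps already done rather than rely on NULL sentinels. The probe function begins and ends outside the hunk.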
diff --git a/queue-4.9/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch b/queue-4.9/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
new file mode 100644 (file)
index 0000000..8af028d
--- /dev/null
@@ -0,0 +1,72 @@
+From 2253042d86f57d90a621ac2513a7a7a13afcf809 Mon Sep 17 00:00:00 2001
+From: Petr Pavlu <petr.pavlu@suse.com>
+Date: Thu, 13 May 2021 14:26:36 +0200
+Subject: ipmi/watchdog: Stop watchdog timer when the current action is 'none'
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+commit 2253042d86f57d90a621ac2513a7a7a13afcf809 upstream.
+
+When an IPMI watchdog timer is being stopped in ipmi_close() or
+ipmi_ioctl(WDIOS_DISABLECARD), the current watchdog action is updated to
+WDOG_TIMEOUT_NONE and _ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB) is called
+to install this action. The latter function ends up invoking
+__ipmi_set_timeout() which makes the actual 'Set Watchdog Timer' IPMI
+request.
+
+For IPMI 1.0, this operation results in fully stopping the watchdog timer.
+For IPMI >= 1.5, function __ipmi_set_timeout() always specifies the "don't
+stop" flag in the prepared 'Set Watchdog Timer' IPMI request. This causes
+that the watchdog timer has its action correctly updated to 'none' but the
+timer continues to run. A problem is that IPMI firmware can then still log
+an expiration event when the configured timeout is reached, which is
+unexpected because the watchdog timer was requested to be stopped.
+
+The patch fixes this problem by not setting the "don't stop" flag in
+__ipmi_set_timeout() when the current action is WDOG_TIMEOUT_NONE which
+results in stopping the watchdog timer. This makes the behaviour for
+IPMI >= 1.5 consistent with IPMI 1.0. It also matches the logic in
+__ipmi_heartbeat() which does not allow to reset the watchdog if the
+current action is WDOG_TIMEOUT_NONE as that would start the timer.
+
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Message-Id: <10a41bdc-9c99-089c-8d89-fa98ce5ea080@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_watchdog.c |   22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -393,16 +393,18 @@ static int i_ipmi_set_timeout(struct ipm
+       data[0] = 0;
+       WDOG_SET_TIMER_USE(data[0], WDOG_TIMER_USE_SMS_OS);
+-      if ((ipmi_version_major > 1)
+-          || ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) {
+-              /* This is an IPMI 1.5-only feature. */
+-              data[0] |= WDOG_DONT_STOP_ON_SET;
+-      } else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
+-              /*
+-               * In ipmi 1.0, setting the timer stops the watchdog, we
+-               * need to start it back up again.
+-               */
+-              hbnow = 1;
++      if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
++              if ((ipmi_version_major > 1) ||
++                  ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) {
++                      /* This is an IPMI 1.5-only feature. */
++                      data[0] |= WDOG_DONT_STOP_ON_SET;
++              } else {
++                      /*
++                       * In ipmi 1.0, setting the timer stops the watchdog, we
++                       * need to start it back up again.
++                       */
++                      hbnow = 1;
++              }
+       }
+       data[1] = 0;
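Review bot: The retained comment `/* This is an IPMI 1.5-only feature. */` sits under a condition that covers 1.5 and every later version, and the new outer test `if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE)` has no comment saying why the flag is skipped for 'none'. I would reword the inner comment to `/* "Don't stop" exists from IPMI 1.5 onwards. */` and add above the outer test `/* For action 'none' leave the flag clear so the set request stops the timer. */`. That reasoning is currently only in the commit message, so a later cleanup could fold the two conditions back together and reintroduce the spurious expiration events. i_ipmi_set_timeout() continues outside the hunk.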
diff --git a/queue-4.9/power-supply-ab8500-fix-an-old-bug.patch b/queue-4.9/power-supply-ab8500-fix-an-old-bug.patch
new file mode 100644 (file)
index 0000000..192b2b2
--- /dev/null
@@ -0,0 +1,38 @@
+From f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Sun, 27 Jun 2021 01:47:49 +0200
+Subject: power: supply: ab8500: Fix an old bug
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce upstream.
+
+Trying to get the AB8500 charging driver working I ran into a bit
+of bitrot: we haven't used the driver for a while so errors in
+refactorings won't be noticed.
+
+This one is pretty self evident: use argument to the macro or we
+end up with a random pointer to something else.
+
+Cc: stable@vger.kernel.org
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Marcus Cooper <codekipper@gmail.com>
+Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mfd/abx500/ux500_chargalg.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mfd/abx500/ux500_chargalg.h
++++ b/include/linux/mfd/abx500/ux500_chargalg.h
+@@ -15,7 +15,7 @@
+  * - POWER_SUPPLY_TYPE_USB,
+  * because only them store as drv_data pointer to struct ux500_charger.
+  */
+-#define psy_to_ux500_charger(x) power_supply_get_drvdata(psy)
++#define psy_to_ux500_charger(x) power_supply_get_drvdata(x)
+ /* Forward declaration */
+ struct ux500_charger;
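Review bot: psy_to_ux500_charger() stays a function-like macro, which is what let the stray `psy` in its body compile unnoticed by binding to whatever variable of that name the caller had in scope. A typed helper would turn that mistake into a compile error: `static inline struct ux500_charger *psy_to_ux500_charger(struct power_supply *psy) { return power_supply_get_drvdata(psy); }`, placed after the `struct ux500_charger;` forward declaration and assuming struct power_supply is declared at that point in the header. For a stable backport the one-character fix is the right size; the conversion is a suggestion for mainline.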
diff --git a/queue-4.9/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch b/queue-4.9/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
new file mode 100644 (file)
index 0000000..28a6ec3
--- /dev/null
@@ -0,0 +1,65 @@
+From fca41af18e10318e4de090db47d9fa7169e1bf2f Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Thu, 11 Feb 2021 12:42:58 -0700
+Subject: qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit fca41af18e10318e4de090db47d9fa7169e1bf2f upstream.
+
+fw_cfg_showrev() is called by an indirect call in kobj_attr_show(),
+which violates clang's CFI checking because fw_cfg_showrev()'s second
+parameter is 'struct attribute', whereas the ->show() member of 'struct
+kobj_structure' expects the second parameter to be of type 'struct
+kobj_attribute'.
+
+$ cat /sys/firmware/qemu_fw_cfg/rev
+3
+
+$ dmesg | grep "CFI failure"
+[   26.016832] CFI failure (target: fw_cfg_showrev+0x0/0x8):
+
+Fix this by converting fw_cfg_rev_attr to 'struct kobj_attribute' where
+this would have been caught automatically by the incompatible pointer
+types compiler warning. Update fw_cfg_showrev() accordingly.
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1299
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210211194258.4137998-1-nathan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/qemu_fw_cfg.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -192,15 +192,13 @@ static int fw_cfg_do_platform_probe(stru
+ /* fw_cfg revision attribute, in /sys/firmware/qemu_fw_cfg top-level dir. */
+ static u32 fw_cfg_rev;
+-static ssize_t fw_cfg_showrev(struct kobject *k, struct attribute *a, char *buf)
++static ssize_t fw_cfg_showrev(struct kobject *k, struct kobj_attribute *a,
++                            char *buf)
+ {
+       return sprintf(buf, "%u\n", fw_cfg_rev);
+ }
+-static const struct {
+-      struct attribute attr;
+-      ssize_t (*show)(struct kobject *k, struct attribute *a, char *buf);
+-} fw_cfg_rev_attr = {
++static const struct kobj_attribute fw_cfg_rev_attr = {
+       .attr = { .name = "rev", .mode = S_IRUSR },
+       .show = fw_cfg_showrev,
+ };
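Review bot: fw_cfg_showrev() still formats with an unbounded `sprintf(buf, ...)`. A `%u` of a u32 plus a newline cannot overrun the sysfs buffer, so this is not a defect. Still, `return scnprintf(buf, PAGE_SIZE, "%u\n", fw_cfg_rev);` states the bound at the call site and stays safe if the format is ever extended. The parameters `k` and `a` remain unused, which is expected for a show callback with this prototype.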
diff --git a/queue-4.9/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch b/queue-4.9/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch
new file mode 100644 (file)
index 0000000..459845b
--- /dev/null
@@ -0,0 +1,41 @@
+From d3b16034a24a112bb83aeb669ac5b9b01f744bb7 Mon Sep 17 00:00:00 2001
+From: Yun Zhou <yun.zhou@windriver.com>
+Date: Sat, 26 Jun 2021 11:21:55 +0800
+Subject: seq_buf: Fix overflow in seq_buf_putmem_hex()
+
+From: Yun Zhou <yun.zhou@windriver.com>
+
+commit d3b16034a24a112bb83aeb669ac5b9b01f744bb7 upstream.
+
+There's two variables being increased in that loop (i and j), and i
+follows the raw data, and j follows what is being written into the buffer.
+We should compare 'i' to MAX_MEMHEX_BYTES or compare 'j' to HEX_CHARS.
+Otherwise, if 'j' goes bigger than HEX_CHARS, it will overflow the
+destination buffer.
+
+Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/
+Link: https://lkml.kernel.org/r/20210626032156.47889-1-yun.zhou@windriver.com
+
+Cc: stable@vger.kernel.org
+Fixes: 5e3ca0ec76fce ("ftrace: introduce the "hex" output method")
+Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/seq_buf.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/seq_buf.c
++++ b/lib/seq_buf.c
+@@ -227,8 +227,10 @@ int seq_buf_putmem_hex(struct seq_buf *s
+       WARN_ON(s->size == 0);
++      BUILD_BUG_ON(MAX_MEMHEX_BYTES * 2 >= HEX_CHARS);
++
+       while (len) {
+-              start_len = min(len, HEX_CHARS - 1);
++              start_len = min(len, MAX_MEMHEX_BYTES);
+ #ifdef __BIG_ENDIAN
+               for (i = 0, j = 0; i < start_len; i++) {
+ #else
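Review bot: `min(len, MAX_MEMHEX_BYTES)` relies on both arguments having the same type, because the kernel's min() type-checks its operands. The definition of MAX_MEMHEX_BYTES is not in this hunk, so confirm in the 4.9 tree that it matches `len`, or use `min_t(unsigned int, len, MAX_MEMHEX_BYTES)` if `len` is an unsigned int. The added `BUILD_BUG_ON(MAX_MEMHEX_BYTES * 2 >= HEX_CHARS);` would also read better with a one-line comment such as `/* two hex digits per byte, plus room for at least one more char */`. The loop body that advances `j` lies outside the hunk, so the number of extra characters written per pass cannot be checked from here.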
index 6742b2f69770796b238f1d8d66ae1dab89e298cf..023394752ae67fa261109a25e204fe6e3a8e08c9 100644 (file)
@@ -164,3 +164,10 @@ pinctrl-amd-add-device-hid-for-new-amd-gpio-controller.patch
 mmc-sdhci-fix-warning-message-when-accessing-rpmb-in-hs400-mode.patch
 mmc-core-clear-flags-before-allowing-to-retune.patch
 ata-ahci_sunxi-disable-dipm.patch
+asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
+qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
+ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
+power-supply-ab8500-fix-an-old-bug.patch
+seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch
+ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
+dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch