Fixes for 4.9

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.9/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch b/queue-4.9/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
new file mode 100644 (file)
index 0000000..ce08b89
--- /dev/null
+++ b/queue-4.9/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
@@ -0,0 +1,48 @@
+From 281638f748b5af4d6303c7f417424b533f56d445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Mar 2021 15:25:21 -0500
+Subject: btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 7a9213a93546e7eaef90e6e153af6b8fc7553f10 ]
+
+A few BUG_ON()'s in replace_path are purely to keep us from making
+logical mistakes, so replace them with ASSERT()'s.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/relocation.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index cd5b86d80e7a..5caf4dbdd801 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1801,8 +1801,8 @@ int replace_path(struct btrfs_trans_handle *trans,
+       int ret;
+       int slot;
+ 
+-      BUG_ON(src->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+-      BUG_ON(dest->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(src->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(dest->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+ 
+       last_snapshot = btrfs_root_last_snapshot(&src->root_item);
+ again:
+@@ -1834,7 +1834,7 @@ again:
+       parent = eb;
+       while (1) {
+               level = btrfs_header_level(parent);
+-              BUG_ON(level < lowest_level);
++              ASSERT(level >= lowest_level);
+ 
+               ret = btrfs_bin_search(parent, &key, level, &slot);
+               if (ret && slot > 0)
+-- 
+2.30.2
+

diff --git a/queue-4.9/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch b/queue-4.9/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
new file mode 100644 (file)
index 0000000..9cb2f91
--- /dev/null
+++ b/queue-4.9/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
@@ -0,0 +1,38 @@
+From b28f07e41021c4ae433311b6b6ca2c5d8e7f8f5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 18:01:15 +0100
+Subject: clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 657d4d1934f75a2d978c3cf2086495eaa542e7a9 ]
+
+There is an error return path that is not kfree'ing socfpga_clk leading
+to a memory leak. Fix this by adding in the missing kfree call.
+
+Addresses-Coverity: ("Resource leak")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210406170115.430990-1-colin.king@canonical.com
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/socfpga/clk-gate-a10.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c
+index c2d572748167..7913dbedba89 100644
+--- a/drivers/clk/socfpga/clk-gate-a10.c
++++ b/drivers/clk/socfpga/clk-gate-a10.c
+@@ -157,6 +157,7 @@ static void __init __socfpga_gate_init(struct device_node *node,
+               if (IS_ERR(socfpga_clk->sys_mgr_base_addr)) {
+                       pr_err("%s: failed to find altr,sys-mgr regmap!\n",
+                                       __func__);
++                      kfree(socfpga_clk);
+                       return;
+               }
+       }
+-- 
+2.30.2
+

diff --git a/queue-4.9/drm-amdgpu-fix-null-pointer-dereference.patch b/queue-4.9/drm-amdgpu-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..2d623fb
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-fix-null-pointer-dereference.patch
@@ -0,0 +1,60 @@
+From 6413a0b7c1ed372d53ed87774f67ba1078106e14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 17:52:18 +0800
+Subject: drm/amdgpu: fix NULL pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 3c3dc654333f6389803cdcaf03912e94173ae510 ]
+
+ttm->sg needs to be checked before accessing its child member.
+
+Call Trace:
+ amdgpu_ttm_backend_destroy+0x12/0x70 [amdgpu]
+ ttm_bo_cleanup_memtype_use+0x3a/0x60 [ttm]
+ ttm_bo_release+0x17d/0x300 [ttm]
+ amdgpu_bo_unref+0x1a/0x30 [amdgpu]
+ amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x78b/0x8b0 [amdgpu]
+ kfd_ioctl_alloc_memory_of_gpu+0x118/0x220 [amdgpu]
+ kfd_ioctl+0x222/0x400 [amdgpu]
+ ? kfd_dev_is_large_bar+0x90/0x90 [amdgpu]
+ __x64_sys_ioctl+0x8e/0xd0
+ ? __context_tracking_exit+0x52/0x90
+ do_syscall_64+0x33/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7f97f264d317
+Code: b3 66 90 48 8b 05 71 4b 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 41 4b 2d 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffdb402c338 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f97f3cc63a0 RCX: 00007f97f264d317
+RDX: 00007ffdb402c380 RSI: 00000000c0284b16 RDI: 0000000000000003
+RBP: 00007ffdb402c380 R08: 00007ffdb402c428 R09: 00000000c4000004
+R10: 00000000c4000004 R11: 0000000000000246 R12: 00000000c0284b16
+R13: 0000000000000003 R14: 00007f97f3cc63a0 R15: 00007f8836200000
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+index 80c60a62d39e..7271e3f32d82 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -652,7 +652,7 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_tt *ttm)
+               DMA_BIDIRECTIONAL : DMA_TO_DEVICE;
+ 
+       /* double check that we don't free the table twice */
+-      if (!ttm->sg->sgl)
++      if (!ttm->sg || !ttm->sg->sgl)
+               return;
+ 
+       /* free the sg table and pages again */
+-- 
+2.30.2
+

diff --git a/queue-4.9/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch b/queue-4.9/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
new file mode 100644 (file)
index 0000000..55b1e36
--- /dev/null
+++ b/queue-4.9/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
@@ -0,0 +1,57 @@
+From 024c43d36858ad0614f31fa2cf5461d80d7bc8cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 23:47:24 +0200
+Subject: drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 2ad52bdb220de5ab348098e3482b01235d15a842 ]
+
+Leaving this at a close-to-maximum register value 0xFFF0 means it takes
+very long for the MDSS to generate a software vsync interrupt when the
+hardware TE interrupt doesn't arrive.  Configuring this to double the
+vtotal (like some downstream kernels) leads to a frame to take at most
+twice before the vsync signal, until hardware TE comes up.
+
+In this case the hardware interrupt responsible for providing this
+signal - "disp-te" gpio - is not hooked up to the mdp5 vsync/pp logic at
+all.  This solves severe panel update issues observed on at least the
+Xperia Loire and Tone series, until said gpio is properly hooked up to
+an irq.
+
+Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Link: https://lore.kernel.org/r/20210406214726.131534-2-marijn.suijten@somainline.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
+index c627ab6d0061..8ac54b9dcd39 100644
+--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
++++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
+@@ -128,9 +128,17 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder,
+               | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN;
+       cfg |= MDP5_PP_SYNC_CONFIG_VSYNC_COUNT(vclks_line);
+ 
++      /*
++       * Tearcheck emits a blanking signal every vclks_line * vtotal * 2 ticks on
++       * the vsync_clk equating to roughly half the desired panel refresh rate.
++       * This is only necessary as stability fallback if interrupts from the
++       * panel arrive too late or not at all, but is currently used by default
++       * because these panel interrupts are not wired up yet.
++       */
+       mdp5_write(mdp5_kms, REG_MDP5_PP_SYNC_CONFIG_VSYNC(pp_id), cfg);
+       mdp5_write(mdp5_kms,
+-              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), 0xfff0);
++              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), (2 * mode->vtotal));
++
+       mdp5_write(mdp5_kms,
+               REG_MDP5_PP_VSYNC_INIT_VAL(pp_id), mode->vdisplay);
+       mdp5_write(mdp5_kms, REG_MDP5_PP_RD_PTR_IRQ(pp_id), mode->vdisplay + 1);
+-- 
+2.30.2
+

diff --git a/queue-4.9/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch b/queue-4.9/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
new file mode 100644 (file)
index 0000000..525496d
--- /dev/null
+++ b/queue-4.9/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
@@ -0,0 +1,96 @@
+From f834e40531dbf24ef3e0e01e8d4b00f31de2323a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Mar 2021 16:17:56 +0100
+Subject: extcon: arizona: Fix some issues when HPDET IRQ fires after the jack
+ has been unplugged
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit c309a3e8793f7e01c4a4ec7960658380572cb576 ]
+
+When the jack is partially inserted and then removed again it may be
+removed while the hpdet code is running. In this case the following
+may happen:
+
+1. The "JACKDET rise" or ""JACKDET fall" IRQ triggers
+2. arizona_jackdet runs and takes info->lock
+3. The "HPDET" IRQ triggers
+4. arizona_hpdet_irq runs, blocks on info->lock
+5. arizona_jackdet calls arizona_stop_mic() and clears info->hpdet_done
+6. arizona_jackdet releases info->lock
+7. arizona_hpdet_irq now can continue running and:
+7.1 Calls arizona_start_mic() (if a mic was detected)
+7.2 sets info->hpdet_done
+
+Step 7 is undesirable / a bug:
+7.1 causes the device to stay in a high power-state (with MICVDD enabled)
+7.2 causes hpdet to not run on the next jack insertion, which in turn
+    causes the EXTCON_JACK_HEADPHONE state to never get set
+
+This fixes both issues by skipping these 2 steps when arizona_hpdet_irq
+runs after the jack has been unplugged.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-arizona.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index 4c0b6df8b5dd..1d06d99b8bd9 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -601,7 +601,7 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data)
+       struct arizona *arizona = info->arizona;
+       int id_gpio = arizona->pdata.hpdet_id_gpio;
+       unsigned int report = EXTCON_JACK_HEADPHONE;
+-      int ret, reading;
++      int ret, reading, state;
+       bool mic = false;
+ 
+       mutex_lock(&info->lock);
+@@ -614,12 +614,11 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data)
+       }
+ 
+       /* If the cable was removed while measuring ignore the result */
+-      ret = extcon_get_state(info->edev, EXTCON_MECHANICAL);
+-      if (ret < 0) {
+-              dev_err(arizona->dev, "Failed to check cable state: %d\n",
+-                      ret);
++      state = extcon_get_state(info->edev, EXTCON_MECHANICAL);
++      if (state < 0) {
++              dev_err(arizona->dev, "Failed to check cable state: %d\n", state);
+               goto out;
+-      } else if (!ret) {
++      } else if (!state) {
+               dev_dbg(arizona->dev, "Ignoring HPDET for removed cable\n");
+               goto done;
+       }
+@@ -672,7 +671,7 @@ done:
+                          ARIZONA_ACCDET_MODE_MASK, ARIZONA_ACCDET_MODE_MIC);
+ 
+       /* If we have a mic then reenable MICDET */
+-      if (mic || info->mic)
++      if (state && (mic || info->mic))
+               arizona_start_mic(info);
+ 
+       if (info->hpdet_active) {
+@@ -680,7 +679,9 @@ done:
+               info->hpdet_active = false;
+       }
+ 
+-      info->hpdet_done = true;
++      /* Do not set hp_det done when the cable has been unplugged */
++      if (state)
++              info->hpdet_done = true;
+ 
+ out:
+       mutex_unlock(&info->lock);
+-- 
+2.30.2
+

diff --git a/queue-4.9/intel_th-consistency-and-off-by-one-fix.patch b/queue-4.9/intel_th-consistency-and-off-by-one-fix.patch
new file mode 100644 (file)
index 0000000..93ccfaa
--- /dev/null
+++ b/queue-4.9/intel_th-consistency-and-off-by-one-fix.patch
@@ -0,0 +1,49 @@
+From 6ae01dddd5efc70a9211401c03db6367264c4820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 20:12:49 +0300
+Subject: intel_th: Consistency and off-by-one fix
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit 18ffbc47d45a1489b664dd68fb3a7610a6e1dea3 ]
+
+Consistently use "< ... +1" in for loops.
+
+Fix of-by-one in for_each_set_bit().
+
+Signed-off-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Link: https://lore.kernel.org/lkml/20190724095841.GA6952@amd/
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210414171251.14672-6-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/intel_th/gth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c
+index 98a4cb5d4993..9c236c88bc7b 100644
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -485,7 +485,7 @@ static void intel_th_gth_disable(struct intel_th_device *thdev,
+       output->active = false;
+ 
+       for_each_set_bit(master, gth->output[output->port].master,
+-                       TH_CONFIGURABLE_MASTERS) {
++                       TH_CONFIGURABLE_MASTERS + 1) {
+               gth_master_set(gth, master, -1);
+       }
+       spin_unlock(&gth->gth_lock);
+@@ -605,7 +605,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev,
+       othdev->output.port = -1;
+       othdev->output.active = false;
+       gth->output[port].output = NULL;
+-      for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
++      for (master = 0; master < TH_CONFIGURABLE_MASTERS + 1; master++)
+               if (gth->master[master] == port)
+                       gth->master[master] = -1;
+       spin_unlock(&gth->gth_lock);
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch b/queue-4.9/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
new file mode 100644 (file)
index 0000000..2bae509
--- /dev/null
+++ b/queue-4.9/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
@@ -0,0 +1,43 @@
+From 31cd146ec94f6801a32cb3d692bfef3a38b99397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:42:46 +0200
+Subject: media: adv7604: fix possible use-after-free in adv76xx_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit fa56f5f1fe31c2050675fa63b84963ebd504a5b3 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7604.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
+index ce6f93074ae0..56b8b7bf759e 100644
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -3541,7 +3541,7 @@ static int adv76xx_remove(struct i2c_client *client)
+       io_write(sd, 0x6e, 0);
+       io_write(sd, 0x73, 0);
+ 
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       v4l2_async_unregister_subdev(sd);
+       media_entity_cleanup(&sd->entity);
+       adv76xx_unregister_clients(to_state(sd));
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-4.9/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
new file mode 100644 (file)
index 0000000..d6d675d
--- /dev/null
+++ b/queue-4.9/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
@@ -0,0 +1,83 @@
+From d74d43c33655e0edc3fb1aae497ddfc2dfa332b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 21:32:19 +0200
+Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit b7cd0da982e3043f2eec7235ac5530cb18d6af1d ]
+
+syzbot reported memory leak in dvb-usb. The problem was
+in invalid error handling in dvb_usb_adapter_init().
+
+for (n = 0; n < d->props.num_adapters; n++) {
+....
+       if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+               (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+               (ret = dvb_usb_adapter_frontend_init(adap))) {
+               return ret;
+       }
+...
+       d->num_adapters_initialized++;
+...
+}
+
+In case of error in dvb_usb_adapter_dvb_init() or
+dvb_usb_adapter_dvb_init() d->num_adapters_initialized won't be
+incremented, but dvb_usb_adapter_exit() relies on it:
+
+       for (n = 0; n < d->num_adapters_initialized; n++)
+
+So, allocated objects won't be freed.
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reported-by: syzbot+3c2be7424cea3b932b0e@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index b3413404f91a..690c1e06fbfa 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -82,11 +82,17 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+                       }
+               }
+ 
+-              if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+-                      (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+-                      (ret = dvb_usb_adapter_frontend_init(adap))) {
++              ret = dvb_usb_adapter_stream_init(adap);
++              if (ret)
+                       return ret;
+-              }
++
++              ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
++              if (ret)
++                      goto dvb_init_err;
++
++              ret = dvb_usb_adapter_frontend_init(adap);
++              if (ret)
++                      goto frontend_init_err;
+ 
+               /* use exclusive FE lock if there is multiple shared FEs */
+               if (adap->fe_adap[1].fe)
+@@ -106,6 +112,12 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+       }
+ 
+       return 0;
++
++frontend_init_err:
++      dvb_usb_adapter_dvb_exit(adap);
++dvb_init_err:
++      dvb_usb_adapter_stream_exit(adap);
++      return ret;
+ }
+ 
+ static int dvb_usb_adapter_exit(struct dvb_usb_device *d)
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-em28xx-fix-memory-leak.patch b/queue-4.9/media-em28xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..4cb1431
--- /dev/null
+++ b/queue-4.9/media-em28xx-fix-memory-leak.patch
@@ -0,0 +1,41 @@
+From e4a0f6dbca6fdc5d07d07a3e68de7954adba8feb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 19:07:53 +0100
+Subject: media: em28xx: fix memory leak
+
+From: Muhammad Usama Anjum <musamaanjum@gmail.com>
+
+[ Upstream commit 0ae10a7dc8992ee682ff0b1752ff7c83d472eef1 ]
+
+If some error occurs, URB buffers should also be freed. If they aren't
+freed with the dvb here, the em28xx_dvb_fini call doesn't frees the URB
+buffers as dvb is set to NULL. The function in which error occurs should
+do all the cleanup for the allocations it had done.
+
+Tested the patch with the reproducer provided by syzbot. This patch
+fixes the memleak.
+
+Reported-by: syzbot+889397c820fa56adf25d@syzkaller.appspotmail.com
+Signed-off-by: Muhammad Usama Anjum <musamaanjum@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-dvb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
+index b0aea48907b7..7e259be47252 100644
+--- a/drivers/media/usb/em28xx/em28xx-dvb.c
++++ b/drivers/media/usb/em28xx/em28xx-dvb.c
+@@ -1967,6 +1967,7 @@ ret:
+       return result;
+ 
+ out_free:
++      em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE);
+       kfree(dvb);
+       dev->dvb = NULL;
+       goto ret;
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-gscpa-stv06xx-fix-memory-leak.patch b/queue-4.9/media-gscpa-stv06xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..40d14b6
--- /dev/null
+++ b/queue-4.9/media-gscpa-stv06xx-fix-memory-leak.patch
@@ -0,0 +1,84 @@
+From 7b3c999efdb0bb66f02dec6bd972223b2b00e82b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 12:31:20 +0200
+Subject: media: gscpa/stv06xx: fix memory leak
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ]
+
+For two of the supported sensors the stv06xx driver allocates memory which
+is stored in sd->sensor_priv. This memory is freed on a disconnect, but if
+the probe() fails, then it isn't freed and so this leaks memory.
+
+Add a new probe_error() op that drivers can use to free any allocated
+memory in case there was a probe failure.
+
+Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause
+of the memory leak.
+
+Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/gspca.c           | 2 ++
+ drivers/media/usb/gspca/gspca.h           | 1 +
+ drivers/media/usb/gspca/stv06xx/stv06xx.c | 9 +++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
+index d239075a6a65..79f1e8904e30 100644
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -2146,6 +2146,8 @@ out:
+ #endif
+       v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+       v4l2_device_unregister(&gspca_dev->v4l2_dev);
++      if (sd_desc->probe_error)
++              sd_desc->probe_error(gspca_dev);
+       kfree(gspca_dev->usb_buf);
+       kfree(gspca_dev);
+       return ret;
+diff --git a/drivers/media/usb/gspca/gspca.h b/drivers/media/usb/gspca/gspca.h
+index d39adf90303b..bec8fccc2c94 100644
+--- a/drivers/media/usb/gspca/gspca.h
++++ b/drivers/media/usb/gspca/gspca.h
+@@ -101,6 +101,7 @@ struct sd_desc {
+       cam_cf_op config;       /* called on probe */
+       cam_op init;            /* called on probe and resume */
+       cam_op init_controls;   /* called on probe */
++      cam_v_op probe_error;   /* called if probe failed, do cleanup here */
+       cam_op start;           /* called on stream on after URBs creation */
+       cam_pkt_op pkt_scan;
+ /* optional operations */
+diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+index 7d255529ed4c..40d4c99debb8 100644
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+@@ -541,12 +541,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev,
+ static int stv06xx_config(struct gspca_dev *gspca_dev,
+                         const struct usb_device_id *id);
+ 
++static void stv06xx_probe_error(struct gspca_dev *gspca_dev)
++{
++      struct sd *sd = (struct sd *)gspca_dev;
++
++      kfree(sd->sensor_priv);
++      sd->sensor_priv = NULL;
++}
++
+ /* sub-driver description */
+ static const struct sd_desc sd_desc = {
+       .name = MODULE_NAME,
+       .config = stv06xx_config,
+       .init = stv06xx_init,
+       .init_controls = stv06xx_init_controls,
++      .probe_error = stv06xx_probe_error,
+       .start = stv06xx_start,
+       .stopN = stv06xx_stopN,
+       .pkt_scan = stv06xx_pkt_scan,
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-gspca-sq905.c-fix-uninitialized-variable.patch b/queue-4.9/media-gspca-sq905.c-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..9fc3f2c
--- /dev/null
+++ b/queue-4.9/media-gspca-sq905.c-fix-uninitialized-variable.patch
@@ -0,0 +1,36 @@
+From 7f15242b75bd32bb638ada994150d0418eea388f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 15:46:40 +0100
+Subject: media: gspca/sq905.c: fix uninitialized variable
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit eaaea4681984c79d2b2b160387b297477f0c1aab ]
+
+act_len can be uninitialized if usb_bulk_msg() returns an error.
+Set it to 0 to avoid a KMSAN error.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/sq905.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c
+index a7ae0ec9fa91..03322d2b2e82 100644
+--- a/drivers/media/usb/gspca/sq905.c
++++ b/drivers/media/usb/gspca/sq905.c
+@@ -172,7 +172,7 @@ static int
+ sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock)
+ {
+       int ret;
+-      int act_len;
++      int act_len = 0;
+ 
+       gspca_dev->usb_buf[0] = '\0';
+       if (need_lock)
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch b/queue-4.9/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
new file mode 100644 (file)
index 0000000..5256b49
--- /dev/null
+++ b/queue-4.9/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
@@ -0,0 +1,44 @@
+From f4e62ac2cd4031f29eef31e9878562ab35324b82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:48:12 +0200
+Subject: media: i2c: adv7511-v4l2: fix possible use-after-free in
+ adv7511_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 2c9541720c66899adf6f3600984cf3ef151295ad ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7511-v4l2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c
+index b87c9e7ff146..e81c4cca50c6 100644
+--- a/drivers/media/i2c/adv7511-v4l2.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -1976,7 +1976,7 @@ static int adv7511_remove(struct i2c_client *client)
+ 
+       adv7511_set_isr(sd, false);
+       adv7511_init_setup(sd);
+-      cancel_delayed_work(&state->edid_handler);
++      cancel_delayed_work_sync(&state->edid_handler);
+       i2c_unregister_device(state->i2c_edid);
+       if (state->i2c_cec)
+               i2c_unregister_device(state->i2c_cec);
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch b/queue-4.9/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
new file mode 100644 (file)
index 0000000..e1bc6ae
--- /dev/null
+++ b/queue-4.9/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
@@ -0,0 +1,43 @@
+From 32570b9eaf88d4317176f915080c23bbdf0a3d5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:50:53 +0200
+Subject: media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4a15275b6a18597079f18241c87511406575179a ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7842.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
+index cf3b42c9417e..d7af4fbcb84b 100644
+--- a/drivers/media/i2c/adv7842.c
++++ b/drivers/media/i2c/adv7842.c
+@@ -3598,7 +3598,7 @@ static int adv7842_remove(struct i2c_client *client)
+       struct adv7842_state *state = to_state(sd);
+ 
+       adv7842_irq_enable(sd, false);
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       v4l2_device_unregister_subdev(sd);
+       media_entity_cleanup(&sd->entity);
+       adv7842_unregister_clients(sd);
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-ite-cir-check-for-receive-overflow.patch b/queue-4.9/media-ite-cir-check-for-receive-overflow.patch
new file mode 100644 (file)
index 0000000..6d088de
--- /dev/null
+++ b/queue-4.9/media-ite-cir-check-for-receive-overflow.patch
@@ -0,0 +1,41 @@
+From 51e3d1e330e5b9929a31aaf339f3580f55d952b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Feb 2021 09:08:35 +0100
+Subject: media: ite-cir: check for receive overflow
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit 28c7afb07ccfc0a939bb06ac1e7afe669901c65a ]
+
+It's best if this condition is reported.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ite-cir.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
+index 63165d324fff..7d3e50d94d86 100644
+--- a/drivers/media/rc/ite-cir.c
++++ b/drivers/media/rc/ite-cir.c
+@@ -292,8 +292,14 @@ static irqreturn_t ite_cir_isr(int irq, void *data)
+       /* read the interrupt flags */
+       iflags = dev->params.get_irq_causes(dev);
+ 
++      /* Check for RX overflow */
++      if (iflags & ITE_IRQ_RX_FIFO_OVERRUN) {
++              dev_warn(&dev->rdev->dev, "receive overflow\n");
++              ir_raw_event_reset(dev->rdev);
++      }
++
+       /* check for the receive interrupt */
+-      if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) {
++      if (iflags & ITE_IRQ_RX_FIFO) {
+               /* read the FIFO bytes */
+               rx_bytes =
+                       dev->params.get_rx_bytes(dev, rx_buf,
+-- 
+2.30.2
+

diff --git a/queue-4.9/media-media-saa7164-fix-saa7164_encoder_register-mem.patch b/queue-4.9/media-media-saa7164-fix-saa7164_encoder_register-mem.patch
new file mode 100644 (file)
index 0000000..0d7768c
--- /dev/null
+++ b/queue-4.9/media-media-saa7164-fix-saa7164_encoder_register-mem.patch
@@ -0,0 +1,87 @@
+From bb5123cc20013806ea6bcff568c50d9ff3c790e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 03:53:00 +0100
+Subject: media: media/saa7164: fix saa7164_encoder_register() memory leak bugs
+
+From: Daniel Niv <danielniv3@gmail.com>
+
+[ Upstream commit c759b2970c561e3b56aa030deb13db104262adfe ]
+
+Add a fix for the memory leak bugs that can occur when the
+saa7164_encoder_register() function fails.
+The function allocates memory without explicitly freeing
+it when errors occur.
+Add a better error handling that deallocate the unused buffers before the
+function exits during a fail.
+
+Signed-off-by: Daniel Niv <danielniv3@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7164/saa7164-encoder.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-encoder.c b/drivers/media/pci/saa7164/saa7164-encoder.c
+index 32a353d162e7..f2e6fbfa019f 100644
+--- a/drivers/media/pci/saa7164/saa7164-encoder.c
++++ b/drivers/media/pci/saa7164/saa7164-encoder.c
+@@ -1030,7 +1030,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+                      "(errno = %d), NO PCI configuration\n",
+                       __func__, result);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_pci;
+       }
+ 
+       /* Establish encoder defaults here */
+@@ -1084,7 +1084,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+                         100000, ENCODER_DEF_BITRATE);
+       if (hdl->error) {
+               result = hdl->error;
+-              goto failed;
++              goto fail_hdl;
+       }
+ 
+       port->std = V4L2_STD_NTSC_M;
+@@ -1102,7 +1102,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+               printk(KERN_INFO "%s: can't allocate mpeg device\n",
+                       dev->name);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_hdl;
+       }
+ 
+       port->v4l_device->ctrl_handler = hdl;
+@@ -1113,10 +1113,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+       if (result < 0) {
+               printk(KERN_INFO "%s: can't register mpeg device\n",
+                       dev->name);
+-              /* TODO: We're going to leak here if we don't dealloc
+-               The buffers above. The unreg function can't deal wit it.
+-              */
+-              goto failed;
++              goto fail_reg;
+       }
+ 
+       printk(KERN_INFO "%s: registered device video%d [mpeg]\n",
+@@ -1138,9 +1135,14 @@ int saa7164_encoder_register(struct saa7164_port *port)
+ 
+       saa7164_api_set_encoder(port);
+       saa7164_api_get_encoder(port);
++      return 0;
+ 
+-      result = 0;
+-failed:
++fail_reg:
++      video_device_release(port->v4l_device);
++      port->v4l_device = NULL;
++fail_hdl:
++      v4l2_ctrl_handler_free(hdl);
++fail_pci:
+       return result;
+ }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.9/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch b/queue-4.9/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
new file mode 100644 (file)
index 0000000..32f53ec
--- /dev/null
+++ b/queue-4.9/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
@@ -0,0 +1,72 @@
+From 764b1989a2cda9da5492b1f3448656ba2299c465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 16:51:40 +0100
+Subject: PCI: PM: Do not read power state in pci_enable_device_flags()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 4514d991d99211f225d83b7e640285f29f0755d0 ]
+
+It should not be necessary to update the current_state field of
+struct pci_dev in pci_enable_device_flags() before calling
+do_pci_enable_device() for the device, because none of the
+code between that point and the pci_set_power_state() call in
+do_pci_enable_device() invoked later depends on it.
+
+Moreover, doing that is actively harmful in some cases.  For example,
+if the given PCI device depends on an ACPI power resource whose _STA
+method initially returns 0 ("off"), but the config space of the PCI
+device is accessible and the power state retrieved from the
+PCI_PM_CTRL register is D0, the current_state field in the struct
+pci_dev representing that device will get out of sync with the
+power.state of its ACPI companion object and that will lead to
+power management issues going forward.
+
+To avoid such issues it is better to leave the current_state value
+as is until it is changed to PCI_D0 by do_pci_enable_device() as
+appropriate.  However, the power state of the device is not changed
+to PCI_D0 if it is already enabled when pci_enable_device_flags()
+gets called for it, so update its current_state in that case, but
+use pci_update_current_state() covering platform PM too for that.
+
+Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/
+Reported-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index e09653c73ab4..acd89fa9820c 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1378,20 +1378,10 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
+       int err;
+       int i, bars = 0;
+ 
+-      /*
+-       * Power state could be unknown at this point, either due to a fresh
+-       * boot or a device removal call.  So get the current power state
+-       * so that things like MSI message writing will behave as expected
+-       * (e.g. if the device really is in D0 at enable time).
+-       */
+-      if (dev->pm_cap) {
+-              u16 pmcsr;
+-              pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
+-              dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
+-      }
+-
+-      if (atomic_inc_return(&dev->enable_cnt) > 1)
++      if (atomic_inc_return(&dev->enable_cnt) > 1) {
++              pci_update_current_state(dev, dev->current_state);
+               return 0;               /* already enabled */
++      }
+ 
+       bridge = pci_upstream_bridge(dev);
+       if (bridge)
+-- 
+2.30.2
+

diff --git a/queue-4.9/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch b/queue-4.9/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
new file mode 100644 (file)
index 0000000..22d0a5d
--- /dev/null
+++ b/queue-4.9/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
@@ -0,0 +1,45 @@
+From b0d176b0149dece5904787a39cad5892d031e71b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:27:16 +0800
+Subject: phy: phy-twl4030-usb: Fix possible use-after-free in
+ twl4030_usb_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e1723d8b87b73ab363256e7ca3af3ddb75855680 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210407092716.3270248-1-yangyingliang@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/phy-twl4030-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/phy-twl4030-usb.c b/drivers/phy/phy-twl4030-usb.c
+index ddb530ee2255..9d57695e1f21 100644
+--- a/drivers/phy/phy-twl4030-usb.c
++++ b/drivers/phy/phy-twl4030-usb.c
+@@ -798,7 +798,7 @@ static int twl4030_usb_remove(struct platform_device *pdev)
+ 
+       usb_remove_phy(&twl->phy);
+       pm_runtime_get_sync(twl->dev);
+-      cancel_delayed_work(&twl->id_workaround_work);
++      cancel_delayed_work_sync(&twl->id_workaround_work);
+       device_remove_file(twl->dev, &dev_attr_vbus);
+ 
+       /* set transceiver mode to power on defaults */
+-- 
+2.30.2
+

diff --git a/queue-4.9/power-supply-generic-adc-battery-fix-possible-use-af.patch b/queue-4.9/power-supply-generic-adc-battery-fix-possible-use-af.patch
new file mode 100644 (file)
index 0000000..2ba6f0d
--- /dev/null
+++ b/queue-4.9/power-supply-generic-adc-battery-fix-possible-use-af.patch
@@ -0,0 +1,43 @@
+From 2999beb8c0539768a6766dabcd9f3f67bb3c8253 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:17:06 +0800
+Subject: power: supply: generic-adc-battery: fix possible use-after-free in
+ gab_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/generic-adc-battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c
+index f627b39f64bf..b77fd751945d 100644
+--- a/drivers/power/supply/generic-adc-battery.c
++++ b/drivers/power/supply/generic-adc-battery.c
+@@ -384,7 +384,7 @@ static int gab_remove(struct platform_device *pdev)
+       }
+ 
+       kfree(adc_bat->psy_desc.properties);
+-      cancel_delayed_work(&adc_bat->bat_work);
++      cancel_delayed_work_sync(&adc_bat->bat_work);
+       return 0;
+ }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.9/power-supply-s3c_adc_battery-fix-possible-use-after-.patch b/queue-4.9/power-supply-s3c_adc_battery-fix-possible-use-after-.patch
new file mode 100644 (file)
index 0000000..c96fdc3
--- /dev/null
+++ b/queue-4.9/power-supply-s3c_adc_battery-fix-possible-use-after-.patch
@@ -0,0 +1,44 @@
+From 8822879cd72edd254244d21b9208692c9e9df049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:19:03 +0800
+Subject: power: supply: s3c_adc_battery: fix possible use-after-free in
+ s3c_adc_bat_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/s3c_adc_battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/s3c_adc_battery.c b/drivers/power/supply/s3c_adc_battery.c
+index 0ffe5cd3abf6..06b412c43aa7 100644
+--- a/drivers/power/supply/s3c_adc_battery.c
++++ b/drivers/power/supply/s3c_adc_battery.c
+@@ -392,7 +392,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev)
+               gpio_free(pdata->gpio_charge_finished);
+       }
+ 
+-      cancel_delayed_work(&bat_work);
++      cancel_delayed_work_sync(&bat_work);
+ 
+       if (pdata->exit)
+               pdata->exit();
+-- 
+2.30.2
+

diff --git a/queue-4.9/power-supply-use-irqf_oneshot.patch b/queue-4.9/power-supply-use-irqf_oneshot.patch
new file mode 100644 (file)
index 0000000..b053c08
--- /dev/null
+++ b/queue-4.9/power-supply-use-irqf_oneshot.patch
@@ -0,0 +1,83 @@
+From ecc81daf00b008092a81a968529d0b8f56beb98d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 19:21:33 +0800
+Subject: power: supply: Use IRQF_ONESHOT
+
+From: dongjian <dongjian@yulong.com>
+
+[ Upstream commit 2469b836fa835c67648acad17d62bc805236a6ea ]
+
+Fixes coccicheck error:
+
+drivers/power/supply/pm2301_charger.c:1089:7-27: ERROR:
+drivers/power/supply/lp8788-charger.c:502:8-28: ERROR:
+drivers/power/supply/tps65217_charger.c:239:8-33: ERROR:
+drivers/power/supply/tps65090-charger.c:303:8-33: ERROR:
+
+Threaded IRQ with no primary handler requested without IRQF_ONESHOT
+
+Signed-off-by: dongjian <dongjian@yulong.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/lp8788-charger.c   | 2 +-
+ drivers/power/supply/pm2301_charger.c   | 2 +-
+ drivers/power/supply/tps65090-charger.c | 2 +-
+ drivers/power/supply/tps65217_charger.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/power/supply/lp8788-charger.c b/drivers/power/supply/lp8788-charger.c
+index c3075ea011b6..e800beff1f8f 100644
+--- a/drivers/power/supply/lp8788-charger.c
++++ b/drivers/power/supply/lp8788-charger.c
+@@ -532,7 +532,7 @@ static int lp8788_set_irqs(struct platform_device *pdev,
+ 
+               ret = request_threaded_irq(virq, NULL,
+                                       lp8788_charger_irq_thread,
+-                                      0, name, pchg);
++                                      IRQF_ONESHOT, name, pchg);
+               if (ret)
+                       break;
+       }
+diff --git a/drivers/power/supply/pm2301_charger.c b/drivers/power/supply/pm2301_charger.c
+index 78561b6884fc..9ef218d76aa9 100644
+--- a/drivers/power/supply/pm2301_charger.c
++++ b/drivers/power/supply/pm2301_charger.c
+@@ -1098,7 +1098,7 @@ static int pm2xxx_wall_charger_probe(struct i2c_client *i2c_client,
+       ret = request_threaded_irq(gpio_to_irq(pm2->pdata->gpio_irq_number),
+                               NULL,
+                               pm2xxx_charger_irq[0].isr,
+-                              pm2->pdata->irq_type,
++                              pm2->pdata->irq_type | IRQF_ONESHOT,
+                               pm2xxx_charger_irq[0].name, pm2);
+ 
+       if (ret != 0) {
+diff --git a/drivers/power/supply/tps65090-charger.c b/drivers/power/supply/tps65090-charger.c
+index 1b4b5e09538e..297bf58f0d4f 100644
+--- a/drivers/power/supply/tps65090-charger.c
++++ b/drivers/power/supply/tps65090-charger.c
+@@ -311,7 +311,7 @@ static int tps65090_charger_probe(struct platform_device *pdev)
+ 
+       if (irq != -ENXIO) {
+               ret = devm_request_threaded_irq(&pdev->dev, irq, NULL,
+-                      tps65090_charger_isr, 0, "tps65090-charger", cdata);
++                      tps65090_charger_isr, IRQF_ONESHOT, "tps65090-charger", cdata);
+               if (ret) {
+                       dev_err(cdata->dev,
+                               "Unable to register irq %d err %d\n", irq,
+diff --git a/drivers/power/supply/tps65217_charger.c b/drivers/power/supply/tps65217_charger.c
+index 9fd019f9b88c..a6b4eb61b4bb 100644
+--- a/drivers/power/supply/tps65217_charger.c
++++ b/drivers/power/supply/tps65217_charger.c
+@@ -238,7 +238,7 @@ static int tps65217_charger_probe(struct platform_device *pdev)
+       if (irq != -ENXIO) {
+               ret = devm_request_threaded_irq(&pdev->dev, irq, NULL,
+                                               tps65217_charger_irq,
+-                                              0, "tps65217-charger",
++                                              IRQF_ONESHOT, "tps65217-charger",
+                                               charger);
+               if (ret) {
+                       dev_err(charger->dev,
+-- 
+2.30.2
+

diff --git a/queue-4.9/scsi-libfc-fix-a-format-specifier.patch b/queue-4.9/scsi-libfc-fix-a-format-specifier.patch
new file mode 100644 (file)
index 0000000..ba59a02
--- /dev/null
+++ b/queue-4.9/scsi-libfc-fix-a-format-specifier.patch
@@ -0,0 +1,45 @@
+From 13497254c248ab8ddc4f6eb506eb071580f3e87e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 15:08:13 -0700
+Subject: scsi: libfc: Fix a format specifier
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 90d6697810f06aceea9de71ad836a8c7669789cd ]
+
+Since the 'mfs' member has been declared as 'u32' in include/scsi/libfc.h,
+use the %u format specifier instead of %hu. This patch fixes the following
+clang compiler warning:
+
+warning: format specifies type
+      'unsigned short' but the argument has type 'u32' (aka 'unsigned int')
+      [-Wformat]
+                             "lport->mfs:%hu\n", mfs, lport->mfs);
+                                         ~~~          ^~~~~~~~~~
+                                         %u
+
+Link: https://lore.kernel.org/r/20210415220826.29438-8-bvanassche@acm.org
+Cc: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_lport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index ae93f45f9cd8..a36817fb0673 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1751,7 +1751,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ 
+       if (mfs < FC_SP_MIN_MAX_PAYLOAD || mfs > FC_SP_MAX_MAX_PAYLOAD) {
+               FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+-                           "lport->mfs:%hu\n", mfs, lport->mfs);
++                           "lport->mfs:%u\n", mfs, lport->mfs);
+               fc_lport_error(lport, fp);
+               goto out;
+       }
+-- 
+2.30.2
+

diff --git a/queue-4.9/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch b/queue-4.9/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
new file mode 100644 (file)
index 0000000..713159d
--- /dev/null
+++ b/queue-4.9/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
@@ -0,0 +1,60 @@
+From 529c97d8e865562fdec47876bc991ba2c16d2463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:13 -0700
+Subject: scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO
+ response
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit fffd18ec6579c2d9c72b212169259062fe747888 ]
+
+Fix a crash caused by a double put on the node when the driver completed an
+ACC for an unsolicted abort on the same node.  The second put was executed
+by lpfc_nlp_not_used() and is wrong because the completion routine executes
+the nlp_put when the iocbq was released.  Additionally, the driver is
+issuing a LOGO then immediately calls lpfc_nlp_set_state to put the node
+into NPR.  This call does nothing.
+
+Remove the lpfc_nlp_not_used call and additional set_state in the
+completion routine.  Remove the lpfc_nlp_set_state post issue_logo.  Isn't
+necessary.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-3-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 2 --
+ drivers/scsi/lpfc/lpfc_sli.c       | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index fefef2884d59..30b5f65b29d1 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -1606,8 +1606,6 @@ lpfc_cmpl_reglogin_reglogin_issue(struct lpfc_vport *vport,
+               ndlp->nlp_last_elscmd = ELS_CMD_PLOGI;
+ 
+               lpfc_issue_els_logo(vport, ndlp, 0);
+-              ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE;
+-              lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);
+               return ndlp->nlp_state;
+       }
+ 
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 08c76c361e8d..0e7915ecb85a 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -15252,7 +15252,6 @@ lpfc_sli4_seq_abort_rsp_cmpl(struct lpfc_hba *phba,
+       if (cmd_iocbq) {
+               ndlp = (struct lpfc_nodelist *)cmd_iocbq->context1;
+               lpfc_nlp_put(ndlp);
+-              lpfc_nlp_not_used(ndlp);
+               lpfc_sli_release_iocbq(phba, cmd_iocbq);
+       }
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.9/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch b/queue-4.9/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
new file mode 100644 (file)
index 0000000..fb2c2cd
--- /dev/null
+++ b/queue-4.9/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
@@ -0,0 +1,60 @@
+From 5aaa92a96b22a37c96f987831d575e56f9c1579d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Mar 2021 16:23:58 -0700
+Subject: scsi: qla2xxx: Always check the return value of
+ qla24xx_get_isp_stats()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a2b2cc660822cae08c351c7f6b452bfd1330a4f7 ]
+
+This patch fixes the following Coverity warning:
+
+    CID 361199 (#1 of 1): Unchecked return value (CHECKED_RETURN)
+    3. check_return: Calling qla24xx_get_isp_stats without checking return
+    value (as is done elsewhere 4 out of 5 times).
+
+Link: https://lore.kernel.org/r/20210320232359.941-7-bvanassche@acm.org
+Cc: Quinn Tran <qutran@marvell.com>
+Cc: Mike Christie <michael.christie@oracle.com>
+Cc: Himanshu Madhani <himanshu.madhani@oracle.com>
+Cc: Daniel Wagner <dwagner@suse.de>
+Cc: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 33f4181ba9f7..591e2e89ae9f 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -1909,6 +1909,8 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost)
+       vha->qla_stats.jiffies_at_last_reset = get_jiffies_64();
+ 
+       if (IS_FWI2_CAPABLE(ha)) {
++              int rval;
++
+               stats = dma_alloc_coherent(&ha->pdev->dev,
+                   sizeof(*stats), &stats_dma, GFP_KERNEL);
+               if (!stats) {
+@@ -1918,7 +1920,11 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost)
+               }
+ 
+               /* reset firmware statistics */
+-              qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0);
++              rval = qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0);
++              if (rval != QLA_SUCCESS)
++                      ql_log(ql_log_warn, vha, 0x70de,
++                             "Resetting ISP statistics failed: rval = %d\n",
++                             rval);
+ 
+               dma_free_coherent(&ha->pdev->dev, sizeof(*stats),
+                   stats, stats_dma);
+-- 
+2.30.2
+

diff --git a/queue-4.9/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch b/queue-4.9/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
new file mode 100644 (file)
index 0000000..57b0f38
--- /dev/null
+++ b/queue-4.9/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
@@ -0,0 +1,42 @@
+From e4b3d83c3c4fa6494bcd2052e0447affee91e2e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 16:11:54 -0400
+Subject: scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+[ Upstream commit bc3f2b42b70eb1b8576e753e7d0e117bbb674496 ]
+
+Some arrays return ILLEGAL_REQUEST with ASC 00h if they don't support the
+RTPG extended header so remove the check for INVALID FIELD IN CDB.
+
+Link: https://lore.kernel.org/r/20210331201154.20348-1-emilne@redhat.com
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 2bc3dc6244a5..dce885276235 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -564,10 +564,11 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
+                * even though it shouldn't according to T10.
+                * The retry without rtpg_ext_hdr_req set
+                * handles this.
++               * Note:  some arrays return a sense key of ILLEGAL_REQUEST
++               * with ASC 00h if they don't support the extended header.
+                */
+               if (!(pg->flags & ALUA_RTPG_EXT_HDR_UNSUPP) &&
+-                  sense_hdr.sense_key == ILLEGAL_REQUEST &&
+-                  sense_hdr.asc == 0x24 && sense_hdr.ascq == 0) {
++                  sense_hdr.sense_key == ILLEGAL_REQUEST) {
+                       pg->flags |= ALUA_RTPG_EXT_HDR_UNSUPP;
+                       goto retry;
+               }
+-- 
+2.30.2
+

diff --git a/queue-4.9/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch b/queue-4.9/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
new file mode 100644 (file)
index 0000000..4f497e9
--- /dev/null
+++ b/queue-4.9/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
@@ -0,0 +1,46 @@
+From 52ab04eef8c63355d31866db484a890dff7c1f21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Feb 2021 21:56:26 -0800
+Subject: scsi: target: pscsi: Fix warning in pscsi_complete_cmd()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+
+[ Upstream commit fd48c056a32ed6e7754c7c475490f3bed54ed378 ]
+
+This fixes a compilation warning in pscsi_complete_cmd():
+
+     drivers/target/target_core_pscsi.c: In function ‘pscsi_complete_cmd’:
+     drivers/target/target_core_pscsi.c:624:5: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+     ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
+
+Link: https://lore.kernel.org/r/20210228055645.22253-5-chaitanya.kulkarni@wdc.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pscsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index 079db0bd3917..089ba39f76a2 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -629,8 +629,9 @@ static void pscsi_transport_complete(struct se_cmd *cmd, struct scatterlist *sg,
+                       unsigned char *buf;
+ 
+                       buf = transport_kmap_data_sg(cmd);
+-                      if (!buf)
++                      if (!buf) {
+                               ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
++                      }
+ 
+                       if (cdb[0] == MODE_SENSE_10) {
+                               if (!(buf[3] & 0x80))
+-- 
+2.30.2
+

diff --git a/queue-4.9/series b/queue-4.9/series
index 4122d3ad47b45dab9fdf76038df842f379df5619..6b39019b60cb74d33c8c5e651762c76f3361d658 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -13,3 +13,35 @@ mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
 mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
 btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch
 fbdev-zero-fill-colormap-in-fbcmap.c.patch
+staging-wimax-i2400m-fix-byte-order-issue.patch
+usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
+usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
+usb-xhci-fix-port-minor-revision.patch
+pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
+x86-build-propagate-clang_flags-to-realmode_flags.patch
+spi-dln2-fix-reference-leak-to-master.patch
+spi-omap-100k-fix-reference-leak-to-master.patch
+intel_th-consistency-and-off-by-one-fix.patch
+phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
+btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
+scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
+media-ite-cir-check-for-receive-overflow.patch
+extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
+media-media-saa7164-fix-saa7164_encoder_register-mem.patch
+media-gspca-sq905.c-fix-uninitialized-variable.patch
+power-supply-use-irqf_oneshot.patch
+scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
+scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
+media-em28xx-fix-memory-leak.patch
+clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
+power-supply-generic-adc-battery-fix-possible-use-af.patch
+power-supply-s3c_adc_battery-fix-possible-use-after-.patch
+media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
+media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
+media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
+media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
+media-gscpa-stv06xx-fix-memory-leak.patch
+drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
+drm-amdgpu-fix-null-pointer-dereference.patch
+scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
+scsi-libfc-fix-a-format-specifier.patch

diff --git a/queue-4.9/spi-dln2-fix-reference-leak-to-master.patch b/queue-4.9/spi-dln2-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..95e9aa9
--- /dev/null
+++ b/queue-4.9/spi-dln2-fix-reference-leak-to-master.patch
@@ -0,0 +1,40 @@
+From 00f545612161b1f039279e37943643abf23b8ff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:55 +0000
+Subject: spi: dln2: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9b844b087124c1538d05f40fda8a4fec75af55be ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082955.2907950-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dln2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dln2.c b/drivers/spi/spi-dln2.c
+index b62a99caacc0..a41adea48618 100644
+--- a/drivers/spi/spi-dln2.c
++++ b/drivers/spi/spi-dln2.c
+@@ -783,7 +783,7 @@ exit_free_master:
+ 
+ static int dln2_spi_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct dln2_spi *dln2 = spi_master_get_devdata(master);
+ 
+       pm_runtime_disable(&pdev->dev);
+-- 
+2.30.2
+

diff --git a/queue-4.9/spi-omap-100k-fix-reference-leak-to-master.patch b/queue-4.9/spi-omap-100k-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..66db839
--- /dev/null
+++ b/queue-4.9/spi-omap-100k-fix-reference-leak-to-master.patch
@@ -0,0 +1,58 @@
+From 580f6b858ab75ff0a137eba95efc8ae0068cd64a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:54 +0000
+Subject: spi: omap-100k: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit a23faea76d4cf5f75decb574491e66f9ecd707e7 ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082954.2906933-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index 76a8425be227..1eccdc4a4581 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -435,7 +435,7 @@ err:
+ 
+ static int omap1_spi100k_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+ 
+       pm_runtime_disable(&pdev->dev);
+@@ -449,7 +449,7 @@ static int omap1_spi100k_remove(struct platform_device *pdev)
+ #ifdef CONFIG_PM
+ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+ 
+       clk_disable_unprepare(spi100k->ick);
+@@ -460,7 +460,7 @@ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ 
+ static int omap1_spi100k_runtime_resume(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       int ret;
+ 
+-- 
+2.30.2
+

diff --git a/queue-4.9/staging-wimax-i2400m-fix-byte-order-issue.patch b/queue-4.9/staging-wimax-i2400m-fix-byte-order-issue.patch
new file mode 100644 (file)
index 0000000..af5654f
--- /dev/null
+++ b/queue-4.9/staging-wimax-i2400m-fix-byte-order-issue.patch
@@ -0,0 +1,36 @@
+From b7aeb3cdbec5ac755fba8f5de825c87adee88635 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Feb 2021 21:01:05 +0530
+Subject: staging: wimax/i2400m: fix byte-order issue
+
+From: karthik alapati <mail@karthek.com>
+
+[ Upstream commit 0c37baae130df39b19979bba88bde2ee70a33355 ]
+
+fix sparse byte-order warnings by converting host byte-order
+type to __le16 byte-order types before assigning to hdr.length
+
+Signed-off-by: karthik alapati <mail@karthek.com>
+Link: https://lore.kernel.org/r/0ae5c5c4c646506d8be871e7be5705542671a1d5.1613921277.git.mail@karthek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c
+index dc6fe93ce71f..e8473047b2d1 100644
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -101,7 +101,7 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev,
+       if (cmd == NULL)
+               goto error_alloc;
+       cmd->hdr.type = cpu_to_le16(I2400M_MT_CMD_RF_CONTROL);
+-      cmd->hdr.length = sizeof(cmd->sw_rf);
++      cmd->hdr.length = cpu_to_le16(sizeof(cmd->sw_rf));
+       cmd->hdr.version = cpu_to_le16(I2400M_L3L4_VERSION);
+       cmd->sw_rf.hdr.type = cpu_to_le16(I2400M_TLV_RF_OPERATION);
+       cmd->sw_rf.hdr.length = cpu_to_le16(sizeof(cmd->sw_rf.status));
+-- 
+2.30.2
+

diff --git a/queue-4.9/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch b/queue-4.9/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
new file mode 100644 (file)
index 0000000..4c6ae53
--- /dev/null
+++ b/queue-4.9/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
@@ -0,0 +1,48 @@
+From bff19575ea3f164c709acf891760899a08baea25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 02:31:25 -0700
+Subject: usb: dwc3: gadget: Ignore EP queue requests during bus reset
+
+From: Wesley Cheng <wcheng@codeaurora.org>
+
+[ Upstream commit 71ca43f30df9c642970f9dc9b2d6f463f4967e7b ]
+
+The current dwc3_gadget_reset_interrupt() will stop any active
+transfers, but only addresses blocking of EP queuing for while we are
+coming from a disconnected scenario, i.e. after receiving the disconnect
+event.  If the host decides to issue a bus reset on the device, the
+connected parameter will still be set to true, allowing for EP queuing
+to continue while we are disabling the functions.  To avoid this, set the
+connected flag to false until the stop active transfers is complete.
+
+Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
+Link: https://lore.kernel.org/r/1616146285-19149-3-git-send-email-wcheng@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index e0fb7b3723c5..cca51553e0fb 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2409,6 +2409,15 @@ static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
+ 
+       dwc->connected = true;
+ 
++      /*
++       * Ideally, dwc3_reset_gadget() would trigger the function
++       * drivers to stop any active transfers through ep disable.
++       * However, for functions which defer ep disable, such as mass
++       * storage, we will need to rely on the call to stop active
++       * transfers here, and avoid allowing of request queuing.
++       */
++      dwc->connected = false;
++
+       /*
+        * WORKAROUND: DWC3 revisions <1.88a have an issue which
+        * would cause a missing Disconnect Event if there's a
+-- 
+2.30.2
+

diff --git a/queue-4.9/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch b/queue-4.9/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
new file mode 100644 (file)
index 0000000..79dbc89
--- /dev/null
+++ b/queue-4.9/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
@@ -0,0 +1,52 @@
+From 99e65c074d0a8b0996f68c48e1f8793828664a13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 13:53:38 +0100
+Subject: usb: gadget: uvc: add bInterval checking for HS mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+[ Upstream commit 26adde04acdff14a1f28d4a5dce46a8513a3038b ]
+
+Patch adds extra checking for bInterval passed by configfs.
+The 5.6.4 chapter of USB Specification (rev. 2.0) say:
+"A high-bandwidth endpoint must specify a period of 1x125 µs
+(i.e., a bInterval value of 1)."
+
+The issue was observed during testing UVC class on CV.
+I treat this change as improvement because we can control
+bInterval by configfs.
+
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20210308125338.4824-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
+index f8a1881609a2..89da34ef7b3f 100644
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -625,7 +625,12 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
+ 
+       uvc_hs_streaming_ep.wMaxPacketSize =
+               cpu_to_le16(max_packet_size | ((max_packet_mult - 1) << 11));
+-      uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
++
++      /* A high-bandwidth endpoint must specify a bInterval value of 1 */
++      if (max_packet_mult > 1)
++              uvc_hs_streaming_ep.bInterval = 1;
++      else
++              uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
+ 
+       uvc_ss_streaming_ep.wMaxPacketSize = cpu_to_le16(max_packet_size);
+       uvc_ss_streaming_ep.bInterval = opts->streaming_interval;
+-- 
+2.30.2
+

diff --git a/queue-4.9/usb-xhci-fix-port-minor-revision.patch b/queue-4.9/usb-xhci-fix-port-minor-revision.patch
new file mode 100644 (file)
index 0000000..f3e85fd
--- /dev/null
+++ b/queue-4.9/usb-xhci-fix-port-minor-revision.patch
@@ -0,0 +1,51 @@
+From 4ecae9eac61acf811e61ff3bd7bd63519a37104e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 19:43:21 -0800
+Subject: usb: xhci: Fix port minor revision
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit 64364bc912c01b33bba6c22e3ccb849bfca96398 ]
+
+Some hosts incorrectly use sub-minor version for minor version (i.e.
+0x02 instead of 0x20 for bcdUSB 0x320 and 0x01 for bcdUSB 0x310).
+Currently the xHCI driver works around this by just checking for minor
+revision > 0x01 for USB 3.1 everywhere. With the addition of USB 3.2,
+checking this gets a bit cumbersome. Since there is no USB release with
+bcdUSB 0x301 to 0x309, we can assume that sub-minor version 01 to 09 is
+incorrect. Let's try to fix this and use the minor revision that matches
+with the USB/xHCI spec to help with the version checking within the
+driver.
+
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/ed330e95a19dc367819c5b4d78bf7a541c35aa0a.1615432770.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 3cca60b845a8..9b30936904da 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2159,6 +2159,15 @@ static void xhci_add_in_port(struct xhci_hcd *xhci, unsigned int num_ports,
+ 
+       if (major_revision == 0x03) {
+               rhub = &xhci->usb3_rhub;
++              /*
++               * Some hosts incorrectly use sub-minor version for minor
++               * version (i.e. 0x02 instead of 0x20 for bcdUSB 0x320 and 0x01
++               * for bcdUSB 0x310). Since there is no USB release with sub
++               * minor version 0x301 to 0x309, we can assume that they are
++               * incorrect and fix it here.
++               */
++              if (minor_revision > 0x00 && minor_revision < 0x10)
++                      minor_revision <<= 4;
+       } else if (major_revision <= 0x02) {
+               rhub = &xhci->usb2_rhub;
+       } else {
+-- 
+2.30.2
+

diff --git a/queue-4.9/x86-build-propagate-clang_flags-to-realmode_flags.patch b/queue-4.9/x86-build-propagate-clang_flags-to-realmode_flags.patch
new file mode 100644 (file)
index 0000000..8a635f6
--- /dev/null
+++ b/queue-4.9/x86-build-propagate-clang_flags-to-realmode_flags.patch
@@ -0,0 +1,66 @@
+From 51f191ef8e78f8232c24142fe9777a66096efc36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:04:33 -0700
+Subject: x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Millikin <john@john-millikin.com>
+
+[ Upstream commit 8abe7fc26ad8f28bfdf78adbed56acd1fa93f82d ]
+
+When cross-compiling with Clang, the `$(CLANG_FLAGS)' variable
+contains additional flags needed to build C and assembly sources
+for the target platform. Normally this variable is automatically
+included in `$(KBUILD_CFLAGS)' via the top-level Makefile.
+
+The x86 real-mode makefile builds `$(REALMODE_CFLAGS)' from a
+plain assignment and therefore drops the Clang flags. This causes
+Clang to not recognize x86-specific assembler directives:
+
+  arch/x86/realmode/rm/header.S:36:1: error: unknown directive
+  .type real_mode_header STT_OBJECT ; .size real_mode_header, .-real_mode_header
+  ^
+
+Explicit propagation of `$(CLANG_FLAGS)' to `$(REALMODE_CFLAGS)',
+which is inherited by real-mode make rules, fixes cross-compilation
+with Clang for x86 targets.
+
+Relevant flags:
+
+* `--target' sets the target architecture when cross-compiling. This
+  flag must be set for both compilation and assembly (`KBUILD_AFLAGS')
+  to support architecture-specific assembler directives.
+
+* `-no-integrated-as' tells clang to assemble with GNU Assembler
+  instead of its built-in LLVM assembler. This flag is set by default
+  unless `LLVM_IAS=1' is set, because the LLVM assembler can't yet
+  parse certain GNU extensions.
+
+Signed-off-by: John Millikin <john@john-millikin.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Link: https://lkml.kernel.org/r/20210326000435.4785-2-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 9ebbd4892557..0bc35e3e6c5c 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -40,6 +40,7 @@ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4))
++REALMODE_CFLAGS += $(CLANG_FLAGS)
+ export REALMODE_CFLAGS
+ 
+ # BITS is used as extension for files which are available in a 32 bit
+-- 
+2.30.2
+