From: Sasha Levin Date: Sun, 16 Aug 2020 13:50:48 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.19.140~54 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=19ba39326dc4bd023e2fcf701b96d8d4d67b8fdd;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpica-do-not-increment-operation_region-reference-c.patch b/queue-4.14/acpica-do-not-increment-operation_region-reference-c.patch new file mode 100644 index 00000000000..107e76b67d3 --- /dev/null +++ b/queue-4.14/acpica-do-not-increment-operation_region-reference-c.patch @@ -0,0 +1,81 @@ +From 2efaab384dfdcb6d7bc086a23f8b3f6162d21297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 10:31:20 -0700 +Subject: ACPICA: Do not increment operation_region reference counts for field + units + +From: Erik Kaneda + +[ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ] + +ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70 + +Object reference counts are used as a part of ACPICA's garbage +collection mechanism. This mechanism keeps track of references to +heap-allocated structures such as the ACPI operand objects. + +Recent server firmware has revealed that this reference count can +overflow on large servers that declare many field units under the +same operation_region. This occurs because each field unit declaration +will add a reference count to the source operation_region. + +This change solves the reference count overflow for operation_regions +objects by preventing fieldunits from incrementing their +operation_region's reference count. Each operation_region's reference +count will not be changed by named objects declared under the Field +operator. During namespace deletion, the operation_region namespace +node will be deleted and each fieldunit will be deleted without +touching the deleted operation_region object. + +Link: https://github.com/acpica/acpica/commit/e17b28cf +Signed-off-by: Erik Kaneda +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exprep.c | 4 ---- + drivers/acpi/acpica/utdelete.c | 6 +----- + 2 files changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c +index 8de060664204e..e23f3d54bb31c 100644 +--- a/drivers/acpi/acpica/exprep.c ++++ b/drivers/acpi/acpica/exprep.c +@@ -507,10 +507,6 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info) + (u8)access_byte_width; + } + } +- /* An additional reference for the container */ +- +- acpi_ut_add_reference(obj_desc->field.region_obj); +- + ACPI_DEBUG_PRINT((ACPI_DB_BFIELD, + "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n", + obj_desc->field.start_field_bit_offset, +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index c6eb9fae70f9a..61a979d0fbc5a 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -593,11 +593,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + next_object = object->buffer_field.buffer_obj; + break; + +- case ACPI_TYPE_LOCAL_REGION_FIELD: +- +- next_object = object->field.region_obj; +- break; +- + case ACPI_TYPE_LOCAL_BANK_FIELD: + + next_object = object->bank_field.bank_obj; +@@ -638,6 +633,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + } + break; + ++ case ACPI_TYPE_LOCAL_REGION_FIELD: + case ACPI_TYPE_REGION: + default: + +-- +2.25.1 + diff --git a/queue-4.14/agp-intel-fix-a-memory-leak-on-module-initialisation.patch b/queue-4.14/agp-intel-fix-a-memory-leak-on-module-initialisation.patch new file mode 100644 index 00000000000..5a6c80db79d --- /dev/null +++ b/queue-4.14/agp-intel-fix-a-memory-leak-on-module-initialisation.patch @@ -0,0 +1,43 @@ +From 7c74cee9307f3f261975d576d65e34770f916134 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 09:34:51 +0100 +Subject: agp/intel: Fix a memory leak on module initialisation failure + +From: Qiushi Wu + +[ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ] + +In intel_gtt_setup_scratch_page(), pointer "page" is not released if +pci_dma_mapping_error() return an error, leading to a memory leak on +module initialisation failure. Simply fix this issue by freeing "page" +before return. + +Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page") +Signed-off-by: Qiushi Wu +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +--- + drivers/char/agp/intel-gtt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c +index 7516ba981b635..34cc853772bc4 100644 +--- a/drivers/char/agp/intel-gtt.c ++++ b/drivers/char/agp/intel-gtt.c +@@ -304,8 +304,10 @@ static int intel_gtt_setup_scratch_page(void) + if (intel_private.needs_dmar) { + dma_addr = pci_map_page(intel_private.pcidev, page, 0, + PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); +- if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) ++ if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) { ++ __free_page(page); + return -EINVAL; ++ } + + intel_private.scratch_page_dma = dma_addr; + } else +-- +2.25.1 + diff --git a/queue-4.14/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch b/queue-4.14/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch new file mode 100644 index 00000000000..570742c9391 --- /dev/null +++ b/queue-4.14/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch @@ -0,0 +1,64 @@ +From 4162369e4b99c96c13e5a82ecdc143f52484ba0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 20:33:01 +0800 +Subject: ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() + +From: yu kuai + +[ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ] + +if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have +a corresponding put_device(). Thus add a jump target to fix the exception +handling for this function implementation. + +Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM") +Signed-off-by: yu kuai +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com +Signed-off-by: Sasha Levin +--- + arch/arm/mach-at91/pm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c +index 849014c01cf4d..bebaa0b0aef40 100644 +--- a/arch/arm/mach-at91/pm.c ++++ b/arch/arm/mach-at91/pm.c +@@ -456,13 +456,13 @@ static void __init at91_pm_sram_init(void) + sram_pool = gen_pool_get(&pdev->dev, NULL); + if (!sram_pool) { + pr_warn("%s: sram pool unavailable!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_base = gen_pool_alloc(sram_pool, at91_pm_suspend_in_sram_sz); + if (!sram_base) { + pr_warn("%s: unable to alloc sram!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_pbase = gen_pool_virt_to_phys(sram_pool, sram_base); +@@ -470,12 +470,17 @@ static void __init at91_pm_sram_init(void) + at91_pm_suspend_in_sram_sz, false); + if (!at91_suspend_sram_fn) { + pr_warn("SRAM: Could not map\n"); +- return; ++ goto out_put_device; + } + + /* Copy the pm suspend handler to SRAM */ + at91_suspend_sram_fn = fncpy(at91_suspend_sram_fn, + &at91_pm_suspend_in_sram, at91_pm_suspend_in_sram_sz); ++ return; ++ ++out_put_device: ++ put_device(&pdev->dev); ++ return; + } + + static void __init at91_pm_backup_init(void) +-- +2.25.1 + diff --git a/queue-4.14/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch b/queue-4.14/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch new file mode 100644 index 00000000000..fa8d8ebdeff --- /dev/null +++ b/queue-4.14/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch @@ -0,0 +1,64 @@ +From e751b293dfb637c1abf964f17a130c4c0abb80ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 21:45:51 +0800 +Subject: ARM: socfpga: PM: add missing put_device() call in + socfpga_setup_ocram_self_refresh() + +From: Yu Kuai + +[ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ] + +if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh +doesn't have a corresponding put_device(). Thus add a jump target to +fix the exception handling for this function implementation. + +Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram") +Signed-off-by: Yu Kuai +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +--- + arch/arm/mach-socfpga/pm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c +index c378ab0c24317..93f2245c97750 100644 +--- a/arch/arm/mach-socfpga/pm.c ++++ b/arch/arm/mach-socfpga/pm.c +@@ -60,14 +60,14 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!ocram_pool) { + pr_warn("%s: ocram pool unavailable!\n", __func__); + ret = -ENODEV; +- goto put_node; ++ goto put_device; + } + + ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz); + if (!ocram_base) { + pr_warn("%s: unable to alloc ocram!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base); +@@ -78,7 +78,7 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!suspend_ocram_base) { + pr_warn("%s: __arm_ioremap_exec failed!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + /* Copy the code that puts DDR in self refresh to ocram */ +@@ -92,6 +92,8 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!socfpga_sdram_self_refresh_in_ocram) + ret = -EFAULT; + ++put_device: ++ put_device(&pdev->dev); + put_node: + of_node_put(np); + +-- +2.25.1 + diff --git a/queue-4.14/arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch b/queue-4.14/arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch new file mode 100644 index 00000000000..20427855c13 --- /dev/null +++ b/queue-4.14/arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch @@ -0,0 +1,37 @@ +From 92d763b057c4c312260f4fb53d1c76fe731e69b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jul 2020 12:39:17 +0530 +Subject: arm64: dts: exynos: Fix silent hang after boot on Espresso + +From: Alim Akhtar + +[ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ] + +Once regulators are disabled after kernel boot, on Espresso board silent +hang observed because of LDO7 being disabled. LDO7 actually provide +power to CPU cores and non-cpu blocks circuitries. Keep this regulator +always-on to fix this hang. + +Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso") +Signed-off-by: Alim Akhtar +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +index 4a8b1fb51243c..c8824b918693d 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts ++++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +@@ -155,6 +155,7 @@ ldo7_reg: LDO7 { + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1150000>; + regulator-enable-ramp-delay = <125>; ++ regulator-always-on; + }; + + ldo8_reg: LDO8 { +-- +2.25.1 + diff --git a/queue-4.14/arm64-dts-hisilicon-hikey-fixes-to-comply-with-adi-a.patch b/queue-4.14/arm64-dts-hisilicon-hikey-fixes-to-comply-with-adi-a.patch new file mode 100644 index 00000000000..62b7c2fd62e --- /dev/null +++ b/queue-4.14/arm64-dts-hisilicon-hikey-fixes-to-comply-with-adi-a.patch @@ -0,0 +1,72 @@ +From 8a1ce02a0c62643be34954d439b0a08851f6ca87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2020 08:33:06 +0200 +Subject: arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT + binding +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Cañuelo + +[ Upstream commit bbe28fc3cbabbef781bcdf847615d52ce2e26e42 ] + +hi3660-hikey960.dts: + Define a 'ports' node for 'adv7533: adv7533@39' and the + 'adi,dsi-lanes' property to make it compliant with the adi,adv7533 DT + binding. + + This fills the requirements to meet the binding requirements, + remote endpoints are not defined. + +hi6220-hikey.dts: + Change property name s/pd-gpio/pd-gpios, gpio properties should be + plural. This is just a cosmetic change. + +Signed-off-by: Ricardo Cañuelo +Acked-by: Laurent Pinchart +Signed-off-by: Wei Xu +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts | 11 +++++++++++ + arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts | 2 +- + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts b/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts +index e9f87cb61ade7..8587912e1eb00 100644 +--- a/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts ++++ b/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts +@@ -210,6 +210,17 @@ adv7533: adv7533@39 { + status = "ok"; + compatible = "adi,adv7533"; + reg = <0x39>; ++ adi,dsi-lanes = <4>; ++ ports { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ port@0 { ++ reg = <0>; ++ }; ++ port@1 { ++ reg = <1>; ++ }; ++ }; + }; + }; + +diff --git a/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts b/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts +index 6887cc1a743d4..f78e6468b02fc 100644 +--- a/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts ++++ b/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts +@@ -513,7 +513,7 @@ adv7533: adv7533@39 { + reg = <0x39>; + interrupt-parent = <&gpio1>; + interrupts = <1 2>; +- pd-gpio = <&gpio0 4 0>; ++ pd-gpios = <&gpio0 4 0>; + adi,dsi-lanes = <4>; + #sound-dai-cells = <0>; + +-- +2.25.1 + diff --git a/queue-4.14/arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch b/queue-4.14/arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch new file mode 100644 index 00000000000..176e011b7ee --- /dev/null +++ b/queue-4.14/arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch @@ -0,0 +1,81 @@ +From a1da7f10ddc107beb70a50130485adc44dc0c4f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 20:59:14 +0200 +Subject: arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property + +From: Stephan Gerhold + +[ Upstream commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 ] + +msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio +pin configurations. This was likely copied from the qcom kernel fork +where the same property was used for these audio pins. + +However, "bias-pull-none" actually does not exist at all - not in +mainline and not in downstream. I can only guess that the original +intention was to configure "no pull", i.e. bias-disable. + +Change it to that instead. + +Fixes: 143bb9ad85b7 ("arm64: dts: qcom: add audio pinctrls") +Cc: Srinivas Kandagatla +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200605185916.318494-2-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +index 4cb0b58341432..69ba1d79bcd5d 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +@@ -542,7 +542,7 @@ pinconf { + pins = "gpio63", "gpio64", "gpio65", "gpio66", + "gpio67", "gpio68"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + cdc_pdm_lines_sus: pdm_lines_off { +@@ -571,7 +571,7 @@ pinconf { + pins = "gpio113", "gpio114", "gpio115", + "gpio116"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + +@@ -599,7 +599,7 @@ pinmux { + pinconf { + pins = "gpio110"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + +@@ -625,7 +625,7 @@ pinmux { + pinconf { + pins = "gpio116"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + ext_mclk_tlmm_lines_sus: mclk_lines_off { +@@ -653,7 +653,7 @@ pinconf { + pins = "gpio112", "gpio117", "gpio118", + "gpio119"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + ext_sec_tlmm_lines_sus: tlmm_lines_off { +-- +2.25.1 + diff --git a/queue-4.14/arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch b/queue-4.14/arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch new file mode 100644 index 00000000000..8d033166edb --- /dev/null +++ b/queue-4.14/arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch @@ -0,0 +1,43 @@ +From fb1e4fc99be63b11e0239111c3017d74860fe252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 15:28:36 +0200 +Subject: arm64: dts: rockchip: fix rk3399-puma gmac reset gpio + +From: Heiko Stuebner + +[ Upstream commit 8a445086f8af0b7b9bd8d1901d6f306bb154f70d ] + +The puma gmac node currently uses opposite active-values for the +gmac phy reset pin. The gpio-declaration uses active-high while the +separate snps,reset-active-low property marks the pin as active low. + +While on the kernel side this works ok, other DT users may get +confused - as seen with uboot right now. + +So bring this in line and make both properties match, similar to the +other Rockchip board. + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20200603132836.362519-1-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +index b08a998ca1024..0d5679380b2a6 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -193,7 +193,7 @@ &gmac { + phy-mode = "rgmii"; + pinctrl-names = "default"; + pinctrl-0 = <&rgmii_pins>; +- snps,reset-gpio = <&gpio3 RK_PC0 GPIO_ACTIVE_HIGH>; ++ snps,reset-gpio = <&gpio3 RK_PC0 GPIO_ACTIVE_LOW>; + snps,reset-active-low; + snps,reset-delays-us = <0 10000 50000>; + tx_delay = <0x10>; +-- +2.25.1 + diff --git a/queue-4.14/arm64-dts-rockchip-fix-rk3399-puma-vcc5v0-host-gpio.patch b/queue-4.14/arm64-dts-rockchip-fix-rk3399-puma-vcc5v0-host-gpio.patch new file mode 100644 index 00000000000..0d01d199871 --- /dev/null +++ b/queue-4.14/arm64-dts-rockchip-fix-rk3399-puma-vcc5v0-host-gpio.patch @@ -0,0 +1,43 @@ +From 9cf4ace3982d72149340546282a2da750438cf30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 11:12:39 +0200 +Subject: arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio + +From: Heiko Stuebner + +[ Upstream commit 7a7184f6cfa9279f1a1c10a1845d247d7fad54ff ] + +The puma vcc5v0_host regulator node currently uses opposite active-values +for the enable pin. The gpio-declaration uses active-high while the +separate enable-active-low property marks the pin as active low. + +While on the kernel side this works ok, other DT users may get +confused - as seen with uboot right now. + +So bring this in line and make both properties match, similar to the +gmac fix. + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20200604091239.424318-1-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +index 1fc5060d7027e..b08a998ca1024 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -138,7 +138,7 @@ vcc3v3_sys: vcc3v3-sys { + + vcc5v0_host: vcc5v0-host-regulator { + compatible = "regulator-fixed"; +- gpio = <&gpio4 RK_PA3 GPIO_ACTIVE_HIGH>; ++ gpio = <&gpio4 RK_PA3 GPIO_ACTIVE_LOW>; + enable-active-low; + pinctrl-names = "default"; + pinctrl-0 = <&vcc5v0_host_en>; +-- +2.25.1 + diff --git a/queue-4.14/asoc-intel-bxt_rt298-add-missing-.owner-field.patch b/queue-4.14/asoc-intel-bxt_rt298-add-missing-.owner-field.patch new file mode 100644 index 00000000000..77b70b97c0a --- /dev/null +++ b/queue-4.14/asoc-intel-bxt_rt298-add-missing-.owner-field.patch @@ -0,0 +1,50 @@ +From 1becd92a3a2f9dcb11a5124660a07dbe0d7b746e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 14:12:55 -0500 +Subject: ASoC: Intel: bxt_rt298: add missing .owner field + +From: Pierre-Louis Bossart + +[ Upstream commit 88cee34b776f80d2da04afb990c2a28c36799c43 ] + +This field is required for ASoC cards. Not setting it will result in a +module->name pointer being NULL and generate problems such as + +cat /proc/asound/modules + 0 (efault) + +Fixes: 76016322ec56 ('ASoC: Intel: Add Broxton-P machine driver') +Reported-by: Jaroslav Kysela +Suggested-by: Takashi Iwai +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20200625191308.3322-5-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bxt_rt298.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c +index 7843104fadcbf..1b01bc318fd25 100644 +--- a/sound/soc/intel/boards/bxt_rt298.c ++++ b/sound/soc/intel/boards/bxt_rt298.c +@@ -529,6 +529,7 @@ static int bxt_card_late_probe(struct snd_soc_card *card) + /* broxton audio machine driver for SPT + RT298S */ + static struct snd_soc_card broxton_rt298 = { + .name = "broxton-rt298", ++ .owner = THIS_MODULE, + .dai_link = broxton_rt298_dais, + .num_links = ARRAY_SIZE(broxton_rt298_dais), + .controls = broxton_controls, +@@ -544,6 +545,7 @@ static struct snd_soc_card broxton_rt298 = { + + static struct snd_soc_card geminilake_rt298 = { + .name = "geminilake-rt298", ++ .owner = THIS_MODULE, + .dai_link = broxton_rt298_dais, + .num_links = ARRAY_SIZE(broxton_rt298_dais), + .controls = broxton_controls, +-- +2.25.1 + diff --git a/queue-4.14/bcache-fix-super-block-seq-numbers-comparision-in-re.patch b/queue-4.14/bcache-fix-super-block-seq-numbers-comparision-in-re.patch new file mode 100644 index 00000000000..b4260f3567b --- /dev/null +++ b/queue-4.14/bcache-fix-super-block-seq-numbers-comparision-in-re.patch @@ -0,0 +1,79 @@ +From e29d5f7b34c2997abeedf92a8aff8e7fc9e4bc98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 20:00:26 +0800 +Subject: bcache: fix super block seq numbers comparision in + register_cache_set() + +From: Coly Li + +[ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ] + +In register_cache_set(), c is pointer to struct cache_set, and ca is +pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this +registering cache has up to date version and other members, the in- +memory version and other members should be updated to the newer value. + +But current implementation makes a cache set only has a single cache +device, so the above assumption works well except for a special case. +The execption is when a cache device new created and both ca->sb.seq and +c->sb.seq are 0, because the super block is never flushed out yet. In +the location for the following if() check, +2156 if (ca->sb.seq > c->sb.seq) { +2157 c->sb.version = ca->sb.version; +2158 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); +2159 c->sb.flags = ca->sb.flags; +2160 c->sb.seq = ca->sb.seq; +2161 pr_debug("set version = %llu\n", c->sb.version); +2162 } +c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0, +the if() check will fail (because both values are 0), and the cache set +version, set_uuid, flags and seq won't be updated. + +The above problem is hiden for current code, because the bucket size is +compatible among different super block version. And the next time when +running cache set again, ca->sb.seq will be larger than 0 and cache set +super block version will be updated properly. + +But if the large bucket feature is enabled, sb->bucket_size is the low +16bits of the bucket size. For a power of 2 value, when the actual +bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then +read_super_common() will fail because the if() check to +is_power_of_2(sb->bucket_size) is false. This is how the long time +hidden bug is triggered. + +This patch modifies the if() check to the following way, +2156 if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { +Then cache set's version, set_uuid, flags and seq will always be updated +corectly including for a new created cache device. + +Signed-off-by: Coly Li +Reviewed-by: Hannes Reinecke +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 690aeb09bbf55..32498b912ce7c 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1780,7 +1780,14 @@ static const char *register_cache_set(struct cache *ca) + sysfs_create_link(&c->kobj, &ca->kobj, buf)) + goto err; + +- if (ca->sb.seq > c->sb.seq) { ++ /* ++ * A special case is both ca->sb.seq and c->sb.seq are 0, ++ * such condition happens on a new created cache device whose ++ * super block is never flushed yet. In this case c->sb.version ++ * and other members should be updated too, otherwise we will ++ * have a mistaken super block version in cache set. ++ */ ++ if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { + c->sb.version = ca->sb.version; + memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); + c->sb.flags = ca->sb.flags; +-- +2.25.1 + diff --git a/queue-4.14/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch b/queue-4.14/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch new file mode 100644 index 00000000000..96a80ea2d1a --- /dev/null +++ b/queue-4.14/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch @@ -0,0 +1,92 @@ +From a3bc0e6565c80267dfef1e4097da9d7db2171999 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 13:07:42 -0400 +Subject: bdc: Fix bug causing crash after multiple disconnects + +From: Sasi Kumar + +[ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ] + +Multiple connects/disconnects can cause a crash on the second +disconnect. The driver had a problem where it would try to send +endpoint commands after it was disconnected which is not allowed +by the hardware. The fix is to only allow the endpoint commands +when the endpoint is connected. This will also fix issues that +showed up when using configfs to create gadgets. + +Signed-off-by: Sasi Kumar +Signed-off-by: Al Cooper +Acked-by: Florian Fainelli +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/bdc/bdc_core.c | 4 ++++ + drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 ++++++++++------ + 2 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index 7a8af4b916cff..2660cc2e42a08 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -288,6 +288,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + * in that case reinit is passed as 1 + */ + if (reinit) { ++ int i; + /* Enable interrupts */ + temp = bdc_readl(bdc->regs, BDC_BDCSC); + temp |= BDC_GIE; +@@ -297,6 +298,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + /* Initialize SRR to 0 */ + memset(bdc->srr.sr_bds, 0, + NUM_SR_ENTRIES * sizeof(struct bdc_bd)); ++ /* clear ep flags to avoid post disconnect stops/deconfigs */ ++ for (i = 1; i < bdc->num_eps; ++i) ++ bdc->bdc_ep_array[i]->flags = 0; + } else { + /* One time initiaization only */ + /* Enable status report function pointers */ +diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c +index be9f40bc9c12b..bb2d5ebd97b52 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c +@@ -621,7 +621,6 @@ int bdc_ep_enable(struct bdc_ep *ep) + } + bdc_dbg_bd_list(bdc, ep); + /* only for ep0: config ep is called for ep0 from connect event */ +- ep->flags |= BDC_EP_ENABLED; + if (ep->ep_num == 1) + return ret; + +@@ -765,10 +764,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req) + __func__, ep->name, start_bdi, end_bdi); + dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n", + ep, (void *)ep->usb_ep.desc); +- /* Stop the ep to see where the HW is ? */ +- ret = bdc_stop_ep(bdc, ep->ep_num); +- /* if there is an issue with stopping ep, then no need to go further */ +- if (ret) ++ /* if still connected, stop the ep to see where the HW is ? */ ++ if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) { ++ ret = bdc_stop_ep(bdc, ep->ep_num); ++ /* if there is an issue, then no need to go further */ ++ if (ret) ++ return 0; ++ } else + return 0; + + /* +@@ -1917,7 +1919,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep) + __func__, ep->name, ep->flags); + + if (!(ep->flags & BDC_EP_ENABLED)) { +- dev_warn(bdc->dev, "%s is already disabled\n", ep->name); ++ if (bdc->gadget.speed != USB_SPEED_UNKNOWN) ++ dev_warn(bdc->dev, "%s is already disabled\n", ++ ep->name); + return 0; + } + spin_lock_irqsave(&bdc->lock, flags); +-- +2.25.1 + diff --git a/queue-4.14/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch b/queue-4.14/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch new file mode 100644 index 00000000000..8d867716270 --- /dev/null +++ b/queue-4.14/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch @@ -0,0 +1,142 @@ +From 5df584e7b4808a343d6a99c19982ce6025dfdb4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 20:28:41 +0800 +Subject: Bluetooth: add a mutex lock to avoid UAF in do_enale_set + +From: Lihong Kou + +[ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ] + +In the case we set or free the global value listen_chan in +different threads, we can encounter the UAF problems because +the method is not protected by any lock, add one to avoid +this bug. + +BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 +net/bluetooth/l2cap_core.c:730 +Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868 + +CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS Google 01/01/2011 +Workqueue: events do_enable_set +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1fb/0x318 lib/dump_stack.c:118 + print_address_description+0x74/0x5c0 mm/kasan/report.c:374 + __kasan_report+0x149/0x1c0 mm/kasan/report.c:506 + kasan_report+0x26/0x50 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730 + do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +Allocated by task 2870: + save_stack mm/kasan/common.c:72 [inline] + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446 + chan_create net/bluetooth/6lowpan.c:640 [inline] + bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline] + do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +Freed by task 2870: + save_stack mm/kasan/common.c:72 [inline] + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10d/0x220 mm/slab.c:3757 + l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline] + kref_put include/linux/kref.h:65 [inline] + l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498 + do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +The buggy address belongs to the object at ffff888096950000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 0 bytes inside of + 2048-byte region [ffff888096950000, ffff888096950800) +The buggy address belongs to the page: +page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00 +raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com +Signed-off-by: Lihong Kou +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/6lowpan.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index 357475cceec61..9a75f9b00b512 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -57,6 +57,7 @@ static bool enable_6lowpan; + /* We are listening incoming connections via this channel + */ + static struct l2cap_chan *listen_chan; ++static DEFINE_MUTEX(set_lock); + + struct lowpan_peer { + struct list_head list; +@@ -1082,12 +1083,14 @@ static void do_enable_set(struct work_struct *work) + + enable_6lowpan = set_enable->flag; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + } + + listen_chan = bt_6lowpan_listen(); ++ mutex_unlock(&set_lock); + + kfree(set_enable); + } +@@ -1139,11 +1142,13 @@ static ssize_t lowpan_control_write(struct file *fp, + if (ret == -EINVAL) + return ret; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + listen_chan = NULL; + } ++ mutex_unlock(&set_lock); + + if (conn) { + struct lowpan_peer *peer; +-- +2.25.1 + diff --git a/queue-4.14/bluetooth-hci_serdev-only-unregister-device-if-it-wa.patch b/queue-4.14/bluetooth-hci_serdev-only-unregister-device-if-it-wa.patch new file mode 100644 index 00000000000..92e4cf30a2b --- /dev/null +++ b/queue-4.14/bluetooth-hci_serdev-only-unregister-device-if-it-wa.patch @@ -0,0 +1,37 @@ +From d648cb55f009380f3062eb9fc65474f633d50659 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 10:37:16 +0800 +Subject: Bluetooth: hci_serdev: Only unregister device if it was registered + +From: Nicolas Boichat + +[ Upstream commit 202798db9570104728dce8bb57dfeed47ce764bc ] + +We should not call hci_unregister_dev if the device was not +successfully registered. + +Fixes: c34dc3bfa7642fd ("Bluetooth: hci_serdev: Introduce hci_uart_unregister_device()") +Signed-off-by: Nicolas Boichat +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_serdev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c +index 69c00a3db5382..72cf2d97b682c 100644 +--- a/drivers/bluetooth/hci_serdev.c ++++ b/drivers/bluetooth/hci_serdev.c +@@ -361,7 +361,8 @@ void hci_uart_unregister_device(struct hci_uart *hu) + struct hci_dev *hdev = hu->hdev; + + clear_bit(HCI_UART_PROTO_READY, &hu->flags); +- hci_unregister_dev(hdev); ++ if (test_bit(HCI_UART_REGISTERED, &hu->flags)) ++ hci_unregister_dev(hdev); + hci_free_dev(hdev); + + cancel_work_sync(&hu->write_work); +-- +2.25.1 + diff --git a/queue-4.14/brcmfmac-set-state-of-hanger-slot-to-free-when-flush.patch b/queue-4.14/brcmfmac-set-state-of-hanger-slot-to-free-when-flush.patch new file mode 100644 index 00000000000..c846ecef1a2 --- /dev/null +++ b/queue-4.14/brcmfmac-set-state-of-hanger-slot-to-free-when-flush.patch @@ -0,0 +1,80 @@ +From e155c5daa38690a43b89a753d2bde1a91001e913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 04:16:07 -0500 +Subject: brcmfmac: set state of hanger slot to FREE when flushing PSQ + +From: Wright Feng + +[ Upstream commit fcdd7a875def793c38d7369633af3eba6c7cf089 ] + +When USB or SDIO device got abnormal bus disconnection, host driver +tried to clean up the skbs in PSQ and TXQ (The skb's pointer in hanger +slot linked to PSQ and TSQ), so we should set the state of skb hanger slot +to BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb. +In brcmf_fws_bus_txq_cleanup it already sets +BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb, therefore we add the +same thing in brcmf_fws_psq_flush to avoid following warning message. + + [ 1580.012880] ------------ [ cut here ]------------ + [ 1580.017550] WARNING: CPU: 3 PID: 3065 at +drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 +brcmu_pkt_buf_free_skb+0x21/0x30 [brcmutil] + [ 1580.184017] Call Trace: + [ 1580.186514] brcmf_fws_cleanup+0x14e/0x190 [brcmfmac] + [ 1580.191594] brcmf_fws_del_interface+0x70/0x90 [brcmfmac] + [ 1580.197029] brcmf_proto_bcdc_del_if+0xe/0x10 [brcmfmac] + [ 1580.202418] brcmf_remove_interface+0x69/0x190 [brcmfmac] + [ 1580.207888] brcmf_detach+0x90/0xe0 [brcmfmac] + [ 1580.212385] brcmf_usb_disconnect+0x76/0xb0 [brcmfmac] + [ 1580.217557] usb_unbind_interface+0x72/0x260 + [ 1580.221857] device_release_driver_internal+0x141/0x200 + [ 1580.227152] device_release_driver+0x12/0x20 + [ 1580.231460] bus_remove_device+0xfd/0x170 + [ 1580.235504] device_del+0x1d9/0x300 + [ 1580.239041] usb_disable_device+0x9e/0x270 + [ 1580.243160] usb_disconnect+0x94/0x270 + [ 1580.246980] hub_event+0x76d/0x13b0 + [ 1580.250499] process_one_work+0x144/0x360 + [ 1580.254564] worker_thread+0x4d/0x3c0 + [ 1580.258247] kthread+0x109/0x140 + [ 1580.261515] ? rescuer_thread+0x340/0x340 + [ 1580.265543] ? kthread_park+0x60/0x60 + [ 1580.269237] ? SyS_exit_group+0x14/0x20 + [ 1580.273118] ret_from_fork+0x25/0x30 + [ 1580.300446] ------------ [ cut here ]------------ + +Acked-by: Arend van Spriel +Signed-off-by: Wright Feng +Signed-off-by: Chi-hsien Lin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200624091608.25154-2-wright.feng@cypress.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +index 2370060ef980a..0807331284895 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +@@ -653,6 +653,7 @@ static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h, + static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q, + int ifidx) + { ++ struct brcmf_fws_hanger_item *hi; + bool (*matchfn)(struct sk_buff *, void *) = NULL; + struct sk_buff *skb; + int prec; +@@ -664,6 +665,9 @@ static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q, + skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx); + while (skb) { + hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT); ++ hi = &fws->hanger.items[hslot]; ++ WARN_ON(skb != hi->pkt); ++ hi->state = BRCMF_FWS_HANGER_ITEM_STATE_FREE; + brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb, + true); + brcmu_pkt_buf_free_skb(skb); +-- +2.25.1 + diff --git a/queue-4.14/brcmfmac-to-fix-bss-info-flag-definition-bug.patch b/queue-4.14/brcmfmac-to-fix-bss-info-flag-definition-bug.patch new file mode 100644 index 00000000000..1b269d0a8ca --- /dev/null +++ b/queue-4.14/brcmfmac-to-fix-bss-info-flag-definition-bug.patch @@ -0,0 +1,39 @@ +From abddcec51dbaf47166cd559a94ede63bb8982810 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 02:18:35 -0500 +Subject: brcmfmac: To fix Bss Info flag definition Bug + +From: Prasanna Kerekoppa + +[ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ] + +Bss info flag definition need to be fixed from 0x2 to 0x4 +This flag is for rssi info received on channel. +All Firmware branches defined as 0x4 and this is bug in brcmfmac. + +Signed-off-by: Prasanna Kerekoppa +Signed-off-by: Chi-hsien Lin +Signed-off-by: Wright Feng +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +index e0d22fedb2b45..05bd636011ec9 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +@@ -30,7 +30,7 @@ + #define BRCMF_ARP_OL_PEER_AUTO_REPLY 0x00000008 + + #define BRCMF_BSS_INFO_VERSION 109 /* curr ver of brcmf_bss_info_le struct */ +-#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0002 ++#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0004 + + #define BRCMF_STA_WME 0x00000002 /* WMM association */ + #define BRCMF_STA_AUTHE 0x00000008 /* Authenticated */ +-- +2.25.1 + diff --git a/queue-4.14/console-newport_con-fix-an-issue-about-leak-related-.patch b/queue-4.14/console-newport_con-fix-an-issue-about-leak-related-.patch new file mode 100644 index 00000000000..9d7ec14443e --- /dev/null +++ b/queue-4.14/console-newport_con-fix-an-issue-about-leak-related-.patch @@ -0,0 +1,91 @@ +From e193d400d3b1b4d0365e379a3a0060469a9d4bb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 00:42:51 +0800 +Subject: console: newport_con: fix an issue about leak related system + resources + +From: Dejin Zheng + +[ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ] + +A call of the function do_take_over_console() can fail here. +The corresponding system resources were not released then. +Thus add a call of iounmap() and release_mem_region() +together with the check of a failure predicate. and also +add release_mem_region() on device removal. + +Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding") +Suggested-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Dejin Zheng +Reviewed-by: Andy Shevchenko +Cc: Greg Kroah-Hartman +cc: Thomas Gleixner +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/console/newport_con.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c +index 42d02a206059b..d3b0850391e0d 100644 +--- a/drivers/video/console/newport_con.c ++++ b/drivers/video/console/newport_con.c +@@ -31,6 +31,8 @@ + #include + #include + ++#define NEWPORT_LEN 0x10000 ++ + #define FONT_DATA ((unsigned char *)font_vga_8x16.data) + + /* borrowed from fbcon.c */ +@@ -42,6 +44,7 @@ + static unsigned char *font_data[MAX_NR_CONSOLES]; + + static struct newport_regs *npregs; ++static unsigned long newport_addr; + + static int logo_active; + static int topscan; +@@ -701,7 +704,6 @@ const struct consw newport_con = { + static int newport_probe(struct gio_device *dev, + const struct gio_device_id *id) + { +- unsigned long newport_addr; + int err; + + if (!dev->resource.start) +@@ -711,7 +713,7 @@ static int newport_probe(struct gio_device *dev, + return -EBUSY; /* we only support one Newport as console */ + + newport_addr = dev->resource.start + 0xF0000; +- if (!request_mem_region(newport_addr, 0x10000, "Newport")) ++ if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport")) + return -ENODEV; + + npregs = (struct newport_regs *)/* ioremap cannot fail */ +@@ -719,6 +721,11 @@ static int newport_probe(struct gio_device *dev, + console_lock(); + err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1); + console_unlock(); ++ ++ if (err) { ++ iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); ++ } + return err; + } + +@@ -726,6 +733,7 @@ static void newport_remove(struct gio_device *dev) + { + give_up_console(&newport_con); + iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); + } + + static struct gio_device_id newport_ids[] = { +-- +2.25.1 + diff --git a/queue-4.14/coresight-tmc-fix-tmc-mode-read-in-tmc_read_unprepar.patch b/queue-4.14/coresight-tmc-fix-tmc-mode-read-in-tmc_read_unprepar.patch new file mode 100644 index 00000000000..3fa0ab2b6af --- /dev/null +++ b/queue-4.14/coresight-tmc-fix-tmc-mode-read-in-tmc_read_unprepar.patch @@ -0,0 +1,80 @@ +From 265fd2a6e40bc468bacdeb858b240385b306367e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 11:57:42 -0600 +Subject: coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb() + +From: Sai Prakash Ranjan + +[ Upstream commit d021f5c5ff679432c5e9faee0fd7350db2efb97c ] + +Reading TMC mode register without proper coresight power +management can lead to exceptions like the one in the call +trace below in tmc_read_unprepare_etb() when the trace data +is read after the sink is disabled. So fix this by having +a check for coresight sysfs mode before reading TMC mode +management register in tmc_read_unprepare_etb() similar to +tmc_read_prepare_etb(). + + SError Interrupt on CPU6, code 0xbe000411 -- SError + pstate: 80400089 (Nzcv daIf +PAN -UAO) + pc : tmc_read_unprepare_etb+0x74/0x108 + lr : tmc_read_unprepare_etb+0x54/0x108 + sp : ffffff80d9507c30 + x29: ffffff80d9507c30 x28: ffffff80b3569a0c + x27: 0000000000000000 x26: 00000000000a0001 + x25: ffffff80cbae9550 x24: 0000000000000010 + x23: ffffffd07296b0f0 x22: ffffffd0109ee028 + x21: 0000000000000000 x20: ffffff80d19e70e0 + x19: ffffff80d19e7080 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 + x15: 0000000000000000 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: dfffffd000000001 + x9 : 0000000000000000 x8 : 0000000000000002 + x7 : ffffffd071d0fe78 x6 : 0000000000000000 + x5 : 0000000000000080 x4 : 0000000000000001 + x3 : ffffffd071d0fe98 x2 : 0000000000000000 + x1 : 0000000000000004 x0 : 0000000000000001 + Kernel panic - not syncing: Asynchronous SError Interrupt + +Fixes: 4525412a5046 ("coresight: tmc: making prepare/unprepare functions generic") +Reported-by: Mike Leach +Signed-off-by: Sai Prakash Ranjan +Tested-by: Mike Leach +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200716175746.3338735-14-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-tmc-etf.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c +index 0a00f4e941fbb..9bddbfbfbe03b 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c +@@ -587,15 +587,14 @@ int tmc_read_unprepare_etb(struct tmc_drvdata *drvdata) + + spin_lock_irqsave(&drvdata->spinlock, flags); + +- /* There is no point in reading a TMC in HW FIFO mode */ +- mode = readl_relaxed(drvdata->base + TMC_MODE); +- if (mode != TMC_MODE_CIRCULAR_BUFFER) { +- spin_unlock_irqrestore(&drvdata->spinlock, flags); +- return -EINVAL; +- } +- + /* Re-enable the TMC if need be */ + if (drvdata->mode == CS_MODE_SYSFS) { ++ /* There is no point in reading a TMC in HW FIFO mode */ ++ mode = readl_relaxed(drvdata->base + TMC_MODE); ++ if (mode != TMC_MODE_CIRCULAR_BUFFER) { ++ spin_unlock_irqrestore(&drvdata->spinlock, flags); ++ return -EINVAL; ++ } + /* + * The trace run will continue with the same allocated trace + * buffer. As such zero-out the buffer so that we don't end +-- +2.25.1 + diff --git a/queue-4.14/cxl-fix-kobject-memleak.patch b/queue-4.14/cxl-fix-kobject-memleak.patch new file mode 100644 index 00000000000..0227a9a70d9 --- /dev/null +++ b/queue-4.14/cxl-fix-kobject-memleak.patch @@ -0,0 +1,44 @@ +From acff28c03d9a51b63a5a08c1847d5fb4c8ebd090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 20:07:33 +0800 +Subject: cxl: Fix kobject memleak + +From: Wang Hai + +[ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ] + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Fix it by adding a call to kobject_put() in the error path of +kobject_init_and_add(). + +Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c +index 393a80bdb846a..b0285c5d8d381 100644 +--- a/drivers/misc/cxl/sysfs.c ++++ b/drivers/misc/cxl/sysfs.c +@@ -606,7 +606,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c + rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type, + &afu->dev.kobj, "cr%i", cr->cr); + if (rc) +- goto err; ++ goto err1; + + rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr); + if (rc) +-- +2.25.1 + diff --git a/queue-4.14/dlm-fix-kobject-memleak.patch b/queue-4.14/dlm-fix-kobject-memleak.patch new file mode 100644 index 00000000000..1520d87a880 --- /dev/null +++ b/queue-4.14/dlm-fix-kobject-memleak.patch @@ -0,0 +1,52 @@ +From aff0493f036a11530a0674151e9f537c75f3166d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 11:25:33 +0800 +Subject: dlm: Fix kobject memleak + +From: Wang Hai + +[ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ] + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Set do_unreg = 1 before kobject_init_and_add() to ensure that +kobject_put() can be called in its error patch. + +Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lockspace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index 9c8c9a09b4a6d..7a6b0327ceb0b 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -633,6 +633,9 @@ static int new_lockspace(const char *name, const char *cluster, + wait_event(ls->ls_recover_lock_wait, + test_bit(LSFL_RECOVER_LOCK, &ls->ls_flags)); + ++ /* let kobject handle freeing of ls if there's an error */ ++ do_unreg = 1; ++ + ls->ls_kobj.kset = dlm_kset; + error = kobject_init_and_add(&ls->ls_kobj, &dlm_ktype, NULL, + "%s", ls->ls_name); +@@ -640,9 +643,6 @@ static int new_lockspace(const char *name, const char *cluster, + goto out_recoverd; + kobject_uevent(&ls->ls_kobj, KOBJ_ADD); + +- /* let kobject handle freeing of ls if there's an error */ +- do_unreg = 1; +- + /* This uevent triggers dlm_controld in userspace to add us to the + group of nodes that are members of this lockspace (managed by the + cluster infrastructure.) Once it's done that, it tells us who the +-- +2.25.1 + diff --git a/queue-4.14/drm-arm-fix-unintentional-integer-overflow-on-left-s.patch b/queue-4.14/drm-arm-fix-unintentional-integer-overflow-on-left-s.patch new file mode 100644 index 00000000000..3125ec8e897 --- /dev/null +++ b/queue-4.14/drm-arm-fix-unintentional-integer-overflow-on-left-s.patch @@ -0,0 +1,41 @@ +From 51f92a99d6bce6980d653a0e0548c8798e55a07c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jun 2020 11:04:00 +0100 +Subject: drm/arm: fix unintentional integer overflow on left shift + +From: Colin Ian King + +[ Upstream commit 5f368ddea6fec519bdb93b5368f6a844b6ea27a6 ] + +Shifting the integer value 1 is evaluated using 32-bit arithmetic +and then used in an expression that expects a long value leads to +a potential integer overflow. Fix this by using the BIT macro to +perform the shift to avoid the overflow. + +Addresses-Coverity: ("Unintentional integer overflow") +Fixes: ad49f8602fe8 ("drm/arm: Add support for Mali Display Processors") +Signed-off-by: Colin Ian King +Acked-by: Liviu Dudau +Signed-off-by: Liviu Dudau +Link: https://patchwork.freedesktop.org/patch/msgid/20200618100400.11464-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/arm/malidp_planes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/arm/malidp_planes.c b/drivers/gpu/drm/arm/malidp_planes.c +index 16b8b310ae5c7..7072d738b072b 100644 +--- a/drivers/gpu/drm/arm/malidp_planes.c ++++ b/drivers/gpu/drm/arm/malidp_planes.c +@@ -369,7 +369,7 @@ int malidp_de_planes_init(struct drm_device *drm) + const struct malidp_hw_regmap *map = &malidp->dev->map; + struct malidp_plane *plane = NULL; + enum drm_plane_type plane_type; +- unsigned long crtcs = 1 << drm->mode_config.num_crtc; ++ unsigned long crtcs = BIT(drm->mode_config.num_crtc); + unsigned long flags = DRM_MODE_ROTATE_0 | DRM_MODE_ROTATE_90 | DRM_MODE_ROTATE_180 | + DRM_MODE_ROTATE_270 | DRM_MODE_REFLECT_X | DRM_MODE_REFLECT_Y; + u32 *formats; +-- +2.25.1 + diff --git a/queue-4.14/drm-bridge-sil_sii8620-initialize-return-of-sii8620_.patch b/queue-4.14/drm-bridge-sil_sii8620-initialize-return-of-sii8620_.patch new file mode 100644 index 00000000000..66d474e15ea --- /dev/null +++ b/queue-4.14/drm-bridge-sil_sii8620-initialize-return-of-sii8620_.patch @@ -0,0 +1,49 @@ +From c8cc6d113290890071dc80dd879a5d8281033354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jul 2020 08:24:53 -0700 +Subject: drm/bridge: sil_sii8620: initialize return of sii8620_readb + +From: Tom Rix + +[ Upstream commit 02cd2d3144653e6e2a0c7ccaa73311e48e2dc686 ] + +clang static analysis flags this error + +sil-sii8620.c:184:2: warning: Undefined or garbage value + returned to caller [core.uninitialized.UndefReturn] + return ret; + ^~~~~~~~~~ + +sii8620_readb calls sii8620_read_buf. +sii8620_read_buf can return without setting its output +pararmeter 'ret'. + +So initialize ret. + +Fixes: ce6e153f414a ("drm/bridge: add Silicon Image SiI8620 driver") +Signed-off-by: Tom Rix +Reviewed-by: Laurent Pinchart +Reviewed-by: Andrzej Hajda +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200712152453.27510-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/sil-sii8620.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c +index 0cb69ee94ac16..b93486892f4ae 100644 +--- a/drivers/gpu/drm/bridge/sil-sii8620.c ++++ b/drivers/gpu/drm/bridge/sil-sii8620.c +@@ -167,7 +167,7 @@ static void sii8620_read_buf(struct sii8620 *ctx, u16 addr, u8 *buf, int len) + + static u8 sii8620_readb(struct sii8620 *ctx, u16 addr) + { +- u8 ret; ++ u8 ret = 0; + + sii8620_read_buf(ctx, addr, &ret, 1); + return ret; +-- +2.25.1 + diff --git a/queue-4.14/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch b/queue-4.14/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch new file mode 100644 index 00000000000..0b5ab82fcf8 --- /dev/null +++ b/queue-4.14/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch @@ -0,0 +1,51 @@ +From 3d1d0dc75eb4847cb33b978dc2df5a27832a57d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2017 12:43:07 +0200 +Subject: drm/debugfs: fix plain echo to connector "force" attribute + +From: Michael Tretter + +[ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ] + +Using plain echo to set the "force" connector attribute fails with +-EINVAL, because echo appends a newline to the output. + +Replace strcmp with sysfs_streq to also accept strings that end with a +newline. + +v2: use sysfs_streq instead of stripping trailing whitespace + +Signed-off-by: Michael Tretter +Reviewed-by: Jani Nikula +Signed-off-by: Emil Velikov +Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_debugfs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c +index c1807d5754b2a..454deba13ee5b 100644 +--- a/drivers/gpu/drm/drm_debugfs.c ++++ b/drivers/gpu/drm/drm_debugfs.c +@@ -250,13 +250,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf, + + buf[len] = '\0'; + +- if (!strcmp(buf, "on")) ++ if (sysfs_streq(buf, "on")) + connector->force = DRM_FORCE_ON; +- else if (!strcmp(buf, "digital")) ++ else if (sysfs_streq(buf, "digital")) + connector->force = DRM_FORCE_ON_DIGITAL; +- else if (!strcmp(buf, "off")) ++ else if (sysfs_streq(buf, "off")) + connector->force = DRM_FORCE_OFF; +- else if (!strcmp(buf, "unspecified")) ++ else if (sysfs_streq(buf, "unspecified")) + connector->force = DRM_FORCE_UNSPECIFIED; + else + return -EINVAL; +-- +2.25.1 + diff --git a/queue-4.14/drm-imx-tve-fix-regulator_disable-error-path.patch b/queue-4.14/drm-imx-tve-fix-regulator_disable-error-path.patch new file mode 100644 index 00000000000..31929b89566 --- /dev/null +++ b/queue-4.14/drm-imx-tve-fix-regulator_disable-error-path.patch @@ -0,0 +1,70 @@ +From 3a17aa109bdc5e0195fcb576600d02bc7a09500e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jun 2020 14:43:32 +0200 +Subject: drm/imx: tve: fix regulator_disable error path + +From: Marco Felsch + +[ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ] + +Add missing regulator_disable() as devm_action to avoid dedicated +unbind() callback and fix the missing error handling. + +Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") +Signed-off-by: Marco Felsch +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/imx-tve.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c +index bc27c26994641..c22c3e6e9b7ac 100644 +--- a/drivers/gpu/drm/imx/imx-tve.c ++++ b/drivers/gpu/drm/imx/imx-tve.c +@@ -498,6 +498,13 @@ static int imx_tve_register(struct drm_device *drm, struct imx_tve *tve) + return 0; + } + ++static void imx_tve_disable_regulator(void *data) ++{ ++ struct imx_tve *tve = data; ++ ++ regulator_disable(tve->dac_reg); ++} ++ + static bool imx_tve_readable_reg(struct device *dev, unsigned int reg) + { + return (reg % 4 == 0) && (reg <= 0xdc); +@@ -622,6 +629,9 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + ret = regulator_enable(tve->dac_reg); + if (ret) + return ret; ++ ret = devm_add_action_or_reset(dev, imx_tve_disable_regulator, tve); ++ if (ret) ++ return ret; + } + + tve->clk = devm_clk_get(dev, "tve"); +@@ -668,18 +678,8 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + return 0; + } + +-static void imx_tve_unbind(struct device *dev, struct device *master, +- void *data) +-{ +- struct imx_tve *tve = dev_get_drvdata(dev); +- +- if (!IS_ERR(tve->dac_reg)) +- regulator_disable(tve->dac_reg); +-} +- + static const struct component_ops imx_tve_ops = { + .bind = imx_tve_bind, +- .unbind = imx_tve_unbind, + }; + + static int imx_tve_probe(struct platform_device *pdev) +-- +2.25.1 + diff --git a/queue-4.14/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch b/queue-4.14/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch new file mode 100644 index 00000000000..55294599d71 --- /dev/null +++ b/queue-4.14/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch @@ -0,0 +1,50 @@ +From 9cf3cb567e5516066a505236ff1ad881d61a31ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 17:03:29 +0100 +Subject: drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline + +From: Emil Velikov + +[ Upstream commit 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 ] + +The helper uses the MIPI_DCS_SET_TEAR_SCANLINE, although it's currently +using the generic write. This does not look right. + +Perhaps some platforms don't distinguish between the two writers? + +Cc: Robert Chiras +Cc: Vinay Simha BN +Cc: Jani Nikula +Cc: Thierry Reding +Fixes: e83950816367 ("drm/dsi: Implement set tear scanline") +Signed-off-by: Emil Velikov +Reviewed-by: Thierry Reding +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200505160329.2976059-3-emil.l.velikov@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index 4b47226b90d4b..6f0de951b75d5 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -1029,11 +1029,11 @@ EXPORT_SYMBOL(mipi_dsi_dcs_set_pixel_format); + */ + int mipi_dsi_dcs_set_tear_scanline(struct mipi_dsi_device *dsi, u16 scanline) + { +- u8 payload[3] = { MIPI_DCS_SET_TEAR_SCANLINE, scanline >> 8, +- scanline & 0xff }; ++ u8 payload[2] = { scanline >> 8, scanline & 0xff }; + ssize_t err; + +- err = mipi_dsi_generic_write(dsi, payload, sizeof(payload)); ++ err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_TEAR_SCANLINE, payload, ++ sizeof(payload)); + if (err < 0) + return err; + +-- +2.25.1 + diff --git a/queue-4.14/drm-nouveau-fix-multiple-instances-of-reference-coun.patch b/queue-4.14/drm-nouveau-fix-multiple-instances-of-reference-coun.patch new file mode 100644 index 00000000000..f1bcd25b59f --- /dev/null +++ b/queue-4.14/drm-nouveau-fix-multiple-instances-of-reference-coun.patch @@ -0,0 +1,68 @@ +From a63a5238d85d335923ef95513ae39b61d00e4d15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:41:56 -0500 +Subject: drm/nouveau: fix multiple instances of reference count leaks + +From: Aditya Pakki + +[ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_drm.c | 8 ++++++-- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index d00524a5d7f08..fb6b1d0f7fef3 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -840,8 +840,10 @@ nouveau_drm_open(struct drm_device *dev, struct drm_file *fpriv) + + /* need to bring up power immediately if opening device */ + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + get_task_comm(tmpname, current); + snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid)); +@@ -930,8 +932,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + long ret; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) { + case DRM_NOUVEAU_NVIF: +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index 60ffb70bb9089..c6149b5be073e 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -42,8 +42,10 @@ nouveau_gem_object_del(struct drm_gem_object *gem) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (WARN_ON(ret < 0 && ret != -EACCES)) ++ if (WARN_ON(ret < 0 && ret != -EACCES)) { ++ pm_runtime_put_autosuspend(dev); + return; ++ } + + if (gem->import_attach) + drm_prime_gem_destroy(gem, nvbo->bo.sg); +-- +2.25.1 + diff --git a/queue-4.14/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch b/queue-4.14/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch new file mode 100644 index 00000000000..0fa412eab17 --- /dev/null +++ b/queue-4.14/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch @@ -0,0 +1,37 @@ +From 8510300bbb77fa068c50af1ee44fbdb2a07fb20a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jul 2020 01:53:17 +0300 +Subject: drm: panel: simple: Fix bpc for LG LB070WV8 panel + +From: Laurent Pinchart + +[ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ] + +The LG LB070WV8 panel incorrectly reports a 16 bits per component value, +while the panel uses 8 bits per component. Fix it. + +Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index c1daed3fe8428..6df312ba1826b 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1253,7 +1253,7 @@ static const struct drm_display_mode lg_lb070wv8_mode = { + static const struct panel_desc lg_lb070wv8 = { + .modes = &lg_lb070wv8_mode, + .num_modes = 1, +- .bpc = 16, ++ .bpc = 8, + .size = { + .width = 151, + .height = 91, +-- +2.25.1 + diff --git a/queue-4.14/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch b/queue-4.14/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch new file mode 100644 index 00000000000..eb16654571b --- /dev/null +++ b/queue-4.14/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch @@ -0,0 +1,39 @@ +From 65892f31a341e07183505c7d46566104116e344f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 13:07:10 +0100 +Subject: drm/radeon: fix array out-of-bounds read and write issues + +From: Colin Ian King + +[ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ] + +There is an off-by-one bounds check on the index into arrays +table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that +can lead to reads and writes outside of arrays. Fix the bound checking +off-by-one error. + +Addresses-Coverity: ("Out-of-bounds read/write") +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Signed-off-by: Colin Ian King +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ci_dpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index 6e607cc7b6e5a..81bc2b89222f2 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -4342,7 +4342,7 @@ static int ci_set_mc_special_registers(struct radeon_device *rdev, + table->mc_reg_table_entry[k].mc_data[j] |= 0x100; + } + j++; +- if (j > SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + + if (!pi->mem_gddr5) { +-- +2.25.1 + diff --git a/queue-4.14/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch b/queue-4.14/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch new file mode 100644 index 00000000000..7e1a80c60f7 --- /dev/null +++ b/queue-4.14/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch @@ -0,0 +1,74 @@ +From 285c7903892aa929dd31f761fa7ec58905d98058 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 21:21:22 -0500 +Subject: drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync + +From: Aditya Pakki + +[ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Acked-by: Evan Quan +Signed-off-by: Aditya Pakki +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 4 +++- + drivers/gpu/drm/radeon/radeon_drv.c | 4 +++- + drivers/gpu/drm/radeon/radeon_kms.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index d86110cdf0852..b2334349799d1 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -627,8 +627,10 @@ radeon_crtc_set_config(struct drm_mode_set *set, + dev = set->crtc->dev; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_crtc_helper_set_config(set, ctx); + +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index f6908e2f9e55a..41e8abd099784 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -496,8 +496,10 @@ long radeon_drm_ioctl(struct file *filp, + long ret; + dev = file_priv->minor->dev; + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_ioctl(filp, cmd, arg); + +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index dfee8f7d94ae5..2e28cf8118404 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -659,8 +659,10 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + file_priv->driver_priv = NULL; + + r = pm_runtime_get_sync(dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return r; ++ } + + /* new gpu have virtual address space support */ + if (rdev->family >= CHIP_CAYMAN) { +-- +2.25.1 + diff --git a/queue-4.14/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch b/queue-4.14/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch new file mode 100644 index 00000000000..942ed7a8346 --- /dev/null +++ b/queue-4.14/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch @@ -0,0 +1,51 @@ +From b71f653c531d2d5b701e566f0b819d1902dc2f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 13:42:32 +0300 +Subject: drm/tilcdc: fix leak & null ref in panel_connector_get_modes + +From: Tomi Valkeinen + +[ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ] + +If videomode_from_timings() returns true, the mode allocated with +drm_mode_create will be leaked. + +Also, the return value of drm_mode_create() is never checked, and thus +could cause NULL deref. + +Fix these two issues. + +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com +Reviewed-by: Jyri Sarha +Acked-by: Sam Ravnborg +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tilcdc/tilcdc_panel.c b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +index 1813a3623ce60..0484b2cf0e2b5 100644 +--- a/drivers/gpu/drm/tilcdc/tilcdc_panel.c ++++ b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +@@ -152,12 +152,16 @@ static int panel_connector_get_modes(struct drm_connector *connector) + int i; + + for (i = 0; i < timings->num_timings; i++) { +- struct drm_display_mode *mode = drm_mode_create(dev); ++ struct drm_display_mode *mode; + struct videomode vm; + + if (videomode_from_timings(timings, &vm, i)) + break; + ++ mode = drm_mode_create(dev); ++ if (!mode) ++ break; ++ + drm_display_mode_from_videomode(&vm, mode); + + mode->type = DRM_MODE_TYPE_DRIVER; +-- +2.25.1 + diff --git a/queue-4.14/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch b/queue-4.14/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch new file mode 100644 index 00000000000..c8bf70b403e --- /dev/null +++ b/queue-4.14/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch @@ -0,0 +1,101 @@ +From ea483625f15e3925a2b33f9c0202f9d997c4e075 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 17:10:47 -0600 +Subject: dyndbg: fix a BUG_ON in ddebug_describe_flags + +From: Jim Cromie + +[ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ] + +ddebug_describe_flags() currently fills a caller provided string buffer, +after testing its size (also passed) in a BUG_ON. Fix this by +replacing them with a known-big-enough string buffer wrapped in a +struct, and passing that instead. + +Also simplify ddebug_describe_flags() flags parameter from a struct to +a member in that struct, and hoist the member deref up to the caller. +This makes the function reusable (soon) where flags are unpacked. + +Acked-by: +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/dynamic_debug.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index c7c96bc7654af..91c451e0f4741 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -85,22 +85,22 @@ static struct { unsigned flag:8; char opt_char; } opt_array[] = { + { _DPRINTK_FLAGS_NONE, '_' }, + }; + ++struct flagsbuf { char buf[ARRAY_SIZE(opt_array)+1]; }; ++ + /* format a string into buf[] which describes the _ddebug's flags */ +-static char *ddebug_describe_flags(struct _ddebug *dp, char *buf, +- size_t maxlen) ++static char *ddebug_describe_flags(unsigned int flags, struct flagsbuf *fb) + { +- char *p = buf; ++ char *p = fb->buf; + int i; + +- BUG_ON(maxlen < 6); + for (i = 0; i < ARRAY_SIZE(opt_array); ++i) +- if (dp->flags & opt_array[i].flag) ++ if (flags & opt_array[i].flag) + *p++ = opt_array[i].opt_char; +- if (p == buf) ++ if (p == fb->buf) + *p++ = '_'; + *p = '\0'; + +- return buf; ++ return fb->buf; + } + + #define vpr_info(fmt, ...) \ +@@ -142,7 +142,7 @@ static int ddebug_change(const struct ddebug_query *query, + struct ddebug_table *dt; + unsigned int newflags; + unsigned int nfound = 0; +- char flagbuf[10]; ++ struct flagsbuf fbuf; + + /* search for matching ddebugs */ + mutex_lock(&ddebug_lock); +@@ -199,8 +199,7 @@ static int ddebug_change(const struct ddebug_query *query, + vpr_info("changed %s:%d [%s]%s =%s\n", + trim_prefix(dp->filename), dp->lineno, + dt->mod_name, dp->function, +- ddebug_describe_flags(dp, flagbuf, +- sizeof(flagbuf))); ++ ddebug_describe_flags(dp->flags, &fbuf)); + } + } + mutex_unlock(&ddebug_lock); +@@ -779,7 +778,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + { + struct ddebug_iter *iter = m->private; + struct _ddebug *dp = p; +- char flagsbuf[10]; ++ struct flagsbuf flags; + + vpr_info("called m=%p p=%p\n", m, p); + +@@ -792,7 +791,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + seq_printf(m, "%s:%u [%s]%s =%s \"", + trim_prefix(dp->filename), dp->lineno, + iter->table->mod_name, dp->function, +- ddebug_describe_flags(dp, flagsbuf, sizeof(flagsbuf))); ++ ddebug_describe_flags(dp->flags, &flags)); + seq_escape(m, dp->format, "\t\r\n\""); + seq_puts(m, "\"\n"); + +-- +2.25.1 + diff --git a/queue-4.14/edac-fix-reference-count-leaks.patch b/queue-4.14/edac-fix-reference-count-leaks.patch new file mode 100644 index 00000000000..7c4b30fd3e4 --- /dev/null +++ b/queue-4.14/edac-fix-reference-count-leaks.patch @@ -0,0 +1,59 @@ +From ea95f191272006c2cf120ddb567ab6cb11e40835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 15:22:37 -0500 +Subject: EDAC: Fix reference count leaks + +From: Qiushi Wu + +[ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ] + +When kobject_init_and_add() returns an error, it should be handled +because kobject_init_and_add() takes a reference even when it fails. If +this function returns an error, kobject_put() must be called to properly +clean up the memory associated with the object. + +Therefore, replace calling kfree() and call kobject_put() and add a +missing kobject_put() in the edac_device_register_sysfs_main_kobj() +error path. + + [ bp: Massage and merge into a single patch. ] + +Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add") +Signed-off-by: Qiushi Wu +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu +Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_device_sysfs.c | 1 + + drivers/edac/edac_pci_sysfs.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c +index 0e7ea3591b781..5e75937537997 100644 +--- a/drivers/edac/edac_device_sysfs.c ++++ b/drivers/edac/edac_device_sysfs.c +@@ -275,6 +275,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev) + + /* Error exit stack */ + err_kobj_reg: ++ kobject_put(&edac_dev->kobj); + module_put(edac_dev->owner); + + err_out: +diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c +index 72c9eb9fdffbe..53042af7262e2 100644 +--- a/drivers/edac/edac_pci_sysfs.c ++++ b/drivers/edac/edac_pci_sysfs.c +@@ -386,7 +386,7 @@ static int edac_pci_main_kobj_setup(void) + + /* Error unwind statck */ + kobject_init_and_add_fail: +- kfree(edac_pci_top_main_kobj); ++ kobject_put(edac_pci_top_main_kobj); + + kzalloc_fail: + module_put(THIS_MODULE); +-- +2.25.1 + diff --git a/queue-4.14/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch b/queue-4.14/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch new file mode 100644 index 00000000000..5fd7e65a471 --- /dev/null +++ b/queue-4.14/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch @@ -0,0 +1,62 @@ +From 07c83d0e5ba5aaf7c3fe0ab0b7d8c389a18a5b97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 14:15:37 -0700 +Subject: fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls + +From: Paul E. McKenney + +[ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ] + +Very large I/Os can cause the following RCU CPU stall warning: + +RIP: 0010:rb_prev+0x8/0x50 +Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c = +89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48 +RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13 +RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0 +RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630 +RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238 +R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001 +R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0 + __lookup_extent_mapping+0xa0/0x110 + try_release_extent_mapping+0xdc/0x220 + btrfs_releasepage+0x45/0x70 + shrink_page_list+0xa39/0xb30 + shrink_inactive_list+0x18f/0x3b0 + shrink_lruvec+0x38e/0x6b0 + shrink_node+0x14d/0x690 + do_try_to_free_pages+0xc6/0x3e0 + try_to_free_mem_cgroup_pages+0xe6/0x1e0 + reclaim_high.constprop.73+0x87/0xc0 + mem_cgroup_handle_over_high+0x66/0x150 + exit_to_usermode_loop+0x82/0xd0 + do_syscall_64+0xd4/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +On a PREEMPT=n kernel, the try_release_extent_mapping() function's +"while" loop might run for a very long time on a large I/O. This commit +therefore adds a cond_resched() to this loop, providing RCU any needed +quiescent states. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 6d2bfbb63d9ba..ef1fd6a09d8e5 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4323,6 +4323,8 @@ int try_release_extent_mapping(struct extent_map_tree *map, + + /* once for us */ + free_extent_map(em); ++ ++ cond_resched(); /* Allow large-extent preemption. */ + } + } + return try_release_extent_state(map, tree, page, mask); +-- +2.25.1 + diff --git a/queue-4.14/fsl-fman-check-dereferencing-null-pointer.patch b/queue-4.14/fsl-fman-check-dereferencing-null-pointer.patch new file mode 100644 index 00000000000..b332fa33cc9 --- /dev/null +++ b/queue-4.14/fsl-fman-check-dereferencing-null-pointer.patch @@ -0,0 +1,72 @@ +From 5457b3f6f75a8cc3d220dfcd117c0e2f583ec566 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:33 +0300 +Subject: fsl/fman: check dereferencing null pointer + +From: Florinel Iordache + +[ Upstream commit cc5d229a122106733a85c279d89d7703f21e4d4f ] + +Add a safe check to avoid dereferencing null pointer + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_dtsec.c | 4 ++-- + drivers/net/ethernet/freescale/fman/fman_memac.c | 2 +- + drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_dtsec.c b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +index 7af31ddd093f8..61238b3af2041 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +@@ -1159,7 +1159,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) + list_for_each(pos, + &dtsec->multicast_addr_hash->lsts[bucket]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +@@ -1172,7 +1172,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) + list_for_each(pos, + &dtsec->unicast_addr_hash->lsts[bucket]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c +index 1fbeb991bcdf1..460f9e58e9877 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_memac.c ++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c +@@ -956,7 +956,7 @@ int memac_del_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr) + + list_for_each(pos, &memac->multicast_addr_hash->lsts[hash]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c +index e575259d20f40..c8ad9b8a75f8e 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c +@@ -585,7 +585,7 @@ int tgec_del_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr) + + list_for_each(pos, &tgec->multicast_addr_hash->lsts[hash]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +-- +2.25.1 + diff --git a/queue-4.14/fsl-fman-fix-dereference-null-return-value.patch b/queue-4.14/fsl-fman-fix-dereference-null-return-value.patch new file mode 100644 index 00000000000..8908cd996a6 --- /dev/null +++ b/queue-4.14/fsl-fman-fix-dereference-null-return-value.patch @@ -0,0 +1,50 @@ +From 0b1d6189a1eed1908a57df4b579d177bad229654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:31 +0300 +Subject: fsl/fman: fix dereference null return value + +From: Florinel Iordache + +[ Upstream commit 0572054617f32670abab4b4e89a876954d54b704 ] + +Check before using returned value to avoid dereferencing null pointer. + +Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_port.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_port.c b/drivers/net/ethernet/freescale/fman/fman_port.c +index 495190764155a..ac3d791f52821 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_port.c ++++ b/drivers/net/ethernet/freescale/fman/fman_port.c +@@ -1744,6 +1744,7 @@ static int fman_port_probe(struct platform_device *of_dev) + struct fman_port *port; + struct fman *fman; + struct device_node *fm_node, *port_node; ++ struct platform_device *fm_pdev; + struct resource res; + struct resource *dev_res; + u32 val; +@@ -1768,8 +1769,14 @@ static int fman_port_probe(struct platform_device *of_dev) + goto return_err; + } + +- fman = dev_get_drvdata(&of_find_device_by_node(fm_node)->dev); ++ fm_pdev = of_find_device_by_node(fm_node); + of_node_put(fm_node); ++ if (!fm_pdev) { ++ err = -EINVAL; ++ goto return_err; ++ } ++ ++ fman = dev_get_drvdata(&fm_pdev->dev); + if (!fman) { + err = -EINVAL; + goto return_err; +-- +2.25.1 + diff --git a/queue-4.14/fsl-fman-fix-eth-hash-table-allocation.patch b/queue-4.14/fsl-fman-fix-eth-hash-table-allocation.patch new file mode 100644 index 00000000000..db41e2d0aaf --- /dev/null +++ b/queue-4.14/fsl-fman-fix-eth-hash-table-allocation.patch @@ -0,0 +1,38 @@ +From 97200d0aec06217b3b55852ca752e7ebd0e4aa04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:34 +0300 +Subject: fsl/fman: fix eth hash table allocation + +From: Florinel Iordache + +[ Upstream commit 3207f715c34317d08e798e11a10ce816feb53c0f ] + +Fix memory allocation for ethernet address hash table. +The code was wrongly allocating an array for eth hash table which +is incorrect because this is the main structure for eth hash table +(struct eth_hash_t) that contains inside a number of elements. + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_mac.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_mac.h b/drivers/net/ethernet/freescale/fman/fman_mac.h +index dd6d0526f6c1f..19f327efdaff3 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_mac.h ++++ b/drivers/net/ethernet/freescale/fman/fman_mac.h +@@ -252,7 +252,7 @@ static inline struct eth_hash_t *alloc_hash_table(u16 size) + struct eth_hash_t *hash; + + /* Allocate address hash table */ +- hash = kmalloc_array(size, sizeof(struct eth_hash_t *), GFP_KERNEL); ++ hash = kmalloc(sizeof(*hash), GFP_KERNEL); + if (!hash) + return NULL; + +-- +2.25.1 + diff --git a/queue-4.14/fsl-fman-fix-unreachable-code.patch b/queue-4.14/fsl-fman-fix-unreachable-code.patch new file mode 100644 index 00000000000..77ea93b8abe --- /dev/null +++ b/queue-4.14/fsl-fman-fix-unreachable-code.patch @@ -0,0 +1,35 @@ +From c2f1132bcdd3921d9fffb2de3cfbcc8687f4824f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:32 +0300 +Subject: fsl/fman: fix unreachable code + +From: Florinel Iordache + +[ Upstream commit cc79fd8f557767de90ff199d3b6fb911df43160a ] + +The parameter 'priority' is incorrectly forced to zero which ultimately +induces logically dead code in the subsequent lines. + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_memac.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c +index b33650a897f18..1fbeb991bcdf1 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_memac.c ++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c +@@ -855,7 +855,6 @@ int memac_set_tx_pause_frames(struct fman_mac *memac, u8 priority, + + tmp = ioread32be(®s->command_config); + tmp &= ~CMD_CFG_PFC_MODE; +- priority = 0; + + iowrite32be(tmp, ®s->command_config); + +-- +2.25.1 + diff --git a/queue-4.14/fsl-fman-use-32-bit-unsigned-integer.patch b/queue-4.14/fsl-fman-use-32-bit-unsigned-integer.patch new file mode 100644 index 00000000000..5d7dbf70e8a --- /dev/null +++ b/queue-4.14/fsl-fman-use-32-bit-unsigned-integer.patch @@ -0,0 +1,41 @@ +From 5f4f825421af61fe9ee1ec98bf8e4ff8b6ace18e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:30 +0300 +Subject: fsl/fman: use 32-bit unsigned integer + +From: Florinel Iordache + +[ Upstream commit 99f47abd9f7bf6e365820d355dc98f6955a562df ] + +Potentially overflowing expression (ts_freq << 16 and intgr << 16) +declared as type u32 (32-bit unsigned) is evaluated using 32-bit +arithmetic and then used in a context that expects an expression of +type u64 (64-bit unsigned) which ultimately is used as 16-bit +unsigned by typecasting to u16. Fixed by using an unsigned 32-bit +integer since the value is truncated anyway in the end. + +Fixes: 414fd46e7762 ("fsl/fman: Add FMan support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c +index 9080d2332d030..cdd48b1cc84a7 100644 +--- a/drivers/net/ethernet/freescale/fman/fman.c ++++ b/drivers/net/ethernet/freescale/fman/fman.c +@@ -1396,8 +1396,7 @@ static void enable_time_stamp(struct fman *fman) + { + struct fman_fpm_regs __iomem *fpm_rg = fman->fpm_regs; + u16 fm_clk_freq = fman->state->fm_clk_freq; +- u32 tmp, intgr, ts_freq; +- u64 frac; ++ u32 tmp, intgr, ts_freq, frac; + + ts_freq = (u32)(1 << fman->state->count1_micro_bit); + /* configure timestamp so that bit 8 will count 1 microsecond +-- +2.25.1 + diff --git a/queue-4.14/gpu-host1x-debug-fix-multiple-channels-emitting-mess.patch b/queue-4.14/gpu-host1x-debug-fix-multiple-channels-emitting-mess.patch new file mode 100644 index 00000000000..1397d7ea685 --- /dev/null +++ b/queue-4.14/gpu-host1x-debug-fix-multiple-channels-emitting-mess.patch @@ -0,0 +1,54 @@ +From 6c39d31a0148bf5b272cacc6cae265504aea270c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 06:18:41 +0300 +Subject: gpu: host1x: debug: Fix multiple channels emitting messages + simultaneously + +From: Dmitry Osipenko + +[ Upstream commit 35681862808472a0a4b9a8817ae2789c0b5b3edc ] + +Once channel's job is hung, it dumps the channel's state into KMSG before +tearing down the offending job. If multiple channels hang at once, then +they dump messages simultaneously, making the debug info unreadable, and +thus, useless. This patch adds mutex which allows only one channel to emit +debug messages at a time. + +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/debug.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/host1x/debug.c b/drivers/gpu/host1x/debug.c +index 2aae0e63214c2..0b8c23c399c2a 100644 +--- a/drivers/gpu/host1x/debug.c ++++ b/drivers/gpu/host1x/debug.c +@@ -25,6 +25,8 @@ + #include "debug.h" + #include "channel.h" + ++static DEFINE_MUTEX(debug_lock); ++ + unsigned int host1x_debug_trace_cmdbuf; + + static pid_t host1x_debug_force_timeout_pid; +@@ -49,12 +51,14 @@ static int show_channel(struct host1x_channel *ch, void *data, bool show_fifo) + struct output *o = data; + + mutex_lock(&ch->cdma.lock); ++ mutex_lock(&debug_lock); + + if (show_fifo) + host1x_hw_show_channel_fifo(m, ch, o); + + host1x_hw_show_channel_cdma(m, ch, o); + ++ mutex_unlock(&debug_lock); + mutex_unlock(&ch->cdma.lock); + + return 0; +-- +2.25.1 + diff --git a/queue-4.14/iio-improve-iio_concentration-channel-type-descripti.patch b/queue-4.14/iio-improve-iio_concentration-channel-type-descripti.patch new file mode 100644 index 00000000000..a0f31b28fb0 --- /dev/null +++ b/queue-4.14/iio-improve-iio_concentration-channel-type-descripti.patch @@ -0,0 +1,43 @@ +From 50931f3753501310a52d0f022bbefba133185cbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2020 18:15:52 +0200 +Subject: iio: improve IIO_CONCENTRATION channel type description + +From: Tomasz Duszynski + +[ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ] + +IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting +raw concentrations of pollutants. Raw value should be meaningless +before being properly scaled. Because of that description shouldn't +mention raw value unit whatsoever. + +Fix this by rephrasing existing description so it follows conventions +used throughout IIO ABI docs. + +Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type") +Signed-off-by: Tomasz Duszynski +Acked-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-iio | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio +index 64e65450f4833..e21e2ca3e4f91 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio ++++ b/Documentation/ABI/testing/sysfs-bus-iio +@@ -1524,7 +1524,8 @@ What: /sys/bus/iio/devices/iio:deviceX/in_concentrationX_voc_raw + KernelVersion: 4.3 + Contact: linux-iio@vger.kernel.org + Description: +- Raw (unscaled no offset etc.) percentage reading of a substance. ++ Raw (unscaled no offset etc.) reading of a substance. Units ++ after application of scale and offset are percents. + + What: /sys/bus/iio/devices/iio:deviceX/in_resistance_raw + What: /sys/bus/iio/devices/iio:deviceX/in_resistanceX_raw +-- +2.25.1 + diff --git a/queue-4.14/ipvs-allow-connection-reuse-for-unconfirmed-conntrac.patch b/queue-4.14/ipvs-allow-connection-reuse-for-unconfirmed-conntrac.patch new file mode 100644 index 00000000000..0bdbb4a88bc --- /dev/null +++ b/queue-4.14/ipvs-allow-connection-reuse-for-unconfirmed-conntrac.patch @@ -0,0 +1,130 @@ +From b1c21519306d41e40c19ef5a44debd4c8b711f1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 18:17:19 +0300 +Subject: ipvs: allow connection reuse for unconfirmed conntrack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Julian Anastasov + +[ Upstream commit f0a5e4d7a594e0fe237d3dfafb069bb82f80f42f ] + +YangYuxi is reporting that connection reuse +is causing one-second delay when SYN hits +existing connection in TIME_WAIT state. +Such delay was added to give time to expire +both the IPVS connection and the corresponding +conntrack. This was considered a rare case +at that time but it is causing problem for +some environments such as Kubernetes. + +As nf_conntrack_tcp_packet() can decide to +release the conntrack in TIME_WAIT state and +to replace it with a fresh NEW conntrack, we +can use this to allow rescheduling just by +tuning our check: if the conntrack is +confirmed we can not schedule it to different +real server and the one-second delay still +applies but if new conntrack was created, +we are free to select new real server without +any delays. + +YangYuxi lists some of the problem reports: + +- One second connection delay in masquerading mode: +https://marc.info/?t=151683118100004&r=1&w=2 + +- IPVS low throughput #70747 +https://github.com/kubernetes/kubernetes/issues/70747 + +- Apache Bench can fill up ipvs service proxy in seconds #544 +https://github.com/cloudnativelabs/kube-router/issues/544 + +- Additional 1s latency in `host -> service IP -> pod` +https://github.com/kubernetes/kubernetes/issues/90854 + +Fixes: f719e3754ee2 ("ipvs: drop first packet to redirect conntrack") +Co-developed-by: YangYuxi +Signed-off-by: YangYuxi +Signed-off-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/ip_vs.h | 10 ++++------ + net/netfilter/ipvs/ip_vs_core.c | 12 +++++++----- + 2 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index f4e5ac8aa3668..1fb79c78e2007 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -1607,18 +1607,16 @@ static inline void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp) + } + #endif /* CONFIG_IP_VS_NFCT */ + +-/* Really using conntrack? */ +-static inline bool ip_vs_conn_uses_conntrack(struct ip_vs_conn *cp, +- struct sk_buff *skb) ++/* Using old conntrack that can not be redirected to another real server? */ ++static inline bool ip_vs_conn_uses_old_conntrack(struct ip_vs_conn *cp, ++ struct sk_buff *skb) + { + #ifdef CONFIG_IP_VS_NFCT + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + +- if (!(cp->flags & IP_VS_CONN_F_NFCT)) +- return false; + ct = nf_ct_get(skb, &ctinfo); +- if (ct) ++ if (ct && nf_ct_is_confirmed(ct)) + return true; + #endif + return false; +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 2156571455dbf..a95fe5fe9f046 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1916,14 +1916,14 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int + + conn_reuse_mode = sysctl_conn_reuse_mode(ipvs); + if (conn_reuse_mode && !iph.fragoffs && is_new_conn(skb, &iph) && cp) { +- bool uses_ct = false, resched = false; ++ bool old_ct = false, resched = false; + + if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp->dest && + unlikely(!atomic_read(&cp->dest->weight))) { + resched = true; +- uses_ct = ip_vs_conn_uses_conntrack(cp, skb); ++ old_ct = ip_vs_conn_uses_old_conntrack(cp, skb); + } else if (is_new_conn_expected(cp, conn_reuse_mode)) { +- uses_ct = ip_vs_conn_uses_conntrack(cp, skb); ++ old_ct = ip_vs_conn_uses_old_conntrack(cp, skb); + if (!atomic_read(&cp->n_control)) { + resched = true; + } else { +@@ -1931,15 +1931,17 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int + * that uses conntrack while it is still + * referenced by controlled connection(s). + */ +- resched = !uses_ct; ++ resched = !old_ct; + } + } + + if (resched) { ++ if (!old_ct) ++ cp->flags &= ~IP_VS_CONN_F_NFCT; + if (!atomic_read(&cp->n_control)) + ip_vs_conn_expire_now(cp); + __ip_vs_conn_put(cp); +- if (uses_ct) ++ if (old_ct) + return NF_DROP; + cp = NULL; + } +-- +2.25.1 + diff --git a/queue-4.14/irqchip-irq-mtk-sysirq-replace-spinlock-with-raw_spi.patch b/queue-4.14/irqchip-irq-mtk-sysirq-replace-spinlock-with-raw_spi.patch new file mode 100644 index 00000000000..28991c87202 --- /dev/null +++ b/queue-4.14/irqchip-irq-mtk-sysirq-replace-spinlock-with-raw_spi.patch @@ -0,0 +1,97 @@ +From 2cce29dc3d3e629b846a5c5daa5022b222d8de9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 09:44:45 +0200 +Subject: irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock + +From: Bartosz Golaszewski + +[ Upstream commit 6eeb997ab5075e770a002c51351fa4ec2c6b5c39 ] + +This driver may take a regular spinlock when a raw spinlock +(irq_desc->lock) is already taken which results in the following +lockdep splat: + +============================= +[ BUG: Invalid wait context ] +5.7.0-rc7 #1 Not tainted +----------------------------- +swapper/0/0 is trying to lock: +ffffff800303b798 (&chip_data->lock){....}-{3:3}, at: mtk_sysirq_set_type+0x48/0xc0 +other info that might help us debug this: +context-{5:5} +2 locks held by swapper/0/0: + #0: ffffff800302ee68 (&desc->request_mutex){....}-{4:4}, at: __setup_irq+0xc4/0x8a0 + #1: ffffff800302ecf0 (&irq_desc_lock_class){....}-{2:2}, at: __setup_irq+0xe4/0x8a0 +stack backtrace: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc7 #1 +Hardware name: Pumpkin MT8516 (DT) +Call trace: + dump_backtrace+0x0/0x180 + show_stack+0x14/0x20 + dump_stack+0xd0/0x118 + __lock_acquire+0x8c8/0x2270 + lock_acquire+0xf8/0x470 + _raw_spin_lock_irqsave+0x50/0x78 + mtk_sysirq_set_type+0x48/0xc0 + __irq_set_trigger+0x58/0x170 + __setup_irq+0x420/0x8a0 + request_threaded_irq+0xd8/0x190 + timer_of_init+0x1e8/0x2c4 + mtk_gpt_init+0x5c/0x1dc + timer_probe+0x74/0xf4 + time_init+0x14/0x44 + start_kernel+0x394/0x4f0 + +Replace the spinlock_t with raw_spinlock_t to avoid this warning. + +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20200615074445.3579-1-brgl@bgdev.pl +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mtk-sysirq.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/irqchip/irq-mtk-sysirq.c b/drivers/irqchip/irq-mtk-sysirq.c +index 90aaf190157f7..42455f31b0611 100644 +--- a/drivers/irqchip/irq-mtk-sysirq.c ++++ b/drivers/irqchip/irq-mtk-sysirq.c +@@ -23,7 +23,7 @@ + #include + + struct mtk_sysirq_chip_data { +- spinlock_t lock; ++ raw_spinlock_t lock; + u32 nr_intpol_bases; + void __iomem **intpol_bases; + u32 *intpol_words; +@@ -45,7 +45,7 @@ static int mtk_sysirq_set_type(struct irq_data *data, unsigned int type) + reg_index = chip_data->which_word[hwirq]; + offset = hwirq & 0x1f; + +- spin_lock_irqsave(&chip_data->lock, flags); ++ raw_spin_lock_irqsave(&chip_data->lock, flags); + value = readl_relaxed(base + reg_index * 4); + if (type == IRQ_TYPE_LEVEL_LOW || type == IRQ_TYPE_EDGE_FALLING) { + if (type == IRQ_TYPE_LEVEL_LOW) +@@ -61,7 +61,7 @@ static int mtk_sysirq_set_type(struct irq_data *data, unsigned int type) + + data = data->parent_data; + ret = data->chip->irq_set_type(data, type); +- spin_unlock_irqrestore(&chip_data->lock, flags); ++ raw_spin_unlock_irqrestore(&chip_data->lock, flags); + return ret; + } + +@@ -220,7 +220,7 @@ static int __init mtk_sysirq_of_init(struct device_node *node, + ret = -ENOMEM; + goto out_free_which_word; + } +- spin_lock_init(&chip_data->lock); ++ raw_spin_lock_init(&chip_data->lock); + + return 0; + +-- +2.25.1 + diff --git a/queue-4.14/iwlegacy-check-the-return-value-of-pcie_capability_r.patch b/queue-4.14/iwlegacy-check-the-return-value-of-pcie_capability_r.patch new file mode 100644 index 00000000000..aa6c5bc994b --- /dev/null +++ b/queue-4.14/iwlegacy-check-the-return-value-of-pcie_capability_r.patch @@ -0,0 +1,45 @@ +From 70291dba5a30b7bfa14fb7edc4a7b4d3622acf93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 19:55:27 +0200 +Subject: iwlegacy: Check the return value of pcie_capability_read_*() + +From: Bolarinwa Olayemi Saheed + +[ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ] + +On failure pcie_capability_read_dword() sets it's last parameter, val +to 0. However, with Patch 14/14, it is possible that val is set to ~0 on +failure. This would introduce a bug because (x & x) == (~0 & x). + +This bug can be avoided without changing the function's behaviour if the +return value of pcie_capability_read_dword is checked to confirm success. + +Check the return value of pcie_capability_read_dword() to ensure success. + +Suggested-by: Bjorn Helgaas +Signed-off-by: Bolarinwa Olayemi Saheed +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index 6e6b124f0d5e3..3ca84577803cc 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -4302,8 +4302,8 @@ il_apm_init(struct il_priv *il) + * power savings, even without L1. + */ + if (il->cfg->set_l0s) { +- pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); +- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) { ++ ret = pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); ++ if (!ret && (lctl & PCI_EXP_LNKCTL_ASPM_L1)) { + /* L1-ASPM enabled; disable(!) L0S */ + il_set_bit(il, CSR_GIO_REG, + CSR_GIO_REG_VAL_L0S_ENABLED); +-- +2.25.1 + diff --git a/queue-4.14/leds-core-flush-scheduled-work-for-system-suspend.patch b/queue-4.14/leds-core-flush-scheduled-work-for-system-suspend.patch new file mode 100644 index 00000000000..9d502bcbb05 --- /dev/null +++ b/queue-4.14/leds-core-flush-scheduled-work-for-system-suspend.patch @@ -0,0 +1,42 @@ +From 83f3cf36f7ce78a26185503fa9fee9a59c40b18f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jul 2020 13:45:00 +0800 +Subject: leds: core: Flush scheduled work for system suspend + +From: Kai-Heng Feng + +[ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ] + +Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon +system suspend. + +led_set_brightness_nopm() uses schedule_work() to set LED brightness. +However, there's no guarantee that the scheduled work gets executed +because no one flushes the work. + +So flush the scheduled work to make sure LED gets turned off. + +Signed-off-by: Kai-Heng Feng +Acked-by: Jacek Anaszewski +Fixes: 81fe8e5b73e3 ("leds: core: Add led_set_brightness_nosleep{nopm} functions") +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/led-class.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c +index b0e2d55acbd6f..6c7269fcfa77c 100644 +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -173,6 +173,7 @@ void led_classdev_suspend(struct led_classdev *led_cdev) + { + led_cdev->flags |= LED_SUSPENDED; + led_set_brightness_nopm(led_cdev, 0); ++ flush_work(&led_cdev->set_brightness_work); + } + EXPORT_SYMBOL_GPL(led_classdev_suspend); + +-- +2.25.1 + diff --git a/queue-4.14/leds-lm355x-avoid-enum-conversion-warning.patch b/queue-4.14/leds-lm355x-avoid-enum-conversion-warning.patch new file mode 100644 index 00000000000..ba4a2807678 --- /dev/null +++ b/queue-4.14/leds-lm355x-avoid-enum-conversion-warning.patch @@ -0,0 +1,60 @@ +From 8aa3ef881c328c3ce2d9789ed08710f0cad22722 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 16:19:17 +0200 +Subject: leds: lm355x: avoid enum conversion warning + +From: Arnd Bergmann + +[ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ] + +clang points out that doing arithmetic between diffent enums is usually +a mistake: + +drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] + reg_val = pdata->pin_tx2 | pdata->ntc_pin; + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ +drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] + reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ + +In this driver, it is intentional, so add a cast to hide the false-positive +warning. It appears to be the only instance of this warning at the moment. + +Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips") +Signed-off-by: Arnd Bergmann +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lm355x.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/leds/leds-lm355x.c b/drivers/leds/leds-lm355x.c +index 6cb94f9a2f3f3..b9c60dd2b1327 100644 +--- a/drivers/leds/leds-lm355x.c ++++ b/drivers/leds/leds-lm355x.c +@@ -168,18 +168,19 @@ static int lm355x_chip_init(struct lm355x_chip_data *chip) + /* input and output pins configuration */ + switch (chip->type) { + case CHIP_LM3554: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin; + ret = regmap_update_bits(chip->regmap, 0xE0, 0x28, reg_val); + if (ret < 0) + goto out; +- reg_val = pdata->pass_mode; ++ reg_val = (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0xA0, 0x04, reg_val); + if (ret < 0) + goto out; + break; + + case CHIP_LM3556: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin | ++ (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0x0A, 0xC4, reg_val); + if (ret < 0) + goto out; +-- +2.25.1 + diff --git a/queue-4.14/liquidio-fix-wrong-return-value-in-cn23xx_get_pf_num.patch b/queue-4.14/liquidio-fix-wrong-return-value-in-cn23xx_get_pf_num.patch new file mode 100644 index 00000000000..627f5e83f3e --- /dev/null +++ b/queue-4.14/liquidio-fix-wrong-return-value-in-cn23xx_get_pf_num.patch @@ -0,0 +1,37 @@ +From 9a9589178f5debd70807a9100420fdef7768ead0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:44 +0800 +Subject: liquidio: Fix wrong return value in cn23xx_get_pf_num() + +From: Tianjia Zhang + +[ Upstream commit aa027850a292ea65524b8fab83eb91a124ad362c ] + +On an error exit path, a negative error code should be returned +instead of a positive return value. + +Fixes: 0c45d7fe12c7e ("liquidio: fix use of pf in pass-through mode in a virtual machine") +Cc: Rick Farrington +Signed-off-by: Tianjia Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +index 2e089b5ff8f32..30f0e54f658e9 100644 +--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c ++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +@@ -1167,7 +1167,7 @@ static int cn23xx_get_pf_num(struct octeon_device *oct) + oct->pf_num = ((fdl_bit >> CN23XX_PCIE_SRIOV_FDL_BIT_POS) & + CN23XX_PCIE_SRIOV_FDL_MASK); + } else { +- ret = EINVAL; ++ ret = -EINVAL; + + /* Under some virtual environments, extended PCI regs are + * inaccessible, in which case the above read will have failed. +-- +2.25.1 + diff --git a/queue-4.14/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch b/queue-4.14/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch new file mode 100644 index 00000000000..feef3c2fa5d --- /dev/null +++ b/queue-4.14/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch @@ -0,0 +1,70 @@ +From 9367670fe37127b575c8819f762707d7e7814e9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 09:12:13 +1000 +Subject: m68k: mac: Don't send IOP message until channel is idle + +From: Finn Thain + +[ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ] + +In the following sequence of calls, iop_do_send() gets called when the +"send" channel is not in the IOP_MSG_IDLE state: + + iop_ism_irq() + iop_handle_send() + (msg->handler)() + iop_send_message() + iop_do_send() + +Avoid this by testing the channel state before calling iop_do_send(). + +When sending, and iop_send_queue is empty, call iop_do_send() because +the channel is idle. If iop_send_queue is not empty, iop_do_send() will +get called later by iop_handle_send(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Cc: Joshua Thompson +Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/iop.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index 4c1e606e7d03b..fb61af5ac4ab8 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -416,7 +416,8 @@ static void iop_handle_send(uint iop_num, uint chan) + msg->status = IOP_MSGSTATUS_UNUSED; + msg = msg->next; + iop_send_queue[iop_num][chan] = msg; +- if (msg) iop_do_send(msg); ++ if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) ++ iop_do_send(msg); + } + + /* +@@ -490,16 +491,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata, + + if (!(q = iop_send_queue[iop_num][chan])) { + iop_send_queue[iop_num][chan] = msg; ++ iop_do_send(msg); + } else { + while (q->next) q = q->next; + q->next = msg; + } + +- if (iop_readb(iop_base[iop_num], +- IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) { +- iop_do_send(msg); +- } +- + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.14/m68k-mac-fix-iop-status-control-register-writes.patch b/queue-4.14/m68k-mac-fix-iop-status-control-register-writes.patch new file mode 100644 index 00000000000..d59144ab90d --- /dev/null +++ b/queue-4.14/m68k-mac-fix-iop-status-control-register-writes.patch @@ -0,0 +1,79 @@ +From ed8e3d038bad6e4300984d681dbe86e2efadaa62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 09:12:13 +1000 +Subject: m68k: mac: Fix IOP status/control register writes + +From: Finn Thain + +[ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ] + +When writing values to the IOP status/control register make sure those +values do not have any extraneous bits that will clear interrupt flags. + +To place the SCC IOP into bypass mode would be desirable but this is not +achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS +to the control register. Drop this ineffective register write. + +Remove the flawed and unused iop_bypass() function. Make use of the +unused iop_stop() function. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Cc: Joshua Thompson +Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/iop.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index fb61af5ac4ab8..0b94f6672c5f3 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -183,7 +183,7 @@ static __inline__ void iop_writeb(volatile struct mac_iop *iop, __u16 addr, __u8 + + static __inline__ void iop_stop(volatile struct mac_iop *iop) + { +- iop->status_ctrl &= ~IOP_RUN; ++ iop->status_ctrl = IOP_AUTOINC; + } + + static __inline__ void iop_start(volatile struct mac_iop *iop) +@@ -191,14 +191,9 @@ static __inline__ void iop_start(volatile struct mac_iop *iop) + iop->status_ctrl = IOP_RUN | IOP_AUTOINC; + } + +-static __inline__ void iop_bypass(volatile struct mac_iop *iop) +-{ +- iop->status_ctrl |= IOP_BYPASS; +-} +- + static __inline__ void iop_interrupt(volatile struct mac_iop *iop) + { +- iop->status_ctrl |= IOP_IRQ; ++ iop->status_ctrl = IOP_IRQ | IOP_RUN | IOP_AUTOINC; + } + + static int iop_alive(volatile struct mac_iop *iop) +@@ -244,7 +239,6 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_SCC] = (struct mac_iop *) SCC_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_SCC]->status_ctrl = 0x87; + iop_scc_present = 1; + } else { + iop_base[IOP_NUM_SCC] = NULL; +@@ -256,7 +250,7 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_ISM] = (struct mac_iop *) ISM_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_ISM]->status_ctrl = 0; ++ iop_stop(iop_base[IOP_NUM_ISM]); + iop_ism_present = 1; + } else { + iop_base[IOP_NUM_ISM] = NULL; +-- +2.25.1 + diff --git a/queue-4.14/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch b/queue-4.14/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch new file mode 100644 index 00000000000..d860b85bb12 --- /dev/null +++ b/queue-4.14/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch @@ -0,0 +1,72 @@ +From bb03a35ddf9fcad6b2a09ca4003e4ee2d34310ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 11:29:29 +0800 +Subject: md-cluster: fix wild pointer of unlock_all_bitmaps() + +From: Zhao Heming + +[ Upstream commit 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 ] + +reproduction steps: +``` +node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda +/dev/sdb +node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb +node1 # mdadm -G /dev/md0 -b none +mdadm: failed to remove clustered bitmap. +node1 # mdadm -S --scan +^C <==== mdadm hung & kernel crash +``` + +kernel stack: +``` +[ 335.230657] general protection fault: 0000 [#1] SMP NOPTI +[...] +[ 335.230848] Call Trace: +[ 335.230873] ? unlock_all_bitmaps+0x5/0x70 [md_cluster] +[ 335.230886] unlock_all_bitmaps+0x3d/0x70 [md_cluster] +[ 335.230899] leave+0x10f/0x190 [md_cluster] +[ 335.230932] ? md_super_wait+0x93/0xa0 [md_mod] +[ 335.230947] ? leave+0x5/0x190 [md_cluster] +[ 335.230973] md_cluster_stop+0x1a/0x30 [md_mod] +[ 335.230999] md_bitmap_free+0x142/0x150 [md_mod] +[ 335.231013] ? _cond_resched+0x15/0x40 +[ 335.231025] ? mutex_lock+0xe/0x30 +[ 335.231056] __md_stop+0x1c/0xa0 [md_mod] +[ 335.231083] do_md_stop+0x160/0x580 [md_mod] +[ 335.231119] ? 0xffffffffc05fb078 +[ 335.231148] md_ioctl+0xa04/0x1930 [md_mod] +[ 335.231165] ? filename_lookup+0xf2/0x190 +[ 335.231179] blkdev_ioctl+0x93c/0xa10 +[ 335.231205] ? _cond_resched+0x15/0x40 +[ 335.231214] ? __check_object_size+0xd4/0x1a0 +[ 335.231224] block_ioctl+0x39/0x40 +[ 335.231243] do_vfs_ioctl+0xa0/0x680 +[ 335.231253] ksys_ioctl+0x70/0x80 +[ 335.231261] __x64_sys_ioctl+0x16/0x20 +[ 335.231271] do_syscall_64+0x65/0x1f0 +[ 335.231278] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +``` + +Signed-off-by: Zhao Heming +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-cluster.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c +index 10057ac85476e..035d5ec8e677f 100644 +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -1423,6 +1423,7 @@ static void unlock_all_bitmaps(struct mddev *mddev) + } + } + kfree(cinfo->other_bitmap_lockres); ++ cinfo->other_bitmap_lockres = NULL; + } + } + +-- +2.25.1 + diff --git a/queue-4.14/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch b/queue-4.14/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch new file mode 100644 index 00000000000..becad3eeb19 --- /dev/null +++ b/queue-4.14/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch @@ -0,0 +1,38 @@ +From 9421af254b601d1fb549502d7eb24b9d4fabe0d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 08:41:47 +0200 +Subject: media: exynos4-is: Add missed check for pinctrl_lookup_state() + +From: Chuhong Yuan + +[ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ] + +fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state(). +Add the missed check to fix it. + +Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]") +Signed-off-by: Chuhong Yuan +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index b2eb830c0360a..f772c9b92d9ba 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1258,6 +1258,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); ++ if (IS_ERR(pctl->state_idle)) ++ return PTR_ERR(pctl->state_idle); ++ + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.14/media-firewire-using-uninitialized-values-in-node_pr.patch b/queue-4.14/media-firewire-using-uninitialized-values-in-node_pr.patch new file mode 100644 index 00000000000..1b4d5b53112 --- /dev/null +++ b/queue-4.14/media-firewire-using-uninitialized-values-in-node_pr.patch @@ -0,0 +1,40 @@ +From 0ccfefe1fe2dd94a2fde093ccfd1fc97afa6fd5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 16:40:22 +0200 +Subject: media: firewire: Using uninitialized values in node_probe() + +From: Dan Carpenter + +[ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] + +If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So +then the "strlen(model_names[i]) <= name_len" is true because strlen() +is unsigned and -ENOENT is type promoted to a very high positive value. +Then the "strncmp(name, model_names[i], name_len)" uses uninitialized +data because "name" is uninitialized. + +Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction") +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/firewire/firedtv-fw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index 247f0e7cb5f7f..5d634706a7eaa 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -271,6 +271,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); ++ if (name_len < 0) ++ return name_len; + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +-- +2.25.1 + diff --git a/queue-4.14/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch b/queue-4.14/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch new file mode 100644 index 00000000000..ec9f9b9ed29 --- /dev/null +++ b/queue-4.14/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch @@ -0,0 +1,49 @@ +From 8848889d278664b3e2f602deae9325feaecf462a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 18:41:22 +0200 +Subject: media: omap3isp: Add missed v4l2_ctrl_handler_free() for + preview_init_entities() + +From: Chuhong Yuan + +[ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ] + +preview_init_entities() does not call v4l2_ctrl_handler_free() when +it fails. +Add the missed function to fix it. + +Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") +Signed-off-by: Chuhong Yuan +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isppreview.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c +index e981eb2330f18..ac005ae4d21b4 100644 +--- a/drivers/media/platform/omap3isp/isppreview.c ++++ b/drivers/media/platform/omap3isp/isppreview.c +@@ -2290,7 +2290,7 @@ static int preview_init_entities(struct isp_prev_device *prev) + me->ops = &preview_media_ops; + ret = media_entity_pads_init(me, PREV_PADS_NUM, pads); + if (ret < 0) +- return ret; ++ goto error_handler_free; + + preview_init_formats(sd, NULL); + +@@ -2323,6 +2323,8 @@ static int preview_init_entities(struct isp_prev_device *prev) + omap3isp_video_cleanup(&prev->video_in); + error_video_in: + media_entity_cleanup(&prev->subdev.entity); ++error_handler_free: ++ v4l2_ctrl_handler_free(&prev->ctrls); + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.14/mips-octeon-add-missing-put_device-call-in-dwc3_octe.patch b/queue-4.14/mips-octeon-add-missing-put_device-call-in-dwc3_octe.patch new file mode 100644 index 00000000000..480d75cb6ba --- /dev/null +++ b/queue-4.14/mips-octeon-add-missing-put_device-call-in-dwc3_octe.patch @@ -0,0 +1,49 @@ +From f2e0d189fe0ebe690f4bbfd2af54c64d98b2553c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 21:47:18 +0800 +Subject: MIPS: OCTEON: add missing put_device() call in + dwc3_octeon_device_init() + +From: Yu Kuai + +[ Upstream commit e8b9fc10f2615b9a525fce56981e40b489528355 ] + +if of_find_device_by_node() succeed, dwc3_octeon_device_init() doesn't have +a corresponding put_device(). Thus add put_device() to fix the exception +handling for this function implementation. + +Fixes: 93e502b3c2d4 ("MIPS: OCTEON: Platform support for OCTEON III USB controller") +Signed-off-by: Yu Kuai +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/cavium-octeon/octeon-usb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/cavium-octeon/octeon-usb.c b/arch/mips/cavium-octeon/octeon-usb.c +index bfdfaf32d2c49..75189ff2f3c78 100644 +--- a/arch/mips/cavium-octeon/octeon-usb.c ++++ b/arch/mips/cavium-octeon/octeon-usb.c +@@ -517,6 +517,7 @@ static int __init dwc3_octeon_device_init(void) + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (res == NULL) { ++ put_device(&pdev->dev); + dev_err(&pdev->dev, "No memory resources\n"); + return -ENXIO; + } +@@ -528,8 +529,10 @@ static int __init dwc3_octeon_device_init(void) + * know the difference. + */ + base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(base)) ++ if (IS_ERR(base)) { ++ put_device(&pdev->dev); + return PTR_ERR(base); ++ } + + mutex_lock(&dwc3_octeon_clocks_mutex); + dwc3_octeon_clocks_start(&pdev->dev, (u64)base); +-- +2.25.1 + diff --git a/queue-4.14/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch b/queue-4.14/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch new file mode 100644 index 00000000000..d9db370e2de --- /dev/null +++ b/queue-4.14/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch @@ -0,0 +1,83 @@ +From 5cdfeea457c2846c86eddad5e172564f63a347d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 16:46:10 -0700 +Subject: mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls + +From: Paul E. McKenney + +[ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ] + +A large process running on a heavily loaded system can encounter the +following RCU CPU stall warning: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190 + (t=21013 jiffies g=1005461 q=132576) + NMI backtrace for cpu 3 + CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1 + Hardware name: Wiwynn HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016 + Call Trace: + + dump_stack+0x46/0x60 + nmi_cpu_backtrace.cold.3+0x13/0x50 + ? lapic_can_unplug_cpu.cold.27+0x34/0x34 + nmi_trigger_cpumask_backtrace+0xba/0xca + rcu_dump_cpu_stacks+0x99/0xc7 + rcu_sched_clock_irq.cold.87+0x1aa/0x397 + ? tick_sched_do_timer+0x60/0x60 + update_process_times+0x28/0x60 + tick_sched_timer+0x37/0x70 + __hrtimer_run_queues+0xfe/0x270 + hrtimer_interrupt+0xf4/0x210 + smp_apic_timer_interrupt+0x5e/0x120 + apic_timer_interrupt+0xf/0x20 + + RIP: 0010:kmem_cache_free+0x223/0x300 + Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65 + RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 + RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030 + RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18 + RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff + R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f + R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00 + ? remove_vma+0x4f/0x60 + remove_vma+0x4f/0x60 + exit_mmap+0xd6/0x160 + mmput+0x4a/0x110 + do_exit+0x278/0xae0 + ? syscall_trace_enter+0x1d3/0x2b0 + ? handle_mm_fault+0xaa/0x1c0 + do_group_exit+0x3a/0xa0 + __x64_sys_exit_group+0x14/0x20 + do_syscall_64+0x42/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run +for a very long time given a large process. This commit therefore adds +a cond_resched() to this loop, providing RCU any needed quiescent states. + +Cc: Andrew Morton +Cc: +Reviewed-by: Shakeel Butt +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + mm/mmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 8c6ed06983f9e..724b7c4f1a5b5 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -3065,6 +3065,7 @@ void exit_mmap(struct mm_struct *mm) + if (vma->vm_flags & VM_ACCOUNT) + nr_accounted += vma_pages(vma); + vma = remove_vma(vma); ++ cond_resched(); + } + vm_unacct_memory(nr_accounted); + } +-- +2.25.1 + diff --git a/queue-4.14/mwifiex-prevent-memory-corruption-handling-keys.patch b/queue-4.14/mwifiex-prevent-memory-corruption-handling-keys.patch new file mode 100644 index 00000000000..f3955b15f9e --- /dev/null +++ b/queue-4.14/mwifiex-prevent-memory-corruption-handling-keys.patch @@ -0,0 +1,82 @@ +From 32ce7001a056d53d36f1cb161d04cf01531c0ad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:58:57 +0300 +Subject: mwifiex: Prevent memory corruption handling keys + +From: Dan Carpenter + +[ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ] + +The length of the key comes from the network and it's a 16 bit number. It +needs to be capped to prevent a buffer overflow. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Dan Carpenter +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda +Signed-off-by: Sasha Levin +--- + .../wireless/marvell/mwifiex/sta_cmdresp.c | 22 +++++++++++++------ + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +index 0fba5b10ef2d7..19ce279df24d9 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +@@ -585,6 +585,11 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + { + struct host_cmd_ds_802_11_key_material *key = + &resp->params.key_material; ++ int len; ++ ++ len = le16_to_cpu(key->key_param_set.key_len); ++ if (len > sizeof(key->key_param_set.key)) ++ return -EINVAL; + + if (le16_to_cpu(key->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key->key_param_set.key_info) & KEY_MCAST)) { +@@ -598,9 +603,8 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + + memset(priv->aes_key.key_param_set.key, 0, + sizeof(key->key_param_set.key)); +- priv->aes_key.key_param_set.key_len = key->key_param_set.key_len; +- memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, +- le16_to_cpu(priv->aes_key.key_param_set.key_len)); ++ priv->aes_key.key_param_set.key_len = cpu_to_le16(len); ++ memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len); + + return 0; + } +@@ -615,9 +619,14 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + struct host_cmd_ds_command *resp) + { + struct host_cmd_ds_802_11_key_material_v2 *key_v2; +- __le16 len; ++ int len; + + key_v2 = &resp->params.key_material_v2; ++ ++ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); ++ if (len > WLAN_KEY_LEN_CCMP) ++ return -EINVAL; ++ + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key_v2->key_param_set.key_info) & KEY_MCAST)) { + mwifiex_dbg(priv->adapter, INFO, "info: key: GTK is set\n"); +@@ -633,10 +642,9 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, + WLAN_KEY_LEN_CCMP); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = +- key_v2->key_param_set.key_params.aes.key_len; +- len = priv->aes_key_v2.key_param_set.key_params.aes.key_len; ++ cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +- key_v2->key_param_set.key_params.aes.key, le16_to_cpu(len)); ++ key_v2->key_param_set.key_params.aes.key, len); + + return 0; + } +-- +2.25.1 + diff --git a/queue-4.14/net-dsa-mv88e6xxx-mv88e6097-does-not-support-jumbo-c.patch b/queue-4.14/net-dsa-mv88e6xxx-mv88e6097-does-not-support-jumbo-c.patch new file mode 100644 index 00000000000..1ba0b3f98aa --- /dev/null +++ b/queue-4.14/net-dsa-mv88e6xxx-mv88e6097-does-not-support-jumbo-c.patch @@ -0,0 +1,38 @@ +From 6be35d6dd3992b61d8016d23c3efecf6360a2972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 11:21:20 +1200 +Subject: net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration + +From: Chris Packham + +[ Upstream commit 0f3c66a3c7b4e8b9f654b3c998e9674376a51b0f ] + +The MV88E6097 chip does not support configuring jumbo frames. Prior to +commit 5f4366660d65 only the 6352, 6351, 6165 and 6320 chips configured +jumbo mode. The refactor accidentally added the function for the 6097. +Remove the erroneous function pointer assignment. + +Fixes: 5f4366660d65 ("net: dsa: mv88e6xxx: Refactor setting of jumbo frames") +Signed-off-by: Chris Packham +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 10ea01459a36b..f4268f0322663 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -2450,7 +2450,6 @@ static const struct mv88e6xxx_ops mv88e6097_ops = { + .port_set_frame_mode = mv88e6351_port_set_frame_mode, + .port_set_egress_floods = mv88e6352_port_set_egress_floods, + .port_set_ether_type = mv88e6351_port_set_ether_type, +- .port_set_jumbo_size = mv88e6165_port_set_jumbo_size, + .port_egress_rate_limiting = mv88e6095_port_egress_rate_limiting, + .port_pause_limit = mv88e6097_port_pause_limit, + .port_disable_learn_limit = mv88e6xxx_port_disable_learn_limit, +-- +2.25.1 + diff --git a/queue-4.14/net-ethernet-aquantia-fix-wrong-return-value.patch b/queue-4.14/net-ethernet-aquantia-fix-wrong-return-value.patch new file mode 100644 index 00000000000..8d9e32e8078 --- /dev/null +++ b/queue-4.14/net-ethernet-aquantia-fix-wrong-return-value.patch @@ -0,0 +1,37 @@ +From ec8412956d0442ef16689f0662a176e513d303e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:37 +0800 +Subject: net: ethernet: aquantia: Fix wrong return value + +From: Tianjia Zhang + +[ Upstream commit 0470a48880f8bc42ce26962b79c7b802c5a695ec ] + +In function hw_atl_a0_hw_multicast_list_set(), when an invalid +request is encountered, a negative error code should be returned. + +Fixes: bab6de8fd180b ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions") +Cc: David VomLehn +Signed-off-by: Tianjia Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c +index b83ee74d28391..77e5c69268146 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c +@@ -746,7 +746,7 @@ static int hw_atl_a0_hw_multicast_list_set(struct aq_hw_s *self, + int err = 0; + + if (count > (HW_ATL_A0_MAC_MAX - HW_ATL_A0_MAC_MIN)) { +- err = EBADRQC; ++ err = -EBADRQC; + goto err_exit; + } + for (self->aq_nic_cfg->mc_list_count = 0U; +-- +2.25.1 + diff --git a/queue-4.14/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch b/queue-4.14/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch new file mode 100644 index 00000000000..28170a89392 --- /dev/null +++ b/queue-4.14/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch @@ -0,0 +1,39 @@ +From ef8fb19383a4e07cb7012cf12e3b2b6516a328bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 15:53:33 +0200 +Subject: net: spider_net: Fix the size used in a 'dma_free_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()', in +'spider_net_init_chain()'. + +Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/spider_net.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c +index da136b8843dd9..a0fed9035f537 100644 +--- a/drivers/net/ethernet/toshiba/spider_net.c ++++ b/drivers/net/ethernet/toshiba/spider_net.c +@@ -296,8 +296,8 @@ spider_net_free_chain(struct spider_net_card *card, + descr = descr->next; + } while (descr != chain->ring); + +- dma_free_coherent(&card->pdev->dev, chain->num_desc, +- chain->hwring, chain->dma_addr); ++ dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr), ++ chain->hwring, chain->dma_addr); + } + + /** +-- +2.25.1 + diff --git a/queue-4.14/pci-aspm-add-missing-newline-in-sysfs-policy.patch b/queue-4.14/pci-aspm-add-missing-newline-in-sysfs-policy.patch new file mode 100644 index 00000000000..ae4bcb84c05 --- /dev/null +++ b/queue-4.14/pci-aspm-add-missing-newline-in-sysfs-policy.patch @@ -0,0 +1,40 @@ +From e4123efc9a49e12af597f6253949dde15d13a770 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 15:59:25 +0800 +Subject: PCI/ASPM: Add missing newline in sysfs 'policy' + +From: Xiongfeng Wang + +[ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ] + +When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a +newline for easy reading. Other sysfs attributes already include a +newline. + + [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy + [default] performance powersave powersupersave [root@localhost ~]# + +Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support") +Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com +Signed-off-by: Xiongfeng Wang +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 04d5c62588b77..f41c105adfbd4 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -1111,6 +1111,7 @@ static int pcie_aspm_get_policy(char *buffer, struct kernel_param *kp) + cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]); + else + cnt += sprintf(buffer + cnt, "%s ", policy_str[i]); ++ cnt += sprintf(buffer + cnt, "\n"); + return cnt; + } + +-- +2.25.1 + diff --git a/queue-4.14/pci-fix-pci_cfg_wait-queue-locking-problem.patch b/queue-4.14/pci-fix-pci_cfg_wait-queue-locking-problem.patch new file mode 100644 index 00000000000..b7e1e869d25 --- /dev/null +++ b/queue-4.14/pci-fix-pci_cfg_wait-queue-locking-problem.patch @@ -0,0 +1,72 @@ +From 2ac0426eea9a8e981a9daa8240de02eaf7fd66b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 18:14:55 -0500 +Subject: PCI: Fix pci_cfg_wait queue locking problem + +From: Bjorn Helgaas + +[ Upstream commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb ] + +The pci_cfg_wait queue is used to prevent user-space config accesses to +devices while they are recovering from reset. + +Previously we used these operations on pci_cfg_wait: + + __add_wait_queue(&pci_cfg_wait, ...) + __remove_wait_queue(&pci_cfg_wait, ...) + wake_up_all(&pci_cfg_wait) + +The wake_up acquires the wait queue lock, but the add and remove do not. + +Originally these were all protected by the pci_lock, but cdcb33f98244 +("PCI: Avoid possible deadlock on pci_lock and p->pi_lock"), moved +wake_up_all() outside pci_lock, so it could race with add/remove +operations, which caused occasional kernel panics, e.g., during vfio-pci +hotplug/unplug testing: + + Unable to handle kernel read from unreadable memory at virtual address ffff802dac469000 + +Resolve this by using wait_event() instead of __add_wait_queue() and +__remove_wait_queue(). The wait queue lock is held by both wait_event() +and wake_up_all(), so it provides mutual exclusion. + +Fixes: cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock") +Link: https://lore.kernel.org/linux-pci/79827f2f-9b43-4411-1376-b9063b67aee3@huawei.com/T/#u +Based-on: https://lore.kernel.org/linux-pci/20191210031527.40136-1-zhengxiang9@huawei.com/ +Based-on-patch-by: Xiang Zheng +Signed-off-by: Bjorn Helgaas +Tested-by: Xiang Zheng +Cc: Heyi Guo +Cc: Biaoxiang Ye +Signed-off-by: Sasha Levin +--- + drivers/pci/access.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/access.c b/drivers/pci/access.c +index 913d6722ece98..8c585e7ca5209 100644 +--- a/drivers/pci/access.c ++++ b/drivers/pci/access.c +@@ -205,17 +205,13 @@ EXPORT_SYMBOL(pci_bus_set_ops); + static DECLARE_WAIT_QUEUE_HEAD(pci_cfg_wait); + + static noinline void pci_wait_cfg(struct pci_dev *dev) ++ __must_hold(&pci_lock) + { +- DECLARE_WAITQUEUE(wait, current); +- +- __add_wait_queue(&pci_cfg_wait, &wait); + do { +- set_current_state(TASK_UNINTERRUPTIBLE); + raw_spin_unlock_irq(&pci_lock); +- schedule(); ++ wait_event(pci_cfg_wait, !dev->block_cfg_access); + raw_spin_lock_irq(&pci_lock); + } while (dev->block_cfg_access); +- __remove_wait_queue(&pci_cfg_wait, &wait); + } + + /* Returns 0 on success, negative values indicate error. */ +-- +2.25.1 + diff --git a/queue-4.14/pci-release-ivrs-table-in-amd-acs-quirk.patch b/queue-4.14/pci-release-ivrs-table-in-amd-acs-quirk.patch new file mode 100644 index 00000000000..942ebcd1b5f --- /dev/null +++ b/queue-4.14/pci-release-ivrs-table-in-amd-acs-quirk.patch @@ -0,0 +1,40 @@ +From c06fe80f5c6364efa79ee2ee7d5d2df1874fd2f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 17:44:28 +0800 +Subject: PCI: Release IVRS table in AMD ACS quirk + +From: Hanjun Guo + +[ Upstream commit 090688fa4e448284aaa16136372397d7d10814db ] + +The acpi_get_table() should be coupled with acpi_put_table() if the mapped +table is not used at runtime to release the table mapping. + +In pci_quirk_amd_sb_acs(), IVRS table is just used for checking AMD IOMMU +is supported, not used at runtime, so put the table after using it. + +Fixes: 15b100dfd1c9 ("PCI: Claim ACS support for AMD southbridge devices") +Link: https://lore.kernel.org/r/1595411068-15440-1-git-send-email-guohanjun@huawei.com +Signed-off-by: Hanjun Guo +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 243b16ce0c8eb..da790f26d2950 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4307,6 +4307,8 @@ static int pci_quirk_amd_sb_acs(struct pci_dev *dev, u16 acs_flags) + if (ACPI_FAILURE(status)) + return -ENODEV; + ++ acpi_put_table(header); ++ + /* Filter out flags not applicable to multifunction */ + acs_flags &= (PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_EC | PCI_ACS_DT); + +-- +2.25.1 + diff --git a/queue-4.14/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch b/queue-4.14/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch new file mode 100644 index 00000000000..b75b1b66789 --- /dev/null +++ b/queue-4.14/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch @@ -0,0 +1,143 @@ +From ae1d1cf1af7693af6b45e3b56ddb1b80b4193279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 14:51:43 +0200 +Subject: pinctrl-single: fix pcs_parse_pinconf() return value + +From: Drew Fustini + +[ Upstream commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f ] + +This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no +pinctrl_map is added. The current behavior is to return 0 when +!PCS_HAS_PINCONF or !nconfs. Thus pcs_parse_one_pinctrl_entry() +incorrectly assumes that a map was added and sets num_maps = 2. + +Analysis: +========= +The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf() +if PCS_HAS_PINCONF is enabled. The function pcs_parse_pinconf() +returns 0 to indicate there was no error and num_maps is then set to 2: + + 980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + 981 struct device_node *np, + 982 struct pinctrl_map **map, + 983 unsigned *num_maps, + 984 const char **pgnames) + 985 { + +1053 (*map)->type = PIN_MAP_TYPE_MUX_GROUP; +1054 (*map)->data.mux.group = np->name; +1055 (*map)->data.mux.function = np->name; +1056 +1057 if (PCS_HAS_PINCONF && function) { +1058 res = pcs_parse_pinconf(pcs, np, function, map); +1059 if (res) +1060 goto free_pingroups; +1061 *num_maps = 2; +1062 } else { +1063 *num_maps = 1; +1064 } + +However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or +!nconfs. I believe these conditions should indicate that no map was +added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry() +will set num_maps = 2 even though no maps were successfully added, as +it does not reach "m++" on line 940: + + 895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + 896 struct pcs_function *func, + 897 struct pinctrl_map **map) + 898 + 899 { + 900 struct pinctrl_map *m = *map; + + 917 /* If pinconf isn't supported, don't parse properties in below. */ + 918 if (!PCS_HAS_PINCONF) + 919 return 0; + 920 + 921 /* cacluate how much properties are supported in current node */ + 922 for (i = 0; i < ARRAY_SIZE(prop2); i++) { + 923 if (of_find_property(np, prop2[i].name, NULL)) + 924 nconfs++; + 925 } + 926 for (i = 0; i < ARRAY_SIZE(prop4); i++) { + 927 if (of_find_property(np, prop4[i].name, NULL)) + 928 nconfs++; + 929 } + 930 if (!nconfs) + 919 return 0; + 932 + 933 func->conf = devm_kcalloc(pcs->dev, + 934 nconfs, sizeof(struct pcs_conf_vals), + 935 GFP_KERNEL); + 936 if (!func->conf) + 937 return -ENOMEM; + 938 func->nconfs = nconfs; + 939 conf = &(func->conf[0]); + 940 m++; + +This situtation will cause a boot failure [0] on the BeagleBone Black +(AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi +has compatible = "pinconf-single" instead of "pinctrl-single". + +The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF +or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no +map was added. + +Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish +between -ENOSUPP and other errors. In the case of -ENOSUPP, num_maps +is set to 1 as it is valid for pinconf to be enabled and a given pin +group to not any pinconf properties. + +[0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/ + +Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf") +Signed-off-by: Drew Fustini +Acked-by: Tony Lindgren +Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1 +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-single.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index b8b3d932cd73a..f751b5c3bf7e8 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -888,7 +888,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + + /* If pinconf isn't supported, don't parse properties in below. */ + if (!PCS_HAS_PINCONF) +- return 0; ++ return -ENOTSUPP; + + /* cacluate how much properties are supported in current node */ + for (i = 0; i < ARRAY_SIZE(prop2); i++) { +@@ -900,7 +900,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + nconfs++; + } + if (!nconfs) +- return 0; ++ return -ENOTSUPP; + + func->conf = devm_kzalloc(pcs->dev, + sizeof(struct pcs_conf_vals) * nconfs, +@@ -1024,9 +1024,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + + if (PCS_HAS_PINCONF) { + res = pcs_parse_pinconf(pcs, np, function, map); +- if (res) ++ if (res == 0) ++ *num_maps = 2; ++ else if (res == -ENOTSUPP) ++ *num_maps = 1; ++ else + goto free_pingroups; +- *num_maps = 2; + } else { + *num_maps = 1; + } +-- +2.25.1 + diff --git a/queue-4.14/platform-x86-intel-hid-fix-return-value-check-in-che.patch b/queue-4.14/platform-x86-intel-hid-fix-return-value-check-in-che.patch new file mode 100644 index 00000000000..f86139c2725 --- /dev/null +++ b/queue-4.14/platform-x86-intel-hid-fix-return-value-check-in-che.patch @@ -0,0 +1,38 @@ +From f2442492188bd89b27871787a5c8ab35b6047082 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 17:30:17 +0800 +Subject: platform/x86: intel-hid: Fix return value check in check_acpi_dev() + +From: Lu Wei + +[ Upstream commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 ] + +In the function check_acpi_dev(), if it fails to create +platform device, the return value is ERR_PTR() or NULL. +Thus it must use IS_ERR_OR_NULL() to check return value. + +Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys") +Reported-by: Hulk Robot +Signed-off-by: Lu Wei +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel-hid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c +index e34fd70b67afe..3add7b3f9658b 100644 +--- a/drivers/platform/x86/intel-hid.c ++++ b/drivers/platform/x86/intel-hid.c +@@ -366,7 +366,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) + return AE_OK; + + if (acpi_match_device_ids(dev, ids) == 0) +- if (acpi_create_platform_device(dev, NULL)) ++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) + dev_info(&dev->dev, + "intel-hid: created platform device\n"); + +-- +2.25.1 + diff --git a/queue-4.14/platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch b/queue-4.14/platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch new file mode 100644 index 00000000000..a4cb402ce6f --- /dev/null +++ b/queue-4.14/platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch @@ -0,0 +1,38 @@ +From c1b74dab4b534e7b2d6e14c01a2ec86fd019e820 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 17:30:18 +0800 +Subject: platform/x86: intel-vbtn: Fix return value check in check_acpi_dev() + +From: Lu Wei + +[ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ] + +In the function check_acpi_dev(), if it fails to create +platform device, the return value is ERR_PTR() or NULL. +Thus it must use IS_ERR_OR_NULL() to check return value. + +Fixes: 332e081225fc ("intel-vbtn: new driver for Intel Virtual Button") +Reported-by: Hulk Robot +Signed-off-by: Lu Wei +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel-vbtn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c +index 58c5ff36523ab..d7fa2b88d27ab 100644 +--- a/drivers/platform/x86/intel-vbtn.c ++++ b/drivers/platform/x86/intel-vbtn.c +@@ -178,7 +178,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) + return AE_OK; + + if (acpi_match_device_ids(dev, ids) == 0) +- if (acpi_create_platform_device(dev, NULL)) ++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) + dev_info(&dev->dev, + "intel-vbtn: created platform device\n"); + +-- +2.25.1 + diff --git a/queue-4.14/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch b/queue-4.14/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch new file mode 100644 index 00000000000..080598d222a --- /dev/null +++ b/queue-4.14/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch @@ -0,0 +1,58 @@ +From 8cbc4f852a22dff18f6062e953c99374c78413ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jul 2020 12:23:51 -0700 +Subject: power: supply: check if calc_soc succeeded in pm860x_init_battery + +From: Tom Rix + +[ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ] + +clang static analysis flags this error + +88pm860x_battery.c:522:19: warning: Assigned value is + garbage or undefined [core.uninitialized.Assign] + info->start_soc = soc; + ^ ~~~ +soc is set by calling calc_soc. +But calc_soc can return without setting soc. + +So check the return status and bail similarly to other +checks in pm860x_init_battery and initialize soc to +silence the warning. + +Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x") + +Signed-off-by: Tom Rix +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/88pm860x_battery.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/88pm860x_battery.c b/drivers/power/supply/88pm860x_battery.c +index 63c57dc82ac1d..4eda5065b5bbc 100644 +--- a/drivers/power/supply/88pm860x_battery.c ++++ b/drivers/power/supply/88pm860x_battery.c +@@ -436,7 +436,7 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + int ret; + int data; + int bat_remove; +- int soc; ++ int soc = 0; + + /* measure enable on GPADC1 */ + data = MEAS1_GP1; +@@ -499,7 +499,9 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + } + mutex_unlock(&info->lock); + +- calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ ret = calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ if (ret < 0) ++ goto out; + + data = pm860x_reg_read(info->i2c, PM8607_POWER_UP_LOG); + bat_remove = data & BAT_WU_LOG; +-- +2.25.1 + diff --git a/queue-4.14/powerpc-vdso-fix-vdso-cpu-truncation.patch b/queue-4.14/powerpc-vdso-fix-vdso-cpu-truncation.patch new file mode 100644 index 00000000000..3d6c049abd7 --- /dev/null +++ b/queue-4.14/powerpc-vdso-fix-vdso-cpu-truncation.patch @@ -0,0 +1,45 @@ +From 3fe3f6b94a8f48e7e8dbe5d7f5c4070a88e363db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 09:37:04 +1000 +Subject: powerpc/vdso: Fix vdso cpu truncation + +From: Milton Miller + +[ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ] + +The code in vdso_cpu_init that exposes the cpu and numa node to +userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means +that any kernel running on a box with more than 4096 threads (NR_CPUS +advertises a limit of of 8192 cpus) would expose userspace to two cpu +contexts running at the same time with the same cpu number. + +Note: I'm not aware of any distro shipping a kernel with support for more +than 4096 threads today, nor of any system image that currently exceeds +4096 threads. Found via code browsing. + +Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu") +Signed-off-by: Milton Miller +Signed-off-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/vdso.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c +index 22b01a3962f06..3edaee28b6383 100644 +--- a/arch/powerpc/kernel/vdso.c ++++ b/arch/powerpc/kernel/vdso.c +@@ -704,7 +704,7 @@ int vdso_getcpu_init(void) + node = cpu_to_node(cpu); + WARN_ON_ONCE(node > 0xffff); + +- val = (cpu & 0xfff) | ((node & 0xffff) << 16); ++ val = (cpu & 0xffff) | ((node & 0xffff) << 16); + mtspr(SPRN_SPRG_VDSO_WRITE, val); + get_paca()->sprg_vdso = val; + +-- +2.25.1 + diff --git a/queue-4.14/s390-qeth-don-t-process-empty-bridge-port-events.patch b/queue-4.14/s390-qeth-don-t-process-empty-bridge-port-events.patch new file mode 100644 index 00000000000..5da96423214 --- /dev/null +++ b/queue-4.14/s390-qeth-don-t-process-empty-bridge-port-events.patch @@ -0,0 +1,40 @@ +From 979f511bcbfd4fee4cc36ca37a7309b63355aa78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 17:01:20 +0200 +Subject: s390/qeth: don't process empty bridge port events + +From: Julian Wiedmann + +[ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ] + +Discard events that don't contain any entries. This shouldn't happen, +but subsequent code relies on being able to use entry 0. So better +be safe than accessing garbage. + +Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control") +Signed-off-by: Julian Wiedmann +Reviewed-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_l2_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index 6fa07c2469150..ae310d5ced105 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -1559,6 +1559,10 @@ static void qeth_bridge_state_change(struct qeth_card *card, + int extrasize; + + QETH_CARD_TEXT(card, 2, "brstchng"); ++ if (qports->num_entries == 0) { ++ QETH_CARD_TEXT(card, 2, "BPempty"); ++ return; ++ } + if (qports->entry_length != sizeof(struct qeth_sbp_port_entry)) { + QETH_CARD_TEXT_(card, 2, "BPsz%04x", qports->entry_length); + return; +-- +2.25.1 + diff --git a/queue-4.14/sched-correct-sd_flags-returned-by-tl-sd_flags.patch b/queue-4.14/sched-correct-sd_flags-returned-by-tl-sd_flags.patch new file mode 100644 index 00000000000..78ba89465fb --- /dev/null +++ b/queue-4.14/sched-correct-sd_flags-returned-by-tl-sd_flags.patch @@ -0,0 +1,40 @@ +From 77faa49a828e84b5e338439ff925834d1914f630 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2020 23:09:36 +0800 +Subject: sched: correct SD_flags returned by tl->sd_flags() + +From: Peng Liu + +[ Upstream commit 9b1b234bb86bcdcdb142e900d39b599185465dbb ] + +During sched domain init, we check whether non-topological SD_flags are +returned by tl->sd_flags(), if found, fire a waning and correct the +violation, but the code failed to correct the violation. Correct this. + +Fixes: 143e1e28cb40 ("sched: Rework sched_domain topology definition") +Signed-off-by: Peng Liu +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Reviewed-by: Valentin Schneider +Link: https://lkml.kernel.org/r/20200609150936.GA13060@iZj6chx1xj0e0buvshuecpZ +Signed-off-by: Sasha Levin +--- + kernel/sched/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index 867d173dab482..152ffe0c24330 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -1117,7 +1117,7 @@ sd_init(struct sched_domain_topology_level *tl, + sd_flags = (*tl->sd_flags)(); + if (WARN_ONCE(sd_flags & ~TOPOLOGY_SD_FLAGS, + "wrong sd_flags in topology description\n")) +- sd_flags &= ~TOPOLOGY_SD_FLAGS; ++ sd_flags &= TOPOLOGY_SD_FLAGS; + + *sd = (struct sched_domain){ + .min_interval = sd_weight, +-- +2.25.1 + diff --git a/queue-4.14/scsi-cumana_2-fix-different-dev_id-between-request_i.patch b/queue-4.14/scsi-cumana_2-fix-different-dev_id-between-request_i.patch new file mode 100644 index 00000000000..c4f5d7ee0b0 --- /dev/null +++ b/queue-4.14/scsi-cumana_2-fix-different-dev_id-between-request_i.patch @@ -0,0 +1,39 @@ +From 8646a5e8f2d1c28b8c3e76d07d5e06c3a51bc930 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 22:47:30 +0200 +Subject: scsi: cumana_2: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' +in both cases. + +Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Acked-by: Russell King +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/cumana_2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c +index edce5f3cfdba0..93ba83e3148eb 100644 +--- a/drivers/scsi/arm/cumana_2.c ++++ b/drivers/scsi/arm/cumana_2.c +@@ -454,7 +454,7 @@ static int cumanascsi2_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +-- +2.25.1 + diff --git a/queue-4.14/scsi-eesox-fix-different-dev_id-between-request_irq-.patch b/queue-4.14/scsi-eesox-fix-different-dev_id-between-request_irq-.patch new file mode 100644 index 00000000000..91be635ca5c --- /dev/null +++ b/queue-4.14/scsi-eesox-fix-different-dev_id-between-request_irq-.patch @@ -0,0 +1,38 @@ +From a8d88fcb369913273269e64ea68dc59fccb89755 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 06:05:53 +0200 +Subject: scsi: eesox: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' in +both cases. + +Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/eesox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c +index e93e047f43165..65bb34ce93b94 100644 +--- a/drivers/scsi/arm/eesox.c ++++ b/drivers/scsi/arm/eesox.c +@@ -575,7 +575,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id) + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_remove: + fas216_remove(host); +-- +2.25.1 + diff --git a/queue-4.14/scsi-mesh-fix-panic-after-host-or-bus-reset.patch b/queue-4.14/scsi-mesh-fix-panic-after-host-or-bus-reset.patch new file mode 100644 index 00000000000..45cf0e5eb5a --- /dev/null +++ b/queue-4.14/scsi-mesh-fix-panic-after-host-or-bus-reset.patch @@ -0,0 +1,109 @@ +From 160706f441736d6314e9a708a06c460982951a59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 09:25:51 +1000 +Subject: scsi: mesh: Fix panic after host or bus reset + +From: Finn Thain + +[ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ] + +Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus +results in EH measures and a panic: + +[ 25.499838] mesh: configured for synchronous 5 MB/s +[ 25.787154] mesh: performing initial bus reset... +[ 29.867115] scsi host0: MESH +[ 29.929527] mesh: target 0 synchronous at 3.6 MB/s +[ 29.998763] scsi 0:0:0:0: Direct-Access CONNER CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS +[ 31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB) +[ 32.070975] sd 0:0:0:0: [sda] Write Protect is off +[ 32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08 +[ 32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA +[ 32.332708] sda: [mac] sda1 sda2 sda3 +[ 32.417733] sd 0:0:0:0: [sda] Attached SCSI disk +... snip ... +[ 76.687067] mesh_abort((ptrval)) +[ 76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) +[ 76.810798] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 +[ 76.880720] dma stat=84e0 cmdptr=1f73d000 +[ 76.941387] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 +[ 77.005567] dma_st=1 dma_ct=0 n_msgout=0 +[ 77.065456] target 0: req=(ptrval) goes_out=0 saved_ptr=0 +[ 77.130512] mesh_abort((ptrval)) +[ 77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) +[ 77.255594] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 +[ 77.325778] dma stat=84e0 cmdptr=1f73d000 +[ 77.387239] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 +[ 77.453665] dma_st=1 dma_ct=0 n_msgout=0 +[ 77.515900] target 0: req=(ptrval) goes_out=0 saved_ptr=0 +[ 77.582902] mesh_host_reset +[ 88.187083] Kernel panic - not syncing: mesh: double DMA start ! +[ 88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1 +[ 88.323302] Call Trace: +[ 88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable) +[ 88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414 +[ 88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70 +[ 88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384 +[ 88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8 +[ 88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178 +[ 88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8 +[ 88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520 +[ 88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8 +[ 88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c +[ 89.044112] Rebooting in 180 seconds.. + +In theory, a panic can happen after a bus or host reset with dma_started +flag set. Fix this by halting the DMA before reinitializing the host. +Don't assume that ms->current_req is set when halt_dma() is invoked as it +may not hold for bus or host reset. + +BTW, this particular Conner drive can be made to work by inhibiting +disconnect/reselect with 'mesh.resel_targets=0'. + +Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: Paul Mackerras +Reported-and-tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mesh.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mesh.c b/drivers/scsi/mesh.c +index 1753e42826dd9..a880abf5abaad 100644 +--- a/drivers/scsi/mesh.c ++++ b/drivers/scsi/mesh.c +@@ -1044,6 +1044,8 @@ static void handle_error(struct mesh_state *ms) + while ((in_8(&mr->bus_status1) & BS1_RST) != 0) + udelay(1); + printk("done\n"); ++ if (ms->dma_started) ++ halt_dma(ms); + handle_reset(ms); + /* request_q is empty, no point in mesh_start() */ + return; +@@ -1356,7 +1358,8 @@ static void halt_dma(struct mesh_state *ms) + ms->conn_tgt, ms->data_ptr, scsi_bufflen(cmd), + ms->tgts[ms->conn_tgt].data_goes_out); + } +- scsi_dma_unmap(cmd); ++ if (cmd) ++ scsi_dma_unmap(cmd); + ms->dma_started = 0; + } + +@@ -1711,6 +1714,9 @@ static int mesh_host_reset(struct scsi_cmnd *cmd) + + spin_lock_irqsave(ms->host->host_lock, flags); + ++ if (ms->dma_started) ++ halt_dma(ms); ++ + /* Reset the controller & dbdma channel */ + out_le32(&md->control, (RUN|PAUSE|FLUSH|WAKE) << 16); /* stop dma */ + out_8(&mr->exception, 0xff); /* clear all exception bits */ +-- +2.25.1 + diff --git a/queue-4.14/scsi-powertec-fix-different-dev_id-between-request_i.patch b/queue-4.14/scsi-powertec-fix-different-dev_id-between-request_i.patch new file mode 100644 index 00000000000..cbb4c527bb5 --- /dev/null +++ b/queue-4.14/scsi-powertec-fix-different-dev_id-between-request_i.patch @@ -0,0 +1,38 @@ +From f7a4b3d3405b3db89973cd987fceb08d3979ec88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 05:59:48 +0200 +Subject: scsi: powertec: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' in +both cases. + +Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/powertec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/powertec.c b/drivers/scsi/arm/powertec.c +index 79aa88911b7f3..b5e4a25ea1ef3 100644 +--- a/drivers/scsi/arm/powertec.c ++++ b/drivers/scsi/arm/powertec.c +@@ -382,7 +382,7 @@ static int powertecscsi_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +-- +2.25.1 + diff --git a/queue-4.14/scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch b/queue-4.14/scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch new file mode 100644 index 00000000000..2ce254bdbd9 --- /dev/null +++ b/queue-4.14/scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch @@ -0,0 +1,92 @@ +From 80fe2e04ef2b995b64841389a07fdc4033977a57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 20:23:19 +0800 +Subject: scsi: scsi_debug: Add check for sdebug_max_queue during module init + +From: John Garry + +[ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ] + +sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like +this can be triggered by passing an out-of-range value: + +Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 + pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--) + pc : schedule_resp+0x2a4/0xa70 [scsi_debug] + lr : schedule_resp+0x52c/0xa70 [scsi_debug] + sp : ffff800022ab36f0 + x29: ffff800022ab36f0 x28: ffff0023a935a610 + x27: ffff800008e0a648 x26: 0000000000000003 + x25: ffff0023e84f3200 x24: 00000000003d0900 + x23: 0000000000000000 x22: 0000000000000000 + x21: ffff0023be60a320 x20: ffff0023be60b538 + x19: ffff800008e13000 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 + x15: 0000000000000000 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000000 + x9 : 0000000000000001 x8 : 0000000000000000 + x7 : 0000000000000000 x6 : 00000000000000c1 + x5 : 0000020000200000 x4 : dead0000000000ff + x3 : 0000000000000200 x2 : 0000000000000200 + x1 : ffff800008e13d88 x0 : 0000000000000000 + Call trace: +schedule_resp+0x2a4/0xa70 [scsi_debug] +scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug] +scsi_queue_rq+0x698/0x840 +__blk_mq_try_issue_directly+0x108/0x228 +blk_mq_request_issue_directly+0x58/0x98 +blk_mq_try_issue_list_directly+0x5c/0xf0 +blk_mq_sched_insert_requests+0x18c/0x200 +blk_mq_flush_plug_list+0x11c/0x190 +blk_flush_plug_list+0xdc/0x110 +blk_finish_plug+0x38/0x210 +blkdev_direct_IO+0x450/0x4d8 +generic_file_read_iter+0x84/0x180 +blkdev_read_iter+0x3c/0x50 +aio_read+0xc0/0x170 +io_submit_one+0x5c8/0xc98 +__arm64_sys_io_submit+0x1b0/0x258 +el0_svc_common.constprop.3+0x68/0x170 +do_el0_svc+0x24/0x90 +el0_sync_handler+0x13c/0x1a8 +el0_sync+0x158/0x180 + Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340) + +In addition, it should not be less than 1. + +So add checks for these, and fail the module init for those cases. + +[mkp: changed if condition to match error message] + +Link: https://lore.kernel.org/r/1594297400-24756-2-git-send-email-john.garry@huawei.com +Fixes: c483739430f1 ("scsi_debug: add multiple queue support") +Reviewed-by: Ming Lei +Acked-by: Douglas Gilbert +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index ac936b5ca74e5..aba1a3396890b 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -4993,6 +4993,12 @@ static int __init scsi_debug_init(void) + pr_err("submit_queues must be 1 or more\n"); + return -EINVAL; + } ++ ++ if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue < 1)) { ++ pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE); ++ return -EINVAL; ++ } ++ + sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue), + GFP_KERNEL); + if (sdebug_q_arr == NULL) +-- +2.25.1 + diff --git a/queue-4.14/selftests-powerpc-fix-cpu-affinity-for-child-process.patch b/queue-4.14/selftests-powerpc-fix-cpu-affinity-for-child-process.patch new file mode 100644 index 00000000000..19ff7322e14 --- /dev/null +++ b/queue-4.14/selftests-powerpc-fix-cpu-affinity-for-child-process.patch @@ -0,0 +1,82 @@ +From 828f79c748e0d9d85c1c7e0526c5b20e3f3c1ee3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2020 13:44:23 +0530 +Subject: selftests/powerpc: Fix CPU affinity for child process + +From: Harish + +[ Upstream commit 854eb5022be04f81e318765f089f41a57c8e5d83 ] + +On systems with large number of cpus, test fails trying to set +affinity by calling sched_setaffinity() with smaller size for affinity +mask. This patch fixes it by making sure that the size of allocated +affinity mask is dependent on the number of CPUs as reported by +get_nprocs(). + +Fixes: 00b7ec5c9cf3 ("selftests/powerpc: Import Anton's context_switch2 benchmark") +Reported-by: Shirisha Ganta +Signed-off-by: Sandipan Das +Signed-off-by: Harish +Reviewed-by: Kamalesh Babulal +Reviewed-by: Satheesh Rajendran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200609081423.529664-1-harish@linux.ibm.com +Signed-off-by: Sasha Levin +--- + .../powerpc/benchmarks/context_switch.c | 21 ++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/benchmarks/context_switch.c b/tools/testing/selftests/powerpc/benchmarks/context_switch.c +index f4241339edd2a..7136eae2170b7 100644 +--- a/tools/testing/selftests/powerpc/benchmarks/context_switch.c ++++ b/tools/testing/selftests/powerpc/benchmarks/context_switch.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -97,8 +98,9 @@ static void start_thread_on(void *(*fn)(void *), void *arg, unsigned long cpu) + + static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) + { +- int pid; +- cpu_set_t cpuset; ++ int pid, ncpus; ++ cpu_set_t *cpuset; ++ size_t size; + + pid = fork(); + if (pid == -1) { +@@ -109,14 +111,23 @@ static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) + if (pid) + return; + +- CPU_ZERO(&cpuset); +- CPU_SET(cpu, &cpuset); ++ ncpus = get_nprocs(); ++ size = CPU_ALLOC_SIZE(ncpus); ++ cpuset = CPU_ALLOC(ncpus); ++ if (!cpuset) { ++ perror("malloc"); ++ exit(1); ++ } ++ CPU_ZERO_S(size, cpuset); ++ CPU_SET_S(cpu, size, cpuset); + +- if (sched_setaffinity(0, sizeof(cpuset), &cpuset)) { ++ if (sched_setaffinity(0, size, cpuset)) { + perror("sched_setaffinity"); ++ CPU_FREE(cpuset); + exit(1); + } + ++ CPU_FREE(cpuset); + fn(arg); + + exit(0); +-- +2.25.1 + diff --git a/queue-4.14/selftests-powerpc-fix-online-cpu-selection.patch b/queue-4.14/selftests-powerpc-fix-online-cpu-selection.patch new file mode 100644 index 00000000000..5d3bf13b71f --- /dev/null +++ b/queue-4.14/selftests-powerpc-fix-online-cpu-selection.patch @@ -0,0 +1,93 @@ +From 4557c8368fde098680242a5329a6b4e2d8539122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 10:38:46 +0530 +Subject: selftests/powerpc: Fix online CPU selection + +From: Sandipan Das + +[ Upstream commit dfa03fff86027e58c8dba5c03ae68150d4e513ad ] + +The size of the CPU affinity mask must be large enough for +systems with a very large number of CPUs. Otherwise, tests +which try to determine the first online CPU by calling +sched_getaffinity() will fail. This makes sure that the size +of the allocated affinity mask is dependent on the number of +CPUs as reported by get_nprocs_conf(). + +Fixes: 3752e453f6ba ("selftests/powerpc: Add tests of PMU EBBs") +Reported-by: Shirisha Ganta +Signed-off-by: Sandipan Das +Reviewed-by: Kamalesh Babulal +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/a408c4b8e9a23bb39b539417a21eb0ff47bb5127.1596084858.git.sandipan@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/utils.c | 37 +++++++++++++++++-------- + 1 file changed, 25 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/utils.c b/tools/testing/selftests/powerpc/utils.c +index d46916867a6fb..77db4f6ecf2f0 100644 +--- a/tools/testing/selftests/powerpc/utils.c ++++ b/tools/testing/selftests/powerpc/utils.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -81,26 +82,38 @@ void *get_auxv_entry(int type) + + int pick_online_cpu(void) + { +- cpu_set_t mask; +- int cpu; ++ int ncpus, cpu = -1; ++ cpu_set_t *mask; ++ size_t size; ++ ++ ncpus = get_nprocs_conf(); ++ size = CPU_ALLOC_SIZE(ncpus); ++ mask = CPU_ALLOC(ncpus); ++ if (!mask) { ++ perror("malloc"); ++ return -1; ++ } + +- CPU_ZERO(&mask); ++ CPU_ZERO_S(size, mask); + +- if (sched_getaffinity(0, sizeof(mask), &mask)) { ++ if (sched_getaffinity(0, size, mask)) { + perror("sched_getaffinity"); +- return -1; ++ goto done; + } + + /* We prefer a primary thread, but skip 0 */ +- for (cpu = 8; cpu < CPU_SETSIZE; cpu += 8) +- if (CPU_ISSET(cpu, &mask)) +- return cpu; ++ for (cpu = 8; cpu < ncpus; cpu += 8) ++ if (CPU_ISSET_S(cpu, size, mask)) ++ goto done; + + /* Search for anything, but in reverse */ +- for (cpu = CPU_SETSIZE - 1; cpu >= 0; cpu--) +- if (CPU_ISSET(cpu, &mask)) +- return cpu; ++ for (cpu = ncpus - 1; cpu >= 0; cpu--) ++ if (CPU_ISSET_S(cpu, size, mask)) ++ goto done; + + printf("No cpus in affinity mask?!\n"); +- return -1; ++ ++done: ++ CPU_FREE(mask); ++ return cpu; + } +-- +2.25.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 1ebd031735e..a4b935a4a48 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -43,3 +43,94 @@ smack-fix-use-after-free-in-smk_write_relabel_self.patch tracepoint-mark-__tracepoint_string-s-__used.patch hid-input-fix-devices-that-return-multiple-bytes-in-battery-report.patch cgroup-add-missing-skcd-no_refcnt-check-in-cgroup_sk.patch +x86-mce-inject-fix-a-wrong-assignment-of-i_mce.statu.patch +sched-correct-sd_flags-returned-by-tl-sd_flags.patch +arm64-dts-rockchip-fix-rk3399-puma-vcc5v0-host-gpio.patch +arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch +edac-fix-reference-count-leaks.patch +arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch +arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch +m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch +m68k-mac-fix-iop-status-control-register-writes.patch +platform-x86-intel-hid-fix-return-value-check-in-che.patch +platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch +arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch +spi-lantiq-fix-rx-overflow-error-in-full-duplex-mode.patch +arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch +drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch +bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch +fs-btrfs-add-cond_resched-for-try_release_extent_map.patch +drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch +video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch +md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch +arm64-dts-hisilicon-hikey-fixes-to-comply-with-adi-a.patch +drm-nouveau-fix-multiple-instances-of-reference-coun.patch +drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch +irqchip-irq-mtk-sysirq-replace-spinlock-with-raw_spi.patch +mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch +brcmfmac-to-fix-bss-info-flag-definition-bug.patch +brcmfmac-set-state-of-hanger-slot-to-free-when-flush.patch +iwlegacy-check-the-return-value-of-pcie_capability_r.patch +gpu-host1x-debug-fix-multiple-channels-emitting-mess.patch +usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch +bdc-fix-bug-causing-crash-after-multiple-disconnects.patch +usb-bdc-halt-controller-on-suspend.patch +dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch +bcache-fix-super-block-seq-numbers-comparision-in-re.patch +acpica-do-not-increment-operation_region-reference-c.patch +agp-intel-fix-a-memory-leak-on-module-initialisation.patch +video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch +console-newport_con-fix-an-issue-about-leak-related-.patch +video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch +iio-improve-iio_concentration-channel-type-descripti.patch +drm-arm-fix-unintentional-integer-overflow-on-left-s.patch +leds-lm355x-avoid-enum-conversion-warning.patch +media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch +asoc-intel-bxt_rt298-add-missing-.owner-field.patch +scsi-cumana_2-fix-different-dev_id-between-request_i.patch +drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch +cxl-fix-kobject-memleak.patch +drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch +scsi-powertec-fix-different-dev_id-between-request_i.patch +scsi-eesox-fix-different-dev_id-between-request_irq-.patch +ipvs-allow-connection-reuse-for-unconfirmed-conntrac.patch +media-firewire-using-uninitialized-values-in-node_pr.patch +media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch +xfs-fix-reflink-quota-reservation-accounting-error.patch +pci-fix-pci_cfg_wait-queue-locking-problem.patch +leds-core-flush-scheduled-work-for-system-suspend.patch +drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch +drm-bridge-sil_sii8620-initialize-return-of-sii8620_.patch +scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch +mwifiex-prevent-memory-corruption-handling-keys.patch +powerpc-vdso-fix-vdso-cpu-truncation.patch +staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch +pci-aspm-add-missing-newline-in-sysfs-policy.patch +drm-imx-tve-fix-regulator_disable-error-path.patch +usb-serial-iuu_phoenix-fix-led-activity-helpers.patch +thermal-ti-soc-thermal-fix-reversed-condition-in-ti_.patch +coresight-tmc-fix-tmc-mode-read-in-tmc_read_unprepar.patch +mips-octeon-add-missing-put_device-call-in-dwc3_octe.patch +usb-dwc2-fix-error-path-in-gadget-registration.patch +scsi-mesh-fix-panic-after-host-or-bus-reset.patch +net-dsa-mv88e6xxx-mv88e6097-does-not-support-jumbo-c.patch +smack-fix-another-vsscanf-out-of-bounds.patch +smack-prevent-underflow-in-smk_set_cipso.patch +power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch +bluetooth-hci_serdev-only-unregister-device-if-it-wa.patch +selftests-powerpc-fix-cpu-affinity-for-child-process.patch +pci-release-ivrs-table-in-amd-acs-quirk.patch +selftests-powerpc-fix-online-cpu-selection.patch +s390-qeth-don-t-process-empty-bridge-port-events.patch +wl1251-fix-always-return-0-error.patch +tools-build-propagate-build-failures-from-tools-buil.patch +net-ethernet-aquantia-fix-wrong-return-value.patch +liquidio-fix-wrong-return-value-in-cn23xx_get_pf_num.patch +net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch +fsl-fman-use-32-bit-unsigned-integer.patch +fsl-fman-fix-dereference-null-return-value.patch +fsl-fman-fix-unreachable-code.patch +fsl-fman-check-dereferencing-null-pointer.patch +fsl-fman-fix-eth-hash-table-allocation.patch +dlm-fix-kobject-memleak.patch +pinctrl-single-fix-pcs_parse_pinconf-return-value.patch diff --git a/queue-4.14/smack-fix-another-vsscanf-out-of-bounds.patch b/queue-4.14/smack-fix-another-vsscanf-out-of-bounds.patch new file mode 100644 index 00000000000..b8d47424e1f --- /dev/null +++ b/queue-4.14/smack-fix-another-vsscanf-out-of-bounds.patch @@ -0,0 +1,39 @@ +From 63b653a551b61e980a4ffb6787308ed4348fe26b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:22:19 +0300 +Subject: Smack: fix another vsscanf out of bounds + +From: Dan Carpenter + +[ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ] + +This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in +vsscanf") where we added a bounds check on "rule". + +Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com +Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4") +Signed-off-by: Dan Carpenter +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 10ee51d044926..981f582539acf 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -933,6 +933,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + + for (i = 0; i < catlen; i++) { + rule += SMK_DIGITLEN; ++ if (rule > data + count) { ++ rc = -EOVERFLOW; ++ goto out; ++ } + ret = sscanf(rule, "%u", &cat); + if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) + goto out; +-- +2.25.1 + diff --git a/queue-4.14/smack-prevent-underflow-in-smk_set_cipso.patch b/queue-4.14/smack-prevent-underflow-in-smk_set_cipso.patch new file mode 100644 index 00000000000..9552cb3e1d5 --- /dev/null +++ b/queue-4.14/smack-prevent-underflow-in-smk_set_cipso.patch @@ -0,0 +1,36 @@ +From 59e1b21bfb7b195c212ec3bf598685b8364bf63b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:23:05 +0300 +Subject: Smack: prevent underflow in smk_set_cipso() + +From: Dan Carpenter + +[ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ] + +We have an upper bound on "maplevel" but forgot to check for negative +values. + +Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") +Signed-off-by: Dan Carpenter +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 981f582539acf..accd3846f1e3e 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -912,7 +912,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + } + + ret = sscanf(rule, "%d", &maplevel); +- if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) ++ if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL) + goto out; + + rule += SMK_DIGITLEN; +-- +2.25.1 + diff --git a/queue-4.14/spi-lantiq-fix-rx-overflow-error-in-full-duplex-mode.patch b/queue-4.14/spi-lantiq-fix-rx-overflow-error-in-full-duplex-mode.patch new file mode 100644 index 00000000000..cbdc0859748 --- /dev/null +++ b/queue-4.14/spi-lantiq-fix-rx-overflow-error-in-full-duplex-mode.patch @@ -0,0 +1,66 @@ +From 041619c39d6e098d1295947cafa72313b804dba4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 14:27:50 +0800 +Subject: spi: lantiq: fix: Rx overflow error in full duplex mode + +From: Dilip Kota + +[ Upstream commit 661ccf2b3f1360be50242726f7c26ced6a9e7d52 ] + +In full duplex mode, rx overflow error is observed. To overcome the error, +wait until the complete data got received and proceed further. + +Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller") +Signed-off-by: Dilip Kota +Link: https://lore.kernel.org/r/efb650b0faa49a00788c4e0ca8ef7196bdba851d.1594957019.git.eswara.kota@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-lantiq-ssc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/spi/spi-lantiq-ssc.c b/drivers/spi/spi-lantiq-ssc.c +index d5976615d924b..dc740b5f720ba 100644 +--- a/drivers/spi/spi-lantiq-ssc.c ++++ b/drivers/spi/spi-lantiq-ssc.c +@@ -187,6 +187,7 @@ struct lantiq_ssc_spi { + unsigned int tx_fifo_size; + unsigned int rx_fifo_size; + unsigned int base_cs; ++ unsigned int fdx_tx_level; + }; + + static u32 lantiq_ssc_readl(const struct lantiq_ssc_spi *spi, u32 reg) +@@ -484,6 +485,7 @@ static void tx_fifo_write(struct lantiq_ssc_spi *spi) + u32 data; + unsigned int tx_free = tx_fifo_free(spi); + ++ spi->fdx_tx_level = 0; + while (spi->tx_todo && tx_free) { + switch (spi->bits_per_word) { + case 2 ... 8: +@@ -512,6 +514,7 @@ static void tx_fifo_write(struct lantiq_ssc_spi *spi) + + lantiq_ssc_writel(spi, data, LTQ_SPI_TB); + tx_free--; ++ spi->fdx_tx_level++; + } + } + +@@ -523,6 +526,13 @@ static void rx_fifo_read_full_duplex(struct lantiq_ssc_spi *spi) + u32 data; + unsigned int rx_fill = rx_fifo_level(spi); + ++ /* ++ * Wait until all expected data to be shifted in. ++ * Otherwise, rx overrun may occur. ++ */ ++ while (rx_fill != spi->fdx_tx_level) ++ rx_fill = rx_fifo_level(spi); ++ + while (rx_fill) { + data = lantiq_ssc_readl(spi, LTQ_SPI_RB); + +-- +2.25.1 + diff --git a/queue-4.14/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch b/queue-4.14/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch new file mode 100644 index 00000000000..9b7d3ee26d1 --- /dev/null +++ b/queue-4.14/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch @@ -0,0 +1,42 @@ +From b3b73129609dbbad3730a02ec65605cc87940050 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 16:47:20 +0100 +Subject: staging: rtl8192u: fix a dubious looking mask before a shift + +From: Colin Ian King + +[ Upstream commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 ] + +Currently the masking of ret with 0xff and followed by a right shift +of 8 bits always leaves a zero result. It appears the mask of 0xff +is incorrect and should be 0xff00, but I don't have the hardware to +test this. Fix this to mask the upper 8 bits before shifting. + +[ Not tested ] + +Addresses-Coverity: ("Operands don't affect result") +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20200716154720.1710252-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/r8192U_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c +index fbbd1b59dc11d..b5941ae410d9a 100644 +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -2519,7 +2519,7 @@ static int rtl8192_read_eeprom_info(struct net_device *dev) + ret = eprom_read(dev, (EEPROM_TxPwIndex_CCK >> 1)); + if (ret < 0) + return ret; +- priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff) >> 8; ++ priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff00) >> 8; + } else + priv->EEPROMTxPowerLevelCCK = 0x10; + RT_TRACE(COMP_EPROM, "CCK Tx Power Levl: 0x%02x\n", priv->EEPROMTxPowerLevelCCK); +-- +2.25.1 + diff --git a/queue-4.14/thermal-ti-soc-thermal-fix-reversed-condition-in-ti_.patch b/queue-4.14/thermal-ti-soc-thermal-fix-reversed-condition-in-ti_.patch new file mode 100644 index 00000000000..724e2c36ad5 --- /dev/null +++ b/queue-4.14/thermal-ti-soc-thermal-fix-reversed-condition-in-ti_.patch @@ -0,0 +1,37 @@ +From 048e8a2b5a7204ed31c9b6d3ba9022134b30415d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 12:19:49 +0300 +Subject: thermal: ti-soc-thermal: Fix reversed condition in + ti_thermal_expose_sensor() + +From: Dan Carpenter + +[ Upstream commit 0f348db01fdf128813fdd659fcc339038fb421a4 ] + +This condition is reversed and will cause breakage. + +Fixes: 7440f518dad9 ("thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR") +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200616091949.GA11940@mwanda +Signed-off-by: Sasha Levin +--- + drivers/thermal/ti-soc-thermal/ti-thermal-common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c +index fa98c398d70f3..d43fbe4ad767e 100644 +--- a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c ++++ b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c +@@ -183,7 +183,7 @@ int ti_thermal_expose_sensor(struct ti_bandgap *bgp, int id, + + data = ti_bandgap_get_sensor_data(bgp, id); + +- if (!IS_ERR_OR_NULL(data)) ++ if (IS_ERR_OR_NULL(data)) + data = ti_thermal_build_data(bgp, id); + + if (!data) +-- +2.25.1 + diff --git a/queue-4.14/tools-build-propagate-build-failures-from-tools-buil.patch b/queue-4.14/tools-build-propagate-build-failures-from-tools-buil.patch new file mode 100644 index 00000000000..7640d0bc5e5 --- /dev/null +++ b/queue-4.14/tools-build-propagate-build-failures-from-tools-buil.patch @@ -0,0 +1,52 @@ +From f2d46c1fd036a9fcbee92df96a8828185a43eae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 19:42:44 -0700 +Subject: tools, build: Propagate build failures from + tools/build/Makefile.build + +From: Andrii Nakryiko + +[ Upstream commit a278f3d8191228212c553a5d4303fa603214b717 ] + +The '&&' command seems to have a bad effect when $(cmd_$(1)) exits with +non-zero effect: the command failure is masked (despite `set -e`) and all but +the first command of $(dep-cmd) is executed (successfully, as they are mostly +printfs), thus overall returning 0 in the end. + +This means in practice that despite compilation errors, tools's build Makefile +will return success. We see this very reliably with libbpf's Makefile, which +doesn't get compilation error propagated properly. This in turns causes issues +with selftests build, as well as bpftool and other projects that rely on +building libbpf. + +The fix is simple: don't use &&. Given `set -e`, we don't need to chain +commands with &&. The shell will exit on first failure, giving desired +behavior and propagating error properly. + +Fixes: 275e2d95591e ("tools build: Move dependency copy into function") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20200731024244.872574-1-andriin@fb.com +Signed-off-by: Sasha Levin +--- + tools/build/Build.include | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/build/Build.include b/tools/build/Build.include +index d9048f145f97a..63bb9752612a8 100644 +--- a/tools/build/Build.include ++++ b/tools/build/Build.include +@@ -74,7 +74,8 @@ dep-cmd = $(if $(wildcard $(fixdep)), + # dependencies in the cmd file + if_changed_dep = $(if $(strip $(any-prereq) $(arg-check)), \ + @set -e; \ +- $(echo-cmd) $(cmd_$(1)) && $(dep-cmd)) ++ $(echo-cmd) $(cmd_$(1)); \ ++ $(dep-cmd)) + + # if_changed - execute command if any prerequisite is newer than + # target, or command line has changed +-- +2.25.1 + diff --git a/queue-4.14/usb-bdc-halt-controller-on-suspend.patch b/queue-4.14/usb-bdc-halt-controller-on-suspend.patch new file mode 100644 index 00000000000..d025fd89bbf --- /dev/null +++ b/queue-4.14/usb-bdc-halt-controller-on-suspend.patch @@ -0,0 +1,51 @@ +From f377c36505a28f8f4f27ff3a440fba2765d620a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 13:07:45 -0400 +Subject: usb: bdc: Halt controller on suspend + +From: Danesh Petigara + +[ Upstream commit 5fc453d7de3d0c345812453823a3a56783c5f82c ] + +GISB bus error kernel panics have been observed during S2 transition +tests on the 7271t platform. The errors are a result of the BDC +interrupt handler trying to access BDC register space after the +system's suspend callbacks have completed. + +Adding a suspend hook to the BDC driver that halts the controller before +S2 entry thus preventing unwanted access to the BDC register space during +this transition. + +Signed-off-by: Danesh Petigara +Signed-off-by: Al Cooper +Acked-by: Florian Fainelli +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/bdc/bdc_core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index 2660cc2e42a08..58ba04d858bab 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -613,9 +613,14 @@ static int bdc_remove(struct platform_device *pdev) + static int bdc_suspend(struct device *dev) + { + struct bdc *bdc = dev_get_drvdata(dev); ++ int ret; + +- clk_disable_unprepare(bdc->clk); +- return 0; ++ /* Halt the controller */ ++ ret = bdc_stop(bdc); ++ if (!ret) ++ clk_disable_unprepare(bdc->clk); ++ ++ return ret; + } + + static int bdc_resume(struct device *dev) +-- +2.25.1 + diff --git a/queue-4.14/usb-dwc2-fix-error-path-in-gadget-registration.patch b/queue-4.14/usb-dwc2-fix-error-path-in-gadget-registration.patch new file mode 100644 index 00000000000..2c996484d4c --- /dev/null +++ b/queue-4.14/usb-dwc2-fix-error-path-in-gadget-registration.patch @@ -0,0 +1,97 @@ +From ec1775400754a282b9e94e702361cd2df6e407a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 14:09:48 +0200 +Subject: usb: dwc2: Fix error path in gadget registration + +From: Marek Szyprowski + +[ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ] + +When gadget registration fails, one should not call usb_del_gadget_udc(). +Ensure this by setting gadget->udc to NULL. Also in case of a failure +there is no need to disable low-level hardware, so return immiedetly +instead of jumping to error_init label. + +This fixes the following kernel NULL ptr dereference on gadget failure +(can be easily triggered with g_mass_storage without any module +parameters): + +dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1 +dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024 +dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM +Mass Storage Function, version: 2009/09/11 +LUN: removable file: (no medium) +no file given for LUN0 +g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22 +8<--- cut here --- +Unable to handle kernel NULL pointer dereference at virtual address 00000104 +pgd = (ptrval) +[00000104] *pgd=00000000 +Internal error: Oops: 805 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133 +Hardware name: Samsung Exynos (Flattened Device Tree) +Workqueue: events deferred_probe_work_func +PC is at usb_del_gadget_udc+0x38/0xc4 +LR is at __mutex_lock+0x31c/0xb18 +... +Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval)) +Stack: (0xef121db0 to 0xef122000) +... +[] (usb_del_gadget_udc) from [] (dwc2_hsotg_remove+0x10/0x20) +[] (dwc2_hsotg_remove) from [] (dwc2_driver_probe+0x57c/0x69c) +[] (dwc2_driver_probe) from [] (platform_drv_probe+0x6c/0xa4) +[] (platform_drv_probe) from [] (really_probe+0x200/0x48c) +[] (really_probe) from [] (driver_probe_device+0x78/0x1fc) +[] (driver_probe_device) from [] (bus_for_each_drv+0x74/0xb8) +[] (bus_for_each_drv) from [] (__device_attach+0xd4/0x16c) +[] (__device_attach) from [] (bus_probe_device+0x88/0x90) +[] (bus_probe_device) from [] (deferred_probe_work_func+0x3c/0xd0) +[] (deferred_probe_work_func) from [] (process_one_work+0x234/0x7dc) +[] (process_one_work) from [] (worker_thread+0x44/0x51c) +[] (worker_thread) from [] (kthread+0x158/0x1a0) +[] (kthread) from [] (ret_from_fork+0x14/0x20) +Exception stack(0xef121fb0 to 0xef121ff8) +... +---[ end trace 9724c2fc7cc9c982 ]--- + +While fixing this also fix the double call to dwc2_lowlevel_hw_disable() +if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level +hardware is already disabled before calling usb_add_gadget_udc(). That +function correctly preserves low-level hardware state, there is no need +for the second unconditional dwc2_lowlevel_hw_disable() call. + +Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver") +Acked-by: Minas Harutyunyan +Signed-off-by: Marek Szyprowski +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/platform.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c +index 442cb93935dd4..405dccf92a315 100644 +--- a/drivers/usb/dwc2/platform.c ++++ b/drivers/usb/dwc2/platform.c +@@ -459,6 +459,7 @@ static int dwc2_driver_probe(struct platform_device *dev) + if (hsotg->gadget_enabled) { + retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget); + if (retval) { ++ hsotg->gadget.udc = NULL; + dwc2_hsotg_remove(hsotg); + goto error; + } +@@ -467,7 +468,8 @@ static int dwc2_driver_probe(struct platform_device *dev) + return 0; + + error: +- dwc2_lowlevel_hw_disable(hsotg); ++ if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL) ++ dwc2_lowlevel_hw_disable(hsotg); + return retval; + } + +-- +2.25.1 + diff --git a/queue-4.14/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch b/queue-4.14/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch new file mode 100644 index 00000000000..0b745d66a4c --- /dev/null +++ b/queue-4.14/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch @@ -0,0 +1,42 @@ +From 09a25d65080ff8d2d69ab15c5d7bc32d521969af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 23:15:58 +0300 +Subject: usb: gadget: net2280: fix memory leak on probe error handling paths + +From: Evgeny Novikov + +[ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ] + +Driver does not release memory for device on error handling paths in +net2280_probe() when gadget_release() is not registered yet. + +The patch fixes the bug like in other similar drivers. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/net2280.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 170327f84ea19..f1ac9a49e2bf1 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -3786,8 +3786,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return 0; + + done: +- if (dev) ++ if (dev) { + net2280_remove(pdev); ++ kfree(dev); ++ } + return retval; + } + +-- +2.25.1 + diff --git a/queue-4.14/usb-serial-iuu_phoenix-fix-led-activity-helpers.patch b/queue-4.14/usb-serial-iuu_phoenix-fix-led-activity-helpers.patch new file mode 100644 index 00000000000..34e86740dd3 --- /dev/null +++ b/queue-4.14/usb-serial-iuu_phoenix-fix-led-activity-helpers.patch @@ -0,0 +1,70 @@ +From dc3e02f6e83951eed2152caee6b00236c207ebc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 10:50:55 +0200 +Subject: USB: serial: iuu_phoenix: fix led-activity helpers + +From: Johan Hovold + +[ Upstream commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c ] + +The set-led command is eight bytes long and starts with a command byte +followed by six bytes of RGB data and ends with a byte encoding a +frequency (see iuu_led() and iuu_rgbf_fill_buffer()). + +The led activity helpers had a few long-standing bugs which corrupted +the command packets by inserting a second command byte and thereby +offsetting the RGB data and dropping the frequency in non-xmas mode. + +In xmas mode, a related off-by-one error left the frequency field +uninitialised. + +Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver") +Reported-by: George Spelvin +Link: https://lore.kernel.org/r/20200716085056.31471-1-johan@kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/iuu_phoenix.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c +index a1a11f8bb2a3d..0c9e24b217f7d 100644 +--- a/drivers/usb/serial/iuu_phoenix.c ++++ b/drivers/usb/serial/iuu_phoenix.c +@@ -359,10 +359,11 @@ static void iuu_led_activity_on(struct urb *urb) + struct usb_serial_port *port = urb->context; + int result; + char *buf_ptr = port->write_urb->transfer_buffer; +- *buf_ptr++ = IUU_SET_LED; ++ + if (xmas) { +- get_random_bytes(buf_ptr, 6); +- *(buf_ptr+7) = 1; ++ buf_ptr[0] = IUU_SET_LED; ++ get_random_bytes(buf_ptr + 1, 6); ++ buf_ptr[7] = 1; + } else { + iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255); + } +@@ -380,13 +381,14 @@ static void iuu_led_activity_off(struct urb *urb) + struct usb_serial_port *port = urb->context; + int result; + char *buf_ptr = port->write_urb->transfer_buffer; ++ + if (xmas) { + iuu_rxcmd(urb); + return; +- } else { +- *buf_ptr++ = IUU_SET_LED; +- iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); + } ++ ++ iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); ++ + usb_fill_bulk_urb(port->write_urb, port->serial->dev, + usb_sndbulkpipe(port->serial->dev, + port->bulk_out_endpointAddress), +-- +2.25.1 + diff --git a/queue-4.14/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch b/queue-4.14/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch new file mode 100644 index 00000000000..7f5acc2b542 --- /dev/null +++ b/queue-4.14/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch @@ -0,0 +1,46 @@ +From 007dca24c01e9dec6e5dbc229b18a8ca95dd310e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 22:54:51 +0300 +Subject: video: fbdev: neofb: fix memory leak in neo_scan_monitor() + +From: Evgeny Novikov + +[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ] + +neofb_probe() calls neo_scan_monitor() that can successfully allocate a +memory for info->monspecs.modedb and proceed to case 0x03. There it does +not free the memory and returns -1. neofb_probe() goes to label +err_scan_monitor, thus, it does not free this memory through calling +fb_destroy_modedb() as well. We can not go to label err_init_hw since +neo_scan_monitor() can fail during memory allocation. So, the patch frees +the memory directly for case 0x03. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Cc: Jani Nikula +Cc: Mike Rapoport +Cc: Daniel Vetter +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/neofb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c +index 5d3a444083f74..2018e1ca33eb6 100644 +--- a/drivers/video/fbdev/neofb.c ++++ b/drivers/video/fbdev/neofb.c +@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info) + #else + printk(KERN_ERR + "neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n"); ++ kfree(info->monspecs.modedb); + return -1; + #endif + default: +-- +2.25.1 + diff --git a/queue-4.14/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch b/queue-4.14/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch new file mode 100644 index 00000000000..f1bc298035e --- /dev/null +++ b/queue-4.14/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch @@ -0,0 +1,42 @@ +From 3d29646dea655f59e9678743142ba6593a947ff0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 00:07:19 +0800 +Subject: video: fbdev: sm712fb: fix an issue about iounmap for a wrong address + +From: Dejin Zheng + +[ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ] + +the sfb->fb->screen_base is not save the value get by iounmap() when +the chip id is 0x720. so iounmap() for address sfb->fb->screen_base +is not right. + +Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev") +Cc: Andy Shevchenko +Cc: Sudip Mukherjee +Cc: Teddy Wang +Cc: Greg Kroah-Hartman +Signed-off-by: Dejin Zheng +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sm712fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c +index f1dcc6766d1ef..1781ca697f66b 100644 +--- a/drivers/video/fbdev/sm712fb.c ++++ b/drivers/video/fbdev/sm712fb.c +@@ -1429,6 +1429,8 @@ static int smtc_map_smem(struct smtcfb_info *sfb, + static void smtc_unmap_smem(struct smtcfb_info *sfb) + { + if (sfb && sfb->fb->screen_base) { ++ if (sfb->chip_id == 0x720) ++ sfb->fb->screen_base -= 0x00200000; + iounmap(sfb->fb->screen_base); + sfb->fb->screen_base = NULL; + } +-- +2.25.1 + diff --git a/queue-4.14/video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch b/queue-4.14/video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch new file mode 100644 index 00000000000..693bd07c751 --- /dev/null +++ b/queue-4.14/video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch @@ -0,0 +1,49 @@ +From 66302f80803f6adff998bc68baf14c4025934df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 10:45:05 +0200 +Subject: video: pxafb: Fix the function used to balance a + 'dma_alloc_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit 499a2c41b954518c372873202d5e7714e22010c4 ] + +'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()' +not 'dma_free_wc()'. +The correct dma_free_ function is already used in the error handling path +of the probe function. + +Fixes: 77e196752bdd ("[ARM] pxafb: allow video memory size to be configurable") +Signed-off-by: Christophe JAILLET +Cc: Sumit Semwal +Cc: Rafael J. Wysocki +Cc: Jonathan Corbet +Cc: Viresh Kumar +Cc: Jani Nikula +cc: Mauro Carvalho Chehab +Cc: Eric Miao +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200429084505.108897-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxafb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c +index 29f00eccdd015..08ee77d5df8b2 100644 +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -2449,8 +2449,8 @@ static int pxafb_remove(struct platform_device *dev) + + free_pages_exact(fbi->video_mem, fbi->video_mem_size); + +- dma_free_wc(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, +- fbi->dma_buff_phys); ++ dma_free_coherent(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, ++ fbi->dma_buff_phys); + + iounmap(fbi->mmio_base); + +-- +2.25.1 + diff --git a/queue-4.14/wl1251-fix-always-return-0-error.patch b/queue-4.14/wl1251-fix-always-return-0-error.patch new file mode 100644 index 00000000000..92bd73f6f6f --- /dev/null +++ b/queue-4.14/wl1251-fix-always-return-0-error.patch @@ -0,0 +1,38 @@ +From 416c707cc0aee4fd82ac62053e71290a98a7d29d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 15:39:39 +0800 +Subject: wl1251: fix always return 0 error + +From: Wang Hai + +[ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ] + +wl1251_event_ps_report() should not always return 0 because +wl1251_ps_set_mode() may fail. Change it to return 'ret'. + +Fixes: f7ad1eed4d4b ("wl1251: retry power save entry") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wl1251/event.c b/drivers/net/wireless/ti/wl1251/event.c +index f5acd24d0e2b1..988abb49771f9 100644 +--- a/drivers/net/wireless/ti/wl1251/event.c ++++ b/drivers/net/wireless/ti/wl1251/event.c +@@ -84,7 +84,7 @@ static int wl1251_event_ps_report(struct wl1251 *wl, + break; + } + +- return 0; ++ return ret; + } + + static void wl1251_event_mbox_dump(struct event_mailbox *mbox) +-- +2.25.1 + diff --git a/queue-4.14/x86-mce-inject-fix-a-wrong-assignment-of-i_mce.statu.patch b/queue-4.14/x86-mce-inject-fix-a-wrong-assignment-of-i_mce.statu.patch new file mode 100644 index 00000000000..3db7d9a2003 --- /dev/null +++ b/queue-4.14/x86-mce-inject-fix-a-wrong-assignment-of-i_mce.statu.patch @@ -0,0 +1,38 @@ +From 3ff82d250b2854bc316fca0395d69719b481adc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jun 2020 10:32:38 +0800 +Subject: x86/mce/inject: Fix a wrong assignment of i_mce.status + +From: Zhenzhong Duan + +[ Upstream commit 5d7f7d1d5e01c22894dee7c9c9266500478dca99 ] + +The original code is a nop as i_mce.status is or'ed with part of itself, +fix it. + +Fixes: a1300e505297 ("x86/ras/mce_amd_inj: Trigger deferred and thresholding errors interrupts") +Signed-off-by: Zhenzhong Duan +Signed-off-by: Borislav Petkov +Acked-by: Yazen Ghannam +Link: https://lkml.kernel.org/r/20200611023238.3830-1-zhenzhong.duan@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c +index e57b59762f9f5..94aa91b09c288 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c ++++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c +@@ -518,7 +518,7 @@ static void do_inject(void) + */ + if (inj_type == DFR_INT_INJ) { + i_mce.status |= MCI_STATUS_DEFERRED; +- i_mce.status |= (i_mce.status & ~MCI_STATUS_UC); ++ i_mce.status &= ~MCI_STATUS_UC; + } + + /* +-- +2.25.1 + diff --git a/queue-4.14/xfs-fix-reflink-quota-reservation-accounting-error.patch b/queue-4.14/xfs-fix-reflink-quota-reservation-accounting-error.patch new file mode 100644 index 00000000000..d2564bd0cbd --- /dev/null +++ b/queue-4.14/xfs-fix-reflink-quota-reservation-accounting-error.patch @@ -0,0 +1,64 @@ +From d7665c8a23bf61c0f5a22990d7958109f13a2d80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 14:47:18 -0700 +Subject: xfs: fix reflink quota reservation accounting error + +From: Darrick J. Wong + +[ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ] + +Quota reservations are supposed to account for the blocks that might be +allocated due to a bmap btree split. Reflink doesn't do this, so fix +this to make the quota accounting more accurate before we start +rearranging things. + +Fixes: 862bb360ef56 ("xfs: reflink extents from one file to another") +Signed-off-by: Darrick J. Wong +Reviewed-by: Brian Foster +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_reflink.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c +index db7f9fdd20a30..4d37f1b59436c 100644 +--- a/fs/xfs/xfs_reflink.c ++++ b/fs/xfs/xfs_reflink.c +@@ -1076,6 +1076,7 @@ xfs_reflink_remap_extent( + xfs_filblks_t rlen; + xfs_filblks_t unmap_len; + xfs_off_t newlen; ++ int64_t qres; + int error; + + unmap_len = irec->br_startoff + irec->br_blockcount - destoff; +@@ -1098,13 +1099,19 @@ xfs_reflink_remap_extent( + xfs_ilock(ip, XFS_ILOCK_EXCL); + xfs_trans_ijoin(tp, ip, 0); + +- /* If we're not just clearing space, then do we have enough quota? */ +- if (real_extent) { +- error = xfs_trans_reserve_quota_nblks(tp, ip, +- irec->br_blockcount, 0, XFS_QMOPT_RES_REGBLKS); +- if (error) +- goto out_cancel; +- } ++ /* ++ * Reserve quota for this operation. We don't know if the first unmap ++ * in the dest file will cause a bmap btree split, so we always reserve ++ * at least enough blocks for that split. If the extent being mapped ++ * in is written, we need to reserve quota for that too. ++ */ ++ qres = XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK); ++ if (real_extent) ++ qres += irec->br_blockcount; ++ error = xfs_trans_reserve_quota_nblks(tp, ip, qres, 0, ++ XFS_QMOPT_RES_REGBLKS); ++ if (error) ++ goto out_cancel; + + trace_xfs_reflink_remap(ip, irec->br_startoff, + irec->br_blockcount, irec->br_startblock); +-- +2.25.1 +