From: Sasha Levin Date: Wed, 12 May 2021 11:50:04 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.4.119~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3146646f53d16b210b0bc843463e1c32d8979001;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-cppc-replace-cppc_attr-with-kobj_attribute.patch b/queue-4.14/acpi-cppc-replace-cppc_attr-with-kobj_attribute.patch new file mode 100644 index 00000000000..57ba5ac7065 --- /dev/null +++ b/queue-4.14/acpi-cppc-replace-cppc_attr-with-kobj_attribute.patch @@ -0,0 +1,90 @@ +From 712a0441fa92b465ae8f4eb142f8ff8f6a1cd387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 14:30:48 -0700 +Subject: ACPI: CPPC: Replace cppc_attr with kobj_attribute + +From: Nathan Chancellor + +[ Upstream commit 2bc6262c6117dd18106d5aa50d53e945b5d99c51 ] + +All of the CPPC sysfs show functions are called via indirect call in +kobj_attr_show(), where they should be of type + +ssize_t (*show)(struct kobject *kobj, struct kobj_attribute *attr, char *buf); + +because that is the type of the ->show() member in +'struct kobj_attribute' but they are actually of type + +ssize_t (*show)(struct kobject *kobj, struct attribute *attr, char *buf); + +because of the ->show() member in 'struct cppc_attr', resulting in a +Control Flow Integrity violation [1]. + +$ cat /sys/devices/system/cpu/cpu0/acpi_cppc/highest_perf +3400 + +$ dmesg | grep "CFI failure" +[ 175.970559] CFI failure (target: show_highest_perf+0x0/0x8): + +As far as I can tell, the only difference between 'struct cppc_attr' +and 'struct kobj_attribute' aside from the type of the attr parameter +is the type of the count parameter in the ->store() member (ssize_t vs. +size_t), which does not actually matter because all of these nodes are +read-only. + +Eliminate 'struct cppc_attr' in favor of 'struct kobj_attribute' to fix +the violation. + +[1]: https://lore.kernel.org/r/20210401233216.2540591-1-samitolvanen@google.com/ + +Fixes: 158c998ea44b ("ACPI / CPPC: add sysfs support to compute delivered performance") +Link: https://github.com/ClangBuiltLinux/linux/issues/1343 +Signed-off-by: Nathan Chancellor +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/cppc_acpi.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c +index 732549ee1fe3..5b2e58cbeb35 100644 +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -118,23 +118,15 @@ static DEFINE_PER_CPU(struct cpc_desc *, cpc_desc_ptr); + */ + #define NUM_RETRIES 500 + +-struct cppc_attr { +- struct attribute attr; +- ssize_t (*show)(struct kobject *kobj, +- struct attribute *attr, char *buf); +- ssize_t (*store)(struct kobject *kobj, +- struct attribute *attr, const char *c, ssize_t count); +-}; +- + #define define_one_cppc_ro(_name) \ +-static struct cppc_attr _name = \ ++static struct kobj_attribute _name = \ + __ATTR(_name, 0444, show_##_name, NULL) + + #define to_cpc_desc(a) container_of(a, struct cpc_desc, kobj) + + #define show_cppc_data(access_fn, struct_name, member_name) \ + static ssize_t show_##member_name(struct kobject *kobj, \ +- struct attribute *attr, char *buf) \ ++ struct kobj_attribute *attr, char *buf) \ + { \ + struct cpc_desc *cpc_ptr = to_cpc_desc(kobj); \ + struct struct_name st_name = {0}; \ +@@ -157,7 +149,7 @@ show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, reference_perf); + show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time); + + static ssize_t show_feedback_ctrs(struct kobject *kobj, +- struct attribute *attr, char *buf) ++ struct kobj_attribute *attr, char *buf) + { + struct cpc_desc *cpc_ptr = to_cpc_desc(kobj); + struct cppc_perf_fb_ctrs fb_ctrs = {0}; +-- +2.30.2 + diff --git a/queue-4.14/alsa-core-remove-redundant-spin_lock-pair-in-snd_car.patch b/queue-4.14/alsa-core-remove-redundant-spin_lock-pair-in-snd_car.patch new file mode 100644 index 00000000000..30ff246d25b --- /dev/null +++ b/queue-4.14/alsa-core-remove-redundant-spin_lock-pair-in-snd_car.patch @@ -0,0 +1,40 @@ +From 487d590e2d829b3f81f956d36f275c7fc17adf10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 13:19:23 +0200 +Subject: ALSA: core: remove redundant spin_lock pair in snd_card_disconnect + +From: Jia Zhou + +[ Upstream commit abc21649b3e5c34b143bf86f0c78e33d5815e250 ] + +modification in commit 2a3f7221acdd ("ALSA: core: Fix card races between +register and disconnect") resulting in this problem. + +Fixes: 2a3f7221acdd ("ALSA: core: Fix card races between register and disconnect") +Signed-off-by: Jia Zhou +Signed-off-by: Yi Wang +Link: https://lore.kernel.org/r/1616989007-34429-1-git-send-email-wang.yi59@zte.com.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/init.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/sound/core/init.c b/sound/core/init.c +index dcb9199f5e4f..7fdeae4dc820 100644 +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -404,10 +404,8 @@ int snd_card_disconnect(struct snd_card *card) + return 0; + } + card->shutdown = 1; +- spin_unlock(&card->files_lock); + + /* replace file->f_op with special dummy operations */ +- spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ + /* we have no room to fail */ +-- +2.30.2 + diff --git a/queue-4.14/alsa-usb-audio-add-error-checks-for-usb_driver_claim.patch b/queue-4.14/alsa-usb-audio-add-error-checks-for-usb_driver_claim.patch new file mode 100644 index 00000000000..7e026082c7b --- /dev/null +++ b/queue-4.14/alsa-usb-audio-add-error-checks-for-usb_driver_claim.patch @@ -0,0 +1,136 @@ +From ad1e2074e486b00c83708e8f296bea79e3f30aab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 13:35:34 +0200 +Subject: ALSA: usb-audio: Add error checks for usb_driver_claim_interface() + calls + +From: Takashi Iwai + +[ Upstream commit 5fb45414ae03421255593fd5556aa2d1d82303aa ] + +There are a few calls of usb_driver_claim_interface() but all of those +miss the proper error checks, as reported by Coverity. This patch +adds those missing checks. + +Along with it, replace the magic pointer with -1 with a constant +USB_AUDIO_IFACE_UNUSED for better readability. + +Reported-by: coverity-bot +Addresses-Coverity-ID: 1475943 ("Error handling issues") +Addresses-Coverity-ID: 1475944 ("Error handling issues") +Addresses-Coverity-ID: 1475945 ("Error handling issues") +Fixes: b1ce7ba619d9 ("ALSA: usb-audio: claim autodetected PCM interfaces all at once") +Fixes: e5779998bf8b ("ALSA: usb-audio: refactor code") +Link: https://lore.kernel.org/r/202104051059.FB7F3016@keescook +Link: https://lore.kernel.org/r/20210406113534.30455-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/card.c | 14 +++++++------- + sound/usb/quirks.c | 16 ++++++++++++---- + sound/usb/usbaudio.h | 2 ++ + 3 files changed, 21 insertions(+), 11 deletions(-) + +diff --git a/sound/usb/card.c b/sound/usb/card.c +index 721f91f5766d..1a1cb73360a4 100644 +--- a/sound/usb/card.c ++++ b/sound/usb/card.c +@@ -183,9 +183,8 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int + ctrlif, interface); + return -EINVAL; + } +- usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L); +- +- return 0; ++ return usb_driver_claim_interface(&usb_audio_driver, iface, ++ USB_AUDIO_IFACE_UNUSED); + } + + if ((altsd->bInterfaceClass != USB_CLASS_AUDIO && +@@ -205,7 +204,8 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int + + if (! snd_usb_parse_audio_interface(chip, interface)) { + usb_set_interface(dev, interface, 0); /* reset the current interface */ +- usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L); ++ return usb_driver_claim_interface(&usb_audio_driver, iface, ++ USB_AUDIO_IFACE_UNUSED); + } + + return 0; +@@ -665,7 +665,7 @@ static void usb_audio_disconnect(struct usb_interface *intf) + struct snd_card *card; + struct list_head *p; + +- if (chip == (void *)-1L) ++ if (chip == USB_AUDIO_IFACE_UNUSED) + return; + + card = chip->card; +@@ -765,7 +765,7 @@ static int usb_audio_suspend(struct usb_interface *intf, pm_message_t message) + struct usb_mixer_interface *mixer; + struct list_head *p; + +- if (chip == (void *)-1L) ++ if (chip == USB_AUDIO_IFACE_UNUSED) + return 0; + + if (!chip->num_suspended_intf++) { +@@ -795,7 +795,7 @@ static int __usb_audio_resume(struct usb_interface *intf, bool reset_resume) + struct list_head *p; + int err = 0; + +- if (chip == (void *)-1L) ++ if (chip == USB_AUDIO_IFACE_UNUSED) + return 0; + + atomic_inc(&chip->active); /* avoid autopm */ +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 6fc9ad067d82..182c9de4f255 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -66,8 +66,12 @@ static int create_composite_quirk(struct snd_usb_audio *chip, + if (!iface) + continue; + if (quirk->ifnum != probed_ifnum && +- !usb_interface_claimed(iface)) +- usb_driver_claim_interface(driver, iface, (void *)-1L); ++ !usb_interface_claimed(iface)) { ++ err = usb_driver_claim_interface(driver, iface, ++ USB_AUDIO_IFACE_UNUSED); ++ if (err < 0) ++ return err; ++ } + } + + return 0; +@@ -398,8 +402,12 @@ static int create_autodetect_quirks(struct snd_usb_audio *chip, + continue; + + err = create_autodetect_quirk(chip, iface, driver); +- if (err >= 0) +- usb_driver_claim_interface(driver, iface, (void *)-1L); ++ if (err >= 0) { ++ err = usb_driver_claim_interface(driver, iface, ++ USB_AUDIO_IFACE_UNUSED); ++ if (err < 0) ++ return err; ++ } + } + + return 0; +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h +index f4ee83c8e0b2..62456a806bb4 100644 +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -63,6 +63,8 @@ struct snd_usb_audio { + struct usb_host_interface *ctrl_intf; /* the audio control interface */ + }; + ++#define USB_AUDIO_IFACE_UNUSED ((void *)-1L) ++ + #define usb_audio_err(chip, fmt, args...) \ + dev_err(&(chip)->dev->dev, fmt, ##args) + #define usb_audio_warn(chip, fmt, args...) \ +-- +2.30.2 + diff --git a/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch new file mode 100644 index 00000000000..3ca0a2cfa7c --- /dev/null +++ b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch @@ -0,0 +1,42 @@ +From 93a7b12acca1df5256a1acd3b0460b80c429d39b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:25:22 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid X/U3 + family + +From: Krzysztof Kozlowski + +[ Upstream commit 6503c568e97a52f8b7a3109718db438e52e59485 ] + +The Maxim PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Additionally, the interrupt line is shared so using level sensitive +interrupt is here especially important to avoid races. + +Fixes: eea6653aae7b ("ARM: dts: Enable PMIC interrupts for exynos4412-odroid-common") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201210212534.216197-6-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos4412-odroid-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos4412-odroid-common.dtsi b/arch/arm/boot/dts/exynos4412-odroid-common.dtsi +index 0d516529bf54..8735c5428677 100644 +--- a/arch/arm/boot/dts/exynos4412-odroid-common.dtsi ++++ b/arch/arm/boot/dts/exynos4412-odroid-common.dtsi +@@ -265,7 +265,7 @@ + max77686: pmic@09 { + compatible = "maxim,max77686"; + interrupt-parent = <&gpx3>; +- interrupts = <2 IRQ_TYPE_NONE>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + pinctrl-names = "default"; + pinctrl-0 = <&max77686_irq>; + reg = <0x09>; +-- +2.30.2 + diff --git a/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-28183 b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-28183 new file mode 100644 index 00000000000..65255aae675 --- /dev/null +++ b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-28183 @@ -0,0 +1,41 @@ +From d48d38d55e2917fa42be658f601f78963204c485 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:25:24 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250 + +From: Krzysztof Kozlowski + +[ Upstream commit f6368c60561370e4a92fac22982a3bd656172170 ] + +The Maxim PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Additionally, the interrupt line is shared so using level sensitive +interrupt is here especially important to avoid races. + +Fixes: 47580e8d94c2 ("ARM: dts: Specify MAX77686 pmic interrupt for exynos5250-smdk5250") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201210212534.216197-8-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5250-smdk5250.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5250-smdk5250.dts b/arch/arm/boot/dts/exynos5250-smdk5250.dts +index 062cba4c2c31..5065e6bf3778 100644 +--- a/arch/arm/boot/dts/exynos5250-smdk5250.dts ++++ b/arch/arm/boot/dts/exynos5250-smdk5250.dts +@@ -133,7 +133,7 @@ + compatible = "maxim,max77686"; + reg = <0x09>; + interrupt-parent = <&gpx3>; +- interrupts = <2 IRQ_TYPE_NONE>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + pinctrl-names = "default"; + pinctrl-0 = <&max77686_irq>; + wakeup-source; +-- +2.30.2 + diff --git a/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-2983 b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-2983 new file mode 100644 index 00000000000..c5e91f7627c --- /dev/null +++ b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-2983 @@ -0,0 +1,41 @@ +From ab0781013348c87ed43acc4d7d00e6ddc771d3d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:25:25 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Snow + +From: Krzysztof Kozlowski + +[ Upstream commit 8987efbb17c2522be8615085df9a14da2ab53d34 ] + +The Maxim PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Additionally, the interrupt line is shared so using level sensitive +interrupt is here especially important to avoid races. + +Fixes: c61248afa819 ("ARM: dts: Add max77686 RTC interrupt to cros5250-common") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201210212534.216197-9-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5250-snow-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5250-snow-common.dtsi b/arch/arm/boot/dts/exynos5250-snow-common.dtsi +index 8788880e459d..134e6e54447f 100644 +--- a/arch/arm/boot/dts/exynos5250-snow-common.dtsi ++++ b/arch/arm/boot/dts/exynos5250-snow-common.dtsi +@@ -284,7 +284,7 @@ + max77686: max77686@09 { + compatible = "maxim,max77686"; + interrupt-parent = <&gpx3>; +- interrupts = <2 IRQ_TYPE_NONE>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + pinctrl-names = "default"; + pinctrl-0 = <&max77686_irq>; + wakeup-source; +-- +2.30.2 + diff --git a/queue-4.14/ata-libahci_platform-fix-irq-check.patch b/queue-4.14/ata-libahci_platform-fix-irq-check.patch new file mode 100644 index 00000000000..d4c572b90b7 --- /dev/null +++ b/queue-4.14/ata-libahci_platform-fix-irq-check.patch @@ -0,0 +1,44 @@ +From 6703af801e56265603f179b4dd24cec575222548 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 23:15:06 +0300 +Subject: ata: libahci_platform: fix IRQ check + +From: Sergey Shtylyov + +[ Upstream commit b30d0040f06159de97ad9c0b1536f47250719d7d ] + +Iff platform_get_irq() returns 0, ahci_platform_init_host() would return 0 +early (as if the call was successful). Override IRQ0 with -EINVAL instead +as the 'libata' regards 0 as "no IRQ" (thus polling) anyway... + +Fixes: c034640a32f8 ("ata: libahci: properly propagate return value of platform_get_irq()") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/4448c8cc-331f-2915-0e17-38ea34e251c8@omprussia.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libahci_platform.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c +index 5929672b809e..19d495244ce8 100644 +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -518,11 +518,13 @@ int ahci_platform_init_host(struct platform_device *pdev, + int i, irq, n_ports, rc; + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) { ++ if (irq < 0) { + if (irq != -EPROBE_DEFER) + dev_err(dev, "no irq\n"); + return irq; + } ++ if (!irq) ++ return -EINVAL; + + hpriv->irq = irq; + +-- +2.30.2 + diff --git a/queue-4.14/ath9k-fix-error-check-in-ath9k_hw_read_revisions-for.patch b/queue-4.14/ath9k-fix-error-check-in-ath9k_hw_read_revisions-for.patch new file mode 100644 index 00000000000..7b5227e4fb9 --- /dev/null +++ b/queue-4.14/ath9k-fix-error-check-in-ath9k_hw_read_revisions-for.patch @@ -0,0 +1,61 @@ +From a7069fe39f638ce00c7309869e4f858beaca8ae4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Mar 2021 19:08:19 +0100 +Subject: ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 7dd9a40fd6e0d0f1fd8e1931c007e080801dfdce ] + +When the error check in ath9k_hw_read_revisions() was added, it checked for +-EIO which is what ath9k_regread() in the ath9k_htc driver uses. However, +for plain ath9k, the register read function uses ioread32(), which just +returns -1 on error. So if such a read fails, it still gets passed through +and ends up as a weird mac revision in the log output. + +Fix this by changing ath9k_regread() to return -1 on error like ioread32() +does, and fix the error check to look for that instead of -EIO. + +Fixes: 2f90c7e5d094 ("ath9k: Check for errors when reading SREV register") +Signed-off-by: Toke Høiland-Jørgensen +Reviewed-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210326180819.142480-1-toke@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_init.c | 2 +- + drivers/net/wireless/ath/ath9k/hw.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c +index 66ef5cf16450..88e3b4a4de31 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c +@@ -246,7 +246,7 @@ static unsigned int ath9k_regread(void *hw_priv, u32 reg_offset) + if (unlikely(r)) { + ath_dbg(common, WMI, "REGISTER READ FAILED: (0x%04x, %d)\n", + reg_offset, r); +- return -EIO; ++ return -1; + } + + return be32_to_cpu(val); +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index 406b52f114f0..933d4f49d6b0 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -285,7 +285,7 @@ static bool ath9k_hw_read_revisions(struct ath_hw *ah) + + srev = REG_READ(ah, AR_SREV); + +- if (srev == -EIO) { ++ if (srev == -1) { + ath_err(ath9k_hw_common(ah), + "Failed to read SREV register"); + return false; +-- +2.30.2 + diff --git a/queue-4.14/bug-remove-redundant-condition-check-in-report_bug.patch b/queue-4.14/bug-remove-redundant-condition-check-in-report_bug.patch new file mode 100644 index 00000000000..a2aa81bd2e1 --- /dev/null +++ b/queue-4.14/bug-remove-redundant-condition-check-in-report_bug.patch @@ -0,0 +1,79 @@ +From c0e805acb9dcc13fc2ee914b6d1d5805e54a4101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 14:33:07 +0000 +Subject: bug: Remove redundant condition check in report_bug + +From: Andrew Scull + +[ Upstream commit 3ad1a6cb0abc63d036fc866bd7c2c5983516dec5 ] + +report_bug() will return early if it cannot find a bug corresponding to +the provided address. The subsequent test for the bug will always be +true so remove it. + +Fixes: 1b4cfe3c0a30d ("lib/bug.c: exclude non-BUG/WARN exceptions from report_bug()") +Signed-off-by: Andrew Scull +Cc: Peter Zijlstra +Cc: "Steven Rostedt (VMware)" +Reviewed-by: Steven Rostedt (VMware) +Acked-by: Will Deacon +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210318143311.839894-2-ascull@google.com +Signed-off-by: Sasha Levin +--- + lib/bug.c | 33 +++++++++++++++------------------ + 1 file changed, 15 insertions(+), 18 deletions(-) + +diff --git a/lib/bug.c b/lib/bug.c +index d2c9a099561a..cabecce6ffa7 100644 +--- a/lib/bug.c ++++ b/lib/bug.c +@@ -155,30 +155,27 @@ enum bug_trap_type report_bug(unsigned long bugaddr, struct pt_regs *regs) + + file = NULL; + line = 0; +- warning = 0; + +- if (bug) { + #ifdef CONFIG_DEBUG_BUGVERBOSE + #ifndef CONFIG_GENERIC_BUG_RELATIVE_POINTERS +- file = bug->file; ++ file = bug->file; + #else +- file = (const char *)bug + bug->file_disp; ++ file = (const char *)bug + bug->file_disp; + #endif +- line = bug->line; ++ line = bug->line; + #endif +- warning = (bug->flags & BUGFLAG_WARNING) != 0; +- once = (bug->flags & BUGFLAG_ONCE) != 0; +- done = (bug->flags & BUGFLAG_DONE) != 0; +- +- if (warning && once) { +- if (done) +- return BUG_TRAP_TYPE_WARN; +- +- /* +- * Since this is the only store, concurrency is not an issue. +- */ +- bug->flags |= BUGFLAG_DONE; +- } ++ warning = (bug->flags & BUGFLAG_WARNING) != 0; ++ once = (bug->flags & BUGFLAG_ONCE) != 0; ++ done = (bug->flags & BUGFLAG_DONE) != 0; ++ ++ if (warning && once) { ++ if (done) ++ return BUG_TRAP_TYPE_WARN; ++ ++ /* ++ * Since this is the only store, concurrency is not an issue. ++ */ ++ bug->flags |= BUGFLAG_DONE; + } + + if (warning) { +-- +2.30.2 + diff --git a/queue-4.14/bus-qcom-put-child-node-before-return.patch b/queue-4.14/bus-qcom-put-child-node-before-return.patch new file mode 100644 index 00000000000..2bac3a8870b --- /dev/null +++ b/queue-4.14/bus-qcom-put-child-node-before-return.patch @@ -0,0 +1,43 @@ +From 321cc7eb97fe5af86960ccc8cf86528f4f88e5d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 03:49:07 -0800 +Subject: bus: qcom: Put child node before return + +From: Pan Bian + +[ Upstream commit ac6ad7c2a862d682bb584a4bc904d89fa7721af8 ] + +Put child node before return to fix potential reference count leak. +Generally, the reference count of child is incremented and decremented +automatically in the macro for_each_available_child_of_node() and should +be decremented manually if the loop is broken in loop body. + +Reviewed-by: Linus Walleij +Fixes: 335a12754808 ("bus: qcom: add EBI2 driver") +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/20210121114907.109267-1-bianpan2016@163.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/bus/qcom-ebi2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/qcom-ebi2.c b/drivers/bus/qcom-ebi2.c +index a6444244c411..bfb67aa00bec 100644 +--- a/drivers/bus/qcom-ebi2.c ++++ b/drivers/bus/qcom-ebi2.c +@@ -357,8 +357,10 @@ static int qcom_ebi2_probe(struct platform_device *pdev) + + /* Figure out the chipselect */ + ret = of_property_read_u32(child, "reg", &csindex); +- if (ret) ++ if (ret) { ++ of_node_put(child); + return ret; ++ } + + if (csindex > 5) { + dev_err(dev, +-- +2.30.2 + diff --git a/queue-4.14/clk-uniphier-fix-potential-infinite-loop.patch b/queue-4.14/clk-uniphier-fix-potential-infinite-loop.patch new file mode 100644 index 00000000000..b9c8a139677 --- /dev/null +++ b/queue-4.14/clk-uniphier-fix-potential-infinite-loop.patch @@ -0,0 +1,47 @@ +From 8135ed189d9310b1dd873c947c57465a34c162c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 10:01:03 +0100 +Subject: clk: uniphier: Fix potential infinite loop + +From: Colin Ian King + +[ Upstream commit f6b1340dc751a6caa2a0567b667d0f4f4172cd58 ] + +The for-loop iterates with a u8 loop counter i and compares this +with the loop upper limit of num_parents that is an int type. +There is a potential infinite loop if num_parents is larger than +the u8 loop counter. Fix this by making the loop counter the same +type as num_parents. Also make num_parents an unsigned int to +match the return type of the call to clk_hw_get_num_parents. + +Addresses-Coverity: ("Infinite loop") +Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver") +Signed-off-by: Colin Ian King +Reviewed-by: Masahiro Yamada +Link: https://lore.kernel.org/r/20210409090104.629722-1-colin.king@canonical.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/uniphier/clk-uniphier-mux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/uniphier/clk-uniphier-mux.c b/drivers/clk/uniphier/clk-uniphier-mux.c +index 2c243a894f3b..3a52ab968ac2 100644 +--- a/drivers/clk/uniphier/clk-uniphier-mux.c ++++ b/drivers/clk/uniphier/clk-uniphier-mux.c +@@ -40,10 +40,10 @@ static int uniphier_clk_mux_set_parent(struct clk_hw *hw, u8 index) + static u8 uniphier_clk_mux_get_parent(struct clk_hw *hw) + { + struct uniphier_clk_mux *mux = to_uniphier_clk_mux(hw); +- int num_parents = clk_hw_get_num_parents(hw); ++ unsigned int num_parents = clk_hw_get_num_parents(hw); + int ret; + unsigned int val; +- u8 i; ++ unsigned int i; + + ret = regmap_read(mux->regmap, mux->reg, &val); + if (ret) +-- +2.30.2 + diff --git a/queue-4.14/crypto-qat-adf_status_pf_running-should-be-set-after.patch b/queue-4.14/crypto-qat-adf_status_pf_running-should-be-set-after.patch new file mode 100644 index 00000000000..9fb0daf9224 --- /dev/null +++ b/queue-4.14/crypto-qat-adf_status_pf_running-should-be-set-after.patch @@ -0,0 +1,96 @@ +From 201686c428ae04f57893469af2d49e78d5d0ca8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 23:40:00 -0400 +Subject: crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init + +From: Tong Zhang + +[ Upstream commit 8609f5cfdc872fc3a462efa6a3eca5cb1e2f6446 ] + +ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown() +before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the +vf2pf_lock is initialized in adf_dev_init(), which can fail and when it +fail, the vf2pf_lock is either not initialized or destroyed, a subsequent +use of vf2pf_lock will cause issue. +To fix this issue, only set this flag if adf_dev_init() returns 0. + +[ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0 +[ 7.180345] Call Trace: +[ 7.182576] mutex_lock+0xc9/0xd0 +[ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat] +[ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat] +[ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat] +[ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf] + +Signed-off-by: Tong Zhang +Reviewed-by: Andy Shevchenko +Fixes: 25c6ffb249f6 ("crypto: qat - check if PF is running") +Acked-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_c3xxxvf/adf_drv.c | 4 ++-- + drivers/crypto/qat/qat_c62xvf/adf_drv.c | 4 ++-- + drivers/crypto/qat/qat_dh895xccvf/adf_drv.c | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c +index 613c7d5644ce..e87b7c466bdb 100644 +--- a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c +@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (ret) + goto out_err_free_reg; + +- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status); +- + ret = adf_dev_init(accel_dev); + if (ret) + goto out_err_dev_shutdown; + ++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status); ++ + ret = adf_dev_start(accel_dev); + if (ret) + goto out_err_dev_stop; +diff --git a/drivers/crypto/qat/qat_c62xvf/adf_drv.c b/drivers/crypto/qat/qat_c62xvf/adf_drv.c +index 278452b8ef81..a8f3f2ecae70 100644 +--- a/drivers/crypto/qat/qat_c62xvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_c62xvf/adf_drv.c +@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (ret) + goto out_err_free_reg; + +- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status); +- + ret = adf_dev_init(accel_dev); + if (ret) + goto out_err_dev_shutdown; + ++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status); ++ + ret = adf_dev_start(accel_dev); + if (ret) + goto out_err_dev_stop; +diff --git a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c +index 3da0f951cb59..1b954abf67fb 100644 +--- a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c ++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c +@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (ret) + goto out_err_free_reg; + +- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status); +- + ret = adf_dev_init(accel_dev); + if (ret) + goto out_err_dev_shutdown; + ++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status); ++ + ret = adf_dev_start(accel_dev); + if (ret) + goto out_err_dev_stop; +-- +2.30.2 + diff --git a/queue-4.14/crypto-qat-don-t-release-uninitialized-resources.patch b/queue-4.14/crypto-qat-don-t-release-uninitialized-resources.patch new file mode 100644 index 00000000000..f77b003e611 --- /dev/null +++ b/queue-4.14/crypto-qat-don-t-release-uninitialized-resources.patch @@ -0,0 +1,68 @@ +From 63e9c541c21898cde5b4c9abe26f83e3e955c718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 23:39:59 -0400 +Subject: crypto: qat - don't release uninitialized resources + +From: Tong Zhang + +[ Upstream commit b66accaab3791e15ac99c92f236d0d3a6d5bd64e ] + +adf_vf_isr_resource_alloc() is not unwinding correctly when error +happens and it want to release uninitialized resources. +To fix this, only release initialized resources. + +[ 1.792845] Trying to free already-free IRQ 11 +[ 1.793091] WARNING: CPU: 0 PID: 182 at kernel/irq/manage.c:1821 free_irq+0x202/0x380 +[ 1.801340] Call Trace: +[ 1.801477] adf_vf_isr_resource_free+0x32/0xb0 [intel_qat] +[ 1.801785] adf_vf_isr_resource_alloc+0x14d/0x150 [intel_qat] +[ 1.802105] adf_dev_init+0xba/0x140 [intel_qat] + +Signed-off-by: Tong Zhang +Reviewed-by: Andy Shevchenko +Fixes: dd0f368398ea ("crypto: qat - Add qat dh895xcc VF driver") +Acked-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_vf_isr.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c +index 4a73fc70f7a9..df9a1f35b832 100644 +--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c ++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c +@@ -304,17 +304,26 @@ int adf_vf_isr_resource_alloc(struct adf_accel_dev *accel_dev) + goto err_out; + + if (adf_setup_pf2vf_bh(accel_dev)) +- goto err_out; ++ goto err_disable_msi; + + if (adf_setup_bh(accel_dev)) +- goto err_out; ++ goto err_cleanup_pf2vf_bh; + + if (adf_request_msi_irq(accel_dev)) +- goto err_out; ++ goto err_cleanup_bh; + + return 0; ++ ++err_cleanup_bh: ++ adf_cleanup_bh(accel_dev); ++ ++err_cleanup_pf2vf_bh: ++ adf_cleanup_pf2vf_bh(accel_dev); ++ ++err_disable_msi: ++ adf_disable_msi(accel_dev); ++ + err_out: +- adf_vf_isr_resource_free(accel_dev); + return -EFAULT; + } + EXPORT_SYMBOL_GPL(adf_vf_isr_resource_alloc); +-- +2.30.2 + diff --git a/queue-4.14/crypto-qat-fix-a-double-free-in-adf_create_ring.patch b/queue-4.14/crypto-qat-fix-a-double-free-in-adf_create_ring.patch new file mode 100644 index 00000000000..5e197a73fb7 --- /dev/null +++ b/queue-4.14/crypto-qat-fix-a-double-free-in-adf_create_ring.patch @@ -0,0 +1,40 @@ +From 383b97f6918793dc544425aaa796d383cad60fbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 10:13:48 -0700 +Subject: crypto: qat - Fix a double free in adf_create_ring + +From: Lv Yunlong + +[ Upstream commit f7cae626cabb3350b23722b78fe34dd7a615ca04 ] + +In adf_create_ring, if the callee adf_init_ring() failed, the callee will +free the ring->base_addr by dma_free_coherent() and return -EFAULT. Then +adf_create_ring will goto err and the ring->base_addr will be freed again +in adf_cleanup_ring(). + +My patch sets ring->base_addr to NULL after the first freed to avoid the +double free. + +Fixes: a672a9dc872ec ("crypto: qat - Intel(R) QAT transport code") +Signed-off-by: Lv Yunlong +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_transport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/qat/qat_common/adf_transport.c b/drivers/crypto/qat/qat_common/adf_transport.c +index 57d2622728a5..4c0067f8c079 100644 +--- a/drivers/crypto/qat/qat_common/adf_transport.c ++++ b/drivers/crypto/qat/qat_common/adf_transport.c +@@ -197,6 +197,7 @@ static int adf_init_ring(struct adf_etr_ring_data *ring) + dev_err(&GET_DEV(accel_dev), "Ring address not aligned\n"); + dma_free_coherent(&GET_DEV(accel_dev), ring_size_bytes, + ring->base_addr, ring->dma_addr); ++ ring->base_addr = NULL; + return -EFAULT; + } + +-- +2.30.2 + diff --git a/queue-4.14/crypto-qat-fix-error-path-in-adf_isr_resource_alloc.patch b/queue-4.14/crypto-qat-fix-error-path-in-adf_isr_resource_alloc.patch new file mode 100644 index 00000000000..7dddfba45ce --- /dev/null +++ b/queue-4.14/crypto-qat-fix-error-path-in-adf_isr_resource_alloc.patch @@ -0,0 +1,70 @@ +From e4bcb4d518a2c73582a17ab9ae6c0aad4c60354c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 08:34:18 +0000 +Subject: crypto: qat - fix error path in adf_isr_resource_alloc() + +From: Giovanni Cabiddu + +[ Upstream commit 83dc1173d73f80cbce2fee4d308f51f87b2f26ae ] + +The function adf_isr_resource_alloc() is not unwinding correctly in case +of error. +This patch fixes the error paths and propagate the errors to the caller. + +Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Marco Chiappero +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_isr.c | 29 ++++++++++++++++++------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_isr.c b/drivers/crypto/qat/qat_common/adf_isr.c +index 06d49017a52b..2c0be14309cf 100644 +--- a/drivers/crypto/qat/qat_common/adf_isr.c ++++ b/drivers/crypto/qat/qat_common/adf_isr.c +@@ -330,19 +330,32 @@ int adf_isr_resource_alloc(struct adf_accel_dev *accel_dev) + + ret = adf_isr_alloc_msix_entry_table(accel_dev); + if (ret) +- return ret; +- if (adf_enable_msix(accel_dev)) + goto err_out; + +- if (adf_setup_bh(accel_dev)) +- goto err_out; ++ ret = adf_enable_msix(accel_dev); ++ if (ret) ++ goto err_free_msix_table; + +- if (adf_request_irqs(accel_dev)) +- goto err_out; ++ ret = adf_setup_bh(accel_dev); ++ if (ret) ++ goto err_disable_msix; ++ ++ ret = adf_request_irqs(accel_dev); ++ if (ret) ++ goto err_cleanup_bh; + + return 0; ++ ++err_cleanup_bh: ++ adf_cleanup_bh(accel_dev); ++ ++err_disable_msix: ++ adf_disable_msix(&accel_dev->accel_pci_dev); ++ ++err_free_msix_table: ++ adf_isr_free_msix_entry_table(accel_dev); ++ + err_out: +- adf_isr_resource_free(accel_dev); +- return -EFAULT; ++ return ret; + } + EXPORT_SYMBOL_GPL(adf_isr_resource_alloc); +-- +2.30.2 + diff --git a/queue-4.14/drivers-hv-vmbus-increase-wait-time-for-vmbus-unload.patch b/queue-4.14/drivers-hv-vmbus-increase-wait-time-for-vmbus-unload.patch new file mode 100644 index 00000000000..2c6bc788dd6 --- /dev/null +++ b/queue-4.14/drivers-hv-vmbus-increase-wait-time-for-vmbus-unload.patch @@ -0,0 +1,98 @@ +From 936140000609131a4a08c301552ed27802d83a64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Apr 2021 21:48:09 -0700 +Subject: Drivers: hv: vmbus: Increase wait time for VMbus unload + +From: Michael Kelley + +[ Upstream commit 77db0ec8b7764cb9b09b78066ebfd47b2c0c1909 ] + +When running in Azure, disks may be connected to a Linux VM with +read/write caching enabled. If a VM panics and issues a VMbus +UNLOAD request to Hyper-V, the response is delayed until all dirty +data in the disk cache is flushed. In extreme cases, this flushing +can take 10's of seconds, depending on the disk speed and the amount +of dirty data. If kdump is configured for the VM, the current 10 second +timeout in vmbus_wait_for_unload() may be exceeded, and the UNLOAD +complete message may arrive well after the kdump kernel is already +running, causing problems. Note that no problem occurs if kdump is +not enabled because Hyper-V waits for the cache flush before doing +a reboot through the BIOS/UEFI code. + +Fix this problem by increasing the timeout in vmbus_wait_for_unload() +to 100 seconds. Also output periodic messages so that if anyone is +watching the serial console, they won't think the VM is completely +hung. + +Fixes: 911e1987efc8 ("Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload") +Signed-off-by: Michael Kelley +Reviewed-by: Vitaly Kuznetsov +Link: https://lore.kernel.org/r/1618894089-126662-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/channel_mgmt.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index 3891d3c2cc00..bd79d958f7d6 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -768,6 +768,12 @@ static void init_vp_index(struct vmbus_channel *channel, u16 dev_type) + free_cpumask_var(available_mask); + } + ++#define UNLOAD_DELAY_UNIT_MS 10 /* 10 milliseconds */ ++#define UNLOAD_WAIT_MS (100*1000) /* 100 seconds */ ++#define UNLOAD_WAIT_LOOPS (UNLOAD_WAIT_MS/UNLOAD_DELAY_UNIT_MS) ++#define UNLOAD_MSG_MS (5*1000) /* Every 5 seconds */ ++#define UNLOAD_MSG_LOOPS (UNLOAD_MSG_MS/UNLOAD_DELAY_UNIT_MS) ++ + static void vmbus_wait_for_unload(void) + { + int cpu; +@@ -785,12 +791,17 @@ static void vmbus_wait_for_unload(void) + * vmbus_connection.unload_event. If not, the last thing we can do is + * read message pages for all CPUs directly. + * +- * Wait no more than 10 seconds so that the panic path can't get +- * hung forever in case the response message isn't seen. ++ * Wait up to 100 seconds since an Azure host must writeback any dirty ++ * data in its disk cache before the VMbus UNLOAD request will ++ * complete. This flushing has been empirically observed to take up ++ * to 50 seconds in cases with a lot of dirty data, so allow additional ++ * leeway and for inaccuracies in mdelay(). But eventually time out so ++ * that the panic path can't get hung forever in case the response ++ * message isn't seen. + */ +- for (i = 0; i < 1000; i++) { ++ for (i = 1; i <= UNLOAD_WAIT_LOOPS; i++) { + if (completion_done(&vmbus_connection.unload_event)) +- break; ++ goto completed; + + for_each_online_cpu(cpu) { + struct hv_per_cpu_context *hv_cpu +@@ -813,9 +824,18 @@ static void vmbus_wait_for_unload(void) + vmbus_signal_eom(msg, message_type); + } + +- mdelay(10); ++ /* ++ * Give a notice periodically so someone watching the ++ * serial output won't think it is completely hung. ++ */ ++ if (!(i % UNLOAD_MSG_LOOPS)) ++ pr_notice("Waiting for VMBus UNLOAD to complete\n"); ++ ++ mdelay(UNLOAD_DELAY_UNIT_MS); + } ++ pr_err("Continuing even though VMBus UNLOAD did not complete\n"); + ++completed: + /* + * We're crashing and already got the UNLOAD_RESPONSE, cleanup all + * maybe-pending messages on all CPUs to be able to receive new +-- +2.30.2 + diff --git a/queue-4.14/firmware-qcom-scm-fix-qcom_scm-configuration.patch b/queue-4.14/firmware-qcom-scm-fix-qcom_scm-configuration.patch new file mode 100644 index 00000000000..d1a316bdde4 --- /dev/null +++ b/queue-4.14/firmware-qcom-scm-fix-qcom_scm-configuration.patch @@ -0,0 +1,47 @@ +From 932fe4ea2fd6fa07b7b50ed1a9351433dd596f0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 05:42:00 -0400 +Subject: firmware: qcom-scm: Fix QCOM_SCM configuration + +From: He Ying + +[ Upstream commit 2954a6f12f250890ec2433cec03ba92784d613e8 ] + +When CONFIG_QCOM_SCM is y and CONFIG_HAVE_ARM_SMCCC +is not set, compiling errors are encountered as follows: + +drivers/firmware/qcom_scm-smc.o: In function `__scm_smc_do_quirk': +qcom_scm-smc.c:(.text+0x36): undefined reference to `__arm_smccc_smc' +drivers/firmware/qcom_scm-legacy.o: In function `scm_legacy_call': +qcom_scm-legacy.c:(.text+0xe2): undefined reference to `__arm_smccc_smc' +drivers/firmware/qcom_scm-legacy.o: In function `scm_legacy_call_atomic': +qcom_scm-legacy.c:(.text+0x1f0): undefined reference to `__arm_smccc_smc' + +Note that __arm_smccc_smc is defined when HAVE_ARM_SMCCC is y. +So add dependency on HAVE_ARM_SMCCC in QCOM_SCM configuration. + +Fixes: 916f743da354 ("firmware: qcom: scm: Move the scm driver to drivers/firmware") +Reported-by: Hulk Robot +Signed-off-by: He Ying +Link: https://lore.kernel.org/r/20210406094200.60952-1-heying24@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/firmware/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index 42c4ff75281b..89c5f3651c3b 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -206,6 +206,7 @@ config FW_CFG_SYSFS_CMDLINE + config QCOM_SCM + bool + depends on ARM || ARM64 ++ depends on HAVE_ARM_SMCCC + select RESET_CONTROLLER + + config QCOM_SCM_32 +-- +2.30.2 + diff --git a/queue-4.14/fotg210-udc-complete-out-requests-on-short-packets.patch b/queue-4.14/fotg210-udc-complete-out-requests-on-short-packets.patch new file mode 100644 index 00000000000..ed52d13b1f2 --- /dev/null +++ b/queue-4.14/fotg210-udc-complete-out-requests-on-short-packets.patch @@ -0,0 +1,47 @@ +From f7e7777c5e7acc05a9cdf6161307c97d0094bcbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 15:11:15 +0100 +Subject: fotg210-udc: Complete OUT requests on short packets + +From: Fabian Vogt + +[ Upstream commit 75bb93be0027123b5db6cbcce89eb62f0f6b3c5b ] + +A short packet indicates the end of a transfer and marks the request as +complete. + +Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") +Signed-off-by: Fabian Vogt +Link: https://lore.kernel.org/r/20210324141115.9384-8-fabian@ritter-vogt.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fotg210-udc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c +index 315d0e485d32..9440973cdb44 100644 +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -856,12 +856,16 @@ static void fotg210_out_fifo_handler(struct fotg210_ep *ep) + { + struct fotg210_request *req = list_entry(ep->queue.next, + struct fotg210_request, queue); ++ int disgr1 = ioread32(ep->fotg210->reg + FOTG210_DISGR1); + + fotg210_start_dma(ep, req); + +- /* finish out transfer */ ++ /* Complete the request when it's full or a short packet arrived. ++ * Like other drivers, short_not_ok isn't handled. ++ */ ++ + if (req->req.length == req->req.actual || +- req->req.actual < ep->ep.maxpacket) ++ (disgr1 & DISGR1_SPK_INT(ep->epnum - 1))) + fotg210_done(ep, req, 0); + } + +-- +2.30.2 + diff --git a/queue-4.14/fotg210-udc-don-t-dma-more-than-the-buffer-can-take.patch b/queue-4.14/fotg210-udc-don-t-dma-more-than-the-buffer-can-take.patch new file mode 100644 index 00000000000..22cf6b4a6bb --- /dev/null +++ b/queue-4.14/fotg210-udc-don-t-dma-more-than-the-buffer-can-take.patch @@ -0,0 +1,40 @@ +From 03bd045b36aeca774312ce45909ea1d0508f8601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 15:11:14 +0100 +Subject: fotg210-udc: Don't DMA more than the buffer can take + +From: Fabian Vogt + +[ Upstream commit 3e7c2510bdfe89a9ec223dd7acd6bfc8bb1cbeb6 ] + +Before this, it wrote as much as available into the buffer, even if it +didn't fit. + +Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") +Signed-off-by: Fabian Vogt +Link: https://lore.kernel.org/r/20210324141115.9384-7-fabian@ritter-vogt.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fotg210-udc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c +index d25cf5d44121..315d0e485d32 100644 +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -340,8 +340,9 @@ static void fotg210_start_dma(struct fotg210_ep *ep, + } else { + buffer = req->req.buf + req->req.actual; + length = ioread32(ep->fotg210->reg + +- FOTG210_FIBCR(ep->epnum - 1)); +- length &= FIBCR_BCFX; ++ FOTG210_FIBCR(ep->epnum - 1)) & FIBCR_BCFX; ++ if (length > req->req.length - req->req.actual) ++ length = req->req.length - req->req.actual; + } + } else { + buffer = req->req.buf + req->req.actual; +-- +2.30.2 + diff --git a/queue-4.14/fotg210-udc-fix-dma-on-ep0-for-length-max-packet-siz.patch b/queue-4.14/fotg210-udc-fix-dma-on-ep0-for-length-max-packet-siz.patch new file mode 100644 index 00000000000..8c449b11543 --- /dev/null +++ b/queue-4.14/fotg210-udc-fix-dma-on-ep0-for-length-max-packet-siz.patch @@ -0,0 +1,40 @@ +From d85702f1ce79e3b26385d61468276eda4dcc5f98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 15:11:09 +0100 +Subject: fotg210-udc: Fix DMA on EP0 for length > max packet size + +From: Fabian Vogt + +[ Upstream commit 755915fc28edfc608fa89a163014acb2f31c1e19 ] + +For a 75 Byte request, it would send the first 64 separately, then detect +that the remaining 11 Byte fit into a single DMA, but due to this bug set +the length to the original 75 Bytes. This leads to a DMA failure (which is +ignored...) and the request completes without the remaining bytes having +been sent. + +Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") +Signed-off-by: Fabian Vogt +Link: https://lore.kernel.org/r/20210324141115.9384-2-fabian@ritter-vogt.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fotg210-udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c +index 6866a0be249e..bc79bf46acc4 100644 +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -348,7 +348,7 @@ static void fotg210_start_dma(struct fotg210_ep *ep, + if (req->req.length - req->req.actual > ep->ep.maxpacket) + length = ep->ep.maxpacket; + else +- length = req->req.length; ++ length = req->req.length - req->req.actual; + } + + d = dma_map_single(NULL, buffer, length, +-- +2.30.2 + diff --git a/queue-4.14/fotg210-udc-fix-ep0-in-requests-bigger-than-two-pack.patch b/queue-4.14/fotg210-udc-fix-ep0-in-requests-bigger-than-two-pack.patch new file mode 100644 index 00000000000..edb3a7962e2 --- /dev/null +++ b/queue-4.14/fotg210-udc-fix-ep0-in-requests-bigger-than-two-pack.patch @@ -0,0 +1,38 @@ +From edb94d562efebd045f7eb790f427afc69927d100 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 15:11:10 +0100 +Subject: fotg210-udc: Fix EP0 IN requests bigger than two packets + +From: Fabian Vogt + +[ Upstream commit 078ba935651e149c92c41161e0322e3372cc2705 ] + +For a 134 Byte packet, it sends the first two 64 Byte packets just fine, +but then notice that less than a packet is remaining and call fotg210_done +without actually sending the rest. + +Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") +Signed-off-by: Fabian Vogt +Link: https://lore.kernel.org/r/20210324141115.9384-3-fabian@ritter-vogt.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fotg210-udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c +index bc79bf46acc4..788ba50b223f 100644 +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -827,7 +827,7 @@ static void fotg210_ep0in(struct fotg210_udc *fotg210) + if (req->req.length) + fotg210_start_dma(ep, req); + +- if ((req->req.length - req->req.actual) < ep->ep.maxpacket) ++ if (req->req.actual == req->req.length) + fotg210_done(ep, req, 0); + } else { + fotg210_set_cxdone(fotg210); +-- +2.30.2 + diff --git a/queue-4.14/fotg210-udc-mask-grp2-interrupts-we-don-t-handle.patch b/queue-4.14/fotg210-udc-mask-grp2-interrupts-we-don-t-handle.patch new file mode 100644 index 00000000000..9f0646e2bd9 --- /dev/null +++ b/queue-4.14/fotg210-udc-mask-grp2-interrupts-we-don-t-handle.patch @@ -0,0 +1,42 @@ +From 2ce8756a1f8e60ff30c13085af9ae69fceb5e180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 15:11:12 +0100 +Subject: fotg210-udc: Mask GRP2 interrupts we don't handle + +From: Fabian Vogt + +[ Upstream commit 9aee3a23d6455200702f3a57e731fa11e8408667 ] + +Currently it leaves unhandled interrupts unmasked, but those are never +acked. In the case of a "device idle" interrupt, this leads to an +effectively frozen system until plugging it in. + +Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") +Signed-off-by: Fabian Vogt +Link: https://lore.kernel.org/r/20210324141115.9384-5-fabian@ritter-vogt.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fotg210-udc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c +index dcdf92415064..d25cf5d44121 100644 +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -1033,6 +1033,12 @@ static void fotg210_init(struct fotg210_udc *fotg210) + value &= ~DMCR_GLINT_EN; + iowrite32(value, fotg210->reg + FOTG210_DMCR); + ++ /* enable only grp2 irqs we handle */ ++ iowrite32(~(DISGR2_DMA_ERROR | DISGR2_RX0BYTE_INT | DISGR2_TX0BYTE_INT ++ | DISGR2_ISO_SEQ_ABORT_INT | DISGR2_ISO_SEQ_ERR_INT ++ | DISGR2_RESM_INT | DISGR2_SUSP_INT | DISGR2_USBRST_INT), ++ fotg210->reg + FOTG210_DMISGR2); ++ + /* disable all fifo interrupt */ + iowrite32(~(u32)0, fotg210->reg + FOTG210_DMISGR1); + +-- +2.30.2 + diff --git a/queue-4.14/fotg210-udc-remove-a-dubious-condition-leading-to-fo.patch b/queue-4.14/fotg210-udc-remove-a-dubious-condition-leading-to-fo.patch new file mode 100644 index 00000000000..196d03d0954 --- /dev/null +++ b/queue-4.14/fotg210-udc-remove-a-dubious-condition-leading-to-fo.patch @@ -0,0 +1,40 @@ +From 7454d74e1403c4311558aee28b0651f984b9f32c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 15:11:11 +0100 +Subject: fotg210-udc: Remove a dubious condition leading to fotg210_done + +From: Fabian Vogt + +[ Upstream commit c7f755b243494d6043aadcd9a2989cb157958b95 ] + +When the EP0 IN request was not completed but less than a packet sent, +it would complete the request successfully. That doesn't make sense +and can't really happen as fotg210_start_dma always sends +min(length, maxpkt) bytes. + +Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") +Signed-off-by: Fabian Vogt +Link: https://lore.kernel.org/r/20210324141115.9384-4-fabian@ritter-vogt.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fotg210-udc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c +index 788ba50b223f..dcdf92415064 100644 +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -385,8 +385,7 @@ static void fotg210_ep0_queue(struct fotg210_ep *ep, + } + if (ep->dir_in) { /* if IN */ + fotg210_start_dma(ep, req); +- if ((req->req.length == req->req.actual) || +- (req->req.actual < ep->ep.maxpacket)) ++ if (req->req.length == req->req.actual) + fotg210_done(ep, req, 0); + } else { /* OUT */ + u32 value = ioread32(ep->fotg210->reg + FOTG210_DMISGR0); +-- +2.30.2 + diff --git a/queue-4.14/hid-plantronics-workaround-for-double-volume-key-pre.patch b/queue-4.14/hid-plantronics-workaround-for-double-volume-key-pre.patch new file mode 100644 index 00000000000..e7e92665c4c --- /dev/null +++ b/queue-4.14/hid-plantronics-workaround-for-double-volume-key-pre.patch @@ -0,0 +1,181 @@ +From 0f549c1221e9f19560a05aa14579f8a47c5ef27d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Feb 2021 16:47:40 +0200 +Subject: HID: plantronics: Workaround for double volume key presses + +From: Maxim Mikityanskiy + +[ Upstream commit f567d6ef8606fb427636e824c867229ecb5aefab ] + +Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice +for each volume key press. This patch adds a quirk to hid-plantronics +for this product ID, which will ignore the second volume key press if +it happens within 5 ms from the last one that was handled. + +The patch was tested on the mentioned model only, it shouldn't affect +other models, however, this quirk might be needed for them too. +Auto-repeat (when a key is held pressed) is not affected, because the +rate is about 3 times per second, which is far less frequent than once +in 5 ms. + +Fixes: 81bb773faed7 ("HID: plantronics: Update to map volume up/down controls") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-plantronics.c | 60 +++++++++++++++++++++++++++++++++-- + include/linux/hid.h | 2 ++ + 3 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index be0707cfc0fd..e5f2958bc18c 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -859,6 +859,7 @@ + #define USB_DEVICE_ID_ORTEK_IHOME_IMAC_A210S 0x8003 + + #define USB_VENDOR_ID_PLANTRONICS 0x047f ++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056 + + #define USB_VENDOR_ID_PANASONIC 0x04da + #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044 +diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c +index 584b10d3fc3d..460711c1124a 100644 +--- a/drivers/hid/hid-plantronics.c ++++ b/drivers/hid/hid-plantronics.c +@@ -16,6 +16,7 @@ + + #include + #include ++#include + + #define PLT_HID_1_0_PAGE 0xffa00000 + #define PLT_HID_2_0_PAGE 0xffa20000 +@@ -39,6 +40,16 @@ + #define PLT_ALLOW_CONSUMER (field->application == HID_CP_CONSUMERCONTROL && \ + (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER) + ++#define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0) ++ ++#define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */ ++ ++struct plt_drv_data { ++ unsigned long device_type; ++ unsigned long last_volume_key_ts; ++ u32 quirks; ++}; ++ + static int plantronics_input_mapping(struct hid_device *hdev, + struct hid_input *hi, + struct hid_field *field, +@@ -46,7 +57,8 @@ static int plantronics_input_mapping(struct hid_device *hdev, + unsigned long **bit, int *max) + { + unsigned short mapped_key; +- unsigned long plt_type = (unsigned long)hid_get_drvdata(hdev); ++ struct plt_drv_data *drv_data = hid_get_drvdata(hdev); ++ unsigned long plt_type = drv_data->device_type; + + /* special case for PTT products */ + if (field->application == HID_GD_JOYSTICK) +@@ -108,6 +120,30 @@ mapped: + return 1; + } + ++static int plantronics_event(struct hid_device *hdev, struct hid_field *field, ++ struct hid_usage *usage, __s32 value) ++{ ++ struct plt_drv_data *drv_data = hid_get_drvdata(hdev); ++ ++ if (drv_data->quirks & PLT_QUIRK_DOUBLE_VOLUME_KEYS) { ++ unsigned long prev_ts, cur_ts; ++ ++ /* Usages are filtered in plantronics_usages. */ ++ ++ if (!value) /* Handle key presses only. */ ++ return 0; ++ ++ prev_ts = drv_data->last_volume_key_ts; ++ cur_ts = jiffies; ++ if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT) ++ return 1; /* Ignore the repeated key. */ ++ ++ drv_data->last_volume_key_ts = cur_ts; ++ } ++ ++ return 0; ++} ++ + static unsigned long plantronics_device_type(struct hid_device *hdev) + { + unsigned i, col_page; +@@ -136,15 +172,24 @@ exit: + static int plantronics_probe(struct hid_device *hdev, + const struct hid_device_id *id) + { ++ struct plt_drv_data *drv_data; + int ret; + ++ drv_data = devm_kzalloc(&hdev->dev, sizeof(*drv_data), GFP_KERNEL); ++ if (!drv_data) ++ return -ENOMEM; ++ + ret = hid_parse(hdev); + if (ret) { + hid_err(hdev, "parse failed\n"); + goto err; + } + +- hid_set_drvdata(hdev, (void *)plantronics_device_type(hdev)); ++ drv_data->device_type = plantronics_device_type(hdev); ++ drv_data->quirks = id->driver_data; ++ drv_data->last_volume_key_ts = jiffies - msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT); ++ ++ hid_set_drvdata(hdev, drv_data); + + ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT | + HID_CONNECT_HIDINPUT_FORCE | HID_CONNECT_HIDDEV_FORCE); +@@ -156,15 +201,26 @@ err: + } + + static const struct hid_device_id plantronics_devices[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, ++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES), ++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, + { } + }; + MODULE_DEVICE_TABLE(hid, plantronics_devices); + ++static const struct hid_usage_id plantronics_usages[] = { ++ { HID_CP_VOLUMEUP, EV_KEY, HID_ANY_ID }, ++ { HID_CP_VOLUMEDOWN, EV_KEY, HID_ANY_ID }, ++ { HID_TERMINATOR, HID_TERMINATOR, HID_TERMINATOR } ++}; ++ + static struct hid_driver plantronics_driver = { + .name = "plantronics", + .id_table = plantronics_devices, ++ .usage_table = plantronics_usages, + .input_mapping = plantronics_input_mapping, ++ .event = plantronics_event, + .probe = plantronics_probe, + }; + module_hid_driver(plantronics_driver); +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 40409453ef3e..d07fe33a9045 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -263,6 +263,8 @@ struct hid_item { + #define HID_CP_SELECTION 0x000c0080 + #define HID_CP_MEDIASELECTION 0x000c0087 + #define HID_CP_SELECTDISC 0x000c00ba ++#define HID_CP_VOLUMEUP 0x000c00e9 ++#define HID_CP_VOLUMEDOWN 0x000c00ea + #define HID_CP_PLAYBACKSPEED 0x000c00f1 + #define HID_CP_PROXIMITY 0x000c0109 + #define HID_CP_SPEAKERSYSTEM 0x000c0160 +-- +2.30.2 + diff --git a/queue-4.14/hsi-core-fix-resource-leaks-in-hsi_add_client_from_d.patch b/queue-4.14/hsi-core-fix-resource-leaks-in-hsi_add_client_from_d.patch new file mode 100644 index 00000000000..b2efa5dabb3 --- /dev/null +++ b/queue-4.14/hsi-core-fix-resource-leaks-in-hsi_add_client_from_d.patch @@ -0,0 +1,46 @@ +From 632552be2633a9fefcb37e5c4fb2c4f1ea585a36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 14:08:17 +0300 +Subject: HSI: core: fix resource leaks in hsi_add_client_from_dt() + +From: Dan Carpenter + +[ Upstream commit 5c08b0f75575648032f309a6f58294453423ed93 ] + +If some of the allocations fail between the dev_set_name() and the +device_register() then the name will not be freed. Fix this by +moving dev_set_name() directly in front of the call to device_register(). + +Fixes: a2aa24734d9d ("HSI: Add common DT binding for HSI client devices") +Signed-off-by: Dan Carpenter +Reviewed-by: Jason Gunthorpe +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/hsi_core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c +index 9065efd21851..71895da63810 100644 +--- a/drivers/hsi/hsi_core.c ++++ b/drivers/hsi/hsi_core.c +@@ -223,8 +223,6 @@ static void hsi_add_client_from_dt(struct hsi_port *port, + if (err) + goto err; + +- dev_set_name(&cl->device, "%s", name); +- + err = hsi_of_property_parse_mode(client, "hsi-mode", &mode); + if (err) { + err = hsi_of_property_parse_mode(client, "hsi-rx-mode", +@@ -306,6 +304,7 @@ static void hsi_add_client_from_dt(struct hsi_port *port, + cl->device.release = hsi_client_release; + cl->device.of_node = client; + ++ dev_set_name(&cl->device, "%s", name); + if (device_register(&cl->device) < 0) { + pr_err("hsi: failed to register client: %s\n", name); + put_device(&cl->device); +-- +2.30.2 + diff --git a/queue-4.14/i2c-cadence-add-irq-check.patch b/queue-4.14/i2c-cadence-add-irq-check.patch new file mode 100644 index 00000000000..9243ae5a3b9 --- /dev/null +++ b/queue-4.14/i2c-cadence-add-irq-check.patch @@ -0,0 +1,42 @@ +From e34b20b9432ecaf6e9a34406902389f56b67350e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Apr 2021 23:14:35 +0300 +Subject: i2c: cadence: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 5581c2c5d02bc63a0edb53e061c8e97cd490646e ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_irq() (which +takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding +an original error code. Stop calling devm_request_irq() with invalid +IRQ #s. + +Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-cadence.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index b13605718291..c5475bb4fae6 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -906,7 +906,10 @@ static int cdns_i2c_probe(struct platform_device *pdev) + if (IS_ERR(id->membase)) + return PTR_ERR(id->membase); + +- id->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ return ret; ++ id->irq = ret; + + id->adap.owner = THIS_MODULE; + id->adap.dev.of_node = pdev->dev.of_node; +-- +2.30.2 + diff --git a/queue-4.14/i2c-emev2-add-irq-check.patch b/queue-4.14/i2c-emev2-add-irq-check.patch new file mode 100644 index 00000000000..7fadd1f8839 --- /dev/null +++ b/queue-4.14/i2c-emev2-add-irq-check.patch @@ -0,0 +1,42 @@ +From 17b032a238df44899be15fa9ece696b6f948e1b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Apr 2021 23:16:41 +0300 +Subject: i2c: emev2: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit bb6129c32867baa7988f7fd2066cf18ed662d240 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_irq() (which +takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding +an original error code. Stop calling devm_request_irq() with invalid +IRQ #s. + +Fixes: 5faf6e1f58b4 ("i2c: emev2: add driver") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-emev2.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-emev2.c b/drivers/i2c/busses/i2c-emev2.c +index dd97e5d9f49a..74f0d5f2dc30 100644 +--- a/drivers/i2c/busses/i2c-emev2.c ++++ b/drivers/i2c/busses/i2c-emev2.c +@@ -400,7 +400,10 @@ static int em_i2c_probe(struct platform_device *pdev) + + em_i2c_reset(&priv->adap); + +- priv->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ goto err_clk; ++ priv->irq = ret; + ret = devm_request_irq(&pdev->dev, priv->irq, em_i2c_irq_handler, 0, + "em_i2c", priv); + if (ret) +-- +2.30.2 + diff --git a/queue-4.14/i2c-jz4780-add-irq-check.patch b/queue-4.14/i2c-jz4780-add-irq-check.patch new file mode 100644 index 00000000000..670d36999b5 --- /dev/null +++ b/queue-4.14/i2c-jz4780-add-irq-check.patch @@ -0,0 +1,42 @@ +From f4e836a2233f8775e46755b6d2be50fdb03bfdc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Apr 2021 23:18:31 +0300 +Subject: i2c: jz4780: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit c5e5f7a8d931fb4beba245bdbc94734175fda9de ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_irq() (which +takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding +an original error code. Stop calling devm_request_irq() with invalid +IRQ #s. + +Fixes: ba92222ed63a ("i2c: jz4780: Add i2c bus controller driver for Ingenic JZ4780") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-jz4780.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-jz4780.c b/drivers/i2c/busses/i2c-jz4780.c +index 41ca9ff7b5da..4dd800c0db14 100644 +--- a/drivers/i2c/busses/i2c-jz4780.c ++++ b/drivers/i2c/busses/i2c-jz4780.c +@@ -760,7 +760,10 @@ static int jz4780_i2c_probe(struct platform_device *pdev) + + jz4780_i2c_writew(i2c, JZ4780_I2C_INTM, 0x0); + +- i2c->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ goto err; ++ i2c->irq = ret; + ret = devm_request_irq(&pdev->dev, i2c->irq, jz4780_i2c_irq, 0, + dev_name(&pdev->dev), i2c); + if (ret) +-- +2.30.2 + diff --git a/queue-4.14/i2c-sh7760-add-irq-check.patch b/queue-4.14/i2c-sh7760-add-irq-check.patch new file mode 100644 index 00000000000..b35702e6264 --- /dev/null +++ b/queue-4.14/i2c-sh7760-add-irq-check.patch @@ -0,0 +1,42 @@ +From 1e087abe71e1e0112c5fe27eb1236de0c291b0d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Apr 2021 23:25:10 +0300 +Subject: i2c: sh7760: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit e5b2e3e742015dd2aa6bc7bcef2cb59b2de1221c ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_irq() (which +takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding +an original error code. Stop calling devm_request_irq() with invalid +IRQ #s. + +Fixes: a26c20b1fa6d ("i2c: Renesas SH7760 I2C master driver") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-sh7760.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-sh7760.c b/drivers/i2c/busses/i2c-sh7760.c +index c2005c789d2b..c79c9f542c5a 100644 +--- a/drivers/i2c/busses/i2c-sh7760.c ++++ b/drivers/i2c/busses/i2c-sh7760.c +@@ -471,7 +471,10 @@ static int sh7760_i2c_probe(struct platform_device *pdev) + goto out2; + } + +- id->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ return ret; ++ id->irq = ret; + + id->adap.nr = pdev->id; + id->adap.algo = &sh7760_i2c_algo; +-- +2.30.2 + diff --git a/queue-4.14/i2c-sh7760-fix-irq-error-path.patch b/queue-4.14/i2c-sh7760-fix-irq-error-path.patch new file mode 100644 index 00000000000..ab0b8f64b7d --- /dev/null +++ b/queue-4.14/i2c-sh7760-fix-irq-error-path.patch @@ -0,0 +1,38 @@ +From 6ce682ec1c9c3ba55169c6b1108450fafa00a5b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Apr 2021 22:05:05 +0300 +Subject: i2c: sh7760: fix IRQ error path + +From: Sergey Shtylyov + +[ Upstream commit 92dfb27240fea2776f61c5422472cb6defca7767 ] + +While adding the invalid IRQ check after calling platform_get_irq(), +I managed to overlook that the driver has a complex error path in its +probe() method, thus a simple *return* couldn't be used. Use a proper +*goto* instead! + +Fixes: e5b2e3e74201 ("i2c: sh7760: add IRQ check") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-sh7760.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-sh7760.c b/drivers/i2c/busses/i2c-sh7760.c +index c79c9f542c5a..319d1fa617c8 100644 +--- a/drivers/i2c/busses/i2c-sh7760.c ++++ b/drivers/i2c/busses/i2c-sh7760.c +@@ -473,7 +473,7 @@ static int sh7760_i2c_probe(struct platform_device *pdev) + + ret = platform_get_irq(pdev, 0); + if (ret < 0) +- return ret; ++ goto out3; + id->irq = ret; + + id->adap.nr = pdev->id; +-- +2.30.2 + diff --git a/queue-4.14/ib-hfi1-fix-error-return-code-in-parse_platform_conf.patch b/queue-4.14/ib-hfi1-fix-error-return-code-in-parse_platform_conf.patch new file mode 100644 index 00000000000..a50613a0823 --- /dev/null +++ b/queue-4.14/ib-hfi1-fix-error-return-code-in-parse_platform_conf.patch @@ -0,0 +1,37 @@ +From 4209c7d53495d58376555594b1a7241734d0c923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 11:31:40 +0000 +Subject: IB/hfi1: Fix error return code in parse_platform_config() + +From: Wang Wensheng + +[ Upstream commit 4c7d9c69adadfc31892c7e8e134deb3546552106 ] + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Link: https://lore.kernel.org/r/20210408113140.103032-1-wangwensheng4@huawei.com +Reported-by: Hulk Robot +Signed-off-by: Wang Wensheng +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/firmware.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/hfi1/firmware.c b/drivers/infiniband/hw/hfi1/firmware.c +index 5aea8f47e670..c54359376cda 100644 +--- a/drivers/infiniband/hw/hfi1/firmware.c ++++ b/drivers/infiniband/hw/hfi1/firmware.c +@@ -1885,6 +1885,7 @@ int parse_platform_config(struct hfi1_devdata *dd) + dd_dev_err(dd, "%s: Failed CRC check at offset %ld\n", + __func__, (ptr - + (u32 *)dd->platform_config.data)); ++ ret = -EINVAL; + goto bail; + } + /* Jump the CRC DWORD */ +-- +2.30.2 + diff --git a/queue-4.14/kfifo-fix-ternary-sign-extension-bugs.patch b/queue-4.14/kfifo-fix-ternary-sign-extension-bugs.patch new file mode 100644 index 00000000000..0c41cf29d19 --- /dev/null +++ b/queue-4.14/kfifo-fix-ternary-sign-extension-bugs.patch @@ -0,0 +1,120 @@ +From 6e40244a93002bddb51817ab38c297b8e2a8c7b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 22:54:15 -0700 +Subject: kfifo: fix ternary sign extension bugs + +From: Dan Carpenter + +[ Upstream commit 926ee00ea24320052b46745ef4b00d91c05bd03d ] + +The intent with this code was to return negative error codes but instead +it returns positives. + +The problem is how type promotion works with ternary operations. These +functions return long, "ret" is an int and "copied" is a u32. The +negative error code is first cast to u32 so it becomes a high positive and +then cast to long where it's still a positive. + +We could fix this by declaring "ret" as a ssize_t but let's just get rid +of the ternaries instead. + +Link: https://lkml.kernel.org/r/YIE+/cK1tBzSuQPU@mwanda +Fixes: 5bf2b19320ec ("kfifo: add example files to the kernel sample directory") +Signed-off-by: Dan Carpenter +Cc: Stefani Seibold +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + samples/kfifo/bytestream-example.c | 8 ++++++-- + samples/kfifo/inttype-example.c | 8 ++++++-- + samples/kfifo/record-example.c | 8 ++++++-- + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/samples/kfifo/bytestream-example.c b/samples/kfifo/bytestream-example.c +index 2fca916d9edf..a7f5ee8b6edc 100644 +--- a/samples/kfifo/bytestream-example.c ++++ b/samples/kfifo/bytestream-example.c +@@ -124,8 +124,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf, + ret = kfifo_from_user(&test, buf, count, &copied); + + mutex_unlock(&write_lock); ++ if (ret) ++ return ret; + +- return ret ? ret : copied; ++ return copied; + } + + static ssize_t fifo_read(struct file *file, char __user *buf, +@@ -140,8 +142,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf, + ret = kfifo_to_user(&test, buf, count, &copied); + + mutex_unlock(&read_lock); ++ if (ret) ++ return ret; + +- return ret ? ret : copied; ++ return copied; + } + + static const struct file_operations fifo_fops = { +diff --git a/samples/kfifo/inttype-example.c b/samples/kfifo/inttype-example.c +index 8dc3c2e7105a..a326a37e9163 100644 +--- a/samples/kfifo/inttype-example.c ++++ b/samples/kfifo/inttype-example.c +@@ -117,8 +117,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf, + ret = kfifo_from_user(&test, buf, count, &copied); + + mutex_unlock(&write_lock); ++ if (ret) ++ return ret; + +- return ret ? ret : copied; ++ return copied; + } + + static ssize_t fifo_read(struct file *file, char __user *buf, +@@ -133,8 +135,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf, + ret = kfifo_to_user(&test, buf, count, &copied); + + mutex_unlock(&read_lock); ++ if (ret) ++ return ret; + +- return ret ? ret : copied; ++ return copied; + } + + static const struct file_operations fifo_fops = { +diff --git a/samples/kfifo/record-example.c b/samples/kfifo/record-example.c +index 2d7529eeb294..deb87a2e4e6b 100644 +--- a/samples/kfifo/record-example.c ++++ b/samples/kfifo/record-example.c +@@ -131,8 +131,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf, + ret = kfifo_from_user(&test, buf, count, &copied); + + mutex_unlock(&write_lock); ++ if (ret) ++ return ret; + +- return ret ? ret : copied; ++ return copied; + } + + static ssize_t fifo_read(struct file *file, char __user *buf, +@@ -147,8 +149,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf, + ret = kfifo_to_user(&test, buf, count, &copied); + + mutex_unlock(&read_lock); ++ if (ret) ++ return ret; + +- return ret ? ret : copied; ++ return copied; + } + + static const struct file_operations fifo_fops = { +-- +2.30.2 + diff --git a/queue-4.14/liquidio-fix-unintented-sign-extension-of-a-left-shi.patch b/queue-4.14/liquidio-fix-unintented-sign-extension-of-a-left-shi.patch new file mode 100644 index 00000000000..3f06d66d9b9 --- /dev/null +++ b/queue-4.14/liquidio-fix-unintented-sign-extension-of-a-left-shi.patch @@ -0,0 +1,48 @@ +From bb4c2e7a9f2512b23db61e9f50256e7a7d771769 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 11:12:48 +0100 +Subject: liquidio: Fix unintented sign extension of a left shift of a u16 + +From: Colin Ian King + +[ Upstream commit 298b58f00c0f86868ea717426beb5c1198772f81 ] + +The macro CN23XX_PEM_BAR1_INDEX_REG is being used to shift oct->pcie_port +(a u16) left 24 places. There are two subtle issues here, first the +shift gets promoted to an signed int and then sign extended to a u64. +If oct->pcie_port is 0x80 or more then the upper bits get sign extended +to 1. Secondly shfiting a u16 24 bits will lead to an overflow so it +needs to be cast to a u64 for all the bits to not overflow. + +It is entirely possible that the u16 port value is never large enough +for this to fail, but it is useful to fix unintended overflows such +as this. + +Fix this by casting the port parameter to the macro to a u64 before +the shift. + +Addresses-Coverity: ("Unintended sign extension") +Fixes: 5bc67f587ba7 ("liquidio: CN23XX register definitions") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h +index e6d4ad99cc38..3f1c189646f4 100644 +--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h ++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h +@@ -521,7 +521,7 @@ + #define CN23XX_BAR1_INDEX_OFFSET 3 + + #define CN23XX_PEM_BAR1_INDEX_REG(port, idx) \ +- (CN23XX_PEM_BAR1_INDEX_START + ((port) << CN23XX_PEM_OFFSET) + \ ++ (CN23XX_PEM_BAR1_INDEX_START + (((u64)port) << CN23XX_PEM_OFFSET) + \ + ((idx) << CN23XX_BAR1_INDEX_OFFSET)) + + /*############################ DPI #########################*/ +-- +2.30.2 + diff --git a/queue-4.14/mac80211-bail-out-if-cipher-schemes-are-invalid.patch b/queue-4.14/mac80211-bail-out-if-cipher-schemes-are-invalid.patch new file mode 100644 index 00000000000..0fda3037125 --- /dev/null +++ b/queue-4.14/mac80211-bail-out-if-cipher-schemes-are-invalid.patch @@ -0,0 +1,44 @@ +From 96f704fe462d5fe838a599d570414a414f87e72f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 14:31:50 +0200 +Subject: mac80211: bail out if cipher schemes are invalid + +From: Johannes Berg + +[ Upstream commit db878e27a98106a70315d264cc92230d84009e72 ] + +If any of the cipher schemes specified by the driver are invalid, bail +out and fail the registration rather than just warning. Otherwise, we +might later crash when we try to use the invalid cipher scheme, e.g. +if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd +have an out-of-bounds access in RX validation. + +Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support") +Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 2136ce3b4489..a24acd0ee788 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1043,8 +1043,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + if (local->hw.wiphy->max_scan_ie_len) + local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len; + +- WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, +- local->hw.n_cipher_schemes)); ++ if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, ++ local->hw.n_cipher_schemes))) { ++ result = -EINVAL; ++ goto fail_workqueue; ++ } + + result = ieee80211_init_cipher_suites(local); + if (result < 0) +-- +2.30.2 + diff --git a/queue-4.14/media-m88rs6000t-avoid-potential-out-of-bounds-reads.patch b/queue-4.14/media-m88rs6000t-avoid-potential-out-of-bounds-reads.patch new file mode 100644 index 00000000000..c94e6b7402f --- /dev/null +++ b/queue-4.14/media-m88rs6000t-avoid-potential-out-of-bounds-reads.patch @@ -0,0 +1,56 @@ +From 7a9b2bc7084517b05128b697f062562a3d5f3b63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 14:16:28 +0200 +Subject: media: m88rs6000t: avoid potential out-of-bounds reads on arrays + +From: Colin Ian King + +[ Upstream commit 9baa3d64e8e2373ddd11c346439e5dfccb2cbb0d ] + +There a 3 array for-loops that don't check the upper bounds of the +index into arrays and this may lead to potential out-of-bounds +reads. Fix this by adding array size upper bounds checks to be +full safe. + +Addresses-Coverity: ("Out-of-bounds read") + +Link: https://lore.kernel.org/linux-media/20201007121628.20676-1-colin.king@canonical.com +Fixes: 333829110f1d ("[media] m88rs6000t: add new dvb-s/s2 tuner for integrated chip M88RS6000") +Signed-off-by: Colin Ian King +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/m88rs6000t.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/tuners/m88rs6000t.c b/drivers/media/tuners/m88rs6000t.c +index 9f3e0fd4cad9..d4443f9c9fa3 100644 +--- a/drivers/media/tuners/m88rs6000t.c ++++ b/drivers/media/tuners/m88rs6000t.c +@@ -534,7 +534,7 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength) + PGA2_cri = PGA2_GC >> 2; + PGA2_crf = PGA2_GC & 0x03; + +- for (i = 0; i <= RF_GC; i++) ++ for (i = 0; i <= RF_GC && i < ARRAY_SIZE(RFGS); i++) + RFG += RFGS[i]; + + if (RF_GC == 0) +@@ -546,12 +546,12 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength) + if (RF_GC == 3) + RFG += 100; + +- for (i = 0; i <= IF_GC; i++) ++ for (i = 0; i <= IF_GC && i < ARRAY_SIZE(IFGS); i++) + IFG += IFGS[i]; + + TIAG = TIA_GC * TIA_GS; + +- for (i = 0; i <= BB_GC; i++) ++ for (i = 0; i <= BB_GC && i < ARRAY_SIZE(BBGS); i++) + BBG += BBGS[i]; + + PGA2G = PGA2_cri * PGA2_cri_GS + PGA2_crf * PGA2_crf_GS; +-- +2.30.2 + diff --git a/queue-4.14/media-omap4iss-return-error-code-when-omap4iss_get-f.patch b/queue-4.14/media-omap4iss-return-error-code-when-omap4iss_get-f.patch new file mode 100644 index 00000000000..a48349e33cd --- /dev/null +++ b/queue-4.14/media-omap4iss-return-error-code-when-omap4iss_get-f.patch @@ -0,0 +1,40 @@ +From 8d1a04eeca0835a18f5cf1eff08f020cd12f8e83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Nov 2020 03:50:41 +0100 +Subject: media: omap4iss: return error code when omap4iss_get() failed + +From: Yang Yingliang + +[ Upstream commit 8938c48fa25b491842ece9eb38f0bea0fcbaca44 ] + +If omap4iss_get() failed, it need return error code in iss_probe(). + +Fixes: 59f0ad807681 ("[media] v4l: omap4iss: Add support for OMAP4...") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/omap4iss/iss.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/omap4iss/iss.c b/drivers/staging/media/omap4iss/iss.c +index c26c99fd4a24..1e10fe204d3b 100644 +--- a/drivers/staging/media/omap4iss/iss.c ++++ b/drivers/staging/media/omap4iss/iss.c +@@ -1244,8 +1244,10 @@ static int iss_probe(struct platform_device *pdev) + if (ret < 0) + goto error; + +- if (!omap4iss_get(iss)) ++ if (!omap4iss_get(iss)) { ++ ret = -EINVAL; + goto error; ++ } + + ret = iss_reset(iss); + if (ret < 0) +-- +2.30.2 + diff --git a/queue-4.14/media-vivid-fix-assignment-of-dev-fbuf_out_flags.patch b/queue-4.14/media-vivid-fix-assignment-of-dev-fbuf_out_flags.patch new file mode 100644 index 00000000000..d71bed8d37d --- /dev/null +++ b/queue-4.14/media-vivid-fix-assignment-of-dev-fbuf_out_flags.patch @@ -0,0 +1,41 @@ +From c13a034e4283335f95451af87ff14b0cd815f4c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 16:43:27 +0100 +Subject: media: vivid: fix assignment of dev->fbuf_out_flags + +From: Colin Ian King + +[ Upstream commit 5cde22fcc7271812a7944c47b40100df15908358 ] + +Currently the chroma_flags and alpha_flags are being zero'd with a bit-wise +mask and the following statement should be bit-wise or'ing in the new flag +bits but instead is making a direct assignment. Fix this by using the |= +operator rather than an assignment. + +Addresses-Coverity: ("Unused value") + +Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts") +Signed-off-by: Colin Ian King +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vivid/vivid-vid-out.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/vivid/vivid-vid-out.c b/drivers/media/platform/vivid/vivid-vid-out.c +index 3e7a26d15074..4629679a0f3c 100644 +--- a/drivers/media/platform/vivid/vivid-vid-out.c ++++ b/drivers/media/platform/vivid/vivid-vid-out.c +@@ -1010,7 +1010,7 @@ int vivid_vid_out_s_fbuf(struct file *file, void *fh, + return -EINVAL; + } + dev->fbuf_out_flags &= ~(chroma_flags | alpha_flags); +- dev->fbuf_out_flags = a->flags & (chroma_flags | alpha_flags); ++ dev->fbuf_out_flags |= a->flags & (chroma_flags | alpha_flags); + return 0; + } + +-- +2.30.2 + diff --git a/queue-4.14/memory-gpmc-fix-out-of-bounds-read-and-dereference-o.patch b/queue-4.14/memory-gpmc-fix-out-of-bounds-read-and-dereference-o.patch new file mode 100644 index 00000000000..80f6c18448a --- /dev/null +++ b/queue-4.14/memory-gpmc-fix-out-of-bounds-read-and-dereference-o.patch @@ -0,0 +1,53 @@ +From d45559cd5c65bf022d6c3fb868c8dddc9526c457 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Feb 2021 19:38:21 +0000 +Subject: memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] + +From: Colin Ian King + +[ Upstream commit e004c3e67b6459c99285b18366a71af467d869f5 ] + +Currently the array gpmc_cs is indexed by cs before it cs is range checked +and the pointer read from this out-of-index read is dereferenced. Fix this +by performing the range check on cs before the read and the following +pointer dereference. + +Addresses-Coverity: ("Negative array index read") +Fixes: 9ed7a776eb50 ("ARM: OMAP2+: Fix support for multiple devices on a GPMC chip select") +Signed-off-by: Colin Ian King +Reviewed-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210223193821.17232-1-colin.king@canonical.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index cc0da96d07ca..4eb1b8ebfd22 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -1028,8 +1028,8 @@ EXPORT_SYMBOL(gpmc_cs_request); + + void gpmc_cs_free(int cs) + { +- struct gpmc_cs_data *gpmc = &gpmc_cs[cs]; +- struct resource *res = &gpmc->mem; ++ struct gpmc_cs_data *gpmc; ++ struct resource *res; + + spin_lock(&gpmc_mem_lock); + if (cs >= gpmc_cs_num || cs < 0 || !gpmc_cs_reserved(cs)) { +@@ -1038,6 +1038,9 @@ void gpmc_cs_free(int cs) + spin_unlock(&gpmc_mem_lock); + return; + } ++ gpmc = &gpmc_cs[cs]; ++ res = &gpmc->mem; ++ + gpmc_cs_disable_mem(cs); + if (res->flags) + release_resource(res); +-- +2.30.2 + diff --git a/queue-4.14/mfd-stm32-timers-avoid-clearing-auto-reload-register.patch b/queue-4.14/mfd-stm32-timers-avoid-clearing-auto-reload-register.patch new file mode 100644 index 00000000000..4d257111a43 --- /dev/null +++ b/queue-4.14/mfd-stm32-timers-avoid-clearing-auto-reload-register.patch @@ -0,0 +1,58 @@ +From dc2f6752ba452b2625c736dd2492a8b429d76e82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 18:51:35 +0100 +Subject: mfd: stm32-timers: Avoid clearing auto reload register + +From: Fabrice Gasnier + +[ Upstream commit 4917e498c6894ba077867aff78f82cffd5ffbb5c ] + +The ARR register is cleared unconditionally upon probing, after the maximum +value has been read. This initial condition is rather not intuitive, when +considering the counter child driver. It rather expects the maximum value +by default: +- The counter interface shows a zero value by default for 'ceiling' + attribute. +- Enabling the counter without any prior configuration makes it doesn't + count. + +The reset value of ARR register is the maximum. So Choice here +is to backup it, and restore it then, instead of clearing its value. +It also fixes the initial condition seen by the counter driver. + +Fixes: d0f949e220fd ("mfd: Add STM32 Timers driver") +Signed-off-by: Fabrice Gasnier +Acked-by: William Breathitt Gray +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/stm32-timers.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/stm32-timers.c b/drivers/mfd/stm32-timers.c +index a6675a449409..e280e0ff2dcc 100644 +--- a/drivers/mfd/stm32-timers.c ++++ b/drivers/mfd/stm32-timers.c +@@ -20,13 +20,18 @@ static const struct regmap_config stm32_timers_regmap_cfg = { + + static void stm32_timers_get_arr_size(struct stm32_timers *ddata) + { ++ u32 arr; ++ ++ /* Backup ARR to restore it after getting the maximum value */ ++ regmap_read(ddata->regmap, TIM_ARR, &arr); ++ + /* + * Only the available bits will be written so when readback + * we get the maximum value of auto reload register + */ + regmap_write(ddata->regmap, TIM_ARR, ~0L); + regmap_read(ddata->regmap, TIM_ARR, &ddata->max_arr); +- regmap_write(ddata->regmap, TIM_ARR, 0x0); ++ regmap_write(ddata->regmap, TIM_ARR, arr); + } + + static int stm32_timers_probe(struct platform_device *pdev) +-- +2.30.2 + diff --git a/queue-4.14/mips-pci-legacy-stop-using-of_pci_range_to_resource.patch b/queue-4.14/mips-pci-legacy-stop-using-of_pci_range_to_resource.patch new file mode 100644 index 00000000000..cb1408b8719 --- /dev/null +++ b/queue-4.14/mips-pci-legacy-stop-using-of_pci_range_to_resource.patch @@ -0,0 +1,62 @@ +From d118b4af6703ccdf468fd491baa3203fbda3c6e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Apr 2021 20:12:37 -0700 +Subject: MIPS: pci-legacy: stop using of_pci_range_to_resource + +From: Ilya Lipnitskiy + +[ Upstream commit 3ecb9dc1581eebecaee56decac70e35365260866 ] + +Mirror commit aeba3731b150 ("powerpc/pci: Fix IO space breakage after +of_pci_range_to_resource() change"). + +Most MIPS platforms do not define PCI_IOBASE, nor implement +pci_address_to_pio(). Moreover, IO_SPACE_LIMIT is 0xffff for most MIPS +platforms. of_pci_range_to_resource passes the _start address_ of the IO +range into pci_address_to_pio, which then checks it against +IO_SPACE_LIMIT and fails, because for MIPS platforms that use +pci-legacy (pci-lantiq, pci-rt3883, pci-mt7620), IO ranges start much +higher than 0xffff. + +In fact, pci-mt7621 in staging already works around this problem, see +commit 09dd629eeabb ("staging: mt7621-pci: fix io space and properly set +resource limits") + +So just stop using of_pci_range_to_resource, which does not work for +MIPS. + +Fixes PCI errors like: + pci_bus 0000:00: root bus resource [io 0xffffffff] + +Fixes: 0b0b0893d49b ("of/pci: Fix the conversion of IO ranges into IO resources") +Signed-off-by: Ilya Lipnitskiy +Cc: Liviu Dudau +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/pci/pci-legacy.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/pci/pci-legacy.c b/arch/mips/pci/pci-legacy.c +index 1ae6bc414e2b..c932ffa6e1d3 100644 +--- a/arch/mips/pci/pci-legacy.c ++++ b/arch/mips/pci/pci-legacy.c +@@ -169,8 +169,13 @@ void pci_load_of_ranges(struct pci_controller *hose, struct device_node *node) + res = hose->mem_resource; + break; + } +- if (res != NULL) +- of_pci_range_to_resource(&range, node, res); ++ if (res != NULL) { ++ res->name = node->full_name; ++ res->flags = range.flags; ++ res->start = range.cpu_addr; ++ res->end = range.cpu_addr + range.size - 1; ++ res->parent = res->child = res->sibling = NULL; ++ } + } + } + +-- +2.30.2 + diff --git a/queue-4.14/mt7601u-fix-always-true-expression.patch b/queue-4.14/mt7601u-fix-always-true-expression.patch new file mode 100644 index 00000000000..437b51cf17f --- /dev/null +++ b/queue-4.14/mt7601u-fix-always-true-expression.patch @@ -0,0 +1,47 @@ +From 311137ee183df8e0b3861d27b4ed241a3d061f99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 18:32:41 +0000 +Subject: mt7601u: fix always true expression + +From: Colin Ian King + +[ Upstream commit 87fce88658ba047ae62e83497d3f3c5dc22fa6f9 ] + +Currently the expression ~nic_conf1 is always true because nic_conf1 +is a u16 and according to 6.5.3.3 of the C standard the ~ operator +promotes the u16 to an integer before flipping all the bits. Thus +the top 16 bits of the integer result are all set so the expression +is always true. If the intention was to flip all the bits of nic_conf1 +then casting the integer result back to a u16 is a suitabel fix. + +Interestingly static analyzers seem to thing a bitwise ! should be +used instead of ~ for this scenario, so I think the original intent +of the expression may need some extra consideration. + +Addresses-Coverity: ("Logical vs. bitwise operator") +Fixes: c869f77d6abb ("add mt7601u driver") +Signed-off-by: Colin Ian King +Acked-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210225183241.1002129-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt7601u/eeprom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt7601u/eeprom.c b/drivers/net/wireless/mediatek/mt7601u/eeprom.c +index da6faea092d6..80d0f64205f8 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/eeprom.c ++++ b/drivers/net/wireless/mediatek/mt7601u/eeprom.c +@@ -106,7 +106,7 @@ mt7601u_has_tssi(struct mt7601u_dev *dev, u8 *eeprom) + { + u16 nic_conf1 = get_unaligned_le16(eeprom + MT_EE_NIC_CONF_1); + +- return ~nic_conf1 && (nic_conf1 & MT_EE_NIC_CONF_1_TX_ALC_EN); ++ return (u16)~nic_conf1 && (nic_conf1 & MT_EE_NIC_CONF_1_TX_ALC_EN); + } + + static void +-- +2.30.2 + diff --git a/queue-4.14/mtd-rawnand-gpmi-fix-a-double-free-in-gpmi_nand_init.patch b/queue-4.14/mtd-rawnand-gpmi-fix-a-double-free-in-gpmi_nand_init.patch new file mode 100644 index 00000000000..7f3827c9629 --- /dev/null +++ b/queue-4.14/mtd-rawnand-gpmi-fix-a-double-free-in-gpmi_nand_init.patch @@ -0,0 +1,47 @@ +From a1c8c7c1c7184ab4b0e8763003623ff579b0e1bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 23:09:05 -0700 +Subject: mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init + +From: Lv Yunlong + +[ Upstream commit 076de75de1e53160e9b099f75872c1f9adf41a0b ] + +If the callee gpmi_alloc_dma_buffer() failed to alloc memory for +this->raw_buffer, gpmi_free_dma_buffer() will be called to free +this->auxiliary_virt. But this->auxiliary_virt is still a non-NULL +and valid ptr. + +Then gpmi_alloc_dma_buffer() returns err and gpmi_free_dma_buffer() +is called again to free this->auxiliary_virt in err_out. This causes +a double free. + +As gpmi_free_dma_buffer() has already called in gpmi_alloc_dma_buffer's +error path, so it should return err directly instead of releasing the dma +buffer again. + +Fixes: 4d02423e9afe6 ("mtd: nand: gpmi: Fix gpmi_nand_init() error path") +Signed-off-by: Lv Yunlong +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210403060905.5251-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +index c7d0d2eed6c2..5a694bdc4f75 100644 +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +@@ -2022,7 +2022,7 @@ static int gpmi_nand_init(struct gpmi_nand_data *this) + this->bch_geometry.auxiliary_size = 128; + ret = gpmi_alloc_dma_buffer(this); + if (ret) +- goto err_out; ++ return ret; + + ret = nand_scan_ident(mtd, GPMI_IS_MX6(this) ? 2 : 1, NULL); + if (ret) +-- +2.30.2 + diff --git a/queue-4.14/mtd-require-write-permissions-for-locking-and-badblo.patch b/queue-4.14/mtd-require-write-permissions-for-locking-and-badblo.patch new file mode 100644 index 00000000000..73c1c246f6e --- /dev/null +++ b/queue-4.14/mtd-require-write-permissions-for-locking-and-badblo.patch @@ -0,0 +1,69 @@ +From 07ce141627f04f1b4e8d011f8ab5066826d7fd7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 16:57:35 +0100 +Subject: mtd: require write permissions for locking and badblock ioctls +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Walle + +[ Upstream commit 1e97743fd180981bef5f01402342bb54bf1c6366 ] + +MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require +write permission. Depending on the hardware MEMLOCK might even be +write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK +is always write-once. + +MEMSETBADBLOCK modifies the bad block table. + +Fixes: f7e6b19bc764 ("mtd: properly check all write ioctls for permissions") +Signed-off-by: Michael Walle +Reviewed-by: Greg Kroah-Hartman +Acked-by: Rafał Miłecki +Acked-by: Richard Weinberger +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210303155735.25887-1-michael@walle.cc +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdchar.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c +index 18dd333f2d40..0a109277b174 100644 +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -689,16 +689,12 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) + case MEMGETINFO: + case MEMREADOOB: + case MEMREADOOB64: +- case MEMLOCK: +- case MEMUNLOCK: + case MEMISLOCKED: + case MEMGETOOBSEL: + case MEMGETBADBLOCK: +- case MEMSETBADBLOCK: + case OTPSELECT: + case OTPGETREGIONCOUNT: + case OTPGETREGIONINFO: +- case OTPLOCK: + case ECCGETLAYOUT: + case ECCGETSTATS: + case MTDFILEMODE: +@@ -709,9 +705,13 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) + /* "dangerous" commands */ + case MEMERASE: + case MEMERASE64: ++ case MEMLOCK: ++ case MEMUNLOCK: ++ case MEMSETBADBLOCK: + case MEMWRITEOOB: + case MEMWRITEOOB64: + case MEMWRITE: ++ case OTPLOCK: + if (!(file->f_mode & FMODE_WRITE)) + return -EPERM; + break; +-- +2.30.2 + diff --git a/queue-4.14/mwl8k-fix-a-double-free-in-mwl8k_probe_hw.patch b/queue-4.14/mwl8k-fix-a-double-free-in-mwl8k_probe_hw.patch new file mode 100644 index 00000000000..fffde64b699 --- /dev/null +++ b/queue-4.14/mwl8k-fix-a-double-free-in-mwl8k_probe_hw.patch @@ -0,0 +1,43 @@ +From 88b5d616f6ac84aaa8474f1332661f79b82d35a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 11:26:27 -0700 +Subject: mwl8k: Fix a double Free in mwl8k_probe_hw + +From: Lv Yunlong + +[ Upstream commit a8e083ee8e2a6c94c29733835adae8bf5b832748 ] + +In mwl8k_probe_hw, hw->priv->txq is freed at the first time by +dma_free_coherent() in the call chain: +if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i). + +Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed +at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent(). + +My patch set txq->txd to NULL after the first free to avoid the +double free. + +Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver") +Signed-off-by: Lv Yunlong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210402182627.4256-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwl8k.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c +index a87ccf9ceb67..e39aaee92add 100644 +--- a/drivers/net/wireless/marvell/mwl8k.c ++++ b/drivers/net/wireless/marvell/mwl8k.c +@@ -1464,6 +1464,7 @@ static int mwl8k_txq_init(struct ieee80211_hw *hw, int index) + txq->skb = kcalloc(MWL8K_TX_DESCS, sizeof(*txq->skb), GFP_KERNEL); + if (txq->skb == NULL) { + pci_free_consistent(priv->pdev, size, txq->txd, txq->txd_dma); ++ txq->txd = NULL; + return -ENOMEM; + } + +-- +2.30.2 + diff --git a/queue-4.14/net-davinci_emac-fix-incorrect-masking-of-tx-and-rx-.patch b/queue-4.14/net-davinci_emac-fix-incorrect-masking-of-tx-and-rx-.patch new file mode 100644 index 00000000000..1ed1f7b0727 --- /dev/null +++ b/queue-4.14/net-davinci_emac-fix-incorrect-masking-of-tx-and-rx-.patch @@ -0,0 +1,48 @@ +From 683505557df4246e77a10a44cd05c00f183e55fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Apr 2021 18:16:14 +0100 +Subject: net: davinci_emac: Fix incorrect masking of tx and rx error channel + +From: Colin Ian King + +[ Upstream commit d83b8aa5207d81f9f6daec9888390f079cc5db3f ] + +The bit-masks used for the TXERRCH and RXERRCH (tx and rx error channels) +are incorrect and always lead to a zero result. The mask values are +currently the incorrect post-right shifted values, fix this by setting +them to the currect values. + +(I double checked these against the TMS320TCI6482 data sheet, section +5.30, page 127 to ensure I had the correct mask values for the TXERRCH +and RXERRCH fields in the MACSTATUS register). + +Addresses-Coverity: ("Operands don't affect result") +Fixes: a6286ee630f6 ("net: Add TI DaVinci EMAC driver") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/davinci_emac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index 47a096134043..32e7b87baaa7 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -183,11 +183,11 @@ static const char emac_version_string[] = "TI DaVinci EMAC Linux v6.1"; + /* EMAC mac_status register */ + #define EMAC_MACSTATUS_TXERRCODE_MASK (0xF00000) + #define EMAC_MACSTATUS_TXERRCODE_SHIFT (20) +-#define EMAC_MACSTATUS_TXERRCH_MASK (0x7) ++#define EMAC_MACSTATUS_TXERRCH_MASK (0x70000) + #define EMAC_MACSTATUS_TXERRCH_SHIFT (16) + #define EMAC_MACSTATUS_RXERRCODE_MASK (0xF000) + #define EMAC_MACSTATUS_RXERRCODE_SHIFT (12) +-#define EMAC_MACSTATUS_RXERRCH_MASK (0x7) ++#define EMAC_MACSTATUS_RXERRCH_MASK (0x700) + #define EMAC_MACSTATUS_RXERRCH_SHIFT (8) + + /* EMAC RX register masks */ +-- +2.30.2 + diff --git a/queue-4.14/net-emac-emac-mac-fix-a-use-after-free-in-emac_mac_t.patch b/queue-4.14/net-emac-emac-mac-fix-a-use-after-free-in-emac_mac_t.patch new file mode 100644 index 00000000000..e60eadd81f7 --- /dev/null +++ b/queue-4.14/net-emac-emac-mac-fix-a-use-after-free-in-emac_mac_t.patch @@ -0,0 +1,53 @@ +From 72a6ae663058e591d454be348f276809c3950169 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Apr 2021 09:06:25 -0700 +Subject: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send + +From: Lv Yunlong + +[ Upstream commit 6d72e7c767acbbdd44ebc7d89c6690b405b32b57 ] + +In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). +If some error happens in emac_tx_fill_tpd(), the skb will be freed via +dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd(). +But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). + +As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len, +thus my patch assigns skb->len to 'len' before the possible free and +use 'len' instead of skb->len later. + +Fixes: b9b17debc69d2 ("net: emac: emac gigabit ethernet controller driver") +Signed-off-by: Lv Yunlong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/emac/emac-mac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qualcomm/emac/emac-mac.c b/drivers/net/ethernet/qualcomm/emac/emac-mac.c +index 44f797ab5d15..57f509a6c449 100644 +--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c +@@ -1458,6 +1458,7 @@ int emac_mac_tx_buf_send(struct emac_adapter *adpt, struct emac_tx_queue *tx_q, + { + struct emac_tpd tpd; + u32 prod_idx; ++ int len; + + memset(&tpd, 0, sizeof(tpd)); + +@@ -1477,9 +1478,10 @@ int emac_mac_tx_buf_send(struct emac_adapter *adpt, struct emac_tx_queue *tx_q, + if (skb_network_offset(skb) != ETH_HLEN) + TPD_TYP_SET(&tpd, 1); + ++ len = skb->len; + emac_tx_fill_tpd(adpt, tx_q, skb, &tpd); + +- netdev_sent_queue(adpt->netdev, skb->len); ++ netdev_sent_queue(adpt->netdev, len); + + /* Make sure the are enough free descriptors to hold one + * maximum-sized SKB. We need one desc for each fragment, +-- +2.30.2 + diff --git a/queue-4.14/net-lapbether-prevent-racing-when-checking-whether-t.patch b/queue-4.14/net-lapbether-prevent-racing-when-checking-whether-t.patch new file mode 100644 index 00000000000..8c32152da19 --- /dev/null +++ b/queue-4.14/net-lapbether-prevent-racing-when-checking-whether-t.patch @@ -0,0 +1,140 @@ +From 26943b1e8fbef2315626aba17e3b51f91705b298 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 23:23:09 -0800 +Subject: net: lapbether: Prevent racing when checking whether the netif is + running + +From: Xie He + +[ Upstream commit 5acd0cfbfbb5a688da1bfb1a2152b0c855115a35 ] + +There are two "netif_running" checks in this driver. One is in +"lapbeth_xmit" and the other is in "lapbeth_rcv". They serve to make +sure that the LAPB APIs called in these functions are called before +"lapb_unregister" is called by the "ndo_stop" function. + +However, these "netif_running" checks are unreliable, because it's +possible that immediately after "netif_running" returns true, "ndo_stop" +is called (which causes "lapb_unregister" to be called). + +This patch adds locking to make sure "lapbeth_xmit" and "lapbeth_rcv" can +reliably check and ensure the netif is running while doing their work. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xie He +Acked-by: Martin Schiller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index fad5fc8b9edb..3ec922bed2d8 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -56,6 +56,8 @@ struct lapbethdev { + struct list_head node; + struct net_device *ethdev; /* link to ethernet device */ + struct net_device *axdev; /* lapbeth device (lapb#) */ ++ bool up; ++ spinlock_t up_lock; /* Protects "up" */ + }; + + static LIST_HEAD(lapbeth_devices); +@@ -103,8 +105,9 @@ static int lapbeth_rcv(struct sk_buff *skb, struct net_device *dev, struct packe + rcu_read_lock(); + lapbeth = lapbeth_get_x25_dev(dev); + if (!lapbeth) +- goto drop_unlock; +- if (!netif_running(lapbeth->axdev)) ++ goto drop_unlock_rcu; ++ spin_lock_bh(&lapbeth->up_lock); ++ if (!lapbeth->up) + goto drop_unlock; + + len = skb->data[0] + skb->data[1] * 256; +@@ -119,11 +122,14 @@ static int lapbeth_rcv(struct sk_buff *skb, struct net_device *dev, struct packe + goto drop_unlock; + } + out: ++ spin_unlock_bh(&lapbeth->up_lock); + rcu_read_unlock(); + return 0; + drop_unlock: + kfree_skb(skb); + goto out; ++drop_unlock_rcu: ++ rcu_read_unlock(); + drop: + kfree_skb(skb); + return 0; +@@ -151,13 +157,11 @@ static int lapbeth_data_indication(struct net_device *dev, struct sk_buff *skb) + static netdev_tx_t lapbeth_xmit(struct sk_buff *skb, + struct net_device *dev) + { ++ struct lapbethdev *lapbeth = netdev_priv(dev); + int err; + +- /* +- * Just to be *really* sure not to send anything if the interface +- * is down, the ethernet device may have gone. +- */ +- if (!netif_running(dev)) ++ spin_lock_bh(&lapbeth->up_lock); ++ if (!lapbeth->up) + goto drop; + + /* There should be a pseudo header of 1 byte added by upper layers. +@@ -188,6 +192,7 @@ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb, + goto drop; + } + out: ++ spin_unlock_bh(&lapbeth->up_lock); + return NETDEV_TX_OK; + drop: + kfree_skb(skb); +@@ -279,6 +284,7 @@ static const struct lapb_register_struct lapbeth_callbacks = { + */ + static int lapbeth_open(struct net_device *dev) + { ++ struct lapbethdev *lapbeth = netdev_priv(dev); + int err; + + if ((err = lapb_register(dev, &lapbeth_callbacks)) != LAPB_OK) { +@@ -286,13 +292,22 @@ static int lapbeth_open(struct net_device *dev) + return -ENODEV; + } + ++ spin_lock_bh(&lapbeth->up_lock); ++ lapbeth->up = true; ++ spin_unlock_bh(&lapbeth->up_lock); ++ + return 0; + } + + static int lapbeth_close(struct net_device *dev) + { ++ struct lapbethdev *lapbeth = netdev_priv(dev); + int err; + ++ spin_lock_bh(&lapbeth->up_lock); ++ lapbeth->up = false; ++ spin_unlock_bh(&lapbeth->up_lock); ++ + if ((err = lapb_unregister(dev)) != LAPB_OK) + pr_err("lapb_unregister error: %d\n", err); + +@@ -350,6 +365,9 @@ static int lapbeth_new_device(struct net_device *dev) + dev_hold(dev); + lapbeth->ethdev = dev; + ++ lapbeth->up = false; ++ spin_lock_init(&lapbeth->up_lock); ++ + rc = -EIO; + if (register_netdevice(ndev)) + goto fail; +-- +2.30.2 + diff --git a/queue-4.14/net-nfc-digital-fix-a-double-free-in-digital_tg_recv.patch b/queue-4.14/net-nfc-digital-fix-a-double-free-in-digital_tg_recv.patch new file mode 100644 index 00000000000..bf530e2534e --- /dev/null +++ b/queue-4.14/net-nfc-digital-fix-a-double-free-in-digital_tg_recv.patch @@ -0,0 +1,41 @@ +From be92d913fd21bf8e669d70a54cb7027df5386146 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Apr 2021 09:22:58 -0700 +Subject: net:nfc:digital: Fix a double free in digital_tg_recv_dep_req + +From: Lv Yunlong + +[ Upstream commit 75258586793efc521e5dd52a5bf6c7a4cf7002be ] + +In digital_tg_recv_dep_req, it calls nfc_tm_data_received(..,resp). +If nfc_tm_data_received() failed, the callee will free the resp via +kfree_skb() and return error. But in the exit branch, the resp +will be freed again. + +My patch sets resp to NULL if nfc_tm_data_received() failed, to +avoid the double free. + +Fixes: 1c7a4c24fbfd9 ("NFC Digital: Add target NFC-DEP support") +Signed-off-by: Lv Yunlong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/digital_dep.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/nfc/digital_dep.c b/net/nfc/digital_dep.c +index 4f9a973988b2..1eed0cf59190 100644 +--- a/net/nfc/digital_dep.c ++++ b/net/nfc/digital_dep.c +@@ -1285,6 +1285,8 @@ static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg, + } + + rc = nfc_tm_data_received(ddev->nfc_dev, resp); ++ if (rc) ++ resp = NULL; + + exit: + kfree_skb(ddev->chaining_skb); +-- +2.30.2 + diff --git a/queue-4.14/net-thunderx-fix-unintentional-sign-extension-issue.patch b/queue-4.14/net-thunderx-fix-unintentional-sign-extension-issue.patch new file mode 100644 index 00000000000..67308f92921 --- /dev/null +++ b/queue-4.14/net-thunderx-fix-unintentional-sign-extension-issue.patch @@ -0,0 +1,42 @@ +From 90910250cac1993d30e06fb75c7eedc9be20f4b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 14:07:26 +0100 +Subject: net: thunderx: Fix unintentional sign extension issue + +From: Colin Ian King + +[ Upstream commit e701a25840360706fe4cf5de0015913ca19c274b ] + +The shifting of the u8 integers rq->caching by 26 bits to +the left will be promoted to a 32 bit signed int and then +sign-extended to a u64. In the event that rq->caching is +greater than 0x1f then all then all the upper 32 bits of +the u64 end up as also being set because of the int +sign-extension. Fix this by casting the u8 values to a +u64 before the 26 bit left shift. + +Addresses-Coverity: ("Unintended sign extension") +Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c +index 7ad1d56d8389..d44d9d0e9d06 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c +@@ -775,7 +775,7 @@ static void nicvf_rcv_queue_config(struct nicvf *nic, struct queue_set *qs, + mbx.rq.msg = NIC_MBOX_MSG_RQ_CFG; + mbx.rq.qs_num = qs->vnic_id; + mbx.rq.rq_num = qidx; +- mbx.rq.cfg = (rq->caching << 26) | (rq->cq_qs << 19) | ++ mbx.rq.cfg = ((u64)rq->caching << 26) | (rq->cq_qs << 19) | + (rq->cq_idx << 16) | (rq->cont_rbdr_qs << 9) | + (rq->cont_qs_rbdr_idx << 8) | + (rq->start_rbdr_qs << 1) | (rq->start_qs_rbdr_idx); +-- +2.30.2 + diff --git a/queue-4.14/nfc-pn533-prevent-potential-memory-corruption.patch b/queue-4.14/nfc-pn533-prevent-potential-memory-corruption.patch new file mode 100644 index 00000000000..2eee3be9d9b --- /dev/null +++ b/queue-4.14/nfc-pn533-prevent-potential-memory-corruption.patch @@ -0,0 +1,39 @@ +From f9e46e4b93662db9cf67ade9be133d68e7bcb5e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 14:44:42 +0300 +Subject: nfc: pn533: prevent potential memory corruption + +From: Dan Carpenter + +[ Upstream commit ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86 ] + +If the "type_a->nfcid_len" is too large then it would lead to memory +corruption in pn533_target_found_type_a() when we do: + + memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len); + +Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/pn533.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c +index c05cb637ba92..e3026e20f169 100644 +--- a/drivers/nfc/pn533/pn533.c ++++ b/drivers/nfc/pn533/pn533.c +@@ -692,6 +692,9 @@ static bool pn533_target_type_a_is_valid(struct pn533_target_type_a *type_a, + if (PN533_TYPE_A_SEL_CASCADE(type_a->sel_res) != 0) + return false; + ++ if (type_a->nfcid_len > NFC_NFCID1_MAXSIZE) ++ return false; ++ + return true; + } + +-- +2.30.2 + diff --git a/queue-4.14/pata_arasan_cf-fix-irq-check.patch b/queue-4.14/pata_arasan_cf-fix-irq-check.patch new file mode 100644 index 00000000000..a612c544d6d --- /dev/null +++ b/queue-4.14/pata_arasan_cf-fix-irq-check.patch @@ -0,0 +1,56 @@ +From dbdb680aa495d8f4152ab96259acbcf42644c497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 23:50:24 +0300 +Subject: pata_arasan_cf: fix IRQ check + +From: Sergey Shtylyov + +[ Upstream commit c7e8f404d56b99c80990b19a402c3f640d74be05 ] + +The driver's probe() method is written as if platform_get_irq() returns 0 +on error, while actually it returns a negative error code (with all the +other values considered valid IRQs). Rewrite the driver's IRQ checking code +to pass the positive IRQ #s to ata_host_activate(), propagate upstream +-EPROBE_DEFER, and set up the driver to polling mode on (negative) errors +and IRQ0 (libata treats IRQ #0 as a polling mode anyway)... + +Fixes: a480167b23ef ("pata_arasan_cf: Adding support for arasan compact flash host controller") +Signed-off-by: Sergey Shtylyov +Acked-by: Viresh Kumar +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_arasan_cf.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c +index b4d54771c9fe..623199fab8fe 100644 +--- a/drivers/ata/pata_arasan_cf.c ++++ b/drivers/ata/pata_arasan_cf.c +@@ -819,12 +819,19 @@ static int arasan_cf_probe(struct platform_device *pdev) + else + quirk = CF_BROKEN_UDMA; /* as it is on spear1340 */ + +- /* if irq is 0, support only PIO */ +- acdev->irq = platform_get_irq(pdev, 0); +- if (acdev->irq) ++ /* ++ * If there's an error getting IRQ (or we do get IRQ0), ++ * support only PIO ++ */ ++ ret = platform_get_irq(pdev, 0); ++ if (ret > 0) { ++ acdev->irq = ret; + irq_handler = arasan_cf_interrupt; +- else ++ } else if (ret == -EPROBE_DEFER) { ++ return ret; ++ } else { + quirk |= CF_BROKEN_MWDMA | CF_BROKEN_UDMA; ++ } + + acdev->pbase = res->start; + acdev->vbase = devm_ioremap_nocache(&pdev->dev, res->start, +-- +2.30.2 + diff --git a/queue-4.14/pata_ipx4xx_cf-fix-irq-check.patch b/queue-4.14/pata_ipx4xx_cf-fix-irq-check.patch new file mode 100644 index 00000000000..7ba7f74ff77 --- /dev/null +++ b/queue-4.14/pata_ipx4xx_cf-fix-irq-check.patch @@ -0,0 +1,45 @@ +From 91e4354367a6c9f2b19b5b802bcef9b4d9913b39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 23:51:10 +0300 +Subject: pata_ipx4xx_cf: fix IRQ check + +From: Sergey Shtylyov + +[ Upstream commit e379b40cc0f179403ce0b82b7e539f635a568da5 ] + +The driver's probe() method is written as if platform_get_irq() returns 0 +on error, while actually it returns a negative error code (with all the +other values considered valid IRQs). Rewrite the driver's IRQ checking +code to pass the positive IRQ #s to ata_host_activate(), propagate errors +upstream, and treat IRQ0 as error, returning -EINVAL, as the libata code +treats 0 as an indication that polling should be used anyway... + +Fixes: 0df0d0a0ea9f ("[libata] ARM: add ixp4xx PATA driver") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_ixp4xx_cf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/pata_ixp4xx_cf.c b/drivers/ata/pata_ixp4xx_cf.c +index 0b0d93065f5a..867621f8c387 100644 +--- a/drivers/ata/pata_ixp4xx_cf.c ++++ b/drivers/ata/pata_ixp4xx_cf.c +@@ -169,8 +169,12 @@ static int ixp4xx_pata_probe(struct platform_device *pdev) + return -ENOMEM; + + irq = platform_get_irq(pdev, 0); +- if (irq) ++ if (irq > 0) + irq_set_irq_type(irq, IRQ_TYPE_EDGE_RISING); ++ else if (irq < 0) ++ return irq; ++ else ++ return -EINVAL; + + /* Setup expansion bus chip selects */ + *data->cs0_cfg = data->cs0_bits; +-- +2.30.2 + diff --git a/queue-4.14/perf-symbols-fix-dso__fprintf_symbols_by_name-to-ret.patch b/queue-4.14/perf-symbols-fix-dso__fprintf_symbols_by_name-to-ret.patch new file mode 100644 index 00000000000..9e0872aba06 --- /dev/null +++ b/queue-4.14/perf-symbols-fix-dso__fprintf_symbols_by_name-to-ret.patch @@ -0,0 +1,44 @@ +From 6d1bc96f859b3e6ecd9b9f95d68a7421c01c3c97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 11:17:51 -0300 +Subject: perf symbols: Fix dso__fprintf_symbols_by_name() to return the number + of printed chars + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 210e4c89ef61432040c6cd828fefa441f4887186 ] + +The 'ret' variable was initialized to zero but then it was not updated +from the fprintf() return, fix it. + +Reported-by: Yang Li +cc: Alexander Shishkin +cc: Ingo Molnar +cc: Jiri Olsa +cc: Mark Rutland +cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Srikar Dronamraju +Fixes: 90f18e63fbd00513 ("perf symbols: List symbols in a dso in ascending name order") +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol_fprintf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/symbol_fprintf.c b/tools/perf/util/symbol_fprintf.c +index 6dd2cb88ccbe..d6ed44bd1eba 100644 +--- a/tools/perf/util/symbol_fprintf.c ++++ b/tools/perf/util/symbol_fprintf.c +@@ -66,7 +66,7 @@ size_t dso__fprintf_symbols_by_name(struct dso *dso, + + for (nd = rb_first(&dso->symbol_names[type]); nd; nd = rb_next(nd)) { + pos = rb_entry(nd, struct symbol_name_rb_node, rb_node); +- fprintf(fp, "%s\n", pos->sym.name); ++ ret += fprintf(fp, "%s\n", pos->sym.name); + } + + return ret; +-- +2.30.2 + diff --git a/queue-4.14/phy-marvell-armada375_usbcluster_phy-should-not-defa.patch b/queue-4.14/phy-marvell-armada375_usbcluster_phy-should-not-defa.patch new file mode 100644 index 00000000000..9b715cfdb92 --- /dev/null +++ b/queue-4.14/phy-marvell-armada375_usbcluster_phy-should-not-defa.patch @@ -0,0 +1,41 @@ +From 7f71dc04e1e5a300df6dee40bf8913d4499fbdef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Feb 2021 16:02:52 +0100 +Subject: phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, + unconditionally + +From: Geert Uytterhoeven + +[ Upstream commit 6cb17707aad869de163d7bf42c253caf501be4e2 ] + +Merely enabling CONFIG_COMPILE_TEST should not enable additional code. +To fix this, restrict the automatic enabling of ARMADA375_USBCLUSTER_PHY +to MACH_ARMADA_375, and ask the user in case of compile-testing. + +Fixes: eee47538ec1f2619 ("phy: add support for USB cluster on the Armada 375 SoC") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20210208150252.424706-1-geert+renesas@glider.be +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/marvell/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/marvell/Kconfig b/drivers/phy/marvell/Kconfig +index 68e321225400..ed4d3904e53f 100644 +--- a/drivers/phy/marvell/Kconfig ++++ b/drivers/phy/marvell/Kconfig +@@ -2,8 +2,8 @@ + # Phy drivers for Marvell platforms + # + config ARMADA375_USBCLUSTER_PHY +- def_bool y +- depends on MACH_ARMADA_375 || COMPILE_TEST ++ bool "Armada 375 USB cluster PHY support" if COMPILE_TEST ++ default y if MACH_ARMADA_375 + depends on OF && HAS_IOMEM + select GENERIC_PHY + +-- +2.30.2 + diff --git a/queue-4.14/platform-x86-pmc_atom-match-all-beckhoff-automation-.patch b/queue-4.14/platform-x86-pmc_atom-match-all-beckhoff-automation-.patch new file mode 100644 index 00000000000..099c8934c08 --- /dev/null +++ b/queue-4.14/platform-x86-pmc_atom-match-all-beckhoff-automation-.patch @@ -0,0 +1,74 @@ +From ff6000a8524b2e56fd03509011276582025a09d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Apr 2021 15:30:06 +0200 +Subject: platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards + with critclk_systems DMI table + +From: Steffen Dirkwinkel + +[ Upstream commit d21e5abd3a005253eb033090aab2e43bce090d89 ] + +pmc_plt_clk* clocks are used for ethernet controllers, so need to stay +turned on. This adds the affected board family to critclk_systems DMI +table, so the clocks are marked as CLK_CRITICAL and not turned off. + +This replaces the previously listed boards with a match for the whole +device family CBxx63. CBxx63 matches only baytrail devices. +There are new affected boards that would otherwise need to be listed. +There are unaffected boards in the family, but having the clocks +turned on is not an issue. + +Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") +Reviewed-by: Andy Shevchenko +Signed-off-by: Steffen Dirkwinkel +Link: https://lore.kernel.org/r/20210412133006.397679-1-linux-kernel-dev@beckhoff.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 28 ++-------------------------- + 1 file changed, 2 insertions(+), 26 deletions(-) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index 92205b90c25c..d1d5ec3c0f14 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -453,34 +453,10 @@ static const struct dmi_system_id critclk_systems[] = { + }, + { + /* pmc_plt_clk* - are used for ethernet controllers */ +- .ident = "Beckhoff CB3163", ++ .ident = "Beckhoff Baytrail", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), +- DMI_MATCH(DMI_BOARD_NAME, "CB3163"), +- }, +- }, +- { +- /* pmc_plt_clk* - are used for ethernet controllers */ +- .ident = "Beckhoff CB4063", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), +- DMI_MATCH(DMI_BOARD_NAME, "CB4063"), +- }, +- }, +- { +- /* pmc_plt_clk* - are used for ethernet controllers */ +- .ident = "Beckhoff CB6263", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), +- DMI_MATCH(DMI_BOARD_NAME, "CB6263"), +- }, +- }, +- { +- /* pmc_plt_clk* - are used for ethernet controllers */ +- .ident = "Beckhoff CB6363", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"), +- DMI_MATCH(DMI_BOARD_NAME, "CB6363"), ++ DMI_MATCH(DMI_PRODUCT_FAMILY, "CBxx63"), + }, + }, + { +-- +2.30.2 + diff --git a/queue-4.14/powerpc-52xx-fix-an-invalid-asm-expression-addi-used.patch b/queue-4.14/powerpc-52xx-fix-an-invalid-asm-expression-addi-used.patch new file mode 100644 index 00000000000..f68387e5c1b --- /dev/null +++ b/queue-4.14/powerpc-52xx-fix-an-invalid-asm-expression-addi-used.patch @@ -0,0 +1,47 @@ +From 87e2051ea43f11ea5db8aacd538855717bc5e64f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Apr 2021 17:24:03 +0000 +Subject: powerpc/52xx: Fix an invalid ASM expression ('addi' used instead of + 'add') + +From: Christophe Leroy + +[ Upstream commit 8a87a507714386efc39c3ae6fa24d4f79846b522 ] + + AS arch/powerpc/platforms/52xx/lite5200_sleep.o +arch/powerpc/platforms/52xx/lite5200_sleep.S: Assembler messages: +arch/powerpc/platforms/52xx/lite5200_sleep.S:184: Warning: invalid register expression + +In the following code, 'addi' is wrong, has to be 'add' + + /* local udelay in sram is needed */ + udelay: /* r11 - tb_ticks_per_usec, r12 - usecs, overwrites r13 */ + mullw r12, r12, r11 + mftb r13 /* start */ + addi r12, r13, r12 /* end */ + +Fixes: ee983079ce04 ("[POWERPC] MPC5200 low power mode") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/cb4cec9131c8577803367f1699209a7e104cec2a.1619025821.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/52xx/lite5200_sleep.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/52xx/lite5200_sleep.S b/arch/powerpc/platforms/52xx/lite5200_sleep.S +index 3a9969c429b3..054f927bfef9 100644 +--- a/arch/powerpc/platforms/52xx/lite5200_sleep.S ++++ b/arch/powerpc/platforms/52xx/lite5200_sleep.S +@@ -181,7 +181,7 @@ sram_code: + udelay: /* r11 - tb_ticks_per_usec, r12 - usecs, overwrites r13 */ + mullw r12, r12, r11 + mftb r13 /* start */ +- addi r12, r13, r12 /* end */ ++ add r12, r13, r12 /* end */ + 1: + mftb r13 /* current */ + cmp cr0, r13, r12 +-- +2.30.2 + diff --git a/queue-4.14/powerpc-fix-have_hardlockup_detector_arch-build-conf.patch b/queue-4.14/powerpc-fix-have_hardlockup_detector_arch-build-conf.patch new file mode 100644 index 00000000000..a44f9534597 --- /dev/null +++ b/queue-4.14/powerpc-fix-have_hardlockup_detector_arch-build-conf.patch @@ -0,0 +1,54 @@ +From 938fde73e8cbad403f3226124e315be0557cb967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Mar 2021 09:49:00 +0000 +Subject: powerpc: Fix HAVE_HARDLOCKUP_DETECTOR_ARCH build configuration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Huang + +[ Upstream commit 4fe529449d85e78972fa327999961ecc83a0b6db ] + +When compiling the powerpc with the SMP disabled, it shows the issue: + +arch/powerpc/kernel/watchdog.c: In function ‘watchdog_smp_panic’: +arch/powerpc/kernel/watchdog.c:177:4: error: implicit declaration of function ‘smp_send_nmi_ipi’; did you mean ‘smp_send_stop’? [-Werror=implicit-function-declaration] + 177 | smp_send_nmi_ipi(c, wd_lockup_ipi, 1000000); + | ^~~~~~~~~~~~~~~~ + | smp_send_stop +cc1: all warnings being treated as errors +make[2]: *** [scripts/Makefile.build:273: arch/powerpc/kernel/watchdog.o] Error 1 +make[1]: *** [scripts/Makefile.build:534: arch/powerpc/kernel] Error 2 +make: *** [Makefile:1980: arch/powerpc] Error 2 +make: *** Waiting for unfinished jobs.... + +We found that powerpc used ipi to implement hardlockup watchdog, so the +HAVE_HARDLOCKUP_DETECTOR_ARCH should depend on the SMP. + +Fixes: 2104180a5369 ("powerpc/64s: implement arch-specific hardlockup watchdog") +Reported-by: Hulk Robot +Signed-off-by: Chen Huang +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210327094900.938555-1-chenhuang5@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index fff11a5bb805..3fcfa8534156 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -208,7 +208,7 @@ config PPC + select HAVE_MEMBLOCK_NODE_MAP + select HAVE_MOD_ARCH_SPECIFIC + select HAVE_NMI if PERF_EVENTS || (PPC64 && PPC_BOOK3S) +- select HAVE_HARDLOCKUP_DETECTOR_ARCH if (PPC64 && PPC_BOOK3S) ++ select HAVE_HARDLOCKUP_DETECTOR_ARCH if PPC64 && PPC_BOOK3S && SMP + select HAVE_OPROFILE + select HAVE_OPTPROBES if PPC64 + select HAVE_PERF_EVENTS +-- +2.30.2 + diff --git a/queue-4.14/powerpc-iommu-fix-build-when-neither-pci-or-ibmvio-i.patch b/queue-4.14/powerpc-iommu-fix-build-when-neither-pci-or-ibmvio-i.patch new file mode 100644 index 00000000000..6f5574b263d --- /dev/null +++ b/queue-4.14/powerpc-iommu-fix-build-when-neither-pci-or-ibmvio-i.patch @@ -0,0 +1,44 @@ +From 4895f472a736783891d8d3d654f9f0c3320cc129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Apr 2021 12:26:23 -0700 +Subject: powerpc: iommu: fix build when neither PCI or IBMVIO is set + +From: Randy Dunlap + +[ Upstream commit b27dadecdf9102838331b9a0b41ffc1cfe288154 ] + +When neither CONFIG_PCI nor CONFIG_IBMVIO is set/enabled, iommu.c has a +build error. The fault injection code is not useful in that kernel config, +so make the FAIL_IOMMU option depend on PCI || IBMVIO. + +Prevents this build error (warning escalated to error): +../arch/powerpc/kernel/iommu.c:178:30: error: 'fail_iommu_bus_notifier' defined but not used [-Werror=unused-variable] + 178 | static struct notifier_block fail_iommu_bus_notifier = { + +Fixes: d6b9a81b2a45 ("powerpc: IOMMU fault injection") +Reported-by: kernel test robot +Suggested-by: Michael Ellerman +Signed-off-by: Randy Dunlap +Acked-by: Randy Dunlap # build-tested +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210404192623.10697-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig.debug | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug +index be1c8c5beb61..762bb08b0f59 100644 +--- a/arch/powerpc/Kconfig.debug ++++ b/arch/powerpc/Kconfig.debug +@@ -349,6 +349,7 @@ config PPC_EARLY_DEBUG_CPM_ADDR + config FAIL_IOMMU + bool "Fault-injection capability for IOMMU" + depends on FAULT_INJECTION ++ depends on PCI || IBMVIO + help + Provide fault-injection capability for IOMMU. Each device can + be selectively enabled via the fail_iommu property. +-- +2.30.2 + diff --git a/queue-4.14/powerpc-perf-fix-pmu-constraint-check-for-ebb-events.patch b/queue-4.14/powerpc-perf-fix-pmu-constraint-check-for-ebb-events.patch new file mode 100644 index 00000000000..64c667f809d --- /dev/null +++ b/queue-4.14/powerpc-perf-fix-pmu-constraint-check-for-ebb-events.patch @@ -0,0 +1,66 @@ +From 09b05eb0e71892cd80b820ddfe076d02237251b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 12:16:01 -0400 +Subject: powerpc/perf: Fix PMU constraint check for EBB events + +From: Athira Rajeev + +[ Upstream commit 10f8f96179ecc7f69c927f6d231f6d02736cea83 ] + +The power PMU group constraints includes check for EBB events to make +sure all events in a group must agree on EBB. This will prevent +scheduling EBB and non-EBB events together. But in the existing check, +settings for constraint mask and value is interchanged. Patch fixes the +same. + +Before the patch, PMU selftest "cpu_event_pinned_vs_ebb_test" fails with +below in dmesg logs. This happens because EBB event gets enabled along +with a non-EBB cpu event. + + [35600.453346] cpu_event_pinne[41326]: illegal instruction (4) + at 10004a18 nip 10004a18 lr 100049f8 code 1 in + cpu_event_pinned_vs_ebb_test[10000000+10000] + +Test results after the patch: + + $ ./pmu/ebb/cpu_event_pinned_vs_ebb_test + test: cpu_event_pinned_vs_ebb + tags: git_version:v5.12-rc5-93-gf28c3125acd3-dirty + Binding to cpu 8 + EBB Handler is at 0x100050c8 + read error on event 0x7fffe6bd4040! + PM_RUN_INST_CMPL: result 9872 running/enabled 37930432 + success: cpu_event_pinned_vs_ebb + +This bug was hidden by other logic until commit 1908dc911792 (perf: +Tweak perf_event_attr::exclusive semantics). + +Fixes: 4df489991182 ("powerpc/perf: Add power8 EBB support") +Reported-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Athira Rajeev +[mpe: Mention commit 1908dc911792] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1617725761-1464-1-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/isa207-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c +index dd9f88fed63c..24a78565bca6 100644 +--- a/arch/powerpc/perf/isa207-common.c ++++ b/arch/powerpc/perf/isa207-common.c +@@ -361,8 +361,8 @@ ebb_bhrb: + * EBB events are pinned & exclusive, so this should never actually + * hit, but we leave it as a fallback in case. + */ +- mask |= CNST_EBB_VAL(ebb); +- value |= CNST_EBB_MASK; ++ mask |= CNST_EBB_MASK; ++ value |= CNST_EBB_VAL(ebb); + + *maskp = mask; + *valp = value; +-- +2.30.2 + diff --git a/queue-4.14/powerpc-prom-mark-identical_pvr_fixup-as-__init.patch b/queue-4.14/powerpc-prom-mark-identical_pvr_fixup-as-__init.patch new file mode 100644 index 00000000000..ec7f6381a23 --- /dev/null +++ b/queue-4.14/powerpc-prom-mark-identical_pvr_fixup-as-__init.patch @@ -0,0 +1,60 @@ +From e20bc2690e957ac604a8a63a3d94ac9744163559 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 13:08:29 -0700 +Subject: powerpc/prom: Mark identical_pvr_fixup as __init + +From: Nathan Chancellor + +[ Upstream commit 1ef1dd9c7ed27b080445e1576e8a05957e0e4dfc ] + +If identical_pvr_fixup() is not inlined, there are two modpost warnings: + +WARNING: modpost: vmlinux.o(.text+0x54e8): Section mismatch in reference +from the function identical_pvr_fixup() to the function +.init.text:of_get_flat_dt_prop() +The function identical_pvr_fixup() references +the function __init of_get_flat_dt_prop(). +This is often because identical_pvr_fixup lacks a __init +annotation or the annotation of of_get_flat_dt_prop is wrong. + +WARNING: modpost: vmlinux.o(.text+0x551c): Section mismatch in reference +from the function identical_pvr_fixup() to the function +.init.text:identify_cpu() +The function identical_pvr_fixup() references +the function __init identify_cpu(). +This is often because identical_pvr_fixup lacks a __init +annotation or the annotation of identify_cpu is wrong. + +identical_pvr_fixup() calls two functions marked as __init and is only +called by a function marked as __init so it should be marked as __init +as well. At the same time, remove the inline keywork as it is not +necessary to inline this function. The compiler is still free to do so +if it feels it is worthwhile since commit 889b3c1245de ("compiler: +remove CONFIG_OPTIMIZE_INLINING entirely"). + +Fixes: 14b3d926a22b ("[POWERPC] 4xx: update 440EP(x)/440GR(x) identical PVR issue workaround") +Signed-off-by: Nathan Chancellor +Signed-off-by: Michael Ellerman +Link: https://github.com/ClangBuiltLinux/linux/issues/1316 +Link: https://lore.kernel.org/r/20210302200829.2680663-1-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/prom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c +index bbe9c57dd1a3..99409d0420d2 100644 +--- a/arch/powerpc/kernel/prom.c ++++ b/arch/powerpc/kernel/prom.c +@@ -265,7 +265,7 @@ static struct feature_property { + }; + + #if defined(CONFIG_44x) && defined(CONFIG_PPC_FPU) +-static inline void identical_pvr_fixup(unsigned long node) ++static __init void identical_pvr_fixup(unsigned long node) + { + unsigned int pvr; + const char *model = of_get_flat_dt_prop(node, "model", NULL); +-- +2.30.2 + diff --git a/queue-4.14/powerpc-pseries-extract-host-bridge-from-pci_bus-pri.patch b/queue-4.14/powerpc-pseries-extract-host-bridge-from-pci_bus-pri.patch new file mode 100644 index 00000000000..6526006bebf --- /dev/null +++ b/queue-4.14/powerpc-pseries-extract-host-bridge-from-pci_bus-pri.patch @@ -0,0 +1,51 @@ +From 86aee92df58c181973aa121018cc23fa5892eb1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 12:24:35 -0600 +Subject: powerpc/pseries: extract host bridge from pci_bus prior to bus + removal + +From: Tyrel Datwyler + +[ Upstream commit 38d0b1c9cec71e6d0f3bddef0bbce41d05a3e796 ] + +The pci_bus->bridge reference may no longer be valid after +pci_bus_remove() resulting in passing a bad value to device_unregister() +for the associated bridge device. + +Store the host_bridge reference in a separate variable prior to +pci_bus_remove(). + +Fixes: 7340056567e3 ("powerpc/pci: Reorder pci bus/bridge unregistration during PHB removal") +Signed-off-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210211182435.47968-1-tyreld@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/pci_dlpar.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/pci_dlpar.c b/arch/powerpc/platforms/pseries/pci_dlpar.c +index 561917fa54a8..afca4b737e80 100644 +--- a/arch/powerpc/platforms/pseries/pci_dlpar.c ++++ b/arch/powerpc/platforms/pseries/pci_dlpar.c +@@ -66,6 +66,7 @@ EXPORT_SYMBOL_GPL(init_phb_dynamic); + int remove_phb_dynamic(struct pci_controller *phb) + { + struct pci_bus *b = phb->bus; ++ struct pci_host_bridge *host_bridge = to_pci_host_bridge(b->bridge); + struct resource *res; + int rc, i; + +@@ -92,7 +93,8 @@ int remove_phb_dynamic(struct pci_controller *phb) + /* Remove the PCI bus and unregister the bridge device from sysfs */ + phb->bus = NULL; + pci_remove_bus(b); +- device_unregister(b->bridge); ++ host_bridge->bus = NULL; ++ device_unregister(&host_bridge->dev); + + /* Now release the IO resource */ + if (res->flags & IORESOURCE_IO) +-- +2.30.2 + diff --git a/queue-4.14/rdma-i40iw-fix-error-unwinding-when-i40iw_hmc_sd_one.patch b/queue-4.14/rdma-i40iw-fix-error-unwinding-when-i40iw_hmc_sd_one.patch new file mode 100644 index 00000000000..6ed64d82d68 --- /dev/null +++ b/queue-4.14/rdma-i40iw-fix-error-unwinding-when-i40iw_hmc_sd_one.patch @@ -0,0 +1,58 @@ +From 8843f26d55cf7dd5ea6a4aee0155c121acc5a570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 19:21:04 -0500 +Subject: RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails + +From: Sindhu Devale + +[ Upstream commit 783a11bf2400e5d5c42a943c3083dc0330751842 ] + +When i40iw_hmc_sd_one fails, chunk is freed without the deletion of chunk +entry in the PBLE info list. + +Fix it by adding the chunk entry to the PBLE info list only after +successful addition of SD in i40iw_hmc_sd_one. + +This fixes a static checker warning reported here: + https://lore.kernel.org/linux-rdma/YHV4CFXzqTm23AOZ@mwanda/ + +Fixes: 9715830157be ("i40iw: add pble resource files") +Link: https://lore.kernel.org/r/20210416002104.323-1-shiraz.saleem@intel.com +Reported-by: Dan Carpenter +Signed-off-by: Sindhu Devale +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/i40iw/i40iw_pble.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_pble.c b/drivers/infiniband/hw/i40iw/i40iw_pble.c +index 540aab5e502d..3fafc5424e76 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_pble.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_pble.c +@@ -392,12 +392,9 @@ static enum i40iw_status_code add_pble_pool(struct i40iw_sc_dev *dev, + i40iw_debug(dev, I40IW_DEBUG_PBLE, "next_fpm_addr = %llx chunk_size[%u] = 0x%x\n", + pble_rsrc->next_fpm_addr, chunk->size, chunk->size); + pble_rsrc->unallocated_pble -= (chunk->size >> 3); +- list_add(&chunk->list, &pble_rsrc->pinfo.clist); + sd_reg_val = (sd_entry_type == I40IW_SD_TYPE_PAGED) ? + sd_entry->u.pd_table.pd_page_addr.pa : sd_entry->u.bp.addr.pa; +- if (sd_entry->valid) +- return 0; +- if (dev->is_pf) { ++ if (dev->is_pf && !sd_entry->valid) { + ret_code = i40iw_hmc_sd_one(dev, hmc_info->hmc_fn_id, + sd_reg_val, idx->sd_idx, + sd_entry->entry_type, true); +@@ -408,6 +405,7 @@ static enum i40iw_status_code add_pble_pool(struct i40iw_sc_dev *dev, + } + + sd_entry->valid = true; ++ list_add(&chunk->list, &pble_rsrc->pinfo.clist); + return 0; + error: + kfree(chunk); +-- +2.30.2 + diff --git a/queue-4.14/rtlwifi-8821ae-upgrade-phy-and-rf-parameters.patch b/queue-4.14/rtlwifi-8821ae-upgrade-phy-and-rf-parameters.patch new file mode 100644 index 00000000000..096148fdd53 --- /dev/null +++ b/queue-4.14/rtlwifi-8821ae-upgrade-phy-and-rf-parameters.patch @@ -0,0 +1,830 @@ +From 9f4b7f7aa60307b56c97bf1f60f622432f22cca7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Feb 2021 13:26:07 +0800 +Subject: rtlwifi: 8821ae: upgrade PHY and RF parameters + +From: Ping-Ke Shih + +[ Upstream commit 18fb0bedb5fc2fddc057dbe48b7360a6ffda34b3 ] + +The signal strength of 5G is quite low, so user can't connect to an AP far +away. New parameters with new format and its parser are updated by the commit +84d26fda52e2 ("rtlwifi: Update 8821ae new phy parameters and its parser."), but +some parameters are missing. Use this commit to update to the novel parameters +that use new format. + +Fixes: 84d26fda52e2 ("rtlwifi: Update 8821ae new phy parameters and its parser") +Signed-off-by: Ping-Ke Shih +Tested-by: Kai-Heng Feng +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210219052607.7323-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + .../realtek/rtlwifi/rtl8821ae/table.c | 500 +++++++++++++----- + 1 file changed, 370 insertions(+), 130 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c +index 408c4611e5de..607bb7601892 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c +@@ -273,7 +273,7 @@ u32 RTL8821AE_PHY_REG_ARRAY[] = { + 0x824, 0x00030FE0, + 0x828, 0x00000000, + 0x82C, 0x002081DD, +- 0x830, 0x2AAA8E24, ++ 0x830, 0x2AAAEEC8, + 0x834, 0x0037A706, + 0x838, 0x06489B44, + 0x83C, 0x0000095B, +@@ -348,10 +348,10 @@ u32 RTL8821AE_PHY_REG_ARRAY[] = { + 0x9D8, 0x00000000, + 0x9DC, 0x00000000, + 0x9E0, 0x00005D00, +- 0x9E4, 0x00000002, ++ 0x9E4, 0x00000003, + 0x9E8, 0x00000001, + 0xA00, 0x00D047C8, +- 0xA04, 0x01FF000C, ++ 0xA04, 0x01FF800C, + 0xA08, 0x8C8A8300, + 0xA0C, 0x2E68000F, + 0xA10, 0x9500BB78, +@@ -1347,7 +1347,11 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x083, 0x00021800, + 0x084, 0x00028000, + 0x085, 0x00048000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, ++ 0x086, 0x0009483A, ++ 0xA0000000, 0x00000000, + 0x086, 0x00094838, ++ 0xB0000000, 0x00000000, + 0x087, 0x00044980, + 0x088, 0x00048000, + 0x089, 0x0000D480, +@@ -1436,36 +1440,32 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x03C, 0x000CA000, + 0x0EF, 0x00000000, + 0x0EF, 0x00001100, +- 0xFF0F0104, 0xABCD, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x0004ADF3, + 0x034, 0x00049DF0, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x0004ADF3, + 0x034, 0x00049DF0, +- 0xFF0F0404, 0xCDEF, +- 0x034, 0x0004ADF3, +- 0x034, 0x00049DF0, +- 0xFF0F0200, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x0004ADF5, + 0x034, 0x00049DF2, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x0004A0F3, ++ 0x034, 0x000490B1, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x0004A0F3, + 0x034, 0x000490B1, +- 0xCDCDCDCD, 0xCDCD, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x0004ADF5, ++ 0x034, 0x00049DF2, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x0004ADF3, ++ 0x034, 0x00049DF0, ++ 0xA0000000, 0x00000000, + 0x034, 0x0004ADF7, + 0x034, 0x00049DF3, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F0104, 0xABCD, +- 0x034, 0x00048DED, +- 0x034, 0x00047DEA, +- 0x034, 0x00046DE7, +- 0x034, 0x00045CE9, +- 0x034, 0x00044CE6, +- 0x034, 0x000438C6, +- 0x034, 0x00042886, +- 0x034, 0x00041486, +- 0x034, 0x00040447, +- 0xFF0F0204, 0xCDEF, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00048DED, + 0x034, 0x00047DEA, + 0x034, 0x00046DE7, +@@ -1475,7 +1475,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00042886, + 0x034, 0x00041486, + 0x034, 0x00040447, +- 0xFF0F0404, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00048DED, + 0x034, 0x00047DEA, + 0x034, 0x00046DE7, +@@ -1485,7 +1485,17 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00042886, + 0x034, 0x00041486, + 0x034, 0x00040447, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x000480AE, ++ 0x034, 0x000470AB, ++ 0x034, 0x0004608B, ++ 0x034, 0x00045069, ++ 0x034, 0x00044048, ++ 0x034, 0x00043045, ++ 0x034, 0x00042026, ++ 0x034, 0x00041023, ++ 0x034, 0x00040002, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x000480AE, + 0x034, 0x000470AB, + 0x034, 0x0004608B, +@@ -1495,7 +1505,17 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00042026, + 0x034, 0x00041023, + 0x034, 0x00040002, +- 0xCDCDCDCD, 0xCDCD, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x00048DED, ++ 0x034, 0x00047DEA, ++ 0x034, 0x00046DE7, ++ 0x034, 0x00045CE9, ++ 0x034, 0x00044CE6, ++ 0x034, 0x000438C6, ++ 0x034, 0x00042886, ++ 0x034, 0x00041486, ++ 0x034, 0x00040447, ++ 0xA0000000, 0x00000000, + 0x034, 0x00048DEF, + 0x034, 0x00047DEC, + 0x034, 0x00046DE9, +@@ -1505,38 +1525,36 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x0004248A, + 0x034, 0x0004108D, + 0x034, 0x0004008A, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F0200, 0xABCD, ++ 0xB0000000, 0x00000000, ++ 0x80000210, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x0002ADF4, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x0002A0F3, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x0002A0F3, +- 0xCDCDCDCD, 0xCDCD, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x0002ADF4, ++ 0xA0000000, 0x00000000, + 0x034, 0x0002ADF7, +- 0xFF0F0200, 0xDEAD, +- 0xFF0F0104, 0xABCD, +- 0x034, 0x00029DF4, +- 0xFF0F0204, 0xCDEF, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00029DF4, +- 0xFF0F0404, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00029DF4, +- 0xFF0F0200, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00029DF1, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x000290F0, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x000290F0, +- 0xCDCDCDCD, 0xCDCD, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x00029DF1, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x00029DF4, ++ 0xA0000000, 0x00000000, + 0x034, 0x00029DF2, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F0104, 0xABCD, +- 0x034, 0x00028DF1, +- 0x034, 0x00027DEE, +- 0x034, 0x00026DEB, +- 0x034, 0x00025CEC, +- 0x034, 0x00024CE9, +- 0x034, 0x000238CA, +- 0x034, 0x00022889, +- 0x034, 0x00021489, +- 0x034, 0x0002044A, +- 0xFF0F0204, 0xCDEF, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00028DF1, + 0x034, 0x00027DEE, + 0x034, 0x00026DEB, +@@ -1546,7 +1564,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00022889, + 0x034, 0x00021489, + 0x034, 0x0002044A, +- 0xFF0F0404, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00028DF1, + 0x034, 0x00027DEE, + 0x034, 0x00026DEB, +@@ -1556,7 +1574,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00022889, + 0x034, 0x00021489, + 0x034, 0x0002044A, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x000280AF, + 0x034, 0x000270AC, + 0x034, 0x0002608B, +@@ -1566,7 +1584,27 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00022026, + 0x034, 0x00021023, + 0x034, 0x00020002, +- 0xCDCDCDCD, 0xCDCD, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x000280AF, ++ 0x034, 0x000270AC, ++ 0x034, 0x0002608B, ++ 0x034, 0x00025069, ++ 0x034, 0x00024048, ++ 0x034, 0x00023045, ++ 0x034, 0x00022026, ++ 0x034, 0x00021023, ++ 0x034, 0x00020002, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x00028DF1, ++ 0x034, 0x00027DEE, ++ 0x034, 0x00026DEB, ++ 0x034, 0x00025CEC, ++ 0x034, 0x00024CE9, ++ 0x034, 0x000238CA, ++ 0x034, 0x00022889, ++ 0x034, 0x00021489, ++ 0x034, 0x0002044A, ++ 0xA0000000, 0x00000000, + 0x034, 0x00028DEE, + 0x034, 0x00027DEB, + 0x034, 0x00026CCD, +@@ -1576,27 +1614,24 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00022849, + 0x034, 0x00021449, + 0x034, 0x0002004D, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F02C0, 0xABCD, ++ 0xB0000000, 0x00000000, ++ 0x8000020c, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x0000A0D7, ++ 0x034, 0x000090D3, ++ 0x034, 0x000080B1, ++ 0x034, 0x000070AE, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x0000A0D7, + 0x034, 0x000090D3, + 0x034, 0x000080B1, + 0x034, 0x000070AE, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x034, 0x0000ADF7, + 0x034, 0x00009DF4, + 0x034, 0x00008DF1, + 0x034, 0x00007DEE, +- 0xFF0F02C0, 0xDEAD, +- 0xFF0F0104, 0xABCD, +- 0x034, 0x00006DEB, +- 0x034, 0x00005CEC, +- 0x034, 0x00004CE9, +- 0x034, 0x000038CA, +- 0x034, 0x00002889, +- 0x034, 0x00001489, +- 0x034, 0x0000044A, +- 0xFF0F0204, 0xCDEF, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00006DEB, + 0x034, 0x00005CEC, + 0x034, 0x00004CE9, +@@ -1604,7 +1639,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00002889, + 0x034, 0x00001489, + 0x034, 0x0000044A, +- 0xFF0F0404, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x00006DEB, + 0x034, 0x00005CEC, + 0x034, 0x00004CE9, +@@ -1612,7 +1647,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00002889, + 0x034, 0x00001489, + 0x034, 0x0000044A, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, + 0x034, 0x0000608D, + 0x034, 0x0000506B, + 0x034, 0x0000404A, +@@ -1620,7 +1655,23 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00002044, + 0x034, 0x00001025, + 0x034, 0x00000004, +- 0xCDCDCDCD, 0xCDCD, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x0000608D, ++ 0x034, 0x0000506B, ++ 0x034, 0x0000404A, ++ 0x034, 0x00003047, ++ 0x034, 0x00002044, ++ 0x034, 0x00001025, ++ 0x034, 0x00000004, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, ++ 0x034, 0x00006DEB, ++ 0x034, 0x00005CEC, ++ 0x034, 0x00004CE9, ++ 0x034, 0x000038CA, ++ 0x034, 0x00002889, ++ 0x034, 0x00001489, ++ 0x034, 0x0000044A, ++ 0xA0000000, 0x00000000, + 0x034, 0x00006DCD, + 0x034, 0x00005CCD, + 0x034, 0x00004CCA, +@@ -1628,11 +1679,11 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x034, 0x00002888, + 0x034, 0x00001488, + 0x034, 0x00000486, +- 0xFF0F0104, 0xDEAD, ++ 0xB0000000, 0x00000000, + 0x0EF, 0x00000000, + 0x018, 0x0001712A, + 0x0EF, 0x00000040, +- 0xFF0F0104, 0xABCD, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x035, 0x00000187, + 0x035, 0x00008187, + 0x035, 0x00010187, +@@ -1642,7 +1693,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x035, 0x00040188, + 0x035, 0x00048188, + 0x035, 0x00050188, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x035, 0x00000187, + 0x035, 0x00008187, + 0x035, 0x00010187, +@@ -1652,7 +1703,37 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x035, 0x00040188, + 0x035, 0x00048188, + 0x035, 0x00050188, +- 0xFF0F0404, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, ++ 0x035, 0x00000128, ++ 0x035, 0x00008128, ++ 0x035, 0x00010128, ++ 0x035, 0x000201C8, ++ 0x035, 0x000281C8, ++ 0x035, 0x000301C8, ++ 0x035, 0x000401C8, ++ 0x035, 0x000481C8, ++ 0x035, 0x000501C8, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x035, 0x00000145, ++ 0x035, 0x00008145, ++ 0x035, 0x00010145, ++ 0x035, 0x00020196, ++ 0x035, 0x00028196, ++ 0x035, 0x00030196, ++ 0x035, 0x000401C7, ++ 0x035, 0x000481C7, ++ 0x035, 0x000501C7, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x035, 0x00000128, ++ 0x035, 0x00008128, ++ 0x035, 0x00010128, ++ 0x035, 0x000201C8, ++ 0x035, 0x000281C8, ++ 0x035, 0x000301C8, ++ 0x035, 0x000401C8, ++ 0x035, 0x000481C8, ++ 0x035, 0x000501C8, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, + 0x035, 0x00000187, + 0x035, 0x00008187, + 0x035, 0x00010187, +@@ -1662,7 +1743,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x035, 0x00040188, + 0x035, 0x00048188, + 0x035, 0x00050188, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x035, 0x00000145, + 0x035, 0x00008145, + 0x035, 0x00010145, +@@ -1672,11 +1753,11 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x035, 0x000401C7, + 0x035, 0x000481C7, + 0x035, 0x000501C7, +- 0xFF0F0104, 0xDEAD, ++ 0xB0000000, 0x00000000, + 0x0EF, 0x00000000, + 0x018, 0x0001712A, + 0x0EF, 0x00000010, +- 0xFF0F0104, 0xABCD, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x036, 0x00085733, + 0x036, 0x0008D733, + 0x036, 0x00095733, +@@ -1689,7 +1770,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x036, 0x000CE4B4, + 0x036, 0x000D64B4, + 0x036, 0x000DE4B4, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x036, 0x00085733, + 0x036, 0x0008D733, + 0x036, 0x00095733, +@@ -1702,7 +1783,46 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x036, 0x000CE4B4, + 0x036, 0x000D64B4, + 0x036, 0x000DE4B4, +- 0xFF0F0404, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, ++ 0x036, 0x000063B5, ++ 0x036, 0x0000E3B5, ++ 0x036, 0x000163B5, ++ 0x036, 0x0001E3B5, ++ 0x036, 0x000263B5, ++ 0x036, 0x0002E3B5, ++ 0x036, 0x000363B5, ++ 0x036, 0x0003E3B5, ++ 0x036, 0x000463B5, ++ 0x036, 0x0004E3B5, ++ 0x036, 0x000563B5, ++ 0x036, 0x0005E3B5, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x036, 0x000056B3, ++ 0x036, 0x0000D6B3, ++ 0x036, 0x000156B3, ++ 0x036, 0x0001D6B3, ++ 0x036, 0x00026634, ++ 0x036, 0x0002E634, ++ 0x036, 0x00036634, ++ 0x036, 0x0003E634, ++ 0x036, 0x000467B4, ++ 0x036, 0x0004E7B4, ++ 0x036, 0x000567B4, ++ 0x036, 0x0005E7B4, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x036, 0x000063B5, ++ 0x036, 0x0000E3B5, ++ 0x036, 0x000163B5, ++ 0x036, 0x0001E3B5, ++ 0x036, 0x000263B5, ++ 0x036, 0x0002E3B5, ++ 0x036, 0x000363B5, ++ 0x036, 0x0003E3B5, ++ 0x036, 0x000463B5, ++ 0x036, 0x0004E3B5, ++ 0x036, 0x000563B5, ++ 0x036, 0x0005E3B5, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, + 0x036, 0x00085733, + 0x036, 0x0008D733, + 0x036, 0x00095733, +@@ -1715,7 +1835,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x036, 0x000CE4B4, + 0x036, 0x000D64B4, + 0x036, 0x000DE4B4, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x036, 0x000056B3, + 0x036, 0x0000D6B3, + 0x036, 0x000156B3, +@@ -1728,103 +1848,162 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x036, 0x0004E7B4, + 0x036, 0x000567B4, + 0x036, 0x0005E7B4, +- 0xFF0F0104, 0xDEAD, ++ 0xB0000000, 0x00000000, + 0x0EF, 0x00000000, + 0x0EF, 0x00000008, +- 0xFF0F0104, 0xABCD, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x03C, 0x000001C8, + 0x03C, 0x00000492, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x03C, 0x000001C8, + 0x03C, 0x00000492, +- 0xFF0F0404, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, ++ 0x03C, 0x000001B6, ++ 0x03C, 0x00000492, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x03C, 0x0000022A, ++ 0x03C, 0x00000594, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x03C, 0x000001B6, ++ 0x03C, 0x00000492, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, + 0x03C, 0x000001C8, + 0x03C, 0x00000492, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x03C, 0x0000022A, + 0x03C, 0x00000594, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F0104, 0xABCD, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x03C, 0x00000800, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x03C, 0x00000800, +- 0xFF0F0404, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, + 0x03C, 0x00000800, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, + 0x03C, 0x00000820, +- 0xCDCDCDCD, 0xCDCD, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x03C, 0x00000820, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x03C, 0x00000800, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, ++ 0x03C, 0x00000800, ++ 0xA0000000, 0x00000000, + 0x03C, 0x00000900, +- 0xFF0F0104, 0xDEAD, ++ 0xB0000000, 0x00000000, + 0x0EF, 0x00000000, + 0x018, 0x0001712A, + 0x0EF, 0x00000002, +- 0xFF0F0104, 0xABCD, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x008, 0x0004E400, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x008, 0x0004E400, +- 0xFF0F0404, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, ++ 0x008, 0x00002000, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, ++ 0x008, 0x00002000, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x008, 0x00002000, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x008, 0x00002000, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, + 0x008, 0x0004E400, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x008, 0x00002000, +- 0xFF0F0104, 0xDEAD, ++ 0xB0000000, 0x00000000, + 0x0EF, 0x00000000, + 0x0DF, 0x000000C0, +- 0x01F, 0x00040064, +- 0xFF0F0104, 0xABCD, ++ 0x01F, 0x00000064, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x058, 0x000A7284, + 0x059, 0x000600EC, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x058, 0x000A7284, + 0x059, 0x000600EC, +- 0xFF0F0404, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, ++ 0x058, 0x00081184, ++ 0x059, 0x0006016C, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x058, 0x00081184, ++ 0x059, 0x0006016C, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x058, 0x00081184, ++ 0x059, 0x0006016C, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, + 0x058, 0x000A7284, + 0x059, 0x000600EC, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x058, 0x00081184, + 0x059, 0x0006016C, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F0104, 0xABCD, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x061, 0x000E8D73, + 0x062, 0x00093FC5, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x061, 0x000E8D73, + 0x062, 0x00093FC5, +- 0xFF0F0404, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, ++ 0x061, 0x000EFD83, ++ 0x062, 0x00093FCC, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x061, 0x000EAD53, ++ 0x062, 0x00093BC4, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x061, 0x000EFD83, ++ 0x062, 0x00093FCC, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, + 0x061, 0x000E8D73, + 0x062, 0x00093FC5, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x061, 0x000EAD53, + 0x062, 0x00093BC4, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F0104, 0xABCD, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, + 0x063, 0x000110E9, +- 0xFF0F0204, 0xCDEF, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, + 0x063, 0x000110E9, +- 0xFF0F0404, 0xCDEF, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, ++ 0x063, 0x000110EB, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, + 0x063, 0x000110E9, +- 0xFF0F0200, 0xCDEF, +- 0x063, 0x000710E9, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, + 0x063, 0x000110E9, +- 0xCDCDCDCD, 0xCDCD, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x063, 0x000110EB, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, ++ 0x063, 0x000110E9, ++ 0xA0000000, 0x00000000, + 0x063, 0x000714E9, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F0104, 0xABCD, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, ++ 0x064, 0x0001C27C, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, ++ 0x064, 0x0001C27C, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, + 0x064, 0x0001C27C, +- 0xFF0F0204, 0xCDEF, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x064, 0x0001C67C, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, + 0x064, 0x0001C27C, +- 0xFF0F0404, 0xCDEF, ++ 0x90000410, 0x00000000, 0x40000000, 0x00000000, + 0x064, 0x0001C27C, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x064, 0x0001C67C, +- 0xFF0F0104, 0xDEAD, +- 0xFF0F0200, 0xABCD, ++ 0xB0000000, 0x00000000, ++ 0x80000111, 0x00000000, 0x40000000, 0x00000000, ++ 0x065, 0x00091016, ++ 0x90000110, 0x00000000, 0x40000000, 0x00000000, ++ 0x065, 0x00091016, ++ 0x90000210, 0x00000000, 0x40000000, 0x00000000, + 0x065, 0x00093016, +- 0xFF0F02C0, 0xCDEF, ++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000, + 0x065, 0x00093015, +- 0xCDCDCDCD, 0xCDCD, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, ++ 0x065, 0x00093015, ++ 0x90000200, 0x00000000, 0x40000000, 0x00000000, ++ 0x065, 0x00093016, ++ 0xA0000000, 0x00000000, + 0x065, 0x00091016, +- 0xFF0F0200, 0xDEAD, ++ 0xB0000000, 0x00000000, + 0x018, 0x00000006, + 0x0EF, 0x00002000, + 0x03B, 0x0003824B, +@@ -1922,9 +2101,10 @@ u32 RTL8821AE_RADIOA_ARRAY[] = { + 0x0B4, 0x0001214C, + 0x0B7, 0x0003000C, + 0x01C, 0x000539D2, ++ 0x0C4, 0x000AFE00, + 0x018, 0x0001F12A, +- 0x0FE, 0x00000000, +- 0x0FE, 0x00000000, ++ 0xFFE, 0x00000000, ++ 0xFFE, 0x00000000, + 0x018, 0x0001712A, + + }; +@@ -2044,6 +2224,7 @@ u32 RTL8812AE_MAC_REG_ARRAY[] = { + u32 RTL8812AE_MAC_1T_ARRAYLEN = sizeof(RTL8812AE_MAC_REG_ARRAY) / sizeof(u32); + + u32 RTL8821AE_MAC_REG_ARRAY[] = { ++ 0x421, 0x0000000F, + 0x428, 0x0000000A, + 0x429, 0x00000010, + 0x430, 0x00000000, +@@ -2513,7 +2694,7 @@ u32 RTL8821AE_AGC_TAB_ARRAY[] = { + 0x81C, 0xA6360001, + 0x81C, 0xA5380001, + 0x81C, 0xA43A0001, +- 0x81C, 0xA33C0001, ++ 0x81C, 0x683C0001, + 0x81C, 0x673E0001, + 0x81C, 0x66400001, + 0x81C, 0x65420001, +@@ -2547,7 +2728,66 @@ u32 RTL8821AE_AGC_TAB_ARRAY[] = { + 0x81C, 0x017A0001, + 0x81C, 0x017C0001, + 0x81C, 0x017E0001, +- 0xFF0F02C0, 0xABCD, ++ 0x8000020c, 0x00000000, 0x40000000, 0x00000000, ++ 0x81C, 0xFB000101, ++ 0x81C, 0xFA020101, ++ 0x81C, 0xF9040101, ++ 0x81C, 0xF8060101, ++ 0x81C, 0xF7080101, ++ 0x81C, 0xF60A0101, ++ 0x81C, 0xF50C0101, ++ 0x81C, 0xF40E0101, ++ 0x81C, 0xF3100101, ++ 0x81C, 0xF2120101, ++ 0x81C, 0xF1140101, ++ 0x81C, 0xF0160101, ++ 0x81C, 0xEF180101, ++ 0x81C, 0xEE1A0101, ++ 0x81C, 0xED1C0101, ++ 0x81C, 0xEC1E0101, ++ 0x81C, 0xEB200101, ++ 0x81C, 0xEA220101, ++ 0x81C, 0xE9240101, ++ 0x81C, 0xE8260101, ++ 0x81C, 0xE7280101, ++ 0x81C, 0xE62A0101, ++ 0x81C, 0xE52C0101, ++ 0x81C, 0xE42E0101, ++ 0x81C, 0xE3300101, ++ 0x81C, 0xA5320101, ++ 0x81C, 0xA4340101, ++ 0x81C, 0xA3360101, ++ 0x81C, 0x87380101, ++ 0x81C, 0x863A0101, ++ 0x81C, 0x853C0101, ++ 0x81C, 0x843E0101, ++ 0x81C, 0x69400101, ++ 0x81C, 0x68420101, ++ 0x81C, 0x67440101, ++ 0x81C, 0x66460101, ++ 0x81C, 0x49480101, ++ 0x81C, 0x484A0101, ++ 0x81C, 0x474C0101, ++ 0x81C, 0x2A4E0101, ++ 0x81C, 0x29500101, ++ 0x81C, 0x28520101, ++ 0x81C, 0x27540101, ++ 0x81C, 0x26560101, ++ 0x81C, 0x25580101, ++ 0x81C, 0x245A0101, ++ 0x81C, 0x235C0101, ++ 0x81C, 0x055E0101, ++ 0x81C, 0x04600101, ++ 0x81C, 0x03620101, ++ 0x81C, 0x02640101, ++ 0x81C, 0x01660101, ++ 0x81C, 0x01680101, ++ 0x81C, 0x016A0101, ++ 0x81C, 0x016C0101, ++ 0x81C, 0x016E0101, ++ 0x81C, 0x01700101, ++ 0x81C, 0x01720101, ++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000, + 0x81C, 0xFB000101, + 0x81C, 0xFA020101, + 0x81C, 0xF9040101, +@@ -2606,7 +2846,7 @@ u32 RTL8821AE_AGC_TAB_ARRAY[] = { + 0x81C, 0x016E0101, + 0x81C, 0x01700101, + 0x81C, 0x01720101, +- 0xCDCDCDCD, 0xCDCD, ++ 0xA0000000, 0x00000000, + 0x81C, 0xFF000101, + 0x81C, 0xFF020101, + 0x81C, 0xFE040101, +@@ -2665,7 +2905,7 @@ u32 RTL8821AE_AGC_TAB_ARRAY[] = { + 0x81C, 0x046E0101, + 0x81C, 0x03700101, + 0x81C, 0x02720101, +- 0xFF0F02C0, 0xDEAD, ++ 0xB0000000, 0x00000000, + 0x81C, 0x01740101, + 0x81C, 0x01760101, + 0x81C, 0x01780101, +-- +2.30.2 + diff --git a/queue-4.14/sata_mv-add-irq-checks.patch b/queue-4.14/sata_mv-add-irq-checks.patch new file mode 100644 index 00000000000..bc6f452cb6b --- /dev/null +++ b/queue-4.14/sata_mv-add-irq-checks.patch @@ -0,0 +1,47 @@ +From a012266521461b2369da02d8ff530a448985805f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Mar 2021 00:13:49 +0300 +Subject: sata_mv: add IRQ checks + +From: Sergey Shtylyov + +[ Upstream commit e6471a65fdd5efbb8dd2732dd0f063f960685ceb ] + +The function mv_platform_probe() neglects to check the results of the +calls to platform_get_irq() and irq_of_parse_and_map() and blithely +passes them to ata_host_activate() -- while the latter only checks +for IRQ0 (treating it as a polling mode indicattion) and passes the +negative values to devm_request_irq() causing it to fail as it takes +unsigned values for the IRQ #... + +Add to mv_platform_probe() the proper IRQ checks to pass the positive IRQ +#s to ata_host_activate(), propagate upstream the negative error codes, +and override the IRQ0 with -EINVAL (as we don't want the polling mode). + +Fixes: f351b2d638c3 ("sata_mv: Support SoC controllers") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/51436f00-27a1-e20b-c21b-0e817e0a7c86@omprussia.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_mv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c +index d85965bab2e2..6059b030678b 100644 +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -4112,6 +4112,10 @@ static int mv_platform_probe(struct platform_device *pdev) + n_ports = mv_platform_data->n_ports; + irq = platform_get_irq(pdev, 0); + } ++ if (irq < 0) ++ return irq; ++ if (!irq) ++ return -EINVAL; + + host = ata_host_alloc_pinfo(&pdev->dev, ppi, n_ports); + hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL); +-- +2.30.2 + diff --git a/queue-4.14/scsi-jazz_esp-add-irq-check.patch b/queue-4.14/scsi-jazz_esp-add-irq-check.patch new file mode 100644 index 00000000000..c755ef6181d --- /dev/null +++ b/queue-4.14/scsi-jazz_esp-add-irq-check.patch @@ -0,0 +1,41 @@ +From e83ad3ed3a8c4c87e1c2c2fbf4312a6a3b117117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 20:43:23 +0300 +Subject: scsi: jazz_esp: Add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 38fca15c29db6ed06e894ac194502633e2a7d1fb ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to request_irq() (which takes +*unsigned* IRQ #), causing it to fail with -EINVAL, overriding the real +error code. Stop calling request_irq() with the invalid IRQ #s. + +Link: https://lore.kernel.org/r/594aa9ae-2215-49f6-f73c-33bd38989912@omprussia.ru +Fixes: 352e921f0dd4 ("[SCSI] jazz_esp: converted to use esp_core") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/jazz_esp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/jazz_esp.c b/drivers/scsi/jazz_esp.c +index 9aaa74e349cc..65f0dbfc3a45 100644 +--- a/drivers/scsi/jazz_esp.c ++++ b/drivers/scsi/jazz_esp.c +@@ -170,7 +170,9 @@ static int esp_jazz_probe(struct platform_device *dev) + if (!esp->command_block) + goto fail_unmap_regs; + +- host->irq = platform_get_irq(dev, 0); ++ host->irq = err = platform_get_irq(dev, 0); ++ if (err < 0) ++ goto fail_unmap_command_block; + err = request_irq(host->irq, scsi_esp_intr, IRQF_SHARED, "ESP", esp); + if (err < 0) + goto fail_unmap_command_block; +-- +2.30.2 + diff --git a/queue-4.14/scsi-sni_53c710-add-irq-check.patch b/queue-4.14/scsi-sni_53c710-add-irq-check.patch new file mode 100644 index 00000000000..a53cbd5dc7c --- /dev/null +++ b/queue-4.14/scsi-sni_53c710-add-irq-check.patch @@ -0,0 +1,49 @@ +From 3e729516a0542ccb88f81002c1e6015ff228da30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 20:45:12 +0300 +Subject: scsi: sni_53c710: Add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 1160d61bc51e87e509cfaf9da50a0060f67b6de4 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to request_irq() (which takes +*unsigned* IRQ #s), causing it to fail with -EINVAL (overridden by -ENODEV +further below). Stop calling request_irq() with the invalid IRQ #s. + +Link: https://lore.kernel.org/r/8f4b8fa5-8251-b977-70a1-9099bcb4bb17@omprussia.ru +Fixes: c27d85f3f3c5 ("[SCSI] SNI RM 53c710 driver") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sni_53c710.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sni_53c710.c b/drivers/scsi/sni_53c710.c +index 3102a75984d3..aed91afb79b6 100644 +--- a/drivers/scsi/sni_53c710.c ++++ b/drivers/scsi/sni_53c710.c +@@ -71,6 +71,7 @@ static int snirm710_probe(struct platform_device *dev) + struct NCR_700_Host_Parameters *hostdata; + struct Scsi_Host *host; + struct resource *res; ++ int rc; + + res = platform_get_resource(dev, IORESOURCE_MEM, 0); + if (!res) +@@ -96,7 +97,9 @@ static int snirm710_probe(struct platform_device *dev) + goto out_kfree; + host->this_id = 7; + host->base = base; +- host->irq = platform_get_irq(dev, 0); ++ host->irq = rc = platform_get_irq(dev, 0); ++ if (rc < 0) ++ goto out_put_host; + if(request_irq(host->irq, NCR_700_intr, IRQF_SHARED, "snirm710", host)) { + printk(KERN_ERR "snirm710: request_irq failed!\n"); + goto out_put_host; +-- +2.30.2 + diff --git a/queue-4.14/scsi-sun3x_esp-add-irq-check.patch b/queue-4.14/scsi-sun3x_esp-add-irq-check.patch new file mode 100644 index 00000000000..85f165ea37f --- /dev/null +++ b/queue-4.14/scsi-sun3x_esp-add-irq-check.patch @@ -0,0 +1,41 @@ +From ee9a8fbabdf270560421994ec7ee8a729679ef55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 20:44:08 +0300 +Subject: scsi: sun3x_esp: Add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 14b321380eb333c82853d7d612d0995f05f88fdc ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to request_irq() (which takes +*unsigned* IRQ #), causing it to fail with -EINVAL, overriding the real +error code. Stop calling request_irq() with the invalid IRQ #s. + +Link: https://lore.kernel.org/r/363eb4c8-a3bf-4dc9-2a9e-90f349030a15@omprussia.ru +Fixes: 0bb67f181834 ("[SCSI] sun3x_esp: convert to esp_scsi") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sun3x_esp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sun3x_esp.c b/drivers/scsi/sun3x_esp.c +index d50c5ed8f428..167ae2d29e47 100644 +--- a/drivers/scsi/sun3x_esp.c ++++ b/drivers/scsi/sun3x_esp.c +@@ -233,7 +233,9 @@ static int esp_sun3x_probe(struct platform_device *dev) + if (!esp->command_block) + goto fail_unmap_regs_dma; + +- host->irq = platform_get_irq(dev, 0); ++ host->irq = err = platform_get_irq(dev, 0); ++ if (err < 0) ++ goto fail_unmap_command_block; + err = request_irq(host->irq, scsi_esp_intr, IRQF_SHARED, + "SUN3X ESP", esp); + if (err < 0) +-- +2.30.2 + diff --git a/queue-4.14/serial-stm32-fix-incorrect-characters-on-console.patch b/queue-4.14/serial-stm32-fix-incorrect-characters-on-console.patch new file mode 100644 index 00000000000..4eb8f91f8f8 --- /dev/null +++ b/queue-4.14/serial-stm32-fix-incorrect-characters-on-console.patch @@ -0,0 +1,59 @@ +From d467bbaae539fc7003a2ea81161dd58f864ffd27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Mar 2021 17:22:58 +0100 +Subject: serial: stm32: fix incorrect characters on console + +From: Erwan Le Ray + +[ Upstream commit f264c6f6aece81a9f8fbdf912b20bd3feb476a7a ] + +Incorrect characters are observed on console during boot. This issue occurs +when init/main.c is modifying termios settings to open /dev/console on the +rootfs. + +This patch adds a waiting loop in set_termios to wait for TX shift register +empty (and TX FIFO if any) before stopping serial port. + +Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver") +Signed-off-by: Erwan Le Ray +Link: https://lore.kernel.org/r/20210304162308.8984-4-erwan.leray@foss.st.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/stm32-usart.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c +index 1e854e1851fb..6ad982cf31fc 100644 +--- a/drivers/tty/serial/stm32-usart.c ++++ b/drivers/tty/serial/stm32-usart.c +@@ -499,8 +499,9 @@ static void stm32_set_termios(struct uart_port *port, struct ktermios *termios, + unsigned int baud; + u32 usartdiv, mantissa, fraction, oversampling; + tcflag_t cflag = termios->c_cflag; +- u32 cr1, cr2, cr3; ++ u32 cr1, cr2, cr3, isr; + unsigned long flags; ++ int ret; + + if (!stm32_port->hw_flow_control) + cflag &= ~CRTSCTS; +@@ -509,6 +510,15 @@ static void stm32_set_termios(struct uart_port *port, struct ktermios *termios, + + spin_lock_irqsave(&port->lock, flags); + ++ ret = readl_relaxed_poll_timeout_atomic(port->membase + ofs->isr, ++ isr, ++ (isr & USART_SR_TC), ++ 10, 100000); ++ ++ /* Send the TC error message only when ISR_TC is not set. */ ++ if (ret) ++ dev_err(port->dev, "Transmission is not complete\n"); ++ + /* Stop serial port and reset value */ + writel_relaxed(0, port->membase + ofs->cr1); + +-- +2.30.2 + diff --git a/queue-4.14/serial-stm32-fix-tx_empty-condition.patch b/queue-4.14/serial-stm32-fix-tx_empty-condition.patch new file mode 100644 index 00000000000..4cf2e58613f --- /dev/null +++ b/queue-4.14/serial-stm32-fix-tx_empty-condition.patch @@ -0,0 +1,61 @@ +From ea12d624944cc311326dd85469ec63431865c91f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Mar 2021 17:23:07 +0100 +Subject: serial: stm32: fix tx_empty condition + +From: Erwan Le Ray + +[ Upstream commit 3db1d52466dc11dca4e47ef12a6e6e97f846af62 ] + +In "tx_empty", we should poll TC bit in both DMA and PIO modes (instead of +TXE) to check transmission data register has been transmitted independently +of the FIFO mode. TC indicates that both transmit register and shift +register are empty. When shift register is empty, tx_empty should return +TIOCSER_TEMT instead of TC value. + +Cleans the USART_CR_TC TCCF register define (transmission complete clear +flag) as it is duplicate of USART_ICR_TCCF. + +Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver") +Signed-off-by: Erwan Le Ray +Link: https://lore.kernel.org/r/20210304162308.8984-13-erwan.leray@foss.st.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/stm32-usart.c | 5 ++++- + drivers/tty/serial/stm32-usart.h | 3 --- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c +index 6ad982cf31fc..a10335e904ea 100644 +--- a/drivers/tty/serial/stm32-usart.c ++++ b/drivers/tty/serial/stm32-usart.c +@@ -365,7 +365,10 @@ static unsigned int stm32_tx_empty(struct uart_port *port) + struct stm32_port *stm32_port = to_stm32_port(port); + struct stm32_usart_offsets *ofs = &stm32_port->info->ofs; + +- return readl_relaxed(port->membase + ofs->isr) & USART_SR_TXE; ++ if (readl_relaxed(port->membase + ofs->isr) & USART_SR_TC) ++ return TIOCSER_TEMT; ++ ++ return 0; + } + + static void stm32_set_mctrl(struct uart_port *port, unsigned int mctrl) +diff --git a/drivers/tty/serial/stm32-usart.h b/drivers/tty/serial/stm32-usart.h +index 9d087881913a..55142df8e24b 100644 +--- a/drivers/tty/serial/stm32-usart.h ++++ b/drivers/tty/serial/stm32-usart.h +@@ -123,9 +123,6 @@ struct stm32_usart_info stm32h7_info = { + /* Dummy bits */ + #define USART_SR_DUMMY_RX BIT(16) + +-/* USART_ICR (F7) */ +-#define USART_CR_TC BIT(6) +- + /* USART_DR */ + #define USART_DR_MASK GENMASK(8, 0) + +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 21f64bfc82c..2c09b7f0245 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -139,3 +139,93 @@ kvm-s390-vsie-fix-mvpg-handling-for-prefixing-and-mso.patch kvm-s390-split-kvm_s390_real_to_abs.patch kvm-s390-extend-kvm_s390_shadow_fault-to-return-entry-pointer.patch usb-gadget-pch_udc-revert-d3cb25a12138-completely.patch +memory-gpmc-fix-out-of-bounds-read-and-dereference-o.patch +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-28183 +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-2983 +serial-stm32-fix-incorrect-characters-on-console.patch +serial-stm32-fix-tx_empty-condition.patch +usb-typec-tcpci-check-role_control-while-interpretin.patch +x86-microcode-check-for-offline-cpus-before-requesti.patch +usb-gadget-pch_udc-replace-cpu_to_le32-by-lower_32_b.patch +usb-gadget-pch_udc-check-if-driver-is-present-before.patch +usb-gadget-pch_udc-check-for-dma-mapping-error.patch +crypto-qat-don-t-release-uninitialized-resources.patch +crypto-qat-adf_status_pf_running-should-be-set-after.patch +fotg210-udc-fix-dma-on-ep0-for-length-max-packet-siz.patch +fotg210-udc-fix-ep0-in-requests-bigger-than-two-pack.patch +fotg210-udc-remove-a-dubious-condition-leading-to-fo.patch +fotg210-udc-mask-grp2-interrupts-we-don-t-handle.patch +fotg210-udc-don-t-dma-more-than-the-buffer-can-take.patch +fotg210-udc-complete-out-requests-on-short-packets.patch +mtd-require-write-permissions-for-locking-and-badblo.patch +bus-qcom-put-child-node-before-return.patch +phy-marvell-armada375_usbcluster_phy-should-not-defa.patch +crypto-qat-fix-error-path-in-adf_isr_resource_alloc.patch +usb-gadget-udc-fix-wrong-pointer-passed-to-is_err-an.patch +mtd-rawnand-gpmi-fix-a-double-free-in-gpmi_nand_init.patch +staging-rtl8192u-fix-potential-infinite-loop.patch +staging-greybus-uart-fix-unprivileged-tioccserial.patch +spi-fix-use-after-free-with-devm_spi_alloc_.patch +soc-qcom-mdt_loader-validate-that-p_filesz-p_memsz.patch +soc-qcom-mdt_loader-detect-truncated-read-of-segment.patch +acpi-cppc-replace-cppc_attr-with-kobj_attribute.patch +crypto-qat-fix-a-double-free-in-adf_create_ring.patch +usb-gadget-r8a66597-add-missing-null-check-on-return.patch +usb-cdc-acm-fix-unprivileged-tioccserial.patch +tty-actually-undefine-superseded-async-flags.patch +tty-fix-return-value-for-unsupported-ioctls.patch +firmware-qcom-scm-fix-qcom_scm-configuration.patch +platform-x86-pmc_atom-match-all-beckhoff-automation-.patch +x86-platform-uv-fix-kexec-build-failure.patch +drivers-hv-vmbus-increase-wait-time-for-vmbus-unload.patch +ttyprintk-add-tty-hangup-callback.patch +media-vivid-fix-assignment-of-dev-fbuf_out_flags.patch +media-omap4iss-return-error-code-when-omap4iss_get-f.patch +media-m88rs6000t-avoid-potential-out-of-bounds-reads.patch +x86-kprobes-fix-to-check-non-boostable-prefixes-corr.patch +pata_arasan_cf-fix-irq-check.patch +pata_ipx4xx_cf-fix-irq-check.patch +sata_mv-add-irq-checks.patch +ata-libahci_platform-fix-irq-check.patch +vfio-mdev-do-not-allow-a-mdev_type-to-have-a-null-pa.patch +clk-uniphier-fix-potential-infinite-loop.patch +scsi-jazz_esp-add-irq-check.patch +scsi-sun3x_esp-add-irq-check.patch +scsi-sni_53c710-add-irq-check.patch +mfd-stm32-timers-avoid-clearing-auto-reload-register.patch +hsi-core-fix-resource-leaks-in-hsi_add_client_from_d.patch +x86-events-amd-iommu-fix-sysfs-type-mismatch.patch +hid-plantronics-workaround-for-double-volume-key-pre.patch +perf-symbols-fix-dso__fprintf_symbols_by_name-to-ret.patch +net-lapbether-prevent-racing-when-checking-whether-t.patch +powerpc-prom-mark-identical_pvr_fixup-as-__init.patch +powerpc-fix-have_hardlockup_detector_arch-build-conf.patch +alsa-core-remove-redundant-spin_lock-pair-in-snd_car.patch +bug-remove-redundant-condition-check-in-report_bug.patch +nfc-pn533-prevent-potential-memory-corruption.patch +alsa-usb-audio-add-error-checks-for-usb_driver_claim.patch +liquidio-fix-unintented-sign-extension-of-a-left-shi.patch +powerpc-perf-fix-pmu-constraint-check-for-ebb-events.patch +powerpc-iommu-fix-build-when-neither-pci-or-ibmvio-i.patch +mac80211-bail-out-if-cipher-schemes-are-invalid.patch +mt7601u-fix-always-true-expression.patch +ib-hfi1-fix-error-return-code-in-parse_platform_conf.patch +net-thunderx-fix-unintentional-sign-extension-issue.patch +i2c-cadence-add-irq-check.patch +i2c-emev2-add-irq-check.patch +i2c-jz4780-add-irq-check.patch +i2c-sh7760-add-irq-check.patch +mips-pci-legacy-stop-using-of_pci_range_to_resource.patch +powerpc-pseries-extract-host-bridge-from-pci_bus-pri.patch +rtlwifi-8821ae-upgrade-phy-and-rf-parameters.patch +i2c-sh7760-fix-irq-error-path.patch +mwl8k-fix-a-double-free-in-mwl8k_probe_hw.patch +vsock-vmci-log-once-the-failed-queue-pair-allocation.patch +rdma-i40iw-fix-error-unwinding-when-i40iw_hmc_sd_one.patch +net-davinci_emac-fix-incorrect-masking-of-tx-and-rx-.patch +ath9k-fix-error-check-in-ath9k_hw_read_revisions-for.patch +powerpc-52xx-fix-an-invalid-asm-expression-addi-used.patch +net-emac-emac-mac-fix-a-use-after-free-in-emac_mac_t.patch +net-nfc-digital-fix-a-double-free-in-digital_tg_recv.patch +kfifo-fix-ternary-sign-extension-bugs.patch diff --git a/queue-4.14/soc-qcom-mdt_loader-detect-truncated-read-of-segment.patch b/queue-4.14/soc-qcom-mdt_loader-detect-truncated-read-of-segment.patch new file mode 100644 index 00000000000..d90ba2076af --- /dev/null +++ b/queue-4.14/soc-qcom-mdt_loader-detect-truncated-read-of-segment.patch @@ -0,0 +1,48 @@ +From 41a10c364a485c9a4733287d4fc3d9c6ea630f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 15:25:26 -0800 +Subject: soc: qcom: mdt_loader: Detect truncated read of segments + +From: Bjorn Andersson + +[ Upstream commit 0648c55e3a21ccd816e99b6600d6199fbf39d23a ] + +Given that no validation of how much data the firmware loader read in +for a given segment truncated segment files would best case result in a +hash verification failure, without any indication of what went wrong. + +Improve this by validating that the firmware loader did return the +amount of data requested. + +Fixes: 445c2410a449 ("soc: qcom: mdt_loader: Use request_firmware_into_buf()") +Reviewed-by: Sibi Sankar +Link: https://lore.kernel.org/r/20210107232526.716989-1-bjorn.andersson@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/mdt_loader.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c +index 17cba12cdf61..9155b1c75cfb 100644 +--- a/drivers/soc/qcom/mdt_loader.c ++++ b/drivers/soc/qcom/mdt_loader.c +@@ -193,6 +193,15 @@ int qcom_mdt_load(struct device *dev, const struct firmware *fw, + break; + } + ++ if (seg_fw->size != phdr->p_filesz) { ++ dev_err(dev, ++ "failed to load segment %d from truncated file %s\n", ++ i, fw_name); ++ release_firmware(seg_fw); ++ ret = -EINVAL; ++ break; ++ } ++ + release_firmware(seg_fw); + } + +-- +2.30.2 + diff --git a/queue-4.14/soc-qcom-mdt_loader-validate-that-p_filesz-p_memsz.patch b/queue-4.14/soc-qcom-mdt_loader-validate-that-p_filesz-p_memsz.patch new file mode 100644 index 00000000000..324a8cfaa78 --- /dev/null +++ b/queue-4.14/soc-qcom-mdt_loader-validate-that-p_filesz-p_memsz.patch @@ -0,0 +1,45 @@ +From ed7eb8d80b065c2ab99e70db8f21d31b902fb19e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 15:31:19 -0800 +Subject: soc: qcom: mdt_loader: Validate that p_filesz < p_memsz + +From: Bjorn Andersson + +[ Upstream commit 84168d1b54e76a1bcb5192991adde5176abe02e3 ] + +The code validates that segments of p_memsz bytes of a segment will fit +in the provided memory region, but does not validate that p_filesz bytes +will, which means that an incorrectly crafted ELF header might write +beyond the provided memory region. + +Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") +Reviewed-by: Sibi Sankar +Link: https://lore.kernel.org/r/20210107233119.717173-1-bjorn.andersson@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/mdt_loader.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c +index 08bd8549242a..17cba12cdf61 100644 +--- a/drivers/soc/qcom/mdt_loader.c ++++ b/drivers/soc/qcom/mdt_loader.c +@@ -174,6 +174,14 @@ int qcom_mdt_load(struct device *dev, const struct firmware *fw, + break; + } + ++ if (phdr->p_filesz > phdr->p_memsz) { ++ dev_err(dev, ++ "refusing to load segment %d with p_filesz > p_memsz\n", ++ i); ++ ret = -EINVAL; ++ break; ++ } ++ + ptr = mem_region + offset; + + if (phdr->p_filesz) { +-- +2.30.2 + diff --git a/queue-4.14/spi-fix-use-after-free-with-devm_spi_alloc_.patch b/queue-4.14/spi-fix-use-after-free-with-devm_spi_alloc_.patch new file mode 100644 index 00000000000..a86ba1baa71 --- /dev/null +++ b/queue-4.14/spi-fix-use-after-free-with-devm_spi_alloc_.patch @@ -0,0 +1,96 @@ +From 3c24ff2a94d02a09ee1904dac035350b1e5346f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 02:55:27 -0700 +Subject: spi: Fix use-after-free with devm_spi_alloc_* + +From: William A. Kennington III + +[ Upstream commit 794aaf01444d4e765e2b067cba01cc69c1c68ed9 ] + +We can't rely on the contents of the devres list during +spi_unregister_controller(), as the list is already torn down at the +time we perform devres_find() for devm_spi_release_controller. This +causes devices registered with devm_spi_alloc_{master,slave}() to be +mistakenly identified as legacy, non-devm managed devices and have their +reference counters decremented below 0. + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174 +[] (refcount_warn_saturate) from [] (kobject_put+0x90/0x98) +[] (kobject_put) from [] (put_device+0x20/0x24) + r4:b6700140 +[] (put_device) from [] (devm_spi_release_controller+0x3c/0x40) +[] (devm_spi_release_controller) from [] (release_nodes+0x84/0xc4) + r5:b6700180 r4:b6700100 +[] (release_nodes) from [] (devres_release_all+0x5c/0x60) + r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10 +[] (devres_release_all) from [] (__device_release_driver+0x144/0x1ec) + r5:b117ad94 r4:b163dc10 +[] (__device_release_driver) from [] (device_driver_detach+0x84/0xa0) + r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10 +[] (device_driver_detach) from [] (unbind_store+0xe4/0xf8) + +Instead, determine the devm allocation state as a flag on the +controller which is guaranteed to be stable during cleanup. + +Fixes: 5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation") +Signed-off-by: William A. Kennington III +Link: https://lore.kernel.org/r/20210407095527.2771582-1-wak@google.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 9 ++------- + include/linux/spi/spi.h | 3 +++ + 2 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index ca9970a63fdf..da71a53b0df7 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -2076,6 +2076,7 @@ struct spi_controller *__devm_spi_alloc_controller(struct device *dev, + + ctlr = __spi_alloc_controller(dev, size, slave); + if (ctlr) { ++ ctlr->devm_allocated = true; + *ptr = ctlr; + devres_add(dev, ptr); + } else { +@@ -2304,11 +2305,6 @@ int devm_spi_register_controller(struct device *dev, + } + EXPORT_SYMBOL_GPL(devm_spi_register_controller); + +-static int devm_spi_match_controller(struct device *dev, void *res, void *ctlr) +-{ +- return *(struct spi_controller **)res == ctlr; +-} +- + static int __unregister(struct device *dev, void *null) + { + spi_unregister_device(to_spi_device(dev)); +@@ -2353,8 +2349,7 @@ void spi_unregister_controller(struct spi_controller *ctlr) + /* Release the last reference on the controller if its driver + * has not yet been converted to devm_spi_alloc_master/slave(). + */ +- if (!devres_find(ctlr->dev.parent, devm_spi_release_controller, +- devm_spi_match_controller, ctlr)) ++ if (!ctlr->devm_allocated) + put_device(&ctlr->dev); + + /* free bus id */ +diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h +index 715bd276a041..a8f6606dd498 100644 +--- a/include/linux/spi/spi.h ++++ b/include/linux/spi/spi.h +@@ -452,6 +452,9 @@ struct spi_controller { + + #define SPI_MASTER_GPIO_SS BIT(5) /* GPIO CS must select slave */ + ++ /* flag indicating this is a non-devres managed controller */ ++ bool devm_allocated; ++ + /* flag indicating this is an SPI slave controller */ + bool slave; + +-- +2.30.2 + diff --git a/queue-4.14/staging-greybus-uart-fix-unprivileged-tioccserial.patch b/queue-4.14/staging-greybus-uart-fix-unprivileged-tioccserial.patch new file mode 100644 index 00000000000..a14e01cda3f --- /dev/null +++ b/queue-4.14/staging-greybus-uart-fix-unprivileged-tioccserial.patch @@ -0,0 +1,47 @@ +From 1aec9ccd2c50d2d8a4282bf73a01a81c51be6889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 12:23:24 +0200 +Subject: staging: greybus: uart: fix unprivileged TIOCCSERIAL + +From: Johan Hovold + +[ Upstream commit 60c6b305c11b5fd167ce5e2ce42f3a9098c388f0 ] + +TIOCSSERIAL is a horrid, underspecified, legacy interface which for most +serial devices is only useful for setting the close_delay and +closing_wait parameters. + +A non-privileged user has only ever been able to set the since long +deprecated ASYNC_SPD flags and trying to change any other *supported* +feature should result in -EPERM being returned. Setting the current +values for any supported features should return success. + +Fix the greybus implementation which instead indicated that the +TIOCSSERIAL ioctl was not even implemented when a non-privileged user +set the current values. + +Fixes: e68453ed28c5 ("greybus: uart-gb: now builds, more framework added") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407102334.32361-7-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/greybus/uart.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c +index 2b297df88bdd..b0b7d4a1cee4 100644 +--- a/drivers/staging/greybus/uart.c ++++ b/drivers/staging/greybus/uart.c +@@ -657,8 +657,6 @@ static int set_serial_info(struct gb_tty *gb_tty, + if ((close_delay != gb_tty->port.close_delay) || + (closing_wait != gb_tty->port.closing_wait)) + retval = -EPERM; +- else +- retval = -EOPNOTSUPP; + } else { + gb_tty->port.close_delay = close_delay; + gb_tty->port.closing_wait = closing_wait; +-- +2.30.2 + diff --git a/queue-4.14/staging-rtl8192u-fix-potential-infinite-loop.patch b/queue-4.14/staging-rtl8192u-fix-potential-infinite-loop.patch new file mode 100644 index 00000000000..fd67ab99b78 --- /dev/null +++ b/queue-4.14/staging-rtl8192u-fix-potential-infinite-loop.patch @@ -0,0 +1,41 @@ +From 55b47e0e8ded3ff3e1c99b74ef5c363621ca7e40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 16:03:08 +0100 +Subject: staging: rtl8192u: Fix potential infinite loop + +From: Colin Ian King + +[ Upstream commit f9b9263a25dc3d2eaaa829e207434db6951ca7bc ] + +The for-loop iterates with a u8 loop counter i and compares this +with the loop upper limit of riv->ieee80211->LinkDetectInfo.SlotNum +that is a u16 type. There is a potential infinite loop if SlotNum +is larger than the u8 loop counter. Fix this by making the loop +counter the same type as SlotNum. + +Addresses-Coverity: ("Infinite loop") +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20210407150308.496623-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/r8192U_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c +index b5941ae410d9..89ec4bb19e48 100644 +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -3418,7 +3418,7 @@ static void rtl819x_update_rxcounts(struct r8192_priv *priv, u32 *TotalRxBcnNum, + u32 *TotalRxDataNum) + { + u16 SlotIndex; +- u8 i; ++ u16 i; + + *TotalRxBcnNum = 0; + *TotalRxDataNum = 0; +-- +2.30.2 + diff --git a/queue-4.14/tty-actually-undefine-superseded-async-flags.patch b/queue-4.14/tty-actually-undefine-superseded-async-flags.patch new file mode 100644 index 00000000000..522fdd145a9 --- /dev/null +++ b/queue-4.14/tty-actually-undefine-superseded-async-flags.patch @@ -0,0 +1,49 @@ +From 3677e62e4a030e11682a60850f12ef8f580fdf84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 11:52:01 +0200 +Subject: tty: actually undefine superseded ASYNC flags + +From: Johan Hovold + +[ Upstream commit d09845e98a05850a8094ea8fd6dd09a8e6824fff ] + +Some kernel-internal ASYNC flags have been superseded by tty-port flags +and should no longer be used by kernel drivers. + +Fix the misspelled "__KERNEL__" compile guards which failed their sole +purpose to break out-of-tree drivers that have not yet been updated. + +Fixes: 5c0517fefc92 ("tty: core: Undefine ASYNC_* flags superceded by TTY_PORT* flags") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407095208.31838-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/uapi/linux/tty_flags.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/tty_flags.h b/include/uapi/linux/tty_flags.h +index 6ac609a00dea..31e106168ebb 100644 +--- a/include/uapi/linux/tty_flags.h ++++ b/include/uapi/linux/tty_flags.h +@@ -39,7 +39,7 @@ + * WARNING: These flags are no longer used and have been superceded by the + * TTY_PORT_ flags in the iflags field (and not userspace-visible) + */ +-#ifndef _KERNEL_ ++#ifndef __KERNEL__ + #define ASYNCB_INITIALIZED 31 /* Serial port was initialized */ + #define ASYNCB_SUSPENDED 30 /* Serial port is suspended */ + #define ASYNCB_NORMAL_ACTIVE 29 /* Normal device is active */ +@@ -81,7 +81,7 @@ + #define ASYNC_SPD_WARP (ASYNC_SPD_HI|ASYNC_SPD_SHI) + #define ASYNC_SPD_MASK (ASYNC_SPD_HI|ASYNC_SPD_VHI|ASYNC_SPD_SHI) + +-#ifndef _KERNEL_ ++#ifndef __KERNEL__ + /* These flags are no longer used (and were always masked from userspace) */ + #define ASYNC_INITIALIZED (1U << ASYNCB_INITIALIZED) + #define ASYNC_NORMAL_ACTIVE (1U << ASYNCB_NORMAL_ACTIVE) +-- +2.30.2 + diff --git a/queue-4.14/tty-fix-return-value-for-unsupported-ioctls.patch b/queue-4.14/tty-fix-return-value-for-unsupported-ioctls.patch new file mode 100644 index 00000000000..af53b19e477 --- /dev/null +++ b/queue-4.14/tty-fix-return-value-for-unsupported-ioctls.patch @@ -0,0 +1,85 @@ +From 2a565c5bc3b691f4b6966e2394a6aa682a595a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 11:52:02 +0200 +Subject: tty: fix return value for unsupported ioctls + +From: Johan Hovold + +[ Upstream commit 1b8b20868a6d64cfe8174a21b25b74367bdf0560 ] + +Drivers should return -ENOTTY ("Inappropriate I/O control operation") +when an ioctl isn't supported, while -EINVAL is used for invalid +arguments. + +Fix up the TIOCMGET, TIOCMSET and TIOCGICOUNT helpers which returned +-EINVAL when a tty driver did not implement the corresponding +operations. + +Note that the TIOCMGET and TIOCMSET helpers predate git and do not get a +corresponding Fixes tag below. + +Fixes: d281da7ff6f7 ("tty: Make tiocgicount a handler") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407095208.31838-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_io.c | 8 ++++---- + include/linux/tty_driver.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index d7e56de19c58..ae3af8debf67 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2424,14 +2424,14 @@ out: + * @p: pointer to result + * + * Obtain the modem status bits from the tty driver if the feature +- * is supported. Return -EINVAL if it is not available. ++ * is supported. Return -ENOTTY if it is not available. + * + * Locking: none (up to the driver) + */ + + static int tty_tiocmget(struct tty_struct *tty, int __user *p) + { +- int retval = -EINVAL; ++ int retval = -ENOTTY; + + if (tty->ops->tiocmget) { + retval = tty->ops->tiocmget(tty); +@@ -2449,7 +2449,7 @@ static int tty_tiocmget(struct tty_struct *tty, int __user *p) + * @p: pointer to desired bits + * + * Set the modem status bits from the tty driver if the feature +- * is supported. Return -EINVAL if it is not available. ++ * is supported. Return -ENOTTY if it is not available. + * + * Locking: none (up to the driver) + */ +@@ -2461,7 +2461,7 @@ static int tty_tiocmset(struct tty_struct *tty, unsigned int cmd, + unsigned int set, clear, val; + + if (tty->ops->tiocmset == NULL) +- return -EINVAL; ++ return -ENOTTY; + + retval = get_user(val, p); + if (retval) +diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h +index 31c2b5b166de..ebca9e4a2fed 100644 +--- a/include/linux/tty_driver.h ++++ b/include/linux/tty_driver.h +@@ -236,7 +236,7 @@ + * + * Called when the device receives a TIOCGICOUNT ioctl. Passed a kernel + * structure to complete. This method is optional and will only be called +- * if provided (otherwise EINVAL will be returned). ++ * if provided (otherwise ENOTTY will be returned). + */ + + #include +-- +2.30.2 + diff --git a/queue-4.14/ttyprintk-add-tty-hangup-callback.patch b/queue-4.14/ttyprintk-add-tty-hangup-callback.patch new file mode 100644 index 00000000000..38b916e6c91 --- /dev/null +++ b/queue-4.14/ttyprintk-add-tty-hangup-callback.patch @@ -0,0 +1,87 @@ +From f2eca4367bd34cb5ed56b0699ee48227fdfd742f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 09:22:22 +0900 +Subject: ttyprintk: Add TTY hangup callback. + +From: Tetsuo Handa + +[ Upstream commit c0070e1e60270f6a1e09442a9ab2335f3eaeaad2 ] + +syzbot is reporting hung task due to flood of + + tty_warn(tty, "%s: tty->count = 1 port count = %d\n", __func__, + port->count); + +message [1], for ioctl(TIOCVHANGUP) prevents tty_port_close() from +decrementing port->count due to tty_hung_up_p() == true. + +---------- +#include +#include +#include +#include +#include + +int main(int argc, char *argv[]) +{ + int i; + int fd[10]; + + for (i = 0; i < 10; i++) + fd[i] = open("/dev/ttyprintk", O_WRONLY); + ioctl(fd[0], TIOCVHANGUP); + for (i = 0; i < 10; i++) + close(fd[i]); + close(open("/dev/ttyprintk", O_WRONLY)); + return 0; +} +---------- + +When TTY hangup happens, port->count needs to be reset via +"struct tty_operations"->hangup callback. + +[1] https://syzkaller.appspot.com/bug?id=39ea6caa479af471183997376dc7e90bc7d64a6a + +Reported-by: syzbot +Reported-by: syzbot +Tested-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 24b4b67d17c308aa ("add ttyprintk driver") +Link: https://lore.kernel.org/r/17e0652d-89b7-c8c0-fb53-e7566ac9add4@i-love.sakura.ne.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/ttyprintk.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/char/ttyprintk.c b/drivers/char/ttyprintk.c +index 774748497ace..e56ac5adb5fc 100644 +--- a/drivers/char/ttyprintk.c ++++ b/drivers/char/ttyprintk.c +@@ -159,12 +159,23 @@ static int tpk_ioctl(struct tty_struct *tty, + return 0; + } + ++/* ++ * TTY operations hangup function. ++ */ ++static void tpk_hangup(struct tty_struct *tty) ++{ ++ struct ttyprintk_port *tpkp = tty->driver_data; ++ ++ tty_port_hangup(&tpkp->port); ++} ++ + static const struct tty_operations ttyprintk_ops = { + .open = tpk_open, + .close = tpk_close, + .write = tpk_write, + .write_room = tpk_write_room, + .ioctl = tpk_ioctl, ++ .hangup = tpk_hangup, + }; + + static const struct tty_port_operations null_ops = { }; +-- +2.30.2 + diff --git a/queue-4.14/usb-cdc-acm-fix-unprivileged-tioccserial.patch b/queue-4.14/usb-cdc-acm-fix-unprivileged-tioccserial.patch new file mode 100644 index 00000000000..93bb99d757a --- /dev/null +++ b/queue-4.14/usb-cdc-acm-fix-unprivileged-tioccserial.patch @@ -0,0 +1,48 @@ +From 883d89df17d0824c9c60ac0d3cd6a9bb8dc8e0ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 15:16:01 +0200 +Subject: USB: cdc-acm: fix unprivileged TIOCCSERIAL + +From: Johan Hovold + +[ Upstream commit dd5619582d60007139f0447382d2839f4f9e339b ] + +TIOCSSERIAL is a horrid, underspecified, legacy interface which for most +serial devices is only useful for setting the close_delay and +closing_wait parameters. + +A non-privileged user has only ever been able to set the since long +deprecated ASYNC_SPD flags and trying to change any other *supported* +feature should result in -EPERM being returned. Setting the current +values for any supported features should return success. + +Fix the cdc-acm implementation which instead indicated that the +TIOCSSERIAL ioctl was not even implemented when a non-privileged user +set the current values. + +Fixes: ba2d8ce9db0a ("cdc-acm: implement TIOCSSERIAL to avoid blocking close(2)") +Acked-by: Oliver Neukum +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210408131602.27956-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/class/cdc-acm.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 22a7f67e70e7..fbf7cb8d34e7 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -999,8 +999,6 @@ static int set_serial_info(struct acm *acm, + if ((new_serial.close_delay != old_close_delay) || + (new_serial.closing_wait != old_closing_wait)) + retval = -EPERM; +- else +- retval = -EOPNOTSUPP; + } else { + acm->port.close_delay = close_delay; + acm->port.closing_wait = closing_wait; +-- +2.30.2 + diff --git a/queue-4.14/usb-gadget-pch_udc-check-for-dma-mapping-error.patch b/queue-4.14/usb-gadget-pch_udc-check-for-dma-mapping-error.patch new file mode 100644 index 00000000000..c176d75cfb7 --- /dev/null +++ b/queue-4.14/usb-gadget-pch_udc-check-for-dma-mapping-error.patch @@ -0,0 +1,39 @@ +From 207442722676c2a8617aebd3dbace7844d3d8fb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Mar 2021 17:36:22 +0200 +Subject: usb: gadget: pch_udc: Check for DMA mapping error + +From: Andy Shevchenko + +[ Upstream commit 4a28d77e359009b846951b06f7c0d8eec8dce298 ] + +DMA mapping might fail, we have to check it with dma_mapping_error(). +Otherwise DMA-API is not happy: + + DMA-API: pch_udc 0000:02:02.4: device driver failed to check map error[device address=0x00000000027ee678] [size=64 bytes] [mapped as single] + +Fixes: abab0c67c061 ("usb: pch_udc: Fixed issue which does not work with g_serial") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210323153626.54908-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/pch_udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c +index 1090b846df38..d165c1f67541 100644 +--- a/drivers/usb/gadget/udc/pch_udc.c ++++ b/drivers/usb/gadget/udc/pch_udc.c +@@ -2977,7 +2977,7 @@ static int init_dma_pools(struct pch_udc_dev *dev) + dev->dma_addr = dma_map_single(&dev->pdev->dev, ep0out_buf, + UDC_EP0OUT_BUFF_SIZE * 4, + DMA_FROM_DEVICE); +- return 0; ++ return dma_mapping_error(&dev->pdev->dev, dev->dma_addr); + } + + static int pch_udc_start(struct usb_gadget *g, +-- +2.30.2 + diff --git a/queue-4.14/usb-gadget-pch_udc-check-if-driver-is-present-before.patch b/queue-4.14/usb-gadget-pch_udc-check-if-driver-is-present-before.patch new file mode 100644 index 00000000000..6ae9e7245be --- /dev/null +++ b/queue-4.14/usb-gadget-pch_udc-check-if-driver-is-present-before.patch @@ -0,0 +1,99 @@ +From 1dffde5574a6059eca0ce57c337fbe9c9c86b79b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Mar 2021 17:36:21 +0200 +Subject: usb: gadget: pch_udc: Check if driver is present before calling + ->setup() + +From: Andy Shevchenko + +[ Upstream commit fbdbbe6d3ee502b3bdeb4f255196bb45003614be ] + +Since we have a separate routine for VBUS sense, the interrupt may occur +before gadget driver is present. Hence, ->setup() call may oops the kernel: + +[ 55.245843] BUG: kernel NULL pointer dereference, address: 00000010 +... +[ 55.245843] EIP: pch_udc_isr.cold+0x162/0x33f +... +[ 55.245843] +[ 55.245843] ? pch_udc_svc_data_out+0x160/0x160 + +Check if driver is present before calling ->setup(). + +Fixes: f646cf94520e ("USB device driver of Topcliff PCH") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210323153626.54908-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/pch_udc.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c +index e9c2f67a8b10..1090b846df38 100644 +--- a/drivers/usb/gadget/udc/pch_udc.c ++++ b/drivers/usb/gadget/udc/pch_udc.c +@@ -2329,6 +2329,21 @@ static void pch_udc_svc_data_out(struct pch_udc_dev *dev, int ep_num) + pch_udc_set_dma(dev, DMA_DIR_RX); + } + ++static int pch_udc_gadget_setup(struct pch_udc_dev *dev) ++ __must_hold(&dev->lock) ++{ ++ int rc; ++ ++ /* In some cases we can get an interrupt before driver gets setup */ ++ if (!dev->driver) ++ return -ESHUTDOWN; ++ ++ spin_unlock(&dev->lock); ++ rc = dev->driver->setup(&dev->gadget, &dev->setup_data); ++ spin_lock(&dev->lock); ++ return rc; ++} ++ + /** + * pch_udc_svc_control_in() - Handle Control IN endpoint interrupts + * @dev: Reference to the device structure +@@ -2400,15 +2415,12 @@ static void pch_udc_svc_control_out(struct pch_udc_dev *dev) + dev->gadget.ep0 = &dev->ep[UDC_EP0IN_IDX].ep; + else /* OUT */ + dev->gadget.ep0 = &ep->ep; +- spin_lock(&dev->lock); + /* If Mass storage Reset */ + if ((dev->setup_data.bRequestType == 0x21) && + (dev->setup_data.bRequest == 0xFF)) + dev->prot_stall = 0; + /* call gadget with setup data received */ +- setup_supported = dev->driver->setup(&dev->gadget, +- &dev->setup_data); +- spin_unlock(&dev->lock); ++ setup_supported = pch_udc_gadget_setup(dev); + + if (dev->setup_data.bRequestType & USB_DIR_IN) { + ep->td_data->status = (ep->td_data->status & +@@ -2656,9 +2668,7 @@ static void pch_udc_svc_intf_interrupt(struct pch_udc_dev *dev) + dev->ep[i].halted = 0; + } + dev->stall = 0; +- spin_unlock(&dev->lock); +- dev->driver->setup(&dev->gadget, &dev->setup_data); +- spin_lock(&dev->lock); ++ pch_udc_gadget_setup(dev); + } + + /** +@@ -2693,9 +2703,7 @@ static void pch_udc_svc_cfg_interrupt(struct pch_udc_dev *dev) + dev->stall = 0; + + /* call gadget zero with setup data received */ +- spin_unlock(&dev->lock); +- dev->driver->setup(&dev->gadget, &dev->setup_data); +- spin_lock(&dev->lock); ++ pch_udc_gadget_setup(dev); + } + + /** +-- +2.30.2 + diff --git a/queue-4.14/usb-gadget-pch_udc-replace-cpu_to_le32-by-lower_32_b.patch b/queue-4.14/usb-gadget-pch_udc-replace-cpu_to_le32-by-lower_32_b.patch new file mode 100644 index 00000000000..c5c8f225d13 --- /dev/null +++ b/queue-4.14/usb-gadget-pch_udc-replace-cpu_to_le32-by-lower_32_b.patch @@ -0,0 +1,42 @@ +From 8d6467653dd584fe5102d8666a0e7ab4964f9a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Mar 2021 17:36:20 +0200 +Subject: usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() + +From: Andy Shevchenko + +[ Upstream commit 91356fed6afd1c83bf0d3df1fc336d54e38f0458 ] + +Either way ~0 will be in the correct byte order, hence +replace cpu_to_le32() by lower_32_bits(). Moreover, +it makes sparse happy, otherwise it complains: + +.../pch_udc.c:1813:27: warning: incorrect type in assignment (different base types) +.../pch_udc.c:1813:27: expected unsigned int [usertype] dataptr +.../pch_udc.c:1813:27: got restricted __le32 [usertype] + +Fixes: f646cf94520e ("USB device driver of Topcliff PCH") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210323153626.54908-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/pch_udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c +index 8d3cbca9f926..e9c2f67a8b10 100644 +--- a/drivers/usb/gadget/udc/pch_udc.c ++++ b/drivers/usb/gadget/udc/pch_udc.c +@@ -1786,7 +1786,7 @@ static struct usb_request *pch_udc_alloc_request(struct usb_ep *usbep, + } + /* prevent from using desc. - set HOST BUSY */ + dma_desc->status |= PCH_UDC_BS_HST_BSY; +- dma_desc->dataptr = cpu_to_le32(DMA_ADDR_INVALID); ++ dma_desc->dataptr = lower_32_bits(DMA_ADDR_INVALID); + req->td_data = dma_desc; + req->td_data_last = dma_desc; + req->chain_len = 1; +-- +2.30.2 + diff --git a/queue-4.14/usb-gadget-r8a66597-add-missing-null-check-on-return.patch b/queue-4.14/usb-gadget-r8a66597-add-missing-null-check-on-return.patch new file mode 100644 index 00000000000..e9c052af291 --- /dev/null +++ b/queue-4.14/usb-gadget-r8a66597-add-missing-null-check-on-return.patch @@ -0,0 +1,39 @@ +From 07ea5444954439c96867627dbea59e05301bea66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 19:45:10 +0100 +Subject: usb: gadget: r8a66597: Add missing null check on return from + platform_get_resource + +From: Colin Ian King + +[ Upstream commit 9c2076090c2815fe7c49676df68dde7e60a9b9fc ] + +The call to platform_get_resource can potentially return a NULL pointer +on failure, so add this check and return -EINVAL if it fails. + +Fixes: c41442474a26 ("usb: gadget: R8A66597 peripheral controller support.") +Signed-off-by: Colin Ian King +Addresses-Coverity: ("Dereference null return") +Link: https://lore.kernel.org/r/20210406184510.433497-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/r8a66597-udc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/udc/r8a66597-udc.c b/drivers/usb/gadget/udc/r8a66597-udc.c +index 84b227ede082..cf92f6aca433 100644 +--- a/drivers/usb/gadget/udc/r8a66597-udc.c ++++ b/drivers/usb/gadget/udc/r8a66597-udc.c +@@ -1855,6 +1855,8 @@ static int r8a66597_probe(struct platform_device *pdev) + return PTR_ERR(reg); + + ires = platform_get_resource(pdev, IORESOURCE_IRQ, 0); ++ if (!ires) ++ return -EINVAL; + irq = ires->start; + irq_trigger = ires->flags & IRQF_TRIGGER_MASK; + +-- +2.30.2 + diff --git a/queue-4.14/usb-gadget-udc-fix-wrong-pointer-passed-to-is_err-an.patch b/queue-4.14/usb-gadget-udc-fix-wrong-pointer-passed-to-is_err-an.patch new file mode 100644 index 00000000000..a5b4e1672b6 --- /dev/null +++ b/queue-4.14/usb-gadget-udc-fix-wrong-pointer-passed-to-is_err-an.patch @@ -0,0 +1,40 @@ +From f7ad9ae3c71e66f49981265960540e005623f5d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 21:01:59 +0800 +Subject: USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() + +From: Yang Yingliang + +[ Upstream commit 2e3d055bf27d70204cae349335a62a4f9b7c165a ] + +IS_ERR() and PTR_ERR() use wrong pointer, it should be +udc->virt_addr, fix it. + +Fixes: 1b9f35adb0ff ("usb: gadget: udc: Add Synopsys UDC Platform driver") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210330130159.1051979-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/snps_udc_plat.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/snps_udc_plat.c b/drivers/usb/gadget/udc/snps_udc_plat.c +index e8a5fdaee37d..204f7acf89a4 100644 +--- a/drivers/usb/gadget/udc/snps_udc_plat.c ++++ b/drivers/usb/gadget/udc/snps_udc_plat.c +@@ -122,8 +122,8 @@ static int udc_plat_probe(struct platform_device *pdev) + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + udc->virt_addr = devm_ioremap_resource(dev, res); +- if (IS_ERR(udc->regs)) +- return PTR_ERR(udc->regs); ++ if (IS_ERR(udc->virt_addr)) ++ return PTR_ERR(udc->virt_addr); + + /* udc csr registers base */ + udc->csr = udc->virt_addr + UDC_CSR_ADDR; +-- +2.30.2 + diff --git a/queue-4.14/usb-typec-tcpci-check-role_control-while-interpretin.patch b/queue-4.14/usb-typec-tcpci-check-role_control-while-interpretin.patch new file mode 100644 index 00000000000..b792dc95273 --- /dev/null +++ b/queue-4.14/usb-typec-tcpci-check-role_control-while-interpretin.patch @@ -0,0 +1,98 @@ +From 7e3b81a243b19eeb352e3d94de2512a651cfb2ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 23:09:31 -0800 +Subject: usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS + +From: Badhri Jagan Sridharan + +[ Upstream commit 19c234a14eafca78e0bc14ffb8be3891096ce147 ] + +While interpreting CC_STATUS, ROLE_CONTROL has to be read to make +sure that CC1/CC2 is not forced presenting Rp/Rd. + +>From the TCPCI spec: + +4.4.5.2 ROLE_CONTROL (Normative): +The TCPM shall write B6 (DRP) = 0b and B3..0 (CC1/CC2) if it wishes +to control the Rp/Rd directly instead of having the TCPC perform +DRP toggling autonomously. When controlling Rp/Rd directly, the +TCPM writes to B3..0 (CC1/CC2) each time it wishes to change the +CC1/CC2 values. This control is used for TCPM-TCPC implementing +Source or Sink only as well as when a connection has been detected +via DRP toggling but the TCPM wishes to attempt Try.Src or Try.Snk. + +Table 4-22. CC_STATUS Register Definition: +If (ROLE_CONTROL.CC1 = Rd) or ConnectResult=1) +00b: SNK.Open (Below maximum vRa) +01b: SNK.Default (Above minimum vRd-Connect) +10b: SNK.Power1.5 (Above minimum vRd-Connect) Detects Rp-1.5A +11b: SNK.Power3.0 (Above minimum vRd-Connect) Detects Rp-3.0A + +If (ROLE_CONTROL.CC2=Rd) or (ConnectResult=1) +00b: SNK.Open (Below maximum vRa) +01b: SNK.Default (Above minimum vRd-Connect) +10b: SNK.Power1.5 (Above minimum vRd-Connect) Detects Rp 1.5A +11b: SNK.Power3.0 (Above minimum vRd-Connect) Detects Rp 3.0A + +Fixes: 74e656d6b0551 ("staging: typec: Type-C Port Controller Interface driver (tcpci)") +Acked-by: Heikki Krogerus +Signed-off-by: Badhri Jagan Sridharan +Link: https://lore.kernel.org/r/20210304070931.1947316-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/typec/tcpci.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/typec/tcpci.c b/drivers/staging/typec/tcpci.c +index df72d8b01e73..39e2aee0b1a3 100644 +--- a/drivers/staging/typec/tcpci.c ++++ b/drivers/staging/typec/tcpci.c +@@ -28,6 +28,15 @@ + + #define PD_RETRY_COUNT 3 + ++#define tcpc_presenting_cc1_rd(reg) \ ++ (!(TCPC_ROLE_CTRL_DRP & (reg)) && \ ++ (((reg) & (TCPC_ROLE_CTRL_CC1_MASK << TCPC_ROLE_CTRL_CC1_SHIFT)) == \ ++ (TCPC_ROLE_CTRL_CC_RD << TCPC_ROLE_CTRL_CC1_SHIFT))) ++#define tcpc_presenting_cc2_rd(reg) \ ++ (!(TCPC_ROLE_CTRL_DRP & (reg)) && \ ++ (((reg) & (TCPC_ROLE_CTRL_CC2_MASK << TCPC_ROLE_CTRL_CC2_SHIFT)) == \ ++ (TCPC_ROLE_CTRL_CC_RD << TCPC_ROLE_CTRL_CC2_SHIFT))) ++ + struct tcpci { + struct device *dev; + struct i2c_client *client; +@@ -149,19 +158,25 @@ static int tcpci_get_cc(struct tcpc_dev *tcpc, + enum typec_cc_status *cc1, enum typec_cc_status *cc2) + { + struct tcpci *tcpci = tcpc_to_tcpci(tcpc); +- unsigned int reg; ++ unsigned int reg, role_control; + int ret; + ++ ret = regmap_read(tcpci->regmap, TCPC_ROLE_CTRL, &role_control); ++ if (ret < 0) ++ return ret; ++ + ret = regmap_read(tcpci->regmap, TCPC_CC_STATUS, ®); + if (ret < 0) + return ret; + + *cc1 = tcpci_to_typec_cc((reg >> TCPC_CC_STATUS_CC1_SHIFT) & + TCPC_CC_STATUS_CC1_MASK, +- reg & TCPC_CC_STATUS_TERM); ++ reg & TCPC_CC_STATUS_TERM || ++ tcpc_presenting_cc1_rd(role_control)); + *cc2 = tcpci_to_typec_cc((reg >> TCPC_CC_STATUS_CC2_SHIFT) & + TCPC_CC_STATUS_CC2_MASK, +- reg & TCPC_CC_STATUS_TERM); ++ reg & TCPC_CC_STATUS_TERM || ++ tcpc_presenting_cc2_rd(role_control)); + + return 0; + } +-- +2.30.2 + diff --git a/queue-4.14/vfio-mdev-do-not-allow-a-mdev_type-to-have-a-null-pa.patch b/queue-4.14/vfio-mdev-do-not-allow-a-mdev_type-to-have-a-null-pa.patch new file mode 100644 index 00000000000..1bb2429a050 --- /dev/null +++ b/queue-4.14/vfio-mdev-do-not-allow-a-mdev_type-to-have-a-null-pa.patch @@ -0,0 +1,56 @@ +From b94093203ab37c9780c85a228db9ce1d3cd8d189 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 16:40:25 -0300 +Subject: vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer + +From: Jason Gunthorpe + +[ Upstream commit b5a1f8921d5040bb788492bf33a66758021e4be5 ] + +There is a small race where the parent is NULL even though the kobj has +already been made visible in sysfs. + +For instance the attribute_group is made visible in sysfs_create_files() +and the mdev_type_attr_show() does: + + ret = attr->show(kobj, type->parent->dev, buf); + +Which will crash on NULL parent. Move the parent setup to before the type +pointer leaves the stack frame. + +Fixes: 7b96953bc640 ("vfio: Mediated device Core driver") +Reviewed-by: Christoph Hellwig +Reviewed-by: Kevin Tian +Reviewed-by: Max Gurtovoy +Reviewed-by: Cornelia Huck +Signed-off-by: Jason Gunthorpe +Message-Id: <2-v2-d36939638fc6+d54-vfio2_jgg@nvidia.com> +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/mdev/mdev_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/mdev/mdev_sysfs.c b/drivers/vfio/mdev/mdev_sysfs.c +index 7e474e41c85e..2dbdefd7b683 100644 +--- a/drivers/vfio/mdev/mdev_sysfs.c ++++ b/drivers/vfio/mdev/mdev_sysfs.c +@@ -108,6 +108,7 @@ struct mdev_type *add_mdev_supported_type(struct mdev_parent *parent, + return ERR_PTR(-ENOMEM); + + type->kobj.kset = parent->mdev_types_kset; ++ type->parent = parent; + + ret = kobject_init_and_add(&type->kobj, &mdev_type_ktype, NULL, + "%s-%s", dev_driver_string(parent->dev), +@@ -135,7 +136,6 @@ struct mdev_type *add_mdev_supported_type(struct mdev_parent *parent, + } + + type->group = group; +- type->parent = parent; + return type; + + attrs_failed: +-- +2.30.2 + diff --git a/queue-4.14/vsock-vmci-log-once-the-failed-queue-pair-allocation.patch b/queue-4.14/vsock-vmci-log-once-the-failed-queue-pair-allocation.patch new file mode 100644 index 00000000000..bacfbc190fb --- /dev/null +++ b/queue-4.14/vsock-vmci-log-once-the-failed-queue-pair-allocation.patch @@ -0,0 +1,50 @@ +From 1f42134d06c2d89d4f80c47b5b99264d846fbeba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Apr 2021 12:44:16 +0200 +Subject: vsock/vmci: log once the failed queue pair allocation + +From: Stefano Garzarella + +[ Upstream commit e16edc99d658cd41c60a44cc14d170697aa3271f ] + +VMCI feature is not supported in conjunction with the vSphere Fault +Tolerance (FT) feature. + +VMware Tools can repeatedly try to create a vsock connection. If FT is +enabled the kernel logs is flooded with the following messages: + + qp_alloc_hypercall result = -20 + Could not attach to queue pair with -20 + +"qp_alloc_hypercall result = -20" was hidden by commit e8266c4c3307 +("VMCI: Stop log spew when qp allocation isn't possible"), but "Could +not attach to queue pair with -20" is still there flooding the log. + +Since the error message can be useful in some cases, print it only once. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Stefano Garzarella +Reviewed-by: Jorgen Hansen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/vmci_transport.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c +index ba4cb18c4b9a..c1da1ce3d36e 100644 +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -585,8 +585,7 @@ vmci_transport_queue_pair_alloc(struct vmci_qp **qpair, + peer, flags, VMCI_NO_PRIVILEGE_FLAGS); + out: + if (err < 0) { +- pr_err("Could not attach to queue pair with %d\n", +- err); ++ pr_err_once("Could not attach to queue pair with %d\n", err); + err = vmci_transport_error_to_vsock_error(err); + } + +-- +2.30.2 + diff --git a/queue-4.14/x86-events-amd-iommu-fix-sysfs-type-mismatch.patch b/queue-4.14/x86-events-amd-iommu-fix-sysfs-type-mismatch.patch new file mode 100644 index 00000000000..fbb0e1650f4 --- /dev/null +++ b/queue-4.14/x86-events-amd-iommu-fix-sysfs-type-mismatch.patch @@ -0,0 +1,55 @@ +From f86e35a1a0979d76e23f976ee21f660c32d916eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 17:11:11 -0700 +Subject: x86/events/amd/iommu: Fix sysfs type mismatch + +From: Nathan Chancellor + +[ Upstream commit de5bc7b425d4c27ae5faa00ea7eb6b9780b9a355 ] + +dev_attr_show() calls _iommu_event_show() via an indirect call but +_iommu_event_show()'s type does not currently match the type of the +show() member in 'struct device_attribute', resulting in a Control Flow +Integrity violation. + +$ cat /sys/devices/amd_iommu_1/events/mem_dte_hit +csource=0x0a + +$ dmesg | grep "CFI failure" +[ 3526.735140] CFI failure (target: _iommu_event_show...): + +Change _iommu_event_show() and 'struct amd_iommu_event_desc' to +'struct device_attribute' so that there is no more CFI violation. + +Fixes: 7be6296fdd75 ("perf/x86/amd: AMD IOMMU Performance Counter PERF uncore PMU implementation") +Signed-off-by: Nathan Chancellor +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20210415001112.3024673-1-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/iommu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/events/amd/iommu.c b/arch/x86/events/amd/iommu.c +index 3641e24fdac5..5a372b8902f4 100644 +--- a/arch/x86/events/amd/iommu.c ++++ b/arch/x86/events/amd/iommu.c +@@ -84,12 +84,12 @@ static struct attribute_group amd_iommu_events_group = { + }; + + struct amd_iommu_event_desc { +- struct kobj_attribute attr; ++ struct device_attribute attr; + const char *event; + }; + +-static ssize_t _iommu_event_show(struct kobject *kobj, +- struct kobj_attribute *attr, char *buf) ++static ssize_t _iommu_event_show(struct device *dev, ++ struct device_attribute *attr, char *buf) + { + struct amd_iommu_event_desc *event = + container_of(attr, struct amd_iommu_event_desc, attr); +-- +2.30.2 + diff --git a/queue-4.14/x86-kprobes-fix-to-check-non-boostable-prefixes-corr.patch b/queue-4.14/x86-kprobes-fix-to-check-non-boostable-prefixes-corr.patch new file mode 100644 index 00000000000..8d475b44465 --- /dev/null +++ b/queue-4.14/x86-kprobes-fix-to-check-non-boostable-prefixes-corr.patch @@ -0,0 +1,73 @@ +From 6eab87b20e2defc90700576cf8cca6689da70b20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 19:08:31 +0900 +Subject: x86/kprobes: Fix to check non boostable prefixes correctly + +From: Masami Hiramatsu + +[ Upstream commit 6dd3b8c9f58816a1354be39559f630cd1bd12159 ] + +There are 2 bugs in the can_boost() function because of using +x86 insn decoder. Since the insn->opcode never has a prefix byte, +it can not find CS override prefix in it. And the insn->attr is +the attribute of the opcode, thus inat_is_address_size_prefix( +insn->attr) always returns false. + +Fix those by checking each prefix bytes with for_each_insn_prefix +loop and getting the correct attribute for each prefix byte. +Also, this removes unlikely, because this is a slow path. + +Fixes: a8d11cd0714f ("kprobes/x86: Consolidate insn decoder users for copying code") +Signed-off-by: Masami Hiramatsu +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/161666691162.1120877.2808435205294352583.stgit@devnote2 +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kprobes/core.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 700d434f5bda..cfd8269ab4cd 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -173,6 +173,8 @@ NOKPROBE_SYMBOL(skip_prefixes); + int can_boost(struct insn *insn, void *addr) + { + kprobe_opcode_t opcode; ++ insn_byte_t prefix; ++ int i; + + if (search_exception_tables((unsigned long)addr)) + return 0; /* Page fault may occur on this address. */ +@@ -185,9 +187,14 @@ int can_boost(struct insn *insn, void *addr) + if (insn->opcode.nbytes != 1) + return 0; + +- /* Can't boost Address-size override prefix */ +- if (unlikely(inat_is_address_size_prefix(insn->attr))) +- return 0; ++ for_each_insn_prefix(insn, i, prefix) { ++ insn_attr_t attr; ++ ++ attr = inat_get_opcode_attribute(prefix); ++ /* Can't boost Address-size override prefix and CS override prefix */ ++ if (prefix == 0x2e || inat_is_address_size_prefix(attr)) ++ return 0; ++ } + + opcode = insn->opcode.bytes[0]; + +@@ -212,8 +219,8 @@ int can_boost(struct insn *insn, void *addr) + /* clear and set flags are boostable */ + return (opcode == 0xf5 || (0xf7 < opcode && opcode < 0xfe)); + default: +- /* CS override prefix and call are not boostable */ +- return (opcode != 0x2e && opcode != 0x9a); ++ /* call is not boostable */ ++ return opcode != 0x9a; + } + } + +-- +2.30.2 + diff --git a/queue-4.14/x86-microcode-check-for-offline-cpus-before-requesti.patch b/queue-4.14/x86-microcode-check-for-offline-cpus-before-requesti.patch new file mode 100644 index 00000000000..b690ee9afea --- /dev/null +++ b/queue-4.14/x86-microcode-check-for-offline-cpus-before-requesti.patch @@ -0,0 +1,90 @@ +From 4aaf6c3705f7ed961b89d0d23553c5956f4a642c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 09:55:15 -0700 +Subject: x86/microcode: Check for offline CPUs before requesting new microcode + +From: Otavio Pontes + +[ Upstream commit 7189b3c11903667808029ec9766a6e96de5012a5 ] + +Currently, the late microcode loading mechanism checks whether any CPUs +are offlined, and, in such a case, aborts the load attempt. + +However, this must be done before the kernel caches new microcode from +the filesystem. Otherwise, when offlined CPUs are onlined later, those +cores are going to be updated through the CPU hotplug notifier callback +with the new microcode, while CPUs previously onine will continue to run +with the older microcode. + +For example: + +Turn off one core (2 threads): + + echo 0 > /sys/devices/system/cpu/cpu3/online + echo 0 > /sys/devices/system/cpu/cpu1/online + +Install the ucode fails because a primary SMT thread is offline: + + cp intel-ucode/06-8e-09 /lib/firmware/intel-ucode/ + echo 1 > /sys/devices/system/cpu/microcode/reload + bash: echo: write error: Invalid argument + +Turn the core back on + + echo 1 > /sys/devices/system/cpu/cpu3/online + echo 1 > /sys/devices/system/cpu/cpu1/online + cat /proc/cpuinfo |grep microcode + microcode : 0x30 + microcode : 0xde + microcode : 0x30 + microcode : 0xde + +The rationale for why the update is aborted when at least one primary +thread is offline is because even if that thread is soft-offlined +and idle, it will still have to participate in broadcasted MCE's +synchronization dance or enter SMM, and in both examples it will execute +instructions so it better have the same microcode revision as the other +cores. + + [ bp: Heavily edit and extend commit message with the reasoning behind all + this. ] + +Fixes: 30ec26da9967 ("x86/microcode: Do not upload microcode if CPUs are offline") +Signed-off-by: Otavio Pontes +Signed-off-by: Borislav Petkov +Reviewed-by: Tony Luck +Acked-by: Ashok Raj +Link: https://lkml.kernel.org/r/20210319165515.9240-2-otavio.pontes@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/microcode/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c +index 93c22e7ee424..51583a5d656d 100644 +--- a/arch/x86/kernel/cpu/microcode/core.c ++++ b/arch/x86/kernel/cpu/microcode/core.c +@@ -627,16 +627,16 @@ static ssize_t reload_store(struct device *dev, + if (val != 1) + return size; + +- tmp_ret = microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev, true); +- if (tmp_ret != UCODE_NEW) +- return size; +- + get_online_cpus(); + + ret = check_online_cpus(); + if (ret) + goto put; + ++ tmp_ret = microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev, true); ++ if (tmp_ret != UCODE_NEW) ++ goto put; ++ + mutex_lock(µcode_mutex); + ret = microcode_reload_late(); + mutex_unlock(µcode_mutex); +-- +2.30.2 + diff --git a/queue-4.14/x86-platform-uv-fix-kexec-build-failure.patch b/queue-4.14/x86-platform-uv-fix-kexec-build-failure.patch new file mode 100644 index 00000000000..93cac258610 --- /dev/null +++ b/queue-4.14/x86-platform-uv-fix-kexec-build-failure.patch @@ -0,0 +1,64 @@ +From f03519978200120a2e787bdf5b8451f11328274d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Apr 2021 09:47:42 +0200 +Subject: x86/platform/uv: Fix !KEXEC build failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ingo Molnar + +[ Upstream commit c2209ea55612efac75de0a58ef5f7394fae7fa0f ] + +When KEXEC is disabled, the UV build fails: + + arch/x86/platform/uv/uv_nmi.c:875:14: error: ‘uv_nmi_kexec_failed’ undeclared (first use in this function) + +Since uv_nmi_kexec_failed is only defined in the KEXEC_CORE #ifdef branch, +this code cannot ever have been build tested: + + if (main) + pr_err("UV: NMI kdump: KEXEC not supported in this kernel\n"); + atomic_set(&uv_nmi_kexec_failed, 1); + +Nor is this use possible in uv_handle_nmi(): + + atomic_set(&uv_nmi_kexec_failed, 0); + +These bugs were introduced in this commit: + + d0a9964e9873: ("x86/platform/uv: Implement simple dump failover if kdump fails") + +Which added the uv_nmi_kexec_failed assignments to !KEXEC code, while making the +definition KEXEC-only - apparently without testing the !KEXEC case. + +Instead of complicating the #ifdef maze, simplify the code by requiring X86_UV +to depend on KEXEC_CORE. This pattern is present in other architectures as well. + +( We'll remove the untested, 7 years old !KEXEC complications from the file in a + separate commit. ) + +Fixes: d0a9964e9873: ("x86/platform/uv: Implement simple dump failover if kdump fails") +Signed-off-by: Ingo Molnar +Cc: Mike Travis +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index c55870ac907e..64edc125c122 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -526,6 +526,7 @@ config X86_UV + depends on X86_EXTENDED_PLATFORM + depends on NUMA + depends on EFI ++ depends on KEXEC_CORE + depends on X86_X2APIC + depends on PCI + ---help--- +-- +2.30.2 +