From: Sasha Levin Date: Fri, 5 Mar 2021 03:36:48 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v4.4.260~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=41b0e7da707134fa29a9561f4640c194b6c928d4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/ath10k-fix-wmi-mgmt-tx-queue-full-due-to-race-condit.patch b/queue-4.14/ath10k-fix-wmi-mgmt-tx-queue-full-due-to-race-condit.patch new file mode 100644 index 00000000000..e38cfe84e07 --- /dev/null +++ b/queue-4.14/ath10k-fix-wmi-mgmt-tx-queue-full-due-to-race-condit.patch @@ -0,0 +1,93 @@ +From ebe6ac396b7a78e9dd066ae3ff0f92e168538fc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Dec 2020 14:34:47 +0800 +Subject: ath10k: fix wmi mgmt tx queue full due to race condition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miaoqing Pan + +[ Upstream commit b55379e343a3472c35f4a1245906db5158cab453 ] + +Failed to transmit wmi management frames: + +[84977.840894] ath10k_snoc a000000.wifi: wmi mgmt tx queue is full +[84977.840913] ath10k_snoc a000000.wifi: failed to transmit packet, dropping: -28 +[84977.840924] ath10k_snoc a000000.wifi: failed to submit frame: -28 +[84977.840932] ath10k_snoc a000000.wifi: failed to transmit frame: -28 + +This issue is caused by race condition between skb_dequeue and +__skb_queue_tail. The queue of ‘wmi_mgmt_tx_queue’ is protected by a +different lock: ar->data_lock vs list->lock, the result is no protection. +So when ath10k_mgmt_over_wmi_tx_work() and ath10k_mac_tx_wmi_mgmt() +running concurrently on different CPUs, there appear to be a rare corner +cases when the queue length is 1, + + CPUx (skb_deuque) CPUy (__skb_queue_tail) + next=list + prev=list + struct sk_buff *skb = skb_peek(list); WRITE_ONCE(newsk->next, next); + WRITE_ONCE(list->qlen, list->qlen - 1);WRITE_ONCE(newsk->prev, prev); + next = skb->next; WRITE_ONCE(next->prev, newsk); + prev = skb->prev; WRITE_ONCE(prev->next, newsk); + skb->next = skb->prev = NULL; list->qlen++; + WRITE_ONCE(next->prev, prev); + WRITE_ONCE(prev->next, next); + +If the instruction ‘next = skb->next’ is executed before +‘WRITE_ONCE(prev->next, newsk)’, newsk will be lost, as CPUx get the +old ‘next’ pointer, but the length is still added by one. The final +result is the length of the queue will reach the maximum value but +the queue is empty. + +So remove ar->data_lock, and use 'skb_queue_tail' instead of +'__skb_queue_tail' to prevent the potential race condition. Also switch +to use skb_queue_len_lockless, in case we queue a few SKBs simultaneously. + +Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.1.c2-00033-QCAHLSWMTPLZ-1 + +Signed-off-by: Miaoqing Pan +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1608618887-8857-1-git-send-email-miaoqing@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index be4420ff52b8..aa5bec5a3676 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3545,23 +3545,16 @@ bool ath10k_mac_tx_frm_has_freq(struct ath10k *ar) + static int ath10k_mac_tx_wmi_mgmt(struct ath10k *ar, struct sk_buff *skb) + { + struct sk_buff_head *q = &ar->wmi_mgmt_tx_queue; +- int ret = 0; +- +- spin_lock_bh(&ar->data_lock); + +- if (skb_queue_len(q) == ATH10K_MAX_NUM_MGMT_PENDING) { ++ if (skb_queue_len_lockless(q) >= ATH10K_MAX_NUM_MGMT_PENDING) { + ath10k_warn(ar, "wmi mgmt tx queue is full\n"); +- ret = -ENOSPC; +- goto unlock; ++ return -ENOSPC; + } + +- __skb_queue_tail(q, skb); ++ skb_queue_tail(q, skb); + ieee80211_queue_work(ar->hw, &ar->wmi_mgmt_tx_work); + +-unlock: +- spin_unlock_bh(&ar->data_lock); +- +- return ret; ++ return 0; + } + + static enum ath10k_mac_tx_path +-- +2.30.1 + diff --git a/queue-4.14/bluetooth-fix-null-pointer-dereference-in-amp_read_l.patch b/queue-4.14/bluetooth-fix-null-pointer-dereference-in-amp_read_l.patch new file mode 100644 index 00000000000..079ae6c2e00 --- /dev/null +++ b/queue-4.14/bluetooth-fix-null-pointer-dereference-in-amp_read_l.patch @@ -0,0 +1,57 @@ +From 24c4bc9f2831e9c2bcd7f7f13c7843a37e8535b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 15:12:30 +0530 +Subject: Bluetooth: Fix null pointer dereference in + amp_read_loc_assoc_final_data + +From: Gopal Tiwari + +[ Upstream commit e8bd76ede155fd54d8c41d045dda43cd3174d506 ] + +kernel panic trace looks like: + + #5 [ffffb9e08698fc80] do_page_fault at ffffffffb666e0d7 + #6 [ffffb9e08698fcb0] page_fault at ffffffffb70010fe + [exception RIP: amp_read_loc_assoc_final_data+63] + RIP: ffffffffc06ab54f RSP: ffffb9e08698fd68 RFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff8c8845a5a000 RCX: 0000000000000004 + RDX: 0000000000000000 RSI: ffff8c8b9153d000 RDI: ffff8c8845a5a000 + RBP: ffffb9e08698fe40 R8: 00000000000330e0 R9: ffffffffc0675c94 + R10: ffffb9e08698fe58 R11: 0000000000000001 R12: ffff8c8b9cbf6200 + R13: 0000000000000000 R14: 0000000000000000 R15: ffff8c8b2026da0b + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #7 [ffffb9e08698fda8] hci_event_packet at ffffffffc0676904 [bluetooth] + #8 [ffffb9e08698fe50] hci_rx_work at ffffffffc06629ac [bluetooth] + #9 [ffffb9e08698fe98] process_one_work at ffffffffb66f95e7 + +hcon->amp_mgr seems NULL triggered kernel panic in following line inside +function amp_read_loc_assoc_final_data + + set_bit(READ_LOC_AMP_ASSOC_FINAL, &mgr->state); + +Fixed by checking NULL for mgr. + +Signed-off-by: Gopal Tiwari +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/amp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c +index ebcab5bbadd7..9f645a1d0202 100644 +--- a/net/bluetooth/amp.c ++++ b/net/bluetooth/amp.c +@@ -305,6 +305,9 @@ void amp_read_loc_assoc_final_data(struct hci_dev *hdev, + struct hci_request req; + int err; + ++ if (!mgr) ++ return; ++ + cp.phy_handle = hcon->handle; + cp.len_so_far = cpu_to_le16(0); + cp.max_len = cpu_to_le16(hdev->amp_assoc_size); +-- +2.30.1 + diff --git a/queue-4.14/f2fs-handle-unallocated-section-and-zone-on-pinned-a.patch b/queue-4.14/f2fs-handle-unallocated-section-and-zone-on-pinned-a.patch new file mode 100644 index 00000000000..66af5b708cd --- /dev/null +++ b/queue-4.14/f2fs-handle-unallocated-section-and-zone-on-pinned-a.patch @@ -0,0 +1,44 @@ +From 10f76064a45cef40110ac6905c377912c8c054a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Dec 2020 11:44:25 -0800 +Subject: f2fs: handle unallocated section and zone on pinned/atgc + +From: Jaegeuk Kim + +[ Upstream commit 632faca72938f9f63049e48a8c438913828ac7a9 ] + +If we have large section/zone, unallocated segment makes them corrupted. + +E.g., + + - Pinned file: -1 119304647 119304647 + - ATGC data: -1 119304647 119304647 + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 0d46e936d54e..00c415131b06 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -91,11 +91,11 @@ + #define BLKS_PER_SEC(sbi) \ + ((sbi)->segs_per_sec * (sbi)->blocks_per_seg) + #define GET_SEC_FROM_SEG(sbi, segno) \ +- ((segno) / (sbi)->segs_per_sec) ++ (((segno) == -1) ? -1: (segno) / (sbi)->segs_per_sec) + #define GET_SEG_FROM_SEC(sbi, secno) \ + ((secno) * (sbi)->segs_per_sec) + #define GET_ZONE_FROM_SEC(sbi, secno) \ +- ((secno) / (sbi)->secs_per_zone) ++ (((secno) == -1) ? -1: (secno) / (sbi)->secs_per_zone) + #define GET_ZONE_FROM_SEG(sbi, segno) \ + GET_ZONE_FROM_SEC(sbi, GET_SEC_FROM_SEG(sbi, segno)) + +-- +2.30.1 + diff --git a/queue-4.14/media-uvcvideo-allow-entities-with-no-pads.patch b/queue-4.14/media-uvcvideo-allow-entities-with-no-pads.patch new file mode 100644 index 00000000000..7ae2e6f250d --- /dev/null +++ b/queue-4.14/media-uvcvideo-allow-entities-with-no-pads.patch @@ -0,0 +1,48 @@ +From 6abf44d8be9623012744aea6a38b056f4e583538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Dec 2020 14:35:19 +0100 +Subject: media: uvcvideo: Allow entities with no pads + +From: Ricardo Ribalda + +[ Upstream commit 7532dad6634031d083df7af606fac655b8d08b5c ] + +Avoid an underflow while calculating the number of inputs for entities +with zero pads. + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 5899593dabaf..aaaee039fb30 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -904,7 +904,10 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id, + unsigned int i; + + extra_size = roundup(extra_size, sizeof(*entity->pads)); +- num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1; ++ if (num_pads) ++ num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1; ++ else ++ num_inputs = 0; + size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads + + num_inputs; + entity = kzalloc(size, GFP_KERNEL); +@@ -920,7 +923,7 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id, + + for (i = 0; i < num_inputs; ++i) + entity->pads[i].flags = MEDIA_PAD_FL_SINK; +- if (!UVC_ENTITY_IS_OTERM(entity)) ++ if (!UVC_ENTITY_IS_OTERM(entity) && num_pads) + entity->pads[num_pads-1].flags = MEDIA_PAD_FL_SOURCE; + + entity->bNrInPins = num_inputs; +-- +2.30.1 + diff --git a/queue-4.14/parisc-bump-64-bit-irq-stack-size-to-64-kb.patch b/queue-4.14/parisc-bump-64-bit-irq-stack-size-to-64-kb.patch new file mode 100644 index 00000000000..2a74e71e4b1 --- /dev/null +++ b/queue-4.14/parisc-bump-64-bit-irq-stack-size-to-64-kb.patch @@ -0,0 +1,41 @@ +From e09b7e51fb157d5c57f003403f512482eb85ec7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 18:12:30 -0500 +Subject: parisc: Bump 64-bit IRQ stack size to 64 KB + +From: John David Anglin + +[ Upstream commit 31680c1d1595a59e17c14ec036b192a95f8e5f4a ] + +Bump 64-bit IRQ stack size to 64 KB. + +I had a kernel IRQ stack overflow on the mx3210 debian buildd machine. This patch increases the +64-bit IRQ stack size to 64 KB. The 64-bit stack size needs to be larger than the 32-bit stack +size since registers are twice as big. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/irq.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c +index 0ca254085a66..c152c30c2d06 100644 +--- a/arch/parisc/kernel/irq.c ++++ b/arch/parisc/kernel/irq.c +@@ -380,7 +380,11 @@ static inline int eirr_to_irq(unsigned long eirr) + /* + * IRQ STACK - used for irq handler + */ ++#ifdef CONFIG_64BIT ++#define IRQ_STACK_SIZE (4096 << 4) /* 64k irq stack size */ ++#else + #define IRQ_STACK_SIZE (4096 << 3) /* 32k irq stack size */ ++#endif + + union irq_stack_union { + unsigned long stack[IRQ_STACK_SIZE/sizeof(unsigned long)]; +-- +2.30.1 + diff --git a/queue-4.14/pktgen-fix-misuse-of-bug_on-in-pktgen_thread_worker.patch b/queue-4.14/pktgen-fix-misuse-of-bug_on-in-pktgen_thread_worker.patch new file mode 100644 index 00000000000..3b1faa122c3 --- /dev/null +++ b/queue-4.14/pktgen-fix-misuse-of-bug_on-in-pktgen_thread_worker.patch @@ -0,0 +1,43 @@ +From 55b7f8173e1ea32e399487d6f2b883707ad9294a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jan 2021 20:42:29 +0800 +Subject: pktgen: fix misuse of BUG_ON() in pktgen_thread_worker() + +From: Di Zhu + +[ Upstream commit 275b1e88cabb34dbcbe99756b67e9939d34a99b6 ] + +pktgen create threads for all online cpus and bond these threads to +relevant cpu repecivtily. when this thread firstly be woken up, it +will compare cpu currently running with the cpu specified at the time +of creation and if the two cpus are not equal, BUG_ON() will take effect +causing panic on the system. +Notice that these threads could be migrated to other cpus before start +running because of the cpu hotplug after these threads have created. so the +BUG_ON() used here seems unreasonable and we can replace it with WARN_ON() +to just printf a warning other than panic the system. + +Signed-off-by: Di Zhu +Link: https://lore.kernel.org/r/20210125124229.19334-1-zhudi21@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/pktgen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index 884afb8e9fc4..b3132f11afeb 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -3555,7 +3555,7 @@ static int pktgen_thread_worker(void *arg) + struct pktgen_dev *pkt_dev = NULL; + int cpu = t->cpu; + +- BUG_ON(smp_processor_id() != cpu); ++ WARN_ON(smp_processor_id() != cpu); + + init_waitqueue_head(&t->queue); + complete(&t->start_done); +-- +2.30.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 50a225e65a0..24632c2f91b 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -16,3 +16,15 @@ net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch mm-hugetlb.c-fix-unnecessary-address-expansion-of-pmd-sharing.patch net-bridge-use-switchdev-for-port-flags-set-through-sysfs-too.patch dt-bindings-net-btusb-dt-fix-s-interrupt-name-interrupt-names.patch +staging-fwserial-fix-error-handling-in-fwserial_crea.patch +x86-reboot-add-zotac-zbox-ci327-nano-pci-reboot-quir.patch +vt-consolemap-do-font-sum-unsigned.patch +wlcore-fix-command-execute-failure-19-for-wl12xx.patch +pktgen-fix-misuse-of-bug_on-in-pktgen_thread_worker.patch +ath10k-fix-wmi-mgmt-tx-queue-full-due-to-race-condit.patch +x86-build-treat-r_386_plt32-relocation-as-r_386_pc32.patch +bluetooth-fix-null-pointer-dereference-in-amp_read_l.patch +staging-most-sound-add-sanity-check-for-function-arg.patch +media-uvcvideo-allow-entities-with-no-pads.patch +f2fs-handle-unallocated-section-and-zone-on-pinned-a.patch +parisc-bump-64-bit-irq-stack-size-to-64-kb.patch diff --git a/queue-4.14/staging-fwserial-fix-error-handling-in-fwserial_crea.patch b/queue-4.14/staging-fwserial-fix-error-handling-in-fwserial_crea.patch new file mode 100644 index 00000000000..573fefe9d5a --- /dev/null +++ b/queue-4.14/staging-fwserial-fix-error-handling-in-fwserial_crea.patch @@ -0,0 +1,45 @@ +From 2ecbd8ed5bef6670c7194d3acddf338bc11b37b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Dec 2020 20:24:35 +0800 +Subject: staging: fwserial: Fix error handling in fwserial_create + +From: Dinghao Liu + +[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ] + +When fw_core_add_address_handler() fails, we need to destroy +the port by tty_port_destroy(). Also we need to unregister +the address handler by fw_core_remove_address_handler() on +failure. + +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao.liu@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/fwserial/fwserial.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/staging/fwserial/fwserial.c b/drivers/staging/fwserial/fwserial.c +index 41a49c8194e5..b19c46bd2557 100644 +--- a/drivers/staging/fwserial/fwserial.c ++++ b/drivers/staging/fwserial/fwserial.c +@@ -2249,6 +2249,7 @@ static int fwserial_create(struct fw_unit *unit) + err = fw_core_add_address_handler(&port->rx_handler, + &fw_high_memory_region); + if (err) { ++ tty_port_destroy(&port->port); + kfree(port); + goto free_ports; + } +@@ -2331,6 +2332,7 @@ unregister_ttys: + + free_ports: + for (--i; i >= 0; --i) { ++ fw_core_remove_address_handler(&serial->ports[i]->rx_handler); + tty_port_destroy(&serial->ports[i]->port); + kfree(serial->ports[i]); + } +-- +2.30.1 + diff --git a/queue-4.14/staging-most-sound-add-sanity-check-for-function-arg.patch b/queue-4.14/staging-most-sound-add-sanity-check-for-function-arg.patch new file mode 100644 index 00000000000..45257c84ce8 --- /dev/null +++ b/queue-4.14/staging-most-sound-add-sanity-check-for-function-arg.patch @@ -0,0 +1,37 @@ +From 34721aac3a02b4714ab47461ebb199c82de04210 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Feb 2021 17:21:05 +0100 +Subject: staging: most: sound: add sanity check for function argument + +From: Christian Gromm + +[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ] + +This patch checks the function parameter 'bytes' before doing the +subtraction to prevent memory corruption. + +Signed-off-by: Christian Gromm +Reported-by: Dan Carpenter +Link: https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gromm@microchip.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/most/aim-sound/sound.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/staging/most/aim-sound/sound.c b/drivers/staging/most/aim-sound/sound.c +index ea1366a44008..e259bf4956ab 100644 +--- a/drivers/staging/most/aim-sound/sound.c ++++ b/drivers/staging/most/aim-sound/sound.c +@@ -92,6 +92,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned int bytes) + { + unsigned int i = 0; + ++ if (bytes < 2) ++ return; + while (i < bytes - 2) { + dest[i] = source[i + 2]; + dest[i + 1] = source[i + 1]; +-- +2.30.1 + diff --git a/queue-4.14/vt-consolemap-do-font-sum-unsigned.patch b/queue-4.14/vt-consolemap-do-font-sum-unsigned.patch new file mode 100644 index 00000000000..758c4e5eb1a --- /dev/null +++ b/queue-4.14/vt-consolemap-do-font-sum-unsigned.patch @@ -0,0 +1,38 @@ +From c4d1facfa06224f1033baa857c2714b96c0b9df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 13:02:34 +0100 +Subject: vt/consolemap: do font sum unsigned + +From: Jiri Slaby + +[ Upstream commit 9777f8e60e718f7b022a94f2524f967d8def1931 ] + +The constant 20 makes the font sum computation signed which can lead to +sign extensions and signed wraps. It's not much of a problem as we build +with -fno-strict-overflow. But if we ever decide not to, be ready, so +switch the constant to unsigned. + +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20210105120239.28031-7-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/consolemap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c +index a5f88cf0f61d..a2c1a02f0407 100644 +--- a/drivers/tty/vt/consolemap.c ++++ b/drivers/tty/vt/consolemap.c +@@ -493,7 +493,7 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) + + p2[unicode & 0x3f] = fontpos; + +- p->sum += (fontpos << 20) + unicode; ++ p->sum += (fontpos << 20U) + unicode; + + return 0; + } +-- +2.30.1 + diff --git a/queue-4.14/wlcore-fix-command-execute-failure-19-for-wl12xx.patch b/queue-4.14/wlcore-fix-command-execute-failure-19-for-wl12xx.patch new file mode 100644 index 00000000000..23aca559d7d --- /dev/null +++ b/queue-4.14/wlcore-fix-command-execute-failure-19-for-wl12xx.patch @@ -0,0 +1,127 @@ +From b84a712bded7049fe473e1e1b254d11f50a515c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 08:56:13 +0200 +Subject: wlcore: Fix command execute failure 19 for wl12xx + +From: Tony Lindgren + +[ Upstream commit cb88d01b67383a095e3f7caeb4cdade5a6cf0417 ] + +We can currently get a "command execute failure 19" error on beacon loss +if the signal is weak: + +wlcore: Beacon loss detected. roles:0xff +wlcore: Connection loss work (role_id: 0). +... +wlcore: ERROR command execute failure 19 +... +WARNING: CPU: 0 PID: 1552 at drivers/net/wireless/ti/wlcore/main.c:803 +... +(wl12xx_queue_recovery_work.part.0 [wlcore]) +(wl12xx_cmd_role_start_sta [wlcore]) +(wl1271_op_bss_info_changed [wlcore]) +(ieee80211_prep_connection [mac80211]) + +Error 19 is defined as CMD_STATUS_WRONG_NESTING from the wlcore firmware, +and seems to mean that the firmware no longer wants to see the quirk +handling for WLCORE_QUIRK_START_STA_FAILS done. + +This quirk got added with commit 18eab430700d ("wlcore: workaround +start_sta problem in wl12xx fw"), and it seems that this already got fixed +in the firmware long time ago back in 2012 as wl18xx never had this quirk +in place to start with. + +As we no longer even support firmware that early, to me it seems that it's +safe to just drop WLCORE_QUIRK_START_STA_FAILS to fix the error. Looks +like earlier firmware got disabled back in 2013 with commit 0e284c074ef9 +("wl12xx: increase minimum singlerole firmware version required"). + +If it turns out we still need WLCORE_QUIRK_START_STA_FAILS with any +firmware that the driver works with, we can simply revert this patch and +add extra checks for firmware version used. + +With this fix wlcore reconnects properly after a beacon loss. + +Cc: Raz Bouganim +Signed-off-by: Tony Lindgren +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210115065613.7731-1-tony@atomide.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl12xx/main.c | 3 --- + drivers/net/wireless/ti/wlcore/main.c | 15 +-------------- + drivers/net/wireless/ti/wlcore/wlcore.h | 3 --- + 3 files changed, 1 insertion(+), 20 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c +index 22009e14a8fc..9bd635ec7827 100644 +--- a/drivers/net/wireless/ti/wl12xx/main.c ++++ b/drivers/net/wireless/ti/wl12xx/main.c +@@ -648,7 +648,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl) + wl->quirks |= WLCORE_QUIRK_LEGACY_NVS | + WLCORE_QUIRK_DUAL_PROBE_TMPL | + WLCORE_QUIRK_TKIP_HEADER_SPACE | +- WLCORE_QUIRK_START_STA_FAILS | + WLCORE_QUIRK_AP_ZERO_SESSION_ID; + wl->sr_fw_name = WL127X_FW_NAME_SINGLE; + wl->mr_fw_name = WL127X_FW_NAME_MULTI; +@@ -672,7 +671,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl) + wl->quirks |= WLCORE_QUIRK_LEGACY_NVS | + WLCORE_QUIRK_DUAL_PROBE_TMPL | + WLCORE_QUIRK_TKIP_HEADER_SPACE | +- WLCORE_QUIRK_START_STA_FAILS | + WLCORE_QUIRK_AP_ZERO_SESSION_ID; + wl->plt_fw_name = WL127X_PLT_FW_NAME; + wl->sr_fw_name = WL127X_FW_NAME_SINGLE; +@@ -701,7 +699,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl) + wl->quirks |= WLCORE_QUIRK_TX_BLOCKSIZE_ALIGN | + WLCORE_QUIRK_DUAL_PROBE_TMPL | + WLCORE_QUIRK_TKIP_HEADER_SPACE | +- WLCORE_QUIRK_START_STA_FAILS | + WLCORE_QUIRK_AP_ZERO_SESSION_ID; + + wlcore_set_min_fw_ver(wl, WL128X_CHIP_VER, +diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c +index eb3a7971c1d3..9f568034deb3 100644 +--- a/drivers/net/wireless/ti/wlcore/main.c ++++ b/drivers/net/wireless/ti/wlcore/main.c +@@ -2832,21 +2832,8 @@ static int wlcore_join(struct wl1271 *wl, struct wl12xx_vif *wlvif) + + if (is_ibss) + ret = wl12xx_cmd_role_start_ibss(wl, wlvif); +- else { +- if (wl->quirks & WLCORE_QUIRK_START_STA_FAILS) { +- /* +- * TODO: this is an ugly workaround for wl12xx fw +- * bug - we are not able to tx/rx after the first +- * start_sta, so make dummy start+stop calls, +- * and then call start_sta again. +- * this should be fixed in the fw. +- */ +- wl12xx_cmd_role_start_sta(wl, wlvif); +- wl12xx_cmd_role_stop_sta(wl, wlvif); +- } +- ++ else + ret = wl12xx_cmd_role_start_sta(wl, wlvif); +- } + + return ret; + } +diff --git a/drivers/net/wireless/ti/wlcore/wlcore.h b/drivers/net/wireless/ti/wlcore/wlcore.h +index 95fbedc8ea34..a75b43f5a6c2 100644 +--- a/drivers/net/wireless/ti/wlcore/wlcore.h ++++ b/drivers/net/wireless/ti/wlcore/wlcore.h +@@ -560,9 +560,6 @@ wlcore_set_min_fw_ver(struct wl1271 *wl, unsigned int chip, + /* Each RX/TX transaction requires an end-of-transaction transfer */ + #define WLCORE_QUIRK_END_OF_TRANSACTION BIT(0) + +-/* the first start_role(sta) sometimes doesn't work on wl12xx */ +-#define WLCORE_QUIRK_START_STA_FAILS BIT(1) +- + /* wl127x and SPI don't support SDIO block size alignment */ + #define WLCORE_QUIRK_TX_BLOCKSIZE_ALIGN BIT(2) + +-- +2.30.1 + diff --git a/queue-4.14/x86-build-treat-r_386_plt32-relocation-as-r_386_pc32.patch b/queue-4.14/x86-build-treat-r_386_plt32-relocation-as-r_386_pc32.patch new file mode 100644 index 00000000000..9229cf901f6 --- /dev/null +++ b/queue-4.14/x86-build-treat-r_386_plt32-relocation-as-r_386_pc32.patch @@ -0,0 +1,111 @@ +From 71eabc361f5a6577aff2af46c60fd0e9041d903b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jan 2021 12:56:00 -0800 +Subject: x86/build: Treat R_386_PLT32 relocation as R_386_PC32 + +From: Fangrui Song + +[ Upstream commit bb73d07148c405c293e576b40af37737faf23a6a ] + +This is similar to commit + + b21ebf2fb4cd ("x86: Treat R_X86_64_PLT32 as R_X86_64_PC32") + +but for i386. As far as the kernel is concerned, R_386_PLT32 can be +treated the same as R_386_PC32. + +R_386_PLT32/R_X86_64_PLT32 are PC-relative relocation types which +can only be used by branches. If the referenced symbol is defined +externally, a PLT will be used. + +R_386_PC32/R_X86_64_PC32 are PC-relative relocation types which can be +used by address taking operations and branches. If the referenced symbol +is defined externally, a copy relocation/canonical PLT entry will be +created in the executable. + +On x86-64, there is no PIC vs non-PIC PLT distinction and an +R_X86_64_PLT32 relocation is produced for both `call/jmp foo` and +`call/jmp foo@PLT` with newer (2018) GNU as/LLVM integrated assembler. +This avoids canonical PLT entries (st_shndx=0, st_value!=0). + +On i386, there are 2 types of PLTs, PIC and non-PIC. Currently, +the GCC/GNU as convention is to use R_386_PC32 for non-PIC PLT and +R_386_PLT32 for PIC PLT. Copy relocations/canonical PLT entries +are possible ABI issues but GCC/GNU as will likely keep the status +quo because (1) the ABI is legacy (2) the change will drop a GNU +ld diagnostic for non-default visibility ifunc in shared objects. + +clang-12 -fno-pic (since [1]) can emit R_386_PLT32 for compiler +generated function declarations, because preventing canonical PLT +entries is weighed over the rare ifunc diagnostic. + +Further info for the more interested: + + https://github.com/ClangBuiltLinux/linux/issues/1210 + https://sourceware.org/bugzilla/show_bug.cgi?id=27169 + https://github.com/llvm/llvm-project/commit/a084c0388e2a59b9556f2de0083333232da3f1d6 [1] + + [ bp: Massage commit message. ] + +Reported-by: Arnd Bergmann +Signed-off-by: Fangrui Song +Signed-off-by: Borislav Petkov +Reviewed-by: Nick Desaulniers +Reviewed-by: Nathan Chancellor +Tested-by: Nick Desaulniers +Tested-by: Nathan Chancellor +Tested-by: Sedat Dilek +Link: https://lkml.kernel.org/r/20210127205600.1227437-1-maskray@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/module.c | 1 + + arch/x86/tools/relocs.c | 12 ++++++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c +index f58336af095c..1ccfe6bb9122 100644 +--- a/arch/x86/kernel/module.c ++++ b/arch/x86/kernel/module.c +@@ -126,6 +126,7 @@ int apply_relocate(Elf32_Shdr *sechdrs, + *location += sym->st_value; + break; + case R_386_PC32: ++ case R_386_PLT32: + /* Add the value, subtract its position */ + *location += sym->st_value - (uint32_t)location; + break; +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c +index 220e97841e49..c58b63178123 100644 +--- a/arch/x86/tools/relocs.c ++++ b/arch/x86/tools/relocs.c +@@ -840,9 +840,11 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym, + case R_386_PC32: + case R_386_PC16: + case R_386_PC8: ++ case R_386_PLT32: + /* +- * NONE can be ignored and PC relative relocations don't +- * need to be adjusted. ++ * NONE can be ignored and PC relative relocations don't need ++ * to be adjusted. Because sym must be defined, R_386_PLT32 can ++ * be treated the same way as R_386_PC32. + */ + break; + +@@ -883,9 +885,11 @@ static int do_reloc_real(struct section *sec, Elf_Rel *rel, Elf_Sym *sym, + case R_386_PC32: + case R_386_PC16: + case R_386_PC8: ++ case R_386_PLT32: + /* +- * NONE can be ignored and PC relative relocations don't +- * need to be adjusted. ++ * NONE can be ignored and PC relative relocations don't need ++ * to be adjusted. Because sym must be defined, R_386_PLT32 can ++ * be treated the same way as R_386_PC32. + */ + break; + +-- +2.30.1 + diff --git a/queue-4.14/x86-reboot-add-zotac-zbox-ci327-nano-pci-reboot-quir.patch b/queue-4.14/x86-reboot-add-zotac-zbox-ci327-nano-pci-reboot-quir.patch new file mode 100644 index 00000000000..8e1523ab95c --- /dev/null +++ b/queue-4.14/x86-reboot-add-zotac-zbox-ci327-nano-pci-reboot-quir.patch @@ -0,0 +1,52 @@ +From df6925d5041a37c5e679a67917a0fffd8cd2b2f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Dec 2020 12:39:57 +0100 +Subject: x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk + +From: Heiner Kallweit + +[ Upstream commit 4b2d8ca9208be636b30e924b1cbcb267b0740c93 ] + +On this system the M.2 PCIe WiFi card isn't detected after reboot, only +after cold boot. reboot=pci fixes this behavior. In [0] the same issue +is described, although on another system and with another Intel WiFi +card. In case it's relevant, both systems have Celeron CPUs. + +Add a PCI reboot quirk on affected systems until a more generic fix is +available. + +[0] https://bugzilla.kernel.org/show_bug.cgi?id=202399 + + [ bp: Massage commit message. ] + +Signed-off-by: Heiner Kallweit +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/1524eafd-f89c-cfa4-ed70-0bde9e45eec9@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/reboot.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index 0d52c9050113..729e288718cc 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -477,6 +477,15 @@ static const struct dmi_system_id reboot_dmi_table[] __initconst = { + }, + }, + ++ { /* PCIe Wifi card isn't detected after reboot otherwise */ ++ .callback = set_pci_reboot, ++ .ident = "Zotac ZBOX CI327 nano", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "NA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ZBOX-CI327NANO-GS-01"), ++ }, ++ }, ++ + /* Sony */ + { /* Handle problems with rebooting on Sony VGN-Z540N */ + .callback = set_bios_reboot, +-- +2.30.1 +