From: Sasha Levin Date: Sat, 8 May 2021 03:21:18 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.4.118~77 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8c3622139a4cf63d41467d0f8ab23fe1f3449b7c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch b/queue-4.14/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch new file mode 100644 index 00000000000..0a24c91170e --- /dev/null +++ b/queue-4.14/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch 
@@ -0,0 +1,48 @@ +From dd1af128b7823d7f3263b1eda488d10fb11cd871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Mar 2021 15:25:21 -0500 +Subject: btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s + +From: Josef Bacik + +[ Upstream commit 7a9213a93546e7eaef90e6e153af6b8fc7553f10 ] + +A few BUG_ON()'s in replace_path are purely to keep us from making +logical mistakes, so replace them with ASSERT()'s. + +Reviewed-by: Qu Wenruo +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/relocation.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index c01239d1f1e6..313547442a6e 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1808,8 +1808,8 @@ int replace_path(struct btrfs_trans_handle *trans, + int ret; + int slot; + +- BUG_ON(src->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID); +- BUG_ON(dest->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID); ++ ASSERT(src->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID); ++ ASSERT(dest->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID); + + last_snapshot = btrfs_root_last_snapshot(&src->root_item); + again: +@@ -1841,7 +1841,7 @@ again: + parent = eb; + while (1) { + level = btrfs_header_level(parent); +- BUG_ON(level < lowest_level); ++ ASSERT(level >= lowest_level); + + ret = btrfs_bin_search(parent, &key, level, &slot); + if (ret && slot > 0) +-- +2.30.2 + diff --git a/queue-4.14/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch b/queue-4.14/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch new file mode 100644 index 00000000000..8f4aae1084a --- /dev/null +++ b/queue-4.14/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch 
@@ -0,0 +1,38 @@ +From 0dd3327566a289559bcbf18a8cc6ecafd30e77bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 18:01:15 +0100 +Subject: clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return + +From: Colin Ian King + +[ Upstream commit 657d4d1934f75a2d978c3cf2086495eaa542e7a9 ] + +There is an error return path that is not kfree'ing socfpga_clk leading +to a memory leak. Fix this by adding in the missing kfree call. + +Addresses-Coverity: ("Resource leak") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20210406170115.430990-1-colin.king@canonical.com +Acked-by: Dinh Nguyen +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/socfpga/clk-gate-a10.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c +index 36376c542055..637e26babf89 100644 +--- a/drivers/clk/socfpga/clk-gate-a10.c ++++ b/drivers/clk/socfpga/clk-gate-a10.c +@@ -157,6 +157,7 @@ static void __init __socfpga_gate_init(struct device_node *node, + if (IS_ERR(socfpga_clk->sys_mgr_base_addr)) { + pr_err("%s: failed to find altr,sys-mgr regmap!\n", + __func__); ++ kfree(socfpga_clk); + return; + } + } +-- +2.30.2 + diff --git a/queue-4.14/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch b/queue-4.14/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch new file mode 100644 index 00000000000..2c808fbb348 --- /dev/null +++ b/queue-4.14/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch 
@@ -0,0 +1,149 @@ +From c792b8c281ce01a20e99ba56d8edc8118517bdd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 21:33:03 +0100 +Subject: crypto: api - check for ERR pointers in crypto_destroy_tfm() + +From: Ard Biesheuvel + +[ Upstream commit 83681f2bebb34dbb3f03fecd8f570308ab8b7c2c ] + +Given that crypto_alloc_tfm() may return ERR pointers, and to avoid +crashes on obscure error paths where such pointers are presented to +crypto_destroy_tfm() (such as [0]), add an ERR_PTR check there +before dereferencing the second argument as a struct crypto_tfm +pointer. + +[0] https://lore.kernel.org/linux-crypto/000000000000de949705bc59e0f6@google.com/ + +Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com +Reviewed-by: Eric Biggers +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/api.c | 2 +- + include/crypto/acompress.h | 2 ++ + include/crypto/aead.h | 2 ++ + include/crypto/akcipher.h | 2 ++ + include/crypto/hash.h | 4 ++++ + include/crypto/kpp.h | 2 ++ + include/crypto/rng.h | 2 ++ + include/crypto/skcipher.h | 2 ++ + 8 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/crypto/api.c b/crypto/api.c +index 187795a6687d..99bd438fa4a4 100644 +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -567,7 +567,7 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm) + { + struct crypto_alg *alg; + +- if (unlikely(!mem)) ++ if (IS_ERR_OR_NULL(mem)) + return; + + alg = tfm->__crt_alg; +diff --git a/include/crypto/acompress.h b/include/crypto/acompress.h +index e328b52425a8..1ff78365607c 100644 +--- a/include/crypto/acompress.h ++++ b/include/crypto/acompress.h +@@ -152,6 +152,8 @@ static inline struct crypto_acomp *crypto_acomp_reqtfm(struct acomp_req *req) + * crypto_free_acomp() -- free ACOMPRESS tfm handle + * + * @tfm: ACOMPRESS tfm handle allocated with crypto_alloc_acomp() ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. 
+ */ + static inline void crypto_free_acomp(struct crypto_acomp *tfm) + { +diff --git a/include/crypto/aead.h b/include/crypto/aead.h +index 03b97629442c..0e257ebf12cc 100644 +--- a/include/crypto/aead.h ++++ b/include/crypto/aead.h +@@ -187,6 +187,8 @@ static inline struct crypto_tfm *crypto_aead_tfm(struct crypto_aead *tfm) + /** + * crypto_free_aead() - zeroize and free aead handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_aead(struct crypto_aead *tfm) + { +diff --git a/include/crypto/akcipher.h b/include/crypto/akcipher.h +index b5e11de4d497..9817f2e5bff8 100644 +--- a/include/crypto/akcipher.h ++++ b/include/crypto/akcipher.h +@@ -174,6 +174,8 @@ static inline struct crypto_akcipher *crypto_akcipher_reqtfm( + * crypto_free_akcipher() - free AKCIPHER tfm handle + * + * @tfm: AKCIPHER tfm handle allocated with crypto_alloc_akcipher() ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_akcipher(struct crypto_akcipher *tfm) + { +diff --git a/include/crypto/hash.h b/include/crypto/hash.h +index 74827781593c..493ed025f0ca 100644 +--- a/include/crypto/hash.h ++++ b/include/crypto/hash.h +@@ -253,6 +253,8 @@ static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm) + /** + * crypto_free_ahash() - zeroize and free the ahash handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_ahash(struct crypto_ahash *tfm) + { +@@ -689,6 +691,8 @@ static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm) + /** + * crypto_free_shash() - zeroize and free the message digest handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. 
+ */ + static inline void crypto_free_shash(struct crypto_shash *tfm) + { +diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h +index 1bde0a6514fa..1a34630fc371 100644 +--- a/include/crypto/kpp.h ++++ b/include/crypto/kpp.h +@@ -159,6 +159,8 @@ static inline void crypto_kpp_set_flags(struct crypto_kpp *tfm, u32 flags) + * crypto_free_kpp() - free KPP tfm handle + * + * @tfm: KPP tfm handle allocated with crypto_alloc_kpp() ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_kpp(struct crypto_kpp *tfm) + { +diff --git a/include/crypto/rng.h b/include/crypto/rng.h +index b95ede354a66..a788c1e5a121 100644 +--- a/include/crypto/rng.h ++++ b/include/crypto/rng.h +@@ -116,6 +116,8 @@ static inline struct rng_alg *crypto_rng_alg(struct crypto_rng *tfm) + /** + * crypto_free_rng() - zeroize and free RNG handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_rng(struct crypto_rng *tfm) + { +diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h +index 562001cb412b..32aca5f4e4f0 100644 +--- a/include/crypto/skcipher.h ++++ b/include/crypto/skcipher.h +@@ -206,6 +206,8 @@ static inline struct crypto_tfm *crypto_skcipher_tfm( + /** + * crypto_free_skcipher() - zeroize and free cipher handle + * @tfm: cipher handle to be freed ++ * ++ * If @tfm is a NULL or error pointer, this function does nothing. + */ + static inline void crypto_free_skcipher(struct crypto_skcipher *tfm) + { +-- +2.30.2 + diff --git a/queue-4.14/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch b/queue-4.14/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch new file mode 100644 index 00000000000..44eae48f0c8 --- /dev/null +++ b/queue-4.14/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch 
@@ -0,0 +1,37 @@ +From f586e767dcc8d68bb531ae557273f33006f7a1ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 10:30:15 -0500 +Subject: drm/amdgpu : Fix asic reset regression issue introduce by + 8f211fe8ac7c4f + +From: shaoyunl + +[ Upstream commit c8941550aa66b2a90f4b32c45d59e8571e33336e ] + +This recent change introduce SDMA interrupt info printing with irq->process function. +These functions do not require a set function to enable/disable the irq + +Signed-off-by: shaoyunl +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +index 538e5f27d120..fb9361590754 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c +@@ -437,7 +437,7 @@ void amdgpu_irq_gpu_reset_resume_helper(struct amdgpu_device *adev) + for (j = 0; j < AMDGPU_MAX_IRQ_SRC_ID; ++j) { + struct amdgpu_irq_src *src = adev->irq.client[i].sources[j]; + +- if (!src) ++ if (!src || !src->funcs || !src->funcs->set) + continue; + for (k = 0; k < src->num_types; k++) + amdgpu_irq_update(adev, src, k); +-- +2.30.2 + diff --git a/queue-4.14/drm-amdgpu-fix-null-pointer-dereference.patch b/queue-4.14/drm-amdgpu-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..43bbd30bbd8 --- /dev/null +++ b/queue-4.14/drm-amdgpu-fix-null-pointer-dereference.patch 
@@ -0,0 +1,60 @@ +From 2634b3fb33d22e80547a6f67c78824964b64384e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 17:52:18 +0800 +Subject: drm/amdgpu: fix NULL pointer dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guchun Chen + +[ Upstream commit 3c3dc654333f6389803cdcaf03912e94173ae510 ] + +ttm->sg needs to be checked before accessing its child member. + +Call Trace: + amdgpu_ttm_backend_destroy+0x12/0x70 [amdgpu] + ttm_bo_cleanup_memtype_use+0x3a/0x60 [ttm] + ttm_bo_release+0x17d/0x300 [ttm] + amdgpu_bo_unref+0x1a/0x30 [amdgpu] + amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x78b/0x8b0 [amdgpu] + kfd_ioctl_alloc_memory_of_gpu+0x118/0x220 [amdgpu] + kfd_ioctl+0x222/0x400 [amdgpu] + ? kfd_dev_is_large_bar+0x90/0x90 [amdgpu] + __x64_sys_ioctl+0x8e/0xd0 + ? __context_tracking_exit+0x52/0x90 + do_syscall_64+0x33/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7f97f264d317 +Code: b3 66 90 48 8b 05 71 4b 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 41 4b 2d 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffdb402c338 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f97f3cc63a0 RCX: 00007f97f264d317 +RDX: 00007ffdb402c380 RSI: 00000000c0284b16 RDI: 0000000000000003 +RBP: 00007ffdb402c380 R08: 00007ffdb402c428 R09: 00000000c4000004 +R10: 00000000c4000004 R11: 0000000000000246 R12: 00000000c0284b16 +R13: 0000000000000003 R14: 00007f97f3cc63a0 R15: 00007f8836200000 + +Signed-off-by: Guchun Chen +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index ae700e445fbc..d057bc29bf4c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -742,7 +742,7 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_tt *ttm) + DMA_BIDIRECTIONAL : DMA_TO_DEVICE; + + /* double check that we don't free the table twice */ +- if (!ttm->sg->sgl) ++ if (!ttm->sg || !ttm->sg->sgl) + return; + + /* free the sg table and pages again */ +-- +2.30.2 + diff --git a/queue-4.14/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch b/queue-4.14/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch new file mode 100644 index 00000000000..225c1041705 --- /dev/null +++ b/queue-4.14/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch 
@@ -0,0 +1,57 @@ +From ce886ca829d3518b47a39ebc4d9cb0d2092f190f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 23:47:24 +0200 +Subject: drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal + +From: Marijn Suijten + +[ Upstream commit 2ad52bdb220de5ab348098e3482b01235d15a842 ] + +Leaving this at a close-to-maximum register value 0xFFF0 means it takes +very long for the MDSS to generate a software vsync interrupt when the +hardware TE interrupt doesn't arrive. Configuring this to double the +vtotal (like some downstream kernels) leads to a frame to take at most +twice before the vsync signal, until hardware TE comes up. + +In this case the hardware interrupt responsible for providing this +signal - "disp-te" gpio - is not hooked up to the mdp5 vsync/pp logic at +all. This solves severe panel update issues observed on at least the +Xperia Loire and Tone series, until said gpio is properly hooked up to +an irq. + +Suggested-by: AngeloGioacchino Del Regno +Signed-off-by: Marijn Suijten +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20210406214726.131534-2-marijn.suijten@somainline.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c +index 60790df91bfa..397e71481129 100644 +--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c ++++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c +@@ -78,9 +78,17 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder, + | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN; + cfg |= MDP5_PP_SYNC_CONFIG_VSYNC_COUNT(vclks_line); + ++ /* ++ * Tearcheck emits a blanking signal every vclks_line * vtotal * 2 ticks on ++ * the vsync_clk equating to roughly half the desired panel refresh rate. 
++ * This is only necessary as stability fallback if interrupts from the ++ * panel arrive too late or not at all, but is currently used by default ++ * because these panel interrupts are not wired up yet. ++ */ + mdp5_write(mdp5_kms, REG_MDP5_PP_SYNC_CONFIG_VSYNC(pp_id), cfg); + mdp5_write(mdp5_kms, +- REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), 0xfff0); ++ REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), (2 * mode->vtotal)); ++ + mdp5_write(mdp5_kms, + REG_MDP5_PP_VSYNC_INIT_VAL(pp_id), mode->vdisplay); + mdp5_write(mdp5_kms, REG_MDP5_PP_RD_PTR_IRQ(pp_id), mode->vdisplay + 1); +-- +2.30.2 + diff --git a/queue-4.14/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch b/queue-4.14/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch new file mode 100644 index 00000000000..dce8e05d663 --- /dev/null +++ b/queue-4.14/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch 
@@ -0,0 +1,96 @@ +From cbb8a5da5c2cdc119c9a70eb7c0fd1eb2f0ad45f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Mar 2021 16:17:56 +0100 +Subject: extcon: arizona: Fix some issues when HPDET IRQ fires after the jack + has been unplugged + +From: Hans de Goede + +[ Upstream commit c309a3e8793f7e01c4a4ec7960658380572cb576 ] + +When the jack is partially inserted and then removed again it may be +removed while the hpdet code is running. In this case the following +may happen: + +1. The "JACKDET rise" or ""JACKDET fall" IRQ triggers +2. arizona_jackdet runs and takes info->lock +3. The "HPDET" IRQ triggers +4. arizona_hpdet_irq runs, blocks on info->lock +5. arizona_jackdet calls arizona_stop_mic() and clears info->hpdet_done +6. arizona_jackdet releases info->lock +7. arizona_hpdet_irq now can continue running and: +7.1 Calls arizona_start_mic() (if a mic was detected) +7.2 sets info->hpdet_done + +Step 7 is undesirable / a bug: +7.1 causes the device to stay in a high power-state (with MICVDD enabled) +7.2 causes hpdet to not run on the next jack insertion, which in turn + causes the EXTCON_JACK_HEADPHONE state to never get set + +This fixes both issues by skipping these 2 steps when arizona_hpdet_irq +runs after the jack has been unplugged. 
+ +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Acked-by: Charles Keepax +Tested-by: Charles Keepax +Acked-by: Chanwoo Choi +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-arizona.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c +index 4937a404fee8..2cfd5db75625 100644 +--- a/drivers/extcon/extcon-arizona.c ++++ b/drivers/extcon/extcon-arizona.c +@@ -602,7 +602,7 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data) + struct arizona *arizona = info->arizona; + int id_gpio = arizona->pdata.hpdet_id_gpio; + unsigned int report = EXTCON_JACK_HEADPHONE; +- int ret, reading; ++ int ret, reading, state; + bool mic = false; + + mutex_lock(&info->lock); +@@ -615,12 +615,11 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data) + } + + /* If the cable was removed while measuring ignore the result */ +- ret = extcon_get_state(info->edev, EXTCON_MECHANICAL); +- if (ret < 0) { +- dev_err(arizona->dev, "Failed to check cable state: %d\n", +- ret); ++ state = extcon_get_state(info->edev, EXTCON_MECHANICAL); ++ if (state < 0) { ++ dev_err(arizona->dev, "Failed to check cable state: %d\n", state); + goto out; +- } else if (!ret) { ++ } else if (!state) { + dev_dbg(arizona->dev, "Ignoring HPDET for removed cable\n"); + goto done; + } +@@ -673,7 +672,7 @@ done: + ARIZONA_ACCDET_MODE_MASK, ARIZONA_ACCDET_MODE_MIC); + + /* If we have a mic then reenable MICDET */ +- if (mic || info->mic) ++ if (state && (mic || info->mic)) + arizona_start_mic(info); + + if (info->hpdet_active) { +@@ -681,7 +680,9 @@ done: + info->hpdet_active = false; + } + +- info->hpdet_done = true; ++ /* Do not set hp_det done when the cable has been unplugged */ ++ if (state) ++ info->hpdet_done = true; + + out: + mutex_unlock(&info->lock); +-- +2.30.2 + 
diff --git a/queue-4.14/intel_th-consistency-and-off-by-one-fix.patch b/queue-4.14/intel_th-consistency-and-off-by-one-fix.patch new file mode 100644 index 00000000000..4aa516944c6 --- /dev/null +++ b/queue-4.14/intel_th-consistency-and-off-by-one-fix.patch @@ -0,0 +1,49 @@ +From 1fec5e9aa9ad2a9a6abbc8c47a2005c96a75edc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Apr 2021 20:12:49 +0300 +Subject: intel_th: Consistency and off-by-one fix + +From: Pavel Machek + +[ Upstream commit 18ffbc47d45a1489b664dd68fb3a7610a6e1dea3 ] + +Consistently use "< ... +1" in for loops. + +Fix of-by-one in for_each_set_bit(). + +Signed-off-by: Pavel Machek +Signed-off-by: Alexander Shishkin +Link: https://lore.kernel.org/lkml/20190724095841.GA6952@amd/ +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210414171251.14672-6-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/intel_th/gth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c +index 2a3ae9006c58..79473ba48d0c 100644 +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -485,7 +485,7 @@ static void intel_th_gth_disable(struct intel_th_device *thdev, + output->active = false; + + for_each_set_bit(master, gth->output[output->port].master, +- TH_CONFIGURABLE_MASTERS) { ++ TH_CONFIGURABLE_MASTERS + 1) { + gth_master_set(gth, master, -1); + } + spin_unlock(>h->gth_lock); +@@ -624,7 +624,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev, + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; +- for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++) ++ for (master = 0; master < TH_CONFIGURABLE_MASTERS + 1; master++) + if (gth->master[master] == port) + gth->master[master] = -1; + spin_unlock(>h->gth_lock); +-- +2.30.2 + 
diff --git a/queue-4.14/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch b/queue-4.14/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch new file mode 100644 index 00000000000..1c2f8bc3626 --- /dev/null +++ b/queue-4.14/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch @@ -0,0 +1,43 @@ +From c46b18a24a98f6a719cff8d8729a092dd52e5e40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:42:46 +0200 +Subject: media: adv7604: fix possible use-after-free in adv76xx_remove() + +From: Yang Yingliang + +[ Upstream commit fa56f5f1fe31c2050675fa63b84963ebd504a5b3 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7604.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c +index 26c3ec573a56..3078d47d090a 100644 +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -3557,7 +3557,7 @@ static int adv76xx_remove(struct i2c_client *client) + io_write(sd, 0x6e, 0); + io_write(sd, 0x73, 0); + +- cancel_delayed_work(&state->delayed_work_enable_hotplug); ++ cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); + v4l2_async_unregister_subdev(sd); + media_entity_cleanup(&sd->entity); + adv76xx_unregister_clients(to_state(sd)); +-- +2.30.2 + 
diff --git a/queue-4.14/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-4.14/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch new file mode 100644 index 00000000000..d8dda060fb3 --- /dev/null +++ b/queue-4.14/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch 
@@ -0,0 +1,83 @@ +From bdc98f2c910744de42c693e8460c3572b303ce81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Mar 2021 21:32:19 +0200 +Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init + +From: Pavel Skripkin + +[ Upstream commit b7cd0da982e3043f2eec7235ac5530cb18d6af1d ] + +syzbot reported memory leak in dvb-usb. The problem was +in invalid error handling in dvb_usb_adapter_init(). + +for (n = 0; n < d->props.num_adapters; n++) { +.... + if ((ret = dvb_usb_adapter_stream_init(adap)) || + (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) || + (ret = dvb_usb_adapter_frontend_init(adap))) { + return ret; + } +... + d->num_adapters_initialized++; +... +} + +In case of error in dvb_usb_adapter_dvb_init() or +dvb_usb_adapter_dvb_init() d->num_adapters_initialized won't be +incremented, but dvb_usb_adapter_exit() relies on it: + + for (n = 0; n < d->num_adapters_initialized; n++) + +So, allocated objects won't be freed. + +Signed-off-by: Pavel Skripkin +Reported-by: syzbot+3c2be7424cea3b932b0e@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dvb-usb-init.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c +index b3413404f91a..690c1e06fbfa 100644 +--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c ++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c +@@ -82,11 +82,17 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) + } + } + +- if ((ret = dvb_usb_adapter_stream_init(adap)) || +- (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) || +- (ret = dvb_usb_adapter_frontend_init(adap))) { ++ ret = dvb_usb_adapter_stream_init(adap); ++ if (ret) + return ret; +- } ++ ++ ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs); ++ if (ret) ++ goto dvb_init_err; ++ ++ ret = dvb_usb_adapter_frontend_init(adap); 
++ if (ret) ++ goto frontend_init_err; + + /* use exclusive FE lock if there is multiple shared FEs */ + if (adap->fe_adap[1].fe) +@@ -106,6 +112,12 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) + } + + return 0; ++ ++frontend_init_err: ++ dvb_usb_adapter_dvb_exit(adap); ++dvb_init_err: ++ dvb_usb_adapter_stream_exit(adap); ++ return ret; + } + + static int dvb_usb_adapter_exit(struct dvb_usb_device *d) +-- +2.30.2 + diff --git a/queue-4.14/media-em28xx-fix-memory-leak.patch b/queue-4.14/media-em28xx-fix-memory-leak.patch new file mode 100644 index 00000000000..f22fedbbc14 --- /dev/null +++ b/queue-4.14/media-em28xx-fix-memory-leak.patch 
@@ -0,0 +1,41 @@ +From 0f301148746d4c40e7aee1c891ce8e487db4322f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Mar 2021 19:07:53 +0100 +Subject: media: em28xx: fix memory leak + +From: Muhammad Usama Anjum + +[ Upstream commit 0ae10a7dc8992ee682ff0b1752ff7c83d472eef1 ] + +If some error occurs, URB buffers should also be freed. If they aren't +freed with the dvb here, the em28xx_dvb_fini call doesn't frees the URB +buffers as dvb is set to NULL. The function in which error occurs should +do all the cleanup for the allocations it had done. + +Tested the patch with the reproducer provided by syzbot. This patch +fixes the memleak. + +Reported-by: syzbot+889397c820fa56adf25d@syzkaller.appspotmail.com +Signed-off-by: Muhammad Usama Anjum +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-dvb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c +index 29cdaaf1ed90..3667373f14d2 100644 +--- a/drivers/media/usb/em28xx/em28xx-dvb.c ++++ b/drivers/media/usb/em28xx/em28xx-dvb.c +@@ -2056,6 +2056,7 @@ ret: + return result; + + out_free: ++ em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE); + kfree(dvb); + dev->dvb = NULL; + goto ret; +-- +2.30.2 + diff --git a/queue-4.14/media-gscpa-stv06xx-fix-memory-leak.patch b/queue-4.14/media-gscpa-stv06xx-fix-memory-leak.patch new file mode 100644 index 00000000000..9d52fccfe14 --- /dev/null +++ b/queue-4.14/media-gscpa-stv06xx-fix-memory-leak.patch 
@@ -0,0 +1,84 @@ +From d81fd818a4ad49e746075626114bb284b0cab57c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Apr 2021 12:31:20 +0200 +Subject: media: gscpa/stv06xx: fix memory leak + +From: Hans Verkuil + +[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ] + +For two of the supported sensors the stv06xx driver allocates memory which +is stored in sd->sensor_priv. This memory is freed on a disconnect, but if +the probe() fails, then it isn't freed and so this leaks memory. + +Add a new probe_error() op that drivers can use to free any allocated +memory in case there was a probe failure. + +Thanks to Pavel Skripkin for discovering the cause +of the memory leak. + +Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/gspca/gspca.c | 2 ++ + drivers/media/usb/gspca/gspca.h | 1 + + drivers/media/usb/gspca/stv06xx/stv06xx.c | 9 +++++++++ + 3 files changed, 12 insertions(+) + +diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c +index 66543518938b..a384d5d83026 100644 +--- a/drivers/media/usb/gspca/gspca.c ++++ b/drivers/media/usb/gspca/gspca.c +@@ -2141,6 +2141,8 @@ out: + #endif + v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); + v4l2_device_unregister(&gspca_dev->v4l2_dev); ++ if (sd_desc->probe_error) ++ sd_desc->probe_error(gspca_dev); + kfree(gspca_dev->usb_buf); + kfree(gspca_dev); + return ret; +diff --git a/drivers/media/usb/gspca/gspca.h b/drivers/media/usb/gspca/gspca.h +index 9e0cf711642b..2550af00d6fb 100644 +--- a/drivers/media/usb/gspca/gspca.h ++++ b/drivers/media/usb/gspca/gspca.h +@@ -102,6 +102,7 @@ struct sd_desc { + cam_cf_op config; /* called on probe */ + cam_op init; /* called on probe and resume */ + cam_op init_controls; /* called on probe */ ++ cam_v_op probe_error; /* called if probe failed, do cleanup here */ + cam_op start; /* called on stream 
on after URBs creation */ + cam_pkt_op pkt_scan; + /* optional operations */ +diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c +index 9caa5ef9d9e0..b14f30a8f3bd 100644 +--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c ++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c +@@ -534,12 +534,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev, + static int stv06xx_config(struct gspca_dev *gspca_dev, + const struct usb_device_id *id); + ++static void stv06xx_probe_error(struct gspca_dev *gspca_dev) ++{ ++ struct sd *sd = (struct sd *)gspca_dev; ++ ++ kfree(sd->sensor_priv); ++ sd->sensor_priv = NULL; ++} ++ + /* sub-driver description */ + static const struct sd_desc sd_desc = { + .name = MODULE_NAME, + .config = stv06xx_config, + .init = stv06xx_init, + .init_controls = stv06xx_init_controls, ++ .probe_error = stv06xx_probe_error, + .start = stv06xx_start, + .stopN = stv06xx_stopN, + .pkt_scan = stv06xx_pkt_scan, +-- +2.30.2 + diff --git a/queue-4.14/media-gspca-sq905.c-fix-uninitialized-variable.patch b/queue-4.14/media-gspca-sq905.c-fix-uninitialized-variable.patch new file mode 100644 index 00000000000..e950a5719f7 --- /dev/null +++ b/queue-4.14/media-gspca-sq905.c-fix-uninitialized-variable.patch 
@@ -0,0 +1,36 @@ +From 3d3298278ccc941ca756550337d3304a8bb39f5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 15:46:40 +0100 +Subject: media: gspca/sq905.c: fix uninitialized variable + +From: Hans Verkuil + +[ Upstream commit eaaea4681984c79d2b2b160387b297477f0c1aab ] + +act_len can be uninitialized if usb_bulk_msg() returns an error. +Set it to 0 to avoid a KMSAN error. + +Signed-off-by: Hans Verkuil +Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/gspca/sq905.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c +index f1da34a10ce8..ec03d18e057f 100644 +--- a/drivers/media/usb/gspca/sq905.c ++++ b/drivers/media/usb/gspca/sq905.c +@@ -167,7 +167,7 @@ static int + sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock) + { + int ret; +- int act_len; ++ int act_len = 0; + + gspca_dev->usb_buf[0] = '\0'; + if (need_lock) +-- +2.30.2 + diff --git a/queue-4.14/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch b/queue-4.14/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch new file mode 100644 index 00000000000..71154e895c6 --- /dev/null +++ b/queue-4.14/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch 
@@ -0,0 +1,44 @@ +From 89f15f52332305f0b9131698655f6507dbb5d408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:48:12 +0200 +Subject: media: i2c: adv7511-v4l2: fix possible use-after-free in + adv7511_remove() + +From: Yang Yingliang + +[ Upstream commit 2c9541720c66899adf6f3600984cf3ef151295ad ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7511-v4l2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c +index ef1144668809..2148a29909e0 100644 +--- a/drivers/media/i2c/adv7511-v4l2.c ++++ b/drivers/media/i2c/adv7511-v4l2.c +@@ -1976,7 +1976,7 @@ static int adv7511_remove(struct i2c_client *client) + + adv7511_set_isr(sd, false); + adv7511_init_setup(sd); +- cancel_delayed_work(&state->edid_handler); ++ cancel_delayed_work_sync(&state->edid_handler); + i2c_unregister_device(state->i2c_edid); + if (state->i2c_cec) + i2c_unregister_device(state->i2c_cec); +-- +2.30.2 + diff --git a/queue-4.14/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch b/queue-4.14/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch new file mode 100644 index 00000000000..c8732bd4f54 --- /dev/null +++ b/queue-4.14/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch 
@@ -0,0 +1,43 @@ +From b969c9852c300dcc8160a9bd2176206cd328e7f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 15:50:53 +0200 +Subject: media: i2c: adv7842: fix possible use-after-free in adv7842_remove() + +From: Yang Yingliang + +[ Upstream commit 4a15275b6a18597079f18241c87511406575179a ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7842.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c +index dcce8d030e5d..c28bf94a7409 100644 +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -3599,7 +3599,7 @@ static int adv7842_remove(struct i2c_client *client) + struct adv7842_state *state = to_state(sd); + + adv7842_irq_enable(sd, false); +- cancel_delayed_work(&state->delayed_work_enable_hotplug); ++ cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); + v4l2_device_unregister_subdev(sd); + media_entity_cleanup(&sd->entity); + adv7842_unregister_clients(sd); +-- +2.30.2 + diff --git a/queue-4.14/media-ite-cir-check-for-receive-overflow.patch b/queue-4.14/media-ite-cir-check-for-receive-overflow.patch new file mode 100644 index 00000000000..1b9a563ced8 --- /dev/null +++ b/queue-4.14/media-ite-cir-check-for-receive-overflow.patch 
@@ -0,0 +1,41 @@ +From be2a47f30e5950d16ba077451116c6aa6bf91295 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Feb 2021 09:08:35 +0100 +Subject: media: ite-cir: check for receive overflow + +From: Sean Young + +[ Upstream commit 28c7afb07ccfc0a939bb06ac1e7afe669901c65a ] + +It's best if this condition is reported. + +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ite-cir.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c +index 65e104c7ddfc..c7eea16225e7 100644 +--- a/drivers/media/rc/ite-cir.c ++++ b/drivers/media/rc/ite-cir.c +@@ -285,8 +285,14 @@ static irqreturn_t ite_cir_isr(int irq, void *data) + /* read the interrupt flags */ + iflags = dev->params.get_irq_causes(dev); + ++ /* Check for RX overflow */ ++ if (iflags & ITE_IRQ_RX_FIFO_OVERRUN) { ++ dev_warn(&dev->rdev->dev, "receive overflow\n"); ++ ir_raw_event_reset(dev->rdev); ++ } ++ + /* check for the receive interrupt */ +- if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) { ++ if (iflags & ITE_IRQ_RX_FIFO) { + /* read the FIFO bytes */ + rx_bytes = + dev->params.get_rx_bytes(dev, rx_buf, +-- +2.30.2 + diff --git a/queue-4.14/media-media-saa7164-fix-saa7164_encoder_register-mem.patch b/queue-4.14/media-media-saa7164-fix-saa7164_encoder_register-mem.patch new file mode 100644 index 00000000000..0e9c8f43b57 --- /dev/null +++ b/queue-4.14/media-media-saa7164-fix-saa7164_encoder_register-mem.patch 
@@ -0,0 +1,87 @@ +From 742334fa7fa21358e20fb60a348cca775d4188ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 03:53:00 +0100 +Subject: media: media/saa7164: fix saa7164_encoder_register() memory leak bugs + +From: Daniel Niv + +[ Upstream commit c759b2970c561e3b56aa030deb13db104262adfe ] + +Add a fix for the memory leak bugs that can occur when the +saa7164_encoder_register() function fails. +The function allocates memory without explicitly freeing +it when errors occur. +Add a better error handling that deallocate the unused buffers before the +function exits during a fail. + +Signed-off-by: Daniel Niv +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7164/saa7164-encoder.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/pci/saa7164/saa7164-encoder.c b/drivers/media/pci/saa7164/saa7164-encoder.c +index f21c245a54f7..c6aeac4db17f 100644 +--- a/drivers/media/pci/saa7164/saa7164-encoder.c ++++ b/drivers/media/pci/saa7164/saa7164-encoder.c +@@ -1024,7 +1024,7 @@ int saa7164_encoder_register(struct saa7164_port *port) + printk(KERN_ERR "%s() failed (errno = %d), NO PCI configuration\n", + __func__, result); + result = -ENOMEM; +- goto failed; ++ goto fail_pci; + } + + /* Establish encoder defaults here */ +@@ -1078,7 +1078,7 @@ int saa7164_encoder_register(struct saa7164_port *port) + 100000, ENCODER_DEF_BITRATE); + if (hdl->error) { + result = hdl->error; +- goto failed; ++ goto fail_hdl; + } + + port->std = V4L2_STD_NTSC_M; +@@ -1096,7 +1096,7 @@ int saa7164_encoder_register(struct saa7164_port *port) + printk(KERN_INFO "%s: can't allocate mpeg device\n", + dev->name); + result = -ENOMEM; +- goto failed; ++ goto fail_hdl; + } + + port->v4l_device->ctrl_handler = hdl; +@@ -1107,10 +1107,7 @@ int saa7164_encoder_register(struct saa7164_port *port) + if (result < 0) { + printk(KERN_INFO "%s: can't register mpeg 
device\n", + dev->name); +- /* TODO: We're going to leak here if we don't dealloc +- The buffers above. The unreg function can't deal wit it. +- */ +- goto failed; ++ goto fail_reg; + } + + printk(KERN_INFO "%s: registered device video%d [mpeg]\n", +@@ -1132,9 +1129,14 @@ int saa7164_encoder_register(struct saa7164_port *port) + + saa7164_api_set_encoder(port); + saa7164_api_get_encoder(port); ++ return 0; + +- result = 0; +-failed: ++fail_reg: ++ video_device_release(port->v4l_device); ++ port->v4l_device = NULL; ++fail_hdl: ++ v4l2_ctrl_handler_free(hdl); ++fail_pci: + return result; + } + +-- +2.30.2 + diff --git a/queue-4.14/media-vivid-update-edid.patch b/queue-4.14/media-vivid-update-edid.patch new file mode 100644 index 00000000000..dcd79f915ec --- /dev/null +++ b/queue-4.14/media-vivid-update-edid.patch 
@@ -0,0 +1,56 @@ +From f259127203ee0a546042bc59432f1a07709cd6eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 08:48:21 +0100 +Subject: media: vivid: update EDID + +From: Hans Verkuil + +[ Upstream commit 443ec4bbc6116f6f492a7a1282bfd8422c862158 ] + +The EDID had a few mistakes as reported by edid-decode: + +Block 1, CTA-861 Extension Block: + Video Data Block: For improved preferred timing interoperability, set 'Native detailed modes' to 1. + Video Capability Data Block: S_PT is equal to S_IT and S_CE, so should be set to 0 instead. + +Fixed those. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vivid/vivid-core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/vivid/vivid-core.c b/drivers/media/platform/vivid/vivid-core.c +index 5f316a5e38db..6754e5fcc4c4 100644 +--- a/drivers/media/platform/vivid/vivid-core.c ++++ b/drivers/media/platform/vivid/vivid-core.c +@@ -186,13 +186,13 @@ static const u8 vivid_hdmi_edid[256] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7b, + +- 0x02, 0x03, 0x3f, 0xf0, 0x51, 0x61, 0x60, 0x5f, ++ 0x02, 0x03, 0x3f, 0xf1, 0x51, 0x61, 0x60, 0x5f, + 0x5e, 0x5d, 0x10, 0x1f, 0x04, 0x13, 0x22, 0x21, + 0x20, 0x05, 0x14, 0x02, 0x11, 0x01, 0x23, 0x09, + 0x07, 0x07, 0x83, 0x01, 0x00, 0x00, 0x6d, 0x03, + 0x0c, 0x00, 0x10, 0x00, 0x00, 0x3c, 0x21, 0x00, + 0x60, 0x01, 0x02, 0x03, 0x67, 0xd8, 0x5d, 0xc4, +- 0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xea, 0xe3, ++ 0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xca, 0xe3, + 0x05, 0x00, 0x00, 0xe3, 0x06, 0x01, 0x00, 0x4d, + 0xd0, 0x00, 0xa0, 0xf0, 0x70, 0x3e, 0x80, 0x30, + 0x20, 0x35, 0x00, 0xc0, 0x1c, 0x32, 0x00, 0x00, +@@ -201,7 +201,7 @@ static const u8 vivid_hdmi_edid[256] = { + 0x00, 0x00, 0x1a, 0x1a, 0x1d, 0x00, 0x80, 0x51, + 0xd0, 0x1c, 0x20, 0x40, 0x80, 0x35, 0x00, 0xc0, + 0x1c, 0x32, 0x00, 0x00, 0x1c, 0x00, 
0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x82, + }; + + static int vidioc_querycap(struct file *file, void *priv, +-- +2.30.2 + diff --git a/queue-4.14/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch b/queue-4.14/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch new file mode 100644 index 00000000000..e03562bd0ef --- /dev/null +++ b/queue-4.14/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch 
@@ -0,0 +1,72 @@ +From d9a6d1e5b117da59d32c3049116abe21dacbf4b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Mar 2021 16:51:40 +0100 +Subject: PCI: PM: Do not read power state in pci_enable_device_flags() + +From: Rafael J. Wysocki + +[ Upstream commit 4514d991d99211f225d83b7e640285f29f0755d0 ] + +It should not be necessary to update the current_state field of +struct pci_dev in pci_enable_device_flags() before calling +do_pci_enable_device() for the device, because none of the +code between that point and the pci_set_power_state() call in +do_pci_enable_device() invoked later depends on it. + +Moreover, doing that is actively harmful in some cases. For example, +if the given PCI device depends on an ACPI power resource whose _STA +method initially returns 0 ("off"), but the config space of the PCI +device is accessible and the power state retrieved from the +PCI_PM_CTRL register is D0, the current_state field in the struct +pci_dev representing that device will get out of sync with the +power.state of its ACPI companion object and that will lead to +power management issues going forward. + +To avoid such issues it is better to leave the current_state value +as is until it is changed to PCI_D0 by do_pci_enable_device() as +appropriate. However, the power state of the device is not changed +to PCI_D0 if it is already enabled when pci_enable_device_flags() +gets called for it, so update its current_state in that case, but +use pci_update_current_state() covering platform PM too for that. + +Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/ +Reported-by: Maximilian Luz +Tested-by: Maximilian Luz +Signed-off-by: Rafael J. 
Wysocki +Reviewed-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index c847b5554db6..1993e5e28ea7 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1378,20 +1378,10 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags) + int err; + int i, bars = 0; + +- /* +- * Power state could be unknown at this point, either due to a fresh +- * boot or a device removal call. So get the current power state +- * so that things like MSI message writing will behave as expected +- * (e.g. if the device really is in D0 at enable time). +- */ +- if (dev->pm_cap) { +- u16 pmcsr; +- pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr); +- dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK); +- } +- +- if (atomic_inc_return(&dev->enable_cnt) > 1) ++ if (atomic_inc_return(&dev->enable_cnt) > 1) { ++ pci_update_current_state(dev, dev->current_state); + return 0; /* already enabled */ ++ } + + bridge = pci_upstream_bridge(dev); + if (bridge) +-- +2.30.2 + diff --git a/queue-4.14/perf-arm_pmu_platform-fix-error-handling.patch b/queue-4.14/perf-arm_pmu_platform-fix-error-handling.patch new file mode 100644 index 00000000000..847ba151edc --- /dev/null +++ b/queue-4.14/perf-arm_pmu_platform-fix-error-handling.patch 
@@ -0,0 +1,36 @@ +From 809632b106d797ea373b7d41cd2171fcc8eb87d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Mar 2021 16:02:41 +0000 +Subject: perf/arm_pmu_platform: Fix error handling + +From: Robin Murphy + +[ Upstream commit e338cb6bef254821a8c095018fd27254d74bfd6a ] + +If we're aborting after failing to register the PMU device, +we probably don't want to leak the IRQs that we've claimed. + +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/53031a607fc8412a60024bfb3bb8cd7141f998f5.1616774562.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm_pmu_platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/arm_pmu_platform.c b/drivers/perf/arm_pmu_platform.c +index 4428852e1da1..bd5af219ca9b 100644 +--- a/drivers/perf/arm_pmu_platform.c ++++ b/drivers/perf/arm_pmu_platform.c +@@ -222,7 +222,7 @@ int arm_pmu_device_probe(struct platform_device *pdev, + + ret = armpmu_register(pmu); + if (ret) +- goto out_free; ++ goto out_free_irqs; + + return 0; + +-- +2.30.2 + diff --git a/queue-4.14/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch b/queue-4.14/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch new file mode 100644 index 00000000000..7f21ab93628 --- /dev/null +++ b/queue-4.14/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch 
@@ -0,0 +1,45 @@ +From 4228f5083174ab5fad3ad4b9d7ddc87eea6e0d43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 17:27:16 +0800 +Subject: phy: phy-twl4030-usb: Fix possible use-after-free in + twl4030_usb_remove() + +From: Yang Yingliang + +[ Upstream commit e1723d8b87b73ab363256e7ca3af3ddb75855680 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210407092716.3270248-1-yangyingliang@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/phy/ti/phy-twl4030-usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c +index c267afb68f07..ea7564392108 100644 +--- a/drivers/phy/ti/phy-twl4030-usb.c ++++ b/drivers/phy/ti/phy-twl4030-usb.c +@@ -801,7 +801,7 @@ static int twl4030_usb_remove(struct platform_device *pdev) + + usb_remove_phy(&twl->phy); + pm_runtime_get_sync(twl->dev); +- cancel_delayed_work(&twl->id_workaround_work); ++ cancel_delayed_work_sync(&twl->id_workaround_work); + device_remove_file(twl->dev, &dev_attr_vbus); + + /* set transceiver mode to power on defaults */ +-- +2.30.2 + diff --git a/queue-4.14/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch b/queue-4.14/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch new file mode 100644 index 00000000000..7d5be62bdef --- /dev/null +++ b/queue-4.14/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch 
@@ -0,0 +1,134 @@ +From 1605681e0b59f42818d15c040a60c9f5ee853315 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Mar 2021 10:54:19 +0100 +Subject: power: supply: bq27xxx: fix power_avg for newer ICs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthias Schiffer + +[ Upstream commit c4d57c22ac65bd503716062a06fad55a01569cac ] + +On all newer bq27xxx ICs, the AveragePower register contains a signed +value; in addition to handling the raw value as unsigned, the driver +code also didn't convert it to µW as expected. + +At least for the BQ28Z610, the reference manual incorrectly states that +the value is in units of 1mW and not 10mW. I have no way of knowing +whether the manuals of other supported ICs contain the same error, or if +there are models that actually use 1mW. At least, the new code shouldn't +be *less* correct than the old version for any device. + +power_avg is removed from the cache structure, se we don't have to +extend it to store both a signed value and an error code. Always getting +an up-to-date value may be desirable anyways, as it avoids inconsistent +current and power readings when switching between charging and +discharging. + +Signed-off-by: Matthias Schiffer +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 51 ++++++++++++++------------ + include/linux/power/bq27xxx_battery.h | 1 - + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index a7d8cadf172c..3e8466064bb2 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1445,27 +1445,6 @@ static int bq27xxx_battery_read_time(struct bq27xxx_device_info *di, u8 reg) + return tval * 60; + } + +-/* +- * Read an average power register. +- * Return < 0 if something fails. 
+- */ +-static int bq27xxx_battery_read_pwr_avg(struct bq27xxx_device_info *di) +-{ +- int tval; +- +- tval = bq27xxx_read(di, BQ27XXX_REG_AP, false); +- if (tval < 0) { +- dev_err(di->dev, "error reading average power register %02x: %d\n", +- BQ27XXX_REG_AP, tval); +- return tval; +- } +- +- if (di->opts & BQ27XXX_O_ZERO) +- return (tval * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS; +- else +- return tval; +-} +- + /* + * Returns true if a battery over temperature condition is detected + */ +@@ -1562,8 +1541,6 @@ void bq27xxx_battery_update(struct bq27xxx_device_info *di) + } + if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR) + cache.cycle_count = bq27xxx_battery_read_cyct(di); +- if (di->regs[BQ27XXX_REG_AP] != INVALID_REG_ADDR) +- cache.power_avg = bq27xxx_battery_read_pwr_avg(di); + + /* We only have to read charge design full once */ + if (di->charge_design_full <= 0) +@@ -1625,6 +1602,32 @@ static int bq27xxx_battery_current(struct bq27xxx_device_info *di, + return 0; + } + ++/* ++ * Get the average power in µW ++ * Return < 0 if something fails. 
++ */ ++static int bq27xxx_battery_pwr_avg(struct bq27xxx_device_info *di, ++ union power_supply_propval *val) ++{ ++ int power; ++ ++ power = bq27xxx_read(di, BQ27XXX_REG_AP, false); ++ if (power < 0) { ++ dev_err(di->dev, ++ "error reading average power register %02x: %d\n", ++ BQ27XXX_REG_AP, power); ++ return power; ++ } ++ ++ if (di->opts & BQ27XXX_O_ZERO) ++ val->intval = (power * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS; ++ else ++ /* Other gauges return a signed value in units of 10mW */ ++ val->intval = (int)((s16)power) * 10000; ++ ++ return 0; ++} ++ + static int bq27xxx_battery_status(struct bq27xxx_device_info *di, + union power_supply_propval *val) + { +@@ -1790,7 +1793,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy, + ret = bq27xxx_simple_value(di->cache.energy, val); + break; + case POWER_SUPPLY_PROP_POWER_AVG: +- ret = bq27xxx_simple_value(di->cache.power_avg, val); ++ ret = bq27xxx_battery_pwr_avg(di, val); + break; + case POWER_SUPPLY_PROP_HEALTH: + ret = bq27xxx_simple_value(di->cache.health, val); +diff --git a/include/linux/power/bq27xxx_battery.h b/include/linux/power/bq27xxx_battery.h +index e6187f524f2c..534a8080c6a3 100644 +--- a/include/linux/power/bq27xxx_battery.h ++++ b/include/linux/power/bq27xxx_battery.h +@@ -47,7 +47,6 @@ struct bq27xxx_reg_cache { + int capacity; + int energy; + int flags; +- int power_avg; + int health; + }; + +-- +2.30.2 + diff --git a/queue-4.14/power-supply-generic-adc-battery-fix-possible-use-af.patch b/queue-4.14/power-supply-generic-adc-battery-fix-possible-use-af.patch new file mode 100644 index 00000000000..0ea3df964fa --- /dev/null +++ b/queue-4.14/power-supply-generic-adc-battery-fix-possible-use-af.patch 
@@ -0,0 +1,43 @@ +From 0a011cbd6f1b7f93400ba7ae7fcf756cc04c840b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 17:17:06 +0800 +Subject: power: supply: generic-adc-battery: fix possible use-after-free in + gab_remove() + +From: Yang Yingliang + +[ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/generic-adc-battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c +index 371b5ec70087..c5bde3c24c31 100644 +--- a/drivers/power/supply/generic-adc-battery.c ++++ b/drivers/power/supply/generic-adc-battery.c +@@ -384,7 +384,7 @@ static int gab_remove(struct platform_device *pdev) + } + + kfree(adc_bat->psy_desc.properties); +- cancel_delayed_work(&adc_bat->bat_work); ++ cancel_delayed_work_sync(&adc_bat->bat_work); + return 0; + } + +-- +2.30.2 + diff --git a/queue-4.14/power-supply-s3c_adc_battery-fix-possible-use-after-.patch b/queue-4.14/power-supply-s3c_adc_battery-fix-possible-use-after-.patch new file mode 100644 index 00000000000..cf5a0789642 --- /dev/null +++ b/queue-4.14/power-supply-s3c_adc_battery-fix-possible-use-after-.patch 
@@ -0,0 +1,44 @@ +From f3020a90a219f5e923d6bbc77710f13bb7636b32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Apr 2021 17:19:03 +0800 +Subject: power: supply: s3c_adc_battery: fix possible use-after-free in + s3c_adc_bat_remove() + +From: Yang Yingliang + +[ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ] + +This driver's remove path calls cancel_delayed_work(). However, that +function does not wait until the work function finishes. This means +that the callback function may still be running after the driver's +remove function has finished, which would result in a use-after-free. + +Fix by calling cancel_delayed_work_sync(), which ensures that +the work is properly cancelled, no longer running, and unable +to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/s3c_adc_battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/s3c_adc_battery.c b/drivers/power/supply/s3c_adc_battery.c +index 0ffe5cd3abf6..06b412c43aa7 100644 +--- a/drivers/power/supply/s3c_adc_battery.c ++++ b/drivers/power/supply/s3c_adc_battery.c +@@ -392,7 +392,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev) + gpio_free(pdata->gpio_charge_finished); + } + +- cancel_delayed_work(&bat_work); ++ cancel_delayed_work_sync(&bat_work); + + if (pdata->exit) + pdata->exit(); +-- +2.30.2 + diff --git a/queue-4.14/power-supply-use-irqf_oneshot.patch b/queue-4.14/power-supply-use-irqf_oneshot.patch new file mode 100644 index 00000000000..4a566e39ad8 --- /dev/null +++ b/queue-4.14/power-supply-use-irqf_oneshot.patch 
@@ -0,0 +1,83 @@ +From 94dc39300c5f305ccc5cd7443e08168844eea944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 19:21:33 +0800 +Subject: power: supply: Use IRQF_ONESHOT + +From: dongjian + +[ Upstream commit 2469b836fa835c67648acad17d62bc805236a6ea ] + +Fixes coccicheck error: + +drivers/power/supply/pm2301_charger.c:1089:7-27: ERROR: +drivers/power/supply/lp8788-charger.c:502:8-28: ERROR: +drivers/power/supply/tps65217_charger.c:239:8-33: ERROR: +drivers/power/supply/tps65090-charger.c:303:8-33: ERROR: + +Threaded IRQ with no primary handler requested without IRQF_ONESHOT + +Signed-off-by: dongjian +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/lp8788-charger.c | 2 +- + drivers/power/supply/pm2301_charger.c | 2 +- + drivers/power/supply/tps65090-charger.c | 2 +- + drivers/power/supply/tps65217_charger.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/power/supply/lp8788-charger.c b/drivers/power/supply/lp8788-charger.c +index b8f7dac7ac3f..6dcabbeccde1 100644 +--- a/drivers/power/supply/lp8788-charger.c ++++ b/drivers/power/supply/lp8788-charger.c +@@ -529,7 +529,7 @@ static int lp8788_set_irqs(struct platform_device *pdev, + + ret = request_threaded_irq(virq, NULL, + lp8788_charger_irq_thread, +- 0, name, pchg); ++ IRQF_ONESHOT, name, pchg); + if (ret) + break; + } +diff --git a/drivers/power/supply/pm2301_charger.c b/drivers/power/supply/pm2301_charger.c +index 78561b6884fc..9ef218d76aa9 100644 +--- a/drivers/power/supply/pm2301_charger.c ++++ b/drivers/power/supply/pm2301_charger.c +@@ -1098,7 +1098,7 @@ static int pm2xxx_wall_charger_probe(struct i2c_client *i2c_client, + ret = request_threaded_irq(gpio_to_irq(pm2->pdata->gpio_irq_number), + NULL, + pm2xxx_charger_irq[0].isr, +- pm2->pdata->irq_type, ++ pm2->pdata->irq_type | IRQF_ONESHOT, + pm2xxx_charger_irq[0].name, pm2); + + if (ret != 0) { +diff --git a/drivers/power/supply/tps65090-charger.c 
b/drivers/power/supply/tps65090-charger.c +index 1b4b5e09538e..297bf58f0d4f 100644 +--- a/drivers/power/supply/tps65090-charger.c ++++ b/drivers/power/supply/tps65090-charger.c +@@ -311,7 +311,7 @@ static int tps65090_charger_probe(struct platform_device *pdev) + + if (irq != -ENXIO) { + ret = devm_request_threaded_irq(&pdev->dev, irq, NULL, +- tps65090_charger_isr, 0, "tps65090-charger", cdata); ++ tps65090_charger_isr, IRQF_ONESHOT, "tps65090-charger", cdata); + if (ret) { + dev_err(cdata->dev, + "Unable to register irq %d err %d\n", irq, +diff --git a/drivers/power/supply/tps65217_charger.c b/drivers/power/supply/tps65217_charger.c +index 1f5234098aaf..7295c1b13f93 100644 +--- a/drivers/power/supply/tps65217_charger.c ++++ b/drivers/power/supply/tps65217_charger.c +@@ -250,7 +250,7 @@ static int tps65217_charger_probe(struct platform_device *pdev) + for (i = 0; i < NUM_CHARGER_IRQS; i++) { + ret = devm_request_threaded_irq(&pdev->dev, irq[i], NULL, + tps65217_charger_irq, +- 0, "tps65217-charger", ++ IRQF_ONESHOT, "tps65217-charger", + charger); + if (ret) { + dev_err(charger->dev, +-- +2.30.2 + diff --git a/queue-4.14/scsi-libfc-fix-a-format-specifier.patch b/queue-4.14/scsi-libfc-fix-a-format-specifier.patch new file mode 100644 index 00000000000..789781e94d0 --- /dev/null +++ b/queue-4.14/scsi-libfc-fix-a-format-specifier.patch 
@@ -0,0 +1,45 @@ +From 37af80b41cc2ea770294371937ef17c39c3ecfa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 15:08:13 -0700 +Subject: scsi: libfc: Fix a format specifier + +From: Bart Van Assche + +[ Upstream commit 90d6697810f06aceea9de71ad836a8c7669789cd ] + +Since the 'mfs' member has been declared as 'u32' in include/scsi/libfc.h, +use the %u format specifier instead of %hu. This patch fixes the following +clang compiler warning: + +warning: format specifies type + 'unsigned short' but the argument has type 'u32' (aka 'unsigned int') + [-Wformat] + "lport->mfs:%hu\n", mfs, lport->mfs); + ~~~ ^~~~~~~~~~ + %u + +Link: https://lore.kernel.org/r/20210415220826.29438-8-bvanassche@acm.org +Cc: Hannes Reinecke +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_lport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c +index ca7967e390f1..5c0aa2c5fd55 100644 +--- a/drivers/scsi/libfc/fc_lport.c ++++ b/drivers/scsi/libfc/fc_lport.c +@@ -1754,7 +1754,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp, + + if (mfs < FC_SP_MIN_MAX_PAYLOAD || mfs > FC_SP_MAX_MAX_PAYLOAD) { + FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, " +- "lport->mfs:%hu\n", mfs, lport->mfs); ++ "lport->mfs:%u\n", mfs, lport->mfs); + fc_lport_error(lport, fp); + goto out; + } +-- +2.30.2 + diff --git a/queue-4.14/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch b/queue-4.14/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch new file mode 100644 index 00000000000..3df3d02d426 --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch 
@@ -0,0 +1,60 @@ +From 2adbcd769bfd3d413da5b1f6915bd716dff8c63e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Apr 2021 18:31:13 -0700 +Subject: scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO + response + +From: James Smart + +[ Upstream commit fffd18ec6579c2d9c72b212169259062fe747888 ] + +Fix a crash caused by a double put on the node when the driver completed an +ACC for an unsolicted abort on the same node. The second put was executed +by lpfc_nlp_not_used() and is wrong because the completion routine executes +the nlp_put when the iocbq was released. Additionally, the driver is +issuing a LOGO then immediately calls lpfc_nlp_set_state to put the node +into NPR. This call does nothing. + +Remove the lpfc_nlp_not_used call and additional set_state in the +completion routine. Remove the lpfc_nlp_set_state post issue_logo. Isn't +necessary. + +Link: https://lore.kernel.org/r/20210412013127.2387-3-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 2 -- + drivers/scsi/lpfc/lpfc_sli.c | 1 - + 2 files changed, 3 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 40c6d6eacea9..da6685700b04 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -1707,8 +1707,6 @@ lpfc_cmpl_reglogin_reglogin_issue(struct lpfc_vport *vport, + ndlp->nlp_last_elscmd = ELS_CMD_PLOGI; + + lpfc_issue_els_logo(vport, ndlp, 0); +- ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE; +- lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE); + return ndlp->nlp_state; + } + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 45445dafc80c..27578816d852 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -16637,7 +16637,6 @@ lpfc_sli4_seq_abort_rsp_cmpl(struct lpfc_hba *phba, + if (cmd_iocbq) { + ndlp = (struct lpfc_nodelist *)cmd_iocbq->context1; + lpfc_nlp_put(ndlp); +- lpfc_nlp_not_used(ndlp); + lpfc_sli_release_iocbq(phba, cmd_iocbq); + } + +-- +2.30.2 + diff --git a/queue-4.14/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch b/queue-4.14/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch new file mode 100644 index 00000000000..f36a1320002 --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch 
@@ -0,0 +1,41 @@ +From ea8fadb6cd776f0c1613cb08d7146871d05c34af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 09:18:00 -0800 +Subject: scsi: lpfc: Fix incorrect dbde assignment when building target abts + wqe + +From: James Smart + +[ Upstream commit 9302154c07bff4e7f7f43c506a1ac84540303d06 ] + +The wqe_dbde field indicates whether a Data BDE is present in Words 0:2 and +should therefore should be clear in the abts request wqe. By setting the +bit we can be misleading fw into error cases. + +Clear the wqe_dbde field. + +Link: https://lore.kernel.org/r/20210301171821.3427-2-jsmart2021@gmail.com +Co-developed-by: Dick Kennedy +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nvmet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c +index eacdcb931bda..fa0d0d15e82c 100644 +--- a/drivers/scsi/lpfc/lpfc_nvmet.c ++++ b/drivers/scsi/lpfc/lpfc_nvmet.c +@@ -2554,7 +2554,6 @@ lpfc_nvmet_unsol_issue_abort(struct lpfc_hba *phba, + bf_set(wqe_rcvoxid, &wqe_abts->xmit_sequence.wqe_com, xri); + + /* Word 10 */ +- bf_set(wqe_dbde, &wqe_abts->xmit_sequence.wqe_com, 1); + bf_set(wqe_iod, &wqe_abts->xmit_sequence.wqe_com, LPFC_WQE_IOD_WRITE); + bf_set(wqe_lenloc, &wqe_abts->xmit_sequence.wqe_com, + LPFC_WQE_LENLOC_WORD12); +-- +2.30.2 + diff --git a/queue-4.14/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch b/queue-4.14/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch new file mode 100644 index 00000000000..1384ee82168 --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch 
@@ -0,0 +1,50 @@ +From 017429a91e30c1016d1c9b277397936c1586f9e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 09:18:06 -0800 +Subject: scsi: lpfc: Fix pt2pt connection does not recover after LOGO + +From: James Smart + +[ Upstream commit bd4f5100424d17d4e560d6653902ef8e49b2fc1f ] + +On a pt2pt setup, between 2 initiators, if one side issues a a LOGO, there +is no relogin attempt. The FC specs are grey in this area on which port +(higher wwn or not) is to re-login. + +As there is no spec guidance, unconditionally re-PLOGI after the logout to +ensure a login is re-established. + +Link: https://lore.kernel.org/r/20210301171821.3427-8-jsmart2021@gmail.com +Co-developed-by: Dick Kennedy +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 96411754aa43..40c6d6eacea9 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -708,9 +708,14 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + } + } else if ((!(ndlp->nlp_type & NLP_FABRIC) && + ((ndlp->nlp_type & NLP_FCP_TARGET) || +- !(ndlp->nlp_type & NLP_FCP_INITIATOR))) || ++ (ndlp->nlp_type & NLP_NVME_TARGET) || ++ (vport->fc_flag & FC_PT2PT))) || + (ndlp->nlp_state == NLP_STE_ADISC_ISSUE)) { +- /* Only try to re-login if this is NOT a Fabric Node */ ++ /* Only try to re-login if this is NOT a Fabric Node ++ * AND the remote NPORT is a FCP/NVME Target or we ++ * are in pt2pt mode. NLP_STE_ADISC_ISSUE is a special ++ * case for LOGO as a response to ADISC behavior. ++ */ + mod_timer(&ndlp->nlp_delayfunc, + jiffies + msecs_to_jiffies(1000 * 1)); + spin_lock_irq(shost->host_lock); +-- +2.30.2 + 
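Review bot: In the lpfc_nportdisc.c hunk of the REG_RPI/LOGO crash fix (lpfc_cmpl_reglogin_reglogin_issue), the result of `lpfc_issue_els_logo(vport, ndlp, 0);` is discarded, and with the `lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);` call gone the function now returns whatever `ndlp->nlp_state` already held. The changelog says the set_state call "does nothing" but does not cover the removed `ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE;` assignment, nor what state the node is left in if the LOGO cannot be issued. Add a sentence on both, or check the return value here.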
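Review bot: In lpfc_nvmet_unsol_issue_abort() (the lpfc_nvmet.c hunk of the dbde fix), deleting `bf_set(wqe_dbde, &wqe_abts->xmit_sequence.wqe_com, 1);` leaves the bit clear only if the WQE was zeroed before the Word 10 fields are filled in, and that initialisation is not in the visible context. Since the changelog says "Clear the wqe_dbde field", either name the zeroing that guarantees it or set the field to 0 explicitly with bf_set(), so a reused WQE cannot carry a stale bit to firmware.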
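Review bot: In lpfc_rcv_logo() (the pt2pt re-login fix), the new condition drops the `!(ndlp->nlp_type & NLP_FCP_INITIATOR)` term, which the changelog does not mention. A non-fabric node with neither NLP_FCP_TARGET nor NLP_FCP_INITIATOR set used to get the delayed re-login and now gets it only if it is an NVME target or the vport has FC_PT2PT set. If that narrowing is intended, say so in the commit message next to the pt2pt rationale; if not, keep the old term alongside the two new ones. The NLP_NVME_TARGET addition also deserves a line in the changelog.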
diff --git a/queue-4.14/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch b/queue-4.14/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch new file mode 100644 index 00000000000..6558988eb4c --- /dev/null +++ b/queue-4.14/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch 
@@ -0,0 +1,431 @@ +From e0c86ba69c872cb975fb728f33d241610d801d09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Apr 2021 18:31:22 -0700 +Subject: scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic + +From: James Smart + +[ Upstream commit b62232ba8caccaf1954e197058104a6478fac1af ] + +SLI-4 does not contain a PORT_CAPABILITIES mailbox command (only SLI-3 +does, and SLI-3 doesn't use it), yet there are SLI-4 code paths that have +code to issue the command. The command will always fail. + +Remove the code for the mailbox command and leave only the resulting +"failure path" logic. + +Link: https://lore.kernel.org/r/20210412013127.2387-12-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_crtn.h | 3 - + drivers/scsi/lpfc/lpfc_hw4.h | 174 +--------------------------------- + drivers/scsi/lpfc/lpfc_init.c | 103 +------------------- + drivers/scsi/lpfc/lpfc_mbox.c | 36 ------- + 4 files changed, 3 insertions(+), 313 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h +index 7e300734b345..697e87a25f38 100644 +--- a/drivers/scsi/lpfc/lpfc_crtn.h ++++ b/drivers/scsi/lpfc/lpfc_crtn.h +@@ -56,9 +56,6 @@ void lpfc_register_new_vport(struct lpfc_hba *, struct lpfc_vport *, + void lpfc_unreg_vpi(struct lpfc_hba *, uint16_t, LPFC_MBOXQ_t *); + void lpfc_init_link(struct lpfc_hba *, LPFC_MBOXQ_t *, uint32_t, uint32_t); + void lpfc_request_features(struct lpfc_hba *, struct lpfcMboxq *); +-void lpfc_supported_pages(struct lpfcMboxq *); +-void lpfc_pc_sli4_params(struct lpfcMboxq *); +-int lpfc_pc_sli4_params_get(struct lpfc_hba *, LPFC_MBOXQ_t *); + int lpfc_sli4_mbox_rsrc_extent(struct lpfc_hba *, struct lpfcMboxq *, + uint16_t, uint16_t, bool); + int lpfc_get_sli4_parameters(struct lpfc_hba *, LPFC_MBOXQ_t *); +diff --git a/drivers/scsi/lpfc/lpfc_hw4.h 
b/drivers/scsi/lpfc/lpfc_hw4.h +index 2b145966c73f..f44cdc0153a5 100644 +--- a/drivers/scsi/lpfc/lpfc_hw4.h ++++ b/drivers/scsi/lpfc/lpfc_hw4.h +@@ -121,6 +121,7 @@ struct lpfc_sli_intf { + /* Define SLI4 Alignment requirements. */ + #define LPFC_ALIGN_16_BYTE 16 + #define LPFC_ALIGN_64_BYTE 64 ++#define SLI4_PAGE_SIZE 4096 + + /* Define SLI4 specific definitions. */ + #define LPFC_MQ_CQE_BYTE_OFFSET 256 +@@ -2788,62 +2789,6 @@ struct lpfc_mbx_request_features { + #define lpfc_mbx_rq_ftr_rsp_mrqp_WORD word3 + }; + +-struct lpfc_mbx_supp_pages { +- uint32_t word1; +-#define qs_SHIFT 0 +-#define qs_MASK 0x00000001 +-#define qs_WORD word1 +-#define wr_SHIFT 1 +-#define wr_MASK 0x00000001 +-#define wr_WORD word1 +-#define pf_SHIFT 8 +-#define pf_MASK 0x000000ff +-#define pf_WORD word1 +-#define cpn_SHIFT 16 +-#define cpn_MASK 0x000000ff +-#define cpn_WORD word1 +- uint32_t word2; +-#define list_offset_SHIFT 0 +-#define list_offset_MASK 0x000000ff +-#define list_offset_WORD word2 +-#define next_offset_SHIFT 8 +-#define next_offset_MASK 0x000000ff +-#define next_offset_WORD word2 +-#define elem_cnt_SHIFT 16 +-#define elem_cnt_MASK 0x000000ff +-#define elem_cnt_WORD word2 +- uint32_t word3; +-#define pn_0_SHIFT 24 +-#define pn_0_MASK 0x000000ff +-#define pn_0_WORD word3 +-#define pn_1_SHIFT 16 +-#define pn_1_MASK 0x000000ff +-#define pn_1_WORD word3 +-#define pn_2_SHIFT 8 +-#define pn_2_MASK 0x000000ff +-#define pn_2_WORD word3 +-#define pn_3_SHIFT 0 +-#define pn_3_MASK 0x000000ff +-#define pn_3_WORD word3 +- uint32_t word4; +-#define pn_4_SHIFT 24 +-#define pn_4_MASK 0x000000ff +-#define pn_4_WORD word4 +-#define pn_5_SHIFT 16 +-#define pn_5_MASK 0x000000ff +-#define pn_5_WORD word4 +-#define pn_6_SHIFT 8 +-#define pn_6_MASK 0x000000ff +-#define pn_6_WORD word4 +-#define pn_7_SHIFT 0 +-#define pn_7_MASK 0x000000ff +-#define pn_7_WORD word4 +- uint32_t rsvd[27]; +-#define LPFC_SUPP_PAGES 0 +-#define LPFC_BLOCK_GUARD_PROFILES 1 +-#define LPFC_SLI4_PARAMETERS 2 +-}; +- + 
struct lpfc_mbx_memory_dump_type3 { + uint32_t word1; + #define lpfc_mbx_memory_dump_type3_type_SHIFT 0 +@@ -3060,121 +3005,6 @@ struct user_eeprom { + uint8_t reserved191[57]; + }; + +-struct lpfc_mbx_pc_sli4_params { +- uint32_t word1; +-#define qs_SHIFT 0 +-#define qs_MASK 0x00000001 +-#define qs_WORD word1 +-#define wr_SHIFT 1 +-#define wr_MASK 0x00000001 +-#define wr_WORD word1 +-#define pf_SHIFT 8 +-#define pf_MASK 0x000000ff +-#define pf_WORD word1 +-#define cpn_SHIFT 16 +-#define cpn_MASK 0x000000ff +-#define cpn_WORD word1 +- uint32_t word2; +-#define if_type_SHIFT 0 +-#define if_type_MASK 0x00000007 +-#define if_type_WORD word2 +-#define sli_rev_SHIFT 4 +-#define sli_rev_MASK 0x0000000f +-#define sli_rev_WORD word2 +-#define sli_family_SHIFT 8 +-#define sli_family_MASK 0x000000ff +-#define sli_family_WORD word2 +-#define featurelevel_1_SHIFT 16 +-#define featurelevel_1_MASK 0x000000ff +-#define featurelevel_1_WORD word2 +-#define featurelevel_2_SHIFT 24 +-#define featurelevel_2_MASK 0x0000001f +-#define featurelevel_2_WORD word2 +- uint32_t word3; +-#define fcoe_SHIFT 0 +-#define fcoe_MASK 0x00000001 +-#define fcoe_WORD word3 +-#define fc_SHIFT 1 +-#define fc_MASK 0x00000001 +-#define fc_WORD word3 +-#define nic_SHIFT 2 +-#define nic_MASK 0x00000001 +-#define nic_WORD word3 +-#define iscsi_SHIFT 3 +-#define iscsi_MASK 0x00000001 +-#define iscsi_WORD word3 +-#define rdma_SHIFT 4 +-#define rdma_MASK 0x00000001 +-#define rdma_WORD word3 +- uint32_t sge_supp_len; +-#define SLI4_PAGE_SIZE 4096 +- uint32_t word5; +-#define if_page_sz_SHIFT 0 +-#define if_page_sz_MASK 0x0000ffff +-#define if_page_sz_WORD word5 +-#define loopbk_scope_SHIFT 24 +-#define loopbk_scope_MASK 0x0000000f +-#define loopbk_scope_WORD word5 +-#define rq_db_window_SHIFT 28 +-#define rq_db_window_MASK 0x0000000f +-#define rq_db_window_WORD word5 +- uint32_t word6; +-#define eq_pages_SHIFT 0 +-#define eq_pages_MASK 0x0000000f +-#define eq_pages_WORD word6 +-#define eqe_size_SHIFT 8 +-#define 
eqe_size_MASK 0x000000ff +-#define eqe_size_WORD word6 +- uint32_t word7; +-#define cq_pages_SHIFT 0 +-#define cq_pages_MASK 0x0000000f +-#define cq_pages_WORD word7 +-#define cqe_size_SHIFT 8 +-#define cqe_size_MASK 0x000000ff +-#define cqe_size_WORD word7 +- uint32_t word8; +-#define mq_pages_SHIFT 0 +-#define mq_pages_MASK 0x0000000f +-#define mq_pages_WORD word8 +-#define mqe_size_SHIFT 8 +-#define mqe_size_MASK 0x000000ff +-#define mqe_size_WORD word8 +-#define mq_elem_cnt_SHIFT 16 +-#define mq_elem_cnt_MASK 0x000000ff +-#define mq_elem_cnt_WORD word8 +- uint32_t word9; +-#define wq_pages_SHIFT 0 +-#define wq_pages_MASK 0x0000ffff +-#define wq_pages_WORD word9 +-#define wqe_size_SHIFT 8 +-#define wqe_size_MASK 0x000000ff +-#define wqe_size_WORD word9 +- uint32_t word10; +-#define rq_pages_SHIFT 0 +-#define rq_pages_MASK 0x0000ffff +-#define rq_pages_WORD word10 +-#define rqe_size_SHIFT 8 +-#define rqe_size_MASK 0x000000ff +-#define rqe_size_WORD word10 +- uint32_t word11; +-#define hdr_pages_SHIFT 0 +-#define hdr_pages_MASK 0x0000000f +-#define hdr_pages_WORD word11 +-#define hdr_size_SHIFT 8 +-#define hdr_size_MASK 0x0000000f +-#define hdr_size_WORD word11 +-#define hdr_pp_align_SHIFT 16 +-#define hdr_pp_align_MASK 0x0000ffff +-#define hdr_pp_align_WORD word11 +- uint32_t word12; +-#define sgl_pages_SHIFT 0 +-#define sgl_pages_MASK 0x0000000f +-#define sgl_pages_WORD word12 +-#define sgl_pp_align_SHIFT 16 +-#define sgl_pp_align_MASK 0x0000ffff +-#define sgl_pp_align_WORD word12 +- uint32_t rsvd_13_63[51]; +-}; + #define SLI4_PAGE_ALIGN(addr) (((addr)+((SLI4_PAGE_SIZE)-1)) \ + &(~((SLI4_PAGE_SIZE)-1))) + +@@ -3710,8 +3540,6 @@ struct lpfc_mqe { + struct lpfc_mbx_post_hdr_tmpl hdr_tmpl; + struct lpfc_mbx_query_fw_config query_fw_cfg; + struct lpfc_mbx_set_beacon_config beacon_config; +- struct lpfc_mbx_supp_pages supp_pages; +- struct lpfc_mbx_pc_sli4_params sli4_params; + struct lpfc_mbx_get_sli4_parameters get_sli4_parameters; + struct 
lpfc_mbx_set_link_diag_state link_diag_state; + struct lpfc_mbx_set_link_diag_loopback link_diag_loopback; +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 9fc5507ee39e..3e9574eede20 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -5807,8 +5807,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + LPFC_MBOXQ_t *mboxq; + MAILBOX_t *mb; + int rc, i, max_buf_size; +- uint8_t pn_page[LPFC_MAX_SUPPORTED_PAGES] = {0}; +- struct lpfc_mqe *mqe; + int longs; + int fof_vectors = 0; + uint64_t wwn; +@@ -6096,32 +6094,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + + lpfc_nvme_mod_param_dep(phba); + +- /* Get the Supported Pages if PORT_CAPABILITIES is supported by port. */ +- lpfc_supported_pages(mboxq); +- rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL); +- if (!rc) { +- mqe = &mboxq->u.mqe; +- memcpy(&pn_page[0], ((uint8_t *)&mqe->un.supp_pages.word3), +- LPFC_MAX_SUPPORTED_PAGES); +- for (i = 0; i < LPFC_MAX_SUPPORTED_PAGES; i++) { +- switch (pn_page[i]) { +- case LPFC_SLI4_PARAMETERS: +- phba->sli4_hba.pc_sli4_params.supported = 1; +- break; +- default: +- break; +- } +- } +- /* Read the port's SLI4 Parameters capabilities if supported. */ +- if (phba->sli4_hba.pc_sli4_params.supported) +- rc = lpfc_pc_sli4_params_get(phba, mboxq); +- if (rc) { +- mempool_free(mboxq, phba->mbox_mem_pool); +- rc = -EIO; +- goto out_free_bsmbx; +- } +- } +- + /* + * Get sli4 parameters that override parameters from Port capabilities. + * If this call fails, it isn't critical unless the SLI4 parameters come +@@ -10237,78 +10209,6 @@ lpfc_sli4_hba_unset(struct lpfc_hba *phba) + phba->pport->work_port_events = 0; + } + +- /** +- * lpfc_pc_sli4_params_get - Get the SLI4_PARAMS port capabilities. +- * @phba: Pointer to HBA context object. +- * @mboxq: Pointer to the mailboxq memory for the mailbox command response. 
+- * +- * This function is called in the SLI4 code path to read the port's +- * sli4 capabilities. +- * +- * This function may be be called from any context that can block-wait +- * for the completion. The expectation is that this routine is called +- * typically from probe_one or from the online routine. +- **/ +-int +-lpfc_pc_sli4_params_get(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq) +-{ +- int rc; +- struct lpfc_mqe *mqe; +- struct lpfc_pc_sli4_params *sli4_params; +- uint32_t mbox_tmo; +- +- rc = 0; +- mqe = &mboxq->u.mqe; +- +- /* Read the port's SLI4 Parameters port capabilities */ +- lpfc_pc_sli4_params(mboxq); +- if (!phba->sli4_hba.intr_enable) +- rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL); +- else { +- mbox_tmo = lpfc_mbox_tmo_val(phba, mboxq); +- rc = lpfc_sli_issue_mbox_wait(phba, mboxq, mbox_tmo); +- } +- +- if (unlikely(rc)) +- return 1; +- +- sli4_params = &phba->sli4_hba.pc_sli4_params; +- sli4_params->if_type = bf_get(if_type, &mqe->un.sli4_params); +- sli4_params->sli_rev = bf_get(sli_rev, &mqe->un.sli4_params); +- sli4_params->sli_family = bf_get(sli_family, &mqe->un.sli4_params); +- sli4_params->featurelevel_1 = bf_get(featurelevel_1, +- &mqe->un.sli4_params); +- sli4_params->featurelevel_2 = bf_get(featurelevel_2, +- &mqe->un.sli4_params); +- sli4_params->proto_types = mqe->un.sli4_params.word3; +- sli4_params->sge_supp_len = mqe->un.sli4_params.sge_supp_len; +- sli4_params->if_page_sz = bf_get(if_page_sz, &mqe->un.sli4_params); +- sli4_params->rq_db_window = bf_get(rq_db_window, &mqe->un.sli4_params); +- sli4_params->loopbk_scope = bf_get(loopbk_scope, &mqe->un.sli4_params); +- sli4_params->eq_pages_max = bf_get(eq_pages, &mqe->un.sli4_params); +- sli4_params->eqe_size = bf_get(eqe_size, &mqe->un.sli4_params); +- sli4_params->cq_pages_max = bf_get(cq_pages, &mqe->un.sli4_params); +- sli4_params->cqe_size = bf_get(cqe_size, &mqe->un.sli4_params); +- sli4_params->mq_pages_max = bf_get(mq_pages, &mqe->un.sli4_params); +- 
sli4_params->mqe_size = bf_get(mqe_size, &mqe->un.sli4_params); +- sli4_params->mq_elem_cnt = bf_get(mq_elem_cnt, &mqe->un.sli4_params); +- sli4_params->wq_pages_max = bf_get(wq_pages, &mqe->un.sli4_params); +- sli4_params->wqe_size = bf_get(wqe_size, &mqe->un.sli4_params); +- sli4_params->rq_pages_max = bf_get(rq_pages, &mqe->un.sli4_params); +- sli4_params->rqe_size = bf_get(rqe_size, &mqe->un.sli4_params); +- sli4_params->hdr_pages_max = bf_get(hdr_pages, &mqe->un.sli4_params); +- sli4_params->hdr_size = bf_get(hdr_size, &mqe->un.sli4_params); +- sli4_params->hdr_pp_align = bf_get(hdr_pp_align, &mqe->un.sli4_params); +- sli4_params->sgl_pages_max = bf_get(sgl_pages, &mqe->un.sli4_params); +- sli4_params->sgl_pp_align = bf_get(sgl_pp_align, &mqe->un.sli4_params); +- +- /* Make sure that sge_supp_len can be handled by the driver */ +- if (sli4_params->sge_supp_len > LPFC_MAX_SGE_SIZE) +- sli4_params->sge_supp_len = LPFC_MAX_SGE_SIZE; +- +- return rc; +-} +- + /** + * lpfc_get_sli4_parameters - Get the SLI4 Config PARAMETERS. + * @phba: Pointer to HBA context object. 
+@@ -10366,7 +10266,8 @@ lpfc_get_sli4_parameters(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq) + else + phba->sli3_options &= ~LPFC_SLI4_PHWQ_ENABLED; + sli4_params->sge_supp_len = mbx_sli4_parameters->sge_supp_len; +- sli4_params->loopbk_scope = bf_get(loopbk_scope, mbx_sli4_parameters); ++ sli4_params->loopbk_scope = bf_get(cfg_loopbk_scope, ++ mbx_sli4_parameters); + sli4_params->oas_supported = bf_get(cfg_oas, mbx_sli4_parameters); + sli4_params->cqv = bf_get(cfg_cqv, mbx_sli4_parameters); + sli4_params->mqv = bf_get(cfg_mqv, mbx_sli4_parameters); +diff --git a/drivers/scsi/lpfc/lpfc_mbox.c b/drivers/scsi/lpfc/lpfc_mbox.c +index 81fb92967b11..afad9cc18d88 100644 +--- a/drivers/scsi/lpfc/lpfc_mbox.c ++++ b/drivers/scsi/lpfc/lpfc_mbox.c +@@ -2620,39 +2620,3 @@ lpfc_resume_rpi(struct lpfcMboxq *mbox, struct lpfc_nodelist *ndlp) + resume_rpi->event_tag = ndlp->phba->fc_eventTag; + } + +-/** +- * lpfc_supported_pages - Initialize the PORT_CAPABILITIES supported pages +- * mailbox command. +- * @mbox: pointer to lpfc mbox command to initialize. +- * +- * The PORT_CAPABILITIES supported pages mailbox command is issued to +- * retrieve the particular feature pages supported by the port. +- **/ +-void +-lpfc_supported_pages(struct lpfcMboxq *mbox) +-{ +- struct lpfc_mbx_supp_pages *supp_pages; +- +- memset(mbox, 0, sizeof(*mbox)); +- supp_pages = &mbox->u.mqe.un.supp_pages; +- bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES); +- bf_set(cpn, supp_pages, LPFC_SUPP_PAGES); +-} +- +-/** +- * lpfc_pc_sli4_params - Initialize the PORT_CAPABILITIES SLI4 Params mbox cmd. +- * @mbox: pointer to lpfc mbox command to initialize. +- * +- * The PORT_CAPABILITIES SLI4 parameters mailbox command is issued to +- * retrieve the particular SLI4 features supported by the port. 
+- **/ +-void +-lpfc_pc_sli4_params(struct lpfcMboxq *mbox) +-{ +- struct lpfc_mbx_pc_sli4_params *sli4_params; +- +- memset(mbox, 0, sizeof(*mbox)); +- sli4_params = &mbox->u.mqe.un.sli4_params; +- bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES); +- bf_set(cpn, sli4_params, LPFC_SLI4_PARAMETERS); +-} +-- +2.30.2 + diff --git a/queue-4.14/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch b/queue-4.14/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch new file mode 100644 index 00000000000..8f24bc0ac09 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch 
@@ -0,0 +1,60 @@ +From 8db025cc08e7548166e43c3baf896fd599dcd497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Mar 2021 16:23:58 -0700 +Subject: scsi: qla2xxx: Always check the return value of + qla24xx_get_isp_stats() + +From: Bart Van Assche + +[ Upstream commit a2b2cc660822cae08c351c7f6b452bfd1330a4f7 ] + +This patch fixes the following Coverity warning: + + CID 361199 (#1 of 1): Unchecked return value (CHECKED_RETURN) + 3. check_return: Calling qla24xx_get_isp_stats without checking return + value (as is done elsewhere 4 out of 5 times). + +Link: https://lore.kernel.org/r/20210320232359.941-7-bvanassche@acm.org +Cc: Quinn Tran +Cc: Mike Christie +Cc: Himanshu Madhani +Cc: Daniel Wagner +Cc: Lee Duncan +Reviewed-by: Daniel Wagner +Reviewed-by: Himanshu Madhani +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_attr.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index 656253285db9..dbfd703d0f46 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -1914,6 +1914,8 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost) + vha->qla_stats.jiffies_at_last_reset = get_jiffies_64(); + + if (IS_FWI2_CAPABLE(ha)) { ++ int rval; ++ + stats = dma_alloc_coherent(&ha->pdev->dev, + sizeof(*stats), &stats_dma, GFP_KERNEL); + if (!stats) { +@@ -1923,7 +1925,11 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost) + } + + /* reset firmware statistics */ +- qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0); ++ rval = qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0); ++ if (rval != QLA_SUCCESS) ++ ql_log(ql_log_warn, vha, 0x70de, ++ "Resetting ISP statistics failed: rval = %d\n", ++ rval); + + dma_free_coherent(&ha->pdev->dev, sizeof(*stats), + stats, stats_dma); +-- +2.30.2 + 
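Review bot: In the lpfc_init.c part of the PORT_CAPABILITIES removal, the unchanged comment "Get sli4 parameters that override parameters from Port capabilities" directly after the deleted block in lpfc_sli4_driver_resource_setup() is now stale, since nothing reads port capabilities any more; reword it in the same patch. Two things to confirm for the 4.14 backport: `phba->sli4_hba.pc_sli4_params.supported` is no longer set by any visible line, so any remaining reader of it needs checking, and the lpfc_get_sli4_parameters() hunk switches to `cfg_loopbk_scope`, which must already be defined in this tree's lpfc_hw4.h because the patch does not add it. MBX_PORT_CAPABILITIES and LPFC_MAX_SUPPORTED_PAGES lose the users shown here; check whether any remain and drop the definitions if not.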
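Review bot: In qla2x00_reset_host_stats(), the command is issued on `base_vha` but the failure is logged against `vha`; use the same host for both or say why they differ. The failure is also only logged: the visible code still frees the DMA buffer and carries on, so the caller cannot tell that the firmware statistics were not reset. If the function has a return value, propagate `rval` through it.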
diff --git a/queue-4.14/scsi-qla2xxx-fix-use-after-free-in-bsg.patch b/queue-4.14/scsi-qla2xxx-fix-use-after-free-in-bsg.patch new file mode 100644 index 00000000000..fc0b0420165 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-use-after-free-in-bsg.patch 
@@ -0,0 +1,61 @@ +From 0532f9cc5287358e065937f30890874f7e2c972c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 01:52:22 -0700 +Subject: scsi: qla2xxx: Fix use after free in bsg + +From: Quinn Tran + +[ Upstream commit 2ce35c0821afc2acd5ee1c3f60d149f8b2520ce8 ] + +On bsg command completion, bsg_job_done() was called while qla driver +continued to access the bsg_job buffer. bsg_job_done() would free up +resources that ended up being reused by other task while the driver +continued to access the buffers. As a result, driver was reading garbage +data. + +localhost kernel: BUG: KASAN: use-after-free in sg_next+0x64/0x80 +localhost kernel: Read of size 8 at addr ffff8883228a3330 by task swapper/26/0 +localhost kernel: +localhost kernel: CPU: 26 PID: 0 Comm: swapper/26 Kdump: +loaded Tainted: G OE --------- - - 4.18.0-193.el8.x86_64+debug #1 +localhost kernel: Hardware name: HP ProLiant DL360 +Gen9/ProLiant DL360 Gen9, BIOS P89 08/12/2016 +localhost kernel: Call Trace: +localhost kernel: +localhost kernel: dump_stack+0x9a/0xf0 +localhost kernel: print_address_description.cold.3+0x9/0x23b +localhost kernel: kasan_report.cold.4+0x65/0x95 +localhost kernel: debug_dma_unmap_sg.part.12+0x10d/0x2d0 +localhost kernel: qla2x00_bsg_sp_free+0xaf6/0x1010 [qla2xxx] + +Link: https://lore.kernel.org/r/20210329085229.4367-6-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_bsg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c +index c1ca21a88a09..06063a841726 100644 +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -19,10 +19,11 @@ qla2x00_bsg_job_done(void *ptr, int res) + struct bsg_job *bsg_job = sp->u.bsg_job; + struct fc_bsg_reply *bsg_reply = bsg_job->reply; + ++ sp->free(sp); ++ + bsg_reply->result = res; + bsg_job_done(bsg_job, bsg_reply->result, + bsg_reply->reply_payload_rcv_len); +- sp->free(sp); + } + + void +-- +2.30.2 + diff --git a/queue-4.14/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch b/queue-4.14/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch new file mode 100644 index 00000000000..b37a9528ae3 --- /dev/null +++ b/queue-4.14/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch 
@@ -0,0 +1,42 @@ +From 325768e3f4235ec154ae38968a2ce3e802faa710 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Mar 2021 16:11:54 -0400 +Subject: scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg() + +From: Ewan D. Milne + +[ Upstream commit bc3f2b42b70eb1b8576e753e7d0e117bbb674496 ] + +Some arrays return ILLEGAL_REQUEST with ASC 00h if they don't support the +RTPG extended header so remove the check for INVALID FIELD IN CDB. + +Link: https://lore.kernel.org/r/20210331201154.20348-1-emilne@redhat.com +Reviewed-by: Hannes Reinecke +Signed-off-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index ba68454109ba..2cf5579a9ad9 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -560,10 +560,11 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + * even though it shouldn't according to T10. + * The retry without rtpg_ext_hdr_req set + * handles this. ++ * Note: some arrays return a sense key of ILLEGAL_REQUEST ++ * with ASC 00h if they don't support the extended header. + */ + if (!(pg->flags & ALUA_RTPG_EXT_HDR_UNSUPP) && +- sense_hdr.sense_key == ILLEGAL_REQUEST && +- sense_hdr.asc == 0x24 && sense_hdr.ascq == 0) { ++ sense_hdr.sense_key == ILLEGAL_REQUEST) { + pg->flags |= ALUA_RTPG_EXT_HDR_UNSUPP; + goto retry; + } +-- +2.30.2 + diff --git a/queue-4.14/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch b/queue-4.14/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch new file mode 100644 index 00000000000..94d103bee3f --- /dev/null +++ b/queue-4.14/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch 
@@ -0,0 +1,46 @@ +From 2c89ecace8a69a916c4732d1d4eaad3c51f3680b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Feb 2021 21:56:26 -0800 +Subject: scsi: target: pscsi: Fix warning in pscsi_complete_cmd() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chaitanya Kulkarni + +[ Upstream commit fd48c056a32ed6e7754c7c475490f3bed54ed378 ] + +This fixes a compilation warning in pscsi_complete_cmd(): + + drivers/target/target_core_pscsi.c: In function ‘pscsi_complete_cmd’: + drivers/target/target_core_pscsi.c:624:5: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] + ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */ + +Link: https://lore.kernel.org/r/20210228055645.22253-5-chaitanya.kulkarni@wdc.com +Reviewed-by: Mike Christie +Reviewed-by: Johannes Thumshirn +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_pscsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c +index f80b31b35a0d..a127608a4809 100644 +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -633,8 +633,9 @@ static void pscsi_complete_cmd(struct se_cmd *cmd, u8 scsi_status, + unsigned char *buf; + + buf = transport_kmap_data_sg(cmd); +- if (!buf) ++ if (!buf) { + ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */ ++ } + + if (cdb[0] == MODE_SENSE_10) { + if (!(buf[3] & 0x80)) +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 59c14898619..60eb1b3da23 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -27,3 +27,46 @@ cifs-return-correct-error-code-from-smb2_get_enc_key.patch btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch intel_th-pci-add-rocket-lake-cpu-support.patch fbdev-zero-fill-colormap-in-fbcmap.c.patch +staging-wimax-i2400m-fix-byte-order-issue.patch +crypto-api-check-for-err-pointers-in-crypto_destroy_.patch +usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch +usb-gadget-f_uac1-validate-input-parameters.patch +usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch +usb-xhci-fix-port-minor-revision.patch +pci-pm-do-not-read-power-state-in-pci_enable_device_.patch +x86-build-propagate-clang_flags-to-realmode_flags.patch +tee-optee-do-not-check-memref-size-on-return-from-se.patch +perf-arm_pmu_platform-fix-error-handling.patch +spi-dln2-fix-reference-leak-to-master.patch +spi-omap-100k-fix-reference-leak-to-master.patch +intel_th-consistency-and-off-by-one-fix.patch +phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch +btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch +scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch +scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch +scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch +media-ite-cir-check-for-receive-overflow.patch +power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch +extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch +media-media-saa7164-fix-saa7164_encoder_register-mem.patch +media-gspca-sq905.c-fix-uninitialized-variable.patch +power-supply-use-irqf_oneshot.patch +drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch +scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch +scsi-qla2xxx-fix-use-after-free-in-bsg.patch +scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch +media-em28xx-fix-memory-leak.patch +media-vivid-update-edid.patch +clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch +power-supply-generic-adc-battery-fix-possible-use-af.patch 
+power-supply-s3c_adc_battery-fix-possible-use-after-.patch +media-adv7604-fix-possible-use-after-free-in-adv76xx.patch +media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch +media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch +media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch +media-gscpa-stv06xx-fix-memory-leak.patch +drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch +drm-amdgpu-fix-null-pointer-dereference.patch +scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch +scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch +scsi-libfc-fix-a-format-specifier.patch diff --git a/queue-4.14/spi-dln2-fix-reference-leak-to-master.patch b/queue-4.14/spi-dln2-fix-reference-leak-to-master.patch new file mode 100644 index 00000000000..3940abc2378 --- /dev/null +++ b/queue-4.14/spi-dln2-fix-reference-leak-to-master.patch 
@@ -0,0 +1,40 @@ +From fbe5cb376de4756fc63a932a5aae42b92c69ec92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 08:29:55 +0000 +Subject: spi: dln2: Fix reference leak to master + +From: Wei Yongjun + +[ Upstream commit 9b844b087124c1538d05f40fda8a4fec75af55be ] + +Call spi_master_get() holds the reference count to master device, thus +we need an additional spi_master_put() call to reduce the reference +count, otherwise we will leak a reference to master. + +This commit fix it by removing the unnecessary spi_master_get(). + +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20210409082955.2907950-1-weiyongjun1@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dln2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-dln2.c b/drivers/spi/spi-dln2.c +index b62a99caacc0..a41adea48618 100644 +--- a/drivers/spi/spi-dln2.c ++++ b/drivers/spi/spi-dln2.c +@@ -783,7 +783,7 @@ exit_free_master: + + static int dln2_spi_remove(struct platform_device *pdev) + { +- struct spi_master *master = spi_master_get(platform_get_drvdata(pdev)); ++ struct spi_master *master = platform_get_drvdata(pdev); + struct dln2_spi *dln2 = spi_master_get_devdata(master); + + pm_runtime_disable(&pdev->dev); +-- +2.30.2 + diff --git a/queue-4.14/spi-omap-100k-fix-reference-leak-to-master.patch b/queue-4.14/spi-omap-100k-fix-reference-leak-to-master.patch new file mode 100644 index 00000000000..347fddba39d --- /dev/null +++ b/queue-4.14/spi-omap-100k-fix-reference-leak-to-master.patch 
@@ -0,0 +1,58 @@ +From 943eff25652df5078687a1350c9dc769f8dc658f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 08:29:54 +0000 +Subject: spi: omap-100k: Fix reference leak to master + +From: Wei Yongjun + +[ Upstream commit a23faea76d4cf5f75decb574491e66f9ecd707e7 ] + +Call spi_master_get() holds the reference count to master device, thus +we need an additional spi_master_put() call to reduce the reference +count, otherwise we will leak a reference to master. + +This commit fix it by removing the unnecessary spi_master_get(). + +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20210409082954.2906933-1-weiyongjun1@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap-100k.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c +index 76a8425be227..1eccdc4a4581 100644 +--- a/drivers/spi/spi-omap-100k.c ++++ b/drivers/spi/spi-omap-100k.c +@@ -435,7 +435,7 @@ err: + + static int omap1_spi100k_remove(struct platform_device *pdev) + { +- struct spi_master *master = spi_master_get(platform_get_drvdata(pdev)); ++ struct spi_master *master = platform_get_drvdata(pdev); + struct omap1_spi100k *spi100k = spi_master_get_devdata(master); + + pm_runtime_disable(&pdev->dev); +@@ -449,7 +449,7 @@ static int omap1_spi100k_remove(struct platform_device *pdev) + #ifdef CONFIG_PM + static int omap1_spi100k_runtime_suspend(struct device *dev) + { +- struct spi_master *master = spi_master_get(dev_get_drvdata(dev)); ++ struct spi_master *master = dev_get_drvdata(dev); + struct omap1_spi100k *spi100k = spi_master_get_devdata(master); + + clk_disable_unprepare(spi100k->ick); +@@ -460,7 +460,7 @@ static int omap1_spi100k_runtime_suspend(struct device *dev) + + static int omap1_spi100k_runtime_resume(struct device *dev) + { +- struct spi_master *master = spi_master_get(dev_get_drvdata(dev)); ++ struct spi_master 
*master = dev_get_drvdata(dev); + struct omap1_spi100k *spi100k = spi_master_get_devdata(master); + int ret; + +-- +2.30.2 + diff --git a/queue-4.14/staging-wimax-i2400m-fix-byte-order-issue.patch b/queue-4.14/staging-wimax-i2400m-fix-byte-order-issue.patch new file mode 100644 index 00000000000..f6e551d2c13 --- /dev/null +++ b/queue-4.14/staging-wimax-i2400m-fix-byte-order-issue.patch @@ -0,0 +1,36 @@ +From 237bdaea5e4876dc36de9e3084a80ec489fa2ffe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Feb 2021 21:01:05 +0530 +Subject: staging: wimax/i2400m: fix byte-order issue + +From: karthik alapati + +[ Upstream commit 0c37baae130df39b19979bba88bde2ee70a33355 ] + +fix sparse byte-order warnings by converting host byte-order +type to __le16 byte-order types before assigning to hdr.length + +Signed-off-by: karthik alapati +Link: https://lore.kernel.org/r/0ae5c5c4c646506d8be871e7be5705542671a1d5.1613921277.git.mail@karthek.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/net/wimax/i2400m/op-rfkill.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c +index dc6fe93ce71f..e8473047b2d1 100644 +--- a/drivers/net/wimax/i2400m/op-rfkill.c ++++ b/drivers/net/wimax/i2400m/op-rfkill.c +@@ -101,7 +101,7 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev, + if (cmd == NULL) + goto error_alloc; + cmd->hdr.type = cpu_to_le16(I2400M_MT_CMD_RF_CONTROL); +- cmd->hdr.length = sizeof(cmd->sw_rf); ++ cmd->hdr.length = cpu_to_le16(sizeof(cmd->sw_rf)); + cmd->hdr.version = cpu_to_le16(I2400M_L3L4_VERSION); + cmd->sw_rf.hdr.type = cpu_to_le16(I2400M_TLV_RF_OPERATION); + cmd->sw_rf.hdr.length = cpu_to_le16(sizeof(cmd->sw_rf.status)); +-- +2.30.2 + 
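Review bot: The commit message for the drivers/net/wimax/i2400m/op-rfkill.c change describes it only as fixing sparse byte-order warnings, but replacing `cmd->hdr.length = sizeof(cmd->sw_rf);` with the cpu_to_le16() form changes the value stored on big-endian hosts. The neighbouring hdr.type and hdr.version assignments already use cpu_to_le16(), so the old line was the only one writing host byte order into the header. The message should say that this is a functional fix on big-endian and a no-op on little-endian, so that anyone judging the backport can see its actual impact.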
diff --git a/queue-4.14/tee-optee-do-not-check-memref-size-on-return-from-se.patch b/queue-4.14/tee-optee-do-not-check-memref-size-on-return-from-se.patch new file mode 100644 index 00000000000..85dfd4611be --- /dev/null +++ b/queue-4.14/tee-optee-do-not-check-memref-size-on-return-from-se.patch 
@@ -0,0 +1,54 @@ +From 625c4ac72dbccfa1d8edf0fc239bcfc25125374d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Mar 2021 11:40:37 +0100 +Subject: tee: optee: do not check memref size on return from Secure World + +From: Jerome Forissier + +[ Upstream commit c650b8dc7a7910eb25af0aac1720f778b29e679d ] + +When Secure World returns, it may have changed the size attribute of the +memory references passed as [in/out] parameters. The GlobalPlatform TEE +Internal Core API specification does not restrict the values that this +size can take. In particular, Secure World may increase the value to be +larger than the size of the input buffer to indicate that it needs more. + +Therefore, the size check in optee_from_msg_param() is incorrect and +needs to be removed. This fixes a number of failed test cases in the +GlobalPlatform TEE Initial Configuratiom Test Suite v2_0_0_0-2017_06_09 +when OP-TEE is compiled without dynamic shared memory support +(CFG_CORE_DYN_SHM=n). + +Reviewed-by: Sumit Garg +Suggested-by: Jens Wiklander +Signed-off-by: Jerome Forissier +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +--- + drivers/tee/optee/core.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c +index 834884c370c5..63187b07dde0 100644 +--- a/drivers/tee/optee/core.c ++++ b/drivers/tee/optee/core.c +@@ -86,16 +86,6 @@ int optee_from_msg_param(struct tee_param *params, size_t num_params, + return rc; + p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa; + p->u.memref.shm = shm; +- +- /* Check that the memref is covered by the shm object */ +- if (p->u.memref.size) { +- size_t o = p->u.memref.shm_offs + +- p->u.memref.size - 1; +- +- rc = tee_shm_get_pa(shm, o, NULL); +- if (rc) +- return rc; +- } + break; + default: + return -EINVAL; +-- +2.30.2 + 
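Review bot: With the "Check that the memref is covered by the shm object" block deleted from optee_from_msg_param() in drivers/tee/optee/core.c, nothing in this function bounds p->u.memref.size against the shm object any more, and the code no longer records that fact. The commit message explains why an oversized value is legal on return from Secure World, but a reader of the function will not see that. A short comment at the deleted spot, stating that size is a Secure World output that may be larger than the buffer and that consumers must bound it against the shm size before using it as a length, would keep later code from assuming the old invariant still holds.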
diff --git a/queue-4.14/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch b/queue-4.14/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch new file mode 100644 index 00000000000..bdccc199256 --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch 
@@ -0,0 +1,48 @@ +From 8b9ddff2a1d7695702ae964e8cd7be4fa6464d77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 02:31:25 -0700 +Subject: usb: dwc3: gadget: Ignore EP queue requests during bus reset + +From: Wesley Cheng + +[ Upstream commit 71ca43f30df9c642970f9dc9b2d6f463f4967e7b ] + +The current dwc3_gadget_reset_interrupt() will stop any active +transfers, but only addresses blocking of EP queuing for while we are +coming from a disconnected scenario, i.e. after receiving the disconnect +event. If the host decides to issue a bus reset on the device, the +connected parameter will still be set to true, allowing for EP queuing +to continue while we are disabling the functions. To avoid this, set the +connected flag to false until the stop active transfers is complete. + +Signed-off-by: Wesley Cheng +Link: https://lore.kernel.org/r/1616146285-19149-3-git-send-email-wcheng@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 510ed406fb0b..909e8aafd580 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2695,6 +2695,15 @@ static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc) + + dwc->connected = true; + ++ /* ++ * Ideally, dwc3_reset_gadget() would trigger the function ++ * drivers to stop any active transfers through ep disable. ++ * However, for functions which defer ep disable, such as mass ++ * storage, we will need to rely on the call to stop active ++ * transfers here, and avoid allowing of request queuing. ++ */ ++ dwc->connected = false; ++ + /* + * WORKAROUND: DWC3 revisions <1.88a have an issue which + * would cause a missing Disconnect Event if there's a +-- +2.30.2 + 
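Review bot: In dwc3_gadget_reset_interrupt() the added `dwc->connected = false;` comes directly after the existing context line `dwc->connected = true;`, so the earlier store is dead and the flag is false from this point on. The commit message says the flag is cleared only "until the stop active transfers is complete", but the hunk does not show where it is set back to true. Either move the `dwc->connected = true;` line so that it follows the stop of active transfers, or confirm that the restore exists elsewhere in the 4.14 version of this function; otherwise EP queuing may stay blocked after a bus reset.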
diff --git a/queue-4.14/usb-gadget-f_uac1-validate-input-parameters.patch b/queue-4.14/usb-gadget-f_uac1-validate-input-parameters.patch new file mode 100644 index 00000000000..131854a00fe --- /dev/null +++ b/queue-4.14/usb-gadget-f_uac1-validate-input-parameters.patch 
@@ -0,0 +1,113 @@ +From c1a7dbe66aae9cf2d8163eccc025859c0c38d404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 13:49:34 +0200 +Subject: usb: gadget: f_uac1: validate input parameters + +From: Ruslan Bilovol + +[ Upstream commit a59c68a6a3d1b18e2494f526eb19893a34fa6ec6 ] + +Currently user can configure UAC1 function with +parameters that violate UAC1 spec or are not supported +by UAC1 gadget implementation. + +This can lead to incorrect behavior if such gadget +is connected to the host - like enumeration failure +or other issues depending on host's UAC1 driver +implementation, bringing user to a long hours +of debugging the issue. + +Instead of silently accept these parameters, throw +an error if they are not valid. + +Signed-off-by: Ruslan Bilovol +Link: https://lore.kernel.org/r/1614599375-8803-5-git-send-email-ruslan.bilovol@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uac1.c | 43 ++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c +index 3f4ee28e7896..edbb3b9a9709 100644 +--- a/drivers/usb/gadget/function/f_uac1.c ++++ b/drivers/usb/gadget/function/f_uac1.c +@@ -23,6 +23,9 @@ + #include "u_audio.h" + #include "u_uac1.h" + ++/* UAC1 spec: 3.7.2.3 Audio Channel Cluster Format */ ++#define UAC1_CHANNEL_MASK 0x0FFF ++ + struct f_uac1 { + struct g_audio g_audio; + u8 ac_intf, as_in_intf, as_out_intf; +@@ -34,6 +37,11 @@ static inline struct f_uac1 *func_to_uac1(struct usb_function *f) + return container_of(f, struct f_uac1, g_audio.func); + } + ++static inline struct f_uac1_opts *g_audio_to_uac1_opts(struct g_audio *audio) ++{ ++ return container_of(audio->func.fi, struct f_uac1_opts, func_inst); ++} ++ + /* + * DESCRIPTORS ... most are static, but strings and full + * configuration descriptors are built on demand. 
+@@ -509,11 +517,42 @@ static void f_audio_disable(struct usb_function *f) + + /*-------------------------------------------------------------------------*/ + ++static int f_audio_validate_opts(struct g_audio *audio, struct device *dev) ++{ ++ struct f_uac1_opts *opts = g_audio_to_uac1_opts(audio); ++ ++ if (!opts->p_chmask && !opts->c_chmask) { ++ dev_err(dev, "Error: no playback and capture channels\n"); ++ return -EINVAL; ++ } else if (opts->p_chmask & ~UAC1_CHANNEL_MASK) { ++ dev_err(dev, "Error: unsupported playback channels mask\n"); ++ return -EINVAL; ++ } else if (opts->c_chmask & ~UAC1_CHANNEL_MASK) { ++ dev_err(dev, "Error: unsupported capture channels mask\n"); ++ return -EINVAL; ++ } else if ((opts->p_ssize < 1) || (opts->p_ssize > 4)) { ++ dev_err(dev, "Error: incorrect playback sample size\n"); ++ return -EINVAL; ++ } else if ((opts->c_ssize < 1) || (opts->c_ssize > 4)) { ++ dev_err(dev, "Error: incorrect capture sample size\n"); ++ return -EINVAL; ++ } else if (!opts->p_srate) { ++ dev_err(dev, "Error: incorrect playback sampling rate\n"); ++ return -EINVAL; ++ } else if (!opts->c_srate) { ++ dev_err(dev, "Error: incorrect capture sampling rate\n"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + /* audio function driver setup/binding */ + static int f_audio_bind(struct usb_configuration *c, struct usb_function *f) + { + struct usb_composite_dev *cdev = c->cdev; + struct usb_gadget *gadget = cdev->gadget; ++ struct device *dev = &gadget->dev; + struct f_uac1 *uac1 = func_to_uac1(f); + struct g_audio *audio = func_to_g_audio(f); + struct f_uac1_opts *audio_opts; +@@ -523,6 +562,10 @@ static int f_audio_bind(struct usb_configuration *c, struct usb_function *f) + int rate; + int status; + ++ status = f_audio_validate_opts(audio, dev); ++ if (status) ++ return status; ++ + audio_opts = container_of(f->fi, struct f_uac1_opts, func_inst); + + us = usb_gstrings_attach(cdev, uac1_strings, ARRAY_SIZE(strings_uac1)); +-- +2.30.2 + 
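Review bot: The sample-size and sampling-rate checks in f_audio_validate_opts() run for both directions even when one direction is disabled. The first test rejects only the case where p_chmask and c_chmask are both zero, so a capture-only function with p_chmask = 0 passes it, yet can still fail on `opts->p_ssize < 1` or `!opts->p_srate`. Consider gating the ssize and srate checks on the matching chmask being non-zero, or document that the unused direction must still carry valid values. Minor: every branch returns, so the `else if` chain can be plain `if` statements, and f_audio_bind() could use the new g_audio_to_uac1_opts() helper instead of the container_of() that follows the validation call.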
diff --git a/queue-4.14/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch b/queue-4.14/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch new file mode 100644 index 00000000000..089f768e62b --- /dev/null +++ b/queue-4.14/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch 
@@ -0,0 +1,52 @@ +From 349b3fb433cd97ecb8ddbb1272ec1218c85a160e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 13:53:38 +0100 +Subject: usb: gadget: uvc: add bInterval checking for HS mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pawel Laszczak + +[ Upstream commit 26adde04acdff14a1f28d4a5dce46a8513a3038b ] + +Patch adds extra checking for bInterval passed by configfs. +The 5.6.4 chapter of USB Specification (rev. 2.0) say: +"A high-bandwidth endpoint must specify a period of 1x125 µs +(i.e., a bInterval value of 1)." + +The issue was observed during testing UVC class on CV. +I treat this change as improvement because we can control +bInterval by configfs. + +Reviewed-by: Peter Chen +Reviewed-by: Laurent Pinchart +Signed-off-by: Pawel Laszczak +Link: https://lore.kernel.org/r/20210308125338.4824-1-pawell@gli-login.cadence.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uvc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c +index f8a1881609a2..89da34ef7b3f 100644 +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -625,7 +625,12 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) + + uvc_hs_streaming_ep.wMaxPacketSize = + cpu_to_le16(max_packet_size | ((max_packet_mult - 1) << 11)); +- uvc_hs_streaming_ep.bInterval = opts->streaming_interval; ++ ++ /* A high-bandwidth endpoint must specify a bInterval value of 1 */ ++ if (max_packet_mult > 1) ++ uvc_hs_streaming_ep.bInterval = 1; ++ else ++ uvc_hs_streaming_ep.bInterval = opts->streaming_interval; + + uvc_ss_streaming_ep.wMaxPacketSize = cpu_to_le16(max_packet_size); + uvc_ss_streaming_ep.bInterval = opts->streaming_interval; +-- +2.30.2 + 
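Review bot: The new `if (max_packet_mult > 1)` branch in uvc_function_bind() silently replaces the configfs value opts->streaming_interval with 1 for the HS endpoint, so the value the user configured and the value the descriptor advertises can differ without any message. Consider logging when the override happens, or rejecting the setting. The comment should also say that the rule is applied only to uvc_hs_streaming_ep, since the uvc_ss_streaming_ep.bInterval assignment just below still takes opts->streaming_interval unchanged.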
diff --git a/queue-4.14/usb-xhci-fix-port-minor-revision.patch b/queue-4.14/usb-xhci-fix-port-minor-revision.patch new file mode 100644 index 00000000000..bfb24d13b93 --- /dev/null +++ b/queue-4.14/usb-xhci-fix-port-minor-revision.patch 
@@ -0,0 +1,51 @@ +From 5b4308995f898d3d3e3b07e3c2b4a165b8217d3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 19:43:21 -0800 +Subject: usb: xhci: Fix port minor revision + +From: Thinh Nguyen + +[ Upstream commit 64364bc912c01b33bba6c22e3ccb849bfca96398 ] + +Some hosts incorrectly use sub-minor version for minor version (i.e. +0x02 instead of 0x20 for bcdUSB 0x320 and 0x01 for bcdUSB 0x310). +Currently the xHCI driver works around this by just checking for minor +revision > 0x01 for USB 3.1 everywhere. With the addition of USB 3.2, +checking this gets a bit cumbersome. Since there is no USB release with +bcdUSB 0x301 to 0x309, we can assume that sub-minor version 01 to 09 is +incorrect. Let's try to fix this and use the minor revision that matches +with the USB/xHCI spec to help with the version checking within the +driver. + +Acked-by: Mathias Nyman +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/ed330e95a19dc367819c5b4d78bf7a541c35aa0a.1615432770.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 70452c881e56..5fd1e95f5400 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -2085,6 +2085,15 @@ static void xhci_add_in_port(struct xhci_hcd *xhci, unsigned int num_ports, + + if (major_revision == 0x03) { + rhub = &xhci->usb3_rhub; ++ /* ++ * Some hosts incorrectly use sub-minor version for minor ++ * version (i.e. 0x02 instead of 0x20 for bcdUSB 0x320 and 0x01 ++ * for bcdUSB 0x310). Since there is no USB release with sub ++ * minor version 0x301 to 0x309, we can assume that they are ++ * incorrect and fix it here. ++ */ ++ if (minor_revision > 0x00 && minor_revision < 0x10) ++ minor_revision <<= 4; + } else if (major_revision <= 0x02) { + rhub = &xhci->usb2_rhub; + } else { +-- +2.30.2 + 
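Review bot: The condition `minor_revision > 0x00 && minor_revision < 0x10` in xhci_add_in_port() is wider than the comment above it. The comment justifies the fixup for sub-minor values 0x01 to 0x09, but the test also shifts 0x0a through 0x0f, producing 0xa0 through 0xf0. Either tighten the upper bound to match the comment or extend the comment to say that the whole low-nibble range is treated as a misplaced minor version. A debug message when the value is rewritten would also help when diagnosing a host that reports an unexpected revision.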
diff --git a/queue-4.14/x86-build-propagate-clang_flags-to-realmode_flags.patch b/queue-4.14/x86-build-propagate-clang_flags-to-realmode_flags.patch new file mode 100644 index 00000000000..0b2dcf0eba0 --- /dev/null +++ b/queue-4.14/x86-build-propagate-clang_flags-to-realmode_flags.patch 
@@ -0,0 +1,66 @@ +From 06d6614d3ba6f520b81957605f429a0cf469ec91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 17:04:33 -0700 +Subject: x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Millikin + +[ Upstream commit 8abe7fc26ad8f28bfdf78adbed56acd1fa93f82d ] + +When cross-compiling with Clang, the `$(CLANG_FLAGS)' variable +contains additional flags needed to build C and assembly sources +for the target platform. Normally this variable is automatically +included in `$(KBUILD_CFLAGS)' via the top-level Makefile. + +The x86 real-mode makefile builds `$(REALMODE_CFLAGS)' from a +plain assignment and therefore drops the Clang flags. This causes +Clang to not recognize x86-specific assembler directives: + +  arch/x86/realmode/rm/header.S:36:1: error: unknown directive +  .type real_mode_header STT_OBJECT ; .size real_mode_header, .-real_mode_header +  ^ + +Explicit propagation of `$(CLANG_FLAGS)' to `$(REALMODE_CFLAGS)', +which is inherited by real-mode make rules, fixes cross-compilation +with Clang for x86 targets. + +Relevant flags: + +* `--target' sets the target architecture when cross-compiling. This +  flag must be set for both compilation and assembly (`KBUILD_AFLAGS') +  to support architecture-specific assembler directives. + +* `-no-integrated-as' tells clang to assemble with GNU Assembler +  instead of its built-in LLVM assembler. This flag is set by default +  unless `LLVM_IAS=1' is set, because the LLVM assembler can't yet +  parse certain GNU extensions. 
+ +Signed-off-by: John Millikin +Signed-off-by: Nathan Chancellor +Signed-off-by: Borislav Petkov +Acked-by: Ard Biesheuvel +Tested-by: Sedat Dilek +Link: https://lkml.kernel.org/r/20210326000435.4785-2-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index 146aadeb7c8e..844d5a72d2ad 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -41,6 +41,7 @@ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector) + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member) + REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4)) ++REALMODE_CFLAGS += $(CLANG_FLAGS) + export REALMODE_CFLAGS + + # BITS is used as extension for files which are available in a 32 bit +-- +2.30.2 +
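Review bot: The added `REALMODE_CFLAGS += $(CLANG_FLAGS)` in arch/x86/Makefile sits after the `$(call __cc-option, $(CC), $(REALMODE_CFLAGS), ...)` probes shown in the context lines, so those probes are evaluated with a REALMODE_CFLAGS that does not yet carry `--target` or `-no-integrated-as`. When cross-compiling with Clang, the option tests may therefore run against a different target than the real-mode build itself. Consider appending $(CLANG_FLAGS) before the probes, or add a comment explaining why the ordering does not matter here.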