From: Greg Kroah-Hartman Date: Sun, 15 Dec 2019 13:52:31 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.4.4~63 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b711d3d5776e23be1804cede390fc47bf8bdb086;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch acpi-osl-only-free-map-once-in-osl.c.patch acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch ar5523-check-null-before-memcpy-in-ar5523_cmd.patch arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch cgroup-pids-use-atomic64_t-for-pids-limit.patch cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch intel_th-fix-a-double-put_device-in-error-path.patch intel_th-pci-add-ice-lake-cpu-support.patch intel_th-pci-add-tiger-lake-cpu-support.patch media-bdisp-fix-memleak-on-release.patch media-cec.h-cec_op_rec_flag_-values-were-swapped.patch media-radio-wl1273-fix-interrupt-masking-on-release.patch mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch perf-tests-fix-out-of-bounds-memory-access.patch pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch pm-devfreq-lock-devfreq-in-trans_stat_show.patch ppdev-fix-ppgettime-ppsettime-ioctls.patch s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch --- diff --git a/queue-4.14/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch b/queue-4.14/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch new file mode 100644 index 00000000000..c14fde5d530 --- /dev/null +++ b/queue-4.14/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch @@ -0,0 +1,59 @@ +From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001 +From: Vamshi K Sthambamkadi +Date: Thu, 28 Nov 2019 15:58:29 +0530 +Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() + +From: Vamshi K Sthambamkadi + +commit 627ead724eff33673597216f5020b72118827de4 upstream. + +kmemleak reported backtrace: + [] kmem_cache_alloc_trace+0x128/0x260 + [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0 + [<1180f4fc>] i2c_register_adapter+0x186/0x400 + [<6083baf7>] i2c_add_adapter+0x4e/0x70 + [] intel_gmbus_setup+0x1a2/0x2c0 [i915] + [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915] + [<81911d4b>] i915_pci_probe+0x48/0x160 [i915] + [<4b159af1>] pci_device_probe+0xdc/0x160 + [] really_probe+0x1ee/0x450 + [] driver_probe_device+0x142/0x1b0 + [] device_driver_attach+0x49/0x50 + [] __driver_attach+0xc9/0x150 + [] bus_for_each_dev+0x56/0xa0 + [<80089bba>] driver_attach+0x19/0x20 + [] bus_add_driver+0x177/0x220 + [<7b29d8c7>] driver_register+0x56/0xf0 + +In i2c_acpi_remove_space_handler(), a leak occurs whenever the +"data" parameter is initialized to 0 before being passed to +acpi_bus_get_private_data(). + +This is because the NULL pointer check in acpi_bus_get_private_data() +(condition->if(!*data)) returns EINVAL and, in consequence, memory is +never freed in i2c_acpi_remove_space_handler(). + +Fix the NULL pointer check in acpi_bus_get_private_data() to follow +the analogous check in acpi_get_data_full(). + +Signed-off-by: Vamshi K Sthambamkadi +[ rjw: Subject & changelog ] +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -196,7 +196,7 @@ int acpi_bus_get_private_data(acpi_handl + { + acpi_status status; + +- if (!*data) ++ if (!data) + return -EINVAL; + + status = acpi_get_data(handle, acpi_bus_private_data_handler, data); diff --git a/queue-4.14/acpi-osl-only-free-map-once-in-osl.c.patch b/queue-4.14/acpi-osl-only-free-map-once-in-osl.c.patch new file mode 100644 index 00000000000..4fefb08cc92 --- /dev/null +++ b/queue-4.14/acpi-osl-only-free-map-once-in-osl.c.patch @@ -0,0 +1,111 @@ +From 833a426cc471b6088011b3d67f1dc4e147614647 Mon Sep 17 00:00:00 2001 +From: Francesco Ruggeri +Date: Tue, 19 Nov 2019 21:47:27 -0800 +Subject: ACPI: OSL: only free map once in osl.c + +From: Francesco Ruggeri + +commit 833a426cc471b6088011b3d67f1dc4e147614647 upstream. + +acpi_os_map_cleanup checks map->refcount outside of acpi_ioremap_lock +before freeing the map. This creates a race condition the can result +in the map being freed more than once. +A panic can be caused by running + +for ((i=0; i<10; i++)) +do + for ((j=0; j<100000; j++)) + do + cat /sys/firmware/acpi/tables/data/BERT >/dev/null + done & +done + +This patch makes sure that only the process that drops the reference +to 0 does the freeing. + +Fixes: b7c1fadd6c2e ("ACPI: Do not use krefs under a mutex in osl.c") +Signed-off-by: Francesco Ruggeri +Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/osl.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -371,19 +371,21 @@ void *__ref acpi_os_map_memory(acpi_phys + } + EXPORT_SYMBOL_GPL(acpi_os_map_memory); + +-static void acpi_os_drop_map_ref(struct acpi_ioremap *map) ++/* Must be called with mutex_lock(&acpi_ioremap_lock) */ ++static unsigned long acpi_os_drop_map_ref(struct acpi_ioremap *map) + { +- if (!--map->refcount) ++ unsigned long refcount = --map->refcount; ++ ++ if (!refcount) + list_del_rcu(&map->list); ++ return refcount; + } + + static void acpi_os_map_cleanup(struct acpi_ioremap *map) + { +- if (!map->refcount) { +- synchronize_rcu_expedited(); +- acpi_unmap(map->phys, map->virt); +- kfree(map); +- } ++ synchronize_rcu_expedited(); ++ acpi_unmap(map->phys, map->virt); ++ kfree(map); + } + + /** +@@ -403,6 +405,7 @@ static void acpi_os_map_cleanup(struct a + void __ref acpi_os_unmap_iomem(void __iomem *virt, acpi_size size) + { + struct acpi_ioremap *map; ++ unsigned long refcount; + + if (!acpi_permanent_mmap) { + __acpi_unmap_table(virt, size); +@@ -416,10 +419,11 @@ void __ref acpi_os_unmap_iomem(void __io + WARN(true, PREFIX "%s: bad address %p\n", __func__, virt); + return; + } +- acpi_os_drop_map_ref(map); ++ refcount = acpi_os_drop_map_ref(map); + mutex_unlock(&acpi_ioremap_lock); + +- acpi_os_map_cleanup(map); ++ if (!refcount) ++ acpi_os_map_cleanup(map); + } + EXPORT_SYMBOL_GPL(acpi_os_unmap_iomem); + +@@ -454,6 +458,7 @@ void acpi_os_unmap_generic_address(struc + { + u64 addr; + struct acpi_ioremap *map; ++ unsigned long refcount; + + if (gas->space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY) + return; +@@ -469,10 +474,11 @@ void acpi_os_unmap_generic_address(struc + mutex_unlock(&acpi_ioremap_lock); + return; + } +- acpi_os_drop_map_ref(map); ++ refcount = acpi_os_drop_map_ref(map); + mutex_unlock(&acpi_ioremap_lock); + +- acpi_os_map_cleanup(map); ++ if (!refcount) ++ acpi_os_map_cleanup(map); + } + EXPORT_SYMBOL(acpi_os_unmap_generic_address); + diff --git a/queue-4.14/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/queue-4.14/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch new file mode 100644 index 00000000000..14f95e4f2b9 --- /dev/null +++ b/queue-4.14/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch @@ -0,0 +1,53 @@ +From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 4 Dec 2019 02:54:27 +0100 +Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices + +From: Rafael J. Wysocki + +commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream. + +Certain ACPI-enumerated devices represented as platform devices in +Linux, like fans, require special low-level power management handling +implemented by their drivers that is not in agreement with the ACPI +PM domain behavior. That leads to problems with managing ACPI fans +during system-wide suspend and resume. + +For this reason, make acpi_dev_pm_attach() skip the affected devices +by adding a list of device IDs to avoid to it and putting the IDs of +the affected devices into that list. + +Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems) +Reported-by: Zhang Rui +Tested-by: Todd Brandt +Cc: 3.10+ # 3.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/device_pm.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/device_pm.c ++++ b/drivers/acpi/device_pm.c +@@ -1154,9 +1154,19 @@ static void acpi_dev_pm_detach(struct de + */ + int acpi_dev_pm_attach(struct device *dev, bool power_on) + { ++ /* ++ * Skip devices whose ACPI companions match the device IDs below, ++ * because they require special power management handling incompatible ++ * with the generic ACPI PM domain. ++ */ ++ static const struct acpi_device_id special_pm_ids[] = { ++ {"PNP0C0B", }, /* Generic ACPI fan */ ++ {"INT3404", }, /* Fan */ ++ {} ++ }; + struct acpi_device *adev = ACPI_COMPANION(dev); + +- if (!adev) ++ if (!adev || !acpi_match_device_ids(adev, special_pm_ids)) + return -ENODEV; + + if (dev->pm_domain) diff --git a/queue-4.14/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch b/queue-4.14/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch new file mode 100644 index 00000000000..f6bdacaf136 --- /dev/null +++ b/queue-4.14/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch @@ -0,0 +1,40 @@ +From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Mon, 30 Sep 2019 23:31:47 +0300 +Subject: ar5523: check NULL before memcpy() in ar5523_cmd() + +From: Denis Efremov + +commit 315cee426f87658a6799815845788fde965ddaad upstream. + +memcpy() call with "idata == NULL && ilen == 0" results in undefined +behavior in ar5523_cmd(). For example, NULL is passed in callchain +"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch +adds ilen check before memcpy() call in ar5523_cmd() to prevent an +undefined behavior. + +Cc: Pontus Fuchs +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: David Laight +Cc: stable@vger.kernel.org +Signed-off-by: Denis Efremov +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, + + if (flags & AR5523_CMD_FLAG_MAGIC) + hdr->magic = cpu_to_be32(1 << 24); +- memcpy(hdr + 1, idata, ilen); ++ if (ilen) ++ memcpy(hdr + 1, idata, ilen); + + cmd->odata = odata; + cmd->olen = olen; diff --git a/queue-4.14/arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch b/queue-4.14/arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch new file mode 100644 index 00000000000..de0e95ef238 --- /dev/null +++ b/queue-4.14/arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch @@ -0,0 +1,45 @@ +From 287897f9aaa2ad1c923d9875914f57c4dc9159c8 Mon Sep 17 00:00:00 2001 +From: Jarkko Nikula +Date: Sat, 16 Nov 2019 17:16:51 +0200 +Subject: ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity + +From: Jarkko Nikula + +commit 287897f9aaa2ad1c923d9875914f57c4dc9159c8 upstream. + +The MMC card detection GPIO polarity is active low on TAO3530, like in many +other similar boards. Now the card is not detected and it is unable to +mount rootfs from an SD card. + +Fix this by using the correct polarity. + +This incorrect polarity was defined already in the commit 30d95c6d7092 +("ARM: dts: omap3: Add Technexion TAO3530 SOM omap3-tao3530.dtsi") in v3.18 +kernel and later changed to use defined GPIO constants in v4.4 kernel by +the commit 3a637e008e54 ("ARM: dts: Use defined GPIO constants in flags +cell for OMAP2+ boards"). + +While the latter commit did not introduce the issue I'm marking it with +Fixes tag due the v4.4 kernels still being maintained. + +Fixes: 3a637e008e54 ("ARM: dts: Use defined GPIO constants in flags cell for OMAP2+ boards") +Cc: linux-stable # 4.4+ +Signed-off-by: Jarkko Nikula +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap3-tao3530.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/omap3-tao3530.dtsi ++++ b/arch/arm/boot/dts/omap3-tao3530.dtsi +@@ -224,7 +224,7 @@ + pinctrl-0 = <&mmc1_pins>; + vmmc-supply = <&vmmc1>; + vqmmc-supply = <&vsim>; +- cd-gpios = <&twl_gpio 0 GPIO_ACTIVE_HIGH>; ++ cd-gpios = <&twl_gpio 0 GPIO_ACTIVE_LOW>; + bus-width = <8>; + }; + diff --git a/queue-4.14/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch b/queue-4.14/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch new file mode 100644 index 00000000000..69932ff3360 --- /dev/null +++ b/queue-4.14/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch @@ -0,0 +1,37 @@ +From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001 +From: Pawel Harlozinski +Date: Tue, 12 Nov 2019 14:02:36 +0100 +Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report + +From: Pawel Harlozinski + +commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream. + +Check for existance of jack before tracing. +NULL pointer dereference has been reported by KASAN while unloading +machine driver (snd_soc_cnl_rt274). + +Signed-off-by: Pawel Harlozinski +Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-jack.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/sound/soc/soc-jack.c ++++ b/sound/soc/soc-jack.c +@@ -127,10 +127,9 @@ void snd_soc_jack_report(struct snd_soc_ + unsigned int sync = 0; + int enable; + +- trace_snd_soc_jack_report(jack, mask, status); +- + if (!jack) + return; ++ trace_snd_soc_jack_report(jack, mask, status); + + dapm = &jack->card->dapm; + diff --git a/queue-4.14/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch b/queue-4.14/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch new file mode 100644 index 00000000000..9f6c9a5663a --- /dev/null +++ b/queue-4.14/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch @@ -0,0 +1,61 @@ +From 8962842ca5abdcf98e22ab3b2b45a103f0408b95 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Sat, 2 Nov 2019 16:02:15 +0800 +Subject: blk-mq: avoid sysfs buffer overflow with too many CPU cores + +From: Ming Lei + +commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream. + +It is reported that sysfs buffer overflow can be triggered if the system +has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of +hctx via /sys/block/$DEV/mq/$N/cpu_list. + +Use snprintf to avoid the potential buffer overflow. + +This version doesn't change the attribute format, and simply stops +showing CPU numbers if the buffer is going to overflow. + +Cc: stable@vger.kernel.org +Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load") +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-mq-sysfs.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -145,20 +145,25 @@ static ssize_t blk_mq_hw_sysfs_nr_reserv + + static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page) + { ++ const size_t size = PAGE_SIZE - 1; + unsigned int i, first = 1; +- ssize_t ret = 0; ++ int ret = 0, pos = 0; + + for_each_cpu(i, hctx->cpumask) { + if (first) +- ret += sprintf(ret + page, "%u", i); ++ ret = snprintf(pos + page, size - pos, "%u", i); + else +- ret += sprintf(ret + page, ", %u", i); ++ ret = snprintf(pos + page, size - pos, ", %u", i); ++ ++ if (ret >= size - pos) ++ break; + + first = 0; ++ pos += ret; + } + +- ret += sprintf(ret + page, "\n"); +- return ret; ++ ret = snprintf(pos + page, size - pos, "\n"); ++ return pos + ret; + } + + static struct attribute *default_ctx_attrs[] = { diff --git a/queue-4.14/cgroup-pids-use-atomic64_t-for-pids-limit.patch b/queue-4.14/cgroup-pids-use-atomic64_t-for-pids-limit.patch new file mode 100644 index 00000000000..3654bcc8c77 --- /dev/null +++ b/queue-4.14/cgroup-pids-use-atomic64_t-for-pids-limit.patch @@ -0,0 +1,78 @@ +From a713af394cf382a30dd28a1015cbe572f1b9ca75 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 17 Oct 2019 02:50:01 +1100 +Subject: cgroup: pids: use atomic64_t for pids->limit + +From: Aleksa Sarai + +commit a713af394cf382a30dd28a1015cbe572f1b9ca75 upstream. + +Because pids->limit can be changed concurrently (but we don't want to +take a lock because it would be needlessly expensive), use atomic64_ts +instead. + +Fixes: commit 49b786ea146f ("cgroup: implement the PIDs subsystem") +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Aleksa Sarai +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/pids.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/kernel/cgroup/pids.c ++++ b/kernel/cgroup/pids.c +@@ -48,7 +48,7 @@ struct pids_cgroup { + * %PIDS_MAX = (%PID_MAX_LIMIT + 1). + */ + atomic64_t counter; +- int64_t limit; ++ atomic64_t limit; + + /* Handle for "pids.events" */ + struct cgroup_file events_file; +@@ -76,8 +76,8 @@ pids_css_alloc(struct cgroup_subsys_stat + if (!pids) + return ERR_PTR(-ENOMEM); + +- pids->limit = PIDS_MAX; + atomic64_set(&pids->counter, 0); ++ atomic64_set(&pids->limit, PIDS_MAX); + atomic64_set(&pids->events_limit, 0); + return &pids->css; + } +@@ -149,13 +149,14 @@ static int pids_try_charge(struct pids_c + + for (p = pids; parent_pids(p); p = parent_pids(p)) { + int64_t new = atomic64_add_return(num, &p->counter); ++ int64_t limit = atomic64_read(&p->limit); + + /* + * Since new is capped to the maximum number of pid_t, if + * p->limit is %PIDS_MAX then we know that this test will never + * fail. + */ +- if (new > p->limit) ++ if (new > limit) + goto revert; + } + +@@ -280,7 +281,7 @@ set_limit: + * Limit updates don't need to be mutex'd, since it isn't + * critical that any racing fork()s follow the new limit. + */ +- pids->limit = limit; ++ atomic64_set(&pids->limit, limit); + return nbytes; + } + +@@ -288,7 +289,7 @@ static int pids_max_show(struct seq_file + { + struct cgroup_subsys_state *css = seq_css(sf); + struct pids_cgroup *pids = css_pids(css); +- int64_t limit = pids->limit; ++ int64_t limit = atomic64_read(&pids->limit); + + if (limit >= PIDS_MAX) + seq_printf(sf, "%s\n", PIDS_MAX_STR); diff --git a/queue-4.14/cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch b/queue-4.14/cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch new file mode 100644 index 00000000000..503929ba383 --- /dev/null +++ b/queue-4.14/cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch @@ -0,0 +1,81 @@ +From db0d32d84031188443e25edbd50a71a6e7ac5d1d Mon Sep 17 00:00:00 2001 +From: John Hubbard +Date: Wed, 30 Oct 2019 22:21:59 -0700 +Subject: cpufreq: powernv: fix stack bloat and hard limit on number of CPUs + +From: John Hubbard + +commit db0d32d84031188443e25edbd50a71a6e7ac5d1d upstream. + +The following build warning occurred on powerpc 64-bit builds: + +drivers/cpufreq/powernv-cpufreq.c: In function 'init_chip_info': +drivers/cpufreq/powernv-cpufreq.c:1070:1: warning: the frame size of +1040 bytes is larger than 1024 bytes [-Wframe-larger-than=] + +This is with a cross-compiler based on gcc 8.1.0, which I got from: + https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/8.1.0/ + +The warning is due to putting 1024 bytes on the stack: + + unsigned int chip[256]; + +...and it's also undesirable to have a hard limit on the number of +CPUs here. + +Fix both problems by dynamically allocating based on num_possible_cpus, +as recommended by Michael Ellerman. + +Fixes: 053819e0bf840 ("cpufreq: powernv: Handle throttling due to Pmax capping at chip level") +Signed-off-by: John Hubbard +Acked-by: Viresh Kumar +Cc: 4.10+ # 4.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/powernv-cpufreq.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -1002,9 +1002,14 @@ static struct cpufreq_driver powernv_cpu + + static int init_chip_info(void) + { +- unsigned int chip[256]; ++ unsigned int *chip; + unsigned int cpu, i; + unsigned int prev_chip_id = UINT_MAX; ++ int ret = 0; ++ ++ chip = kcalloc(num_possible_cpus(), sizeof(*chip), GFP_KERNEL); ++ if (!chip) ++ return -ENOMEM; + + for_each_possible_cpu(cpu) { + unsigned int id = cpu_to_chip_id(cpu); +@@ -1016,8 +1021,10 @@ static int init_chip_info(void) + } + + chips = kcalloc(nr_chips, sizeof(struct chip), GFP_KERNEL); +- if (!chips) +- return -ENOMEM; ++ if (!chips) { ++ ret = -ENOMEM; ++ goto free_and_return; ++ } + + for (i = 0; i < nr_chips; i++) { + chips[i].id = chip[i]; +@@ -1027,7 +1034,9 @@ static int init_chip_info(void) + per_cpu(chip_info, cpu) = &chips[i]; + } + +- return 0; ++free_and_return: ++ kfree(chip); ++ return ret; + } + + static inline void clean_chip_info(void) diff --git a/queue-4.14/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch b/queue-4.14/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch new file mode 100644 index 00000000000..0dd587edfc7 --- /dev/null +++ b/queue-4.14/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch @@ -0,0 +1,58 @@ +From 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 Mon Sep 17 00:00:00 2001 +From: Zhenzhong Duan +Date: Wed, 23 Oct 2019 09:57:14 +0800 +Subject: cpuidle: Do not unset the driver if it is there already + +From: Zhenzhong Duan + +commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream. + +Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has +a driver different from drv already and, if so, return -EBUSY before +updating any cpuidle_drivers per-CPU pointers. + +Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support") +Cc: 3.11+ # 3.11+ +Signed-off-by: Zhenzhong Duan +[ rjw: Subject & changelog ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/driver.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/cpuidle/driver.c ++++ b/drivers/cpuidle/driver.c +@@ -62,24 +62,23 @@ static inline void __cpuidle_unset_drive + * __cpuidle_set_driver - set per CPU driver variables for the given driver. + * @drv: a valid pointer to a struct cpuidle_driver + * +- * For each CPU in the driver's cpumask, unset the registered driver per CPU +- * to @drv. +- * +- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already. ++ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver ++ * different from drv already. + */ + static inline int __cpuidle_set_driver(struct cpuidle_driver *drv) + { + int cpu; + + for_each_cpu(cpu, drv->cpumask) { ++ struct cpuidle_driver *old_drv; + +- if (__cpuidle_get_cpu_driver(cpu)) { +- __cpuidle_unset_driver(drv); ++ old_drv = __cpuidle_get_cpu_driver(cpu); ++ if (old_drv && old_drv != drv) + return -EBUSY; +- } ++ } + ++ for_each_cpu(cpu, drv->cpumask) + per_cpu(cpuidle_drivers, cpu) = drv; +- } + + return 0; + } diff --git a/queue-4.14/intel_th-fix-a-double-put_device-in-error-path.patch b/queue-4.14/intel_th-fix-a-double-put_device-in-error-path.patch new file mode 100644 index 00000000000..8be02acf8a0 --- /dev/null +++ b/queue-4.14/intel_th-fix-a-double-put_device-in-error-path.patch @@ -0,0 +1,54 @@ +From 512592779a337feb5905d8fcf9498dbf33672d4a Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 20 Nov 2019 15:08:04 +0200 +Subject: intel_th: Fix a double put_device() in error path + +From: Alexander Shishkin + +commit 512592779a337feb5905d8fcf9498dbf33672d4a upstream. + +Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") +factored out intel_th_subdevice_alloc() from intel_th_populate(), but got +the error path wrong, resulting in two instances of a double put_device() +on a freshly initialized, but not 'added' device. + +Fix this by only doing one put_device() in the error path. + +Signed-off-by: Alexander Shishkin +Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") +Reported-by: Wen Yang +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20191120130806.44028-2-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/core.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -628,10 +628,8 @@ intel_th_subdevice_alloc(struct intel_th + } + + err = intel_th_device_add_resources(thdev, res, subdev->nres); +- if (err) { +- put_device(&thdev->dev); ++ if (err) + goto fail_put_device; +- } + + if (subdev->type == INTEL_TH_OUTPUT) { + thdev->dev.devt = MKDEV(th->major, th->num_thdevs); +@@ -644,10 +642,8 @@ intel_th_subdevice_alloc(struct intel_th + } + + err = device_add(&thdev->dev); +- if (err) { +- put_device(&thdev->dev); ++ if (err) + goto fail_free_res; +- } + + /* need switch driver to be loaded to enumerate the rest */ + if (subdev->type == INTEL_TH_SWITCH && !req) { diff --git a/queue-4.14/intel_th-pci-add-ice-lake-cpu-support.patch b/queue-4.14/intel_th-pci-add-ice-lake-cpu-support.patch new file mode 100644 index 00000000000..bba0f68a7df --- /dev/null +++ b/queue-4.14/intel_th-pci-add-ice-lake-cpu-support.patch @@ -0,0 +1,35 @@ +From 6a1743422a7c0fda26764a544136cac13e5ae486 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 20 Nov 2019 15:08:05 +0200 +Subject: intel_th: pci: Add Ice Lake CPU support + +From: Alexander Shishkin + +commit 6a1743422a7c0fda26764a544136cac13e5ae486 upstream. + +This adds support for the Trace Hub in Ice Lake CPU. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191120130806.44028-3-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -194,6 +194,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Ice Lake CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x8a29), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Tiger Lake PCH */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.14/intel_th-pci-add-tiger-lake-cpu-support.patch b/queue-4.14/intel_th-pci-add-tiger-lake-cpu-support.patch new file mode 100644 index 00000000000..9459374e4a0 --- /dev/null +++ b/queue-4.14/intel_th-pci-add-tiger-lake-cpu-support.patch @@ -0,0 +1,35 @@ +From 6e6c18bcb78c0dc0601ebe216bed12c844492d0c Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 20 Nov 2019 15:08:06 +0200 +Subject: intel_th: pci: Add Tiger Lake CPU support + +From: Alexander Shishkin + +commit 6e6c18bcb78c0dc0601ebe216bed12c844492d0c upstream. + +This adds support for the Trace Hub in Tiger Lake CPU. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191120130806.44028-4-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -199,6 +199,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Tiger Lake CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9a33), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Tiger Lake PCH */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.14/media-bdisp-fix-memleak-on-release.patch b/queue-4.14/media-bdisp-fix-memleak-on-release.patch new file mode 100644 index 00000000000..96388aacf42 --- /dev/null +++ b/queue-4.14/media-bdisp-fix-memleak-on-release.patch @@ -0,0 +1,40 @@ +From 11609a7e21f8cea42630350aa57662928fa4dc63 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 10 Oct 2019 10:13:31 -0300 +Subject: media: bdisp: fix memleak on release + +From: Johan Hovold + +commit 11609a7e21f8cea42630350aa57662928fa4dc63 upstream. + +If a process is interrupted while accessing the video device and the +device lock is contended, release() could return early and fail to free +related resources. + +Note that the return value of the v4l2 release file operation is +ignored. + +Fixes: 28ffeebbb7bd ("[media] bdisp: 2D blitter driver using v4l2 mem2mem framework") +Cc: stable # 4.2 +Signed-off-by: Johan Hovold +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +@@ -651,8 +651,7 @@ static int bdisp_release(struct file *fi + + dev_dbg(bdisp->dev, "%s\n", __func__); + +- if (mutex_lock_interruptible(&bdisp->lock)) +- return -ERESTARTSYS; ++ mutex_lock(&bdisp->lock); + + v4l2_m2m_ctx_release(ctx->fh.m2m_ctx); + diff --git a/queue-4.14/media-cec.h-cec_op_rec_flag_-values-were-swapped.patch b/queue-4.14/media-cec.h-cec_op_rec_flag_-values-were-swapped.patch new file mode 100644 index 00000000000..bc85223559c --- /dev/null +++ b/queue-4.14/media-cec.h-cec_op_rec_flag_-values-were-swapped.patch @@ -0,0 +1,35 @@ +From 806e0cdfee0b99efbb450f9f6e69deb7118602fc Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 16 Sep 2019 02:47:41 -0300 +Subject: media: cec.h: CEC_OP_REC_FLAG_ values were swapped + +From: Hans Verkuil + +commit 806e0cdfee0b99efbb450f9f6e69deb7118602fc upstream. + +CEC_OP_REC_FLAG_NOT_USED is 0 and CEC_OP_REC_FLAG_USED is 1, not the +other way around. + +Signed-off-by: Hans Verkuil +Reported-by: Jiunn Chang +Cc: # for v4.10 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/cec.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/uapi/linux/cec.h ++++ b/include/uapi/linux/cec.h +@@ -789,8 +789,8 @@ struct cec_event { + #define CEC_MSG_SELECT_DIGITAL_SERVICE 0x93 + #define CEC_MSG_TUNER_DEVICE_STATUS 0x07 + /* Recording Flag Operand (rec_flag) */ +-#define CEC_OP_REC_FLAG_USED 0 +-#define CEC_OP_REC_FLAG_NOT_USED 1 ++#define CEC_OP_REC_FLAG_NOT_USED 0 ++#define CEC_OP_REC_FLAG_USED 1 + /* Tuner Display Info Operand (tuner_display_info) */ + #define CEC_OP_TUNER_DISPLAY_INFO_DIGITAL 0 + #define CEC_OP_TUNER_DISPLAY_INFO_NONE 1 diff --git a/queue-4.14/media-radio-wl1273-fix-interrupt-masking-on-release.patch b/queue-4.14/media-radio-wl1273-fix-interrupt-masking-on-release.patch new file mode 100644 index 00000000000..443ef7d0947 --- /dev/null +++ b/queue-4.14/media-radio-wl1273-fix-interrupt-masking-on-release.patch @@ -0,0 +1,40 @@ +From 1091eb830627625dcf79958d99353c2391f41708 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 10 Oct 2019 10:13:32 -0300 +Subject: media: radio: wl1273: fix interrupt masking on release + +From: Johan Hovold + +commit 1091eb830627625dcf79958d99353c2391f41708 upstream. + +If a process is interrupted while accessing the radio device and the +core lock is contended, release() could return early and fail to update +the interrupt mask. + +Note that the return value of the v4l2 release file operation is +ignored. + +Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver") +Cc: stable # 2.6.38 +Cc: Matti Aaltonen +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/radio/radio-wl1273.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/radio/radio-wl1273.c ++++ b/drivers/media/radio/radio-wl1273.c +@@ -1156,8 +1156,7 @@ static int wl1273_fm_fops_release(struct + if (radio->rds_users > 0) { + radio->rds_users--; + if (radio->rds_users == 0) { +- if (mutex_lock_interruptible(&core->lock)) +- return -EINTR; ++ mutex_lock(&core->lock); + + radio->irq_flags &= ~WL1273_RDS_EVENT; + diff --git a/queue-4.14/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch b/queue-4.14/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch new file mode 100644 index 00000000000..f3446e1352a --- /dev/null +++ b/queue-4.14/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch @@ -0,0 +1,73 @@ +From f6498b922e57aecbe3b7fa30a308d9d586c0c369 Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Thu, 7 Nov 2019 11:30:37 +0100 +Subject: mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card + +From: H. Nikolaus Schaller + +commit f6498b922e57aecbe3b7fa30a308d9d586c0c369 upstream. + +Pandora_wl1251_init_card was used to do special pdata based +setup of the sdio mmc interface. This does no longer work with +v4.7 and later. A fix requires a device tree based mmc3 setup. + +Therefore we move the special setup to omap_hsmmc.c instead +of calling some pdata supplied init_card function. + +The new code checks for a DT child node compatible to wl1251 +so it will not affect other MMC3 use cases. + +Generally, this code was and still is a hack and should be +moved to mmc core to e.g. read such properties from optional +DT child nodes. + +Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel") +Signed-off-by: H. Nikolaus Schaller +Cc: # v4.7+ +[Ulf: Fixed up some checkpatch complaints] +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/omap_hsmmc.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -1678,6 +1678,36 @@ static void omap_hsmmc_init_card(struct + + if (mmc_pdata(host)->init_card) + mmc_pdata(host)->init_card(card); ++ else if (card->type == MMC_TYPE_SDIO || ++ card->type == MMC_TYPE_SD_COMBO) { ++ struct device_node *np = mmc_dev(mmc)->of_node; ++ ++ /* ++ * REVISIT: should be moved to sdio core and made more ++ * general e.g. by expanding the DT bindings of child nodes ++ * to provide a mechanism to provide this information: ++ * Documentation/devicetree/bindings/mmc/mmc-card.txt ++ */ ++ ++ np = of_get_compatible_child(np, "ti,wl1251"); ++ if (np) { ++ /* ++ * We have TI wl1251 attached to MMC3. Pass this ++ * information to the SDIO core because it can't be ++ * probed by normal methods. ++ */ ++ ++ dev_info(host->dev, "found wl1251\n"); ++ card->quirks |= MMC_QUIRK_NONSTD_SDIO; ++ card->cccr.wide_bus = 1; ++ card->cis.vendor = 0x104c; ++ card->cis.device = 0x9066; ++ card->cis.blksize = 512; ++ card->cis.max_dtr = 24000000; ++ card->ocr = 0x80; ++ of_node_put(np); ++ } ++ } + } + + static void omap_hsmmc_enable_sdio_irq(struct mmc_host *mmc, int enable) diff --git a/queue-4.14/perf-tests-fix-out-of-bounds-memory-access.patch b/queue-4.14/perf-tests-fix-out-of-bounds-memory-access.patch new file mode 100644 index 00000000000..8fe95580e6e --- /dev/null +++ b/queue-4.14/perf-tests-fix-out-of-bounds-memory-access.patch @@ -0,0 +1,94 @@ +From af8490eb2b33684e26a0a927a9d93ae43cd08890 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Thu, 7 Nov 2019 10:02:44 +0800 +Subject: perf tests: Fix out of bounds memory access + +From: Leo Yan + +commit af8490eb2b33684e26a0a927a9d93ae43cd08890 upstream. + +The test case 'Read backward ring buffer' failed on 32-bit architectures +which were found by LKFT perf testing. The test failed on arm32 x15 +device, qemu_arm32, qemu_i386, and found intermittent failure on i386; +the failure log is as below: + + 50: Read backward ring buffer : + --- start --- + test child forked, pid 510 + Using CPUID GenuineIntel-6-9E-9 + mmap size 1052672B + mmap size 8192B + Finished reading overwrite ring buffer: rewind + free(): invalid next size (fast) + test child interrupted + ---- end ---- + Read backward ring buffer: FAILED! + +The log hints there have issue for memory usage, thus free() reports +error 'invalid next size' and directly exit for the case. Finally, this +issue is root caused as out of bounds memory access for the data array +'evsel->id'. + +The backward ring buffer test invokes do_test() twice. 'evsel->id' is +allocated at the first call with the flow: + + test__backward_ring_buffer() + `-> do_test() + `-> evlist__mmap() + `-> evlist__mmap_ex() + `-> perf_evsel__alloc_id() + +So 'evsel->id' is allocated with one item, and it will be used in +function perf_evlist__id_add(): + + evsel->id[0] = id + evsel->ids = 1 + +At the second call for do_test(), it skips to initialize 'evsel->id' +and reuses the array which is allocated in the first call. But +'evsel->ids' contains the stale value. Thus: + + evsel->id[1] = id -> out of bound access + evsel->ids = 2 + +To fix this issue, we will use evlist__open() and evlist__close() pair +functions to prepare and cleanup context for evlist; so 'evsel->id' and +'evsel->ids' can be initialized properly when invoke do_test() and avoid +the out of bounds memory access. + +Fixes: ee74701ed8ad ("perf tests: Add test to check backward ring buffer") +Signed-off-by: Leo Yan +Reviewed-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Naresh Kamboju +Cc: Peter Zijlstra +Cc: Wang Nan +Cc: stable@vger.kernel.org # v4.10+ +Link: http://lore.kernel.org/lkml/20191107020244.2427-1-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/tests/backward-ring-buffer.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/tools/perf/tests/backward-ring-buffer.c ++++ b/tools/perf/tests/backward-ring-buffer.c +@@ -142,6 +142,15 @@ int test__backward_ring_buffer(struct te + goto out_delete_evlist; + } + ++ evlist__close(evlist); ++ ++ err = evlist__open(evlist); ++ if (err < 0) { ++ pr_debug("perf_evlist__open: %s\n", ++ str_error_r(errno, sbuf, sizeof(sbuf))); ++ goto out_delete_evlist; ++ } ++ + err = do_test(evlist, 1, &sample_count, &comm_count); + if (err != TEST_OK) + goto out_delete_evlist; diff --git a/queue-4.14/pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch b/queue-4.14/pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch new file mode 100644 index 00000000000..2ad92b651cd --- /dev/null +++ b/queue-4.14/pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch @@ -0,0 +1,39 @@ +From 3d2557ab75d4c568c79eefa2e550e0d80348a6bd Mon Sep 17 00:00:00 2001 +From: Nishka Dasgupta +Date: Sun, 4 Aug 2019 21:32:00 +0530 +Subject: pinctrl: samsung: Add of_node_put() before return in error path + +From: Nishka Dasgupta + +commit 3d2557ab75d4c568c79eefa2e550e0d80348a6bd upstream. + +Each iteration of for_each_child_of_node puts the previous node, but in +the case of a return from the middle of the loop, there is no put, thus +causing a memory leak. Hence add an of_node_put before the return of +exynos_eint_wkup_init() error path. +Issue found with Coccinelle. + +Signed-off-by: Nishka Dasgupta +Cc: +Fixes: 14c255d35b25 ("pinctrl: exynos: Add irq_chip instance for Exynos7 wakeup interrupts") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-exynos.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/samsung/pinctrl-exynos.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos.c +@@ -467,8 +467,10 @@ int exynos_eint_wkup_init(struct samsung + if (match) { + irq_chip = kmemdup(match->data, + sizeof(*irq_chip), GFP_KERNEL); +- if (!irq_chip) ++ if (!irq_chip) { ++ of_node_put(np); + return -ENOMEM; ++ } + wkup_np = np; + break; + } diff --git a/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch b/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch new file mode 100644 index 00000000000..8660955bf82 --- /dev/null +++ b/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch @@ -0,0 +1,58 @@ +From a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:10 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in init code + +From: Krzysztof Kozlowski + +commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream. + +Several functions use for_each_child_of_node() loop with a break to find +a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -277,6 +277,7 @@ static int samsung_dt_node_to_map(struct + &reserved_maps, num_maps); + if (ret < 0) { + samsung_dt_free_map(pctldev, *map, *num_maps); ++ of_node_put(np); + return ret; + } + } +@@ -761,8 +762,10 @@ static struct samsung_pmx_func *samsung_ + if (!of_get_child_count(cfg_np)) { + ret = samsung_pinctrl_create_function(dev, drvdata, + cfg_np, func); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(cfg_np); + return ERR_PTR(ret); ++ } + if (ret > 0) { + ++func; + ++func_cnt; +@@ -773,8 +776,11 @@ static struct samsung_pmx_func *samsung_ + for_each_child_of_node(cfg_np, func_np) { + ret = samsung_pinctrl_create_function(dev, drvdata, + func_np, func); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(func_np); ++ of_node_put(cfg_np); + return ERR_PTR(ret); ++ } + if (ret > 0) { + ++func; + ++func_cnt; diff --git a/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch b/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch new file mode 100644 index 00000000000..92004ad88eb --- /dev/null +++ b/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch @@ -0,0 +1,52 @@ +From 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:08 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init + +From: Krzysztof Kozlowski + +commit 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 upstream. + +In s3c24xx_eint_init() the for_each_child_of_node() loop is used with a +break to find a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: af99a7507469 ("pinctrl: Add pinctrl-s3c24xx driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-s3c24xx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/samsung/pinctrl-s3c24xx.c ++++ b/drivers/pinctrl/samsung/pinctrl-s3c24xx.c +@@ -495,8 +495,10 @@ static int s3c24xx_eint_init(struct sams + return -ENODEV; + + eint_data = devm_kzalloc(dev, sizeof(*eint_data), GFP_KERNEL); +- if (!eint_data) ++ if (!eint_data) { ++ of_node_put(eint_np); + return -ENOMEM; ++ } + + eint_data->drvdata = d; + +@@ -508,12 +510,14 @@ static int s3c24xx_eint_init(struct sams + irq = irq_of_parse_and_map(eint_np, i); + if (!irq) { + dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i); ++ of_node_put(eint_np); + return -ENXIO; + } + + eint_data->parents[i] = irq; + irq_set_chained_handler_and_data(irq, handlers[i], eint_data); + } ++ of_node_put(eint_np); + + bank = d->pin_banks; + for (i = 0; i < d->nr_banks; ++i, ++bank) { diff --git a/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch b/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch new file mode 100644 index 00000000000..9bf21a98963 --- /dev/null +++ b/queue-4.14/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch @@ -0,0 +1,53 @@ +From 7f028caadf6c37580d0f59c6c094ed09afc04062 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:09 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init + +From: Krzysztof Kozlowski + +commit 7f028caadf6c37580d0f59c6c094ed09afc04062 upstream. + +In s3c64xx_eint_eint0_init() the for_each_child_of_node() loop is used +with a break to find a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: 61dd72613177 ("pinctrl: Add pinctrl-s3c64xx driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-s3c64xx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/samsung/pinctrl-s3c64xx.c ++++ b/drivers/pinctrl/samsung/pinctrl-s3c64xx.c +@@ -709,8 +709,10 @@ static int s3c64xx_eint_eint0_init(struc + return -ENODEV; + + data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL); +- if (!data) ++ if (!data) { ++ of_node_put(eint0_np); + return -ENOMEM; ++ } + data->drvdata = d; + + for (i = 0; i < NUM_EINT0_IRQ; ++i) { +@@ -719,6 +721,7 @@ static int s3c64xx_eint_eint0_init(struc + irq = irq_of_parse_and_map(eint0_np, i); + if (!irq) { + dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i); ++ of_node_put(eint0_np); + return -ENXIO; + } + +@@ -726,6 +729,7 @@ static int s3c64xx_eint_eint0_init(struc + s3c64xx_eint0_handlers[i], + data); + } ++ of_node_put(eint0_np); + + bank = d->pin_banks; + for (i = 0; i < d->nr_banks; ++i, ++bank) { diff --git a/queue-4.14/pm-devfreq-lock-devfreq-in-trans_stat_show.patch b/queue-4.14/pm-devfreq-lock-devfreq-in-trans_stat_show.patch new file mode 100644 index 00000000000..b284751c687 --- /dev/null +++ b/queue-4.14/pm-devfreq-lock-devfreq-in-trans_stat_show.patch @@ -0,0 +1,59 @@ +From 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Tue, 24 Sep 2019 10:52:23 +0300 +Subject: PM / devfreq: Lock devfreq in trans_stat_show + +From: Leonard Crestez + +commit 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 upstream. + +There is no locking in this sysfs show function so stats printing can +race with a devfreq_update_status called as part of freq switching or +with initialization. + +Also add an assert in devfreq_update_status to make it clear that lock +must be held by caller. + +Fixes: 39688ce6facd ("PM / devfreq: account suspend/resume for stats") +Cc: stable@vger.kernel.org +Signed-off-by: Leonard Crestez +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Chanwoo Choi +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/devfreq/devfreq.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -133,6 +133,7 @@ int devfreq_update_status(struct devfreq + int lev, prev_lev, ret = 0; + unsigned long cur_time; + ++ lockdep_assert_held(&devfreq->lock); + cur_time = jiffies; + + /* Immediately exit if previous_freq is not initialized yet. */ +@@ -1161,12 +1162,17 @@ static ssize_t trans_stat_show(struct de + int i, j; + unsigned int max_state = devfreq->profile->max_state; + +- if (!devfreq->stop_polling && +- devfreq_update_status(devfreq, devfreq->previous_freq)) +- return 0; + if (max_state == 0) + return sprintf(buf, "Not Supported.\n"); + ++ mutex_lock(&devfreq->lock); ++ if (!devfreq->stop_polling && ++ devfreq_update_status(devfreq, devfreq->previous_freq)) { ++ mutex_unlock(&devfreq->lock); ++ return 0; ++ } ++ mutex_unlock(&devfreq->lock); ++ + len = sprintf(buf, " From : To\n"); + len += sprintf(buf + len, " :"); + for (i = 0; i < max_state; i++) diff --git a/queue-4.14/ppdev-fix-ppgettime-ppsettime-ioctls.patch b/queue-4.14/ppdev-fix-ppgettime-ppsettime-ioctls.patch new file mode 100644 index 00000000000..5032b8f41b5 --- /dev/null +++ b/queue-4.14/ppdev-fix-ppgettime-ppsettime-ioctls.patch @@ -0,0 +1,76 @@ +From 998174042da229e2cf5841f574aba4a743e69650 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 8 Nov 2019 21:34:30 +0100 +Subject: ppdev: fix PPGETTIME/PPSETTIME ioctls + +From: Arnd Bergmann + +commit 998174042da229e2cf5841f574aba4a743e69650 upstream. + +Going through the uses of timeval in the user space API, +I noticed two bugs in ppdev that were introduced in the y2038 +conversion: + +* The range check was accidentally moved from ppsettime to + ppgettime + +* On sparc64, the microseconds are in the other half of the + 64-bit word. + +Fix both, and mark the fix for stable backports. + +Cc: stable@vger.kernel.org +Fixes: 3b9ab374a1e6 ("ppdev: convert to y2038 safe") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20191108203435.112759-8-arnd@arndb.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ppdev.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/char/ppdev.c ++++ b/drivers/char/ppdev.c +@@ -623,20 +623,27 @@ static int pp_do_ioctl(struct file *file + if (copy_from_user(time32, argp, sizeof(time32))) + return -EFAULT; + ++ if ((time32[0] < 0) || (time32[1] < 0)) ++ return -EINVAL; ++ + return pp_set_timeout(pp->pdev, time32[0], time32[1]); + + case PPSETTIME64: + if (copy_from_user(time64, argp, sizeof(time64))) + return -EFAULT; + ++ if ((time64[0] < 0) || (time64[1] < 0)) ++ return -EINVAL; ++ ++ if (IS_ENABLED(CONFIG_SPARC64) && !in_compat_syscall()) ++ time64[1] >>= 32; ++ + return pp_set_timeout(pp->pdev, time64[0], time64[1]); + + case PPGETTIME32: + jiffies_to_timespec64(pp->pdev->timeout, &ts); + time32[0] = ts.tv_sec; + time32[1] = ts.tv_nsec / NSEC_PER_USEC; +- if ((time32[0] < 0) || (time32[1] < 0)) +- return -EINVAL; + + if (copy_to_user(argp, time32, sizeof(time32))) + return -EFAULT; +@@ -647,8 +654,9 @@ static int pp_do_ioctl(struct file *file + jiffies_to_timespec64(pp->pdev->timeout, &ts); + time64[0] = ts.tv_sec; + time64[1] = ts.tv_nsec / NSEC_PER_USEC; +- if ((time64[0] < 0) || (time64[1] < 0)) +- return -EINVAL; ++ ++ if (IS_ENABLED(CONFIG_SPARC64) && !in_compat_syscall()) ++ time64[1] <<= 32; + + if (copy_to_user(argp, time64, sizeof(time64))) + return -EFAULT; diff --git a/queue-4.14/s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch b/queue-4.14/s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch new file mode 100644 index 00000000000..924a4615ac3 --- /dev/null +++ b/queue-4.14/s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch @@ -0,0 +1,65 @@ +From ab874f22d35a8058d8fdee5f13eb69d8867efeae Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 11 Sep 2019 19:42:23 +0200 +Subject: s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported + +From: Gerald Schaefer + +commit ab874f22d35a8058d8fdee5f13eb69d8867efeae upstream. + +On older HW or under a hypervisor, w/o the instruction-execution- +protection (IEP) facility, and also w/o EDAT-1, a translation-specification +exception may be recognized when bit 55 of a pte is one (_PAGE_NOEXEC). + +The current code tries to prevent setting _PAGE_NOEXEC in such cases, +by removing it within set_pte_at(). However, ptep_set_access_flags() +will modify a pte directly, w/o using set_pte_at(). There is at least +one scenario where this can result in an active pte with _PAGE_NOEXEC +set, which would then lead to a panic due to a translation-specification +exception (write to swapped out page): + +do_swap_page + pte = mk_pte (with _PAGE_NOEXEC bit) + set_pte_at (will remove _PAGE_NOEXEC bit in page table, but keep it + in local variable pte) + vmf->orig_pte = pte (pte still contains _PAGE_NOEXEC bit) + do_wp_page + wp_page_reuse + entry = vmf->orig_pte (still with _PAGE_NOEXEC bit) + ptep_set_access_flags (writes entry with _PAGE_NOEXEC bit) + +Fix this by clearing _PAGE_NOEXEC already in mk_pte_phys(), where the +pgprot value is applied, so that no pte with _PAGE_NOEXEC will ever be +visible, if it is not supported. The check in set_pte_at() can then also +be removed. + +Cc: # 4.11+ +Fixes: 57d7f939e7bd ("s390: add no-execute support") +Signed-off-by: Gerald Schaefer +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/include/asm/pgtable.h ++++ b/arch/s390/include/asm/pgtable.h +@@ -1126,8 +1126,6 @@ int pgste_perform_essa(struct mm_struct + static inline void set_pte_at(struct mm_struct *mm, unsigned long addr, + pte_t *ptep, pte_t entry) + { +- if (!MACHINE_HAS_NX) +- pte_val(entry) &= ~_PAGE_NOEXEC; + if (pte_present(entry)) + pte_val(entry) &= ~_PAGE_UNUSED; + if (mm_has_pgste(mm)) +@@ -1144,6 +1142,8 @@ static inline pte_t mk_pte_phys(unsigned + { + pte_t __pte; + pte_val(__pte) = physpage + pgprot_val(pgprot); ++ if (!MACHINE_HAS_NX) ++ pte_val(__pte) &= ~_PAGE_NOEXEC; + return pte_mkyoung(__pte); + } + diff --git a/queue-4.14/series b/queue-4.14/series index dd36f2af1b5..44fbb85e1a1 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -200,3 +200,28 @@ hwrng-omap-fix-rng-wait-loop-timeout.patch dm-zoned-reduce-overhead-of-backing-device-checks.patch workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch workqueue-fix-pwq-ref-leak-in-rescuer_thread.patch +asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch +blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch +cgroup-pids-use-atomic64_t-for-pids-limit.patch +ar5523-check-null-before-memcpy-in-ar5523_cmd.patch +s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch +media-bdisp-fix-memleak-on-release.patch +media-radio-wl1273-fix-interrupt-masking-on-release.patch +media-cec.h-cec_op_rec_flag_-values-were-swapped.patch +cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch +perf-tests-fix-out-of-bounds-memory-access.patch +intel_th-fix-a-double-put_device-in-error-path.patch +intel_th-pci-add-ice-lake-cpu-support.patch +intel_th-pci-add-tiger-lake-cpu-support.patch +pm-devfreq-lock-devfreq-in-trans_stat_show.patch +cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch +acpi-osl-only-free-map-once-in-osl.c.patch +acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch +acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch +pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch +mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch +arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch +ppdev-fix-ppgettime-ppsettime-ioctls.patch