From: Sasha Levin Date: Thu, 21 May 2020 14:04:52 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.4.225~67^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bf1a199799bc0681de209ad0023629ac43d50d19;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/aquantia-fix-the-media-type-of-aqc100-ethernet-contr.patch b/queue-4.19/aquantia-fix-the-media-type-of-aqc100-ethernet-contr.patch new file mode 100644 index 00000000000..9beed243490 --- /dev/null +++ b/queue-4.19/aquantia-fix-the-media-type-of-aqc100-ethernet-contr.patch @@ -0,0 +1,39 @@ +From 5c5f7467b8e30aa7cdcc47e5bc5fa67d2787d063 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 08:58:11 +0800 +Subject: aquantia: Fix the media type of AQC100 ethernet controller in the + driver + +From: Richard Clark + +[ Upstream commit 6de556c31061e3b9c36546ffaaac5fdb679a2f14 ] + +The Aquantia AQC100 controller enables a SFP+ port, so the driver should +configure the media type as '_TYPE_FIBRE' instead of '_TYPE_TP'. + +Signed-off-by: Richard Clark +Cc: Igor Russkikh +Cc: "David S. Miller" +Acked-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c +index 750007513f9d..43dbfb228b0e 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c +@@ -60,7 +60,7 @@ static const struct aq_board_revision_s hw_atl_boards[] = { + { AQ_DEVICE_ID_D108, AQ_HWREV_2, &hw_atl_ops_b0, &hw_atl_b0_caps_aqc108, }, + { AQ_DEVICE_ID_D109, AQ_HWREV_2, &hw_atl_ops_b0, &hw_atl_b0_caps_aqc109, }, + +- { AQ_DEVICE_ID_AQC100, AQ_HWREV_ANY, &hw_atl_ops_b1, &hw_atl_b0_caps_aqc107, }, ++ { AQ_DEVICE_ID_AQC100, AQ_HWREV_ANY, &hw_atl_ops_b1, &hw_atl_b0_caps_aqc100, }, + { AQ_DEVICE_ID_AQC107, AQ_HWREV_ANY, &hw_atl_ops_b1, &hw_atl_b0_caps_aqc107, }, + { AQ_DEVICE_ID_AQC108, AQ_HWREV_ANY, &hw_atl_ops_b1, &hw_atl_b0_caps_aqc108, }, + { AQ_DEVICE_ID_AQC109, AQ_HWREV_ANY, &hw_atl_ops_b1, &hw_atl_b0_caps_aqc109, }, +-- +2.25.1 + diff --git a/queue-4.19/arm-futex-address-build-warning.patch b/queue-4.19/arm-futex-address-build-warning.patch new file mode 100644 index 00000000000..764b4a24c46 --- /dev/null +++ b/queue-4.19/arm-futex-address-build-warning.patch @@ -0,0 +1,70 @@ +From f19cea0570b7d4e0818d7c34aa70afe5c3a5b4ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Apr 2020 11:07:22 +0200 +Subject: ARM: futex: Address build warning + +From: Thomas Gleixner + +[ Upstream commit 8101b5a1531f3390b3a69fa7934c70a8fd6566ad ] + +Stephen reported the following build warning on a ARM multi_v7_defconfig +build with GCC 9.2.1: + +kernel/futex.c: In function 'do_futex': +kernel/futex.c:1676:17: warning: 'oldval' may be used uninitialized in this function [-Wmaybe-uninitialized] + 1676 | return oldval == cmparg; + | ~~~~~~~^~~~~~~~~ +kernel/futex.c:1652:6: note: 'oldval' was declared here + 1652 | int oldval, ret; + | ^~~~~~ + +introduced by commit a08971e9488d ("futex: arch_futex_atomic_op_inuser() +calling conventions change"). + +While that change should not make any difference it confuses GCC which +fails to work out that oldval is not referenced when the return value is +not zero. + +GCC fails to properly analyze arch_futex_atomic_op_inuser(). It's not the +early return, the issue is with the assembly macros. GCC fails to detect +that those either set 'ret' to 0 and set oldval or set 'ret' to -EFAULT +which makes oldval uninteresting. The store to the callsite supplied oldval +pointer is conditional on ret == 0. + +The straight forward way to solve this is to make the store unconditional. + +Aside of addressing the build warning this makes sense anyway because it +removes the conditional from the fastpath. In the error case the stored +value is uninteresting and the extra store does not matter at all. + +Reported-by: Stephen Rothwell +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/87pncao2ph.fsf@nanos.tec.linutronix.de +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/futex.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h +index ffebe7b7a5b7..91ca80035fc4 100644 +--- a/arch/arm/include/asm/futex.h ++++ b/arch/arm/include/asm/futex.h +@@ -163,8 +163,13 @@ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + preempt_enable(); + #endif + +- if (!ret) +- *oval = oldval; ++ /* ++ * Store unconditionally. If ret != 0 the extra store is the least ++ * of the worries but GCC cannot figure out that __futex_atomic_op() ++ * is either setting ret to -EFAULT or storing the old value in ++ * oldval which results in a uninitialized warning at the call site. ++ */ ++ *oval = oldval; + + return ret; + } +-- +2.25.1 + diff --git a/queue-4.19/ceph-fix-double-unlock-in-handle_cap_export.patch b/queue-4.19/ceph-fix-double-unlock-in-handle_cap_export.patch new file mode 100644 index 00000000000..af2584cc19f --- /dev/null +++ b/queue-4.19/ceph-fix-double-unlock-in-handle_cap_export.patch @@ -0,0 +1,37 @@ +From 47f86747e0a6eb9c7308e6804149ba0c7d5ff21a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 14:12:49 +0800 +Subject: ceph: fix double unlock in handle_cap_export() + +From: Wu Bo + +[ Upstream commit 4d8e28ff3106b093d98bfd2eceb9b430c70a8758 ] + +If the ceph_mdsc_open_export_target_session() return fails, it will +do a "goto retry", but the session mutex has already been unlocked. +Re-lock the mutex in that case to ensure that we don't unlock it +twice. + +Signed-off-by: Wu Bo +Reviewed-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 5241102b81a8..a2d4eed27f80 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -3632,6 +3632,7 @@ retry: + WARN_ON(1); + tsession = NULL; + target = -1; ++ mutex_lock(&session->s_mutex); + } + goto retry; + +-- +2.25.1 + diff --git a/queue-4.19/component-silence-bind-error-on-eprobe_defer.patch b/queue-4.19/component-silence-bind-error-on-eprobe_defer.patch new file mode 100644 index 00000000000..5cc7eb19802 --- /dev/null +++ b/queue-4.19/component-silence-bind-error-on-eprobe_defer.patch @@ -0,0 +1,53 @@ +From 54a6cdb87d3ea174b0c0c694b2ade78dc036a163 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Apr 2020 13:02:41 -0600 +Subject: component: Silence bind error on -EPROBE_DEFER + +From: James Hilliard + +[ Upstream commit 7706b0a76a9697021e2bf395f3f065c18f51043d ] + +If a component fails to bind due to -EPROBE_DEFER we should not log an +error as this is not a real failure. + +Fixes messages like: +vc4-drm soc:gpu: failed to bind 3f902000.hdmi (ops vc4_hdmi_ops): -517 +vc4-drm soc:gpu: master bind failed: -517 + +Signed-off-by: James Hilliard +Link: https://lore.kernel.org/r/20200411190241.89404-1-james.hilliard1@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/component.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/base/component.c b/drivers/base/component.c +index 7f7c4233cd31..ee4d3b388f44 100644 +--- a/drivers/base/component.c ++++ b/drivers/base/component.c +@@ -235,7 +235,8 @@ static int try_to_bring_up_master(struct master *master, + ret = master->ops->bind(master->dev); + if (ret < 0) { + devres_release_group(master->dev, NULL); +- dev_info(master->dev, "master bind failed: %d\n", ret); ++ if (ret != -EPROBE_DEFER) ++ dev_info(master->dev, "master bind failed: %d\n", ret); + return ret; + } + +@@ -506,8 +507,9 @@ static int component_bind(struct component *component, struct master *master, + devres_release_group(component->dev, NULL); + devres_release_group(master->dev, NULL); + +- dev_err(master->dev, "failed to bind %s (ops %ps): %d\n", +- dev_name(component->dev), component->ops, ret); ++ if (ret != -EPROBE_DEFER) ++ dev_err(master->dev, "failed to bind %s (ops %ps): %d\n", ++ dev_name(component->dev), component->ops, ret); + } + + return ret; +-- +2.25.1 + diff --git a/queue-4.19/configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch b/queue-4.19/configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch new file mode 100644 index 00000000000..2597c3202d0 --- /dev/null +++ b/queue-4.19/configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch @@ -0,0 +1,47 @@ +From ed2f6e9605ed5c74be77a497d939421fdb207b3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 20:52:26 +0800 +Subject: configfs: fix config_item refcnt leak in configfs_rmdir() + +From: Xiyu Yang + +[ Upstream commit 8aebfffacfa379ba400da573a5bf9e49634e38cb ] + +configfs_rmdir() invokes configfs_get_config_item(), which returns a +reference of the specified config_item object to "parent_item" with +increased refcnt. + +When configfs_rmdir() returns, local variable "parent_item" becomes +invalid, so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +configfs_rmdir(). When down_write_killable() fails, the function forgets +to decrease the refcnt increased by configfs_get_config_item(), causing +a refcnt leak. + +Fix this issue by calling config_item_put() when down_write_killable() +fails. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/configfs/dir.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index 2cc6b1c49d34..f9628fc20fec 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -1537,6 +1537,7 @@ static int configfs_rmdir(struct inode *dir, struct dentry *dentry) + spin_lock(&configfs_dirent_lock); + configfs_detach_rollback(dentry); + spin_unlock(&configfs_dirent_lock); ++ config_item_put(parent_item); + return -EINTR; + } + frag->frag_dead = true; +-- +2.25.1 + diff --git a/queue-4.19/evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch b/queue-4.19/evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch new file mode 100644 index 00000000000..7f8a9e1a991 --- /dev/null +++ b/queue-4.19/evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch @@ -0,0 +1,49 @@ +From d8cd240792f9cb76c0a01306189fcca58323e1fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 12:28:56 +0200 +Subject: evm: Check also if *tfm is an error pointer in init_desc() + +From: Roberto Sassu + +[ Upstream commit 53de3b080d5eae31d0de219617155dcc34e7d698 ] + +This patch avoids a kernel panic due to accessing an error pointer set by +crypto_alloc_shash(). It occurs especially when there are many files that +require an unsupported algorithm, as it would increase the likelihood of +the following race condition: + +Task A: *tfm = crypto_alloc_shash() <= error pointer +Task B: if (*tfm == NULL) <= *tfm is not NULL, use it +Task B: rc = crypto_shash_init(desc) <= panic +Task A: *tfm = NULL + +This patch uses the IS_ERR_OR_NULL macro to determine whether or not a new +crypto context must be created. + +Cc: stable@vger.kernel.org +Fixes: d46eb3699502b ("evm: crypto hash replaced by shash") +Co-developed-by: Krzysztof Struczynski +Signed-off-by: Krzysztof Struczynski +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/evm/evm_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c +index 6a314fb0d480..f0878d81dcef 100644 +--- a/security/integrity/evm/evm_crypto.c ++++ b/security/integrity/evm/evm_crypto.c +@@ -96,7 +96,7 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo) + algo = hash_algo_name[hash_algo]; + } + +- if (*tfm == NULL) { ++ if (IS_ERR_OR_NULL(*tfm)) { + mutex_lock(&mutex); + if (*tfm) + goto out; +-- +2.25.1 + diff --git a/queue-4.19/fix-multiplication-overflow-in-copy_fdtable.patch b/queue-4.19/fix-multiplication-overflow-in-copy_fdtable.patch new file mode 100644 index 00000000000..10da1a74736 --- /dev/null +++ b/queue-4.19/fix-multiplication-overflow-in-copy_fdtable.patch @@ -0,0 +1,40 @@ +From f1cca073e98458eee948d319151c2d502b7d6153 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 17:48:52 -0400 +Subject: fix multiplication overflow in copy_fdtable() + +From: Al Viro + +[ Upstream commit 4e89b7210403fa4a8acafe7c602b6212b7af6c3b ] + +cpy and set really should be size_t; we won't get an overflow on that, +since sysctl_nr_open can't be set above ~(size_t)0 / sizeof(void *), +so nr that would've managed to overflow size_t on that multiplication +won't get anywhere near copy_fdtable() - we'll fail with EMFILE +before that. + +Cc: stable@kernel.org # v2.6.25+ +Fixes: 9cfe015aa424 (get rid of NR_OPEN and introduce a sysctl_nr_open) +Reported-by: Thiago Macieira +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/file.c b/fs/file.c +index 780d29e58847..3762a3f136fd 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -70,7 +70,7 @@ static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt, + */ + static void copy_fdtable(struct fdtable *nfdt, struct fdtable *ofdt) + { +- unsigned int cpy, set; ++ size_t cpy, set; + + BUG_ON(nfdt->max_fds < ofdt->max_fds); + +-- +2.25.1 + diff --git a/queue-4.19/gcc-common.h-update-for-gcc-10.patch b/queue-4.19/gcc-common.h-update-for-gcc-10.patch new file mode 100644 index 00000000000..a765c6d6149 --- /dev/null +++ b/queue-4.19/gcc-common.h-update-for-gcc-10.patch @@ -0,0 +1,90 @@ +From 43296d0c025293d23abd9528f5db6079964906ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2020 13:32:59 +0200 +Subject: gcc-common.h: Update for GCC 10 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frédéric Pierret (fepitre) + +[ Upstream commit c7527373fe28f97d8a196ab562db5589be0d34b9 ] + +Remove "params.h" include, which has been dropped in GCC 10. + +Remove is_a_helper() macro, which is now defined in gimple.h, as seen +when running './scripts/gcc-plugin.sh g++ g++ gcc': + +In file included from :1: +./gcc-plugins/gcc-common.h:852:13: error: redefinition of ‘static bool is_a_helper::test(U*) [with U = const gimple; T = const ggoto*]’ + 852 | inline bool is_a_helper::test(const_gimple gs) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from ./gcc-plugins/gcc-common.h:125, + from :1: +/usr/lib/gcc/x86_64-redhat-linux/10/plugin/include/gimple.h:1037:1: note: ‘static bool is_a_helper::test(U*) [with U = const gimple; T = const ggoto*]’ previously declared here + 1037 | is_a_helper ::test (const gimple *gs) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Add -Wno-format-diag to scripts/gcc-plugins/Makefile to avoid +meaningless warnings from error() formats used by plugins: + +scripts/gcc-plugins/structleak_plugin.c: In function ‘int plugin_init(plugin_name_args*, plugin_gcc_version*)’: +scripts/gcc-plugins/structleak_plugin.c:253:12: warning: unquoted sequence of 2 consecutive punctuation characters ‘'-’ in format [-Wformat-diag] + 253 | error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Frédéric Pierret (fepitre) +Link: https://lore.kernel.org/r/20200407113259.270172-1-frederic.pierret@qubes-os.org +[kees: include -Wno-format-diag for plugin builds] +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/Makefile | 1 + + scripts/gcc-plugins/gcc-common.h | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile +index aa0d0ec6936d..9e95862f2788 100644 +--- a/scripts/gcc-plugins/Makefile ++++ b/scripts/gcc-plugins/Makefile +@@ -11,6 +11,7 @@ else + HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti + HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb + HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable ++ HOST_EXTRACXXFLAGS += -Wno-format-diag + export HOST_EXTRACXXFLAGS + endif + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index 17f06079a712..9ad76b7f3f10 100644 +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -35,7 +35,9 @@ + #include "ggc.h" + #include "timevar.h" + ++#if BUILDING_GCC_VERSION < 10000 + #include "params.h" ++#endif + + #if BUILDING_GCC_VERSION <= 4009 + #include "pointer-set.h" +@@ -847,6 +849,7 @@ static inline gimple gimple_build_assign_with_ops(enum tree_code subcode, tree l + return gimple_build_assign(lhs, subcode, op1, op2 PASS_MEM_STAT); + } + ++#if BUILDING_GCC_VERSION < 10000 + template <> + template <> + inline bool is_a_helper::test(const_gimple gs) +@@ -860,6 +863,7 @@ inline bool is_a_helper::test(const_gimple gs) + { + return gs->code == GIMPLE_RETURN; + } ++#endif + + static inline gasm *as_a_gasm(gimple stmt) + { +-- +2.25.1 + diff --git a/queue-4.19/gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch b/queue-4.19/gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch new file mode 100644 index 00000000000..d4d3e8c6235 --- /dev/null +++ b/queue-4.19/gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch @@ -0,0 +1,61 @@ +From a0a228f588f1c54d8742bb7b6182427c957af75d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 14:01:36 +0900 +Subject: gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() + +From: Yoshiyuki Kurauchi + +[ Upstream commit 846c68f7f1ac82c797a2f1db3344a2966c0fe2e1 ] + +In drivers/net/gtp.c, gtp_genl_dump_pdp() should set NLM_F_MULTI +flag since it returns multipart message. +This patch adds a new arg "flags" in gtp_genl_fill_info() so that +flags can be set by the callers. + +Signed-off-by: Yoshiyuki Kurauchi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index eab9984f73a8..d73850ebb671 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1177,11 +1177,11 @@ out_unlock: + static struct genl_family gtp_genl_family; + + static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq, +- u32 type, struct pdp_ctx *pctx) ++ int flags, u32 type, struct pdp_ctx *pctx) + { + void *genlh; + +- genlh = genlmsg_put(skb, snd_portid, snd_seq, >p_genl_family, 0, ++ genlh = genlmsg_put(skb, snd_portid, snd_seq, >p_genl_family, flags, + type); + if (genlh == NULL) + goto nlmsg_failure; +@@ -1235,8 +1235,8 @@ static int gtp_genl_get_pdp(struct sk_buff *skb, struct genl_info *info) + goto err_unlock; + } + +- err = gtp_genl_fill_info(skb2, NETLINK_CB(skb).portid, +- info->snd_seq, info->nlhdr->nlmsg_type, pctx); ++ err = gtp_genl_fill_info(skb2, NETLINK_CB(skb).portid, info->snd_seq, ++ 0, info->nlhdr->nlmsg_type, pctx); + if (err < 0) + goto err_unlock_free; + +@@ -1279,6 +1279,7 @@ static int gtp_genl_dump_pdp(struct sk_buff *skb, + gtp_genl_fill_info(skb, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, ++ NLM_F_MULTI, + cb->nlh->nlmsg_type, pctx)) { + cb->args[0] = i; + cb->args[1] = j; +-- +2.25.1 + diff --git a/queue-4.19/hid-alps-add-aui1657-device-id.patch b/queue-4.19/hid-alps-add-aui1657-device-id.patch new file mode 100644 index 00000000000..f13864b2fc2 --- /dev/null +++ b/queue-4.19/hid-alps-add-aui1657-device-id.patch @@ -0,0 +1,48 @@ +From 9a1943c39ef503c2e53d142da131960ba11b81d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 03:55:15 +0400 +Subject: HID: alps: Add AUI1657 device ID + +From: Artem Borisov + +[ Upstream commit 640e403b1fd24e7f31ac6f29f0b6a21d285ed729 ] + +This device is used on Lenovo V130-15IKB variants and uses +the same registers as U1. + +Signed-off-by: Artem Borisov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-alps.c | 1 + + drivers/hid/hid-ids.h | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-alps.c b/drivers/hid/hid-alps.c +index 895f49b565ee..28ca21014bbe 100644 +--- a/drivers/hid/hid-alps.c ++++ b/drivers/hid/hid-alps.c +@@ -806,6 +806,7 @@ static int alps_probe(struct hid_device *hdev, const struct hid_device_id *id) + break; + case HID_DEVICE_ID_ALPS_U1_DUAL: + case HID_DEVICE_ID_ALPS_U1: ++ case HID_DEVICE_ID_ALPS_1657: + data->dev_type = U1; + break; + default: +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index ae145bdcd83d..53ac5e1ab4bc 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -83,7 +83,7 @@ + #define HID_DEVICE_ID_ALPS_U1 0x1215 + #define HID_DEVICE_ID_ALPS_T4_BTNLESS 0x120C + #define HID_DEVICE_ID_ALPS_1222 0x1222 +- ++#define HID_DEVICE_ID_ALPS_1657 0x121E + + #define USB_VENDOR_ID_AMI 0x046b + #define USB_DEVICE_ID_AMI_VIRT_KEYBOARD_AND_MOUSE 0xff10 +-- +2.25.1 + diff --git a/queue-4.19/hid-alps-alps_1657-is-too-specific-use-u1_unicorn_le.patch b/queue-4.19/hid-alps-alps_1657-is-too-specific-use-u1_unicorn_le.patch new file mode 100644 index 00000000000..aee2bd8c2cb --- /dev/null +++ b/queue-4.19/hid-alps-alps_1657-is-too-specific-use-u1_unicorn_le.patch @@ -0,0 +1,55 @@ +From 31d6f17f85b5356db06f2cd31170f64d0d15433c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Apr 2020 14:51:42 +0200 +Subject: HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead + +From: Jiri Kosina + +[ Upstream commit 185af3e775b693f773d9a4b5a8c3cda69fc8ca0f ] + +HID_DEVICE_ID_ALPS_1657 PID is too specific, as there are many other +ALPS hardware IDs using this particular touchpad. + +Rename the identifier to HID_DEVICE_ID_ALPS_U1_UNICORN_LEGACY in order +to describe reality better. + +Fixes: 640e403b1fd24 ("HID: alps: Add AUI1657 device ID") +Reported-by: Xiaojian Cao +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-alps.c | 2 +- + drivers/hid/hid-ids.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-alps.c b/drivers/hid/hid-alps.c +index 28ca21014bbe..3489f0af7409 100644 +--- a/drivers/hid/hid-alps.c ++++ b/drivers/hid/hid-alps.c +@@ -806,7 +806,7 @@ static int alps_probe(struct hid_device *hdev, const struct hid_device_id *id) + break; + case HID_DEVICE_ID_ALPS_U1_DUAL: + case HID_DEVICE_ID_ALPS_U1: +- case HID_DEVICE_ID_ALPS_1657: ++ case HID_DEVICE_ID_ALPS_U1_UNICORN_LEGACY: + data->dev_type = U1; + break; + default: +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 53ac5e1ab4bc..2a9cec9764cf 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -81,9 +81,9 @@ + #define HID_DEVICE_ID_ALPS_U1_DUAL_PTP 0x121F + #define HID_DEVICE_ID_ALPS_U1_DUAL_3BTN_PTP 0x1220 + #define HID_DEVICE_ID_ALPS_U1 0x1215 ++#define HID_DEVICE_ID_ALPS_U1_UNICORN_LEGACY 0x121E + #define HID_DEVICE_ID_ALPS_T4_BTNLESS 0x120C + #define HID_DEVICE_ID_ALPS_1222 0x1222 +-#define HID_DEVICE_ID_ALPS_1657 0x121E + + #define USB_VENDOR_ID_AMI 0x046b + #define USB_DEVICE_ID_AMI_VIRT_KEYBOARD_AND_MOUSE 0xff10 +-- +2.25.1 + diff --git a/queue-4.19/hid-i2c-hid-reset-synaptics-syna2393-on-resume.patch b/queue-4.19/hid-i2c-hid-reset-synaptics-syna2393-on-resume.patch new file mode 100644 index 00000000000..90d7de1f509 --- /dev/null +++ b/queue-4.19/hid-i2c-hid-reset-synaptics-syna2393-on-resume.patch @@ -0,0 +1,55 @@ +From 72d114ec547f2b237ef0e969588ed39d3059c8fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 20:58:17 +1000 +Subject: HID: i2c-hid: reset Synaptics SYNA2393 on resume + +From: Daniel Playfair Cal + +[ Upstream commit 538f67407e2c0e5ed2a46e7d7ffa52f2e30c7ef8 ] + +On the Dell XPS 9570, the Synaptics SYNA2393 touchpad generates spurious +interrupts after resuming from suspend until it receives some input or +is reset. Add it to the quirk I2C_HID_QUIRK_RESET_ON_RESUME so that it +is reset when resuming from suspend. + +More information about the bug can be found in this mailing list +discussion: https://www.spinics.net/lists/linux-input/msg59530.html + +Signed-off-by: Daniel Playfair Cal +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/i2c-hid/i2c-hid-core.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 2a9cec9764cf..e071fd3c6b2b 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1064,6 +1064,9 @@ + #define USB_DEVICE_ID_SYMBOL_SCANNER_2 0x1300 + #define USB_DEVICE_ID_SYMBOL_SCANNER_3 0x1200 + ++#define I2C_VENDOR_ID_SYNAPTICS 0x06cb ++#define I2C_PRODUCT_ID_SYNAPTICS_SYNA2393 0x7a13 ++ + #define USB_VENDOR_ID_SYNAPTICS 0x06cb + #define USB_DEVICE_ID_SYNAPTICS_TP 0x0001 + #define USB_DEVICE_ID_SYNAPTICS_INT_TP 0x0002 +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index f2c8c59fc582..f17ebbe53abf 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -187,6 +187,8 @@ static const struct i2c_hid_quirks { + I2C_HID_QUIRK_BOGUS_IRQ }, + { USB_VENDOR_ID_ALPS_JP, HID_ANY_ID, + I2C_HID_QUIRK_RESET_ON_RESUME }, ++ { I2C_VENDOR_ID_SYNAPTICS, I2C_PRODUCT_ID_SYNAPTICS_SYNA2393, ++ I2C_HID_QUIRK_RESET_ON_RESUME }, + { USB_VENDOR_ID_ITE, I2C_DEVICE_ID_ITE_LENOVO_LEGION_Y720, + I2C_HID_QUIRK_BAD_INPUT_SIZE }, + { 0, 0 } +-- +2.25.1 + diff --git a/queue-4.19/hid-multitouch-add-egalaxtouch-p80h84-support.patch b/queue-4.19/hid-multitouch-add-egalaxtouch-p80h84-support.patch new file mode 100644 index 00000000000..25a78629247 --- /dev/null +++ b/queue-4.19/hid-multitouch-add-egalaxtouch-p80h84-support.patch @@ -0,0 +1,53 @@ +From 34fdd7c551d347acd9fe8c52db7238f5c343d40d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Apr 2020 18:02:37 +0200 +Subject: HID: multitouch: add eGalaxTouch P80H84 support + +From: Sebastian Reichel + +[ Upstream commit f9e82295eec141a0569649d400d249333d74aa91 ] + +Add support for P80H84 touchscreen from eGalaxy: + + idVendor 0x0eef D-WAV Scientific Co., Ltd + idProduct 0xc002 + iManufacturer 1 eGalax Inc. + iProduct 2 eGalaxTouch P80H84 2019 vDIVA_1204_T01 k4.02.146 + +Signed-off-by: Sebastian Reichel +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-multitouch.c | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index b2fff44c8109..ae145bdcd83d 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -378,6 +378,7 @@ + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_7349 0x7349 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_73F7 0x73f7 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001 ++#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002 0xc002 + + #define USB_VENDOR_ID_ELAN 0x04f3 + #define USB_DEVICE_ID_TOSHIBA_CLICK_L9W 0x0401 +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 19dfd8acd0da..8baf10beb1d5 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1909,6 +1909,9 @@ static const struct hid_device_id mt_devices[] = { + { .driver_data = MT_CLS_EGALAX_SERIAL, + MT_USB_DEVICE(USB_VENDOR_ID_DWAV, + USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001) }, ++ { .driver_data = MT_CLS_EGALAX, ++ MT_USB_DEVICE(USB_VENDOR_ID_DWAV, ++ USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002) }, + + /* Elitegroup panel */ + { .driver_data = MT_CLS_SERIAL, +-- +2.25.1 + diff --git a/queue-4.19/hid-quirks-add-hid_quirk_no_init_reports-quirk-for-d.patch b/queue-4.19/hid-quirks-add-hid_quirk_no_init_reports-quirk-for-d.patch new file mode 100644 index 00000000000..3dbc3336d5e --- /dev/null +++ b/queue-4.19/hid-quirks-add-hid_quirk_no_init_reports-quirk-for-d.patch @@ -0,0 +1,53 @@ +From da599df169877c256934a66e708a7e5e136aa0bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 May 2020 20:18:42 +0200 +Subject: HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A + keyboard-dock + +From: Hans de Goede + +[ Upstream commit 1e189f267015a098bdcb82cc652d13fbf2203fa0 ] + +Add a HID_QUIRK_NO_INIT_REPORTS quirk for the Dell K12A keyboard-dock, +which can be used with various Dell Venue 11 models. + +Without this quirk the keyboard/touchpad combo works fine when connected +at boot, but when hotplugged 9 out of 10 times it will not work properly. +Adding the quirk fixes this. + +Cc: Mario Limonciello +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index e071fd3c6b2b..c1fed1aaecdf 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1081,6 +1081,7 @@ + #define USB_DEVICE_ID_SYNAPTICS_LTS2 0x1d10 + #define USB_DEVICE_ID_SYNAPTICS_HD 0x0ac3 + #define USB_DEVICE_ID_SYNAPTICS_QUAD_HD 0x1ac3 ++#define USB_DEVICE_ID_SYNAPTICS_DELL_K12A 0x2819 + #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012 0x2968 + #define USB_DEVICE_ID_SYNAPTICS_TP_V103 0x5710 + +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index b9529bed4d76..e5beee3e8582 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -163,6 +163,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_LTS2), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_QUAD_HD), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_TP_V103), HID_QUIRK_NO_INIT_REPORTS }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_DELL_K12A), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_TOPMAX, USB_DEVICE_ID_TOPMAX_COBRAPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_TOUCHPACK, USB_DEVICE_ID_TOUCHPACK_RTS), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_TPV, USB_DEVICE_ID_TPV_OPTICAL_TOUCHSCREEN_8882), HID_QUIRK_NOGET }, +-- +2.25.1 + diff --git a/queue-4.19/i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch b/queue-4.19/i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch new file mode 100644 index 00000000000..ac4a397b7cf --- /dev/null +++ b/queue-4.19/i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch @@ -0,0 +1,36 @@ +From a7325eedec13a549c499f67ba83f9a1315a06e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 21:21:00 +0200 +Subject: i2c: mux: demux-pinctrl: Fix an error handling path in + 'i2c_demux_pinctrl_probe()' + +From: Christophe JAILLET + +[ Upstream commit e9d1a0a41d4486955e96552293c1fcf1fce61602 ] + +A call to 'i2c_demux_deactivate_master()' is missing in the error handling +path, as already done in the remove function. + +Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/muxes/i2c-demux-pinctrl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/muxes/i2c-demux-pinctrl.c b/drivers/i2c/muxes/i2c-demux-pinctrl.c +index 035032e20327..9ba9ce5696e1 100644 +--- a/drivers/i2c/muxes/i2c-demux-pinctrl.c ++++ b/drivers/i2c/muxes/i2c-demux-pinctrl.c +@@ -273,6 +273,7 @@ static int i2c_demux_pinctrl_probe(struct platform_device *pdev) + err_rollback_available: + device_remove_file(&pdev->dev, &dev_attr_available_masters); + err_rollback: ++ i2c_demux_deactivate_master(priv); + for (j = 0; j < i; j++) { + of_node_put(priv->chan[j].parent_np); + of_changeset_destroy(&priv->chan[j].chgset); +-- +2.25.1 + diff --git a/queue-4.19/ima-fix-return-value-of-ima_write_policy.patch b/queue-4.19/ima-fix-return-value-of-ima_write_policy.patch new file mode 100644 index 00000000000..a75b228203e --- /dev/null +++ b/queue-4.19/ima-fix-return-value-of-ima_write_policy.patch @@ -0,0 +1,43 @@ +From e4c6e6707131beb732006cd2d2ed5e86d3352e15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 12:31:28 +0200 +Subject: ima: Fix return value of ima_write_policy() + +From: Roberto Sassu + +[ Upstream commit 2e3a34e9f409ebe83d1af7cd2f49fca7af97dfac ] + +This patch fixes the return value of ima_write_policy() when a new policy +is directly passed to IMA and the current policy requires appraisal of the +file containing the policy. Currently, if appraisal is not in ENFORCE mode, +ima_write_policy() returns 0 and leads user space applications to an +endless loop. Fix this issue by denying the operation regardless of the +appraisal mode. + +Cc: stable@vger.kernel.org # 4.10.x +Fixes: 19f8a84713edc ("ima: measure and appraise the IMA policy itself") +Signed-off-by: Roberto Sassu +Reviewed-by: Krzysztof Struczynski +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_fs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c +index cfb8cc3b975e..604cdac63d84 100644 +--- a/security/integrity/ima/ima_fs.c ++++ b/security/integrity/ima/ima_fs.c +@@ -343,8 +343,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, + integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, + "policy_update", "signed policy required", + 1, 0); +- if (ima_appraise & IMA_APPRAISE_ENFORCE) +- result = -EACCES; ++ result = -EACCES; + } else { + result = ima_parse_add_rule(data); + } +-- +2.25.1 + diff --git a/queue-4.19/ima-set-file-f_mode-instead-of-file-f_flags-in-ima_c.patch b/queue-4.19/ima-set-file-f_mode-instead-of-file-f_flags-in-ima_c.patch new file mode 100644 index 00000000000..6d3b419e9ef --- /dev/null +++ b/queue-4.19/ima-set-file-f_mode-instead-of-file-f_flags-in-ima_c.patch @@ -0,0 +1,73 @@ +From 5ef25a29e1f6e09b8eae9ea838b86af29bc68f8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 12:28:55 +0200 +Subject: ima: Set file->f_mode instead of file->f_flags in + ima_calc_file_hash() + +From: Roberto Sassu + +[ Upstream commit 0014cc04e8ec077dc482f00c87dfd949cfe2b98f ] + +Commit a408e4a86b36 ("ima: open a new file instance if no read +permissions") tries to create a new file descriptor to calculate a file +digest if the file has not been opened with O_RDONLY flag. However, if a +new file descriptor cannot be obtained, it sets the FMODE_READ flag to +file->f_flags instead of file->f_mode. + +This patch fixes this issue by replacing f_flags with f_mode as it was +before that commit. + +Cc: stable@vger.kernel.org # 4.20.x +Fixes: a408e4a86b36 ("ima: open a new file instance if no read permissions") +Signed-off-by: Roberto Sassu +Reviewed-by: Goldwyn Rodrigues +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_crypto.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c +index f63b4bd45d60..6a6d19ada66a 100644 +--- a/security/integrity/ima/ima_crypto.c ++++ b/security/integrity/ima/ima_crypto.c +@@ -415,7 +415,7 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash) + loff_t i_size; + int rc; + struct file *f = file; +- bool new_file_instance = false, modified_flags = false; ++ bool new_file_instance = false, modified_mode = false; + + /* + * For consistency, fail file's opened with the O_DIRECT flag on +@@ -435,13 +435,13 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash) + f = dentry_open(&file->f_path, flags, file->f_cred); + if (IS_ERR(f)) { + /* +- * Cannot open the file again, lets modify f_flags ++ * Cannot open the file again, lets modify f_mode + * of original and continue + */ + pr_info_ratelimited("Unable to reopen file for reading.\n"); + f = file; +- f->f_flags |= FMODE_READ; +- modified_flags = true; ++ f->f_mode |= FMODE_READ; ++ modified_mode = true; + } else { + new_file_instance = true; + } +@@ -459,8 +459,8 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash) + out: + if (new_file_instance) + fput(f); +- else if (modified_flags) +- f->f_flags &= ~FMODE_READ; ++ else if (modified_mode) ++ f->f_mode &= ~FMODE_READ; + return rc; + } + +-- +2.25.1 + diff --git a/queue-4.19/iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch b/queue-4.19/iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch new file mode 100644 index 00000000000..31c953cdadc --- /dev/null +++ b/queue-4.19/iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch @@ -0,0 +1,82 @@ +From 173d143637579a8f8613a88ad4de4208f59d96ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 10:23:52 +0000 +Subject: iommu/amd: Fix over-read of ACPI UID from IVRS table + +From: Alexander Monakov + +[ Upstream commit e461b8c991b9202b007ea2059d953e264240b0c9 ] + +IVRS parsing code always tries to read 255 bytes from memory when +retrieving ACPI device path, and makes an assumption that firmware +provides a zero-terminated string. Both of those are bugs: the entry +is likely to be shorter than 255 bytes, and zero-termination is not +guaranteed. + +With Acer SF314-42 firmware these issues manifest visibly in dmesg: + +AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR0\xf0\xa5, rdevid:160 +AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR1\xf0\xa5, rdevid:160 +AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR2\xf0\xa5, rdevid:160 +AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR3>\x83e\x8d\x9a\xd1... + +The first three lines show how the code over-reads adjacent table +entries into the UID, and in the last line it even reads garbage data +beyond the end of the IVRS table itself. + +Since each entry has the length of the UID (uidl member of ivhd_entry +struct), use that for memcpy, and manually add a zero terminator. + +Avoid zero-filling hid and uid arrays up front, and instead ensure +the uid array is always zero-terminated. No change needed for the hid +array, as it was already properly zero-terminated. + +Fixes: 2a0cb4e2d423c ("iommu/amd: Add new map for storing IVHD dev entry type HID") + +Signed-off-by: Alexander Monakov +Cc: Joerg Roedel +Cc: iommu@lists.linux-foundation.org +Link: https://lore.kernel.org/r/20200511102352.1831-1-amonakov@ispras.ru +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_init.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index 2557ed112bc2..c7d0bb3b4a30 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -1334,8 +1334,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu, + } + case IVHD_DEV_ACPI_HID: { + u16 devid; +- u8 hid[ACPIHID_HID_LEN] = {0}; +- u8 uid[ACPIHID_UID_LEN] = {0}; ++ u8 hid[ACPIHID_HID_LEN]; ++ u8 uid[ACPIHID_UID_LEN]; + int ret; + + if (h->type != 0x40) { +@@ -1352,6 +1352,7 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu, + break; + } + ++ uid[0] = '\0'; + switch (e->uidf) { + case UID_NOT_PRESENT: + +@@ -1366,8 +1367,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu, + break; + case UID_IS_CHARACTER: + +- memcpy(uid, (u8 *)(&e->uid), ACPIHID_UID_LEN - 1); +- uid[ACPIHID_UID_LEN - 1] = '\0'; ++ memcpy(uid, &e->uid, e->uidl); ++ uid[e->uidl] = '\0'; + + break; + default: +-- +2.25.1 + diff --git a/queue-4.19/mtd-spinand-propagate-ecc-information-to-the-mtd-str.patch b/queue-4.19/mtd-spinand-propagate-ecc-information-to-the-mtd-str.patch new file mode 100644 index 00000000000..122439f7555 --- /dev/null +++ b/queue-4.19/mtd-spinand-propagate-ecc-information-to-the-mtd-str.patch @@ -0,0 +1,41 @@ +From f1498f303c2d5c49ffc0971b4ce6c351ff6f06c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 15:10:29 +0200 +Subject: mtd: spinand: Propagate ECC information to the MTD structure + +From: Miquel Raynal + +[ Upstream commit 3507273d5a4d3c2e46f9d3f9ed9449805f5dff07 ] + +This is done by default in the raw NAND core (nand_base.c) but was +missing in the SPI-NAND core. Without these two lines the ecc_strength +and ecc_step_size values are not exported to the user through sysfs. + +Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Boris Brezillon +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/spi/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c +index a2f38b3b9776..1d61ae7aaa66 100644 +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -1045,6 +1045,10 @@ static int spinand_init(struct spinand_device *spinand) + + mtd->oobavail = ret; + ++ /* Propagate ECC information to mtd_info */ ++ mtd->ecc_strength = nand->eccreq.strength; ++ mtd->ecc_step_size = nand->eccreq.step_size; ++ + return 0; + + err_cleanup_nanddev: +-- +2.25.1 + diff --git a/queue-4.19/platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch b/queue-4.19/platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch new file mode 100644 index 00000000000..379827afa74 --- /dev/null +++ b/queue-4.19/platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch @@ -0,0 +1,73 @@ +From f5e0d2df7409edf9aeee6d040801994ac3ba73b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 00:05:59 +0200 +Subject: platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA + +From: Hans de Goede + +[ Upstream commit 3bd12da7f50b8bc191fcb3bab1f55c582234df59 ] + +asus-nb-wmi does not add any extra functionality on these Asus +Transformer books. They have detachable keyboards, so the hotkeys are +send through a HID device (and handled by the hid-asus driver) and also +the rfkill functionality is not used on these devices. + +Besides not adding any extra functionality, initializing the WMI interface +on these devices actually has a negative side-effect. For some reason +the \_SB.ATKD.INIT() function which asus_wmi_platform_init() calls drives +GPO2 (INT33FC:02) pin 8, which is connected to the front facing webcam LED, +high and there is no (WMI or other) interface to drive this low again +causing the LED to be permanently on, even during suspend. + +This commit adds a blacklist of DMI system_ids on which not to load the +asus-nb-wmi and adds these Transformer books to this list. This fixes +the webcam LED being permanently on under Linux. + +Signed-off-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-nb-wmi.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index 59f3a37a44d7..8db2dc05b8cf 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -517,9 +517,33 @@ static struct asus_wmi_driver asus_nb_wmi_driver = { + .detect_quirks = asus_nb_wmi_quirks, + }; + ++static const struct dmi_system_id asus_nb_wmi_blacklist[] __initconst = { ++ { ++ /* ++ * asus-nb-wm adds no functionality. The T100TA has a detachable ++ * USB kbd, so no hotkeys and it has no WMI rfkill; and loading ++ * asus-nb-wm causes the camera LED to turn and _stay_ on. ++ */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TA"), ++ }, ++ }, ++ { ++ /* The Asus T200TA has the same issue as the T100TA */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T200TA"), ++ }, ++ }, ++ {} /* Terminating entry */ ++}; + + static int __init asus_nb_wmi_init(void) + { ++ if (dmi_check_system(asus_nb_wmi_blacklist)) ++ return -ENODEV; ++ + return asus_wmi_register_driver(&asus_nb_wmi_driver); + } + +-- +2.25.1 + diff --git a/queue-4.19/scsi-ibmvscsi-fix-warn_on-during-event-pool-release.patch b/queue-4.19/scsi-ibmvscsi-fix-warn_on-during-event-pool-release.patch new file mode 100644 index 00000000000..d61b59b878f --- /dev/null +++ b/queue-4.19/scsi-ibmvscsi-fix-warn_on-during-event-pool-release.patch @@ -0,0 +1,94 @@ +From e593a17e167490b07073c73095a4874d638297a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 15:49:53 -0700 +Subject: scsi: ibmvscsi: Fix WARN_ON during event pool release + +From: Tyrel Datwyler + +[ Upstream commit b36522150e5b85045f868768d46fbaaa034174b2 ] + +While removing an ibmvscsi client adapter a WARN_ON like the following is +seen in the kernel log: + +drmgr: drmgr: -r -c slot -s U9080.M9S.783AEC8-V11-C11 -w 5 -d 1 +WARNING: CPU: 9 PID: 24062 at ../kernel/dma/mapping.c:311 dma_free_attrs+0x78/0x110 +Supported: No, Unreleased kernel +CPU: 9 PID: 24062 Comm: drmgr Kdump: loaded Tainted: G X 5.3.18-12-default +NIP: c0000000001fa758 LR: c0000000001fa744 CTR: c0000000001fa6e0 +REGS: c0000002173375d0 TRAP: 0700 Tainted: G X (5.3.18-12-default) +MSR: 8000000000029033 CR: 28088282 XER: 20000000 +CFAR: c0000000001fbf0c IRQMASK: 1 +GPR00: c0000000001fa744 c000000217337860 c00000000161ab00 0000000000000000 +GPR04: 0000000000000000 c000011e12250000 0000000018010000 0000000000000000 +GPR08: 0000000000000000 0000000000000001 0000000000000001 c0080000190f4fa8 +GPR12: c0000000001fa6e0 c000000007fc2a00 0000000000000000 0000000000000000 +GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +GPR24: 000000011420e310 0000000000000000 0000000000000000 0000000018010000 +GPR28: c00000000159de50 c000011e12250000 0000000000006600 c000011e5c994848 +NIP [c0000000001fa758] dma_free_attrs+0x78/0x110 +LR [c0000000001fa744] dma_free_attrs+0x64/0x110 +Call Trace: +[c000000217337860] [000000011420e310] 0x11420e310 (unreliable) +[c0000002173378b0] [c0080000190f0280] release_event_pool+0xd8/0x120 [ibmvscsi] +[c000000217337930] [c0080000190f3f74] ibmvscsi_remove+0x6c/0x160 [ibmvscsi] +[c000000217337960] [c0000000000f3cac] vio_bus_remove+0x5c/0x100 +[c0000002173379a0] [c00000000087a0a4] device_release_driver_internal+0x154/0x280 +[c0000002173379e0] [c0000000008777cc] bus_remove_device+0x11c/0x220 +[c000000217337a60] [c000000000870fc4] device_del+0x1c4/0x470 +[c000000217337b10] [c0000000008712a0] device_unregister+0x30/0xa0 +[c000000217337b80] [c0000000000f39ec] vio_unregister_device+0x2c/0x60 +[c000000217337bb0] [c00800001a1d0964] dlpar_remove_slot+0x14c/0x250 [rpadlpar_io] +[c000000217337c50] [c00800001a1d0bcc] remove_slot_store+0xa4/0x110 [rpadlpar_io] +[c000000217337cd0] [c000000000c091a0] kobj_attr_store+0x30/0x50 +[c000000217337cf0] [c00000000057c934] sysfs_kf_write+0x64/0x90 +[c000000217337d10] [c00000000057be10] kernfs_fop_write+0x1b0/0x290 +[c000000217337d60] [c000000000488c4c] __vfs_write+0x3c/0x70 +[c000000217337d80] [c00000000048c648] vfs_write+0xd8/0x260 +[c000000217337dd0] [c00000000048ca8c] ksys_write+0xdc/0x130 +[c000000217337e20] [c00000000000b488] system_call+0x5c/0x70 +Instruction dump: +7c840074 f8010010 f821ffb1 20840040 eb830218 7c8407b4 48002019 60000000 +2fa30000 409e003c 892d0988 792907e0 <0b090000> 2fbd0000 419e0028 2fbc0000 +---[ end trace 5955b3c0cc079942 ]--- +rpadlpar_io: slot U9080.M9S.783AEC8-V11-C11 removed + +This is tripped as a result of irqs being disabled during the call to +dma_free_coherent() by release_event_pool(). At this point in the code path +we have quiesced the adapter and it is overly paranoid to be holding the +host lock. + +[mkp: fixed build warning reported by sfr] + +Link: https://lore.kernel.org/r/1588027793-17952-1-git-send-email-tyreld@linux.ibm.com +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c +index e60822f07653..b99ded6b9e0b 100644 +--- a/drivers/scsi/ibmvscsi/ibmvscsi.c ++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c +@@ -2296,16 +2296,12 @@ static int ibmvscsi_probe(struct vio_dev *vdev, const struct vio_device_id *id) + static int ibmvscsi_remove(struct vio_dev *vdev) + { + struct ibmvscsi_host_data *hostdata = dev_get_drvdata(&vdev->dev); +- unsigned long flags; + + srp_remove_host(hostdata->host); + scsi_remove_host(hostdata->host); + + purge_requests(hostdata, DID_ERROR); +- +- spin_lock_irqsave(hostdata->host->host_lock, flags); + release_event_pool(&hostdata->pool, hostdata); +- spin_unlock_irqrestore(hostdata->host->host_lock, flags); + + ibmvscsi_release_crq_queue(&hostdata->queue, hostdata, + max_events); +-- +2.25.1 + diff --git a/queue-4.19/scsi-qla2xxx-delete-all-sessions-before-unregister-l.patch b/queue-4.19/scsi-qla2xxx-delete-all-sessions-before-unregister-l.patch new file mode 100644 index 00000000000..b27a9c145fd --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-delete-all-sessions-before-unregister-l.patch @@ -0,0 +1,66 @@ +From 60b8ebca76156d9535be5617eb56d78eb3fa2418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2020 03:40:15 -0700 +Subject: scsi: qla2xxx: Delete all sessions before unregister local nvme port + +From: Quinn Tran + +[ Upstream commit c48f849d3f7a4ec1025105f446e29d395c4dcc2f ] + +Delete all sessions before unregistering local nvme port. This allows nvme +layer to decrement all active rport count down to zero. Once the count is +down to zero, nvme would call qla to continue with the npiv port deletion. + +PID: 27448 TASK: ffff9e34b777c1c0 CPU: 0 COMMAND: "qaucli" + 0 [ffff9e25e84abbd8] __schedule at ffffffff977858ca + 1 [ffff9e25e84abc68] schedule at ffffffff97785d79 + 2 [ffff9e25e84abc78] schedule_timeout at ffffffff97783881 + 3 [ffff9e25e84abd28] wait_for_completion at ffffffff9778612d + 4 [ffff9e25e84abd88] qla_nvme_delete at ffffffffc0e3024e [qla2xxx] + 5 [ffff9e25e84abda8] qla24xx_vport_delete at ffffffffc0e024b9 [qla2xxx] + 6 [ffff9e25e84abdf0] fc_vport_terminate at ffffffffc011c247 [scsi_transport_fc] + 7 [ffff9e25e84abe28] store_fc_host_vport_delete at ffffffffc011cd94 [scsi_transport_fc] + 8 [ffff9e25e84abe70] dev_attr_store at ffffffff974b376b + 9 [ffff9e25e84abe80] sysfs_kf_write at ffffffff972d9a92 +10 [ffff9e25e84abe90] kernfs_fop_write at ffffffff972d907b +11 [ffff9e25e84abec8] vfs_write at ffffffff9724c790 +12 [ffff9e25e84abf08] sys_write at ffffffff9724d55f +13 [ffff9e25e84abf50] system_call_fastpath at ffffffff97792ed2 + RIP: 00007fc0bd81a6fd RSP: 00007ffff78d9648 RFLAGS: 00010202 + RAX: 0000000000000001 RBX: 0000000000000022 RCX: 00007ffff78d96e0 + RDX: 0000000000000022 RSI: 00007ffff78d94e0 RDI: 0000000000000008 + RBP: 00007ffff78d9440 R8: 0000000000000000 R9: 00007fc0bd48b2cd + R10: 0000000000000017 R11: 0000000000000293 R12: 0000000000000000 + R13: 00005624e4dac840 R14: 00005624e4da9a10 R15: 0000000000000000 + ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b + +Link: https://lore.kernel.org/r/20200331104015.24868-4-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_attr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index b008d583dd6e..0ab9d2fd4a14 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2162,11 +2162,11 @@ qla24xx_vport_delete(struct fc_vport *fc_vport) + test_bit(FCPORT_UPDATE_NEEDED, &vha->dpc_flags)) + msleep(1000); + +- qla_nvme_delete(vha); + + qla24xx_disable_vp(vha); + qla2x00_wait_for_sess_deletion(vha); + ++ qla_nvme_delete(vha); + vha->flags.delete_progress = 1; + + qlt_remove_target(ha, vha); +-- +2.25.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-hang-when-issuing-nvme-disconnect-a.patch b/queue-4.19/scsi-qla2xxx-fix-hang-when-issuing-nvme-disconnect-a.patch new file mode 100644 index 00000000000..35680d11bfe --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-hang-when-issuing-nvme-disconnect-a.patch @@ -0,0 +1,42 @@ +From b0cedb3c4a9ecd0c60078e2be4a178679ab9a0a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2020 03:40:14 -0700 +Subject: scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV + +From: Arun Easi + +[ Upstream commit 45a76264c26fd8cfd0c9746196892d9b7e2657ee ] + +In NPIV environment, a NPIV host may use a queue pair created by base host +or other NPIVs, so the check for a queue pair created by this NPIV is not +correct, and can cause an abort to fail, which in turn means the NVME +command not returned. This leads to hang in nvme_fc layer in +nvme_fc_delete_association() which waits for all I/Os to be returned, which +is seen as hang in the application. + +Link: https://lore.kernel.org/r/20200331104015.24868-3-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_mbx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c +index bef9faea5eee..ac5d2d34aeea 100644 +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -3077,7 +3077,7 @@ qla24xx_abort_command(srb_t *sp) + ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x108c, + "Entered %s.\n", __func__); + +- if (vha->flags.qpairs_available && sp->qpair) ++ if (sp->qpair) + req = sp->qpair->req; + + if (ql2xasynctmfenable) +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 1caeb34f6b3..c1b002dd3a1 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1,3 +1,32 @@ i2c-dev-fix-the-race-between-the-release-of-i2c_dev-and-cdev.patch kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch riscv-set-max_pfn-to-the-pfn-of-the-last-page.patch +ima-set-file-f_mode-instead-of-file-f_flags-in-ima_c.patch +evm-check-also-if-tfm-is-an-error-pointer-in-init_de.patch +ima-fix-return-value-of-ima_write_policy.patch +mtd-spinand-propagate-ecc-information-to-the-mtd-str.patch +fix-multiplication-overflow-in-copy_fdtable.patch +ubifs-remove-broken-lazytime-support.patch +iommu-amd-fix-over-read-of-acpi-uid-from-ivrs-table.patch +i2c-mux-demux-pinctrl-fix-an-error-handling-path-in-.patch +ubi-fix-seq_file-usage-in-detailed_erase_block_info-.patch +gcc-common.h-update-for-gcc-10.patch +hid-multitouch-add-egalaxtouch-p80h84-support.patch +hid-alps-add-aui1657-device-id.patch +hid-alps-alps_1657-is-too-specific-use-u1_unicorn_le.patch +scsi-qla2xxx-fix-hang-when-issuing-nvme-disconnect-a.patch +scsi-qla2xxx-delete-all-sessions-before-unregister-l.patch +configfs-fix-config_item-refcnt-leak-in-configfs_rmd.patch +vhost-vsock-fix-packet-delivery-order-to-monitoring-.patch +aquantia-fix-the-media-type-of-aqc100-ethernet-contr.patch +component-silence-bind-error-on-eprobe_defer.patch +scsi-ibmvscsi-fix-warn_on-during-event-pool-release.patch +hid-i2c-hid-reset-synaptics-syna2393-on-resume.patch +x86-apic-move-tsc-deadline-timer-debug-printk.patch +gtp-set-nlm_f_multi-flag-in-gtp_genl_dump_pdp.patch +hid-quirks-add-hid_quirk_no_init_reports-quirk-for-d.patch +ceph-fix-double-unlock-in-handle_cap_export.patch +stmmac-fix-pointer-check-after-utilization-in-stmmac.patch +usb-core-fix-misleading-driver-bug-report.patch +platform-x86-asus-nb-wmi-do-not-load-on-asus-t100ta-.patch +arm-futex-address-build-warning.patch diff --git a/queue-4.19/stmmac-fix-pointer-check-after-utilization-in-stmmac.patch b/queue-4.19/stmmac-fix-pointer-check-after-utilization-in-stmmac.patch new file mode 100644 index 00000000000..9d9c2baed9c --- /dev/null +++ b/queue-4.19/stmmac-fix-pointer-check-after-utilization-in-stmmac.patch @@ -0,0 +1,51 @@ +From 3a4a01643eaed1f5599f01e84bf838d65b7a515e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 09:26:43 +0300 +Subject: stmmac: fix pointer check after utilization in stmmac_interrupt + +From: Maxim Petrov + +[ Upstream commit f42234ffd531ca6b13d9da02faa60b72eccf8334 ] + +The paranoidal pointer check in IRQ handler looks very strange - it +really protects us only against bogus drivers which request IRQ line +with null pointer dev_id. However, the code fragment is incorrect +because the dev pointer is used before the actual check which leads +to undefined behavior. Remove the check to avoid confusing people +with incorrect code. + +Signed-off-by: Maxim Petrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 9c7b1d8e8220..c41879a955b5 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3684,7 +3684,7 @@ static int stmmac_set_features(struct net_device *netdev, + /** + * stmmac_interrupt - main ISR + * @irq: interrupt number. +- * @dev_id: to pass the net device pointer. ++ * @dev_id: to pass the net device pointer (must be valid). + * Description: this is the main driver interrupt service routine. + * It can call: + * o DMA service routine (to manage incoming frame reception and transmission +@@ -3708,11 +3708,6 @@ static irqreturn_t stmmac_interrupt(int irq, void *dev_id) + if (priv->irq_wake) + pm_wakeup_event(priv->device, 0); + +- if (unlikely(!dev)) { +- netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__); +- return IRQ_NONE; +- } +- + /* Check if adapter is up */ + if (test_bit(STMMAC_DOWN, &priv->state)) + return IRQ_HANDLED; +-- +2.25.1 + diff --git a/queue-4.19/ubi-fix-seq_file-usage-in-detailed_erase_block_info-.patch b/queue-4.19/ubi-fix-seq_file-usage-in-detailed_erase_block_info-.patch new file mode 100644 index 00000000000..43e622bb423 --- /dev/null +++ b/queue-4.19/ubi-fix-seq_file-usage-in-detailed_erase_block_info-.patch @@ -0,0 +1,60 @@ +From c1b11c24bfc79abc560572fe3cbcc161338325d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 May 2020 14:48:02 +0200 +Subject: ubi: Fix seq_file usage in detailed_erase_block_info debugfs file + +From: Richard Weinberger + +[ Upstream commit 0e7572cffe442290c347e779bf8bd4306bb0aa7c ] + +3bfa7e141b0b ("fs/seq_file.c: seq_read(): add info message about buggy .next functions") +showed that we don't use seq_file correctly. +So make sure that our ->next function always updates the position. + +Fixes: 7bccd12d27b7 ("ubi: Add debugfs file for tracking PEB state") +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/debug.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/mtd/ubi/debug.c b/drivers/mtd/ubi/debug.c +index 7bc96294ae4d..b108e1f04bf6 100644 +--- a/drivers/mtd/ubi/debug.c ++++ b/drivers/mtd/ubi/debug.c +@@ -405,9 +405,6 @@ static void *eraseblk_count_seq_start(struct seq_file *s, loff_t *pos) + { + struct ubi_device *ubi = s->private; + +- if (*pos == 0) +- return SEQ_START_TOKEN; +- + if (*pos < ubi->peb_count) + return pos; + +@@ -421,8 +418,6 @@ static void *eraseblk_count_seq_next(struct seq_file *s, void *v, loff_t *pos) + { + struct ubi_device *ubi = s->private; + +- if (v == SEQ_START_TOKEN) +- return pos; + (*pos)++; + + if (*pos < ubi->peb_count) +@@ -444,11 +439,8 @@ static int eraseblk_count_seq_show(struct seq_file *s, void *iter) + int err; + + /* If this is the start, print a header */ +- if (iter == SEQ_START_TOKEN) { +- seq_puts(s, +- "physical_block_number\terase_count\tblock_status\tread_status\n"); +- return 0; +- } ++ if (*block_number == 0) ++ seq_puts(s, "physical_block_number\terase_count\n"); + + err = ubi_io_is_bad(ubi, *block_number); + if (err) +-- +2.25.1 + diff --git a/queue-4.19/ubifs-remove-broken-lazytime-support.patch b/queue-4.19/ubifs-remove-broken-lazytime-support.patch new file mode 100644 index 00000000000..4aa148fa255 --- /dev/null +++ b/queue-4.19/ubifs-remove-broken-lazytime-support.patch @@ -0,0 +1,53 @@ +From a19fc73857088f2b7d7369e9d7160bd614ae1a7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 13:33:05 +0200 +Subject: ubifs: remove broken lazytime support + +From: Christoph Hellwig + +[ Upstream commit ecf84096a526f2632ee85c32a3d05de3fa60ce80 ] + +When "ubifs: introduce UBIFS_ATIME_SUPPORT to ubifs" introduced atime +support to ubifs, it also added lazytime support. As far as I can tell +the lazytime support is terminally broken, as it causes +mark_inode_dirty_sync to be called from __writeback_single_inode, which +will then trigger the locking assert in ubifs_dirty_inode. Just remove +the broken lazytime support for now, it can be added back later, +especially as some infrastructure changes should make that easier soon. + +Fixes: 8c1c5f263833 ("ubifs: introduce UBIFS_ATIME_SUPPORT to ubifs") +Signed-off-by: Christoph Hellwig +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/file.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c +index 65b4f63349c7..d7d2fdda4bbd 100644 +--- a/fs/ubifs/file.c ++++ b/fs/ubifs/file.c +@@ -1391,7 +1391,6 @@ int ubifs_update_time(struct inode *inode, struct timespec64 *time, + struct ubifs_info *c = inode->i_sb->s_fs_info; + struct ubifs_budget_req req = { .dirtied_ino = 1, + .dirtied_ino_d = ALIGN(ui->data_len, 8) }; +- int iflags = I_DIRTY_TIME; + int err, release; + + err = ubifs_budget_space(c, &req); +@@ -1406,11 +1405,8 @@ int ubifs_update_time(struct inode *inode, struct timespec64 *time, + if (flags & S_MTIME) + inode->i_mtime = *time; + +- if (!(inode->i_sb->s_flags & SB_LAZYTIME)) +- iflags |= I_DIRTY_SYNC; +- + release = ui->dirty; +- __mark_inode_dirty(inode, iflags); ++ __mark_inode_dirty(inode, I_DIRTY_SYNC); + mutex_unlock(&ui->ui_mutex); + if (release) + ubifs_release_budget(c, &req); +-- +2.25.1 + diff --git a/queue-4.19/usb-core-fix-misleading-driver-bug-report.patch b/queue-4.19/usb-core-fix-misleading-driver-bug-report.patch new file mode 100644 index 00000000000..1cdb1bec93b --- /dev/null +++ b/queue-4.19/usb-core-fix-misleading-driver-bug-report.patch @@ -0,0 +1,69 @@ +From 7a8270264e3ea6d29835cbc6cf13dc20cde258d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 May 2020 16:07:28 -0400 +Subject: USB: core: Fix misleading driver bug report + +From: Alan Stern + +[ Upstream commit ac854131d9844f79e2fdcef67a7707227538d78a ] + +The syzbot fuzzer found a race between URB submission to endpoint 0 +and device reset. Namely, during the reset we call usb_ep0_reinit() +because the characteristics of ep0 may have changed (if the reset +follows a firmware update, for example). While usb_ep0_reinit() is +running there is a brief period during which the pointers stored in +udev->ep_in[0] and udev->ep_out[0] are set to NULL, and if an URB is +submitted to ep0 during that period, usb_urb_ep_type_check() will +report it as a driver bug. In the absence of those pointers, the +routine thinks that the endpoint doesn't exist. The log message looks +like this: + +------------[ cut here ]------------ +usb 2-1: BOGUS urb xfer, pipe 2 != type 2 +WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478 +usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478 + +Now, although submitting an URB while the device is being reset is a +questionable thing to do, it shouldn't count as a driver bug as severe +as submitting an URB for an endpoint that doesn't exist. Indeed, +endpoint 0 always exists, even while the device is in its unconfigured +state. + +To prevent these misleading driver bug reports, this patch updates +usb_disable_endpoint() to avoid clearing the ep_in[] and ep_out[] +pointers when the endpoint being disabled is ep0. There's no danger +of leaving a stale pointer in place, because the usb_host_endpoint +structure being pointed to is stored permanently in udev->ep0; it +doesn't get deallocated until the entire usb_device structure does. + +Reported-and-tested-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com +Signed-off-by: Alan Stern + +Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2005011558590.903-100000@netrider.rowland.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/message.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index fcf84bfc08e3..f705ea52eb97 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1143,11 +1143,11 @@ void usb_disable_endpoint(struct usb_device *dev, unsigned int epaddr, + + if (usb_endpoint_out(epaddr)) { + ep = dev->ep_out[epnum]; +- if (reset_hardware) ++ if (reset_hardware && epnum != 0) + dev->ep_out[epnum] = NULL; + } else { + ep = dev->ep_in[epnum]; +- if (reset_hardware) ++ if (reset_hardware && epnum != 0) + dev->ep_in[epnum] = NULL; + } + if (ep) { +-- +2.25.1 + diff --git a/queue-4.19/vhost-vsock-fix-packet-delivery-order-to-monitoring-.patch b/queue-4.19/vhost-vsock-fix-packet-delivery-order-to-monitoring-.patch new file mode 100644 index 00000000000..fe63f434dba --- /dev/null +++ b/queue-4.19/vhost-vsock-fix-packet-delivery-order-to-monitoring-.patch @@ -0,0 +1,47 @@ +From 3f2745158b003d6c499426e5337f2a86d75bd074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 17:08:29 +0200 +Subject: vhost/vsock: fix packet delivery order to monitoring devices + +From: Stefano Garzarella + +[ Upstream commit 107bc0766b9feb5113074c753735a3f115c2141f ] + +We want to deliver packets to monitoring devices before it is +put in the virtqueue, to avoid that replies can appear in the +packet capture before the transmitted packet. + +Signed-off-by: Stefano Garzarella +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/vhost/vsock.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c +index bac1365cc81b..7891bd40ebd8 100644 +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -182,14 +182,14 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock, + break; + } + +- vhost_add_used(vq, head, sizeof(pkt->hdr) + payload_len); +- added = true; +- +- /* Deliver to monitoring devices all correctly transmitted +- * packets. ++ /* Deliver to monitoring devices all packets that we ++ * will transmit. + */ + virtio_transport_deliver_tap_pkt(pkt); + ++ vhost_add_used(vq, head, sizeof(pkt->hdr) + payload_len); ++ added = true; ++ + pkt->off += payload_len; + total_len += payload_len; + +-- +2.25.1 + diff --git a/queue-4.19/x86-apic-move-tsc-deadline-timer-debug-printk.patch b/queue-4.19/x86-apic-move-tsc-deadline-timer-debug-printk.patch new file mode 100644 index 00000000000..26ce08d575e --- /dev/null +++ b/queue-4.19/x86-apic-move-tsc-deadline-timer-debug-printk.patch @@ -0,0 +1,132 @@ +From ecc793eeed3e8ecc4333f4c204b608625ccaaa45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 16:55:57 +0200 +Subject: x86/apic: Move TSC deadline timer debug printk + +From: Thomas Gleixner + +[ Upstream commit c84cb3735fd53c91101ccdb191f2e3331a9262cb ] + +Leon reported that the printk_once() in __setup_APIC_LVTT() triggers a +lockdep splat due to a lock order violation between hrtimer_base::lock and +console_sem, when the 'once' condition is reset via +/sys/kernel/debug/clear_warn_once after boot. + +The initial printk cannot trigger this because that happens during boot +when the local APIC timer is set up on the boot CPU. + +Prevent it by moving the printk to a place which is guaranteed to be only +called once during boot. + +Mark the deadline timer check related functions and data __init while at +it. + +Reported-by: Leon Romanovsky +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/87y2qhoshi.fsf@nanos.tec.linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/apic.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 1ca76ca944ba..53dc8492f02f 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -345,8 +345,6 @@ static void __setup_APIC_LVTT(unsigned int clocks, int oneshot, int irqen) + * According to Intel, MFENCE can do the serialization here. + */ + asm volatile("mfence" : : : "memory"); +- +- printk_once(KERN_DEBUG "TSC deadline timer enabled\n"); + return; + } + +@@ -545,7 +543,7 @@ static DEFINE_PER_CPU(struct clock_event_device, lapic_events); + #define DEADLINE_MODEL_MATCH_REV(model, rev) \ + { X86_VENDOR_INTEL, 6, model, X86_FEATURE_ANY, (unsigned long)rev } + +-static u32 hsx_deadline_rev(void) ++static __init u32 hsx_deadline_rev(void) + { + switch (boot_cpu_data.x86_stepping) { + case 0x02: return 0x3a; /* EP */ +@@ -555,7 +553,7 @@ static u32 hsx_deadline_rev(void) + return ~0U; + } + +-static u32 bdx_deadline_rev(void) ++static __init u32 bdx_deadline_rev(void) + { + switch (boot_cpu_data.x86_stepping) { + case 0x02: return 0x00000011; +@@ -567,7 +565,7 @@ static u32 bdx_deadline_rev(void) + return ~0U; + } + +-static u32 skx_deadline_rev(void) ++static __init u32 skx_deadline_rev(void) + { + switch (boot_cpu_data.x86_stepping) { + case 0x03: return 0x01000136; +@@ -580,7 +578,7 @@ static u32 skx_deadline_rev(void) + return ~0U; + } + +-static const struct x86_cpu_id deadline_match[] = { ++static const struct x86_cpu_id deadline_match[] __initconst = { + DEADLINE_MODEL_MATCH_FUNC( INTEL_FAM6_HASWELL_X, hsx_deadline_rev), + DEADLINE_MODEL_MATCH_REV ( INTEL_FAM6_BROADWELL_X, 0x0b000020), + DEADLINE_MODEL_MATCH_FUNC( INTEL_FAM6_BROADWELL_XEON_D, bdx_deadline_rev), +@@ -602,18 +600,19 @@ static const struct x86_cpu_id deadline_match[] = { + {}, + }; + +-static void apic_check_deadline_errata(void) ++static __init bool apic_validate_deadline_timer(void) + { + const struct x86_cpu_id *m; + u32 rev; + +- if (!boot_cpu_has(X86_FEATURE_TSC_DEADLINE_TIMER) || +- boot_cpu_has(X86_FEATURE_HYPERVISOR)) +- return; ++ if (!boot_cpu_has(X86_FEATURE_TSC_DEADLINE_TIMER)) ++ return false; ++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) ++ return true; + + m = x86_match_cpu(deadline_match); + if (!m) +- return; ++ return true; + + /* + * Function pointers will have the MSB set due to address layout, +@@ -625,11 +624,12 @@ static void apic_check_deadline_errata(void) + rev = (u32)m->driver_data; + + if (boot_cpu_data.microcode >= rev) +- return; ++ return true; + + setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER); + pr_err(FW_BUG "TSC_DEADLINE disabled due to Errata; " + "please update microcode to version: 0x%x (or later)\n", rev); ++ return false; + } + + /* +@@ -2023,7 +2023,8 @@ void __init init_apic_mappings(void) + { + unsigned int new_apicid; + +- apic_check_deadline_errata(); ++ if (apic_validate_deadline_timer()) ++ pr_debug("TSC deadline timer available\n"); + + if (x2apic_mode) { + boot_cpu_physical_apicid = read_apic_id(); +-- +2.25.1 +