From: Sasha Levin Date: Mon, 19 Jul 2021 13:16:49 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v5.13.4~29^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca7c65452a3bbbf10aa0cabdbdd65c54836709ab;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/alsa-bebob-add-support-for-toneweal-fw66.patch b/queue-4.4/alsa-bebob-add-support-for-toneweal-fw66.patch new file mode 100644 index 00000000000..c9373fbc5f2 --- /dev/null +++ b/queue-4.4/alsa-bebob-add-support-for-toneweal-fw66.patch @@ -0,0 +1,105 @@ +From 2d63664de23974de8977117690f70d7bbf7e392c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jun 2021 17:39:22 +0900 +Subject: ALSA: bebob: add support for ToneWeal FW66 + +From: Takashi Sakamoto + +[ Upstream commit 50ebe56222bfa0911a932930f9229ee5995508d9 ] + +A user of FFADO project reported the issue of ToneWeal FW66. As a result, +the device is identified as one of applications of BeBoB solution. + +I note that in the report the device returns contradictory result in plug +discovery process for audio subunit. Fortunately ALSA BeBoB driver doesn't +perform it thus it's likely to handle the device without issues. + +I receive no reaction to test request for this patch yet, however it would +be worth to add support for it. + +daniel@gibbonmoon:/sys/bus/firewire/devices/fw1$ grep -r . * +Binary file config_rom matches +dev:244:1 +guid:0x0023270002000000 +hardware_version:0x000002 +is_local:0 +model:0x020002 +model_name:FW66 +power/runtime_active_time:0 +power/runtime_active_kids:0 +power/runtime_usage:0 +power/runtime_status:unsupported +power/async:disabled +power/runtime_suspended_time:0 +power/runtime_enabled:disabled +power/control:auto +subsystem/drivers_autoprobe:1 +uevent:MAJOR=244 +uevent:MINOR=1 +uevent:DEVNAME=fw1 +units:0x00a02d:0x010001 +vendor:0x002327 +vendor_name:ToneWeal +fw1.0/uevent:MODALIAS=ieee1394:ven00002327mo00020002sp0000A02Dver00010001 +fw1.0/power/runtime_active_time:0 +fw1.0/power/runtime_active_kids:0 +fw1.0/power/runtime_usage:0 +fw1.0/power/runtime_status:unsupported +fw1.0/power/async:disabled +fw1.0/power/runtime_suspended_time:0 +fw1.0/power/runtime_enabled:disabled +fw1.0/power/control:auto +fw1.0/model:0x020002 +fw1.0/rom_index:15 +fw1.0/specifier_id:0x00a02d +fw1.0/model_name:FW66 +fw1.0/version:0x010001 +fw1.0/modalias:ieee1394:ven00002327mo00020002sp0000A02Dver00010001 + +Cc: Daniel Jozsef +Reference: https://lore.kernel.org/alsa-devel/20200119164335.GA11974@workstation/ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20210619083922.16060-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/Kconfig | 1 + + sound/firewire/bebob/bebob.c | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/sound/firewire/Kconfig b/sound/firewire/Kconfig +index 4199cfc4a96a..850315d1abca 100644 +--- a/sound/firewire/Kconfig ++++ b/sound/firewire/Kconfig +@@ -117,6 +117,7 @@ config SND_BEBOB + * M-Audio Ozonic/NRV10/ProfireLightBridge + * M-Audio FireWire 1814/ProjectMix IO + * Digidesign Mbox 2 Pro ++ * ToneWeal FW66 + + To compile this driver as a module, choose M here: the module + will be called snd-bebob. +diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c +index 64dca7931272..c3c14e383e73 100644 +--- a/sound/firewire/bebob/bebob.c ++++ b/sound/firewire/bebob/bebob.c +@@ -60,6 +60,7 @@ static DECLARE_BITMAP(devices_used, SNDRV_CARDS); + #define VEN_MAUDIO1 0x00000d6c + #define VEN_MAUDIO2 0x000007f5 + #define VEN_DIGIDESIGN 0x00a07e ++#define OUI_SHOUYO 0x002327 + + #define MODEL_FOCUSRITE_SAFFIRE_BOTH 0x00000000 + #define MODEL_MAUDIO_AUDIOPHILE_BOTH 0x00010060 +@@ -461,6 +462,8 @@ static const struct ieee1394_device_id bebob_id_table[] = { + &maudio_special_spec), + /* Digidesign Mbox 2 Pro */ + SND_BEBOB_DEV_ENTRY(VEN_DIGIDESIGN, 0x0000a9, &spec_normal), ++ // Toneweal FW66. ++ SND_BEBOB_DEV_ENTRY(OUI_SHOUYO, 0x020002, &spec_normal), + /* IDs are unknown but able to be supported */ + /* Apogee, Mini-ME Firewire */ + /* Apogee, Mini-DAC Firewire */ +-- +2.30.2 + diff --git a/queue-4.4/alsa-hda-add-irq-check-for-platform_get_irq.patch b/queue-4.4/alsa-hda-add-irq-check-for-platform_get_irq.patch new file mode 100644 index 00000000000..6bcd2429a97 --- /dev/null +++ b/queue-4.4/alsa-hda-add-irq-check-for-platform_get_irq.patch @@ -0,0 +1,45 @@ +From e8e4eee5ea0451a417c1395ab85d03f0009aa173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jun 2021 21:19:42 +0800 +Subject: ALSA: hda: Add IRQ check for platform_get_irq() + +From: Jiajun Cao + +[ Upstream commit 8c13212443230d03ff25014514ec0d53498c0912 ] + +The function hda_tegra_first_init() neglects to check the return +value after executing platform_get_irq(). + +hda_tegra_first_init() should check the return value (if negative +error number) for errors so as to not pass a negative value to +the devm_request_irq(). + +Fix it by adding a check for the return value irq_id. + +Signed-off-by: Jiajun Cao +Signed-off-by: Xin Tan +Reviewed-by: Thierry Reding +Link: https://lore.kernel.org/r/20210622131947.94346-1-jjcao20@fudan.edu.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_tegra.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c +index 039fbbb1e53c..89359a962e47 100644 +--- a/sound/pci/hda/hda_tegra.c ++++ b/sound/pci/hda/hda_tegra.c +@@ -363,6 +363,9 @@ static int hda_tegra_first_init(struct azx *chip, struct platform_device *pdev) + unsigned short gcap; + int irq_id = platform_get_irq(pdev, 0); + ++ if (irq_id < 0) ++ return irq_id; ++ + err = hda_tegra_init_chip(chip, pdev); + if (err) + return err; +-- +2.30.2 + diff --git a/queue-4.4/alsa-isa-fix-error-return-code-in-snd_cmi8330_probe.patch b/queue-4.4/alsa-isa-fix-error-return-code-in-snd_cmi8330_probe.patch new file mode 100644 index 00000000000..be786582866 --- /dev/null +++ b/queue-4.4/alsa-isa-fix-error-return-code-in-snd_cmi8330_probe.patch @@ -0,0 +1,39 @@ +From fff3486e31e0d1ea0755c1584fbb665ffec5156a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 15:40:51 +0800 +Subject: ALSA: isa: Fix error return code in snd_cmi8330_probe() + +From: Zhen Lei + +[ Upstream commit 31028cbed26a8afa25533a10425ffa2ab794c76c ] + +When 'SB_HW_16' check fails, the error code -ENODEV instead of 0 should be +returned, which is the same as that returned when 'WSS_HW_CMI8330' check +fails. + +Fixes: 43bcd973d6d0 ("[ALSA] Add snd_card_set_generic_dev() call to ISA drivers") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210707074051.2663-1-thunder.leizhen@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/cmi8330.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/isa/cmi8330.c b/sound/isa/cmi8330.c +index dfedfd85f205..463906882b95 100644 +--- a/sound/isa/cmi8330.c ++++ b/sound/isa/cmi8330.c +@@ -564,7 +564,7 @@ static int snd_cmi8330_probe(struct snd_card *card, int dev) + } + if (acard->sb->hardware != SB_HW_16) { + snd_printk(KERN_ERR PFX "SB16 not found during probe\n"); +- return err; ++ return -ENODEV; + } + + snd_wss_out(acard->wss, CS4231_MISC_INFO, 0x40); /* switch on MODE2 */ +-- +2.30.2 + diff --git a/queue-4.4/alsa-ppc-fix-error-return-code-in-snd_pmac_probe.patch b/queue-4.4/alsa-ppc-fix-error-return-code-in-snd_pmac_probe.patch new file mode 100644 index 00000000000..39adc0dc1e8 --- /dev/null +++ b/queue-4.4/alsa-ppc-fix-error-return-code-in-snd_pmac_probe.patch @@ -0,0 +1,41 @@ +From 58c0e7ef4c9cc3ee2e6e374d62273edd96c4ff45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 10:11:21 +0800 +Subject: ALSA: ppc: fix error return code in snd_pmac_probe() + +From: Yang Yingliang + +[ Upstream commit 80b9c1be567c3c6bbe0d4b290af578e630485b5d ] + +If snd_pmac_tumbler_init() or snd_pmac_tumbler_post_init() fails, +snd_pmac_probe() need return error code. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210616021121.1991502-1-yangyingliang@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/ppc/powermac.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/ppc/powermac.c b/sound/ppc/powermac.c +index 33c6be9fb388..7c70ba5e2540 100644 +--- a/sound/ppc/powermac.c ++++ b/sound/ppc/powermac.c +@@ -90,7 +90,11 @@ static int snd_pmac_probe(struct platform_device *devptr) + sprintf(card->shortname, "PowerMac %s", name_ext); + sprintf(card->longname, "%s (Dev %d) Sub-frame %d", + card->shortname, chip->device_id, chip->subframe); +- if ( snd_pmac_tumbler_init(chip) < 0 || snd_pmac_tumbler_post_init() < 0) ++ err = snd_pmac_tumbler_init(chip); ++ if (err < 0) ++ goto __error; ++ err = snd_pmac_tumbler_post_init(); ++ if (err < 0) + goto __error; + break; + case PMAC_AWACS: +-- +2.30.2 + diff --git a/queue-4.4/alsa-sb-fix-potential-double-free-of-csp-mixer-eleme.patch b/queue-4.4/alsa-sb-fix-potential-double-free-of-csp-mixer-eleme.patch new file mode 100644 index 00000000000..91ac4203b45 --- /dev/null +++ b/queue-4.4/alsa-sb-fix-potential-double-free-of-csp-mixer-eleme.patch @@ -0,0 +1,47 @@ +From 776eeffab8824b8f46954b72116deebfd658669f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 16:04:37 +0200 +Subject: ALSA: sb: Fix potential double-free of CSP mixer elements + +From: Takashi Iwai + +[ Upstream commit c305366a37441c2ac90b08711cb6f032b43672f2 ] + +snd_sb_qsound_destroy() contains the calls of removing the previously +created mixer controls, but it doesn't clear the pointers. As +snd_sb_qsound_destroy() itself may be repeatedly called via ioctl, +this could lead to double-free potentially. + +Fix it by clearing the struct fields properly afterwards. + +Link: https://lore.kernel.org/r/20210608140540.17885-4-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/sb/sb16_csp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/sound/isa/sb/sb16_csp.c b/sound/isa/sb/sb16_csp.c +index 2cc068be7d3b..90fa57ad14c0 100644 +--- a/sound/isa/sb/sb16_csp.c ++++ b/sound/isa/sb/sb16_csp.c +@@ -1086,10 +1086,14 @@ static void snd_sb_qsound_destroy(struct snd_sb_csp * p) + card = p->chip->card; + + down_write(&card->controls_rwsem); +- if (p->qsound_switch) ++ if (p->qsound_switch) { + snd_ctl_remove(card, p->qsound_switch); +- if (p->qsound_space) ++ p->qsound_switch = NULL; ++ } ++ if (p->qsound_space) { + snd_ctl_remove(card, p->qsound_space); ++ p->qsound_space = NULL; ++ } + up_write(&card->controls_rwsem); + + /* cancel pending transfer of QSound parameters */ +-- +2.30.2 + diff --git a/queue-4.4/arm-9087-1-kprobes-test-thumb-fix-for-llvm_ias-1.patch b/queue-4.4/arm-9087-1-kprobes-test-thumb-fix-for-llvm_ias-1.patch new file mode 100644 index 00000000000..697396f5d34 --- /dev/null +++ b/queue-4.4/arm-9087-1-kprobes-test-thumb-fix-for-llvm_ias-1.patch @@ -0,0 +1,71 @@ +From 781a2c624bdf5e1c0bc94ff9cb0033787fb35a49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 20:29:26 +0100 +Subject: ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1 + +From: Nick Desaulniers + +[ Upstream commit 8b95a7d90ce8160ac5cffd5bace6e2eba01a871e ] + +There's a few instructions that GAS infers operands but Clang doesn't; +from what I can tell the Arm ARM doesn't say these are optional. + +F5.1.257 TBB, TBH T1 Halfword variant +F5.1.238 STREXD T1 variant +F5.1.84 LDREXD T1 variant + +Link: https://github.com/ClangBuiltLinux/linux/issues/1309 + +Signed-off-by: Nick Desaulniers +Reviewed-by: Jian Cai +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/probes/kprobes/test-thumb.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/probes/kprobes/test-thumb.c b/arch/arm/probes/kprobes/test-thumb.c +index b683b4517458..4254391f3906 100644 +--- a/arch/arm/probes/kprobes/test-thumb.c ++++ b/arch/arm/probes/kprobes/test-thumb.c +@@ -444,21 +444,21 @@ void kprobe_thumb32_test_cases(void) + "3: mvn r0, r0 \n\t" + "2: nop \n\t") + +- TEST_RX("tbh [pc, r",7, (9f-(1f+4))>>1,"]", ++ TEST_RX("tbh [pc, r",7, (9f-(1f+4))>>1,", lsl #1]", + "9: \n\t" + ".short (2f-1b-4)>>1 \n\t" + ".short (3f-1b-4)>>1 \n\t" + "3: mvn r0, r0 \n\t" + "2: nop \n\t") + +- TEST_RX("tbh [pc, r",12, ((9f-(1f+4))>>1)+1,"]", ++ TEST_RX("tbh [pc, r",12, ((9f-(1f+4))>>1)+1,", lsl #1]", + "9: \n\t" + ".short (2f-1b-4)>>1 \n\t" + ".short (3f-1b-4)>>1 \n\t" + "3: mvn r0, r0 \n\t" + "2: nop \n\t") + +- TEST_RRX("tbh [r",1,9f, ", r",14,1,"]", ++ TEST_RRX("tbh [r",1,9f, ", r",14,1,", lsl #1]", + "9: \n\t" + ".short (2f-1b-4)>>1 \n\t" + ".short (3f-1b-4)>>1 \n\t" +@@ -471,10 +471,10 @@ void kprobe_thumb32_test_cases(void) + + TEST_UNSUPPORTED("strexb r0, r1, [r2]") + TEST_UNSUPPORTED("strexh r0, r1, [r2]") +- TEST_UNSUPPORTED("strexd r0, r1, [r2]") ++ TEST_UNSUPPORTED("strexd r0, r1, r2, [r2]") + TEST_UNSUPPORTED("ldrexb r0, [r1]") + TEST_UNSUPPORTED("ldrexh r0, [r1]") +- TEST_UNSUPPORTED("ldrexd r0, [r1]") ++ TEST_UNSUPPORTED("ldrexd r0, r1, [r1]") + + TEST_GROUP("Data-processing (shifted register) and (modified immediate)") + +-- +2.30.2 + diff --git a/queue-4.4/arm-dts-exynos-fix-pwm-led-max-brightness-on-odroid-.patch b/queue-4.4/arm-dts-exynos-fix-pwm-led-max-brightness-on-odroid-.patch new file mode 100644 index 00000000000..a9b0080708e --- /dev/null +++ b/queue-4.4/arm-dts-exynos-fix-pwm-led-max-brightness-on-odroid-.patch @@ -0,0 +1,37 @@ +From ea825ad90d2d3b19e5b62b79016b1e02546df291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 09:59:41 -0400 +Subject: ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 + +From: Krzysztof Kozlowski + +[ Upstream commit fd2f1717966535b7d0b6fe45cf0d79e94330da5f ] + +There is no "max_brightness" property as pointed out by dtschema: + + arch/arm/boot/dts/exynos5422-odroidxu4.dt.yaml: led-controller: led-1: 'max-brightness' is a required property + +Fixes: 6658356014cb ("ARM: dts: Add support Odroid XU4 board for exynos5422-odroidxu4") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20210505135941.59898-5-krzysztof.kozlowski@canonical.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5422-odroidxu4.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5422-odroidxu4.dts b/arch/arm/boot/dts/exynos5422-odroidxu4.dts +index 2faf88627a48..b45e2a0c3908 100644 +--- a/arch/arm/boot/dts/exynos5422-odroidxu4.dts ++++ b/arch/arm/boot/dts/exynos5422-odroidxu4.dts +@@ -26,7 +26,7 @@ + label = "blue:heartbeat"; + pwms = <&pwm 2 2000000 0>; + pwm-names = "pwm2"; +- max_brightness = <255>; ++ max-brightness = <255>; + linux,default-trigger = "heartbeat"; + }; + }; +-- +2.30.2 + diff --git a/queue-4.4/asoc-soc-core-fix-the-error-return-code-in-snd_soc_o.patch b/queue-4.4/asoc-soc-core-fix-the-error-return-code-in-snd_soc_o.patch new file mode 100644 index 00000000000..0df23fb915b --- /dev/null +++ b/queue-4.4/asoc-soc-core-fix-the-error-return-code-in-snd_soc_o.patch @@ -0,0 +1,37 @@ +From c8915d74dec1e0d614f54b8087e2f77dc4d2a6a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 18:37:29 +0800 +Subject: ASoC: soc-core: Fix the error return code in + snd_soc_of_parse_audio_routing() + +From: Zhen Lei + +[ Upstream commit 7d3865a10b9ff2669c531d5ddd60bf46b3d48f1e ] + +When devm_kcalloc() fails, the error code -ENOMEM should be returned +instead of -EINVAL. + +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210617103729.1918-1-thunder.leizhen@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index b927f9c81d92..e69a7f8b6163 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -3394,7 +3394,7 @@ int snd_soc_of_parse_audio_routing(struct snd_soc_card *card, + if (!routes) { + dev_err(card->dev, + "ASoC: Could not allocate DAPM route table\n"); +- return -EINVAL; ++ return -ENOMEM; + } + + for (i = 0; i < num_routes; i++) { +-- +2.30.2 + diff --git a/queue-4.4/backlight-lm3630a-fix-return-code-of-.update_status-.patch b/queue-4.4/backlight-lm3630a-fix-return-code-of-.update_status-.patch new file mode 100644 index 00000000000..408bc9da0da --- /dev/null +++ b/queue-4.4/backlight-lm3630a-fix-return-code-of-.update_status-.patch @@ -0,0 +1,74 @@ +From 5e28df511d43ad2f6fd840b853d2daa708b8ff06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 14:21:47 +0200 +Subject: backlight: lm3630a: Fix return code of .update_status() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit b9481a667a90ec739995e85f91f3672ca44d6ffa ] + +According to .update_status() is supposed to +return 0 on success and a negative error code otherwise. Adapt +lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status() to +actually do it. + +While touching that also add the error code to the failure message. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lm3630a_bl.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c +index 5ef6f9d420a2..ab882c04f975 100644 +--- a/drivers/video/backlight/lm3630a_bl.c ++++ b/drivers/video/backlight/lm3630a_bl.c +@@ -183,7 +183,7 @@ static int lm3630a_bank_a_update_status(struct backlight_device *bl) + if ((pwm_ctrl & LM3630A_PWM_BANK_A) != 0) { + lm3630a_pwm_ctrl(pchip, bl->props.brightness, + bl->props.max_brightness); +- return bl->props.brightness; ++ return 0; + } + + /* disable sleep */ +@@ -203,8 +203,8 @@ static int lm3630a_bank_a_update_status(struct backlight_device *bl) + return 0; + + out_i2c_err: +- dev_err(pchip->dev, "i2c failed to access\n"); +- return bl->props.brightness; ++ dev_err(pchip->dev, "i2c failed to access (%pe)\n", ERR_PTR(ret)); ++ return ret; + } + + static int lm3630a_bank_a_get_brightness(struct backlight_device *bl) +@@ -260,7 +260,7 @@ static int lm3630a_bank_b_update_status(struct backlight_device *bl) + if ((pwm_ctrl & LM3630A_PWM_BANK_B) != 0) { + lm3630a_pwm_ctrl(pchip, bl->props.brightness, + bl->props.max_brightness); +- return bl->props.brightness; ++ return 0; + } + + /* disable sleep */ +@@ -280,8 +280,8 @@ static int lm3630a_bank_b_update_status(struct backlight_device *bl) + return 0; + + out_i2c_err: +- dev_err(pchip->dev, "i2c failed to access REG_CTRL\n"); +- return bl->props.brightness; ++ dev_err(pchip->dev, "i2c failed to access (%pe)\n", ERR_PTR(ret)); ++ return ret; + } + + static int lm3630a_bank_b_get_brightness(struct backlight_device *bl) +-- +2.30.2 + diff --git a/queue-4.4/ceph-remove-bogus-checks-and-warn_ons-from-ceph_set_.patch b/queue-4.4/ceph-remove-bogus-checks-and-warn_ons-from-ceph_set_.patch new file mode 100644 index 00000000000..bbb688e2c18 --- /dev/null +++ b/queue-4.4/ceph-remove-bogus-checks-and-warn_ons-from-ceph_set_.patch @@ -0,0 +1,56 @@ +From d7ec02a934edb85792c546ca52dac8cb6ad8148d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 10:08:30 -0400 +Subject: ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty + +From: Jeff Layton + +[ Upstream commit 22d41cdcd3cfd467a4af074165357fcbea1c37f5 ] + +The checks for page->mapping are odd, as set_page_dirty is an +address_space operation, and I don't see where it would be called on a +non-pagecache page. + +The warning about the page lock also seems bogus. The comment over +set_page_dirty() says that it can be called without the page lock in +some rare cases. I don't think we want to warn if that's the case. + +Reported-by: Matthew Wilcox +Signed-off-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/addr.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c +index fbf383048409..26de74684c17 100644 +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -72,10 +72,6 @@ static int ceph_set_page_dirty(struct page *page) + struct inode *inode; + struct ceph_inode_info *ci; + struct ceph_snap_context *snapc; +- int ret; +- +- if (unlikely(!mapping)) +- return !TestSetPageDirty(page); + + if (PageDirty(page)) { + dout("%p set_page_dirty %p idx %lu -- already dirty\n", +@@ -121,11 +117,7 @@ static int ceph_set_page_dirty(struct page *page) + page->private = (unsigned long)snapc; + SetPagePrivate(page); + +- ret = __set_page_dirty_nobuffers(page); +- WARN_ON(!PageLocked(page)); +- WARN_ON(!page->mapping); +- +- return ret; ++ return __set_page_dirty_nobuffers(page); + } + + /* +-- +2.30.2 + diff --git a/queue-4.4/fs-jfs-fix-missing-error-code-in-lmloginit.patch b/queue-4.4/fs-jfs-fix-missing-error-code-in-lmloginit.patch new file mode 100644 index 00000000000..7676c428173 --- /dev/null +++ b/queue-4.4/fs-jfs-fix-missing-error-code-in-lmloginit.patch @@ -0,0 +1,39 @@ +From 50ff3b7aa303096c0c8a9b0b053db7d8fcd26686 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 19:07:10 +0800 +Subject: fs/jfs: Fix missing error code in lmLogInit() + +From: Jiapeng Chong + +[ Upstream commit 492109333c29e1bb16d8732e1d597b02e8e0bf2e ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'rc. + +Eliminate the follow smatch warning: + +fs/jfs/jfs_logmgr.c:1327 lmLogInit() warn: missing error code 'rc'. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_logmgr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c +index a69bdf2a1085..d19542a88c2c 100644 +--- a/fs/jfs/jfs_logmgr.c ++++ b/fs/jfs/jfs_logmgr.c +@@ -1339,6 +1339,7 @@ int lmLogInit(struct jfs_log * log) + } else { + if (memcmp(logsuper->uuid, log->uuid, 16)) { + jfs_warn("wrong uuid on JFS log device"); ++ rc = -EINVAL; + goto errout20; + } + log->size = le32_to_cpu(logsuper->size); +-- +2.30.2 + diff --git a/queue-4.4/gpio-zynq-check-return-value-of-pm_runtime_get_sync.patch b/queue-4.4/gpio-zynq-check-return-value-of-pm_runtime_get_sync.patch new file mode 100644 index 00000000000..5b7275867cf --- /dev/null +++ b/queue-4.4/gpio-zynq-check-return-value-of-pm_runtime_get_sync.patch @@ -0,0 +1,40 @@ +From 4f1bf90854094062471735036e85d09d0fb9fd65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Apr 2021 19:38:05 +0530 +Subject: gpio: zynq: Check return value of pm_runtime_get_sync + +From: Srinivas Neeli + +[ Upstream commit a51b2fb94b04ab71e53a71b9fad03fa826941254 ] + +Return value of "pm_runtime_get_sync" API was neither captured nor checked. +Fixed it by capturing the return value and then checking for any warning. + +Addresses-Coverity: "check_return" +Signed-off-by: Srinivas Neeli +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-zynq.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c +index 8abeacac5885..ccfdf5a45998 100644 +--- a/drivers/gpio/gpio-zynq.c ++++ b/drivers/gpio/gpio-zynq.c +@@ -764,8 +764,11 @@ err_disable_clk: + static int zynq_gpio_remove(struct platform_device *pdev) + { + struct zynq_gpio *gpio = platform_get_drvdata(pdev); ++ int ret; + +- pm_runtime_get_sync(&pdev->dev); ++ ret = pm_runtime_get_sync(&pdev->dev); ++ if (ret < 0) ++ dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n"); + gpiochip_remove(&gpio->chip); + clk_disable_unprepare(gpio->clk); + device_set_wakeup_capable(&pdev->dev, 0); +-- +2.30.2 + diff --git a/queue-4.4/hexagon-use-common-discards-macro.patch b/queue-4.4/hexagon-use-common-discards-macro.patch new file mode 100644 index 00000000000..cfba278186a --- /dev/null +++ b/queue-4.4/hexagon-use-common-discards-macro.patch @@ -0,0 +1,62 @@ +From f4443218f6061c6e44b131c032e8ab16892fbe25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 18:07:41 -0700 +Subject: hexagon: use common DISCARDS macro + +From: Nathan Chancellor + +[ Upstream commit 681ba73c72302214686401e707e2087ed11a6556 ] + +ld.lld warns that the '.modinfo' section is not currently handled: + +ld.lld: warning: kernel/built-in.a(workqueue.o):(.modinfo) is being placed in '.modinfo' +ld.lld: warning: kernel/built-in.a(printk/printk.o):(.modinfo) is being placed in '.modinfo' +ld.lld: warning: kernel/built-in.a(irq/spurious.o):(.modinfo) is being placed in '.modinfo' +ld.lld: warning: kernel/built-in.a(rcu/update.o):(.modinfo) is being placed in '.modinfo' + +The '.modinfo' section was added in commit 898490c010b5 ("moduleparam: +Save information about built-in modules in separate file") to the DISCARDS +macro but Hexagon has never used that macro. The unification of DISCARDS +happened in commit 023bf6f1b8bf ("linker script: unify usage of discard +definition") in 2009, prior to Hexagon being added in 2011. + +Switch Hexagon over to the DISCARDS macro so that anything that is +expected to be discarded gets discarded. + +Link: https://lkml.kernel.org/r/20210521011239.1332345-3-nathan@kernel.org +Fixes: e95bf452a9e2 ("Hexagon: Add configuration and makefiles for the Hexagon architecture.") +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Acked-by: Brian Cain +Cc: David Rientjes +Cc: Oliver Glitta +Cc: Vlastimil Babka +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/hexagon/kernel/vmlinux.lds.S | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/arch/hexagon/kernel/vmlinux.lds.S b/arch/hexagon/kernel/vmlinux.lds.S +index 5f268c1071b3..b5c050fe23a5 100644 +--- a/arch/hexagon/kernel/vmlinux.lds.S ++++ b/arch/hexagon/kernel/vmlinux.lds.S +@@ -70,13 +70,8 @@ SECTIONS + + _end = .; + +- /DISCARD/ : { +- EXIT_TEXT +- EXIT_DATA +- EXIT_CALL +- } +- + STABS_DEBUG + DWARF_DEBUG + ++ DISCARDS + } +-- +2.30.2 + diff --git a/queue-4.4/lib-decompress_unlz4.c-correctly-handle-zero-padding.patch b/queue-4.4/lib-decompress_unlz4.c-correctly-handle-zero-padding.patch new file mode 100644 index 00000000000..9aa1162b9d7 --- /dev/null +++ b/queue-4.4/lib-decompress_unlz4.c-correctly-handle-zero-padding.patch @@ -0,0 +1,99 @@ +From c15525ae0019668de8973056df813c78f1608851 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 18:56:16 -0700 +Subject: lib/decompress_unlz4.c: correctly handle zero-padding around initrds. + +From: Dimitri John Ledkov + +[ Upstream commit 2c484419efc09e7234c667aa72698cb79ba8d8ed ] + +lz4 compatible decompressor is simple. The format is underspecified and +relies on EOF notification to determine when to stop. Initramfs buffer +format[1] explicitly states that it can have arbitrary number of zero +padding. Thus when operating without a fill function, be extra careful to +ensure that sizes less than 4, or apperantly empty chunksizes are treated +as EOF. + +To test this I have created two cpio initrds, first a normal one, +main.cpio. And second one with just a single /test-file with content +"second" second.cpio. Then i compressed both of them with gzip, and with +lz4 -l. Then I created a padding of 4 bytes (dd if=/dev/zero of=pad4 bs=1 +count=4). To create four testcase initrds: + + 1) main.cpio.gzip + extra.cpio.gzip = pad0.gzip + 2) main.cpio.lz4 + extra.cpio.lz4 = pad0.lz4 + 3) main.cpio.gzip + pad4 + extra.cpio.gzip = pad4.gzip + 4) main.cpio.lz4 + pad4 + extra.cpio.lz4 = pad4.lz4 + +The pad4 test-cases replicate the initrd load by grub, as it pads and +aligns every initrd it loads. + +All of the above boot, however /test-file was not accessible in the initrd +for the testcase #4, as decoding in lz4 decompressor failed. Also an +error message printed which usually is harmless. + +Whith a patched kernel, all of the above testcases now pass, and +/test-file is accessible. + +This fixes lz4 initrd decompress warning on every boot with grub. And +more importantly this fixes inability to load multiple lz4 compressed +initrds with grub. This patch has been shipping in Ubuntu kernels since +January 2021. + +[1] ./Documentation/driver-api/early-userspace/buffer-format.rst + +BugLink: https://bugs.launchpad.net/bugs/1835660 +Link: https://lore.kernel.org/lkml/20210114200256.196589-1-xnox@ubuntu.com/ # v0 +Link: https://lkml.kernel.org/r/20210513104831.432975-1-dimitri.ledkov@canonical.com +Signed-off-by: Dimitri John Ledkov +Cc: Kyungsik Lee +Cc: Yinghai Lu +Cc: Bongkyu Kim +Cc: Kees Cook +Cc: Sven Schmidt <4sschmid@informatik.uni-hamburg.de> +Cc: Rajat Asthana +Cc: Nick Terrell +Cc: Gao Xiang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/decompress_unlz4.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/decompress_unlz4.c b/lib/decompress_unlz4.c +index 036fc882cd72..f1449244fdd4 100644 +--- a/lib/decompress_unlz4.c ++++ b/lib/decompress_unlz4.c +@@ -115,6 +115,9 @@ STATIC inline int INIT unlz4(u8 *input, long in_len, + error("data corrupted"); + goto exit_2; + } ++ } else if (size < 4) { ++ /* empty or end-of-file */ ++ goto exit_3; + } + + chunksize = get_unaligned_le32(inp); +@@ -128,6 +131,10 @@ STATIC inline int INIT unlz4(u8 *input, long in_len, + continue; + } + ++ if (!fill && chunksize == 0) { ++ /* empty or end-of-file */ ++ goto exit_3; ++ } + + if (posp) + *posp += 4; +@@ -184,6 +191,7 @@ STATIC inline int INIT unlz4(u8 *input, long in_len, + } + } + ++exit_3: + ret = 0; + exit_2: + if (!input) +-- +2.30.2 + diff --git a/queue-4.4/memory-fsl_ifc-fix-leak-of-io-mapping-on-probe-failu.patch b/queue-4.4/memory-fsl_ifc-fix-leak-of-io-mapping-on-probe-failu.patch new file mode 100644 index 00000000000..8476928b84f --- /dev/null +++ b/queue-4.4/memory-fsl_ifc-fix-leak-of-io-mapping-on-probe-failu.patch @@ -0,0 +1,48 @@ +From 4bea78116645623d070dabb916d26fedea31ffc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 11:43:21 -0400 +Subject: memory: fsl_ifc: fix leak of IO mapping on probe failure + +From: Krzysztof Kozlowski + +[ Upstream commit 3b132ab67fc7a358fff35e808fa65d4bea452521 ] + +On probe error the driver should unmap the IO memory. Smatch reports: + + drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev->gregs' not released on lines: 298. + +Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20210527154322.81253-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/memory/fsl_ifc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c +index acd1460cf787..040be4638140 100644 +--- a/drivers/memory/fsl_ifc.c ++++ b/drivers/memory/fsl_ifc.c +@@ -228,8 +228,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) + fsl_ifc_ctrl_dev->regs = of_iomap(dev->dev.of_node, 0); + if (!fsl_ifc_ctrl_dev->regs) { + dev_err(&dev->dev, "failed to get memory region\n"); +- ret = -ENODEV; +- goto err; ++ return -ENODEV; + } + + version = ifc_in32(&fsl_ifc_ctrl_dev->regs->ifc_rev) & +@@ -306,6 +305,7 @@ err_irq: + free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev); + irq_dispose_mapping(fsl_ifc_ctrl_dev->irq); + err: ++ iounmap(fsl_ifc_ctrl_dev->gregs); + return ret; + } + +-- +2.30.2 + diff --git a/queue-4.4/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch b/queue-4.4/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch new file mode 100644 index 00000000000..684bd603f8f --- /dev/null +++ b/queue-4.4/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch @@ -0,0 +1,45 @@ +From e33a25ce7259a31a6ce87ec461347ae60ed0e4a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 11:43:22 -0400 +Subject: memory: fsl_ifc: fix leak of private memory on probe failure + +From: Krzysztof Kozlowski + +[ Upstream commit 8e0d09b1232d0538066c40ed4c13086faccbdff6 ] + +On probe error the driver should free the memory allocated for private +structure. Fix this by using resource-managed allocation. + +Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20210527154322.81253-2-krzysztof.kozlowski@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/memory/fsl_ifc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c +index 040be4638140..65b984d64350 100644 +--- a/drivers/memory/fsl_ifc.c ++++ b/drivers/memory/fsl_ifc.c +@@ -107,7 +107,6 @@ static int fsl_ifc_ctrl_remove(struct platform_device *dev) + iounmap(ctrl->regs); + + dev_set_drvdata(&dev->dev, NULL); +- kfree(ctrl); + + return 0; + } +@@ -218,7 +217,8 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) + + dev_info(&dev->dev, "Freescale Integrated Flash Controller\n"); + +- fsl_ifc_ctrl_dev = kzalloc(sizeof(*fsl_ifc_ctrl_dev), GFP_KERNEL); ++ fsl_ifc_ctrl_dev = devm_kzalloc(&dev->dev, sizeof(*fsl_ifc_ctrl_dev), ++ GFP_KERNEL); + if (!fsl_ifc_ctrl_dev) + return -ENOMEM; + +-- +2.30.2 + diff --git a/queue-4.4/mfd-da9052-stmpe-add-and-modify-module_device_table.patch b/queue-4.4/mfd-da9052-stmpe-add-and-modify-module_device_table.patch new file mode 100644 index 00000000000..e7d6abdb473 --- /dev/null +++ b/queue-4.4/mfd-da9052-stmpe-add-and-modify-module_device_table.patch @@ -0,0 +1,50 @@ +From e5e2caa0d55b31b7d81b1064a0b3569ed2591c39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 14:33:46 +0800 +Subject: mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE + +From: Zou Wei + +[ Upstream commit 4700ef326556ed74aba188f12396740a8c1c21dd ] + +This patch adds/modifies MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/da9052-i2c.c | 1 + + drivers/mfd/stmpe-i2c.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/da9052-i2c.c b/drivers/mfd/da9052-i2c.c +index 2697ffb08009..2992fd94bc0c 100644 +--- a/drivers/mfd/da9052-i2c.c ++++ b/drivers/mfd/da9052-i2c.c +@@ -118,6 +118,7 @@ static const struct i2c_device_id da9052_i2c_id[] = { + {"da9053-bc", DA9053_BC}, + {} + }; ++MODULE_DEVICE_TABLE(i2c, da9052_i2c_id); + + #ifdef CONFIG_OF + static const struct of_device_id dialog_dt_ids[] = { +diff --git a/drivers/mfd/stmpe-i2c.c b/drivers/mfd/stmpe-i2c.c +index c3f4aab53b07..663a6c1c3d0d 100644 +--- a/drivers/mfd/stmpe-i2c.c ++++ b/drivers/mfd/stmpe-i2c.c +@@ -107,7 +107,7 @@ static const struct i2c_device_id stmpe_i2c_id[] = { + { "stmpe2403", STMPE2403 }, + { } + }; +-MODULE_DEVICE_TABLE(i2c, stmpe_id); ++MODULE_DEVICE_TABLE(i2c, stmpe_i2c_id); + + static struct i2c_driver stmpe_i2c_driver = { + .driver = { +-- +2.30.2 + diff --git a/queue-4.4/mips-disable-branch-profiling-in-boot-decompress.o.patch b/queue-4.4/mips-disable-branch-profiling-in-boot-decompress.o.patch new file mode 100644 index 00000000000..3110ea14b1d --- /dev/null +++ b/queue-4.4/mips-disable-branch-profiling-in-boot-decompress.o.patch @@ -0,0 +1,48 @@ +From d8b28fbc6918a744455c2dfcd0deb290601dd189 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jul 2021 16:02:11 -0700 +Subject: mips: disable branch profiling in boot/decompress.o + +From: Randy Dunlap + +[ Upstream commit 97e488073cfca0eea84450169ca4cbfcc64e33e3 ] + +Use DISABLE_BRANCH_PROFILING for arch/mips/boot/compressed/decompress.o +to prevent linkage errors. + +mips64-linux-ld: arch/mips/boot/compressed/decompress.o: in function `LZ4_decompress_fast_extDict': +decompress.c:(.text+0x8c): undefined reference to `ftrace_likely_update' +mips64-linux-ld: decompress.c:(.text+0xf4): undefined reference to `ftrace_likely_update' +mips64-linux-ld: decompress.c:(.text+0x200): undefined reference to `ftrace_likely_update' +mips64-linux-ld: decompress.c:(.text+0x230): undefined reference to `ftrace_likely_update' +mips64-linux-ld: decompress.c:(.text+0x320): undefined reference to `ftrace_likely_update' +mips64-linux-ld: arch/mips/boot/compressed/decompress.o:decompress.c:(.text+0x3f4): more undefined references to `ftrace_likely_update' follow + +Fixes: e76e1fdfa8f8 ("lib: add support for LZ4-compressed kernel") +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: Kyungsik Lee +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/boot/compressed/decompress.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/mips/boot/compressed/decompress.c b/arch/mips/boot/compressed/decompress.c +index 080cd53bac36..a1a54a3af03b 100644 +--- a/arch/mips/boot/compressed/decompress.c ++++ b/arch/mips/boot/compressed/decompress.c +@@ -11,6 +11,8 @@ + * option) any later version. + */ + ++#define DISABLE_BRANCH_PROFILING ++ + #include + #include + #include +-- +2.30.2 + diff --git a/queue-4.4/mips-vdso-invalid-gic-access-through-vdso.patch b/queue-4.4/mips-vdso-invalid-gic-access-through-vdso.patch new file mode 100644 index 00000000000..3d035aa8a8f --- /dev/null +++ b/queue-4.4/mips-vdso-invalid-gic-access-through-vdso.patch @@ -0,0 +1,65 @@ +From f684892186086766db956fc5aec62fe68c099937 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 02:03:54 +0200 +Subject: MIPS: vdso: Invalid GIC access through VDSO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Fäcknitz + +[ Upstream commit 47ce8527fbba145a7723685bc9a27d9855e06491 ] + +Accessing raw timers (currently only CLOCK_MONOTONIC_RAW) through VDSO +doesn't return the correct time when using the GIC as clock source. +The address of the GIC mapped page is in this case not calculated +correctly. The GIC mapped page is calculated from the VDSO data by +subtracting PAGE_SIZE: + + void *get_gic(const struct vdso_data *data) { + return (void __iomem *)data - PAGE_SIZE; + } + +However, the data pointer is not page aligned for raw clock sources. +This is because the VDSO data for raw clock sources (CS_RAW = 1) is +stored after the VDSO data for coarse clock sources (CS_HRES_COARSE = 0). +Therefore, only the VDSO data for CS_HRES_COARSE is page aligned: + + +--------------------+ + | | + | vd[CS_RAW] | ---+ + | vd[CS_HRES_COARSE] | | + +--------------------+ | -PAGE_SIZE + | | | + | GIC mapped page | <--+ + | | + +--------------------+ + +When __arch_get_hw_counter() is called with &vd[CS_RAW], get_gic returns +the wrong address (somewhere inside the GIC mapped page). The GIC counter +values are not returned which results in an invalid time. + +Fixes: a7f4df4e21dd ("MIPS: VDSO: Add implementations of gettimeofday() and clock_gettime()") +Signed-off-by: Martin Fäcknitz +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/vdso/vdso.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/vdso/vdso.h b/arch/mips/vdso/vdso.h +index cfb1be441dec..921589b45bc2 100644 +--- a/arch/mips/vdso/vdso.h ++++ b/arch/mips/vdso/vdso.h +@@ -81,7 +81,7 @@ static inline const union mips_vdso_data *get_vdso_data(void) + + static inline void __iomem *get_gic(const union mips_vdso_data *data) + { +- return (void __iomem *)data - PAGE_SIZE; ++ return (void __iomem *)((unsigned long)data & PAGE_MASK) - PAGE_SIZE; + } + + #endif /* CONFIG_CLKSRC_MIPS_GIC */ +-- +2.30.2 + diff --git a/queue-4.4/misc-libmasm-module-fix-two-use-after-free-in-ibmasm.patch b/queue-4.4/misc-libmasm-module-fix-two-use-after-free-in-ibmasm.patch new file mode 100644 index 00000000000..855dc8fb12a --- /dev/null +++ b/queue-4.4/misc-libmasm-module-fix-two-use-after-free-in-ibmasm.patch @@ -0,0 +1,58 @@ +From 1e610d354615c13632e15554bbfcc037431b3ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Apr 2021 10:06:20 -0700 +Subject: misc/libmasm/module: Fix two use after free in ibmasm_init_one + +From: Lv Yunlong + +[ Upstream commit 7272b591c4cb9327c43443f67b8fbae7657dd9ae ] + +In ibmasm_init_one, it calls ibmasm_init_remote_input_dev(). +Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are +allocated by input_allocate_device(), and assigned to +sp->remote.mouse_dev and sp->remote.keybd_dev respectively. + +In the err_free_devices error branch of ibmasm_init_one, +mouse_dev and keybd_dev are freed by input_free_device(), and return +error. Then the execution runs into error_send_message error branch +of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called +to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev. + +My patch add a "error_init_remote" label to handle the error of +ibmasm_init_remote_input_dev(), to avoid the uaf bugs. + +Signed-off-by: Lv Yunlong +Link: https://lore.kernel.org/r/20210426170620.10546-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/ibmasm/module.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c +index 6b3bf9ab051d..706decef68a0 100644 +--- a/drivers/misc/ibmasm/module.c ++++ b/drivers/misc/ibmasm/module.c +@@ -123,7 +123,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + result = ibmasm_init_remote_input_dev(sp); + if (result) { + dev_err(sp->dev, "Failed to initialize remote queue\n"); +- goto error_send_message; ++ goto error_init_remote; + } + + result = ibmasm_send_driver_vpd(sp); +@@ -143,8 +143,9 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + return 0; + + error_send_message: +- disable_sp_interrupts(sp->base_address); + ibmasm_free_remote_input_dev(sp); ++error_init_remote: ++ disable_sp_interrupts(sp->base_address); + free_irq(sp->irq, (void *)sp); + error_request_irq: + iounmap(sp->base_address); +-- +2.30.2 + diff --git a/queue-4.4/nfs-fix-acl-memory-leak-of-posix_acl_create.patch b/queue-4.4/nfs-fix-acl-memory-leak-of-posix_acl_create.patch new file mode 100644 index 00000000000..616740cf9cd --- /dev/null +++ b/queue-4.4/nfs-fix-acl-memory-leak-of-posix_acl_create.patch @@ -0,0 +1,50 @@ +From 800880c3bcdb1f55b9acf1e79ece0d48bda2d01b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 12:20:55 +0800 +Subject: nfs: fix acl memory leak of posix_acl_create() + +From: Gao Xiang + +[ Upstream commit 1fcb6fcd74a222d9ead54d405842fc763bb86262 ] + +When looking into another nfs xfstests report, I found acl and +default_acl in nfs3_proc_create() and nfs3_proc_mknod() error +paths are possibly leaked. Fix them in advance. + +Fixes: 013cdf1088d7 ("nfs: use generic posix ACL infrastructure for v3 Posix ACLs") +Cc: Trond Myklebust +Cc: Anna Schumaker +Cc: Christoph Hellwig +Cc: Joseph Qi +Signed-off-by: Gao Xiang +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs3proc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c +index cb28cceefebe..9f365b004453 100644 +--- a/fs/nfs/nfs3proc.c ++++ b/fs/nfs/nfs3proc.c +@@ -363,7 +363,7 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr, + break; + + case NFS3_CREATE_UNCHECKED: +- goto out; ++ goto out_release_acls; + } + nfs_fattr_init(data->res.dir_attr); + nfs_fattr_init(data->res.fattr); +@@ -708,7 +708,7 @@ nfs3_proc_mknod(struct inode *dir, struct dentry *dentry, struct iattr *sattr, + break; + default: + status = -EINVAL; +- goto out; ++ goto out_release_acls; + } + + status = nfs3_do_create(dir, dentry, data); +-- +2.30.2 + diff --git a/queue-4.4/pci-sysfs-fix-dsm_label_utf16s_to_utf8s-buffer-overr.patch b/queue-4.4/pci-sysfs-fix-dsm_label_utf16s_to_utf8s-buffer-overr.patch new file mode 100644 index 00000000000..e65a7da3fe1 --- /dev/null +++ b/queue-4.4/pci-sysfs-fix-dsm_label_utf16s_to_utf8s-buffer-overr.patch @@ -0,0 +1,47 @@ +From 94e4a8a8e555ff26e8408404bae02c3db236ece7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 00:01:12 +0000 +Subject: PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Wilczyński + +[ Upstream commit bdcdaa13ad96f1a530711c29e6d4b8311eff767c ] + +"utf16s_to_utf8s(..., buf, PAGE_SIZE)" puts up to PAGE_SIZE bytes into +"buf" and returns the number of bytes it actually put there. If it wrote +PAGE_SIZE bytes, the newline added by dsm_label_utf16s_to_utf8s() would +overrun "buf". + +Reduce the size available for utf16s_to_utf8s() to use so there is always +space for the newline. + +[bhelgaas: reorder patch in series, commit log] +Fixes: 6058989bad05 ("PCI: Export ACPI _DSM provided firmware instance number and string name to sysfs") +Link: https://lore.kernel.org/r/20210603000112.703037-7-kw@linux.com +Reported-by: Joe Perches +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-label.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pci-label.c b/drivers/pci/pci-label.c +index 024b5c179348..7d200a88cd74 100644 +--- a/drivers/pci/pci-label.c ++++ b/drivers/pci/pci-label.c +@@ -157,7 +157,7 @@ static void dsm_label_utf16s_to_utf8s(union acpi_object *obj, char *buf) + len = utf16s_to_utf8s((const wchar_t *)obj->buffer.pointer, + obj->buffer.length, + UTF16_LITTLE_ENDIAN, +- buf, PAGE_SIZE); ++ buf, PAGE_SIZE - 1); + buf[len] = '\n'; + } + +-- +2.30.2 + diff --git a/queue-4.4/power-reset-gpio-poweroff-add-missing-module_device_.patch b/queue-4.4/power-reset-gpio-poweroff-add-missing-module_device_.patch new file mode 100644 index 00000000000..ec2a10061d4 --- /dev/null +++ b/queue-4.4/power-reset-gpio-poweroff-add-missing-module_device_.patch @@ -0,0 +1,36 @@ +From b181057a6650631f5eee4f7cb743e1cda7e92186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 11:14:59 +0800 +Subject: power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE + +From: Bixuan Cui + +[ Upstream commit ed3443fb4df4e140a22f65144546c8a8e1e27f4e ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/gpio-poweroff.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/reset/gpio-poweroff.c b/drivers/power/reset/gpio-poweroff.c +index be3d81ff51cc..a44e3427fdeb 100644 +--- a/drivers/power/reset/gpio-poweroff.c ++++ b/drivers/power/reset/gpio-poweroff.c +@@ -84,6 +84,7 @@ static const struct of_device_id of_gpio_poweroff_match[] = { + { .compatible = "gpio-poweroff", }, + {}, + }; ++MODULE_DEVICE_TABLE(of, of_gpio_poweroff_match); + + static struct platform_driver gpio_poweroff_driver = { + .probe = gpio_poweroff_probe, +-- +2.30.2 + diff --git a/queue-4.4/power-supply-ab8500-add-missing-module_device_table.patch b/queue-4.4/power-supply-ab8500-add-missing-module_device_table.patch new file mode 100644 index 00000000000..8ca7de097b0 --- /dev/null +++ b/queue-4.4/power-supply-ab8500-add-missing-module_device_table.patch @@ -0,0 +1,62 @@ +From 039bca84c49c08f2f92f5d805c9ac25d3748a7f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jun 2021 09:21:41 +0800 +Subject: power: supply: ab8500: add missing MODULE_DEVICE_TABLE + +From: Zou Wei + +[ Upstream commit dfe52db13ab8d24857a9840ec7ca75eef800c26c ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/ab8500_btemp.c | 1 + + drivers/power/ab8500_charger.c | 1 + + drivers/power/ab8500_fg.c | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/drivers/power/ab8500_btemp.c b/drivers/power/ab8500_btemp.c +index 8f8044e1acf3..24732df01cf9 100644 +--- a/drivers/power/ab8500_btemp.c ++++ b/drivers/power/ab8500_btemp.c +@@ -1186,6 +1186,7 @@ static const struct of_device_id ab8500_btemp_match[] = { + { .compatible = "stericsson,ab8500-btemp", }, + { }, + }; ++MODULE_DEVICE_TABLE(of, ab8500_btemp_match); + + static struct platform_driver ab8500_btemp_driver = { + .probe = ab8500_btemp_probe, +diff --git a/drivers/power/ab8500_charger.c b/drivers/power/ab8500_charger.c +index 98724c3a28e5..1a7013ec0caf 100644 +--- a/drivers/power/ab8500_charger.c ++++ b/drivers/power/ab8500_charger.c +@@ -3756,6 +3756,7 @@ static const struct of_device_id ab8500_charger_match[] = { + { .compatible = "stericsson,ab8500-charger", }, + { }, + }; ++MODULE_DEVICE_TABLE(of, ab8500_charger_match); + + static struct platform_driver ab8500_charger_driver = { + .probe = ab8500_charger_probe, +diff --git a/drivers/power/ab8500_fg.c b/drivers/power/ab8500_fg.c +index d91111200dde..c58b496ca05a 100644 +--- a/drivers/power/ab8500_fg.c ++++ b/drivers/power/ab8500_fg.c +@@ -3239,6 +3239,7 @@ static const struct of_device_id ab8500_fg_match[] = { + { .compatible = "stericsson,ab8500-fg", }, + { }, + }; ++MODULE_DEVICE_TABLE(of, ab8500_fg_match); + + static struct platform_driver ab8500_fg_driver = { + .probe = ab8500_fg_probe, +-- +2.30.2 + diff --git a/queue-4.4/power-supply-ab8500-avoid-null-pointers.patch b/queue-4.4/power-supply-ab8500-avoid-null-pointers.patch new file mode 100644 index 00000000000..efaab7e6bb9 --- /dev/null +++ b/queue-4.4/power-supply-ab8500-avoid-null-pointers.patch @@ -0,0 +1,60 @@ +From 25dc9abfc4fdcb9a5f8bc575059b51c01b1f3cca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 May 2021 00:50:41 +0200 +Subject: power: supply: ab8500: Avoid NULL pointers + +From: Linus Walleij + +[ Upstream commit 5bcb5087c9dd3dca1ff0ebd8002c5313c9332b56 ] + +Sometimes the code will crash because we haven't enabled +AC or USB charging and thus not created the corresponding +psy device. Fix it by checking that it is there before +notifying. + +Signed-off-by: Linus Walleij +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/ab8500_charger.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/ab8500_charger.c b/drivers/power/ab8500_charger.c +index e388171f4e58..98724c3a28e5 100644 +--- a/drivers/power/ab8500_charger.c ++++ b/drivers/power/ab8500_charger.c +@@ -409,6 +409,14 @@ disable_otp: + static void ab8500_power_supply_changed(struct ab8500_charger *di, + struct power_supply *psy) + { ++ /* ++ * This happens if we get notifications or interrupts and ++ * the platform has been configured not to support one or ++ * other type of charging. ++ */ ++ if (!psy) ++ return; ++ + if (di->autopower_cfg) { + if (!di->usb.charger_connected && + !di->ac.charger_connected && +@@ -435,7 +443,15 @@ static void ab8500_charger_set_usb_connected(struct ab8500_charger *di, + if (!connected) + di->flags.vbus_drop_end = false; + +- sysfs_notify(&di->usb_chg.psy->dev.kobj, NULL, "present"); ++ /* ++ * Sometimes the platform is configured not to support ++ * USB charging and no psy has been created, but we still ++ * will get these notifications. ++ */ ++ if (di->usb_chg.psy) { ++ sysfs_notify(&di->usb_chg.psy->dev.kobj, NULL, ++ "present"); ++ } + + if (connected) { + mutex_lock(&di->charger_attached_mutex); +-- +2.30.2 + diff --git a/queue-4.4/power-supply-charger-manager-add-missing-module_devi.patch b/queue-4.4/power-supply-charger-manager-add-missing-module_devi.patch new file mode 100644 index 00000000000..0de44d5262b --- /dev/null +++ b/queue-4.4/power-supply-charger-manager-add-missing-module_devi.patch @@ -0,0 +1,36 @@ +From 51b8878c2f15b44815ffa1168e5a97aaaf36b6d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jun 2021 09:21:54 +0800 +Subject: power: supply: charger-manager: add missing MODULE_DEVICE_TABLE + +From: Zou Wei + +[ Upstream commit 073b5d5b1f9cc94a3eea25279fbafee3f4f5f097 ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/charger-manager.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/charger-manager.c b/drivers/power/charger-manager.c +index 1ea5d1aa268b..6656f847ed93 100644 +--- a/drivers/power/charger-manager.c ++++ b/drivers/power/charger-manager.c +@@ -1490,6 +1490,7 @@ static const struct of_device_id charger_manager_match[] = { + }, + {}, + }; ++MODULE_DEVICE_TABLE(of, charger_manager_match); + + static struct charger_desc *of_cm_parse_desc(struct device *dev) + { +-- +2.30.2 + diff --git a/queue-4.4/powerpc-boot-fixup-device-tree-on-little-endian.patch b/queue-4.4/powerpc-boot-fixup-device-tree-on-little-endian.patch new file mode 100644 index 00000000000..ddd332d27dc --- /dev/null +++ b/queue-4.4/powerpc-boot-fixup-device-tree-on-little-endian.patch @@ -0,0 +1,243 @@ +From 51c3ec9cbed0252b80b9c51605b6e5abc96916dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 13:49:00 +1000 +Subject: powerpc/boot: Fixup device-tree on little endian + +From: Benjamin Herrenschmidt + +[ Upstream commit c93f80849bdd9b45d834053ae1336e28f0026c84 ] + +This fixes the core devtree.c functions and the ns16550 UART backend. + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Paul Mackerras +Reviewed-by: Segher Boessenkool +Acked-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/YMwXrPT8nc4YUdJ9@thinks.paulus.ozlabs.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/devtree.c | 59 +++++++++++++++++++++---------------- + arch/powerpc/boot/ns16550.c | 9 ++++-- + 2 files changed, 41 insertions(+), 27 deletions(-) + +diff --git a/arch/powerpc/boot/devtree.c b/arch/powerpc/boot/devtree.c +index a7e21a35c03a..27c84b82b588 100644 +--- a/arch/powerpc/boot/devtree.c ++++ b/arch/powerpc/boot/devtree.c +@@ -17,6 +17,7 @@ + #include "string.h" + #include "stdio.h" + #include "ops.h" ++#include "of.h" + + void dt_fixup_memory(u64 start, u64 size) + { +@@ -27,21 +28,25 @@ void dt_fixup_memory(u64 start, u64 size) + root = finddevice("/"); + if (getprop(root, "#address-cells", &naddr, sizeof(naddr)) < 0) + naddr = 2; ++ else ++ naddr = be32_to_cpu(naddr); + if (naddr < 1 || naddr > 2) + fatal("Can't cope with #address-cells == %d in /\n\r", naddr); + + if (getprop(root, "#size-cells", &nsize, sizeof(nsize)) < 0) + nsize = 1; ++ else ++ nsize = be32_to_cpu(nsize); + if (nsize < 1 || nsize > 2) + fatal("Can't cope with #size-cells == %d in /\n\r", nsize); + + i = 0; + if (naddr == 2) +- memreg[i++] = start >> 32; +- memreg[i++] = start & 0xffffffff; ++ memreg[i++] = cpu_to_be32(start >> 32); ++ memreg[i++] = cpu_to_be32(start & 0xffffffff); + if (nsize == 2) +- memreg[i++] = size >> 32; +- memreg[i++] = size & 0xffffffff; ++ memreg[i++] = cpu_to_be32(size >> 32); ++ memreg[i++] = cpu_to_be32(size & 0xffffffff); + + memory = finddevice("/memory"); + if (! memory) { +@@ -49,9 +54,9 @@ void dt_fixup_memory(u64 start, u64 size) + setprop_str(memory, "device_type", "memory"); + } + +- printf("Memory <- <0x%x", memreg[0]); ++ printf("Memory <- <0x%x", be32_to_cpu(memreg[0])); + for (i = 1; i < (naddr + nsize); i++) +- printf(" 0x%x", memreg[i]); ++ printf(" 0x%x", be32_to_cpu(memreg[i])); + printf("> (%ldMB)\n\r", (unsigned long)(size >> 20)); + + setprop(memory, "reg", memreg, (naddr + nsize)*sizeof(u32)); +@@ -69,10 +74,10 @@ void dt_fixup_cpu_clocks(u32 cpu, u32 tb, u32 bus) + printf("CPU bus-frequency <- 0x%x (%dMHz)\n\r", bus, MHZ(bus)); + + while ((devp = find_node_by_devtype(devp, "cpu"))) { +- setprop_val(devp, "clock-frequency", cpu); +- setprop_val(devp, "timebase-frequency", tb); ++ setprop_val(devp, "clock-frequency", cpu_to_be32(cpu)); ++ setprop_val(devp, "timebase-frequency", cpu_to_be32(tb)); + if (bus > 0) +- setprop_val(devp, "bus-frequency", bus); ++ setprop_val(devp, "bus-frequency", cpu_to_be32(bus)); + } + + timebase_period_ns = 1000000000 / tb; +@@ -84,7 +89,7 @@ void dt_fixup_clock(const char *path, u32 freq) + + if (devp) { + printf("%s: clock-frequency <- %x (%dMHz)\n\r", path, freq, MHZ(freq)); +- setprop_val(devp, "clock-frequency", freq); ++ setprop_val(devp, "clock-frequency", cpu_to_be32(freq)); + } + } + +@@ -137,8 +142,12 @@ void dt_get_reg_format(void *node, u32 *naddr, u32 *nsize) + { + if (getprop(node, "#address-cells", naddr, 4) != 4) + *naddr = 2; ++ else ++ *naddr = be32_to_cpu(*naddr); + if (getprop(node, "#size-cells", nsize, 4) != 4) + *nsize = 1; ++ else ++ *nsize = be32_to_cpu(*nsize); + } + + static void copy_val(u32 *dest, u32 *src, int naddr) +@@ -167,9 +176,9 @@ static int add_reg(u32 *reg, u32 *add, int naddr) + int i, carry = 0; + + for (i = MAX_ADDR_CELLS - 1; i >= MAX_ADDR_CELLS - naddr; i--) { +- u64 tmp = (u64)reg[i] + add[i] + carry; ++ u64 tmp = (u64)be32_to_cpu(reg[i]) + be32_to_cpu(add[i]) + carry; + carry = tmp >> 32; +- reg[i] = (u32)tmp; ++ reg[i] = cpu_to_be32((u32)tmp); + } + + return !carry; +@@ -184,18 +193,18 @@ static int compare_reg(u32 *reg, u32 *range, u32 *rangesize) + u32 end; + + for (i = 0; i < MAX_ADDR_CELLS; i++) { +- if (reg[i] < range[i]) ++ if (be32_to_cpu(reg[i]) < be32_to_cpu(range[i])) + return 0; +- if (reg[i] > range[i]) ++ if (be32_to_cpu(reg[i]) > be32_to_cpu(range[i])) + break; + } + + for (i = 0; i < MAX_ADDR_CELLS; i++) { +- end = range[i] + rangesize[i]; ++ end = be32_to_cpu(range[i]) + be32_to_cpu(rangesize[i]); + +- if (reg[i] < end) ++ if (be32_to_cpu(reg[i]) < end) + break; +- if (reg[i] > end) ++ if (be32_to_cpu(reg[i]) > end) + return 0; + } + +@@ -244,7 +253,6 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr, + return 0; + + dt_get_reg_format(parent, &naddr, &nsize); +- + if (nsize > 2) + return 0; + +@@ -256,10 +264,10 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr, + + copy_val(last_addr, prop_buf + offset, naddr); + +- ret_size = prop_buf[offset + naddr]; ++ ret_size = be32_to_cpu(prop_buf[offset + naddr]); + if (nsize == 2) { + ret_size <<= 32; +- ret_size |= prop_buf[offset + naddr + 1]; ++ ret_size |= be32_to_cpu(prop_buf[offset + naddr + 1]); + } + + for (;;) { +@@ -282,7 +290,6 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr, + + offset = find_range(last_addr, prop_buf, prev_naddr, + naddr, prev_nsize, buflen / 4); +- + if (offset < 0) + return 0; + +@@ -300,8 +307,7 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr, + if (naddr > 2) + return 0; + +- ret_addr = ((u64)last_addr[2] << 32) | last_addr[3]; +- ++ ret_addr = ((u64)be32_to_cpu(last_addr[2]) << 32) | be32_to_cpu(last_addr[3]); + if (sizeof(void *) == 4 && + (ret_addr >= 0x100000000ULL || ret_size > 0x100000000ULL || + ret_addr + ret_size > 0x100000000ULL)) +@@ -354,11 +360,14 @@ int dt_is_compatible(void *node, const char *compat) + int dt_get_virtual_reg(void *node, void **addr, int nres) + { + unsigned long xaddr; +- int n; ++ int n, i; + + n = getprop(node, "virtual-reg", addr, nres * 4); +- if (n > 0) ++ if (n > 0) { ++ for (i = 0; i < n/4; i ++) ++ ((u32 *)addr)[i] = be32_to_cpu(((u32 *)addr)[i]); + return n / 4; ++ } + + for (n = 0; n < nres; n++) { + if (!dt_xlate_reg(node, n, &xaddr, NULL)) +diff --git a/arch/powerpc/boot/ns16550.c b/arch/powerpc/boot/ns16550.c +index 8c9ead94be06..cea34a20085c 100644 +--- a/arch/powerpc/boot/ns16550.c ++++ b/arch/powerpc/boot/ns16550.c +@@ -14,6 +14,7 @@ + #include "stdio.h" + #include "io.h" + #include "ops.h" ++#include "of.h" + + #define UART_DLL 0 /* Out: Divisor Latch Low */ + #define UART_DLM 1 /* Out: Divisor Latch High */ +@@ -57,16 +58,20 @@ int ns16550_console_init(void *devp, struct serial_console_data *scdp) + int n; + u32 reg_offset; + +- if (dt_get_virtual_reg(devp, (void **)®_base, 1) < 1) ++ if (dt_get_virtual_reg(devp, (void **)®_base, 1) < 1) { ++ printf("virt reg parse fail...\r\n"); + return -1; ++ } + + n = getprop(devp, "reg-offset", ®_offset, sizeof(reg_offset)); + if (n == sizeof(reg_offset)) +- reg_base += reg_offset; ++ reg_base += be32_to_cpu(reg_offset); + + n = getprop(devp, "reg-shift", ®_shift, sizeof(reg_shift)); + if (n != sizeof(reg_shift)) + reg_shift = 0; ++ else ++ reg_shift = be32_to_cpu(reg_shift); + + scdp->open = ns16550_open; + scdp->putc = ns16550_putc; +-- +2.30.2 + diff --git a/queue-4.4/powerpc-ps3-add-dma_mask-to-ps3_dma_region.patch b/queue-4.4/powerpc-ps3-add-dma_mask-to-ps3_dma_region.patch new file mode 100644 index 00000000000..3f470416afa --- /dev/null +++ b/queue-4.4/powerpc-ps3-add-dma_mask-to-ps3_dma_region.patch @@ -0,0 +1,93 @@ +From 7e8f1b6bc3cd9b1aaa5eb1d7dba20da2a4b3459a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 19:17:02 +0000 +Subject: powerpc/ps3: Add dma_mask to ps3_dma_region + +From: Geoff Levand + +[ Upstream commit 9733862e50fdba55e7f1554e4286fcc5302ff28e ] + +Commit f959dcd6ddfd29235030e8026471ac1b022ad2b0 (dma-direct: Fix +potential NULL pointer dereference) added a null check on the +dma_mask pointer of the kernel's device structure. + +Add a dma_mask variable to the ps3_dma_region structure and set +the device structure's dma_mask pointer to point to this new variable. + +Fixes runtime errors like these: +# WARNING: Fixes tag on line 10 doesn't match correct format +# WARNING: Fixes tag on line 10 doesn't match correct format + + ps3_system_bus_match:349: dev=8.0(sb_01), drv=8.0(ps3flash): match + WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:151 .dma_map_page_attrs+0x34/0x1e0 + ps3flash sb_01: ps3stor_setup:193: map DMA region failed + +Signed-off-by: Geoff Levand +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/562d0c9ea0100a30c3b186bcc7adb34b0bbd2cd7.1622746428.git.geoff@infradead.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/ps3.h | 2 ++ + arch/powerpc/platforms/ps3/mm.c | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/arch/powerpc/include/asm/ps3.h b/arch/powerpc/include/asm/ps3.h +index a1bc7e758422..2d729b53a556 100644 +--- a/arch/powerpc/include/asm/ps3.h ++++ b/arch/powerpc/include/asm/ps3.h +@@ -83,6 +83,7 @@ struct ps3_dma_region_ops; + * @bus_addr: The 'translated' bus address of the region. + * @len: The length in bytes of the region. + * @offset: The offset from the start of memory of the region. ++ * @dma_mask: Device dma_mask. + * @ioid: The IOID of the device who owns this region + * @chunk_list: Opaque variable used by the ioc page manager. + * @region_ops: struct ps3_dma_region_ops - dma region operations +@@ -97,6 +98,7 @@ struct ps3_dma_region { + enum ps3_dma_region_type region_type; + unsigned long len; + unsigned long offset; ++ u64 dma_mask; + + /* driver variables (set by ps3_dma_region_create) */ + unsigned long bus_addr; +diff --git a/arch/powerpc/platforms/ps3/mm.c b/arch/powerpc/platforms/ps3/mm.c +index 19bae78b1f25..76cbf1be9962 100644 +--- a/arch/powerpc/platforms/ps3/mm.c ++++ b/arch/powerpc/platforms/ps3/mm.c +@@ -18,6 +18,7 @@ + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + ++#include + #include + #include + #include +@@ -1132,6 +1133,7 @@ int ps3_dma_region_init(struct ps3_system_bus_device *dev, + enum ps3_dma_region_type region_type, void *addr, unsigned long len) + { + unsigned long lpar_addr; ++ int result; + + lpar_addr = addr ? ps3_mm_phys_to_lpar(__pa(addr)) : 0; + +@@ -1143,6 +1145,16 @@ int ps3_dma_region_init(struct ps3_system_bus_device *dev, + r->offset -= map.r1.offset; + r->len = len ? len : _ALIGN_UP(map.total, 1 << r->page_size); + ++ dev->core.dma_mask = &r->dma_mask; ++ ++ result = dma_set_mask_and_coherent(&dev->core, DMA_BIT_MASK(32)); ++ ++ if (result < 0) { ++ dev_err(&dev->core, "%s:%d: dma_set_mask_and_coherent failed: %d\n", ++ __func__, __LINE__, result); ++ return result; ++ } ++ + switch (dev->dev_type) { + case PS3_DEVICE_TYPE_SB: + r->region_ops = (USE_DYNAMIC_DMA) +-- +2.30.2 + diff --git a/queue-4.4/pwm-spear-don-t-modify-hw-state-in-.remove-callback.patch b/queue-4.4/pwm-spear-don-t-modify-hw-state-in-.remove-callback.patch new file mode 100644 index 00000000000..30d3236b7f1 --- /dev/null +++ b/queue-4.4/pwm-spear-don-t-modify-hw-state-in-.remove-callback.patch @@ -0,0 +1,45 @@ +From db09ca7140404450c92ef945f4ef496ba4c075f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 11:05:24 +0200 +Subject: pwm: spear: Don't modify HW state in .remove callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit b601a18f12383001e7a8da238de7ca1559ebc450 ] + +A consumer is expected to disable a PWM before calling pwm_put(). And if +they didn't there is hopefully a good reason (or the consumer needs +fixing). Also if disabling an enabled PWM was the right thing to do, +this should better be done in the framework instead of in each low level +driver. + +So drop the hardware modification from the .remove() callback. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-spear.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/pwm/pwm-spear.c b/drivers/pwm/pwm-spear.c +index 6c6b44fd3f43..2d11ac277de8 100644 +--- a/drivers/pwm/pwm-spear.c ++++ b/drivers/pwm/pwm-spear.c +@@ -231,10 +231,6 @@ static int spear_pwm_probe(struct platform_device *pdev) + static int spear_pwm_remove(struct platform_device *pdev) + { + struct spear_pwm_chip *pc = platform_get_drvdata(pdev); +- int i; +- +- for (i = 0; i < NUM_PWM; i++) +- pwm_disable(&pc->chip.pwms[i]); + + /* clk was prepared in probe, hence unprepare it here */ + clk_unprepare(pc->clk); +-- +2.30.2 + diff --git a/queue-4.4/revert-alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-.patch b/queue-4.4/revert-alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-.patch new file mode 100644 index 00000000000..ce99d585fae --- /dev/null +++ b/queue-4.4/revert-alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-.patch @@ -0,0 +1,80 @@ +From 916489b5285bbed93336bd0fd4cc602a9f771829 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 17:45:47 +0900 +Subject: Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" + +From: Takashi Sakamoto + +[ Upstream commit 5d6fb80a142b5994355ce675c517baba6089d199 ] + +This reverts commit 0edabdfe89581669609eaac5f6a8d0ae6fe95e7f. + +I've explained that optional FireWire card for d.2 is also built-in to +d.2 Pro, however it's wrong. The optional card uses DM1000 ASIC and has +'Mackie DJ Mixer' in its model name of configuration ROM. On the other +hand, built-in FireWire card for d.2 Pro and d.4 Pro uses OXFW971 ASIC +and has 'd.Pro' in its model name according to manuals and user +experiences. The former card is not the card for d.2 Pro. They are similar +in appearance but different internally. + +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20210518084557.102681-2-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/Kconfig | 4 ++-- + sound/firewire/bebob/bebob.c | 2 +- + sound/firewire/oxfw/oxfw.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/firewire/Kconfig b/sound/firewire/Kconfig +index fdc01466d143..4199cfc4a96a 100644 +--- a/sound/firewire/Kconfig ++++ b/sound/firewire/Kconfig +@@ -36,7 +36,7 @@ config SND_OXFW + * Mackie(Loud) Onyx-i series (former models) + * Mackie(Loud) Onyx Satellite + * Mackie(Loud) Tapco Link.Firewire +- * Mackie(Loud) d.4 pro ++ * Mackie(Loud) d.2 pro/d.4 pro (built-in FireWire card with OXFW971 ASIC) + * Mackie(Loud) U.420/U.420d + * TASCAM FireOne + +@@ -91,7 +91,7 @@ config SND_BEBOB + * PreSonus FIREBOX/FIREPOD/FP10/Inspire1394 + * BridgeCo RDAudio1/Audio5 + * Mackie Onyx 1220/1620/1640 (FireWire I/O Card) +- * Mackie d.2 (FireWire Option) and d.2 Pro ++ * Mackie d.2 (optional FireWire card with DM1000 ASIC) + * Stanton FinalScratch 2 (ScratchAmp) + * Tascam IF-FW/DM + * Behringer XENIX UFX 1204/1604 +diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c +index 088250ff2429..64dca7931272 100644 +--- a/sound/firewire/bebob/bebob.c ++++ b/sound/firewire/bebob/bebob.c +@@ -362,7 +362,7 @@ static const struct ieee1394_device_id bebob_id_table[] = { + SND_BEBOB_DEV_ENTRY(VEN_BRIDGECO, 0x00010049, &spec_normal), + /* Mackie, Onyx 1220/1620/1640 (Firewire I/O Card) */ + SND_BEBOB_DEV_ENTRY(VEN_MACKIE2, 0x00010065, &spec_normal), +- // Mackie, d.2 (Firewire option card) and d.2 Pro (the card is built-in). ++ // Mackie, d.2 (optional Firewire card with DM1000). + SND_BEBOB_DEV_ENTRY(VEN_MACKIE1, 0x00010067, &spec_normal), + /* Stanton, ScratchAmp */ + SND_BEBOB_DEV_ENTRY(VEN_STANTON, 0x00000001, &spec_normal), +diff --git a/sound/firewire/oxfw/oxfw.c b/sound/firewire/oxfw/oxfw.c +index 2d310bf2f2b2..c700e11ab327 100644 +--- a/sound/firewire/oxfw/oxfw.c ++++ b/sound/firewire/oxfw/oxfw.c +@@ -320,7 +320,7 @@ static const struct ieee1394_device_id oxfw_id_table[] = { + * Onyx-i series (former models): 0x081216 + * Mackie Onyx Satellite: 0x00200f + * Tapco LINK.firewire 4x6: 0x000460 +- * d.4 pro: Unknown ++ * d.2 pro/d.4 pro (built-in card): Unknown + * U.420: Unknown + * U.420d: Unknown + */ +-- +2.30.2 + diff --git a/queue-4.4/rtc-fix-snprintf-checking-in-is_rtc_hctosys.patch b/queue-4.4/rtc-fix-snprintf-checking-in-is_rtc_hctosys.patch new file mode 100644 index 00000000000..c230e392015 --- /dev/null +++ b/queue-4.4/rtc-fix-snprintf-checking-in-is_rtc_hctosys.patch @@ -0,0 +1,44 @@ +From cf45095adafe4bacab576d8125b192eb831e236e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 10:19:26 +0300 +Subject: rtc: fix snprintf() checking in is_rtc_hctosys() + +From: Dan Carpenter + +[ Upstream commit 54b909436ede47e0ee07f1765da27ec2efa41e84 ] + +The scnprintf() function silently truncates the printf() and returns +the number bytes that it was able to copy (not counting the NUL +terminator). Thus, the highest value it can return here is +"NAME_SIZE - 1" and the overflow check is dead code. Fix this by +using the snprintf() function which returns the number of bytes that +would have been copied if there was enough space and changing the +condition from "> NAME_SIZE" to ">= NAME_SIZE". + +Fixes: 92589c986b33 ("rtc-proc: permit the /proc/driver/rtc device to use other devices") +Signed-off-by: Dan Carpenter +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/YJov/pcGmhLi2pEl@mwanda +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-proc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/rtc/rtc-proc.c b/drivers/rtc/rtc-proc.c +index ffa69e1c9245..4f10cb1561cc 100644 +--- a/drivers/rtc/rtc-proc.c ++++ b/drivers/rtc/rtc-proc.c +@@ -26,8 +26,8 @@ static bool is_rtc_hctosys(struct rtc_device *rtc) + int size; + char name[NAME_SIZE]; + +- size = scnprintf(name, NAME_SIZE, "rtc%d", rtc->id); +- if (size > NAME_SIZE) ++ size = snprintf(name, NAME_SIZE, "rtc%d", rtc->id); ++ if (size >= NAME_SIZE) + return false; + + return !strncmp(name, CONFIG_RTC_HCTOSYS_DEVICE, NAME_SIZE); +-- +2.30.2 + diff --git a/queue-4.4/scsi-be2iscsi-fix-an-error-handling-path-in-beiscsi_.patch b/queue-4.4/scsi-be2iscsi-fix-an-error-handling-path-in-beiscsi_.patch new file mode 100644 index 00000000000..b4e0850d762 --- /dev/null +++ b/queue-4.4/scsi-be2iscsi-fix-an-error-handling-path-in-beiscsi_.patch @@ -0,0 +1,37 @@ +From 9a9e9e1d31b9b462c7768f18f1e3f21eabbcd34b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 09:18:34 +0200 +Subject: scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() + +From: Christophe JAILLET + +[ Upstream commit 030e4138d11fced3b831c2761e4cecf347bae99c ] + +If an error occurs after a pci_enable_pcie_error_reporting() call, it must +be undone by a corresponding pci_disable_pcie_error_reporting() call, as +already done in the remove function. + +Link: https://lore.kernel.org/r/77adb02cfea7f1364e5603ecf3930d8597ae356e.1623482155.git.christophe.jaillet@wanadoo.fr +Fixes: 3567f36a09d1 ("[SCSI] be2iscsi: Fix AER handling in driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/be2iscsi/be_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c +index 758f76e88704..c89aab5e0ef8 100644 +--- a/drivers/scsi/be2iscsi/be_main.c ++++ b/drivers/scsi/be2iscsi/be_main.c +@@ -5812,6 +5812,7 @@ hba_free: + pci_disable_msix(phba->pcidev); + pci_dev_put(phba->pcidev); + iscsi_host_free(phba->shost); ++ pci_disable_pcie_error_reporting(pcidev); + pci_set_drvdata(pcidev, NULL); + disable_pci: + pci_release_regions(pcidev); +-- +2.30.2 + diff --git a/queue-4.4/scsi-iscsi-add-iscsi_cls_conn-refcount-helpers.patch b/queue-4.4/scsi-iscsi-add-iscsi_cls_conn-refcount-helpers.patch new file mode 100644 index 00000000000..fdc1897036f --- /dev/null +++ b/queue-4.4/scsi-iscsi-add-iscsi_cls_conn-refcount-helpers.patch @@ -0,0 +1,97 @@ +From dced1efc39afd7b80c011880afef75d94614c138 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 13:18:03 -0500 +Subject: scsi: iscsi: Add iscsi_cls_conn refcount helpers + +From: Mike Christie + +[ Upstream commit b1d19e8c92cfb0ded180ef3376c20e130414e067 ] + +There are a couple places where we could free the iscsi_cls_conn while it's +still in use. This adds some helpers to get/put a refcount on the struct +and converts an exiting user. Subsequent commits will then use the helpers +to fix 2 bugs in the eh code. + +Link: https://lore.kernel.org/r/20210525181821.7617-11-michael.christie@oracle.com +Reviewed-by: Lee Duncan +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 7 ++----- + drivers/scsi/scsi_transport_iscsi.c | 12 ++++++++++++ + include/scsi/scsi_transport_iscsi.h | 2 ++ + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 18b8d86ef74b..0713d02cf112 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1384,7 +1384,6 @@ void iscsi_session_failure(struct iscsi_session *session, + enum iscsi_err err) + { + struct iscsi_conn *conn; +- struct device *dev; + + spin_lock_bh(&session->frwd_lock); + conn = session->leadconn; +@@ -1393,10 +1392,8 @@ void iscsi_session_failure(struct iscsi_session *session, + return; + } + +- dev = get_device(&conn->cls_conn->dev); ++ iscsi_get_conn(conn->cls_conn); + spin_unlock_bh(&session->frwd_lock); +- if (!dev) +- return; + /* + * if the host is being removed bypass the connection + * recovery initialization because we are going to kill +@@ -1406,7 +1403,7 @@ void iscsi_session_failure(struct iscsi_session *session, + iscsi_conn_error_event(conn->cls_conn, err); + else + iscsi_conn_failure(conn, err); +- put_device(dev); ++ iscsi_put_conn(conn->cls_conn); + } + EXPORT_SYMBOL_GPL(iscsi_session_failure); + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 42bc4b71b0ba..e0159e6a1065 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2328,6 +2328,18 @@ int iscsi_destroy_conn(struct iscsi_cls_conn *conn) + } + EXPORT_SYMBOL_GPL(iscsi_destroy_conn); + ++void iscsi_put_conn(struct iscsi_cls_conn *conn) ++{ ++ put_device(&conn->dev); ++} ++EXPORT_SYMBOL_GPL(iscsi_put_conn); ++ ++void iscsi_get_conn(struct iscsi_cls_conn *conn) ++{ ++ get_device(&conn->dev); ++} ++EXPORT_SYMBOL_GPL(iscsi_get_conn); ++ + /* + * iscsi interface functions + */ +diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h +index 6183d20a01fb..e673c7c9c5fb 100644 +--- a/include/scsi/scsi_transport_iscsi.h ++++ b/include/scsi/scsi_transport_iscsi.h +@@ -437,6 +437,8 @@ extern void iscsi_free_session(struct iscsi_cls_session *session); + extern int iscsi_destroy_session(struct iscsi_cls_session *session); + extern struct iscsi_cls_conn *iscsi_create_conn(struct iscsi_cls_session *sess, + int dd_size, uint32_t cid); ++extern void iscsi_put_conn(struct iscsi_cls_conn *conn); ++extern void iscsi_get_conn(struct iscsi_cls_conn *conn); + extern int iscsi_destroy_conn(struct iscsi_cls_conn *conn); + extern void iscsi_unblock_session(struct iscsi_cls_session *session); + extern void iscsi_block_session(struct iscsi_cls_session *session); +-- +2.30.2 + diff --git a/queue-4.4/scsi-lpfc-fix-unexpected-timeout-error-in-direct-att.patch b/queue-4.4/scsi-lpfc-fix-unexpected-timeout-error-in-direct-att.patch new file mode 100644 index 00000000000..967ae418687 --- /dev/null +++ b/queue-4.4/scsi-lpfc-fix-unexpected-timeout-error-in-direct-att.patch @@ -0,0 +1,53 @@ +From 87fcd376fc59c23996ee56fe7cbd8e561431a2cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 12:55:51 -0700 +Subject: scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology + +From: James Smart + +[ Upstream commit e30d55137edef47434c40d7570276a0846fe922c ] + +An 'unexpected timeout' message may be seen in a point-2-point topology. +The message occurs when a PLOGI is received before the driver is notified +of FLOGI completion. The FLOGI completion failure causes discovery to be +triggered for a second time. The discovery timer is restarted but no new +discovery activity is initiated, thus the timeout message eventually +appears. + +In point-2-point, when discovery has progressed before the FLOGI completion +is processed, it is not a failure. Add code to FLOGI completion to detect +that discovery has progressed and exit the FLOGI handling (noop'ing it). + +Link: https://lore.kernel.org/r/20210514195559.119853-4-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 5be938b47f48..b66b1ed6d2af 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -1142,6 +1142,15 @@ stop_rr_fcf_flogi: + phba->fcf.fcf_redisc_attempted = 0; /* reset */ + goto out; + } ++ } else if (vport->port_state > LPFC_FLOGI && ++ vport->fc_flag & FC_PT2PT) { ++ /* ++ * In a p2p topology, it is possible that discovery has ++ * already progressed, and this completion can be ignored. ++ * Recheck the indicated topology. ++ */ ++ if (!sp->cmn.fPort) ++ goto out; + } + + flogifail: +-- +2.30.2 + diff --git a/queue-4.4/selftests-powerpc-fix-no_handler-ebb-selftest.patch b/queue-4.4/selftests-powerpc-fix-no_handler-ebb-selftest.patch new file mode 100644 index 00000000000..228acca3e0c --- /dev/null +++ b/queue-4.4/selftests-powerpc-fix-no_handler-ebb-selftest.patch @@ -0,0 +1,45 @@ +From 52ea5c167b3d489d9c817b3b9a20785a4118b831 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 09:51:42 -0400 +Subject: selftests/powerpc: Fix "no_handler" EBB selftest + +From: Athira Rajeev + +[ Upstream commit 45677c9aebe926192e59475b35a1ff35ff2d4217 ] + +The "no_handler_test" in ebb selftests attempts to read the PMU +registers twice via helper function "dump_ebb_state". First dump is +just before closing of event and the second invocation is done after +closing of the event. The original intention of second +dump_ebb_state was to dump the state of registers at the end of +the test when the counters are frozen. But this will be achieved +with the first call itself since sample period is set to low value +and PMU will be frozen by then. Hence patch removes the +dump which was done before closing of the event. + +Reported-by: Shirisha Ganta +Signed-off-by: Athira Rajeev +Tested-by: Nageswara R Sastry > +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1621950703-1532-2-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c b/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c +index 8341d7778d5e..87630d44fb4c 100644 +--- a/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c ++++ b/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c +@@ -50,8 +50,6 @@ static int no_handler_test(void) + + event_close(&event); + +- dump_ebb_state(); +- + /* The real test is that we never took an EBB at 0x0 */ + + return 0; +-- +2.30.2 + diff --git a/queue-4.4/series b/queue-4.4/series index 10ed8337a82..7a52b41f85d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -140,3 +140,49 @@ media-uvcvideo-fix-pixel-format-change-for-elgato-cam-link-4k.patch jfs-fix-gpf-in-difree.patch kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch +tty-serial-fsl_lpuart-fix-the-potential-risk-of-divi.patch +misc-libmasm-module-fix-two-use-after-free-in-ibmasm.patch +revert-alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-.patch +scsi-lpfc-fix-unexpected-timeout-error-in-direct-att.patch +tty-serial-8250-serial_cs-fix-a-memory-leak-in-error.patch +fs-jfs-fix-missing-error-code-in-lmloginit.patch +scsi-iscsi-add-iscsi_cls_conn-refcount-helpers.patch +mfd-da9052-stmpe-add-and-modify-module_device_table.patch +alsa-sb-fix-potential-double-free-of-csp-mixer-eleme.patch +powerpc-ps3-add-dma_mask-to-ps3_dma_region.patch +gpio-zynq-check-return-value-of-pm_runtime_get_sync.patch +alsa-ppc-fix-error-return-code-in-snd_pmac_probe.patch +selftests-powerpc-fix-no_handler-ebb-selftest.patch +asoc-soc-core-fix-the-error-return-code-in-snd_soc_o.patch +alsa-bebob-add-support-for-toneweal-fw66.patch +usb-gadget-f_hid-fix-endianness-issue-with-descripto.patch +usb-gadget-hid-fix-error-return-code-in-hid_bind.patch +powerpc-boot-fixup-device-tree-on-little-endian.patch +backlight-lm3630a-fix-return-code-of-.update_status-.patch +alsa-hda-add-irq-check-for-platform_get_irq.patch +lib-decompress_unlz4.c-correctly-handle-zero-padding.patch +pwm-spear-don-t-modify-hw-state-in-.remove-callback.patch +power-supply-ab8500-avoid-null-pointers.patch +power-reset-gpio-poweroff-add-missing-module_device_.patch +arm-9087-1-kprobes-test-thumb-fix-for-llvm_ias-1.patch +watchdog-fix-possible-use-after-free-in-wdt_startup.patch +watchdog-sc520_wdt-fix-possible-use-after-free-in-wd.patch +watchdog-fix-possible-use-after-free-by-calling-del_.patch +ceph-remove-bogus-checks-and-warn_ons-from-ceph_set_.patch +power-supply-charger-manager-add-missing-module_devi.patch +power-supply-ab8500-add-missing-module_device_table.patch +virtio-blk-fix-memory-leak-among-suspend-resume-proc.patch +virtio_console-assure-used-length-from-device-is-lim.patch +pci-sysfs-fix-dsm_label_utf16s_to_utf8s-buffer-overr.patch +um-fix-error-return-code-in-slip_open.patch +um-fix-error-return-code-in-winch_tramp.patch +nfs-fix-acl-memory-leak-of-posix_acl_create.patch +alsa-isa-fix-error-return-code-in-snd_cmi8330_probe.patch +hexagon-use-common-discards-macro.patch +arm-dts-exynos-fix-pwm-led-max-brightness-on-odroid-.patch +rtc-fix-snprintf-checking-in-is_rtc_hctosys.patch +memory-fsl_ifc-fix-leak-of-io-mapping-on-probe-failu.patch +memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch +scsi-be2iscsi-fix-an-error-handling-path-in-beiscsi_.patch +mips-disable-branch-profiling-in-boot-decompress.o.patch +mips-vdso-invalid-gic-access-through-vdso.patch diff --git a/queue-4.4/tty-serial-8250-serial_cs-fix-a-memory-leak-in-error.patch b/queue-4.4/tty-serial-8250-serial_cs-fix-a-memory-leak-in-error.patch new file mode 100644 index 00000000000..b4d526f935c --- /dev/null +++ b/queue-4.4/tty-serial-8250-serial_cs-fix-a-memory-leak-in-error.patch @@ -0,0 +1,55 @@ +From 1bb6857d6db7ba312b74baa4c4e26f61e216ece7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 21:44:04 +0200 +Subject: tty: serial: 8250: serial_cs: Fix a memory leak in error handling + path + +From: Christophe JAILLET + +[ Upstream commit fad92b11047a748c996ebd6cfb164a63814eeb2e ] + +In the probe function, if the final 'serial_config()' fails, 'info' is +leaking. + +Add a resource handling path to free this memory. + +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/dc25f96b7faebf42e60fe8d02963c941cf4d8124.1621971720.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/serial_cs.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/serial_cs.c b/drivers/tty/serial/8250/serial_cs.c +index bf5feb2ea35a..92c64ed12295 100644 +--- a/drivers/tty/serial/8250/serial_cs.c ++++ b/drivers/tty/serial/8250/serial_cs.c +@@ -305,6 +305,7 @@ static int serial_resume(struct pcmcia_device *link) + static int serial_probe(struct pcmcia_device *link) + { + struct serial_info *info; ++ int ret; + + dev_dbg(&link->dev, "serial_attach()\n"); + +@@ -319,7 +320,15 @@ static int serial_probe(struct pcmcia_device *link) + if (do_sound) + link->config_flags |= CONF_ENABLE_SPKR; + +- return serial_config(link); ++ ret = serial_config(link); ++ if (ret) ++ goto free_info; ++ ++ return 0; ++ ++free_info: ++ kfree(info); ++ return ret; + } + + static void serial_detach(struct pcmcia_device *link) +-- +2.30.2 + diff --git a/queue-4.4/tty-serial-fsl_lpuart-fix-the-potential-risk-of-divi.patch b/queue-4.4/tty-serial-fsl_lpuart-fix-the-potential-risk-of-divi.patch new file mode 100644 index 00000000000..fae291d0d42 --- /dev/null +++ b/queue-4.4/tty-serial-fsl_lpuart-fix-the-potential-risk-of-divi.patch @@ -0,0 +1,41 @@ +From fc452ff711658c42c620af5b31ed7d609c1a38e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Apr 2021 10:12:26 +0800 +Subject: tty: serial: fsl_lpuart: fix the potential risk of division or modulo + by zero + +From: Sherry Sun + +[ Upstream commit fcb10ee27fb91b25b68d7745db9817ecea9f1038 ] + +We should be very careful about the register values that will be used +for division or modulo operations, althrough the possibility that the +UARTBAUD register value is zero is very low, but we had better to deal +with the "bad data" of hardware in advance to avoid division or modulo +by zero leading to undefined kernel behavior. + +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20210427021226.27468-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 1544a7cc76ff..1319f3dd5b70 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1681,6 +1681,9 @@ lpuart32_console_get_options(struct lpuart_port *sport, int *baud, + + bd = lpuart32_read(sport->port.membase + UARTBAUD); + bd &= UARTBAUD_SBR_MASK; ++ if (!bd) ++ return; ++ + sbr = bd; + uartclk = clk_get_rate(sport->clk); + /* +-- +2.30.2 + diff --git a/queue-4.4/um-fix-error-return-code-in-slip_open.patch b/queue-4.4/um-fix-error-return-code-in-slip_open.patch new file mode 100644 index 00000000000..ad9d0e5f65c --- /dev/null +++ b/queue-4.4/um-fix-error-return-code-in-slip_open.patch @@ -0,0 +1,39 @@ +From 817ddd02389cf99133ffea029f3d734a962a6741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 11:13:54 +0800 +Subject: um: fix error return code in slip_open() + +From: Zhen Lei + +[ Upstream commit b77e81fbe5f5fb4ad9a61ec80f6d1e30b6da093a ] + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: a3c77c67a443 ("[PATCH] uml: slirp and slip driver cleanups and fixes") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Acked-By: anton.ivanov@cambridgegreys.com +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/slip_user.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/um/drivers/slip_user.c b/arch/um/drivers/slip_user.c +index 0d6b66c64a81..76d155631c5d 100644 +--- a/arch/um/drivers/slip_user.c ++++ b/arch/um/drivers/slip_user.c +@@ -145,7 +145,8 @@ static int slip_open(void *data) + } + sfd = err; + +- if (set_up_tty(sfd)) ++ err = set_up_tty(sfd); ++ if (err) + goto out_close2; + + pri->slave = sfd; +-- +2.30.2 + diff --git a/queue-4.4/um-fix-error-return-code-in-winch_tramp.patch b/queue-4.4/um-fix-error-return-code-in-winch_tramp.patch new file mode 100644 index 00000000000..95aaa2cabd7 --- /dev/null +++ b/queue-4.4/um-fix-error-return-code-in-winch_tramp.patch @@ -0,0 +1,39 @@ +From f59db04eb244b10ef224e7a5f4a7df15cbf3d6ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 11:22:39 +0800 +Subject: um: fix error return code in winch_tramp() + +From: Zhen Lei + +[ Upstream commit ccf1236ecac476d9d2704866d9a476c86e387971 ] + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: 89df6bfc0405 ("uml: DEBUG_SHIRQ fixes") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Acked-By: anton.ivanov@cambridgegreys.com +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/chan_user.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/um/drivers/chan_user.c b/arch/um/drivers/chan_user.c +index 3fd7c3efdb18..feb7f5ab4084 100644 +--- a/arch/um/drivers/chan_user.c ++++ b/arch/um/drivers/chan_user.c +@@ -256,7 +256,8 @@ static int winch_tramp(int fd, struct tty_port *port, int *fd_out, + goto out_close; + } + +- if (os_set_fd_block(*fd_out, 0)) { ++ err = os_set_fd_block(*fd_out, 0); ++ if (err) { + printk(UM_KERN_ERR "winch_tramp: failed to set thread_fd " + "non-blocking.\n"); + goto out_close; +-- +2.30.2 + diff --git a/queue-4.4/usb-gadget-f_hid-fix-endianness-issue-with-descripto.patch b/queue-4.4/usb-gadget-f_hid-fix-endianness-issue-with-descripto.patch new file mode 100644 index 00000000000..763e3958e27 --- /dev/null +++ b/queue-4.4/usb-gadget-f_hid-fix-endianness-issue-with-descripto.patch @@ -0,0 +1,45 @@ +From c67625b448832988cb257e1ffed05c97dd7f8ba3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 19:27:55 +0300 +Subject: usb: gadget: f_hid: fix endianness issue with descriptors + +From: Ruslan Bilovol + +[ Upstream commit 33cb46c4676d01956811b68a29157ea969a5df70 ] + +Running sparse checker it shows warning message about +incorrect endianness used for descriptor initialization: + +| f_hid.c:91:43: warning: incorrect type in initializer (different base types) +| f_hid.c:91:43: expected restricted __le16 [usertype] bcdHID +| f_hid.c:91:43: got int + +Fixing issue with cpu_to_le16() macro, however this is not a real issue +as the value is the same both endians. + +Cc: Fabien Chouteau +Cc: Segiy Stetsyuk +Signed-off-by: Ruslan Bilovol +Link: https://lore.kernel.org/r/20210617162755.29676-1-ruslan.bilovol@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_hid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c +index a5dae5bb62ab..590e056d3618 100644 +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -91,7 +91,7 @@ static struct usb_interface_descriptor hidg_interface_desc = { + static struct hid_descriptor hidg_desc = { + .bLength = sizeof hidg_desc, + .bDescriptorType = HID_DT_HID, +- .bcdHID = 0x0101, ++ .bcdHID = cpu_to_le16(0x0101), + .bCountryCode = 0x00, + .bNumDescriptors = 0x1, + /*.desc[0].bDescriptorType = DYNAMIC */ +-- +2.30.2 + diff --git a/queue-4.4/usb-gadget-hid-fix-error-return-code-in-hid_bind.patch b/queue-4.4/usb-gadget-hid-fix-error-return-code-in-hid_bind.patch new file mode 100644 index 00000000000..46bd0af25a9 --- /dev/null +++ b/queue-4.4/usb-gadget-hid-fix-error-return-code-in-hid_bind.patch @@ -0,0 +1,40 @@ +From 957343139f2e6224eb1586fdf5de81b6c13dcf99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 12:38:35 +0800 +Subject: usb: gadget: hid: fix error return code in hid_bind() + +From: Yang Yingliang + +[ Upstream commit 88693f770bb09c196b1eb5f06a484a254ecb9924 ] + +Fix to return a negative error code from the error handling +case instead of 0. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210618043835.2641360-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/legacy/hid.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/legacy/hid.c b/drivers/usb/gadget/legacy/hid.c +index 7e5d2c48476e..97329ba5d382 100644 +--- a/drivers/usb/gadget/legacy/hid.c ++++ b/drivers/usb/gadget/legacy/hid.c +@@ -175,8 +175,10 @@ static int hid_bind(struct usb_composite_dev *cdev) + struct usb_descriptor_header *usb_desc; + + usb_desc = usb_otg_descriptor_alloc(gadget); +- if (!usb_desc) ++ if (!usb_desc) { ++ status = -ENOMEM; + goto put; ++ } + usb_otg_descriptor_init(gadget, usb_desc); + otg_desc[0] = usb_desc; + otg_desc[1] = NULL; +-- +2.30.2 + diff --git a/queue-4.4/virtio-blk-fix-memory-leak-among-suspend-resume-proc.patch b/queue-4.4/virtio-blk-fix-memory-leak-among-suspend-resume-proc.patch new file mode 100644 index 00000000000..39e6b936974 --- /dev/null +++ b/queue-4.4/virtio-blk-fix-memory-leak-among-suspend-resume-proc.patch @@ -0,0 +1,37 @@ +From 642029f29741c21dab8b857a314f82a5b9c5c82f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 16:43:32 +0800 +Subject: virtio-blk: Fix memory leak among suspend/resume procedure + +From: Xie Yongji + +[ Upstream commit b71ba22e7c6c6b279c66f53ee7818709774efa1f ] + +The vblk->vqs should be freed before we call init_vqs() +in virtblk_restore(). + +Signed-off-by: Xie Yongji +Link: https://lore.kernel.org/r/20210517084332.280-1-xieyongji@bytedance.com +Acked-by: Jason Wang +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/block/virtio_blk.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c +index bdc3efacd0d2..2bcc2bc64149 100644 +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -808,6 +808,8 @@ static int virtblk_freeze(struct virtio_device *vdev) + blk_mq_stop_hw_queues(vblk->disk->queue); + + vdev->config->del_vqs(vdev); ++ kfree(vblk->vqs); ++ + return 0; + } + +-- +2.30.2 + diff --git a/queue-4.4/virtio_console-assure-used-length-from-device-is-lim.patch b/queue-4.4/virtio_console-assure-used-length-from-device-is-lim.patch new file mode 100644 index 00000000000..4d0e72c6954 --- /dev/null +++ b/queue-4.4/virtio_console-assure-used-length-from-device-is-lim.patch @@ -0,0 +1,47 @@ +From 8709034d558f280c40785a8d2887618a6ebc7e32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 20:56:22 +0800 +Subject: virtio_console: Assure used length from device is limited + +From: Xie Yongji + +[ Upstream commit d00d8da5869a2608e97cfede094dfc5e11462a46 ] + +The buf->len might come from an untrusted device. This +ensures the value would not exceed the size of the buffer +to avoid data corruption or loss. + +Signed-off-by: Xie Yongji +Acked-by: Jason Wang +Link: https://lore.kernel.org/r/20210525125622.1203-1-xieyongji@bytedance.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/char/virtio_console.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 226ccb7891d4..c2f1c921cb2c 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -487,7 +487,7 @@ static struct port_buffer *get_inbuf(struct port *port) + + buf = virtqueue_get_buf(port->in_vq, &len); + if (buf) { +- buf->len = len; ++ buf->len = min_t(size_t, len, buf->size); + buf->offset = 0; + port->stats.bytes_received += len; + } +@@ -1752,7 +1752,7 @@ static void control_work_handler(struct work_struct *work) + while ((buf = virtqueue_get_buf(vq, &len))) { + spin_unlock(&portdev->c_ivq_lock); + +- buf->len = len; ++ buf->len = min_t(size_t, len, buf->size); + buf->offset = 0; + + handle_control_message(vq->vdev, portdev, buf); +-- +2.30.2 + diff --git a/queue-4.4/watchdog-fix-possible-use-after-free-by-calling-del_.patch b/queue-4.4/watchdog-fix-possible-use-after-free-by-calling-del_.patch new file mode 100644 index 00000000000..37480ba0589 --- /dev/null +++ b/queue-4.4/watchdog-fix-possible-use-after-free-by-calling-del_.patch @@ -0,0 +1,59 @@ +From b26ac737fa701ccdf2c403ebd55e37aae5a80902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 14:57:56 +0800 +Subject: watchdog: Fix possible use-after-free by calling del_timer_sync() + +From: Zou Wei + +[ Upstream commit d0212f095ab56672f6f36aabc605bda205e1e0bf ] + +This driver's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Reviewed-by: Guenter Roeck +Acked-by: Vladimir Zapolskiy +Link: https://lore.kernel.org/r/1620802676-19701-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/lpc18xx_wdt.c | 2 +- + drivers/watchdog/w83877f_wdt.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c +index ab7b8b185d99..fbdc0f32e666 100644 +--- a/drivers/watchdog/lpc18xx_wdt.c ++++ b/drivers/watchdog/lpc18xx_wdt.c +@@ -309,7 +309,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev) + unregister_restart_handler(&lpc18xx_wdt->restart_handler); + + dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n"); +- del_timer(&lpc18xx_wdt->timer); ++ del_timer_sync(&lpc18xx_wdt->timer); + + watchdog_unregister_device(&lpc18xx_wdt->wdt_dev); + clk_disable_unprepare(lpc18xx_wdt->wdt_clk); +diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c +index f0483c75ed32..4b52cf321747 100644 +--- a/drivers/watchdog/w83877f_wdt.c ++++ b/drivers/watchdog/w83877f_wdt.c +@@ -170,7 +170,7 @@ static void wdt_startup(void) + static void wdt_turnoff(void) + { + /* Stop the timer */ +- del_timer(&timer); ++ del_timer_sync(&timer); + + wdt_change(WDT_DISABLE); + +-- +2.30.2 + diff --git a/queue-4.4/watchdog-fix-possible-use-after-free-in-wdt_startup.patch b/queue-4.4/watchdog-fix-possible-use-after-free-in-wdt_startup.patch new file mode 100644 index 00000000000..dec6e71d9b5 --- /dev/null +++ b/queue-4.4/watchdog-fix-possible-use-after-free-in-wdt_startup.patch @@ -0,0 +1,44 @@ +From f5c0115ea21be91fa82805fca4efa0c1d4db821b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 15:01:35 +0800 +Subject: watchdog: Fix possible use-after-free in wdt_startup() + +From: Zou Wei + +[ Upstream commit c08a6b31e4917034f0ed0cb457c3bb209576f542 ] + +This module's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/1620716495-108352-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/sbc60xxwdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/sbc60xxwdt.c b/drivers/watchdog/sbc60xxwdt.c +index 2eef58a0cf05..152db059d5aa 100644 +--- a/drivers/watchdog/sbc60xxwdt.c ++++ b/drivers/watchdog/sbc60xxwdt.c +@@ -152,7 +152,7 @@ static void wdt_startup(void) + static void wdt_turnoff(void) + { + /* Stop the timer */ +- del_timer(&timer); ++ del_timer_sync(&timer); + inb_p(wdt_stop); + pr_info("Watchdog timer is now disabled...\n"); + } +-- +2.30.2 + diff --git a/queue-4.4/watchdog-sc520_wdt-fix-possible-use-after-free-in-wd.patch b/queue-4.4/watchdog-sc520_wdt-fix-possible-use-after-free-in-wd.patch new file mode 100644 index 00000000000..10dd4533317 --- /dev/null +++ b/queue-4.4/watchdog-sc520_wdt-fix-possible-use-after-free-in-wd.patch @@ -0,0 +1,44 @@ +From ee8abc886dfb196bba9808d2698f4d4c8fb00455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 15:04:51 +0800 +Subject: watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() + +From: Zou Wei + +[ Upstream commit 90b7c141132244e8e49a34a4c1e445cce33e07f4 ] + +This module's remove path calls del_timer(). However, that function +does not wait until the timer handler finishes. This means that the +timer handler may still be running after the driver's remove function +has finished, which would result in a use-after-free. + +Fix by calling del_timer_sync(), which makes sure the timer handler +has finished, and unable to re-schedule itself. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/1620716691-108460-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/sc520_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/sc520_wdt.c b/drivers/watchdog/sc520_wdt.c +index 1cfd3f6a13d5..08500db8324f 100644 +--- a/drivers/watchdog/sc520_wdt.c ++++ b/drivers/watchdog/sc520_wdt.c +@@ -190,7 +190,7 @@ static int wdt_startup(void) + static int wdt_turnoff(void) + { + /* Stop the timer */ +- del_timer(&timer); ++ del_timer_sync(&timer); + + /* Stop the watchdog */ + wdt_config(0); +-- +2.30.2 +