From: Sasha Levin Date: Sun, 22 Dec 2019 02:37:23 +0000 (-0500) Subject: fixes for 4.14 X-Git-Tag: v4.14.161~49 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ecc60cb7a4f6931b9213aef2acec70400a9e494a;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alsa-timer-limit-max-amount-of-slave-instances.patch b/queue-4.14/alsa-timer-limit-max-amount-of-slave-instances.patch new file mode 100644 index 00000000000..0c6b06f016c --- /dev/null +++ b/queue-4.14/alsa-timer-limit-max-amount-of-slave-instances.patch @@ -0,0 +1,70 @@ +From 2ff7aa7e2b59b1e35747ffe2698c80851ba03e82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 16:42:57 +0100 +Subject: ALSA: timer: Limit max amount of slave instances + +From: Takashi Iwai + +[ Upstream commit fdea53fe5de532969a332d6e5e727f2ad8bf084d ] + +The fuzzer tries to open the timer instances as much as possible, and +this may cause a system hiccup easily. We've already introduced the +cap for the max number of available instances for the h/w timers, and +we should put such a limit also to the slave timers, too. + +This patch introduces the limit to the multiple opened slave timers. +The upper limit is hard-coded to 1000 for now, which should suffice +for any practical usages up to now. + +Link: https://lore.kernel.org/r/20191106154257.5853-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/timer.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index c60dfd52e8a6..22589a073423 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -88,6 +88,9 @@ static LIST_HEAD(snd_timer_slave_list); + /* lock for slave active lists */ + static DEFINE_SPINLOCK(slave_active_lock); + ++#define MAX_SLAVE_INSTANCES 1000 ++static int num_slaves; ++ + static DEFINE_MUTEX(register_mutex); + + static int snd_timer_free(struct snd_timer *timer); +@@ -266,6 +269,10 @@ int snd_timer_open(struct snd_timer_instance **ti, + err = -EINVAL; + goto unlock; + } ++ if (num_slaves >= MAX_SLAVE_INSTANCES) { ++ err = -EBUSY; ++ goto unlock; ++ } + timeri = snd_timer_instance_new(owner, NULL); + if (!timeri) { + err = -ENOMEM; +@@ -275,6 +282,7 @@ int snd_timer_open(struct snd_timer_instance **ti, + timeri->slave_id = tid->device; + timeri->flags |= SNDRV_TIMER_IFLG_SLAVE; + list_add_tail(&timeri->open_list, &snd_timer_slave_list); ++ num_slaves++; + err = snd_timer_check_slave(timeri); + if (err < 0) { + snd_timer_close_locked(timeri, &card_dev_to_put); +@@ -364,6 +372,8 @@ static int snd_timer_close_locked(struct snd_timer_instance *timeri, + struct snd_timer_instance *slave, *tmp; + + list_del(&timeri->open_list); ++ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) ++ num_slaves--; + + /* force to stop the timer */ + snd_timer_stop(timeri); +-- +2.20.1 + diff --git a/queue-4.14/arm64-psci-reduce-the-waiting-time-for-cpu_psci_cpu_.patch b/queue-4.14/arm64-psci-reduce-the-waiting-time-for-cpu_psci_cpu_.patch new file mode 100644 index 00000000000..03c564bf6fc --- /dev/null +++ b/queue-4.14/arm64-psci-reduce-the-waiting-time-for-cpu_psci_cpu_.patch @@ -0,0 +1,73 @@ +From 136bbf0e953cd0f769e9df7de6af5d0c344d7e6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 19:31:21 +0800 +Subject: arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill() + +From: Yunfeng Ye + +[ Upstream commit bfcef4ab1d7ee8921bc322109b1692036cc6cbe0 ] + +In cases like suspend-to-disk and suspend-to-ram, a large number of CPU +cores need to be shut down. At present, the CPU hotplug operation is +serialised, and the CPU cores can only be shut down one by one. In this +process, if PSCI affinity_info() does not return LEVEL_OFF quickly, +cpu_psci_cpu_kill() needs to wait for 10ms. If hundreds of CPU cores +need to be shut down, it will take a long time. + +Normally, there is no need to wait 10ms in cpu_psci_cpu_kill(). So +change the wait interval from 10 ms to max 1 ms and use usleep_range() +instead of msleep() for more accurate timer. + +In addition, reducing the time interval will increase the messages +output, so remove the "Retry ..." message, instead, track time and +output to the the sucessful message. + +Signed-off-by: Yunfeng Ye +Reviewed-by: Sudeep Holla +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/psci.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/kernel/psci.c b/arch/arm64/kernel/psci.c +index e8edbf13302a..3856d51c645b 100644 +--- a/arch/arm64/kernel/psci.c ++++ b/arch/arm64/kernel/psci.c +@@ -84,7 +84,8 @@ static void cpu_psci_cpu_die(unsigned int cpu) + + static int cpu_psci_cpu_kill(unsigned int cpu) + { +- int err, i; ++ int err; ++ unsigned long start, end; + + if (!psci_ops.affinity_info) + return 0; +@@ -94,16 +95,18 @@ static int cpu_psci_cpu_kill(unsigned int cpu) + * while it is dying. So, try again a few times. + */ + +- for (i = 0; i < 10; i++) { ++ start = jiffies; ++ end = start + msecs_to_jiffies(100); ++ do { + err = psci_ops.affinity_info(cpu_logical_map(cpu), 0); + if (err == PSCI_0_2_AFFINITY_LEVEL_OFF) { +- pr_info("CPU%d killed.\n", cpu); ++ pr_info("CPU%d killed (polled %d ms)\n", cpu, ++ jiffies_to_msecs(jiffies - start)); + return 0; + } + +- msleep(10); +- pr_info("Retrying again to check for CPU kill\n"); +- } ++ usleep_range(100, 1000); ++ } while (time_before(jiffies, end)); + + pr_warn("CPU%d may not have shut down cleanly (AFFINITY_INFO reports %d)\n", + cpu, err); +-- +2.20.1 + diff --git a/queue-4.14/asoc-intel-kbl_rt5663_rt5514_max98927-add-dmic-forma.patch b/queue-4.14/asoc-intel-kbl_rt5663_rt5514_max98927-add-dmic-forma.patch new file mode 100644 index 00000000000..383398a6a82 --- /dev/null +++ b/queue-4.14/asoc-intel-kbl_rt5663_rt5514_max98927-add-dmic-forma.patch @@ -0,0 +1,40 @@ +From 103cfd7e093775c7b208b924a2c89e342cd7c687 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 00:29:40 +0800 +Subject: ASoC: Intel: kbl_rt5663_rt5514_max98927: Add dmic format constraint + +From: Yu-Hsuan Hsu + +[ Upstream commit e2db787bdcb4f2722ecf410168f0583764634e45 ] + +On KBL platform, the microphone is attached to external codec(rt5514) +instead of PCH. However, TDM slot between PCH and codec is 16 bits only. +In order to avoid setting wrong format, we should add a constraint to +force to use 16 bits format forever. + +Signed-off-by: Yu-Hsuan Hsu +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20190923162940.199580-1-yuhsuan@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c b/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c +index 41cb1fefbd42..405196283688 100644 +--- a/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c ++++ b/sound/soc/intel/boards/kbl_rt5663_rt5514_max98927.c +@@ -422,6 +422,9 @@ static int kabylake_dmic_startup(struct snd_pcm_substream *substream) + snd_pcm_hw_constraint_list(runtime, 0, SNDRV_PCM_HW_PARAM_CHANNELS, + dmic_constraints); + ++ runtime->hw.formats = SNDRV_PCM_FMTBIT_S16_LE; ++ snd_pcm_hw_constraint_msbits(runtime, 0, 16, 16); ++ + return snd_pcm_hw_constraint_list(substream->runtime, 0, + SNDRV_PCM_HW_PARAM_RATE, &constraints_rates); + } +-- +2.20.1 + diff --git a/queue-4.14/asoc-rt5677-mark-reg-rt5677_pwr_anlg2-as-volatile.patch b/queue-4.14/asoc-rt5677-mark-reg-rt5677_pwr_anlg2-as-volatile.patch new file mode 100644 index 00000000000..21943822433 --- /dev/null +++ b/queue-4.14/asoc-rt5677-mark-reg-rt5677_pwr_anlg2-as-volatile.patch @@ -0,0 +1,43 @@ +From aaab4368a401c02410b62ef4e22e5a388637f3eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 17:13:30 -0800 +Subject: ASoC: rt5677: Mark reg RT5677_PWR_ANLG2 as volatile + +From: Ben Zhang + +[ Upstream commit eabf424f7b60246c76dcb0ea6f1e83ef9abbeaa6 ] + +The codec dies when RT5677_PWR_ANLG2(MX-64h) is set to 0xACE1 +while it's streaming audio over SPI. The DSP firmware turns +on PLL2 (MX-64 bit 8) when SPI streaming starts. However regmap +does not believe that register can change by itself. When +BST1 (bit 15) is turned on with regmap_update_bits(), it doesn't +read the register first before write, so PLL2 power bit is +cleared by accident. + +Marking MX-64h as volatile in regmap solved the issue. + +Signed-off-by: Ben Zhang +Signed-off-by: Curtis Malainey +Link: https://lore.kernel.org/r/20191106011335.223061-6-cujomalainey@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5677.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/rt5677.c b/sound/soc/codecs/rt5677.c +index 1cd20b88a3a9..82ee8f4b965b 100644 +--- a/sound/soc/codecs/rt5677.c ++++ b/sound/soc/codecs/rt5677.c +@@ -297,6 +297,7 @@ static bool rt5677_volatile_register(struct device *dev, unsigned int reg) + case RT5677_I2C_MASTER_CTRL7: + case RT5677_I2C_MASTER_CTRL8: + case RT5677_HAP_GENE_CTRL2: ++ case RT5677_PWR_ANLG2: /* Modified by DSP firmware */ + case RT5677_PWR_DSP_ST: + case RT5677_PRIV_DATA: + case RT5677_ASRC_22: +-- +2.20.1 + diff --git a/queue-4.14/ath10k-fix-get-invalid-tx-rate-for-mesh-metric.patch b/queue-4.14/ath10k-fix-get-invalid-tx-rate-for-mesh-metric.patch new file mode 100644 index 00000000000..1037741807a --- /dev/null +++ b/queue-4.14/ath10k-fix-get-invalid-tx-rate-for-mesh-metric.patch @@ -0,0 +1,42 @@ +From ce9e413fa90389d5ae4ddade4f42c40e669e997b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 20:04:37 +0200 +Subject: ath10k: fix get invalid tx rate for Mesh metric + +From: Miaoqing Pan + +[ Upstream commit 05a11003a56507023f18d3249a4d4d119c0a3e9c ] + +ath10k does not provide transmit rate info per MSDU +in tx completion, mark that as -1 so mac80211 +will ignore the rates. This fixes mac80211 update Mesh +link metric with invalid transmit rate info. + +Tested HW: QCA9984 +Tested FW: 10.4-3.9.0.2-00035 + +Signed-off-by: Hou Bao Hou +Signed-off-by: Anilkumar Kolli +Signed-off-by: Miaoqing Pan +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/txrx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c +index d4986f626c35..9999c8c40269 100644 +--- a/drivers/net/wireless/ath/ath10k/txrx.c ++++ b/drivers/net/wireless/ath/ath10k/txrx.c +@@ -100,6 +100,8 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt, + + info = IEEE80211_SKB_CB(msdu); + memset(&info->status, 0, sizeof(info->status)); ++ info->status.rates[0].idx = -1; ++ + trace_ath10k_txrx_tx_unref(ar, tx_done->msdu_id); + + if (tx_done->status == HTT_TX_COMPL_STATE_DISCARD) { +-- +2.20.1 + diff --git a/queue-4.14/ath10k-fix-offchannel-tx-failure-when-no-ath10k_mac_.patch b/queue-4.14/ath10k-fix-offchannel-tx-failure-when-no-ath10k_mac_.patch new file mode 100644 index 00000000000..9e41f6e83cd --- /dev/null +++ b/queue-4.14/ath10k-fix-offchannel-tx-failure-when-no-ath10k_mac_.patch @@ -0,0 +1,120 @@ +From 4b5d63d3b7c926f17ca0b07c919a8ac130de980f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Oct 2017 17:03:12 -0700 +Subject: ath10k: fix offchannel tx failure when no ath10k_mac_tx_frm_has_freq + +From: Ben Greear + +[ Upstream commit cc6df017e55764ffef9819dd9554053182535ffd ] + +Offchannel management frames were failing: + +[18099.253732] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb cf0e3780 +[18102.293686] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb cf0e3780 +[18105.333653] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb cf0e3780 +[18108.373712] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb cf0e3780 +[18111.413687] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb cf0e36c0 +[18114.453726] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb cf0e3f00 +[18117.493773] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb cf0e36c0 +[18120.533631] ath10k_pci 0000:01:00.0: timed out waiting for offchannel skb cf0e3f00 + +This bug appears to have been added between 4.0 (which works for us), +and 4.4, which does not work. + +I think this is because the tx-offchannel logic gets in a loop when +ath10k_mac_tx_frm_has_freq(ar) is false, so pkt is never actually +sent to the firmware for transmit. + +This patch fixes the problem on 4.9 for me, and now HS20 clients +can work again with my firmware. + +Antonio: tested with 10.4-3.5.3-00057 on QCA4019 and QCA9888 + +Signed-off-by: Ben Greear +Tested-by: Antonio Quartulli +[kvalo@codeaurora.org: improve commit log, remove unneeded parenthesis] +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index dff34448588f..ea47ad4b2343 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3627,7 +3627,7 @@ static int ath10k_mac_tx(struct ath10k *ar, + struct ieee80211_vif *vif, + enum ath10k_hw_txrx_mode txmode, + enum ath10k_mac_tx_path txpath, +- struct sk_buff *skb) ++ struct sk_buff *skb, bool noque_offchan) + { + struct ieee80211_hw *hw = ar->hw; + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); +@@ -3655,10 +3655,10 @@ static int ath10k_mac_tx(struct ath10k *ar, + } + } + +- if (info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) { ++ if (!noque_offchan && info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) { + if (!ath10k_mac_tx_frm_has_freq(ar)) { +- ath10k_dbg(ar, ATH10K_DBG_MAC, "queued offchannel skb %pK\n", +- skb); ++ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac queued offchannel skb %pK len %d\n", ++ skb, skb->len); + + skb_queue_tail(&ar->offchan_tx_queue, skb); + ieee80211_queue_work(hw, &ar->offchan_tx_work); +@@ -3720,8 +3720,8 @@ void ath10k_offchan_tx_work(struct work_struct *work) + + mutex_lock(&ar->conf_mutex); + +- ath10k_dbg(ar, ATH10K_DBG_MAC, "mac offchannel skb %pK\n", +- skb); ++ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac offchannel skb %pK len %d\n", ++ skb, skb->len); + + hdr = (struct ieee80211_hdr *)skb->data; + peer_addr = ieee80211_get_DA(hdr); +@@ -3767,7 +3767,7 @@ void ath10k_offchan_tx_work(struct work_struct *work) + txmode = ath10k_mac_tx_h_get_txmode(ar, vif, sta, skb); + txpath = ath10k_mac_tx_h_get_txpath(ar, skb, txmode); + +- ret = ath10k_mac_tx(ar, vif, txmode, txpath, skb); ++ ret = ath10k_mac_tx(ar, vif, txmode, txpath, skb, true); + if (ret) { + ath10k_warn(ar, "failed to transmit offchannel frame: %d\n", + ret); +@@ -3777,8 +3777,8 @@ void ath10k_offchan_tx_work(struct work_struct *work) + time_left = + wait_for_completion_timeout(&ar->offchan_tx_completed, 3 * HZ); + if (time_left == 0) +- ath10k_warn(ar, "timed out waiting for offchannel skb %pK\n", +- skb); ++ ath10k_warn(ar, "timed out waiting for offchannel skb %pK, len: %d\n", ++ skb, skb->len); + + if (!peer && tmp_peer_created) { + ret = ath10k_peer_delete(ar, vdev_id, peer_addr); +@@ -3957,7 +3957,7 @@ int ath10k_mac_tx_push_txq(struct ieee80211_hw *hw, + spin_unlock_bh(&ar->htt.tx_lock); + } + +- ret = ath10k_mac_tx(ar, vif, txmode, txpath, skb); ++ ret = ath10k_mac_tx(ar, vif, txmode, txpath, skb, false); + if (unlikely(ret)) { + ath10k_warn(ar, "failed to push frame: %d\n", ret); + +@@ -4239,7 +4239,7 @@ static void ath10k_mac_op_tx(struct ieee80211_hw *hw, + spin_unlock_bh(&ar->htt.tx_lock); + } + +- ret = ath10k_mac_tx(ar, vif, txmode, txpath, skb); ++ ret = ath10k_mac_tx(ar, vif, txmode, txpath, skb, false); + if (ret) { + ath10k_warn(ar, "failed to transmit frame: %d\n", ret); + if (is_htt) { +-- +2.20.1 + diff --git a/queue-4.14/block-fix-writeback-throttling-w-1-compiler-warnings.patch b/queue-4.14/block-fix-writeback-throttling-w-1-compiler-warnings.patch new file mode 100644 index 00000000000..f8e60344dab --- /dev/null +++ b/queue-4.14/block-fix-writeback-throttling-w-1-compiler-warnings.patch @@ -0,0 +1,128 @@ +From 07c786b67a70e76d8072deddf81aeec46b5e488a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 16:00:41 -0700 +Subject: block: Fix writeback throttling W=1 compiler warnings + +From: Bart Van Assche + +[ Upstream commit 1d200e9d6f635ae894993a7d0f1b9e0b6e522e3b ] + +Fix the following compiler warnings: + +In file included from ./include/linux/bitmap.h:9, + from ./include/linux/cpumask.h:12, + from ./arch/x86/include/asm/cpumask.h:5, + from ./arch/x86/include/asm/msr.h:11, + from ./arch/x86/include/asm/processor.h:21, + from ./arch/x86/include/asm/cpufeature.h:5, + from ./arch/x86/include/asm/thread_info.h:53, + from ./include/linux/thread_info.h:38, + from ./arch/x86/include/asm/preempt.h:7, + from ./include/linux/preempt.h:78, + from ./include/linux/spinlock.h:51, + from ./include/linux/mmzone.h:8, + from ./include/linux/gfp.h:6, + from ./include/linux/mm.h:10, + from ./include/linux/bvec.h:13, + from ./include/linux/blk_types.h:10, + from block/blk-wbt.c:23: +In function 'strncpy', + inlined from 'perf_trace_wbt_stat' at ./include/trace/events/wbt.h:15:1: +./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation] + return __builtin_strncpy(p, q, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'perf_trace_wbt_lat' at ./include/trace/events/wbt.h:58:1: +./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation] + return __builtin_strncpy(p, q, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'perf_trace_wbt_step' at ./include/trace/events/wbt.h:87:1: +./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation] + return __builtin_strncpy(p, q, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'perf_trace_wbt_timer' at ./include/trace/events/wbt.h:126:1: +./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation] + return __builtin_strncpy(p, q, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'trace_event_raw_event_wbt_stat' at ./include/trace/events/wbt.h:15:1: +./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation] + return __builtin_strncpy(p, q, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'trace_event_raw_event_wbt_lat' at ./include/trace/events/wbt.h:58:1: +./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation] + return __builtin_strncpy(p, q, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'trace_event_raw_event_wbt_timer' at ./include/trace/events/wbt.h:126:1: +./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation] + return __builtin_strncpy(p, q, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'trace_event_raw_event_wbt_step' at ./include/trace/events/wbt.h:87:1: +./include/linux/string.h:260:9: warning: '__builtin_strncpy' specified bound 32 equals destination size [-Wstringop-truncation] + return __builtin_strncpy(p, q, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Cc: Christoph Hellwig +Cc: Ming Lei +Cc: Hannes Reinecke +Cc: Johannes Thumshirn +Fixes: e34cbd307477 ("blk-wbt: add general throttling mechanism"; v4.10). +Signed-off-by: Bart Van Assche +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/trace/events/wbt.h | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/include/trace/events/wbt.h b/include/trace/events/wbt.h +index b048694070e2..37342a13c9cb 100644 +--- a/include/trace/events/wbt.h ++++ b/include/trace/events/wbt.h +@@ -33,7 +33,8 @@ TRACE_EVENT(wbt_stat, + ), + + TP_fast_assign( +- strncpy(__entry->name, dev_name(bdi->dev), 32); ++ strlcpy(__entry->name, dev_name(bdi->dev), ++ ARRAY_SIZE(__entry->name)); + __entry->rmean = stat[0].mean; + __entry->rmin = stat[0].min; + __entry->rmax = stat[0].max; +@@ -67,7 +68,8 @@ TRACE_EVENT(wbt_lat, + ), + + TP_fast_assign( +- strncpy(__entry->name, dev_name(bdi->dev), 32); ++ strlcpy(__entry->name, dev_name(bdi->dev), ++ ARRAY_SIZE(__entry->name)); + __entry->lat = div_u64(lat, 1000); + ), + +@@ -103,7 +105,8 @@ TRACE_EVENT(wbt_step, + ), + + TP_fast_assign( +- strncpy(__entry->name, dev_name(bdi->dev), 32); ++ strlcpy(__entry->name, dev_name(bdi->dev), ++ ARRAY_SIZE(__entry->name)); + __entry->msg = msg; + __entry->step = step; + __entry->window = div_u64(window, 1000); +@@ -138,7 +141,8 @@ TRACE_EVENT(wbt_timer, + ), + + TP_fast_assign( +- strncpy(__entry->name, dev_name(bdi->dev), 32); ++ strlcpy(__entry->name, dev_name(bdi->dev), ++ ARRAY_SIZE(__entry->name)); + __entry->status = status; + __entry->step = step; + __entry->inflight = inflight; +-- +2.20.1 + diff --git a/queue-4.14/bluetooth-fix-advertising-duplicated-flags.patch b/queue-4.14/bluetooth-fix-advertising-duplicated-flags.patch new file mode 100644 index 00000000000..c4626908903 --- /dev/null +++ b/queue-4.14/bluetooth-fix-advertising-duplicated-flags.patch @@ -0,0 +1,60 @@ +From 850871fa207bbe0b003060e83818645cbcc67e06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Nov 2019 23:58:15 +0200 +Subject: Bluetooth: Fix advertising duplicated flags + +From: Luiz Augusto von Dentz + +[ Upstream commit 6012b9346d8959194c239fd60a62dfec98d43048 ] + +Instances may have flags set as part of its data in which case the code +should not attempt to add it again otherwise it can cause duplication: + +< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 + Handle: 0x00 + Operation: Complete extended advertising data (0x03) + Fragment preference: Minimize fragmentation (0x01) + Data length: 0x06 + Flags: 0x04 + BR/EDR Not Supported + Flags: 0x06 + LE General Discoverable Mode + BR/EDR Not Supported + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Johan Hedberg +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_request.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c +index b73ac149de34..759329bec399 100644 +--- a/net/bluetooth/hci_request.c ++++ b/net/bluetooth/hci_request.c +@@ -1095,6 +1095,14 @@ static u8 create_instance_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr) + + instance_flags = get_adv_instance_flags(hdev, instance); + ++ /* If instance already has the flags set skip adding it once ++ * again. ++ */ ++ if (adv_instance && eir_get_data(adv_instance->adv_data, ++ adv_instance->adv_data_len, EIR_FLAGS, ++ NULL)) ++ goto skip_flags; ++ + /* The Add Advertising command allows userspace to set both the general + * and limited discoverable flags. + */ +@@ -1127,6 +1135,7 @@ static u8 create_instance_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr) + } + } + ++skip_flags: + if (adv_instance) { + memcpy(ptr, adv_instance->adv_data, + adv_instance->adv_data_len); +-- +2.20.1 + diff --git a/queue-4.14/bluetooth-hci_core-fix-init-for-hci_user_channel.patch b/queue-4.14/bluetooth-hci_core-fix-init-for-hci_user_channel.patch new file mode 100644 index 00000000000..5e18a3f7ca7 --- /dev/null +++ b/queue-4.14/bluetooth-hci_core-fix-init-for-hci_user_channel.patch @@ -0,0 +1,52 @@ +From 13f28e3267fff6125daaef8d86f1e59a4e9c0ffc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 20:20:39 -0700 +Subject: Bluetooth: hci_core: fix init for HCI_USER_CHANNEL + +From: Mattijs Korpershoek + +[ Upstream commit eb8c101e28496888a0dcfe16ab86a1bee369e820 ] + +During the setup() stage, HCI device drivers expect the chip to +acknowledge its setup() completion via vendor specific frames. + +If userspace opens() such HCI device in HCI_USER_CHANNEL [1] mode, +the vendor specific frames are never tranmitted to the driver, as +they are filtered in hci_rx_work(). + +Allow HCI devices which operate in HCI_USER_CHANNEL mode to receive +frames if the HCI device is is HCI_INIT state. + +[1] https://www.spinics.net/lists/linux-bluetooth/msg37345.html + +Fixes: 23500189d7e0 ("Bluetooth: Introduce new HCI socket channel for user operation") +Signed-off-by: Mattijs Korpershoek +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index d6d7364838f4..ff80a9d41ce1 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4215,7 +4215,14 @@ static void hci_rx_work(struct work_struct *work) + hci_send_to_sock(hdev, skb); + } + +- if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { ++ /* If the device has been opened in HCI_USER_CHANNEL, ++ * the userspace has exclusive access to device. ++ * When device is HCI_INIT, we still need to process ++ * the data packets to the driver in order ++ * to complete its setup(). ++ */ ++ if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && ++ !test_bit(HCI_INIT, &hdev->flags)) { + kfree_skb(skb); + continue; + } +-- +2.20.1 + diff --git a/queue-4.14/bluetooth-missed-cpu_to_le16-conversion-in-hci_init4.patch b/queue-4.14/bluetooth-missed-cpu_to_le16-conversion-in-hci_init4.patch new file mode 100644 index 00000000000..1ec1ec9d1da --- /dev/null +++ b/queue-4.14/bluetooth-missed-cpu_to_le16-conversion-in-hci_init4.patch @@ -0,0 +1,48 @@ +From 802405a92b5d4a522b2699db081de39ffee4367f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 12:39:43 +0100 +Subject: Bluetooth: missed cpu_to_le16 conversion in hci_init4_req + +From: Ben Dooks (Codethink) + +[ Upstream commit 727ea61a5028f8ac96f75ab34cb1b56e63fd9227 ] + +It looks like in hci_init4_req() the request is being +initialised from cpu-endian data but the packet is specified +to be little-endian. This causes an warning from sparse due +to __le16 to u16 conversion. + +Fix this by using cpu_to_le16() on the two fields in the packet. + +net/bluetooth/hci_core.c:845:27: warning: incorrect type in assignment (different base types) +net/bluetooth/hci_core.c:845:27: expected restricted __le16 [usertype] tx_len +net/bluetooth/hci_core.c:845:27: got unsigned short [usertype] le_max_tx_len +net/bluetooth/hci_core.c:846:28: warning: incorrect type in assignment (different base types) +net/bluetooth/hci_core.c:846:28: expected restricted __le16 [usertype] tx_time +net/bluetooth/hci_core.c:846:28: got unsigned short [usertype] le_max_tx_time + +Signed-off-by: Ben Dooks +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 6bc679cd3481..d6d7364838f4 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -802,8 +802,8 @@ static int hci_init4_req(struct hci_request *req, unsigned long opt) + if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) { + struct hci_cp_le_write_def_data_len cp; + +- cp.tx_len = hdev->le_max_tx_len; +- cp.tx_time = hdev->le_max_tx_time; ++ cp.tx_len = cpu_to_le16(hdev->le_max_tx_len); ++ cp.tx_time = cpu_to_le16(hdev->le_max_tx_time); + hci_req_add(req, HCI_OP_LE_WRITE_DEF_DATA_LEN, sizeof(cp), &cp); + } + +-- +2.20.1 + diff --git a/queue-4.14/bnx2x-fix-pf-vf-communication-over-multi-cos-queues.patch b/queue-4.14/bnx2x-fix-pf-vf-communication-over-multi-cos-queues.patch new file mode 100644 index 00000000000..2a5ddb77b8d --- /dev/null +++ b/queue-4.14/bnx2x-fix-pf-vf-communication-over-multi-cos-queues.patch @@ -0,0 +1,54 @@ +From 5189cb296018da758d25912b2c99ef25b9f61ecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 21:51:11 -0800 +Subject: bnx2x: Fix PF-VF communication over multi-cos queues. + +From: Manish Chopra + +[ Upstream commit dc5a3d79c345871439ffe72550b604fcde9770e1 ] + +PF driver doesn't enable tx-switching for all cos queues/clients, +which causes packets drop from PF to VF. Fix this by enabling +tx-switching on all cos queues/clients. + +Signed-off-by: Manish Chopra +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c +index 9ca994d0bab6..1977e0c552df 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c +@@ -2389,15 +2389,21 @@ static int bnx2x_set_pf_tx_switching(struct bnx2x *bp, bool enable) + /* send the ramrod on all the queues of the PF */ + for_each_eth_queue(bp, i) { + struct bnx2x_fastpath *fp = &bp->fp[i]; ++ int tx_idx; + + /* Set the appropriate Queue object */ + q_params.q_obj = &bnx2x_sp_obj(bp, fp).q_obj; + +- /* Update the Queue state */ +- rc = bnx2x_queue_state_change(bp, &q_params); +- if (rc) { +- BNX2X_ERR("Failed to configure Tx switching\n"); +- return rc; ++ for (tx_idx = FIRST_TX_COS_INDEX; ++ tx_idx < fp->max_cos; tx_idx++) { ++ q_params.params.update.cid_index = tx_idx; ++ ++ /* Update the Queue state */ ++ rc = bnx2x_queue_state_change(bp, &q_params); ++ if (rc) { ++ BNX2X_ERR("Failed to configure Tx switching\n"); ++ return rc; ++ } + } + } + +-- +2.20.1 + diff --git a/queue-4.14/btrfs-don-t-prematurely-free-work-in-end_workqueue_f.patch b/queue-4.14/btrfs-don-t-prematurely-free-work-in-end_workqueue_f.patch new file mode 100644 index 00000000000..9e9aeb4ee46 --- /dev/null +++ b/queue-4.14/btrfs-don-t-prematurely-free-work-in-end_workqueue_f.patch @@ -0,0 +1,54 @@ +From 2c7301401a595904805c08a5b08f0ca946dff37c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2019 11:30:54 -0700 +Subject: btrfs: don't prematurely free work in end_workqueue_fn() + +From: Omar Sandoval + +[ Upstream commit 9be490f1e15c34193b1aae17da58e14dd9f55a95 ] + +Currently, end_workqueue_fn() frees the end_io_wq entry (which embeds +the work item) and then calls bio_endio(). This is another potential +instance of the bug in "btrfs: don't prematurely free work in +run_ordered_work()". + +In particular, the endio call may depend on other work items. For +example, btrfs_end_dio_bio() can call btrfs_subio_endio_read() -> +__btrfs_correct_data_nocsum() -> dio_read_error() -> +submit_dio_repair_bio(), which submits a bio that is also completed +through a end_workqueue_fn() work item. However, +__btrfs_correct_data_nocsum() waits for the newly submitted bio to +complete, thus it depends on another work item. + +This example currently usually works because we use different workqueue +helper functions for BTRFS_WQ_ENDIO_DATA and BTRFS_WQ_ENDIO_DIO_REPAIR. +However, it may deadlock with stacked filesystems and is fragile +overall. The proper fix is to free the work item at the very end of the +work function, so let's do that. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Omar Sandoval +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 813834552aa1..a8ea56218d6b 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1679,8 +1679,8 @@ static void end_workqueue_fn(struct btrfs_work *work) + bio->bi_status = end_io_wq->status; + bio->bi_private = end_io_wq->private; + bio->bi_end_io = end_io_wq->end_io; +- kmem_cache_free(btrfs_end_io_wq_cache, end_io_wq); + bio_endio(bio); ++ kmem_cache_free(btrfs_end_io_wq_cache, end_io_wq); + } + + static int cleaner_kthread(void *arg) +-- +2.20.1 + diff --git a/queue-4.14/btrfs-don-t-prematurely-free-work-in-reada_start_mac.patch b/queue-4.14/btrfs-don-t-prematurely-free-work-in-reada_start_mac.patch new file mode 100644 index 00000000000..f12445ab102 --- /dev/null +++ b/queue-4.14/btrfs-don-t-prematurely-free-work-in-reada_start_mac.patch @@ -0,0 +1,66 @@ +From 2e46b7ae5cfdd1278b9141a90a71c47146beac5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2019 11:30:55 -0700 +Subject: btrfs: don't prematurely free work in reada_start_machine_worker() + +From: Omar Sandoval + +[ Upstream commit e732fe95e4cad35fc1df278c23a32903341b08b3 ] + +Currently, reada_start_machine_worker() frees the reada_machine_work and +then calls __reada_start_machine() to do readahead. This is another +potential instance of the bug in "btrfs: don't prematurely free work in +run_ordered_work()". + +There _might_ already be a deadlock here: reada_start_machine_worker() +can depend on itself through stacked filesystems (__read_start_machine() +-> reada_start_machine_dev() -> reada_tree_block_flagged() -> +read_extent_buffer_pages() -> submit_one_bio() -> +btree_submit_bio_hook() -> btrfs_map_bio() -> submit_stripe_bio() -> +submit_bio() onto a loop device can trigger readahead on the lower +filesystem). + +Either way, let's fix it by freeing the work at the end. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Omar Sandoval +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/reada.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/reada.c b/fs/btrfs/reada.c +index 3a4e15b39cc1..440c0d5d2050 100644 +--- a/fs/btrfs/reada.c ++++ b/fs/btrfs/reada.c +@@ -734,21 +734,19 @@ static int reada_start_machine_dev(struct btrfs_device *dev) + static void reada_start_machine_worker(struct btrfs_work *work) + { + struct reada_machine_work *rmw; +- struct btrfs_fs_info *fs_info; + int old_ioprio; + + rmw = container_of(work, struct reada_machine_work, work); +- fs_info = rmw->fs_info; +- +- kfree(rmw); + + old_ioprio = IOPRIO_PRIO_VALUE(task_nice_ioclass(current), + task_nice_ioprio(current)); + set_task_ioprio(current, BTRFS_IOPRIO_READA); +- __reada_start_machine(fs_info); ++ __reada_start_machine(rmw->fs_info); + set_task_ioprio(current, old_ioprio); + +- atomic_dec(&fs_info->reada_works_cnt); ++ atomic_dec(&rmw->fs_info->reada_works_cnt); ++ ++ kfree(rmw); + } + + static void __reada_start_machine(struct btrfs_fs_info *fs_info) +-- +2.20.1 + diff --git a/queue-4.14/btrfs-don-t-prematurely-free-work-in-run_ordered_wor.patch b/queue-4.14/btrfs-don-t-prematurely-free-work-in-run_ordered_wor.patch new file mode 100644 index 00000000000..f5fb32b11dc --- /dev/null +++ b/queue-4.14/btrfs-don-t-prematurely-free-work-in-run_ordered_wor.patch @@ -0,0 +1,154 @@ +From fce2f6225e35b7a9509bc931a46823baa9f42415 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2019 11:30:53 -0700 +Subject: btrfs: don't prematurely free work in run_ordered_work() + +From: Omar Sandoval + +[ Upstream commit c495dcd6fbe1dce51811a76bb85b4675f6494938 ] + +We hit the following very strange deadlock on a system with Btrfs on a +loop device backed by another Btrfs filesystem: + +1. The top (loop device) filesystem queues an async_cow work item from + cow_file_range_async(). We'll call this work X. +2. Worker thread A starts work X (normal_work_helper()). +3. Worker thread A executes the ordered work for the top filesystem + (run_ordered_work()). +4. Worker thread A finishes the ordered work for work X and frees X + (work->ordered_free()). +5. Worker thread A executes another ordered work and gets blocked on I/O + to the bottom filesystem (still in run_ordered_work()). +6. Meanwhile, the bottom filesystem allocates and queues an async_cow + work item which happens to be the recently-freed X. +7. The workqueue code sees that X is already being executed by worker + thread A, so it schedules X to be executed _after_ worker thread A + finishes (see the find_worker_executing_work() call in + process_one_work()). + +Now, the top filesystem is waiting for I/O on the bottom filesystem, but +the bottom filesystem is waiting for the top filesystem to finish, so we +deadlock. + +This happens because we are breaking the workqueue assumption that a +work item cannot be recycled while it still depends on other work. Fix +it by waiting to free the work item until we are done with all of the +related ordered work. + +P.S.: + +One might ask why the workqueue code doesn't try to detect a recycled +work item. It actually does try by checking whether the work item has +the same work function (find_worker_executing_work()), but in our case +the function is the same. This is the only key that the workqueue code +has available to compare, short of adding an additional, layer-violating +"custom key". Considering that we're the only ones that have ever hit +this, we should just play by the rules. + +Unfortunately, we haven't been able to create a minimal reproducer other +than our full container setup using a compress-force=zstd filesystem on +top of another compress-force=zstd filesystem. + +Suggested-by: Tejun Heo +Reviewed-by: Johannes Thumshirn +Signed-off-by: Omar Sandoval +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/async-thread.c | 56 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 44 insertions(+), 12 deletions(-) + +diff --git a/fs/btrfs/async-thread.c b/fs/btrfs/async-thread.c +index e00c8a9fd5bb..72d7589072f5 100644 +--- a/fs/btrfs/async-thread.c ++++ b/fs/btrfs/async-thread.c +@@ -265,16 +265,17 @@ out: + } + } + +-static void run_ordered_work(struct __btrfs_workqueue *wq) ++static void run_ordered_work(struct __btrfs_workqueue *wq, ++ struct btrfs_work *self) + { + struct list_head *list = &wq->ordered_list; + struct btrfs_work *work; + spinlock_t *lock = &wq->list_lock; + unsigned long flags; ++ void *wtag; ++ bool free_self = false; + + while (1) { +- void *wtag; +- + spin_lock_irqsave(lock, flags); + if (list_empty(list)) + break; +@@ -300,16 +301,47 @@ static void run_ordered_work(struct __btrfs_workqueue *wq) + list_del(&work->ordered_list); + spin_unlock_irqrestore(lock, flags); + +- /* +- * We don't want to call the ordered free functions with the +- * lock held though. Save the work as tag for the trace event, +- * because the callback could free the structure. +- */ +- wtag = work; +- work->ordered_free(work); +- trace_btrfs_all_work_done(wq->fs_info, wtag); ++ if (work == self) { ++ /* ++ * This is the work item that the worker is currently ++ * executing. ++ * ++ * The kernel workqueue code guarantees non-reentrancy ++ * of work items. I.e., if a work item with the same ++ * address and work function is queued twice, the second ++ * execution is blocked until the first one finishes. A ++ * work item may be freed and recycled with the same ++ * work function; the workqueue code assumes that the ++ * original work item cannot depend on the recycled work ++ * item in that case (see find_worker_executing_work()). ++ * ++ * Note that the work of one Btrfs filesystem may depend ++ * on the work of another Btrfs filesystem via, e.g., a ++ * loop device. Therefore, we must not allow the current ++ * work item to be recycled until we are really done, ++ * otherwise we break the above assumption and can ++ * deadlock. ++ */ ++ free_self = true; ++ } else { ++ /* ++ * We don't want to call the ordered free functions with ++ * the lock held though. Save the work as tag for the ++ * trace event, because the callback could free the ++ * structure. ++ */ ++ wtag = work; ++ work->ordered_free(work); ++ trace_btrfs_all_work_done(wq->fs_info, wtag); ++ } + } + spin_unlock_irqrestore(lock, flags); ++ ++ if (free_self) { ++ wtag = self; ++ self->ordered_free(self); ++ trace_btrfs_all_work_done(wq->fs_info, wtag); ++ } + } + + static void normal_work_helper(struct btrfs_work *work) +@@ -337,7 +369,7 @@ static void normal_work_helper(struct btrfs_work *work) + work->func(work); + if (need_order) { + set_bit(WORK_DONE_BIT, &work->flags); +- run_ordered_work(wq); ++ run_ordered_work(wq, work); + } + if (!need_order) + trace_btrfs_all_work_done(wq->fs_info, wtag); +-- +2.20.1 + diff --git a/queue-4.14/btrfs-don-t-prematurely-free-work-in-scrub_missing_r.patch b/queue-4.14/btrfs-don-t-prematurely-free-work-in-scrub_missing_r.patch new file mode 100644 index 00000000000..49b84038cb4 --- /dev/null +++ b/queue-4.14/btrfs-don-t-prematurely-free-work-in-scrub_missing_r.patch @@ -0,0 +1,47 @@ +From f30fa2c32f0d9c06976e2400a22dec742197927b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2019 11:30:56 -0700 +Subject: btrfs: don't prematurely free work in scrub_missing_raid56_worker() + +From: Omar Sandoval + +[ Upstream commit 57d4f0b863272ba04ba85f86bfdc0f976f0af91c ] + +Currently, scrub_missing_raid56_worker() puts and potentially frees +sblock (which embeds the work item) and then submits a bio through +scrub_wr_submit(). This is another potential instance of the bug in +"btrfs: don't prematurely free work in run_ordered_work()". Fix it by +dropping the reference after we submit the bio. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Omar Sandoval +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/scrub.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index 61192c536e6c..2ebae9773978 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -2421,14 +2421,13 @@ static void scrub_missing_raid56_worker(struct btrfs_work *work) + scrub_write_block_to_dev_replace(sblock); + } + +- scrub_block_put(sblock); +- + if (sctx->is_dev_replace && sctx->flush_all_writes) { + mutex_lock(&sctx->wr_lock); + scrub_wr_submit(sctx); + mutex_unlock(&sctx->wr_lock); + } + ++ scrub_block_put(sblock); + scrub_pending_bio_dec(sctx); + } + +-- +2.20.1 + diff --git a/queue-4.14/cpufreq-register-drivers-only-after-cpu-devices-have.patch b/queue-4.14/cpufreq-register-drivers-only-after-cpu-devices-have.patch new file mode 100644 index 00000000000..cc977c48b8e --- /dev/null +++ b/queue-4.14/cpufreq-register-drivers-only-after-cpu-devices-have.patch @@ -0,0 +1,69 @@ +From d8e6afaa4bb9150b8754034d4f185bb0e41b9f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 09:06:17 +0530 +Subject: cpufreq: Register drivers only after CPU devices have been registered + +From: Viresh Kumar + +[ Upstream commit 46770be0cf94149ca48be87719bda1d951066644 ] + +The cpufreq core heavily depends on the availability of the struct +device for CPUs and if they aren't available at the time cpufreq driver +is registered, we will never succeed in making cpufreq work. + +This happens due to following sequence of events: + +- cpufreq_register_driver() + - subsys_interface_register() + - return 0; //successful registration of driver + +... at a later point of time + +- register_cpu(); + - device_register(); + - bus_probe_device(); + - sif->add_dev(); + - cpufreq_add_dev(); + - get_cpu_device(); //FAILS + - per_cpu(cpu_sys_devices, num) = &cpu->dev; //used by get_cpu_device() + - return 0; //CPU registered successfully + +Because the per-cpu variable cpu_sys_devices is set only after the CPU +device is regsitered, cpufreq will never be able to get it when +cpufreq_add_dev() is called. + +This patch avoids this failure by making sure device structure of at +least CPU0 is available when the cpufreq driver is registered, else +return -EPROBE_DEFER. + +Reported-by: Bjorn Andersson +Co-developed-by: Amit Kucheria +Signed-off-by: Viresh Kumar +Tested-by: Amit Kucheria +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 480e8c13567c..c798a1233e6a 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2475,6 +2475,13 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) + if (cpufreq_disabled()) + return -ENODEV; + ++ /* ++ * The cpufreq core depends heavily on the availability of device ++ * structure, make sure they are available before proceeding further. ++ */ ++ if (!get_cpu_device(0)) ++ return -EPROBE_DEFER; ++ + if (!driver_data || !driver_data->verify || !driver_data->init || + !(driver_data->setpolicy || driver_data->target_index || + driver_data->target) || +-- +2.20.1 + diff --git a/queue-4.14/crypto-sun4i-ss-fix-64-bit-size_t-warnings-on-sun4i-.patch b/queue-4.14/crypto-sun4i-ss-fix-64-bit-size_t-warnings-on-sun4i-.patch new file mode 100644 index 00000000000..305ee447529 --- /dev/null +++ b/queue-4.14/crypto-sun4i-ss-fix-64-bit-size_t-warnings-on-sun4i-.patch @@ -0,0 +1,61 @@ +From 8fbf0b94af4dc3950c611425f1ac122a04782162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 11:49:06 +0100 +Subject: crypto: sun4i-ss - Fix 64-bit size_t warnings on sun4i-ss-hash.c + +From: Corentin Labbe + +[ Upstream commit a7126603d46fe8f01aeedf589e071c6aaa6c6c39 ] + +If you try to compile this driver on a 64-bit platform then you +will get warnings because it mixes size_t with unsigned int which +only works on 32-bit. + +This patch fixes all of the warnings on sun4i-ss-hash.c. +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c +index f6936bb3b7be..1a724263761b 100644 +--- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c +@@ -276,8 +276,8 @@ static int sun4i_hash(struct ahash_request *areq) + */ + while (op->len < 64 && i < end) { + /* how many bytes we can read from current SG */ +- in_r = min3(mi.length - in_i, end - i, +- 64 - op->len); ++ in_r = min(end - i, 64 - op->len); ++ in_r = min_t(size_t, mi.length - in_i, in_r); + memcpy(op->buf + op->len, mi.addr + in_i, in_r); + op->len += in_r; + i += in_r; +@@ -297,8 +297,8 @@ static int sun4i_hash(struct ahash_request *areq) + } + if (mi.length - in_i > 3 && i < end) { + /* how many bytes we can read from current SG */ +- in_r = min3(mi.length - in_i, areq->nbytes - i, +- ((mi.length - in_i) / 4) * 4); ++ in_r = min_t(size_t, mi.length - in_i, areq->nbytes - i); ++ in_r = min_t(size_t, ((mi.length - in_i) / 4) * 4, in_r); + /* how many bytes we can write in the device*/ + todo = min3((u32)(end - i) / 4, rx_cnt, (u32)in_r / 4); + writesl(ss->base + SS_RXFIFO, mi.addr + in_i, todo); +@@ -324,8 +324,8 @@ static int sun4i_hash(struct ahash_request *areq) + if ((areq->nbytes - i) < 64) { + while (i < areq->nbytes && in_i < mi.length && op->len < 64) { + /* how many bytes we can read from current SG */ +- in_r = min3(mi.length - in_i, areq->nbytes - i, +- 64 - op->len); ++ in_r = min(areq->nbytes - i, 64 - op->len); ++ in_r = min_t(size_t, mi.length - in_i, in_r); + memcpy(op->buf + op->len, mi.addr + in_i, in_r); + op->len += in_r; + i += in_r; +-- +2.20.1 + diff --git a/queue-4.14/crypto-sun4i-ss-fix-64-bit-size_t-warnings.patch b/queue-4.14/crypto-sun4i-ss-fix-64-bit-size_t-warnings.patch new file mode 100644 index 00000000000..18863fb6d6e --- /dev/null +++ b/queue-4.14/crypto-sun4i-ss-fix-64-bit-size_t-warnings.patch @@ -0,0 +1,102 @@ +From 63f51d5ff7aed0a1bc34f2b93ca514088c5a4eea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2019 10:38:34 +0800 +Subject: crypto: sun4i-ss - Fix 64-bit size_t warnings + +From: Herbert Xu + +[ Upstream commit d6e9da21ee8246b5e556b3b153401ab045adb986 ] + +If you try to compile this driver on a 64-bit platform then you +will get warnings because it mixes size_t with unsigned int which +only works on 32-bit. + +This patch fixes all of the warnings. + +Signed-off-by: Herbert Xu +Acked-by: Corentin Labbe +Tested-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c +index 5cf64746731a..22e491857925 100644 +--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c +@@ -81,7 +81,8 @@ static int sun4i_ss_opti_poll(struct skcipher_request *areq) + oi = 0; + oo = 0; + do { +- todo = min3(rx_cnt, ileft, (mi.length - oi) / 4); ++ todo = min(rx_cnt, ileft); ++ todo = min_t(size_t, todo, (mi.length - oi) / 4); + if (todo) { + ileft -= todo; + writesl(ss->base + SS_RXFIFO, mi.addr + oi, todo); +@@ -96,7 +97,8 @@ static int sun4i_ss_opti_poll(struct skcipher_request *areq) + rx_cnt = SS_RXFIFO_SPACES(spaces); + tx_cnt = SS_TXFIFO_SPACES(spaces); + +- todo = min3(tx_cnt, oleft, (mo.length - oo) / 4); ++ todo = min(tx_cnt, oleft); ++ todo = min_t(size_t, todo, (mo.length - oo) / 4); + if (todo) { + oleft -= todo; + readsl(ss->base + SS_TXFIFO, mo.addr + oo, todo); +@@ -220,7 +222,8 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + * todo is the number of consecutive 4byte word that we + * can read from current SG + */ +- todo = min3(rx_cnt, ileft / 4, (mi.length - oi) / 4); ++ todo = min(rx_cnt, ileft / 4); ++ todo = min_t(size_t, todo, (mi.length - oi) / 4); + if (todo && !ob) { + writesl(ss->base + SS_RXFIFO, mi.addr + oi, + todo); +@@ -234,8 +237,8 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + * we need to be able to write all buf in one + * pass, so it is why we min() with rx_cnt + */ +- todo = min3(rx_cnt * 4 - ob, ileft, +- mi.length - oi); ++ todo = min(rx_cnt * 4 - ob, ileft); ++ todo = min_t(size_t, todo, mi.length - oi); + memcpy(buf + ob, mi.addr + oi, todo); + ileft -= todo; + oi += todo; +@@ -255,7 +258,8 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + spaces = readl(ss->base + SS_FCSR); + rx_cnt = SS_RXFIFO_SPACES(spaces); + tx_cnt = SS_TXFIFO_SPACES(spaces); +- dev_dbg(ss->dev, "%x %u/%u %u/%u cnt=%u %u/%u %u/%u cnt=%u %u\n", ++ dev_dbg(ss->dev, ++ "%x %u/%zu %u/%u cnt=%u %u/%zu %u/%u cnt=%u %u\n", + mode, + oi, mi.length, ileft, areq->cryptlen, rx_cnt, + oo, mo.length, oleft, areq->cryptlen, tx_cnt, ob); +@@ -263,7 +267,8 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + if (!tx_cnt) + continue; + /* todo in 4bytes word */ +- todo = min3(tx_cnt, oleft / 4, (mo.length - oo) / 4); ++ todo = min(tx_cnt, oleft / 4); ++ todo = min_t(size_t, todo, (mo.length - oo) / 4); + if (todo) { + readsl(ss->base + SS_TXFIFO, mo.addr + oo, todo); + oleft -= todo * 4; +@@ -287,7 +292,8 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + * no more than remaining buffer + * no need to test against oleft + */ +- todo = min(mo.length - oo, obl - obo); ++ todo = min_t(size_t, ++ mo.length - oo, obl - obo); + memcpy(mo.addr + oo, bufo + obo, todo); + oleft -= todo; + obo += todo; +-- +2.20.1 + diff --git a/queue-4.14/crypto-virtio-deal-with-unsupported-input-sizes.patch b/queue-4.14/crypto-virtio-deal-with-unsupported-input-sizes.patch new file mode 100644 index 00000000000..ceaad8f6ca4 --- /dev/null +++ b/queue-4.14/crypto-virtio-deal-with-unsupported-input-sizes.patch @@ -0,0 +1,67 @@ +From ea140500d5d56826e0670cb0051f91a28897c41e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Nov 2019 18:09:27 +0100 +Subject: crypto: virtio - deal with unsupported input sizes + +From: Ard Biesheuvel + +[ Upstream commit 19c5da7d4a2662e85ea67d2d81df57e038fde3ab ] + +Return -EINVAL for input sizes that are not a multiple of the AES +block size, since they are not supported by our CBC chaining mode. + +While at it, remove the pr_err() that reports unsupported key sizes +being used: we shouldn't spam the kernel log with that. + +Fixes: dbaf0624ffa5 ("crypto: add virtio-crypto driver") +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Gonglei +Cc: virtualization@lists.linux-foundation.org +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/virtio_crypto_algs.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c +index 5035b0dc1e40..e2231a1a05a1 100644 +--- a/drivers/crypto/virtio/virtio_crypto_algs.c ++++ b/drivers/crypto/virtio/virtio_crypto_algs.c +@@ -110,8 +110,6 @@ virtio_crypto_alg_validate_key(int key_len, uint32_t *alg) + *alg = VIRTIO_CRYPTO_CIPHER_AES_CBC; + break; + default: +- pr_err("virtio_crypto: Unsupported key length: %d\n", +- key_len); + return -EINVAL; + } + return 0; +@@ -485,6 +483,11 @@ static int virtio_crypto_ablkcipher_encrypt(struct ablkcipher_request *req) + /* Use the first data virtqueue as default */ + struct data_queue *data_vq = &vcrypto->data_vq[0]; + ++ if (!req->nbytes) ++ return 0; ++ if (req->nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + vc_req->dataq = data_vq; + vc_req->alg_cb = virtio_crypto_dataq_sym_callback; + vc_sym_req->ablkcipher_ctx = ctx; +@@ -505,6 +508,11 @@ static int virtio_crypto_ablkcipher_decrypt(struct ablkcipher_request *req) + /* Use the first data virtqueue as default */ + struct data_queue *data_vq = &vcrypto->data_vq[0]; + ++ if (!req->nbytes) ++ return 0; ++ if (req->nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + vc_req->dataq = data_vq; + vc_req->alg_cb = virtio_crypto_dataq_sym_callback; + vc_sym_req->ablkcipher_ctx = ctx; +-- +2.20.1 + diff --git a/queue-4.14/crypto-vmx-avoid-weird-build-failures.patch b/queue-4.14/crypto-vmx-avoid-weird-build-failures.patch new file mode 100644 index 00000000000..c7ef1dd7521 --- /dev/null +++ b/queue-4.14/crypto-vmx-avoid-weird-build-failures.patch @@ -0,0 +1,67 @@ +From 94715f0a9867470412b583156d0b65797f7b41df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2019 22:27:38 +1100 +Subject: crypto: vmx - Avoid weird build failures + +From: Michael Ellerman + +[ Upstream commit 4ee812f6143d78d8ba1399671d78c8d78bf2817c ] + +In the vmx crypto Makefile we assign to a variable called TARGET and +pass that to the aesp8-ppc.pl and ghashp8-ppc.pl scripts. + +The variable is meant to describe what flavour of powerpc we're +building for, eg. either 32 or 64-bit, and big or little endian. + +Unfortunately TARGET is a fairly common name for a make variable, and +if it happens that TARGET is specified as a command line parameter to +make, the value specified on the command line will override our value. + +In particular this can happen if the kernel Makefile is driven by an +external Makefile that uses TARGET for something. + +This leads to weird build failures, eg: + nonsense at /build/linux/drivers/crypto/vmx/ghashp8-ppc.pl line 45. + /linux/drivers/crypto/vmx/Makefile:20: recipe for target 'drivers/crypto/vmx/ghashp8-ppc.S' failed + +Which shows that we passed an empty value for $(TARGET) to the perl +script, confirmed with make V=1: + + perl /linux/drivers/crypto/vmx/ghashp8-ppc.pl > drivers/crypto/vmx/ghashp8-ppc.S + +We can avoid this confusion by using override, to tell make that we +don't want anything to override our variable, even a value specified +on the command line. We can also use a less common name, given the +script calls it "flavour", let's use that. + +Signed-off-by: Michael Ellerman +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/vmx/Makefile | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/vmx/Makefile b/drivers/crypto/vmx/Makefile +index cab32cfec9c4..709670d2b553 100644 +--- a/drivers/crypto/vmx/Makefile ++++ b/drivers/crypto/vmx/Makefile +@@ -3,13 +3,13 @@ obj-$(CONFIG_CRYPTO_DEV_VMX_ENCRYPT) += vmx-crypto.o + vmx-crypto-objs := vmx.o aesp8-ppc.o ghashp8-ppc.o aes.o aes_cbc.o aes_ctr.o aes_xts.o ghash.o + + ifeq ($(CONFIG_CPU_LITTLE_ENDIAN),y) +-TARGET := linux-ppc64le ++override flavour := linux-ppc64le + else +-TARGET := linux-ppc64 ++override flavour := linux-ppc64 + endif + + quiet_cmd_perl = PERL $@ +- cmd_perl = $(PERL) $(<) $(TARGET) > $(@) ++ cmd_perl = $(PERL) $(<) $(flavour) > $(@) + + targets += aesp8-ppc.S ghashp8-ppc.S + +-- +2.20.1 + diff --git a/queue-4.14/drm-amdgpu-fix-potential-double-drop-fence-reference.patch b/queue-4.14/drm-amdgpu-fix-potential-double-drop-fence-reference.patch new file mode 100644 index 00000000000..b198017f6c6 --- /dev/null +++ b/queue-4.14/drm-amdgpu-fix-potential-double-drop-fence-reference.patch @@ -0,0 +1,48 @@ +From a8db3839f31a928870547497dbd5cc6d1ebff63a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 17:14:45 +0800 +Subject: drm/amdgpu: fix potential double drop fence reference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pan Bian + +[ Upstream commit 946ab8db6953535a3a88c957db8328beacdfed9d ] + +The object fence is not set to NULL after its reference is dropped. As a +result, its reference may be dropped again if error occurs after that, +which may lead to a use after free bug. To avoid the issue, fence is +explicitly set to NULL after dropping its reference. + +Acked-by: Christian König +Signed-off-by: Pan Bian +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_test.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c +index ed8c3739015b..b35b0741fd97 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_test.c +@@ -125,6 +125,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev) + } + + dma_fence_put(fence); ++ fence = NULL; + + r = amdgpu_bo_kmap(vram_obj, &vram_map); + if (r) { +@@ -170,6 +171,7 @@ static void amdgpu_do_test_moves(struct amdgpu_device *adev) + } + + dma_fence_put(fence); ++ fence = NULL; + + r = amdgpu_bo_kmap(gtt_obj[i], >t_map); + if (r) { +-- +2.20.1 + diff --git a/queue-4.14/drm-bridge-analogix-anx78xx-silence-eprobe_defer-war.patch b/queue-4.14/drm-bridge-analogix-anx78xx-silence-eprobe_defer-war.patch new file mode 100644 index 00000000000..3550ceccc54 --- /dev/null +++ b/queue-4.14/drm-bridge-analogix-anx78xx-silence-eprobe_defer-war.patch @@ -0,0 +1,50 @@ +From 691ee89362cb8a6b7de45cf16047a2f14b931327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2019 20:48:46 -0400 +Subject: drm/bridge: analogix-anx78xx: silence -EPROBE_DEFER warnings + +From: Brian Masney + +[ Upstream commit 2708e876272d89bbbff811d12834adbeef85f022 ] + +Silence two warning messages that occur due to -EPROBE_DEFER errors to +help cleanup the system boot log. + +Signed-off-by: Brian Masney +Reviewed-by: Linus Walleij +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/20190815004854.19860-4-masneyb@onstation.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/analogix-anx78xx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/analogix-anx78xx.c b/drivers/gpu/drm/bridge/analogix-anx78xx.c +index 9385eb0b1ee4..cd2bfd7bf048 100644 +--- a/drivers/gpu/drm/bridge/analogix-anx78xx.c ++++ b/drivers/gpu/drm/bridge/analogix-anx78xx.c +@@ -725,7 +725,9 @@ static int anx78xx_init_pdata(struct anx78xx *anx78xx) + /* 1.0V digital core power regulator */ + pdata->dvdd10 = devm_regulator_get(dev, "dvdd10"); + if (IS_ERR(pdata->dvdd10)) { +- DRM_ERROR("DVDD10 regulator not found\n"); ++ if (PTR_ERR(pdata->dvdd10) != -EPROBE_DEFER) ++ DRM_ERROR("DVDD10 regulator not found\n"); ++ + return PTR_ERR(pdata->dvdd10); + } + +@@ -1344,7 +1346,9 @@ static int anx78xx_i2c_probe(struct i2c_client *client, + + err = anx78xx_init_pdata(anx78xx); + if (err) { +- DRM_ERROR("Failed to initialize pdata: %d\n", err); ++ if (err != -EPROBE_DEFER) ++ DRM_ERROR("Failed to initialize pdata: %d\n", err); ++ + return err; + } + +-- +2.20.1 + diff --git a/queue-4.14/drm-bridge-dw-hdmi-refuse-ddc-ci-transfers-on-the-in.patch b/queue-4.14/drm-bridge-dw-hdmi-refuse-ddc-ci-transfers-on-the-in.patch new file mode 100644 index 00000000000..cec5ab1ba34 --- /dev/null +++ b/queue-4.14/drm-bridge-dw-hdmi-refuse-ddc-ci-transfers-on-the-in.patch @@ -0,0 +1,61 @@ +From 9e55a585b906af2c413eb3751dd66db8943c8c9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 12:44:06 -0700 +Subject: drm/bridge: dw-hdmi: Refuse DDC/CI transfers on the internal I2C + controller + +From: Matthias Kaehlcke + +[ Upstream commit bee447e224b2645911c5d06e35dc90d8433fcef6 ] + +The DDC/CI protocol involves sending a multi-byte request to the +display via I2C, which is typically followed by a multi-byte +response. The internal I2C controller only allows single byte +reads/writes or reads of 8 sequential bytes, hence DDC/CI is not +supported when the internal I2C controller is used. The I2C +transfers complete without errors, however the data in the response +is garbage. Abort transfers to/from slave address 0x37 (DDC) with +-EOPNOTSUPP, to make it evident that the communication is failing. + +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Douglas Anderson +Reviewed-by: Sean Paul +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20191002124354.v2.1.I709dfec496f5f0b44a7b61dcd4937924da8d8382@changeid +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +index 4db31b89507c..0febaafb8d89 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +@@ -39,6 +39,7 @@ + + #include + ++#define DDC_CI_ADDR 0x37 + #define DDC_SEGMENT_ADDR 0x30 + + #define HDMI_EDID_LEN 512 +@@ -320,6 +321,15 @@ static int dw_hdmi_i2c_xfer(struct i2c_adapter *adap, + u8 addr = msgs[0].addr; + int i, ret = 0; + ++ if (addr == DDC_CI_ADDR) ++ /* ++ * The internal I2C controller does not support the multi-byte ++ * read and write operations needed for DDC/CI. ++ * TOFIX: Blacklist the DDC/CI address until we filter out ++ * unsupported I2C operations. ++ */ ++ return -EOPNOTSUPP; ++ + dev_dbg(hdmi->dev, "xfer: num: %d, addr: %#x\n", num, addr); + + for (i = 0; i < num; i++) { +-- +2.20.1 + diff --git a/queue-4.14/drm-bridge-dw-hdmi-restore-audio-when-setting-a-mode.patch b/queue-4.14/drm-bridge-dw-hdmi-restore-audio-when-setting-a-mode.patch new file mode 100644 index 00000000000..3594eb94d65 --- /dev/null +++ b/queue-4.14/drm-bridge-dw-hdmi-restore-audio-when-setting-a-mode.patch @@ -0,0 +1,47 @@ +From 2f6d7130ad4dcd17e5c628fdec44370c25b65792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2019 18:21:45 +0800 +Subject: drm/bridge: dw-hdmi: Restore audio when setting a mode + +From: Daniel Kurtz + +[ Upstream commit fadfee3f9d8f114435a8a3e9f83a227600d89de7 ] + +When setting a new display mode, dw_hdmi_setup() calls +dw_hdmi_enable_video_path(), which disables all hdmi clocks, including +the audio clock. + +We should only (re-)enable the audio clock if audio was already enabled +when setting the new mode. + +Without this patch, on RK3288, there will be HDMI audio on some monitors +if i2s was played to headphone when the monitor was plugged. +ACER H277HU and ASUS PB278 are two of the monitors showing this issue. + +Signed-off-by: Cheng-Yi Chiang +Signed-off-by: Daniel Kurtz +Signed-off-by: Yakir Yang +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20191008102145.55134-1-cychiang@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +index 0febaafb8d89..cc1094f90125 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +@@ -1743,7 +1743,7 @@ static int dw_hdmi_setup(struct dw_hdmi *hdmi, struct drm_display_mode *mode) + + /* HDMI Initialization Step E - Configure audio */ + hdmi_clk_regenerator_update_pixel_clock(hdmi); +- hdmi_enable_audio_clk(hdmi, true); ++ hdmi_enable_audio_clk(hdmi, hdmi->audio_enable); + } + + /* not for DVI mode */ +-- +2.20.1 + diff --git a/queue-4.14/drm-gma500-fix-memory-disclosures-due-to-uninitializ.patch b/queue-4.14/drm-gma500-fix-memory-disclosures-due-to-uninitializ.patch new file mode 100644 index 00000000000..62d95abe037 --- /dev/null +++ b/queue-4.14/drm-gma500-fix-memory-disclosures-due-to-uninitializ.patch @@ -0,0 +1,44 @@ +From 2dfbd1ac033e00782466cd9723dd5b0d544c568a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 23:41:50 -0500 +Subject: drm/gma500: fix memory disclosures due to uninitialized bytes + +From: Kangjie Lu + +[ Upstream commit ec3b7b6eb8c90b52f61adff11b6db7a8db34de19 ] + +"clock" may be copied to "best_clock". Initializing best_clock +is not sufficient. The fix initializes clock as well to avoid +memory disclosures and informaiton leaks. + +Signed-off-by: Kangjie Lu +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20191018044150.1899-1-kjlu@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_crtc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_crtc.c b/drivers/gpu/drm/gma500/oaktrail_crtc.c +index 0fff269d3fe6..42785f3df60f 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_crtc.c ++++ b/drivers/gpu/drm/gma500/oaktrail_crtc.c +@@ -139,6 +139,7 @@ static bool mrst_sdvo_find_best_pll(const struct gma_limit_t *limit, + s32 freq_error, min_error = 100000; + + memset(best_clock, 0, sizeof(*best_clock)); ++ memset(&clock, 0, sizeof(clock)); + + for (clock.m = limit->m.min; clock.m <= limit->m.max; clock.m++) { + for (clock.n = limit->n.min; clock.n <= limit->n.max; +@@ -195,6 +196,7 @@ static bool mrst_lvds_find_best_pll(const struct gma_limit_t *limit, + int err = target; + + memset(best_clock, 0, sizeof(*best_clock)); ++ memset(&clock, 0, sizeof(clock)); + + for (clock.m = limit->m.min; clock.m <= limit->m.max; clock.m++) { + for (clock.p1 = limit->p1.min; clock.p1 <= limit->p1.max; +-- +2.20.1 + diff --git a/queue-4.14/drm-mst-fix-query_payload-ack-reply-struct.patch b/queue-4.14/drm-mst-fix-query_payload-ack-reply-struct.patch new file mode 100644 index 00000000000..a8d94338c03 --- /dev/null +++ b/queue-4.14/drm-mst-fix-query_payload-ack-reply-struct.patch @@ -0,0 +1,47 @@ +From 3529b57d1acdfa2b0a6003da38b1b4948b958a7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 12:52:19 -0400 +Subject: drm: mst: Fix query_payload ack reply struct + +From: Sean Paul + +[ Upstream commit 268de6530aa18fe5773062367fd119f0045f6e88 ] + +Spec says[1] Allocated_PBN is 16 bits + +[1]- DisplayPort 1.2 Spec, Section 2.11.9.8, Table 2-98 + +Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)") +Cc: Lyude Paul +Cc: Todd Previte +Cc: Dave Airlie +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: Sean Paul +Cc: David Airlie +Cc: Daniel Vetter +Cc: dri-devel@lists.freedesktop.org +Reviewed-by: Lyude Paul +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190829165223.129662-1-sean@poorly.run +Signed-off-by: Sasha Levin +--- + include/drm/drm_dp_mst_helper.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/drm/drm_dp_mst_helper.h b/include/drm/drm_dp_mst_helper.h +index d55abb75f29a..eec6cba204ea 100644 +--- a/include/drm/drm_dp_mst_helper.h ++++ b/include/drm/drm_dp_mst_helper.h +@@ -313,7 +313,7 @@ struct drm_dp_resource_status_notify { + + struct drm_dp_query_payload_ack_reply { + u8 port_number; +- u8 allocated_pbn; ++ u16 allocated_pbn; + }; + + struct drm_dp_sideband_msg_req_body { +-- +2.20.1 + diff --git a/queue-4.14/edac-ghes-fix-grain-calculation.patch b/queue-4.14/edac-ghes-fix-grain-calculation.patch new file mode 100644 index 00000000000..afd1e672df2 --- /dev/null +++ b/queue-4.14/edac-ghes-fix-grain-calculation.patch @@ -0,0 +1,95 @@ +From 2f5f84c4aaa532ab8c67a503ec2b7ef66a1fb288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 09:33:23 +0000 +Subject: EDAC/ghes: Fix grain calculation + +From: Robert Richter + +[ Upstream commit 7088e29e0423d3195e09079b4f849ec4837e5a75 ] + +The current code to convert a physical address mask to a grain +(defined as granularity in bytes) is: + + e->grain = ~(mem_err->physical_addr_mask & ~PAGE_MASK); + +This is broken in several ways: + +1) It calculates to wrong grain values. E.g., a physical address mask +of ~0xfff should give a grain of 0x1000. Without considering +PAGE_MASK, there is an off-by-one. Things are worse when also +filtering it with ~PAGE_MASK. This will calculate to a grain with the +upper bits set. In the example it even calculates to ~0. + +2) The grain does not depend on and is unrelated to the kernel's +page-size. The page-size only matters when unmapping memory in +memory_failure(). Smaller grains are wrongly rounded up to the +page-size, on architectures with a configurable page-size (e.g. arm64) +this could round up to the even bigger page-size of the hypervisor. + +Fix this with: + + e->grain = ~mem_err->physical_addr_mask + 1; + +The grain_bits are defined as: + + grain = 1 << grain_bits; + +Change also the grain_bits calculation accordingly, it is the same +formula as in edac_mc.c now and the code can be unified. + +The value in ->physical_addr_mask coming from firmware is assumed to +be contiguous, but this is not sanity-checked. However, in case the +mask is non-contiguous, a conversion to grain_bits effectively +converts the grain bit mask to a power of 2 by rounding it up. + +Suggested-by: James Morse +Signed-off-by: Robert Richter +Signed-off-by: Borislav Petkov +Reviewed-by: Mauro Carvalho Chehab +Cc: "linux-edac@vger.kernel.org" +Cc: Tony Luck +Link: https://lkml.kernel.org/r/20191106093239.25517-11-rrichter@marvell.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ghes_edac.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/ghes_edac.c b/drivers/edac/ghes_edac.c +index 6f80eb65c26c..acae39278669 100644 +--- a/drivers/edac/ghes_edac.c ++++ b/drivers/edac/ghes_edac.c +@@ -187,6 +187,7 @@ void ghes_edac_report_mem_error(struct ghes *ghes, int sev, + /* Cleans the error report buffer */ + memset(e, 0, sizeof (*e)); + e->error_count = 1; ++ e->grain = 1; + strcpy(e->label, "unknown label"); + e->msg = pvt->msg; + e->other_detail = pvt->other_detail; +@@ -282,7 +283,7 @@ void ghes_edac_report_mem_error(struct ghes *ghes, int sev, + + /* Error grain */ + if (mem_err->validation_bits & CPER_MEM_VALID_PA_MASK) +- e->grain = ~(mem_err->physical_addr_mask & ~PAGE_MASK); ++ e->grain = ~mem_err->physical_addr_mask + 1; + + /* Memory error location, mapped on e->location */ + p = e->location; +@@ -389,8 +390,13 @@ void ghes_edac_report_mem_error(struct ghes *ghes, int sev, + if (p > pvt->other_detail) + *(p - 1) = '\0'; + ++ /* Sanity-check driver-supplied grain value. */ ++ if (WARN_ON_ONCE(!e->grain)) ++ e->grain = 1; ++ ++ grain_bits = fls_long(e->grain - 1); ++ + /* Generate the trace event */ +- grain_bits = fls_long(e->grain); + snprintf(pvt->detail_location, sizeof(pvt->detail_location), + "APEI location: %s %s", e->location, e->other_detail); + trace_mc_event(type, e->msg, e->label, e->error_count, +-- +2.20.1 + diff --git a/queue-4.14/extcon-sm5502-reset-registers-during-initialization.patch b/queue-4.14/extcon-sm5502-reset-registers-during-initialization.patch new file mode 100644 index 00000000000..50455226261 --- /dev/null +++ b/queue-4.14/extcon-sm5502-reset-registers-during-initialization.patch @@ -0,0 +1,63 @@ +From 1713cf312eea52205a2decb3e50d5696833295ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2019 17:47:20 +0200 +Subject: extcon: sm5502: Reset registers during initialization + +From: Stephan Gerhold + +[ Upstream commit 6942635032cfd3e003e980d2dfa4e6323a3ce145 ] + +On some devices (e.g. Samsung Galaxy A5 (2015)), the bootloader +seems to keep interrupts enabled for SM5502 when booting Linux. +Changing the cable state (i.e. plugging in a cable) - until the driver +is loaded - will therefore produce an interrupt that is never read. + +In this situation, the cable state will be stuck forever on the +initial state because SM5502 stops sending interrupts. +This can be avoided by clearing those pending interrupts after +the driver has been loaded. + +One way to do this is to reset all registers to default state +by writing to SM5502_REG_RESET. This ensures that we start from +a clean state, with all interrupts disabled. + +Suggested-by: Chanwoo Choi +Signed-off-by: Stephan Gerhold +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-sm5502.c | 4 ++++ + drivers/extcon/extcon-sm5502.h | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/extcon/extcon-sm5502.c b/drivers/extcon/extcon-sm5502.c +index 106ef0297b53..1a1ee3db3455 100644 +--- a/drivers/extcon/extcon-sm5502.c ++++ b/drivers/extcon/extcon-sm5502.c +@@ -69,6 +69,10 @@ struct sm5502_muic_info { + /* Default value of SM5502 register to bring up MUIC device. */ + static struct reg_data sm5502_reg_data[] = { + { ++ .reg = SM5502_REG_RESET, ++ .val = SM5502_REG_RESET_MASK, ++ .invert = true, ++ }, { + .reg = SM5502_REG_CONTROL, + .val = SM5502_REG_CONTROL_MASK_INT_MASK, + .invert = false, +diff --git a/drivers/extcon/extcon-sm5502.h b/drivers/extcon/extcon-sm5502.h +index 974b53222f56..12f8b01e5753 100644 +--- a/drivers/extcon/extcon-sm5502.h ++++ b/drivers/extcon/extcon-sm5502.h +@@ -241,6 +241,8 @@ enum sm5502_reg { + #define DM_DP_SWITCH_UART ((DM_DP_CON_SWITCH_UART < +Date: Wed, 20 Nov 2019 11:57:12 +0200 +Subject: fbtft: Make sure string is NULL terminated +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Shevchenko + +[ Upstream commit 21f585480deb4bcf0d92b08879c35d066dfee030 ] + +New GCC warns about inappropriate use of strncpy(): + +drivers/staging/fbtft/fbtft-core.c: In function ‘fbtft_framebuffer_alloc’: +drivers/staging/fbtft/fbtft-core.c:665:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation] + 665 | strncpy(info->fix.id, dev->driver->name, 16); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Later on the copy is being used with the assumption to be NULL terminated. +Make sure string is NULL terminated by switching to snprintf(). + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20191120095716.26628-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/fbtft/fbtft-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c +index 0cbcbad8f074..b81c6dfa5b24 100644 +--- a/drivers/staging/fbtft/fbtft-core.c ++++ b/drivers/staging/fbtft/fbtft-core.c +@@ -780,7 +780,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display, + fbdefio->deferred_io = fbtft_deferred_io; + fb_deferred_io_init(info); + +- strncpy(info->fix.id, dev->driver->name, 16); ++ snprintf(info->fix.id, sizeof(info->fix.id), "%s", dev->driver->name); + info->fix.type = FB_TYPE_PACKED_PIXELS; + info->fix.visual = FB_VISUAL_TRUECOLOR; + info->fix.xpanstep = 0; +-- +2.20.1 + diff --git a/queue-4.14/fsi-core-fix-small-accesses-and-unaligned-offsets-vi.patch b/queue-4.14/fsi-core-fix-small-accesses-and-unaligned-offsets-vi.patch new file mode 100644 index 00000000000..d88440e48a0 --- /dev/null +++ b/queue-4.14/fsi-core-fix-small-accesses-and-unaligned-offsets-vi.patch @@ -0,0 +1,110 @@ +From 575412a595df0fd06072d15aaf77588c7f1af911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2019 15:49:39 +1030 +Subject: fsi: core: Fix small accesses and unaligned offsets via sysfs + +From: Andrew Jeffery + +[ Upstream commit 9f4c2b516b4f031e3cd0e45957f4150b3c1a083d ] + +Subtracting the offset delta from four-byte alignment lead to wrapping +of the requested length where `count` is less than `off`. Generalise the +length handling to enable and optimise aligned access sizes for all +offset and size combinations. The new formula produces the following +results for given offset and count values: + + offset count | length + --------------+------- + 0 1 | 1 + 0 2 | 2 + 0 3 | 2 + 0 4 | 4 + 0 5 | 4 + 1 1 | 1 + 1 2 | 1 + 1 3 | 1 + 1 4 | 1 + 1 5 | 1 + 2 1 | 1 + 2 2 | 2 + 2 3 | 2 + 2 4 | 2 + 2 5 | 2 + 3 1 | 1 + 3 2 | 1 + 3 3 | 1 + 3 4 | 1 + 3 5 | 1 + +We might need something like this for the cfam chardevs as well, for +example we don't currently implement any alignment restrictions / +handling in the hardware master driver. + +Signed-off-by: Andrew Jeffery +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20191108051945.7109-6-joel@jms.id.au +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-core.c | 31 +++++++++++++++++++++++++++---- + 1 file changed, 27 insertions(+), 4 deletions(-) + +diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c +index 4ea63d9bd131..8feca59c1f6b 100644 +--- a/drivers/fsi/fsi-core.c ++++ b/drivers/fsi/fsi-core.c +@@ -419,6 +419,31 @@ static int fsi_slave_scan(struct fsi_slave *slave) + return 0; + } + ++static unsigned long aligned_access_size(size_t offset, size_t count) ++{ ++ unsigned long offset_unit, count_unit; ++ ++ /* Criteria: ++ * ++ * 1. Access size must be less than or equal to the maximum access ++ * width or the highest power-of-two factor of offset ++ * 2. Access size must be less than or equal to the amount specified by ++ * count ++ * ++ * The access width is optimal if we can calculate 1 to be strictly ++ * equal while still satisfying 2. ++ */ ++ ++ /* Find 1 by the bottom bit of offset (with a 4 byte access cap) */ ++ offset_unit = BIT(__builtin_ctzl(offset | 4)); ++ ++ /* Find 2 by the top bit of count */ ++ count_unit = BIT(8 * sizeof(unsigned long) - 1 - __builtin_clzl(count)); ++ ++ /* Constrain the maximum access width to the minimum of both criteria */ ++ return BIT(__builtin_ctzl(offset_unit | count_unit)); ++} ++ + static ssize_t fsi_slave_sysfs_raw_read(struct file *file, + struct kobject *kobj, struct bin_attribute *attr, char *buf, + loff_t off, size_t count) +@@ -434,8 +459,7 @@ static ssize_t fsi_slave_sysfs_raw_read(struct file *file, + return -EINVAL; + + for (total_len = 0; total_len < count; total_len += read_len) { +- read_len = min_t(size_t, count, 4); +- read_len -= off & 0x3; ++ read_len = aligned_access_size(off, count - total_len); + + rc = fsi_slave_read(slave, off, buf + total_len, read_len); + if (rc) +@@ -462,8 +486,7 @@ static ssize_t fsi_slave_sysfs_raw_write(struct file *file, + return -EINVAL; + + for (total_len = 0; total_len < count; total_len += write_len) { +- write_len = min_t(size_t, count, 4); +- write_len -= off & 0x3; ++ write_len = aligned_access_size(off, count - total_len); + + rc = fsi_slave_write(slave, off, buf + total_len, write_len); + if (rc) +-- +2.20.1 + diff --git a/queue-4.14/gpu-host1x-allocate-gather-copy-for-host1x.patch b/queue-4.14/gpu-host1x-allocate-gather-copy-for-host1x.patch new file mode 100644 index 00000000000..ad461ec260e --- /dev/null +++ b/queue-4.14/gpu-host1x-allocate-gather-copy-for-host1x.patch @@ -0,0 +1,75 @@ +From 955b3912f94bd8106a9c91c327809680441c0ca7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 13:37:12 +0100 +Subject: gpu: host1x: Allocate gather copy for host1x + +From: Thierry Reding + +[ Upstream commit b78e70c04c149299bd210759d7c7af7c86b89ca8 ] + +Currently when the gather buffers are copied, they are copied to a +buffer that is allocated for the host1x client that wants to execute the +command streams in the buffers. However, the gather buffers will be read +by the host1x device, which causes SMMU faults if the DMA API is backed +by an IOMMU. + +Fix this by allocating the gather buffer copy for the host1x device, +which makes sure that it will be mapped into the host1x's IOVA space if +the DMA API is backed by an IOMMU. + +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/job.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/host1x/job.c b/drivers/gpu/host1x/job.c +index acd99783bbca..67f3c050c4cf 100644 +--- a/drivers/gpu/host1x/job.c ++++ b/drivers/gpu/host1x/job.c +@@ -545,7 +545,8 @@ out: + return err; + } + +-static inline int copy_gathers(struct host1x_job *job, struct device *dev) ++static inline int copy_gathers(struct device *host, struct host1x_job *job, ++ struct device *dev) + { + struct host1x_firewall fw; + size_t size = 0; +@@ -570,12 +571,12 @@ static inline int copy_gathers(struct host1x_job *job, struct device *dev) + * Try a non-blocking allocation from a higher priority pools first, + * as awaiting for the allocation here is a major performance hit. + */ +- job->gather_copy_mapped = dma_alloc_wc(dev, size, &job->gather_copy, ++ job->gather_copy_mapped = dma_alloc_wc(host, size, &job->gather_copy, + GFP_NOWAIT); + + /* the higher priority allocation failed, try the generic-blocking */ + if (!job->gather_copy_mapped) +- job->gather_copy_mapped = dma_alloc_wc(dev, size, ++ job->gather_copy_mapped = dma_alloc_wc(host, size, + &job->gather_copy, + GFP_KERNEL); + if (!job->gather_copy_mapped) +@@ -636,7 +637,7 @@ int host1x_job_pin(struct host1x_job *job, struct device *dev) + goto out; + + if (IS_ENABLED(CONFIG_TEGRA_HOST1X_FIREWALL)) { +- err = copy_gathers(job, dev); ++ err = copy_gathers(host->dev, job, dev); + if (err) + goto out; + } +@@ -701,7 +702,7 @@ void host1x_job_unpin(struct host1x_job *job) + job->num_unpins = 0; + + if (job->gather_copy_size) +- dma_free_wc(job->channel->dev, job->gather_copy_size, ++ dma_free_wc(host->dev, job->gather_copy_size, + job->gather_copy_mapped, job->gather_copy); + } + EXPORT_SYMBOL(host1x_job_unpin); +-- +2.20.1 + diff --git a/queue-4.14/hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-o.patch b/queue-4.14/hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-o.patch new file mode 100644 index 00000000000..34ea256f307 --- /dev/null +++ b/queue-4.14/hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-o.patch @@ -0,0 +1,50 @@ +From 02aec1ff51b80fc27789b70fd05b9a63a7954954 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Sep 2019 14:02:56 -0700 +Subject: hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not + idled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tony Lindgren + +[ Upstream commit eaecce12f5f0d2c35d278e41e1bc4522393861ab ] + +When unloading omap3-rom-rng, we'll get the following: + +WARNING: CPU: 0 PID: 100 at drivers/clk/clk.c:948 clk_core_disable + +This is because the clock may be already disabled by omap3_rom_rng_idle(). +Let's fix the issue by checking for rng_idle on exit. + +Cc: Aaro Koskinen +Cc: Adam Ford +Cc: Pali Rohár +Cc: Sebastian Reichel +Cc: Tero Kristo +Fixes: 1c6b7c2108bd ("hwrng: OMAP3 ROM Random Number Generator support") +Signed-off-by: Tony Lindgren +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/omap3-rom-rng.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/omap3-rom-rng.c b/drivers/char/hw_random/omap3-rom-rng.c +index 38b719017186..648e39ce6bd9 100644 +--- a/drivers/char/hw_random/omap3-rom-rng.c ++++ b/drivers/char/hw_random/omap3-rom-rng.c +@@ -121,7 +121,8 @@ static int omap3_rom_rng_remove(struct platform_device *pdev) + { + cancel_delayed_work_sync(&idle_work); + hwrng_unregister(&omap3_rom_rng_ops); +- clk_disable_unprepare(rng_clk); ++ if (!rng_idle) ++ clk_disable_unprepare(rng_clk); + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/ib-iser-bound-protection_sg-size-by-data_sg-size.patch b/queue-4.14/ib-iser-bound-protection_sg-size-by-data_sg-size.patch new file mode 100644 index 00000000000..e6e2a99b795 --- /dev/null +++ b/queue-4.14/ib-iser-bound-protection_sg-size-by-data_sg-size.patch @@ -0,0 +1,40 @@ +From ae6884878f32b8190b1e2c4bcc7e79c9b118fc49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 00:03:47 +0300 +Subject: IB/iser: bound protection_sg size by data_sg size + +From: Max Gurtovoy + +[ Upstream commit 7718cf03c3ce4b6ebd90107643ccd01c952a1fce ] + +In case we don't set the sg_prot_tablesize, the scsi layer assign the +default size (65535 entries). We should limit this size since we should +take into consideration the underlaying device capability. This cap is +considered when calculating the sg_tablesize. Otherwise, for example, +we can get that /sys/block/sdb/queue/max_segments is 128 and +/sys/block/sdb/queue/max_integrity_segments is 65535. + +Link: https://lore.kernel.org/r/1569359027-10987-1-git-send-email-maxg@mellanox.com +Signed-off-by: Max Gurtovoy +Reviewed-by: Sagi Grimberg +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/iser/iscsi_iser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.c b/drivers/infiniband/ulp/iser/iscsi_iser.c +index 19624e023ebd..b5a789567b4e 100644 +--- a/drivers/infiniband/ulp/iser/iscsi_iser.c ++++ b/drivers/infiniband/ulp/iser/iscsi_iser.c +@@ -648,6 +648,7 @@ iscsi_iser_session_create(struct iscsi_endpoint *ep, + if (ib_conn->pi_support) { + u32 sig_caps = ib_conn->device->ib_device->attrs.sig_prot_cap; + ++ shost->sg_prot_tablesize = shost->sg_tablesize; + scsi_host_set_prot(shost, iser_dif_prot_caps(sig_caps)); + scsi_host_set_guard(shost, SHOST_DIX_GUARD_IP | + SHOST_DIX_GUARD_CRC); +-- +2.20.1 + diff --git a/queue-4.14/iio-adc-max1027-reset-the-device-at-probe-time.patch b/queue-4.14/iio-adc-max1027-reset-the-device-at-probe-time.patch new file mode 100644 index 00000000000..b44db230d08 --- /dev/null +++ b/queue-4.14/iio-adc-max1027-reset-the-device-at-probe-time.patch @@ -0,0 +1,42 @@ +From 59f34cc022fae8c613fb0b3e38cc4a2dd0fd73f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2019 16:43:42 +0200 +Subject: iio: adc: max1027: Reset the device at probe time + +From: Miquel Raynal + +[ Upstream commit db033831b4f5589f9fcbadb837614a7c4eac0308 ] + +All the registers are configured by the driver, let's reset the chip +at probe time, avoiding any conflict with a possible earlier +configuration. + +Signed-off-by: Miquel Raynal +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/max1027.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/iio/adc/max1027.c b/drivers/iio/adc/max1027.c +index ebc715927e63..03af02769370 100644 +--- a/drivers/iio/adc/max1027.c ++++ b/drivers/iio/adc/max1027.c +@@ -462,6 +462,14 @@ static int max1027_probe(struct spi_device *spi) + goto fail_dev_register; + } + ++ /* Internal reset */ ++ st->reg = MAX1027_RST_REG; ++ ret = spi_write(st->spi, &st->reg, 1); ++ if (ret < 0) { ++ dev_err(&indio_dev->dev, "Failed to reset the ADC\n"); ++ return ret; ++ } ++ + /* Disable averaging */ + st->reg = MAX1027_AVG_REG; + ret = spi_write(st->spi, &st->reg, 1); +-- +2.20.1 + diff --git a/queue-4.14/iio-dln2-adc-fix-iio_triggered_buffer_postenable-pos.patch b/queue-4.14/iio-dln2-adc-fix-iio_triggered_buffer_postenable-pos.patch new file mode 100644 index 00000000000..b3585febf6c --- /dev/null +++ b/queue-4.14/iio-dln2-adc-fix-iio_triggered_buffer_postenable-pos.patch @@ -0,0 +1,95 @@ +From f6267eccbaa58ca5e81b38c5a35fe2880cabe319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 11:26:34 +0300 +Subject: iio: dln2-adc: fix iio_triggered_buffer_postenable() position + +From: Alexandru Ardelean + +[ Upstream commit a7bddfe2dfce1d8859422124abe1964e0ecd386e ] + +The iio_triggered_buffer_postenable() hook should be called first to +attach the poll function. The iio_triggered_buffer_predisable() hook is +called last (as is it should). + +This change moves iio_triggered_buffer_postenable() to be called first. It +adds iio_triggered_buffer_predisable() on the error paths of the postenable +hook. +For the predisable hook, some code-paths have been changed to make sure +that the iio_triggered_buffer_predisable() hook gets called in case there +is an error before it. + +Signed-off-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/dln2-adc.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/iio/adc/dln2-adc.c b/drivers/iio/adc/dln2-adc.c +index ab8d6aed5085..2a299bbd6acf 100644 +--- a/drivers/iio/adc/dln2-adc.c ++++ b/drivers/iio/adc/dln2-adc.c +@@ -528,6 +528,10 @@ static int dln2_adc_triggered_buffer_postenable(struct iio_dev *indio_dev) + u16 conflict; + unsigned int trigger_chan; + ++ ret = iio_triggered_buffer_postenable(indio_dev); ++ if (ret) ++ return ret; ++ + mutex_lock(&dln2->mutex); + + /* Enable ADC */ +@@ -541,6 +545,7 @@ static int dln2_adc_triggered_buffer_postenable(struct iio_dev *indio_dev) + (int)conflict); + ret = -EBUSY; + } ++ iio_triggered_buffer_predisable(indio_dev); + return ret; + } + +@@ -554,6 +559,7 @@ static int dln2_adc_triggered_buffer_postenable(struct iio_dev *indio_dev) + mutex_unlock(&dln2->mutex); + if (ret < 0) { + dev_dbg(&dln2->pdev->dev, "Problem in %s\n", __func__); ++ iio_triggered_buffer_predisable(indio_dev); + return ret; + } + } else { +@@ -561,12 +567,12 @@ static int dln2_adc_triggered_buffer_postenable(struct iio_dev *indio_dev) + mutex_unlock(&dln2->mutex); + } + +- return iio_triggered_buffer_postenable(indio_dev); ++ return 0; + } + + static int dln2_adc_triggered_buffer_predisable(struct iio_dev *indio_dev) + { +- int ret; ++ int ret, ret2; + struct dln2_adc *dln2 = iio_priv(indio_dev); + + mutex_lock(&dln2->mutex); +@@ -581,12 +587,14 @@ static int dln2_adc_triggered_buffer_predisable(struct iio_dev *indio_dev) + ret = dln2_adc_set_port_enabled(dln2, false, NULL); + + mutex_unlock(&dln2->mutex); +- if (ret < 0) { ++ if (ret < 0) + dev_dbg(&dln2->pdev->dev, "Problem in %s\n", __func__); +- return ret; +- } + +- return iio_triggered_buffer_predisable(indio_dev); ++ ret2 = iio_triggered_buffer_predisable(indio_dev); ++ if (ret == 0) ++ ret = ret2; ++ ++ return ret; + } + + static const struct iio_buffer_setup_ops dln2_adc_buffer_setup_ops = { +-- +2.20.1 + diff --git a/queue-4.14/iio-light-bh1750-resolve-compiler-warning-and-make-c.patch b/queue-4.14/iio-light-bh1750-resolve-compiler-warning-and-make-c.patch new file mode 100644 index 00000000000..a06d3387ab3 --- /dev/null +++ b/queue-4.14/iio-light-bh1750-resolve-compiler-warning-and-make-c.patch @@ -0,0 +1,55 @@ +From 974eb944c848f60b152e0abe0a650925b87c400b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2019 22:24:13 +0200 +Subject: iio: light: bh1750: Resolve compiler warning and make code more + readable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Wilczynski + +[ Upstream commit f552fde983d378e7339f9ea74a25f918563bf0d3 ] + +Separate the declaration of struct bh1750_chip_info from definition +of bh1750_chip_info_tbl[] in a single statement as it makes the code +hard to read, and with the extra newline it makes it look as if the +bh1750_chip_info_tbl[] had no explicit type. + +This change also resolves the following compiler warning about the +unusual position of the static keyword that can be seen when building +with warnings enabled (W=1): + +drivers/iio/light/bh1750.c:64:1: warning: + ‘static’ is not at beginning of declaration [-Wold-style-declaration] + +Related to commit 3a11fbb037a1 ("iio: light: add support for ROHM +BH1710/BH1715/BH1721/BH1750/BH1751 ambient light sensors"). + +Signed-off-by: Krzysztof Wilczynski +Acked-by: Uwe Kleine-König +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/light/bh1750.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/light/bh1750.c b/drivers/iio/light/bh1750.c +index 6c61187e630f..0b7ba02c8d16 100644 +--- a/drivers/iio/light/bh1750.c ++++ b/drivers/iio/light/bh1750.c +@@ -62,9 +62,9 @@ struct bh1750_chip_info { + + u16 int_time_low_mask; + u16 int_time_high_mask; +-} ++}; + +-static const bh1750_chip_info_tbl[] = { ++static const struct bh1750_chip_info bh1750_chip_info_tbl[] = { + [BH1710] = { 140, 1022, 300, 400, 250000000, 2, 0x001F, 0x03E0 }, + [BH1721] = { 140, 1020, 300, 400, 250000000, 2, 0x0010, 0x03E0 }, + [BH1750] = { 31, 254, 69, 1740, 57500000, 1, 0x001F, 0x00E0 }, +-- +2.20.1 + diff --git a/queue-4.14/iwlwifi-check-kasprintf-return-value.patch b/queue-4.14/iwlwifi-check-kasprintf-return-value.patch new file mode 100644 index 00000000000..cfb72dce2bf --- /dev/null +++ b/queue-4.14/iwlwifi-check-kasprintf-return-value.patch @@ -0,0 +1,52 @@ +From 739e17d18a592f2c3eada4ecb1e650a63e9571e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 14:50:32 +0100 +Subject: iwlwifi: check kasprintf() return value + +From: Johannes Berg + +[ Upstream commit 5974fbb5e10b018fdbe3c3b81cb4cc54e1105ab9 ] + +kasprintf() can fail, we should check the return value. + +Fixes: 5ed540aecc2a ("iwlwifi: use mac80211 throughput trigger") +Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/led.c | 3 +++ + drivers/net/wireless/intel/iwlwifi/mvm/led.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/led.c b/drivers/net/wireless/intel/iwlwifi/dvm/led.c +index 1bbd17ada974..20e16c423990 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/led.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/led.c +@@ -185,6 +185,9 @@ void iwl_leds_init(struct iwl_priv *priv) + + priv->led.name = kasprintf(GFP_KERNEL, "%s-led", + wiphy_name(priv->hw->wiphy)); ++ if (!priv->led.name) ++ return; ++ + priv->led.brightness_set = iwl_led_brightness_set; + priv->led.blink_set = iwl_led_blink_set; + priv->led.max_brightness = 1; +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/led.c b/drivers/net/wireless/intel/iwlwifi/mvm/led.c +index b27269504a62..072f80c90ce4 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/led.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/led.c +@@ -131,6 +131,9 @@ int iwl_mvm_leds_init(struct iwl_mvm *mvm) + + mvm->led.name = kasprintf(GFP_KERNEL, "%s-led", + wiphy_name(mvm->hw->wiphy)); ++ if (!mvm->led.name) ++ return -ENOMEM; ++ + mvm->led.brightness_set = iwl_led_brightness_set; + mvm->led.max_brightness = 1; + +-- +2.20.1 + diff --git a/queue-4.14/iwlwifi-mvm-fix-unaligned-read-of-rx_pkt_status.patch b/queue-4.14/iwlwifi-mvm-fix-unaligned-read-of-rx_pkt_status.patch new file mode 100644 index 00000000000..cb938353b57 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-unaligned-read-of-rx_pkt_status.patch @@ -0,0 +1,50 @@ +From 0a2aa8627ce9d77bbbc067eeadcc6984649a917a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 09:28:02 +0200 +Subject: iwlwifi: mvm: fix unaligned read of rx_pkt_status + +From: Wang Xuerui + +[ Upstream commit c5aaa8be29b25dfe1731e9a8b19fd91b7b789ee3 ] + +This is present since the introduction of iwlmvm. +Example stack trace on MIPS: + +[] iwl_mvm_rx_rx_mpdu+0xa8/0xb88 [iwlmvm] +[] iwl_pcie_rx_handle+0x420/0xc48 [iwlwifi] + +Tested with a Wireless AC 7265 for ~6 months, confirmed to fix the +problem. No other unaligned accesses are spotted yet. + +Signed-off-by: Wang Xuerui +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c +index c73e4be9bde3..c31303d13069 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c +@@ -62,6 +62,7 @@ + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + *****************************************************************************/ ++#include + #include + #include + #include "iwl-trans.h" +@@ -290,7 +291,7 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct napi_struct *napi, + rx_res = (struct iwl_rx_mpdu_res_start *)pkt->data; + hdr = (struct ieee80211_hdr *)(pkt->data + sizeof(*rx_res)); + len = le16_to_cpu(rx_res->byte_count); +- rx_pkt_status = le32_to_cpup((__le32 *) ++ rx_pkt_status = get_unaligned_le32((__le32 *) + (pkt->data + sizeof(*rx_res) + len)); + + /* Dont use dev_alloc_skb(), we'll have enough headroom once +-- +2.20.1 + diff --git a/queue-4.14/ixgbe-protect-tx-timestamping-from-api-misuse.patch b/queue-4.14/ixgbe-protect-tx-timestamping-from-api-misuse.patch new file mode 100644 index 00000000000..c1d31bac084 --- /dev/null +++ b/queue-4.14/ixgbe-protect-tx-timestamping-from-api-misuse.patch @@ -0,0 +1,46 @@ +From b2b0a24660e4f047f3f1bf1329cce058d16ae631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Oct 2019 08:20:03 -0700 +Subject: ixgbe: protect TX timestamping from API misuse + +From: Manjunath Patil + +[ Upstream commit 07066d9dc3d2326fbad8f7b0cb0120cff7b7dedb ] + +HW timestamping can only be requested for a packet if the NIC is first +setup via ioctl(SIOCSHWTSTAMP). If this step was skipped, then the ixgbe +driver still allowed TX packets to request HW timestamping. In this +situation, we see 'clearing Tx Timestamp hang' noise in the log. + +Fix this by checking that the NIC is configured for HW TX timestamping +before accepting a HW TX timestamping request. + +Similar-to: + commit 26bd4e2db06b ("igb: protect TX timestamping from API misuse") + commit 0a6f2f05a2f5 ("igb: Fix a test with HWTSTAMP_TX_ON") + +Signed-off-by: Manjunath Patil +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 4801d96c4fa9..0edfd199937d 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -8379,7 +8379,8 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb, + + if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) && + adapter->ptp_clock) { +- if (!test_and_set_bit_lock(__IXGBE_PTP_TX_IN_PROGRESS, ++ if (adapter->tstamp_config.tx_type == HWTSTAMP_TX_ON && ++ !test_and_set_bit_lock(__IXGBE_PTP_TX_IN_PROGRESS, + &adapter->state)) { + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + tx_flags |= IXGBE_TX_FLAGS_TSTAMP; +-- +2.20.1 + diff --git a/queue-4.14/libata-ensure-ata_port-probe-has-completed-before-de.patch b/queue-4.14/libata-ensure-ata_port-probe-has-completed-before-de.patch new file mode 100644 index 00000000000..21bfa77917c --- /dev/null +++ b/queue-4.14/libata-ensure-ata_port-probe-has-completed-before-de.patch @@ -0,0 +1,95 @@ +From 69a027aa9d44b3b1f70eb82e80e4ab4704b54c7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 18:19:52 +0800 +Subject: libata: Ensure ata_port probe has completed before detach + +From: John Garry + +[ Upstream commit 130f4caf145c3562108b245a576db30b916199d2 ] + +With CONFIG_DEBUG_TEST_DRIVER_REMOVE set, we may find the following WARN: + +[ 23.452574] ------------[ cut here ]------------ +[ 23.457190] WARNING: CPU: 59 PID: 1 at drivers/ata/libata-core.c:6676 ata_host_detach+0x15c/0x168 +[ 23.466047] Modules linked in: +[ 23.469092] CPU: 59 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00010-g5b83fd27752b-dirty #296 +[ 23.477776] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 +[ 23.486286] pstate: a0c00009 (NzCv daif +PAN +UAO) +[ 23.491065] pc : ata_host_detach+0x15c/0x168 +[ 23.495322] lr : ata_host_detach+0x88/0x168 +[ 23.499491] sp : ffff800011cabb50 +[ 23.502792] x29: ffff800011cabb50 x28: 0000000000000007 +[ 23.508091] x27: ffff80001137f068 x26: ffff8000112c0c28 +[ 23.513390] x25: 0000000000003848 x24: ffff0023ea185300 +[ 23.518689] x23: 0000000000000001 x22: 00000000000014c0 +[ 23.523987] x21: 0000000000013740 x20: ffff0023bdc20000 +[ 23.529286] x19: 0000000000000000 x18: 0000000000000004 +[ 23.534584] x17: 0000000000000001 x16: 00000000000000f0 +[ 23.539883] x15: ffff0023eac13790 x14: ffff0023eb76c408 +[ 23.545181] x13: 0000000000000000 x12: ffff0023eac13790 +[ 23.550480] x11: ffff0023eb76c228 x10: 0000000000000000 +[ 23.555779] x9 : ffff0023eac13798 x8 : 0000000040000000 +[ 23.561077] x7 : 0000000000000002 x6 : 0000000000000001 +[ 23.566376] x5 : 0000000000000002 x4 : 0000000000000000 +[ 23.571674] x3 : ffff0023bf08a0bc x2 : 0000000000000000 +[ 23.576972] x1 : 3099674201f72700 x0 : 0000000000400284 +[ 23.582272] Call trace: +[ 23.584706] ata_host_detach+0x15c/0x168 +[ 23.588616] ata_pci_remove_one+0x10/0x18 +[ 23.592615] ahci_remove_one+0x20/0x40 +[ 23.596356] pci_device_remove+0x3c/0xe0 +[ 23.600267] really_probe+0xdc/0x3e0 +[ 23.603830] driver_probe_device+0x58/0x100 +[ 23.608000] device_driver_attach+0x6c/0x90 +[ 23.612169] __driver_attach+0x84/0xc8 +[ 23.615908] bus_for_each_dev+0x74/0xc8 +[ 23.619730] driver_attach+0x20/0x28 +[ 23.623292] bus_add_driver+0x148/0x1f0 +[ 23.627115] driver_register+0x60/0x110 +[ 23.630938] __pci_register_driver+0x40/0x48 +[ 23.635199] ahci_pci_driver_init+0x20/0x28 +[ 23.639372] do_one_initcall+0x5c/0x1b0 +[ 23.643199] kernel_init_freeable+0x1a4/0x24c +[ 23.647546] kernel_init+0x10/0x108 +[ 23.651023] ret_from_fork+0x10/0x18 +[ 23.654590] ---[ end trace 634a14b675b71c13 ]--- + +With KASAN also enabled, we may also get many use-after-free reports. + +The issue is that when CONFIG_DEBUG_TEST_DRIVER_REMOVE is set, we may +attempt to detach the ata_port before it has been probed. + +This is because the ata_ports are async probed, meaning that there is no +guarantee that the ata_port has probed prior to detach. When the ata_port +does probe in this scenario, we get all sorts of issues as the detach may +have already happened. + +Fix by ensuring synchronisation with async_synchronize_full(). We could +alternatively use the cookie returned from the ata_port probe +async_schedule() call, but that means managing the cookie, so more +complicated. + +Signed-off-by: John Garry +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index cbb162b683b6..08f67c109429 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6676,6 +6676,9 @@ void ata_host_detach(struct ata_host *host) + { + int i; + ++ /* Ensure ata_port probe has completed */ ++ async_synchronize_full(); ++ + for (i = 0; i < host->n_ports; i++) + ata_port_detach(host->ports[i]); + +-- +2.20.1 + diff --git a/queue-4.14/libertas-fix-a-potential-null-pointer-dereference.patch b/queue-4.14/libertas-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..0d2bbfe4a00 --- /dev/null +++ b/queue-4.14/libertas-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,45 @@ +From 066bf8f335752b4d5ab057b2b1eb6336ec5b0b7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2019 22:05:00 +0530 +Subject: libertas: fix a potential NULL pointer dereference + +From: Allen Pais + +[ Upstream commit 7da413a18583baaf35dd4a8eb414fa410367d7f2 ] + +alloc_workqueue is not checked for errors and as a result, +a potential NULL dereference could occur. + +Signed-off-by: Allen Pais +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/if_sdio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c +index 39bf85d0ade0..c7f8a29d2606 100644 +--- a/drivers/net/wireless/marvell/libertas/if_sdio.c ++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c +@@ -1183,6 +1183,10 @@ static int if_sdio_probe(struct sdio_func *func, + + spin_lock_init(&card->lock); + card->workqueue = alloc_workqueue("libertas_sdio", WQ_MEM_RECLAIM, 0); ++ if (unlikely(!card->workqueue)) { ++ ret = -ENOMEM; ++ goto err_queue; ++ } + INIT_WORK(&card->packet_worker, if_sdio_host_to_card_worker); + init_waitqueue_head(&card->pwron_waitq); + +@@ -1234,6 +1238,7 @@ err_activate_card: + lbs_remove_card(priv); + free: + destroy_workqueue(card->workqueue); ++err_queue: + while (card->packets) { + packet = card->packets; + card->packets = card->packets->next; +-- +2.20.1 + diff --git a/queue-4.14/libsubcmd-use-o0-with-debug-1.patch b/queue-4.14/libsubcmd-use-o0-with-debug-1.patch new file mode 100644 index 00000000000..7c523557603 --- /dev/null +++ b/queue-4.14/libsubcmd-use-o0-with-debug-1.patch @@ -0,0 +1,46 @@ +From c5f64c4bc5ff9009bd147a70b92a8a7a5d876bf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 11:34:01 +0000 +Subject: libsubcmd: Use -O0 with DEBUG=1 + +From: James Clark + +[ Upstream commit 22bd8f1b5a1dd168ba4eba27cb17643a11012f5d ] + +When a 'make DEBUG=1' build is done, the command parser is still built +with -O6 and is hard to step through, fix it making it use -O0 in that +case. + +Signed-off-by: James Clark +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Josh Poimboeuf +Cc: Namhyung Kim +Cc: nd +Link: http://lore.kernel.org/lkml/20191028113340.4282-1-james.clark@arm.com +[ split from a larger patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/subcmd/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/subcmd/Makefile b/tools/lib/subcmd/Makefile +index 5b2cd5e58df0..5dbb0dde208c 100644 +--- a/tools/lib/subcmd/Makefile ++++ b/tools/lib/subcmd/Makefile +@@ -28,7 +28,9 @@ ifeq ($(DEBUG),0) + endif + endif + +-ifeq ($(CC_NO_CLANG), 0) ++ifeq ($(DEBUG),1) ++ CFLAGS += -O0 ++else ifeq ($(CC_NO_CLANG), 0) + CFLAGS += -O3 + else + CFLAGS += -O6 +-- +2.20.1 + diff --git a/queue-4.14/libtraceevent-fix-memory-leakage-in-copy_filter_type.patch b/queue-4.14/libtraceevent-fix-memory-leakage-in-copy_filter_type.patch new file mode 100644 index 00000000000..15b90645db0 --- /dev/null +++ b/queue-4.14/libtraceevent-fix-memory-leakage-in-copy_filter_type.patch @@ -0,0 +1,55 @@ +From 5fe3d79fb88724f2088824c525b74a359ed2d79b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 20:44:15 -0500 +Subject: libtraceevent: Fix memory leakage in copy_filter_type + +From: Hewenliang + +[ Upstream commit 10992af6bf46a2048ad964985a5b77464e5563b1 ] + +It is necessary to free the memory that we have allocated when error occurs. + +Fixes: ef3072cd1d5c ("tools lib traceevent: Get rid of die in add_filter_type()") +Signed-off-by: Hewenliang +Reviewed-by: Steven Rostedt (VMware) +Cc: Tzvetomir Stoyanov +Link: http://lore.kernel.org/lkml/20191119014415.57210-1-hewenliang4@huawei.com +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/traceevent/parse-filter.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/traceevent/parse-filter.c b/tools/lib/traceevent/parse-filter.c +index 5e10ba796a6f..569bceff5f51 100644 +--- a/tools/lib/traceevent/parse-filter.c ++++ b/tools/lib/traceevent/parse-filter.c +@@ -1492,8 +1492,10 @@ static int copy_filter_type(struct event_filter *filter, + if (strcmp(str, "TRUE") == 0 || strcmp(str, "FALSE") == 0) { + /* Add trivial event */ + arg = allocate_arg(); +- if (arg == NULL) ++ if (arg == NULL) { ++ free(str); + return -1; ++ } + + arg->type = FILTER_ARG_BOOLEAN; + if (strcmp(str, "TRUE") == 0) +@@ -1502,8 +1504,11 @@ static int copy_filter_type(struct event_filter *filter, + arg->boolean.value = 0; + + filter_type = add_filter_type(filter, event->id); +- if (filter_type == NULL) ++ if (filter_type == NULL) { ++ free(str); ++ free_arg(arg); + return -1; ++ } + + filter_type->filter = arg; + +-- +2.20.1 + diff --git a/queue-4.14/loop-fix-no-unmap-write-zeroes-request-behavior.patch b/queue-4.14/loop-fix-no-unmap-write-zeroes-request-behavior.patch new file mode 100644 index 00000000000..91afb395d11 --- /dev/null +++ b/queue-4.14/loop-fix-no-unmap-write-zeroes-request-behavior.patch @@ -0,0 +1,83 @@ +From 0abfa2c325f3ea82f8fe2b2f9b7ced81c53ab82c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2019 20:29:48 -0700 +Subject: loop: fix no-unmap write-zeroes request behavior + +From: Darrick J. Wong + +[ Upstream commit efcfec579f6139528c9e6925eca2bc4a36da65c6 ] + +Currently, if the loop device receives a WRITE_ZEROES request, it asks +the underlying filesystem to punch out the range. This behavior is +correct if unmapping is allowed. However, a NOUNMAP request means that +the caller doesn't want us to free the storage backing the range, so +punching out the range is incorrect behavior. + +To satisfy a NOUNMAP | WRITE_ZEROES request, loop should ask the +underlying filesystem to FALLOC_FL_ZERO_RANGE, which is (according to +the fallocate documentation) required to ensure that the entire range is +backed by real storage, which suffices for our purposes. + +Fixes: 19372e2769179dd ("loop: implement REQ_OP_WRITE_ZEROES") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index ec61dd873c93..453e3728e657 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -414,18 +414,20 @@ out_free_page: + return ret; + } + +-static int lo_discard(struct loop_device *lo, struct request *rq, loff_t pos) ++static int lo_fallocate(struct loop_device *lo, struct request *rq, loff_t pos, ++ int mode) + { + /* +- * We use punch hole to reclaim the free space used by the +- * image a.k.a. discard. However we do not support discard if +- * encryption is enabled, because it may give an attacker +- * useful information. ++ * We use fallocate to manipulate the space mappings used by the image ++ * a.k.a. discard/zerorange. However we do not support this if ++ * encryption is enabled, because it may give an attacker useful ++ * information. + */ + struct file *file = lo->lo_backing_file; +- int mode = FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE; + int ret; + ++ mode |= FALLOC_FL_KEEP_SIZE; ++ + if ((!file->f_op->fallocate) || lo->lo_encrypt_key_size) { + ret = -EOPNOTSUPP; + goto out; +@@ -565,9 +567,17 @@ static int do_req_filebacked(struct loop_device *lo, struct request *rq) + switch (req_op(rq)) { + case REQ_OP_FLUSH: + return lo_req_flush(lo, rq); +- case REQ_OP_DISCARD: + case REQ_OP_WRITE_ZEROES: +- return lo_discard(lo, rq, pos); ++ /* ++ * If the caller doesn't want deallocation, call zeroout to ++ * write zeroes the range. Otherwise, punch them out. ++ */ ++ return lo_fallocate(lo, rq, pos, ++ (rq->cmd_flags & REQ_NOUNMAP) ? ++ FALLOC_FL_ZERO_RANGE : ++ FALLOC_FL_PUNCH_HOLE); ++ case REQ_OP_DISCARD: ++ return lo_fallocate(lo, rq, pos, FALLOC_FL_PUNCH_HOLE); + case REQ_OP_WRITE: + if (lo->transfer) + return lo_write_transfer(lo, rq, pos); +-- +2.20.1 + diff --git a/queue-4.14/mac80211-consider-qos-null-frames-for-sta_nullfunc_a.patch b/queue-4.14/mac80211-consider-qos-null-frames-for-sta_nullfunc_a.patch new file mode 100644 index 00000000000..f2d8af69039 --- /dev/null +++ b/queue-4.14/mac80211-consider-qos-null-frames-for-sta_nullfunc_a.patch @@ -0,0 +1,50 @@ +From b57c829b6ef61750a8e239f21cf785e2d6a456e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 21:35:38 -0800 +Subject: mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED + +From: Thomas Pedersen + +[ Upstream commit 08a5bdde3812993cb8eb7aa9124703df0de28e4b ] + +Commit 7b6ddeaf27ec ("mac80211: use QoS NDP for AP probing") +let STAs send QoS Null frames as PS triggers if the AP was +a QoS STA. However, the mac80211 PS stack relies on an +interface flag IEEE80211_STA_NULLFUNC_ACKED for +determining trigger frame ACK, which was not being set for +acked non-QoS Null frames. The effect is an inability to +trigger hardware sleep via IEEE80211_CONF_PS since the QoS +Null frame was seemingly never acked. + +This bug only applies to drivers which set both +IEEE80211_HW_REPORTS_TX_ACK_STATUS and +IEEE80211_HW_PS_NULLFUNC_STACK. + +Detect the acked QoS Null frame to restore STA power save. + +Fixes: 7b6ddeaf27ec ("mac80211: use QoS NDP for AP probing") +Signed-off-by: Thomas Pedersen +Link: https://lore.kernel.org/r/20191119053538.25979-4-thomas@adapt-ip.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/status.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/status.c b/net/mac80211/status.c +index b18466cf466c..fbe7354aeac7 100644 +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -856,7 +856,8 @@ static void __ieee80211_tx_status(struct ieee80211_hw *hw, + I802_DEBUG_INC(local->dot11FailedCount); + } + +- if (ieee80211_is_nullfunc(fc) && ieee80211_has_pm(fc) && ++ if ((ieee80211_is_nullfunc(fc) || ieee80211_is_qos_nullfunc(fc)) && ++ ieee80211_has_pm(fc) && + ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS) && + !(info->flags & IEEE80211_TX_CTL_INJECTED) && + local->ps_sdata && !(local->scanning)) { +-- +2.20.1 + diff --git a/queue-4.14/media-am437x-vpfe-setting-std-to-current-value-is-no.patch b/queue-4.14/media-am437x-vpfe-setting-std-to-current-value-is-no.patch new file mode 100644 index 00000000000..28b65af2ae6 --- /dev/null +++ b/queue-4.14/media-am437x-vpfe-setting-std-to-current-value-is-no.patch @@ -0,0 +1,40 @@ +From 32c326f2def8c51ce0f02e47cd77d029464a8dd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2019 14:05:48 -0300 +Subject: media: am437x-vpfe: Setting STD to current value is not an error + +From: Benoit Parrot + +[ Upstream commit 13aa21cfe92ce9ebb51824029d89f19c33f81419 ] + +VIDIOC_S_STD should not return an error if the value is identical +to the current one. +This error was highlighted by the v4l2-compliance test. + +Signed-off-by: Benoit Parrot +Acked-by: Lad Prabhakar +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/am437x/am437x-vpfe.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/platform/am437x/am437x-vpfe.c b/drivers/media/platform/am437x/am437x-vpfe.c +index dfcc484cab89..e92c5b56be42 100644 +--- a/drivers/media/platform/am437x/am437x-vpfe.c ++++ b/drivers/media/platform/am437x/am437x-vpfe.c +@@ -1848,6 +1848,10 @@ static int vpfe_s_std(struct file *file, void *priv, v4l2_std_id std_id) + if (!(sdinfo->inputs[0].capabilities & V4L2_IN_CAP_STD)) + return -ENODATA; + ++ /* if trying to set the same std then nothing to do */ ++ if (vpfe_standards[vpfe->std_index].std_id == std_id) ++ return 0; ++ + /* If streaming is started, return error */ + if (vb2_is_busy(&vpfe->buffer_queue)) { + vpfe_err(vpfe, "%s device busy\n", __func__); +-- +2.20.1 + diff --git a/queue-4.14/media-cec-funcs.h-add-status_req-checks.patch b/queue-4.14/media-cec-funcs.h-add-status_req-checks.patch new file mode 100644 index 00000000000..b81fe482d7d --- /dev/null +++ b/queue-4.14/media-cec-funcs.h-add-status_req-checks.patch @@ -0,0 +1,54 @@ +From e97a8e0f3cc4504d48c7d243e4437fb450597f48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 04:56:38 -0300 +Subject: media: cec-funcs.h: add status_req checks + +From: Hans Verkuil + +[ Upstream commit 9b211f9c5a0b67afc435b86f75d78273b97db1c5 ] + +The CEC_MSG_GIVE_DECK_STATUS and CEC_MSG_GIVE_TUNER_DEVICE_STATUS commands +both have a status_req argument: ON, OFF, ONCE. If ON or ONCE, then the +follower will reply with a STATUS message. Either once or whenever the +status changes (status_req == ON). + +If status_req == OFF, then it will stop sending continuous status updates, +but the follower will *not* send a STATUS message in that case. + +This means that if status_req == OFF, then msg->reply should be 0 as well +since no reply is expected in that case. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + include/uapi/linux/cec-funcs.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/cec-funcs.h b/include/uapi/linux/cec-funcs.h +index 28e8a2a86e16..2a114f7a24d4 100644 +--- a/include/uapi/linux/cec-funcs.h ++++ b/include/uapi/linux/cec-funcs.h +@@ -952,7 +952,8 @@ static inline void cec_msg_give_deck_status(struct cec_msg *msg, + msg->len = 3; + msg->msg[1] = CEC_MSG_GIVE_DECK_STATUS; + msg->msg[2] = status_req; +- msg->reply = reply ? CEC_MSG_DECK_STATUS : 0; ++ msg->reply = (reply && status_req != CEC_OP_STATUS_REQ_OFF) ? ++ CEC_MSG_DECK_STATUS : 0; + } + + static inline void cec_ops_give_deck_status(const struct cec_msg *msg, +@@ -1056,7 +1057,8 @@ static inline void cec_msg_give_tuner_device_status(struct cec_msg *msg, + msg->len = 3; + msg->msg[1] = CEC_MSG_GIVE_TUNER_DEVICE_STATUS; + msg->msg[2] = status_req; +- msg->reply = reply ? CEC_MSG_TUNER_DEVICE_STATUS : 0; ++ msg->reply = (reply && status_req != CEC_OP_STATUS_REQ_OFF) ? ++ CEC_MSG_TUNER_DEVICE_STATUS : 0; + } + + static inline void cec_ops_give_tuner_device_status(const struct cec_msg *msg, +-- +2.20.1 + diff --git a/queue-4.14/media-cx88-fix-some-error-handling-path-in-cx8800_in.patch b/queue-4.14/media-cx88-fix-some-error-handling-path-in-cx8800_in.patch new file mode 100644 index 00000000000..e99f1b95713 --- /dev/null +++ b/queue-4.14/media-cx88-fix-some-error-handling-path-in-cx8800_in.patch @@ -0,0 +1,76 @@ +From 8f476e4aaf22addec228edaa6dc1dc33d487a570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Sep 2019 04:41:23 -0300 +Subject: media: cx88: Fix some error handling path in 'cx8800_initdev()' + +From: Christophe JAILLET + +[ Upstream commit e1444e9b0424c70def6352580762d660af50e03f ] + +A call to 'pci_disable_device()' is missing in the error handling path. +In some cases, a call to 'free_irq()' may also be missing. + +Reorder the error handling path, add some new labels and fix the 2 issues +mentionned above. + +This way, the error handling path in more in line with 'cx8800_finidev()' +(i.e. the remove function) + +Signed-off-by: Christophe JAILLET +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx88/cx88-video.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c +index 7d25ecd4404b..1748812bd7e5 100644 +--- a/drivers/media/pci/cx88/cx88-video.c ++++ b/drivers/media/pci/cx88/cx88-video.c +@@ -1310,7 +1310,7 @@ static int cx8800_initdev(struct pci_dev *pci_dev, + core = cx88_core_get(dev->pci); + if (!core) { + err = -EINVAL; +- goto fail_free; ++ goto fail_disable; + } + dev->core = core; + +@@ -1356,7 +1356,7 @@ static int cx8800_initdev(struct pci_dev *pci_dev, + cc->step, cc->default_value); + if (!vc) { + err = core->audio_hdl.error; +- goto fail_core; ++ goto fail_irq; + } + vc->priv = (void *)cc; + } +@@ -1370,7 +1370,7 @@ static int cx8800_initdev(struct pci_dev *pci_dev, + cc->step, cc->default_value); + if (!vc) { + err = core->video_hdl.error; +- goto fail_core; ++ goto fail_irq; + } + vc->priv = (void *)cc; + if (vc->id == V4L2_CID_CHROMA_AGC) +@@ -1533,11 +1533,14 @@ static int cx8800_initdev(struct pci_dev *pci_dev, + + fail_unreg: + cx8800_unregister_video(dev); +- free_irq(pci_dev->irq, dev); + mutex_unlock(&core->lock); ++fail_irq: ++ free_irq(pci_dev->irq, dev); + fail_core: + core->v4ldev = NULL; + cx88_core_put(core, dev->pci); ++fail_disable: ++ pci_disable_device(pci_dev); + fail_free: + kfree(dev); + return err; +-- +2.20.1 + diff --git a/queue-4.14/media-flexcop-usb-fix-null-ptr-deref-in-flexcop_usb_.patch b/queue-4.14/media-flexcop-usb-fix-null-ptr-deref-in-flexcop_usb_.patch new file mode 100644 index 00000000000..c9e36cd68ff --- /dev/null +++ b/queue-4.14/media-flexcop-usb-fix-null-ptr-deref-in-flexcop_usb_.patch @@ -0,0 +1,46 @@ +From 6ddbb35f9ed919bbe3b6fb567f1105c6ddb94eda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 06:49:04 -0300 +Subject: media: flexcop-usb: fix NULL-ptr deref in flexcop_usb_transfer_init() + +From: Yang Yingliang + +[ Upstream commit 649cd16c438f51d4cd777e71ca1f47f6e0c5e65d ] + +If usb_set_interface() failed, iface->cur_altsetting will +not be assigned and it will be used in flexcop_usb_transfer_init() +It may lead a NULL pointer dereference. + +Check usb_set_interface() return value in flexcop_usb_init() +and return failed to avoid using this NULL pointer. + +Signed-off-by: Yang Yingliang +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/b2c2/flexcop-usb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c +index ac4fddfd0a43..f1807c16438d 100644 +--- a/drivers/media/usb/b2c2/flexcop-usb.c ++++ b/drivers/media/usb/b2c2/flexcop-usb.c +@@ -503,7 +503,13 @@ urb_error: + static int flexcop_usb_init(struct flexcop_usb *fc_usb) + { + /* use the alternate setting with the larges buffer */ +- usb_set_interface(fc_usb->udev,0,1); ++ int ret = usb_set_interface(fc_usb->udev, 0, 1); ++ ++ if (ret) { ++ err("set interface failed."); ++ return ret; ++ } ++ + switch (fc_usb->udev->speed) { + case USB_SPEED_LOW: + err("cannot handle USB speed because it is too slow."); +-- +2.20.1 + diff --git a/queue-4.14/media-i2c-ov2659-fix-missing-720p-register-config.patch b/queue-4.14/media-i2c-ov2659-fix-missing-720p-register-config.patch new file mode 100644 index 00000000000..149c0ec9a9f --- /dev/null +++ b/queue-4.14/media-i2c-ov2659-fix-missing-720p-register-config.patch @@ -0,0 +1,48 @@ +From b049fc69981af236685af4b1acf52f027ee60826 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 10:06:43 -0300 +Subject: media: i2c: ov2659: Fix missing 720p register config + +From: Benoit Parrot + +[ Upstream commit 9d669fbfca20e6035ead814e55d9ef1a6b500540 ] + +The initial registers sequence is only loaded at probe +time. Afterward only the resolution and format specific +register are modified. Care must be taken to make sure +registers modified by one resolution setting are reverted +back when another resolution is programmed. + +This was not done properly for the 720p case. + +Signed-off-by: Benoit Parrot +Acked-by: Lad, Prabhakar +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2659.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c +index 04d493aea45e..44b0584eb8a6 100644 +--- a/drivers/media/i2c/ov2659.c ++++ b/drivers/media/i2c/ov2659.c +@@ -419,10 +419,14 @@ static struct sensor_register ov2659_720p[] = { + { REG_TIMING_YINC, 0x11 }, + { REG_TIMING_VERT_FORMAT, 0x80 }, + { REG_TIMING_HORIZ_FORMAT, 0x00 }, ++ { 0x370a, 0x12 }, + { 0x3a03, 0xe8 }, + { 0x3a09, 0x6f }, + { 0x3a0b, 0x5d }, + { 0x3a15, 0x9a }, ++ { REG_VFIFO_READ_START_H, 0x00 }, ++ { REG_VFIFO_READ_START_L, 0x80 }, ++ { REG_ISP_CTRL02, 0x00 }, + { REG_NULL, 0x00 }, + }; + +-- +2.20.1 + diff --git a/queue-4.14/media-i2c-ov2659-fix-s_stream-return-value.patch b/queue-4.14/media-i2c-ov2659-fix-s_stream-return-value.patch new file mode 100644 index 00000000000..0de6801dfbc --- /dev/null +++ b/queue-4.14/media-i2c-ov2659-fix-s_stream-return-value.patch @@ -0,0 +1,49 @@ +From 799e2e18b384d32d0345c4d5a7804d65adee9731 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Sep 2019 10:06:40 -0300 +Subject: media: i2c: ov2659: fix s_stream return value + +From: Benoit Parrot + +[ Upstream commit 85c4043f1d403c222d481dfc91846227d66663fb ] + +In ov2659_s_stream() return value for invoked function should be checked +and propagated. + +Signed-off-by: Benoit Parrot +Acked-by: Lad, Prabhakar +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov2659.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c +index ce23f436e130..04d493aea45e 100644 +--- a/drivers/media/i2c/ov2659.c ++++ b/drivers/media/i2c/ov2659.c +@@ -1203,11 +1203,15 @@ static int ov2659_s_stream(struct v4l2_subdev *sd, int on) + goto unlock; + } + +- ov2659_set_pixel_clock(ov2659); +- ov2659_set_frame_size(ov2659); +- ov2659_set_format(ov2659); +- ov2659_set_streaming(ov2659, 1); +- ov2659->streaming = on; ++ ret = ov2659_set_pixel_clock(ov2659); ++ if (!ret) ++ ret = ov2659_set_frame_size(ov2659); ++ if (!ret) ++ ret = ov2659_set_format(ov2659); ++ if (!ret) { ++ ov2659_set_streaming(ov2659, 1); ++ ov2659->streaming = on; ++ } + + unlock: + mutex_unlock(&ov2659->lock); +-- +2.20.1 + diff --git a/queue-4.14/media-ov6650-fix-crop-rectangle-alignment-not-passed.patch b/queue-4.14/media-ov6650-fix-crop-rectangle-alignment-not-passed.patch new file mode 100644 index 00000000000..db421abef80 --- /dev/null +++ b/queue-4.14/media-ov6650-fix-crop-rectangle-alignment-not-passed.patch @@ -0,0 +1,93 @@ +From 7b5db56facbdd5ab28d944fe8cc6cfa645e7258e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2019 17:11:38 -0300 +Subject: media: ov6650: Fix crop rectangle alignment not passed back + +From: Janusz Krzysztofik + +[ Upstream commit 7b188d6ba27a131e7934a51a14ece331c0491f18 ] + +Commit 4f996594ceaf ("[media] v4l2: make vidioc_s_crop const") +introduced a writable copy of constified user requested crop rectangle +in order to be able to perform hardware alignments on it. Later +on, commit 10d5509c8d50 ("[media] v4l2: remove g/s_crop from video +ops") replaced s_crop() video operation using that const argument with +set_selection() pad operation which had a corresponding argument not +constified, however the original behavior of the driver was not +restored. Since that time, any hardware alignment applied on a user +requested crop rectangle is not passed back to the user calling +.set_selection() as it should be. + +Fix the issue by dropping the copy and replacing all references to it +with references to the crop rectangle embedded in the user argument. + +Fixes: 10d5509c8d50 ("[media] v4l2: remove g/s_crop from video ops") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov6650.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c +index 025869eec2ac..98080d420444 100644 +--- a/drivers/media/i2c/ov6650.c ++++ b/drivers/media/i2c/ov6650.c +@@ -469,38 +469,37 @@ static int ov6650_set_selection(struct v4l2_subdev *sd, + { + struct i2c_client *client = v4l2_get_subdevdata(sd); + struct ov6650 *priv = to_ov6650(client); +- struct v4l2_rect rect = sel->r; + int ret; + + if (sel->which != V4L2_SUBDEV_FORMAT_ACTIVE || + sel->target != V4L2_SEL_TGT_CROP) + return -EINVAL; + +- v4l_bound_align_image(&rect.width, 2, W_CIF, 1, +- &rect.height, 2, H_CIF, 1, 0); +- v4l_bound_align_image(&rect.left, DEF_HSTRT << 1, +- (DEF_HSTRT << 1) + W_CIF - (__s32)rect.width, 1, +- &rect.top, DEF_VSTRT << 1, +- (DEF_VSTRT << 1) + H_CIF - (__s32)rect.height, 1, +- 0); ++ v4l_bound_align_image(&sel->r.width, 2, W_CIF, 1, ++ &sel->r.height, 2, H_CIF, 1, 0); ++ v4l_bound_align_image(&sel->r.left, DEF_HSTRT << 1, ++ (DEF_HSTRT << 1) + W_CIF - (__s32)sel->r.width, 1, ++ &sel->r.top, DEF_VSTRT << 1, ++ (DEF_VSTRT << 1) + H_CIF - (__s32)sel->r.height, ++ 1, 0); + +- ret = ov6650_reg_write(client, REG_HSTRT, rect.left >> 1); ++ ret = ov6650_reg_write(client, REG_HSTRT, sel->r.left >> 1); + if (!ret) { +- priv->rect.left = rect.left; ++ priv->rect.left = sel->r.left; + ret = ov6650_reg_write(client, REG_HSTOP, +- (rect.left + rect.width) >> 1); ++ (sel->r.left + sel->r.width) >> 1); + } + if (!ret) { +- priv->rect.width = rect.width; +- ret = ov6650_reg_write(client, REG_VSTRT, rect.top >> 1); ++ priv->rect.width = sel->r.width; ++ ret = ov6650_reg_write(client, REG_VSTRT, sel->r.top >> 1); + } + if (!ret) { +- priv->rect.top = rect.top; ++ priv->rect.top = sel->r.top; + ret = ov6650_reg_write(client, REG_VSTOP, +- (rect.top + rect.height) >> 1); ++ (sel->r.top + sel->r.height) >> 1); + } + if (!ret) +- priv->rect.height = rect.height; ++ priv->rect.height = sel->r.height; + + return ret; + } +-- +2.20.1 + diff --git a/queue-4.14/media-ov6650-fix-stored-crop-rectangle-not-in-sync-w.patch b/queue-4.14/media-ov6650-fix-stored-crop-rectangle-not-in-sync-w.patch new file mode 100644 index 00000000000..b84d27e2599 --- /dev/null +++ b/queue-4.14/media-ov6650-fix-stored-crop-rectangle-not-in-sync-w.patch @@ -0,0 +1,58 @@ +From 9f25cf3cc9f2c7073bb382cacd2979f5b9894e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2019 17:11:44 -0300 +Subject: media: ov6650: Fix stored crop rectangle not in sync with hardware + +From: Janusz Krzysztofik + +[ Upstream commit 1463b371aff0682c70141f7521db13cc4bbf3016 ] + +The driver stores crop rectangle settings supposed to be in line with +hardware state in a device private structure. Since the driver initial +submission, crop rectangle width and height settings are not updated +correctly when rectangle offset settings are applied on hardware. If +an error occurs while the device is updated, the stored settings my no +longer reflect hardware state and consecutive calls to .get_selection() +as well as .get/set_fmt() may return incorrect information. That in +turn may affect ability of a bridge device to use correct DMA transfer +settings if such incorrect informamtion on active frame format returned +by .get/set_fmt() is used. + +Assuming a failed update of the device means its actual settings haven't +changed, update crop rectangle width and height settings stored in the +device private structure correctly while the rectangle offset is +successfully applied on hardware so the stored values always reflect +actual hardware state to the extent possible. + +Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov6650.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c +index 81fa21ed2599..348296be4925 100644 +--- a/drivers/media/i2c/ov6650.c ++++ b/drivers/media/i2c/ov6650.c +@@ -485,6 +485,7 @@ static int ov6650_set_selection(struct v4l2_subdev *sd, + + ret = ov6650_reg_write(client, REG_HSTRT, sel->r.left >> 1); + if (!ret) { ++ priv->rect.width += priv->rect.left - sel->r.left; + priv->rect.left = sel->r.left; + ret = ov6650_reg_write(client, REG_HSTOP, + (sel->r.left + sel->r.width) >> 1); +@@ -494,6 +495,7 @@ static int ov6650_set_selection(struct v4l2_subdev *sd, + ret = ov6650_reg_write(client, REG_VSTRT, sel->r.top >> 1); + } + if (!ret) { ++ priv->rect.height += priv->rect.top - sel->r.top; + priv->rect.top = sel->r.top; + ret = ov6650_reg_write(client, REG_VSTOP, + (sel->r.top + sel->r.height) >> 1); +-- +2.20.1 + diff --git a/queue-4.14/media-ov6650-fix-stored-frame-format-not-in-sync-wit.patch b/queue-4.14/media-ov6650-fix-stored-frame-format-not-in-sync-wit.patch new file mode 100644 index 00000000000..fe7b2ddacae --- /dev/null +++ b/queue-4.14/media-ov6650-fix-stored-frame-format-not-in-sync-wit.patch @@ -0,0 +1,71 @@ +From e5d85a69e71378380fb09c8daafad810b0d6343a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2019 17:11:43 -0300 +Subject: media: ov6650: Fix stored frame format not in sync with hardware + +From: Janusz Krzysztofik + +[ Upstream commit 3143b459de4cdcce67b36827476c966e93c1cf01 ] + +The driver stores frame format settings supposed to be in line with +hardware state in a device private structure. Since the driver initial +submission, those settings are updated before they are actually applied +on hardware. If an error occurs on device update, the stored settings +my not reflect hardware state anymore and consecutive calls to +.get_fmt() may return incorrect information. That in turn may affect +ability of a bridge device to use correct DMA transfer settings if such +incorrect informmation on active frame format returned by .get_fmt() is +used. + +Assuming a failed device update means its state hasn't changed, update +frame format related settings stored in the device private structure +only after they are successfully applied so the stored values always +reflect hardware state as closely as possible. + +Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov6650.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c +index 98080d420444..81fa21ed2599 100644 +--- a/drivers/media/i2c/ov6650.c ++++ b/drivers/media/i2c/ov6650.c +@@ -613,7 +613,6 @@ static int ov6650_s_fmt(struct v4l2_subdev *sd, struct v4l2_mbus_framefmt *mf) + dev_err(&client->dev, "Pixel format not handled: 0x%x\n", code); + return -EINVAL; + } +- priv->code = code; + + if (code == MEDIA_BUS_FMT_Y8_1X8 || + code == MEDIA_BUS_FMT_SBGGR8_1X8) { +@@ -639,7 +638,6 @@ static int ov6650_s_fmt(struct v4l2_subdev *sd, struct v4l2_mbus_framefmt *mf) + dev_dbg(&client->dev, "max resolution: CIF\n"); + coma_mask |= COMA_QCIF; + } +- priv->half_scale = half_scale; + + clkrc = CLKRC_12MHz; + mclk = 12000000; +@@ -657,8 +655,13 @@ static int ov6650_s_fmt(struct v4l2_subdev *sd, struct v4l2_mbus_framefmt *mf) + ret = ov6650_reg_rmw(client, REG_COMA, coma_set, coma_mask); + if (!ret) + ret = ov6650_reg_write(client, REG_CLKRC, clkrc); +- if (!ret) ++ if (!ret) { ++ priv->half_scale = half_scale; ++ + ret = ov6650_reg_rmw(client, REG_COML, coml_set, coml_mask); ++ } ++ if (!ret) ++ priv->code = code; + + if (!ret) { + mf->colorspace = priv->colorspace; +-- +2.20.1 + diff --git a/queue-4.14/media-pvrusb2-fix-oops-on-tear-down-when-radio-suppo.patch b/queue-4.14/media-pvrusb2-fix-oops-on-tear-down-when-radio-suppo.patch new file mode 100644 index 00000000000..2341358be19 --- /dev/null +++ b/queue-4.14/media-pvrusb2-fix-oops-on-tear-down-when-radio-suppo.patch @@ -0,0 +1,60 @@ +From 2523a0882ec4959903915241ca6d3f2211fb81ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 12:11:14 +0100 +Subject: media: pvrusb2: Fix oops on tear-down when radio support is not + present + +From: Mike Isely + +[ Upstream commit 7f404ae9cf2a285f73b3c18ab9303d54b7a3d8e1 ] + +In some device configurations there's no radio or radio support in the +driver. That's OK, as the driver sets itself up accordingly. However +on tear-down in these caes it's still trying to tear down radio +related context when there isn't anything there, leading to +dereferences through a null pointer and chaos follows. + +How this bug survived unfixed for 11 years in the pvrusb2 driver is a +mystery to me. + +[hverkuil: fix two checkpatch warnings] + +Signed-off-by: Mike Isely +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +index 4320bda9352d..e0413db26781 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +@@ -915,8 +915,12 @@ static void pvr2_v4l2_internal_check(struct pvr2_channel *chp) + pvr2_v4l2_dev_disassociate_parent(vp->dev_video); + pvr2_v4l2_dev_disassociate_parent(vp->dev_radio); + if (!list_empty(&vp->dev_video->devbase.fh_list) || +- !list_empty(&vp->dev_radio->devbase.fh_list)) ++ (vp->dev_radio && ++ !list_empty(&vp->dev_radio->devbase.fh_list))) { ++ pvr2_trace(PVR2_TRACE_STRUCT, ++ "pvr2_v4l2 internal_check exit-empty id=%p", vp); + return; ++ } + pvr2_v4l2_destroy_no_lock(vp); + } + +@@ -990,7 +994,8 @@ static int pvr2_v4l2_release(struct file *file) + kfree(fhp); + if (vp->channel.mc_head->disconnect_flag && + list_empty(&vp->dev_video->devbase.fh_list) && +- list_empty(&vp->dev_radio->devbase.fh_list)) { ++ (!vp->dev_radio || ++ list_empty(&vp->dev_radio->devbase.fh_list))) { + pvr2_v4l2_destroy_no_lock(vp); + } + return 0; +-- +2.20.1 + diff --git a/queue-4.14/media-rcar_drif-fix-a-memory-disclosure.patch b/queue-4.14/media-rcar_drif-fix-a-memory-disclosure.patch new file mode 100644 index 00000000000..57b52b11ecb --- /dev/null +++ b/queue-4.14/media-rcar_drif-fix-a-memory-disclosure.patch @@ -0,0 +1,37 @@ +From b55143788ed8766f3243080543b2a8bcaedb1ab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 01:47:00 -0300 +Subject: media: rcar_drif: fix a memory disclosure + +From: Kangjie Lu + +[ Upstream commit d39083234c60519724c6ed59509a2129fd2aed41 ] + +"f->fmt.sdr.reserved" is uninitialized. As other peer drivers +like msi2500 and airspy do, the fix initializes it to avoid +memory disclosures. + +Signed-off-by: Kangjie Lu +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar_drif.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c +index 522364ff0d5d..3871ed6a1fcb 100644 +--- a/drivers/media/platform/rcar_drif.c ++++ b/drivers/media/platform/rcar_drif.c +@@ -915,6 +915,7 @@ static int rcar_drif_g_fmt_sdr_cap(struct file *file, void *priv, + { + struct rcar_drif_sdr *sdr = video_drvdata(file); + ++ memset(f->fmt.sdr.reserved, 0, sizeof(f->fmt.sdr.reserved)); + f->fmt.sdr.pixelformat = sdr->fmt->pixelformat; + f->fmt.sdr.buffersize = sdr->fmt->buffersize; + +-- +2.20.1 + diff --git a/queue-4.14/media-si470x-i2c-add-missed-operations-in-remove.patch b/queue-4.14/media-si470x-i2c-add-missed-operations-in-remove.patch new file mode 100644 index 00000000000..eba9f1b77fd --- /dev/null +++ b/queue-4.14/media-si470x-i2c-add-missed-operations-in-remove.patch @@ -0,0 +1,37 @@ +From 86d0e698a1f5f8c759521b728a90bd0bacb36c99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 07:28:15 +0100 +Subject: media: si470x-i2c: add missed operations in remove + +From: Chuhong Yuan + +[ Upstream commit 2df200ab234a86836a8879a05a8007d6b884eb14 ] + +The driver misses calling v4l2_ctrl_handler_free and +v4l2_device_unregister in remove like what is done in probe failure. +Add the calls to fix it. + +Signed-off-by: Chuhong Yuan +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/radio/si470x/radio-si470x-i2c.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c +index 8ce6f9cff746..b60fb6ed5aeb 100644 +--- a/drivers/media/radio/si470x/radio-si470x-i2c.c ++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c +@@ -455,6 +455,8 @@ static int si470x_i2c_remove(struct i2c_client *client) + video_unregister_device(&radio->videodev); + kfree(radio); + ++ v4l2_ctrl_handler_free(&radio->hdl); ++ v4l2_device_unregister(&radio->v4l2_dev); + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/media-ti-vpe-vpe-ensure-buffers-are-cleaned-up-prope.patch b/queue-4.14/media-ti-vpe-vpe-ensure-buffers-are-cleaned-up-prope.patch new file mode 100644 index 00000000000..f37c3eb6360 --- /dev/null +++ b/queue-4.14/media-ti-vpe-vpe-ensure-buffers-are-cleaned-up-prope.patch @@ -0,0 +1,127 @@ +From c9838f9f5eba77a2a9601dcc42d3f6991feada10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 12:10:01 -0300 +Subject: media: ti-vpe: vpe: ensure buffers are cleaned up properly in abort + cases + +From: Benoit Parrot + +[ Upstream commit cf6acb73b050e98b5cc435fae0e8ae0157520410 ] + +v4l2-compliance fails with this message: + + fail: v4l2-test-buffers.cpp(691): ret == 0 + fail: v4l2-test-buffers.cpp(974): captureBufs(node, q, m2m_q, +frame_count, true) + test MMAP: FAIL + +This caused the following Kernel Warning: + +WARNING: CPU: 0 PID: 961 at +drivers/media/v4l2-core/videobuf2-core.c:1658 +__vb2_queue_cancel+0x174/0x1d8 +... +CPU: 0 PID: 961 Comm: v4l2-compliance Not tainted +4.14.62-01720-g20ecd717e87a #6 +Hardware name: Generic DRA72X (Flattened Device Tree) +Backtrace: +[] (dump_backtrace) from [] (show_stack+0x18/0x1c) + r7:00000009 r6:60070013 r5:00000000 r4:c1053824 +[] (show_stack) from [] (dump_stack+0x90/0xa4) +[] (dump_stack) from [] (__warn+0xec/0x104) + r7:00000009 r6:c0c0ad50 r5:00000000 r4:00000000 +[] (__warn) from [] (warn_slowpath_null+0x28/0x30) + r9:00000008 r8:00000000 r7:eced4808 r6:edbc9bac r5:eced4844 +r4:eced4808 +[] (warn_slowpath_null) from [] +(__vb2_queue_cancel+0x174/0x1d8) +[] (__vb2_queue_cancel) from [] +(vb2_core_queue_release+0x20/0x40) + r10:ecc7bd70 r9:00000008 r8:00000000 r7:edb73010 r6:edbc9bac +r5:eced4844 + r4:eced4808 r3:00000004 +[] (vb2_core_queue_release) from [] +(vb2_queue_release+0x10/0x14) + r5:edbc9810 r4:eced4800 +[] (vb2_queue_release) from [] +(v4l2_m2m_ctx_release+0x1c/0x30) +[] (v4l2_m2m_ctx_release) from [] +(vpe_release+0x74/0xb0 [ti_vpe]) + r5:edbc9810 r4:ed67a400 +[] (vpe_release [ti_vpe]) from [] +(v4l2_release+0x3c/0x80) + r7:edb73010 r6:ed176aa0 r5:edbc9868 r4:ed5119c0 +[] (v4l2_release) from [] (__fput+0x8c/0x1dc) + r5:ecc7bd70 r4:ed5119c0 +[] (__fput) from [] (____fput+0x10/0x14) + r10:00000000 r9:ed5119c0 r8:ece392d0 r7:c1059544 r6:ece38d80 +r5:ece392b4 + r4:00000000 +[] (____fput) from [] (task_work_run+0x98/0xb8) +[] (task_work_run) from [] (do_exit+0x170/0xa80) + r9:ece351fc r8:00000000 r7:ecde3f58 r6:ffffe000 r5:ece351c0 +r4:ece38d80 +[] (do_exit) from [] (do_group_exit+0x48/0xc4) + r7:000000f8 +[] (do_group_exit) from [] +(__wake_up_parent+0x0/0x28) + r7:000000f8 r6:b6c6a798 r5:00000001 r4:00000001 +[] (SyS_exit_group) from [] +(ret_fast_syscall+0x0/0x4c) + +These warnings are caused by buffers which not properly cleaned +up/release during an abort use case. + +In the abort cases the VPDMA desc buffers would still be mapped and the +in-flight VB2 buffers would not be released properly causing a kernel +warning from being generated by the videobuf2-core level. + +Signed-off-by: Benoit Parrot +Reviewed-by: Tomi Valkeinen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index 5adafee98e4c..7af66fe95a54 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -1435,9 +1435,6 @@ static irqreturn_t vpe_irq(int irq_vpe, void *data) + /* the previous dst mv buffer becomes the next src mv buffer */ + ctx->src_mv_buf_selector = !ctx->src_mv_buf_selector; + +- if (ctx->aborting) +- goto finished; +- + s_vb = ctx->src_vbs[0]; + d_vb = ctx->dst_vb; + +@@ -1502,6 +1499,9 @@ static irqreturn_t vpe_irq(int irq_vpe, void *data) + ctx->src_vbs[0] = NULL; + ctx->dst_vb = NULL; + ++ if (ctx->aborting) ++ goto finished; ++ + ctx->bufs_completed++; + if (ctx->bufs_completed < ctx->bufs_per_job && job_ready(ctx)) { + device_run(ctx); +@@ -2400,6 +2400,12 @@ static int vpe_release(struct file *file) + + mutex_lock(&dev->dev_mutex); + free_mv_buffers(ctx); ++ ++ vpdma_unmap_desc_buf(dev->vpdma, &ctx->desc_list.buf); ++ vpdma_unmap_desc_buf(dev->vpdma, &ctx->mmr_adb); ++ vpdma_unmap_desc_buf(dev->vpdma, &ctx->sc_coeff_h); ++ vpdma_unmap_desc_buf(dev->vpdma, &ctx->sc_coeff_v); ++ + vpdma_free_desc_list(&ctx->desc_list); + vpdma_free_desc_buf(&ctx->mmr_adb); + +-- +2.20.1 + diff --git a/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch b/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch new file mode 100644 index 00000000000..a72d9c4b5e4 --- /dev/null +++ b/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch @@ -0,0 +1,51 @@ +From e2eddb78c0bc996cbd074654f29ae667e99422fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 12:10:00 -0300 +Subject: media: ti-vpe: vpe: fix a v4l2-compliance failure about frame + sequence number + +From: Benoit Parrot + +[ Upstream commit 2444846c0dbfa4ead21b621e4300ec32c90fbf38 ] + +v4l2-compliance fails with this message: + + fail: v4l2-test-buffers.cpp(294): \ + (int)g_sequence() < seq.last_seq + 1 + fail: v4l2-test-buffers.cpp(740): \ + buf.check(m2m_q, last_m2m_seq) + fail: v4l2-test-buffers.cpp(974): \ + captureBufs(node, q, m2m_q, frame_count, true) + test MMAP: FAIL + +The driver is failing to update the source frame sequence number in the +vb2 buffer object. Only the destination frame sequence was being +updated. + +This is only a reporting issue if the user space app actually cares +about the frame sequence number. But it is fixed nonetheless. + +Signed-off-by: Benoit Parrot +Reviewed-by: Tomi Valkeinen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index 4dc08f5a6081..8a5c0d3e733e 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -1448,6 +1448,7 @@ static irqreturn_t vpe_irq(int irq_vpe, void *data) + d_vb->timecode = s_vb->timecode; + + d_vb->sequence = ctx->sequence; ++ s_vb->sequence = ctx->sequence; + + d_q_data = &ctx->q_data[Q_DATA_DST]; + if (d_q_data->flags & Q_IS_INTERLACED) { +-- +2.20.1 + diff --git a/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch-7973 b/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch-7973 new file mode 100644 index 00000000000..cbf976874f3 --- /dev/null +++ b/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch-7973 @@ -0,0 +1,65 @@ +From 8be750bdaa9de03065552cafb2cc892279bef5b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 12:09:59 -0300 +Subject: media: ti-vpe: vpe: fix a v4l2-compliance failure about invalid + sizeimage + +From: Benoit Parrot + +[ Upstream commit 0bac73adea4df8d34048b38f6ff24dc3e73e90b6 ] + +v4l2-compliance fails with this message: + + fail: v4l2-test-formats.cpp(463): !pfmt.sizeimage + fail: v4l2-test-formats.cpp(736): \ + Video Capture Multiplanar is valid, \ + but TRY_FMT failed to return a format + test VIDIOC_TRY_FMT: FAIL + +This failure is causd by the driver failing to handle out range +'bytesperline' values from user space applications. + +VPDMA hardware is limited to 64k line stride (16 bytes aligned, so 65520 +bytes). So make sure the provided or calculated 'bytesperline' is +smaller than the maximum value. + +Signed-off-by: Benoit Parrot +Reviewed-by: Tomi Valkeinen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpdma.h | 1 + + drivers/media/platform/ti-vpe/vpe.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/media/platform/ti-vpe/vpdma.h b/drivers/media/platform/ti-vpe/vpdma.h +index 7e611501c291..f29074c84915 100644 +--- a/drivers/media/platform/ti-vpe/vpdma.h ++++ b/drivers/media/platform/ti-vpe/vpdma.h +@@ -60,6 +60,7 @@ struct vpdma_data_format { + * line stride of source and dest + * buffers should be 16 byte aligned + */ ++#define VPDMA_MAX_STRIDE 65520 /* Max line stride 16 byte aligned */ + #define VPDMA_DTD_DESC_SIZE 32 /* 8 words */ + #define VPDMA_CFD_CTD_DESC_SIZE 16 /* 4 words */ + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index 7af66fe95a54..2e8970c7e22d 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -1702,6 +1702,10 @@ static int __vpe_try_fmt(struct vpe_ctx *ctx, struct v4l2_format *f, + if (stride > plane_fmt->bytesperline) + plane_fmt->bytesperline = stride; + ++ plane_fmt->bytesperline = clamp_t(u32, plane_fmt->bytesperline, ++ stride, ++ VPDMA_MAX_STRIDE); ++ + plane_fmt->bytesperline = ALIGN(plane_fmt->bytesperline, + VPDMA_STRIDE_ALIGN); + +-- +2.20.1 + diff --git a/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-causi.patch b/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-causi.patch new file mode 100644 index 00000000000..2180b4006bc --- /dev/null +++ b/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-causi.patch @@ -0,0 +1,62 @@ +From c3b26724132ed649379175da06292d83df5e8fa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 12:09:56 -0300 +Subject: media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel + panic + +From: Benoit Parrot + +[ Upstream commit a37980ac5be29b83da67bf7d571c6bd9f90f8e45 ] + +v4l2-compliance fails with this message: + + warn: v4l2-test-formats.cpp(717): \ + TRY_FMT cannot handle an invalid pixelformat. + test VIDIOC_TRY_FMT: FAIL + +This causes the following kernel panic: + +Unable to handle kernel paging request at virtual address 56595561 +pgd = ecd80e00 +*pgd=00000000 +Internal error: Oops: 205 [#1] PREEMPT SMP ARM +... +CPU: 0 PID: 930 Comm: v4l2-compliance Not tainted \ + 4.14.62-01715-gc8cd67f49a19 #1 +Hardware name: Generic DRA72X (Flattened Device Tree) +task: ece44d80 task.stack: ecc6e000 +PC is at __vpe_try_fmt+0x18c/0x2a8 [ti_vpe] +LR is at 0x8 + +Because the driver fails to properly check the 'num_planes' values for +proper ranges it ends up accessing out of bound data causing the kernel +panic. + +Since this driver only handle single or dual plane pixel format, make +sure the provided value does not exceed 2 planes. + +Signed-off-by: Benoit Parrot +Reviewed-by: Tomi Valkeinen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index a136fb14bf1a..5adafee98e4c 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -1663,7 +1663,7 @@ static int __vpe_try_fmt(struct vpe_ctx *ctx, struct v4l2_format *f, + &pix->height, MIN_H, MAX_H, H_ALIGN, + S_ALIGN); + +- if (!pix->num_planes) ++ if (!pix->num_planes || pix->num_planes > 2) + pix->num_planes = fmt->coplanar ? 2 : 1; + else if (pix->num_planes > 1 && !fmt->coplanar) + pix->num_planes = 1; +-- +2.20.1 + diff --git a/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-warning-about.patch b/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-warning-about.patch new file mode 100644 index 00000000000..1a4a111817f --- /dev/null +++ b/queue-4.14/media-ti-vpe-vpe-fix-a-v4l2-compliance-warning-about.patch @@ -0,0 +1,82 @@ +From d180311bf17772da77309169d88bc1a146e4423b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 12:09:57 -0300 +Subject: media: ti-vpe: vpe: fix a v4l2-compliance warning about invalid pixel + format + +From: Benoit Parrot + +[ Upstream commit 06bec72b250b2cb3ba96fa45c2b8e0fb83745517 ] + +v4l2-compliance warns with this message: + + warn: v4l2-test-formats.cpp(717): \ + TRY_FMT cannot handle an invalid pixelformat. + warn: v4l2-test-formats.cpp(718): \ + This may or may not be a problem. For more information see: + warn: v4l2-test-formats.cpp(719): \ + http://www.mail-archive.com/linux-media@vger.kernel.org/msg56550.html + ... + test VIDIOC_TRY_FMT: FAIL + +We need to make sure that the returns a valid pixel format in all +instance. Based on the v4l2 framework convention drivers must return a +valid pixel format when the requested pixel format is either invalid or +not supported. + +Signed-off-by: Benoit Parrot +Reviewed-by: Tomi Valkeinen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index 19c0a2614635..4dc08f5a6081 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -352,20 +352,25 @@ enum { + }; + + /* find our format description corresponding to the passed v4l2_format */ +-static struct vpe_fmt *find_format(struct v4l2_format *f) ++static struct vpe_fmt *__find_format(u32 fourcc) + { + struct vpe_fmt *fmt; + unsigned int k; + + for (k = 0; k < ARRAY_SIZE(vpe_formats); k++) { + fmt = &vpe_formats[k]; +- if (fmt->fourcc == f->fmt.pix.pixelformat) ++ if (fmt->fourcc == fourcc) + return fmt; + } + + return NULL; + } + ++static struct vpe_fmt *find_format(struct v4l2_format *f) ++{ ++ return __find_format(f->fmt.pix.pixelformat); ++} ++ + /* + * there is one vpe_dev structure in the driver, it is shared by + * all instances. +@@ -1608,9 +1613,9 @@ static int __vpe_try_fmt(struct vpe_ctx *ctx, struct v4l2_format *f, + unsigned int stride = 0; + + if (!fmt || !(fmt->types & type)) { +- vpe_err(ctx->dev, "Fourcc format (0x%08x) invalid.\n", ++ vpe_dbg(ctx->dev, "Fourcc format (0x%08x) invalid.\n", + pix->pixelformat); +- return -EINVAL; ++ fmt = __find_format(V4L2_PIX_FMT_YUYV); + } + + if (pix->field != V4L2_FIELD_NONE && pix->field != V4L2_FIELD_ALTERNATE +-- +2.20.1 + diff --git a/queue-4.14/media-ti-vpe-vpe-fix-motion-vector-vpdma-stride.patch b/queue-4.14/media-ti-vpe-vpe-fix-motion-vector-vpdma-stride.patch new file mode 100644 index 00000000000..6358086fab7 --- /dev/null +++ b/queue-4.14/media-ti-vpe-vpe-fix-motion-vector-vpdma-stride.patch @@ -0,0 +1,105 @@ +From f0112e0923501df551fdb56bcd6bfa04c4d10971 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 12:09:50 -0300 +Subject: media: ti-vpe: vpe: Fix Motion Vector vpdma stride + +From: Benoit Parrot + +[ Upstream commit 102af9b9922f658f705a4b0deaccabac409131bf ] + +commit 3dc2046ca78b ("[media] media: ti-vpe: vpe: allow use of user +specified stride") and commit da4414eaed15 ("[media] media: ti-vpe: vpdma: +add support for user specified stride") resulted in the Motion Vector +stride to be the same as the image stride. + +This caused memory corruption in the output image as mentioned in +commit 00db969964c8 ("[media] media: ti-vpe: vpe: Fix line stride +for output motion vector"). + +Fixes: 3dc2046ca78b ("[media] media: ti-vpe: vpe: allow use of user specified stride") +Fixes: da4414eaed15 ("[media] media: ti-vpe: vpdma: add support for user specified stride") +Signed-off-by: Benoit Parrot +Acked-by: Nikhil Devshatwar +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index 45bd10544189..19c0a2614635 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -1044,11 +1044,14 @@ static void add_out_dtd(struct vpe_ctx *ctx, int port) + dma_addr_t dma_addr; + u32 flags = 0; + u32 offset = 0; ++ u32 stride; + + if (port == VPE_PORT_MV_OUT) { + vpdma_fmt = &vpdma_misc_fmts[VPDMA_DATA_FMT_MV]; + dma_addr = ctx->mv_buf_dma[mv_buf_selector]; + q_data = &ctx->q_data[Q_DATA_SRC]; ++ stride = ALIGN((q_data->width * vpdma_fmt->depth) >> 3, ++ VPDMA_STRIDE_ALIGN); + } else { + /* to incorporate interleaved formats */ + int plane = fmt->coplanar ? p_data->vb_part : 0; +@@ -1075,6 +1078,7 @@ static void add_out_dtd(struct vpe_ctx *ctx, int port) + } + /* Apply the offset */ + dma_addr += offset; ++ stride = q_data->bytesperline[VPE_LUMA]; + } + + if (q_data->flags & Q_DATA_FRAME_1D) +@@ -1086,7 +1090,7 @@ static void add_out_dtd(struct vpe_ctx *ctx, int port) + MAX_W, MAX_H); + + vpdma_add_out_dtd(&ctx->desc_list, q_data->width, +- q_data->bytesperline[VPE_LUMA], &q_data->c_rect, ++ stride, &q_data->c_rect, + vpdma_fmt, dma_addr, MAX_OUT_WIDTH_REG1, + MAX_OUT_HEIGHT_REG1, p_data->channel, flags); + } +@@ -1105,10 +1109,13 @@ static void add_in_dtd(struct vpe_ctx *ctx, int port) + dma_addr_t dma_addr; + u32 flags = 0; + u32 offset = 0; ++ u32 stride; + + if (port == VPE_PORT_MV_IN) { + vpdma_fmt = &vpdma_misc_fmts[VPDMA_DATA_FMT_MV]; + dma_addr = ctx->mv_buf_dma[mv_buf_selector]; ++ stride = ALIGN((q_data->width * vpdma_fmt->depth) >> 3, ++ VPDMA_STRIDE_ALIGN); + } else { + /* to incorporate interleaved formats */ + int plane = fmt->coplanar ? p_data->vb_part : 0; +@@ -1135,6 +1142,7 @@ static void add_in_dtd(struct vpe_ctx *ctx, int port) + } + /* Apply the offset */ + dma_addr += offset; ++ stride = q_data->bytesperline[VPE_LUMA]; + + if (q_data->flags & Q_DATA_INTERLACED_SEQ_TB) { + /* +@@ -1170,10 +1178,10 @@ static void add_in_dtd(struct vpe_ctx *ctx, int port) + if (p_data->vb_part && fmt->fourcc == V4L2_PIX_FMT_NV12) + frame_height /= 2; + +- vpdma_add_in_dtd(&ctx->desc_list, q_data->width, +- q_data->bytesperline[VPE_LUMA], &q_data->c_rect, +- vpdma_fmt, dma_addr, p_data->channel, field, flags, frame_width, +- frame_height, 0, 0); ++ vpdma_add_in_dtd(&ctx->desc_list, q_data->width, stride, ++ &q_data->c_rect, vpdma_fmt, dma_addr, ++ p_data->channel, field, flags, frame_width, ++ frame_height, 0, 0); + } + + /* +-- +2.20.1 + diff --git a/queue-4.14/media-ti-vpe-vpe-make-sure-yuyv-is-set-as-default-fo.patch b/queue-4.14/media-ti-vpe-vpe-make-sure-yuyv-is-set-as-default-fo.patch new file mode 100644 index 00000000000..431d767bf10 --- /dev/null +++ b/queue-4.14/media-ti-vpe-vpe-make-sure-yuyv-is-set-as-default-fo.patch @@ -0,0 +1,53 @@ +From 41bec8237b45485bb8180f232a5037fe848c28fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 12:09:58 -0300 +Subject: media: ti-vpe: vpe: Make sure YUYV is set as default format + +From: Benoit Parrot + +[ Upstream commit e20b248051ca0f90d84b4d9378e4780bc31f16c6 ] + +v4l2-compliance fails with this message: + + fail: v4l2-test-formats.cpp(672): \ + Video Capture Multiplanar: TRY_FMT(G_FMT) != G_FMT + fail: v4l2-test-formats.cpp(672): \ + Video Output Multiplanar: TRY_FMT(G_FMT) != G_FMT + ... + test VIDIOC_TRY_FMT: FAIL + +The default pixel format was setup as pointing to a specific offset in +the vpe_formats table assuming it was pointing to the V4L2_PIX_FMT_YUYV +entry. This became false after the addition on the NV21 format (see +above commid-id) + +So instead of hard-coding an offset which might change over time we need +to use a lookup helper instead so we know the default will always be what +we intended. + +Signed-off-by: Benoit Parrot +Fixes: 40cc823f7005 ("media: ti-vpe: Add support for NV21 format") +Reviewed-by: Tomi Valkeinen +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index 8a5c0d3e733e..a136fb14bf1a 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -2322,7 +2322,7 @@ static int vpe_open(struct file *file) + v4l2_ctrl_handler_setup(hdl); + + s_q_data = &ctx->q_data[Q_DATA_SRC]; +- s_q_data->fmt = &vpe_formats[2]; ++ s_q_data->fmt = __find_format(V4L2_PIX_FMT_YUYV); + s_q_data->width = 1920; + s_q_data->height = 1080; + s_q_data->nplanes = 1; +-- +2.20.1 + diff --git a/queue-4.14/media-v4l2-core-fix-touch-support-in-v4l_g_fmt.patch b/queue-4.14/media-v4l2-core-fix-touch-support-in-v4l_g_fmt.patch new file mode 100644 index 00000000000..72bfb7f083c --- /dev/null +++ b/queue-4.14/media-v4l2-core-fix-touch-support-in-v4l_g_fmt.patch @@ -0,0 +1,87 @@ +From a6e8abb0900b49798e26fef6613b387bad0e79b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 04:51:40 -0300 +Subject: media: v4l2-core: fix touch support in v4l_g_fmt + +From: Vandana BN + +[ Upstream commit 545b618cfb5cadacd00c25066b9a36540e5ca9e9 ] + +v4l_s_fmt, for VFL_TYPE_TOUCH, sets unneeded members of +the v4l2_pix_format structure to default values.This was +missing in v4l_g_fmt, which would lead to failures in +v4l2-compliance tests. + +Signed-off-by: Vandana BN +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-ioctl.c | 33 +++++++++++++++------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c +index 681eef972e63..7cafc8a57950 100644 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -1363,10 +1363,26 @@ static int v4l_enum_fmt(const struct v4l2_ioctl_ops *ops, + return ret; + } + ++static void v4l_pix_format_touch(struct v4l2_pix_format *p) ++{ ++ /* ++ * The v4l2_pix_format structure contains fields that make no sense for ++ * touch. Set them to default values in this case. ++ */ ++ ++ p->field = V4L2_FIELD_NONE; ++ p->colorspace = V4L2_COLORSPACE_RAW; ++ p->flags = 0; ++ p->ycbcr_enc = 0; ++ p->quantization = 0; ++ p->xfer_func = 0; ++} ++ + static int v4l_g_fmt(const struct v4l2_ioctl_ops *ops, + struct file *file, void *fh, void *arg) + { + struct v4l2_format *p = arg; ++ struct video_device *vfd = video_devdata(file); + int ret = check_fmt(file, p->type); + + if (ret) +@@ -1404,6 +1420,8 @@ static int v4l_g_fmt(const struct v4l2_ioctl_ops *ops, + ret = ops->vidioc_g_fmt_vid_cap(file, fh, arg); + /* just in case the driver zeroed it again */ + p->fmt.pix.priv = V4L2_PIX_FMT_PRIV_MAGIC; ++ if (vfd->vfl_type == VFL_TYPE_TOUCH) ++ v4l_pix_format_touch(&p->fmt.pix); + return ret; + case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE: + return ops->vidioc_g_fmt_vid_cap_mplane(file, fh, arg); +@@ -1439,21 +1457,6 @@ static int v4l_g_fmt(const struct v4l2_ioctl_ops *ops, + return -EINVAL; + } + +-static void v4l_pix_format_touch(struct v4l2_pix_format *p) +-{ +- /* +- * The v4l2_pix_format structure contains fields that make no sense for +- * touch. Set them to default values in this case. +- */ +- +- p->field = V4L2_FIELD_NONE; +- p->colorspace = V4L2_COLORSPACE_RAW; +- p->flags = 0; +- p->ycbcr_enc = 0; +- p->quantization = 0; +- p->xfer_func = 0; +-} +- + static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops, + struct file *file, void *fh, void *arg) + { +-- +2.20.1 + diff --git a/queue-4.14/media-venus-core-fix-msm8996-frequency-table.patch b/queue-4.14/media-venus-core-fix-msm8996-frequency-table.patch new file mode 100644 index 00000000000..a68686cc465 --- /dev/null +++ b/queue-4.14/media-venus-core-fix-msm8996-frequency-table.patch @@ -0,0 +1,62 @@ +From 336c10469d1f8e731a311c7b06b1f675c3178f3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2019 11:45:59 -0300 +Subject: media: venus: core: Fix msm8996 frequency table + +From: Loic Poulain + +[ Upstream commit c690435ed07901737e5c007a65ec59f53b33eb71 ] + +In downstream driver, there are two frequency tables defined, +one for the encoder and one for the decoder: + +/* Encoders / +<972000 490000000 0x55555555>, / 4k UHD @ 30 / +<489600 320000000 0x55555555>, / 1080p @ 60 / +<244800 150000000 0x55555555>, / 1080p @ 30 / +<108000 75000000 0x55555555>, / 720p @ 30 */ + +/* Decoders / +<1944000 490000000 0xffffffff>, / 4k UHD @ 60 / +< 972000 320000000 0xffffffff>, / 4k UHD @ 30 / +< 489600 150000000 0xffffffff>, / 1080p @ 60 / +< 244800 75000000 0xffffffff>; / 1080p @ 30 */ + +It shows that encoder always needs a higher clock than decoder. + +In current venus driver, the unified frequency table is aligned +with the downstream decoder table which causes performance issues +in encoding scenarios. Fix that by aligning frequency table on +worst case (encoding). + +Signed-off-by: Loic Poulain +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index 769e9e68562d..9360b36b82cd 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -345,10 +345,11 @@ static const struct venus_resources msm8916_res = { + }; + + static const struct freq_tbl msm8996_freq_table[] = { +- { 1944000, 490000000 }, /* 4k UHD @ 60 */ +- { 972000, 320000000 }, /* 4k UHD @ 30 */ +- { 489600, 150000000 }, /* 1080p @ 60 */ +- { 244800, 75000000 }, /* 1080p @ 30 */ ++ { 1944000, 520000000 }, /* 4k UHD @ 60 (decode only) */ ++ { 972000, 520000000 }, /* 4k UHD @ 30 */ ++ { 489600, 346666667 }, /* 1080p @ 60 */ ++ { 244800, 150000000 }, /* 1080p @ 30 */ ++ { 108000, 75000000 }, /* 720p @ 30 */ + }; + + static const struct reg_val msm8996_reg_preset[] = { +-- +2.20.1 + diff --git a/queue-4.14/mips-fix-build-when-48-bits-virtual-memory-is-enable.patch b/queue-4.14/mips-fix-build-when-48-bits-virtual-memory-is-enable.patch new file mode 100644 index 00000000000..5a5924a4b9e --- /dev/null +++ b/queue-4.14/mips-fix-build-when-48-bits-virtual-memory-is-enable.patch @@ -0,0 +1,81 @@ +From 49db2c7dfefe28b67b0b5584dd2c758def199311 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 18:21:31 +0200 +Subject: mips: fix build when "48 bits virtual memory" is enabled + +From: Mike Rapoport + +[ Upstream commit 3ed6751bb8fa89c3014399bb0414348499ee202a ] + +With CONFIG_MIPS_VA_BITS_48=y the build fails miserably: + + CC arch/mips/kernel/asm-offsets.s +In file included from arch/mips/include/asm/pgtable.h:644, + from include/linux/mm.h:99, + from arch/mips/kernel/asm-offsets.c:15: +include/asm-generic/pgtable.h:16:2: error: #error CONFIG_PGTABLE_LEVELS is not consistent with __PAGETABLE_{P4D,PUD,PMD}_FOLDED + #error CONFIG_PGTABLE_LEVELS is not consistent with __PAGETABLE_{P4D,PUD,PMD}_FOLDED + ^~~~~ +include/asm-generic/pgtable.h:390:28: error: unknown type name 'p4d_t'; did you mean 'pmd_t'? + static inline int p4d_same(p4d_t p4d_a, p4d_t p4d_b) + ^~~~~ + pmd_t + +[ ... more such errors ... ] + +scripts/Makefile.build:99: recipe for target 'arch/mips/kernel/asm-offsets.s' failed +make[2]: *** [arch/mips/kernel/asm-offsets.s] Error 1 + +This happens because when CONFIG_MIPS_VA_BITS_48 enables 4th level of the +page tables, but neither pgtable-nop4d.h nor 5level-fixup.h are included to +cope with the 5th level. + +Replace #ifdef conditions around includes of the pgtable-nop{m,u}d.h with +explicit CONFIG_PGTABLE_LEVELS and add include of 5level-fixup.h for the +case when CONFIG_PGTABLE_LEVELS==4 + +Signed-off-by: Mike Rapoport +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: linux-mm@kvack.org +Cc: Mike Rapoport +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/pgtable-64.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h +index a2252c2a9ded..d0b9912fb63f 100644 +--- a/arch/mips/include/asm/pgtable-64.h ++++ b/arch/mips/include/asm/pgtable-64.h +@@ -18,10 +18,12 @@ + #include + + #define __ARCH_USE_5LEVEL_HACK +-#if defined(CONFIG_PAGE_SIZE_64KB) && !defined(CONFIG_MIPS_VA_BITS_48) ++#if CONFIG_PGTABLE_LEVELS == 2 + #include +-#elif !(defined(CONFIG_PAGE_SIZE_4KB) && defined(CONFIG_MIPS_VA_BITS_48)) ++#elif CONFIG_PGTABLE_LEVELS == 3 + #include ++#else ++#include + #endif + + /* +@@ -222,6 +224,9 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd) + return pgd_val(pgd); + } + ++#define pgd_phys(pgd) virt_to_phys((void *)pgd_val(pgd)) ++#define pgd_page(pgd) (pfn_to_page(pgd_phys(pgd) >> PAGE_SHIFT)) ++ + static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address) + { + return (pud_t *)pgd_page_vaddr(*pgd) + pud_index(address); +-- +2.20.1 + diff --git a/queue-4.14/mmc-tmio-add-mmc_cap_erase-to-allow-erase-discard-tr.patch b/queue-4.14/mmc-tmio-add-mmc_cap_erase-to-allow-erase-discard-tr.patch new file mode 100644 index 00000000000..f7a3c1ae8a6 --- /dev/null +++ b/queue-4.14/mmc-tmio-add-mmc_cap_erase-to-allow-erase-discard-tr.patch @@ -0,0 +1,73 @@ +From 2f4fe59196314c522e8bc7a25ad098fbecf5893f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 14:44:30 +0100 +Subject: mmc: tmio: Add MMC_CAP_ERASE to allow erase/discard/trim requests + +From: Eugeniu Rosca + +[ Upstream commit c91843463e9e821dc3b48fe37e3155fa38299f6e ] + +Isolated initially to renesas_sdhi_internal_dmac [1], Ulf suggested +adding MMC_CAP_ERASE to the TMIO mmc core: + +On Fri, Nov 15, 2019 at 10:27:25AM +0100, Ulf Hansson wrote: + -- snip -- + This test and due to the discussions with Wolfram and you in this + thread, I would actually suggest that you enable MMC_CAP_ERASE for all + tmio variants, rather than just for this particular one. + + In other words, set the cap in tmio_mmc_host_probe() should be fine, + as it seems none of the tmio variants supports HW busy detection at + this point. + -- snip -- + +Testing on R-Car H3ULCB-KF doesn't reveal any issues (v5.4-rc7): + +root@rcar-gen3:~# lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT +mmcblk0 179:0 0 59.2G 0 disk <--- eMMC +mmcblk0boot0 179:8 0 4M 1 disk +mmcblk0boot1 179:16 0 4M 1 disk +mmcblk1 179:24 0 30G 0 disk <--- SD card + +root@rcar-gen3:~# time blkdiscard /dev/mmcblk0 +real 0m8.659s +user 0m0.001s +sys 0m1.920s + +root@rcar-gen3:~# time blkdiscard /dev/mmcblk1 +real 0m1.176s +user 0m0.001s +sys 0m0.124s + +[1] https://lore.kernel.org/linux-renesas-soc/20191112134808.23546-1-erosca@de.adit-jv.com/ + +Cc: Wolfram Sang +Cc: Masahiro Yamada +Cc: Andrew Gabbasov +Originally-by: Harish Jenny K N +Suggested-by: Ulf Hansson +Signed-off-by: Eugeniu Rosca +Reviewed-by: Wolfram Sang +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/tmio_mmc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/tmio_mmc_core.c b/drivers/mmc/host/tmio_mmc_core.c +index 2fd862dc9770..a09aad9155a5 100644 +--- a/drivers/mmc/host/tmio_mmc_core.c ++++ b/drivers/mmc/host/tmio_mmc_core.c +@@ -1220,7 +1220,7 @@ int tmio_mmc_host_probe(struct tmio_mmc_host *_host, + _host->start_signal_voltage_switch; + mmc->ops = &tmio_mmc_ops; + +- mmc->caps |= MMC_CAP_4_BIT_DATA | pdata->capabilities; ++ mmc->caps |= MMC_CAP_ERASE | MMC_CAP_4_BIT_DATA | pdata->capabilities; + mmc->caps2 |= pdata->capabilities2; + mmc->max_segs = pdata->max_segs ? : 32; + mmc->max_blk_size = 512; +-- +2.20.1 + diff --git a/queue-4.14/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_init_ev.patch b/queue-4.14/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_init_ev.patch new file mode 100644 index 00000000000..47a17158c19 --- /dev/null +++ b/queue-4.14/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_init_ev.patch @@ -0,0 +1,42 @@ +From 2c84577043a0328cf34639d4df260dacc62af5b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 15:16:48 -0500 +Subject: mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring + +From: Navid Emamdoost + +[ Upstream commit d10dcb615c8e29d403a24d35f8310a7a53e3050c ] + +In mwifiex_pcie_init_evt_ring, a new skb is allocated which should be +released if mwifiex_map_pci_memory() fails. The release for skb and +card->evtbd_ring_vbase is added. + +Fixes: 0732484b47b5 ("mwifiex: separate ring initialization and ring creation routines") +Signed-off-by: Navid Emamdoost +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/pcie.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c +index 9511f5fe62f4..9d0d790a1319 100644 +--- a/drivers/net/wireless/marvell/mwifiex/pcie.c ++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c +@@ -677,8 +677,11 @@ static int mwifiex_pcie_init_evt_ring(struct mwifiex_adapter *adapter) + skb_put(skb, MAX_EVENT_SIZE); + + if (mwifiex_map_pci_memory(adapter, skb, MAX_EVENT_SIZE, +- PCI_DMA_FROMDEVICE)) ++ PCI_DMA_FROMDEVICE)) { ++ kfree_skb(skb); ++ kfree(card->evtbd_ring_vbase); + return -1; ++ } + + buf_pa = MWIFIEX_SKB_DMA_ADDR(skb); + +-- +2.20.1 + diff --git a/queue-4.14/net-dsa-lan9303-select-regmap-when-lan9303-enable.patch b/queue-4.14/net-dsa-lan9303-select-regmap-when-lan9303-enable.patch new file mode 100644 index 00000000000..8c4cc863320 --- /dev/null +++ b/queue-4.14/net-dsa-lan9303-select-regmap-when-lan9303-enable.patch @@ -0,0 +1,43 @@ +From 0468a72a54520bc4ddc29f1131ee4a87d88a7ce2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Oct 2019 10:21:39 +0800 +Subject: net: dsa: LAN9303: select REGMAP when LAN9303 enable + +From: Mao Wenan + +[ Upstream commit b6989d248a2d13f02895bae1a9321b3bbccc0283 ] + +When NET_DSA_SMSC_LAN9303=y and NET_DSA_SMSC_LAN9303_MDIO=y, +below errors can be seen: +drivers/net/dsa/lan9303_mdio.c:87:23: error: REGMAP_ENDIAN_LITTLE +undeclared here (not in a function) + .reg_format_endian = REGMAP_ENDIAN_LITTLE, +drivers/net/dsa/lan9303_mdio.c:93:3: error: const struct regmap_config +has no member named reg_read + .reg_read = lan9303_mdio_read, + +It should select REGMAP in config NET_DSA_SMSC_LAN9303. + +Fixes: dc7005831523 ("net: dsa: LAN9303: add MDIO managed mode support") +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/dsa/Kconfig b/drivers/net/dsa/Kconfig +index 83a9bc892a3b..6ae13f2419e3 100644 +--- a/drivers/net/dsa/Kconfig ++++ b/drivers/net/dsa/Kconfig +@@ -55,6 +55,7 @@ config NET_DSA_QCA8K + config NET_DSA_SMSC_LAN9303 + tristate + select NET_DSA_TAG_LAN9303 ++ select REGMAP + ---help--- + This enables support for the SMSC/Microchip LAN9303 3 port ethernet + switch chips. +-- +2.20.1 + diff --git a/queue-4.14/net-phy-dp83867-enable-robust-auto-mdix.patch b/queue-4.14/net-phy-dp83867-enable-robust-auto-mdix.patch new file mode 100644 index 00000000000..6428cbb2eec --- /dev/null +++ b/queue-4.14/net-phy-dp83867-enable-robust-auto-mdix.patch @@ -0,0 +1,69 @@ +From b967f341bde2a2b42c78074083e8ba42cd502e9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 17:48:45 +0300 +Subject: net: phy: dp83867: enable robust auto-mdix + +From: Grygorii Strashko + +[ Upstream commit 5a7f08c2abb0efc9d17aff2fc75d6d3b85e622e4 ] + +The link detection timeouts can be observed (or link might not be detected +at all) when dp83867 PHY is configured in manual mode (speed/duplex). + +CFG3[9] Robust Auto-MDIX option allows to significantly improve link detection +in case dp83867 is configured in manual mode and reduce link detection +time. +As per DM: "If link partners are configured to operational modes that are +not supported by normal Auto MDI/MDIX mode (like Auto-Neg versus Force +100Base-TX or Force 100Base-TX versus Force 100Base-TX), this Robust Auto +MDI/MDIX mode allows MDI/MDIX resolution and prevents deadlock." + +Hence, enable this option by default as there are no known reasons +not to do so. + +Signed-off-by: Grygorii Strashko +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83867.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c +index e03e91d5f1b1..0cbcced0870e 100644 +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -84,6 +84,10 @@ + #define DP83867_IO_MUX_CFG_IO_IMPEDANCE_MAX 0x0 + #define DP83867_IO_MUX_CFG_IO_IMPEDANCE_MIN 0x1f + ++/* CFG3 bits */ ++#define DP83867_CFG3_INT_OE BIT(7) ++#define DP83867_CFG3_ROBUST_AUTO_MDIX BIT(9) ++ + /* CFG4 bits */ + #define DP83867_CFG4_PORT_MIRROR_EN BIT(0) + +@@ -320,12 +324,13 @@ static int dp83867_config_init(struct phy_device *phydev) + return ret; + } + ++ val = phy_read(phydev, DP83867_CFG3); + /* Enable Interrupt output INT_OE in CFG3 register */ +- if (phy_interrupt_is_valid(phydev)) { +- val = phy_read(phydev, DP83867_CFG3); +- val |= BIT(7); +- phy_write(phydev, DP83867_CFG3, val); +- } ++ if (phy_interrupt_is_valid(phydev)) ++ val |= DP83867_CFG3_INT_OE; ++ ++ val |= DP83867_CFG3_ROBUST_AUTO_MDIX; ++ phy_write(phydev, DP83867_CFG3, val); + + if (dp83867->port_mirroring != DP83867_PORT_MIRROING_KEEP) + dp83867_config_port_mirroring(phydev); +-- +2.20.1 + diff --git a/queue-4.14/net-phy-initialise-phydev-speed-and-duplex-sanely.patch b/queue-4.14/net-phy-initialise-phydev-speed-and-duplex-sanely.patch new file mode 100644 index 00000000000..2ed860161c9 --- /dev/null +++ b/queue-4.14/net-phy-initialise-phydev-speed-and-duplex-sanely.patch @@ -0,0 +1,46 @@ +From ec698a0bbc9831446be313016d08a31b98f55f64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2019 15:23:23 +0000 +Subject: net: phy: initialise phydev speed and duplex sanely + +From: Russell King + +[ Upstream commit a5d66f810061e2dd70fb7a108dcd14e535bc639f ] + +When a phydev is created, the speed and duplex are set to zero and +-1 respectively, rather than using the predefined SPEED_UNKNOWN and +DUPLEX_UNKNOWN constants. + +There is a window at initialisation time where we may report link +down using the 0/-1 values. Tidy this up and use the predefined +constants, so debug doesn't complain with: + +"Unsupported (update phy-core.c)/Unsupported (update phy-core.c)" + +when the speed and duplex settings are printed. + +Signed-off-by: Russell King +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index ed7e3c70b511..a98c227a4c2e 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -367,8 +367,8 @@ struct phy_device *phy_device_create(struct mii_bus *bus, int addr, int phy_id, + mdiodev->device_free = phy_mdio_device_free; + mdiodev->device_remove = phy_mdio_device_remove; + +- dev->speed = 0; +- dev->duplex = -1; ++ dev->speed = SPEED_UNKNOWN; ++ dev->duplex = DUPLEX_UNKNOWN; + dev->pause = 0; + dev->asym_pause = 0; + dev->link = 1; +-- +2.20.1 + diff --git a/queue-4.14/parport-load-lowlevel-driver-if-ports-not-found.patch b/queue-4.14/parport-load-lowlevel-driver-if-ports-not-found.patch new file mode 100644 index 00000000000..c7c4d784724 --- /dev/null +++ b/queue-4.14/parport-load-lowlevel-driver-if-ports-not-found.patch @@ -0,0 +1,72 @@ +From 90a829a26569238424fd5eb4efe467d3e0c55f9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 15:45:39 +0100 +Subject: parport: load lowlevel driver if ports not found + +From: Sudip Mukherjee + +[ Upstream commit 231ec2f24dad18d021b361045bbd618ba62a274e ] + +Usually all the distro will load the parport low level driver as part +of their initialization. But we can get into a situation where all the +parallel port drivers are built as module and we unload all the modules +at a later time. Then if we just do "modprobe parport" it will only +load the parport module and will not load the low level driver which +will actually register the ports. So, check the bus if there is any +parport registered, if not, load the low level driver. + +We can get into the above situation with all distro but only Suse has +setup the alias for "parport_lowlevel" and so it only works in Suse. +Users of Debian based distro will need to load the lowlevel module +manually. + +Signed-off-by: Sudip Mukherjee +Link: https://lore.kernel.org/r/20191016144540.18810-3-sudipm.mukherjee@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/parport/share.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/drivers/parport/share.c b/drivers/parport/share.c +index 7b4ee33c1935..15c81cffd2de 100644 +--- a/drivers/parport/share.c ++++ b/drivers/parport/share.c +@@ -230,6 +230,18 @@ static int port_check(struct device *dev, void *dev_drv) + return 0; + } + ++/* ++ * Iterates through all the devices connected to the bus and return 1 ++ * if the device is a parallel port. ++ */ ++ ++static int port_detect(struct device *dev, void *dev_drv) ++{ ++ if (is_parport(dev)) ++ return 1; ++ return 0; ++} ++ + /** + * parport_register_driver - register a parallel port device driver + * @drv: structure describing the driver +@@ -282,6 +294,15 @@ int __parport_register_driver(struct parport_driver *drv, struct module *owner, + if (ret) + return ret; + ++ /* ++ * check if bus has any parallel port registered, if ++ * none is found then load the lowlevel driver. ++ */ ++ ret = bus_for_each_dev(&parport_bus_type, NULL, NULL, ++ port_detect); ++ if (!ret) ++ get_lowlevel_driver(); ++ + mutex_lock(®istration_lock); + if (drv->match_port) + bus_for_each_dev(&parport_bus_type, NULL, drv, +-- +2.20.1 + diff --git a/queue-4.14/perf-intel-bts-does-not-support-aux-area-sampling.patch b/queue-4.14/perf-intel-bts-does-not-support-aux-area-sampling.patch new file mode 100644 index 00000000000..e3e807e471f --- /dev/null +++ b/queue-4.14/perf-intel-bts-does-not-support-aux-area-sampling.patch @@ -0,0 +1,54 @@ +From ba31959805882904861c4fb23ea621b52d0ae907 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 14:42:25 +0200 +Subject: perf intel-bts: Does not support AUX area sampling + +From: Adrian Hunter + +[ Upstream commit 32a1ece4bdbde24734ab16484bad7316f03fc42d ] + +Add an error message because Intel BTS does not support AUX area +sampling. + +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Link: http://lore.kernel.org/lkml/20191115124225.5247-16-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/auxtrace.c | 2 ++ + tools/perf/arch/x86/util/intel-bts.c | 5 +++++ + 2 files changed, 7 insertions(+) + +diff --git a/tools/perf/arch/x86/util/auxtrace.c b/tools/perf/arch/x86/util/auxtrace.c +index 6aa3f2a38321..98db6f5ca08b 100644 +--- a/tools/perf/arch/x86/util/auxtrace.c ++++ b/tools/perf/arch/x86/util/auxtrace.c +@@ -36,6 +36,8 @@ struct auxtrace_record *auxtrace_record__init_intel(struct perf_evlist *evlist, + + intel_pt_pmu = perf_pmu__find(INTEL_PT_PMU_NAME); + intel_bts_pmu = perf_pmu__find(INTEL_BTS_PMU_NAME); ++ if (intel_bts_pmu) ++ intel_bts_pmu->auxtrace = true; + + if (evlist) { + evlist__for_each_entry(evlist, evsel) { +diff --git a/tools/perf/arch/x86/util/intel-bts.c b/tools/perf/arch/x86/util/intel-bts.c +index 781df40b2966..b6120ef8b4a4 100644 +--- a/tools/perf/arch/x86/util/intel-bts.c ++++ b/tools/perf/arch/x86/util/intel-bts.c +@@ -118,6 +118,11 @@ static int intel_bts_recording_options(struct auxtrace_record *itr, + const struct cpu_map *cpus = evlist->cpus; + bool privileged = geteuid() == 0 || perf_event_paranoid() < 0; + ++ if (opts->auxtrace_sample_mode) { ++ pr_err("Intel BTS does not support AUX area sampling\n"); ++ return -EINVAL; ++ } ++ + btsr->evlist = evlist; + btsr->snapshot_mode = opts->auxtrace_snapshot_mode; + +-- +2.20.1 + diff --git a/queue-4.14/perf-parse-fix-potential-memory-leak-when-handling-t.patch b/queue-4.14/perf-parse-fix-potential-memory-leak-when-handling-t.patch new file mode 100644 index 00000000000..5462da88305 --- /dev/null +++ b/queue-4.14/perf-parse-fix-potential-memory-leak-when-handling-t.patch @@ -0,0 +1,85 @@ +From e9dcd4f57568ed3a4198a56fb739f2ec87dcc87b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2019 10:09:25 -0800 +Subject: perf parse: Fix potential memory leak when handling tracepoint errors + +From: Ian Rogers + +[ Upstream commit 4584f084aa9d8033d5911935837dbee7b082d0e9 ] + +An error may be in place when tracepoint_error is called, use +parse_events__handle_error to avoid a memory leak and to capture the +first and last error. Error detected by LLVM's libFuzzer using the +following event: + +$ perf stat -e 'msr/event/,f:e' +event syntax error: 'msr/event/,f:e' + \___ can't access trace events + +Error: No permissions to read /sys/kernel/debug/tracing/events/f/e +Hint: Try 'sudo mount -o remount,mode=755 /sys/kernel/debug/tracing/' + +Initial error: +event syntax error: 'msr/event/,f:e' + \___ no value assigned for term +Run 'perf list' for a list of valid events + + Usage: perf stat [] [] + + -e, --event event selector. use 'perf list' to list available events + +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: clang-built-linux@googlegroups.com +Link: http://lore.kernel.org/lkml/20191120180925.21787-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/parse-events.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index 096c52f296d7..6a9ae16cd098 100644 +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -451,6 +451,7 @@ int parse_events_add_cache(struct list_head *list, int *idx, + static void tracepoint_error(struct parse_events_error *e, int err, + const char *sys, const char *name) + { ++ const char *str; + char help[BUFSIZ]; + + if (!e) +@@ -464,18 +465,18 @@ static void tracepoint_error(struct parse_events_error *e, int err, + + switch (err) { + case EACCES: +- e->str = strdup("can't access trace events"); ++ str = "can't access trace events"; + break; + case ENOENT: +- e->str = strdup("unknown tracepoint"); ++ str = "unknown tracepoint"; + break; + default: +- e->str = strdup("failed to add tracepoint"); ++ str = "failed to add tracepoint"; + break; + } + + tracing_path__strerror_open_tp(err, help, sizeof(help), sys, name); +- e->help = strdup(help); ++ parse_events__handle_error(e, 0, strdup(str), strdup(help)); + } + + static int add_tracepoint(struct list_head *list, int *idx, +-- +2.20.1 + diff --git a/queue-4.14/perf-parse-if-pmu-configuration-fails-free-terms.patch b/queue-4.14/perf-parse-if-pmu-configuration-fails-free-terms.patch new file mode 100644 index 00000000000..56552ca46c1 --- /dev/null +++ b/queue-4.14/perf-parse-if-pmu-configuration-fails-free-terms.patch @@ -0,0 +1,62 @@ +From 3e365d3b884798302f2f130ad5b58e312bdfdb9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2019 15:34:46 -0700 +Subject: perf parse: If pmu configuration fails free terms + +From: Ian Rogers + +[ Upstream commit 38f2c4226e6bc3e8c41c318242821ba5dc825aba ] + +Avoid a memory leak when the configuration fails. + +Signed-off-by: Ian Rogers +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexei Starovoitov +Cc: Andi Kleen +Cc: Daniel Borkmann +Cc: Jin Yao +Cc: John Garry +Cc: Kan Liang +Cc: Mark Rutland +Cc: Martin KaFai Lau +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Cc: Yonghong Song +Cc: bpf@vger.kernel.org +Cc: clang-built-linux@googlegroups.com +Cc: netdev@vger.kernel.org +Link: http://lore.kernel.org/lkml/20191030223448.12930-9-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/parse-events.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index 29e2bb304168..096c52f296d7 100644 +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -1253,8 +1253,15 @@ static int __parse_events_add_pmu(struct parse_events_state *parse_state, + if (get_config_terms(head_config, &config_terms)) + return -ENOMEM; + +- if (perf_pmu__config(pmu, &attr, head_config, parse_state->error)) ++ if (perf_pmu__config(pmu, &attr, head_config, parse_state->error)) { ++ struct perf_evsel_config_term *pos, *tmp; ++ ++ list_for_each_entry_safe(pos, tmp, &config_terms, list) { ++ list_del_init(&pos->list); ++ free(pos); ++ } + return -EINVAL; ++ } + + evsel = __add_event(list, &parse_state->idx, &attr, + get_config_name(head_config), pmu, +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-filter-out-instances-except-for-inlined-s.patch b/queue-4.14/perf-probe-filter-out-instances-except-for-inlined-s.patch new file mode 100644 index 00000000000..d3dd0b9f77a --- /dev/null +++ b/queue-4.14/perf-probe-filter-out-instances-except-for-inlined-s.patch @@ -0,0 +1,122 @@ +From 28eedcfbf4c03db8998b09f0e379539b12eaccc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2019 16:09:30 +0900 +Subject: perf probe: Filter out instances except for inlined subroutine and + subprogram + +From: Masami Hiramatsu + +[ Upstream commit da6cb952a89efe24bb76c4971370d485737a2d85 ] + +Filter out instances except for inlined_subroutine and subprogram DIE in +die_walk_instances() and die_is_func_instance(). + +This fixes an issue that perf probe sets some probes on calling address +instead of a target function itself. + +When perf probe walks on instances of an abstruct origin (a kind of +function prototype of inlined function), die_walk_instances() can also +pass a GNU_call_site (a GNU extension for call site) to callback. Since +it is not an inlined instance of target function, we have to filter out +when searching a probe point. + +Without this patch, perf probe sets probes on call site address too.This +can happen on some function which is marked "inlined", but has actual +symbol. (I'm not sure why GCC mark it "inlined"): + + # perf probe -D vfs_read + p:probe/vfs_read _text+2500017 + p:probe/vfs_read_1 _text+2499468 + p:probe/vfs_read_2 _text+2499563 + p:probe/vfs_read_3 _text+2498876 + p:probe/vfs_read_4 _text+2498512 + p:probe/vfs_read_5 _text+2498627 + +With this patch: + +Slightly different results, similar tho: + + # perf probe -D vfs_read + p:probe/vfs_read _text+2498512 + +Committer testing: + + # uname -a + Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + +Before: + + # perf probe -D vfs_read + p:probe/vfs_read _text+3131557 + p:probe/vfs_read_1 _text+3130975 + p:probe/vfs_read_2 _text+3131047 + p:probe/vfs_read_3 _text+3130380 + p:probe/vfs_read_4 _text+3130000 + # uname -a + Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + # + +After: + + # perf probe -D vfs_read + p:probe/vfs_read _text+3130000 + # + +Fixes: db0d2c6420ee ("perf probe: Search concrete out-of-line instances") +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157241937063.32002.11024544873990816590.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index d48bd5eaa0f2..50903f30289f 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -325,18 +325,22 @@ bool die_is_func_def(Dwarf_Die *dw_die) + * @dw_die: a DIE + * + * Ensure that this DIE is an instance (which has an entry address). +- * This returns true if @dw_die is a function instance. If not, you need to +- * call die_walk_instances() to find actual instances. ++ * This returns true if @dw_die is a function instance. If not, the @dw_die ++ * must be a prototype. You can use die_walk_instances() to find actual ++ * instances. + **/ + bool die_is_func_instance(Dwarf_Die *dw_die) + { + Dwarf_Addr tmp; + Dwarf_Attribute attr_mem; ++ int tag = dwarf_tag(dw_die); + +- /* Actually gcc optimizes non-inline as like as inlined */ +- return !dwarf_func_inline(dw_die) && +- (dwarf_entrypc(dw_die, &tmp) == 0 || +- dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL); ++ if (tag != DW_TAG_subprogram && ++ tag != DW_TAG_inlined_subroutine) ++ return false; ++ ++ return dwarf_entrypc(dw_die, &tmp) == 0 || ++ dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL; + } + + /** +@@ -615,6 +619,9 @@ static int __die_walk_instances_cb(Dwarf_Die *inst, void *data) + Dwarf_Die *origin; + int tmp; + ++ if (!die_is_func_instance(inst)) ++ return DIE_FIND_CB_CONTINUE; ++ + attr = dwarf_attr(inst, DW_AT_abstract_origin, &attr_mem); + if (attr == NULL) + return DIE_FIND_CB_CONTINUE; +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-fix-to-find-range-only-function-instance.patch b/queue-4.14/perf-probe-fix-to-find-range-only-function-instance.patch new file mode 100644 index 00000000000..4e07940cc4e --- /dev/null +++ b/queue-4.14/perf-probe-fix-to-find-range-only-function-instance.patch @@ -0,0 +1,50 @@ +From 9676bcf20c755c9908722fc646ade945e72c43d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 18:12:36 +0900 +Subject: perf probe: Fix to find range-only function instance + +From: Masami Hiramatsu + +[ Upstream commit b77afa1f810f37bd8a36cb1318178dfe2d7af6b6 ] + +Fix die_is_func_instance() to find range-only function instance. + +In some case, a function instance can be made without any low PC or +entry PC, but only with address ranges by optimization. (e.g. cold text +partially in "text.unlikely" section) To find such function instance, we +have to check the range attribute too. + +Fixes: e1ecbbc3fa83 ("perf probe: Fix to handle optimized not-inlined functions") +Signed-off-by: Masami Hiramatsu +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157190835669.1859.8368628035930950596.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index f5acda13dcfa..bc52b3840706 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -331,10 +331,14 @@ bool die_is_func_def(Dwarf_Die *dw_die) + bool die_is_func_instance(Dwarf_Die *dw_die) + { + Dwarf_Addr tmp; ++ Dwarf_Attribute attr_mem; + + /* Actually gcc optimizes non-inline as like as inlined */ +- return !dwarf_func_inline(dw_die) && dwarf_entrypc(dw_die, &tmp) == 0; ++ return !dwarf_func_inline(dw_die) && ++ (dwarf_entrypc(dw_die, &tmp) == 0 || ++ dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL); + } ++ + /** + * die_get_data_member_location - Get the data-member offset + * @mb_die: a DIE of a member of a data structure +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-fix-to-list-probe-event-with-correct-line.patch b/queue-4.14/perf-probe-fix-to-list-probe-event-with-correct-line.patch new file mode 100644 index 00000000000..cc0098dd1e9 --- /dev/null +++ b/queue-4.14/perf-probe-fix-to-list-probe-event-with-correct-line.patch @@ -0,0 +1,78 @@ +From fde14b2dfd478b0552e647103a43082773eb573e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 17:46:52 +0900 +Subject: perf probe: Fix to list probe event with correct line number + +From: Masami Hiramatsu + +[ Upstream commit 3895534dd78f0fd4d3f9e05ee52b9cdd444a743e ] + +Since debuginfo__find_probe_point() uses dwarf_entrypc() for finding the +entry address of the function on which a probe is, it will fail when the +function DIE has only ranges attribute. + +To fix this issue, use die_entrypc() instead of dwarf_entrypc(). + +Without this fix, perf probe -l shows incorrect offset: + + # perf probe -l + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask+18446744071579263632@work/linux/linux/kernel/cpu.c) + probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask+18446744071579263752@work/linux/linux/kernel/cpu.c) + +With this: + + # perf probe -l + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@work/linux/linux/kernel/cpu.c) + probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:21@work/linux/linux/kernel/cpu.c) + +Committer testing: + +Before: + + [root@quaco ~]# perf probe -l + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask+18446744071579765152@kernel/cpu.c) + [root@quaco ~]# + +After: + + [root@quaco ~]# perf probe -l + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c) + [root@quaco ~]# + +Fixes: 1d46ea2a6a40 ("perf probe: Fix listing incorrect line number with inline function") +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157199321227.8075.14655572419136993015.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-finder.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c +index a5731de0e5eb..5fee71e960a6 100644 +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -1570,7 +1570,7 @@ int debuginfo__find_probe_point(struct debuginfo *dbg, unsigned long addr, + /* Get function entry information */ + func = basefunc = dwarf_diename(&spdie); + if (!func || +- dwarf_entrypc(&spdie, &baseaddr) != 0 || ++ die_entrypc(&spdie, &baseaddr) != 0 || + dwarf_decl_line(&spdie, &baseline) != 0) { + lineno = 0; + goto post; +@@ -1587,7 +1587,7 @@ int debuginfo__find_probe_point(struct debuginfo *dbg, unsigned long addr, + while (die_find_top_inlinefunc(&spdie, (Dwarf_Addr)addr, + &indie)) { + /* There is an inline function */ +- if (dwarf_entrypc(&indie, &_addr) == 0 && ++ if (die_entrypc(&indie, &_addr) == 0 && + _addr == addr) { + /* + * addr is at an inline function entry. +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-fix-to-probe-a-function-which-has-no-entr.patch b/queue-4.14/perf-probe-fix-to-probe-a-function-which-has-no-entr.patch new file mode 100644 index 00000000000..4120f58c283 --- /dev/null +++ b/queue-4.14/perf-probe-fix-to-probe-a-function-which-has-no-entr.patch @@ -0,0 +1,96 @@ +From 6f76caf4fc6bb394ef7c7c873830508e5f52878c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 17:46:34 +0900 +Subject: perf probe: Fix to probe a function which has no entry pc + +From: Masami Hiramatsu + +[ Upstream commit 5d16dbcc311d91267ddb45c6da4f187be320ecee ] + +Fix 'perf probe' to probe a function which has no entry pc or low pc but +only has ranges attribute. + +probe_point_search_cb() uses dwarf_entrypc() to get the probe address, +but that doesn't work for the function DIE which has only ranges +attribute. Use die_entrypc() instead. + +Without this fix: + + # perf probe -k ../build-x86_64/vmlinux -D clear_tasks_mm_cpumask:0 + Probe point 'clear_tasks_mm_cpumask' not found. + Error: Failed to add events. + +With this: + + # perf probe -k ../build-x86_64/vmlinux -D clear_tasks_mm_cpumask:0 + p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0 + +Committer testing: + +Before: + + [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0 + Probe point 'clear_tasks_mm_cpumask' not found. + Error: Failed to add events. + [root@quaco ~]# + +After: + + [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0 + Added new event: + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask) + + You can now use it in all perf tools, such as: + + perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1 + + [root@quaco ~]# + +Using it with 'perf trace': + + [root@quaco ~]# perf trace -e probe:clear_tasks_mm_cpumask + +Doesn't seem to be used in x86_64: + + $ find . -name "*.c" | xargs grep clear_tasks_mm_cpumask + ./kernel/cpu.c: * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU + ./kernel/cpu.c:void clear_tasks_mm_cpumask(int cpu) + ./arch/xtensa/kernel/smp.c: clear_tasks_mm_cpumask(cpu); + ./arch/csky/kernel/smp.c: clear_tasks_mm_cpumask(cpu); + ./arch/sh/kernel/smp.c: clear_tasks_mm_cpumask(cpu); + ./arch/arm/kernel/smp.c: clear_tasks_mm_cpumask(cpu); + ./arch/powerpc/mm/nohash/mmu_context.c: clear_tasks_mm_cpumask(cpu); + $ find . -name "*.h" | xargs grep clear_tasks_mm_cpumask + ./include/linux/cpu.h:void clear_tasks_mm_cpumask(int cpu); + $ find . -name "*.S" | xargs grep clear_tasks_mm_cpumask + $ + +Fixes: e1ecbbc3fa83 ("perf probe: Fix to handle optimized not-inlined functions") +Reported-by: Arnaldo Carvalho de Melo +Tested-by: Arnaldo Carvalho de Melo +Signed-off-by: Masami Hiramatsu +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157199319438.8075.4695576954550638618.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-finder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c +index b06b05bd488e..aa6b35726976 100644 +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -1005,7 +1005,7 @@ static int probe_point_search_cb(Dwarf_Die *sp_die, void *data) + param->retval = find_probe_point_by_line(pf); + } else if (die_is_func_instance(sp_die)) { + /* Instances always have the entry address */ +- dwarf_entrypc(sp_die, &pf->addr); ++ die_entrypc(sp_die, &pf->addr); + /* But in some case the entry address is 0 */ + if (pf->addr == 0) { + pr_debug("%s has no entry PC. Skipped\n", +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-fix-to-probe-an-inline-function-which-has.patch b/queue-4.14/perf-probe-fix-to-probe-an-inline-function-which-has.patch new file mode 100644 index 00000000000..553310940b4 --- /dev/null +++ b/queue-4.14/perf-probe-fix-to-probe-an-inline-function-which-has.patch @@ -0,0 +1,72 @@ +From 4e8168c45112fb83a1b062eb430cb1a9a00699aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 17:46:43 +0900 +Subject: perf probe: Fix to probe an inline function which has no entry pc + +From: Masami Hiramatsu + +[ Upstream commit eb6933b29d20bf2c3053883d409a53f462c1a3ac ] + +Fix perf probe to probe an inlne function which has no entry pc +or low pc but only has ranges attribute. + +This seems very rare case, but I could find a few examples, as +same as probe_point_search_cb(), use die_entrypc() to get the +entry address in probe_point_inline_cb() too. + +Without this patch: + + # perf probe -D __amd_put_nb_event_constraints + Failed to get entry address of __amd_put_nb_event_constraints. + Probe point '__amd_put_nb_event_constraints' not found. + Error: Failed to add events. + +With this patch: + + # perf probe -D __amd_put_nb_event_constraints + p:probe/__amd_put_nb_event_constraints amd_put_event_constraints+43 + +Committer testing: + +Before: + + [root@quaco ~]# perf probe -D __amd_put_nb_event_constraints + Failed to get entry address of __amd_put_nb_event_constraints. + Probe point '__amd_put_nb_event_constraints' not found. + Error: Failed to add events. + [root@quaco ~]# + +After: + + [root@quaco ~]# perf probe -D __amd_put_nb_event_constraints + p:probe/__amd_put_nb_event_constraints _text+33789 + [root@quaco ~]# + +Fixes: 4ea42b181434 ("perf: Add perf probe subcommand, a kprobe-event setup helper") +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157199320336.8075.16189530425277588587.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-finder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c +index 5fee71e960a6..b06b05bd488e 100644 +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -953,7 +953,7 @@ static int probe_point_inline_cb(Dwarf_Die *in_die, void *data) + ret = find_probe_point_lazy(in_die, pf); + else { + /* Get probe address */ +- if (dwarf_entrypc(in_die, &addr) != 0) { ++ if (die_entrypc(in_die, &addr) != 0) { + pr_warning("Failed to get entry address of %s.\n", + dwarf_diename(in_die)); + return -ENOENT; +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-fix-to-show-calling-lines-of-inlined-func.patch b/queue-4.14/perf-probe-fix-to-show-calling-lines-of-inlined-func.patch new file mode 100644 index 00000000000..451f1821fd5 --- /dev/null +++ b/queue-4.14/perf-probe-fix-to-show-calling-lines-of-inlined-func.patch @@ -0,0 +1,122 @@ +From 0ec17f739204c558773963c99142e46a86313691 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2019 16:09:40 +0900 +Subject: perf probe: Fix to show calling lines of inlined functions + +From: Masami Hiramatsu + +[ Upstream commit 86c0bf8539e7f46d91bd105e55eda96e0064caef ] + +Fix to show calling lines of inlined functions (where an inline function +is called). + +die_walk_lines() filtered out the lines inside inlined functions based +on the address. However this also filtered out the lines which call +those inlined functions from the target function. + +To solve this issue, check the call_file and call_line attributes and do +not filter out if it matches to the line information. + +Without this fix, perf probe -L doesn't show some lines correctly. +(don't see the lines after 17) + + # perf probe -L vfs_read + + 0 ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) + 1 { + 2 ssize_t ret; + + 4 if (!(file->f_mode & FMODE_READ)) + return -EBADF; + 6 if (!(file->f_mode & FMODE_CAN_READ)) + return -EINVAL; + 8 if (unlikely(!access_ok(buf, count))) + return -EFAULT; + + 11 ret = rw_verify_area(READ, file, pos, count); + 12 if (!ret) { + 13 if (count > MAX_RW_COUNT) + count = MAX_RW_COUNT; + 15 ret = __vfs_read(file, buf, count, pos); + 16 if (ret > 0) { + fsnotify_access(file); + add_rchar(current, ret); + } + +With this fix: + + # perf probe -L vfs_read + + 0 ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) + 1 { + 2 ssize_t ret; + + 4 if (!(file->f_mode & FMODE_READ)) + return -EBADF; + 6 if (!(file->f_mode & FMODE_CAN_READ)) + return -EINVAL; + 8 if (unlikely(!access_ok(buf, count))) + return -EFAULT; + + 11 ret = rw_verify_area(READ, file, pos, count); + 12 if (!ret) { + 13 if (count > MAX_RW_COUNT) + count = MAX_RW_COUNT; + 15 ret = __vfs_read(file, buf, count, pos); + 16 if (ret > 0) { + 17 fsnotify_access(file); + 18 add_rchar(current, ret); + } + 20 inc_syscr(current); + } + +Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface") +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157241937995.32002.17899884017011512577.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index 0a5de865563c..49f9c65f1a9c 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -768,7 +768,7 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data) + Dwarf_Lines *lines; + Dwarf_Line *line; + Dwarf_Addr addr; +- const char *fname, *decf = NULL; ++ const char *fname, *decf = NULL, *inf = NULL; + int lineno, ret = 0; + int decl = 0, inl; + Dwarf_Die die_mem, *cu_die; +@@ -812,13 +812,21 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data) + */ + if (!dwarf_haspc(rt_die, addr)) + continue; ++ + if (die_find_inlinefunc(rt_die, addr, &die_mem)) { ++ /* Call-site check */ ++ inf = die_get_call_file(&die_mem); ++ if ((inf && !strcmp(inf, decf)) && ++ die_get_call_lineno(&die_mem) == lineno) ++ goto found; ++ + dwarf_decl_line(&die_mem, &inl); + if (inl != decl || + decf != dwarf_decl_file(&die_mem)) + continue; + } + } ++found: + /* Get source line */ + fname = dwarf_linesrc(line, NULL, NULL); + +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-fix-to-show-inlined-function-callsite-wit.patch b/queue-4.14/perf-probe-fix-to-show-inlined-function-callsite-wit.patch new file mode 100644 index 00000000000..9c1c558f90d --- /dev/null +++ b/queue-4.14/perf-probe-fix-to-show-inlined-function-callsite-wit.patch @@ -0,0 +1,112 @@ +From c56e8c1cdcfb334861b4c8ca0a30f42e429bcd1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 17:47:01 +0900 +Subject: perf probe: Fix to show inlined function callsite without entry_pc + +From: Masami Hiramatsu + +[ Upstream commit 18e21eb671dc87a4f0546ba505a89ea93598a634 ] + +Fix 'perf probe --line' option to show inlined function callsite lines +even if the function DIE has only ranges. + +Without this: + + # perf probe -L amd_put_event_constraints + ... + 2 { + 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw)) + __amd_put_nb_event_constraints(cpuc, event); + 5 } + +With this patch: + + # perf probe -L amd_put_event_constraints + ... + 2 { + 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw)) + 4 __amd_put_nb_event_constraints(cpuc, event); + 5 } + +Committer testing: + +Before: + + [root@quaco ~]# perf probe -L amd_put_event_constraints + + 0 static void amd_put_event_constraints(struct cpu_hw_events *cpuc, + struct perf_event *event) + 2 { + 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw)) + __amd_put_nb_event_constraints(cpuc, event); + 5 } + + PMU_FORMAT_ATTR(event, "config:0-7,32-35"); + PMU_FORMAT_ATTR(umask, "config:8-15" ); + + [root@quaco ~]# + +After: + + [root@quaco ~]# perf probe -L amd_put_event_constraints + + 0 static void amd_put_event_constraints(struct cpu_hw_events *cpuc, + struct perf_event *event) + 2 { + 3 if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw)) + 4 __amd_put_nb_event_constraints(cpuc, event); + 5 } + + PMU_FORMAT_ATTR(event, "config:0-7,32-35"); + PMU_FORMAT_ATTR(umask, "config:8-15" ); + + [root@quaco ~]# perf probe amd_put_event_constraints:4 + Added new event: + probe:amd_put_event_constraints (on amd_put_event_constraints:4) + + You can now use it in all perf tools, such as: + + perf record -e probe:amd_put_event_constraints -aR sleep 1 + + [root@quaco ~]# + + [root@quaco ~]# perf probe -l + probe:amd_put_event_constraints (on amd_put_event_constraints:4@arch/x86/events/amd/core.c) + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c) + [root@quaco ~]# + +Using it: + + [root@quaco ~]# perf trace -e probe:* + ^C[root@quaco ~]# + +Ok, Intel system here... :-) + +Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface") +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157199322107.8075.12659099000567865708.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index 21c2ed42ad6b..0a5de865563c 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -686,7 +686,7 @@ static int __die_walk_funclines_cb(Dwarf_Die *in_die, void *data) + if (dwarf_tag(in_die) == DW_TAG_inlined_subroutine) { + fname = die_get_call_file(in_die); + lineno = die_get_call_lineno(in_die); +- if (fname && lineno > 0 && dwarf_entrypc(in_die, &addr) == 0) { ++ if (fname && lineno > 0 && die_entrypc(in_die, &addr) == 0) { + lw->retval = lw->callback(fname, lineno, addr, lw->data); + if (lw->retval != 0) + return DIE_FIND_CB_END; +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-fix-to-show-ranges-of-variables-in-functi.patch b/queue-4.14/perf-probe-fix-to-show-ranges-of-variables-in-functi.patch new file mode 100644 index 00000000000..86d88bb39a0 --- /dev/null +++ b/queue-4.14/perf-probe-fix-to-show-ranges-of-variables-in-functi.patch @@ -0,0 +1,98 @@ +From a223f4a0971f28db95364a33e9bf2bb7a7bba211 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 17:47:10 +0900 +Subject: perf probe: Fix to show ranges of variables in functions without + entry_pc + +From: Masami Hiramatsu + +[ Upstream commit af04dd2f8ebaa8fbd46f698714acbf43da14da45 ] + +Fix to show ranges of variables (--range and --vars option) in functions +which DIE has only ranges but no entry_pc attribute. + +Without this fix: + + # perf probe --range -V clear_tasks_mm_cpumask + Available variables at clear_tasks_mm_cpumask + @ + (No matched variables) + +With this fix: + + # perf probe --range -V clear_tasks_mm_cpumask + Available variables at clear_tasks_mm_cpumask + @ + [VAL] int cpu @ + +Committer testing: + +Before: + + [root@quaco ~]# perf probe --range -V clear_tasks_mm_cpumask + Available variables at clear_tasks_mm_cpumask + @ + (No matched variables) + [root@quaco ~]# + +After: + + [root@quaco ~]# perf probe --range -V clear_tasks_mm_cpumask + Available variables at clear_tasks_mm_cpumask + @ + [VAL] int cpu @ + [root@quaco ~]# + +Using it: + + [root@quaco ~]# perf probe clear_tasks_mm_cpumask cpu + Added new event: + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask with cpu) + + You can now use it in all perf tools, such as: + + perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1 + + [root@quaco ~]# perf probe -l + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c with cpu) + [root@quaco ~]# + [root@quaco ~]# perf trace -e probe:*cpumask + ^C[root@quaco ~]# + +Fixes: 349e8d261131 ("perf probe: Add --range option to show a variable's location range") +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157199323018.8075.8179744380479673672.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index e5406e5adb68..21c2ed42ad6b 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -1010,7 +1010,7 @@ static int die_get_var_innermost_scope(Dwarf_Die *sp_die, Dwarf_Die *vr_die, + bool first = true; + const char *name; + +- ret = dwarf_entrypc(sp_die, &entry); ++ ret = die_entrypc(sp_die, &entry); + if (ret) + return ret; + +@@ -1073,7 +1073,7 @@ int die_get_var_range(Dwarf_Die *sp_die, Dwarf_Die *vr_die, struct strbuf *buf) + bool first = true; + const char *name; + +- ret = dwarf_entrypc(sp_die, &entry); ++ ret = die_entrypc(sp_die, &entry); + if (ret) + return ret; + +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-return-a-better-scope-die-if-there-is-no-.patch b/queue-4.14/perf-probe-return-a-better-scope-die-if-there-is-no-.patch new file mode 100644 index 00000000000..c8f91c6dee0 --- /dev/null +++ b/queue-4.14/perf-probe-return-a-better-scope-die-if-there-is-no-.patch @@ -0,0 +1,84 @@ +From 5b214a114c80c3b4ef3aa2fe54b5a7bd499a59f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 09:16:49 +0900 +Subject: perf probe: Return a better scope DIE if there is no best scope + +From: Masami Hiramatsu + +[ Upstream commit c701636aeec4c173208697d68da6e4271125564b ] + +Make find_best_scope() returns innermost DIE at given address if there +is no best matched scope DIE. Since Gcc sometimes generates intuitively +strange line info which is out of inlined function address range, we +need this fixup. + +Without this, sometimes perf probe failed to probe on a line inside an +inlined function: + + # perf probe -D ksys_open:3 + Failed to find scope of probe point. + Error: Failed to add events. + +With this fix, 'perf probe' can probe it: + + # perf probe -D ksys_open:3 + p:probe/ksys_open _text+25707308 + p:probe/ksys_open_1 _text+25710596 + p:probe/ksys_open_2 _text+25711114 + p:probe/ksys_open_3 _text+25711343 + p:probe/ksys_open_4 _text+25714058 + p:probe/ksys_open_5 _text+2819653 + p:probe/ksys_open_6 _text+2819701 + +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Namhyung Kim +Cc: Ravi Bangoria +Cc: Steven Rostedt (VMware) +Cc: Tom Zanussi +Link: http://lore.kernel.org/lkml/157291300887.19771.14936015360963292236.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-finder.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c +index e1d0bbf7735b..30a5e92b67bd 100644 +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -767,6 +767,16 @@ static int find_best_scope_cb(Dwarf_Die *fn_die, void *data) + return 0; + } + ++/* Return innermost DIE */ ++static int find_inner_scope_cb(Dwarf_Die *fn_die, void *data) ++{ ++ struct find_scope_param *fsp = data; ++ ++ memcpy(fsp->die_mem, fn_die, sizeof(Dwarf_Die)); ++ fsp->found = true; ++ return 1; ++} ++ + /* Find an appropriate scope fits to given conditions */ + static Dwarf_Die *find_best_scope(struct probe_finder *pf, Dwarf_Die *die_mem) + { +@@ -778,8 +788,13 @@ static Dwarf_Die *find_best_scope(struct probe_finder *pf, Dwarf_Die *die_mem) + .die_mem = die_mem, + .found = false, + }; ++ int ret; + +- cu_walk_functions_at(&pf->cu_die, pf->addr, find_best_scope_cb, &fsp); ++ ret = cu_walk_functions_at(&pf->cu_die, pf->addr, find_best_scope_cb, ++ &fsp); ++ if (!ret && !fsp.found) ++ cu_walk_functions_at(&pf->cu_die, pf->addr, ++ find_inner_scope_cb, &fsp); + + return fsp.found ? die_mem : NULL; + } +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-skip-end-of-sequence-and-non-statement-li.patch b/queue-4.14/perf-probe-skip-end-of-sequence-and-non-statement-li.patch new file mode 100644 index 00000000000..d96022a4054 --- /dev/null +++ b/queue-4.14/perf-probe-skip-end-of-sequence-and-non-statement-li.patch @@ -0,0 +1,145 @@ +From 91f1fb989286f6f1eac1972ce02f587fab88d2aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2019 16:09:21 +0900 +Subject: perf probe: Skip end-of-sequence and non statement lines +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Masami Hiramatsu + +[ Upstream commit f4d99bdfd124823a81878b44b5e8750b97f73902 ] + +Skip end-of-sequence and non-statement lines while walking through lines +list. + +The "end-of-sequence" line information means: + + "the current address is that of the first byte after the + end of a sequence of target machine instructions." + (DWARF version 4 spec 6.2.2) + +This actually means out of scope and we can not probe on it. + +On the other hand, the statement lines (is_stmt) means: + + "the current instruction is a recommended breakpoint location. + A recommended breakpoint location is intended to “represent” + a line, a statement and/or a semantically distinct subpart + of a statement." + + (DWARF version 4 spec 6.2.2) + +So, non-statement line info also should be skipped. + +These can reduce unneeded probe points and also avoid an error. + +E.g. without this patch: + + # perf probe -a "clear_tasks_mm_cpumask:1" + Added new events: + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1) + probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:1) + probe:clear_tasks_mm_cpumask_2 (on clear_tasks_mm_cpumask:1) + probe:clear_tasks_mm_cpumask_3 (on clear_tasks_mm_cpumask:1) + probe:clear_tasks_mm_cpumask_4 (on clear_tasks_mm_cpumask:1) + + You can now use it in all perf tools, such as: + + perf record -e probe:clear_tasks_mm_cpumask_4 -aR sleep 1 + + # + +This puts 5 probes on one line, but acutally it's not inlined function. +This is because there are many non statement instructions at the +function prologue. + +With this patch: + + # perf probe -a "clear_tasks_mm_cpumask:1" + Added new event: + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1) + + You can now use it in all perf tools, such as: + + perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1 + + # + +Now perf-probe skips unneeded addresses. + +Committer testing: + +Slightly different results, but similar: + +Before: + + # uname -a + Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + # + # perf probe -a "clear_tasks_mm_cpumask:1" + Added new events: + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1) + probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:1) + probe:clear_tasks_mm_cpumask_2 (on clear_tasks_mm_cpumask:1) + + You can now use it in all perf tools, such as: + + perf record -e probe:clear_tasks_mm_cpumask_2 -aR sleep 1 + + # + +After: + + # perf probe -a "clear_tasks_mm_cpumask:1" + Added new event: + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1) + + You can now use it in all perf tools, such as: + + perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1 + + # perf probe -l + probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c) + # + +Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface") +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157241936090.32002.12156347518596111660.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index 49f9c65f1a9c..d48bd5eaa0f2 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -773,6 +773,7 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data) + int decl = 0, inl; + Dwarf_Die die_mem, *cu_die; + size_t nlines, i; ++ bool flag; + + /* Get the CU die */ + if (dwarf_tag(rt_die) != DW_TAG_compile_unit) { +@@ -803,6 +804,12 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data) + "Possible error in debuginfo.\n"); + continue; + } ++ /* Skip end-of-sequence */ ++ if (dwarf_lineendsequence(line, &flag) != 0 || flag) ++ continue; ++ /* Skip Non statement line-info */ ++ if (dwarf_linebeginstatement(line, &flag) != 0 || !flag) ++ continue; + /* Filter lines based on address */ + if (rt_die != cu_die) { + /* +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-skip-overlapped-location-on-searching-var.patch b/queue-4.14/perf-probe-skip-overlapped-location-on-searching-var.patch new file mode 100644 index 00000000000..1e79c1858f0 --- /dev/null +++ b/queue-4.14/perf-probe-skip-overlapped-location-on-searching-var.patch @@ -0,0 +1,104 @@ +From 7aa412a86eeef85d10f28cde9e6a481be0086857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2019 16:09:49 +0900 +Subject: perf probe: Skip overlapped location on searching variables + +From: Masami Hiramatsu + +[ Upstream commit dee36a2abb67c175265d49b9a8c7dfa564463d9a ] + +Since debuginfo__find_probes() callback function can be called with the +location which already passed, the callback function must filter out +such overlapped locations. + +add_probe_trace_event() has already done it by commit 1a375ae7659a +("perf probe: Skip same probe address for a given line"), but +add_available_vars() doesn't. Thus perf probe -v shows same address +repeatedly as below: + + # perf probe -V vfs_read:18 + Available variables at vfs_read:18 + @ + char* buf + loff_t* pos + ssize_t ret + struct file* file + @ + char* buf + loff_t* pos + ssize_t ret + struct file* file + @ + char* buf + loff_t* pos + ssize_t ret + struct file* file + +With this fix, perf probe -V shows it correctly: + + # perf probe -V vfs_read:18 + Available variables at vfs_read:18 + @ + char* buf + loff_t* pos + ssize_t ret + struct file* file + @ + char* buf + loff_t* pos + ssize_t ret + struct file* file + +Fixes: cf6eb489e5c0 ("perf probe: Show accessible local variables") +Signed-off-by: Masami Hiramatsu +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157241938927.32002.4026859017790562751.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-finder.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c +index aa6b35726976..e1d0bbf7735b 100644 +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -1417,6 +1417,18 @@ error: + return DIE_FIND_CB_END; + } + ++static bool available_var_finder_overlap(struct available_var_finder *af) ++{ ++ int i; ++ ++ for (i = 0; i < af->nvls; i++) { ++ if (af->pf.addr == af->vls[i].point.address) ++ return true; ++ } ++ return false; ++ ++} ++ + /* Add a found vars into available variables list */ + static int add_available_vars(Dwarf_Die *sc_die, struct probe_finder *pf) + { +@@ -1427,6 +1439,14 @@ static int add_available_vars(Dwarf_Die *sc_die, struct probe_finder *pf) + Dwarf_Die die_mem; + int ret; + ++ /* ++ * For some reason (e.g. different column assigned to same address), ++ * this callback can be called with the address which already passed. ++ * Ignore it first. ++ */ ++ if (available_var_finder_overlap(af)) ++ return 0; ++ + /* Check number of tevs */ + if (af->nvls == af->max_vls) { + pr_warning("Too many( > %d) probe point found.\n", af->max_vls); +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-walk-function-lines-in-lexical-blocks.patch b/queue-4.14/perf-probe-walk-function-lines-in-lexical-blocks.patch new file mode 100644 index 00000000000..233e769cd71 --- /dev/null +++ b/queue-4.14/perf-probe-walk-function-lines-in-lexical-blocks.patch @@ -0,0 +1,76 @@ +From e5d05d8569fe32a0de8e26e9256ca74554fad239 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 18:12:45 +0900 +Subject: perf probe: Walk function lines in lexical blocks + +From: Masami Hiramatsu + +[ Upstream commit acb6a7047ac2146b723fef69ee1ab6b7143546bf ] + +Since some inlined functions are in lexical blocks of given function, we +have to recursively walk through the DIE tree. Without this fix, +perf-probe -L can miss the inlined functions which is in a lexical block +(like if (..) { func() } case.) + +However, even though, to walk the lines in a given function, we don't +need to follow the children DIE of inlined functions because those do +not have any lines in the specified function. + +We need to walk though whole trees only if we walk all lines in a given +file, because an inlined function can include another inlined function +in the same file. + +Fixes: b0e9cb2802d4 ("perf probe: Fix to search nested inlined functions in CU") +Signed-off-by: Masami Hiramatsu +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/157190836514.1859.15996864849678136353.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index bc52b3840706..e5406e5adb68 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -691,10 +691,9 @@ static int __die_walk_funclines_cb(Dwarf_Die *in_die, void *data) + if (lw->retval != 0) + return DIE_FIND_CB_END; + } ++ if (!lw->recursive) ++ return DIE_FIND_CB_SIBLING; + } +- if (!lw->recursive) +- /* Don't need to search recursively */ +- return DIE_FIND_CB_SIBLING; + + if (addr) { + fname = dwarf_decl_file(in_die); +@@ -741,6 +740,10 @@ static int __die_walk_culines_cb(Dwarf_Die *sp_die, void *data) + { + struct __line_walk_param *lw = data; + ++ /* ++ * Since inlined function can include another inlined function in ++ * the same file, we need to walk in it recursively. ++ */ + lw->retval = __die_walk_funclines(sp_die, true, lw->callback, lw->data); + if (lw->retval != 0) + return DWARF_CB_ABORT; +@@ -830,8 +833,9 @@ int die_walk_lines(Dwarf_Die *rt_die, line_walk_callback_t callback, void *data) + */ + if (rt_die != cu_die) + /* +- * Don't need walk functions recursively, because nested +- * inlined functions don't have lines of the specified DIE. ++ * Don't need walk inlined functions recursively, because ++ * inner inlined functions don't have the lines of the ++ * specified function. + */ + ret = __die_walk_funclines(rt_die, false, callback, data); + else { +-- +2.20.1 + diff --git a/queue-4.14/perf-report-add-warning-when-libunwind-not-compiled-.patch b/queue-4.14/perf-report-add-warning-when-libunwind-not-compiled-.patch new file mode 100644 index 00000000000..d26131ff06c --- /dev/null +++ b/queue-4.14/perf-report-add-warning-when-libunwind-not-compiled-.patch @@ -0,0 +1,58 @@ +From f9fea8c4f2ac931889b46df1709f98b1308b2b76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2019 10:21:22 +0800 +Subject: perf report: Add warning when libunwind not compiled in + +From: Jin Yao + +[ Upstream commit 800d3f561659b5436f8c57e7c26dd1f6928b5615 ] + +We received a user report that call-graph DWARF mode was enabled in +'perf record' but 'perf report' didn't unwind the callstack correctly. +The reason was, libunwind was not compiled in. + +We can use 'perf -vv' to check the compiled libraries but it would be +valuable to report a warning to user directly (especially valuable for +a perf newbie). + +The warning is: + +Warning: +Please install libunwind development packages during the perf build. + +Both TUI and stdio are supported. + +Signed-off-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20191011022122.26369-1-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index 4ddb0726eebc..fd4dd12b8f9d 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -342,6 +342,13 @@ static int report__setup_sample_type(struct report *rep) + PERF_SAMPLE_BRANCH_ANY)) + rep->nonany_branch_mode = true; + ++#ifndef HAVE_LIBUNWIND_SUPPORT ++ if (dwarf_callchain_users) { ++ ui__warning("Please install libunwind development packages " ++ "during the perf build.\n"); ++ } ++#endif ++ + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/perf-test-report-failure-for-mmap-events.patch b/queue-4.14/perf-test-report-failure-for-mmap-events.patch new file mode 100644 index 00000000000..d1551662cb5 --- /dev/null +++ b/queue-4.14/perf-test-report-failure-for-mmap-events.patch @@ -0,0 +1,43 @@ +From e2d8dbbe8e5a87cb150c5be1a82bb79e57ee3e61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2019 17:19:41 +0800 +Subject: perf test: Report failure for mmap events + +From: Leo Yan + +[ Upstream commit 6add129c5d9210ada25217abc130df0b7096ee02 ] + +When fail to mmap events in task exit case, it misses to set 'err' to +-1; thus the testing will not report failure for it. + +This patch sets 'err' to -1 when fails to mmap events, thus Perf tool +can report correct result. + +Fixes: d723a55096b8 ("perf test: Add test case for checking number of EXIT events") +Signed-off-by: Leo Yan +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Link: http://lore.kernel.org/lkml/20191011091942.29841-1-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/task-exit.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/task-exit.c b/tools/perf/tests/task-exit.c +index 89c8e1604ca7..94fe5464bc6f 100644 +--- a/tools/perf/tests/task-exit.c ++++ b/tools/perf/tests/task-exit.c +@@ -104,6 +104,7 @@ int test__task_exit(struct test *test __maybe_unused, int subtest __maybe_unused + if (perf_evlist__mmap(evlist, 128, true) < 0) { + pr_debug("failed to mmap events: %d (%s)\n", errno, + str_error_r(errno, sbuf, sizeof(sbuf))); ++ err = -1; + goto out_delete_evlist; + } + +-- +2.20.1 + diff --git a/queue-4.14/perf-trace-filter-own-pid-to-avoid-a-feedback-look-i.patch b/queue-4.14/perf-trace-filter-own-pid-to-avoid-a-feedback-look-i.patch new file mode 100644 index 00000000000..7f3d7b34d4e --- /dev/null +++ b/queue-4.14/perf-trace-filter-own-pid-to-avoid-a-feedback-look-i.patch @@ -0,0 +1,96 @@ +From cb32ebf6b888012a6e374ce70fe796d11e3252e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2019 20:13:51 -0300 +Subject: perf trace: Filter own pid to avoid a feedback look in 'perf trace + record -a' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 7fbfe22cf4cfe01a88704dd76ca65d108039d297 ] + +When doing a system wide 'perf trace record' we need, just like in 'perf +trace' live mode, to filter out perf trace's own pid, so set up a +tracepoint filter for the raw_syscalls tracepoints right after adding +them to the argv array that is set up to then call cmd_record(). + +Reported-by: Andi Kleen +Cc: Adrian Hunter +Cc: David Ahern +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-uysx5w8f2y5ndoln5cq370tv@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index b224bf3f2b99..63a35036321b 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -2055,21 +2055,23 @@ static int trace__record(struct trace *trace, int argc, const char **argv) + "-m", "1024", + "-c", "1", + }; +- ++ pid_t pid = getpid(); ++ char *filter = asprintf__tp_filter_pids(1, &pid); + const char * const sc_args[] = { "-e", }; + unsigned int sc_args_nr = ARRAY_SIZE(sc_args); + const char * const majpf_args[] = { "-e", "major-faults" }; + unsigned int majpf_args_nr = ARRAY_SIZE(majpf_args); + const char * const minpf_args[] = { "-e", "minor-faults" }; + unsigned int minpf_args_nr = ARRAY_SIZE(minpf_args); ++ int err = -1; + +- /* +1 is for the event string below */ +- rec_argc = ARRAY_SIZE(record_args) + sc_args_nr + 1 + ++ /* +3 is for the event string below and the pid filter */ ++ rec_argc = ARRAY_SIZE(record_args) + sc_args_nr + 3 + + majpf_args_nr + minpf_args_nr + argc; + rec_argv = calloc(rec_argc + 1, sizeof(char *)); + +- if (rec_argv == NULL) +- return -ENOMEM; ++ if (rec_argv == NULL || filter == NULL) ++ goto out_free; + + j = 0; + for (i = 0; i < ARRAY_SIZE(record_args); i++) +@@ -2086,11 +2088,13 @@ static int trace__record(struct trace *trace, int argc, const char **argv) + rec_argv[j++] = "syscalls:sys_enter,syscalls:sys_exit"; + else { + pr_err("Neither raw_syscalls nor syscalls events exist.\n"); +- free(rec_argv); +- return -1; ++ goto out_free; + } + } + ++ rec_argv[j++] = "--filter"; ++ rec_argv[j++] = filter; ++ + if (trace->trace_pgfaults & TRACE_PFMAJ) + for (i = 0; i < majpf_args_nr; i++) + rec_argv[j++] = majpf_args[i]; +@@ -2102,7 +2106,11 @@ static int trace__record(struct trace *trace, int argc, const char **argv) + for (i = 0; i < (unsigned int)argc; i++) + rec_argv[j++] = argv[i]; + +- return cmd_record(j, rec_argv); ++ err = cmd_record(j, rec_argv); ++out_free: ++ free(filter); ++ free(rec_argv); ++ return err; + } + + static size_t trace__fprintf_thread_summary(struct trace *trace, FILE *fp); +-- +2.20.1 + diff --git a/queue-4.14/phy-qcom-usb-hs-fix-extcon-double-register-after-pow.patch b/queue-4.14/phy-qcom-usb-hs-fix-extcon-double-register-after-pow.patch new file mode 100644 index 00000000000..5ca660906db --- /dev/null +++ b/queue-4.14/phy-qcom-usb-hs-fix-extcon-double-register-after-pow.patch @@ -0,0 +1,71 @@ +From 4e4a57ecd9385f5041e1d5f13ce24c9fba1c2531 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2019 13:52:08 +0200 +Subject: phy: qcom-usb-hs: Fix extcon double register after power cycle + +From: Stephan Gerhold + +[ Upstream commit 64f86b9978449ff05bfa6c64b4c5439e21e9c80b ] + +Commit f0b5c2c96370 ("phy: qcom-usb-hs: Replace the extcon API") +switched from extcon_register_notifier() to the resource-managed +API, i.e. devm_extcon_register_notifier(). + +This is problematic in this case, because the extcon notifier +is dynamically registered/unregistered whenever the PHY is powered +on/off. The resource-managed API does not unregister the notifier +until the driver is removed, so as soon as the PHY is power cycled, +attempting to register the notifier again results in: + + double register detected + WARNING: CPU: 1 PID: 182 at kernel/notifier.c:26 notifier_chain_register+0x74/0xa0 + Call trace: + ... + extcon_register_notifier+0x74/0xb8 + devm_extcon_register_notifier+0x54/0xb8 + qcom_usb_hs_phy_power_on+0x1fc/0x208 + ... + +... and USB stops working after plugging the cable out and in +another time. + +The easiest way to fix this is to make a partial revert of +commit f0b5c2c96370 ("phy: qcom-usb-hs: Replace the extcon API") +and avoid using the resource-managed API in this case. + +Fixes: f0b5c2c96370 ("phy: qcom-usb-hs: Replace the extcon API") +Signed-off-by: Stephan Gerhold +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-usb-hs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-usb-hs.c b/drivers/phy/qualcomm/phy-qcom-usb-hs.c +index 2d0c70b5589f..643934a2a70c 100644 +--- a/drivers/phy/qualcomm/phy-qcom-usb-hs.c ++++ b/drivers/phy/qualcomm/phy-qcom-usb-hs.c +@@ -159,8 +159,8 @@ static int qcom_usb_hs_phy_power_on(struct phy *phy) + /* setup initial state */ + qcom_usb_hs_phy_vbus_notifier(&uphy->vbus_notify, state, + uphy->vbus_edev); +- ret = devm_extcon_register_notifier(&ulpi->dev, uphy->vbus_edev, +- EXTCON_USB, &uphy->vbus_notify); ++ ret = extcon_register_notifier(uphy->vbus_edev, EXTCON_USB, ++ &uphy->vbus_notify); + if (ret) + goto err_ulpi; + } +@@ -181,6 +181,9 @@ static int qcom_usb_hs_phy_power_off(struct phy *phy) + { + struct qcom_usb_hs_phy *uphy = phy_get_drvdata(phy); + ++ if (uphy->vbus_edev) ++ extcon_unregister_notifier(uphy->vbus_edev, EXTCON_USB, ++ &uphy->vbus_notify); + regulator_disable(uphy->v3p3); + regulator_disable(uphy->v1p8); + clk_disable_unprepare(uphy->sleep_clk); +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-amd-fix-__iomem-annotation-in-amd_gpio_irq_h.patch b/queue-4.14/pinctrl-amd-fix-__iomem-annotation-in-amd_gpio_irq_h.patch new file mode 100644 index 00000000000..90925a3c8e2 --- /dev/null +++ b/queue-4.14/pinctrl-amd-fix-__iomem-annotation-in-amd_gpio_irq_h.patch @@ -0,0 +1,50 @@ +From 9cb9db38f29be065df2288b3507a10a20d5e6fa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 16:11:54 +0100 +Subject: pinctrl: amd: fix __iomem annotation in amd_gpio_irq_handler() + +From: Ben Dooks (Codethink) + +[ Upstream commit 10ff58aa3c2e2a093b6ad615a7e3d8bb0dc613e5 ] + +The regs pointer in amd_gpio_irq_handler() should have __iomem +on it, so add that to fix the following sparse warnings: + +drivers/pinctrl/pinctrl-amd.c:555:14: warning: incorrect type in assignment (different address spaces) +drivers/pinctrl/pinctrl-amd.c:555:14: expected unsigned int [usertype] *regs +drivers/pinctrl/pinctrl-amd.c:555:14: got void [noderef] *base +drivers/pinctrl/pinctrl-amd.c:563:34: warning: incorrect type in argument 1 (different address spaces) +drivers/pinctrl/pinctrl-amd.c:563:34: expected void const volatile [noderef] *addr +drivers/pinctrl/pinctrl-amd.c:563:34: got unsigned int [usertype] * +drivers/pinctrl/pinctrl-amd.c:580:34: warning: incorrect type in argument 1 (different address spaces) +drivers/pinctrl/pinctrl-amd.c:580:34: expected void const volatile [noderef] *addr +drivers/pinctrl/pinctrl-amd.c:580:34: got unsigned int [usertype] * +drivers/pinctrl/pinctrl-amd.c:587:25: warning: incorrect type in argument 2 (different address spaces) +drivers/pinctrl/pinctrl-amd.c:587:25: expected void volatile [noderef] *addr +drivers/pinctrl/pinctrl-amd.c:587:25: got unsigned int [usertype] * + +Signed-off-by: Ben Dooks (Codethink) +Link: https://lore.kernel.org/r/20191022151154.5986-1-ben.dooks@codethink.co.uk +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index b78f42abff2f..7385cd81498c 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -509,7 +509,8 @@ static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) + irqreturn_t ret = IRQ_NONE; + unsigned int i, irqnr; + unsigned long flags; +- u32 *regs, regval; ++ u32 __iomem *regs; ++ u32 regval; + u64 status, mask; + + /* Read the wake status */ +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-devicetree-avoid-taking-direct-reference-to-.patch b/queue-4.14/pinctrl-devicetree-avoid-taking-direct-reference-to-.patch new file mode 100644 index 00000000000..924cea5f5ad --- /dev/null +++ b/queue-4.14/pinctrl-devicetree-avoid-taking-direct-reference-to-.patch @@ -0,0 +1,112 @@ +From 629056274e550a5a1be112c6b7b79743a62ac35c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 13:42:06 +0100 +Subject: pinctrl: devicetree: Avoid taking direct reference to device name + string + +From: Will Deacon + +[ Upstream commit be4c60b563edee3712d392aaeb0943a768df7023 ] + +When populating the pinctrl mapping table entries for a device, the +'dev_name' field for each entry is initialised to point directly at the +string returned by 'dev_name()' for the device and subsequently used by +'create_pinctrl()' when looking up the mappings for the device being +probed. + +This is unreliable in the presence of calls to 'dev_set_name()', which may +reallocate the device name string leaving the pinctrl mappings with a +dangling reference. This then leads to a use-after-free every time the +name is dereferenced by a device probe: + + | BUG: KASAN: invalid-access in strcmp+0x20/0x64 + | Read of size 1 at addr 13ffffc153494b00 by task modprobe/590 + | Pointer tag: [13], memory tag: [fe] + | + | Call trace: + | __kasan_report+0x16c/0x1dc + | kasan_report+0x10/0x18 + | check_memory_region + | __hwasan_load1_noabort+0x4c/0x54 + | strcmp+0x20/0x64 + | create_pinctrl+0x18c/0x7f4 + | pinctrl_get+0x90/0x114 + | devm_pinctrl_get+0x44/0x98 + | pinctrl_bind_pins+0x5c/0x450 + | really_probe+0x1c8/0x9a4 + | driver_probe_device+0x120/0x1d8 + +Follow the example of sysfs, and duplicate the device name string before +stashing it away in the pinctrl mapping entries. + +Cc: Linus Walleij +Reported-by: Elena Petrova +Tested-by: Elena Petrova +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20191002124206.22928-1-will@kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/devicetree.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c +index c4aa411f5935..3a7c2d6e4d5f 100644 +--- a/drivers/pinctrl/devicetree.c ++++ b/drivers/pinctrl/devicetree.c +@@ -40,6 +40,13 @@ struct pinctrl_dt_map { + static void dt_free_map(struct pinctrl_dev *pctldev, + struct pinctrl_map *map, unsigned num_maps) + { ++ int i; ++ ++ for (i = 0; i < num_maps; ++i) { ++ kfree_const(map[i].dev_name); ++ map[i].dev_name = NULL; ++ } ++ + if (pctldev) { + const struct pinctrl_ops *ops = pctldev->desc->pctlops; + if (ops->dt_free_map) +@@ -74,7 +81,13 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename, + + /* Initialize common mapping table entry fields */ + for (i = 0; i < num_maps; i++) { +- map[i].dev_name = dev_name(p->dev); ++ const char *devname; ++ ++ devname = kstrdup_const(dev_name(p->dev), GFP_KERNEL); ++ if (!devname) ++ goto err_free_map; ++ ++ map[i].dev_name = devname; + map[i].name = statename; + if (pctldev) + map[i].ctrl_dev_name = dev_name(pctldev->dev); +@@ -82,10 +95,8 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename, + + /* Remember the converted mapping table entries */ + dt_map = kzalloc(sizeof(*dt_map), GFP_KERNEL); +- if (!dt_map) { +- dt_free_map(pctldev, map, num_maps); +- return -ENOMEM; +- } ++ if (!dt_map) ++ goto err_free_map; + + dt_map->pctldev = pctldev; + dt_map->map = map; +@@ -93,6 +104,10 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename, + list_add_tail(&dt_map->node, &p->dt_maps); + + return pinctrl_register_map(map, num_maps, false); ++ ++err_free_map: ++ dt_free_map(pctldev, map, num_maps); ++ return -ENOMEM; + } + + struct pinctrl_dev *of_pinctrl_get(struct device_node *np) +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-sh-pfc-sh7734-fix-duplicate-tclk1_b.patch b/queue-4.14/pinctrl-sh-pfc-sh7734-fix-duplicate-tclk1_b.patch new file mode 100644 index 00000000000..a4e2effac86 --- /dev/null +++ b/queue-4.14/pinctrl-sh-pfc-sh7734-fix-duplicate-tclk1_b.patch @@ -0,0 +1,64 @@ +From 4a7ef81ff103cc942b307a2320cf643e2507671a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 15:13:08 +0200 +Subject: pinctrl: sh-pfc: sh7734: Fix duplicate TCLK1_B + +From: Geert Uytterhoeven + +[ Upstream commit 884caadad128efad8e00c1cdc3177bc8912ee8ec ] + +The definitions for bit field [19:18] of the Peripheral Function Select +Register 3 were accidentally copied from bit field [20], leading to +duplicates for the TCLK1_B function, and missing TCLK0, CAN_CLK_B, and +ET0_ETXD4 functions. + +Fix this by adding the missing GPIO_FN_CAN_CLK_B and GPIO_FN_ET0_ETXD4 +enum values, and correcting the functions. + +Reported-by: Ben Dooks +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191024131308.16659-1-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/sh/include/cpu-sh4/cpu/sh7734.h | 2 +- + drivers/pinctrl/sh-pfc/pfc-sh7734.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/sh/include/cpu-sh4/cpu/sh7734.h b/arch/sh/include/cpu-sh4/cpu/sh7734.h +index 96f0246ad2f2..82b63208135a 100644 +--- a/arch/sh/include/cpu-sh4/cpu/sh7734.h ++++ b/arch/sh/include/cpu-sh4/cpu/sh7734.h +@@ -134,7 +134,7 @@ enum { + GPIO_FN_EX_WAIT1, GPIO_FN_SD1_DAT0_A, GPIO_FN_DREQ2, GPIO_FN_CAN1_TX_C, + GPIO_FN_ET0_LINK_C, GPIO_FN_ET0_ETXD5_A, + GPIO_FN_EX_WAIT0, GPIO_FN_TCLK1_B, +- GPIO_FN_RD_WR, GPIO_FN_TCLK0, ++ GPIO_FN_RD_WR, GPIO_FN_TCLK0, GPIO_FN_CAN_CLK_B, GPIO_FN_ET0_ETXD4, + GPIO_FN_EX_CS5, GPIO_FN_SD1_CMD_A, GPIO_FN_ATADIR, GPIO_FN_QSSL_B, + GPIO_FN_ET0_ETXD3_A, + GPIO_FN_EX_CS4, GPIO_FN_SD1_WP_A, GPIO_FN_ATAWR, GPIO_FN_QMI_QIO1_B, +diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7734.c b/drivers/pinctrl/sh-pfc/pfc-sh7734.c +index 33232041ee86..3eccc9b3ca84 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-sh7734.c ++++ b/drivers/pinctrl/sh-pfc/pfc-sh7734.c +@@ -1453,7 +1453,7 @@ static const struct pinmux_func pinmux_func_gpios[] = { + GPIO_FN(ET0_ETXD2_A), + GPIO_FN(EX_CS5), GPIO_FN(SD1_CMD_A), GPIO_FN(ATADIR), GPIO_FN(QSSL_B), + GPIO_FN(ET0_ETXD3_A), +- GPIO_FN(RD_WR), GPIO_FN(TCLK1_B), ++ GPIO_FN(RD_WR), GPIO_FN(TCLK0), GPIO_FN(CAN_CLK_B), GPIO_FN(ET0_ETXD4), + GPIO_FN(EX_WAIT0), GPIO_FN(TCLK1_B), + GPIO_FN(EX_WAIT1), GPIO_FN(SD1_DAT0_A), GPIO_FN(DREQ2), + GPIO_FN(CAN1_TX_C), GPIO_FN(ET0_LINK_C), GPIO_FN(ET0_ETXD5_A), +@@ -1949,7 +1949,7 @@ static const struct pinmux_cfg_reg pinmux_config_regs[] = { + /* IP3_20 [1] */ + FN_EX_WAIT0, FN_TCLK1_B, + /* IP3_19_18 [2] */ +- FN_RD_WR, FN_TCLK1_B, 0, 0, ++ FN_RD_WR, FN_TCLK0, FN_CAN_CLK_B, FN_ET0_ETXD4, + /* IP3_17_15 [3] */ + FN_EX_CS5, FN_SD1_CMD_A, FN_ATADIR, FN_QSSL_B, + FN_ET0_ETXD3_A, 0, 0, 0, +-- +2.20.1 + diff --git a/queue-4.14/rdma-qedr-fix-memory-leak-in-user-qp-and-mr.patch b/queue-4.14/rdma-qedr-fix-memory-leak-in-user-qp-and-mr.patch new file mode 100644 index 00000000000..331849f004e --- /dev/null +++ b/queue-4.14/rdma-qedr-fix-memory-leak-in-user-qp-and-mr.patch @@ -0,0 +1,55 @@ +From 9443943e9cab68a7ba06399a483e034a46f432c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Oct 2019 22:04:51 +0200 +Subject: RDMA/qedr: Fix memory leak in user qp and mr + +From: Michal Kalderon + +[ Upstream commit 24e412c1e00ebfe73619e6b88cbc26c2c7d41b85 ] + +User QPs pbl's weren't freed properly. +MR pbls weren't freed properly. + +Fixes: e0290cce6ac0 ("qedr: Add support for memory registeration verbs") +Link: https://lore.kernel.org/r/20191027200451.28187-5-michal.kalderon@marvell.com +Signed-off-by: Ariel Elior +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 7f4cc9336442..656e7c1a4449 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1343,6 +1343,14 @@ static void qedr_cleanup_user(struct qedr_dev *dev, struct qedr_qp *qp) + if (qp->urq.umem) + ib_umem_release(qp->urq.umem); + qp->urq.umem = NULL; ++ ++ if (rdma_protocol_roce(&dev->ibdev, 1)) { ++ qedr_free_pbl(dev, &qp->usq.pbl_info, qp->usq.pbl_tbl); ++ qedr_free_pbl(dev, &qp->urq.pbl_info, qp->urq.pbl_tbl); ++ } else { ++ kfree(qp->usq.pbl_tbl); ++ kfree(qp->urq.pbl_tbl); ++ } + } + + static int qedr_create_user_qp(struct qedr_dev *dev, +@@ -2331,8 +2339,8 @@ int qedr_dereg_mr(struct ib_mr *ib_mr) + + dev->ops->rdma_free_tid(dev->rdma_ctx, mr->hw_mr.itid); + +- if ((mr->type != QEDR_MR_DMA) && (mr->type != QEDR_MR_FRMR)) +- qedr_free_pbl(dev, &mr->info.pbl_info, mr->info.pbl_table); ++ if (mr->type != QEDR_MR_DMA) ++ free_mr_info(dev, &mr->info); + + /* it could be user registered memory. */ + if (mr->umem) +-- +2.20.1 + diff --git a/queue-4.14/regulator-max8907-fix-the-usage-of-uninitialized-var.patch b/queue-4.14/regulator-max8907-fix-the-usage-of-uninitialized-var.patch new file mode 100644 index 00000000000..0ab8e6e0a85 --- /dev/null +++ b/queue-4.14/regulator-max8907-fix-the-usage-of-uninitialized-var.patch @@ -0,0 +1,65 @@ +From e762562aa4dd2e32fd7c4d4ca01518a943541e84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Oct 2019 10:58:13 -0700 +Subject: regulator: max8907: Fix the usage of uninitialized variable in + max8907_regulator_probe() + +From: Yizhuo + +[ Upstream commit 472b39c3d1bba0616eb0e9a8fa3ad0f56927c7d7 ] + +Inside function max8907_regulator_probe(), variable val could +be uninitialized if regmap_read() fails. However, val is used +later in the if statement to decide the content written to +"pmic", which is potentially unsafe. + +Signed-off-by: Yizhuo +Link: https://lore.kernel.org/r/20191003175813.16415-1-yzhai003@ucr.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/max8907-regulator.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/regulator/max8907-regulator.c b/drivers/regulator/max8907-regulator.c +index 860400d2cd85..a8f2f07239fb 100644 +--- a/drivers/regulator/max8907-regulator.c ++++ b/drivers/regulator/max8907-regulator.c +@@ -299,7 +299,10 @@ static int max8907_regulator_probe(struct platform_device *pdev) + memcpy(pmic->desc, max8907_regulators, sizeof(pmic->desc)); + + /* Backwards compatibility with MAX8907B; SD1 uses different voltages */ +- regmap_read(max8907->regmap_gen, MAX8907_REG_II2RR, &val); ++ ret = regmap_read(max8907->regmap_gen, MAX8907_REG_II2RR, &val); ++ if (ret) ++ return ret; ++ + if ((val & MAX8907_II2RR_VERSION_MASK) == + MAX8907_II2RR_VERSION_REV_B) { + pmic->desc[MAX8907_SD1].min_uV = 637500; +@@ -336,14 +339,20 @@ static int max8907_regulator_probe(struct platform_device *pdev) + } + + if (pmic->desc[i].ops == &max8907_ldo_ops) { +- regmap_read(config.regmap, pmic->desc[i].enable_reg, ++ ret = regmap_read(config.regmap, pmic->desc[i].enable_reg, + &val); ++ if (ret) ++ return ret; ++ + if ((val & MAX8907_MASK_LDO_SEQ) != + MAX8907_MASK_LDO_SEQ) + pmic->desc[i].ops = &max8907_ldo_hwctl_ops; + } else if (pmic->desc[i].ops == &max8907_out5v_ops) { +- regmap_read(config.regmap, pmic->desc[i].enable_reg, ++ ret = regmap_read(config.regmap, pmic->desc[i].enable_reg, + &val); ++ if (ret) ++ return ret; ++ + if ((val & (MAX8907_MASK_OUT5V_VINEN | + MAX8907_MASK_OUT5V_ENSRC)) != + MAX8907_MASK_OUT5V_ENSRC) +-- +2.20.1 + diff --git a/queue-4.14/rfkill-allocate-static-minor.patch b/queue-4.14/rfkill-allocate-static-minor.patch new file mode 100644 index 00000000000..afd5b29d778 --- /dev/null +++ b/queue-4.14/rfkill-allocate-static-minor.patch @@ -0,0 +1,68 @@ +From c714ee3ecbd0dd2248b4ad7d088cdde08dcbb75a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 19:40:42 +0200 +Subject: rfkill: allocate static minor + +From: Marcel Holtmann + +[ Upstream commit 8670b2b8b029a6650d133486be9d2ace146fd29a ] + +udev has a feature of creating /dev/ device-nodes if it finds +a devnode: modalias. This allows for auto-loading of modules that +provide the node. This requires to use a statically allocated minor +number for misc character devices. + +However, rfkill uses dynamic minor numbers and prevents auto-loading +of the module. So allocate the next static misc minor number and use +it for rfkill. + +Signed-off-by: Marcel Holtmann +Link: https://lore.kernel.org/r/20191024174042.19851-1-marcel@holtmann.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/linux/miscdevice.h | 1 + + net/rfkill/core.c | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h +index 4de703d9e21f..5e1e50b8f8c4 100644 +--- a/include/linux/miscdevice.h ++++ b/include/linux/miscdevice.h +@@ -56,6 +56,7 @@ + #define UHID_MINOR 239 + #define USERIO_MINOR 240 + #define VHOST_VSOCK_MINOR 241 ++#define RFKILL_MINOR 242 + #define MISC_DYNAMIC_MINOR 255 + + struct device; +diff --git a/net/rfkill/core.c b/net/rfkill/core.c +index 2064c3a35ef8..99a2e55b01cf 100644 +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -1312,10 +1312,12 @@ static const struct file_operations rfkill_fops = { + .llseek = no_llseek, + }; + ++#define RFKILL_NAME "rfkill" ++ + static struct miscdevice rfkill_miscdev = { +- .name = "rfkill", + .fops = &rfkill_fops, +- .minor = MISC_DYNAMIC_MINOR, ++ .name = RFKILL_NAME, ++ .minor = RFKILL_MINOR, + }; + + static int __init rfkill_init(void) +@@ -1367,3 +1369,6 @@ static void __exit rfkill_exit(void) + class_unregister(&rfkill_class); + } + module_exit(rfkill_exit); ++ ++MODULE_ALIAS_MISCDEV(RFKILL_MINOR); ++MODULE_ALIAS("devname:" RFKILL_NAME); +-- +2.20.1 + diff --git a/queue-4.14/rtl8xxxu-fix-rtl8723bu-connection-failure-issue-afte.patch b/queue-4.14/rtl8xxxu-fix-rtl8723bu-connection-failure-issue-afte.patch new file mode 100644 index 00000000000..d84b4cf7350 --- /dev/null +++ b/queue-4.14/rtl8xxxu-fix-rtl8723bu-connection-failure-issue-afte.patch @@ -0,0 +1,73 @@ +From 1d6cc79ee91f04cebf4b2e68229010e7a6b294f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 09:54:08 +0800 +Subject: rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot + +From: Chris Chiu + +[ Upstream commit 0eeb91ade90ce06d2fa1e2fcb55e3316b64c203c ] + +The RTL8723BU has problems connecting to AP after each warm reboot. +Sometimes it returns no scan result, and in most cases, it fails +the authentication for unknown reason. However, it works totally +fine after cold reboot. + +Compare the value of register SYS_CR and SYS_CLK_MAC_CLK_ENABLE +for cold reboot and warm reboot, the registers imply that the MAC +is already powered and thus some procedures are skipped during +driver initialization. Double checked the vendor driver, it reads +the SYS_CR and SYS_CLK_MAC_CLK_ENABLE also but doesn't skip any +during initialization based on them. This commit only tells the +RTL8723BU to do full initialization without checking MAC status. + +Signed-off-by: Chris Chiu +Signed-off-by: Jes Sorensen +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 1 + + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c | 1 + + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 3 +++ + 3 files changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +index 95e3993d8a33..a895b6fd6f85 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +@@ -1349,6 +1349,7 @@ struct rtl8xxxu_fileops { + u8 has_s0s1:1; + u8 has_tx_report:1; + u8 gen2_thermal_meter:1; ++ u8 needs_full_init:1; + u32 adda_1t_init; + u32 adda_1t_path_on; + u32 adda_2t_path_on_a; +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c +index c4b86a84a721..27e97df996c7 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c +@@ -1673,6 +1673,7 @@ struct rtl8xxxu_fileops rtl8723bu_fops = { + .has_s0s1 = 1, + .has_tx_report = 1, + .gen2_thermal_meter = 1, ++ .needs_full_init = 1, + .adda_1t_init = 0x01c00014, + .adda_1t_path_on = 0x01c00014, + .adda_2t_path_on_a = 0x01c00014, +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 91b01ca32e75..b58bf8e2cad2 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -3905,6 +3905,9 @@ static int rtl8xxxu_init_device(struct ieee80211_hw *hw) + else + macpower = true; + ++ if (fops->needs_full_init) ++ macpower = false; ++ + ret = fops->power_on(priv); + if (ret < 0) { + dev_warn(dev, "%s: Failed power on\n", __func__); +-- +2.20.1 + diff --git a/queue-4.14/rtlwifi-fix-memory-leak-in-rtl92c_set_fw_rsvdpagepkt.patch b/queue-4.14/rtlwifi-fix-memory-leak-in-rtl92c_set_fw_rsvdpagepkt.patch new file mode 100644 index 00000000000..259edfe08e5 --- /dev/null +++ b/queue-4.14/rtlwifi-fix-memory-leak-in-rtl92c_set_fw_rsvdpagepkt.patch @@ -0,0 +1,64 @@ +From 838be9036315eb876acc83563ec89284e807fcc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 10:18:38 +0800 +Subject: rtlwifi: fix memory leak in rtl92c_set_fw_rsvdpagepkt() + +From: Ping-Ke Shih + +[ Upstream commit 5174f1e41074b5186608badc2e89441d021e8c08 ] + +This leak was found by testing the EDIMAX EW-7612 on Raspberry Pi 3B+ with +Linux 5.4-rc5 (multi_v7_defconfig + rtlwifi + kmemleak) and noticed a +single memory leak during probe: + +unreferenced object 0xec13ee40 (size 176): + comm "kworker/u8:1", pid 36, jiffies 4294939321 (age 5580.790s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __netdev_alloc_skb+0x9c/0x164 + [<863dfa6e>] rtl92c_set_fw_rsvdpagepkt+0x254/0x340 [rtl8192c_common] + [<9572be0d>] rtl92cu_set_hw_reg+0xf48/0xfa4 [rtl8192cu] + [<116df4d8>] rtl_op_bss_info_changed+0x234/0x96c [rtlwifi] + [<8933575f>] ieee80211_bss_info_change_notify+0xb8/0x264 [mac80211] + [] ieee80211_assoc_success+0x934/0x1798 [mac80211] + [] ieee80211_rx_mgmt_assoc_resp+0x174/0x314 [mac80211] + [<5974629e>] ieee80211_sta_rx_queued_mgmt+0x3f4/0x7f0 [mac80211] + [] ieee80211_iface_work+0x208/0x318 [mac80211] + [] process_one_work+0x22c/0x564 + [] worker_thread+0x44/0x5d8 + [<82c7b073>] kthread+0x150/0x154 + [] ret_from_fork+0x14/0x2c + [<794dff30>] 0x0 + +It is because 8192cu doesn't implement usb_cmd_send_packet(), and this +patch just frees the skb within the function to resolve memleak problem +by now. Since 8192cu doesn't turn on fwctrl_lps that needs to download +command packet for firmware via the function, applying this patch doesn't +affect driver behavior. + +Reported-by: Stefan Wahren +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c +index 530e80f0ef0b..1ee7f796113b 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c +@@ -1556,6 +1556,8 @@ static bool usb_cmd_send_packet(struct ieee80211_hw *hw, struct sk_buff *skb) + * This is maybe necessary: + * rtlpriv->cfg->ops->fill_tx_cmddesc(hw, buffer, 1, 1, skb); + */ ++ dev_kfree_skb(skb); ++ + return true; + } + +-- +2.20.1 + diff --git a/queue-4.14/rtlwifi-prevent-memory-leak-in-rtl_usb_probe.patch b/queue-4.14/rtlwifi-prevent-memory-leak-in-rtl_usb_probe.patch new file mode 100644 index 00000000000..aac53b40b66 --- /dev/null +++ b/queue-4.14/rtlwifi-prevent-memory-leak-in-rtl_usb_probe.patch @@ -0,0 +1,47 @@ +From 16f3b397924ed99a9fc756586252d62969a5d35e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 20:20:21 -0500 +Subject: rtlwifi: prevent memory leak in rtl_usb_probe + +From: Navid Emamdoost + +[ Upstream commit 3f93616951138a598d930dcaec40f2bfd9ce43bb ] + +In rtl_usb_probe if allocation for usb_data fails the allocated hw +should be released. In addition the allocated rtlpriv->usb_data should +be released on error handling path. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 2401c8bdb211..93eda23f0123 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1068,8 +1068,10 @@ int rtl_usb_probe(struct usb_interface *intf, + rtlpriv->hw = hw; + rtlpriv->usb_data = kzalloc(RTL_USB_MAX_RX_COUNT * sizeof(u32), + GFP_KERNEL); +- if (!rtlpriv->usb_data) ++ if (!rtlpriv->usb_data) { ++ ieee80211_free_hw(hw); + return -ENOMEM; ++ } + + /* this spin lock must be initialized early */ + spin_lock_init(&rtlpriv->locks.usb_lock); +@@ -1130,6 +1132,7 @@ error_out2: + _rtl_usb_io_handler_release(hw); + usb_put_dev(udev); + complete(&rtlpriv->firmware_loading_complete); ++ kfree(rtlpriv->usb_data); + return -ENODEV; + } + EXPORT_SYMBOL(rtl_usb_probe); +-- +2.20.1 + diff --git a/queue-4.14/s390-disassembler-don-t-hide-instruction-addresses.patch b/queue-4.14/s390-disassembler-don-t-hide-instruction-addresses.patch new file mode 100644 index 00000000000..2830a03906e --- /dev/null +++ b/queue-4.14/s390-disassembler-don-t-hide-instruction-addresses.patch @@ -0,0 +1,73 @@ +From e6d44e20d11b727bf08f465157894bae4a7cb904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 18:25:16 +0100 +Subject: s390/disassembler: don't hide instruction addresses + +From: Ilya Leoshkevich + +[ Upstream commit 544f1d62e3e6c6e6d17a5e56f6139208acb5ff46 ] + +Due to kptr_restrict, JITted BPF code is now displayed like this: + +000000000b6ed1b2: ebdff0800024 stmg %r13,%r15,128(%r15) +000000004cde2ba0: 41d0f040 la %r13,64(%r15) +00000000fbad41b0: a7fbffa0 aghi %r15,-96 + +Leaking kernel addresses to dmesg is not a concern in this case, because +this happens only when JIT debugging is explicitly activated, which only +root can do. + +Use %px in this particular instance, and also to print an instruction +address in show_code and PCREL (e.g. brasl) arguments in print_insn. +While at present functionally equivalent to %016lx, %px is recommended +by Documentation/core-api/printk-formats.rst for such cases. + +Signed-off-by: Ilya Leoshkevich +Reviewed-by: Vasily Gorbik +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/dis.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/arch/s390/kernel/dis.c b/arch/s390/kernel/dis.c +index 2394557653d5..6d154069c962 100644 +--- a/arch/s390/kernel/dis.c ++++ b/arch/s390/kernel/dis.c +@@ -1930,10 +1930,11 @@ static int print_insn(char *buffer, unsigned char *code, unsigned long addr) + ptr += sprintf(ptr, "%%c%i", value); + else if (operand->flags & OPERAND_VR) + ptr += sprintf(ptr, "%%v%i", value); +- else if (operand->flags & OPERAND_PCREL) +- ptr += sprintf(ptr, "%lx", (signed int) value +- + addr); +- else if (operand->flags & OPERAND_SIGNED) ++ else if (operand->flags & OPERAND_PCREL) { ++ void *pcrel = (void *)((int)value + addr); ++ ++ ptr += sprintf(ptr, "%px", pcrel); ++ } else if (operand->flags & OPERAND_SIGNED) + ptr += sprintf(ptr, "%i", value); + else + ptr += sprintf(ptr, "%u", value); +@@ -2005,7 +2006,7 @@ void show_code(struct pt_regs *regs) + else + *ptr++ = ' '; + addr = regs->psw.addr + start - 32; +- ptr += sprintf(ptr, "%016lx: ", addr); ++ ptr += sprintf(ptr, "%px: ", (void *)addr); + if (start + opsize >= end) + break; + for (i = 0; i < opsize; i++) +@@ -2033,7 +2034,7 @@ void print_fn_code(unsigned char *code, unsigned long len) + opsize = insn_length(*code); + if (opsize > len) + break; +- ptr += sprintf(ptr, "%p: ", code); ++ ptr += sprintf(ptr, "%px: ", code); + for (i = 0; i < opsize; i++) + ptr += sprintf(ptr, "%02x", code[i]); + *ptr++ = '\t'; +-- +2.20.1 + diff --git a/queue-4.14/s390-mm-add-mm_pxd_folded-checks-to-pxd_free.patch b/queue-4.14/s390-mm-add-mm_pxd_folded-checks-to-pxd_free.patch new file mode 100644 index 00000000000..a5318025bc8 --- /dev/null +++ b/queue-4.14/s390-mm-add-mm_pxd_folded-checks-to-pxd_free.patch @@ -0,0 +1,72 @@ +From b78c77c1805451b948e746be1a64c47bdd52deb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 14:38:08 +0200 +Subject: s390/mm: add mm_pxd_folded() checks to pxd_free() + +From: Gerald Schaefer + +[ Upstream commit 2416cefc504ba8ae9b17e3e6b40afc72708f96be ] + +Unlike pxd_free_tlb(), the pxd_free() functions do not check for folded +page tables. This is not an issue so far, as those functions will actually +never be called, since no code will reach them when page tables are folded. + +In order to avoid future issues, and to make the s390 code more similar to +other architectures, add mm_pxd_folded() checks, similar to how it is done +in pxd_free_tlb(). + +This was found by testing a patch from from Anshuman Khandual, which is +currently discussed on LKML ("mm/debug: Add tests validating architecture +page table helpers"). + +Signed-off-by: Gerald Schaefer +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/pgalloc.h | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/include/asm/pgalloc.h b/arch/s390/include/asm/pgalloc.h +index bbe99cb8219d..11857fea993c 100644 +--- a/arch/s390/include/asm/pgalloc.h ++++ b/arch/s390/include/asm/pgalloc.h +@@ -70,7 +70,12 @@ static inline p4d_t *p4d_alloc_one(struct mm_struct *mm, unsigned long address) + crst_table_init(table, _REGION2_ENTRY_EMPTY); + return (p4d_t *) table; + } +-#define p4d_free(mm, p4d) crst_table_free(mm, (unsigned long *) p4d) ++ ++static inline void p4d_free(struct mm_struct *mm, p4d_t *p4d) ++{ ++ if (!mm_p4d_folded(mm)) ++ crst_table_free(mm, (unsigned long *) p4d); ++} + + static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long address) + { +@@ -79,7 +84,12 @@ static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long address) + crst_table_init(table, _REGION3_ENTRY_EMPTY); + return (pud_t *) table; + } +-#define pud_free(mm, pud) crst_table_free(mm, (unsigned long *) pud) ++ ++static inline void pud_free(struct mm_struct *mm, pud_t *pud) ++{ ++ if (!mm_pud_folded(mm)) ++ crst_table_free(mm, (unsigned long *) pud); ++} + + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long vmaddr) + { +@@ -97,6 +107,8 @@ static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long vmaddr) + + static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd) + { ++ if (mm_pmd_folded(mm)) ++ return; + pgtable_pmd_page_dtor(virt_to_page(pmd)); + crst_table_free(mm, (unsigned long *) pmd); + } +-- +2.20.1 + diff --git a/queue-4.14/s390-time-ensure-get_clock_monotonic-returns-monoton.patch b/queue-4.14/s390-time-ensure-get_clock_monotonic-returns-monoton.patch new file mode 100644 index 00000000000..366f9c2c552 --- /dev/null +++ b/queue-4.14/s390-time-ensure-get_clock_monotonic-returns-monoton.patch @@ -0,0 +1,65 @@ +From ebed6c63609db9be4c528ca4a8171dad9a652898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 14:09:47 +0100 +Subject: s390/time: ensure get_clock_monotonic() returns monotonic values + +From: Heiko Carstens + +[ Upstream commit 011620688a71f2f1fe9901dbc2479a7c01053196 ] + +The current implementation of get_clock_monotonic() leaves it up to +the caller to call the function with preemption disabled. The only +core kernel caller (sched_clock) however does not disable preemption. + +In order to make sure that all callers of this function see monotonic +values handle disabling preemption within the function itself. + +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/timex.h | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h +index 64539c221672..0f12a3f91282 100644 +--- a/arch/s390/include/asm/timex.h ++++ b/arch/s390/include/asm/timex.h +@@ -10,8 +10,9 @@ + #ifndef _ASM_S390_TIMEX_H + #define _ASM_S390_TIMEX_H + +-#include ++#include + #include ++#include + + /* The value of the TOD clock for 1.1.1970. */ + #define TOD_UNIX_EPOCH 0x7d91048bca000000ULL +@@ -186,15 +187,18 @@ extern unsigned char tod_clock_base[16] __aligned(8); + /** + * get_clock_monotonic - returns current time in clock rate units + * +- * The caller must ensure that preemption is disabled. + * The clock and tod_clock_base get changed via stop_machine. +- * Therefore preemption must be disabled when calling this +- * function, otherwise the returned value is not guaranteed to +- * be monotonic. ++ * Therefore preemption must be disabled, otherwise the returned ++ * value is not guaranteed to be monotonic. + */ + static inline unsigned long long get_tod_clock_monotonic(void) + { +- return get_tod_clock() - *(unsigned long long *) &tod_clock_base[1]; ++ unsigned long long tod; ++ ++ preempt_disable(); ++ tod = get_tod_clock() - *(unsigned long long *) &tod_clock_base[1]; ++ preempt_enable(); ++ return tod; + } + + /** +-- +2.20.1 + diff --git a/queue-4.14/samples-pktgen-fix-proc_cmd-command-result-check-log.patch b/queue-4.14/samples-pktgen-fix-proc_cmd-command-result-check-log.patch new file mode 100644 index 00000000000..f41ddfae7d6 --- /dev/null +++ b/queue-4.14/samples-pktgen-fix-proc_cmd-command-result-check-log.patch @@ -0,0 +1,82 @@ +From d273a9b9bac1aae0157872f858798e0db78de95a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Oct 2019 17:25:07 +0900 +Subject: samples: pktgen: fix proc_cmd command result check logic + +From: Daniel T. Lee + +[ Upstream commit 3cad8f911575191fb3b81d8ed0e061e30f922223 ] + +Currently, proc_cmd is used to dispatch command to 'pg_ctrl', 'pg_thread', +'pg_set'. proc_cmd is designed to check command result with grep the +"Result:", but this might fail since this string is only shown in +'pg_thread' and 'pg_set'. + +This commit fixes this logic by grep-ing the "Result:" string only when +the command is not for 'pg_ctrl'. + +For clarity of an execution flow, 'errexit' flag has been set. + +To cleanup pktgen on exit, trap has been added for EXIT signal. + +Signed-off-by: Daniel T. Lee +Acked-by: Jesper Dangaard Brouer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + samples/pktgen/functions.sh | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/samples/pktgen/functions.sh b/samples/pktgen/functions.sh +index 205e4cde4601..065a7e296ee3 100644 +--- a/samples/pktgen/functions.sh ++++ b/samples/pktgen/functions.sh +@@ -5,6 +5,8 @@ + # Author: Jesper Dangaaard Brouer + # License: GPL + ++set -o errexit ++ + ## -- General shell logging cmds -- + function err() { + local exitcode=$1 +@@ -58,6 +60,7 @@ function pg_set() { + function proc_cmd() { + local result + local proc_file=$1 ++ local status=0 + # after shift, the remaining args are contained in $@ + shift + local proc_ctrl=${PROC_DIR}/$proc_file +@@ -73,13 +76,13 @@ function proc_cmd() { + echo "cmd: $@ > $proc_ctrl" + fi + # Quoting of "$@" is important for space expansion +- echo "$@" > "$proc_ctrl" +- local status=$? ++ echo "$@" > "$proc_ctrl" || status=$? + +- result=$(grep "Result: OK:" $proc_ctrl) +- # Due to pgctrl, cannot use exit code $? from grep +- if [[ "$result" == "" ]]; then +- grep "Result:" $proc_ctrl >&2 ++ if [[ "$proc_file" != "pgctrl" ]]; then ++ result=$(grep "Result: OK:" $proc_ctrl) || true ++ if [[ "$result" == "" ]]; then ++ grep "Result:" $proc_ctrl >&2 ++ fi + fi + if (( $status != 0 )); then + err 5 "Write error($status) occurred cmd: \"$@ > $proc_ctrl\"" +@@ -105,6 +108,8 @@ function pgset() { + fi + } + ++[[ $EUID -eq 0 ]] && trap 'pg_ctrl "reset"' EXIT ++ + ## -- General shell tricks -- + + function root_check_run_with_sudo() { +-- +2.20.1 + diff --git a/queue-4.14/selftests-bpf-correct-path-to-include-msg-path.patch b/queue-4.14/selftests-bpf-correct-path-to-include-msg-path.patch new file mode 100644 index 00000000000..6b0a99387b8 --- /dev/null +++ b/queue-4.14/selftests-bpf-correct-path-to-include-msg-path.patch @@ -0,0 +1,72 @@ +From b8f551ee9dff00219d5e72671ba0fbec27b63111 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 15:04:04 +0300 +Subject: selftests/bpf: Correct path to include msg + path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ivan Khoronzhuk + +[ Upstream commit c588146378962786ddeec817f7736a53298a7b01 ] + +The "path" buf is supposed to contain path + printf msg up to 24 bytes. +It will be cut anyway, but compiler generates truncation warns like: + +" +samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c: In +function ‘setup_cgroup_environment’: +samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c:52:34: +warning: ‘/cgroup.controllers’ directive output may be truncated +writing 19 bytes into a region of size between 1 and 4097 +[-Wformat-truncation=] +snprintf(path, sizeof(path), "%s/cgroup.controllers", cgroup_path); + ^~~~~~~~~~~~~~~~~~~ +samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c:52:2: +note: ‘snprintf’ output between 20 and 4116 bytes into a destination +of size 4097 +snprintf(path, sizeof(path), "%s/cgroup.controllers", cgroup_path); +^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c:72:34: +warning: ‘/cgroup.subtree_control’ directive output may be truncated +writing 23 bytes into a region of size between 1 and 4097 +[-Wformat-truncation=] +snprintf(path, sizeof(path), "%s/cgroup.subtree_control", + ^~~~~~~~~~~~~~~~~~~~~~~ +cgroup_path); +samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.c:72:2: +note: ‘snprintf’ output between 24 and 4120 bytes into a destination +of size 4097 +snprintf(path, sizeof(path), "%s/cgroup.subtree_control", +cgroup_path); +" + +In order to avoid warns, lets decrease buf size for cgroup workdir on +24 bytes with assumption to include also "/cgroup.subtree_control" to +the address. The cut will never happen anyway. + +Signed-off-by: Ivan Khoronzhuk +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20191002120404.26962-3-ivan.khoronzhuk@linaro.org +Signed-off-by: Sasha Levin +--- + samples/bpf/cgroup_helpers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/bpf/cgroup_helpers.c b/samples/bpf/cgroup_helpers.c +index 09afaddfc9ba..b5c09cd6c7bd 100644 +--- a/samples/bpf/cgroup_helpers.c ++++ b/samples/bpf/cgroup_helpers.c +@@ -43,7 +43,7 @@ + */ + int setup_cgroup_environment(void) + { +- char cgroup_workdir[PATH_MAX + 1]; ++ char cgroup_workdir[PATH_MAX - 24]; + + format_cgroup_path(cgroup_workdir, ""); + +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..679e04df185 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,121 @@ +drm-mst-fix-query_payload-ack-reply-struct.patch +drm-bridge-analogix-anx78xx-silence-eprobe_defer-war.patch +iio-light-bh1750-resolve-compiler-warning-and-make-c.patch +spi-add-call-to-spi_slave_abort-function-when-spidev.patch +staging-rtl8192u-fix-multiple-memory-leaks-on-error-.patch +staging-rtl8188eu-fix-possible-null-dereference.patch +rtlwifi-prevent-memory-leak-in-rtl_usb_probe.patch +libertas-fix-a-potential-null-pointer-dereference.patch +ib-iser-bound-protection_sg-size-by-data_sg-size.patch +media-am437x-vpfe-setting-std-to-current-value-is-no.patch +media-i2c-ov2659-fix-s_stream-return-value.patch +media-ov6650-fix-crop-rectangle-alignment-not-passed.patch +media-i2c-ov2659-fix-missing-720p-register-config.patch +media-ov6650-fix-stored-frame-format-not-in-sync-wit.patch +media-ov6650-fix-stored-crop-rectangle-not-in-sync-w.patch +tools-power-cpupower-fix-initializer-override-in-hsw.patch +media-venus-core-fix-msm8996-frequency-table.patch +ath10k-fix-offchannel-tx-failure-when-no-ath10k_mac_.patch +pinctrl-devicetree-avoid-taking-direct-reference-to-.patch +selftests-bpf-correct-path-to-include-msg-path.patch +usb-renesas_usbhs-add-suspend-event-support-in-gadge.patch +hwrng-omap3-rom-call-clk_disable_unprepare-on-exit-o.patch +regulator-max8907-fix-the-usage-of-uninitialized-var.patch +media-flexcop-usb-fix-null-ptr-deref-in-flexcop_usb_.patch +media-cec-funcs.h-add-status_req-checks.patch +drm-bridge-dw-hdmi-refuse-ddc-ci-transfers-on-the-in.patch +samples-pktgen-fix-proc_cmd-command-result-check-log.patch +block-fix-writeback-throttling-w-1-compiler-warnings.patch +mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_init_ev.patch +media-cx88-fix-some-error-handling-path-in-cx8800_in.patch +media-ti-vpe-vpe-fix-motion-vector-vpdma-stride.patch +media-ti-vpe-vpe-fix-a-v4l2-compliance-warning-about.patch +media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch +media-ti-vpe-vpe-make-sure-yuyv-is-set-as-default-fo.patch +media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-causi.patch +media-ti-vpe-vpe-ensure-buffers-are-cleaned-up-prope.patch +media-ti-vpe-vpe-fix-a-v4l2-compliance-failure-about.patch-7973 +extcon-sm5502-reset-registers-during-initialization.patch +x86-mm-use-the-correct-function-type-for-native_set_.patch +drm-bridge-dw-hdmi-restore-audio-when-setting-a-mode.patch +perf-test-report-failure-for-mmap-events.patch +perf-report-add-warning-when-libunwind-not-compiled-.patch +perf-trace-filter-own-pid-to-avoid-a-feedback-look-i.patch +usb-usbfs-suppress-problematic-bind-and-unbind-ueven.patch +iio-adc-max1027-reset-the-device-at-probe-time.patch +bluetooth-missed-cpu_to_le16-conversion-in-hci_init4.patch +bluetooth-hci_core-fix-init-for-hci_user_channel.patch +x86-mce-lower-throttling-mce-messages-priority-to-wa.patch +drm-gma500-fix-memory-disclosures-due-to-uninitializ.patch +rtl8xxxu-fix-rtl8723bu-connection-failure-issue-afte.patch +x86-ioapic-prevent-inconsistent-state-when-moving-an.patch +arm64-psci-reduce-the-waiting-time-for-cpu_psci_cpu_.patch +net-phy-dp83867-enable-robust-auto-mdix.patch +rdma-qedr-fix-memory-leak-in-user-qp-and-mr.patch +gpu-host1x-allocate-gather-copy-for-host1x.patch +net-dsa-lan9303-select-regmap-when-lan9303-enable.patch +phy-qcom-usb-hs-fix-extcon-double-register-after-pow.patch +s390-time-ensure-get_clock_monotonic-returns-monoton.patch +s390-mm-add-mm_pxd_folded-checks-to-pxd_free.patch +libata-ensure-ata_port-probe-has-completed-before-de.patch +loop-fix-no-unmap-write-zeroes-request-behavior.patch +pinctrl-sh-pfc-sh7734-fix-duplicate-tclk1_b.patch +iio-dln2-adc-fix-iio_triggered_buffer_postenable-pos.patch +bluetooth-fix-advertising-duplicated-flags.patch +pinctrl-amd-fix-__iomem-annotation-in-amd_gpio_irq_h.patch +ixgbe-protect-tx-timestamping-from-api-misuse.patch +media-rcar_drif-fix-a-memory-disclosure.patch +media-v4l2-core-fix-touch-support-in-v4l_g_fmt.patch +rfkill-allocate-static-minor.patch +bnx2x-fix-pf-vf-communication-over-multi-cos-queues.patch +spi-img-spfi-fix-potential-double-release.patch +alsa-timer-limit-max-amount-of-slave-instances.patch +rtlwifi-fix-memory-leak-in-rtl92c_set_fw_rsvdpagepkt.patch +perf-probe-fix-to-find-range-only-function-instance.patch +perf-probe-fix-to-list-probe-event-with-correct-line.patch +perf-probe-walk-function-lines-in-lexical-blocks.patch +perf-probe-fix-to-probe-an-inline-function-which-has.patch +perf-probe-fix-to-show-ranges-of-variables-in-functi.patch +perf-probe-fix-to-show-inlined-function-callsite-wit.patch +libsubcmd-use-o0-with-debug-1.patch +perf-probe-fix-to-probe-a-function-which-has-no-entr.patch +drm-amdgpu-fix-potential-double-drop-fence-reference.patch +perf-parse-if-pmu-configuration-fails-free-terms.patch +perf-probe-skip-overlapped-location-on-searching-var.patch +perf-probe-return-a-better-scope-die-if-there-is-no-.patch +perf-probe-fix-to-show-calling-lines-of-inlined-func.patch +perf-probe-skip-end-of-sequence-and-non-statement-li.patch +perf-probe-filter-out-instances-except-for-inlined-s.patch +ath10k-fix-get-invalid-tx-rate-for-mesh-metric.patch +fsi-core-fix-small-accesses-and-unaligned-offsets-vi.patch +media-pvrusb2-fix-oops-on-tear-down-when-radio-suppo.patch +media-si470x-i2c-add-missed-operations-in-remove.patch +edac-ghes-fix-grain-calculation.patch +spi-pxa2xx-add-missed-security-checks.patch +asoc-rt5677-mark-reg-rt5677_pwr_anlg2-as-volatile.patch +asoc-intel-kbl_rt5663_rt5514_max98927-add-dmic-forma.patch +s390-disassembler-don-t-hide-instruction-addresses.patch +parport-load-lowlevel-driver-if-ports-not-found.patch +cpufreq-register-drivers-only-after-cpu-devices-have.patch +x86-crash-add-a-forward-declaration-of-struct-kimage.patch +iwlwifi-mvm-fix-unaligned-read-of-rx_pkt_status.patch +spi-tegra20-slink-add-missed-clk_unprepare.patch +crypto-virtio-deal-with-unsupported-input-sizes.patch +mmc-tmio-add-mmc_cap_erase-to-allow-erase-discard-tr.patch +btrfs-don-t-prematurely-free-work-in-end_workqueue_f.patch +btrfs-don-t-prematurely-free-work-in-run_ordered_wor.patch +spi-st-ssc4-add-missed-pm_runtime_disable.patch +x86-insn-add-some-intel-instructions-to-the-opcode-m.patch +iwlwifi-check-kasprintf-return-value.patch +fbtft-make-sure-string-is-null-terminated.patch +crypto-sun4i-ss-fix-64-bit-size_t-warnings.patch +crypto-sun4i-ss-fix-64-bit-size_t-warnings-on-sun4i-.patch +mac80211-consider-qos-null-frames-for-sta_nullfunc_a.patch +crypto-vmx-avoid-weird-build-failures.patch +libtraceevent-fix-memory-leakage-in-copy_filter_type.patch +perf-parse-fix-potential-memory-leak-when-handling-t.patch +mips-fix-build-when-48-bits-virtual-memory-is-enable.patch +perf-intel-bts-does-not-support-aux-area-sampling.patch +net-phy-initialise-phydev-speed-and-duplex-sanely.patch +btrfs-don-t-prematurely-free-work-in-reada_start_mac.patch +btrfs-don-t-prematurely-free-work-in-scrub_missing_r.patch diff --git a/queue-4.14/spi-add-call-to-spi_slave_abort-function-when-spidev.patch b/queue-4.14/spi-add-call-to-spi_slave_abort-function-when-spidev.patch new file mode 100644 index 00000000000..63219e33f18 --- /dev/null +++ b/queue-4.14/spi-add-call-to-spi_slave_abort-function-when-spidev.patch @@ -0,0 +1,50 @@ +From 2cc695f7bc18045dfa00fc0a15f97c208b38733e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 11:11:42 +0200 +Subject: spi: Add call to spi_slave_abort() function when spidev driver is + released + +From: Lukasz Majewski + +[ Upstream commit 9f918a728cf86b2757b6a7025e1f46824bfe3155 ] + +This change is necessary for spidev devices (e.g. /dev/spidev3.0) working +in the slave mode (like NXP's dspi driver for Vybrid SoC). + +When SPI HW works in this mode - the master is responsible for providing +CS and CLK signals. However, when some fault happens - like for example +distortion on SPI lines - the SPI Linux driver needs a chance to recover +from this abnormal situation and prepare itself for next (correct) +transmission. + +This change doesn't pose any threat on drivers working in master mode as +spi_slave_abort() function checks if SPI slave mode is supported. + +Signed-off-by: Lukasz Majewski +Link: https://lore.kernel.org/r/20190924110547.14770-2-lukma@denx.de +Signed-off-by: Mark Brown +Reported-by: kbuild test robot +Link: https://lore.kernel.org/r/20190925091143.15468-2-lukma@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spidev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index c5fe08bc34a0..028725573e63 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -634,6 +634,9 @@ static int spidev_release(struct inode *inode, struct file *filp) + if (dofree) + kfree(spidev); + } ++#ifdef CONFIG_SPI_SLAVE ++ spi_slave_abort(spidev->spi); ++#endif + mutex_unlock(&device_list_lock); + + return 0; +-- +2.20.1 + diff --git a/queue-4.14/spi-img-spfi-fix-potential-double-release.patch b/queue-4.14/spi-img-spfi-fix-potential-double-release.patch new file mode 100644 index 00000000000..73b22b72f75 --- /dev/null +++ b/queue-4.14/spi-img-spfi-fix-potential-double-release.patch @@ -0,0 +1,39 @@ +From 4112f4413886e3580740088cb77de1596910a9ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 10:36:09 +0800 +Subject: spi: img-spfi: fix potential double release + +From: Pan Bian + +[ Upstream commit e9a8ba9769a0e354341bc6cc01b98aadcea1dfe9 ] + +The channels spfi->tx_ch and spfi->rx_ch are not set to NULL after they +are released. As a result, they will be released again, either on the +error handling branch in the same function or in the corresponding +remove function, i.e. img_spfi_remove(). This patch fixes the bug by +setting the two members to NULL. + +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/1573007769-20131-1-git-send-email-bianpan2016@163.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-img-spfi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi-img-spfi.c b/drivers/spi/spi-img-spfi.c +index 7a37090dabbe..2e65b70c7879 100644 +--- a/drivers/spi/spi-img-spfi.c ++++ b/drivers/spi/spi-img-spfi.c +@@ -673,6 +673,8 @@ static int img_spfi_probe(struct platform_device *pdev) + dma_release_channel(spfi->tx_ch); + if (spfi->rx_ch) + dma_release_channel(spfi->rx_ch); ++ spfi->tx_ch = NULL; ++ spfi->rx_ch = NULL; + dev_warn(spfi->dev, "Failed to get DMA channels, falling back to PIO mode\n"); + } else { + master->dma_tx = spfi->tx_ch; +-- +2.20.1 + diff --git a/queue-4.14/spi-pxa2xx-add-missed-security-checks.patch b/queue-4.14/spi-pxa2xx-add-missed-security-checks.patch new file mode 100644 index 00000000000..8d51e13edb2 --- /dev/null +++ b/queue-4.14/spi-pxa2xx-add-missed-security-checks.patch @@ -0,0 +1,45 @@ +From fc9b625788e99d05218c1c30cd1c43edab66a9d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Nov 2019 16:09:43 +0800 +Subject: spi: pxa2xx: Add missed security checks + +From: Chuhong Yuan + +[ Upstream commit 5eb263ef08b5014cfc2539a838f39d2fd3531423 ] + +pxa2xx_spi_init_pdata misses checks for devm_clk_get and +platform_get_irq. +Add checks for them to fix the bugs. + +Since ssp->clk and ssp->irq are used in probe, they are mandatory here. +So we cannot use _optional() for devm_clk_get and platform_get_irq. + +Signed-off-by: Chuhong Yuan +Link: https://lore.kernel.org/r/20191109080943.30428-1-hslester96@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-pxa2xx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c +index 9bf3e5f945c7..b2245cdce230 100644 +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -1559,7 +1559,13 @@ pxa2xx_spi_init_pdata(struct platform_device *pdev) + } + + ssp->clk = devm_clk_get(&pdev->dev, NULL); ++ if (IS_ERR(ssp->clk)) ++ return NULL; ++ + ssp->irq = platform_get_irq(pdev, 0); ++ if (ssp->irq < 0) ++ return NULL; ++ + ssp->type = type; + ssp->pdev = pdev; + ssp->port_id = pxa2xx_spi_get_port_id(adev); +-- +2.20.1 + diff --git a/queue-4.14/spi-st-ssc4-add-missed-pm_runtime_disable.patch b/queue-4.14/spi-st-ssc4-add-missed-pm_runtime_disable.patch new file mode 100644 index 00000000000..d529727333d --- /dev/null +++ b/queue-4.14/spi-st-ssc4-add-missed-pm_runtime_disable.patch @@ -0,0 +1,45 @@ +From a748f63a01dd8e471af2191f3576a837163255ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 10:48:48 +0800 +Subject: spi: st-ssc4: add missed pm_runtime_disable + +From: Chuhong Yuan + +[ Upstream commit cd050abeba2a95fe5374eec28ad2244617bcbab6 ] + +The driver forgets to call pm_runtime_disable in probe failure +and remove. +Add the missed calls to fix it. + +Signed-off-by: Chuhong Yuan +Link: https://lore.kernel.org/r/20191118024848.21645-1-hslester96@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-st-ssc4.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/spi/spi-st-ssc4.c b/drivers/spi/spi-st-ssc4.c +index a4e43fc19ece..5df01ffdef46 100644 +--- a/drivers/spi/spi-st-ssc4.c ++++ b/drivers/spi/spi-st-ssc4.c +@@ -385,6 +385,7 @@ static int spi_st_probe(struct platform_device *pdev) + return 0; + + clk_disable: ++ pm_runtime_disable(&pdev->dev); + clk_disable_unprepare(spi_st->clk); + put_master: + spi_master_put(master); +@@ -396,6 +397,8 @@ static int spi_st_remove(struct platform_device *pdev) + struct spi_master *master = platform_get_drvdata(pdev); + struct spi_st *spi_st = spi_master_get_devdata(master); + ++ pm_runtime_disable(&pdev->dev); ++ + clk_disable_unprepare(spi_st->clk); + + pinctrl_pm_select_sleep_state(&pdev->dev); +-- +2.20.1 + diff --git a/queue-4.14/spi-tegra20-slink-add-missed-clk_unprepare.patch b/queue-4.14/spi-tegra20-slink-add-missed-clk_unprepare.patch new file mode 100644 index 00000000000..c218e9aeb69 --- /dev/null +++ b/queue-4.14/spi-tegra20-slink-add-missed-clk_unprepare.patch @@ -0,0 +1,53 @@ +From 59773b55819ad77edfd3b9603d4903bbac33170b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 16:31:22 +0800 +Subject: spi: tegra20-slink: add missed clk_unprepare + +From: Chuhong Yuan + +[ Upstream commit 04358e40ba96d687c0811c21d9dede73f5244a98 ] + +The driver misses calling clk_unprepare in probe failure and remove. +Add the calls to fix it. + +Signed-off-by: Chuhong Yuan +Link: https://lore.kernel.org/r/20191115083122.12278-1-hslester96@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra20-slink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c +index 9831c1106945..62b074b167a9 100644 +--- a/drivers/spi/spi-tegra20-slink.c ++++ b/drivers/spi/spi-tegra20-slink.c +@@ -1078,7 +1078,7 @@ static int tegra_slink_probe(struct platform_device *pdev) + ret = clk_enable(tspi->clk); + if (ret < 0) { + dev_err(&pdev->dev, "Clock enable failed %d\n", ret); +- goto exit_free_master; ++ goto exit_clk_unprepare; + } + + spi_irq = platform_get_irq(pdev, 0); +@@ -1151,6 +1151,8 @@ exit_free_irq: + free_irq(spi_irq, tspi); + exit_clk_disable: + clk_disable(tspi->clk); ++exit_clk_unprepare: ++ clk_unprepare(tspi->clk); + exit_free_master: + spi_master_put(master); + return ret; +@@ -1164,6 +1166,7 @@ static int tegra_slink_remove(struct platform_device *pdev) + free_irq(tspi->irq, tspi); + + clk_disable(tspi->clk); ++ clk_unprepare(tspi->clk); + + if (tspi->tx_dma_chan) + tegra_slink_deinit_dma_param(tspi, false); +-- +2.20.1 + diff --git a/queue-4.14/staging-rtl8188eu-fix-possible-null-dereference.patch b/queue-4.14/staging-rtl8188eu-fix-possible-null-dereference.patch new file mode 100644 index 00000000000..1d963a87247 --- /dev/null +++ b/queue-4.14/staging-rtl8188eu-fix-possible-null-dereference.patch @@ -0,0 +1,54 @@ +From 79fe758fec52d2e7f4f424c21bfba310b10b1790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2019 08:03:17 -0700 +Subject: staging: rtl8188eu: fix possible null dereference + +From: Connor Kuehl + +[ Upstream commit 228241944a48113470d3c3b46c88ba7fbe0a274b ] + +Inside a nested 'else' block at the beginning of this function is a +call that assigns 'psta' to the return value of 'rtw_get_stainfo()'. +If 'rtw_get_stainfo()' returns NULL and the flow of control reaches +the 'else if' where 'psta' is dereferenced, then we will dereference +a NULL pointer. + +Fix this by checking if 'psta' is not NULL before reading its +'psta->qos_option' data member. + +Addresses-Coverity: ("Dereference null return value") + +Signed-off-by: Connor Kuehl +Acked-by: Larry Finger +Link: https://lore.kernel.org/r/20190926150317.5894-1-connor.kuehl@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8188eu/core/rtw_xmit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/rtl8188eu/core/rtw_xmit.c b/drivers/staging/rtl8188eu/core/rtw_xmit.c +index 904b988ecc4e..7c895af1ba31 100644 +--- a/drivers/staging/rtl8188eu/core/rtw_xmit.c ++++ b/drivers/staging/rtl8188eu/core/rtw_xmit.c +@@ -805,7 +805,7 @@ s32 rtw_make_wlanhdr(struct adapter *padapter, u8 *hdr, struct pkt_attrib *pattr + memcpy(pwlanhdr->addr2, get_bssid(pmlmepriv), ETH_ALEN); + memcpy(pwlanhdr->addr3, pattrib->src, ETH_ALEN); + +- if (psta->qos_option) ++ if (psta && psta->qos_option) + qos_option = true; + } else if (check_fwstate(pmlmepriv, WIFI_ADHOC_STATE) || + check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE)) { +@@ -813,7 +813,7 @@ s32 rtw_make_wlanhdr(struct adapter *padapter, u8 *hdr, struct pkt_attrib *pattr + memcpy(pwlanhdr->addr2, pattrib->src, ETH_ALEN); + memcpy(pwlanhdr->addr3, get_bssid(pmlmepriv), ETH_ALEN); + +- if (psta->qos_option) ++ if (psta && psta->qos_option) + qos_option = true; + } else { + RT_TRACE(_module_rtl871x_xmit_c_, _drv_err_, ("fw_state:%x is not allowed to xmit frame\n", get_fwstate(pmlmepriv))); +-- +2.20.1 + diff --git a/queue-4.14/staging-rtl8192u-fix-multiple-memory-leaks-on-error-.patch b/queue-4.14/staging-rtl8192u-fix-multiple-memory-leaks-on-error-.patch new file mode 100644 index 00000000000..ea4eae10922 --- /dev/null +++ b/queue-4.14/staging-rtl8192u-fix-multiple-memory-leaks-on-error-.patch @@ -0,0 +1,72 @@ +From 92ae950b40440883cfb5dbcd68841e1cd4c00629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2019 21:51:33 -0500 +Subject: staging: rtl8192u: fix multiple memory leaks on error path + +From: Navid Emamdoost + +[ Upstream commit ca312438cf176a16d4b89350cade8789ba8d7133 ] + +In rtl8192_tx on error handling path allocated urbs and also skb should +be released. + +Signed-off-by: Navid Emamdoost +Link: https://lore.kernel.org/r/20190920025137.29407-1-navid.emamdoost@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/r8192U_core.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c +index db3eb7ec5809..fbbd1b59dc11 100644 +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -1506,7 +1506,7 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff *skb) + (tx_fwinfo_819x_usb *)(skb->data + USB_HWDESC_HEADER_LEN); + struct usb_device *udev = priv->udev; + int pend; +- int status; ++ int status, rt = -1; + struct urb *tx_urb = NULL, *tx_urb_zero = NULL; + unsigned int idx_pipe; + +@@ -1650,8 +1650,10 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff *skb) + } + if (bSend0Byte) { + tx_urb_zero = usb_alloc_urb(0, GFP_ATOMIC); +- if (!tx_urb_zero) +- return -ENOMEM; ++ if (!tx_urb_zero) { ++ rt = -ENOMEM; ++ goto error; ++ } + usb_fill_bulk_urb(tx_urb_zero, udev, + usb_sndbulkpipe(udev, idx_pipe), + &zero, 0, tx_zero_isr, dev); +@@ -1661,7 +1663,7 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff *skb) + "Error TX URB for zero byte %d, error %d", + atomic_read(&priv->tx_pending[tcb_desc->queue_index]), + status); +- return -1; ++ goto error; + } + } + netif_trans_update(dev); +@@ -1672,7 +1674,12 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff *skb) + RT_TRACE(COMP_ERR, "Error TX URB %d, error %d", + atomic_read(&priv->tx_pending[tcb_desc->queue_index]), + status); +- return -1; ++ ++error: ++ dev_kfree_skb_any(skb); ++ usb_free_urb(tx_urb); ++ usb_free_urb(tx_urb_zero); ++ return rt; + } + + static short rtl8192_usb_initendpoints(struct net_device *dev) +-- +2.20.1 + diff --git a/queue-4.14/tools-power-cpupower-fix-initializer-override-in-hsw.patch b/queue-4.14/tools-power-cpupower-fix-initializer-override-in-hsw.patch new file mode 100644 index 00000000000..6182edcf003 --- /dev/null +++ b/queue-4.14/tools-power-cpupower-fix-initializer-override-in-hsw.patch @@ -0,0 +1,63 @@ +From 77c082f3bcc47966ba5d00ba596e969b3728f991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 09:26:42 -0700 +Subject: tools/power/cpupower: Fix initializer override in hsw_ext_cstates + +From: Nathan Chancellor + +[ Upstream commit 7e5705c635ecfccde559ebbbe1eaf05b5cc60529 ] + +When building cpupower with clang, the following warning appears: + + utils/idle_monitor/hsw_ext_idle.c:42:16: warning: initializer overrides + prior initialization of this subobject [-Winitializer-overrides] + .desc = N_("Processor Package C2"), + ^~~~~~~~~~~~~~~~~~~~~~ + ./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_' + #define N_(String) gettext_noop(String) + ^~~~~~ + ./utils/helpers/helpers.h:23:30: note: expanded from macro + 'gettext_noop' + #define gettext_noop(String) String + ^~~~~~ + utils/idle_monitor/hsw_ext_idle.c:41:16: note: previous initialization + is here + .desc = N_("Processor Package C9"), + ^~~~~~~~~~~~~~~~~~~~~~ + ./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_' + #define N_(String) gettext_noop(String) + ^~~~~~ + ./utils/helpers/helpers.h:23:30: note: expanded from macro + 'gettext_noop' + #define gettext_noop(String) String + ^~~~~~ + 1 warning generated. + +This appears to be a copy and paste or merge mistake because the name +and id fields both have PC9 in them, not PC2. Remove the second +assignment to fix the warning. + +Fixes: 7ee767b69b68 ("cpupower: Add Haswell family 0x45 specific idle monitor to show PC8,9,10 states") +Link: https://github.com/ClangBuiltLinux/linux/issues/718 +Signed-off-by: Nathan Chancellor +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c b/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c +index f794d6bbb7e9..3e4ff4a1cdf4 100644 +--- a/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c ++++ b/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c +@@ -40,7 +40,6 @@ static cstate_t hsw_ext_cstates[HSW_EXT_CSTATE_COUNT] = { + { + .name = "PC9", + .desc = N_("Processor Package C9"), +- .desc = N_("Processor Package C2"), + .id = PC9, + .range = RANGE_PACKAGE, + .get_count_percent = hsw_ext_get_count_percent, +-- +2.20.1 + diff --git a/queue-4.14/usb-renesas_usbhs-add-suspend-event-support-in-gadge.patch b/queue-4.14/usb-renesas_usbhs-add-suspend-event-support-in-gadge.patch new file mode 100644 index 00000000000..d6b280eab2b --- /dev/null +++ b/queue-4.14/usb-renesas_usbhs-add-suspend-event-support-in-gadge.patch @@ -0,0 +1,89 @@ +From c0d62770424223a5176d99159dd7229c320a83d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Sep 2019 15:15:56 +0200 +Subject: usb: renesas_usbhs: add suspend event support in gadget mode + +From: Veeraiyan Chidambaram + +[ Upstream commit 39abcc84846bbc0538f13c190b6a9c7e36890cd2 ] + +When R-Car Gen3 USB 2.0 is in Gadget mode, if host is detached an interrupt +will be generated and Suspended state bit is set in interrupt status +register. Interrupt handler will call driver->suspend(composite_suspend) +if suspended state bit is set. composite_suspend will call +ffs_func_suspend which will post FUNCTIONFS_SUSPEND and will be consumed +by user space application via /dev/ep0. + +To be able to detect host detach, extend the DVSQ_MASK to cover the +Suspended bit of the DVSQ[2:0] bitfield from the Interrupt Status +Register 0 (INTSTS0) register and perform appropriate action in the +DVST interrupt handler (usbhsg_irq_dev_state). + +Without this commit, disconnection of the phone from R-Car-H3 ES2.0 +Salvator-X CN9 port is not recognized and reverse role switch does +not happen. If phone is connected again it does not enumerate. + +With this commit, disconnection will be recognized and reverse role +switch will happen by a user space application. If phone is connected +again it will enumerate properly and will become visible in the output +of 'lsusb'. + +Signed-off-by: Veeraiyan Chidambaram +Signed-off-by: Eugeniu Rosca +Reviewed-by: Yoshihiro Shimoda +Tested-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1568207756-22325-3-git-send-email-external.veeraiyan.c@de.adit-jv.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/renesas_usbhs/common.h | 3 ++- + drivers/usb/renesas_usbhs/mod_gadget.c | 12 +++++++++--- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/renesas_usbhs/common.h b/drivers/usb/renesas_usbhs/common.h +index b8620aa6b72e..8424c165f732 100644 +--- a/drivers/usb/renesas_usbhs/common.h ++++ b/drivers/usb/renesas_usbhs/common.h +@@ -163,11 +163,12 @@ struct usbhs_priv; + #define VBSTS (1 << 7) /* VBUS_0 and VBUSIN_0 Input Status */ + #define VALID (1 << 3) /* USB Request Receive */ + +-#define DVSQ_MASK (0x3 << 4) /* Device State */ ++#define DVSQ_MASK (0x7 << 4) /* Device State */ + #define POWER_STATE (0 << 4) + #define DEFAULT_STATE (1 << 4) + #define ADDRESS_STATE (2 << 4) + #define CONFIGURATION_STATE (3 << 4) ++#define SUSPENDED_STATE (4 << 4) + + #define CTSQ_MASK (0x7) /* Control Transfer Stage */ + #define IDLE_SETUP_STAGE 0 /* Idle stage or setup stage */ +diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c +index 0dedb0d91dcc..b27f2135b66d 100644 +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -465,12 +465,18 @@ static int usbhsg_irq_dev_state(struct usbhs_priv *priv, + { + struct usbhsg_gpriv *gpriv = usbhsg_priv_to_gpriv(priv); + struct device *dev = usbhsg_gpriv_to_dev(gpriv); ++ int state = usbhs_status_get_device_state(irq_state); + + gpriv->gadget.speed = usbhs_bus_get_speed(priv); + +- dev_dbg(dev, "state = %x : speed : %d\n", +- usbhs_status_get_device_state(irq_state), +- gpriv->gadget.speed); ++ dev_dbg(dev, "state = %x : speed : %d\n", state, gpriv->gadget.speed); ++ ++ if (gpriv->gadget.speed != USB_SPEED_UNKNOWN && ++ (state & SUSPENDED_STATE)) { ++ if (gpriv->driver && gpriv->driver->suspend) ++ gpriv->driver->suspend(&gpriv->gadget); ++ usb_gadget_set_state(&gpriv->gadget, USB_STATE_SUSPENDED); ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/usb-usbfs-suppress-problematic-bind-and-unbind-ueven.patch b/queue-4.14/usb-usbfs-suppress-problematic-bind-and-unbind-ueven.patch new file mode 100644 index 00000000000..500fe46927f --- /dev/null +++ b/queue-4.14/usb-usbfs-suppress-problematic-bind-and-unbind-ueven.patch @@ -0,0 +1,82 @@ +From e79ecc731e652ab98d386e567b25e21e34132f7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2019 13:55:18 +0200 +Subject: usb: usbfs: Suppress problematic bind and unbind uevents. + +From: Ingo Rohloff + +[ Upstream commit abb0b3d96a1f9407dd66831ae33985a386d4200d ] + +commit 1455cf8dbfd0 ("driver core: emit uevents when device is bound +to a driver") added bind and unbind uevents when a driver is bound or +unbound to a physical device. + +For USB devices which are handled via the generic usbfs layer (via +libusb for example), this is problematic: +Each time a user space program calls + ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr); +and then later + ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr); +The kernel will now produce a bind or unbind event, which does not +really contain any useful information. + +This allows a user space program to run a DoS attack against programs +which listen to uevents (in particular systemd/eudev/upowerd): +A malicious user space program just has to call in a tight loop + + ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr); + ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr); + +With this loop the malicious user space program floods the kernel and +all programs listening to uevents with tons of bind and unbind +events. + +This patch suppresses uevents for ioctls USBDEVFS_CLAIMINTERFACE and +USBDEVFS_RELEASEINTERFACE. + +Signed-off-by: Ingo Rohloff +Link: https://lore.kernel.org/r/20191011115518.2801-1-ingo.rohloff@lauterbach.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/devio.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 62b2a7105f02..4fb4cf8c2f14 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -755,8 +755,15 @@ static int claimintf(struct usb_dev_state *ps, unsigned int ifnum) + intf = usb_ifnum_to_if(dev, ifnum); + if (!intf) + err = -ENOENT; +- else ++ else { ++ unsigned int old_suppress; ++ ++ /* suppress uevents while claiming interface */ ++ old_suppress = dev_get_uevent_suppress(&intf->dev); ++ dev_set_uevent_suppress(&intf->dev, 1); + err = usb_driver_claim_interface(&usbfs_driver, intf, ps); ++ dev_set_uevent_suppress(&intf->dev, old_suppress); ++ } + if (err == 0) + set_bit(ifnum, &ps->ifclaimed); + return err; +@@ -776,7 +783,13 @@ static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum) + if (!intf) + err = -ENOENT; + else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) { ++ unsigned int old_suppress; ++ ++ /* suppress uevents while releasing interface */ ++ old_suppress = dev_get_uevent_suppress(&intf->dev); ++ dev_set_uevent_suppress(&intf->dev, 1); + usb_driver_release_interface(&usbfs_driver, intf); ++ dev_set_uevent_suppress(&intf->dev, old_suppress); + err = 0; + } + return err; +-- +2.20.1 + diff --git a/queue-4.14/x86-crash-add-a-forward-declaration-of-struct-kimage.patch b/queue-4.14/x86-crash-add-a-forward-declaration-of-struct-kimage.patch new file mode 100644 index 00000000000..b8ac32be629 --- /dev/null +++ b/queue-4.14/x86-crash-add-a-forward-declaration-of-struct-kimage.patch @@ -0,0 +1,72 @@ +From 9408779698c9baf8385edf0e752b1f7cf61c64f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2019 17:00:27 +0800 +Subject: x86/crash: Add a forward declaration of struct kimage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lianbo Jiang + +[ Upstream commit 112eee5d06007dae561f14458bde7f2a4879ef4e ] + +Add a forward declaration of struct kimage to the crash.h header because +future changes will invoke a crash-specific function from the realmode +init path and the compiler will complain otherwise like this: + + In file included from arch/x86/realmode/init.c:11: + ./arch/x86/include/asm/crash.h:5:32: warning: ‘struct kimage’ declared inside\ + parameter list will not be visible outside of this definition or declaration + 5 | int crash_load_segments(struct kimage *image); + | ^~~~~~ + ./arch/x86/include/asm/crash.h:6:37: warning: ‘struct kimage’ declared inside\ + parameter list will not be visible outside of this definition or declaration + 6 | int crash_copy_backup_region(struct kimage *image); + | ^~~~~~ + ./arch/x86/include/asm/crash.h:7:39: warning: ‘struct kimage’ declared inside\ + parameter list will not be visible outside of this definition or declaration + 7 | int crash_setup_memmap_entries(struct kimage *image, + | + + [ bp: Rewrite the commit message. ] + +Reported-by: kbuild test robot +Signed-off-by: Lianbo Jiang +Signed-off-by: Borislav Petkov +Cc: bhe@redhat.com +Cc: d.hatayama@fujitsu.com +Cc: dhowells@redhat.com +Cc: dyoung@redhat.com +Cc: ebiederm@xmission.com +Cc: horms@verge.net.au +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Jürgen Gross +Cc: kexec@lists.infradead.org +Cc: Thomas Gleixner +Cc: Tom Lendacky +Cc: vgoyal@redhat.com +Cc: x86-ml +Link: https://lkml.kernel.org/r/20191108090027.11082-4-lijiang@redhat.com +Link: https://lkml.kernel.org/r/201910310233.EJRtTMWP%25lkp@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/crash.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/include/asm/crash.h b/arch/x86/include/asm/crash.h +index a7adb2bfbf0b..6b8ad6fa3979 100644 +--- a/arch/x86/include/asm/crash.h ++++ b/arch/x86/include/asm/crash.h +@@ -2,6 +2,8 @@ + #ifndef _ASM_X86_CRASH_H + #define _ASM_X86_CRASH_H + ++struct kimage; ++ + int crash_load_segments(struct kimage *image); + int crash_copy_backup_region(struct kimage *image); + int crash_setup_memmap_entries(struct kimage *image, +-- +2.20.1 + diff --git a/queue-4.14/x86-insn-add-some-intel-instructions-to-the-opcode-m.patch b/queue-4.14/x86-insn-add-some-intel-instructions-to-the-opcode-m.patch new file mode 100644 index 00000000000..f221f38e7aa --- /dev/null +++ b/queue-4.14/x86-insn-add-some-intel-instructions-to-the-opcode-m.patch @@ -0,0 +1,258 @@ +From 9d57c2472fb22706a99c2c8f9d1d9c2bf7f1aef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 15:54:47 +0200 +Subject: x86/insn: Add some Intel instructions to the opcode map + +From: Adrian Hunter + +[ Upstream commit b980be189c9badba50634671e2303e92bf28e35a ] + +Add to the opcode map the following instructions: + cldemote + tpause + umonitor + umwait + movdiri + movdir64b + enqcmd + enqcmds + encls + enclu + enclv + pconfig + wbnoinvd + +For information about the instructions, refer Intel SDM May 2019 +(325462-070US) and Intel Architecture Instruction Set Extensions +May 2019 (319433-037). + +The instruction decoding can be tested using the perf tools' +"x86 instruction decoder - new instructions" test as folllows: + + $ perf test -v "new " 2>&1 | grep -i cldemote + Decoded ok: 0f 1c 00 cldemote (%eax) + Decoded ok: 0f 1c 05 78 56 34 12 cldemote 0x12345678 + Decoded ok: 0f 1c 84 c8 78 56 34 12 cldemote 0x12345678(%eax,%ecx,8) + Decoded ok: 0f 1c 00 cldemote (%rax) + Decoded ok: 41 0f 1c 00 cldemote (%r8) + Decoded ok: 0f 1c 04 25 78 56 34 12 cldemote 0x12345678 + Decoded ok: 0f 1c 84 c8 78 56 34 12 cldemote 0x12345678(%rax,%rcx,8) + Decoded ok: 41 0f 1c 84 c8 78 56 34 12 cldemote 0x12345678(%r8,%rcx,8) + $ perf test -v "new " 2>&1 | grep -i tpause + Decoded ok: 66 0f ae f3 tpause %ebx + Decoded ok: 66 0f ae f3 tpause %ebx + Decoded ok: 66 41 0f ae f0 tpause %r8d + $ perf test -v "new " 2>&1 | grep -i umonitor + Decoded ok: 67 f3 0f ae f0 umonitor %ax + Decoded ok: f3 0f ae f0 umonitor %eax + Decoded ok: 67 f3 0f ae f0 umonitor %eax + Decoded ok: f3 0f ae f0 umonitor %rax + Decoded ok: 67 f3 41 0f ae f0 umonitor %r8d + $ perf test -v "new " 2>&1 | grep -i umwait + Decoded ok: f2 0f ae f0 umwait %eax + Decoded ok: f2 0f ae f0 umwait %eax + Decoded ok: f2 41 0f ae f0 umwait %r8d + $ perf test -v "new " 2>&1 | grep -i movdiri + Decoded ok: 0f 38 f9 03 movdiri %eax,(%ebx) + Decoded ok: 0f 38 f9 88 78 56 34 12 movdiri %ecx,0x12345678(%eax) + Decoded ok: 48 0f 38 f9 03 movdiri %rax,(%rbx) + Decoded ok: 48 0f 38 f9 88 78 56 34 12 movdiri %rcx,0x12345678(%rax) + $ perf test -v "new " 2>&1 | grep -i movdir64b + Decoded ok: 66 0f 38 f8 18 movdir64b (%eax),%ebx + Decoded ok: 66 0f 38 f8 88 78 56 34 12 movdir64b 0x12345678(%eax),%ecx + Decoded ok: 67 66 0f 38 f8 1c movdir64b (%si),%bx + Decoded ok: 67 66 0f 38 f8 8c 34 12 movdir64b 0x1234(%si),%cx + Decoded ok: 66 0f 38 f8 18 movdir64b (%rax),%rbx + Decoded ok: 66 0f 38 f8 88 78 56 34 12 movdir64b 0x12345678(%rax),%rcx + Decoded ok: 67 66 0f 38 f8 18 movdir64b (%eax),%ebx + Decoded ok: 67 66 0f 38 f8 88 78 56 34 12 movdir64b 0x12345678(%eax),%ecx + $ perf test -v "new " 2>&1 | grep -i enqcmd + Decoded ok: f2 0f 38 f8 18 enqcmd (%eax),%ebx + Decoded ok: f2 0f 38 f8 88 78 56 34 12 enqcmd 0x12345678(%eax),%ecx + Decoded ok: 67 f2 0f 38 f8 1c enqcmd (%si),%bx + Decoded ok: 67 f2 0f 38 f8 8c 34 12 enqcmd 0x1234(%si),%cx + Decoded ok: f3 0f 38 f8 18 enqcmds (%eax),%ebx + Decoded ok: f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%eax),%ecx + Decoded ok: 67 f3 0f 38 f8 1c enqcmds (%si),%bx + Decoded ok: 67 f3 0f 38 f8 8c 34 12 enqcmds 0x1234(%si),%cx + Decoded ok: f2 0f 38 f8 18 enqcmd (%rax),%rbx + Decoded ok: f2 0f 38 f8 88 78 56 34 12 enqcmd 0x12345678(%rax),%rcx + Decoded ok: 67 f2 0f 38 f8 18 enqcmd (%eax),%ebx + Decoded ok: 67 f2 0f 38 f8 88 78 56 34 12 enqcmd 0x12345678(%eax),%ecx + Decoded ok: f3 0f 38 f8 18 enqcmds (%rax),%rbx + Decoded ok: f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%rax),%rcx + Decoded ok: 67 f3 0f 38 f8 18 enqcmds (%eax),%ebx + Decoded ok: 67 f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%eax),%ecx + $ perf test -v "new " 2>&1 | grep -i enqcmds + Decoded ok: f3 0f 38 f8 18 enqcmds (%eax),%ebx + Decoded ok: f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%eax),%ecx + Decoded ok: 67 f3 0f 38 f8 1c enqcmds (%si),%bx + Decoded ok: 67 f3 0f 38 f8 8c 34 12 enqcmds 0x1234(%si),%cx + Decoded ok: f3 0f 38 f8 18 enqcmds (%rax),%rbx + Decoded ok: f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%rax),%rcx + Decoded ok: 67 f3 0f 38 f8 18 enqcmds (%eax),%ebx + Decoded ok: 67 f3 0f 38 f8 88 78 56 34 12 enqcmds 0x12345678(%eax),%ecx + $ perf test -v "new " 2>&1 | grep -i encls + Decoded ok: 0f 01 cf encls + Decoded ok: 0f 01 cf encls + $ perf test -v "new " 2>&1 | grep -i enclu + Decoded ok: 0f 01 d7 enclu + Decoded ok: 0f 01 d7 enclu + $ perf test -v "new " 2>&1 | grep -i enclv + Decoded ok: 0f 01 c0 enclv + Decoded ok: 0f 01 c0 enclv + $ perf test -v "new " 2>&1 | grep -i pconfig + Decoded ok: 0f 01 c5 pconfig + Decoded ok: 0f 01 c5 pconfig + $ perf test -v "new " 2>&1 | grep -i wbnoinvd + Decoded ok: f3 0f 09 wbnoinvd + Decoded ok: f3 0f 09 wbnoinvd + +Signed-off-by: Adrian Hunter +Reviewed-by: Andi Kleen +Acked-by: Masami Hiramatsu +Cc: Borislav Petkov +Cc: H. Peter Anvin +Cc: Jiri Olsa +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: x86@kernel.org +Link: http://lore.kernel.org/lkml/20191115135447.6519-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 18 ++++++++++++------ + tools/objtool/arch/x86/lib/x86-opcode-map.txt | 18 ++++++++++++------ + 2 files changed, 24 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index e0b85930dd77..0a0e9112f284 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -333,7 +333,7 @@ AVXcode: 1 + 06: CLTS + 07: SYSRET (o64) + 08: INVD +-09: WBINVD ++09: WBINVD | WBNOINVD (F3) + 0a: + 0b: UD2 (1B) + 0c: +@@ -364,7 +364,7 @@ AVXcode: 1 + # a ModR/M byte. + 1a: BNDCL Gv,Ev (F3) | BNDCU Gv,Ev (F2) | BNDMOV Gv,Ev (66) | BNDLDX Gv,Ev + 1b: BNDCN Gv,Ev (F2) | BNDMOV Ev,Gv (66) | BNDMK Gv,Ev (F3) | BNDSTX Ev,Gv +-1c: ++1c: Grp20 (1A),(1C) + 1d: + 1e: + 1f: NOP Ev +@@ -792,6 +792,8 @@ f3: Grp17 (1A) + f5: BZHI Gy,Ey,By (v) | PEXT Gy,By,Ey (F3),(v) | PDEP Gy,By,Ey (F2),(v) + f6: ADCX Gy,Ey (66) | ADOX Gy,Ey (F3) | MULX By,Gy,rDX,Ey (F2),(v) + f7: BEXTR Gy,Ey,By (v) | SHLX Gy,Ey,By (66),(v) | SARX Gy,Ey,By (F3),(v) | SHRX Gy,Ey,By (F2),(v) ++f8: MOVDIR64B Gv,Mdqq (66) | ENQCMD Gv,Mdqq (F2) | ENQCMDS Gv,Mdqq (F3) ++f9: MOVDIRI My,Gy + EndTable + + Table: 3-byte opcode 2 (0x0f 0x3a) +@@ -943,9 +945,9 @@ GrpTable: Grp6 + EndTable + + GrpTable: Grp7 +-0: SGDT Ms | VMCALL (001),(11B) | VMLAUNCH (010),(11B) | VMRESUME (011),(11B) | VMXOFF (100),(11B) +-1: SIDT Ms | MONITOR (000),(11B) | MWAIT (001),(11B) | CLAC (010),(11B) | STAC (011),(11B) +-2: LGDT Ms | XGETBV (000),(11B) | XSETBV (001),(11B) | VMFUNC (100),(11B) | XEND (101)(11B) | XTEST (110)(11B) ++0: SGDT Ms | VMCALL (001),(11B) | VMLAUNCH (010),(11B) | VMRESUME (011),(11B) | VMXOFF (100),(11B) | PCONFIG (101),(11B) | ENCLV (000),(11B) ++1: SIDT Ms | MONITOR (000),(11B) | MWAIT (001),(11B) | CLAC (010),(11B) | STAC (011),(11B) | ENCLS (111),(11B) ++2: LGDT Ms | XGETBV (000),(11B) | XSETBV (001),(11B) | VMFUNC (100),(11B) | XEND (101)(11B) | XTEST (110)(11B) | ENCLU (111),(11B) + 3: LIDT Ms + 4: SMSW Mw/Rv + 5: rdpkru (110),(11B) | wrpkru (111),(11B) +@@ -1020,7 +1022,7 @@ GrpTable: Grp15 + 3: vstmxcsr Md (v1) | WRGSBASE Ry (F3),(11B) + 4: XSAVE | ptwrite Ey (F3),(11B) + 5: XRSTOR | lfence (11B) +-6: XSAVEOPT | clwb (66) | mfence (11B) ++6: XSAVEOPT | clwb (66) | mfence (11B) | TPAUSE Rd (66),(11B) | UMONITOR Rv (F3),(11B) | UMWAIT Rd (F2),(11B) + 7: clflush | clflushopt (66) | sfence (11B) + EndTable + +@@ -1051,6 +1053,10 @@ GrpTable: Grp19 + 6: vscatterpf1qps/d Wx (66),(ev) + EndTable + ++GrpTable: Grp20 ++0: cldemote Mb ++EndTable ++ + # AMD's Prefetch Group + GrpTable: GrpP + 0: PREFETCH +diff --git a/tools/objtool/arch/x86/lib/x86-opcode-map.txt b/tools/objtool/arch/x86/lib/x86-opcode-map.txt +index e0b85930dd77..0a0e9112f284 100644 +--- a/tools/objtool/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/objtool/arch/x86/lib/x86-opcode-map.txt +@@ -333,7 +333,7 @@ AVXcode: 1 + 06: CLTS + 07: SYSRET (o64) + 08: INVD +-09: WBINVD ++09: WBINVD | WBNOINVD (F3) + 0a: + 0b: UD2 (1B) + 0c: +@@ -364,7 +364,7 @@ AVXcode: 1 + # a ModR/M byte. + 1a: BNDCL Gv,Ev (F3) | BNDCU Gv,Ev (F2) | BNDMOV Gv,Ev (66) | BNDLDX Gv,Ev + 1b: BNDCN Gv,Ev (F2) | BNDMOV Ev,Gv (66) | BNDMK Gv,Ev (F3) | BNDSTX Ev,Gv +-1c: ++1c: Grp20 (1A),(1C) + 1d: + 1e: + 1f: NOP Ev +@@ -792,6 +792,8 @@ f3: Grp17 (1A) + f5: BZHI Gy,Ey,By (v) | PEXT Gy,By,Ey (F3),(v) | PDEP Gy,By,Ey (F2),(v) + f6: ADCX Gy,Ey (66) | ADOX Gy,Ey (F3) | MULX By,Gy,rDX,Ey (F2),(v) + f7: BEXTR Gy,Ey,By (v) | SHLX Gy,Ey,By (66),(v) | SARX Gy,Ey,By (F3),(v) | SHRX Gy,Ey,By (F2),(v) ++f8: MOVDIR64B Gv,Mdqq (66) | ENQCMD Gv,Mdqq (F2) | ENQCMDS Gv,Mdqq (F3) ++f9: MOVDIRI My,Gy + EndTable + + Table: 3-byte opcode 2 (0x0f 0x3a) +@@ -943,9 +945,9 @@ GrpTable: Grp6 + EndTable + + GrpTable: Grp7 +-0: SGDT Ms | VMCALL (001),(11B) | VMLAUNCH (010),(11B) | VMRESUME (011),(11B) | VMXOFF (100),(11B) +-1: SIDT Ms | MONITOR (000),(11B) | MWAIT (001),(11B) | CLAC (010),(11B) | STAC (011),(11B) +-2: LGDT Ms | XGETBV (000),(11B) | XSETBV (001),(11B) | VMFUNC (100),(11B) | XEND (101)(11B) | XTEST (110)(11B) ++0: SGDT Ms | VMCALL (001),(11B) | VMLAUNCH (010),(11B) | VMRESUME (011),(11B) | VMXOFF (100),(11B) | PCONFIG (101),(11B) | ENCLV (000),(11B) ++1: SIDT Ms | MONITOR (000),(11B) | MWAIT (001),(11B) | CLAC (010),(11B) | STAC (011),(11B) | ENCLS (111),(11B) ++2: LGDT Ms | XGETBV (000),(11B) | XSETBV (001),(11B) | VMFUNC (100),(11B) | XEND (101)(11B) | XTEST (110)(11B) | ENCLU (111),(11B) + 3: LIDT Ms + 4: SMSW Mw/Rv + 5: rdpkru (110),(11B) | wrpkru (111),(11B) +@@ -1020,7 +1022,7 @@ GrpTable: Grp15 + 3: vstmxcsr Md (v1) | WRGSBASE Ry (F3),(11B) + 4: XSAVE | ptwrite Ey (F3),(11B) + 5: XRSTOR | lfence (11B) +-6: XSAVEOPT | clwb (66) | mfence (11B) ++6: XSAVEOPT | clwb (66) | mfence (11B) | TPAUSE Rd (66),(11B) | UMONITOR Rv (F3),(11B) | UMWAIT Rd (F2),(11B) + 7: clflush | clflushopt (66) | sfence (11B) + EndTable + +@@ -1051,6 +1053,10 @@ GrpTable: Grp19 + 6: vscatterpf1qps/d Wx (66),(ev) + EndTable + ++GrpTable: Grp20 ++0: cldemote Mb ++EndTable ++ + # AMD's Prefetch Group + GrpTable: GrpP + 0: PREFETCH +-- +2.20.1 + diff --git a/queue-4.14/x86-ioapic-prevent-inconsistent-state-when-moving-an.patch b/queue-4.14/x86-ioapic-prevent-inconsistent-state-when-moving-an.patch new file mode 100644 index 00000000000..33d32c484c0 --- /dev/null +++ b/queue-4.14/x86-ioapic-prevent-inconsistent-state-when-moving-an.patch @@ -0,0 +1,81 @@ +From 33f47160e7040a6070ffdd11f003988ebf65f808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 12:19:01 +0200 +Subject: x86/ioapic: Prevent inconsistent state when moving an interrupt + +From: Thomas Gleixner + +[ Upstream commit df4393424af3fbdcd5c404077176082a8ce459c4 ] + +There is an issue with threaded interrupts which are marked ONESHOT +and using the fasteoi handler: + + if (IS_ONESHOT()) + mask_irq(); + .... + cond_unmask_eoi_irq() + chip->irq_eoi(); + if (setaffinity_pending) { + mask_ioapic(); + ... + move_affinity(); + unmask_ioapic(); + } + +So if setaffinity is pending the interrupt will be moved and then +unconditionally unmasked at the ioapic level, which is wrong in two +aspects: + + 1) It should be kept masked up to the point where the threaded handler + finished. + + 2) The physical chip state and the software masked state are inconsistent + +Guard both the mask and the unmask with a check for the software masked +state. If the line is marked masked then the ioapic line is also masked, so +both mask_ioapic() and unmask_ioapic() can be skipped safely. + +Signed-off-by: Thomas Gleixner +Cc: Andy Shevchenko +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Sebastian Siewior +Fixes: 3aa551c9b4c4 ("genirq: add threaded interrupt handler support") +Link: https://lkml.kernel.org/r/20191017101938.321393687@linutronix.de +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/io_apic.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index 566b7bc5deaa..2271adbc3c42 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -1690,9 +1690,10 @@ static bool io_apic_level_ack_pending(struct mp_chip_data *data) + + static inline bool ioapic_irqd_mask(struct irq_data *data) + { +- /* If we are moving the irq we need to mask it */ ++ /* If we are moving the IRQ we need to mask it */ + if (unlikely(irqd_is_setaffinity_pending(data))) { +- mask_ioapic_irq(data); ++ if (!irqd_irq_masked(data)) ++ mask_ioapic_irq(data); + return true; + } + return false; +@@ -1729,7 +1730,9 @@ static inline void ioapic_irqd_unmask(struct irq_data *data, bool masked) + */ + if (!io_apic_level_ack_pending(data->chip_data)) + irq_move_masked_irq(data); +- unmask_ioapic_irq(data); ++ /* If the IRQ is masked in the core, leave it: */ ++ if (!irqd_irq_masked(data)) ++ unmask_ioapic_irq(data); + } + } + #else +-- +2.20.1 + diff --git a/queue-4.14/x86-mce-lower-throttling-mce-messages-priority-to-wa.patch b/queue-4.14/x86-mce-lower-throttling-mce-messages-priority-to-wa.patch new file mode 100644 index 00000000000..4b7b0a5a318 --- /dev/null +++ b/queue-4.14/x86-mce-lower-throttling-mce-messages-priority-to-wa.patch @@ -0,0 +1,67 @@ +From 63803b99edf99f4db776b236ad96f7caf6b870dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 17:54:24 +0200 +Subject: x86/mce: Lower throttling MCE messages' priority to warning + +From: Benjamin Berg + +[ Upstream commit 9c3bafaa1fd88e4dd2dba3735a1f1abb0f2c7bb7 ] + +On modern CPUs it is quite normal that the temperature limits are +reached and the CPU is throttled. In fact, often the thermal design is +not sufficient to cool the CPU at full load and limits can quickly be +reached when a burst in load happens. This will even happen with +technologies like RAPL limitting the long term power consumption of +the package. + +Also, these limits are "softer", as Srinivas explains: + +"CPU temperature doesn't have to hit max(TjMax) to get these warnings. +OEMs ha[ve] an ability to program a threshold where a thermal interrupt +can be generated. In some systems the offset is 20C+ (Read only value). + +In recent systems, there is another offset on top of it which can be +programmed by OS, once some agent can adjust power limits dynamically. +By default this is set to low by the firmware, which I guess the +prime motivation of Benjamin to submit the patch." + +So these messages do not usually indicate a hardware issue (e.g. +insufficient cooling). Log them as warnings to avoid confusion about +their severity. + + [ bp: Massage commit mesage. ] + +Signed-off-by: Benjamin Berg +Signed-off-by: Borislav Petkov +Reviewed-by: Hans de Goede +Tested-by: Christian Kellner +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: linux-edac +Cc: Peter Zijlstra +Cc: Srinivas Pandruvada +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: x86-ml +Link: https://lkml.kernel.org/r/20191009155424.249277-1-bberg@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c +index ee229ceee745..ec6a07b04fdb 100644 +--- a/arch/x86/kernel/cpu/mcheck/therm_throt.c ++++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c +@@ -185,7 +185,7 @@ static void therm_throt_process(bool new_event, int event, int level) + /* if we just entered the thermal event */ + if (new_event) { + if (event == THERMAL_THROTTLING_EVENT) +- pr_crit("CPU%d: %s temperature above threshold, cpu clock throttled (total events = %lu)\n", ++ pr_warn("CPU%d: %s temperature above threshold, cpu clock throttled (total events = %lu)\n", + this_cpu, + level == CORE_LEVEL ? "Core" : "Package", + state->count); +-- +2.20.1 + diff --git a/queue-4.14/x86-mm-use-the-correct-function-type-for-native_set_.patch b/queue-4.14/x86-mm-use-the-correct-function-type-for-native_set_.patch new file mode 100644 index 00000000000..021b052d426 --- /dev/null +++ b/queue-4.14/x86-mm-use-the-correct-function-type-for-native_set_.patch @@ -0,0 +1,65 @@ +From 3efadcf4d0474eb7ef5b9a3d0b97ae066f7037ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2019 14:14:02 -0700 +Subject: x86/mm: Use the correct function type for native_set_fixmap() + +From: Sami Tolvanen + +[ Upstream commit f53e2cd0b8ab7d9e390414470bdbd830f660133f ] + +We call native_set_fixmap indirectly through the function pointer +struct pv_mmu_ops::set_fixmap, which expects the first parameter to be +'unsigned' instead of 'enum fixed_addresses'. This patch changes the +function type for native_set_fixmap to match the pointer, which fixes +indirect call mismatches with Control-Flow Integrity (CFI) checking. + +Signed-off-by: Sami Tolvanen +Reviewed-by: Kees Cook +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: H . Peter Anvin +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Rik van Riel +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190913211402.193018-1-samitolvanen@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/fixmap.h | 2 +- + arch/x86/mm/pgtable.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/fixmap.h b/arch/x86/include/asm/fixmap.h +index 6390bd8c141b..5e12b2319d7a 100644 +--- a/arch/x86/include/asm/fixmap.h ++++ b/arch/x86/include/asm/fixmap.h +@@ -159,7 +159,7 @@ extern pte_t *kmap_pte; + extern pte_t *pkmap_page_table; + + void __native_set_fixmap(enum fixed_addresses idx, pte_t pte); +-void native_set_fixmap(enum fixed_addresses idx, ++void native_set_fixmap(unsigned /* enum fixed_addresses */ idx, + phys_addr_t phys, pgprot_t flags); + + #ifndef CONFIG_PARAVIRT +diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c +index b4fd36271f90..55338b392221 100644 +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -590,8 +590,8 @@ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte) + fixmaps_set++; + } + +-void native_set_fixmap(enum fixed_addresses idx, phys_addr_t phys, +- pgprot_t flags) ++void native_set_fixmap(unsigned /* enum fixed_addresses */ idx, ++ phys_addr_t phys, pgprot_t flags) + { + __native_set_fixmap(idx, pfn_pte(phys >> PAGE_SHIFT, flags)); + } +-- +2.20.1 +