From 17444ed6da564161e667f260d6a2846851f0cc94 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 16 May 2020 23:55:00 -0400 Subject: [PATCH] Fixes for 4.14 Signed-off-by: Sasha Levin --- ...x-race-in-monitor-detection-during-p.patch | 49 +++++++ ...ealtek-fix-s3-pop-noise-on-dell-wyse.patch | 72 ++++++++++ ...tate-only-mention-the-bios-disabling.patch | 37 ++++++ ..._tdma-reset-channel-error-on-release.patch | 41 ++++++ ...a.c-avoid-data-race-between-probe-an.patch | 47 +++++++ ..._bo_kunmap_atomic_page-in-qxl_image_.patch | 36 +++++ ...n-da9052-synchronize-access-with-mfd.patch | 46 +++++++ ...r-handling-in-i40iw_manage_arp_cache.patch | 38 ++++++ ...urn-value-of-calls-to-ib_get_cached_.patch | 68 ++++++++++ ...pc_find_ipc-incorrectly-updates-posi.patch | 125 ++++++++++++++++++ ...ll-pointer-dereference-in-ssif_probe.patch | 42 ++++++ ...ack-avoid-gcc-10-zero-length-bounds-.patch | 66 +++++++++ ...-enable-pin-configuration-setting-fo.patch | 38 ++++++ ...ew-add-missing-spinlock-usage-in-chv.patch | 51 +++++++ queue-4.14/series | 15 +++ ...-unwind-hints-in-register-clearing-c.patch | 109 +++++++++++++++ 16 files changed, 880 insertions(+) create mode 100644 queue-4.14/alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch create mode 100644 queue-4.14/alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch create mode 100644 queue-4.14/cpufreq-intel_pstate-only-mention-the-bios-disabling.patch create mode 100644 queue-4.14/dmaengine-mmp_tdma-reset-channel-error-on-release.patch create mode 100644 queue-4.14/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch create mode 100644 queue-4.14/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch create mode 100644 queue-4.14/hwmon-da9052-synchronize-access-with-mfd.patch create mode 100644 queue-4.14/i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch create mode 100644 queue-4.14/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch create mode 100644 queue-4.14/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch create mode 100644 queue-4.14/ipmi-fix-null-pointer-dereference-in-ssif_probe.patch create mode 100644 queue-4.14/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch create mode 100644 queue-4.14/pinctrl-baytrail-enable-pin-configuration-setting-fo.patch create mode 100644 queue-4.14/pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch create mode 100644 queue-4.14/x86-entry-64-fix-unwind-hints-in-register-clearing-c.patch diff --git a/queue-4.14/alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch b/queue-4.14/alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch new file mode 100644 index 00000000000..4e8be6f4391 --- /dev/null +++ b/queue-4.14/alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch @@ -0,0 +1,49 @@ +From c9b5a435ddb312b0988918a4db5d25c0a64417ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 15:38:36 +0300 +Subject: ALSA: hda/hdmi: fix race in monitor detection during probe + +From: Kai Vehmanen + +[ Upstream commit ca76282b6faffc83601c25bd2a95f635c03503ef ] + +A race exists between build_pcms() and build_controls() phases of codec +setup. Build_pcms() sets up notifier for jack events. If a monitor event +is received before build_controls() is run, the initial jack state is +lost and never reported via mixer controls. + +The problem can be hit at least with SOF as the controller driver. SOF +calls snd_hda_codec_build_controls() in its workqueue-based probe and +this can be delayed enough to hit the race condition. + +Fix the issue by invalidating the per-pin ELD information when +build_controls() is called. The existing call to hdmi_present_sense() +will update the ELD contents. This ensures initial monitor state is +correctly reflected via mixer controls. + +BugLink: https://github.com/thesofproject/linux/issues/1687 +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20200428123836.24512-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 435c0efb9bf29..6b4ebaefd8f85 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2212,7 +2212,9 @@ static int generic_hdmi_build_controls(struct hda_codec *codec) + + for (pin_idx = 0; pin_idx < spec->num_pins; pin_idx++) { + struct hdmi_spec_per_pin *per_pin = get_pin(spec, pin_idx); ++ struct hdmi_eld *pin_eld = &per_pin->sink_eld; + ++ pin_eld->eld_valid = false; + hdmi_present_sense(per_pin, 0); + } + +-- +2.20.1 + diff --git a/queue-4.14/alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch b/queue-4.14/alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch new file mode 100644 index 00000000000..bcd03401313 --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch @@ -0,0 +1,72 @@ +From 88ef81b2fec7abe9d619179cdd9f6c5c0962c1af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 May 2020 23:24:47 +0800 +Subject: ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse + +From: Kai-Heng Feng + +[ Upstream commit 52e4e36807aeac1cdd07b14e509c8a64101e1a09 ] + +Commit 317d9313925c ("ALSA: hda/realtek - Set default power save node to +0") makes the ALC225 have pop noise on S3 resume and cold boot. + +The previous fix enable power save node universally for ALC225, however +it makes some ALC225 systems unable to produce any sound. + +So let's only enable power save node for the affected Dell Wyse +platform. + +Fixes: 317d9313925c ("ALSA: hda/realtek - Set default power save node to 0") +BugLink: https://bugs.launchpad.net/bugs/1866357 +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20200503152449.22761-2-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index b2aec97414fb8..d578f6594223f 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5354,6 +5354,15 @@ static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec, + } + } + ++static void alc225_fixup_s3_pop_noise(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ if (action != HDA_FIXUP_ACT_PRE_PROBE) ++ return; ++ ++ codec->power_save_node = 1; ++} ++ + /* Forcibly assign NID 0x03 to HP/LO while NID 0x02 to SPK for EQ */ + static void alc274_fixup_bind_dacs(struct hda_codec *codec, + const struct hda_fixup *fix, int action) +@@ -5507,6 +5516,7 @@ enum { + ALC233_FIXUP_LENOVO_MULTI_CODECS, + ALC294_FIXUP_LENOVO_MIC_LOCATION, + ALC225_FIXUP_DELL_WYSE_MIC_NO_PRESENCE, ++ ALC225_FIXUP_S3_POP_NOISE, + ALC700_FIXUP_INTEL_REFERENCE, + ALC274_FIXUP_DELL_BIND_DACS, + ALC274_FIXUP_DELL_AIO_LINEOUT_VERB, +@@ -6339,6 +6349,12 @@ static const struct hda_fixup alc269_fixups[] = { + { } + }, + .chained = true, ++ .chain_id = ALC225_FIXUP_S3_POP_NOISE ++ }, ++ [ALC225_FIXUP_S3_POP_NOISE] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc225_fixup_s3_pop_noise, ++ .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC + }, + [ALC700_FIXUP_INTEL_REFERENCE] = { +-- +2.20.1 + diff --git a/queue-4.14/cpufreq-intel_pstate-only-mention-the-bios-disabling.patch b/queue-4.14/cpufreq-intel_pstate-only-mention-the-bios-disabling.patch new file mode 100644 index 00000000000..fb6e2d6210c --- /dev/null +++ b/queue-4.14/cpufreq-intel_pstate-only-mention-the-bios-disabling.patch @@ -0,0 +1,37 @@ +From 6d97c7aaf119c98d3cd69ffbe1f91ad82efb03c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Apr 2020 20:26:29 +0100 +Subject: cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode + once + +From: Chris Wilson + +[ Upstream commit 8c539776ac83c0857395e1ccc9c6b516521a2d32 ] + +Make a note of the first time we discover the turbo mode has been +disabled by the BIOS, as otherwise we complain every time we try to +update the mode. + +Signed-off-by: Chris Wilson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 7a5662425b291..1aa0b05c8cbdf 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -935,7 +935,7 @@ static ssize_t store_no_turbo(struct kobject *a, struct kobj_attribute *b, + + update_turbo_state(); + if (global.turbo_disabled) { +- pr_warn("Turbo disabled by BIOS or unavailable on processor\n"); ++ pr_notice_once("Turbo disabled by BIOS or unavailable on processor\n"); + mutex_unlock(&intel_pstate_limits_lock); + mutex_unlock(&intel_pstate_driver_lock); + return -EPERM; +-- +2.20.1 + diff --git a/queue-4.14/dmaengine-mmp_tdma-reset-channel-error-on-release.patch b/queue-4.14/dmaengine-mmp_tdma-reset-channel-error-on-release.patch new file mode 100644 index 00000000000..ac3ac5102f5 --- /dev/null +++ b/queue-4.14/dmaengine-mmp_tdma-reset-channel-error-on-release.patch @@ -0,0 +1,41 @@ +From d31f72d90ea41821715f29132991c66351a4408f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Apr 2020 18:49:09 +0200 +Subject: dmaengine: mmp_tdma: Reset channel error on release + +From: Lubomir Rintel + +[ Upstream commit 0c89446379218698189a47871336cb30286a7197 ] + +When a channel configuration fails, the status of the channel is set to +DEV_ERROR so that an attempt to submit it fails. However, this status +sticks until the heat end of the universe, making it impossible to +recover from the error. + +Let's reset it when the channel is released so that further use of the +channel with correct configuration is not impacted. + +Signed-off-by: Lubomir Rintel +Link: https://lore.kernel.org/r/20200419164912.670973-5-lkundrak@v3.sk +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_tdma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma/mmp_tdma.c b/drivers/dma/mmp_tdma.c +index 13c68b6434ce2..15b4a44e60069 100644 +--- a/drivers/dma/mmp_tdma.c ++++ b/drivers/dma/mmp_tdma.c +@@ -362,6 +362,8 @@ static void mmp_tdma_free_descriptor(struct mmp_tdma_chan *tdmac) + gen_pool_free(gpool, (unsigned long)tdmac->desc_arr, + size); + tdmac->desc_arr = NULL; ++ if (tdmac->status == DMA_ERROR) ++ tdmac->status = DMA_COMPLETE; + + return; + } +-- +2.20.1 + diff --git a/queue-4.14/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch b/queue-4.14/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch new file mode 100644 index 00000000000..e3e02b86e72 --- /dev/null +++ b/queue-4.14/dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch @@ -0,0 +1,47 @@ +From a42b5d1ffc1b39190f93bcd0b9b64bd6230d5035 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 11:53:35 +0530 +Subject: dmaengine: pch_dma.c: Avoid data race between probe and irq handler + +From: Madhuparna Bhowmik + +[ Upstream commit 2e45676a4d33af47259fa186ea039122ce263ba9 ] + +pd->dma.dev is read in irq handler pd_irq(). +However, it is set to pdev->dev after request_irq(). +Therefore, set pd->dma.dev to pdev->dev before request_irq() to +avoid data race between pch_dma_probe() and pd_irq(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Link: https://lore.kernel.org/r/20200416062335.29223-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pch_dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/pch_dma.c b/drivers/dma/pch_dma.c +index f9028e9d0dfc2..d6af2d439b979 100644 +--- a/drivers/dma/pch_dma.c ++++ b/drivers/dma/pch_dma.c +@@ -873,6 +873,7 @@ static int pch_dma_probe(struct pci_dev *pdev, + } + + pci_set_master(pdev); ++ pd->dma.dev = &pdev->dev; + + err = request_irq(pdev->irq, pd_irq, IRQF_SHARED, DRV_NAME, pd); + if (err) { +@@ -888,7 +889,6 @@ static int pch_dma_probe(struct pci_dev *pdev, + goto err_free_irq; + } + +- pd->dma.dev = &pdev->dev; + + INIT_LIST_HEAD(&pd->dma.channels); + +-- +2.20.1 + diff --git a/queue-4.14/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch b/queue-4.14/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch new file mode 100644 index 00000000000..4e9061987cb --- /dev/null +++ b/queue-4.14/drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch @@ -0,0 +1,36 @@ +From 7091491864a82ddf12793a5ba1e232f6817edadb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 12:34:36 +0300 +Subject: drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() + +From: Vasily Averin + +[ Upstream commit 5b5703dbafae74adfbe298a56a81694172caf5e6 ] + +v2: removed TODO reminder + +Signed-off-by: Vasily Averin +Link: http://patchwork.freedesktop.org/patch/msgid/a4e0ae09-a73c-1c62-04ef-3f990d41bea9@virtuozzo.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/qxl/qxl_image.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/qxl/qxl_image.c b/drivers/gpu/drm/qxl/qxl_image.c +index 7fbcc35e8ad35..c89c10055641e 100644 +--- a/drivers/gpu/drm/qxl/qxl_image.c ++++ b/drivers/gpu/drm/qxl/qxl_image.c +@@ -210,7 +210,8 @@ qxl_image_init_helper(struct qxl_device *qdev, + break; + default: + DRM_ERROR("unsupported image bit depth\n"); +- return -EINVAL; /* TODO: cleanup */ ++ qxl_bo_kunmap_atomic_page(qdev, image_bo, ptr); ++ return -EINVAL; + } + image->u.bitmap.flags = QXL_BITMAP_TOP_DOWN; + image->u.bitmap.x = width; +-- +2.20.1 + diff --git a/queue-4.14/hwmon-da9052-synchronize-access-with-mfd.patch b/queue-4.14/hwmon-da9052-synchronize-access-with-mfd.patch new file mode 100644 index 00000000000..919caaa34ee --- /dev/null +++ b/queue-4.14/hwmon-da9052-synchronize-access-with-mfd.patch @@ -0,0 +1,46 @@ +From 1226096af87404eec35f35026b835e9272c1b5b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 13:02:19 +0200 +Subject: hwmon: (da9052) Synchronize access with mfd + +From: Samu Nuutamo + +[ Upstream commit 333e22db228f0bd0c839553015a6a8d3db4ba569 ] + +When tsi-as-adc is configured it is possible for in7[0123]_input read to +return an incorrect value if a concurrent read to in[456]_input is +performed. This is caused by a concurrent manipulation of the mux +channel without proper locking as hwmon and mfd use different locks for +synchronization. + +Switch hwmon to use the same lock as mfd when accessing the TSI channel. + +Fixes: 4f16cab19a3d5 ("hwmon: da9052: Add support for TSI channel") +Signed-off-by: Samu Nuutamo +[rebase to current master, reword commit message slightly] +Signed-off-by: Sebastian Reichel +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/da9052-hwmon.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/da9052-hwmon.c b/drivers/hwmon/da9052-hwmon.c +index a973eb6a28908..9e44d2385e6f9 100644 +--- a/drivers/hwmon/da9052-hwmon.c ++++ b/drivers/hwmon/da9052-hwmon.c +@@ -250,9 +250,9 @@ static ssize_t da9052_read_tsi(struct device *dev, + int channel = to_sensor_dev_attr(devattr)->index; + int ret; + +- mutex_lock(&hwmon->hwmon_lock); ++ mutex_lock(&hwmon->da9052->auxadc_lock); + ret = __da9052_read_tsi(dev, channel); +- mutex_unlock(&hwmon->hwmon_lock); ++ mutex_unlock(&hwmon->da9052->auxadc_lock); + + if (ret < 0) + return ret; +-- +2.20.1 + diff --git a/queue-4.14/i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch b/queue-4.14/i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch new file mode 100644 index 00000000000..365dd3d4cca --- /dev/null +++ b/queue-4.14/i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch @@ -0,0 +1,38 @@ +From 553c966fff5e3fae8b7a20ef6f1641fcb245d84b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 12:22:11 +0300 +Subject: i40iw: Fix error handling in i40iw_manage_arp_cache() + +From: Dan Carpenter + +[ Upstream commit 37e31d2d26a4124506c24e95434e9baf3405a23a ] + +The i40iw_arp_table() function can return -EOVERFLOW if +i40iw_alloc_resource() fails so we can't just test for "== -1". + +Fixes: 4e9042e647ff ("i40iw: add hw and utils files") +Link: https://lore.kernel.org/r/20200422092211.GA195357@mwanda +Signed-off-by: Dan Carpenter +Acked-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/i40iw/i40iw_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c +index 476867a3f584f..4ded9411fb325 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c +@@ -483,7 +483,7 @@ void i40iw_manage_arp_cache(struct i40iw_device *iwdev, + int arp_index; + + arp_index = i40iw_arp_table(iwdev, ip_addr, ipv4, mac_addr, action); +- if (arp_index == -1) ++ if (arp_index < 0) + return; + cqp_request = i40iw_get_cqp_request(&iwdev->cqp, false); + if (!cqp_request) +-- +2.20.1 + diff --git a/queue-4.14/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch b/queue-4.14/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch new file mode 100644 index 00000000000..0610969655c --- /dev/null +++ b/queue-4.14/ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch @@ -0,0 +1,68 @@ +From 0adb9b2e1dec5610ba5a8b27854d4f3038e17cd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2020 10:59:21 +0300 +Subject: IB/mlx4: Test return value of calls to ib_get_cached_pkey + +From: Jack Morgenstein + +[ Upstream commit 6693ca95bd4330a0ad7326967e1f9bcedd6b0800 ] + +In the mlx4_ib_post_send() flow, some functions call ib_get_cached_pkey() +without checking its return value. If ib_get_cached_pkey() returns an +error code, these functions should return failure. + +Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") +Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") +Fixes: e622f2f4ad21 ("IB: split struct ib_send_wr") +Link: https://lore.kernel.org/r/20200426075921.130074-1-leon@kernel.org +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/qp.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index e10c3d915e389..df1ecd29057f8 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -2917,6 +2917,7 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp, + int send_size; + int header_size; + int spc; ++ int err; + int i; + + if (wr->wr.opcode != IB_WR_SEND) +@@ -2951,7 +2952,9 @@ static int build_sriov_qp0_header(struct mlx4_ib_sqp *sqp, + + sqp->ud_header.lrh.virtual_lane = 0; + sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED); +- ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, 0, &pkey); ++ if (err) ++ return err; + sqp->ud_header.bth.pkey = cpu_to_be16(pkey); + if (sqp->qp.mlx4_ib_qp_type == MLX4_IB_QPT_TUN_SMI_OWNER) + sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn); +@@ -3240,9 +3243,14 @@ static int build_mlx_header(struct mlx4_ib_sqp *sqp, struct ib_ud_wr *wr, + } + sqp->ud_header.bth.solicited_event = !!(wr->wr.send_flags & IB_SEND_SOLICITED); + if (!sqp->qp.ibqp.qp_num) +- ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, sqp->pkey_index, ++ &pkey); + else +- ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index, &pkey); ++ err = ib_get_cached_pkey(ib_dev, sqp->qp.port, wr->pkey_index, ++ &pkey); ++ if (err) ++ return err; ++ + sqp->ud_header.bth.pkey = cpu_to_be16(pkey); + sqp->ud_header.bth.destination_qpn = cpu_to_be32(wr->remote_qpn); + sqp->ud_header.bth.psn = cpu_to_be32((sqp->send_psn++) & ((1 << 24) - 1)); +-- +2.20.1 + diff --git a/queue-4.14/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch b/queue-4.14/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch new file mode 100644 index 00000000000..e88b69e1a11 --- /dev/null +++ b/queue-4.14/ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch @@ -0,0 +1,125 @@ +From eaf1c2fcf1589ed457c28ba7205dea919d2515b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 17:50:48 -0700 +Subject: ipc/util.c: sysvipc_find_ipc() incorrectly updates position index + +From: Vasily Averin + +[ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ] + +Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase +position index") is causing this bug (seen on 5.6.8): + + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + + # ipcmk -Q + Message queue id: 0 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x82db8127 0 root 644 0 0 + + # ipcmk -Q + Message queue id: 1 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x82db8127 0 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcrm -q 0 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x76d1fb2a 1 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcmk -Q + Message queue id: 2 + # ipcrm -q 2 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x76d1fb2a 1 root 644 0 0 + 0x76d1fb2a 1 root 644 0 0 + + # ipcmk -Q + Message queue id: 3 + # ipcrm -q 1 + # ipcs -q + + ------ Message Queues -------- + key msqid owner perms used-bytes messages + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + 0x7c982867 3 root 644 0 0 + +Whenever an IPC item with a low id is deleted, the items with higher ids +are duplicated, as if filling a hole. + +new_pos should jump through hole of unused ids, pos can be updated +inside "for" cycle. + +Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") +Reported-by: Andreas Schwab +Reported-by: Randy Dunlap +Signed-off-by: Vasily Averin +Signed-off-by: Andrew Morton +Acked-by: Waiman Long +Cc: NeilBrown +Cc: Steven Rostedt +Cc: Ingo Molnar +Cc: Peter Oberparleiter +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Cc: +Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + ipc/util.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ipc/util.c b/ipc/util.c +index 7989f5e532198..5a65b0cbae7db 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -750,21 +750,21 @@ static struct kern_ipc_perm *sysvipc_find_ipc(struct ipc_ids *ids, loff_t pos, + total++; + } + +- *new_pos = pos + 1; ++ ipc = NULL; + if (total >= ids->in_use) +- return NULL; ++ goto out; + + for (; pos < IPCMNI; pos++) { + ipc = idr_find(&ids->ipcs_idr, pos); + if (ipc != NULL) { + rcu_read_lock(); + ipc_lock_object(ipc); +- return ipc; ++ break; + } + } +- +- /* Out of range - return NULL to terminate iteration */ +- return NULL; ++out: ++ *new_pos = pos + 1; ++ return ipc; + } + + static void *sysvipc_proc_next(struct seq_file *s, void *it, loff_t *pos) +-- +2.20.1 + diff --git a/queue-4.14/ipmi-fix-null-pointer-dereference-in-ssif_probe.patch b/queue-4.14/ipmi-fix-null-pointer-dereference-in-ssif_probe.patch new file mode 100644 index 00000000000..b81be82ccd1 --- /dev/null +++ b/queue-4.14/ipmi-fix-null-pointer-dereference-in-ssif_probe.patch @@ -0,0 +1,42 @@ +From c234412e3ae3af53b3d9a78bef3633eb9d4d09f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Aug 2018 10:00:34 -0500 +Subject: ipmi: Fix NULL pointer dereference in ssif_probe + +From: Gustavo A. R. Silva + +[ Upstream commit a8627cda7cfffe1792c199660c2b4f03ba2bd97b ] + +There is a potential execution path in which function ssif_info_find() +returns NULL, hence there is a NULL pointer dereference when accessing +pointer *addr_info* + +Fix this by null checking *addr_info* before dereferencing it. + +Addresses-Coverity-ID: 1473145 ("Explicit null dereferenced") +Fixes: e333054a91d1 ("ipmi: Fix I2C client removal in the SSIF driver") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_ssif.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index 0146bc3252c5a..cf87bfe971e6b 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -1731,7 +1731,9 @@ static int ssif_probe(struct i2c_client *client, const struct i2c_device_id *id) + + out: + if (rv) { +- addr_info->client = NULL; ++ if (addr_info) ++ addr_info->client = NULL; ++ + dev_err(&client->dev, "Unable to start IPMI SSIF: %d\n", rv); + kfree(ssif_info); + } +-- +2.20.1 + diff --git a/queue-4.14/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch b/queue-4.14/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch new file mode 100644 index 00000000000..898a4f0cd1f --- /dev/null +++ b/queue-4.14/netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch @@ -0,0 +1,66 @@ +From 4e892d6cf2b02e9c8fe5b98a32aa28ff11d0c2bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 23:30:48 +0200 +Subject: netfilter: conntrack: avoid gcc-10 zero-length-bounds warning + +From: Arnd Bergmann + +[ Upstream commit 2c407aca64977ede9b9f35158e919773cae2082f ] + +gcc-10 warns around a suspicious access to an empty struct member: + +net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc': +net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds] + 1522 | memset(&ct->__nfct_init_offset[0], 0, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from net/netfilter/nf_conntrack_core.c:37: +include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset' + 90 | u8 __nfct_init_offset[0]; + | ^~~~~~~~~~~~~~~~~~ + +The code is correct but a bit unusual. Rework it slightly in a way that +does not trigger the warning, using an empty struct instead of an empty +array. There are probably more elegant ways to do this, but this is the +smallest change. + +Fixes: c41884ce0562 ("netfilter: conntrack: avoid zeroing timer") +Signed-off-by: Arnd Bergmann +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack.h | 2 +- + net/netfilter/nf_conntrack_core.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index 93bbae8f96414..b6dbc80b6ed15 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -80,7 +80,7 @@ struct nf_conn { + struct hlist_node nat_bysource; + #endif + /* all members below initialized via memset */ +- u8 __nfct_init_offset[0]; ++ struct { } __nfct_init_offset; + + /* If we were expected by an expectation, this will be it */ + struct nf_conn *master; +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index a79f5a89cab14..8064d769c953c 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1208,9 +1208,9 @@ __nf_conntrack_alloc(struct net *net, + *(unsigned long *)(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode.pprev) = hash; + ct->status = 0; + write_pnet(&ct->ct_net, net); +- memset(&ct->__nfct_init_offset[0], 0, ++ memset(&ct->__nfct_init_offset, 0, + offsetof(struct nf_conn, proto) - +- offsetof(struct nf_conn, __nfct_init_offset[0])); ++ offsetof(struct nf_conn, __nfct_init_offset)); + + nf_ct_zone_add(ct, zone); + +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-baytrail-enable-pin-configuration-setting-fo.patch b/queue-4.14/pinctrl-baytrail-enable-pin-configuration-setting-fo.patch new file mode 100644 index 00000000000..e399463c676 --- /dev/null +++ b/queue-4.14/pinctrl-baytrail-enable-pin-configuration-setting-fo.patch @@ -0,0 +1,38 @@ +From b5e1e7f6d0bbc1ceba9d1ece8cd2e64be5d322f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 19:32:54 +0200 +Subject: pinctrl: baytrail: Enable pin configuration setting for GPIO chip + +From: Andy Shevchenko + +[ Upstream commit ccd025eaddaeb99e982029446197c544252108e2 ] + +It appears that pin configuration for GPIO chip hasn't been enabled yet +due to absence of ->set_config() callback. + +Enable it here for Intel Baytrail. + +Fixes: c501d0b149de ("pinctrl: baytrail: Add pin control operations") +Depends-on: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Signed-off-by: Andy Shevchenko +Acked-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-baytrail.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/intel/pinctrl-baytrail.c b/drivers/pinctrl/intel/pinctrl-baytrail.c +index 4fb3e44f91331..2ea4bb9ce6e16 100644 +--- a/drivers/pinctrl/intel/pinctrl-baytrail.c ++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c +@@ -1503,6 +1503,7 @@ static const struct gpio_chip byt_gpio_chip = { + .direction_output = byt_gpio_direction_output, + .get = byt_gpio_get, + .set = byt_gpio_set, ++ .set_config = gpiochip_generic_config, + .dbg_show = byt_gpio_dbg_show, + }; + +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch b/queue-4.14/pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch new file mode 100644 index 00000000000..d865d3b52e7 --- /dev/null +++ b/queue-4.14/pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch @@ -0,0 +1,51 @@ +From 99a4cba40e397fffc7e5ee511575b4d896763bc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 12:11:54 +0800 +Subject: pinctrl: cherryview: Add missing spinlock usage in + chv_gpio_irq_handler + +From: Grace Kao + +[ Upstream commit 69388e15f5078c961b9e5319e22baea4c57deff1 ] + +According to Braswell NDA Specification Update (#557593), +concurrent read accesses may result in returning 0xffffffff and write +instructions may be dropped. We have an established format for the +commit references, i.e. +cdca06e4e859 ("pinctrl: baytrail: Add missing spinlock usage in +byt_gpio_irq_handler") + +Fixes: 0bd50d719b00 ("pinctrl: cherryview: prevent concurrent access to GPIO controllers") +Signed-off-by: Grace Kao +Reported-by: Brian Norris +Reviewed-by: Brian Norris +Acked-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c +index 0907531a02caa..d39718b4242d9 100644 +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1514,11 +1514,15 @@ static void chv_gpio_irq_handler(struct irq_desc *desc) + struct chv_pinctrl *pctrl = gpiochip_get_data(gc); + struct irq_chip *chip = irq_desc_get_chip(desc); + unsigned long pending; ++ unsigned long flags; + u32 intr_line; + + chained_irq_enter(chip, desc); + ++ raw_spin_lock_irqsave(&chv_lock, flags); + pending = readl(pctrl->regs + CHV_INTSTAT); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); ++ + for_each_set_bit(intr_line, &pending, pctrl->community->nirqs) { + unsigned irq, offset; + +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 0ff185e3179..b4a090fa1d2 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -52,3 +52,18 @@ net-moxa-fix-a-potential-double-free_irq.patch drop_monitor-work-around-gcc-10-stringop-overflow-wa.patch virtio-blk-handle-block_device_operations-callbacks-.patch scsi-sg-add-sg_remove_request-in-sg_write.patch +dmaengine-pch_dma.c-avoid-data-race-between-probe-an.patch +dmaengine-mmp_tdma-reset-channel-error-on-release.patch +cpufreq-intel_pstate-only-mention-the-bios-disabling.patch +alsa-hda-hdmi-fix-race-in-monitor-detection-during-p.patch +drm-qxl-lost-qxl_bo_kunmap_atomic_page-in-qxl_image_.patch +ipc-util.c-sysvipc_find_ipc-incorrectly-updates-posi.patch +alsa-hda-realtek-fix-s3-pop-noise-on-dell-wyse.patch +x86-entry-64-fix-unwind-hints-in-register-clearing-c.patch +ipmi-fix-null-pointer-dereference-in-ssif_probe.patch +pinctrl-baytrail-enable-pin-configuration-setting-fo.patch +pinctrl-cherryview-add-missing-spinlock-usage-in-chv.patch +i40iw-fix-error-handling-in-i40iw_manage_arp_cache.patch +netfilter-conntrack-avoid-gcc-10-zero-length-bounds-.patch +ib-mlx4-test-return-value-of-calls-to-ib_get_cached_.patch +hwmon-da9052-synchronize-access-with-mfd.patch diff --git a/queue-4.14/x86-entry-64-fix-unwind-hints-in-register-clearing-c.patch b/queue-4.14/x86-entry-64-fix-unwind-hints-in-register-clearing-c.patch new file mode 100644 index 00000000000..94a73f8a7f9 --- /dev/null +++ b/queue-4.14/x86-entry-64-fix-unwind-hints-in-register-clearing-c.patch @@ -0,0 +1,109 @@ +From d0a62c8026f5e5e55891764f18b0f64ec4c65d4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 05:03:01 -0500 +Subject: x86/entry/64: Fix unwind hints in register clearing code + +From: Josh Poimboeuf + +[ Upstream commit 06a9750edcffa808494d56da939085c35904e618 ] + +The PUSH_AND_CLEAR_REGS macro zeroes each register immediately after +pushing it. If an NMI or exception hits after a register is cleared, +but before the UNWIND_HINT_REGS annotation, the ORC unwinder will +wrongly think the previous value of the register was zero. This can +confuse the unwinding process and cause it to exit early. + +Because ORC is simpler than DWARF, there are a limited number of unwind +annotation states, so it's not possible to add an individual unwind hint +after each push/clear combination. Instead, the register clearing +instructions need to be consolidated and moved to after the +UNWIND_HINT_REGS annotation. + +Fixes: 3f01daecd545 ("x86/entry/64: Introduce the PUSH_AND_CLEAN_REGS macro") +Reviewed-by: Miroslav Benes +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: Dave Jones +Cc: Jann Horn +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vince Weaver +Link: https://lore.kernel.org/r/68fd3d0bc92ae2d62ff7879d15d3684217d51f08.1587808742.git.jpoimboe@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/entry/calling.h | 38 +++++++++++++++++++++----------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h +index 557c1bdda311b..1dbc62a96b859 100644 +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -98,13 +98,6 @@ For 32-bit we have the following conventions - kernel is built with + #define SIZEOF_PTREGS 21*8 + + .macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax save_ret=0 +- /* +- * Push registers and sanitize registers of values that a +- * speculation attack might otherwise want to exploit. The +- * lower registers are likely clobbered well before they +- * could be put to use in a speculative execution gadget. +- * Interleave XOR with PUSH for better uop scheduling: +- */ + .if \save_ret + pushq %rsi /* pt_regs->si */ + movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */ +@@ -117,29 +110,40 @@ For 32-bit we have the following conventions - kernel is built with + pushq %rcx /* pt_regs->cx */ + pushq \rax /* pt_regs->ax */ + pushq %r8 /* pt_regs->r8 */ +- xorl %r8d, %r8d /* nospec r8 */ + pushq %r9 /* pt_regs->r9 */ +- xorl %r9d, %r9d /* nospec r9 */ + pushq %r10 /* pt_regs->r10 */ +- xorl %r10d, %r10d /* nospec r10 */ + pushq %r11 /* pt_regs->r11 */ +- xorl %r11d, %r11d /* nospec r11*/ + pushq %rbx /* pt_regs->rbx */ +- xorl %ebx, %ebx /* nospec rbx*/ + pushq %rbp /* pt_regs->rbp */ +- xorl %ebp, %ebp /* nospec rbp*/ + pushq %r12 /* pt_regs->r12 */ +- xorl %r12d, %r12d /* nospec r12*/ + pushq %r13 /* pt_regs->r13 */ +- xorl %r13d, %r13d /* nospec r13*/ + pushq %r14 /* pt_regs->r14 */ +- xorl %r14d, %r14d /* nospec r14*/ + pushq %r15 /* pt_regs->r15 */ +- xorl %r15d, %r15d /* nospec r15*/ + UNWIND_HINT_REGS ++ + .if \save_ret + pushq %rsi /* return address on top of stack */ + .endif ++ ++ /* ++ * Sanitize registers of values that a speculation attack might ++ * otherwise want to exploit. The lower registers are likely clobbered ++ * well before they could be put to use in a speculative execution ++ * gadget. ++ */ ++ xorl %edx, %edx /* nospec dx */ ++ xorl %ecx, %ecx /* nospec cx */ ++ xorl %r8d, %r8d /* nospec r8 */ ++ xorl %r9d, %r9d /* nospec r9 */ ++ xorl %r10d, %r10d /* nospec r10 */ ++ xorl %r11d, %r11d /* nospec r11 */ ++ xorl %ebx, %ebx /* nospec rbx */ ++ xorl %ebp, %ebp /* nospec rbp */ ++ xorl %r12d, %r12d /* nospec r12 */ ++ xorl %r13d, %r13d /* nospec r13 */ ++ xorl %r14d, %r14d /* nospec r14 */ ++ xorl %r15d, %r15d /* nospec r15 */ ++ + .endm + + .macro POP_REGS pop_rdi=1 skip_r11rcx=0 +-- +2.20.1 + -- 2.47.3