From 572e207deab1be1e4b6236fc517ad239ffcde4f2 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 28 Feb 2021 22:19:11 -0500 Subject: [PATCH] Fixes for 4.4 
Signed-off-by: Sasha Levin --- ...rce-leak-for-drivers-without-.remove.patch | 83 +++++++ ...pressor-do-not-clear-sctlr.ntlsmd-fo.patch | 75 +++++++ ...orrect-pmic-interrupt-trigger-level-.patch | 38 ++++ ...-pmic-interrupt-trigger-level-.patch-26341 | 39 ++++ queue-4.4/arm-s3c-fix-fiq-for-clang-ias.patch | 93 ++++++++ ...42l56-fix-up-error-handling-in-probe.patch | 46 ++++ ...e-update-of-coef-for-the-phy-revisio.patch | 50 +++++ ...p-hci-device-reference-before-return.patch | 35 +++ ...itializing-response-id-after-clearin.patch | 39 ++++ ...i-device-if-inquiry-procedure-interr.patch | 40 ++++ ...-order-of-tx-disable-and-carrier-off.patch | 42 ++++ ...ror-returns-values-in-__load_free_sp.patch | 60 +++++ ...l-fix-initializing-the-old-rate-fall.patch | 39 ++++ ...ers-mxs_timer-add-missing-semicolon-.patch | 49 +++++ ...-fix-a-resource-leak-in-an-error-han.patch | 51 +++++ ...-fix-a-resource-leak-in-the-remove-f.patch | 42 ++++ ...error-return-code-in-psb_driver_load.patch | 38 ++++ ...fbdev-aty-sparc64-requires-fb_aty_ct.patch | 62 ++++++ ...tial-integer-overflow-on-shift-of-a-.patch | 39 ++++ ...a500-clean-up-error-handling-in-init.patch | 73 +++++++ ...ct-and-skip-invalid-inputs-to-snto32.patch | 51 +++++ ...b-fix-brcmstd_send_i2c_cmd-condition.patch | 40 ++++ ...io-in-case-of-when-device-disassocia.patch | 54 +++++ ...elo-fix-an-error-code-in-elo_connect.patch | 40 ++++ ...fs-release-buffer-head-before-return.patch | 49 +++++ ...e-after-free-in-jffs2_sum_write_data.patch | 58 +++++ ...x-a-bug-when-reallocating-some-dma-m.patch | 46 ++++ .../media-lmedm04-fix-misuse-of-comma.patch | 40 ++++ ...edia-pci-fix-memleak-in-empress_init.patch | 42 ++++ ...0-fix-memleak-in-tm6000_start_stream.patch | 40 ++++ ...ccept-invalid-bformatindex-and-bfram.patch | 82 +++++++ ...c-prevent-use-after-free-in-wm831x_a.patch | 44 ++++ ...ection-mismatch-for-loongson2_sc_ini.patch | 45 ++++ ...icitly-compare-ltq_ebu_pcc_istat-aga.patch | 55 +++++ 
...46-add-module-alias-to-avoid-breakin.patch | 38 ++++ ...46-fix-module-alias-to-enable-module.patch | 34 +++ ...otential-double-free-in-hugetlb_regi.patch | 46 ++++ ...potential-pte_unmap_unlock-pte-error.patch | 66 ++++++ ...ix-a-resource-leak-in-the-error-hand.patch | 46 ++++ ...ing-of-syscall-user-config-accessors.patch | 80 +++++++ ...pt-fix-missing-cyc-processing-in-psb.patch | 41 ++++ ...aligned-access-in-sample-parsing-tes.patch | 73 +++++++ .../powerpc-47x-disable-256k-page-size.patch | 41 ++++ ...dlpar-handle-ibm-configure-connector.patch | 65 ++++++ ...lator-axp20x-fix-reference-cout-leak.patch | 52 +++++ ...ix-kconfig-warning-cnic-build-errors.patch | 57 +++++ queue-4.4/series | 53 +++++ ...ect-compat_binfmt_elf-if-binfmt_elf-.patch | 47 ++++ ...take-mmap-lock-in-cacheflush-syscall.patch | 61 ++++++ ...t-fail-unregistering-a-probe-due-to-.patch | 205 ++++++++++++++++++ ...ransaction-after-errors-with-unknown.patch | 84 +++++++ ...trimming-xfer-length-a-debug-message.patch | 48 ++++ ...e_dirty_lock-when-unregistering-gues.patch | 43 ++++ ...spurious-event-detection-for-common-.patch | 56 +++++ 54 files changed, 2955 insertions(+) create mode 100644 queue-4.4/amba-fix-resource-leak-for-drivers-without-.remove.patch create mode 100644 queue-4.4/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch create mode 100644 queue-4.4/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch create mode 100644 queue-4.4/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-26341 create mode 100644 queue-4.4/arm-s3c-fix-fiq-for-clang-ias.patch create mode 100644 queue-4.4/asoc-cs42l56-fix-up-error-handling-in-probe.patch create mode 100644 queue-4.4/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch create mode 100644 queue-4.4/bluetooth-drop-hci-device-reference-before-return.patch create mode 100644 queue-4.4/bluetooth-fix-initializing-response-id-after-clearin.patch create mode 100644 
queue-4.4/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch create mode 100644 queue-4.4/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch create mode 100644 queue-4.4/btrfs-clarify-error-returns-values-in-__load_free_sp.patch create mode 100644 queue-4.4/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch create mode 100644 queue-4.4/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch create mode 100644 queue-4.4/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch create mode 100644 queue-4.4/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch create mode 100644 queue-4.4/drm-gma500-fix-error-return-code-in-psb_driver_load.patch create mode 100644 queue-4.4/fbdev-aty-sparc64-requires-fb_aty_ct.patch create mode 100644 queue-4.4/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch create mode 100644 queue-4.4/gma500-clean-up-error-handling-in-init.patch create mode 100644 queue-4.4/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch create mode 100644 queue-4.4/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch create mode 100644 queue-4.4/ib-umad-return-eio-in-case-of-when-device-disassocia.patch create mode 100644 queue-4.4/input-elo-fix-an-error-code-in-elo_connect.patch create mode 100644 queue-4.4/isofs-release-buffer-head-before-return.patch create mode 100644 queue-4.4/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch create mode 100644 queue-4.4/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch create mode 100644 queue-4.4/media-lmedm04-fix-misuse-of-comma.patch create mode 100644 queue-4.4/media-media-pci-fix-memleak-in-empress_init.patch create mode 100644 queue-4.4/media-tm6000-fix-memleak-in-tm6000_start_stream.patch create mode 100644 queue-4.4/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch create mode 100644 queue-4.4/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch create mode 100644 queue-4.4/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch create 
mode 100644 queue-4.4/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch create mode 100644 queue-4.4/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch create mode 100644 queue-4.4/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch create mode 100644 queue-4.4/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch create mode 100644 queue-4.4/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch create mode 100644 queue-4.4/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch create mode 100644 queue-4.4/pci-align-checking-of-syscall-user-config-accessors.patch create mode 100644 queue-4.4/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch create mode 100644 queue-4.4/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch create mode 100644 queue-4.4/powerpc-47x-disable-256k-page-size.patch create mode 100644 queue-4.4/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch create mode 100644 queue-4.4/regulator-axp20x-fix-reference-cout-leak.patch create mode 100644 queue-4.4/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch create mode 100644 queue-4.4/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch create mode 100644 queue-4.4/take-mmap-lock-in-cacheflush-syscall.patch create mode 100644 queue-4.4/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch create mode 100644 queue-4.4/usb-dwc2-abort-transaction-after-errors-with-unknown.patch create mode 100644 queue-4.4/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch create mode 100644 queue-4.4/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch create mode 100644 queue-4.4/xen-netback-fix-spurious-event-detection-for-common-.patch diff --git a/queue-4.4/amba-fix-resource-leak-for-drivers-without-.remove.patch b/queue-4.4/amba-fix-resource-leak-for-drivers-without-.remove.patch new file mode 100644 index 00000000000..05a790d007b --- /dev/null +++ b/queue-4.4/amba-fix-resource-leak-for-drivers-without-.remove.patch 
@@ -0,0 +1,83 @@
+From 1ae56537105f2894b52128d0c380e7f8714dda4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Jan 2021 17:58:31 +0100
+Subject: amba: Fix resource leak for drivers without .remove
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+[ Upstream commit de5d7adb89367bbc87b4e5ce7afe7ae9bd86dc12 ]
+
+Consider an amba driver with a .probe but without a .remove callback (e.g.
+pl061_gpio_driver). The function amba_probe() is called to bind a device
+and so dev_pm_domain_attach() and others are called. As there is no remove
+callback amba_remove() isn't called at unbind time however and so calling
+dev_pm_domain_detach() is missed and the pm domain keeps active.
+
+To fix this always use the core driver callbacks and handle missing amba
+callbacks there. For probe refuse registration as a driver without probe
+doesn't make sense.
+
+Fixes: 7cfe249475fd ("ARM: AMBA: Add pclk support to AMBA bus infrastructure")
+Reviewed-by: Ulf Hansson
+Reviewed-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20210126165835.687514-2-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Sasha Levin
+---
+ drivers/amba/bus.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
+index 1accc01fb0ca9..91c99cce22a4d 100644
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -275,10 +275,11 @@ static int amba_remove(struct device *dev)
+ {
+ struct amba_device *pcdev = to_amba_device(dev);
+ struct amba_driver *drv = to_amba_driver(dev->driver);
+- int ret;
++ int ret = 0;
+
+ pm_runtime_get_sync(dev);
+- ret = drv->remove(pcdev);
++ if (drv->remove)
++ ret = drv->remove(pcdev);
+ pm_runtime_put_noidle(dev);
+
+ /* Undo the runtime PM settings in amba_probe() */
+@@ -295,7 +296,9 @@ static int amba_remove(struct device *dev)
+ static void amba_shutdown(struct device *dev)
+ {
+ struct amba_driver *drv = to_amba_driver(dev->driver);
+- drv->shutdown(to_amba_device(dev));
++
++ if (drv->shutdown)
++ drv->shutdown(to_amba_device(dev));
+ }
+
+ /**
+@@ -308,12 +311,13 @@ static void amba_shutdown(struct device *dev)
+ */
+ int amba_driver_register(struct amba_driver *drv)
+ {
+- drv->drv.bus = &amba_bustype;
++ if (!drv->probe)
++ return -EINVAL;
+
+-#define SETFN(fn) if (drv->fn) drv->drv.fn = amba_##fn
+- SETFN(probe);
+- SETFN(remove);
+- SETFN(shutdown);
++ drv->drv.bus = &amba_bustype;
++ drv->drv.probe = amba_probe;
++ drv->drv.remove = amba_remove;
++ drv->drv.shutdown = amba_shutdown;
+
+ return driver_register(&drv->drv);
+ }
+--
+2.27.0
+
diff --git a/queue-4.4/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch b/queue-4.4/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch
new file mode 100644
index 00000000000..0a88306c4c9
--- /dev/null
+++ b/queue-4.4/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch
@@ -0,0 +1,75 @@
+From f9f8fc2c5473b21b571d62f70a0061460edf6b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Jan 2021 10:47:24 +0100
+Subject: ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores
+
+From: Vladimir Murzin
+
+[ Upstream commit 2acb909750431030b65a0a2a17fd8afcbd813a84 ]
+
+It was observed that decompressor running on hardware implementing ARM v8.2
+Load/Store Multiple Atomicity and Ordering Control (LSMAOC), say, as guest,
+would stuck just after:
+
+Uncompressing Linux... done, booting the kernel.
+
+The reason is that it clears nTLSMD bit when disabling caches:
+
+ nTLSMD, bit [3]
+
+ When ARMv8.2-LSMAOC is implemented:
+
+ No Trap Load Multiple and Store Multiple to
+ Device-nGRE/Device-nGnRE/Device-nGnRnE memory.
+
+ 0b0 All memory accesses by A32 and T32 Load Multiple and Store
+ Multiple at EL1 or EL0 that are marked at stage 1 as
+ Device-nGRE/Device-nGnRE/Device-nGnRnE memory are trapped and
+ generate a stage 1 Alignment fault.
+
+ 0b1 All memory accesses by A32 and T32 Load Multiple and Store
+ Multiple at EL1 or EL0 that are marked at stage 1 as
+ Device-nGRE/Device-nGnRE/Device-nGnRnE memory are not trapped.
+
+ This bit is permitted to be cached in a TLB.
+
+ This field resets to 1.
+
+ Otherwise:
+
+ Reserved, RES1
+
+So as effect we start getting traps we are not quite ready for.
+
+Looking into history it seems that mask used for SCTLR clear came from
+the similar code for ARMv4, where bit[3] is the enable/disable bit for
+the write buffer. That not applicable to ARMv7 and onwards, so retire
+that bit from the masks.
+
+Fixes: 7d09e85448dfa78e3e58186c934449aaf6d49b50 ("[ARM] 4393/2: ARMv7: Add uncompressing code for the new CPU Id format")
+Signed-off-by: Vladimir Murzin
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/compressed/head.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
+index 856913705169f..082d036e95649 100644
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -1074,9 +1074,9 @@ __armv4_mmu_cache_off:
+ __armv7_mmu_cache_off:
+ mrc p15, 0, r0, c1, c0
+ #ifdef CONFIG_MMU
+- bic r0, r0, #0x000d
++ bic r0, r0, #0x0005
+ #else
+- bic r0, r0, #0x000c
++ bic r0, r0, #0x0004
+ #endif
+ mcr p15, 0, r0, c1, c0 @ turn MMU and cache off
+ mov r12, lr
+--
+2.27.0
+
diff --git a/queue-4.4/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch b/queue-4.4/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch
new file mode 100644
index 00000000000..31b8f6d4ad4
--- /dev/null
+++ b/queue-4.4/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch
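Review bot: The two new masks in `__armv7_mmu_cache_off`, `#0x0005` and `#0x0004`, are bare constants, and nothing at the instructions says which SCTLR bits they clear or why bit 3 is now left alone. The commit message explains that bit [3] is nTLSMD on ARMv8.2-LSMAOC hardware and that the old mask was carried over from the ARMv4 code, so without a comment in the source the same copy from `__armv4_mmu_cache_off` could be made again. I would add `@ clear C (bit 2) and M (bit 0) only; bit 3 is nTLSMD here, not the v4 write buffer` above the first `bic` and `@ clear C (bit 2) only` above the second. The routine continues past the end of the hunk.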
@@ -0,0 +1,38 @@
+From d574cd3cdefb216886fcf0096fbbd275339ace4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Dec 2020 22:28:58 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Spring
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 77e6a5467cb8657cf8b5e610a30a4c502085e4f9 ]
+
+The Samsung PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. Without specifying the
+interrupt type in Devicetree, kernel might apply some fixed
+configuration, not necessarily working for this hardware.
+
+Fixes: 53dd4138bb0a ("ARM: dts: Add exynos5250-spring device tree")
+Signed-off-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20201210212903.216728-4-krzk@kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/exynos5250-spring.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5250-spring.dts b/arch/arm/boot/dts/exynos5250-spring.dts
+index c1edd6d038a90..4b3bd43f77213 100644
+--- a/arch/arm/boot/dts/exynos5250-spring.dts
++++ b/arch/arm/boot/dts/exynos5250-spring.dts
+@@ -112,7 +112,7 @@
+ compatible = "samsung,s5m8767-pmic";
+ reg = <0x66>;
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_NONE>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&s5m8767_irq &s5m8767_dvs &s5m8767_ds>;
+ wakeup-source;
+--
+2.27.0
+
diff --git a/queue-4.4/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-26341 b/queue-4.4/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-26341
new file mode 100644
index 00000000000..52cc90717f3
--- /dev/null
+++ b/queue-4.4/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-26341
@@ -0,0 +1,39 @@
+From 3101633b593be4fd3369d2c64e1401a488ef9af6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Dec 2020 22:28:59 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale
+ Octa
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 1ac8893c4fa3d4a34915dc5cdab568a39db5086c ]
+
+The Samsung PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. The falling edge
+interrupt will mostly work but it's not correct.
+
+Fixes: 1fed2252713e ("ARM: dts: fix pinctrl for s2mps11-irq on exynos5420-arndale-octa")
+Signed-off-by: Krzysztof Kozlowski
+Tested-by: Marek Szyprowski
+Link: https://lore.kernel.org/r/20201210212903.216728-5-krzk@kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/exynos5420-arndale-octa.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5420-arndale-octa.dts b/arch/arm/boot/dts/exynos5420-arndale-octa.dts
+index b54c0b8a5b346..5cf9bcc91c4ab 100644
+--- a/arch/arm/boot/dts/exynos5420-arndale-octa.dts
++++ b/arch/arm/boot/dts/exynos5420-arndale-octa.dts
+@@ -75,7 +75,7 @@
+ s2mps11,buck4-ramp-enable = <1>;
+
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_EDGE_FALLING>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&s2mps11_irq>;
+
+--
+2.27.0
+
diff --git a/queue-4.4/arm-s3c-fix-fiq-for-clang-ias.patch b/queue-4.4/arm-s3c-fix-fiq-for-clang-ias.patch
new file mode 100644
index 00000000000..f7d6beadd14
--- /dev/null
+++ b/queue-4.4/arm-s3c-fix-fiq-for-clang-ias.patch
@@ -0,0 +1,93 @@
+From 7e479d713c99d588bb5be6cdb7f49e99c2c9b459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Feb 2021 17:23:42 +0100
+Subject: ARM: s3c: fix fiq for clang IAS
+
+From: Arnd Bergmann
+
+[ Upstream commit 7f9942c61fa60eda7cc8e42f04bd25b7d175876e ]
+
+Building with the clang integrated assembler produces a couple of
+errors for the s3c24xx fiq support:
+
+ arch/arm/mach-s3c/irq-s3c24xx-fiq.S:52:2: error: instruction 'subne' can not set flags, but 's' suffix specified
+ subnes pc, lr, #4 @@ return, still have work to do
+
+ arch/arm/mach-s3c/irq-s3c24xx-fiq.S:64:1: error: invalid symbol redefinition
+ s3c24xx_spi_fiq_txrx:
+
+There are apparently two problems: one with extraneous or duplicate
+labels, and one with old-style opcode mnemonics. Stefan Agner has
+previously fixed other problems like this, but missed this particular
+file.
+
+Fixes: bec0806cfec6 ("spi_s3c24xx: add FIQ pseudo-DMA support")
+Cc: Stefan Agner
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Nick Desaulniers
+Reviewed-by: Nathan Chancellor
+Link: https://lore.kernel.org/r/20210204162416.3030114-1-arnd@kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-s3c24xx-fiq.S | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-s3c24xx-fiq.S b/drivers/spi/spi-s3c24xx-fiq.S
+index 059f2dc1fda2d..1565c792da079 100644
+--- a/drivers/spi/spi-s3c24xx-fiq.S
++++ b/drivers/spi/spi-s3c24xx-fiq.S
+@@ -36,7 +36,6 @@
+ @ and an offset to the irq acknowledgment word
+
+ ENTRY(s3c24xx_spi_fiq_rx)
+-s3c24xx_spi_fix_rx:
+ .word fiq_rx_end - fiq_rx_start
+ .word fiq_rx_irq_ack - fiq_rx_start
+ fiq_rx_start:
+@@ -50,7 +49,7 @@ fiq_rx_start:
+ strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ]
+
+ subs fiq_rcount, fiq_rcount, #1
+- subnes pc, lr, #4 @@ return, still have work to do
++ subsne pc, lr, #4 @@ return, still have work to do
+
+ @@ set IRQ controller so that next op will trigger IRQ
+ mov fiq_rtmp, #0
+@@ -62,7 +61,6 @@ fiq_rx_irq_ack:
+ fiq_rx_end:
+
+ ENTRY(s3c24xx_spi_fiq_txrx)
+-s3c24xx_spi_fiq_txrx:
+ .word fiq_txrx_end - fiq_txrx_start
+ .word fiq_txrx_irq_ack - fiq_txrx_start
+ fiq_txrx_start:
+@@ -77,7 +75,7 @@ fiq_txrx_start:
+ strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ]
+
+ subs fiq_rcount, fiq_rcount, #1
+- subnes pc, lr, #4 @@ return, still have work to do
++ subsne pc, lr, #4 @@ return, still have work to do
+
+ mov fiq_rtmp, #0
+ str fiq_rtmp, [ fiq_rirq, # S3C2410_INTMOD - S3C24XX_VA_IRQ ]
+@@ -89,7 +87,6 @@ fiq_txrx_irq_ack:
+ fiq_txrx_end:
+
+ ENTRY(s3c24xx_spi_fiq_tx)
+-s3c24xx_spi_fix_tx:
+ .word fiq_tx_end - fiq_tx_start
+ .word fiq_tx_irq_ack - fiq_tx_start
+ fiq_tx_start:
+@@ -102,7 +99,7 @@ fiq_tx_start:
+ strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ]
+
+ subs fiq_rcount, fiq_rcount, #1
+- subnes pc, lr, #4 @@ return, still have work to do
++ subsne pc, lr, #4 @@ return, still have work to do
+
+ mov fiq_rtmp, #0
+ str fiq_rtmp, [ fiq_rirq, # S3C2410_INTMOD - S3C24XX_VA_IRQ ]
+--
+2.27.0
+
diff --git a/queue-4.4/asoc-cs42l56-fix-up-error-handling-in-probe.patch b/queue-4.4/asoc-cs42l56-fix-up-error-handling-in-probe.patch
new file mode 100644
index 00000000000..13bfdf915d2
--- /dev/null
+++ b/queue-4.4/asoc-cs42l56-fix-up-error-handling-in-probe.patch
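Review bot: The three `subsne pc, lr, #4` lines use the unified-syntax spelling, and nothing in the visible hunks switches `drivers/spi/spi-s3c24xx-fiq.S` to `.syntax unified`. If the 4.4 tree still assembles this file in divided syntax (worth confirming with a build of an s3c24xx config in this branch), GNU as would be expected to reject `subsne` in the same way clang rejected `subnes`, so the backport could trade one build failure for another. Either confirm that the file is built with unified syntax in 4.4, or carry a `.syntax unified` directive near the top of the file together with this change and build-test it. This applies to all three hunks that change the mnemonic (`fiq_rx_start`, `fiq_txrx_start`, `fiq_tx_start`).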
@@ -0,0 +1,46 @@
+From 6b732d756bae29419dbd14721ea9f8aa94239457 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Dec 2020 13:07:59 +0300
+Subject: ASoC: cs42l56: fix up error handling in probe
+
+From: Dan Carpenter
+
+[ Upstream commit 856fe64da84c95a1d415564b981ae3908eea2a76 ]
+
+There are two issues with this code. The first error path forgot to set
+the error code and instead returns success. The second error path
+doesn't clean up.
+
+Fixes: 272b5edd3b8f ("ASoC: Add support for CS42L56 CODEC")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/X9NE/9nK9/TuxuL+@mwanda
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l56.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l56.c b/sound/soc/codecs/cs42l56.c
+index 7cd5f769bb614..a22879ddda476 100644
+--- a/sound/soc/codecs/cs42l56.c
++++ b/sound/soc/codecs/cs42l56.c
+@@ -1269,6 +1269,7 @@ static int cs42l56_i2c_probe(struct i2c_client *i2c_client,
+ dev_err(&i2c_client->dev,
+ "CS42L56 Device ID (%X). Expected %X\n",
+ devid, CS42L56_DEVID);
++ ret = -EINVAL;
+ goto err_enable;
+ }
+ alpha_rev = reg & CS42L56_AREV_MASK;
+@@ -1324,7 +1325,7 @@ static int cs42l56_i2c_probe(struct i2c_client *i2c_client,
+ ret = snd_soc_register_codec(&i2c_client->dev,
+ &soc_codec_dev_cs42l56, &cs42l56_dai, 1);
+ if (ret < 0)
+- return ret;
++ goto err_enable;
+
+ return 0;
+
+--
+2.27.0
+
diff --git a/queue-4.4/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch b/queue-4.4/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch
new file mode 100644
index 00000000000..8ee27844b61
--- /dev/null
+++ b/queue-4.4/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch
@@ -0,0 +1,50 @@
+From b72bc21994432bdca74a7d13cd3daa4a6c7b70d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Feb 2021 12:05:32 +0000
+Subject: b43: N-PHY: Fix the update of coef for the PHY revision >= 3case
+
+From: Colin Ian King
+
+[ Upstream commit 4773acf3d4b50768bf08e9e97a204819e9ea0895 ]
+
+The documentation for the PHY update [1] states:
+
+Loop 4 times with index i
+
+ If PHY Revision >= 3
+ Copy table[i] to coef[i]
+ Otherwise
+ Set coef[i] to 0
+
+the copy of the table to coef is currently implemented the wrong way
+around, table is being updated from uninitialized values in coeff.
+Fix this by swapping the assignment around.
+
+[1] https://bcm-v4.sipsolutions.net/802.11/PHY/N/RestoreCal/
+
+Fixes: 2f258b74d13c ("b43: N-PHY: implement restoring general configuration")
+Addresses-Coverity: ("Uninitialized scalar variable")
+Signed-off-by: Colin Ian King
+Acked-by: Larry Finger
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/b43/phy_n.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/b43/phy_n.c b/drivers/net/wireless/b43/phy_n.c
+index 9f0bcf3b8414c..fa847ae5b5270 100644
+--- a/drivers/net/wireless/b43/phy_n.c
++++ b/drivers/net/wireless/b43/phy_n.c
+@@ -5320,7 +5320,7 @@ static void b43_nphy_restore_cal(struct b43_wldev *dev)
+
+ for (i = 0; i < 4; i++) {
+ if (dev->phy.rev >= 3)
+- table[i] = coef[i];
++ coef[i] = table[i];
+ else
+ coef[i] = 0;
+ }
+--
+2.27.0
+
diff --git a/queue-4.4/bluetooth-drop-hci-device-reference-before-return.patch b/queue-4.4/bluetooth-drop-hci-device-reference-before-return.patch
new file mode 100644
index 00000000000..cc077358344
--- /dev/null
+++ b/queue-4.4/bluetooth-drop-hci-device-reference-before-return.patch
@@ -0,0 +1,35 @@
+From 90fbf525fea74c111f69c9b522e2da560bb712d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Jan 2021 23:34:19 -0800
+Subject: Bluetooth: drop HCI device reference before return
+
+From: Pan Bian
+
+[ Upstream commit 5a3ef03afe7e12982dc3b978f4c5077c907f7501 ]
+
+Call hci_dev_put() to decrement reference count of HCI device hdev if
+fails to duplicate memory.
+
+Fixes: 0b26ab9dce74 ("Bluetooth: AMP: Handle Accept phylink command status evt")
+Signed-off-by: Pan Bian
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/a2mp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
+index 242ef2abd0911..fcd819ffda108 100644
+--- a/net/bluetooth/a2mp.c
++++ b/net/bluetooth/a2mp.c
+@@ -519,6 +519,7 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
+ assoc = kmemdup(req->amp_assoc, assoc_len, GFP_KERNEL);
+ if (!assoc) {
+ amp_ctrl_put(ctrl);
++ hci_dev_put(hdev);
+ return -ENOMEM;
+ }
+
+--
+2.27.0
+
diff --git a/queue-4.4/bluetooth-fix-initializing-response-id-after-clearin.patch b/queue-4.4/bluetooth-fix-initializing-response-id-after-clearin.patch
new file mode 100644
index 00000000000..96b570d2ee2
--- /dev/null
+++ b/queue-4.4/bluetooth-fix-initializing-response-id-after-clearin.patch
@@ -0,0 +1,39 @@
+From 7b882e169b058843c25331bcd5ba27da16c0070d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Dec 2020 19:12:32 -0800
+Subject: Bluetooth: Fix initializing response id after clearing struct
+
+From: Christopher William Snowhill
+
+[ Upstream commit a5687c644015a097304a2e47476c0ecab2065734 ]
+
+Looks like this was missed when patching the source to clear the structures
+throughout, causing this one instance to clear the struct after the response
+id is assigned.
+
+Fixes: eddb7732119d ("Bluetooth: A2MP: Fix not initializing all members")
+Signed-off-by: Christopher William Snowhill
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/a2mp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
+index 8f918155685db..242ef2abd0911 100644
+--- a/net/bluetooth/a2mp.c
++++ b/net/bluetooth/a2mp.c
+@@ -388,9 +388,9 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb,
+ hdev = hci_dev_get(req->id);
+ if (!hdev || hdev->amp_type == AMP_TYPE_BREDR || tmp) {
+ struct a2mp_amp_assoc_rsp rsp;
+- rsp.id = req->id;
+
+ memset(&rsp, 0, sizeof(rsp));
++ rsp.id = req->id;
+
+ if (tmp) {
+ rsp.status = A2MP_STATUS_COLLISION_OCCURED;
+--
+2.27.0
+
diff --git a/queue-4.4/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch b/queue-4.4/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch
new file mode 100644
index 00000000000..2879c23bb14
--- /dev/null
+++ b/queue-4.4/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch
@@ -0,0 +1,40 @@
+From 18b436df5531b2df3295437d228185dd2a577e78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Jan 2021 00:10:45 -0800
+Subject: Bluetooth: Put HCI device if inquiry procedure interrupts
+
+From: Pan Bian
+
+[ Upstream commit 28a758c861ff290e39d4f1ee0aa5df0f0b9a45ee ]
+
+Jump to the label done to decrement the reference count of HCI device
+hdev on path that the Inquiry procedure is interrupted.
+
+Fixes: 3e13fa1e1fab ("Bluetooth: Fix hci_inquiry ioctl usage")
+Signed-off-by: Pan Bian
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 4bce3ef2c392a..cc905a4e57325 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1372,8 +1372,10 @@ int hci_inquiry(void __user *arg)
+ * cleared). If it is interrupted by a signal, return -EINTR.
+ */
+ if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
+- TASK_INTERRUPTIBLE))
+- return -EINTR;
++ TASK_INTERRUPTIBLE)) {
++ err = -EINTR;
++ goto done;
++ }
+ }
+
+ /* for unlimited number of responses we will use buffer with
+--
+2.27.0
+
diff --git a/queue-4.4/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch b/queue-4.4/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch
new file mode 100644
index 00000000000..76d49e97b06
--- /dev/null
+++ b/queue-4.4/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch
@@ -0,0 +1,42 @@
+From e9b1f0be7a427fd171e9d1eae5b32c3aa4dcf6bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Feb 2021 02:24:23 -0500
+Subject: bnxt_en: reverse order of TX disable and carrier off
+
+From: Edwin Peer
+
+[ Upstream commit 132e0b65dc2b8bfa9721bfce834191f24fd1d7ed ]
+
+A TX queue can potentially immediately timeout after it is stopped
+and the last TX timestamp on that queue was more than 5 seconds ago with
+carrier still up. Prevent these intermittent false TX timeouts
+by bringing down carrier first before calling netif_tx_disable().
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Edwin Peer
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 250ecbcca019f..7444f17b9e050 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -4313,9 +4313,10 @@ static void bnxt_tx_disable(struct bnxt *bp)
+ txr->dev_state = BNXT_DEV_STATE_CLOSING;
+ }
+ }
++ /* Drop carrier first to prevent TX timeout */
++ netif_carrier_off(bp->dev);
+ /* Stop all TX queues */
+ netif_tx_disable(bp->dev);
+- netif_carrier_off(bp->dev);
+ }
+
+ static void bnxt_tx_enable(struct bnxt *bp)
+--
+2.27.0
+
diff --git a/queue-4.4/btrfs-clarify-error-returns-values-in-__load_free_sp.patch b/queue-4.4/btrfs-clarify-error-returns-values-in-__load_free_sp.patch
new file mode 100644
index 00000000000..e8dff973faa
--- /dev/null
+++ b/queue-4.4/btrfs-clarify-error-returns-values-in-__load_free_sp.patch
@@ -0,0 +1,60 @@
+From fde5bc858d6c6db2f75538a88c06fc5935cdb832 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Nov 2020 09:08:04 +0800
+Subject: btrfs: clarify error returns values in __load_free_space_cache
+
+From: Zhihao Cheng
+
+[ Upstream commit 3cc64e7ebfb0d7faaba2438334c43466955a96e8 ]
+
+Return value in __load_free_space_cache is not properly set after
+(unlikely) memory allocation failures and 0 is returned instead.
+This is not a problem for the caller load_free_space_cache because only
+value 1 is considered as 'cache loaded' but for clarity it's better
+to set the errors accordingly.
+
+Fixes: a67509c30079 ("Btrfs: add a io_ctl struct and helpers for dealing with the space cache")
+Reported-by: Hulk Robot
+Signed-off-by: Zhihao Cheng
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/free-space-cache.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
+index 05b1b0f99f0bc..55d8020afc583 100644
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -754,8 +754,10 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
+ while (num_entries) {
+ e = kmem_cache_zalloc(btrfs_free_space_cachep,
+ GFP_NOFS);
+- if (!e)
++ if (!e) {
++ ret = -ENOMEM;
+ goto free_cache;
++ }
+
+ ret = io_ctl_read_entry(&io_ctl, e, &type);
+ if (ret) {
+@@ -764,6 +766,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
+ }
+
+ if (!e->bytes) {
++ ret = -1;
+ kmem_cache_free(btrfs_free_space_cachep, e);
+ goto free_cache;
+ }
+@@ -783,6 +786,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
+ num_bitmaps--;
+ e->bitmap = kzalloc(PAGE_CACHE_SIZE, GFP_NOFS);
+ if (!e->bitmap) {
++ ret = -ENOMEM;
+ kmem_cache_free(
+ btrfs_free_space_cachep, e);
+ goto free_cache;
+--
+2.27.0
+
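Review bot: In the `if (!e->bytes)` branch the new `ret = -1;` is a bare number, while the two allocation-failure branches added by the same patch use `-ENOMEM`. Anything that treats the value as an errno will read -1 as -EPERM, which is not what a zero-length cache entry means. The commit message says the caller only treats 1 as 'cache loaded', so this is not a functional problem as described, but a named code or a short comment would make the intent explicit, for example `ret = -EINVAL; /* zero-length entry: cache is not usable */`. `__load_free_space_cache` begins and ends outside these hunks.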
diff --git a/queue-4.4/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch b/queue-4.4/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch
new file mode 100644
index 00000000000..93bec31e259
--- /dev/null
+++ b/queue-4.4/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch
@@ -0,0 +1,39 @@
+From 62a35f90224add9dd4cf1dabef65ef0a5a7a33d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Dec 2020 13:15:54 +0100
+Subject: clk: meson: clk-pll: fix initializing the old rate (fallback) for a
+ PLL
+
+From: Martin Blumenstingl
+
+[ Upstream commit 2f290b7c67adf6459a17a4c978102af35cd62e4a ]
+
+The "rate" parameter in meson_clk_pll_set_rate() contains the new rate.
+Retrieve the old rate with clk_hw_get_rate() so we don't inifinitely try
+to switch from the new rate to the same rate again.
+
+Fixes: 7a29a869434e8b ("clk: meson: Add support for Meson clock controller")
+Signed-off-by: Martin Blumenstingl
+Signed-off-by: Jerome Brunet
+Link: https://lore.kernel.org/r/20201226121556.975418-2-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/meson/clk-pll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/meson/clk-pll.c b/drivers/clk/meson/clk-pll.c
+index 664edf0708ea7..50b1138aaad71 100644
+--- a/drivers/clk/meson/clk-pll.c
++++ b/drivers/clk/meson/clk-pll.c
+@@ -138,7 +138,7 @@ static int meson_clk_pll_set_rate(struct clk_hw *hw, unsigned long rate,
+ if (parent_rate == 0 || rate == 0)
+ return -EINVAL;
+
+- old_rate = rate;
++ old_rate = clk_hw_get_rate(hw);
+
+ rate_set = meson_clk_get_pll_settings(pll, rate);
+ if (!rate_set)
+--
+2.27.0
+
diff --git a/queue-4.4/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch b/queue-4.4/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch
new file mode 100644
index 00000000000..45d74239d0c
--- /dev/null
+++ b/queue-4.4/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch
@@ -0,0 +1,49 @@ +From 6548ce854c561ce911280a78b9c578175cce6f8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 13:19:55 -0800 +Subject: clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is + defined +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom Rix + +[ Upstream commit 7da390694afbaed8e0f05717a541dfaf1077ba51 ] + +When DEBUG is defined this error occurs + +drivers/clocksource/mxs_timer.c:138:1: error: + expected ‘;’ before ‘}’ token + +The preceding statement needs a semicolon. +Replace pr_info() with pr_debug() and remove the unneeded ifdef. + +Fixes: eb8703e2ef7c ("clockevents/drivers/mxs: Migrate to new 'set-state' interface") +Signed-off-by: Tom Rix +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210118211955.763609-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/mxs_timer.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/clocksource/mxs_timer.c b/drivers/clocksource/mxs_timer.c +index f5ce2961c0d62..23f125126fa81 100644 +--- a/drivers/clocksource/mxs_timer.c ++++ b/drivers/clocksource/mxs_timer.c +@@ -154,10 +154,7 @@ static void mxs_irq_clear(char *state) + + /* Clear pending interrupt */ + timrot_irq_acknowledge(); +- +-#ifdef DEBUG +- pr_info("%s: changing mode to %s\n", __func__, state) +-#endif /* DEBUG */ ++ pr_debug("%s: changing mode to %s\n", __func__, state); + } + + static int mxs_shutdown(struct clock_event_device *evt) +-- +2.27.0 + diff --git a/queue-4.4/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch b/queue-4.4/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch new file mode 100644 index 00000000000..672342a8285 --- /dev/null +++ b/queue-4.4/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch 
@@ -0,0 +1,51 @@ +From 30729df165bfb97bf0f5e87c4d4b692a1fefcbdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Dec 2020 17:06:14 +0100 +Subject: dmaengine: fsldma: Fix a resource leak in an error handling path of + the probe function + +From: Christophe JAILLET + +[ Upstream commit b202d4e82531a62a33a6b14d321dd2aad491578e ] + +In case of error, the previous 'fsl_dma_chan_probe()' calls must be undone +by some 'fsl_dma_chan_remove()', as already done in the remove function. + +It was added in the remove function in commit 77cd62e8082b ("fsldma: allow +Freescale Elo DMA driver to be compiled as a module") + +Fixes: d3f620b2c4fe ("fsldma: simplify IRQ probing and handling") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201212160614.92576-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/fsldma.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c +index 1a637104cc08e..7c4b4c71d3a0e 100644 +--- a/drivers/dma/fsldma.c ++++ b/drivers/dma/fsldma.c +@@ -1335,6 +1335,7 @@ static int fsldma_of_probe(struct platform_device *op) + { + struct fsldma_device *fdev; + struct device_node *child; ++ unsigned int i; + int err; + + fdev = kzalloc(sizeof(*fdev), GFP_KERNEL); +@@ -1416,6 +1417,10 @@ static int fsldma_of_probe(struct platform_device *op) + return 0; + + out_free_fdev: ++ for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++) { ++ if (fdev->chan[i]) ++ fsl_dma_chan_remove(fdev->chan[i]); ++ } + irq_dispose_mapping(fdev->irq); + kfree(fdev); + out_return: +-- +2.27.0 + diff --git a/queue-4.4/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch b/queue-4.4/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch new file mode 100644 index 00000000000..e324d4be41b --- /dev/null +++ b/queue-4.4/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch 
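Review bot: The `out_free_fdev` path extended here still goes from `irq_dispose_mapping(fdev->irq);` straight to `kfree(fdev);` with no `iounmap(fdev->regs)`, whereas the remove function shown in the companion fsldma patch on this page does call `iounmap(fdev->regs);` before freeing. If the register mapping is created before the jumps to this label (the mapping code is outside the hunk), the error path leaks it. Adding `iounmap(fdev->regs);` after `irq_dispose_mapping()` would close that, with a separate label further down for any failure that occurs before the mapping succeeds. The new loop itself relies on `fdev` being zero-initialised by `kzalloc()`, which the first inner hunk shows.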
@@ -0,0 +1,42 @@
+From b61bc1754964bb00489a0569f3865f4c84fea63a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Dec 2020 17:05:16 +0100
+Subject: dmaengine: fsldma: Fix a resource leak in the remove function
+
+From: Christophe JAILLET
+
+[ Upstream commit cbc0ad004c03ad7971726a5db3ec84dba3dcb857 ]
+
+A 'irq_dispose_mapping()' call is missing in the remove function.
+Add it.
+
+This is needed to undo the 'irq_of_parse_and_map() call from the probe
+function and already part of the error handling path of the probe function.
+
+It was added in the probe function only in commit d3f620b2c4fe ("fsldma:
+simplify IRQ probing and handling")
+
+Fixes: 77cd62e8082b ("fsldma: allow Freescale Elo DMA driver to be compiled as a module")
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/20201212160516.92515-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/fsldma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c
+index 2209f75fdf05b..1a637104cc08e 100644
+--- a/drivers/dma/fsldma.c
++++ b/drivers/dma/fsldma.c
+@@ -1436,6 +1436,7 @@ static int fsldma_of_remove(struct platform_device *op)
+ if (fdev->chan[i])
+ fsl_dma_chan_remove(fdev->chan[i]);
+ }
++ irq_dispose_mapping(fdev->irq);
+
+ iounmap(fdev->regs);
+ kfree(fdev);
+--
+2.27.0
+
diff --git a/queue-4.4/drm-gma500-fix-error-return-code-in-psb_driver_load.patch b/queue-4.4/drm-gma500-fix-error-return-code-in-psb_driver_load.patch
new file mode 100644
index 00000000000..0ea6dc21b20
--- /dev/null
+++ b/queue-4.4/drm-gma500-fix-error-return-code-in-psb_driver_load.patch
@@ -0,0 +1,38 @@
+From 7a5bc791f8c81bd704dd5a6658af1222a0f51b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 Nov 2020 10:02:16 +0800
+Subject: drm/gma500: Fix error return code in psb_driver_load()
+
+From: Jialin Zhang
+
+[ Upstream commit 6926872ae24452d4f2176a3ba2dee659497de2c4 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 5c49fd3aa0ab ("gma500: Add the core DRM files and headers")
+Reported-by: Hulk Robot
+Signed-off-by: Jialin Zhang
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20201130020216.1906141-1-zhangjialin11@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/gma500/psb_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c
+index db98ab5cde3d8..15a909efe0c70 100644
+--- a/drivers/gpu/drm/gma500/psb_drv.c
++++ b/drivers/gpu/drm/gma500/psb_drv.c
+@@ -325,6 +325,8 @@ static int psb_driver_load(struct drm_device *dev, unsigned long flags)
+ if (ret)
+ goto out_err;
+
++ ret = -ENOMEM;
++
+ dev_priv->mmu = psb_mmu_driver_init(dev, 1, 0, 0);
+ if (!dev_priv->mmu)
+ goto out_err;
+--
+2.27.0
+
diff --git a/queue-4.4/fbdev-aty-sparc64-requires-fb_aty_ct.patch b/queue-4.4/fbdev-aty-sparc64-requires-fb_aty_ct.patch
new file mode 100644
index 00000000000..e40e5b08337
--- /dev/null
+++ b/queue-4.4/fbdev-aty-sparc64-requires-fb_aty_ct.patch
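Review bot: Presetting `ret = -ENOMEM;` ahead of `psb_mmu_driver_init()` only covers the NULL checks that follow until some later call assigns `ret` again; any `if (!ptr) goto out_err;` placed after such a call would return 0 once more. Setting the code inside the failing branch is sturdier, `if (!dev_priv->mmu) { ret = -ENOMEM; goto out_err; }`, and keeps the error value next to the condition that produces it. The rest of psb_driver_load is outside the hunk, so which later checks depend on the preset value cannot be seen here.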
@@ -0,0 +1,62 @@ +From 784fbf05d2ec356649ffff18b97dbd46d0a86d9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Nov 2020 19:17:52 -0800 +Subject: fbdev: aty: SPARC64 requires FB_ATY_CT + +From: Randy Dunlap + +[ Upstream commit c6c90c70db4d9a0989111d6b994d545659410f7a ] + +It looks like SPARC64 requires FB_ATY_CT to build without errors, +so have FB_ATY select FB_ATY_CT if both SPARC64 and PCI are enabled +instead of using "default y if SPARC64 && PCI", which is not strong +enough to prevent build errors. + +As it currently is, FB_ATY_CT can be disabled, resulting in build +errors: + +ERROR: modpost: "aty_postdividers" [drivers/video/fbdev/aty/atyfb.ko] undefined! +ERROR: modpost: "aty_ld_pll_ct" [drivers/video/fbdev/aty/atyfb.ko] undefined! + +Reviewed-by: Geert Uytterhoeven +Fixes: f7018c213502 ("video: move fbdev to drivers/video/fbdev") +Signed-off-by: Randy Dunlap +Cc: "David S. Miller" +Cc: sparclinux@vger.kernel.org +Cc: Tomi Valkeinen +Cc: dri-devel@lists.freedesktop.org +Cc: linux-fbdev@vger.kernel.org +Cc: Daniel Vetter +Cc: David Airlie +Cc: Bartlomiej Zolnierkiewicz +Cc: Geert Uytterhoeven +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20201127031752.10371-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index 6873be0344486..e24e77e31529e 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -1397,6 +1397,7 @@ config FB_ATY + select FB_CFB_IMAGEBLIT + select FB_BACKLIGHT if FB_ATY_BACKLIGHT + select FB_MACMODES if PPC ++ select FB_ATY_CT if SPARC64 && PCI + help + This driver supports graphics boards with the ATI Mach64 chips. + Say Y if you have such a graphics board. +@@ -1407,7 +1408,6 @@ config FB_ATY + config FB_ATY_CT + bool "Mach64 CT/VT/GT/LT (incl. 
3D RAGE) support" + depends on PCI && FB_ATY +- default y if SPARC64 && PCI + help + Say Y here to support use of ATI's 64-bit Rage boards (or other + boards based on the Mach64 CT, VT, GT, and LT chipsets) as a +-- +2.27.0 + diff --git a/queue-4.4/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch b/queue-4.4/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch new file mode 100644 index 00000000000..b91fd1b8fdd --- /dev/null +++ b/queue-4.4/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch @@ -0,0 +1,39 @@ +From 574c77ce4a11778a783884e70d61b4892072f25e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 13:01:08 +0000 +Subject: fs/jfs: fix potential integer overflow on shift of a int + +From: Colin Ian King + +[ Upstream commit 4208c398aae4c2290864ba15c3dab7111f32bec1 ] + +The left shift of int 32 bit integer constant 1 is evaluated using 32 bit +arithmetic and then assigned to a signed 64 bit integer. In the case where +l2nb is 32 or more this can lead to an overflow. Avoid this by shifting +the value 1LL instead. + +Addresses-Coverity: ("Uninitentional integer overflow") +Fixes: b40c2e665cd5 ("fs/jfs: TRIM support for JFS Filesystem") +Signed-off-by: Colin Ian King +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 2d514c7affc2a..9ff510a489cb1 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1669,7 +1669,7 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen) + } else if (rc == -ENOSPC) { + /* search for next smaller log2 block */ + l2nb = BLKSTOL2(nblocks) - 1; +- nblocks = 1 << l2nb; ++ nblocks = 1LL << l2nb; + } else { + /* Trim any already allocated blocks */ + jfs_error(bmp->db_ipbmap->i_sb, "-EIO\n"); +-- +2.27.0 + 
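Review bot: In the jfs hunk, `nblocks = 1LL << l2nb;` fixes the width of the shift but not its lower bound: `l2nb` is `BLKSTOL2(nblocks) - 1`, so if BLKSTOL2 can yield 0 (presumably when nblocks is 1) the shift count is -1, which is undefined behaviour. A guard ahead of the shift would cover that case, e.g. `if (l2nb < 0) break;`, assuming this branch sits inside the search loop of dbDiscardAG, which begins outside the hunk.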
diff --git a/queue-4.4/gma500-clean-up-error-handling-in-init.patch b/queue-4.4/gma500-clean-up-error-handling-in-init.patch
new file mode 100644
index 00000000000..fc009ea333b
--- /dev/null
+++ b/queue-4.4/gma500-clean-up-error-handling-in-init.patch
@@ -0,0 +1,73 @@ +From 2da361554f6fc3bba40d51c8fa702b372f92c28f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Dec 2020 11:40:48 +0300 +Subject: gma500: clean up error handling in init + +From: Dan Carpenter + +[ Upstream commit 15ccc39b3aab667c6fa131206f01f31bfbccdf6a ] + +The main problem with this error handling was that it didn't clean up if +i2c_add_numbered_adapter() failed. This code is pretty old, and doesn't +match with today's checkpatch.pl standards so I took the opportunity to +tidy it up a bit. I changed the NULL comparison, and removed the +WARNING message if kzalloc() fails and updated the label names. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Dan Carpenter +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/X8ikkAqZfnDO2lu6@mwanda +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c b/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c +index e281070611480..fc9a34ed58bd1 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c +@@ -279,11 +279,8 @@ int oaktrail_hdmi_i2c_init(struct pci_dev *dev) + hdmi_dev = pci_get_drvdata(dev); + + i2c_dev = kzalloc(sizeof(struct hdmi_i2c_dev), GFP_KERNEL); +- if (i2c_dev == NULL) { +- DRM_ERROR("Can't allocate interface\n"); +- ret = -ENOMEM; +- goto exit; +- } ++ if (!i2c_dev) ++ return -ENOMEM; + + i2c_dev->adap = &oaktrail_hdmi_i2c_adapter; + i2c_dev->status = I2C_STAT_INIT; +@@ -300,16 +297,23 @@ int oaktrail_hdmi_i2c_init(struct pci_dev *dev) + oaktrail_hdmi_i2c_adapter.name, hdmi_dev); + if (ret) { + DRM_ERROR("Failed to request IRQ for I2C controller\n"); +- goto err; ++ goto free_dev; + } + + /* Adapter registration */ + ret = i2c_add_numbered_adapter(&oaktrail_hdmi_i2c_adapter); +- return ret; ++ if (ret) { ++ DRM_ERROR("Failed to 
add I2C adapter\n"); ++ goto free_irq; ++ } + +-err: ++ return 0; ++ ++free_irq: ++ free_irq(dev->irq, hdmi_dev); ++free_dev: + kfree(i2c_dev); +-exit: ++ + return ret; + } + +-- +2.27.0 + diff --git a/queue-4.4/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch b/queue-4.4/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch new file mode 100644 index 00000000000..8cb00ed82bc --- /dev/null +++ b/queue-4.4/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch 
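Review bot: The new `free_dev:` label releases `i2c_dev` with `kfree(i2c_dev);`, but the lines between the two inner hunks are not shown, so it cannot be confirmed that no pointer to it was stored beforehand (for instance in `hdmi_dev`, which is also passed to `request_irq()` as the handler cookie). If such an assignment exists, a failed init leaves a dangling pointer that later code could follow; clearing it before the free, along the lines of `hdmi_dev->i2c_dev = NULL;`, would avoid that. The field name needs checking against the struct definition, which is not on this page.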
@@ -0,0 +1,51 @@ +From 769b96f590f1a948727159f4092a52f470cebd3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Dec 2020 17:12:21 -0800 +Subject: HID: core: detect and skip invalid inputs to snto32() + +From: Randy Dunlap + +[ Upstream commit a0312af1f94d13800e63a7d0a66e563582e39aec ] + +Prevent invalid (0, 0) inputs to hid-core's snto32() function. + +Maybe it is just the dummy device here that is causing this, but +there are hundreds of calls to snto32(0, 0). Having n (bits count) +of 0 is causing the current UBSAN trap with a shift value of +0xffffffff (-1, or n - 1 in this function). + +Either of the value to shift being 0 or the bits count being 0 can be +handled by just returning 0 to the caller, avoiding the following +complex shift + OR operations: + + return value & (1 << (n - 1)) ? value | (~0U << n) : value; + +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Signed-off-by: Randy Dunlap +Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: linux-input@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 1495cf343d9f5..25544a08fa838 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1109,6 +1109,9 @@ EXPORT_SYMBOL_GPL(hid_open_report); + + static s32 snto32(__u32 value, unsigned n) + { ++ if (!value || !n) ++ return 0; ++ + switch (n) { + case 8: return ((__s8)value); + case 16: return ((__s16)value); +-- +2.27.0 + diff --git a/queue-4.4/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch b/queue-4.4/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch new file mode 100644 index 00000000000..ba7c62c8c3a --- /dev/null +++ b/queue-4.4/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch 
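Review bot: The added `if (!value || !n) return 0;` handles a zero bit count but not an oversized one: the fallback expression quoted in the commit message, `value & (1 << (n - 1)) ? value | (~0U << n) : value`, shifts by `n` and `n - 1`, which is undefined for `n` above 32 and, unless a `case 32` follows the visible `case 16`, for `n == 32` too. Since `n` presumably comes from a device-supplied report descriptor, an upper clamp next to the new check would be worth adding, e.g. `if (n > 32) n = 32;`. The remainder of the switch is outside the hunk.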
@@ -0,0 +1,40 @@ +From fef9f600c7799b7b980633814964576cebc8ec84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 17:11:01 +0100 +Subject: i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition + +From: Maxime Ripard + +[ Upstream commit a1858ce0cfe31368b23ba55794e409fb57ced4a4 ] + +The brcmstb_send_i2c_cmd currently has a condition that is (CMD_RD || +CMD_WR) which always evaluates to true, while the obvious fix is to test +whether the cmd variable passed as parameter holds one of these two +values. + +Fixes: dd1aa2524bc5 ("i2c: brcmstb: Add Broadcom settop SoC i2c controller driver") +Reported-by: Dave Stevenson +Signed-off-by: Maxime Ripard +Acked-by: Florian Fainelli +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-brcmstb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-brcmstb.c b/drivers/i2c/busses/i2c-brcmstb.c +index 81115abf3c1f5..6e9007adad849 100644 +--- a/drivers/i2c/busses/i2c-brcmstb.c ++++ b/drivers/i2c/busses/i2c-brcmstb.c +@@ -304,7 +304,7 @@ static int brcmstb_send_i2c_cmd(struct brcmstb_i2c_dev *dev, + goto cmd_out; + } + +- if ((CMD_RD || CMD_WR) && ++ if ((cmd == CMD_RD || cmd == CMD_WR) && + bsc_readl(dev, iic_enable) & BSC_IIC_EN_NOACK_MASK) { + rc = -EREMOTEIO; + dev_dbg(dev->device, "controller received NOACK intr for %s\n", +-- +2.27.0 + diff --git a/queue-4.4/ib-umad-return-eio-in-case-of-when-device-disassocia.patch b/queue-4.4/ib-umad-return-eio-in-case-of-when-device-disassocia.patch new file mode 100644 index 00000000000..e553e833854 --- /dev/null +++ b/queue-4.4/ib-umad-return-eio-in-case-of-when-device-disassocia.patch 
@@ -0,0 +1,54 @@ +From 96aa5690106019528c11d7957cb27ebfb90478d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jan 2021 14:13:38 +0200 +Subject: IB/umad: Return EIO in case of when device disassociated + +From: Shay Drory + +[ Upstream commit 4fc5461823c9cad547a9bdfbf17d13f0da0d6bb5 ] + +MAD message received by the user has EINVAL error in all flows +including when the device is disassociated. That makes it impossible +for the applications to treat such flow differently. + +Change it to return EIO, so the applications will be able to perform +disassociation recovery. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20210125121339.837518-2-leon@kernel.org +Signed-off-by: Shay Drory +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index e9e75f40714cb..27bc51409f559 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -342,6 +342,11 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + + mutex_lock(&file->mutex); + ++ if (file->agents_dead) { ++ mutex_unlock(&file->mutex); ++ return -EIO; ++ } ++ + while (list_empty(&file->recv_list)) { + mutex_unlock(&file->mutex); + +@@ -484,7 +489,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + + agent = __get_agent(file, packet->mad.hdr.id); + if (!agent) { +- ret = -EINVAL; ++ ret = -EIO; + goto err_up; + } + +-- +2.27.0 + diff --git a/queue-4.4/input-elo-fix-an-error-code-in-elo_connect.patch b/queue-4.4/input-elo-fix-an-error-code-in-elo_connect.patch new file mode 100644 index 00000000000..9393b613b0b --- /dev/null +++ b/queue-4.4/input-elo-fix-an-error-code-in-elo_connect.patch 
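Review bot: In ib_umad_read the new `file->agents_dead` test runs once, before the `while (list_empty(&file->recv_list))` loop, and that loop begins by dropping `file->mutex`; if the device is disassociated while the reader waits, the flag is not examined again in the lines shown. Repeating the check after the loop, with the mutex held, would make the -EIO result reliable: `if (file->agents_dead) { mutex_unlock(&file->mutex); return -EIO; }`. In ib_umad_write, `ret = -EIO` now covers every NULL return from `__get_agent()`, so a caller passing an unknown agent id is reported as a device error as well; testing `file->agents_dead` separately would keep -EINVAL for that case. Both function bodies extend beyond their hunks.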
@@ -0,0 +1,40 @@ +From 1f53b89c4941b56f95e4d406dc1da0e1c1b4d82f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Feb 2021 20:29:05 -0800 +Subject: Input: elo - fix an error code in elo_connect() + +From: Dan Carpenter + +[ Upstream commit 0958351e93fa0ac142f6dd8bd844441594f30a57 ] + +If elo_setup_10() fails then this should return an error code instead +of success. + +Fixes: fae3006e4b42 ("Input: elo - add support for non-pressure-sensitive touchscreens") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YBKFd5CvDu+jVmfW@mwanda +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/elo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/elo.c b/drivers/input/touchscreen/elo.c +index 8051a4b704ea3..e2e31cbd6b2c3 100644 +--- a/drivers/input/touchscreen/elo.c ++++ b/drivers/input/touchscreen/elo.c +@@ -345,8 +345,10 @@ static int elo_connect(struct serio *serio, struct serio_driver *drv) + switch (elo->id) { + + case 0: /* 10-byte protocol */ +- if (elo_setup_10(elo)) ++ if (elo_setup_10(elo)) { ++ err = -EIO; + goto fail3; ++ } + + break; + +-- +2.27.0 + diff --git a/queue-4.4/isofs-release-buffer-head-before-return.patch b/queue-4.4/isofs-release-buffer-head-before-return.patch new file mode 100644 index 00000000000..6681995aec8 --- /dev/null +++ b/queue-4.4/isofs-release-buffer-head-before-return.patch 
@@ -0,0 +1,49 @@ +From 9e43e132db2e887ac8bd5962198c96a6c87b7592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 04:04:55 -0800 +Subject: isofs: release buffer head before return + +From: Pan Bian + +[ Upstream commit 0a6dc67a6aa45f19bd4ff89b4f468fc50c4b8daa ] + +Release the buffer_head before returning error code in +do_isofs_readdir() and isofs_find_entry(). + +Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem") +Link: https://lore.kernel.org/r/20210118120455.118955-1-bianpan2016@163.com +Signed-off-by: Pan Bian +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/isofs/dir.c | 1 + + fs/isofs/namei.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c +index b943cbd963bb9..2e7d74c7beed8 100644 +--- a/fs/isofs/dir.c ++++ b/fs/isofs/dir.c +@@ -151,6 +151,7 @@ static int do_isofs_readdir(struct inode *inode, struct file *file, + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, + inode->i_ino); ++ brelse(bh); + return -EIO; + } + +diff --git a/fs/isofs/namei.c b/fs/isofs/namei.c +index 7b543e6b6526d..696f255d15325 100644 +--- a/fs/isofs/namei.c ++++ b/fs/isofs/namei.c +@@ -101,6 +101,7 @@ isofs_find_entry(struct inode *dir, struct dentry *dentry, + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, + dir->i_ino); ++ brelse(bh); + return 0; + } + +-- +2.27.0 + diff --git a/queue-4.4/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch b/queue-4.4/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch new file mode 100644 index 00000000000..6ca398edf13 --- /dev/null +++ b/queue-4.4/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch 
@@ -0,0 +1,58 @@ +From 3a2545daae460aa792c68aa4b3ef4589cd456350 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Dec 2020 06:56:04 -0800 +Subject: jffs2: fix use after free in jffs2_sum_write_data() + +From: Tom Rix + +[ Upstream commit 19646447ad3a680d2ab08c097585b7d96a66126b ] + +clang static analysis reports this problem + +fs/jffs2/summary.c:794:31: warning: Use of memory after it is freed + c->summary->sum_list_head = temp->u.next; + ^~~~~~~~~~~~ + +In jffs2_sum_write_data(), in a loop summary data is handles a node at +a time. When it has written out the node it is removed the summary list, +and the node is deleted. In the corner case when a +JFFS2_FEATURE_RWCOMPAT_COPY is seen, a call is made to +jffs2_sum_disable_collecting(). jffs2_sum_disable_collecting() deletes +the whole list which conflicts with the loop's deleting the list by parts. + +To preserve the old behavior of stopping the write midway, bail out of +the loop after disabling summary collection. + +Fixes: 6171586a7ae5 ("[JFFS2] Correct handling of JFFS2_FEATURE_RWCOMPAT_COPY nodes.") +Signed-off-by: Tom Rix +Reviewed-by: Nathan Chancellor +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/summary.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c +index bc5385471a6e3..c05d6f5f10ecd 100644 +--- a/fs/jffs2/summary.c ++++ b/fs/jffs2/summary.c +@@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock + dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n", + je16_to_cpu(temp->u.nodetype)); + jffs2_sum_disable_collecting(c->summary); ++ /* The above call removes the list, nothing more to do */ ++ goto bail_rwcompat; + } else { + BUG(); /* unknown node in summary information */ + } +@@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock + + c->summary->sum_num--; + } ++ bail_rwcompat: + + 
jffs2_sum_reset_collected(c->summary); + +-- +2.27.0 + diff --git a/queue-4.4/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch b/queue-4.4/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch new file mode 100644 index 00000000000..804b3efa353 --- /dev/null +++ b/queue-4.4/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch @@ -0,0 +1,46 @@ +From 8b4b9f6db69b3e76f0c8105da6c7db4c3fa2b218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Jan 2021 22:21:46 +0100 +Subject: media: cx25821: Fix a bug when reallocating some dma memory + +From: Christophe JAILLET + +[ Upstream commit b2de3643c5024fc4fd128ba7767c7fb8b714bea7 ] + +This function looks like a realloc. + +However, if 'risc->cpu != NULL', the memory will be freed, but never +reallocated with the bigger 'size'. +Explicitly set 'risc->cpu' to NULL, so that the reallocation is +correctly performed a few lines below. + +[hverkuil: NULL != risc->cpu -> risc->cpu] + +Fixes: 5ede94c70553 ("[media] cx25821: remove bogus btcx_risc dependency) +Signed-off-by: Christophe JAILLET +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx25821/cx25821-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c +index 54398d8a4696c..b43cf85ed5f05 100644 +--- a/drivers/media/pci/cx25821/cx25821-core.c ++++ b/drivers/media/pci/cx25821/cx25821-core.c +@@ -990,8 +990,10 @@ int cx25821_riscmem_alloc(struct pci_dev *pci, + __le32 *cpu; + dma_addr_t dma = 0; + +- if (NULL != risc->cpu && risc->size < size) ++ if (risc->cpu && risc->size < size) { + pci_free_consistent(pci, risc->size, risc->cpu, risc->dma); ++ risc->cpu = NULL; ++ } + if (NULL == risc->cpu) { + cpu = pci_zalloc_consistent(pci, size, &dma); + if (NULL == cpu) +-- +2.27.0 + 
diff --git a/queue-4.4/media-lmedm04-fix-misuse-of-comma.patch b/queue-4.4/media-lmedm04-fix-misuse-of-comma.patch new file mode 100644 index 00000000000..e4f83df6210 --- /dev/null +++ b/queue-4.4/media-lmedm04-fix-misuse-of-comma.patch @@ -0,0 +1,40 @@ +From 4fbd52106bf1cb409e6db2a02bd2115dae2279ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 20:13:31 +0200 +Subject: media: lmedm04: Fix misuse of comma + +From: Joe Perches + +[ Upstream commit 59a3e78f8cc33901fe39035c1ab681374bba95ad ] + +There's a comma used instead of a semicolon that causes multiple +statements to be executed after an if instead of just the intended +single statement. + +Replace the comma with a semicolon. + +Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb") +Signed-off-by: Joe Perches +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c +index 09c97847bf959..b586a23ab5887 100644 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -445,7 +445,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) + ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe); + + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) +- lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa), ++ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa); + + lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + +-- +2.27.0 + diff --git a/queue-4.4/media-media-pci-fix-memleak-in-empress_init.patch b/queue-4.4/media-media-pci-fix-memleak-in-empress_init.patch new file mode 100644 index 00000000000..87345fa3115 --- /dev/null +++ b/queue-4.4/media-media-pci-fix-memleak-in-empress_init.patch 
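Review bot: In the lmedm04 hunk, `ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe);` is dereferenced in the very next statement as `&ep->desc` with no NULL test, and usb_pipe_endpoint() returns NULL when the device has no endpoint for that pipe. Because the endpoint layout is supplied by the attached device, a check such as `if (!ep) return -ENODEV;` belongs before the `usb_endpoint_type()` call. Anything allocated earlier in lme2510_int_read, which starts outside the hunk, would need releasing on that path.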
@@ -0,0 +1,42 @@ +From f14064ebba060938ebc9112f687f669e04a45ce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jan 2021 07:27:22 +0100 +Subject: media: media/pci: Fix memleak in empress_init + +From: Dinghao Liu + +[ Upstream commit 15d0c52241ecb1c9d802506bff6f5c3f7872c0df ] + +When vb2_queue_init() fails, dev->empress_dev +should be released just like other error handling +paths. + +Fixes: 2ada815fc48bb ("[media] saa7134: convert to vb2") +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7134/saa7134-empress.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7134/saa7134-empress.c b/drivers/media/pci/saa7134/saa7134-empress.c +index 56b932c97196d..ae3b96e9cff35 100644 +--- a/drivers/media/pci/saa7134/saa7134-empress.c ++++ b/drivers/media/pci/saa7134/saa7134-empress.c +@@ -295,8 +295,11 @@ static int empress_init(struct saa7134_dev *dev) + q->timestamp_flags = V4L2_BUF_FLAG_TIMESTAMP_MONOTONIC; + q->lock = &dev->lock; + err = vb2_queue_init(q); +- if (err) ++ if (err) { ++ video_device_release(dev->empress_dev); ++ dev->empress_dev = NULL; + return err; ++ } + dev->empress_dev->queue = q; + + video_set_drvdata(dev->empress_dev, dev); +-- +2.27.0 + diff --git a/queue-4.4/media-tm6000-fix-memleak-in-tm6000_start_stream.patch b/queue-4.4/media-tm6000-fix-memleak-in-tm6000_start_stream.patch new file mode 100644 index 00000000000..572fb245be3 --- /dev/null +++ b/queue-4.4/media-tm6000-fix-memleak-in-tm6000_start_stream.patch 
@@ -0,0 +1,40 @@ +From 337dcd6b570388af617d476afe6bda39f3009ba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jan 2021 09:26:37 +0100 +Subject: media: tm6000: Fix memleak in tm6000_start_stream + +From: Dinghao Liu + +[ Upstream commit 76aaf8a96771c16365b8510f1fb97738dc88026e ] + +When usb_clear_halt() fails, dvb->bulk_urb->transfer_buffer +and dvb->bulk_urb should be freed just like when +usb_submit_urb() fails. + +Fixes: 3169c9b26fffa ("V4L/DVB (12788): tm6000: Add initial DVB-T support") +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/tm6000/tm6000-dvb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/tm6000/tm6000-dvb.c b/drivers/media/usb/tm6000/tm6000-dvb.c +index 87401b18d85a8..8afc7de1cf834 100644 +--- a/drivers/media/usb/tm6000/tm6000-dvb.c ++++ b/drivers/media/usb/tm6000/tm6000-dvb.c +@@ -158,6 +158,10 @@ static int tm6000_start_stream(struct tm6000_core *dev) + if (ret < 0) { + printk(KERN_ERR "tm6000: error %i in %s during pipe reset\n", + ret, __func__); ++ ++ kfree(dvb->bulk_urb->transfer_buffer); ++ usb_free_urb(dvb->bulk_urb); ++ dvb->bulk_urb = NULL; + return ret; + } else + printk(KERN_ERR "tm6000: pipe resetted\n"); +-- +2.27.0 + diff --git a/queue-4.4/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch b/queue-4.4/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch new file mode 100644 index 00000000000..6c4c3c9e5e2 --- /dev/null +++ b/queue-4.4/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch 
@@ -0,0 +1,82 @@ +From 74bf84089066e56f54a4e01a722971c1c25cf65d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Dec 2020 15:11:13 +0100 +Subject: media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Laurent Pinchart + +[ Upstream commit dc9455ffae02d7b7fb51ba1e007fffcb9dc5d890 ] + +The Renkforce RF AC4K 300 Action Cam 4K reports invalid bFormatIndex and +bFrameIndex values when negotiating the video probe and commit controls. +The UVC descriptors report a single supported format and frame size, +with bFormatIndex and bFrameIndex both equal to 2, but the video probe +and commit controls report bFormatIndex and bFrameIndex set to 1. + +The device otherwise operates correctly, but the driver rejects the +values and fails the format try operation. Fix it by ignoring the +invalid indices, and assuming that the format and frame requested by the +driver are accepted by the device. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=210767 + +Fixes: 8a652a17e3c0 ("media: uvcvideo: Ensure all probed info is returned to v4l2") +Reported-by: Till Dörges +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index a0a544628053d..154f5bd45940e 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -243,7 +243,9 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + goto done; + + /* After the probe, update fmt with the values returned from +- * negotiation with the device. ++ * negotiation with the device. Some devices return invalid bFormatIndex ++ * and bFrameIndex values, in which case we can only assume they have ++ * accepted the requested format as-is. 
+ */ + for (i = 0; i < stream->nformats; ++i) { + if (probe->bFormatIndex == stream->format[i].index) { +@@ -252,11 +254,10 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + } + } + +- if (i == stream->nformats) { +- uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n", ++ if (i == stream->nformats) ++ uvc_trace(UVC_TRACE_FORMAT, ++ "Unknown bFormatIndex %u, using default\n", + probe->bFormatIndex); +- return -EINVAL; +- } + + for (i = 0; i < format->nframes; ++i) { + if (probe->bFrameIndex == format->frame[i].bFrameIndex) { +@@ -265,11 +266,10 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + } + } + +- if (i == format->nframes) { +- uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n", ++ if (i == format->nframes) ++ uvc_trace(UVC_TRACE_FORMAT, ++ "Unknown bFrameIndex %u, using default\n", + probe->bFrameIndex); +- return -EINVAL; +- } + + fmt->fmt.pix.width = frame->wWidth; + fmt->fmt.pix.height = frame->wHeight; +-- +2.27.0 + diff --git a/queue-4.4/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch b/queue-4.4/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch new file mode 100644 index 00000000000..0fa18cda403 --- /dev/null +++ b/queue-4.4/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch 
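Review bot: The two new trace messages say "using default", but nothing after the `if (i == stream->nformats)` and `if (i == format->nframes)` checks selects a default. The code falls through and fills `fmt` from whatever `format` and `frame` held before the loops, which the added comment describes as the requested format. Wording such as `"Unknown bFormatIndex %u, keeping requested format\n"`, and the same for bFrameIndex, would match the behaviour. The indices come from the device, so a mismatch is now accepted and is visible only when format tracing is enabled. The assignments of `format` and `frame` are outside the hunks, so confirm both are always valid at this point, because `format->nframes` and `frame->wWidth` are dereferenced unconditionally afterwards.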
@@ -0,0 +1,44 @@ +From 9c7c3f1c53a55690f153be23bb5d2f1546513269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 17:37:24 +0300 +Subject: mfd: wm831x-auxadc: Prevent use after free in + wm831x_auxadc_read_irq() + +From: Dan Carpenter + +[ Upstream commit 26783d74cc6a440ee3ef9836a008a697981013d0 ] + +The "req" struct is always added to the "wm831x->auxadc_pending" list, +but it's only removed from the list on the success path. If a failure +occurs then the "req" struct is freed but it's still on the list, +leading to a use after free. + +Fixes: 78bb3688ea18 ("mfd: Support multiple active WM831x AUXADC conversions") +Signed-off-by: Dan Carpenter +Acked-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/wm831x-auxadc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/mfd/wm831x-auxadc.c b/drivers/mfd/wm831x-auxadc.c +index fd789d2eb0f52..9f7ae1e1ebcd6 100644 +--- a/drivers/mfd/wm831x-auxadc.c ++++ b/drivers/mfd/wm831x-auxadc.c +@@ -98,11 +98,10 @@ static int wm831x_auxadc_read_irq(struct wm831x *wm831x, + wait_for_completion_timeout(&req->done, msecs_to_jiffies(500)); + + mutex_lock(&wm831x->auxadc_lock); +- +- list_del(&req->list); + ret = req->val; + + out: ++ list_del(&req->list); + mutex_unlock(&wm831x->auxadc_lock); + + kfree(req); +-- +2.27.0 + diff --git a/queue-4.4/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch b/queue-4.4/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch new file mode 100644 index 00000000000..0799e129356 --- /dev/null +++ b/queue-4.4/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch 
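Review bot: With `list_del(&req->list)` moved below `out:`, every `goto out` has to be taken with `auxadc_lock` held and after `req` was put on `auxadc_pending`. The hunk shows only the tail of wm831x_auxadc_read_irq(), so that cannot be checked here. A comment at the label would keep later error paths honest, for example `/* reached with auxadc_lock held and req on auxadc_pending */`. Separately, the return value of `wait_for_completion_timeout()` in the context line is discarded, so a timeout is reported only through whatever `req->val` was initialised to outside the hunk.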
@@ -0,0 +1,45 @@ +From 7cbbdfe6346f1f78539c0f06503c3ce872d56e70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 13:34:56 -0700 +Subject: MIPS: c-r4k: Fix section mismatch for loongson2_sc_init + +From: Nathan Chancellor + +[ Upstream commit c58734eee6a2151ba033c0dcb31902c89e310374 ] + +When building with clang, the following section mismatch warning occurs: + +WARNING: modpost: vmlinux.o(.text+0x24490): Section mismatch in +reference from the function r4k_cache_init() to the function +.init.text:loongson2_sc_init() + +This should have been fixed with commit ad4fddef5f23 ("mips: fix Section +mismatch in reference") but it was missed. Remove the improper __init +annotation like that commit did. + +Fixes: 078a55fc824c ("MIPS: Delete __cpuinit/__CPUINIT usage from MIPS code") +Link: https://github.com/ClangBuiltLinux/linux/issues/787 +Signed-off-by: Nathan Chancellor +Reviewed-by: Huacai Chen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/c-r4k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c +index 6c0147bd8e801..90f8d6d51f316 100644 +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -1401,7 +1401,7 @@ static int probe_scache(void) + return 1; + } + +-static void __init loongson2_sc_init(void) ++static void loongson2_sc_init(void) + { + struct cpuinfo_mips *c = ¤t_cpu_data; + +-- +2.27.0 + diff --git a/queue-4.4/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch b/queue-4.4/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch new file mode 100644 index 00000000000..67c93201fa7 --- /dev/null +++ b/queue-4.4/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch 
@@ -0,0 +1,55 @@ +From 5e0482986bc16c454caf7a2815d0697b78d87a64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 13:15:48 -0700 +Subject: MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 + +From: Nathan Chancellor + +[ Upstream commit c6f2a9e17b9bef7677caddb1626c2402f3e9d2bd ] + +When building xway_defconfig with clang: + +arch/mips/lantiq/irq.c:305:48: error: use of logical '&&' with constant +operand [-Werror,-Wconstant-logical-operand] + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ^ ~~~~~~~~~~~~~~~~~ +arch/mips/lantiq/irq.c:305:48: note: use '&' for a bitwise operation + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ^~ + & +arch/mips/lantiq/irq.c:305:48: note: remove constant to silence this +warning + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ~^~~~~~~~~~~~~~~~~~~~ +1 error generated. + +Explicitly compare the constant LTQ_EBU_PCC_ISTAT against 0 to fix the +warning. Additionally, remove the unnecessary parentheses as this is a +simple conditional statement and shorthand '== 0' to '!'. 
+ +Fixes: 3645da0276ae ("OF: MIPS: lantiq: implement irq_domain support") +Link: https://github.com/ClangBuiltLinux/linux/issues/807 +Reported-by: Dmitry Golovin +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c +index a7057a06c0961..5526b89a21a02 100644 +--- a/arch/mips/lantiq/irq.c ++++ b/arch/mips/lantiq/irq.c +@@ -245,7 +245,7 @@ static void ltq_hw_irqdispatch(int module) + do_IRQ((int)irq + MIPS_CPU_IRQ_CASCADE + (INT_NUM_IM_OFFSET * module)); + + /* if this is a EBU irq, we need to ack it or get a deadlock */ +- if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) ++ if (irq == LTQ_ICU_EBU_IRQ && !module && LTQ_EBU_PCC_ISTAT != 0) + ltq_ebu_w32(ltq_ebu_r32(LTQ_EBU_PCC_ISTAT) | 0x10, + LTQ_EBU_PCC_ISTAT); + } +-- +2.27.0 + diff --git a/queue-4.4/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch b/queue-4.4/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch new file mode 100644 index 00000000000..faed9027a5c --- /dev/null +++ b/queue-4.4/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch 
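Review bot: `LTQ_EBU_PCC_ISTAT != 0` compares a constant with zero (the clang diagnostic quoted in the commit message calls it a constant operand), so the rewritten condition still never looks at the register's contents. It can only compile the ack in or out. If that is the intent, a comment on the `if` should say so, for example `/* LTQ_EBU_PCC_ISTAT is a constant; != 0 only selects builds that define the register */`. Presumably some SoC variant defines it as 0, which the hunk does not show. The body of ltq_hw_irqdispatch() starts outside the hunk.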
@@ -0,0 +1,38 @@
+From ff279e1acfcbfa8de9954f7ee965a8e38941510e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Jan 2021 10:42:52 +0530
+Subject: misc: eeprom_93xx46: Add module alias to avoid breaking support for
+ non device tree users
+
+From: Aswath Govindraju
+
+[ Upstream commit 4540b9fbd8ebb21bb3735796d300a1589ee5fbf2 ]
+
+Module alias "spi:93xx46" is used by non device tree users like
+drivers/misc/eeprom/digsy_mtc_eeprom.c and removing it will
+break support for them.
+
+Fix this by adding back the module alias "spi:93xx46".
+
+Fixes: 13613a2246bf ("misc: eeprom_93xx46: Fix module alias to enable module autoprobe")
+Signed-off-by: Aswath Govindraju
+Link: https://lore.kernel.org/r/20210113051253.15061-1-a-govindraju@ti.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/eeprom/eeprom_93xx46.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/eeprom/eeprom_93xx46.c b/drivers/misc/eeprom/eeprom_93xx46.c
+index 15c7e3574bcb2..22c1f06728a9c 100644
+--- a/drivers/misc/eeprom/eeprom_93xx46.c
++++ b/drivers/misc/eeprom/eeprom_93xx46.c
+@@ -380,4 +380,5 @@ module_spi_driver(eeprom_93xx46_driver);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Driver for 93xx46 EEPROMs");
+ MODULE_AUTHOR("Anatolij Gustschin ");
++MODULE_ALIAS("spi:93xx46");
+ MODULE_ALIAS("spi:eeprom-93xx46");
+--
+2.27.0
+
diff --git a/queue-4.4/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch b/queue-4.4/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch
new file mode 100644
index 00000000000..1ec504d289d
--- /dev/null
+++ b/queue-4.4/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch
@@ -0,0 +1,34 @@
+From 08b963e22192447168b92e4eca870becdcd3aed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Jan 2021 22:09:53 +0530
+Subject: misc: eeprom_93xx46: Fix module alias to enable module autoprobe
+
+From: Aswath Govindraju
+
+[ Upstream commit 13613a2246bf531f5fc04e8e62e8f21a3d39bf1c ]
+
+Fix module autoprobe by correcting module alias to match the string from
+/sys/class/.../spi1.0/modalias content.
+
+Fixes: 06b4501e88ad ("misc/eeprom: add driver for microwire 93xx46 EEPROMs")
+Signed-off-by: Aswath Govindraju
+Link: https://lore.kernel.org/r/20210107163957.28664-2-a-govindraju@ti.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/eeprom/eeprom_93xx46.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/eeprom/eeprom_93xx46.c b/drivers/misc/eeprom/eeprom_93xx46.c
+index ff63f05edc763..15c7e3574bcb2 100644
+--- a/drivers/misc/eeprom/eeprom_93xx46.c
++++ b/drivers/misc/eeprom/eeprom_93xx46.c
+@@ -380,4 +380,4 @@ module_spi_driver(eeprom_93xx46_driver);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Driver for 93xx46 EEPROMs");
+ MODULE_AUTHOR("Anatolij Gustschin ");
+-MODULE_ALIAS("spi:93xx46");
++MODULE_ALIAS("spi:eeprom-93xx46");
+--
+2.27.0
+
diff --git a/queue-4.4/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch b/queue-4.4/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch
new file mode 100644
index 00000000000..3e038f34775
--- /dev/null
+++ b/queue-4.4/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch
@@ -0,0 +1,46 @@ +From 3070f3d765aa703e1045bd67f3d88ecffae457f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 12:06:50 -0800 +Subject: mm/hugetlb: fix potential double free in hugetlb_register_node() + error path + +From: Miaohe Lin + +[ Upstream commit cc2205a67dec5a700227a693fc113441e73e4641 ] + +In hugetlb_sysfs_add_hstate(), we would do kobject_put() on hstate_kobjs +when failed to create sysfs group but forget to set hstate_kobjs to NULL. +Then in hugetlb_register_node() error path, we may free it again via +hugetlb_unregister_node(). + +Link: https://lkml.kernel.org/r/20210107123249.36964-1-linmiaohe@huawei.com +Fixes: a3437870160c ("hugetlb: new sysfs interface") +Signed-off-by: Miaohe Lin +Reviewed-by: Mike Kravetz +Reviewed-by: Muchun Song +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/hugetlb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index dc877712ef1f3..7c3ecac8aeb3f 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2485,8 +2485,10 @@ static int hugetlb_sysfs_add_hstate(struct hstate *h, struct kobject *parent, + return -ENOMEM; + + retval = sysfs_create_group(hstate_kobjs[hi], hstate_attr_group); +- if (retval) ++ if (retval) { + kobject_put(hstate_kobjs[hi]); ++ hstate_kobjs[hi] = NULL; ++ } + + return retval; + } +-- +2.27.0 + diff --git a/queue-4.4/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch b/queue-4.4/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch new file mode 100644 index 00000000000..8d9bb8eb4bd --- /dev/null +++ b/queue-4.4/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch 
@@ -0,0 +1,66 @@ +From 6f413a786beb3527d7f850db5516065dee13de66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 12:04:33 -0800 +Subject: mm/memory.c: fix potential pte_unmap_unlock pte error + +From: Miaohe Lin + +[ Upstream commit 90a3e375d324b2255b83e3dd29e99e2b05d82aaf ] + +Since commit 42e4089c7890 ("x86/speculation/l1tf: Disallow non privileged +high MMIO PROT_NONE mappings"), when the first pfn modify is not allowed, +we would break the loop with pte unchanged. Then the wrong pte - 1 would +be passed to pte_unmap_unlock. + +Andi said: + + "While the fix is correct, I'm not sure if it actually is a real bug. + Is there any architecture that would do something else than unlocking + the underlying page? If it's just the underlying page then it should + be always the same page, so no bug" + +Link: https://lkml.kernel.org/r/20210109080118.20885-1-linmiaohe@huawei.com +Fixes: 42e4089c789 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings") +Signed-off-by: Hongxiang Lou +Signed-off-by: Miaohe Lin +Cc: Thomas Gleixner +Cc: Dave Hansen +Cc: Andi Kleen +Cc: Josh Poimboeuf +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/mm/memory.c b/mm/memory.c +index fa752df6dc857..86ca97c24f1d9 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1686,11 +1686,11 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, + unsigned long addr, unsigned long end, + unsigned long pfn, pgprot_t prot) + { +- pte_t *pte; ++ pte_t *pte, *mapped_pte; + spinlock_t *ptl; + int err = 0; + +- pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); ++ mapped_pte = pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); + if (!pte) + return -ENOMEM; + arch_enter_lazy_mmu_mode(); +@@ -1704,7 +1704,7 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, + pfn++; + } while (pte++, addr += PAGE_SIZE, addr != end); + 
arch_leave_lazy_mmu_mode(); +- pte_unmap_unlock(pte - 1, ptl); ++ pte_unmap_unlock(mapped_pte, ptl); + return err; + } + +-- +2.27.0 + diff --git a/queue-4.4/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch b/queue-4.4/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch new file mode 100644 index 00000000000..b55c77f81ff --- /dev/null +++ b/queue-4.4/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch @@ -0,0 +1,46 @@ +From c913ff9d17e71fec6a74e0a7f953841b6c5a5f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Dec 2020 22:09:22 +0100 +Subject: mmc: usdhi6rol0: Fix a resource leak in the error handling path of + the probe + +From: Christophe JAILLET + +[ Upstream commit 6052b3c370fb82dec28bcfff6d7ec0da84ac087a ] + +A call to 'ausdhi6_dma_release()' to undo a previous call to +'usdhi6_dma_request()' is missing in the error handling path of the probe +function. + +It is already present in the remove function. + +Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201217210922.165340-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/usdhi6rol0.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c +index b47122d3e8d8c..2b6a9c6a6e965 100644 +--- a/drivers/mmc/host/usdhi6rol0.c ++++ b/drivers/mmc/host/usdhi6rol0.c +@@ -1808,10 +1808,12 @@ static int usdhi6_probe(struct platform_device *pdev) + + ret = mmc_add_host(mmc); + if (ret < 0) +- goto e_clk_off; ++ goto e_release_dma; + + return 0; + ++e_release_dma: ++ usdhi6_dma_release(host); + e_clk_off: + clk_disable_unprepare(host->clk); + e_free_mmc: +-- +2.27.0 + 
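Review bot: `mapped_pte` is added to remap_pte_range() without a comment, and the reason it exists is not visible at the `pte_unmap_unlock(mapped_pte, ptl);` call. The commit message explains that the loop can stop before `pte` has advanced, which made `pte - 1` point before the mapping. A short comment above the unlock would record that, for example `/* unlock via the pointer pte_alloc_map_lock() returned; pte may not have advanced */`. The loop body that stops early sits between the two hunks and is not shown.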
diff --git a/queue-4.4/pci-align-checking-of-syscall-user-config-accessors.patch b/queue-4.4/pci-align-checking-of-syscall-user-config-accessors.patch
new file mode 100644
index 00000000000..1c6f02df874
--- /dev/null
+++ b/queue-4.4/pci-align-checking-of-syscall-user-config-accessors.patch
@@ -0,0 +1,80 @@ +From d679570f3620a4a19a70fcd32611d07fa617a661 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Jan 2021 16:39:32 +0100 +Subject: PCI: Align checking of syscall user config accessors + +From: Heiner Kallweit + +[ Upstream commit ef9e4005cbaf022c6251263aa27836acccaef65d ] + +After 34e3207205ef ("PCI: handle positive error codes"), +pci_user_read_config_*() and pci_user_write_config_*() return 0 or negative +errno values, not PCIBIOS_* values like PCIBIOS_SUCCESSFUL or +PCIBIOS_BAD_REGISTER_NUMBER. + +Remove comparisons with PCIBIOS_SUCCESSFUL and check only for non-zero. It +happens that PCIBIOS_SUCCESSFUL is zero, so this is not a functional +change, but it aligns this code with the user accessors. + +[bhelgaas: commit log] +Fixes: 34e3207205ef ("PCI: handle positive error codes") +Link: https://lore.kernel.org/r/f1220314-e518-1e18-bf94-8e6f8c703758@gmail.com +Signed-off-by: Heiner Kallweit +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/syscall.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c +index b91c4da683657..7958250856d36 100644 +--- a/drivers/pci/syscall.c ++++ b/drivers/pci/syscall.c +@@ -21,7 +21,7 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn, + u16 word; + u32 dword; + long err; +- long cfg_ret; ++ int cfg_ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -47,7 +47,7 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn, + } + + err = -EIO; +- if (cfg_ret != PCIBIOS_SUCCESSFUL) ++ if (cfg_ret) + goto error; + + switch (len) { +@@ -105,7 +105,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + break; + err = pci_user_write_config_byte(dev, off, byte); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +@@ -114,7 +114,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + 
break; + err = pci_user_write_config_word(dev, off, word); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +@@ -123,7 +123,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + break; + err = pci_user_write_config_dword(dev, off, dword); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +-- +2.27.0 + diff --git a/queue-4.4/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch b/queue-4.4/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch new file mode 100644 index 00000000000..3a11854c368 --- /dev/null +++ b/queue-4.4/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch 
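Review bot: In pciconfig_write the three `if (err) err = -EIO;` lines still flatten whatever pci_user_write_config_*() returned into -EIO, although the commit message says these accessors now return a negative errno. If -EIO is kept deliberately for the syscall's existing behaviour, a one-line comment at the first of them would record that, for example `/* user space has always seen -EIO here; the accessor's errno is not propagated */`. `err` also does double duty in the write path: it holds the result that `if (err) break;` checks and then the accessor result, whereas pciconfig_read uses a separate `cfg_ret`. Both function bodies extend beyond the hunks.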
@@ -0,0 +1,41 @@ +From cb66d807de28bd4ae08f9d754817759aaf15b428 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 19:53:47 +0200 +Subject: perf intel-pt: Fix missing CYC processing in PSB + +From: Adrian Hunter + +[ Upstream commit 03fb0f859b45d1eb05c984ab4bd3bef67e45ede2 ] + +Add missing CYC packet processing when walking through PSB+. This +improves the accuracy of timestamps that follow PSB+, until the next +MTC. + +Fixes: 3d49807870f08 ("perf tools: Add new Intel PT packet definitions") +Signed-off-by: Adrian Hunter +Reviewed-by: Andi Kleen +Cc: Jiri Olsa +Link: https://lore.kernel.org/r/20210205175350.23817-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index c1944765533c8..28f9e88c65bac 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -1478,6 +1478,9 @@ static int intel_pt_walk_psbend(struct intel_pt_decoder *decoder) + break; + + case INTEL_PT_CYC: ++ intel_pt_calc_cyc_timestamp(decoder); ++ break; ++ + case INTEL_PT_VMCS: + case INTEL_PT_MNT: + case INTEL_PT_PAD: +-- +2.27.0 + diff --git a/queue-4.4/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch b/queue-4.4/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch new file mode 100644 index 00000000000..8c099632dfb --- /dev/null +++ b/queue-4.4/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch 
@@ -0,0 +1,73 @@ +From a6767892441bcc17b072440cc7cecff278450bd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Feb 2021 18:16:38 +0900 +Subject: perf test: Fix unaligned access in sample parsing test + +From: Namhyung Kim + +[ Upstream commit c5c97cadd7ed13381cb6b4bef5c841a66938d350 ] + +The ubsan reported the following error. It was because sample's raw +data missed u32 padding at the end. So it broke the alignment of the +array after it. + +The raw data contains an u32 size prefix so the data size should have +an u32 padding after 8-byte aligned data. + +27: Sample parsing :util/synthetic-events.c:1539:4: + runtime error: store to misaligned address 0x62100006b9bc for type + '__u64' (aka 'unsigned long long'), which requires 8 byte alignment +0x62100006b9bc: note: pointer points here + 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + #0 0x561532a9fc96 in perf_event__synthesize_sample util/synthetic-events.c:1539:13 + #1 0x5615327f4a4f in do_test tests/sample-parsing.c:284:8 + #2 0x5615327f3f50 in test__sample_parsing tests/sample-parsing.c:381:9 + #3 0x56153279d3a1 in run_test tests/builtin-test.c:424:9 + #4 0x56153279c836 in test_and_print tests/builtin-test.c:454:9 + #5 0x56153279b7eb in __cmd_test tests/builtin-test.c:675:4 + #6 0x56153279abf0 in cmd_test tests/builtin-test.c:821:9 + #7 0x56153264e796 in run_builtin perf.c:312:11 + #8 0x56153264cf03 in handle_internal_command perf.c:364:8 + #9 0x56153264e47d in run_argv perf.c:408:2 + #10 0x56153264c9a9 in main perf.c:538:3 + #11 0x7f137ab6fbbc in __libc_start_main (/lib64/libc.so.6+0x38bbc) + #12 0x561532596828 in _start ... 
+ +SUMMARY: UndefinedBehaviorSanitizer: misaligned-pointer-use + util/synthetic-events.c:1539:4 in + +Fixes: 045f8cd8542d ("perf tests: Add a sample parsing test") +Signed-off-by: Namhyung Kim +Acked-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: https://lore.kernel.org/r/20210214091638.519643-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/sample-parsing.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/sample-parsing.c b/tools/perf/tests/sample-parsing.c +index 30c02181e78b2..bdef02599b4e3 100644 +--- a/tools/perf/tests/sample-parsing.c ++++ b/tools/perf/tests/sample-parsing.c +@@ -167,7 +167,7 @@ static int do_test(u64 sample_type, u64 sample_regs, u64 read_format) + .data = {1, 211, 212, 213}, + }; + u64 regs[64]; +- const u64 raw_data[] = {0x123456780a0b0c0dULL, 0x1102030405060708ULL}; ++ const u32 raw_data[] = {0x12345678, 0x0a0b0c0d, 0x11020304, 0x05060708, 0 }; + const u64 data[] = {0x2211443366558877ULL, 0, 0xaabbccddeeff4321ULL}; + struct perf_sample sample = { + .ip = 101, +-- +2.27.0 + diff --git a/queue-4.4/powerpc-47x-disable-256k-page-size.patch b/queue-4.4/powerpc-47x-disable-256k-page-size.patch new file mode 100644 index 00000000000..9dcd90a0e26 --- /dev/null +++ b/queue-4.4/powerpc-47x-disable-256k-page-size.patch 
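Review bot: The trailing `0` in the new `raw_data[]` initialiser is the padding the commit message describes, but nothing at the declaration says so, and it is easy to drop in a later edit. A comment above the array would help, for example `/* 4 data words + 1 pad word: with the u32 size prefix the raw block ends 8-byte aligned */`. The rest of do_test() is outside the hunk.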
@@ -0,0 +1,41 @@ +From 78d9b1b471e479f557aa01cd63d21f450be2713e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 07:49:13 +0000 +Subject: powerpc/47x: Disable 256k page size + +From: Christophe Leroy + +[ Upstream commit 910a0cb6d259736a0c86e795d4c2f42af8d0d775 ] + +PPC47x_TLBE_SIZE isn't defined for 256k pages, leading to a build +break if 256k pages is selected. + +So change the kconfig so that 256k pages can't be selected for 47x. + +Fixes: e7f75ad01d59 ("powerpc/47x: Base ppc476 support") +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +[mpe: Expand change log to mention build break] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/2fed79b1154c872194f98bac4422c23918325e61.1611128938.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 4ece20178145d..735f99906a320 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -577,7 +577,7 @@ config PPC_64K_PAGES + + config PPC_256K_PAGES + bool "256k page size" +- depends on 44x && !STDBINUTILS ++ depends on 44x && !STDBINUTILS && !PPC_47x + help + Make the page size 256k. + +-- +2.27.0 + diff --git a/queue-4.4/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch b/queue-4.4/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch new file mode 100644 index 00000000000..3cd0b628ed7 --- /dev/null +++ b/queue-4.4/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch 
@@ -0,0 +1,65 @@ +From c055ba982bbecb8359e8c5c15e1859241546ff79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jan 2021 20:59:00 -0600 +Subject: powerpc/pseries/dlpar: handle ibm, configure-connector delay status + +From: Nathan Lynch + +[ Upstream commit 768d70e19ba525debd571b36e6d0ab19956c63d7 ] + +dlpar_configure_connector() has two problems in its handling of +ibm,configure-connector's return status: + +1. When the status is -2 (busy, call again), we call + ibm,configure-connector again immediately without checking whether + to schedule, which can result in monopolizing the CPU. +2. Extended delay status (9900..9905) goes completely unhandled, + causing the configuration to unnecessarily terminate. + +Fix both of these issues by using rtas_busy_delay(). + +Fixes: ab519a011caa ("powerpc/pseries: Kernel DLPAR Infrastructure") +Signed-off-by: Nathan Lynch +Reviewed-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210107025900.410369-1-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/dlpar.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c +index 551ba5b35df9d..91a667d8b1e90 100644 +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -131,7 +131,6 @@ void dlpar_free_cc_nodes(struct device_node *dn) + #define NEXT_PROPERTY 3 + #define PREV_PARENT 4 + #define MORE_MEMORY 5 +-#define CALL_AGAIN -2 + #define ERR_CFG_USE -9003 + + struct device_node *dlpar_configure_connector(__be32 drc_index, +@@ -173,6 +172,9 @@ struct device_node *dlpar_configure_connector(__be32 drc_index, + + spin_unlock(&rtas_data_buf_lock); + ++ if (rtas_busy_delay(rc)) ++ continue; ++ + switch (rc) { + case COMPLETE: + break; +@@ -225,9 +227,6 @@ struct device_node *dlpar_configure_connector(__be32 drc_index, + parent_path = last_dn->parent->full_name; + 
break; + +- case CALL_AGAIN: +- break; +- + case MORE_MEMORY: + case ERR_CFG_USE: + default: +-- +2.27.0 + diff --git a/queue-4.4/regulator-axp20x-fix-reference-cout-leak.patch b/queue-4.4/regulator-axp20x-fix-reference-cout-leak.patch new file mode 100644 index 00000000000..67466acee70 --- /dev/null +++ b/queue-4.4/regulator-axp20x-fix-reference-cout-leak.patch 
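Review bot: The new `if (rtas_busy_delay(rc)) continue;` retries for as long as firmware keeps reporting a busy or extended-delay status, and nothing in the hunk bounds the number of retries or the total wait. The loop header and exit condition of dlpar_configure_connector() are outside the hunk, so it cannot be seen here what `continue` re-evaluates. If an unbounded wait is accepted, a comment at the call should say so, for example `/* retried until firmware stops reporting busy; no timeout */`. The call is placed after `spin_unlock(&rtas_data_buf_lock)`, which is the right side of the lock if the helper sleeps.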
@@ -0,0 +1,52 @@ +From 013216be4adfc7cc4f1dcfa3a9d0fc4d7e3db41c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 04:33:13 -0800 +Subject: regulator: axp20x: Fix reference cout leak + +From: Pan Bian + +[ Upstream commit e78bf6be7edaacb39778f3a89416caddfc6c6d70 ] + +Decrements the reference count of device node and its child node. + +Fixes: dfe7a1b058bb ("regulator: AXP20x: Add support for regulators subsystem") +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/20210120123313.107640-1-bianpan2016@163.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/axp20x-regulator.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c +index 5cf4a97e03048..df235ac1a6b2b 100644 +--- a/drivers/regulator/axp20x-regulator.c ++++ b/drivers/regulator/axp20x-regulator.c +@@ -279,7 +279,7 @@ static int axp20x_set_dcdc_freq(struct platform_device *pdev, u32 dcdcfreq) + static int axp20x_regulator_parse_dt(struct platform_device *pdev) + { + struct device_node *np, *regulators; +- int ret; ++ int ret = 0; + u32 dcdcfreq = 0; + + np = of_node_get(pdev->dev.parent->of_node); +@@ -294,13 +294,12 @@ static int axp20x_regulator_parse_dt(struct platform_device *pdev) + ret = axp20x_set_dcdc_freq(pdev, dcdcfreq); + if (ret < 0) { + dev_err(&pdev->dev, "Error setting dcdc frequency: %d\n", ret); +- return ret; + } +- + of_node_put(regulators); + } + +- return 0; ++ of_node_put(np); ++ return ret; + } + + static int axp20x_set_dcdc_workmode(struct regulator_dev *rdev, int id, u32 workmode) +-- +2.27.0 + diff --git a/queue-4.4/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch b/queue-4.4/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch new file mode 100644 index 00000000000..c20b63459b1 --- /dev/null +++ b/queue-4.4/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch 
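Review bot: axp20x_regulator_parse_dt() now ends with `return ret;` where it used to `return 0;`, so besides the error case the caller also receives any positive value axp20x_set_dcdc_freq() might return. That helper's return convention is not visible in the hunk, so it is worth confirming it returns only 0 or a negative errno. If it can return a positive value, `return ret < 0 ? ret : 0;` would keep the old success contract. The `if (ret < 0) { ... }` block is left with a single statement and its braces, which kernel style would drop. Part of the function body between the two hunks is not shown.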
@@ -0,0 +1,57 @@ +From 22b02ff3a210ce8e8c1fbe8745cef7d191991d9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Feb 2021 11:24:28 -0800 +Subject: scsi: bnx2fc: Fix Kconfig warning & CNIC build errors + +From: Randy Dunlap + +[ Upstream commit eefb816acb0162e94a85a857f3a55148f671d5a5 ] + +CNIC depends on MMU, but since 'select' does not follow any dependency +chains, SCSI_BNX2X_FCOE also needs to depend on MMU, so that erroneous +configs are not generated, which cause build errors in cnic. + +WARNING: unmet direct dependencies detected for CNIC + Depends on [n]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && MMU [=n] + Selected by [y]: + - SCSI_BNX2X_FCOE [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && LIBFC [=y] && LIBFCOE [=y] + +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L154': +cnic.c:(.text+0x1094): undefined reference to `uio_event_notify' +riscv64-linux-ld: cnic.c:(.text+0x10bc): undefined reference to `uio_event_notify' +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L1442': +cnic.c:(.text+0x96a8): undefined reference to `__uio_register_device' +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L0 ': +cnic.c:(.text.unlikely+0x68): undefined reference to `uio_unregister_device' + +Link: https://lore.kernel.org/r/20210213192428.22537-1-rdunlap@infradead.org +Fixes: 853e2bd2103a ("[SCSI] bnx2fc: Broadcom FCoE offload driver") +Cc: Saurav Kashyap +Cc: Javed Hasan +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: linux-scsi@vger.kernel.org +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/bnx2fc/Kconfig b/drivers/scsi/bnx2fc/Kconfig +index d401a096dfc7e..2eb2476852b11 100644 +--- a/drivers/scsi/bnx2fc/Kconfig ++++ b/drivers/scsi/bnx2fc/Kconfig +@@ -4,6 +4,7 @@ config SCSI_BNX2X_FCOE + depends on (IPV6 || IPV6=n) + depends on LIBFC + depends on LIBFCOE ++ depends on MMU + select NETDEVICES + select ETHERNET + select NET_VENDOR_BROADCOM +-- +2.27.0 + diff --git a/queue-4.4/series b/queue-4.4/series index e9fb6217e4c..e77aab03d7f 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -6,3 +6,56 @@ igb-remove-incorrect-unexpected-sys-wrap-log-message.patch scripts-recordmcount.pl-support-big-endian-for-arch-.patch kdb-make-memory-allocations-more-robust.patch mips-vmlinux.lds.s-add-missing-page_aligned_data-section.patch +bluetooth-fix-initializing-response-id-after-clearin.patch +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-26341 +bluetooth-drop-hci-device-reference-before-return.patch +bluetooth-put-hci-device-if-inquiry-procedure-interr.patch +usb-dwc2-abort-transaction-after-errors-with-unknown.patch +usb-dwc2-make-trimming-xfer-length-a-debug-message.patch +arm-s3c-fix-fiq-for-clang-ias.patch +bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch +xen-netback-fix-spurious-event-detection-for-common-.patch +b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch +fbdev-aty-sparc64-requires-fb_aty_ct.patch +drm-gma500-fix-error-return-code-in-psb_driver_load.patch +gma500-clean-up-error-handling-in-init.patch +mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch +mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch +media-media-pci-fix-memleak-in-empress_init.patch +media-tm6000-fix-memleak-in-tm6000_start_stream.patch +asoc-cs42l56-fix-up-error-handling-in-probe.patch +media-lmedm04-fix-misuse-of-comma.patch +media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch +media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch +btrfs-clarify-error-returns-values-in-__load_free_sp.patch +fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch +jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch +clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch +hid-core-detect-and-skip-invalid-inputs-to-snto32.patch +dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch +dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch +clocksource-drivers-mxs_timer-add-missing-semicolon-.patch +regulator-axp20x-fix-reference-cout-leak.patch 
+isofs-release-buffer-head-before-return.patch +ib-umad-return-eio-in-case-of-when-device-disassocia.patch +powerpc-47x-disable-256k-page-size.patch +mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch +arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch +amba-fix-resource-leak-for-drivers-without-.remove.patch +tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch +mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch +powerpc-pseries-dlpar-handle-ibm-configure-connector.patch +perf-intel-pt-fix-missing-cyc-processing-in-psb.patch +perf-test-fix-unaligned-access-in-sample-parsing-tes.patch +input-elo-fix-an-error-code-in-elo_connect.patch +sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch +misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch +misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch +vmci-use-set_page_dirty_lock-when-unregistering-gues.patch +pci-align-checking-of-syscall-user-config-accessors.patch +take-mmap-lock-in-cacheflush-syscall.patch +mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch +mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch +i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch +scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch diff --git a/queue-4.4/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch b/queue-4.4/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch new file mode 100644 index 00000000000..e0d74bfae1a --- /dev/null +++ b/queue-4.4/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch 
@@ -0,0 +1,47 @@ +From 683c6f6c04b0d3da121ffa859e99519860651c6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Nov 2020 16:40:11 -0800 +Subject: sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set + +From: Randy Dunlap + +[ Upstream commit 80bddf5c93a99e11fc9faf7e4b575d01cecd45d3 ] + +Currently COMPAT on SPARC64 selects COMPAT_BINFMT_ELF unconditionally, +even when BINFMT_ELF is not enabled. This causes a kconfig warning. + +Instead, just select COMPAT_BINFMT_ELF if BINFMT_ELF is enabled. +This builds cleanly with no kconfig warnings. + +WARNING: unmet direct dependencies detected for COMPAT_BINFMT_ELF + Depends on [n]: COMPAT [=y] && BINFMT_ELF [=n] + Selected by [y]: + - COMPAT [=y] && SPARC64 [=y] + +Fixes: 26b4c912185a ("sparc,sparc64: unify Kconfig files") +Signed-off-by: Randy Dunlap +Cc: "David S. Miller" +Cc: sparclinux@vger.kernel.org +Cc: Sam Ravnborg +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig +index 94f4ac21761bf..f42973685fd2c 100644 +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -539,7 +539,7 @@ config COMPAT + bool + depends on SPARC64 + default y +- select COMPAT_BINFMT_ELF ++ select COMPAT_BINFMT_ELF if BINFMT_ELF + select HAVE_UID16 + select ARCH_WANT_OLD_COMPAT_IPC + select COMPAT_OLD_SIGACTION +-- +2.27.0 + diff --git a/queue-4.4/take-mmap-lock-in-cacheflush-syscall.patch b/queue-4.4/take-mmap-lock-in-cacheflush-syscall.patch new file mode 100644 index 00000000000..df7149b6d93 --- /dev/null +++ b/queue-4.4/take-mmap-lock-in-cacheflush-syscall.patch 
@@ -0,0 +1,61 @@ +From 244758ba62fba26291ab05f76a696c10e5093eec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Feb 2021 14:59:35 +0800 +Subject: Take mmap lock in cacheflush syscall + +From: Jann Horn + +[ Upstream commit c26958cb5a0d9053d1358258827638773f3d36ed ] + +We need to take the mmap lock around find_vma() and subsequent use of the +VMA. Otherwise, we can race with concurrent operations like munmap(), which +can lead to use-after-free accesses to freed VMAs. + +Fixes: 1000197d8013 ("nios2: System calls handling") +Signed-off-by: Jann Horn +Signed-off-by: Ley Foon Tan +Signed-off-by: Sasha Levin +--- + arch/nios2/kernel/sys_nios2.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/nios2/kernel/sys_nios2.c b/arch/nios2/kernel/sys_nios2.c +index cd390ec4f88bf..b1ca856999521 100644 +--- a/arch/nios2/kernel/sys_nios2.c ++++ b/arch/nios2/kernel/sys_nios2.c +@@ -22,6 +22,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, + unsigned int op) + { + struct vm_area_struct *vma; ++ struct mm_struct *mm = current->mm; + + if (len == 0) + return 0; +@@ -34,16 +35,22 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, + if (addr + len < addr) + return -EFAULT; + ++ if (mmap_read_lock_killable(mm)) ++ return -EINTR; ++ + /* + * Verify that the specified address region actually belongs + * to this process. + */ +- vma = find_vma(current->mm, addr); +- if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) ++ vma = find_vma(mm, addr); ++ if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) { ++ mmap_read_unlock(mm); + return -EFAULT; ++ } + + flush_cache_range(vma, addr, addr + len); + ++ mmap_read_unlock(mm); + return 0; + } + +-- +2.27.0 + diff --git a/queue-4.4/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch b/queue-4.4/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch new file mode 100644 index 00000000000..757e0d788aa 
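Review bot: The added `mmap_read_lock_killable(mm)` and `mmap_read_unlock(mm)` calls in sys_cacheflush() look unlikely to build on a 4.4 tree. As far as I know these wrappers were introduced in much later kernels, and in 4.4 the lock is the `mmap_sem` rw-semaphore, so this should be confirmed with a nios2 build. If they are missing, the backport should take the semaphore directly with `down_read(&mm->mmap_sem);` before find_vma() and `up_read(&mm->mmap_sem);` on both exit paths. The `-EINTR` return would then go away unless this tree has a killable read-lock variant. The lock must still cover both the find_vma() lookup and flush_cache_range(), as the patch intends, because the use-after-free window is the whole span in which `vma` is dereferenced. Only part of sys_cacheflush() is visible in the hunk.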
--- /dev/null +++ b/queue-4.4/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch 
@@ -0,0 +1,205 @@ +From 105d9713ef60729bdf366e1c62133eaf1fbba3e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Nov 2020 09:34:05 -0500 +Subject: tracepoint: Do not fail unregistering a probe due to memory failure + +From: Steven Rostedt (VMware) + +[ Upstream commit befe6d946551d65cddbd32b9cb0170b0249fd5ed ] + +The list of tracepoint callbacks is managed by an array that is protected +by RCU. To update this array, a new array is allocated, the updates are +copied over to the new array, and then the list of functions for the +tracepoint is switched over to the new array. After a completion of an RCU +grace period, the old array is freed. + +This process happens for both adding a callback as well as removing one. +But on removing a callback, if the new array fails to be allocated, the +callback is not removed, and may be used after it is freed by the clients +of the tracepoint. + +There's really no reason to fail if the allocation for a new array fails +when removing a function. Instead, the function can simply be replaced by a +stub function that could be cleaned up on the next modification of the +array. That is, instead of calling the function registered to the +tracepoint, it would call a stub function in its place. + +Link: https://lore.kernel.org/r/20201115055256.65625-1-mmullins@mmlx.us +Link: https://lore.kernel.org/r/20201116175107.02db396d@gandalf.local.home +Link: https://lore.kernel.org/r/20201117211836.54acaef2@oasis.local.home +Link: https://lkml.kernel.org/r/20201118093405.7a6d2290@gandalf.local.home + +[ Note, this version does use undefined compiler behavior (assuming that + a stub function with no parameters or return, can be called by a location + that thinks it has parameters but still no return value. Static calls + do the same thing, so this trick is not without precedent. + + There's another solution that uses RCU tricks and is more complex, but + can be an alternative if this solution becomes an issue. 
+ + Link: https://lore.kernel.org/lkml/20210127170721.58bce7cc@gandalf.local.home/ +] + +Cc: Peter Zijlstra +Cc: Josh Poimboeuf +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Dmitry Vyukov +Cc: Martin KaFai Lau +Cc: Song Liu +Cc: Yonghong Song +Cc: Andrii Nakryiko +Cc: John Fastabend +Cc: KP Singh +Cc: netdev +Cc: bpf +Cc: Kees Cook +Cc: Florian Weimer +Fixes: 97e1c18e8d17b ("tracing: Kernel Tracepoints") +Reported-by: syzbot+83aa762ef23b6f0d1991@syzkaller.appspotmail.com +Reported-by: syzbot+d29e58bb557324e55e5e@syzkaller.appspotmail.com +Reported-by: Matt Mullins +Signed-off-by: Steven Rostedt (VMware) +Tested-by: Matt Mullins +Signed-off-by: Sasha Levin +--- + kernel/tracepoint.c | 80 ++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 64 insertions(+), 16 deletions(-) + +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c +index eda85bbf1c2e4..a1f9be7030021 100644 +--- a/kernel/tracepoint.c ++++ b/kernel/tracepoint.c +@@ -59,6 +59,12 @@ struct tp_probes { + struct tracepoint_func probes[0]; + }; + ++/* Called in removal of a func but failed to allocate a new tp_funcs */ ++static void tp_stub_func(void) ++{ ++ return; ++} ++ + static inline void *allocate_probes(int count) + { + struct tp_probes *p = kmalloc(count * sizeof(struct tracepoint_func) +@@ -97,6 +103,7 @@ func_add(struct tracepoint_func **funcs, struct tracepoint_func *tp_func, + { + struct tracepoint_func *old, *new; + int nr_probes = 0; ++ int stub_funcs = 0; + int pos = -1; + + if (WARN_ON(!tp_func->func)) +@@ -113,14 +120,34 @@ func_add(struct tracepoint_func **funcs, struct tracepoint_func *tp_func, + if (old[nr_probes].func == tp_func->func && + old[nr_probes].data == tp_func->data) + return ERR_PTR(-EEXIST); ++ if (old[nr_probes].func == tp_stub_func) ++ stub_funcs++; + } + } +- /* + 2 : one for new probe, one for NULL func */ +- new = allocate_probes(nr_probes + 2); ++ /* + 2 : one for new probe, one for NULL func - stub functions */ ++ 
new = allocate_probes(nr_probes + 2 - stub_funcs); + if (new == NULL) + return ERR_PTR(-ENOMEM); + if (old) { +- if (pos < 0) { ++ if (stub_funcs) { ++ /* Need to copy one at a time to remove stubs */ ++ int probes = 0; ++ ++ pos = -1; ++ for (nr_probes = 0; old[nr_probes].func; nr_probes++) { ++ if (old[nr_probes].func == tp_stub_func) ++ continue; ++ if (pos < 0 && old[nr_probes].prio < prio) ++ pos = probes++; ++ new[probes++] = old[nr_probes]; ++ } ++ nr_probes = probes; ++ if (pos < 0) ++ pos = probes; ++ else ++ nr_probes--; /* Account for insertion */ ++ ++ } else if (pos < 0) { + pos = nr_probes; + memcpy(new, old, nr_probes * sizeof(struct tracepoint_func)); + } else { +@@ -154,8 +181,9 @@ static void *func_remove(struct tracepoint_func **funcs, + /* (N -> M), (N > 1, M >= 0) probes */ + if (tp_func->func) { + for (nr_probes = 0; old[nr_probes].func; nr_probes++) { +- if (old[nr_probes].func == tp_func->func && +- old[nr_probes].data == tp_func->data) ++ if ((old[nr_probes].func == tp_func->func && ++ old[nr_probes].data == tp_func->data) || ++ old[nr_probes].func == tp_stub_func) + nr_del++; + } + } +@@ -174,14 +202,32 @@ static void *func_remove(struct tracepoint_func **funcs, + /* N -> M, (N > 1, M > 0) */ + /* + 1 for NULL */ + new = allocate_probes(nr_probes - nr_del + 1); +- if (new == NULL) +- return ERR_PTR(-ENOMEM); +- for (i = 0; old[i].func; i++) +- if (old[i].func != tp_func->func +- || old[i].data != tp_func->data) +- new[j++] = old[i]; +- new[nr_probes - nr_del].func = NULL; +- *funcs = new; ++ if (new) { ++ for (i = 0; old[i].func; i++) ++ if ((old[i].func != tp_func->func ++ || old[i].data != tp_func->data) ++ && old[i].func != tp_stub_func) ++ new[j++] = old[i]; ++ new[nr_probes - nr_del].func = NULL; ++ *funcs = new; ++ } else { ++ /* ++ * Failed to allocate, replace the old function ++ * with calls to tp_stub_func. 
++ */ ++ for (i = 0; old[i].func; i++) ++ if (old[i].func == tp_func->func && ++ old[i].data == tp_func->data) { ++ old[i].func = tp_stub_func; ++ /* Set the prio to the next event. */ ++ if (old[i + 1].func) ++ old[i].prio = ++ old[i + 1].prio; ++ else ++ old[i].prio = -1; ++ } ++ *funcs = old; ++ } + } + debug_print_probes(*funcs); + return old; +@@ -234,10 +280,12 @@ static int tracepoint_remove_func(struct tracepoint *tp, + tp_funcs = rcu_dereference_protected(tp->funcs, + lockdep_is_held(&tracepoints_mutex)); + old = func_remove(&tp_funcs, func); +- if (IS_ERR(old)) { +- WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); ++ if (WARN_ON_ONCE(IS_ERR(old))) + return PTR_ERR(old); +- } ++ ++ if (tp_funcs == old) ++ /* Failed allocating new tp_funcs, replaced func with stub */ ++ return 0; + + if (!tp_funcs) { + /* Removed last function */ +-- +2.27.0 + diff --git a/queue-4.4/usb-dwc2-abort-transaction-after-errors-with-unknown.patch b/queue-4.4/usb-dwc2-abort-transaction-after-errors-with-unknown.patch new file mode 100644 index 00000000000..f60251d3925 --- /dev/null +++ b/queue-4.4/usb-dwc2-abort-transaction-after-errors-with-unknown.patch 
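Review bot: In the allocation-failure branch of func_remove(), `old[i].func = tp_stub_func;` is a plain store into the array that stays published to RCU readers (`*funcs = old`). A probe iterator may therefore load that pointer concurrently with the update. Marking the store as `WRITE_ONCE(old[i].func, tp_stub_func);`, with a matching `READ_ONCE()` where the probe pointer is fetched, would rule out torn or refetched loads; the reader side is outside this hunk, so that half needs checking in the tracepoint header. The same branch also rewrites `old[i].prio` in place, which is presumably only read under tracepoints_mutex, and a one-line comment saying so would help.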
@@ -0,0 +1,84 @@ +From 1fcc073363f1d98b127a9e2b6c45ed1efe2b8f98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 12:20:50 +0100 +Subject: usb: dwc2: Abort transaction after errors with unknown reason + +From: Guenter Roeck + +[ Upstream commit f74b68c61cbc4b2245022fcce038509333d63f6f ] + +In some situations, the following error messages are reported. + +dwc2 ff540000.usb: dwc2_hc_chhltd_intr_dma: Channel 1 - ChHltd set, but reason is unknown +dwc2 ff540000.usb: hcint 0x00000002, intsts 0x04000021 + +This is sometimes followed by: + +dwc2 ff540000.usb: dwc2_update_urb_state_abn(): trimming xfer length + +and then: + +WARNING: CPU: 0 PID: 0 at kernel/v4.19/drivers/usb/dwc2/hcd.c:2913 + dwc2_assign_and_init_hc+0x98c/0x990 + +The warning suggests that an odd buffer address is to be used for DMA. + +After an error is observed, the receive buffer may be full +(urb->actual_length >= urb->length). However, the urb is still left in +the queue unless three errors were observed in a row. When it is queued +again, the dwc2 hcd code translates this into a 1-block transfer. +If urb->actual_length (ie the total expected receive length) is not +DMA-aligned, the buffer pointer programmed into the chip will be +unaligned. This results in the observed warning. + +To solve the problem, abort input transactions after an error with +unknown cause if the entire packet was already received. This may be +a bit drastic, but we don't really know why the transfer was aborted +even though the entire packet was received. Aborting the transfer in +this situation is less risky than accepting a potentially corrupted +packet. + +With this patch in place, the 'ChHltd set' and 'trimming xfer length' +messages are still observed, but there are no more transfer attempts +with odd buffer addresses. 
+ +Fixes: 151d0cbdbe860 ("usb: dwc2: make the scheduler handle excessive NAKs better") +Cc: Boris ARZUR +Cc: Douglas Anderson +Tested-by: Nicolas Saenz Julienne +Reviewed-by: Douglas Anderson +Signed-off-by: Guenter Roeck +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20210113112052.17063-3-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd_intr.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c +index 51866f3f20522..84487548918f9 100644 +--- a/drivers/usb/dwc2/hcd_intr.c ++++ b/drivers/usb/dwc2/hcd_intr.c +@@ -1915,6 +1915,18 @@ error: + qtd->error_count++; + dwc2_update_urb_state_abn(hsotg, chan, chnum, qtd->urb, + qtd, DWC2_HC_XFER_XACT_ERR); ++ /* ++ * We can get here after a completed transaction ++ * (urb->actual_length >= urb->length) which was not reported ++ * as completed. If that is the case, and we do not abort ++ * the transfer, a transfer of size 0 will be enqueued ++ * subsequently. If urb->actual_length is not DMA-aligned, ++ * the buffer will then point to an unaligned address, and ++ * the resulting behavior is undefined. Bail out in that ++ * situation. ++ */ ++ if (qtd->urb->actual_length >= qtd->urb->length) ++ qtd->error_count = 3; + dwc2_hcd_save_data_toggle(hsotg, chan, chnum, qtd); + dwc2_halt_channel(hsotg, chan, qtd, DWC2_HC_XFER_XACT_ERR); + } +-- +2.27.0 + diff --git a/queue-4.4/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch b/queue-4.4/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch new file mode 100644 index 00000000000..bfa5ecdfba2 --- /dev/null +++ b/queue-4.4/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch 
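Review bot: `qtd->error_count = 3;` hard-codes the retry limit that forces the transfer to be aborted, but the check that consumes error_count is outside this hunk. If that limit is ever changed, this assignment silently stops aborting and the unaligned-DMA path described in the comment becomes reachable again. The patch description says the URB is dropped after three errors in a row, so the literal should be tied to that check through a shared named constant. At minimum, say so on the line itself, e.g. `qtd->error_count = 3; /* reach the abort threshold used when halting the channel */`. The enclosing handler starts and ends outside the hunk.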
@@ -0,0 +1,48 @@ +From a1c56dae76baf6e396c64bbfdb013ee434ed5822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 12:20:51 +0100 +Subject: usb: dwc2: Make "trimming xfer length" a debug message + +From: Guenter Roeck + +[ Upstream commit 1a9e38cabd80356ffb98c2c88fec528ea9644fd5 ] + +With some USB network adapters, such as DM96xx, the following message +is seen for each maximum size receive packet. + +dwc2 ff540000.usb: dwc2_update_urb_state(): trimming xfer length + +This happens because the packet size requested by the driver is 1522 +bytes, wMaxPacketSize is 64, the dwc2 driver configures the chip to +receive 24*64 = 1536 bytes, and the chip does indeed send more than +1522 bytes of data. Since the event does not indicate an error condition, +the message is just noise. Demote it to debug level. + +Fixes: 7359d482eb4d3 ("staging: HCD files for the DWC2 driver") +Tested-by: Nicolas Saenz Julienne +Reviewed-by: Douglas Anderson +Signed-off-by: Guenter Roeck +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20210113112052.17063-4-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd_intr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c +index 84487548918f9..9c030e0033fe9 100644 +--- a/drivers/usb/dwc2/hcd_intr.c ++++ b/drivers/usb/dwc2/hcd_intr.c +@@ -461,7 +461,7 @@ static int dwc2_update_urb_state(struct dwc2_hsotg *hsotg, + &short_read); + + if (urb->actual_length + xfer_length > urb->length) { +- dev_warn(hsotg->dev, "%s(): trimming xfer length\n", __func__); ++ dev_dbg(hsotg->dev, "%s(): trimming xfer length\n", __func__); + xfer_length = urb->length - urb->actual_length; + } + +-- +2.27.0 + 
diff --git a/queue-4.4/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch b/queue-4.4/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch new file mode 100644 index 00000000000..1ec2f1f0a5a --- /dev/null +++ b/queue-4.4/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch @@ -0,0 +1,43 @@ +From 7aa05a3e8248725ef1ffffedf09c45b05f3871aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 08:32:40 -0800 +Subject: VMCI: Use set_page_dirty_lock() when unregistering guest memory + +From: Jorgen Hansen + +[ Upstream commit 5a16c535409f8dcb7568e20737309e3027ae3e49 ] + +When the VMCI host support releases guest memory in the case where +the VM was killed, the pinned guest pages aren't locked. Use +set_page_dirty_lock() instead of set_page_dirty(). + +Testing done: Killed VM while having an active VMCI based vSocket +connection and observed warning from ext4. With this fix, no +warning was observed. Ran various vSocket tests without issues. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Reviewed-by: Vishnu Dasa +Signed-off-by: Jorgen Hansen +Link: https://lore.kernel.org/r/1611160360-30299-1-git-send-email-jhansen@vmware.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c +index e57340e980c4b..44e29d835e246 100644 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -732,7 +732,7 @@ static void qp_release_pages(struct page **pages, + + for (i = 0; i < num_pages; i++) { + if (dirty) +- set_page_dirty(pages[i]); ++ set_page_dirty_lock(pages[i]); + + page_cache_release(pages[i]); + pages[i] = NULL; +-- +2.27.0 + 
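Review bot: Switching to `set_page_dirty_lock(pages[i])` gives qp_release_pages() a new requirement that the hunk does not document: set_page_dirty_lock() takes the page lock and may sleep, which set_page_dirty() did not. The callers are not visible here, so it is worth confirming that none of them reaches this loop with a spinlock held or from atomic context. A comment above the loop such as `/* set_page_dirty_lock() may sleep; callers must be in process context */`, or a `might_sleep();` at the top of the function, would make the constraint explicit.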
diff --git a/queue-4.4/xen-netback-fix-spurious-event-detection-for-common-.patch b/queue-4.4/xen-netback-fix-spurious-event-detection-for-common-.patch new file mode 100644 index 00000000000..f2f00f76ba0 --- /dev/null +++ b/queue-4.4/xen-netback-fix-spurious-event-detection-for-common-.patch 
@@ -0,0 +1,56 @@ +From 7ed826ef9a9b363a1acb1d138d7dbf30a4dddf64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 11:16:12 +0100 +Subject: xen/netback: fix spurious event detection for common event case + +From: Juergen Gross + +[ Upstream commit a3daf3d39132b405781be8d9ede0c449b244b64e ] + +In case of a common event for rx and tx queue the event should be +regarded to be spurious if no rx and no tx requests are pending. + +Unfortunately the condition for testing that is wrong causing to +decide a event being spurious if no rx OR no tx requests are +pending. + +Fix that plus using local variables for rx/tx pending indicators in +order to split function calls and if condition. + +Fixes: 23025393dbeb3b ("xen/netback: use lateeoi irq binding") +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Reviewed-by: Paul Durrant +Reviewed-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/interface.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index f9f4391ecee37..93f7659e75954 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -161,13 +161,15 @@ irqreturn_t xenvif_interrupt(int irq, void *dev_id) + { + struct xenvif_queue *queue = dev_id; + int old; ++ bool has_rx, has_tx; + + old = xenvif_atomic_fetch_or(NETBK_COMMON_EOI, &queue->eoi_pending); + WARN(old, "Interrupt while EOI pending\n"); + +- /* Use bitwise or as we need to call both functions. */ +- if ((!xenvif_handle_tx_interrupt(queue) | +- !xenvif_handle_rx_interrupt(queue))) { ++ has_tx = xenvif_handle_tx_interrupt(queue); ++ has_rx = xenvif_handle_rx_interrupt(queue); ++ ++ if (!has_rx && !has_tx) { + atomic_andnot(NETBK_COMMON_EOI, &queue->eoi_pending); + xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS); + } +-- +2.27.0 + -- 2.47.3
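Review bot: The rewrite in xenvif_interrupt() drops the old comment explaining that both handlers must always be called, yet the new code still depends on it. `has_tx` and `has_rx` are assigned unconditionally so that each queue is processed even when the other has work. Without a comment, a later cleanup could fold the two calls into `if (!xenvif_handle_rx_interrupt(queue) && !xenvif_handle_tx_interrupt(queue))`, which would skip the tx handler whenever rx has pending requests. I would keep a comment above the two assignments, e.g. `/* Both handlers must run; do not merge into a short-circuit condition. */`.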