From 798f7de2797554aae268074dd73b8514102bf7fd Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 28 Feb 2021 22:19:09 -0500 Subject: [PATCH] Fixes for 4.14 Signed-off-by: Sasha Levin --- ...rce-leak-for-drivers-without-.remove.patch | 83 ++++++ ...pressor-do-not-clear-sctlr.ntlsmd-fo.patch | 75 ++++++ ...e-missing-thermal-interrupt-for-4430.patch | 52 ++++ ...orrect-pmic-interrupt-trigger-level-.patch | 38 +++ ...-pmic-interrupt-trigger-level-.patch-17744 | 39 +++ ...-pmic-interrupt-trigger-level-.patch-24752 | 38 +++ ...-pmic-interrupt-trigger-level-.patch-24955 | 39 +++ .../arm-s3c-fix-fiq-for-clang-ias.patch | 93 +++++++ ...g-isb-after-invalidating-tlb-in-__pr.patch | 49 ++++ ...-correct-pmic-interrupt-trigger-leve.patch | 39 +++ ...ect-pmic-interrupt-trigger-leve.patch-6950 | 38 +++ ...6-fix-reserved-and-rfsa-nodes-unit-a.patch | 46 ++++ ...42l56-fix-up-error-handling-in-probe.patch | 46 ++++ ..._brcm-add-back-regulators-management.patch | 79 ++++++ ...us-crash-when-setting-nf_override-vi.patch | 96 +++++++ ...ay-ht16k33-fix-refresh-rate-handling.patch | 37 +++ ...e-update-of-coef-for-the-phy-revisio.patch | 50 ++++ ...smd-fix-a-resource-leak-in-error-han.patch | 78 ++++++ ...p-hci-device-reference-before-return.patch | 35 +++ ...itializing-response-id-after-clearin.patch | 39 +++ ...i-device-if-inquiry-procedure-interr.patch | 40 +++ ...-order-of-tx-disable-and-carrier-off.patch | 42 +++ ...d-double-checked-variable-once-witho.patch | 65 +++++ ...ror-returns-values-in-__load_free_sp.patch | 60 +++++ ...-t-allow-writing-ambiguous-v3-file-c.patch | 62 +++++ ...ts-fix-blacklist-flag-type-confusion.patch | 107 ++++++++ ...l-fix-initializing-the-old-rate-fall.patch | 39 +++ ...ers-mxs_timer-add-missing-semicolon-.patch | 49 ++++ ...avs-cpufreq-fix-resource-leaks-in-re.patch | 38 +++ ...e-struct-device_private-to-bcm_devic.patch | 83 ++++++ ...er-ensure-len-secret.len-in-decode_k.patch | 41 +++ .../crypto-sun4i-ss-fix-kmap-usage.patch | 254 ++++++++++++++++++ ...-fix-a-resource-leak-in-an-error-han.patch | 51 ++++ ...-fix-a-resource-leak-in-the-remove-f.patch | 42 +++ ...ngine-hsu-disable-spurious-interrupt.patch | 76 ++++++ ...-avoid-use-after-free-in-vmbus_onoff.patch | 45 ++++ ...error-return-code-in-psb_driver_load.patch | 38 +++ ...orrect-io_start-for-msm8994-20nm-phy.patch | 37 +++ ...tial-htree-index-checksum-corruption.patch | 55 ++++ ...fbdev-aty-sparc64-requires-fb_aty_ct.patch | 62 +++++ ...dle-no-map-field-in-the-memory-regio.patch | 42 +++ ...tial-integer-overflow-on-shift-of-a-.patch | 39 +++ ...a500-clean-up-error-handling-in-init.patch | 73 +++++ ...ct-and-skip-invalid-inputs-to-snto32.patch | 51 ++++ ...omem-fix-cooldown-period-calculation.patch | 35 +++ ...b-fix-brcmstd_send_i2c_cmd-condition.patch | 40 +++ ...or-ipv6-next-header-extension-header.patch | 63 +++++ ...ting-flow-control-settings-during-dr.patch | 87 ++++++ ...io-in-case-of-when-device-disassocia.patch | 54 ++++ ...send_request_unmap-for-timeout-reset.patch | 45 ++++ ...asurement-buffer-after-kexec-syscall.patch | 80 ++++++ ...free-ima-measurement-buffer-on-error.patch | 41 +++ ...elo-fix-an-error-code-in-elo_connect.patch | 40 +++ ...fs-release-buffer-head-before-return.patch | 49 ++++ ...e-after-free-in-jffs2_sum_write_data.patch | 58 ++++ ...ential-overflow-when-multiplying-to-.patch | 40 +++ ...x-a-bug-when-reallocating-some-dma-m.patch | 46 ++++ ...-ov5670-fix-pixel_rate-minimum-value.patch | 43 +++ .../media-lmedm04-fix-misuse-of-comma.patch | 40 +++ ...edia-pci-fix-memleak-in-empress_init.patch | 42 +++ ...-declare-variable-when-debug-is-defi.patch | 46 ++++ ...-fix-error-return-code-in-qm1d1c0042.patch | 43 +++ ...0-fix-memleak-in-tm6000_start_stream.patch | 40 +++ ...ccept-invalid-bformatindex-and-bfram.patch | 82 ++++++ ...n-error-handling-path-in-the-probe-f.patch | 43 +++ ...d-bd9571mwv-use-devm_mfd_add_devices.patch | 43 +++ ...c-prevent-use-after-free-in-wm831x_a.patch | 44 +++ ...ection-mismatch-for-loongson2_sc_ini.patch | 45 ++++ ...icitly-compare-ltq_ebu_pcc_istat-aga.patch | 55 ++++ ...46-add-module-alias-to-avoid-breakin.patch | 38 +++ ...46-fix-module-alias-to-enable-module.patch | 34 +++ ...otential-double-free-in-hugetlb_regi.patch | 46 ++++ ...potential-pte_unmap_unlock-pte-error.patch | 66 +++++ ...ntial-pte_unmap-on-an-not-mapped-pte.patch | 56 ++++ ...ix-a-resource-leak-in-the-error-hand.patch | 46 ++++ ...et-link-when-the-link-never-comes-ba.patch | 66 +++++ ...et-the-phy-rx-data-path-when-mailbox.patch | 128 +++++++++ ...ore-add-missed-mlx4_free_cmd_mailbox.patch | 39 +++ ...e-per-cpu-queue-mapping-for-armada-3.patch | 55 ++++ .../ocfs2-fix-a-use-after-free-on-error.patch | 60 +++++ ...-no-map-does-not-remove-already-rese.patch | 80 ++++++ ...ing-of-syscall-user-config-accessors.patch | 80 ++++++ ...pt-fix-missing-cyc-processing-in-psb.patch | 41 +++ ...aligned-access-in-sample-parsing-tes.patch | 73 +++++ ...so-filtering-when-not-finding-a-map-.patch | 101 +++++++ ...-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch | 36 +++ .../powerpc-47x-disable-256k-page-size.patch | 41 +++ ...8xx-fix-software-emulation-interrupt.patch | 40 +++ ...dlpar-handle-ibm-configure-connector.patch | 65 +++++ ...kchip_pwm_probe-remove-superfluous-c.patch | 43 +++ ...-leak-when-handling-corrupted-quota-.patch | 55 ++++ ...a-rxe-fix-coding-error-in-rxe_recv.c.patch | 67 +++++ ...lator-axp20x-fix-reference-cout-leak.patch | 52 ++++ queue-4.14/rtc-s5m-select-regmap_i2c.patch | 37 +++ ...ix-kconfig-warning-cnic-build-errors.patch | 57 ++++ queue-4.14/series | 109 ++++++++ ...ect-compat_binfmt_elf-if-binfmt_elf-.patch | 47 ++++ ...l-put-allocated-master-before-return.patch | 39 +++ ...spi-abort-read-if-dummy-cycles-requi.patch | 41 +++ ...he-controller-numbering-for-wildcat-.patch | 87 ++++++ ...tm32-properly-handle-0-byte-transfer.patch | 39 +++ ...s-wifi_regd.c-fix-incorrect-number-o.patch | 93 +++++++ ...take-mmap-lock-in-cacheflush-syscall.patch | 61 +++++ ...t-fail-unregistering-a-probe-due-to-.patch | 205 ++++++++++++++ ...ransaction-after-errors-with-unknown.patch | 84 ++++++ ...update-data-length-if-it-is-0-on-inb.patch | 63 +++++ ...trimming-xfer-length-a-debug-message.patch | 48 ++++ ...io-free-requests-only-after-callback.patch | 72 +++++ ...e_dirty_lock-when-unregistering-gues.patch | 43 +++ ...spurious-event-detection-for-common-.patch | 56 ++++ 110 files changed, 6413 insertions(+) create mode 100644 queue-4.14/amba-fix-resource-leak-for-drivers-without-.remove.patch create mode 100644 queue-4.14/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch create mode 100644 queue-4.14/arm-dts-configure-missing-thermal-interrupt-for-4430.patch create mode 100644 queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch create mode 100644 queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-17744 create mode 100644 queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24752 create mode 100644 queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24955 create mode 100644 queue-4.14/arm-s3c-fix-fiq-for-clang-ias.patch create mode 100644 queue-4.14/arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch create mode 100644 queue-4.14/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch create mode 100644 queue-4.14/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch-6950 create mode 100644 queue-4.14/arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch create mode 100644 queue-4.14/asoc-cs42l56-fix-up-error-handling-in-probe.patch create mode 100644 queue-4.14/ata-ahci_brcm-add-back-regulators-management.patch create mode 100644 queue-4.14/ath9k-fix-data-bus-crash-when-setting-nf_override-vi.patch create mode 100644 queue-4.14/auxdisplay-ht16k33-fix-refresh-rate-handling.patch create mode 100644 queue-4.14/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch create mode 100644 queue-4.14/bluetooth-btqcomsmd-fix-a-resource-leak-in-error-han.patch create mode 100644 queue-4.14/bluetooth-drop-hci-device-reference-before-return.patch create mode 100644 queue-4.14/bluetooth-fix-initializing-response-id-after-clearin.patch create mode 100644 queue-4.14/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch create mode 100644 queue-4.14/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch create mode 100644 queue-4.14/bpf_lru_list-read-double-checked-variable-once-witho.patch create mode 100644 queue-4.14/btrfs-clarify-error-returns-values-in-__load_free_sp.patch create mode 100644 queue-4.14/capabilities-don-t-allow-writing-ambiguous-v3-file-c.patch create mode 100644 queue-4.14/certs-fix-blacklist-flag-type-confusion.patch create mode 100644 queue-4.14/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch create mode 100644 queue-4.14/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch create mode 100644 queue-4.14/cpufreq-brcmstb-avs-cpufreq-fix-resource-leaks-in-re.patch create mode 100644 queue-4.14/crypto-bcm-rename-struct-device_private-to-bcm_devic.patch create mode 100644 queue-4.14/crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch create mode 100644 queue-4.14/crypto-sun4i-ss-fix-kmap-usage.patch create mode 100644 queue-4.14/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch create mode 100644 queue-4.14/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch create mode 100644 queue-4.14/dmaengine-hsu-disable-spurious-interrupt.patch create mode 100644 queue-4.14/drivers-hv-vmbus-avoid-use-after-free-in-vmbus_onoff.patch create mode 100644 queue-4.14/drm-gma500-fix-error-return-code-in-psb_driver_load.patch create mode 100644 queue-4.14/drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch create mode 100644 queue-4.14/ext4-fix-potential-htree-index-checksum-corruption.patch create mode 100644 queue-4.14/fbdev-aty-sparc64-requires-fb_aty_ct.patch create mode 100644 queue-4.14/fdt-properly-handle-no-map-field-in-the-memory-regio.patch create mode 100644 queue-4.14/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch create mode 100644 queue-4.14/gma500-clean-up-error-handling-in-init.patch create mode 100644 queue-4.14/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch create mode 100644 queue-4.14/hwrng-timeriomem-fix-cooldown-period-calculation.patch create mode 100644 queue-4.14/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch create mode 100644 queue-4.14/i40e-fix-flow-for-ipv6-next-header-extension-header.patch create mode 100644 queue-4.14/i40e-fix-overwriting-flow-control-settings-during-dr.patch create mode 100644 queue-4.14/ib-umad-return-eio-in-case-of-when-device-disassocia.patch create mode 100644 queue-4.14/ibmvnic-skip-send_request_unmap-for-timeout-reset.patch create mode 100644 queue-4.14/ima-free-ima-measurement-buffer-after-kexec-syscall.patch create mode 100644 queue-4.14/ima-free-ima-measurement-buffer-on-error.patch create mode 100644 queue-4.14/input-elo-fix-an-error-code-in-elo_connect.patch create mode 100644 queue-4.14/isofs-release-buffer-head-before-return.patch create mode 100644 queue-4.14/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch create mode 100644 queue-4.14/mac80211-fix-potential-overflow-when-multiplying-to-.patch create mode 100644 queue-4.14/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch create mode 100644 queue-4.14/media-i2c-ov5670-fix-pixel_rate-minimum-value.patch create mode 100644 queue-4.14/media-lmedm04-fix-misuse-of-comma.patch create mode 100644 queue-4.14/media-media-pci-fix-memleak-in-empress_init.patch create mode 100644 queue-4.14/media-pxa_camera-declare-variable-when-debug-is-defi.patch create mode 100644 queue-4.14/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch create mode 100644 queue-4.14/media-tm6000-fix-memleak-in-tm6000_start_stream.patch create mode 100644 queue-4.14/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch create mode 100644 queue-4.14/media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch create mode 100644 queue-4.14/mfd-bd9571mwv-use-devm_mfd_add_devices.patch create mode 100644 queue-4.14/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch create mode 100644 queue-4.14/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch create mode 100644 queue-4.14/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch create mode 100644 queue-4.14/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch create mode 100644 queue-4.14/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch create mode 100644 queue-4.14/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch create mode 100644 queue-4.14/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch create mode 100644 queue-4.14/mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch create mode 100644 queue-4.14/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch create mode 100644 queue-4.14/net-amd-xgbe-reset-link-when-the-link-never-comes-ba.patch create mode 100644 queue-4.14/net-amd-xgbe-reset-the-phy-rx-data-path-when-mailbox.patch create mode 100644 queue-4.14/net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch create mode 100644 queue-4.14/net-mvneta-remove-per-cpu-queue-mapping-for-armada-3.patch create mode 100644 queue-4.14/ocfs2-fix-a-use-after-free-on-error.patch create mode 100644 queue-4.14/of-fdt-make-sure-no-map-does-not-remove-already-rese.patch create mode 100644 queue-4.14/pci-align-checking-of-syscall-user-config-accessors.patch create mode 100644 queue-4.14/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch create mode 100644 queue-4.14/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch create mode 100644 queue-4.14/perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch create mode 100644 queue-4.14/power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch create mode 100644 queue-4.14/powerpc-47x-disable-256k-page-size.patch create mode 100644 queue-4.14/powerpc-8xx-fix-software-emulation-interrupt.patch create mode 100644 queue-4.14/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch create mode 100644 queue-4.14/pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch create mode 100644 queue-4.14/quota-fix-memory-leak-when-handling-corrupted-quota-.patch create mode 100644 queue-4.14/rdma-rxe-fix-coding-error-in-rxe_recv.c.patch create mode 100644 queue-4.14/regulator-axp20x-fix-reference-cout-leak.patch create mode 100644 queue-4.14/rtc-s5m-select-regmap_i2c.patch create mode 100644 queue-4.14/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch create mode 100644 queue-4.14/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch create mode 100644 queue-4.14/spi-atmel-put-allocated-master-before-return.patch create mode 100644 queue-4.14/spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch create mode 100644 queue-4.14/spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch create mode 100644 queue-4.14/spi-stm32-properly-handle-0-byte-transfer.patch create mode 100644 queue-4.14/staging-rtl8723bs-wifi_regd.c-fix-incorrect-number-o.patch create mode 100644 queue-4.14/take-mmap-lock-in-cacheflush-syscall.patch create mode 100644 queue-4.14/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch create mode 100644 queue-4.14/usb-dwc2-abort-transaction-after-errors-with-unknown.patch create mode 100644 queue-4.14/usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch create mode 100644 queue-4.14/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch create mode 100644 queue-4.14/usb-gadget-u_audio-free-requests-only-after-callback.patch create mode 100644 queue-4.14/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch create mode 100644 queue-4.14/xen-netback-fix-spurious-event-detection-for-common-.patch diff --git a/queue-4.14/amba-fix-resource-leak-for-drivers-without-.remove.patch b/queue-4.14/amba-fix-resource-leak-for-drivers-without-.remove.patch new file mode 100644 index 00000000000..d5cfb1fa817 --- /dev/null +++ b/queue-4.14/amba-fix-resource-leak-for-drivers-without-.remove.patch @@ -0,0 +1,83 @@ +From 2bd2ec69b353540771f07c20352b21905df673f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jan 2021 17:58:31 +0100 +Subject: amba: Fix resource leak for drivers without .remove +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit de5d7adb89367bbc87b4e5ce7afe7ae9bd86dc12 ] + +Consider an amba driver with a .probe but without a .remove callback (e.g. +pl061_gpio_driver). The function amba_probe() is called to bind a device +and so dev_pm_domain_attach() and others are called. As there is no remove +callback amba_remove() isn't called at unbind time however and so calling +dev_pm_domain_detach() is missed and the pm domain keeps active. + +To fix this always use the core driver callbacks and handle missing amba +callbacks there. For probe refuse registration as a driver without probe +doesn't make sense. + +Fixes: 7cfe249475fd ("ARM: AMBA: Add pclk support to AMBA bus infrastructure") +Reviewed-by: Ulf Hansson +Reviewed-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20210126165835.687514-2-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/amba/bus.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c +index 8a99fbe5759fe..a82d068a84b4c 100644 +--- a/drivers/amba/bus.c ++++ b/drivers/amba/bus.c +@@ -279,10 +279,11 @@ static int amba_remove(struct device *dev) + { + struct amba_device *pcdev = to_amba_device(dev); + struct amba_driver *drv = to_amba_driver(dev->driver); +- int ret; ++ int ret = 0; + + pm_runtime_get_sync(dev); +- ret = drv->remove(pcdev); ++ if (drv->remove) ++ ret = drv->remove(pcdev); + pm_runtime_put_noidle(dev); + + /* Undo the runtime PM settings in amba_probe() */ +@@ -299,7 +300,9 @@ static int amba_remove(struct device *dev) + static void amba_shutdown(struct device *dev) + { + struct amba_driver *drv = to_amba_driver(dev->driver); +- drv->shutdown(to_amba_device(dev)); ++ ++ if (drv->shutdown) ++ drv->shutdown(to_amba_device(dev)); + } + + /** +@@ -312,12 +315,13 @@ static void amba_shutdown(struct device *dev) + */ + int amba_driver_register(struct amba_driver *drv) + { +- drv->drv.bus = &amba_bustype; ++ if (!drv->probe) ++ return -EINVAL; + +-#define SETFN(fn) if (drv->fn) drv->drv.fn = amba_##fn +- SETFN(probe); +- SETFN(remove); +- SETFN(shutdown); ++ drv->drv.bus = &amba_bustype; ++ drv->drv.probe = amba_probe; ++ drv->drv.remove = amba_remove; ++ drv->drv.shutdown = amba_shutdown; + + return driver_register(&drv->drv); + } +-- +2.27.0 + diff --git a/queue-4.14/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch b/queue-4.14/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch new file mode 100644 index 00000000000..512afc715a3 --- /dev/null +++ b/queue-4.14/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch @@ -0,0 +1,75 @@ +From 100d9d93213c3bcdd2512eb7bda63c7dd4be0186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 10:47:24 +0100 +Subject: ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores + +From: Vladimir Murzin + +[ Upstream commit 2acb909750431030b65a0a2a17fd8afcbd813a84 ] + +It was observed that decompressor running on hardware implementing ARM v8.2 +Load/Store Multiple Atomicity and Ordering Control (LSMAOC), say, as guest, +would stuck just after: + +Uncompressing Linux... done, booting the kernel. + +The reason is that it clears nTLSMD bit when disabling caches: + + nTLSMD, bit [3] + + When ARMv8.2-LSMAOC is implemented: + + No Trap Load Multiple and Store Multiple to + Device-nGRE/Device-nGnRE/Device-nGnRnE memory. + + 0b0 All memory accesses by A32 and T32 Load Multiple and Store + Multiple at EL1 or EL0 that are marked at stage 1 as + Device-nGRE/Device-nGnRE/Device-nGnRnE memory are trapped and + generate a stage 1 Alignment fault. + + 0b1 All memory accesses by A32 and T32 Load Multiple and Store + Multiple at EL1 or EL0 that are marked at stage 1 as + Device-nGRE/Device-nGnRE/Device-nGnRnE memory are not trapped. + + This bit is permitted to be cached in a TLB. + + This field resets to 1. + + Otherwise: + + Reserved, RES1 + +So as effect we start getting traps we are not quite ready for. + +Looking into history it seems that mask used for SCTLR clear came from +the similar code for ARMv4, where bit[3] is the enable/disable bit for +the write buffer. That not applicable to ARMv7 and onwards, so retire +that bit from the masks. + +Fixes: 7d09e85448dfa78e3e58186c934449aaf6d49b50 ("[ARM] 4393/2: ARMv7: Add uncompressing code for the new CPU Id format") +Signed-off-by: Vladimir Murzin +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/head.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S +index 8ca539bdac356..becd5d4bc3a64 100644 +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -1088,9 +1088,9 @@ __armv4_mmu_cache_off: + __armv7_mmu_cache_off: + mrc p15, 0, r0, c1, c0 + #ifdef CONFIG_MMU +- bic r0, r0, #0x000d ++ bic r0, r0, #0x0005 + #else +- bic r0, r0, #0x000c ++ bic r0, r0, #0x0004 + #endif + mcr p15, 0, r0, c1, c0 @ turn MMU and cache off + mov r12, lr +-- +2.27.0 + diff --git a/queue-4.14/arm-dts-configure-missing-thermal-interrupt-for-4430.patch b/queue-4.14/arm-dts-configure-missing-thermal-interrupt-for-4430.patch new file mode 100644 index 00000000000..028943227ca --- /dev/null +++ b/queue-4.14/arm-dts-configure-missing-thermal-interrupt-for-4430.patch @@ -0,0 +1,52 @@ +From a7e9e63ea5027ab9a4c7254451e6cb3bb90e125f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Dec 2020 10:42:30 +0200 +Subject: ARM: dts: Configure missing thermal interrupt for 4430 + +From: Tony Lindgren + +[ Upstream commit 44f416879a442600b006ef7dec3a6dc98bcf59c6 ] + +We have gpio_86 wired internally to the bandgap thermal shutdown +interrupt on 4430 like we have it on 4460 according to the TRM. +This can be found easily by searching for TSHUT. + +For some reason the thermal shutdown interrupt was never added +for 4430, let's add it. I believe this is needed for the thermal +shutdown interrupt handler ti_bandgap_tshut_irq_handler() to call +orderly_poweroff(). + +Fixes: aa9bb4bb8878 ("arm: dts: add omap4430 thermal data") +Cc: Carl Philipp Klemm +Cc: Daniel Lezcano +Cc: Eduardo Valentin +Cc: Merlijn Wajer +Cc: Pavel Machek +Cc: Peter Ujfalusi +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap443x.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/omap443x.dtsi b/arch/arm/boot/dts/omap443x.dtsi +index 03c8ad91ddac9..5b4aa8f38e8e8 100644 +--- a/arch/arm/boot/dts/omap443x.dtsi ++++ b/arch/arm/boot/dts/omap443x.dtsi +@@ -35,10 +35,12 @@ + }; + + ocp { ++ /* 4430 has only gpio_86 tshut and no talert interrupt */ + bandgap: bandgap@4a002260 { + reg = <0x4a002260 0x4 + 0x4a00232C 0x4>; + compatible = "ti,omap4430-bandgap"; ++ gpios = <&gpio3 22 GPIO_ACTIVE_HIGH>; + + #thermal-sensor-cells = <0>; + }; +-- +2.27.0 + diff --git a/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch new file mode 100644 index 00000000000..49f4c83038e --- /dev/null +++ b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch @@ -0,0 +1,38 @@ +From 7874ff66ec37d5d6e3bea40cff2ac5872642ad45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:28:56 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Monk + +From: Krzysztof Kozlowski + +[ Upstream commit 8528cda2b7c667e9cd173aef1a677c71b7d5a096 ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Fixes: e0cefb3f79d3 ("ARM: dts: add board dts file for Exynos3250-based Monk board") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201210212903.216728-2-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos3250-monk.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos3250-monk.dts b/arch/arm/boot/dts/exynos3250-monk.dts +index bbdfcbc6e7d29..4334311d3b471 100644 +--- a/arch/arm/boot/dts/exynos3250-monk.dts ++++ b/arch/arm/boot/dts/exynos3250-monk.dts +@@ -191,7 +191,7 @@ + s2mps14_pmic@66 { + compatible = "samsung,s2mps14-pmic"; + interrupt-parent = <&gpx0>; +- interrupts = <7 IRQ_TYPE_NONE>; ++ interrupts = <7 IRQ_TYPE_LEVEL_LOW>; + reg = <0x66>; + wakeup-source; + +-- +2.27.0 + diff --git a/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-17744 b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-17744 new file mode 100644 index 00000000000..5a341a818ab --- /dev/null +++ b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-17744 @@ -0,0 +1,39 @@ +From 5ce0bfb30187f16d31d9adda8e9aaec7749e9f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:28:59 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale + Octa + +From: Krzysztof Kozlowski + +[ Upstream commit 1ac8893c4fa3d4a34915dc5cdab568a39db5086c ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. The falling edge +interrupt will mostly work but it's not correct. + +Fixes: 1fed2252713e ("ARM: dts: fix pinctrl for s2mps11-irq on exynos5420-arndale-octa") +Signed-off-by: Krzysztof Kozlowski +Tested-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20201210212903.216728-5-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5420-arndale-octa.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5420-arndale-octa.dts b/arch/arm/boot/dts/exynos5420-arndale-octa.dts +index 38538211a9672..ab76c575b67a5 100644 +--- a/arch/arm/boot/dts/exynos5420-arndale-octa.dts ++++ b/arch/arm/boot/dts/exynos5420-arndale-octa.dts +@@ -87,7 +87,7 @@ + reg = <0x66>; + + interrupt-parent = <&gpx3>; +- interrupts = <2 IRQ_TYPE_EDGE_FALLING>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + pinctrl-names = "default"; + pinctrl-0 = <&s2mps11_irq>; + +-- +2.27.0 + diff --git a/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24752 b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24752 new file mode 100644 index 00000000000..ee2e7108ba0 --- /dev/null +++ b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24752 @@ -0,0 +1,38 @@ +From 91b316cf6b794e3e02bd4aeffdbf3484233bc094 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:28:58 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Spring + +From: Krzysztof Kozlowski + +[ Upstream commit 77e6a5467cb8657cf8b5e610a30a4c502085e4f9 ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Fixes: 53dd4138bb0a ("ARM: dts: Add exynos5250-spring device tree") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201210212903.216728-4-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5250-spring.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5250-spring.dts b/arch/arm/boot/dts/exynos5250-spring.dts +index d53bfcbeb39c4..1f2d4e51824b0 100644 +--- a/arch/arm/boot/dts/exynos5250-spring.dts ++++ b/arch/arm/boot/dts/exynos5250-spring.dts +@@ -111,7 +111,7 @@ + compatible = "samsung,s5m8767-pmic"; + reg = <0x66>; + interrupt-parent = <&gpx3>; +- interrupts = <2 IRQ_TYPE_NONE>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + pinctrl-names = "default"; + pinctrl-0 = <&s5m8767_irq &s5m8767_dvs &s5m8767_ds>; + wakeup-source; +-- +2.27.0 + diff --git a/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24955 b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24955 new file mode 100644 index 00000000000..ef8d446ec97 --- /dev/null +++ b/queue-4.14/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24955 @@ -0,0 +1,39 @@ +From 6128e8e6f6ba616fa4710cae7bab293cb83b89cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:28:57 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato + +From: Krzysztof Kozlowski + +[ Upstream commit 437ae60947716bb479e2f32466f49445c0509b1e ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Fixes: faaf348ef468 ("ARM: dts: Add board dts file for exynos3250-rinato") +Signed-off-by: Krzysztof Kozlowski +Tested-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20201210212903.216728-3-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos3250-rinato.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos3250-rinato.dts b/arch/arm/boot/dts/exynos3250-rinato.dts +index 0b45467d77a8f..c0c3b185b731f 100644 +--- a/arch/arm/boot/dts/exynos3250-rinato.dts ++++ b/arch/arm/boot/dts/exynos3250-rinato.dts +@@ -274,7 +274,7 @@ + s2mps14_pmic@66 { + compatible = "samsung,s2mps14-pmic"; + interrupt-parent = <&gpx0>; +- interrupts = <7 IRQ_TYPE_NONE>; ++ interrupts = <7 IRQ_TYPE_LEVEL_LOW>; + reg = <0x66>; + wakeup-source; + +-- +2.27.0 + diff --git a/queue-4.14/arm-s3c-fix-fiq-for-clang-ias.patch b/queue-4.14/arm-s3c-fix-fiq-for-clang-ias.patch new file mode 100644 index 00000000000..44bd4a4e378 --- /dev/null +++ b/queue-4.14/arm-s3c-fix-fiq-for-clang-ias.patch @@ -0,0 +1,93 @@ +From 3d993cd70e8852da5cfd99bf3d56a8062734f068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 17:23:42 +0100 +Subject: ARM: s3c: fix fiq for clang IAS + +From: Arnd Bergmann + +[ Upstream commit 7f9942c61fa60eda7cc8e42f04bd25b7d175876e ] + +Building with the clang integrated assembler produces a couple of +errors for the s3c24xx fiq support: + + arch/arm/mach-s3c/irq-s3c24xx-fiq.S:52:2: error: instruction 'subne' can not set flags, but 's' suffix specified + subnes pc, lr, #4 @@ return, still have work to do + + arch/arm/mach-s3c/irq-s3c24xx-fiq.S:64:1: error: invalid symbol redefinition + s3c24xx_spi_fiq_txrx: + +There are apparently two problems: one with extraneous or duplicate +labels, and one with old-style opcode mnemonics. Stefan Agner has +previously fixed other problems like this, but missed this particular +file. + +Fixes: bec0806cfec6 ("spi_s3c24xx: add FIQ pseudo-DMA support") +Cc: Stefan Agner +Signed-off-by: Arnd Bergmann +Reviewed-by: Nick Desaulniers +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20210204162416.3030114-1-arnd@kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c24xx-fiq.S | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-s3c24xx-fiq.S b/drivers/spi/spi-s3c24xx-fiq.S +index 059f2dc1fda2d..1565c792da079 100644 +--- a/drivers/spi/spi-s3c24xx-fiq.S ++++ b/drivers/spi/spi-s3c24xx-fiq.S +@@ -36,7 +36,6 @@ + @ and an offset to the irq acknowledgment word + + ENTRY(s3c24xx_spi_fiq_rx) +-s3c24xx_spi_fix_rx: + .word fiq_rx_end - fiq_rx_start + .word fiq_rx_irq_ack - fiq_rx_start + fiq_rx_start: +@@ -50,7 +49,7 @@ fiq_rx_start: + strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ] + + subs fiq_rcount, fiq_rcount, #1 +- subnes pc, lr, #4 @@ return, still have work to do ++ subsne pc, lr, #4 @@ return, still have work to do + + @@ set IRQ controller so that next op will trigger IRQ + mov fiq_rtmp, #0 +@@ -62,7 +61,6 @@ fiq_rx_irq_ack: + fiq_rx_end: + + ENTRY(s3c24xx_spi_fiq_txrx) +-s3c24xx_spi_fiq_txrx: + .word fiq_txrx_end - fiq_txrx_start + .word fiq_txrx_irq_ack - fiq_txrx_start + fiq_txrx_start: +@@ -77,7 +75,7 @@ fiq_txrx_start: + strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ] + + subs fiq_rcount, fiq_rcount, #1 +- subnes pc, lr, #4 @@ return, still have work to do ++ subsne pc, lr, #4 @@ return, still have work to do + + mov fiq_rtmp, #0 + str fiq_rtmp, [ fiq_rirq, # S3C2410_INTMOD - S3C24XX_VA_IRQ ] +@@ -89,7 +87,6 @@ fiq_txrx_irq_ack: + fiq_txrx_end: + + ENTRY(s3c24xx_spi_fiq_tx) +-s3c24xx_spi_fix_tx: + .word fiq_tx_end - fiq_tx_start + .word fiq_tx_irq_ack - fiq_tx_start + fiq_tx_start: +@@ -102,7 +99,7 @@ fiq_tx_start: + strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ] + + subs fiq_rcount, fiq_rcount, #1 +- subnes pc, lr, #4 @@ return, still have work to do ++ subsne pc, lr, #4 @@ return, still have work to do + + mov fiq_rtmp, #0 + str fiq_rtmp, [ fiq_rirq, # S3C2410_INTMOD - S3C24XX_VA_IRQ ] +-- +2.27.0 + diff --git a/queue-4.14/arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch b/queue-4.14/arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch new file mode 100644 index 00000000000..86af20e1617 --- /dev/null +++ b/queue-4.14/arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch @@ -0,0 +1,49 @@ +From 497614d10c5520c4d3393c643852f99b92652c97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 09:37:37 +0000 +Subject: arm64: Add missing ISB after invalidating TLB in __primary_switch + +From: Marc Zyngier + +[ Upstream commit 9d41053e8dc115c92b8002c3db5f545d7602498b ] + +Although there has been a bit of back and forth on the subject, it +appears that invalidating TLBs requires an ISB instruction when FEAT_ETS +is not implemented by the CPU. + +From the bible: + + | In an implementation that does not implement FEAT_ETS, a TLB + | maintenance instruction executed by a PE, PEx, can complete at any + | time after it is issued, but is only guaranteed to be finished for a + | PE, PEx, after the execution of DSB by the PEx followed by a Context + | synchronization event + +Add the missing ISB in __primary_switch, just in case. + +Fixes: 3c5e9f238bc4 ("arm64: head.S: move KASLR processing out of __enable_mmu()") +Suggested-by: Will Deacon +Signed-off-by: Marc Zyngier +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20210224093738.3629662-3-maz@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/head.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index bd24c8aed6120..30d1e850b16ae 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -756,6 +756,7 @@ __primary_switch: + + tlbi vmalle1 // Remove any stale TLB entries + dsb nsh ++ isb + + msr sctlr_el1, x19 // re-enable the MMU + isb +-- +2.27.0 + diff --git a/queue-4.14/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch b/queue-4.14/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch new file mode 100644 index 00000000000..1e1962d44c8 --- /dev/null +++ b/queue-4.14/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch @@ -0,0 +1,39 @@ +From 155631ed0cb1afb7f30d09c4bb96934ff9091c2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:29:01 +0100 +Subject: arm64: dts: exynos: correct PMIC interrupt trigger level on TM2 + +From: Krzysztof Kozlowski + +[ Upstream commit e98e2367dfb4b6d7a80c8ce795c644124eff5f36 ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Fixes: 01e5d2352152 ("arm64: dts: exynos: Add dts file for Exynos5433-based TM2 board") +Signed-off-by: Krzysztof Kozlowski +Tested-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20201210212903.216728-7-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi b/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi +index 297597442c442..7de6a187ba8f4 100644 +--- a/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi ++++ b/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi +@@ -343,7 +343,7 @@ + s2mps13-pmic@66 { + compatible = "samsung,s2mps13-pmic"; + interrupt-parent = <&gpa0>; +- interrupts = <7 IRQ_TYPE_NONE>; ++ interrupts = <7 IRQ_TYPE_LEVEL_LOW>; + reg = <0x66>; + samsung,s2mps11-wrstbi-ground; + +-- +2.27.0 + diff --git a/queue-4.14/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch-6950 b/queue-4.14/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch-6950 new file mode 100644 index 00000000000..04a51837f0f --- /dev/null +++ b/queue-4.14/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch-6950 @@ -0,0 +1,38 @@ +From 0ae03ae7be8caea7cb2e103681f4aa050905c0b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:29:02 +0100 +Subject: arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso + +From: Krzysztof Kozlowski + +[ Upstream commit 1fea2eb2f5bbd3fbbe2513d2386b5f6e6db17fd7 ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201210212903.216728-8-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +index c8824b918693d..a85ad9f55cda0 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts ++++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +@@ -88,7 +88,7 @@ + s2mps15_pmic@66 { + compatible = "samsung,s2mps15-pmic"; + reg = <0x66>; +- interrupts = <2 IRQ_TYPE_NONE>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + interrupt-parent = <&gpa0>; + pinctrl-names = "default"; + pinctrl-0 = <&pmic_irq>; +-- +2.27.0 + diff --git a/queue-4.14/arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch b/queue-4.14/arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch new file mode 100644 index 00000000000..4dd11527c1d --- /dev/null +++ b/queue-4.14/arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch @@ -0,0 +1,46 @@ +From b28b0dda3b6e8d1e2d8da61dce80bb44eb8ef87c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Jan 2021 11:44:16 +0100 +Subject: arm64: dts: msm8916: Fix reserved and rfsa nodes unit address + +From: Vincent Knecht + +[ Upstream commit d5ae2528b0b56cf054b27d48b0cb85330900082f ] + +Fix `reserved` and `rfsa` unit address according to their reg address + +Fixes: 7258e10e6a0b ("ARM: dts: msm8916: Update reserved-memory") + +Signed-off-by: Vincent Knecht +Link: https://lore.kernel.org/r/20210123104417.518105-1-vincent.knecht@mailoo.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 02b7a44f790b5..94697bab3805f 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -63,7 +63,7 @@ + no-map; + }; + +- reserved@8668000 { ++ reserved@86680000 { + reg = <0x0 0x86680000 0x0 0x80000>; + no-map; + }; +@@ -73,7 +73,7 @@ + no-map; + }; + +- rfsa@867e00000 { ++ rfsa@867e0000 { + reg = <0x0 0x867e0000 0x0 0x20000>; + no-map; + }; +-- +2.27.0 + diff --git a/queue-4.14/asoc-cs42l56-fix-up-error-handling-in-probe.patch b/queue-4.14/asoc-cs42l56-fix-up-error-handling-in-probe.patch new file mode 100644 index 00000000000..b744c5fe4e9 --- /dev/null +++ b/queue-4.14/asoc-cs42l56-fix-up-error-handling-in-probe.patch @@ -0,0 +1,46 @@ +From 6d5a24177b90b37c338a205ca12cd07e5583716a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Dec 2020 13:07:59 +0300 +Subject: ASoC: cs42l56: fix up error handling in probe + +From: Dan Carpenter + +[ Upstream commit 856fe64da84c95a1d415564b981ae3908eea2a76 ] + +There are two issues with this code. The first error path forgot to set +the error code and instead returns success. The second error path +doesn't clean up. + +Fixes: 272b5edd3b8f ("ASoC: Add support for CS42L56 CODEC") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/X9NE/9nK9/TuxuL+@mwanda +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l56.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/cs42l56.c b/sound/soc/codecs/cs42l56.c +index cb6ca85f15362..52858b6c95a63 100644 +--- a/sound/soc/codecs/cs42l56.c ++++ b/sound/soc/codecs/cs42l56.c +@@ -1266,6 +1266,7 @@ static int cs42l56_i2c_probe(struct i2c_client *i2c_client, + dev_err(&i2c_client->dev, + "CS42L56 Device ID (%X). Expected %X\n", + devid, CS42L56_DEVID); ++ ret = -EINVAL; + goto err_enable; + } + alpha_rev = reg & CS42L56_AREV_MASK; +@@ -1323,7 +1324,7 @@ static int cs42l56_i2c_probe(struct i2c_client *i2c_client, + ret = snd_soc_register_codec(&i2c_client->dev, + &soc_codec_dev_cs42l56, &cs42l56_dai, 1); + if (ret < 0) +- return ret; ++ goto err_enable; + + return 0; + +-- +2.27.0 + diff --git a/queue-4.14/ata-ahci_brcm-add-back-regulators-management.patch b/queue-4.14/ata-ahci_brcm-add-back-regulators-management.patch new file mode 100644 index 00000000000..23608cb9a49 --- /dev/null +++ b/queue-4.14/ata-ahci_brcm-add-back-regulators-management.patch @@ -0,0 +1,79 @@ +From 3dad0765025f88303874822c73e708ee5f5f019f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 10:28:45 -0800 +Subject: ata: ahci_brcm: Add back regulators management + +From: Florian Fainelli + +[ Upstream commit 10340f8d7b6dd54e616339c8ccb2f397133ebea0 ] + +While reworking the resources management and departing from using +ahci_platform_enable_resources() which did not allow a proper step +separation like we need, we unfortunately lost the ability to control +AHCI regulators. This broke some Broadcom STB systems that do expect +regulators to be turned on to link up with attached hard drives. + +Fixes: c0cdf2ac4b5b ("ata: ahci_brcm: Fix AHCI resources management") +Signed-off-by: Florian Fainelli +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci_brcm.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/ahci_brcm.c b/drivers/ata/ahci_brcm.c +index 8beb81b24f142..52a242e99b043 100644 +--- a/drivers/ata/ahci_brcm.c ++++ b/drivers/ata/ahci_brcm.c +@@ -280,6 +280,10 @@ static int brcm_ahci_resume(struct device *dev) + if (ret) + return ret; + ++ ret = ahci_platform_enable_regulators(hpriv); ++ if (ret) ++ goto out_disable_clks; ++ + brcm_sata_init(priv); + brcm_sata_phys_enable(priv); + brcm_sata_alpm_init(hpriv); +@@ -309,6 +313,8 @@ out_disable_platform_phys: + ahci_platform_disable_phys(hpriv); + out_disable_phys: + brcm_sata_phys_disable(priv); ++ ahci_platform_disable_regulators(hpriv); ++out_disable_clks: + ahci_platform_disable_clks(hpriv); + return ret; + } +@@ -372,6 +378,10 @@ static int brcm_ahci_probe(struct platform_device *pdev) + if (ret) + goto out_reset; + ++ ret = ahci_platform_enable_regulators(hpriv); ++ if (ret) ++ goto out_disable_clks; ++ + /* Must be first so as to configure endianness including that + * of the standard AHCI register space. + */ +@@ -381,7 +391,7 @@ static int brcm_ahci_probe(struct platform_device *pdev) + priv->port_mask = brcm_ahci_get_portmask(hpriv, priv); + if (!priv->port_mask) { + ret = -ENODEV; +- goto out_disable_clks; ++ goto out_disable_regulators; + } + + /* Must be done before ahci_platform_enable_phys() */ +@@ -413,6 +423,8 @@ out_disable_platform_phys: + ahci_platform_disable_phys(hpriv); + out_disable_phys: + brcm_sata_phys_disable(priv); ++out_disable_regulators: ++ ahci_platform_disable_regulators(hpriv); + out_disable_clks: + ahci_platform_disable_clks(hpriv); + out_reset: +-- +2.27.0 + diff --git a/queue-4.14/ath9k-fix-data-bus-crash-when-setting-nf_override-vi.patch b/queue-4.14/ath9k-fix-data-bus-crash-when-setting-nf_override-vi.patch new file mode 100644 index 00000000000..8ee3e73719d --- /dev/null +++ b/queue-4.14/ath9k-fix-data-bus-crash-when-setting-nf_override-vi.patch @@ -0,0 +1,96 @@ +From dd32c13c7b339297afc4e1a765f065c9d8559a1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Feb 2021 09:53:44 +0200 +Subject: ath9k: fix data bus crash when setting nf_override via debugfs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 12c8f3d1cdd84f01ee777b756db9dddc1f1c9d17 ] + +When trying to set the noise floor via debugfs, a "data bus error" +crash like the following can happen: + +[ 88.433133] Data bus error, epc == 80221c28, ra == 83314e60 +[ 88.438895] Oops[#1]: +[ 88.441246] CPU: 0 PID: 7263 Comm: sh Not tainted 4.14.195 #0 +[ 88.447174] task: 838a1c20 task.stack: 82d5e000 +[ 88.451847] $ 0 : 00000000 00000030 deadc0de 83141de4 +[ 88.457248] $ 4 : b810a2c4 0000a2c4 83230fd4 00000000 +[ 88.462652] $ 8 : 0000000a 00000000 00000001 00000000 +[ 88.468055] $12 : 7f8ef318 00000000 00000000 77f802a0 +[ 88.473457] $16 : 83230080 00000002 0000001b 83230080 +[ 88.478861] $20 : 83a1c3f8 00841000 77f7adb0 ffffff92 +[ 88.484263] $24 : 00000fa4 77edd860 +[ 88.489665] $28 : 82d5e000 82d5fda8 00000000 83314e60 +[ 88.495070] Hi : 00000000 +[ 88.498044] Lo : 00000000 +[ 88.501040] epc : 80221c28 ioread32+0x8/0x10 +[ 88.505671] ra : 83314e60 ath9k_hw_loadnf+0x88/0x520 [ath9k_hw] +[ 88.512049] Status: 1000fc03 KERNEL EXL IE +[ 88.516369] Cause : 5080801c (ExcCode 07) +[ 88.520508] PrId : 00019374 (MIPS 24Kc) +[ 88.524556] Modules linked in: ath9k ath9k_common pppoe ppp_async l2tp_ppp cdc_mbim batman_adv ath9k_hw ath sr9700 smsc95xx sierra_net rndis_host qmi_wwan pppox ppp_generic pl2303 nf_conntrack_ipv6 mcs7830 mac80211 kalmia iptable_nat ipt_REJECT ipt_MASQUERADE huawei_cdc_ncm ftdi_sio dm9601 cfg80211 cdc_subset cdc_ncm cdc_ether cdc_eem ax88179_178a asix xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_ecn xt_dscp xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_NETMAP xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CLASSIFY usbserial usbnet usbhid slhc rtl8150 r8152 pegasus nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack +[ 88.597894] libcrc32c kaweth iptable_mangle iptable_filter ipt_ECN ipheth ip_tables hso hid_generic crc_ccitt compat cdc_wdm cdc_acm br_netfilter hid evdev input_core nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 l2tp_netlink l2tp_core udp_tunnel ip6_udp_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_beet ipcomp6 xfrm6_tunnel esp6 ah6 xfrm4_tunnel xfrm4_mode_tunnel xfrm4_mode_transport xfrm4_mode_beet ipcomp esp4 ah4 tunnel6 tunnel4 tun xfrm_user xfrm_ipcomp af_key xfrm_algo sha256_generic sha1_generic jitterentropy_rng drbg md5 hmac echainiv des_generic deflate zlib_inflate zlib_deflate cbc authenc crypto_acompress ehci_platform ehci_hcd gpio_button_hotplug usbcore nls_base usb_common crc16 mii aead crypto_null cryptomgr crc32c_generic +[ 88.671671] crypto_hash +[ 88.674292] Process sh (pid: 7263, threadinfo=82d5e000, task=838a1c20, tls=77f81efc) +[ 88.682279] Stack : 00008060 00000008 00000200 00000000 00000000 00000000 00000000 00000002 +[ 88.690916] 80500000 83230080 82d5fe22 00841000 77f7adb0 00000000 00000000 83156858 +[ 88.699553] 00000000 8352fa00 83ad62b0 835302a8 00000000 300a00f8 00000003 82d5fe38 +[ 88.708190] 82d5fef4 00000001 77f54dc4 77f80000 77f7adb0 c79fe901 00000000 00000000 +[ 88.716828] 80510000 00000002 00841000 77f54dc4 77f80000 801ce4cc 0000000b 41824292 +[ 88.725465] ... +[ 88.727994] Call Trace: +[ 88.730532] [<80221c28>] ioread32+0x8/0x10 +[ 88.734765] Code: 00000000 8c820000 0000000f <03e00008> 00000000 08088708 00000000 aca40000 03e00008 +[ 88.744846] +[ 88.746464] ---[ end trace db226b2de1b69b9e ]--- +[ 88.753477] Kernel panic - not syncing: Fatal exception +[ 88.759981] Rebooting in 3 seconds.. + +The "REG_READ(ah, AR_PHY_AGC_CONTROL)" in ath9k_hw_loadnf() does not +like being called when the hardware is asleep, leading to this crash. + +The easiest way to reproduce this is trying to set nf_override while +the hardware is down: + + $ ip link set down dev wlan0 + $ echo "-85" > /sys/kernel/debug/ieee80211/phy0/ath9k/nf_override + +Fixing this crash by waking the hardware up before trying to set the +noise floor. Similar to what other ath9k debugfs files do. + +Tested on a Lima board from 8devices, which has a QCA 4531 chipset. + +Fixes: b90189759a7f ("ath9k: add noise floor override option") +Cc: Simon Wunderlich +Signed-off-by: Linus Lüssing +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210209184352.4272-1-linus.luessing@c0d3.blue +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/debug.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c +index 01fa301172885..e05be0eb3f349 100644 +--- a/drivers/net/wireless/ath/ath9k/debug.c ++++ b/drivers/net/wireless/ath/ath9k/debug.c +@@ -1236,8 +1236,11 @@ static ssize_t write_file_nf_override(struct file *file, + + ah->nf_override = val; + +- if (ah->curchan) ++ if (ah->curchan) { ++ ath9k_ps_wakeup(sc); + ath9k_hw_loadnf(ah, ah->curchan); ++ ath9k_ps_restore(sc); ++ } + + return count; + } +-- +2.27.0 + diff --git a/queue-4.14/auxdisplay-ht16k33-fix-refresh-rate-handling.patch b/queue-4.14/auxdisplay-ht16k33-fix-refresh-rate-handling.patch new file mode 100644 index 00000000000..6eb3792aa35 --- /dev/null +++ b/queue-4.14/auxdisplay-ht16k33-fix-refresh-rate-handling.patch @@ -0,0 +1,37 @@ +From dc9609d3b471b7e7eb3def48bb00ebd6393c3315 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jan 2021 16:39:40 +0100 +Subject: auxdisplay: ht16k33: Fix refresh rate handling + +From: Geert Uytterhoeven + +[ Upstream commit e89b0a426721a8ca5971bc8d70aa5ea35c020f90 ] + +Drop the call to msecs_to_jiffies(), as "HZ / fbdev->refresh_rate" is +already the number of jiffies to wait. + +Fixes: 8992da44c6805d53 ("auxdisplay: ht16k33: Driver for LED controller") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/ht16k33.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c +index a93ded300740d..eec69213dad4f 100644 +--- a/drivers/auxdisplay/ht16k33.c ++++ b/drivers/auxdisplay/ht16k33.c +@@ -125,8 +125,7 @@ static void ht16k33_fb_queue(struct ht16k33_priv *priv) + { + struct ht16k33_fbdev *fbdev = &priv->fbdev; + +- schedule_delayed_work(&fbdev->work, +- msecs_to_jiffies(HZ / fbdev->refresh_rate)); ++ schedule_delayed_work(&fbdev->work, HZ / fbdev->refresh_rate); + } + + /* +-- +2.27.0 + diff --git a/queue-4.14/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch b/queue-4.14/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch new file mode 100644 index 00000000000..9b1944d8a98 --- /dev/null +++ b/queue-4.14/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch @@ -0,0 +1,50 @@ +From fdec0e4b18ab9d9131412e049fc964d12a89595c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Feb 2021 12:05:32 +0000 +Subject: b43: N-PHY: Fix the update of coef for the PHY revision >= 3case + +From: Colin Ian King + +[ Upstream commit 4773acf3d4b50768bf08e9e97a204819e9ea0895 ] + +The documentation for the PHY update [1] states: + +Loop 4 times with index i + + If PHY Revision >= 3 + Copy table[i] to coef[i] + Otherwise + Set coef[i] to 0 + +the copy of the table to coef is currently implemented the wrong way +around, table is being updated from uninitialized values in coeff. +Fix this by swapping the assignment around. + +[1] https://bcm-v4.sipsolutions.net/802.11/PHY/N/RestoreCal/ + +Fixes: 2f258b74d13c ("b43: N-PHY: implement restoring general configuration") +Addresses-Coverity: ("Uninitialized scalar variable") +Signed-off-by: Colin Ian King +Acked-by: Larry Finger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/phy_n.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/b43/phy_n.c b/drivers/net/wireless/broadcom/b43/phy_n.c +index a5557d70689f4..d1afa74aa144b 100644 +--- a/drivers/net/wireless/broadcom/b43/phy_n.c ++++ b/drivers/net/wireless/broadcom/b43/phy_n.c +@@ -5320,7 +5320,7 @@ static void b43_nphy_restore_cal(struct b43_wldev *dev) + + for (i = 0; i < 4; i++) { + if (dev->phy.rev >= 3) +- table[i] = coef[i]; ++ coef[i] = table[i]; + else + coef[i] = 0; + } +-- +2.27.0 + diff --git a/queue-4.14/bluetooth-btqcomsmd-fix-a-resource-leak-in-error-han.patch b/queue-4.14/bluetooth-btqcomsmd-fix-a-resource-leak-in-error-han.patch new file mode 100644 index 00000000000..2f233c56d99 --- /dev/null +++ b/queue-4.14/bluetooth-btqcomsmd-fix-a-resource-leak-in-error-han.patch @@ -0,0 +1,78 @@ +From 747eaff1c09ab2fa36a44a0d1870c272f42ebbe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Dec 2020 10:46:58 +0100 +Subject: Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in + the probe function + +From: Christophe JAILLET + +[ Upstream commit 9a39a927be01d89e53f04304ab99a8761e08910d ] + +Some resource should be released in the error handling path of the probe +function, as already done in the remove function. + +The remove function was fixed in commit 5052de8deff5 ("soc: qcom: smd: +Transition client drivers from smd to rpmsg") + +Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btqcomsmd.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/bluetooth/btqcomsmd.c b/drivers/bluetooth/btqcomsmd.c +index 093fd096f0c82..3a32150104c30 100644 +--- a/drivers/bluetooth/btqcomsmd.c ++++ b/drivers/bluetooth/btqcomsmd.c +@@ -154,12 +154,16 @@ static int btqcomsmd_probe(struct platform_device *pdev) + + btq->cmd_channel = qcom_wcnss_open_channel(wcnss, "APPS_RIVA_BT_CMD", + btqcomsmd_cmd_callback, btq); +- if (IS_ERR(btq->cmd_channel)) +- return PTR_ERR(btq->cmd_channel); ++ if (IS_ERR(btq->cmd_channel)) { ++ ret = PTR_ERR(btq->cmd_channel); ++ goto destroy_acl_channel; ++ } + + hdev = hci_alloc_dev(); +- if (!hdev) +- return -ENOMEM; ++ if (!hdev) { ++ ret = -ENOMEM; ++ goto destroy_cmd_channel; ++ } + + hci_set_drvdata(hdev, btq); + btq->hdev = hdev; +@@ -173,14 +177,21 @@ static int btqcomsmd_probe(struct platform_device *pdev) + hdev->set_bdaddr = qca_set_bdaddr_rome; + + ret = hci_register_dev(hdev); +- if (ret < 0) { +- hci_free_dev(hdev); +- return ret; +- } ++ if (ret < 0) ++ goto hci_free_dev; + + platform_set_drvdata(pdev, btq); + + return 0; ++ ++hci_free_dev: ++ hci_free_dev(hdev); ++destroy_cmd_channel: ++ rpmsg_destroy_ept(btq->cmd_channel); ++destroy_acl_channel: ++ rpmsg_destroy_ept(btq->acl_channel); ++ ++ return ret; + } + + static int btqcomsmd_remove(struct platform_device *pdev) +-- +2.27.0 + diff --git a/queue-4.14/bluetooth-drop-hci-device-reference-before-return.patch b/queue-4.14/bluetooth-drop-hci-device-reference-before-return.patch new file mode 100644 index 00000000000..64d04bd0c34 --- /dev/null +++ b/queue-4.14/bluetooth-drop-hci-device-reference-before-return.patch @@ -0,0 +1,35 @@ +From b480ba8219a06c00c922c01555b54795be295272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 23:34:19 -0800 +Subject: Bluetooth: drop HCI device reference before return + +From: Pan Bian + +[ Upstream commit 5a3ef03afe7e12982dc3b978f4c5077c907f7501 ] + +Call hci_dev_put() to decrement reference count of HCI device hdev if +fails to duplicate memory. + +Fixes: 0b26ab9dce74 ("Bluetooth: AMP: Handle Accept phylink command status evt") +Signed-off-by: Pan Bian +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/a2mp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c +index 3266264bc61ce..ef7e5b9b115fc 100644 +--- a/net/bluetooth/a2mp.c ++++ b/net/bluetooth/a2mp.c +@@ -519,6 +519,7 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, + assoc = kmemdup(req->amp_assoc, assoc_len, GFP_KERNEL); + if (!assoc) { + amp_ctrl_put(ctrl); ++ hci_dev_put(hdev); + return -ENOMEM; + } + +-- +2.27.0 + diff --git a/queue-4.14/bluetooth-fix-initializing-response-id-after-clearin.patch b/queue-4.14/bluetooth-fix-initializing-response-id-after-clearin.patch new file mode 100644 index 00000000000..a16352b5df5 --- /dev/null +++ b/queue-4.14/bluetooth-fix-initializing-response-id-after-clearin.patch @@ -0,0 +1,39 @@ +From 20f6aa19bf4c1611ccd4312dd39a434d34a605d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Dec 2020 19:12:32 -0800 +Subject: Bluetooth: Fix initializing response id after clearing struct + +From: Christopher William Snowhill + +[ Upstream commit a5687c644015a097304a2e47476c0ecab2065734 ] + +Looks like this was missed when patching the source to clear the structures +throughout, causing this one instance to clear the struct after the response +id is assigned. + +Fixes: eddb7732119d ("Bluetooth: A2MP: Fix not initializing all members") +Signed-off-by: Christopher William Snowhill +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/a2mp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c +index cd20c35daa6c7..3266264bc61ce 100644 +--- a/net/bluetooth/a2mp.c ++++ b/net/bluetooth/a2mp.c +@@ -388,9 +388,9 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, + hdev = hci_dev_get(req->id); + if (!hdev || hdev->amp_type == AMP_TYPE_BREDR || tmp) { + struct a2mp_amp_assoc_rsp rsp; +- rsp.id = req->id; + + memset(&rsp, 0, sizeof(rsp)); ++ rsp.id = req->id; + + if (tmp) { + rsp.status = A2MP_STATUS_COLLISION_OCCURED; +-- +2.27.0 + diff --git a/queue-4.14/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch b/queue-4.14/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch new file mode 100644 index 00000000000..8dc18ae53c5 --- /dev/null +++ b/queue-4.14/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch @@ -0,0 +1,40 @@ +From 2a4a96963bc5551b19ad62fb008a8dc34754f99d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 00:10:45 -0800 +Subject: Bluetooth: Put HCI device if inquiry procedure interrupts + +From: Pan Bian + +[ Upstream commit 28a758c861ff290e39d4f1ee0aa5df0f0b9a45ee ] + +Jump to the label done to decrement the reference count of HCI device +hdev on path that the Inquiry procedure is interrupted. + +Fixes: 3e13fa1e1fab ("Bluetooth: Fix hci_inquiry ioctl usage") +Signed-off-by: Pan Bian +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index ff80a9d41ce17..bf1263c1bc766 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1278,8 +1278,10 @@ int hci_inquiry(void __user *arg) + * cleared). If it is interrupted by a signal, return -EINTR. + */ + if (wait_on_bit(&hdev->flags, HCI_INQUIRY, +- TASK_INTERRUPTIBLE)) +- return -EINTR; ++ TASK_INTERRUPTIBLE)) { ++ err = -EINTR; ++ goto done; ++ } + } + + /* for unlimited number of responses we will use buffer with +-- +2.27.0 + diff --git a/queue-4.14/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch b/queue-4.14/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch new file mode 100644 index 00000000000..bc633c2d0bd --- /dev/null +++ b/queue-4.14/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch @@ -0,0 +1,42 @@ +From 2f730f45e6cd933a689ef5c38c21b38f3ed19a73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 02:24:23 -0500 +Subject: bnxt_en: reverse order of TX disable and carrier off + +From: Edwin Peer + +[ Upstream commit 132e0b65dc2b8bfa9721bfce834191f24fd1d7ed ] + +A TX queue can potentially immediately timeout after it is stopped +and the last TX timestamp on that queue was more than 5 seconds ago with +carrier still up. Prevent these intermittent false TX timeouts +by bringing down carrier first before calling netif_tx_disable(). + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index ea2a539e6e0f7..42af96f2b5f6b 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5752,9 +5752,10 @@ void bnxt_tx_disable(struct bnxt *bp) + txr->dev_state = BNXT_DEV_STATE_CLOSING; + } + } ++ /* Drop carrier first to prevent TX timeout */ ++ netif_carrier_off(bp->dev); + /* Stop all TX queues */ + netif_tx_disable(bp->dev); +- netif_carrier_off(bp->dev); + } + + void bnxt_tx_enable(struct bnxt *bp) +-- +2.27.0 + diff --git a/queue-4.14/bpf_lru_list-read-double-checked-variable-once-witho.patch b/queue-4.14/bpf_lru_list-read-double-checked-variable-once-witho.patch new file mode 100644 index 00000000000..17b6cdb607d --- /dev/null +++ b/queue-4.14/bpf_lru_list-read-double-checked-variable-once-witho.patch @@ -0,0 +1,65 @@ +From 4d1ec8d106a60e69da096aefd012585bef31cae4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Feb 2021 12:27:01 +0100 +Subject: bpf_lru_list: Read double-checked variable once without lock + +From: Marco Elver + +[ Upstream commit 6df8fb83301d68ea0a0c0e1cbcc790fcc333ed12 ] + +For double-checked locking in bpf_common_lru_push_free(), node->type is +read outside the critical section and then re-checked under the lock. +However, concurrent writes to node->type result in data races. + +For example, the following concurrent access was observed by KCSAN: + + write to 0xffff88801521bc22 of 1 bytes by task 10038 on cpu 1: + __bpf_lru_node_move_in kernel/bpf/bpf_lru_list.c:91 + __local_list_flush kernel/bpf/bpf_lru_list.c:298 + ... + read to 0xffff88801521bc22 of 1 bytes by task 10043 on cpu 0: + bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:507 + bpf_lru_push_free kernel/bpf/bpf_lru_list.c:555 + ... + +Fix the data races where node->type is read outside the critical section +(for double-checked locking) by marking the access with READ_ONCE() as +well as ensuring the variable is only accessed once. + +Fixes: 3a08c2fd7634 ("bpf: LRU List") +Reported-by: syzbot+3536db46dfa58c573458@syzkaller.appspotmail.com +Reported-by: syzbot+516acdb03d3e27d91bcd@syzkaller.appspotmail.com +Signed-off-by: Marco Elver +Signed-off-by: Andrii Nakryiko +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20210209112701.3341724-1-elver@google.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lru_list.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index e6ef4401a1380..9b5eeff72fd37 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -505,13 +505,14 @@ struct bpf_lru_node *bpf_lru_pop_free(struct bpf_lru *lru, u32 hash) + static void bpf_common_lru_push_free(struct bpf_lru *lru, + struct bpf_lru_node *node) + { ++ u8 node_type = READ_ONCE(node->type); + unsigned long flags; + +- if (WARN_ON_ONCE(node->type == BPF_LRU_LIST_T_FREE) || +- WARN_ON_ONCE(node->type == BPF_LRU_LOCAL_LIST_T_FREE)) ++ if (WARN_ON_ONCE(node_type == BPF_LRU_LIST_T_FREE) || ++ WARN_ON_ONCE(node_type == BPF_LRU_LOCAL_LIST_T_FREE)) + return; + +- if (node->type == BPF_LRU_LOCAL_LIST_T_PENDING) { ++ if (node_type == BPF_LRU_LOCAL_LIST_T_PENDING) { + struct bpf_lru_locallist *loc_l; + + loc_l = per_cpu_ptr(lru->common_lru.local_list, node->cpu); +-- +2.27.0 + diff --git a/queue-4.14/btrfs-clarify-error-returns-values-in-__load_free_sp.patch b/queue-4.14/btrfs-clarify-error-returns-values-in-__load_free_sp.patch new file mode 100644 index 00000000000..045df283419 --- /dev/null +++ b/queue-4.14/btrfs-clarify-error-returns-values-in-__load_free_sp.patch @@ -0,0 +1,60 @@ +From 1a47fafc3d3b8d0d7c8967fa468a341fb9665471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2020 09:08:04 +0800 +Subject: btrfs: clarify error returns values in __load_free_space_cache + +From: Zhihao Cheng + +[ Upstream commit 3cc64e7ebfb0d7faaba2438334c43466955a96e8 ] + +Return value in __load_free_space_cache is not properly set after +(unlikely) memory allocation failures and 0 is returned instead. +This is not a problem for the caller load_free_space_cache because only +value 1 is considered as 'cache loaded' but for clarity it's better +to set the errors accordingly. + +Fixes: a67509c30079 ("Btrfs: add a io_ctl struct and helpers for dealing with the space cache") +Reported-by: Hulk Robot +Signed-off-by: Zhihao Cheng +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/free-space-cache.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index 9bf72a9088aca..b272299afb673 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -759,8 +759,10 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, + while (num_entries) { + e = kmem_cache_zalloc(btrfs_free_space_cachep, + GFP_NOFS); +- if (!e) ++ if (!e) { ++ ret = -ENOMEM; + goto free_cache; ++ } + + ret = io_ctl_read_entry(&io_ctl, e, &type); + if (ret) { +@@ -769,6 +771,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, + } + + if (!e->bytes) { ++ ret = -1; + kmem_cache_free(btrfs_free_space_cachep, e); + goto free_cache; + } +@@ -788,6 +791,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, + num_bitmaps--; + e->bitmap = kzalloc(PAGE_SIZE, GFP_NOFS); + if (!e->bitmap) { ++ ret = -ENOMEM; + kmem_cache_free( + btrfs_free_space_cachep, e); + goto free_cache; +-- +2.27.0 + diff --git a/queue-4.14/capabilities-don-t-allow-writing-ambiguous-v3-file-c.patch b/queue-4.14/capabilities-don-t-allow-writing-ambiguous-v3-file-c.patch new file mode 100644 index 00000000000..a805ddcbbd1 --- /dev/null +++ b/queue-4.14/capabilities-don-t-allow-writing-ambiguous-v3-file-c.patch @@ -0,0 +1,62 @@ +From b1d8be6792a37e9e9666a43245779f0bcce624a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Dec 2020 09:42:00 -0600 +Subject: capabilities: Don't allow writing ambiguous v3 file capabilities + +From: Eric W. Biederman + +[ Upstream commit 95ebabde382c371572297915b104e55403674e73 ] + +The v3 file capabilities have a uid field that records the filesystem +uid of the root user of the user namespace the file capabilities are +valid in. + +When someone is silly enough to have the same underlying uid as the +root uid of multiple nested containers a v3 filesystem capability can +be ambiguous. + +In the spirit of don't do that then, forbid writing a v3 filesystem +capability if it is ambiguous. + +Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities") +Reviewed-by: Andrew G. Morgan +Reviewed-by: Serge Hallyn +Signed-off-by: Eric W. Biederman +Signed-off-by: Sasha Levin +--- + security/commoncap.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/security/commoncap.c b/security/commoncap.c +index bf689d61b293c..b534c4eee5bea 100644 +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -507,7 +507,8 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) + __u32 magic, nsmagic; + struct inode *inode = d_backing_inode(dentry); + struct user_namespace *task_ns = current_user_ns(), +- *fs_ns = inode->i_sb->s_user_ns; ++ *fs_ns = inode->i_sb->s_user_ns, ++ *ancestor; + kuid_t rootid; + size_t newsize; + +@@ -530,6 +531,15 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) + if (nsrootid == -1) + return -EINVAL; + ++ /* ++ * Do not allow allow adding a v3 filesystem capability xattr ++ * if the rootid field is ambiguous. ++ */ ++ for (ancestor = task_ns->parent; ancestor; ancestor = ancestor->parent) { ++ if (from_kuid(ancestor, rootid) == 0) ++ return -EINVAL; ++ } ++ + newsize = sizeof(struct vfs_ns_cap_data); + nscap = kmalloc(newsize, GFP_ATOMIC); + if (!nscap) +-- +2.27.0 + diff --git a/queue-4.14/certs-fix-blacklist-flag-type-confusion.patch b/queue-4.14/certs-fix-blacklist-flag-type-confusion.patch new file mode 100644 index 00000000000..0f4b8fa1bd3 --- /dev/null +++ b/queue-4.14/certs-fix-blacklist-flag-type-confusion.patch @@ -0,0 +1,107 @@ +From 5611f1fefa51c90957a5be70c563309cb9c5698a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2020 19:04:23 +0100 +Subject: certs: Fix blacklist flag type confusion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Howells + +[ Upstream commit 4993e1f9479a4161fd7d93e2b8b30b438f00cb0f ] + +KEY_FLAG_KEEP is not meant to be passed to keyring_alloc() or key_alloc(), +as these only take KEY_ALLOC_* flags. KEY_FLAG_KEEP has the same value as +KEY_ALLOC_BYPASS_RESTRICTION, but fortunately only key_create_or_update() +uses it. LSMs using the key_alloc hook don't check that flag. + +KEY_FLAG_KEEP is then ignored but fortunately (again) the root user cannot +write to the blacklist keyring, so it is not possible to remove a key/hash +from it. + +Fix this by adding a KEY_ALLOC_SET_KEEP flag that tells key_alloc() to set +KEY_FLAG_KEEP on the new key. blacklist_init() can then, correctly, pass +this to keyring_alloc(). + +We can also use this in ima_mok_init() rather than setting the flag +manually. + +Note that this doesn't fix an observable bug with the current +implementation but it is required to allow addition of new hashes to the +blacklist in the future without making it possible for them to be removed. + +Fixes: 734114f8782f ("KEYS: Add a system blacklist keyring") +Reported-by: Mickaël Salaün +Signed-off-by: David Howells +cc: Mickaël Salaün +cc: Mimi Zohar +Cc: David Woodhouse +Signed-off-by: Sasha Levin +--- + certs/blacklist.c | 2 +- + include/linux/key.h | 1 + + security/integrity/ima/ima_mok.c | 5 ++--- + security/keys/key.c | 2 ++ + 4 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/certs/blacklist.c b/certs/blacklist.c +index 3a507b9e2568a..e9f3f81c51f96 100644 +--- a/certs/blacklist.c ++++ b/certs/blacklist.c +@@ -157,7 +157,7 @@ static int __init blacklist_init(void) + KEY_USR_VIEW | KEY_USR_READ | + KEY_USR_SEARCH, + KEY_ALLOC_NOT_IN_QUOTA | +- KEY_FLAG_KEEP, ++ KEY_ALLOC_SET_KEEP, + NULL, NULL); + if (IS_ERR(blacklist_keyring)) + panic("Can't allocate system blacklist keyring\n"); +diff --git a/include/linux/key.h b/include/linux/key.h +index 8a15cabe928d0..8a66292090150 100644 +--- a/include/linux/key.h ++++ b/include/linux/key.h +@@ -248,6 +248,7 @@ extern struct key *key_alloc(struct key_type *type, + #define KEY_ALLOC_BUILT_IN 0x0004 /* Key is built into kernel */ + #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ + #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ ++#define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ + + extern void key_revoke(struct key *key); + extern void key_invalidate(struct key *key); +diff --git a/security/integrity/ima/ima_mok.c b/security/integrity/ima/ima_mok.c +index 073ddc9bce5ba..3e7a1523663b8 100644 +--- a/security/integrity/ima/ima_mok.c ++++ b/security/integrity/ima/ima_mok.c +@@ -43,13 +43,12 @@ __init int ima_mok_init(void) + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ | + KEY_USR_WRITE | KEY_USR_SEARCH, +- KEY_ALLOC_NOT_IN_QUOTA, ++ KEY_ALLOC_NOT_IN_QUOTA | ++ KEY_ALLOC_SET_KEEP, + restriction, NULL); + + if (IS_ERR(ima_blacklist_keyring)) + panic("Can't allocate IMA blacklist keyring."); +- +- set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags); + return 0; + } + device_initcall(ima_mok_init); +diff --git a/security/keys/key.c b/security/keys/key.c +index 5f4cb271464a0..0dec3c82dde95 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, + key->flags |= 1 << KEY_FLAG_BUILTIN; + if (flags & KEY_ALLOC_UID_KEYRING) + key->flags |= 1 << KEY_FLAG_UID_KEYRING; ++ if (flags & KEY_ALLOC_SET_KEEP) ++ key->flags |= 1 << KEY_FLAG_KEEP; + + #ifdef KEY_DEBUGGING + key->magic = KEY_DEBUG_MAGIC; +-- +2.27.0 + diff --git a/queue-4.14/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch b/queue-4.14/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch new file mode 100644 index 00000000000..1cd5e6c42ea --- /dev/null +++ b/queue-4.14/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch @@ -0,0 +1,39 @@ +From 272878de3eaabf88490f163d00405b74091ae4f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Dec 2020 13:15:54 +0100 +Subject: clk: meson: clk-pll: fix initializing the old rate (fallback) for a + PLL + +From: Martin Blumenstingl + +[ Upstream commit 2f290b7c67adf6459a17a4c978102af35cd62e4a ] + +The "rate" parameter in meson_clk_pll_set_rate() contains the new rate. +Retrieve the old rate with clk_hw_get_rate() so we don't inifinitely try +to switch from the new rate to the same rate again. + +Fixes: 7a29a869434e8b ("clk: meson: Add support for Meson clock controller") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20201226121556.975418-2-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/clk-pll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/meson/clk-pll.c b/drivers/clk/meson/clk-pll.c +index 01341553f50b7..80ce8ea1ff16a 100644 +--- a/drivers/clk/meson/clk-pll.c ++++ b/drivers/clk/meson/clk-pll.c +@@ -178,7 +178,7 @@ static int meson_clk_pll_set_rate(struct clk_hw *hw, unsigned long rate, + if (parent_rate == 0 || rate == 0) + return -EINVAL; + +- old_rate = rate; ++ old_rate = clk_hw_get_rate(hw); + + rate_set = meson_clk_get_pll_settings(pll, rate); + if (!rate_set) +-- +2.27.0 + diff --git a/queue-4.14/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch b/queue-4.14/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch new file mode 100644 index 00000000000..33d7ee7f9f4 --- /dev/null +++ b/queue-4.14/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch @@ -0,0 +1,49 @@ +From ec22ca7849a8cced994ab498167de5794589302f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 13:19:55 -0800 +Subject: clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is + defined +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom Rix + +[ Upstream commit 7da390694afbaed8e0f05717a541dfaf1077ba51 ] + +When DEBUG is defined this error occurs + +drivers/clocksource/mxs_timer.c:138:1: error: + expected ‘;’ before ‘}’ token + +The preceding statement needs a semicolon. +Replace pr_info() with pr_debug() and remove the unneeded ifdef. + +Fixes: eb8703e2ef7c ("clockevents/drivers/mxs: Migrate to new 'set-state' interface") +Signed-off-by: Tom Rix +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210118211955.763609-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/mxs_timer.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/clocksource/mxs_timer.c b/drivers/clocksource/mxs_timer.c +index a03434e9fe8f4..7b8a468cf34f2 100644 +--- a/drivers/clocksource/mxs_timer.c ++++ b/drivers/clocksource/mxs_timer.c +@@ -152,10 +152,7 @@ static void mxs_irq_clear(char *state) + + /* Clear pending interrupt */ + timrot_irq_acknowledge(); +- +-#ifdef DEBUG +- pr_info("%s: changing mode to %s\n", __func__, state) +-#endif /* DEBUG */ ++ pr_debug("%s: changing mode to %s\n", __func__, state); + } + + static int mxs_shutdown(struct clock_event_device *evt) +-- +2.27.0 + diff --git a/queue-4.14/cpufreq-brcmstb-avs-cpufreq-fix-resource-leaks-in-re.patch b/queue-4.14/cpufreq-brcmstb-avs-cpufreq-fix-resource-leaks-in-re.patch new file mode 100644 index 00000000000..20c15b6262f --- /dev/null +++ b/queue-4.14/cpufreq-brcmstb-avs-cpufreq-fix-resource-leaks-in-re.patch @@ -0,0 +1,38 @@ +From 99eade581c917016b17109f9f94b2f5ae6ff2aed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Jan 2021 15:26:44 +0100 +Subject: cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() + +From: Christophe JAILLET + +[ Upstream commit 3657f729b6fb5f2c0bf693742de2dcd49c572aa1 ] + +If 'cpufreq_unregister_driver()' fails, just WARN and continue, so that +other resources are freed. + +Fixes: de322e085995 ("cpufreq: brcmstb-avs-cpufreq: AVS CPUfreq driver for Broadcom STB SoCs") +Signed-off-by: Christophe JAILLET +[ Viresh: Updated Subject ] +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/brcmstb-avs-cpufreq.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c +index 39c462711eae0..815dd7c33e469 100644 +--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c ++++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c +@@ -1033,8 +1033,7 @@ static int brcm_avs_cpufreq_remove(struct platform_device *pdev) + int ret; + + ret = cpufreq_unregister_driver(&brcm_avs_driver); +- if (ret) +- return ret; ++ WARN_ON(ret); + + brcm_avs_cpufreq_debug_exit(pdev); + +-- +2.27.0 + diff --git a/queue-4.14/crypto-bcm-rename-struct-device_private-to-bcm_devic.patch b/queue-4.14/crypto-bcm-rename-struct-device_private-to-bcm_devic.patch new file mode 100644 index 00000000000..ead81a3cf5b --- /dev/null +++ b/queue-4.14/crypto-bcm-rename-struct-device_private-to-bcm_devic.patch @@ -0,0 +1,83 @@ +From 789fd71b6f88ef43059dea420068d4d3808710be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 00:02:37 +0100 +Subject: crypto: bcm - Rename struct device_private to bcm_device_private + +From: Jiri Olsa + +[ Upstream commit f7f2b43eaf6b4cfe54c75100709be31d5c4b52c8 ] + +Renaming 'struct device_private' to 'struct bcm_device_private', +because it clashes with 'struct device_private' from +'drivers/base/base.h'. + +While it's not a functional problem, it's causing two distinct +type hierarchies in BTF data. It also breaks build with options: + CONFIG_DEBUG_INFO_BTF=y + CONFIG_CRYPTO_DEV_BCM_SPU=y + +as reported by Qais Yousef [1]. + +[1] https://lore.kernel.org/lkml/20201229151352.6hzmjvu3qh6p2qgg@e107158-lin/ + +Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") +Signed-off-by: Jiri Olsa +Tested-by: Qais Yousef +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/bcm/cipher.c | 2 +- + drivers/crypto/bcm/cipher.h | 4 ++-- + drivers/crypto/bcm/util.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/bcm/cipher.c b/drivers/crypto/bcm/cipher.c +index af6119b3b6b72..676175d96b68b 100644 +--- a/drivers/crypto/bcm/cipher.c ++++ b/drivers/crypto/bcm/cipher.c +@@ -53,7 +53,7 @@ + + /* ================= Device Structure ================== */ + +-struct device_private iproc_priv; ++struct bcm_device_private iproc_priv; + + /* ==================== Parameters ===================== */ + +diff --git a/drivers/crypto/bcm/cipher.h b/drivers/crypto/bcm/cipher.h +index 57a55eb2a2552..07b2233342db8 100644 +--- a/drivers/crypto/bcm/cipher.h ++++ b/drivers/crypto/bcm/cipher.h +@@ -432,7 +432,7 @@ struct spu_hw { + u32 num_chan; + }; + +-struct device_private { ++struct bcm_device_private { + struct platform_device *pdev; + + struct spu_hw spu; +@@ -479,6 +479,6 @@ struct device_private { + struct mbox_chan **mbox; + }; + +-extern struct device_private iproc_priv; ++extern struct bcm_device_private iproc_priv; + + #endif +diff --git a/drivers/crypto/bcm/util.c b/drivers/crypto/bcm/util.c +index 430c5570ea877..657cf7e587214 100644 +--- a/drivers/crypto/bcm/util.c ++++ b/drivers/crypto/bcm/util.c +@@ -401,7 +401,7 @@ char *spu_alg_name(enum spu_cipher_alg alg, enum spu_cipher_mode mode) + static ssize_t spu_debugfs_read(struct file *filp, char __user *ubuf, + size_t count, loff_t *offp) + { +- struct device_private *ipriv; ++ struct bcm_device_private *ipriv; + char *buf; + ssize_t ret, out_offset, out_count; + int i; +-- +2.27.0 + diff --git a/queue-4.14/crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch b/queue-4.14/crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch new file mode 100644 index 00000000000..81a1fa0af21 --- /dev/null +++ b/queue-4.14/crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch @@ -0,0 +1,41 @@ +From 388daf971523d64edcdad9994feb1e45b506e7af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Feb 2021 11:28:37 +0000 +Subject: crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() + +From: Daniele Alessandrelli + +[ Upstream commit a53ab94eb6850c3657392e2d2ce9b38c387a2633 ] + +The length ('len' parameter) passed to crypto_ecdh_decode_key() is never +checked against the length encoded in the passed buffer ('buf' +parameter). This could lead to an out-of-bounds access when the passed +length is less than the encoded length. + +Add a check to prevent that. + +Fixes: 3c4b23901a0c7 ("crypto: ecdh - Add ECDH software support") +Signed-off-by: Daniele Alessandrelli +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/ecdh_helper.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/crypto/ecdh_helper.c b/crypto/ecdh_helper.c +index f05bea5fd257a..ae33c01311b1d 100644 +--- a/crypto/ecdh_helper.c ++++ b/crypto/ecdh_helper.c +@@ -71,6 +71,9 @@ int crypto_ecdh_decode_key(const char *buf, unsigned int len, + if (secret.type != CRYPTO_KPP_SECRET_TYPE_ECDH) + return -EINVAL; + ++ if (unlikely(len < secret.len)) ++ return -EINVAL; ++ + ptr = ecdh_unpack_data(¶ms->curve_id, ptr, sizeof(params->curve_id)); + ptr = ecdh_unpack_data(¶ms->key_size, ptr, sizeof(params->key_size)); + if (secret.len != crypto_ecdh_key_len(params)) +-- +2.27.0 + diff --git a/queue-4.14/crypto-sun4i-ss-fix-kmap-usage.patch b/queue-4.14/crypto-sun4i-ss-fix-kmap-usage.patch new file mode 100644 index 00000000000..4c1cdb98633 --- /dev/null +++ b/queue-4.14/crypto-sun4i-ss-fix-kmap-usage.patch @@ -0,0 +1,254 @@ +From 026404ddec6f68b044ff51a4a358ac66db25437f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Dec 2020 20:02:30 +0000 +Subject: crypto: sun4i-ss - fix kmap usage + +From: Corentin Labbe + +[ Upstream commit 9bc3dd24e7dccd50757db743a3635ad5b0497e6e ] + +With the recent kmap change, some tests which were conditional on +CONFIG_DEBUG_HIGHMEM now are enabled by default. +This permit to detect a problem in sun4i-ss usage of kmap. + +sun4i-ss uses two kmap via sg_miter (one for input, one for output), but +using two kmap at the same time is hard: +"the ordering has to be correct and with sg_miter that's probably hard to get +right." (quoting Tlgx) + +So the easiest solution is to never have two sg_miter/kmap open at the same time. +After each use of sg_miter, I store the current index, for being able to +resume sg_miter to the right place. + +Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 109 +++++++++++++--------- + 1 file changed, 65 insertions(+), 44 deletions(-) + +diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c +index 22e4918579254..178096e4e77da 100644 +--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c +@@ -34,6 +34,8 @@ static int sun4i_ss_opti_poll(struct skcipher_request *areq) + unsigned int ileft = areq->cryptlen; + unsigned int oleft = areq->cryptlen; + unsigned int todo; ++ unsigned long pi = 0, po = 0; /* progress for in and out */ ++ bool miter_err; + struct sg_mapping_iter mi, mo; + unsigned int oi, oo; /* offset for in and out */ + unsigned long flags; +@@ -64,39 +66,51 @@ static int sun4i_ss_opti_poll(struct skcipher_request *areq) + } + writel(mode, ss->base + SS_CTL); + +- sg_miter_start(&mi, areq->src, sg_nents(areq->src), +- SG_MITER_FROM_SG | SG_MITER_ATOMIC); +- sg_miter_start(&mo, areq->dst, sg_nents(areq->dst), +- SG_MITER_TO_SG | SG_MITER_ATOMIC); +- sg_miter_next(&mi); +- sg_miter_next(&mo); +- if (!mi.addr || !mo.addr) { +- dev_err_ratelimited(ss->dev, "ERROR: sg_miter return null\n"); +- err = -EINVAL; +- goto release_ss; +- } + + ileft = areq->cryptlen / 4; + oleft = areq->cryptlen / 4; + oi = 0; + oo = 0; + do { +- todo = min(rx_cnt, ileft); +- todo = min_t(size_t, todo, (mi.length - oi) / 4); +- if (todo) { +- ileft -= todo; +- writesl(ss->base + SS_RXFIFO, mi.addr + oi, todo); +- oi += todo * 4; +- } +- if (oi == mi.length) { +- sg_miter_next(&mi); +- oi = 0; ++ if (ileft) { ++ sg_miter_start(&mi, areq->src, sg_nents(areq->src), ++ SG_MITER_FROM_SG | SG_MITER_ATOMIC); ++ if (pi) ++ sg_miter_skip(&mi, pi); ++ miter_err = sg_miter_next(&mi); ++ if (!miter_err || !mi.addr) { ++ dev_err_ratelimited(ss->dev, "ERROR: sg_miter return null\n"); ++ err = -EINVAL; ++ goto release_ss; ++ } ++ todo = min(rx_cnt, ileft); ++ todo = min_t(size_t, todo, (mi.length - oi) / 4); ++ if (todo) { ++ ileft -= todo; ++ writesl(ss->base + SS_RXFIFO, mi.addr + oi, todo); ++ oi += todo * 4; ++ } ++ if (oi == mi.length) { ++ pi += mi.length; ++ oi = 0; ++ } ++ sg_miter_stop(&mi); + } + + spaces = readl(ss->base + SS_FCSR); + rx_cnt = SS_RXFIFO_SPACES(spaces); + tx_cnt = SS_TXFIFO_SPACES(spaces); + ++ sg_miter_start(&mo, areq->dst, sg_nents(areq->dst), ++ SG_MITER_TO_SG | SG_MITER_ATOMIC); ++ if (po) ++ sg_miter_skip(&mo, po); ++ miter_err = sg_miter_next(&mo); ++ if (!miter_err || !mo.addr) { ++ dev_err_ratelimited(ss->dev, "ERROR: sg_miter return null\n"); ++ err = -EINVAL; ++ goto release_ss; ++ } + todo = min(tx_cnt, oleft); + todo = min_t(size_t, todo, (mo.length - oo) / 4); + if (todo) { +@@ -105,9 +119,10 @@ static int sun4i_ss_opti_poll(struct skcipher_request *areq) + oo += todo * 4; + } + if (oo == mo.length) { +- sg_miter_next(&mo); + oo = 0; ++ po += mo.length; + } ++ sg_miter_stop(&mo); + } while (oleft); + + if (areq->iv) { +@@ -118,8 +133,6 @@ static int sun4i_ss_opti_poll(struct skcipher_request *areq) + } + + release_ss: +- sg_miter_stop(&mi); +- sg_miter_stop(&mo); + writel(0, ss->base + SS_CTL); + spin_unlock_irqrestore(&ss->slock, flags); + return err; +@@ -148,6 +161,8 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + unsigned int oleft = areq->cryptlen; + unsigned int todo; + struct sg_mapping_iter mi, mo; ++ unsigned long pi = 0, po = 0; /* progress for in and out */ ++ bool miter_err; + unsigned int oi, oo; /* offset for in and out */ + char buf[4 * SS_RX_MAX];/* buffer for linearize SG src */ + char bufo[4 * SS_TX_MAX]; /* buffer for linearize SG dst */ +@@ -200,17 +215,6 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + } + writel(mode, ss->base + SS_CTL); + +- sg_miter_start(&mi, areq->src, sg_nents(areq->src), +- SG_MITER_FROM_SG | SG_MITER_ATOMIC); +- sg_miter_start(&mo, areq->dst, sg_nents(areq->dst), +- SG_MITER_TO_SG | SG_MITER_ATOMIC); +- sg_miter_next(&mi); +- sg_miter_next(&mo); +- if (!mi.addr || !mo.addr) { +- dev_err_ratelimited(ss->dev, "ERROR: sg_miter return null\n"); +- err = -EINVAL; +- goto release_ss; +- } + ileft = areq->cryptlen; + oleft = areq->cryptlen; + oi = 0; +@@ -218,6 +222,16 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + + while (oleft) { + if (ileft) { ++ sg_miter_start(&mi, areq->src, sg_nents(areq->src), ++ SG_MITER_FROM_SG | SG_MITER_ATOMIC); ++ if (pi) ++ sg_miter_skip(&mi, pi); ++ miter_err = sg_miter_next(&mi); ++ if (!miter_err || !mi.addr) { ++ dev_err_ratelimited(ss->dev, "ERROR: sg_miter return null\n"); ++ err = -EINVAL; ++ goto release_ss; ++ } + /* + * todo is the number of consecutive 4byte word that we + * can read from current SG +@@ -250,31 +264,38 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + } + } + if (oi == mi.length) { +- sg_miter_next(&mi); ++ pi += mi.length; + oi = 0; + } ++ sg_miter_stop(&mi); + } + + spaces = readl(ss->base + SS_FCSR); + rx_cnt = SS_RXFIFO_SPACES(spaces); + tx_cnt = SS_TXFIFO_SPACES(spaces); +- dev_dbg(ss->dev, +- "%x %u/%zu %u/%u cnt=%u %u/%zu %u/%u cnt=%u %u\n", +- mode, +- oi, mi.length, ileft, areq->cryptlen, rx_cnt, +- oo, mo.length, oleft, areq->cryptlen, tx_cnt, ob); + + if (!tx_cnt) + continue; ++ sg_miter_start(&mo, areq->dst, sg_nents(areq->dst), ++ SG_MITER_TO_SG | SG_MITER_ATOMIC); ++ if (po) ++ sg_miter_skip(&mo, po); ++ miter_err = sg_miter_next(&mo); ++ if (!miter_err || !mo.addr) { ++ dev_err_ratelimited(ss->dev, "ERROR: sg_miter return null\n"); ++ err = -EINVAL; ++ goto release_ss; ++ } + /* todo in 4bytes word */ + todo = min(tx_cnt, oleft / 4); + todo = min_t(size_t, todo, (mo.length - oo) / 4); ++ + if (todo) { + readsl(ss->base + SS_TXFIFO, mo.addr + oo, todo); + oleft -= todo * 4; + oo += todo * 4; + if (oo == mo.length) { +- sg_miter_next(&mo); ++ po += mo.length; + oo = 0; + } + } else { +@@ -299,12 +320,14 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + obo += todo; + oo += todo; + if (oo == mo.length) { ++ po += mo.length; + sg_miter_next(&mo); + oo = 0; + } + } while (obo < obl); + /* bufo must be fully used here */ + } ++ sg_miter_stop(&mo); + } + if (areq->iv) { + for (i = 0; i < 4 && i < ivsize / 4; i++) { +@@ -314,8 +337,6 @@ static int sun4i_ss_cipher_poll(struct skcipher_request *areq) + } + + release_ss: +- sg_miter_stop(&mi); +- sg_miter_stop(&mo); + writel(0, ss->base + SS_CTL); + spin_unlock_irqrestore(&ss->slock, flags); + +-- +2.27.0 + diff --git a/queue-4.14/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch b/queue-4.14/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch new file mode 100644 index 00000000000..f833829d184 --- /dev/null +++ b/queue-4.14/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch @@ -0,0 +1,51 @@ +From a891e653ae47684e2830de910c4a07fb9b0ff491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Dec 2020 17:06:14 +0100 +Subject: dmaengine: fsldma: Fix a resource leak in an error handling path of + the probe function + +From: Christophe JAILLET + +[ Upstream commit b202d4e82531a62a33a6b14d321dd2aad491578e ] + +In case of error, the previous 'fsl_dma_chan_probe()' calls must be undone +by some 'fsl_dma_chan_remove()', as already done in the remove function. + +It was added in the remove function in commit 77cd62e8082b ("fsldma: allow +Freescale Elo DMA driver to be compiled as a module") + +Fixes: d3f620b2c4fe ("fsldma: simplify IRQ probing and handling") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201212160614.92576-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/fsldma.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c +index 79166c8d5afc1..65d3571e723f9 100644 +--- a/drivers/dma/fsldma.c ++++ b/drivers/dma/fsldma.c +@@ -1218,6 +1218,7 @@ static int fsldma_of_probe(struct platform_device *op) + { + struct fsldma_device *fdev; + struct device_node *child; ++ unsigned int i; + int err; + + fdev = kzalloc(sizeof(*fdev), GFP_KERNEL); +@@ -1296,6 +1297,10 @@ static int fsldma_of_probe(struct platform_device *op) + return 0; + + out_free_fdev: ++ for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++) { ++ if (fdev->chan[i]) ++ fsl_dma_chan_remove(fdev->chan[i]); ++ } + irq_dispose_mapping(fdev->irq); + iounmap(fdev->regs); + out_free: +-- +2.27.0 + diff --git a/queue-4.14/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch b/queue-4.14/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch new file mode 100644 index 00000000000..f7afbe33f2b --- /dev/null +++ b/queue-4.14/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch @@ -0,0 +1,42 @@ +From 696d65c214dd420754b079421329e7a9f1bd3f62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Dec 2020 17:05:16 +0100 +Subject: dmaengine: fsldma: Fix a resource leak in the remove function + +From: Christophe JAILLET + +[ Upstream commit cbc0ad004c03ad7971726a5db3ec84dba3dcb857 ] + +A 'irq_dispose_mapping()' call is missing in the remove function. +Add it. + +This is needed to undo the 'irq_of_parse_and_map() call from the probe +function and already part of the error handling path of the probe function. + +It was added in the probe function only in commit d3f620b2c4fe ("fsldma: +simplify IRQ probing and handling") + +Fixes: 77cd62e8082b ("fsldma: allow Freescale Elo DMA driver to be compiled as a module") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201212160516.92515-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/fsldma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c +index 3eaece888e751..79166c8d5afc1 100644 +--- a/drivers/dma/fsldma.c ++++ b/drivers/dma/fsldma.c +@@ -1318,6 +1318,7 @@ static int fsldma_of_remove(struct platform_device *op) + if (fdev->chan[i]) + fsl_dma_chan_remove(fdev->chan[i]); + } ++ irq_dispose_mapping(fdev->irq); + + iounmap(fdev->regs); + kfree(fdev); +-- +2.27.0 + diff --git a/queue-4.14/dmaengine-hsu-disable-spurious-interrupt.patch b/queue-4.14/dmaengine-hsu-disable-spurious-interrupt.patch new file mode 100644 index 00000000000..eee638f4292 --- /dev/null +++ b/queue-4.14/dmaengine-hsu-disable-spurious-interrupt.patch @@ -0,0 +1,76 @@ +From 27b426f8b52f62e01d589048542a2cfdced9e068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jan 2021 23:37:49 +0100 +Subject: dmaengine: hsu: disable spurious interrupt + +From: Ferry Toth + +[ Upstream commit 035b73b2b3b2e074a56489a7bf84b6a8012c0e0d ] + +On Intel Tangier B0 and Anniedale the interrupt line, disregarding +to have different numbers, is shared between HSU DMA and UART IPs. +Thus on such SoCs we are expecting that IRQ handler is called in +UART driver only. hsu_pci_irq was handling the spurious interrupt +from HSU DMA by returning immediately. This wastes CPU time and +since HSU DMA and HSU UART interrupt occur simultaneously they race +to be handled causing delay to the HSU UART interrupt handling. +Fix this by disabling the interrupt entirely. + +Fixes: 4831e0d9054c ("serial: 8250_mid: handle interrupt correctly in DMA case") +Signed-off-by: Ferry Toth +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210112223749.97036-1-ftoth@exalondelft.nl +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/hsu/pci.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/dma/hsu/pci.c b/drivers/dma/hsu/pci.c +index ad45cd344bbae..78836526d2e07 100644 +--- a/drivers/dma/hsu/pci.c ++++ b/drivers/dma/hsu/pci.c +@@ -29,22 +29,12 @@ + static irqreturn_t hsu_pci_irq(int irq, void *dev) + { + struct hsu_dma_chip *chip = dev; +- struct pci_dev *pdev = to_pci_dev(chip->dev); + u32 dmaisr; + u32 status; + unsigned short i; + int ret = 0; + int err; + +- /* +- * On Intel Tangier B0 and Anniedale the interrupt line, disregarding +- * to have different numbers, is shared between HSU DMA and UART IPs. +- * Thus on such SoCs we are expecting that IRQ handler is called in +- * UART driver only. +- */ +- if (pdev->device == PCI_DEVICE_ID_INTEL_MRFLD_HSU_DMA) +- return IRQ_HANDLED; +- + dmaisr = readl(chip->regs + HSU_PCI_DMAISR); + for (i = 0; i < chip->hsu->nr_channels; i++) { + if (dmaisr & 0x1) { +@@ -108,6 +98,17 @@ static int hsu_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (ret) + goto err_register_irq; + ++ /* ++ * On Intel Tangier B0 and Anniedale the interrupt line, disregarding ++ * to have different numbers, is shared between HSU DMA and UART IPs. ++ * Thus on such SoCs we are expecting that IRQ handler is called in ++ * UART driver only. Instead of handling the spurious interrupt ++ * from HSU DMA here and waste CPU time and delay HSU UART interrupt ++ * handling, disable the interrupt entirely. ++ */ ++ if (pdev->device == PCI_DEVICE_ID_INTEL_MRFLD_HSU_DMA) ++ disable_irq_nosync(chip->irq); ++ + pci_set_drvdata(pdev, chip); + + return 0; +-- +2.27.0 + diff --git a/queue-4.14/drivers-hv-vmbus-avoid-use-after-free-in-vmbus_onoff.patch b/queue-4.14/drivers-hv-vmbus-avoid-use-after-free-in-vmbus_onoff.patch new file mode 100644 index 00000000000..b5d64f17126 --- /dev/null +++ b/queue-4.14/drivers-hv-vmbus-avoid-use-after-free-in-vmbus_onoff.patch @@ -0,0 +1,45 @@ +From 7ac1b4dfefb69ba97f362b105ea4954545809add Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Dec 2020 08:08:25 +0100 +Subject: Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() + +From: Andrea Parri (Microsoft) + +[ Upstream commit e3fa4b747f085d2cda09bba0533b86fa76038635 ] + +When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could +invoke put_device(), that will eventually release the device and free +the channel object (cf. vmbus_device_release()). However, a pointer +to the object is dereferenced again later to load the primary_channel. +The use-after-free can be avoided by noticing that this load/check is +redundant if device_obj is non-NULL: primary_channel must be NULL if +device_obj is non-NULL, cf. vmbus_add_channel_work(). + +Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling") +Reported-by: Juan Vazquez +Signed-off-by: Andrea Parri (Microsoft) +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20201209070827.29335-5-parri.andrea@gmail.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/channel_mgmt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index 5bf633c15cd4b..3891d3c2cc002 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -989,8 +989,7 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) + vmbus_device_unregister(channel->device_obj); + put_device(dev); + } +- } +- if (channel->primary_channel != NULL) { ++ } else if (channel->primary_channel != NULL) { + /* + * Sub-channel is being rescinded. Following is the channel + * close sequence when initiated from the driveri (refer to +-- +2.27.0 + diff --git a/queue-4.14/drm-gma500-fix-error-return-code-in-psb_driver_load.patch b/queue-4.14/drm-gma500-fix-error-return-code-in-psb_driver_load.patch new file mode 100644 index 00000000000..0dfc11096ad --- /dev/null +++ b/queue-4.14/drm-gma500-fix-error-return-code-in-psb_driver_load.patch @@ -0,0 +1,38 @@ +From c4c308576ec8fe14d83d6bb1345f231121af0490 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Nov 2020 10:02:16 +0800 +Subject: drm/gma500: Fix error return code in psb_driver_load() + +From: Jialin Zhang + +[ Upstream commit 6926872ae24452d4f2176a3ba2dee659497de2c4 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 5c49fd3aa0ab ("gma500: Add the core DRM files and headers") +Reported-by: Hulk Robot +Signed-off-by: Jialin Zhang +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20201130020216.1906141-1-zhangjialin11@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/psb_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c +index 37a3be71acd90..d016ce846c634 100644 +--- a/drivers/gpu/drm/gma500/psb_drv.c ++++ b/drivers/gpu/drm/gma500/psb_drv.c +@@ -323,6 +323,8 @@ static int psb_driver_load(struct drm_device *dev, unsigned long flags) + if (ret) + goto out_err; + ++ ret = -ENOMEM; ++ + dev_priv->mmu = psb_mmu_driver_init(dev, 1, 0, 0); + if (!dev_priv->mmu) + goto out_err; +-- +2.27.0 + diff --git a/queue-4.14/drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch b/queue-4.14/drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch new file mode 100644 index 00000000000..f14a6b50e90 --- /dev/null +++ b/queue-4.14/drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch @@ -0,0 +1,37 @@ +From 865d706f025cbe1fe786a3d0baa3af8d9b6a4ecd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 17:15:58 +0100 +Subject: drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) + +From: Konrad Dybcio + +[ Upstream commit 33a7808ce1aea6e2edc1af25db25928137940c02 ] + +The previous registers were *almost* correct, but instead of +PHYs, they were pointing at DSI PLLs, resulting in the PHY id +autodetection failing miserably. + +Fixes: dcefc117cc19 ("drm/msm/dsi: Add support for msm8x94") +Signed-off-by: Konrad Dybcio +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c +index 1ca6c69516f57..4c037d855b272 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c +@@ -147,7 +147,7 @@ const struct msm_dsi_phy_cfg dsi_phy_20nm_cfgs = { + .disable = dsi_20nm_phy_disable, + .init = msm_dsi_phy_init_common, + }, +- .io_start = { 0xfd998300, 0xfd9a0300 }, ++ .io_start = { 0xfd998500, 0xfd9a0500 }, + .num_dsi_phy = 2, + }; + +-- +2.27.0 + diff --git a/queue-4.14/ext4-fix-potential-htree-index-checksum-corruption.patch b/queue-4.14/ext4-fix-potential-htree-index-checksum-corruption.patch new file mode 100644 index 00000000000..82b6f0a0048 --- /dev/null +++ b/queue-4.14/ext4-fix-potential-htree-index-checksum-corruption.patch @@ -0,0 +1,55 @@ +From 20bd3c75dcf49e408120770a8247fae13fa543e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 00:05:20 -0500 +Subject: ext4: fix potential htree index checksum corruption + +From: Theodore Ts'o + +[ Upstream commit b5776e7524afbd4569978ff790864755c438bba7 ] + +In the case where we need to do an interior node split, and +immediately afterwards, we are unable to allocate a new directory leaf +block due to ENOSPC, the directory index checksum's will not be filled +in correctly (and indeed, will not be correctly journalled). + +This looks like a bug that was introduced when we added largedir +support. The original code doesn't make any sense (and should have +been caught in code review), but it was hidden because most of the +time, the index node checksum will be set by do_split(). But if +do_split bails out due to ENOSPC, then ext4_handle_dirty_dx_node() +won't get called, and so the directory index checksum field will not +get set, leading to: + +EXT4-fs error (device sdb): dx_probe:858: inode #6635543: block 4022: comm nfsd: Directory index failed checksum + +Google-Bug-Id: 176345532 +Fixes: e08ac99fa2a2 ("ext4: add largedir feature") +Cc: Artem Blagodarenko +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index a4301fa4719ff..eff27e9de775f 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2293,11 +2293,10 @@ again: + (frame - 1)->bh); + if (err) + goto journal_error; +- if (restart) { +- err = ext4_handle_dirty_dx_node(handle, dir, +- frame->bh); ++ err = ext4_handle_dirty_dx_node(handle, dir, ++ frame->bh); ++ if (err) + goto journal_error; +- } + } else { + struct dx_root *dxroot; + memcpy((char *) entries2, (char *) entries, +-- +2.27.0 + diff --git a/queue-4.14/fbdev-aty-sparc64-requires-fb_aty_ct.patch b/queue-4.14/fbdev-aty-sparc64-requires-fb_aty_ct.patch new file mode 100644 index 00000000000..249a0acde42 --- /dev/null +++ b/queue-4.14/fbdev-aty-sparc64-requires-fb_aty_ct.patch @@ -0,0 +1,62 @@ +From d39cb61b57939e8c419be3383ba39a1d71a63cbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Nov 2020 19:17:52 -0800 +Subject: fbdev: aty: SPARC64 requires FB_ATY_CT + +From: Randy Dunlap + +[ Upstream commit c6c90c70db4d9a0989111d6b994d545659410f7a ] + +It looks like SPARC64 requires FB_ATY_CT to build without errors, +so have FB_ATY select FB_ATY_CT if both SPARC64 and PCI are enabled +instead of using "default y if SPARC64 && PCI", which is not strong +enough to prevent build errors. + +As it currently is, FB_ATY_CT can be disabled, resulting in build +errors: + +ERROR: modpost: "aty_postdividers" [drivers/video/fbdev/aty/atyfb.ko] undefined! +ERROR: modpost: "aty_ld_pll_ct" [drivers/video/fbdev/aty/atyfb.ko] undefined! + +Reviewed-by: Geert Uytterhoeven +Fixes: f7018c213502 ("video: move fbdev to drivers/video/fbdev") +Signed-off-by: Randy Dunlap +Cc: "David S. Miller" +Cc: sparclinux@vger.kernel.org +Cc: Tomi Valkeinen +Cc: dri-devel@lists.freedesktop.org +Cc: linux-fbdev@vger.kernel.org +Cc: Daniel Vetter +Cc: David Airlie +Cc: Bartlomiej Zolnierkiewicz +Cc: Geert Uytterhoeven +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20201127031752.10371-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index 5e58f5ec0a28e..d00588d9b0258 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -1411,6 +1411,7 @@ config FB_ATY + select FB_CFB_IMAGEBLIT + select FB_BACKLIGHT if FB_ATY_BACKLIGHT + select FB_MACMODES if PPC ++ select FB_ATY_CT if SPARC64 && PCI + help + This driver supports graphics boards with the ATI Mach64 chips. + Say Y if you have such a graphics board. +@@ -1421,7 +1422,6 @@ config FB_ATY + config FB_ATY_CT + bool "Mach64 CT/VT/GT/LT (incl. 3D RAGE) support" + depends on PCI && FB_ATY +- default y if SPARC64 && PCI + help + Say Y here to support use of ATI's 64-bit Rage boards (or other + boards based on the Mach64 CT, VT, GT, and LT chipsets) as a +-- +2.27.0 + diff --git a/queue-4.14/fdt-properly-handle-no-map-field-in-the-memory-regio.patch b/queue-4.14/fdt-properly-handle-no-map-field-in-the-memory-regio.patch new file mode 100644 index 00000000000..dd6b0208d80 --- /dev/null +++ b/queue-4.14/fdt-properly-handle-no-map-field-in-the-memory-regio.patch @@ -0,0 +1,42 @@ +From 1a18e7a86967483de51330aede4dc572ca21d957 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 11:45:43 +0000 +Subject: fdt: Properly handle "no-map" field in the memory region + +From: KarimAllah Ahmed + +[ Upstream commit 86588296acbfb1591e92ba60221e95677ecadb43 ] + +Mark the memory region with NOMAP flag instead of completely removing it +from the memory blocks. That makes the FDT handling consistent with the EFI +memory map handling. + +Cc: Rob Herring +Cc: Frank Rowand +Cc: devicetree@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: KarimAllah Ahmed +Signed-off-by: Quentin Perret +Link: https://lore.kernel.org/r/20210115114544.1830068-2-qperret@google.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 6337c394bfe32..6df66fcefbb40 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -1213,7 +1213,7 @@ int __init __weak early_init_dt_reserve_memory_arch(phys_addr_t base, + phys_addr_t size, bool nomap) + { + if (nomap) +- return memblock_remove(base, size); ++ return memblock_mark_nomap(base, size); + return memblock_reserve(base, size); + } + +-- +2.27.0 + diff --git a/queue-4.14/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch b/queue-4.14/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch new file mode 100644 index 00000000000..6a2163f0140 --- /dev/null +++ b/queue-4.14/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch @@ -0,0 +1,39 @@ +From 84a084e4e7ba55841893fbd43a8e61b1370275ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 13:01:08 +0000 +Subject: fs/jfs: fix potential integer overflow on shift of a int + +From: Colin Ian King + +[ Upstream commit 4208c398aae4c2290864ba15c3dab7111f32bec1 ] + +The left shift of int 32 bit integer constant 1 is evaluated using 32 bit +arithmetic and then assigned to a signed 64 bit integer. In the case where +l2nb is 32 or more this can lead to an overflow. Avoid this by shifting +the value 1LL instead. + +Addresses-Coverity: ("Uninitentional integer overflow") +Fixes: b40c2e665cd5 ("fs/jfs: TRIM support for JFS Filesystem") +Signed-off-by: Colin Ian King +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 2d514c7affc2a..9ff510a489cb1 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1669,7 +1669,7 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen) + } else if (rc == -ENOSPC) { + /* search for next smaller log2 block */ + l2nb = BLKSTOL2(nblocks) - 1; +- nblocks = 1 << l2nb; ++ nblocks = 1LL << l2nb; + } else { + /* Trim any already allocated blocks */ + jfs_error(bmp->db_ipbmap->i_sb, "-EIO\n"); +-- +2.27.0 + diff --git a/queue-4.14/gma500-clean-up-error-handling-in-init.patch b/queue-4.14/gma500-clean-up-error-handling-in-init.patch new file mode 100644 index 00000000000..1ab1ef1bb04 --- /dev/null +++ b/queue-4.14/gma500-clean-up-error-handling-in-init.patch @@ -0,0 +1,73 @@ +From 145cc3460e3862862f68aa3442d91220a60571f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Dec 2020 11:40:48 +0300 +Subject: gma500: clean up error handling in init + +From: Dan Carpenter + +[ Upstream commit 15ccc39b3aab667c6fa131206f01f31bfbccdf6a ] + +The main problem with this error handling was that it didn't clean up if +i2c_add_numbered_adapter() failed. This code is pretty old, and doesn't +match with today's checkpatch.pl standards so I took the opportunity to +tidy it up a bit. I changed the NULL comparison, and removed the +WARNING message if kzalloc() fails and updated the label names. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Dan Carpenter +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/X8ikkAqZfnDO2lu6@mwanda +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c b/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c +index e281070611480..fc9a34ed58bd1 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c +@@ -279,11 +279,8 @@ int oaktrail_hdmi_i2c_init(struct pci_dev *dev) + hdmi_dev = pci_get_drvdata(dev); + + i2c_dev = kzalloc(sizeof(struct hdmi_i2c_dev), GFP_KERNEL); +- if (i2c_dev == NULL) { +- DRM_ERROR("Can't allocate interface\n"); +- ret = -ENOMEM; +- goto exit; +- } ++ if (!i2c_dev) ++ return -ENOMEM; + + i2c_dev->adap = &oaktrail_hdmi_i2c_adapter; + i2c_dev->status = I2C_STAT_INIT; +@@ -300,16 +297,23 @@ int oaktrail_hdmi_i2c_init(struct pci_dev *dev) + oaktrail_hdmi_i2c_adapter.name, hdmi_dev); + if (ret) { + DRM_ERROR("Failed to request IRQ for I2C controller\n"); +- goto err; ++ goto free_dev; + } + + /* Adapter registration */ + ret = i2c_add_numbered_adapter(&oaktrail_hdmi_i2c_adapter); +- return ret; ++ if (ret) { ++ DRM_ERROR("Failed to add I2C adapter\n"); ++ goto free_irq; ++ } + +-err: ++ return 0; ++ ++free_irq: ++ free_irq(dev->irq, hdmi_dev); ++free_dev: + kfree(i2c_dev); +-exit: ++ + return ret; + } + +-- +2.27.0 + diff --git a/queue-4.14/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch b/queue-4.14/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch new file mode 100644 index 00000000000..c8e4c342478 --- /dev/null +++ b/queue-4.14/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch @@ -0,0 +1,51 @@ +From b2d11131264098a95f76b2ab9851bca81c5a5f5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Dec 2020 17:12:21 -0800 +Subject: HID: core: detect and skip invalid inputs to snto32() + +From: Randy Dunlap + +[ Upstream commit a0312af1f94d13800e63a7d0a66e563582e39aec ] + +Prevent invalid (0, 0) inputs to hid-core's snto32() function. + +Maybe it is just the dummy device here that is causing this, but +there are hundreds of calls to snto32(0, 0). Having n (bits count) +of 0 is causing the current UBSAN trap with a shift value of +0xffffffff (-1, or n - 1 in this function). + +Either of the value to shift being 0 or the bits count being 0 can be +handled by just returning 0 to the caller, avoiding the following +complex shift + OR operations: + + return value & (1 << (n - 1)) ? value | (~0U << n) : value; + +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Signed-off-by: Randy Dunlap +Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: linux-input@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index fe4e889af0090..71ee1267d2efc 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1129,6 +1129,9 @@ EXPORT_SYMBOL_GPL(hid_open_report); + + static s32 snto32(__u32 value, unsigned n) + { ++ if (!value || !n) ++ return 0; ++ + switch (n) { + case 8: return ((__s8)value); + case 16: return ((__s16)value); +-- +2.27.0 + diff --git a/queue-4.14/hwrng-timeriomem-fix-cooldown-period-calculation.patch b/queue-4.14/hwrng-timeriomem-fix-cooldown-period-calculation.patch new file mode 100644 index 00000000000..6245cecda09 --- /dev/null +++ b/queue-4.14/hwrng-timeriomem-fix-cooldown-period-calculation.patch @@ -0,0 +1,35 @@ +From 0586d744cf08dfa03692f0faf9fe7ac2573f4452 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Feb 2021 16:14:59 +0100 +Subject: hwrng: timeriomem - Fix cooldown period calculation + +From: Jan Henrik Weinstock + +[ Upstream commit e145f5565dc48ccaf4cb50b7cfc48777bed8c100 ] + +Ensure cooldown period tolerance of 1% is actually accounted for. + +Fixes: ca3bff70ab32 ("hwrng: timeriomem - Improve performance...") +Signed-off-by: Jan Henrik Weinstock +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/timeriomem-rng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/timeriomem-rng.c b/drivers/char/hw_random/timeriomem-rng.c +index 03ff5483d8654..1aa7e0b0ae0fe 100644 +--- a/drivers/char/hw_random/timeriomem-rng.c ++++ b/drivers/char/hw_random/timeriomem-rng.c +@@ -79,7 +79,7 @@ static int timeriomem_rng_read(struct hwrng *hwrng, void *data, + */ + if (retval > 0) + usleep_range(period_us, +- period_us + min(1, period_us / 100)); ++ period_us + max(1, period_us / 100)); + + *(u32 *)data = readl(priv->io_base); + retval += sizeof(u32); +-- +2.27.0 + diff --git a/queue-4.14/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch b/queue-4.14/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch new file mode 100644 index 00000000000..8f5ee7ce7b8 --- /dev/null +++ b/queue-4.14/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch @@ -0,0 +1,40 @@ +From f7dbc4185c9f93ffbde5dc2ac6ac57b43c3c2253 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 17:11:01 +0100 +Subject: i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition + +From: Maxime Ripard + +[ Upstream commit a1858ce0cfe31368b23ba55794e409fb57ced4a4 ] + +The brcmstb_send_i2c_cmd currently has a condition that is (CMD_RD || +CMD_WR) which always evaluates to true, while the obvious fix is to test +whether the cmd variable passed as parameter holds one of these two +values. + +Fixes: dd1aa2524bc5 ("i2c: brcmstb: Add Broadcom settop SoC i2c controller driver") +Reported-by: Dave Stevenson +Signed-off-by: Maxime Ripard +Acked-by: Florian Fainelli +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-brcmstb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-brcmstb.c b/drivers/i2c/busses/i2c-brcmstb.c +index 78792b4d6437c..a658f975605a7 100644 +--- a/drivers/i2c/busses/i2c-brcmstb.c ++++ b/drivers/i2c/busses/i2c-brcmstb.c +@@ -318,7 +318,7 @@ static int brcmstb_send_i2c_cmd(struct brcmstb_i2c_dev *dev, + goto cmd_out; + } + +- if ((CMD_RD || CMD_WR) && ++ if ((cmd == CMD_RD || cmd == CMD_WR) && + bsc_readl(dev, iic_enable) & BSC_IIC_EN_NOACK_MASK) { + rc = -EREMOTEIO; + dev_dbg(dev->device, "controller received NOACK intr for %s\n", +-- +2.27.0 + diff --git a/queue-4.14/i40e-fix-flow-for-ipv6-next-header-extension-header.patch b/queue-4.14/i40e-fix-flow-for-ipv6-next-header-extension-header.patch new file mode 100644 index 00000000000..1ecbca7406e --- /dev/null +++ b/queue-4.14/i40e-fix-flow-for-ipv6-next-header-extension-header.patch @@ -0,0 +1,63 @@ +From 6e6bef47dfb7d20816ae29960aca6bb0fbadbefa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 07:57:04 +0000 +Subject: i40e: Fix flow for IPv6 next header (extension header) + +From: Slawomir Laba + +[ Upstream commit 92c6058024e87087cf1b99b0389d67c0a886360e ] + +When a packet contains an IPv6 header with next header which is +an extension header and not a protocol one, the kernel function +skb_transport_header called with such sk_buff will return a +pointer to the extension header and not to the TCP one. + +The above explained call caused a problem with packet processing +for skb with encapsulation for tunnel with I40E_TX_CTX_EXT_IP_IPV6. +The extension header was not skipped at all. + +The ipv6_skip_exthdr function does check if next header of the IPV6 +header is an extension header and doesn't modify the l4_proto pointer +if it points to a protocol header value so its safe to omit the +comparison of exthdr and l4.hdr pointers. The ipv6_skip_exthdr can +return value -1. This means that the skipping process failed +and there is something wrong with the packet so it will be dropped. + +Fixes: a3fd9d8876a5 ("i40e/i40evf: Handle IPv6 extension headers in checksum offload") +Signed-off-by: Slawomir Laba +Signed-off-by: Przemyslaw Patynowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 542c00b1c823f..d79a2c8175c4c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -2829,13 +2829,16 @@ static int i40e_tx_enable_csum(struct sk_buff *skb, u32 *tx_flags, + + l4_proto = ip.v4->protocol; + } else if (*tx_flags & I40E_TX_FLAGS_IPV6) { ++ int ret; ++ + tunnel |= I40E_TX_CTX_EXT_IP_IPV6; + + exthdr = ip.hdr + sizeof(*ip.v6); + l4_proto = ip.v6->nexthdr; +- if (l4.hdr != exthdr) +- ipv6_skip_exthdr(skb, exthdr - skb->data, +- &l4_proto, &frag_off); ++ ret = ipv6_skip_exthdr(skb, exthdr - skb->data, ++ &l4_proto, &frag_off); ++ if (ret < 0) ++ return -1; + } + + /* define outer transport */ +-- +2.27.0 + diff --git a/queue-4.14/i40e-fix-overwriting-flow-control-settings-during-dr.patch b/queue-4.14/i40e-fix-overwriting-flow-control-settings-during-dr.patch new file mode 100644 index 00000000000..dd8eecc46dd --- /dev/null +++ b/queue-4.14/i40e-fix-overwriting-flow-control-settings-during-dr.patch @@ -0,0 +1,87 @@ +From ac9d97a55ffa7d845cf7585b66624c1eb4785712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Nov 2020 15:08:27 +0000 +Subject: i40e: Fix overwriting flow control settings during driver loading + +From: Mateusz Palczewski + +[ Upstream commit 4cdb9f80dcd46aab3c0020b4a6920c22735c5d6e ] + +During driver loading flow control settings were written to FW +using a variable which was always zero, since it was being set +only by ethtool. This behavior has been corrected and driver +no longer overwrites the default FW/NVM settings. + +Fixes: 373149fc99a0 ("i40e: Decrease the scope of rtnl lock") +Signed-off-by: Dawid Lukwinski +Signed-off-by: Mateusz Palczewski +Reviewed-by: Aleksandr Loktionov +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 27 --------------------- + 1 file changed, 27 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index f4475cbf8ce86..3f43e4f0d3b17 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -7185,7 +7185,6 @@ static int i40e_reset(struct i40e_pf *pf) + static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) + { + struct i40e_hw *hw = &pf->hw; +- u8 set_fc_aq_fail = 0; + i40e_status ret; + u32 val; + int v; +@@ -7263,13 +7262,6 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired) + i40e_stat_str(&pf->hw, ret), + i40e_aq_str(&pf->hw, pf->hw.aq.asq_last_status)); + +- /* make sure our flow control settings are restored */ +- ret = i40e_set_fc(&pf->hw, &set_fc_aq_fail, true); +- if (ret) +- dev_dbg(&pf->pdev->dev, "setting flow control: ret = %s last_status = %s\n", +- i40e_stat_str(&pf->hw, ret), +- i40e_aq_str(&pf->hw, pf->hw.aq.asq_last_status)); +- + /* Rebuild the VSIs and VEBs that existed before reset. + * They are still in our local switch element arrays, so only + * need to rebuild the switch model in the HW. +@@ -11286,7 +11278,6 @@ static int i40e_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + int err; + u32 val; + u32 i; +- u8 set_fc_aq_fail; + + err = pci_enable_device_mem(pdev); + if (err) +@@ -11555,24 +11546,6 @@ static int i40e_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + goto err_vsis; + } + +- /* Make sure flow control is set according to current settings */ +- err = i40e_set_fc(hw, &set_fc_aq_fail, true); +- if (set_fc_aq_fail & I40E_SET_FC_AQ_FAIL_GET) +- dev_dbg(&pf->pdev->dev, +- "Set fc with err %s aq_err %s on get_phy_cap\n", +- i40e_stat_str(hw, err), +- i40e_aq_str(hw, hw->aq.asq_last_status)); +- if (set_fc_aq_fail & I40E_SET_FC_AQ_FAIL_SET) +- dev_dbg(&pf->pdev->dev, +- "Set fc with err %s aq_err %s on set_phy_config\n", +- i40e_stat_str(hw, err), +- i40e_aq_str(hw, hw->aq.asq_last_status)); +- if (set_fc_aq_fail & I40E_SET_FC_AQ_FAIL_UPDATE) +- dev_dbg(&pf->pdev->dev, +- "Set fc with err %s aq_err %s on get_link_info\n", +- i40e_stat_str(hw, err), +- i40e_aq_str(hw, hw->aq.asq_last_status)); +- + /* if FDIR VSI was set up, start it now */ + for (i = 0; i < pf->num_alloc_vsi; i++) { + if (pf->vsi[i] && pf->vsi[i]->type == I40E_VSI_FDIR) { +-- +2.27.0 + diff --git a/queue-4.14/ib-umad-return-eio-in-case-of-when-device-disassocia.patch b/queue-4.14/ib-umad-return-eio-in-case-of-when-device-disassocia.patch new file mode 100644 index 00000000000..cc2933af0d9 --- /dev/null +++ b/queue-4.14/ib-umad-return-eio-in-case-of-when-device-disassocia.patch @@ -0,0 +1,54 @@ +From 4b6bc140b5c4aa183221d8b8ddccd69fbe1d4071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jan 2021 14:13:38 +0200 +Subject: IB/umad: Return EIO in case of when device disassociated + +From: Shay Drory + +[ Upstream commit 4fc5461823c9cad547a9bdfbf17d13f0da0d6bb5 ] + +MAD message received by the user has EINVAL error in all flows +including when the device is disassociated. That makes it impossible +for the applications to treat such flow differently. + +Change it to return EIO, so the applications will be able to perform +disassociation recovery. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20210125121339.837518-2-leon@kernel.org +Signed-off-by: Shay Drory +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index 4a137bf584b04..a3aab7d55ad47 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -354,6 +354,11 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + + mutex_lock(&file->mutex); + ++ if (file->agents_dead) { ++ mutex_unlock(&file->mutex); ++ return -EIO; ++ } ++ + while (list_empty(&file->recv_list)) { + mutex_unlock(&file->mutex); + +@@ -496,7 +501,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + + agent = __get_agent(file, packet->mad.hdr.id); + if (!agent) { +- ret = -EINVAL; ++ ret = -EIO; + goto err_up; + } + +-- +2.27.0 + diff --git a/queue-4.14/ibmvnic-skip-send_request_unmap-for-timeout-reset.patch b/queue-4.14/ibmvnic-skip-send_request_unmap-for-timeout-reset.patch new file mode 100644 index 00000000000..55287aef411 --- /dev/null +++ b/queue-4.14/ibmvnic-skip-send_request_unmap-for-timeout-reset.patch @@ -0,0 +1,45 @@ +From 55fef8a06aac041b9fd22f8773a702b6558fbee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Feb 2021 20:49:00 -0600 +Subject: ibmvnic: skip send_request_unmap for timeout reset + +From: Lijun Pan + +[ Upstream commit 7d3a7b9ea59ddb223aec59b45fa1713c633aaed4 ] + +Timeout reset will trigger the VIOS to unmap it automatically, +similarly as FAILVOER and MOBILITY events. If we unmap it +in the linux side, we will see errors like +"30000003: Error 4 in REQUEST_UNMAP_RSP". +So, don't call send_request_unmap for timeout reset. + +Fixes: ed651a10875f ("ibmvnic: Updated reset handling") +Signed-off-by: Lijun Pan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index ec2dce057395a..4771dbee96819 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -201,8 +201,13 @@ static void free_long_term_buff(struct ibmvnic_adapter *adapter, + if (!ltb->buff) + return; + ++ /* VIOS automatically unmaps the long term buffer at remote ++ * end for the following resets: ++ * FAILOVER, MOBILITY, TIMEOUT. ++ */ + if (adapter->reset_reason != VNIC_RESET_FAILOVER && +- adapter->reset_reason != VNIC_RESET_MOBILITY) ++ adapter->reset_reason != VNIC_RESET_MOBILITY && ++ adapter->reset_reason != VNIC_RESET_TIMEOUT) + send_request_unmap(adapter, ltb->map_id); + dma_free_coherent(dev, ltb->size, ltb->buff, ltb->addr); + } +-- +2.27.0 + diff --git a/queue-4.14/ima-free-ima-measurement-buffer-after-kexec-syscall.patch b/queue-4.14/ima-free-ima-measurement-buffer-after-kexec-syscall.patch new file mode 100644 index 00000000000..a2e4873fd73 --- /dev/null +++ b/queue-4.14/ima-free-ima-measurement-buffer-after-kexec-syscall.patch @@ -0,0 +1,80 @@ +From c98564e7aa8ab27431f982181ad07d95266f2d85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 09:49:51 -0800 +Subject: ima: Free IMA measurement buffer after kexec syscall + +From: Lakshmi Ramasubramanian + +[ Upstream commit f31e3386a4e92ba6eda7328cb508462956c94c64 ] + +IMA allocates kernel virtual memory to carry forward the measurement +list, from the current kernel to the next kernel on kexec system call, +in ima_add_kexec_buffer() function. This buffer is not freed before +completing the kexec system call resulting in memory leak. + +Add ima_buffer field in "struct kimage" to store the virtual address +of the buffer allocated for the IMA measurement list. +Free the memory allocated for the IMA measurement list in +kimage_file_post_load_cleanup() function. + +Signed-off-by: Lakshmi Ramasubramanian +Suggested-by: Tyler Hicks +Reviewed-by: Thiago Jung Bauermann +Reviewed-by: Tyler Hicks +Fixes: 7b8589cc29e7 ("ima: on soft reboot, save the measurement list") +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + include/linux/kexec.h | 5 +++++ + kernel/kexec_file.c | 5 +++++ + security/integrity/ima/ima_kexec.c | 2 ++ + 3 files changed, 12 insertions(+) + +diff --git a/include/linux/kexec.h b/include/linux/kexec.h +index 1c08c925cefbb..1ce6ba5f04077 100644 +--- a/include/linux/kexec.h ++++ b/include/linux/kexec.h +@@ -217,6 +217,11 @@ struct kimage { + /* Information for loading purgatory */ + struct purgatory_info purgatory_info; + #endif ++ ++#ifdef CONFIG_IMA_KEXEC ++ /* Virtual address of IMA measurement buffer for kexec syscall */ ++ void *ima_buffer; ++#endif + }; + + /* kexec interface functions */ +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index 9f48f44122972..6d0bdedb2e207 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -95,6 +95,11 @@ void kimage_file_post_load_cleanup(struct kimage *image) + vfree(pi->sechdrs); + pi->sechdrs = NULL; + ++#ifdef CONFIG_IMA_KEXEC ++ vfree(image->ima_buffer); ++ image->ima_buffer = NULL; ++#endif /* CONFIG_IMA_KEXEC */ ++ + /* See if architecture has anything to cleanup post load */ + arch_kimage_file_post_load_cleanup(image); + +diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c +index 40bc385a80768..ce30e6edfedc4 100644 +--- a/security/integrity/ima/ima_kexec.c ++++ b/security/integrity/ima/ima_kexec.c +@@ -132,6 +132,8 @@ void ima_add_kexec_buffer(struct kimage *image) + return; + } + ++ image->ima_buffer = kexec_buffer; ++ + pr_debug("kexec measurement buffer for the loaded kernel at 0x%lx.\n", + kbuf.mem); + } +-- +2.27.0 + diff --git a/queue-4.14/ima-free-ima-measurement-buffer-on-error.patch b/queue-4.14/ima-free-ima-measurement-buffer-on-error.patch new file mode 100644 index 00000000000..ada2aa4386e --- /dev/null +++ b/queue-4.14/ima-free-ima-measurement-buffer-on-error.patch @@ -0,0 +1,41 @@ +From d8e5f8fb7ffe1e0ef4eb0a2ae4998a3b7f4aa7f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 09:49:50 -0800 +Subject: ima: Free IMA measurement buffer on error + +From: Lakshmi Ramasubramanian + +[ Upstream commit 6d14c6517885fa68524238787420511b87d671df ] + +IMA allocates kernel virtual memory to carry forward the measurement +list, from the current kernel to the next kernel on kexec system call, +in ima_add_kexec_buffer() function. In error code paths this memory +is not freed resulting in memory leak. + +Free the memory allocated for the IMA measurement list in +the error code paths in ima_add_kexec_buffer() function. + +Signed-off-by: Lakshmi Ramasubramanian +Suggested-by: Tyler Hicks +Fixes: 7b8589cc29e7 ("ima: on soft reboot, save the measurement list") +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_kexec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c +index e473eee913cba..40bc385a80768 100644 +--- a/security/integrity/ima/ima_kexec.c ++++ b/security/integrity/ima/ima_kexec.c +@@ -122,6 +122,7 @@ void ima_add_kexec_buffer(struct kimage *image) + ret = kexec_add_buffer(&kbuf); + if (ret) { + pr_err("Error passing over kexec measurement buffer.\n"); ++ vfree(kexec_buffer); + return; + } + +-- +2.27.0 + diff --git a/queue-4.14/input-elo-fix-an-error-code-in-elo_connect.patch b/queue-4.14/input-elo-fix-an-error-code-in-elo_connect.patch new file mode 100644 index 00000000000..7adb22f87b9 --- /dev/null +++ b/queue-4.14/input-elo-fix-an-error-code-in-elo_connect.patch @@ -0,0 +1,40 @@ +From 24699a00a0f2883cc83d7f27d74be9d91c5e99aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Feb 2021 20:29:05 -0800 +Subject: Input: elo - fix an error code in elo_connect() + +From: Dan Carpenter + +[ Upstream commit 0958351e93fa0ac142f6dd8bd844441594f30a57 ] + +If elo_setup_10() fails then this should return an error code instead +of success. + +Fixes: fae3006e4b42 ("Input: elo - add support for non-pressure-sensitive touchscreens") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YBKFd5CvDu+jVmfW@mwanda +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/elo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/elo.c b/drivers/input/touchscreen/elo.c +index 83433e8efff70..9642b0dd24f9b 100644 +--- a/drivers/input/touchscreen/elo.c ++++ b/drivers/input/touchscreen/elo.c +@@ -345,8 +345,10 @@ static int elo_connect(struct serio *serio, struct serio_driver *drv) + switch (elo->id) { + + case 0: /* 10-byte protocol */ +- if (elo_setup_10(elo)) ++ if (elo_setup_10(elo)) { ++ err = -EIO; + goto fail3; ++ } + + break; + +-- +2.27.0 + diff --git a/queue-4.14/isofs-release-buffer-head-before-return.patch b/queue-4.14/isofs-release-buffer-head-before-return.patch new file mode 100644 index 00000000000..872874a8da2 --- /dev/null +++ b/queue-4.14/isofs-release-buffer-head-before-return.patch @@ -0,0 +1,49 @@ +From bd8f4b7ce057d3faac25031d7fb80000ad854432 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 04:04:55 -0800 +Subject: isofs: release buffer head before return + +From: Pan Bian + +[ Upstream commit 0a6dc67a6aa45f19bd4ff89b4f468fc50c4b8daa ] + +Release the buffer_head before returning error code in +do_isofs_readdir() and isofs_find_entry(). + +Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem") +Link: https://lore.kernel.org/r/20210118120455.118955-1-bianpan2016@163.com +Signed-off-by: Pan Bian +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/isofs/dir.c | 1 + + fs/isofs/namei.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c +index 947ce22f5b3c3..55df4d80793ba 100644 +--- a/fs/isofs/dir.c ++++ b/fs/isofs/dir.c +@@ -152,6 +152,7 @@ static int do_isofs_readdir(struct inode *inode, struct file *file, + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, + inode->i_ino); ++ brelse(bh); + return -EIO; + } + +diff --git a/fs/isofs/namei.c b/fs/isofs/namei.c +index cac468f04820e..558e7c51ce0d4 100644 +--- a/fs/isofs/namei.c ++++ b/fs/isofs/namei.c +@@ -102,6 +102,7 @@ isofs_find_entry(struct inode *dir, struct dentry *dentry, + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, + dir->i_ino); ++ brelse(bh); + return 0; + } + +-- +2.27.0 + diff --git a/queue-4.14/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch b/queue-4.14/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch new file mode 100644 index 00000000000..221eea6dbd5 --- /dev/null +++ b/queue-4.14/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch @@ -0,0 +1,58 @@ +From 8619c4633cc90c6ffc0acfe218ee90a57ae50508 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Dec 2020 06:56:04 -0800 +Subject: jffs2: fix use after free in jffs2_sum_write_data() + +From: Tom Rix + +[ Upstream commit 19646447ad3a680d2ab08c097585b7d96a66126b ] + +clang static analysis reports this problem + +fs/jffs2/summary.c:794:31: warning: Use of memory after it is freed + c->summary->sum_list_head = temp->u.next; + ^~~~~~~~~~~~ + +In jffs2_sum_write_data(), in a loop summary data is handles a node at +a time. When it has written out the node it is removed the summary list, +and the node is deleted. In the corner case when a +JFFS2_FEATURE_RWCOMPAT_COPY is seen, a call is made to +jffs2_sum_disable_collecting(). jffs2_sum_disable_collecting() deletes +the whole list which conflicts with the loop's deleting the list by parts. + +To preserve the old behavior of stopping the write midway, bail out of +the loop after disabling summary collection. + +Fixes: 6171586a7ae5 ("[JFFS2] Correct handling of JFFS2_FEATURE_RWCOMPAT_COPY nodes.") +Signed-off-by: Tom Rix +Reviewed-by: Nathan Chancellor +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/summary.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c +index be7c8a6a57480..4fe64519870f1 100644 +--- a/fs/jffs2/summary.c ++++ b/fs/jffs2/summary.c +@@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock + dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n", + je16_to_cpu(temp->u.nodetype)); + jffs2_sum_disable_collecting(c->summary); ++ /* The above call removes the list, nothing more to do */ ++ goto bail_rwcompat; + } else { + BUG(); /* unknown node in summary information */ + } +@@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock + + c->summary->sum_num--; + } ++ bail_rwcompat: + + jffs2_sum_reset_collected(c->summary); + +-- +2.27.0 + diff --git a/queue-4.14/mac80211-fix-potential-overflow-when-multiplying-to-.patch b/queue-4.14/mac80211-fix-potential-overflow-when-multiplying-to-.patch new file mode 100644 index 00000000000..9b7a11491a5 --- /dev/null +++ b/queue-4.14/mac80211-fix-potential-overflow-when-multiplying-to-.patch @@ -0,0 +1,40 @@ +From d56c6dc7b9d430214e60cc9310fd1769fad0d6f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 17:53:52 +0000 +Subject: mac80211: fix potential overflow when multiplying to u32 integers + +From: Colin Ian King + +[ Upstream commit 6194f7e6473be78acdc5d03edd116944bdbb2c4e ] + +The multiplication of the u32 variables tx_time and estimated_retx is +performed using a 32 bit multiplication and the result is stored in +a u64 result. This has a potential u32 overflow issue, so avoid this +by casting tx_time to a u64 to force a 64 bit multiply. + +Addresses-Coverity: ("Unintentional integer overflow") +Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20210205175352.208841-1-colin.king@canonical.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_hwmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index fe65701fe95cc..f57232bcd4057 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -355,7 +355,7 @@ static u32 airtime_link_metric_get(struct ieee80211_local *local, + */ + tx_time = (device_constant + 10 * test_frame_len / rate); + estimated_retx = ((1 << (2 * ARITH_SHIFT)) / (s_unit - err)); +- result = (tx_time * estimated_retx) >> (2 * ARITH_SHIFT); ++ result = ((u64)tx_time * estimated_retx) >> (2 * ARITH_SHIFT); + return (u32)result; + } + +-- +2.27.0 + diff --git a/queue-4.14/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch b/queue-4.14/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch new file mode 100644 index 00000000000..8c5bf7a3ab0 --- /dev/null +++ b/queue-4.14/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch @@ -0,0 +1,46 @@ +From eebfe7b56df94888c513672ab0c489512b9c8d16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Jan 2021 22:21:46 +0100 +Subject: media: cx25821: Fix a bug when reallocating some dma memory + +From: Christophe JAILLET + +[ Upstream commit b2de3643c5024fc4fd128ba7767c7fb8b714bea7 ] + +This function looks like a realloc. + +However, if 'risc->cpu != NULL', the memory will be freed, but never +reallocated with the bigger 'size'. +Explicitly set 'risc->cpu' to NULL, so that the reallocation is +correctly performed a few lines below. + +[hverkuil: NULL != risc->cpu -> risc->cpu] + +Fixes: 5ede94c70553 ("[media] cx25821: remove bogus btcx_risc dependency) +Signed-off-by: Christophe JAILLET +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx25821/cx25821-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c +index 040c6c251d3a3..79582071f1390 100644 +--- a/drivers/media/pci/cx25821/cx25821-core.c ++++ b/drivers/media/pci/cx25821/cx25821-core.c +@@ -986,8 +986,10 @@ int cx25821_riscmem_alloc(struct pci_dev *pci, + __le32 *cpu; + dma_addr_t dma = 0; + +- if (NULL != risc->cpu && risc->size < size) ++ if (risc->cpu && risc->size < size) { + pci_free_consistent(pci, risc->size, risc->cpu, risc->dma); ++ risc->cpu = NULL; ++ } + if (NULL == risc->cpu) { + cpu = pci_zalloc_consistent(pci, size, &dma); + if (NULL == cpu) +-- +2.27.0 + diff --git a/queue-4.14/media-i2c-ov5670-fix-pixel_rate-minimum-value.patch b/queue-4.14/media-i2c-ov5670-fix-pixel_rate-minimum-value.patch new file mode 100644 index 00000000000..8670a77e178 --- /dev/null +++ b/queue-4.14/media-i2c-ov5670-fix-pixel_rate-minimum-value.patch @@ -0,0 +1,43 @@ +From e62dff4bed6832e67cd242a796e1940e8ca55d44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Dec 2020 18:52:20 +0100 +Subject: media: i2c: ov5670: Fix PIXEL_RATE minimum value + +From: Jacopo Mondi + +[ Upstream commit dc1eb7c9c290cba52937c9a224b22a400bb0ffd7 ] + +The driver currently reports a single supported value for +V4L2_CID_PIXEL_RATE and initializes the control's minimum value to 0, +which is very risky, as userspace might accidentally use it as divider +when calculating the time duration of a line. + +Fix this by using as minimum the only supported value when registering +the control. + +Fixes: 5de35c9b8dcd1 ("media: i2c: Add Omnivision OV5670 5M sensor support") +Signed-off-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5670.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/ov5670.c b/drivers/media/i2c/ov5670.c +index 6f7a1d6d22005..e3e8ba7b17169 100644 +--- a/drivers/media/i2c/ov5670.c ++++ b/drivers/media/i2c/ov5670.c +@@ -2073,7 +2073,8 @@ static int ov5670_init_controls(struct ov5670 *ov5670) + + /* By default, V4L2_CID_PIXEL_RATE is read only */ + ov5670->pixel_rate = v4l2_ctrl_new_std(ctrl_hdlr, &ov5670_ctrl_ops, +- V4L2_CID_PIXEL_RATE, 0, ++ V4L2_CID_PIXEL_RATE, ++ link_freq_configs[0].pixel_rate, + link_freq_configs[0].pixel_rate, + 1, + link_freq_configs[0].pixel_rate); +-- +2.27.0 + diff --git a/queue-4.14/media-lmedm04-fix-misuse-of-comma.patch b/queue-4.14/media-lmedm04-fix-misuse-of-comma.patch new file mode 100644 index 00000000000..e130fb9df88 --- /dev/null +++ b/queue-4.14/media-lmedm04-fix-misuse-of-comma.patch @@ -0,0 +1,40 @@ +From fda75b0ecaab678e9c93c074f82a68ca385f2408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 20:13:31 +0200 +Subject: media: lmedm04: Fix misuse of comma + +From: Joe Perches + +[ Upstream commit 59a3e78f8cc33901fe39035c1ab681374bba95ad ] + +There's a comma used instead of a semicolon that causes multiple +statements to be executed after an if instead of just the intended +single statement. + +Replace the comma with a semicolon. + +Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb") +Signed-off-by: Joe Perches +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c +index be26c029546bd..f481557f258ee 100644 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -436,7 +436,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) + ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe); + + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) +- lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa), ++ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa); + + lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + +-- +2.27.0 + diff --git a/queue-4.14/media-media-pci-fix-memleak-in-empress_init.patch b/queue-4.14/media-media-pci-fix-memleak-in-empress_init.patch new file mode 100644 index 00000000000..e486be45321 --- /dev/null +++ b/queue-4.14/media-media-pci-fix-memleak-in-empress_init.patch @@ -0,0 +1,42 @@ +From 379fc0f1364735d422b0124b70cc108e9fb09db3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jan 2021 07:27:22 +0100 +Subject: media: media/pci: Fix memleak in empress_init + +From: Dinghao Liu + +[ Upstream commit 15d0c52241ecb1c9d802506bff6f5c3f7872c0df ] + +When vb2_queue_init() fails, dev->empress_dev +should be released just like other error handling +paths. + +Fixes: 2ada815fc48bb ("[media] saa7134: convert to vb2") +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7134/saa7134-empress.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7134/saa7134-empress.c b/drivers/media/pci/saa7134/saa7134-empress.c +index 66acfd35ffc60..8680eb08b654d 100644 +--- a/drivers/media/pci/saa7134/saa7134-empress.c ++++ b/drivers/media/pci/saa7134/saa7134-empress.c +@@ -293,8 +293,11 @@ static int empress_init(struct saa7134_dev *dev) + q->lock = &dev->lock; + q->dev = &dev->pci->dev; + err = vb2_queue_init(q); +- if (err) ++ if (err) { ++ video_device_release(dev->empress_dev); ++ dev->empress_dev = NULL; + return err; ++ } + dev->empress_dev->queue = q; + + video_set_drvdata(dev->empress_dev, dev); +-- +2.27.0 + diff --git a/queue-4.14/media-pxa_camera-declare-variable-when-debug-is-defi.patch b/queue-4.14/media-pxa_camera-declare-variable-when-debug-is-defi.patch new file mode 100644 index 00000000000..9fb20e35501 --- /dev/null +++ b/queue-4.14/media-pxa_camera-declare-variable-when-debug-is-defi.patch @@ -0,0 +1,46 @@ +From 4cbb8244c458c956d8d50ed772afae1d960269a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 14:45:13 +0100 +Subject: media: pxa_camera: declare variable when DEBUG is defined +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom Rix + +[ Upstream commit 031b9212eeee365443aaef013360ea6cded7b2c4 ] + +When DEBUG is defined this error occurs + +drivers/media/platform/pxa_camera.c:1410:7: error: + ‘i’ undeclared (first use in this function) + for (i = 0; i < vb->num_planes; i++) + ^ +The variable 'i' is missing, so declare it. + +Fixes: 6f28435d1c15 ("[media] media: platform: pxa_camera: trivial move of functions") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/pxa_camera.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/pxa_camera.c b/drivers/media/platform/pxa_camera.c +index d270a23299cc7..18dce48a6828d 100644 +--- a/drivers/media/platform/pxa_camera.c ++++ b/drivers/media/platform/pxa_camera.c +@@ -1450,6 +1450,9 @@ static int pxac_vb2_prepare(struct vb2_buffer *vb) + struct pxa_camera_dev *pcdev = vb2_get_drv_priv(vb->vb2_queue); + struct pxa_buffer *buf = vb2_to_pxa_buffer(vb); + int ret = 0; ++#ifdef DEBUG ++ int i; ++#endif + + switch (pcdev->channels) { + case 1: +-- +2.27.0 + diff --git a/queue-4.14/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch b/queue-4.14/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch new file mode 100644 index 00000000000..e709332b5b9 --- /dev/null +++ b/queue-4.14/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch @@ -0,0 +1,43 @@ +From 6232a4f3ed0c1495a22e947cc3903ae1711b3ef6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Nov 2020 02:34:37 +0100 +Subject: media: qm1d1c0042: fix error return code in qm1d1c0042_init() + +From: Luo Meng + +[ Upstream commit fcf8d018bdca0453b8d6359062e6bc1512d04c38 ] + +Fix to return a negative error code from the error handling case +instead of 0 in function qm1d1c0042_init(), as done elsewhere +in this function. + +Fixes: ab4d14528fdf ("[media] em28xx: add support for PLEX PX-BCUD (ISDB-S)") +Reported-by: Hulk Robot +Signed-off-by: Luo Meng +Acked-by: Akihiro Tsukada +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/qm1d1c0042.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/tuners/qm1d1c0042.c b/drivers/media/tuners/qm1d1c0042.c +index 9af2a155cfca9..416d1eeb9c029 100644 +--- a/drivers/media/tuners/qm1d1c0042.c ++++ b/drivers/media/tuners/qm1d1c0042.c +@@ -352,8 +352,10 @@ static int qm1d1c0042_init(struct dvb_frontend *fe) + if (val == reg_initval[reg_index][0x00]) + break; + } +- if (reg_index >= QM1D1C0042_NUM_REG_ROWS) ++ if (reg_index >= QM1D1C0042_NUM_REG_ROWS) { ++ ret = -EINVAL; + goto failed; ++ } + memcpy(state->regs, reg_initval[reg_index], QM1D1C0042_NUM_REGS); + usleep_range(2000, 3000); + +-- +2.27.0 + diff --git a/queue-4.14/media-tm6000-fix-memleak-in-tm6000_start_stream.patch b/queue-4.14/media-tm6000-fix-memleak-in-tm6000_start_stream.patch new file mode 100644 index 00000000000..3f8281509fc --- /dev/null +++ b/queue-4.14/media-tm6000-fix-memleak-in-tm6000_start_stream.patch @@ -0,0 +1,40 @@ +From e6a5315b52c38f94e933b6bffc655e815f33c1a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jan 2021 09:26:37 +0100 +Subject: media: tm6000: Fix memleak in tm6000_start_stream + +From: Dinghao Liu + +[ Upstream commit 76aaf8a96771c16365b8510f1fb97738dc88026e ] + +When usb_clear_halt() fails, dvb->bulk_urb->transfer_buffer +and dvb->bulk_urb should be freed just like when +usb_submit_urb() fails. + +Fixes: 3169c9b26fffa ("V4L/DVB (12788): tm6000: Add initial DVB-T support") +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/tm6000/tm6000-dvb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/tm6000/tm6000-dvb.c b/drivers/media/usb/tm6000/tm6000-dvb.c +index 9a2af71c26912..98a4bbea33f52 100644 +--- a/drivers/media/usb/tm6000/tm6000-dvb.c ++++ b/drivers/media/usb/tm6000/tm6000-dvb.c +@@ -150,6 +150,10 @@ static int tm6000_start_stream(struct tm6000_core *dev) + if (ret < 0) { + printk(KERN_ERR "tm6000: error %i in %s during pipe reset\n", + ret, __func__); ++ ++ kfree(dvb->bulk_urb->transfer_buffer); ++ usb_free_urb(dvb->bulk_urb); ++ dvb->bulk_urb = NULL; + return ret; + } else + printk(KERN_ERR "tm6000: pipe resetted\n"); +-- +2.27.0 + diff --git a/queue-4.14/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch b/queue-4.14/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch new file mode 100644 index 00000000000..5f8d1e5b9fd --- /dev/null +++ b/queue-4.14/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch @@ -0,0 +1,82 @@ +From a0076013228fbf0d5deccfd134d68d24ff9fbe73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Dec 2020 15:11:13 +0100 +Subject: media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Laurent Pinchart + +[ Upstream commit dc9455ffae02d7b7fb51ba1e007fffcb9dc5d890 ] + +The Renkforce RF AC4K 300 Action Cam 4K reports invalid bFormatIndex and +bFrameIndex values when negotiating the video probe and commit controls. +The UVC descriptors report a single supported format and frame size, +with bFormatIndex and bFrameIndex both equal to 2, but the video probe +and commit controls report bFormatIndex and bFrameIndex set to 1. + +The device otherwise operates correctly, but the driver rejects the +values and fails the format try operation. Fix it by ignoring the +invalid indices, and assuming that the format and frame requested by the +driver are accepted by the device. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=210767 + +Fixes: 8a652a17e3c0 ("media: uvcvideo: Ensure all probed info is returned to v4l2") +Reported-by: Till Dörges +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 644afd55c0f0f..08a3a8ad79d75 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -253,7 +253,9 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + goto done; + + /* After the probe, update fmt with the values returned from +- * negotiation with the device. ++ * negotiation with the device. Some devices return invalid bFormatIndex ++ * and bFrameIndex values, in which case we can only assume they have ++ * accepted the requested format as-is. + */ + for (i = 0; i < stream->nformats; ++i) { + if (probe->bFormatIndex == stream->format[i].index) { +@@ -262,11 +264,10 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + } + } + +- if (i == stream->nformats) { +- uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n", ++ if (i == stream->nformats) ++ uvc_trace(UVC_TRACE_FORMAT, ++ "Unknown bFormatIndex %u, using default\n", + probe->bFormatIndex); +- return -EINVAL; +- } + + for (i = 0; i < format->nframes; ++i) { + if (probe->bFrameIndex == format->frame[i].bFrameIndex) { +@@ -275,11 +276,10 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + } + } + +- if (i == format->nframes) { +- uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n", ++ if (i == format->nframes) ++ uvc_trace(UVC_TRACE_FORMAT, ++ "Unknown bFrameIndex %u, using default\n", + probe->bFrameIndex); +- return -EINVAL; +- } + + fmt->fmt.pix.width = frame->wWidth; + fmt->fmt.pix.height = frame->wHeight; +-- +2.27.0 + diff --git a/queue-4.14/media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch b/queue-4.14/media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch new file mode 100644 index 00000000000..bdbb8a0611a --- /dev/null +++ b/queue-4.14/media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch @@ -0,0 +1,43 @@ +From 8cf32ac6145a368dfc66ea4584028536d3fa085b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Dec 2020 18:41:19 +0100 +Subject: media: vsp1: Fix an error handling path in the probe function + +From: Christophe JAILLET + +[ Upstream commit 7113469dafc2d545fa4fa9bc649c31dc27db492e ] + +A previous 'rcar_fcp_get()' call must be undone in the error handling path, +as already done in the remove function. + +Fixes: 94fcdf829793 ("[media] v4l: vsp1: Add FCP support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vsp1/vsp1_drv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/vsp1/vsp1_drv.c b/drivers/media/platform/vsp1/vsp1_drv.c +index 5836fb298de27..1b0c236e70fd3 100644 +--- a/drivers/media/platform/vsp1/vsp1_drv.c ++++ b/drivers/media/platform/vsp1/vsp1_drv.c +@@ -866,8 +866,10 @@ static int vsp1_probe(struct platform_device *pdev) + } + + done: +- if (ret) ++ if (ret) { + pm_runtime_disable(&pdev->dev); ++ rcar_fcp_put(vsp1->fcp); ++ } + + return ret; + } +-- +2.27.0 + diff --git a/queue-4.14/mfd-bd9571mwv-use-devm_mfd_add_devices.patch b/queue-4.14/mfd-bd9571mwv-use-devm_mfd_add_devices.patch new file mode 100644 index 00000000000..8baed83f8e8 --- /dev/null +++ b/queue-4.14/mfd-bd9571mwv-use-devm_mfd_add_devices.patch @@ -0,0 +1,43 @@ +From b01582f2d2dbe2932f61a038bb650ad5b0a51e25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jan 2021 18:00:56 +0900 +Subject: mfd: bd9571mwv: Use devm_mfd_add_devices() + +From: Yoshihiro Shimoda + +[ Upstream commit c58ad0f2b052b5675d6394e03713ee41e721b44c ] + +To remove mfd devices when unload this driver, should use +devm_mfd_add_devices() instead. + +Fixes: d3ea21272094 ("mfd: Add ROHM BD9571MWV-M MFD PMIC driver") +Signed-off-by: Yoshihiro Shimoda +Acked-for-MFD-by: Lee Jones +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Matti Vaittinen +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/bd9571mwv.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/bd9571mwv.c b/drivers/mfd/bd9571mwv.c +index 98192d4863e4c..100bd25a1a995 100644 +--- a/drivers/mfd/bd9571mwv.c ++++ b/drivers/mfd/bd9571mwv.c +@@ -183,9 +183,9 @@ static int bd9571mwv_probe(struct i2c_client *client, + return ret; + } + +- ret = mfd_add_devices(bd->dev, PLATFORM_DEVID_AUTO, bd9571mwv_cells, +- ARRAY_SIZE(bd9571mwv_cells), NULL, 0, +- regmap_irq_get_domain(bd->irq_data)); ++ ret = devm_mfd_add_devices(bd->dev, PLATFORM_DEVID_AUTO, ++ bd9571mwv_cells, ARRAY_SIZE(bd9571mwv_cells), ++ NULL, 0, regmap_irq_get_domain(bd->irq_data)); + if (ret) { + regmap_del_irq_chip(bd->irq, bd->irq_data); + return ret; +-- +2.27.0 + diff --git a/queue-4.14/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch b/queue-4.14/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch new file mode 100644 index 00000000000..296b36d9512 --- /dev/null +++ b/queue-4.14/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch @@ -0,0 +1,44 @@ +From ff2887da7a74ec7a55f8b9089be805d9efd8aae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 17:37:24 +0300 +Subject: mfd: wm831x-auxadc: Prevent use after free in + wm831x_auxadc_read_irq() + +From: Dan Carpenter + +[ Upstream commit 26783d74cc6a440ee3ef9836a008a697981013d0 ] + +The "req" struct is always added to the "wm831x->auxadc_pending" list, +but it's only removed from the list on the success path. If a failure +occurs then the "req" struct is freed but it's still on the list, +leading to a use after free. + +Fixes: 78bb3688ea18 ("mfd: Support multiple active WM831x AUXADC conversions") +Signed-off-by: Dan Carpenter +Acked-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/wm831x-auxadc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/mfd/wm831x-auxadc.c b/drivers/mfd/wm831x-auxadc.c +index fd789d2eb0f52..9f7ae1e1ebcd6 100644 +--- a/drivers/mfd/wm831x-auxadc.c ++++ b/drivers/mfd/wm831x-auxadc.c +@@ -98,11 +98,10 @@ static int wm831x_auxadc_read_irq(struct wm831x *wm831x, + wait_for_completion_timeout(&req->done, msecs_to_jiffies(500)); + + mutex_lock(&wm831x->auxadc_lock); +- +- list_del(&req->list); + ret = req->val; + + out: ++ list_del(&req->list); + mutex_unlock(&wm831x->auxadc_lock); + + kfree(req); +-- +2.27.0 + diff --git a/queue-4.14/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch b/queue-4.14/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch new file mode 100644 index 00000000000..47534ad2532 --- /dev/null +++ b/queue-4.14/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch @@ -0,0 +1,45 @@ +From 220f212e07518c8effaac465bc5819b8325b3549 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 13:34:56 -0700 +Subject: MIPS: c-r4k: Fix section mismatch for loongson2_sc_init + +From: Nathan Chancellor + +[ Upstream commit c58734eee6a2151ba033c0dcb31902c89e310374 ] + +When building with clang, the following section mismatch warning occurs: + +WARNING: modpost: vmlinux.o(.text+0x24490): Section mismatch in +reference from the function r4k_cache_init() to the function +.init.text:loongson2_sc_init() + +This should have been fixed with commit ad4fddef5f23 ("mips: fix Section +mismatch in reference") but it was missed. Remove the improper __init +annotation like that commit did. + +Fixes: 078a55fc824c ("MIPS: Delete __cpuinit/__CPUINIT usage from MIPS code") +Link: https://github.com/ClangBuiltLinux/linux/issues/787 +Signed-off-by: Nathan Chancellor +Reviewed-by: Huacai Chen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/c-r4k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c +index e4de107bf7fd8..c1afed6b1ce72 100644 +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -1665,7 +1665,7 @@ static int probe_scache(void) + return 1; + } + +-static void __init loongson2_sc_init(void) ++static void loongson2_sc_init(void) + { + struct cpuinfo_mips *c = ¤t_cpu_data; + +-- +2.27.0 + diff --git a/queue-4.14/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch b/queue-4.14/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch new file mode 100644 index 00000000000..23d139a78a8 --- /dev/null +++ b/queue-4.14/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch @@ -0,0 +1,55 @@ +From 58f101485782f8e8c9b78385bf5cd6727534e6b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 13:15:48 -0700 +Subject: MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 + +From: Nathan Chancellor + +[ Upstream commit c6f2a9e17b9bef7677caddb1626c2402f3e9d2bd ] + +When building xway_defconfig with clang: + +arch/mips/lantiq/irq.c:305:48: error: use of logical '&&' with constant +operand [-Werror,-Wconstant-logical-operand] + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ^ ~~~~~~~~~~~~~~~~~ +arch/mips/lantiq/irq.c:305:48: note: use '&' for a bitwise operation + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ^~ + & +arch/mips/lantiq/irq.c:305:48: note: remove constant to silence this +warning + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ~^~~~~~~~~~~~~~~~~~~~ +1 error generated. + +Explicitly compare the constant LTQ_EBU_PCC_ISTAT against 0 to fix the +warning. Additionally, remove the unnecessary parentheses as this is a +simple conditional statement and shorthand '== 0' to '!'. + +Fixes: 3645da0276ae ("OF: MIPS: lantiq: implement irq_domain support") +Link: https://github.com/ClangBuiltLinux/linux/issues/807 +Reported-by: Dmitry Golovin +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c +index 37caeadb2964c..0476d7e97a03f 100644 +--- a/arch/mips/lantiq/irq.c ++++ b/arch/mips/lantiq/irq.c +@@ -244,7 +244,7 @@ static void ltq_hw_irq_handler(struct irq_desc *desc) + generic_handle_irq(irq_linear_revmap(ltq_domain, hwirq)); + + /* if this is a EBU irq, we need to ack it or get a deadlock */ +- if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) ++ if (irq == LTQ_ICU_EBU_IRQ && !module && LTQ_EBU_PCC_ISTAT != 0) + ltq_ebu_w32(ltq_ebu_r32(LTQ_EBU_PCC_ISTAT) | 0x10, + LTQ_EBU_PCC_ISTAT); + } +-- +2.27.0 + diff --git a/queue-4.14/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch b/queue-4.14/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch new file mode 100644 index 00000000000..eed56f8f8b9 --- /dev/null +++ b/queue-4.14/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch @@ -0,0 +1,38 @@ +From d9ff9d0b5618add1fb946b2100dbb0d5415e9a0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 10:42:52 +0530 +Subject: misc: eeprom_93xx46: Add module alias to avoid breaking support for + non device tree users + +From: Aswath Govindraju + +[ Upstream commit 4540b9fbd8ebb21bb3735796d300a1589ee5fbf2 ] + +Module alias "spi:93xx46" is used by non device tree users like +drivers/misc/eeprom/digsy_mtc_eeprom.c and removing it will +break support for them. + +Fix this by adding back the module alias "spi:93xx46". + +Fixes: 13613a2246bf ("misc: eeprom_93xx46: Fix module alias to enable module autoprobe") +Signed-off-by: Aswath Govindraju +Link: https://lore.kernel.org/r/20210113051253.15061-1-a-govindraju@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/eeprom_93xx46.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/eeprom/eeprom_93xx46.c b/drivers/misc/eeprom/eeprom_93xx46.c +index afaa717207b37..a3248ebd28c62 100644 +--- a/drivers/misc/eeprom/eeprom_93xx46.c ++++ b/drivers/misc/eeprom/eeprom_93xx46.c +@@ -522,4 +522,5 @@ module_spi_driver(eeprom_93xx46_driver); + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Driver for 93xx46 EEPROMs"); + MODULE_AUTHOR("Anatolij Gustschin "); ++MODULE_ALIAS("spi:93xx46"); + MODULE_ALIAS("spi:eeprom-93xx46"); +-- +2.27.0 + diff --git a/queue-4.14/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch b/queue-4.14/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch new file mode 100644 index 00000000000..19d71bad5f6 --- /dev/null +++ b/queue-4.14/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch @@ -0,0 +1,34 @@ +From f8f1b75b6485bd364b9681e6d2e9d23f9315f723 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 22:09:53 +0530 +Subject: misc: eeprom_93xx46: Fix module alias to enable module autoprobe + +From: Aswath Govindraju + +[ Upstream commit 13613a2246bf531f5fc04e8e62e8f21a3d39bf1c ] + +Fix module autoprobe by correcting module alias to match the string from +/sys/class/.../spi1.0/modalias content. + +Fixes: 06b4501e88ad ("misc/eeprom: add driver for microwire 93xx46 EEPROMs") +Signed-off-by: Aswath Govindraju +Link: https://lore.kernel.org/r/20210107163957.28664-2-a-govindraju@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/eeprom_93xx46.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/eeprom/eeprom_93xx46.c b/drivers/misc/eeprom/eeprom_93xx46.c +index 38766968bfa20..afaa717207b37 100644 +--- a/drivers/misc/eeprom/eeprom_93xx46.c ++++ b/drivers/misc/eeprom/eeprom_93xx46.c +@@ -522,4 +522,4 @@ module_spi_driver(eeprom_93xx46_driver); + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Driver for 93xx46 EEPROMs"); + MODULE_AUTHOR("Anatolij Gustschin "); +-MODULE_ALIAS("spi:93xx46"); ++MODULE_ALIAS("spi:eeprom-93xx46"); +-- +2.27.0 + diff --git a/queue-4.14/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch b/queue-4.14/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch new file mode 100644 index 00000000000..d5c44525757 --- /dev/null +++ b/queue-4.14/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch @@ -0,0 +1,46 @@ +From a776f04646749149eb78621a7f1d7b6f5b7ab22a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 12:06:50 -0800 +Subject: mm/hugetlb: fix potential double free in hugetlb_register_node() + error path + +From: Miaohe Lin + +[ Upstream commit cc2205a67dec5a700227a693fc113441e73e4641 ] + +In hugetlb_sysfs_add_hstate(), we would do kobject_put() on hstate_kobjs +when failed to create sysfs group but forget to set hstate_kobjs to NULL. +Then in hugetlb_register_node() error path, we may free it again via +hugetlb_unregister_node(). + +Link: https://lkml.kernel.org/r/20210107123249.36964-1-linmiaohe@huawei.com +Fixes: a3437870160c ("hugetlb: new sysfs interface") +Signed-off-by: Miaohe Lin +Reviewed-by: Mike Kravetz +Reviewed-by: Muchun Song +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/hugetlb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 5f0d0f92adbf8..e67ed9dab409b 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2603,8 +2603,10 @@ static int hugetlb_sysfs_add_hstate(struct hstate *h, struct kobject *parent, + return -ENOMEM; + + retval = sysfs_create_group(hstate_kobjs[hi], hstate_attr_group); +- if (retval) ++ if (retval) { + kobject_put(hstate_kobjs[hi]); ++ hstate_kobjs[hi] = NULL; ++ } + + return retval; + } +-- +2.27.0 + diff --git a/queue-4.14/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch b/queue-4.14/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch new file mode 100644 index 00000000000..43234c39771 --- /dev/null +++ b/queue-4.14/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch @@ -0,0 +1,66 @@ +From 48cc7466a619a0633c7d1de1cfb419e02f0daf43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 12:04:33 -0800 +Subject: mm/memory.c: fix potential pte_unmap_unlock pte error + +From: Miaohe Lin + +[ Upstream commit 90a3e375d324b2255b83e3dd29e99e2b05d82aaf ] + +Since commit 42e4089c7890 ("x86/speculation/l1tf: Disallow non privileged +high MMIO PROT_NONE mappings"), when the first pfn modify is not allowed, +we would break the loop with pte unchanged. Then the wrong pte - 1 would +be passed to pte_unmap_unlock. + +Andi said: + + "While the fix is correct, I'm not sure if it actually is a real bug. + Is there any architecture that would do something else than unlocking + the underlying page? If it's just the underlying page then it should + be always the same page, so no bug" + +Link: https://lkml.kernel.org/r/20210109080118.20885-1-linmiaohe@huawei.com +Fixes: 42e4089c789 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings") +Signed-off-by: Hongxiang Lou +Signed-off-by: Miaohe Lin +Cc: Thomas Gleixner +Cc: Dave Hansen +Cc: Andi Kleen +Cc: Josh Poimboeuf +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/mm/memory.c b/mm/memory.c +index caefa5526b20c..5c2511831723e 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1984,11 +1984,11 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, + unsigned long addr, unsigned long end, + unsigned long pfn, pgprot_t prot) + { +- pte_t *pte; ++ pte_t *pte, *mapped_pte; + spinlock_t *ptl; + int err = 0; + +- pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); ++ mapped_pte = pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); + if (!pte) + return -ENOMEM; + arch_enter_lazy_mmu_mode(); +@@ -2002,7 +2002,7 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, + pfn++; + } while (pte++, addr += PAGE_SIZE, addr != end); + arch_leave_lazy_mmu_mode(); +- pte_unmap_unlock(pte - 1, ptl); ++ pte_unmap_unlock(mapped_pte, ptl); + return err; + } + +-- +2.27.0 + diff --git a/queue-4.14/mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch b/queue-4.14/mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch new file mode 100644 index 00000000000..1e852c6319a --- /dev/null +++ b/queue-4.14/mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch @@ -0,0 +1,56 @@ +From 8e9eaffc58eb5b1496333bc40299795255361095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 17:18:09 -0800 +Subject: mm/rmap: fix potential pte_unmap on an not mapped pte + +From: Miaohe Lin + +[ Upstream commit 5d5d19eda6b0ee790af89c45e3f678345be6f50f ] + +For PMD-mapped page (usually THP), pvmw->pte is NULL. For PTE-mapped THP, +pvmw->pte is mapped. But for HugeTLB pages, pvmw->pte is not mapped and +set to the relevant page table entry. So in page_vma_mapped_walk_done(), +we may do pte_unmap() for HugeTLB pte which is not mapped. Fix this by +checking pvmw->page against PageHuge before trying to do pte_unmap(). + +Link: https://lkml.kernel.org/r/20210127093349.39081-1-linmiaohe@huawei.com +Fixes: ace71a19cec5 ("mm: introduce page_vma_mapped_walk()") +Signed-off-by: Hongxiang Lou +Signed-off-by: Miaohe Lin +Tested-by: Sedat Dilek +Cc: Kees Cook +Cc: Nathan Chancellor +Cc: Mike Kravetz +Cc: Shakeel Butt +Cc: Johannes Weiner +Cc: Vlastimil Babka +Cc: Michel Lespinasse +Cc: Nick Desaulniers +Cc: "Kirill A. Shutemov" +Cc: Wei Yang +Cc: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: Brian Geffon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/rmap.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/rmap.h b/include/linux/rmap.h +index 988d176472df7..d7d6d4eb17949 100644 +--- a/include/linux/rmap.h ++++ b/include/linux/rmap.h +@@ -214,7 +214,8 @@ struct page_vma_mapped_walk { + + static inline void page_vma_mapped_walk_done(struct page_vma_mapped_walk *pvmw) + { +- if (pvmw->pte) ++ /* HugeTLB pte is set to the relevant page table entry without pte_mapped. */ ++ if (pvmw->pte && !PageHuge(pvmw->page)) + pte_unmap(pvmw->pte); + if (pvmw->ptl) + spin_unlock(pvmw->ptl); +-- +2.27.0 + diff --git a/queue-4.14/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch b/queue-4.14/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch new file mode 100644 index 00000000000..e42d6d4bbdd --- /dev/null +++ b/queue-4.14/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch @@ -0,0 +1,46 @@ +From 6003170822aeb93bcbf818d47aab94479317e87c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Dec 2020 22:09:22 +0100 +Subject: mmc: usdhi6rol0: Fix a resource leak in the error handling path of + the probe + +From: Christophe JAILLET + +[ Upstream commit 6052b3c370fb82dec28bcfff6d7ec0da84ac087a ] + +A call to 'ausdhi6_dma_release()' to undo a previous call to +'usdhi6_dma_request()' is missing in the error handling path of the probe +function. + +It is already present in the remove function. + +Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201217210922.165340-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/usdhi6rol0.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c +index 64da6a88cfb90..76e31a30b0cf9 100644 +--- a/drivers/mmc/host/usdhi6rol0.c ++++ b/drivers/mmc/host/usdhi6rol0.c +@@ -1866,10 +1866,12 @@ static int usdhi6_probe(struct platform_device *pdev) + + ret = mmc_add_host(mmc); + if (ret < 0) +- goto e_clk_off; ++ goto e_release_dma; + + return 0; + ++e_release_dma: ++ usdhi6_dma_release(host); + e_clk_off: + clk_disable_unprepare(host->clk); + e_free_mmc: +-- +2.27.0 + diff --git a/queue-4.14/net-amd-xgbe-reset-link-when-the-link-never-comes-ba.patch b/queue-4.14/net-amd-xgbe-reset-link-when-the-link-never-comes-ba.patch new file mode 100644 index 00000000000..28f94ff2f3d --- /dev/null +++ b/queue-4.14/net-amd-xgbe-reset-link-when-the-link-never-comes-ba.patch @@ -0,0 +1,66 @@ +From 656c799b847a5f6c29b9f7bc2da5641dda967f4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Feb 2021 00:37:09 +0530 +Subject: net: amd-xgbe: Reset link when the link never comes back + +From: Shyam Sundar S K + +[ Upstream commit 84fe68eb67f9499309cffd97c1ba269de125ff14 ] + +Normally, auto negotiation and reconnect should be automatically done by +the hardware. But there seems to be an issue where auto negotiation has +to be restarted manually. This happens because of link training and so +even though still connected to the partner the link never "comes back". +This needs an auto-negotiation restart. + +Also, a change in xgbe-mdio is needed to get ethtool to recognize the +link down and get the link change message. This change is only +required in a backplane connection mode. + +Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 2 +- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 119777986ea48..20ac6db6437b7 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -1355,7 +1355,7 @@ static void xgbe_phy_status(struct xgbe_prv_data *pdata) + &an_restart); + if (an_restart) { + xgbe_phy_config_aneg(pdata); +- return; ++ goto adjust_link; + } + + if (pdata->phy.link) { +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 4bb95ec6fba4a..bb6f0dcea6eab 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2435,6 +2435,14 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + if (reg & MDIO_STAT1_LSTATUS) + return 1; + ++ if (pdata->phy.autoneg == AUTONEG_ENABLE && ++ phy_data->port_mode == XGBE_PORT_MODE_BACKPLANE) { ++ if (!test_bit(XGBE_LINK_INIT, &pdata->dev_state)) { ++ netif_carrier_off(pdata->netdev); ++ *an_restart = 1; ++ } ++ } ++ + /* No link, attempt a receiver reset cycle */ + if (phy_data->rrc_count++ > XGBE_RRC_FREQUENCY) { + phy_data->rrc_count = 0; +-- +2.27.0 + diff --git a/queue-4.14/net-amd-xgbe-reset-the-phy-rx-data-path-when-mailbox.patch b/queue-4.14/net-amd-xgbe-reset-the-phy-rx-data-path-when-mailbox.patch new file mode 100644 index 00000000000..de3c6e33672 --- /dev/null +++ b/queue-4.14/net-amd-xgbe-reset-the-phy-rx-data-path-when-mailbox.patch @@ -0,0 +1,128 @@ +From 2c49908125bc1eb95771cee5da1c47bff75aec7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Feb 2021 00:37:07 +0530 +Subject: net: amd-xgbe: Reset the PHY rx data path when mailbox command + timeout + +From: Shyam Sundar S K + +[ Upstream commit 30b7edc82ec82578f4f5e6706766f0a9535617d3 ] + +Sometimes mailbox commands timeout when the RX data path becomes +unresponsive. This prevents the submission of new mailbox commands to DXIO. +This patch identifies the timeout and resets the RX data path so that the +next message can be submitted properly. + +Fixes: 549b32af9f7c ("amd-xgbe: Simplify mailbox interface rate change code") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-common.h | 14 +++++++++++ + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 28 ++++++++++++++++++++- + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +index b40d4377cc71d..b2cd3bdba9f89 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +@@ -1279,10 +1279,18 @@ + #define MDIO_PMA_10GBR_FECCTRL 0x00ab + #endif + ++#ifndef MDIO_PMA_RX_CTRL1 ++#define MDIO_PMA_RX_CTRL1 0x8051 ++#endif ++ + #ifndef MDIO_PCS_DIG_CTRL + #define MDIO_PCS_DIG_CTRL 0x8000 + #endif + ++#ifndef MDIO_PCS_DIGITAL_STAT ++#define MDIO_PCS_DIGITAL_STAT 0x8010 ++#endif ++ + #ifndef MDIO_AN_XNP + #define MDIO_AN_XNP 0x0016 + #endif +@@ -1358,6 +1366,8 @@ + #define XGBE_KR_TRAINING_ENABLE BIT(1) + + #define XGBE_PCS_CL37_BP BIT(12) ++#define XGBE_PCS_PSEQ_STATE_MASK 0x1c ++#define XGBE_PCS_PSEQ_STATE_POWER_GOOD 0x10 + + #define XGBE_AN_CL37_INT_CMPLT BIT(0) + #define XGBE_AN_CL37_INT_MASK 0x01 +@@ -1375,6 +1385,10 @@ + #define XGBE_PMA_CDR_TRACK_EN_OFF 0x00 + #define XGBE_PMA_CDR_TRACK_EN_ON 0x01 + ++#define XGBE_PMA_RX_RST_0_MASK BIT(4) ++#define XGBE_PMA_RX_RST_0_RESET_ON 0x10 ++#define XGBE_PMA_RX_RST_0_RESET_OFF 0x00 ++ + /* Bit setting and getting macros + * The get macro will extract the current bit field value from within + * the variable +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index aac884314000c..4bb95ec6fba4a 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -1782,6 +1782,27 @@ static void xgbe_phy_set_redrv_mode(struct xgbe_prv_data *pdata) + xgbe_phy_put_comm_ownership(pdata); + } + ++static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata) ++{ ++ int reg; ++ ++ reg = XMDIO_READ_BITS(pdata, MDIO_MMD_PCS, MDIO_PCS_DIGITAL_STAT, ++ XGBE_PCS_PSEQ_STATE_MASK); ++ if (reg == XGBE_PCS_PSEQ_STATE_POWER_GOOD) { ++ /* Mailbox command timed out, reset of RX block is required. ++ * This can be done by asseting the reset bit and wait for ++ * its compeletion. ++ */ ++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_CTRL1, ++ XGBE_PMA_RX_RST_0_MASK, XGBE_PMA_RX_RST_0_RESET_ON); ++ ndelay(20); ++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_CTRL1, ++ XGBE_PMA_RX_RST_0_MASK, XGBE_PMA_RX_RST_0_RESET_OFF); ++ usleep_range(40, 50); ++ netif_err(pdata, link, pdata->netdev, "firmware mailbox reset performed\n"); ++ } ++} ++ + static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + unsigned int cmd, unsigned int sub_cmd) + { +@@ -1789,9 +1810,11 @@ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + unsigned int wait; + + /* Log if a previous command did not complete */ +- if (XP_IOREAD_BITS(pdata, XP_DRIVER_INT_RO, STATUS)) ++ if (XP_IOREAD_BITS(pdata, XP_DRIVER_INT_RO, STATUS)) { + netif_dbg(pdata, link, pdata->netdev, + "firmware mailbox not ready for command\n"); ++ xgbe_phy_rx_reset(pdata); ++ } + + /* Construct the command */ + XP_SET_BITS(s0, XP_DRIVER_SCRATCH_0, COMMAND, cmd); +@@ -1813,6 +1836,9 @@ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + + netif_dbg(pdata, link, pdata->netdev, + "firmware mailbox command did not complete\n"); ++ ++ /* Reset on error */ ++ xgbe_phy_rx_reset(pdata); + } + + static void xgbe_phy_rrc(struct xgbe_prv_data *pdata) +-- +2.27.0 + diff --git a/queue-4.14/net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch b/queue-4.14/net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch new file mode 100644 index 00000000000..9ffc6ae7541 --- /dev/null +++ b/queue-4.14/net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch @@ -0,0 +1,39 @@ +From 1db90efa8d78e325d5c0f145a0d7adbaee1cb360 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Feb 2021 22:35:59 +0800 +Subject: net/mlx4_core: Add missed mlx4_free_cmd_mailbox() + +From: Chuhong Yuan + +[ Upstream commit 8eb65fda4a6dbd59cd5de24b106a10b6ee0d2176 ] + +mlx4_do_mirror_rule() forgets to call mlx4_free_cmd_mailbox() to +free the memory region allocated by mlx4_alloc_cmd_mailbox() before +an exit. +Add the missed call to fix it. + +Fixes: 78efed275117 ("net/mlx4_core: Support mirroring VF DMFS rules on both ports") +Signed-off-by: Chuhong Yuan +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20210221143559.390277-1-hslester96@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +index 66e8054a8966d..ebff014f3218c 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -4988,6 +4988,7 @@ static int mlx4_do_mirror_rule(struct mlx4_dev *dev, struct res_fs_rule *fs_rule + + if (!fs_rule->mirr_mbox) { + mlx4_err(dev, "rule mirroring mailbox is null\n"); ++ mlx4_free_cmd_mailbox(dev, mailbox); + return -EINVAL; + } + memcpy(mailbox->buf, fs_rule->mirr_mbox, fs_rule->mirr_mbox_size); +-- +2.27.0 + diff --git a/queue-4.14/net-mvneta-remove-per-cpu-queue-mapping-for-armada-3.patch b/queue-4.14/net-mvneta-remove-per-cpu-queue-mapping-for-armada-3.patch new file mode 100644 index 00000000000..7475630ce89 --- /dev/null +++ b/queue-4.14/net-mvneta-remove-per-cpu-queue-mapping-for-armada-3.patch @@ -0,0 +1,55 @@ +From 7536ee8e3eee48352159a3f2194ec3f521add55d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Feb 2021 10:25:35 +0100 +Subject: net: mvneta: Remove per-cpu queue mapping for Armada 3700 + +From: Maxime Chevallier + +[ Upstream commit cf9bf871280d9e0a8869d98c2602d29caf69dfa3 ] + +According to Errata #23 "The per-CPU GbE interrupt is limited to Core +0", we can't use the per-cpu interrupt mechanism on the Armada 3700 +familly. + +This is correctly checked for RSS configuration, but the initial queue +mapping is still done by having the queues spread across all the CPUs in +the system, both in the init path and in the cpu_hotplug path. + +Fixes: 2636ac3cc2b4 ("net: mvneta: Add network support for Armada 3700 SoC") +Signed-off-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index a115e51dc2115..cc0414fd13557 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -2958,7 +2958,9 @@ static int mvneta_txq_init(struct mvneta_port *pp, + mvneta_tx_done_pkts_coal_set(pp, txq, txq->done_pkts_coal); + + /* Setup XPS mapping */ +- if (txq_number > 1) ++ if (pp->neta_armada3700) ++ cpu = 0; ++ else if (txq_number > 1) + cpu = txq->id % num_present_cpus(); + else + cpu = pp->rxq_def % num_present_cpus(); +@@ -3409,6 +3411,11 @@ static int mvneta_cpu_online(unsigned int cpu, struct hlist_node *node) + node_online); + struct mvneta_pcpu_port *port = per_cpu_ptr(pp->ports, cpu); + ++ /* Armada 3700's per-cpu interrupt for mvneta is broken, all interrupts ++ * are routed to CPU 0, so we don't need all the cpu-hotplug support ++ */ ++ if (pp->neta_armada3700) ++ return 0; + + spin_lock(&pp->lock); + /* +-- +2.27.0 + diff --git a/queue-4.14/ocfs2-fix-a-use-after-free-on-error.patch b/queue-4.14/ocfs2-fix-a-use-after-free-on-error.patch new file mode 100644 index 00000000000..00e91b030c6 --- /dev/null +++ b/queue-4.14/ocfs2-fix-a-use-after-free-on-error.patch @@ -0,0 +1,60 @@ +From d7f2f8b9b7138ea6cf34c88ec851c83660baf2c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 12:00:41 -0800 +Subject: ocfs2: fix a use after free on error + +From: Dan Carpenter + +[ Upstream commit c57d117f2b2f2a19b570c36f2819ef8d8210af20 ] + +The error handling in this function frees "reg" but it is still on the +"o2hb_all_regions" list so it will lead to a use after freew. Joseph Qi +points out that we need to clear the bit in the "o2hb_region_bitmap" as +well + +Link: https://lkml.kernel.org/r/YBk4M6HUG8jB/jc7@mwanda +Fixes: 1cf257f51191 ("ocfs2: fix memory leak") +Signed-off-by: Dan Carpenter +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/cluster/heartbeat.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c +index d0206042d068b..241dd3bb30e4f 100644 +--- a/fs/ocfs2/cluster/heartbeat.c ++++ b/fs/ocfs2/cluster/heartbeat.c +@@ -2154,7 +2154,7 @@ static struct config_item *o2hb_heartbeat_group_make_item(struct config_group *g + o2hb_nego_timeout_handler, + reg, NULL, ®->hr_handler_list); + if (ret) +- goto free; ++ goto remove_item; + + ret = o2net_register_handler(O2HB_NEGO_APPROVE_MSG, reg->hr_key, + sizeof(struct o2hb_nego_msg), +@@ -2173,6 +2173,12 @@ static struct config_item *o2hb_heartbeat_group_make_item(struct config_group *g + + unregister_handler: + o2net_unregister_handler_list(®->hr_handler_list); ++remove_item: ++ spin_lock(&o2hb_live_lock); ++ list_del(®->hr_all_item); ++ if (o2hb_global_heartbeat_active()) ++ clear_bit(reg->hr_region_num, o2hb_region_bitmap); ++ spin_unlock(&o2hb_live_lock); + free: + kfree(reg); + return ERR_PTR(ret); +-- +2.27.0 + diff --git a/queue-4.14/of-fdt-make-sure-no-map-does-not-remove-already-rese.patch b/queue-4.14/of-fdt-make-sure-no-map-does-not-remove-already-rese.patch new file mode 100644 index 00000000000..f0f0e188899 --- /dev/null +++ b/queue-4.14/of-fdt-make-sure-no-map-does-not-remove-already-rese.patch @@ -0,0 +1,80 @@ +From 28532b48d428b2e539e9f0005ed441f8de683dea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 11:45:44 +0000 +Subject: of/fdt: Make sure no-map does not remove already reserved regions + +From: Nicolas Boichat + +[ Upstream commit 8a5a75e5e9e55de1cef5d83ca3589cb4899193ef ] + +If the device tree is incorrectly configured, and attempts to +define a "no-map" reserved memory that overlaps with the kernel +data/code, the kernel would crash quickly after boot, with no +obvious clue about the nature of the issue. + +For example, this would happen if we have the kernel mapped at +these addresses (from /proc/iomem): +40000000-41ffffff : System RAM + 40080000-40dfffff : Kernel code + 40e00000-411fffff : reserved + 41200000-413e0fff : Kernel data + +And we declare a no-map shared-dma-pool region at a fixed address +within that range: +mem_reserved: mem_region { + compatible = "shared-dma-pool"; + reg = <0 0x40000000 0 0x01A00000>; + no-map; +}; + +To fix this, when removing memory regions at early boot (which is +what "no-map" regions do), we need to make sure that the memory +is not already reserved. If we do, __reserved_mem_reserve_reg +will throw an error: +[ 0.000000] OF: fdt: Reserved memory: failed to reserve memory + for node 'mem_region': base 0x0000000040000000, size 26 MiB +and the code that will try to use the region should also fail, +later on. + +We do not do anything for non-"no-map" regions, as memblock +explicitly allows reserved regions to overlap, and the commit +that this fixes removed the check for that precise reason. + +[ qperret: fixed conflicts caused by the usage of memblock_mark_nomap ] + +Fixes: 094cb98179f19b7 ("of/fdt: memblock_reserve /memreserve/ regions in the case of partial overlap") +Signed-off-by: Nicolas Boichat +Reviewed-by: Stephen Boyd +Signed-off-by: Quentin Perret +Link: https://lore.kernel.org/r/20210115114544.1830068-3-qperret@google.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 6df66fcefbb40..3f58812d02d9f 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -1212,8 +1212,16 @@ int __init __weak early_init_dt_mark_hotplug_memory_arch(u64 base, u64 size) + int __init __weak early_init_dt_reserve_memory_arch(phys_addr_t base, + phys_addr_t size, bool nomap) + { +- if (nomap) ++ if (nomap) { ++ /* ++ * If the memory is already reserved (by another region), we ++ * should not allow it to be marked nomap. ++ */ ++ if (memblock_is_region_reserved(base, size)) ++ return -EBUSY; ++ + return memblock_mark_nomap(base, size); ++ } + return memblock_reserve(base, size); + } + +-- +2.27.0 + diff --git a/queue-4.14/pci-align-checking-of-syscall-user-config-accessors.patch b/queue-4.14/pci-align-checking-of-syscall-user-config-accessors.patch new file mode 100644 index 00000000000..e1bd4a09a27 --- /dev/null +++ b/queue-4.14/pci-align-checking-of-syscall-user-config-accessors.patch @@ -0,0 +1,80 @@ +From e1c8a89ee9a04e24e96df800da6cca8c54f7de5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Jan 2021 16:39:32 +0100 +Subject: PCI: Align checking of syscall user config accessors + +From: Heiner Kallweit + +[ Upstream commit ef9e4005cbaf022c6251263aa27836acccaef65d ] + +After 34e3207205ef ("PCI: handle positive error codes"), +pci_user_read_config_*() and pci_user_write_config_*() return 0 or negative +errno values, not PCIBIOS_* values like PCIBIOS_SUCCESSFUL or +PCIBIOS_BAD_REGISTER_NUMBER. + +Remove comparisons with PCIBIOS_SUCCESSFUL and check only for non-zero. It +happens that PCIBIOS_SUCCESSFUL is zero, so this is not a functional +change, but it aligns this code with the user accessors. + +[bhelgaas: commit log] +Fixes: 34e3207205ef ("PCI: handle positive error codes") +Link: https://lore.kernel.org/r/f1220314-e518-1e18-bf94-8e6f8c703758@gmail.com +Signed-off-by: Heiner Kallweit +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/syscall.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c +index 83efa001c2e78..7445f895ecd1a 100644 +--- a/drivers/pci/syscall.c ++++ b/drivers/pci/syscall.c +@@ -22,7 +22,7 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn, + u16 word; + u32 dword; + long err; +- long cfg_ret; ++ int cfg_ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -48,7 +48,7 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn, + } + + err = -EIO; +- if (cfg_ret != PCIBIOS_SUCCESSFUL) ++ if (cfg_ret) + goto error; + + switch (len) { +@@ -106,7 +106,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + break; + err = pci_user_write_config_byte(dev, off, byte); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +@@ -115,7 +115,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + break; + err = pci_user_write_config_word(dev, off, word); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +@@ -124,7 +124,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + break; + err = pci_user_write_config_dword(dev, off, dword); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +-- +2.27.0 + diff --git a/queue-4.14/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch b/queue-4.14/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch new file mode 100644 index 00000000000..8f7900b1aa0 --- /dev/null +++ b/queue-4.14/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch @@ -0,0 +1,41 @@ +From 5f497d6e2f8863a17f4f88fc7630f9625bf2b894 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 19:53:47 +0200 +Subject: perf intel-pt: Fix missing CYC processing in PSB + +From: Adrian Hunter + +[ Upstream commit 03fb0f859b45d1eb05c984ab4bd3bef67e45ede2 ] + +Add missing CYC packet processing when walking through PSB+. This +improves the accuracy of timestamps that follow PSB+, until the next +MTC. + +Fixes: 3d49807870f08 ("perf tools: Add new Intel PT packet definitions") +Signed-off-by: Adrian Hunter +Reviewed-by: Andi Kleen +Cc: Jiri Olsa +Link: https://lore.kernel.org/r/20210205175350.23817-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index 6522b6513895c..e2f038f84dbc1 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -1596,6 +1596,9 @@ static int intel_pt_walk_psbend(struct intel_pt_decoder *decoder) + break; + + case INTEL_PT_CYC: ++ intel_pt_calc_cyc_timestamp(decoder); ++ break; ++ + case INTEL_PT_VMCS: + case INTEL_PT_MNT: + case INTEL_PT_PAD: +-- +2.27.0 + diff --git a/queue-4.14/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch b/queue-4.14/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch new file mode 100644 index 00000000000..fc72031fbed --- /dev/null +++ b/queue-4.14/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch @@ -0,0 +1,73 @@ +From 85047e94bffa156b945c7a18f110f960e1eccd3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Feb 2021 18:16:38 +0900 +Subject: perf test: Fix unaligned access in sample parsing test + +From: Namhyung Kim + +[ Upstream commit c5c97cadd7ed13381cb6b4bef5c841a66938d350 ] + +The ubsan reported the following error. It was because sample's raw +data missed u32 padding at the end. So it broke the alignment of the +array after it. + +The raw data contains an u32 size prefix so the data size should have +an u32 padding after 8-byte aligned data. + +27: Sample parsing :util/synthetic-events.c:1539:4: + runtime error: store to misaligned address 0x62100006b9bc for type + '__u64' (aka 'unsigned long long'), which requires 8 byte alignment +0x62100006b9bc: note: pointer points here + 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + #0 0x561532a9fc96 in perf_event__synthesize_sample util/synthetic-events.c:1539:13 + #1 0x5615327f4a4f in do_test tests/sample-parsing.c:284:8 + #2 0x5615327f3f50 in test__sample_parsing tests/sample-parsing.c:381:9 + #3 0x56153279d3a1 in run_test tests/builtin-test.c:424:9 + #4 0x56153279c836 in test_and_print tests/builtin-test.c:454:9 + #5 0x56153279b7eb in __cmd_test tests/builtin-test.c:675:4 + #6 0x56153279abf0 in cmd_test tests/builtin-test.c:821:9 + #7 0x56153264e796 in run_builtin perf.c:312:11 + #8 0x56153264cf03 in handle_internal_command perf.c:364:8 + #9 0x56153264e47d in run_argv perf.c:408:2 + #10 0x56153264c9a9 in main perf.c:538:3 + #11 0x7f137ab6fbbc in __libc_start_main (/lib64/libc.so.6+0x38bbc) + #12 0x561532596828 in _start ... + +SUMMARY: UndefinedBehaviorSanitizer: misaligned-pointer-use + util/synthetic-events.c:1539:4 in + +Fixes: 045f8cd8542d ("perf tests: Add a sample parsing test") +Signed-off-by: Namhyung Kim +Acked-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: https://lore.kernel.org/r/20210214091638.519643-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/sample-parsing.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/sample-parsing.c b/tools/perf/tests/sample-parsing.c +index 3ec6302b6498c..a1e7485f411cc 100644 +--- a/tools/perf/tests/sample-parsing.c ++++ b/tools/perf/tests/sample-parsing.c +@@ -173,7 +173,7 @@ static int do_test(u64 sample_type, u64 sample_regs, u64 read_format) + .data = {1, 211, 212, 213}, + }; + u64 regs[64]; +- const u64 raw_data[] = {0x123456780a0b0c0dULL, 0x1102030405060708ULL}; ++ const u32 raw_data[] = {0x12345678, 0x0a0b0c0d, 0x11020304, 0x05060708, 0 }; + const u64 data[] = {0x2211443366558877ULL, 0, 0xaabbccddeeff4321ULL}; + struct perf_sample sample = { + .ip = 101, +-- +2.27.0 + diff --git a/queue-4.14/perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch b/queue-4.14/perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch new file mode 100644 index 00000000000..a046819ce7c --- /dev/null +++ b/queue-4.14/perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch @@ -0,0 +1,101 @@ +From 0f3cd52ffccfcb81bdb3ede86afaf1c96a4f4d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 09:52:47 -0300 +Subject: perf tools: Fix DSO filtering when not finding a map for a sampled + address + +From: Arnaldo Carvalho de Melo + +[ Upstream commit c69bf11ad3d30b6bf01cfa538ddff1a59467c734 ] + +When we lookup an address and don't find a map we should filter that +sample if the user specified a list of --dso entries to filter on, fix +it. + +Before: + + $ perf script + sleep 274800 2843.556162: 1 cycles:u: ffffffffbb26bff4 [unknown] ([unknown]) + sleep 274800 2843.556168: 1 cycles:u: ffffffffbb2b047d [unknown] ([unknown]) + sleep 274800 2843.556171: 1 cycles:u: ffffffffbb2706b2 [unknown] ([unknown]) + sleep 274800 2843.556174: 6 cycles:u: ffffffffbb2b0267 [unknown] ([unknown]) + sleep 274800 2843.556176: 59 cycles:u: ffffffffbb2b03b1 [unknown] ([unknown]) + sleep 274800 2843.556180: 691 cycles:u: ffffffffbb26bff4 [unknown] ([unknown]) + sleep 274800 2843.556189: 9160 cycles:u: 7fa9550eeaa3 __GI___tunables_init+0xf3 (/usr/lib64/ld-2.32.so) + sleep 274800 2843.556312: 86937 cycles:u: 7fa9550e157b _dl_lookup_symbol_x+0x4b (/usr/lib64/ld-2.32.so) + $ + +So we have some samples we somehow didn't find in a map for, if we now +do: + + $ perf report --stdio --dso /usr/lib64/ld-2.32.so + # dso: /usr/lib64/ld-2.32.so + # + # Total Lost Samples: 0 + # + # Samples: 8 of event 'cycles:u' + # Event count (approx.): 96856 + # + # Overhead Command Symbol + # ........ ....... ........................ + # + 89.76% sleep [.] _dl_lookup_symbol_x + 9.46% sleep [.] __GI___tunables_init + 0.71% sleep [k] 0xffffffffbb26bff4 + 0.06% sleep [k] 0xffffffffbb2b03b1 + 0.01% sleep [k] 0xffffffffbb2b0267 + 0.00% sleep [k] 0xffffffffbb2706b2 + 0.00% sleep [k] 0xffffffffbb2b047d + $ + +After this patch we get the right output with just entries for the DSOs +specified in --dso: + + $ perf report --stdio --dso /usr/lib64/ld-2.32.so + # dso: /usr/lib64/ld-2.32.so + # + # Total Lost Samples: 0 + # + # Samples: 8 of event 'cycles:u' + # Event count (approx.): 96856 + # + # Overhead Command Symbol + # ........ ....... ........................ + # + 89.76% sleep [.] _dl_lookup_symbol_x + 9.46% sleep [.] __GI___tunables_init + $ + # + +Fixes: 96415e4d3f5fdf9c ("perf symbols: Avoid unnecessary symbol loading when dso list is specified") +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20210128131209.GD775562@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/event.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c +index 70cada80d1853..87f683fd6f264 100644 +--- a/tools/perf/util/event.c ++++ b/tools/perf/util/event.c +@@ -1521,6 +1521,8 @@ int machine__resolve(struct machine *machine, struct addr_location *al, + } + + al->sym = map__find_symbol(al->map, al->addr); ++ } else if (symbol_conf.dso_list) { ++ al->filtered |= (1 << HIST_FILTER__DSO); + } + + if (symbol_conf.sym_list && +-- +2.27.0 + diff --git a/queue-4.14/power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch b/queue-4.14/power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch new file mode 100644 index 00000000000..02d8c0c2fb8 --- /dev/null +++ b/queue-4.14/power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch @@ -0,0 +1,36 @@ +From fba21e30ea72d001c73f8c35bd7415f0a3bff8e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Dec 2020 14:57:31 +0200 +Subject: power: reset: at91-sama5d2_shdwc: fix wkupdbc mask + +From: Claudiu Beznea + +[ Upstream commit 95aa21a3f1183260db1b0395e03df5bebc5ed641 ] + +According to datasheet WKUPDBC mask is b/w bits 26..24. + +Fixes: f80cb48843987 ("power: reset: at91-shdwc: add new shutdown controller driver") +Signed-off-by: Claudiu Beznea +Reviewed-by: Alexandre Belloni +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/at91-sama5d2_shdwc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/reset/at91-sama5d2_shdwc.c b/drivers/power/reset/at91-sama5d2_shdwc.c +index 037976a1fe40b..c2fab93b556bb 100644 +--- a/drivers/power/reset/at91-sama5d2_shdwc.c ++++ b/drivers/power/reset/at91-sama5d2_shdwc.c +@@ -36,7 +36,7 @@ + + #define AT91_SHDW_MR 0x04 /* Shut Down Mode Register */ + #define AT91_SHDW_WKUPDBC_SHIFT 24 +-#define AT91_SHDW_WKUPDBC_MASK GENMASK(31, 16) ++#define AT91_SHDW_WKUPDBC_MASK GENMASK(26, 24) + #define AT91_SHDW_WKUPDBC(x) (((x) << AT91_SHDW_WKUPDBC_SHIFT) \ + & AT91_SHDW_WKUPDBC_MASK) + +-- +2.27.0 + diff --git a/queue-4.14/powerpc-47x-disable-256k-page-size.patch b/queue-4.14/powerpc-47x-disable-256k-page-size.patch new file mode 100644 index 00000000000..48f3d7cc7c1 --- /dev/null +++ b/queue-4.14/powerpc-47x-disable-256k-page-size.patch @@ -0,0 +1,41 @@ +From c72b925db51a1e1971fc15c1d0bb3693e7723065 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 07:49:13 +0000 +Subject: powerpc/47x: Disable 256k page size + +From: Christophe Leroy + +[ Upstream commit 910a0cb6d259736a0c86e795d4c2f42af8d0d775 ] + +PPC47x_TLBE_SIZE isn't defined for 256k pages, leading to a build +break if 256k pages is selected. + +So change the kconfig so that 256k pages can't be selected for 47x. + +Fixes: e7f75ad01d59 ("powerpc/47x: Base ppc476 support") +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +[mpe: Expand change log to mention build break] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/2fed79b1154c872194f98bac4422c23918325e61.1611128938.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 52138ab45e574..fff11a5bb8056 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -735,7 +735,7 @@ config PPC_64K_PAGES + + config PPC_256K_PAGES + bool "256k page size" +- depends on 44x && !STDBINUTILS ++ depends on 44x && !STDBINUTILS && !PPC_47x + help + Make the page size 256k. + +-- +2.27.0 + diff --git a/queue-4.14/powerpc-8xx-fix-software-emulation-interrupt.patch b/queue-4.14/powerpc-8xx-fix-software-emulation-interrupt.patch new file mode 100644 index 00000000000..b68fb21487b --- /dev/null +++ b/queue-4.14/powerpc-8xx-fix-software-emulation-interrupt.patch @@ -0,0 +1,40 @@ +From 97c2ab7986a1d28d66814f39b2055d8b7b88ab9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 08:56:13 +0000 +Subject: powerpc/8xx: Fix software emulation interrupt + +From: Christophe Leroy + +[ Upstream commit 903178d0ce6bb30ef80a3604ab9ee2b57869fbc9 ] + +For unimplemented instructions or unimplemented SPRs, the 8xx triggers +a "Software Emulation Exception" (0x1000). That interrupt doesn't set +reason bits in SRR1 as the "Program Check Exception" does. + +Go through emulation_assist_interrupt() to set REASON_ILLEGAL. + +Fixes: fbbcc3bb139e ("powerpc/8xx: Remove SoftwareEmulation()") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/ad782af87a222efc79cfb06079b0fd23d4224eaf.1612515180.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/head_8xx.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S +index 43884af0e35c4..95ecfec96b495 100644 +--- a/arch/powerpc/kernel/head_8xx.S ++++ b/arch/powerpc/kernel/head_8xx.S +@@ -301,7 +301,7 @@ SystemCall: + /* On the MPC8xx, this is a software emulation interrupt. It occurs + * for all unimplemented and illegal instructions. + */ +- EXCEPTION(0x1000, SoftEmu, program_check_exception, EXC_XFER_STD) ++ EXCEPTION(0x1000, SoftEmu, emulation_assist_interrupt, EXC_XFER_STD) + + . = 0x1100 + /* +-- +2.27.0 + diff --git a/queue-4.14/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch b/queue-4.14/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch new file mode 100644 index 00000000000..00abf1b6863 --- /dev/null +++ b/queue-4.14/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch @@ -0,0 +1,65 @@ +From 8d83f5e1b98efe03216fc7963d111cf727e7311f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jan 2021 20:59:00 -0600 +Subject: powerpc/pseries/dlpar: handle ibm, configure-connector delay status + +From: Nathan Lynch + +[ Upstream commit 768d70e19ba525debd571b36e6d0ab19956c63d7 ] + +dlpar_configure_connector() has two problems in its handling of +ibm,configure-connector's return status: + +1. When the status is -2 (busy, call again), we call + ibm,configure-connector again immediately without checking whether + to schedule, which can result in monopolizing the CPU. +2. Extended delay status (9900..9905) goes completely unhandled, + causing the configuration to unnecessarily terminate. + +Fix both of these issues by using rtas_busy_delay(). + +Fixes: ab519a011caa ("powerpc/pseries: Kernel DLPAR Infrastructure") +Signed-off-by: Nathan Lynch +Reviewed-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210107025900.410369-1-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/dlpar.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c +index fb2876a84fbe6..985e434481042 100644 +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -139,7 +139,6 @@ void dlpar_free_cc_nodes(struct device_node *dn) + #define NEXT_PROPERTY 3 + #define PREV_PARENT 4 + #define MORE_MEMORY 5 +-#define CALL_AGAIN -2 + #define ERR_CFG_USE -9003 + + struct device_node *dlpar_configure_connector(__be32 drc_index, +@@ -181,6 +180,9 @@ struct device_node *dlpar_configure_connector(__be32 drc_index, + + spin_unlock(&rtas_data_buf_lock); + ++ if (rtas_busy_delay(rc)) ++ continue; ++ + switch (rc) { + case COMPLETE: + break; +@@ -233,9 +235,6 @@ struct device_node *dlpar_configure_connector(__be32 drc_index, + parent_path = last_dn->parent->full_name; + break; + +- case CALL_AGAIN: +- break; +- + case MORE_MEMORY: + case ERR_CFG_USE: + default: +-- +2.27.0 + diff --git a/queue-4.14/pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch b/queue-4.14/pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch new file mode 100644 index 00000000000..40f9876642a --- /dev/null +++ b/queue-4.14/pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch @@ -0,0 +1,43 @@ +From 531e2f6de27b4032a56fe9bd66519829243efaa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jan 2021 11:12:06 -0500 +Subject: pwm: rockchip: rockchip_pwm_probe(): Remove superfluous + clk_unprepare() + +From: Simon South + +[ Upstream commit d5d8d675865ccddfe4da26c85f22c55cec663bf2 ] + +If rockchip_pwm_probe() fails to register a PWM device it calls +clk_unprepare() for the device's PWM clock, without having first disabled +the clock and before jumping to an error handler that also unprepares +it. This is likely to produce warnings from the kernel about the clock +being unprepared when it is still enabled, and then being unprepared when +it has already been unprepared. + +Prevent these warnings by removing this unnecessary call to +clk_unprepare(). + +Fixes: 48cf973cae33 ("pwm: rockchip: Avoid glitches on already running PWMs") +Signed-off-by: Simon South +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-rockchip.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/pwm/pwm-rockchip.c b/drivers/pwm/pwm-rockchip.c +index 4d99d468df09a..48bcc853d57a7 100644 +--- a/drivers/pwm/pwm-rockchip.c ++++ b/drivers/pwm/pwm-rockchip.c +@@ -370,7 +370,6 @@ static int rockchip_pwm_probe(struct platform_device *pdev) + + ret = pwmchip_add(&pc->chip); + if (ret < 0) { +- clk_unprepare(pc->clk); + dev_err(&pdev->dev, "pwmchip_add() failed: %d\n", ret); + goto err_pclk; + } +-- +2.27.0 + diff --git a/queue-4.14/quota-fix-memory-leak-when-handling-corrupted-quota-.patch b/queue-4.14/quota-fix-memory-leak-when-handling-corrupted-quota-.patch new file mode 100644 index 00000000000..b856895e6ad --- /dev/null +++ b/queue-4.14/quota-fix-memory-leak-when-handling-corrupted-quota-.patch @@ -0,0 +1,55 @@ +From 67bf478f0cd243c2501170536dcadfd3943e6530 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Dec 2020 12:09:53 +0100 +Subject: quota: Fix memory leak when handling corrupted quota file + +From: Jan Kara + +[ Upstream commit a4db1072e1a3bd7a8d9c356e1902b13ac5deb8ef ] + +When checking corrupted quota file we can bail out and leak allocated +info structure. Properly free info structure on error return. + +Reported-by: syzbot+77779c9b52ab78154b08@syzkaller.appspotmail.com +Fixes: 11c514a99bb9 ("quota: Sanity-check quota file headers on load") +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/quota_v2.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c +index d99710270a373..addfaae8decfd 100644 +--- a/fs/quota/quota_v2.c ++++ b/fs/quota/quota_v2.c +@@ -165,19 +165,24 @@ static int v2_read_file_info(struct super_block *sb, int type) + quota_error(sb, "Number of blocks too big for quota file size (%llu > %llu).", + (loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits, + i_size_read(sb_dqopt(sb)->files[type])); +- goto out; ++ goto out_free; + } + if (qinfo->dqi_free_blk >= qinfo->dqi_blocks) { + quota_error(sb, "Free block number too big (%u >= %u).", + qinfo->dqi_free_blk, qinfo->dqi_blocks); +- goto out; ++ goto out_free; + } + if (qinfo->dqi_free_entry >= qinfo->dqi_blocks) { + quota_error(sb, "Block with free entry too big (%u >= %u).", + qinfo->dqi_free_entry, qinfo->dqi_blocks); +- goto out; ++ goto out_free; + } + ret = 0; ++out_free: ++ if (ret) { ++ kfree(info->dqi_priv); ++ info->dqi_priv = NULL; ++ } + out: + up_read(&dqopt->dqio_sem); + return ret; +-- +2.27.0 + diff --git a/queue-4.14/rdma-rxe-fix-coding-error-in-rxe_recv.c.patch b/queue-4.14/rdma-rxe-fix-coding-error-in-rxe_recv.c.patch new file mode 100644 index 00000000000..8362dc8107b --- /dev/null +++ b/queue-4.14/rdma-rxe-fix-coding-error-in-rxe_recv.c.patch @@ -0,0 +1,67 @@ +From 09d0966c9e148cdce6d16fa6be72f5fd57610021 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jan 2021 15:45:01 -0600 +Subject: RDMA/rxe: Fix coding error in rxe_recv.c + +From: Bob Pearson + +[ Upstream commit 7d9ae80e31df57dd3253e1ec514f0000aa588a81 ] + +check_type_state() in rxe_recv.c is written as if the type bits in the +packet opcode were a bit mask which is not correct. This patch corrects +this code to compare all 3 type bits to the required type. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210127214500.3707-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index b7098f7bb30e5..43c1fd92b6d70 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -36,21 +36,26 @@ + #include "rxe.h" + #include "rxe_loc.h" + ++/* check that QP matches packet opcode type and is in a valid state */ + static int check_type_state(struct rxe_dev *rxe, struct rxe_pkt_info *pkt, + struct rxe_qp *qp) + { ++ unsigned int pkt_type; ++ + if (unlikely(!qp->valid)) + goto err1; + ++ pkt_type = pkt->opcode & 0xe0; ++ + switch (qp_type(qp)) { + case IB_QPT_RC: +- if (unlikely((pkt->opcode & IB_OPCODE_RC) != 0)) { ++ if (unlikely(pkt_type != IB_OPCODE_RC)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } + break; + case IB_QPT_UC: +- if (unlikely(!(pkt->opcode & IB_OPCODE_UC))) { ++ if (unlikely(pkt_type != IB_OPCODE_UC)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } +@@ -58,7 +63,7 @@ static int check_type_state(struct rxe_dev *rxe, struct rxe_pkt_info *pkt, + case IB_QPT_UD: + case IB_QPT_SMI: + case IB_QPT_GSI: +- if (unlikely(!(pkt->opcode & IB_OPCODE_UD))) { ++ if (unlikely(pkt_type != IB_OPCODE_UD)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } +-- +2.27.0 + diff --git a/queue-4.14/regulator-axp20x-fix-reference-cout-leak.patch b/queue-4.14/regulator-axp20x-fix-reference-cout-leak.patch new file mode 100644 index 00000000000..bed5ab426a2 --- /dev/null +++ b/queue-4.14/regulator-axp20x-fix-reference-cout-leak.patch @@ -0,0 +1,52 @@ +From 1821cab674c5f197e5077fd8ba964593b1b64987 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 04:33:13 -0800 +Subject: regulator: axp20x: Fix reference cout leak + +From: Pan Bian + +[ Upstream commit e78bf6be7edaacb39778f3a89416caddfc6c6d70 ] + +Decrements the reference count of device node and its child node. + +Fixes: dfe7a1b058bb ("regulator: AXP20x: Add support for regulators subsystem") +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/20210120123313.107640-1-bianpan2016@163.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/axp20x-regulator.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c +index 376a99b7cf5da..901e3fb65ebf7 100644 +--- a/drivers/regulator/axp20x-regulator.c ++++ b/drivers/regulator/axp20x-regulator.c +@@ -493,7 +493,7 @@ static int axp20x_set_dcdc_freq(struct platform_device *pdev, u32 dcdcfreq) + static int axp20x_regulator_parse_dt(struct platform_device *pdev) + { + struct device_node *np, *regulators; +- int ret; ++ int ret = 0; + u32 dcdcfreq = 0; + + np = of_node_get(pdev->dev.parent->of_node); +@@ -508,13 +508,12 @@ static int axp20x_regulator_parse_dt(struct platform_device *pdev) + ret = axp20x_set_dcdc_freq(pdev, dcdcfreq); + if (ret < 0) { + dev_err(&pdev->dev, "Error setting dcdc frequency: %d\n", ret); +- return ret; + } +- + of_node_put(regulators); + } + +- return 0; ++ of_node_put(np); ++ return ret; + } + + static int axp20x_set_dcdc_workmode(struct regulator_dev *rdev, int id, u32 workmode) +-- +2.27.0 + diff --git a/queue-4.14/rtc-s5m-select-regmap_i2c.patch b/queue-4.14/rtc-s5m-select-regmap_i2c.patch new file mode 100644 index 00000000000..dc2db168814 --- /dev/null +++ b/queue-4.14/rtc-s5m-select-regmap_i2c.patch @@ -0,0 +1,37 @@ +From efd2f570bbc86e3bcd2bb567877f34b67e0fe89c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jan 2021 11:22:17 +0100 +Subject: rtc: s5m: select REGMAP_I2C + +From: Bartosz Golaszewski + +[ Upstream commit 1f0cbda3b452b520c5f3794f8f0e410e8bc7386a ] + +The rtc-s5m uses the I2C regmap but doesn't select it in Kconfig so +depending on the configuration the build may fail. Fix it. + +Fixes: 959df7778bbd ("rtc: Enable compile testing for Maxim and Samsung drivers") +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210114102219.23682-2-brgl@bgdev.pl +Signed-off-by: Sasha Levin +--- + drivers/rtc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig +index 68b76e6ddc1ee..7129442f0dfe2 100644 +--- a/drivers/rtc/Kconfig ++++ b/drivers/rtc/Kconfig +@@ -625,6 +625,7 @@ config RTC_DRV_S5M + tristate "Samsung S2M/S5M series" + depends on MFD_SEC_CORE || COMPILE_TEST + select REGMAP_IRQ ++ select REGMAP_I2C + help + If you say yes here you will get support for the + RTC of Samsung S2MPS14 and S5M PMIC series. +-- +2.27.0 + diff --git a/queue-4.14/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch b/queue-4.14/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch new file mode 100644 index 00000000000..b48b0ff635d --- /dev/null +++ b/queue-4.14/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch @@ -0,0 +1,57 @@ +From 19bb856b310ed97f84a0d4cf8271e2ba6ce7ae5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Feb 2021 11:24:28 -0800 +Subject: scsi: bnx2fc: Fix Kconfig warning & CNIC build errors + +From: Randy Dunlap + +[ Upstream commit eefb816acb0162e94a85a857f3a55148f671d5a5 ] + +CNIC depends on MMU, but since 'select' does not follow any dependency +chains, SCSI_BNX2X_FCOE also needs to depend on MMU, so that erroneous +configs are not generated, which cause build errors in cnic. + +WARNING: unmet direct dependencies detected for CNIC + Depends on [n]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && MMU [=n] + Selected by [y]: + - SCSI_BNX2X_FCOE [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && LIBFC [=y] && LIBFCOE [=y] + +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L154': +cnic.c:(.text+0x1094): undefined reference to `uio_event_notify' +riscv64-linux-ld: cnic.c:(.text+0x10bc): undefined reference to `uio_event_notify' +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L1442': +cnic.c:(.text+0x96a8): undefined reference to `__uio_register_device' +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L0 ': +cnic.c:(.text.unlikely+0x68): undefined reference to `uio_unregister_device' + +Link: https://lore.kernel.org/r/20210213192428.22537-1-rdunlap@infradead.org +Fixes: 853e2bd2103a ("[SCSI] bnx2fc: Broadcom FCoE offload driver") +Cc: Saurav Kashyap +Cc: Javed Hasan +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: linux-scsi@vger.kernel.org +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/bnx2fc/Kconfig b/drivers/scsi/bnx2fc/Kconfig +index d401a096dfc7e..2eb2476852b11 100644 +--- a/drivers/scsi/bnx2fc/Kconfig ++++ b/drivers/scsi/bnx2fc/Kconfig +@@ -4,6 +4,7 @@ config SCSI_BNX2X_FCOE + depends on (IPV6 || IPV6=n) + depends on LIBFC + depends on LIBFCOE ++ depends on MMU + select NETDEVICES + select ETHERNET + select NET_VENDOR_BROADCOM +-- +2.27.0 + diff --git a/queue-4.14/series b/queue-4.14/series index 75e1d76cd02..df009b8901e 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -9,3 +9,112 @@ vmlinux.lds.h-add-dwarf-v5-sections.patch kdb-make-memory-allocations-more-robust.patch mips-vmlinux.lds.s-add-missing-page_aligned_data-section.patch random-fix-the-rndreseedcrng-ioctl.patch +bluetooth-btqcomsmd-fix-a-resource-leak-in-error-han.patch +bluetooth-fix-initializing-response-id-after-clearin.patch +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24955 +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-24752 +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-17744 +arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch +arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch-6950 +cpufreq-brcmstb-avs-cpufreq-fix-resource-leaks-in-re.patch +usb-gadget-u_audio-free-requests-only-after-callback.patch +bluetooth-drop-hci-device-reference-before-return.patch +bluetooth-put-hci-device-if-inquiry-procedure-interr.patch +arm-dts-configure-missing-thermal-interrupt-for-4430.patch +usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch +usb-dwc2-abort-transaction-after-errors-with-unknown.patch +usb-dwc2-make-trimming-xfer-length-a-debug-message.patch +staging-rtl8723bs-wifi_regd.c-fix-incorrect-number-o.patch +arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch +arm-s3c-fix-fiq-for-clang-ias.patch +bpf_lru_list-read-double-checked-variable-once-witho.patch +ath9k-fix-data-bus-crash-when-setting-nf_override-vi.patch +bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch +xen-netback-fix-spurious-event-detection-for-common-.patch +mac80211-fix-potential-overflow-when-multiplying-to-.patch +b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch +ibmvnic-skip-send_request_unmap-for-timeout-reset.patch +net-amd-xgbe-reset-the-phy-rx-data-path-when-mailbox.patch +net-amd-xgbe-reset-link-when-the-link-never-comes-ba.patch +net-mvneta-remove-per-cpu-queue-mapping-for-armada-3.patch +fbdev-aty-sparc64-requires-fb_aty_ct.patch +drm-gma500-fix-error-return-code-in-psb_driver_load.patch +gma500-clean-up-error-handling-in-init.patch +crypto-sun4i-ss-fix-kmap-usage.patch +mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch +mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch +media-i2c-ov5670-fix-pixel_rate-minimum-value.patch +media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch +media-media-pci-fix-memleak-in-empress_init.patch +media-tm6000-fix-memleak-in-tm6000_start_stream.patch +asoc-cs42l56-fix-up-error-handling-in-probe.patch +crypto-bcm-rename-struct-device_private-to-bcm_devic.patch +media-lmedm04-fix-misuse-of-comma.patch +media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch +media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch +media-pxa_camera-declare-variable-when-debug-is-defi.patch +media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch +ata-ahci_brcm-add-back-regulators-management.patch +drivers-hv-vmbus-avoid-use-after-free-in-vmbus_onoff.patch +btrfs-clarify-error-returns-values-in-__load_free_sp.patch +hwrng-timeriomem-fix-cooldown-period-calculation.patch +crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch +ima-free-ima-measurement-buffer-on-error.patch +ima-free-ima-measurement-buffer-after-kexec-syscall.patch +fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch +jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch +capabilities-don-t-allow-writing-ambiguous-v3-file-c.patch +clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch +quota-fix-memory-leak-when-handling-corrupted-quota-.patch +spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch +hid-core-detect-and-skip-invalid-inputs-to-snto32.patch +dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch +dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch +dmaengine-hsu-disable-spurious-interrupt.patch +mfd-bd9571mwv-use-devm_mfd_add_devices.patch +fdt-properly-handle-no-map-field-in-the-memory-regio.patch +of-fdt-make-sure-no-map-does-not-remove-already-rese.patch +power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch +rtc-s5m-select-regmap_i2c.patch +clocksource-drivers-mxs_timer-add-missing-semicolon-.patch +regulator-axp20x-fix-reference-cout-leak.patch +certs-fix-blacklist-flag-type-confusion.patch +spi-atmel-put-allocated-master-before-return.patch +isofs-release-buffer-head-before-return.patch +auxdisplay-ht16k33-fix-refresh-rate-handling.patch +ib-umad-return-eio-in-case-of-when-device-disassocia.patch +powerpc-47x-disable-256k-page-size.patch +mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch +arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch +amba-fix-resource-leak-for-drivers-without-.remove.patch +tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch +perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch +rdma-rxe-fix-coding-error-in-rxe_recv.c.patch +spi-stm32-properly-handle-0-byte-transfer.patch +mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch +powerpc-pseries-dlpar-handle-ibm-configure-connector.patch +powerpc-8xx-fix-software-emulation-interrupt.patch +spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch +perf-intel-pt-fix-missing-cyc-processing-in-psb.patch +perf-test-fix-unaligned-access-in-sample-parsing-tes.patch +input-elo-fix-an-error-code-in-elo_connect.patch +sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch +misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch +misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch +pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch +vmci-use-set_page_dirty_lock-when-unregistering-gues.patch +pci-align-checking-of-syscall-user-config-accessors.patch +drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch +ext4-fix-potential-htree-index-checksum-corruption.patch +i40e-fix-flow-for-ipv6-next-header-extension-header.patch +i40e-fix-overwriting-flow-control-settings-during-dr.patch +take-mmap-lock-in-cacheflush-syscall.patch +net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch +ocfs2-fix-a-use-after-free-on-error.patch +mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch +mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch +arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch +i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch +mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch +scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch diff --git a/queue-4.14/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch b/queue-4.14/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch new file mode 100644 index 00000000000..c623e7f1643 --- /dev/null +++ b/queue-4.14/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch @@ -0,0 +1,47 @@ +From 94f0ae47ed86cfe705442e2f95fb144a00b8b559 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Nov 2020 16:40:11 -0800 +Subject: sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set + +From: Randy Dunlap + +[ Upstream commit 80bddf5c93a99e11fc9faf7e4b575d01cecd45d3 ] + +Currently COMPAT on SPARC64 selects COMPAT_BINFMT_ELF unconditionally, +even when BINFMT_ELF is not enabled. This causes a kconfig warning. + +Instead, just select COMPAT_BINFMT_ELF if BINFMT_ELF is enabled. +This builds cleanly with no kconfig warnings. + +WARNING: unmet direct dependencies detected for COMPAT_BINFMT_ELF + Depends on [n]: COMPAT [=y] && BINFMT_ELF [=n] + Selected by [y]: + - COMPAT [=y] && SPARC64 [=y] + +Fixes: 26b4c912185a ("sparc,sparc64: unify Kconfig files") +Signed-off-by: Randy Dunlap +Cc: "David S. Miller" +Cc: sparclinux@vger.kernel.org +Cc: Sam Ravnborg +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig +index 4e83f950713e9..76734ec93e1f0 100644 +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -574,7 +574,7 @@ config COMPAT + bool + depends on SPARC64 + default y +- select COMPAT_BINFMT_ELF ++ select COMPAT_BINFMT_ELF if BINFMT_ELF + select HAVE_UID16 + select ARCH_WANT_OLD_COMPAT_IPC + select COMPAT_OLD_SIGACTION +-- +2.27.0 + diff --git a/queue-4.14/spi-atmel-put-allocated-master-before-return.patch b/queue-4.14/spi-atmel-put-allocated-master-before-return.patch new file mode 100644 index 00000000000..8281209d738 --- /dev/null +++ b/queue-4.14/spi-atmel-put-allocated-master-before-return.patch @@ -0,0 +1,39 @@ +From e4c409c96ec4ba64ff72984a0276cbc305ff2f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jan 2021 21:00:25 -0800 +Subject: spi: atmel: Put allocated master before return + +From: Pan Bian + +[ Upstream commit 21ea2743f015dbacec1831bdc8afc848db9c2b8c ] + +The allocated master is not released. Goto error handling label rather +than directly return. + +Fixes: 5e9af37e46bc ("spi: atmel: introduce probe deferring") +Signed-off-by: Pan Bian +Fixes: 5e9af37e46bc ("spi: atmel: introduce probe deferring") +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20210120050025.25426-1-bianpan2016@163.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-atmel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c +index 7b739c449227f..6c9ce7b24aa0c 100644 +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -1582,7 +1582,7 @@ static int atmel_spi_probe(struct platform_device *pdev) + if (ret == 0) { + as->use_dma = true; + } else if (ret == -EPROBE_DEFER) { +- return ret; ++ goto out_unmap_regs; + } + } else if (as->caps.has_pdc_support) { + as->use_pdc = true; +-- +2.27.0 + diff --git a/queue-4.14/spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch b/queue-4.14/spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch new file mode 100644 index 00000000000..69b3ea7d454 --- /dev/null +++ b/queue-4.14/spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch @@ -0,0 +1,41 @@ +From 52b78964293590dad62363e7e1692d267cfdf29e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Dec 2020 00:14:20 +0530 +Subject: spi: cadence-quadspi: Abort read if dummy cycles required are too + many + +From: Pratyush Yadav + +[ Upstream commit ceeda328edeeeeac7579e9dbf0610785a3b83d39 ] + +The controller can only support up to 31 dummy cycles. If the command +requires more it falls back to using 31. This command is likely to fail +because the correct number of cycles are not waited upon. Rather than +silently issuing an incorrect command, fail loudly so the caller can get +a chance to find out the command can't be supported by the controller. + +Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") +Signed-off-by: Pratyush Yadav +Link: https://lore.kernel.org/r/20201222184425.7028-3-p.yadav@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/cadence-quadspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/spi-nor/cadence-quadspi.c b/drivers/mtd/spi-nor/cadence-quadspi.c +index ff4edf4bb23c5..e58923d25f4a5 100644 +--- a/drivers/mtd/spi-nor/cadence-quadspi.c ++++ b/drivers/mtd/spi-nor/cadence-quadspi.c +@@ -465,7 +465,7 @@ static int cqspi_indirect_read_setup(struct spi_nor *nor, + /* Setup dummy clock cycles */ + dummy_clk = nor->read_dummy; + if (dummy_clk > CQSPI_DUMMY_CLKS_MAX) +- dummy_clk = CQSPI_DUMMY_CLKS_MAX; ++ return -EOPNOTSUPP; + + if (dummy_clk / 8) { + reg |= (1 << CQSPI_REG_RD_INSTR_MODE_EN_LSB); +-- +2.27.0 + diff --git a/queue-4.14/spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch b/queue-4.14/spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch new file mode 100644 index 00000000000..04c26ae204c --- /dev/null +++ b/queue-4.14/spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch @@ -0,0 +1,87 @@ +From d885e07ccff4547e6d6c7f5c07a0d0bd49c12e83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Feb 2021 18:38:15 +0200 +Subject: spi: pxa2xx: Fix the controller numbering for Wildcat Point + +From: Andy Shevchenko + +[ Upstream commit 54c5d3bfb0cfb7b31259765524567871dee11615 ] + +Wildcat Point has two SPI controllers and added one is actually second one. +Fix the numbering by adding the description of the first one. + +Fixes: caba248db286 ("spi: spi-pxa2xx-pci: Add ID and driver type for WildcatPoint PCH") +Cc: Leif Liddy +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210208163816.22147-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-pxa2xx-pci.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-pxa2xx-pci.c b/drivers/spi/spi-pxa2xx-pci.c +index 869f188b02eb3..1736a48bbccec 100644 +--- a/drivers/spi/spi-pxa2xx-pci.c ++++ b/drivers/spi/spi-pxa2xx-pci.c +@@ -21,7 +21,8 @@ enum { + PORT_BSW1, + PORT_BSW2, + PORT_CE4100, +- PORT_LPT, ++ PORT_LPT0, ++ PORT_LPT1, + }; + + struct pxa_spi_info { +@@ -55,8 +56,10 @@ static struct dw_dma_slave bsw1_rx_param = { .src_id = 7 }; + static struct dw_dma_slave bsw2_tx_param = { .dst_id = 8 }; + static struct dw_dma_slave bsw2_rx_param = { .src_id = 9 }; + +-static struct dw_dma_slave lpt_tx_param = { .dst_id = 0 }; +-static struct dw_dma_slave lpt_rx_param = { .src_id = 1 }; ++static struct dw_dma_slave lpt1_tx_param = { .dst_id = 0 }; ++static struct dw_dma_slave lpt1_rx_param = { .src_id = 1 }; ++static struct dw_dma_slave lpt0_tx_param = { .dst_id = 2 }; ++static struct dw_dma_slave lpt0_rx_param = { .src_id = 3 }; + + static bool lpss_dma_filter(struct dma_chan *chan, void *param) + { +@@ -182,12 +185,19 @@ static struct pxa_spi_info spi_info_configs[] = { + .num_chipselect = 1, + .max_clk_rate = 50000000, + }, +- [PORT_LPT] = { ++ [PORT_LPT0] = { + .type = LPSS_LPT_SSP, + .port_id = 0, + .setup = lpss_spi_setup, +- .tx_param = &lpt_tx_param, +- .rx_param = &lpt_rx_param, ++ .tx_param = &lpt0_tx_param, ++ .rx_param = &lpt0_rx_param, ++ }, ++ [PORT_LPT1] = { ++ .type = LPSS_LPT_SSP, ++ .port_id = 1, ++ .setup = lpss_spi_setup, ++ .tx_param = &lpt1_tx_param, ++ .rx_param = &lpt1_rx_param, + }, + }; + +@@ -281,8 +291,9 @@ static const struct pci_device_id pxa2xx_spi_pci_devices[] = { + { PCI_VDEVICE(INTEL, 0x2290), PORT_BSW1 }, + { PCI_VDEVICE(INTEL, 0x22ac), PORT_BSW2 }, + { PCI_VDEVICE(INTEL, 0x2e6a), PORT_CE4100 }, +- { PCI_VDEVICE(INTEL, 0x9ce6), PORT_LPT }, +- { }, ++ { PCI_VDEVICE(INTEL, 0x9ce5), PORT_LPT0 }, ++ { PCI_VDEVICE(INTEL, 0x9ce6), PORT_LPT1 }, ++ { } + }; + MODULE_DEVICE_TABLE(pci, pxa2xx_spi_pci_devices); + +-- +2.27.0 + diff --git a/queue-4.14/spi-stm32-properly-handle-0-byte-transfer.patch b/queue-4.14/spi-stm32-properly-handle-0-byte-transfer.patch new file mode 100644 index 00000000000..891f29c9aa0 --- /dev/null +++ b/queue-4.14/spi-stm32-properly-handle-0-byte-transfer.patch @@ -0,0 +1,39 @@ +From 410cc1b709b35cc1306bb147f3e876bc7cd94204 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 19:59:25 +0100 +Subject: spi: stm32: properly handle 0 byte transfer + +From: Alain Volmat + +[ Upstream commit 2269f5a8b1a7b38651d62676b98182828f29d11a ] + +On 0 byte transfer request, return straight from the +xfer function after finalizing the transfer. + +Fixes: dcbe0d84dfa5 ("spi: add driver for STM32 SPI controller") +Signed-off-by: Alain Volmat +Link: https://lore.kernel.org/r/1612551572-495-2-git-send-email-alain.volmat@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index d919803540510..c8e546439fff2 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -992,6 +992,10 @@ static int stm32_spi_transfer_one(struct spi_master *master, + struct stm32_spi *spi = spi_master_get_devdata(master); + int ret; + ++ /* Don't do anything on 0 bytes transfers */ ++ if (transfer->len == 0) ++ return 0; ++ + spi->tx_buf = transfer->tx_buf; + spi->rx_buf = transfer->rx_buf; + spi->tx_len = spi->tx_buf ? transfer->len : 0; +-- +2.27.0 + diff --git a/queue-4.14/staging-rtl8723bs-wifi_regd.c-fix-incorrect-number-o.patch b/queue-4.14/staging-rtl8723bs-wifi_regd.c-fix-incorrect-number-o.patch new file mode 100644 index 00000000000..895bef326d9 --- /dev/null +++ b/queue-4.14/staging-rtl8723bs-wifi_regd.c-fix-incorrect-number-o.patch @@ -0,0 +1,93 @@ +From 039c37d0853ae1f1cb891b68974db6ee0ec90c9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jan 2021 22:14:01 +0800 +Subject: staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory + rules + +From: Chen-Yu Tsai + +[ Upstream commit 61834c967a929f6b4b7fcb91f43fa225cc29aa19 ] + +The custom regulatory ruleset in the rtl8723bs driver lists an incorrect +number of rules: one too many. This results in an out-of-bounds access, +as detected by KASAN. This was possible thanks to the newly added support +for KASAN on ARMv7. + +Fix this by filling in the correct number of rules given. + +KASAN report: + +================================================================== +BUG: KASAN: global-out-of-bounds in cfg80211_does_bw_fit_range+0x14/0x4c [cfg80211] +Read of size 4 at addr bf20c254 by task ip/971 + +CPU: 2 PID: 971 Comm: ip Tainted: G C 5.11.0-rc2-00020-gf7fe528a7ebe #1 +Hardware name: Allwinner sun8i Family +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x9c/0xb4) +[] (dump_stack) from [] (print_address_description.constprop.2+0x1dc/0x2dc) +[] (print_address_description.constprop.2) from [] (kasan_report+0x1a8/0x1c4) +[] (kasan_report) from [] (cfg80211_does_bw_fit_range+0x14/0x4c [cfg80211]) +[] (cfg80211_does_bw_fit_range [cfg80211]) from [] (freq_reg_info_regd.part.6+0x108/0x124 [> +[] (freq_reg_info_regd.part.6 [cfg80211]) from [] (handle_channel_custom.constprop.12+0x48/> +[] (handle_channel_custom.constprop.12 [cfg80211]) from [] (wiphy_apply_custom_regulatory+0> +[] (wiphy_apply_custom_regulatory [cfg80211]) from [] (rtw_regd_init+0x60/0x70 [r8723bs]) +[] (rtw_regd_init [r8723bs]) from [] (rtw_cfg80211_init_wiphy+0x164/0x1e8 [r8723bs]) +[] (rtw_cfg80211_init_wiphy [r8723bs]) from [] (_netdev_open+0xe4/0x28c [r8723bs]) +[] (_netdev_open [r8723bs]) from [] (netdev_open+0x60/0x88 [r8723bs]) +[] (netdev_open [r8723bs]) from [] (__dev_open+0x178/0x220) +[] (__dev_open) from [] (__dev_change_flags+0x258/0x2c4) +[] (__dev_change_flags) from [] (dev_change_flags+0x40/0x80) +[] (dev_change_flags) from [] (do_setlink+0x538/0x1160) +[] (do_setlink) from [] (__rtnl_newlink+0x65c/0xad8) +[] (__rtnl_newlink) from [] (rtnl_newlink+0x4c/0x6c) +[] (rtnl_newlink) from [] (rtnetlink_rcv_msg+0x1f8/0x454) +[] (rtnetlink_rcv_msg) from [] (netlink_rcv_skb+0xc4/0x1e0) +[] (netlink_rcv_skb) from [] (netlink_unicast+0x2c8/0x3c4) +[] (netlink_unicast) from [] (netlink_sendmsg+0x320/0x5f0) +[] (netlink_sendmsg) from [] (____sys_sendmsg+0x320/0x3e0) +[] (____sys_sendmsg) from [] (___sys_sendmsg+0xe8/0x12c) +[] (___sys_sendmsg) from [] (__sys_sendmsg+0xc0/0x120) +[] (__sys_sendmsg) from [] (ret_fast_syscall+0x0/0x58) +Exception stack(0xc5693fa8 to 0xc5693ff0) +3fa0: 00000074 c7a39800 00000003 b6cee648 00000000 00000000 +3fc0: 00000074 c7a39800 00000001 00000128 78d18349 00000000 b6ceeda0 004f7cb0 +3fe0: 00000128 b6cee5e8 aeca151f aec1d746 + +The buggy address belongs to the variable: + rtw_drv_halt+0xf908/0x6b4 [r8723bs] + +Memory state around the buggy address: + bf20c100: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 + bf20c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>bf20c200: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 + ^ + bf20c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + bf20c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +================================================================== + +Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20210108141401.31741-1-wens@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8723bs/os_dep/wifi_regd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8723bs/os_dep/wifi_regd.c b/drivers/staging/rtl8723bs/os_dep/wifi_regd.c +index aa2f62acc994d..4dd6f3fb59060 100644 +--- a/drivers/staging/rtl8723bs/os_dep/wifi_regd.c ++++ b/drivers/staging/rtl8723bs/os_dep/wifi_regd.c +@@ -39,7 +39,7 @@ + NL80211_RRF_PASSIVE_SCAN | NL80211_RRF_NO_OFDM) + + static const struct ieee80211_regdomain rtw_regdom_rd = { +- .n_reg_rules = 3, ++ .n_reg_rules = 2, + .alpha2 = "99", + .reg_rules = { + RTW_2GHZ_CH01_11, +-- +2.27.0 + diff --git a/queue-4.14/take-mmap-lock-in-cacheflush-syscall.patch b/queue-4.14/take-mmap-lock-in-cacheflush-syscall.patch new file mode 100644 index 00000000000..94ea31d6e22 --- /dev/null +++ b/queue-4.14/take-mmap-lock-in-cacheflush-syscall.patch @@ -0,0 +1,61 @@ +From 94c4e2a23429522082d63237493034d6a4435502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Feb 2021 14:59:35 +0800 +Subject: Take mmap lock in cacheflush syscall + +From: Jann Horn + +[ Upstream commit c26958cb5a0d9053d1358258827638773f3d36ed ] + +We need to take the mmap lock around find_vma() and subsequent use of the +VMA. Otherwise, we can race with concurrent operations like munmap(), which +can lead to use-after-free accesses to freed VMAs. + +Fixes: 1000197d8013 ("nios2: System calls handling") +Signed-off-by: Jann Horn +Signed-off-by: Ley Foon Tan +Signed-off-by: Sasha Levin +--- + arch/nios2/kernel/sys_nios2.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/nios2/kernel/sys_nios2.c b/arch/nios2/kernel/sys_nios2.c +index cd390ec4f88bf..b1ca856999521 100644 +--- a/arch/nios2/kernel/sys_nios2.c ++++ b/arch/nios2/kernel/sys_nios2.c +@@ -22,6 +22,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, + unsigned int op) + { + struct vm_area_struct *vma; ++ struct mm_struct *mm = current->mm; + + if (len == 0) + return 0; +@@ -34,16 +35,22 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, + if (addr + len < addr) + return -EFAULT; + ++ if (mmap_read_lock_killable(mm)) ++ return -EINTR; ++ + /* + * Verify that the specified address region actually belongs + * to this process. + */ +- vma = find_vma(current->mm, addr); +- if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) ++ vma = find_vma(mm, addr); ++ if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) { ++ mmap_read_unlock(mm); + return -EFAULT; ++ } + + flush_cache_range(vma, addr, addr + len); + ++ mmap_read_unlock(mm); + return 0; + } + +-- +2.27.0 + diff --git a/queue-4.14/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch b/queue-4.14/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch new file mode 100644 index 00000000000..f1cc48cd55f --- /dev/null +++ b/queue-4.14/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch @@ -0,0 +1,205 @@ +From 9bd399cde40b6a4051af077218dcd82cd6320be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Nov 2020 09:34:05 -0500 +Subject: tracepoint: Do not fail unregistering a probe due to memory failure + +From: Steven Rostedt (VMware) + +[ Upstream commit befe6d946551d65cddbd32b9cb0170b0249fd5ed ] + +The list of tracepoint callbacks is managed by an array that is protected +by RCU. To update this array, a new array is allocated, the updates are +copied over to the new array, and then the list of functions for the +tracepoint is switched over to the new array. After a completion of an RCU +grace period, the old array is freed. + +This process happens for both adding a callback as well as removing one. +But on removing a callback, if the new array fails to be allocated, the +callback is not removed, and may be used after it is freed by the clients +of the tracepoint. + +There's really no reason to fail if the allocation for a new array fails +when removing a function. Instead, the function can simply be replaced by a +stub function that could be cleaned up on the next modification of the +array. That is, instead of calling the function registered to the +tracepoint, it would call a stub function in its place. + +Link: https://lore.kernel.org/r/20201115055256.65625-1-mmullins@mmlx.us +Link: https://lore.kernel.org/r/20201116175107.02db396d@gandalf.local.home +Link: https://lore.kernel.org/r/20201117211836.54acaef2@oasis.local.home +Link: https://lkml.kernel.org/r/20201118093405.7a6d2290@gandalf.local.home + +[ Note, this version does use undefined compiler behavior (assuming that + a stub function with no parameters or return, can be called by a location + that thinks it has parameters but still no return value. Static calls + do the same thing, so this trick is not without precedent. + + There's another solution that uses RCU tricks and is more complex, but + can be an alternative if this solution becomes an issue. + + Link: https://lore.kernel.org/lkml/20210127170721.58bce7cc@gandalf.local.home/ +] + +Cc: Peter Zijlstra +Cc: Josh Poimboeuf +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Dmitry Vyukov +Cc: Martin KaFai Lau +Cc: Song Liu +Cc: Yonghong Song +Cc: Andrii Nakryiko +Cc: John Fastabend +Cc: KP Singh +Cc: netdev +Cc: bpf +Cc: Kees Cook +Cc: Florian Weimer +Fixes: 97e1c18e8d17b ("tracing: Kernel Tracepoints") +Reported-by: syzbot+83aa762ef23b6f0d1991@syzkaller.appspotmail.com +Reported-by: syzbot+d29e58bb557324e55e5e@syzkaller.appspotmail.com +Reported-by: Matt Mullins +Signed-off-by: Steven Rostedt (VMware) +Tested-by: Matt Mullins +Signed-off-by: Sasha Levin +--- + kernel/tracepoint.c | 80 ++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 64 insertions(+), 16 deletions(-) + +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c +index a170d83043a5a..b65b2e7fd8507 100644 +--- a/kernel/tracepoint.c ++++ b/kernel/tracepoint.c +@@ -60,6 +60,12 @@ struct tp_probes { + struct tracepoint_func probes[0]; + }; + ++/* Called in removal of a func but failed to allocate a new tp_funcs */ ++static void tp_stub_func(void) ++{ ++ return; ++} ++ + static inline void *allocate_probes(int count) + { + struct tp_probes *p = kmalloc(count * sizeof(struct tracepoint_func) +@@ -98,6 +104,7 @@ func_add(struct tracepoint_func **funcs, struct tracepoint_func *tp_func, + { + struct tracepoint_func *old, *new; + int nr_probes = 0; ++ int stub_funcs = 0; + int pos = -1; + + if (WARN_ON(!tp_func->func)) +@@ -114,14 +121,34 @@ func_add(struct tracepoint_func **funcs, struct tracepoint_func *tp_func, + if (old[nr_probes].func == tp_func->func && + old[nr_probes].data == tp_func->data) + return ERR_PTR(-EEXIST); ++ if (old[nr_probes].func == tp_stub_func) ++ stub_funcs++; + } + } +- /* + 2 : one for new probe, one for NULL func */ +- new = allocate_probes(nr_probes + 2); ++ /* + 2 : one for new probe, one for NULL func - stub functions */ ++ new = allocate_probes(nr_probes + 2 - stub_funcs); + if (new == NULL) + return ERR_PTR(-ENOMEM); + if (old) { +- if (pos < 0) { ++ if (stub_funcs) { ++ /* Need to copy one at a time to remove stubs */ ++ int probes = 0; ++ ++ pos = -1; ++ for (nr_probes = 0; old[nr_probes].func; nr_probes++) { ++ if (old[nr_probes].func == tp_stub_func) ++ continue; ++ if (pos < 0 && old[nr_probes].prio < prio) ++ pos = probes++; ++ new[probes++] = old[nr_probes]; ++ } ++ nr_probes = probes; ++ if (pos < 0) ++ pos = probes; ++ else ++ nr_probes--; /* Account for insertion */ ++ ++ } else if (pos < 0) { + pos = nr_probes; + memcpy(new, old, nr_probes * sizeof(struct tracepoint_func)); + } else { +@@ -155,8 +182,9 @@ static void *func_remove(struct tracepoint_func **funcs, + /* (N -> M), (N > 1, M >= 0) probes */ + if (tp_func->func) { + for (nr_probes = 0; old[nr_probes].func; nr_probes++) { +- if (old[nr_probes].func == tp_func->func && +- old[nr_probes].data == tp_func->data) ++ if ((old[nr_probes].func == tp_func->func && ++ old[nr_probes].data == tp_func->data) || ++ old[nr_probes].func == tp_stub_func) + nr_del++; + } + } +@@ -175,14 +203,32 @@ static void *func_remove(struct tracepoint_func **funcs, + /* N -> M, (N > 1, M > 0) */ + /* + 1 for NULL */ + new = allocate_probes(nr_probes - nr_del + 1); +- if (new == NULL) +- return ERR_PTR(-ENOMEM); +- for (i = 0; old[i].func; i++) +- if (old[i].func != tp_func->func +- || old[i].data != tp_func->data) +- new[j++] = old[i]; +- new[nr_probes - nr_del].func = NULL; +- *funcs = new; ++ if (new) { ++ for (i = 0; old[i].func; i++) ++ if ((old[i].func != tp_func->func ++ || old[i].data != tp_func->data) ++ && old[i].func != tp_stub_func) ++ new[j++] = old[i]; ++ new[nr_probes - nr_del].func = NULL; ++ *funcs = new; ++ } else { ++ /* ++ * Failed to allocate, replace the old function ++ * with calls to tp_stub_func. ++ */ ++ for (i = 0; old[i].func; i++) ++ if (old[i].func == tp_func->func && ++ old[i].data == tp_func->data) { ++ old[i].func = tp_stub_func; ++ /* Set the prio to the next event. */ ++ if (old[i + 1].func) ++ old[i].prio = ++ old[i + 1].prio; ++ else ++ old[i].prio = -1; ++ } ++ *funcs = old; ++ } + } + debug_print_probes(*funcs); + return old; +@@ -239,10 +285,12 @@ static int tracepoint_remove_func(struct tracepoint *tp, + tp_funcs = rcu_dereference_protected(tp->funcs, + lockdep_is_held(&tracepoints_mutex)); + old = func_remove(&tp_funcs, func); +- if (IS_ERR(old)) { +- WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); ++ if (WARN_ON_ONCE(IS_ERR(old))) + return PTR_ERR(old); +- } ++ ++ if (tp_funcs == old) ++ /* Failed allocating new tp_funcs, replaced func with stub */ ++ return 0; + + if (!tp_funcs) { + /* Removed last function */ +-- +2.27.0 + diff --git a/queue-4.14/usb-dwc2-abort-transaction-after-errors-with-unknown.patch b/queue-4.14/usb-dwc2-abort-transaction-after-errors-with-unknown.patch new file mode 100644 index 00000000000..5de2afb6eec --- /dev/null +++ b/queue-4.14/usb-dwc2-abort-transaction-after-errors-with-unknown.patch @@ -0,0 +1,84 @@ +From 42a7536723dd088c05c806e013e845699e7d25b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 12:20:50 +0100 +Subject: usb: dwc2: Abort transaction after errors with unknown reason + +From: Guenter Roeck + +[ Upstream commit f74b68c61cbc4b2245022fcce038509333d63f6f ] + +In some situations, the following error messages are reported. + +dwc2 ff540000.usb: dwc2_hc_chhltd_intr_dma: Channel 1 - ChHltd set, but reason is unknown +dwc2 ff540000.usb: hcint 0x00000002, intsts 0x04000021 + +This is sometimes followed by: + +dwc2 ff540000.usb: dwc2_update_urb_state_abn(): trimming xfer length + +and then: + +WARNING: CPU: 0 PID: 0 at kernel/v4.19/drivers/usb/dwc2/hcd.c:2913 + dwc2_assign_and_init_hc+0x98c/0x990 + +The warning suggests that an odd buffer address is to be used for DMA. + +After an error is observed, the receive buffer may be full +(urb->actual_length >= urb->length). However, the urb is still left in +the queue unless three errors were observed in a row. When it is queued +again, the dwc2 hcd code translates this into a 1-block transfer. +If urb->actual_length (ie the total expected receive length) is not +DMA-aligned, the buffer pointer programmed into the chip will be +unaligned. This results in the observed warning. + +To solve the problem, abort input transactions after an error with +unknown cause if the entire packet was already received. This may be +a bit drastic, but we don't really know why the transfer was aborted +even though the entire packet was received. Aborting the transfer in +this situation is less risky than accepting a potentially corrupted +packet. + +With this patch in place, the 'ChHltd set' and 'trimming xfer length' +messages are still observed, but there are no more transfer attempts +with odd buffer addresses. + +Fixes: 151d0cbdbe860 ("usb: dwc2: make the scheduler handle excessive NAKs better") +Cc: Boris ARZUR +Cc: Douglas Anderson +Tested-by: Nicolas Saenz Julienne +Reviewed-by: Douglas Anderson +Signed-off-by: Guenter Roeck +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20210113112052.17063-3-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd_intr.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c +index 74be06354b5b6..10459ad19bcc2 100644 +--- a/drivers/usb/dwc2/hcd_intr.c ++++ b/drivers/usb/dwc2/hcd_intr.c +@@ -1939,6 +1939,18 @@ error: + qtd->error_count++; + dwc2_update_urb_state_abn(hsotg, chan, chnum, qtd->urb, + qtd, DWC2_HC_XFER_XACT_ERR); ++ /* ++ * We can get here after a completed transaction ++ * (urb->actual_length >= urb->length) which was not reported ++ * as completed. If that is the case, and we do not abort ++ * the transfer, a transfer of size 0 will be enqueued ++ * subsequently. If urb->actual_length is not DMA-aligned, ++ * the buffer will then point to an unaligned address, and ++ * the resulting behavior is undefined. Bail out in that ++ * situation. ++ */ ++ if (qtd->urb->actual_length >= qtd->urb->length) ++ qtd->error_count = 3; + dwc2_hcd_save_data_toggle(hsotg, chan, chnum, qtd); + dwc2_halt_channel(hsotg, chan, qtd, DWC2_HC_XFER_XACT_ERR); + } +-- +2.27.0 + diff --git a/queue-4.14/usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch b/queue-4.14/usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch new file mode 100644 index 00000000000..85ddc10738b --- /dev/null +++ b/queue-4.14/usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch @@ -0,0 +1,63 @@ +From 09db7639b5142b759b6fd967903f38fffd5b5da9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 12:20:49 +0100 +Subject: usb: dwc2: Do not update data length if it is 0 on inbound transfers + +From: Guenter Roeck + +[ Upstream commit 415fa1c7305dedbb345e2cc8ac91769bc1c83f1a ] + +The DWC2 documentation states that transfers with zero data length should +set the number of packets to 1 and the transfer length to 0. This is not +currently the case for inbound transfers: the transfer length is set to +the maximum packet length. This can have adverse effects if the chip +actually does transfer data as it is programmed to do. Follow chip +documentation and keep the transfer length set to 0 in that situation. + +Fixes: 56f5b1cff22a1 ("staging: Core files for the DWC2 driver") +Tested-by: Nicolas Saenz Julienne +Reviewed-by: Douglas Anderson +Signed-off-by: Guenter Roeck +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20210113112052.17063-2-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index e6f8825835b06..ef7f3b013fcba 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -1490,19 +1490,20 @@ static void dwc2_hc_start_transfer(struct dwc2_hsotg *hsotg, + if (num_packets > max_hc_pkt_count) { + num_packets = max_hc_pkt_count; + chan->xfer_len = num_packets * chan->max_packet; ++ } else if (chan->ep_is_in) { ++ /* ++ * Always program an integral # of max packets ++ * for IN transfers. ++ * Note: This assumes that the input buffer is ++ * aligned and sized accordingly. ++ */ ++ chan->xfer_len = num_packets * chan->max_packet; + } + } else { + /* Need 1 packet for transfer length of 0 */ + num_packets = 1; + } + +- if (chan->ep_is_in) +- /* +- * Always program an integral # of max packets for IN +- * transfers +- */ +- chan->xfer_len = num_packets * chan->max_packet; +- + if (chan->ep_type == USB_ENDPOINT_XFER_INT || + chan->ep_type == USB_ENDPOINT_XFER_ISOC) + /* +-- +2.27.0 + diff --git a/queue-4.14/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch b/queue-4.14/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch new file mode 100644 index 00000000000..10300edf345 --- /dev/null +++ b/queue-4.14/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch @@ -0,0 +1,48 @@ +From 50bf0409e5b59dd981f91000cd1c1a0c3dccf9fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 12:20:51 +0100 +Subject: usb: dwc2: Make "trimming xfer length" a debug message + +From: Guenter Roeck + +[ Upstream commit 1a9e38cabd80356ffb98c2c88fec528ea9644fd5 ] + +With some USB network adapters, such as DM96xx, the following message +is seen for each maximum size receive packet. + +dwc2 ff540000.usb: dwc2_update_urb_state(): trimming xfer length + +This happens because the packet size requested by the driver is 1522 +bytes, wMaxPacketSize is 64, the dwc2 driver configures the chip to +receive 24*64 = 1536 bytes, and the chip does indeed send more than +1522 bytes of data. Since the event does not indicate an error condition, +the message is just noise. Demote it to debug level. + +Fixes: 7359d482eb4d3 ("staging: HCD files for the DWC2 driver") +Tested-by: Nicolas Saenz Julienne +Reviewed-by: Douglas Anderson +Signed-off-by: Guenter Roeck +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20210113112052.17063-4-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd_intr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c +index 10459ad19bcc2..1301bf687dcab 100644 +--- a/drivers/usb/dwc2/hcd_intr.c ++++ b/drivers/usb/dwc2/hcd_intr.c +@@ -487,7 +487,7 @@ static int dwc2_update_urb_state(struct dwc2_hsotg *hsotg, + &short_read); + + if (urb->actual_length + xfer_length > urb->length) { +- dev_warn(hsotg->dev, "%s(): trimming xfer length\n", __func__); ++ dev_dbg(hsotg->dev, "%s(): trimming xfer length\n", __func__); + xfer_length = urb->length - urb->actual_length; + } + +-- +2.27.0 + diff --git a/queue-4.14/usb-gadget-u_audio-free-requests-only-after-callback.patch b/queue-4.14/usb-gadget-u_audio-free-requests-only-after-callback.patch new file mode 100644 index 00000000000..501c14297ed --- /dev/null +++ b/queue-4.14/usb-gadget-u_audio-free-requests-only-after-callback.patch @@ -0,0 +1,72 @@ +From 057ccf4110187290bddf9397d5bca6a659a16ad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 09:46:39 +0100 +Subject: usb: gadget: u_audio: Free requests only after callback + +From: Jack Pham + +[ Upstream commit 7de8681be2cde9f6953d3be1fa6ce05f9fe6e637 ] + +As per the kernel doc for usb_ep_dequeue(), it states that "this +routine is asynchronous, that is, it may return before the completion +routine runs". And indeed since v5.0 the dwc3 gadget driver updated +its behavior to place dequeued requests on to a cancelled list to be +given back later after the endpoint is stopped. + +The free_ep() was incorrectly assuming that a request was ready to +be freed after calling dequeue which results in a use-after-free +in dwc3 when it traverses its cancelled list. Fix this by moving +the usb_ep_free_request() call to the callback itself in case the +ep is disabled. + +Fixes: eb9fecb9e69b0 ("usb: gadget: f_uac2: split out audio core") +Reported-and-tested-by: Ferry Toth +Reviewed-and-tested-by: Peter Chen +Acked-by: Felipe Balbi +Signed-off-by: Jack Pham +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20210118084642.322510-2-jbrunet@baylibre.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_audio.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c +index d3a639297e060..0370a1314b88a 100644 +--- a/drivers/usb/gadget/function/u_audio.c ++++ b/drivers/usb/gadget/function/u_audio.c +@@ -98,7 +98,12 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req) + struct snd_uac_chip *uac = prm->uac; + + /* i/f shutting down */ +- if (!prm->ep_enabled || req->status == -ESHUTDOWN) ++ if (!prm->ep_enabled) { ++ usb_ep_free_request(ep, req); ++ return; ++ } ++ ++ if (req->status == -ESHUTDOWN) + return; + + /* +@@ -360,8 +365,14 @@ static inline void free_ep(struct uac_rtd_params *prm, struct usb_ep *ep) + + for (i = 0; i < params->req_number; i++) { + if (prm->ureq[i].req) { +- usb_ep_dequeue(ep, prm->ureq[i].req); +- usb_ep_free_request(ep, prm->ureq[i].req); ++ if (usb_ep_dequeue(ep, prm->ureq[i].req)) ++ usb_ep_free_request(ep, prm->ureq[i].req); ++ /* ++ * If usb_ep_dequeue() cannot successfully dequeue the ++ * request, the request will be freed by the completion ++ * callback. ++ */ ++ + prm->ureq[i].req = NULL; + } + } +-- +2.27.0 + diff --git a/queue-4.14/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch b/queue-4.14/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch new file mode 100644 index 00000000000..e005c1ab4b9 --- /dev/null +++ b/queue-4.14/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch @@ -0,0 +1,43 @@ +From cf3e589d41fd6a155d9b04e821c4cd8a5ddd68a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 08:32:40 -0800 +Subject: VMCI: Use set_page_dirty_lock() when unregistering guest memory + +From: Jorgen Hansen + +[ Upstream commit 5a16c535409f8dcb7568e20737309e3027ae3e49 ] + +When the VMCI host support releases guest memory in the case where +the VM was killed, the pinned guest pages aren't locked. Use +set_page_dirty_lock() instead of set_page_dirty(). + +Testing done: Killed VM while having an active VMCI based vSocket +connection and observed warning from ext4. With this fix, no +warning was observed. Ran various vSocket tests without issues. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Reviewed-by: Vishnu Dasa +Signed-off-by: Jorgen Hansen +Link: https://lore.kernel.org/r/1611160360-30299-1-git-send-email-jhansen@vmware.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c +index d6210bf92c1f2..e096aae5f6546 100644 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -732,7 +732,7 @@ static void qp_release_pages(struct page **pages, + + for (i = 0; i < num_pages; i++) { + if (dirty) +- set_page_dirty(pages[i]); ++ set_page_dirty_lock(pages[i]); + + put_page(pages[i]); + pages[i] = NULL; +-- +2.27.0 + diff --git a/queue-4.14/xen-netback-fix-spurious-event-detection-for-common-.patch b/queue-4.14/xen-netback-fix-spurious-event-detection-for-common-.patch new file mode 100644 index 00000000000..a1f838bdbc3 --- /dev/null +++ b/queue-4.14/xen-netback-fix-spurious-event-detection-for-common-.patch @@ -0,0 +1,56 @@ +From ad55736c540fa5e9618ac85c62d9d0e1cb7c4068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 11:16:12 +0100 +Subject: xen/netback: fix spurious event detection for common event case + +From: Juergen Gross + +[ Upstream commit a3daf3d39132b405781be8d9ede0c449b244b64e ] + +In case of a common event for rx and tx queue the event should be +regarded to be spurious if no rx and no tx requests are pending. + +Unfortunately the condition for testing that is wrong causing to +decide a event being spurious if no rx OR no tx requests are +pending. + +Fix that plus using local variables for rx/tx pending indicators in +order to split function calls and if condition. + +Fixes: 23025393dbeb3b ("xen/netback: use lateeoi irq binding") +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Reviewed-by: Paul Durrant +Reviewed-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/interface.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index 007600b7b8686..8ec25a5f1ee92 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -162,13 +162,15 @@ irqreturn_t xenvif_interrupt(int irq, void *dev_id) + { + struct xenvif_queue *queue = dev_id; + int old; ++ bool has_rx, has_tx; + + old = atomic_fetch_or(NETBK_COMMON_EOI, &queue->eoi_pending); + WARN(old, "Interrupt while EOI pending\n"); + +- /* Use bitwise or as we need to call both functions. */ +- if ((!xenvif_handle_tx_interrupt(queue) | +- !xenvif_handle_rx_interrupt(queue))) { ++ has_tx = xenvif_handle_tx_interrupt(queue); ++ has_rx = xenvif_handle_rx_interrupt(queue); ++ ++ if (!has_rx && !has_tx) { + atomic_andnot(NETBK_COMMON_EOI, &queue->eoi_pending); + xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS); + } +-- +2.27.0 + -- 2.47.3