From b25fec54d24053d434a03be093fcb41b3dac6ffb Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 9 Jul 2023 00:58:27 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...ssible-null-dereference-in-snd_ac97_.patch | 42 ++ ...l-and-__align-_str-outside-ifdef-__a.patch | 62 +++ queue-4.19/arcv2-entry-avoid-a-branch.patch | 38 ++ ...ents-about-hardware-auto-save-on-tak.patch | 158 ++++++ ...-out-the-z-flag-unclobber-from-commo.patch | 89 ++++ ...ite-to-enable-use-of-double-load-sto.patch | 466 ++++++++++++++++++ ...es-avoid-missing-declaration-warning.patch | 103 ++++ ...x-drop-clock-names-from-the-spi-node.patch | 42 ++ ...p93xx-fix-missing-prototype-warnings.patch | 48 ++ ...s-ulcb-kf-remove-flow-control-for-sc.patch | 46 ++ ...ement-max-value-for-alc-capture-targ.patch | 91 ++++ ...ers-cadence-ttc-fix-memory-leak-in-t.patch | 81 +++ ...ers-cadence-ttc-use-ttc-driver-as-pl.patch | 86 ++++ ...vers-unify-the-names-to-timer-format.patch | 219 ++++++++ ...ild-warnings-when-debug_fs-is-not-en.patch | 88 ++++ ...-fix-active-size-for-ampire-am-48027.patch | 51 ++ ...fix-possible-division-by-zero-errors.patch | 94 ++++ ...ete-description-of-evm_inode_setattr.patch | 39 ++ ..._mipid-fix-an-error-handling-path-in.patch | 44 ++ ...se-after-free-in-__gtp_encap_destroy.patch | 190 +++++++ .../hwrng-virtio-add-an-internal-buffer.patch | 127 +++++ ...-virtio-always-add-a-pending-request.patch | 111 +++++ .../hwrng-virtio-don-t-wait-on-cleanup.patch | 58 +++ .../hwrng-virtio-don-t-waste-entropy.patch | 130 +++++ ...x-race-on-data_avail-and-actual-data.patch | 86 ++++ ...dma.h-tx-num_descs-off-by-one-errors.patch | 110 +++++ ...-not-hardcode-interrupt-trigger-type.patch | 39 ++ ...drv260x-sleep-between-polling-go-bit.patch | 39 ++ ...ix-return-value-of-ipvlan_queue_xmit.patch | 66 +++ ...c-fix-missing-allocation-of-irq-desc.patch | 53 ++ ...c-kill-use-of-irq_create_strict_mapp.patch | 41 ++ ...a-memory-leak-in-crash_shrink_memory.patch | 93 ++++ ...initial-match-offset-for-every-block.patch | 59 +++ ...slab-out-of-bounds-in-md_bitmap_get_.patch | 65 +++ ...-loss-while-replacement-replace-rdev.patch | 79 +++ ...0-fix-overflow-of-md-safe_mode_delay.patch | 51 ++ ...rong-setting-of-max_corr_read_errors.patch | 38 ++ ...ke-memstick_debug_get_tpc_name-stati.patch | 49 ++ ...ion-mismatch-message-for-r_arm_-pc24.patch | 106 ++++ ...ion-mismatch-message-for-r_arm_abs32.patch | 133 +++++ ...e-netdev-dev_addr-assignment-helpers.patch | 82 +++ ...ntrack_sip-fix-the-ct_sip_parse_nume.patch | 53 ++ ...__sock_i_ino-for-__netlink_diag_dump.patch | 152 ++++++ ...ard-code-device-address-lenth-in-fdb.patch | 157 ++++++ ...otential-deadlock-in-netlink_set_err.patch | 117 +++++ ...eral-pointers-to-u8-char-and-sk_buff.patch | 465 +++++++++++++++++ ...sible-use-of-uninitialized-variable-.patch | 41 ++ ...clear_master-stub-for-non-config_pci.patch | 39 ++ ...ux-fix-off-by-one-in-die_get_varname.patch | 45 ++ ...4-check-return-value-of-devm_kasprin.patch | 41 ++ ...ew-return-correct-value-if-pin-in-pu.patch | 57 +++ ...nteger-overflow-issues-in-genpd_pars.patch | 48 ++ ...eon-avoid-double-free-in-ci_dpm_init.patch | 110 +++++ ...f-fix-buffer-overflow-in-tcp_basertt.patch | 36 ++ ...-error-handling-for-initialization-f.patch | 47 ++ queue-4.19/series | 76 +++ .../soc-fsl-qe-fix-usb.c-build-errors.patch | 60 +++ ...fine-dummy-watchdog_update_hrtimer_t.patch | 89 ++++ ...re-properly-prevent-false-positives-.patch | 84 ++++ ...-referencing-uninit-memory-in-ath9k_.patch | 58 +++ ...onvert-msecs-to-jiffies-where-needed.patch | 51 ++ ...-allow-to-overwrite-endpoint0-attrib.patch | 54 ++ ...r9003-mac-hardware-hang-check-regist.patch | 95 ++++ ...ossible-stall-on-ath9k_txq_list_has_.patch | 111 +++++ ...n-error-handling-path-in-atmel_probe.patch | 59 +++ ...-the-size-of-a-memory-allocation-in-.patch | 48 ++ ...-an-error-handling-path-in-orinoco_c.patch | 58 +++ ...-an-error-handling-path-in-spectrum_.patch | 59 +++ ...-useless-status-variable-in-parse_ad.patch | 53 ++ ...-an-error-handling-path-in-ray_probe.patch | 69 +++ ...ray_cs-utilize-strnlen-in-parse_addr.patch | 67 +++ ...ot-set-mmc_pm_keep_power-in-shutdown.patch | 41 ++ ...ix-an-error-handling-path-in-wl3501_.patch | 66 +++ ...bunch-of-formatting-issues-related-t.patch | 143 ++++++ ...sspelling-and-provide-missing-docume.patch | 64 +++ ...501_cs-remove-unnecessary-null-check.patch | 41 ++ .../wl3501_cs-use-eth_hw_addr_set.patch | 40 ++ 77 files changed, 6586 insertions(+) create mode 100644 queue-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch create mode 100644 queue-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch create mode 100644 queue-4.19/arcv2-entry-avoid-a-branch.patch create mode 100644 queue-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch create mode 100644 queue-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch create mode 100644 queue-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch create mode 100644 queue-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch create mode 100644 queue-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch create mode 100644 queue-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch create mode 100644 queue-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch create mode 100644 queue-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch create mode 100644 queue-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch create mode 100644 queue-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch create mode 100644 queue-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch create mode 100644 queue-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch create mode 100644 queue-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch create mode 100644 queue-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch create mode 100644 queue-4.19/evm-complete-description-of-evm_inode_setattr.patch create mode 100644 queue-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch create mode 100644 queue-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch create mode 100644 queue-4.19/hwrng-virtio-add-an-internal-buffer.patch create mode 100644 queue-4.19/hwrng-virtio-always-add-a-pending-request.patch create mode 100644 queue-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch create mode 100644 queue-4.19/hwrng-virtio-don-t-waste-entropy.patch create mode 100644 queue-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch create mode 100644 queue-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch create mode 100644 queue-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch create mode 100644 queue-4.19/input-drv260x-sleep-between-polling-go-bit.patch create mode 100644 queue-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch create mode 100644 queue-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch create mode 100644 queue-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch create mode 100644 queue-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch create mode 100644 queue-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch create mode 100644 queue-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch create mode 100644 queue-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch create mode 100644 queue-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch create mode 100644 queue-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch create mode 100644 queue-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch create mode 100644 queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch create mode 100644 queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch create mode 100644 queue-4.19/net-create-netdev-dev_addr-assignment-helpers.patch create mode 100644 queue-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch create mode 100644 queue-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch create mode 100644 queue-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch create mode 100644 queue-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch create mode 100644 queue-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch create mode 100644 queue-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch create mode 100644 queue-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch create mode 100644 queue-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch create mode 100644 queue-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch create mode 100644 queue-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch create mode 100644 queue-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch create mode 100644 queue-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch create mode 100644 queue-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch create mode 100644 queue-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch create mode 100644 queue-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch create mode 100644 queue-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch create mode 100644 queue-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch create mode 100644 queue-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch create mode 100644 queue-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch create mode 100644 queue-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch create mode 100644 queue-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch create mode 100644 queue-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch create mode 100644 queue-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch create mode 100644 queue-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch create mode 100644 queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch create mode 100644 queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch create mode 100644 queue-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch create mode 100644 queue-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch create mode 100644 queue-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch create mode 100644 queue-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch create mode 100644 queue-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch create mode 100644 queue-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch create mode 100644 queue-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch create mode 100644 queue-4.19/wl3501_cs-remove-unnecessary-null-check.patch create mode 100644 queue-4.19/wl3501_cs-use-eth_hw_addr_set.patch diff --git a/queue-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch b/queue-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch new file mode 100644 index 00000000000..1481eceac82 --- /dev/null +++ b/queue-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch @@ -0,0 +1,42 @@ +From ef191039261e6299d0524a779176e2161f7e34a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 10:17:32 +0800 +Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer + +From: Su Hui + +[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ] + +smatch error: +sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error: +we previously assumed 'rac97' could be null (see line 2072) + +remove redundant assignment, return error if rac97 is NULL. + +Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*") +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/ac97/ac97_codec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c +index a276c4283c7bb..3f13666a01904 100644 +--- a/sound/pci/ac97/ac97_codec.c ++++ b/sound/pci/ac97/ac97_codec.c +@@ -2026,8 +2026,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template, + .dev_disconnect = snd_ac97_dev_disconnect, + }; + +- if (rac97) +- *rac97 = NULL; ++ if (!rac97) ++ return -EINVAL; + if (snd_BUG_ON(!bus || !template)) + return -EINVAL; + if (snd_BUG_ON(template->num >= 4)) +-- +2.39.2 + diff --git a/queue-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch b/queue-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch new file mode 100644 index 00000000000..e31faaea748 --- /dev/null +++ b/queue-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch @@ -0,0 +1,62 @@ +From ad8837c42c62766fa3f8dfe3b124485fc46c71a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 00:50:50 +0900 +Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ + guard + +From: Masahiro Yamada + +[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ] + +ASM_NL is useful not only in *.S files but also in .c files for using +inline assembler in C code. + +On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to +a backquote (`) in *.S files, but a semicolon (;) in *.c files because +arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__, +so the definition for C code falls back to the default value defined in +include/linux/linkage.h. + +If ASM_NL is used in inline assembler in .c files, it will result in +wrong assembly code because a semicolon is not an instruction separator, +but the start of a comment for ARC. + +Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef. + +Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro") +Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/linkage.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h +index f3d29d4840d58..b89ca8b4d5975 100644 +--- a/arch/arc/include/asm/linkage.h ++++ b/arch/arc/include/asm/linkage.h +@@ -11,6 +11,10 @@ + + #include + ++#define ASM_NL ` /* use '`' to mark new line in macro */ ++#define __ALIGN .align 4 ++#define __ALIGN_STR __stringify(__ALIGN) ++ + #ifdef __ASSEMBLY__ + + .macro ST2 e, o, off +@@ -31,10 +35,6 @@ + #endif + .endm + +-#define ASM_NL ` /* use '`' to mark new line in macro */ +-#define __ALIGN .align 4 +-#define __ALIGN_STR __stringify(__ALIGN) +- + /* annotation for data we want in DCCM - if enabled in .config */ + .macro ARCFP_DATA nm + #ifdef CONFIG_ARC_HAS_DCCM +-- +2.39.2 + diff --git a/queue-4.19/arcv2-entry-avoid-a-branch.patch b/queue-4.19/arcv2-entry-avoid-a-branch.patch new file mode 100644 index 00000000000..77768c453b6 --- /dev/null +++ b/queue-4.19/arcv2-entry-avoid-a-branch.patch @@ -0,0 +1,38 @@ +From 75acdde2ef23456085ec596574a650610356060a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2019 16:24:15 -0700 +Subject: ARCv2: entry: avoid a branch + +From: Vineet Gupta + +[ Upstream commit ab854bfcd310b5872fe12eb8d3f2c30fe427f8f7 ] + +Signed-off-by: Vineet Gupta +Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/entry-arcv2.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h +index 3209a67629606..beaf655666cbd 100644 +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -100,12 +100,11 @@ + ; 2. Upon entry SP is always saved (for any inspection, unwinding etc), + ; but on return, restored only if U mode + ++ lr r9, [AUX_USER_SP] ; U mode SP ++ + mov.nz r9, sp + add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP +- bnz 1f + +- lr r9, [AUX_USER_SP] ; U mode SP +-1: + PUSH r9 ; SP (pt_regs->sp) + + PUSH fp +-- +2.39.2 + diff --git a/queue-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch b/queue-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch new file mode 100644 index 00000000000..59f7315a690 --- /dev/null +++ b/queue-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch @@ -0,0 +1,158 @@ +From d101114608fd77f1804cd33e13286d0ff46f7084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2019 16:55:15 -0700 +Subject: ARCv2: entry: comments about hardware auto-save on taken interrupts + +From: Vineet Gupta + +[ Upstream commit 45869eb0c0afd72bd5ab2437d4b00915697c044a ] + +Signed-off-by: Vineet Gupta +Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/entry-arcv2.h | 78 ++++++++++++++++++++++++------ + 1 file changed, 62 insertions(+), 16 deletions(-) + +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h +index 225e7df2d8ed8..1c3520d1fa420 100644 +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -7,15 +7,54 @@ + #include + #include /* For THREAD_SIZE */ + ++/* ++ * Interrupt/Exception stack layout (pt_regs) for ARCv2 ++ * (End of struct aligned to end of page [unless nested]) ++ * ++ * INTERRUPT EXCEPTION ++ * ++ * manual --------------------- manual ++ * | orig_r0 | ++ * | event/ECR | ++ * | bta | ++ * | user_r25 | ++ * | gp | ++ * | fp | ++ * | sp | ++ * | r12 | ++ * | r30 | ++ * | r58 | ++ * | r59 | ++ * hw autosave --------------------- ++ * optional | r0 | ++ * | r1 | ++ * ~ ~ ++ * | r9 | ++ * | r10 | ++ * | r11 | ++ * | blink | ++ * | lpe | ++ * | lps | ++ * | lpc | ++ * | ei base | ++ * | ldi base | ++ * | jli base | ++ * --------------------- ++ * hw autosave | pc / eret | ++ * mandatory | stat32 / erstatus | ++ * --------------------- ++ */ ++ + /*------------------------------------------------------------------------*/ + .macro INTERRUPT_PROLOGUE called_from +- +- ; Before jumping to Interrupt Vector, hardware micro-ops did following: ++ ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following: + ; 1. SP auto-switched to kernel mode stack +- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1, K:0) +- ; 3. Auto saved: r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI, PC, STAT32 ++ ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0) ++ ; 3. Auto save: (mandatory) Push PC and STAT32 on stack ++ ; hardware does even if CONFIG_ARC_IRQ_NO_AUTOSAVE ++ ; 4. Auto save: (optional) r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI + ; +- ; Now manually save: r12, sp, fp, gp, r25 ++ ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair + + #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE + .ifnc \called_from, exception +@@ -57,14 +96,17 @@ + ; - U mode: retrieve it from AUX_USER_SP + ; - K mode: add the offset from current SP where H/w starts auto push + ; +- ; Utilize the fact that Z bit is set if Intr taken in U mode ++ ; 1. Utilize the fact that Z bit is set if Intr taken in U mode ++ ; 2. Upon entry SP is always saved (for any inspection, unwinding etc), ++ ; but on return, restored only if U mode ++ + mov.nz r9, sp +- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ++ add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP + bnz 1f + +- lr r9, [AUX_USER_SP] ++ lr r9, [AUX_USER_SP] ; U mode SP + 1: +- PUSH r9 ; SP ++ PUSH r9 ; SP (pt_regs->sp) + + PUSH fp + PUSH gp +@@ -85,6 +127,8 @@ + /*------------------------------------------------------------------------*/ + .macro INTERRUPT_EPILOGUE called_from + ++ ; INPUT: r0 has STAT32 of calling context ++ ; INPUT: Z flag set if returning to K mode + .ifnc \called_from, exception + add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss + .endif +@@ -98,9 +142,10 @@ + POP gp + POP fp + +- ; Don't touch AUX_USER_SP if returning to K mode (Z bit set) +- ; (Z bit set on K mode is inverse of INTERRUPT_PROLOGUE) +- add.z sp, sp, 4 ++ ; Restore SP (into AUX_USER_SP) only if returning to U mode ++ ; - for K mode, it will be implicitly restored as stack is unwound ++ ; - Z flag set on K is inverse of what hardware does on interrupt entry ++ ; but that doesn't really matter + bz 1f + + POPAX AUX_USER_SP +@@ -145,11 +190,11 @@ + /*------------------------------------------------------------------------*/ + .macro EXCEPTION_PROLOGUE + +- ; Before jumping to Exception Vector, hardware micro-ops did following: ++ ; (A) Before jumping to Exception Vector, hardware micro-ops did following: + ; 1. SP auto-switched to kernel mode stack +- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1,K:0) ++ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) + ; +- ; Now manually save the complete reg file ++ ; (B) Manually save the complete reg file below + + PUSH r9 ; freeup a register: slot of erstatus + +@@ -195,12 +240,13 @@ + PUSHAX ecr ; r9 contains ECR, expected by EV_Trap + + PUSH r0 ; orig_r0 ++ ; OUTPUT: r9 has ECR + .endm + + /*------------------------------------------------------------------------*/ + .macro EXCEPTION_EPILOGUE + +- ; Assumes r0 has PT_status32 ++ ; INPUT: r0 has STAT32 of calling context + btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE + + add sp, sp, 8 ; orig_r0/ECR don't need restoring +-- +2.39.2 + diff --git a/queue-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch b/queue-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch new file mode 100644 index 00000000000..652387be135 --- /dev/null +++ b/queue-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch @@ -0,0 +1,89 @@ +From e4c727839b77a24016fb973f42e27538b4d5f0b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2019 19:16:37 -0700 +Subject: ARCv2: entry: push out the Z flag unclobber from common + EXCEPTION_PROLOGUE + +From: Vineet Gupta + +[ Upstream commit 23c0cbd0c75c3b564850294427fd2be2bc2a015b ] + +Upon a taken interrupt/exception from User mode, HS hardware auto sets Z flag. +This helps shave a few instructions from EXCEPTION_PROLOGUE by eliding +re-reading ERSTATUS and some bit fiddling. + +However TLB Miss Exception handler can clobber the CPU flags and still end +up in EXCEPTION_PROLOGUE in the slow path handling TLB handling case: + + EV_TLBMissD + do_slow_path_pf + EV_TLBProtV (aliased to call_do_page_fault) + EXCEPTION_PROLOGUE + +As a result, EXCEPTION_PROLOGUE need to "unclobber" the Z flag which this +patch changes. It is now pushed out to TLB Miss Exception handler. +The reasons beings: + + - The flag restoration is only needed for slowpath TLB Miss Exception + handling, but currently being in EXCEPTION_PROLOGUE penalizes all + exceptions such as ProtV and syscall Trap, where Z flag is already + as expected. + + - Pushing unclobber out to where it was clobbered is much cleaner and + also serves to document the fact. + + - Makes EXCEPTION_PROLGUE similar to INTERRUPT_PROLOGUE so easier to + refactor the common parts which is what this series aims to do + +Signed-off-by: Vineet Gupta +Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/entry-arcv2.h | 8 -------- + arch/arc/mm/tlbex.S | 11 +++++++++++ + 2 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h +index 1c3520d1fa420..3209a67629606 100644 +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -225,14 +225,6 @@ + + ; -- for interrupts, regs above are auto-saved by h/w in that order -- + ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25) +- ; +- ; Set Z flag if this was from U mode (expected by INTERRUPT_PROLOGUE) +- ; Although H/w exception micro-ops do set Z flag for U mode (just like +- ; for interrupts), it could get clobbered in case we soft land here from +- ; a TLB Miss exception handler (tlbex.S) +- +- and r10, r10, STATUS_U_MASK +- xor.f 0, r10, STATUS_U_MASK + + INTERRUPT_PROLOGUE exception + +diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S +index 0e1e47a67c736..e50cac799a518 100644 +--- a/arch/arc/mm/tlbex.S ++++ b/arch/arc/mm/tlbex.S +@@ -396,6 +396,17 @@ EV_TLBMissD_fast_ret: ; additional label for VDK OS-kit instrumentation + ;-------- Common routine to call Linux Page Fault Handler ----------- + do_slow_path_pf: + ++#ifdef CONFIG_ISA_ARCV2 ++ ; Set Z flag if exception in U mode. Hardware micro-ops do this on any ++ ; taken interrupt/exception, and thus is already the case at the entry ++ ; above, but ensuing code would have already clobbered. ++ ; EXCEPTION_PROLOGUE called in slow path, relies on correct Z flag set ++ ++ lr r2, [erstatus] ++ and r2, r2, STATUS_U_MASK ++ bxor.f 0, r2, STATUS_U_BIT ++#endif ++ + ; Restore the 4-scratch regs saved by fast path miss handler + TLBMISS_RESTORE_REGS + +-- +2.39.2 + diff --git a/queue-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch b/queue-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch new file mode 100644 index 00000000000..84b7ea115f7 --- /dev/null +++ b/queue-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch @@ -0,0 +1,466 @@ +From d0fb99fc001ef3d140785f937db576f9b135eadd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2019 15:36:46 -0700 +Subject: ARCv2: entry: rewrite to enable use of double load/stores LDD/STD + +From: Vineet Gupta + +[ Upstream commit a4880801a72ecc2dcdfa432f81a754f3e7438567 ] + + - the motivation was to be remove blatent copy-paste due to hasty support + of CONFIG_ARC_IRQ_NO_AUTOSAVE support + + - but with refactoring we could use LDD/STD to greatly optimize the code + +Signed-off-by: Vineet Gupta +Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/entry-arcv2.h | 297 ++++++++++++++--------------- + arch/arc/include/asm/linkage.h | 18 ++ + arch/arc/kernel/asm-offsets.c | 7 + + arch/arc/kernel/entry-arcv2.S | 4 +- + 4 files changed, 167 insertions(+), 159 deletions(-) + +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h +index beaf655666cbd..0733752ce7fe8 100644 +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -46,7 +46,8 @@ + */ + + /*------------------------------------------------------------------------*/ +-.macro INTERRUPT_PROLOGUE called_from ++.macro INTERRUPT_PROLOGUE ++ + ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following: + ; 1. SP auto-switched to kernel mode stack + ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0) +@@ -57,39 +58,87 @@ + ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair + + #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE +-.ifnc \called_from, exception +- st.as r9, [sp, -10] ; save r9 in it's final stack slot +- sub sp, sp, 12 ; skip JLI, LDI, EI +- +- PUSH lp_count +- PUSHAX lp_start +- PUSHAX lp_end +- PUSH blink +- +- PUSH r11 +- PUSH r10 +- +- sub sp, sp, 4 ; skip r9 +- +- PUSH r8 +- PUSH r7 +- PUSH r6 +- PUSH r5 +- PUSH r4 +- PUSH r3 +- PUSH r2 +- PUSH r1 +- PUSH r0 +-.endif +-#endif ++ ; carve pt_regs on stack (case #3), PC/STAT32 already on stack ++ sub sp, sp, SZ_PT_REGS - 8 + +-#ifdef CONFIG_ARC_HAS_ACCL_REGS +- PUSH r59 +- PUSH r58 ++ __SAVE_REGFILE_HARD ++#else ++ ; carve pt_regs on stack (case #4), which grew partially already ++ sub sp, sp, PT_r0 + #endif + +- PUSH r30 +- PUSH r12 ++ __SAVE_REGFILE_SOFT ++.endm ++ ++/*------------------------------------------------------------------------*/ ++.macro EXCEPTION_PROLOGUE ++ ++ ; (A) Before jumping to Exception Vector, hardware micro-ops did following: ++ ; 1. SP auto-switched to kernel mode stack ++ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) ++ ; ++ ; (B) Manually save the complete reg file below ++ ++ sub sp, sp, SZ_PT_REGS ; carve pt_regs ++ ++ ; _HARD saves r10 clobbered by _SOFT as scratch hence comes first ++ ++ __SAVE_REGFILE_HARD ++ __SAVE_REGFILE_SOFT ++ ++ st r0, [sp] ; orig_r0 ++ ++ lr r10, [eret] ++ lr r11, [erstatus] ++ ST2 r10, r11, PT_ret ++ ++ lr r10, [ecr] ++ lr r11, [erbta] ++ ST2 r10, r11, PT_event ++ mov r9, r10 ++ ++ ; OUTPUT: r9 has ECR ++.endm ++ ++/*------------------------------------------------------------------------ ++ * This macro saves the registers manually which would normally be autosaved ++ * by hardware on taken interrupts. It is used by ++ * - exception handlers (which don't have autosave) ++ * - interrupt autosave disabled due to CONFIG_ARC_IRQ_NO_AUTOSAVE ++ */ ++.macro __SAVE_REGFILE_HARD ++ ++ ST2 r0, r1, PT_r0 ++ ST2 r2, r3, PT_r2 ++ ST2 r4, r5, PT_r4 ++ ST2 r6, r7, PT_r6 ++ ST2 r8, r9, PT_r8 ++ ST2 r10, r11, PT_r10 ++ ++ st blink, [sp, PT_blink] ++ ++ lr r10, [lp_end] ++ lr r11, [lp_start] ++ ST2 r10, r11, PT_lpe ++ ++ st lp_count, [sp, PT_lpc] ++ ++ ; skip JLI, LDI, EI for now ++.endm ++ ++/*------------------------------------------------------------------------ ++ * This macros saves a bunch of other registers which can't be autosaved for ++ * various reasons: ++ * - r12: the last caller saved scratch reg since hardware saves in pairs so r0-r11 ++ * - r30: free reg, used by gcc as scratch ++ * - ACCL/ACCH pair when they exist ++ */ ++.macro __SAVE_REGFILE_SOFT ++ ++ ST2 gp, fp, PT_r26 ; gp (r26), fp (r27) ++ ++ st r12, [sp, PT_sp + 4] ++ st r30, [sp, PT_sp + 8] + + ; Saving pt_regs->sp correctly requires some extra work due to the way + ; Auto stack switch works +@@ -100,46 +149,32 @@ + ; 2. Upon entry SP is always saved (for any inspection, unwinding etc), + ; but on return, restored only if U mode + +- lr r9, [AUX_USER_SP] ; U mode SP ++ lr r10, [AUX_USER_SP] ; U mode SP + +- mov.nz r9, sp +- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP ++ ; ISA requires ADD.nz to have same dest and src reg operands ++ mov.nz r10, sp ++ add.nz r10, r10, SZ_PT_REGS ; K mode SP + +- PUSH r9 ; SP (pt_regs->sp) +- +- PUSH fp +- PUSH gp ++ st r10, [sp, PT_sp] ; SP (pt_regs->sp) + + #ifdef CONFIG_ARC_CURR_IN_REG +- PUSH r25 ; user_r25 ++ st r25, [sp, PT_user_r25] + GET_CURR_TASK_ON_CPU r25 +-#else +- sub sp, sp, 4 + #endif + +-.ifnc \called_from, exception +- sub sp, sp, 12 ; BTA/ECR/orig_r0 placeholder per pt_regs +-.endif ++#ifdef CONFIG_ARC_HAS_ACCL_REGS ++ ST2 r58, r59, PT_sp + 12 ++#endif + + .endm + + /*------------------------------------------------------------------------*/ +-.macro INTERRUPT_EPILOGUE called_from ++.macro __RESTORE_REGFILE_SOFT + +- ; INPUT: r0 has STAT32 of calling context +- ; INPUT: Z flag set if returning to K mode +-.ifnc \called_from, exception +- add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss +-.endif +- +-#ifdef CONFIG_ARC_CURR_IN_REG +- POP r25 +-#else +- add sp, sp, 4 +-#endif ++ LD2 gp, fp, PT_r26 ; gp (r26), fp (r27) + +- POP gp +- POP fp ++ ld r12, [sp, PT_sp + 4] ++ ld r30, [sp, PT_sp + 8] + + ; Restore SP (into AUX_USER_SP) only if returning to U mode + ; - for K mode, it will be implicitly restored as stack is unwound +@@ -147,129 +182,77 @@ + ; but that doesn't really matter + bz 1f + +- POPAX AUX_USER_SP ++ ld r10, [sp, PT_sp] ; SP (pt_regs->sp) ++ sr r10, [AUX_USER_SP] + 1: +- POP r12 +- POP r30 + +-#ifdef CONFIG_ARC_HAS_ACCL_REGS +- POP r58 +- POP r59 ++#ifdef CONFIG_ARC_CURR_IN_REG ++ ld r25, [sp, PT_user_r25] + #endif + +-#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE +-.ifnc \called_from, exception +- POP r0 +- POP r1 +- POP r2 +- POP r3 +- POP r4 +- POP r5 +- POP r6 +- POP r7 +- POP r8 +- POP r9 +- POP r10 +- POP r11 +- +- POP blink +- POPAX lp_end +- POPAX lp_start +- +- POP r9 +- mov lp_count, r9 +- +- add sp, sp, 12 ; skip JLI, LDI, EI +- ld.as r9, [sp, -10] ; reload r9 which got clobbered +-.endif ++#ifdef CONFIG_ARC_HAS_ACCL_REGS ++ LD2 r58, r59, PT_sp + 12 + #endif +- + .endm + + /*------------------------------------------------------------------------*/ +-.macro EXCEPTION_PROLOGUE ++.macro __RESTORE_REGFILE_HARD + +- ; (A) Before jumping to Exception Vector, hardware micro-ops did following: +- ; 1. SP auto-switched to kernel mode stack +- ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) +- ; +- ; (B) Manually save the complete reg file below ++ ld blink, [sp, PT_blink] + +- PUSH r9 ; freeup a register: slot of erstatus ++ LD2 r10, r11, PT_lpe ++ sr r10, [lp_end] ++ sr r11, [lp_start] + +- PUSHAX eret +- sub sp, sp, 12 ; skip JLI, LDI, EI +- PUSH lp_count +- PUSHAX lp_start +- PUSHAX lp_end +- PUSH blink ++ ld r10, [sp, PT_lpc] ; lp_count can't be target of LD ++ mov lp_count, r10 + +- PUSH r11 +- PUSH r10 ++ LD2 r0, r1, PT_r0 ++ LD2 r2, r3, PT_r2 ++ LD2 r4, r5, PT_r4 ++ LD2 r6, r7, PT_r6 ++ LD2 r8, r9, PT_r8 ++ LD2 r10, r11, PT_r10 ++.endm + +- ld.as r9, [sp, 10] ; load stashed r9 (status32 stack slot) +- lr r10, [erstatus] +- st.as r10, [sp, 10] ; save status32 at it's right stack slot + +- PUSH r9 +- PUSH r8 +- PUSH r7 +- PUSH r6 +- PUSH r5 +- PUSH r4 +- PUSH r3 +- PUSH r2 +- PUSH r1 +- PUSH r0 ++/*------------------------------------------------------------------------*/ ++.macro INTERRUPT_EPILOGUE + +- ; -- for interrupts, regs above are auto-saved by h/w in that order -- +- ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25) ++ ; INPUT: r0 has STAT32 of calling context ++ ; INPUT: Z flag set if returning to K mode + +- INTERRUPT_PROLOGUE exception ++ ; _SOFT clobbers r10 restored by _HARD hence the order + +- PUSHAX erbta +- PUSHAX ecr ; r9 contains ECR, expected by EV_Trap ++ __RESTORE_REGFILE_SOFT ++ ++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE ++ __RESTORE_REGFILE_HARD ++ add sp, sp, SZ_PT_REGS - 8 ++#else ++ add sp, sp, PT_r0 ++#endif + +- PUSH r0 ; orig_r0 +- ; OUTPUT: r9 has ECR + .endm + + /*------------------------------------------------------------------------*/ + .macro EXCEPTION_EPILOGUE + + ; INPUT: r0 has STAT32 of calling context +- btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE +- +- add sp, sp, 8 ; orig_r0/ECR don't need restoring +- POPAX erbta +- +- INTERRUPT_EPILOGUE exception +- +- POP r0 +- POP r1 +- POP r2 +- POP r3 +- POP r4 +- POP r5 +- POP r6 +- POP r7 +- POP r8 +- POP r9 +- POP r10 +- POP r11 +- +- POP blink +- POPAX lp_end +- POPAX lp_start +- +- POP r9 +- mov lp_count, r9 +- +- add sp, sp, 12 ; skip JLI, LDI, EI +- POPAX eret +- POPAX erstatus +- +- ld.as r9, [sp, -12] ; reload r9 which got clobbered ++ ++ btst r0, STATUS_U_BIT ; Z flag set if K, used in restoring SP ++ ++ ld r10, [sp, PT_event + 4] ++ sr r10, [erbta] ++ ++ LD2 r10, r11, PT_ret ++ sr r10, [eret] ++ sr r11, [erstatus] ++ ++ __RESTORE_REGFILE_SOFT ++ __RESTORE_REGFILE_HARD ++ ++ add sp, sp, SZ_PT_REGS + .endm + + .macro FAKE_RET_FROM_EXCPN +diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h +index 07c8e1a6c56e2..f3d29d4840d58 100644 +--- a/arch/arc/include/asm/linkage.h ++++ b/arch/arc/include/asm/linkage.h +@@ -13,6 +13,24 @@ + + #ifdef __ASSEMBLY__ + ++.macro ST2 e, o, off ++#ifdef CONFIG_ARC_HAS_LL64 ++ std \e, [sp, \off] ++#else ++ st \e, [sp, \off] ++ st \o, [sp, \off+4] ++#endif ++.endm ++ ++.macro LD2 e, o, off ++#ifdef CONFIG_ARC_HAS_LL64 ++ ldd \e, [sp, \off] ++#else ++ ld \e, [sp, \off] ++ ld \o, [sp, \off+4] ++#endif ++.endm ++ + #define ASM_NL ` /* use '`' to mark new line in macro */ + #define __ALIGN .align 4 + #define __ALIGN_STR __stringify(__ALIGN) +diff --git a/arch/arc/kernel/asm-offsets.c b/arch/arc/kernel/asm-offsets.c +index ecaf34e9235c2..e90dccecfd833 100644 +--- a/arch/arc/kernel/asm-offsets.c ++++ b/arch/arc/kernel/asm-offsets.c +@@ -58,7 +58,14 @@ int main(void) + DEFINE(PT_r5, offsetof(struct pt_regs, r5)); + DEFINE(PT_r6, offsetof(struct pt_regs, r6)); + DEFINE(PT_r7, offsetof(struct pt_regs, r7)); ++ DEFINE(PT_r8, offsetof(struct pt_regs, r8)); ++ DEFINE(PT_r10, offsetof(struct pt_regs, r10)); ++ DEFINE(PT_r26, offsetof(struct pt_regs, r26)); + DEFINE(PT_ret, offsetof(struct pt_regs, ret)); ++ DEFINE(PT_blink, offsetof(struct pt_regs, blink)); ++ DEFINE(PT_lpe, offsetof(struct pt_regs, lp_end)); ++ DEFINE(PT_lpc, offsetof(struct pt_regs, lp_count)); ++ DEFINE(PT_user_r25, offsetof(struct pt_regs, user_r25)); + + DEFINE(SZ_CALLEE_REGS, sizeof(struct callee_regs)); + DEFINE(SZ_PT_REGS, sizeof(struct pt_regs)); +diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S +index 562089d62d9d6..6cbf0ee8a20a7 100644 +--- a/arch/arc/kernel/entry-arcv2.S ++++ b/arch/arc/kernel/entry-arcv2.S +@@ -70,7 +70,7 @@ reserved: + + ENTRY(handle_interrupt) + +- INTERRUPT_PROLOGUE irq ++ INTERRUPT_PROLOGUE + + # irq control APIs local_irq_save/restore/disable/enable fiddle with + # global interrupt enable bits in STATUS32 (.IE for 1 prio, .E[] for 2 prio) +@@ -226,7 +226,7 @@ debug_marker_l1: + bset.nz r11, r11, AUX_IRQ_ACT_BIT_U ; NZ means U + sr r11, [AUX_IRQ_ACT] + +- INTERRUPT_EPILOGUE irq ++ INTERRUPT_EPILOGUE + rtie + + ;####### Return from Exception / pure kernel mode ####### +-- +2.39.2 + diff --git a/queue-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch b/queue-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch new file mode 100644 index 00000000000..eaed1169263 --- /dev/null +++ b/queue-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch @@ -0,0 +1,103 @@ +From b648318ddaf8c9c7c7a842d6e3b8fde1d8af0729 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 19:28:42 +0100 +Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings + +From: Arnd Bergmann + +[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ] + +checker_stack_use_t32strd() and kprobe_handler() can be made static since +they are not used from other files, while coverage_start_registers() +and __kprobes_test_case() are used from assembler code, and just need +a declaration to avoid a warning with the global definition. + +arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd' +arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler' +arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers' +arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start' +arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16' +arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32' + +Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions") +Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation") +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Kees Cook +Signed-off-by: Arnd Bergmann +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/probes/kprobes/checkers-common.c | 2 +- + arch/arm/probes/kprobes/core.c | 2 +- + arch/arm/probes/kprobes/opt-arm.c | 2 -- + arch/arm/probes/kprobes/test-core.c | 2 +- + arch/arm/probes/kprobes/test-core.h | 4 ++++ + 5 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c +index 971119c294741..aa10e5e46ebb2 100644 +--- a/arch/arm/probes/kprobes/checkers-common.c ++++ b/arch/arm/probes/kprobes/checkers-common.c +@@ -48,7 +48,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn, + * Different from other insn uses imm8, the real addressing offset of + * STRD in T32 encoding should be imm8 * 4. See ARMARM description. + */ +-enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, ++static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, + struct arch_probes_insn *asi, + const struct decode_header *h) + { +diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c +index 62da8e2211e4b..0a7090a65bcad 100644 +--- a/arch/arm/probes/kprobes/core.c ++++ b/arch/arm/probes/kprobes/core.c +@@ -239,7 +239,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) + * kprobe, and that level is reserved for user kprobe handlers, so we can't + * risk encountering a new kprobe in an interrupt handler. + */ +-void __kprobes kprobe_handler(struct pt_regs *regs) ++static void __kprobes kprobe_handler(struct pt_regs *regs) + { + struct kprobe *p, *cur; + struct kprobe_ctlblk *kcb; +diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c +index cf08cb7267670..1516c340a0766 100644 +--- a/arch/arm/probes/kprobes/opt-arm.c ++++ b/arch/arm/probes/kprobes/opt-arm.c +@@ -158,8 +158,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty) + } + } + +-extern void kprobe_handler(struct pt_regs *regs); +- + static void + optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs) + { +diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c +index cc237fa9b90fb..1c86c5d980c5b 100644 +--- a/arch/arm/probes/kprobes/test-core.c ++++ b/arch/arm/probes/kprobes/test-core.c +@@ -723,7 +723,7 @@ static const char coverage_register_lookup[16] = { + [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP, + }; + +-unsigned coverage_start_registers(const struct decode_header *h) ++static unsigned coverage_start_registers(const struct decode_header *h) + { + unsigned regs = 0; + int i; +diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h +index 94285203e9f74..459ebda077139 100644 +--- a/arch/arm/probes/kprobes/test-core.h ++++ b/arch/arm/probes/kprobes/test-core.h +@@ -456,3 +456,7 @@ void kprobe_thumb32_test_cases(void); + #else + void kprobe_arm_test_cases(void); + #endif ++ ++void __kprobes_test_case_start(void); ++void __kprobes_test_case_end_16(void); ++void __kprobes_test_case_end_32(void); +-- +2.39.2 + diff --git a/queue-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch b/queue-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch new file mode 100644 index 00000000000..be7310d817f --- /dev/null +++ b/queue-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch @@ -0,0 +1,42 @@ +From 4e52ab7d7ce44846873fd33945aadd2562facd21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 May 2023 14:28:30 +0200 +Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ] + +There is no such property in the SPI controller binding documentation. +Also Linux driver doesn't look for it. + +This fixes: +arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected) + From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm5301x.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi +index 6edc4bd1e7eaf..a6406a347690e 100644 +--- a/arch/arm/boot/dts/bcm5301x.dtsi ++++ b/arch/arm/boot/dts/bcm5301x.dtsi +@@ -468,7 +468,6 @@ spi@18029200 { + "spi_lr_session_done", + "spi_lr_overread"; + clocks = <&iprocmed>; +- clock-names = "iprocmed"; + num-cs = <2>; + #address-cells = <1>; + #size-cells = <0>; +-- +2.39.2 + diff --git a/queue-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch b/queue-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch new file mode 100644 index 00000000000..1c80e49cf00 --- /dev/null +++ b/queue-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch @@ -0,0 +1,48 @@ +From d144f3f81fdf6521253b26f80c563d4fd016ec06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 17:30:58 +0200 +Subject: ARM: ep93xx: fix missing-prototype warnings + +From: Arnd Bergmann + +[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ] + +ep93xx_clocksource_read() is only called from the file it is declared in, +while ep93xx_timer_init() is declared in a header that is not included here. + +arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init' +arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read' + +Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS") +Acked-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c +index de998830f534f..b07956883e165 100644 +--- a/arch/arm/mach-ep93xx/timer-ep93xx.c ++++ b/arch/arm/mach-ep93xx/timer-ep93xx.c +@@ -9,6 +9,7 @@ + #include + #include + #include "soc.h" ++#include "platform.h" + + /************************************************************************* + * Timer handling for EP93xx +@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void) + return ret; + } + +-u64 ep93xx_clocksource_read(struct clocksource *c) ++static u64 ep93xx_clocksource_read(struct clocksource *c) + { + u64 ret; + +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch b/queue-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch new file mode 100644 index 00000000000..26ea09779ca --- /dev/null +++ b/queue-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch @@ -0,0 +1,46 @@ +From b47a7c0f977c015c3bb169a6ccbe0fb4704473aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 10:48:22 +0200 +Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1 + +From: Wolfram Sang + +[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ] + +The schematics are misleading, the flow control is for HSCIF1. We need +SCIF1 for GNSS/GPS which does not use flow control. + +Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1") +Signed-off-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi +index 8bf3091a899c8..5abffdaf4077e 100644 +--- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi ++++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi +@@ -165,7 +165,7 @@ hscif0_pins: hscif0 { + }; + + scif1_pins: scif1 { +- groups = "scif1_data_b", "scif1_ctrl"; ++ groups = "scif1_data_b"; + function = "scif1"; + }; + +@@ -178,7 +178,6 @@ usb0_pins: usb0 { + &scif1 { + pinctrl-0 = <&scif1_pins>; + pinctrl-names = "default"; +- uart-has-rtscts; + + status = "okay"; + }; +-- +2.39.2 + diff --git a/queue-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch b/queue-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch new file mode 100644 index 00000000000..3380105e7d4 --- /dev/null +++ b/queue-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch @@ -0,0 +1,91 @@ +From 8f45f8cea8f66aefea559e9624ac96ba2ff58970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 21:11:38 +0300 +Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume + control + +From: Cristian Ciocaltea + +[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ] + +The following error occurs when trying to restore a previously saved +ALSA mixer state (tested on a Rock 5B board): + + $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog + $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog + alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument + +According to ES8316 datasheet, the register at address 0x2B, which is +related to the above mixer control, contains by default the value 0xB0. +Considering the corresponding ALC target bits (ALCLVL) are 7:4, the +control is initialized with 11, which is one step above the maximum +value allowed by the driver: + + ALCLVL | dB gain + -------+-------- + 0000 | -16.5 + 0001 | -15.0 + 0010 | -13.5 + .... | ..... + 0111 | -6.0 + 1000 | -4.5 + 1001 | -3.0 + 1010 | -1.5 + .... | ..... + 1111 | -1.5 + +The tests performed using the VU meter feature (--vumeter=TYPE) of +arecord/aplay confirm the specs are correct and there is no measured +gain if the 1011-1111 range would have been mapped to 0 dB: + + dB gain | VU meter % + --------+----------- + -6.0 | 30-31 + -4.5 | 35-36 + -3.0 | 42-43 + -1.5 | 50-51 + 0.0 | 50-51 + +Increment the max value allowed for ALC Capture Target Volume control, +so that it matches the hardware default. Additionally, update the +related TLV to prevent an artificial extension of the dB gain range. + +Fixes: b8b88b70875a ("ASoC: add es8316 codec driver") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/es8316.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c +index 57130edaf3aba..834e542021fee 100644 +--- a/sound/soc/codecs/es8316.c ++++ b/sound/soc/codecs/es8316.c +@@ -45,7 +45,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0); +-static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0); ++ ++static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv, ++ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0), ++ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0), ++); ++ + static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv, + 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0), + 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0), +@@ -107,7 +112,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = { + alc_max_gain_tlv), + SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0, + alc_min_gain_tlv), +- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0, ++ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0, + alc_target_tlv), + SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0), + SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0), +-- +2.39.2 + diff --git a/queue-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch b/queue-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch new file mode 100644 index 00000000000..2c4588c7317 --- /dev/null +++ b/queue-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch @@ -0,0 +1,81 @@ +From cdce24c230c530209c4401a7acb8c7930aa81309 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 06:56:11 +0000 +Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe + +From: Feng Mingxi + +[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ] + +Smatch reports: +drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe() +warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516. + +timer_baseaddr may have the problem of not being released after use, +I replaced it with the devm_of_iomap() function and added the clk_put() +function to cleanup the "clk_ce" and "clk_cs". + +Fixes: e932900a3279 ("arm: zynq: Use standard timer binding") +Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") +Signed-off-by: Feng Mingxi +Reviewed-by: Dongliang Mu +Acked-by: Michal Simek +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c +index b1df0ded8f521..16b9bfb257564 100644 +--- a/drivers/clocksource/timer-cadence-ttc.c ++++ b/drivers/clocksource/timer-cadence-ttc.c +@@ -494,10 +494,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev) + * and use it. Note that the event timer uses the interrupt and it's the + * 2nd TTC hence the irq_of_parse_and_map(,1) + */ +- timer_baseaddr = of_iomap(timer, 0); +- if (!timer_baseaddr) { ++ timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL); ++ if (IS_ERR(timer_baseaddr)) { + pr_err("ERROR: invalid timer base address\n"); +- return -ENXIO; ++ return PTR_ERR(timer_baseaddr); + } + + irq = irq_of_parse_and_map(timer, 1); +@@ -521,20 +521,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev) + clk_ce = of_clk_get(timer, clksel); + if (IS_ERR(clk_ce)) { + pr_err("ERROR: timer input clock not found\n"); +- return PTR_ERR(clk_ce); ++ ret = PTR_ERR(clk_ce); ++ goto put_clk_cs; + } + + ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width); + if (ret) +- return ret; ++ goto put_clk_ce; + + ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq); + if (ret) +- return ret; ++ goto put_clk_ce; + + pr_info("%s #0 at %p, irq=%d\n", timer->name, timer_baseaddr, irq); + + return 0; ++ ++put_clk_ce: ++ clk_put(clk_ce); ++put_clk_cs: ++ clk_put(clk_cs); ++ return ret; + } + + static const struct of_device_id ttc_timer_of_match[] = { +-- +2.39.2 + diff --git a/queue-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch b/queue-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch new file mode 100644 index 00000000000..aefa2443a58 --- /dev/null +++ b/queue-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch @@ -0,0 +1,86 @@ +From 86fdffa20ff885a32027563da0692cd00e56eca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 02:36:28 -0800 +Subject: clocksource/drivers/cadence-ttc: Use ttc driver as platform driver + +From: Rajan Vaja + +[ Upstream commit f5ac896b6a23eb46681cdbef440c1d991b04e519 ] + +Currently TTC driver is TIMER_OF_DECLARE type driver. Because of +that, TTC driver may be initialized before other clock drivers. If +TTC driver is dependent on that clock driver then initialization of +TTC driver will failed. + +So use TTC driver as platform driver instead of using +TIMER_OF_DECLARE. + +Signed-off-by: Rajan Vaja +Tested-by: Michal Simek +Acked-by: Michal Simek +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/1573122988-18399-1-git-send-email-rajan.vaja@xilinx.com +Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe") +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-cadence-ttc.c | 26 +++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c +index a7eb858a84a0f..b1df0ded8f521 100644 +--- a/drivers/clocksource/timer-cadence-ttc.c ++++ b/drivers/clocksource/timer-cadence-ttc.c +@@ -23,6 +23,8 @@ + #include + #include + #include ++#include ++#include + + /* + * This driver configures the 2 16/32-bit count-up timers as follows: +@@ -472,13 +474,7 @@ static int __init ttc_setup_clockevent(struct clk *clk, + return err; + } + +-/** +- * ttc_timer_init - Initialize the timer +- * +- * Initializes the timer hardware and register the clock source and clock event +- * timers with Linux kernal timer framework +- */ +-static int __init ttc_timer_init(struct device_node *timer) ++static int __init ttc_timer_probe(struct platform_device *pdev) + { + unsigned int irq; + void __iomem *timer_baseaddr; +@@ -486,6 +482,7 @@ static int __init ttc_timer_init(struct device_node *timer) + static int initialized; + int clksel, ret; + u32 timer_width = 16; ++ struct device_node *timer = pdev->dev.of_node; + + if (initialized) + return 0; +@@ -540,4 +537,17 @@ static int __init ttc_timer_init(struct device_node *timer) + return 0; + } + +-TIMER_OF_DECLARE(ttc, "cdns,ttc", ttc_timer_init); ++static const struct of_device_id ttc_timer_of_match[] = { ++ {.compatible = "cdns,ttc"}, ++ {}, ++}; ++ ++MODULE_DEVICE_TABLE(of, ttc_timer_of_match); ++ ++static struct platform_driver ttc_timer_driver = { ++ .driver = { ++ .name = "cdns_ttc_timer", ++ .of_match_table = ttc_timer_of_match, ++ }, ++}; ++builtin_platform_driver_probe(ttc_timer_driver, ttc_timer_probe); +-- +2.39.2 + diff --git a/queue-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch b/queue-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch new file mode 100644 index 00000000000..46574bac1d9 --- /dev/null +++ b/queue-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch @@ -0,0 +1,219 @@ +From ca60c700dea2b20caf43a6b9c00124a3dd36d227 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Sep 2018 05:59:23 +0200 +Subject: clocksource/drivers: Unify the names to timer-* format +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Lezcano + +[ Upstream commit 9d8d47ea6ec6048abc75ccc4486aff1a7db1ff4b ] + +In order to make some housekeeping in the directory, this patch renames +drivers to the timer-* format in order to unify their names. + +There is no functional changes. + +Acked-by: Uwe Kleine-König +Acked-by: Vladimir Zapolskiy +Acked-by: Liviu Dudau + +Signed-off-by: Daniel Lezcano +Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe") +Signed-off-by: Sasha Levin +--- + MAINTAINERS | 10 +++---- + drivers/clocksource/Makefile | 26 +++++++++---------- + ...-armada-370-xp.c => timer-armada-370-xp.c} | 0 + ...adence_ttc_timer.c => timer-cadence-ttc.c} | 0 + .../{time-efm32.c => timer-efm32.c} | 0 + .../{fsl_ftm_timer.c => timer-fsl-ftm.c} | 0 + .../{time-lpc32xx.c => timer-lpc32xx.c} | 0 + .../{time-orion.c => timer-orion.c} | 0 + .../clocksource/{owl-timer.c => timer-owl.c} | 0 + .../{time-pistachio.c => timer-pistachio.c} | 0 + .../{qcom-timer.c => timer-qcom.c} | 0 + .../{versatile.c => timer-versatile.c} | 0 + .../{vf_pit_timer.c => timer-vf-pit.c} | 0 + .../{vt8500_timer.c => timer-vt8500.c} | 0 + .../{zevio-timer.c => timer-zevio.c} | 0 + 15 files changed, 18 insertions(+), 18 deletions(-) + rename drivers/clocksource/{time-armada-370-xp.c => timer-armada-370-xp.c} (100%) + rename drivers/clocksource/{cadence_ttc_timer.c => timer-cadence-ttc.c} (100%) + rename drivers/clocksource/{time-efm32.c => timer-efm32.c} (100%) + rename drivers/clocksource/{fsl_ftm_timer.c => timer-fsl-ftm.c} (100%) + rename drivers/clocksource/{time-lpc32xx.c => timer-lpc32xx.c} (100%) + rename drivers/clocksource/{time-orion.c => timer-orion.c} (100%) + rename drivers/clocksource/{owl-timer.c => timer-owl.c} (100%) + rename drivers/clocksource/{time-pistachio.c => timer-pistachio.c} (100%) + rename drivers/clocksource/{qcom-timer.c => timer-qcom.c} (100%) + rename drivers/clocksource/{versatile.c => timer-versatile.c} (100%) + rename drivers/clocksource/{vf_pit_timer.c => timer-vf-pit.c} (100%) + rename drivers/clocksource/{vt8500_timer.c => timer-vt8500.c} (100%) + rename drivers/clocksource/{zevio-timer.c => timer-zevio.c} (100%) + +diff --git a/MAINTAINERS b/MAINTAINERS +index 3d3d7f5d1c3f1..59003315a9597 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -1180,7 +1180,7 @@ N: owl + F: arch/arm/mach-actions/ + F: arch/arm/boot/dts/owl-* + F: arch/arm64/boot/dts/actions/ +-F: drivers/clocksource/owl-* ++F: drivers/clocksource/timer-owl* + F: drivers/pinctrl/actions/* + F: drivers/soc/actions/ + F: include/dt-bindings/power/owl-* +@@ -1603,7 +1603,7 @@ L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers) + S: Maintained + F: arch/arm/boot/dts/lpc43* + F: drivers/clk/nxp/clk-lpc18xx* +-F: drivers/clocksource/time-lpc32xx.c ++F: drivers/clocksource/timer-lpc32xx.c + F: drivers/i2c/busses/i2c-lpc2k.c + F: drivers/memory/pl172.c + F: drivers/mtd/spi-nor/nxp-spifi.c +@@ -2219,7 +2219,7 @@ F: arch/arm/mach-vexpress/ + F: */*/vexpress* + F: */*/*/vexpress* + F: drivers/clk/versatile/clk-vexpress-osc.c +-F: drivers/clocksource/versatile.c ++F: drivers/clocksource/timer-versatile.c + N: mps2 + + ARM/VFP SUPPORT +@@ -2241,7 +2241,7 @@ M: Tony Prisk + L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers) + S: Maintained + F: arch/arm/mach-vt8500/ +-F: drivers/clocksource/vt8500_timer.c ++F: drivers/clocksource/timer-vt8500.c + F: drivers/i2c/busses/i2c-wmt.c + F: drivers/mmc/host/wmt-sdmmc.c + F: drivers/pwm/pwm-vt8500.c +@@ -2306,7 +2306,7 @@ F: drivers/cpuidle/cpuidle-zynq.c + F: drivers/block/xsysace.c + N: zynq + N: xilinx +-F: drivers/clocksource/cadence_ttc_timer.c ++F: drivers/clocksource/timer-cadence-ttc.c + F: drivers/i2c/busses/i2c-cadence.c + F: drivers/mmc/host/sdhci-of-arasan.c + F: drivers/edac/synopsys_edac.c +diff --git a/drivers/clocksource/Makefile b/drivers/clocksource/Makefile +index db51b2427e8a6..e33b21d3f9d8b 100644 +--- a/drivers/clocksource/Makefile ++++ b/drivers/clocksource/Makefile +@@ -23,8 +23,8 @@ obj-$(CONFIG_FTTMR010_TIMER) += timer-fttmr010.o + obj-$(CONFIG_ROCKCHIP_TIMER) += rockchip_timer.o + obj-$(CONFIG_CLKSRC_NOMADIK_MTU) += nomadik-mtu.o + obj-$(CONFIG_CLKSRC_DBX500_PRCMU) += clksrc-dbx500-prcmu.o +-obj-$(CONFIG_ARMADA_370_XP_TIMER) += time-armada-370-xp.o +-obj-$(CONFIG_ORION_TIMER) += time-orion.o ++obj-$(CONFIG_ARMADA_370_XP_TIMER) += timer-armada-370-xp.o ++obj-$(CONFIG_ORION_TIMER) += timer-orion.o + obj-$(CONFIG_BCM2835_TIMER) += bcm2835_timer.o + obj-$(CONFIG_CLPS711X_TIMER) += clps711x-timer.o + obj-$(CONFIG_ATLAS7_TIMER) += timer-atlas7.o +@@ -36,25 +36,25 @@ obj-$(CONFIG_SUN4I_TIMER) += sun4i_timer.o + obj-$(CONFIG_SUN5I_HSTIMER) += timer-sun5i.o + obj-$(CONFIG_MESON6_TIMER) += meson6_timer.o + obj-$(CONFIG_TEGRA_TIMER) += tegra20_timer.o +-obj-$(CONFIG_VT8500_TIMER) += vt8500_timer.o +-obj-$(CONFIG_NSPIRE_TIMER) += zevio-timer.o ++obj-$(CONFIG_VT8500_TIMER) += timer-vt8500.o ++obj-$(CONFIG_NSPIRE_TIMER) += timer-zevio.o + obj-$(CONFIG_BCM_KONA_TIMER) += bcm_kona_timer.o +-obj-$(CONFIG_CADENCE_TTC_TIMER) += cadence_ttc_timer.o +-obj-$(CONFIG_CLKSRC_EFM32) += time-efm32.o ++obj-$(CONFIG_CADENCE_TTC_TIMER) += timer-cadence-ttc.o ++obj-$(CONFIG_CLKSRC_EFM32) += timer-efm32.o + obj-$(CONFIG_CLKSRC_STM32) += timer-stm32.o + obj-$(CONFIG_CLKSRC_EXYNOS_MCT) += exynos_mct.o +-obj-$(CONFIG_CLKSRC_LPC32XX) += time-lpc32xx.o ++obj-$(CONFIG_CLKSRC_LPC32XX) += timer-lpc32xx.o + obj-$(CONFIG_CLKSRC_MPS2) += mps2-timer.o + obj-$(CONFIG_CLKSRC_SAMSUNG_PWM) += samsung_pwm_timer.o +-obj-$(CONFIG_FSL_FTM_TIMER) += fsl_ftm_timer.o +-obj-$(CONFIG_VF_PIT_TIMER) += vf_pit_timer.o +-obj-$(CONFIG_CLKSRC_QCOM) += qcom-timer.o ++obj-$(CONFIG_FSL_FTM_TIMER) += timer-fsl-ftm.o ++obj-$(CONFIG_VF_PIT_TIMER) += timer-vf-pit.o ++obj-$(CONFIG_CLKSRC_QCOM) += timer-qcom.o + obj-$(CONFIG_MTK_TIMER) += timer-mediatek.o +-obj-$(CONFIG_CLKSRC_PISTACHIO) += time-pistachio.o ++obj-$(CONFIG_CLKSRC_PISTACHIO) += timer-pistachio.o + obj-$(CONFIG_CLKSRC_TI_32K) += timer-ti-32k.o + obj-$(CONFIG_CLKSRC_NPS) += timer-nps.o + obj-$(CONFIG_OXNAS_RPS_TIMER) += timer-oxnas-rps.o +-obj-$(CONFIG_OWL_TIMER) += owl-timer.o ++obj-$(CONFIG_OWL_TIMER) += timer-owl.o + obj-$(CONFIG_SPRD_TIMER) += timer-sprd.o + obj-$(CONFIG_NPCM7XX_TIMER) += timer-npcm7xx.o + +@@ -66,7 +66,7 @@ obj-$(CONFIG_ARM_TIMER_SP804) += timer-sp804.o + obj-$(CONFIG_ARCH_HAS_TICK_BROADCAST) += dummy_timer.o + obj-$(CONFIG_KEYSTONE_TIMER) += timer-keystone.o + obj-$(CONFIG_INTEGRATOR_AP_TIMER) += timer-integrator-ap.o +-obj-$(CONFIG_CLKSRC_VERSATILE) += versatile.o ++obj-$(CONFIG_CLKSRC_VERSATILE) += timer-versatile.o + obj-$(CONFIG_CLKSRC_MIPS_GIC) += mips-gic-timer.o + obj-$(CONFIG_CLKSRC_TANGO_XTAL) += tango_xtal.o + obj-$(CONFIG_CLKSRC_IMX_GPT) += timer-imx-gpt.o +diff --git a/drivers/clocksource/time-armada-370-xp.c b/drivers/clocksource/timer-armada-370-xp.c +similarity index 100% +rename from drivers/clocksource/time-armada-370-xp.c +rename to drivers/clocksource/timer-armada-370-xp.c +diff --git a/drivers/clocksource/cadence_ttc_timer.c b/drivers/clocksource/timer-cadence-ttc.c +similarity index 100% +rename from drivers/clocksource/cadence_ttc_timer.c +rename to drivers/clocksource/timer-cadence-ttc.c +diff --git a/drivers/clocksource/time-efm32.c b/drivers/clocksource/timer-efm32.c +similarity index 100% +rename from drivers/clocksource/time-efm32.c +rename to drivers/clocksource/timer-efm32.c +diff --git a/drivers/clocksource/fsl_ftm_timer.c b/drivers/clocksource/timer-fsl-ftm.c +similarity index 100% +rename from drivers/clocksource/fsl_ftm_timer.c +rename to drivers/clocksource/timer-fsl-ftm.c +diff --git a/drivers/clocksource/time-lpc32xx.c b/drivers/clocksource/timer-lpc32xx.c +similarity index 100% +rename from drivers/clocksource/time-lpc32xx.c +rename to drivers/clocksource/timer-lpc32xx.c +diff --git a/drivers/clocksource/time-orion.c b/drivers/clocksource/timer-orion.c +similarity index 100% +rename from drivers/clocksource/time-orion.c +rename to drivers/clocksource/timer-orion.c +diff --git a/drivers/clocksource/owl-timer.c b/drivers/clocksource/timer-owl.c +similarity index 100% +rename from drivers/clocksource/owl-timer.c +rename to drivers/clocksource/timer-owl.c +diff --git a/drivers/clocksource/time-pistachio.c b/drivers/clocksource/timer-pistachio.c +similarity index 100% +rename from drivers/clocksource/time-pistachio.c +rename to drivers/clocksource/timer-pistachio.c +diff --git a/drivers/clocksource/qcom-timer.c b/drivers/clocksource/timer-qcom.c +similarity index 100% +rename from drivers/clocksource/qcom-timer.c +rename to drivers/clocksource/timer-qcom.c +diff --git a/drivers/clocksource/versatile.c b/drivers/clocksource/timer-versatile.c +similarity index 100% +rename from drivers/clocksource/versatile.c +rename to drivers/clocksource/timer-versatile.c +diff --git a/drivers/clocksource/vf_pit_timer.c b/drivers/clocksource/timer-vf-pit.c +similarity index 100% +rename from drivers/clocksource/vf_pit_timer.c +rename to drivers/clocksource/timer-vf-pit.c +diff --git a/drivers/clocksource/vt8500_timer.c b/drivers/clocksource/timer-vt8500.c +similarity index 100% +rename from drivers/clocksource/vt8500_timer.c +rename to drivers/clocksource/timer-vt8500.c +diff --git a/drivers/clocksource/zevio-timer.c b/drivers/clocksource/timer-zevio.c +similarity index 100% +rename from drivers/clocksource/zevio-timer.c +rename to drivers/clocksource/timer-zevio.c +-- +2.39.2 + diff --git a/queue-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch b/queue-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch new file mode 100644 index 00000000000..a6e1f3d77f7 --- /dev/null +++ b/queue-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch @@ -0,0 +1,88 @@ +From 0c67a96251f802879d2f45c09aaab210c2981721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 15:33:34 -0700 +Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ] + +Fix build warnings when DEBUG_FS is not enabled by using an empty +do-while loop instead of a value: + +In file included from ../drivers/crypto/nx/nx.c:27: +../drivers/crypto/nx/nx.c: In function 'nx_register_algs': +../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value] + 173 | #define NX_DEBUGFS_INIT(drv) (0) +../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT' + 573 | NX_DEBUGFS_INIT(&nx_driver); +../drivers/crypto/nx/nx.c: In function 'nx_remove': +../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value] + 174 | #define NX_DEBUGFS_FINI(drv) (0) +../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI' + 793 | NX_DEBUGFS_FINI(&nx_driver); + +Also, there is no need to build nx_debugfs.o when DEBUG_FS is not +enabled, so change the Makefile to accommodate that. + +Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption") +Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver") +Signed-off-by: Randy Dunlap +Cc: Breno Leitão +Cc: Nayna Jain +Cc: Paulo Flabiano Smorigo +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: linux-crypto@vger.kernel.org +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Christophe Leroy +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/Makefile | 2 +- + drivers/crypto/nx/nx.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile +index 015155da59c29..76139865d7fa1 100644 +--- a/drivers/crypto/nx/Makefile ++++ b/drivers/crypto/nx/Makefile +@@ -1,7 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o + nx-crypto-objs := nx.o \ +- nx_debugfs.o \ + nx-aes-cbc.o \ + nx-aes-ecb.o \ + nx-aes-gcm.o \ +@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \ + nx-sha256.o \ + nx-sha512.o + ++nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o + obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o + obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o + nx-compress-objs := nx-842.o +diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h +index c3e54af18645c..ebad937a9545c 100644 +--- a/drivers/crypto/nx/nx.h ++++ b/drivers/crypto/nx/nx.h +@@ -180,8 +180,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int, + int nx_debugfs_init(struct nx_crypto_driver *); + void nx_debugfs_fini(struct nx_crypto_driver *); + #else +-#define NX_DEBUGFS_INIT(drv) (0) +-#define NX_DEBUGFS_FINI(drv) (0) ++#define NX_DEBUGFS_INIT(drv) do {} while (0) ++#define NX_DEBUGFS_FINI(drv) do {} while (0) + #endif + + #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL) +-- +2.39.2 + diff --git a/queue-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch b/queue-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch new file mode 100644 index 00000000000..bcc9e6fb210 --- /dev/null +++ b/queue-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch @@ -0,0 +1,51 @@ +From e827def04dcba9582598bfa29b10f68ed4108f2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 10:50:39 +0200 +Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H + +From: Dario Binacchi + +[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ] + +The previous setting was related to the overall dimension and not to the +active display area. +In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the +following parameters: + + ---------------------------------------------------------- +| Item | Specifications | unit | + ---------------------------------------------------------- +| Display area | 98.7 (W) x 57.5 (H) | mm | + ---------------------------------------------------------- +| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm | + ---------------------------------------------------------- + +Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H") +Signed-off-by: Dario Binacchi +Reviewed-by: Neil Armstrong +[narmstrong: fixed Fixes commit id length] +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index a424afdcc77a1..35771e0e69fa6 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -405,8 +405,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = { + .num_modes = 1, + .bpc = 8, + .size = { +- .width = 105, +- .height = 67, ++ .width = 99, ++ .height = 58, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X24, + }; +-- +2.39.2 + diff --git a/queue-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch b/queue-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch new file mode 100644 index 00000000000..d8ce2e8ca6f --- /dev/null +++ b/queue-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch @@ -0,0 +1,94 @@ +From eeeaa3a9489dc01c08a7ac9ba2b400970310d8f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 08:33:27 -0700 +Subject: drm/radeon: fix possible division-by-zero errors + +From: Nikita Zhandarovich + +[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ] + +Function rv740_get_decoded_reference_divider() may return 0 due to +unpredictable reference divider value calculated in +radeon_atom_get_clock_dividers(). This will lead to +division-by-zero error once that value is used as a divider +in calculating 'clk_s'. +While unlikely, this issue should nonetheless be prevented so add a +sanity check for such cases by testing 'decoded_ref' value against 0. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +v2: minor coding style fixes (Alex) +In practice this should actually happen as the vbios should be +properly populated. + +Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++-- + drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++-- + drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++-- + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c +index 3eb7899a4035b..2c637e04dfebc 100644 +--- a/drivers/gpu/drm/radeon/cypress_dpm.c ++++ b/drivers/gpu/drm/radeon/cypress_dpm.c +@@ -558,8 +558,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = ss.percentage * + (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); + + mpll_ss1 &= ~CLKV_MASK; +diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c +index a7273c01de34b..2a9d415400f79 100644 +--- a/drivers/gpu/drm/radeon/ni_dpm.c ++++ b/drivers/gpu/drm/radeon/ni_dpm.c +@@ -2239,8 +2239,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = ss.percentage * + (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); + + mpll_ss1 &= ~CLKV_MASK; +diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c +index afd597ec50858..50290e93c79dc 100644 +--- a/drivers/gpu/drm/radeon/rv740_dpm.c ++++ b/drivers/gpu/drm/radeon/rv740_dpm.c +@@ -251,8 +251,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = 0x40000 * ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = 0x40000 * ss.percentage * + (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000); + + mpll_ss1 &= ~CLKV_MASK; +-- +2.39.2 + diff --git a/queue-4.19/evm-complete-description-of-evm_inode_setattr.patch b/queue-4.19/evm-complete-description-of-evm_inode_setattr.patch new file mode 100644 index 00000000000..8860eb8dd28 --- /dev/null +++ b/queue-4.19/evm-complete-description-of-evm_inode_setattr.patch @@ -0,0 +1,39 @@ +From 3ed7461ec41add6315b7cb24e8bdc79b6637250c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 11:40:36 +0100 +Subject: evm: Complete description of evm_inode_setattr() + +From: Roberto Sassu + +[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ] + +Add the description for missing parameters of evm_inode_setattr() to +avoid the warning arising with W=n compile option. + +Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+ +Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+ +Signed-off-by: Roberto Sassu +Reviewed-by: Stefan Berger +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/evm/evm_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c +index 6d1efe1359f17..9c036a41e7347 100644 +--- a/security/integrity/evm/evm_main.c ++++ b/security/integrity/evm/evm_main.c +@@ -474,7 +474,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) + + /** + * evm_inode_setattr - prevent updating an invalid EVM extended attribute ++ * @idmap: idmap of the mount + * @dentry: pointer to the affected dentry ++ * @attr: iattr structure containing the new file attributes + * + * Permit update of file attributes when files have a valid EVM signature, + * except in the case of them having an immutable portable signature. +-- +2.39.2 + diff --git a/queue-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch b/queue-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch new file mode 100644 index 00000000000..0fa55d2e7b1 --- /dev/null +++ b/queue-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch @@ -0,0 +1,44 @@ +From 45589c7b202f7e510d68e9201eb4d378e0be55f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 17:42:28 +0200 +Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in + mipid_spi_probe() + +From: Christophe JAILLET + +[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ] + +If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak. + +Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c +index e3a85432f9266..5730355ee5986 100644 +--- a/drivers/video/fbdev/omap/lcd_mipid.c ++++ b/drivers/video/fbdev/omap/lcd_mipid.c +@@ -576,11 +576,15 @@ static int mipid_spi_probe(struct spi_device *spi) + + r = mipid_detect(md); + if (r < 0) +- return r; ++ goto free_md; + + omapfb_register_panel(&md->panel); + + return 0; ++ ++free_md: ++ kfree(md); ++ return r; + } + + static int mipid_spi_remove(struct spi_device *spi) +-- +2.39.2 + diff --git a/queue-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch b/queue-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch new file mode 100644 index 00000000000..ba0263f58f8 --- /dev/null +++ b/queue-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch @@ -0,0 +1,190 @@ +From f8db8de33b48afe5ae3f57f6e8cba66c1e9aa6a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 14:32:31 -0700 +Subject: gtp: Fix use-after-free in __gtp_encap_destroy(). + +From: Kuniyuki Iwashima + +[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ] + +syzkaller reported use-after-free in __gtp_encap_destroy(). [0] + +It shows the same process freed sk and touched it illegally. + +Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() +and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, +but release_sock() is called after sock_put() releases the last refcnt. + +[0]: +BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] +BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] +BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] +BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] +BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 +Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 + +CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:351 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:462 + kasan_report+0xb2/0xe0 mm/kasan/report.c:572 + check_region_inline mm/kasan/generic.c:181 [inline] + kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 + instrument_atomic_read_write include/linux/instrumented.h:96 [inline] + atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] + queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] + do_raw_spin_lock include/linux/spinlock.h:186 [inline] + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] + _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:355 [inline] + release_sock+0x1f/0x1a0 net/core/sock.c:3526 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f1168b1fe5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d +RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 + + +Allocated by task 1483: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:186 [inline] + slab_post_alloc_hook mm/slab.h:711 [inline] + slab_alloc_node mm/slub.c:3451 [inline] + slab_alloc mm/slub.c:3459 [inline] + __kmem_cache_alloc_lru mm/slub.c:3466 [inline] + kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475 + sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073 + sk_alloc+0x34/0x6c0 net/core/sock.c:2132 + inet6_create net/ipv6/af_inet6.c:192 [inline] + inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119 + __sock_create+0x2a1/0x530 net/socket.c:1535 + sock_create net/socket.c:1586 [inline] + __sys_socket_create net/socket.c:1623 [inline] + __sys_socket_create net/socket.c:1608 [inline] + __sys_socket+0x137/0x250 net/socket.c:1651 + __do_sys_socket net/socket.c:1664 [inline] + __se_sys_socket net/socket.c:1662 [inline] + __x64_sys_socket+0x72/0xb0 net/socket.c:1662 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 2401: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3786 [inline] + kmem_cache_free+0xb4/0x490 mm/slub.c:3808 + sk_prot_free net/core/sock.c:2113 [inline] + __sk_destruct+0x500/0x720 net/core/sock.c:2207 + sk_destruct+0xc1/0xe0 net/core/sock.c:2222 + __sk_free+0xed/0x3d0 net/core/sock.c:2233 + sk_free+0x7c/0xa0 net/core/sock.c:2244 + sock_put include/net/sock.h:1981 [inline] + __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff88800dbef300 + which belongs to the cache UDPv6 of size 1344 +The buggy address is located 152 bytes inside of + freed 1344-byte region [ffff88800dbef300, ffff88800dbef840) + +The buggy address belongs to the physical page: +page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8 +head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff888008ee0801 +flags: 0x100000000010200(slab|head|node=0|zone=1) +page_type: 0xffffffff() +raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000 +raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800dbef280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index e18d06cb2173c..2718b0507f713 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -301,7 +301,9 @@ static void __gtp_encap_destroy(struct sock *sk) + gtp->sk1u = NULL; + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); ++ release_sock(sk); + sock_put(sk); ++ return; + } + release_sock(sk); + } +-- +2.39.2 + diff --git a/queue-4.19/hwrng-virtio-add-an-internal-buffer.patch b/queue-4.19/hwrng-virtio-add-an-internal-buffer.patch new file mode 100644 index 00000000000..2b441ee2227 --- /dev/null +++ b/queue-4.19/hwrng-virtio-add-an-internal-buffer.patch @@ -0,0 +1,127 @@ +From afa4aa51e6f9ff115b1cefcc5f7274340691a1f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:08 +0200 +Subject: hwrng: virtio - add an internal buffer + +From: Laurent Vivier + +[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ] + +hwrng core uses two buffers that can be mixed in the +virtio-rng queue. + +If the buffer is provided with wait=0 it is enqueued in the +virtio-rng queue but unused by the caller. +On the next call, core provides another buffer but the +first one is filled instead and the new one queued. +And the caller reads the data from the new one that is not +updated, and the data in the first one are lost. + +To avoid this mix, virtio-rng needs to use its own unique +internal buffer at a cost of a data copy to the caller buffer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 10 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 7abd604e938c2..999f523c80c1e 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -30,13 +30,20 @@ static DEFINE_IDA(rng_index_ida); + struct virtrng_info { + struct hwrng hwrng; + struct virtqueue *vq; +- struct completion have_data; + char name[25]; +- unsigned int data_avail; + int index; + bool busy; + bool hwrng_register_done; + bool hwrng_removed; ++ /* data transfer */ ++ struct completion have_data; ++ unsigned int data_avail; ++ /* minimal size returned by rng_buffer_size() */ ++#if SMP_CACHE_BYTES < 32 ++ u8 data[32]; ++#else ++ u8 data[SMP_CACHE_BYTES]; ++#endif + }; + + static void random_recv_done(struct virtqueue *vq) +@@ -51,14 +58,14 @@ static void random_recv_done(struct virtqueue *vq) + } + + /* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size) ++static void register_buffer(struct virtrng_info *vi) + { + struct scatterlist sg; + +- sg_init_one(&sg, buf, size); ++ sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. */ +- virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL); ++ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL); + + virtqueue_kick(vi->vq); + } +@@ -67,6 +74,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; ++ unsigned int chunk; ++ size_t read; + + if (vi->hwrng_removed) + return -ENODEV; +@@ -74,19 +83,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (!vi->busy) { + vi->busy = true; + reinit_completion(&vi->have_data); +- register_buffer(vi, buf, size); ++ register_buffer(vi); + } + + if (!wait) + return 0; + +- ret = wait_for_completion_killable(&vi->have_data); +- if (ret < 0) +- return ret; ++ read = 0; ++ while (size != 0) { ++ ret = wait_for_completion_killable(&vi->have_data); ++ if (ret < 0) ++ return ret; ++ ++ chunk = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf + read, vi->data, chunk); ++ read += chunk; ++ size -= chunk; ++ vi->data_avail = 0; ++ ++ if (size != 0) { ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } ++ } + + vi->busy = false; + +- return vi->data_avail; ++ return read; + } + + static void virtio_cleanup(struct hwrng *rng) +-- +2.39.2 + diff --git a/queue-4.19/hwrng-virtio-always-add-a-pending-request.patch b/queue-4.19/hwrng-virtio-always-add-a-pending-request.patch new file mode 100644 index 00000000000..07ef2583852 --- /dev/null +++ b/queue-4.19/hwrng-virtio-always-add-a-pending-request.patch @@ -0,0 +1,111 @@ +From 7ae21313b4da71d05544089d1fdb20bab025446e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:11 +0200 +Subject: hwrng: virtio - always add a pending request + +From: Laurent Vivier + +[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ] + +If we ensure we have already some data available by enqueuing +again the buffer once data are exhausted, we can return what we +have without waiting for the device answer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index c88f175e60a4c..a84248c26fd7f 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -32,7 +32,6 @@ struct virtrng_info { + struct virtqueue *vq; + char name[25]; + int index; +- bool busy; + bool hwrng_register_done; + bool hwrng_removed; + /* data transfer */ +@@ -56,16 +55,18 @@ static void random_recv_done(struct virtqueue *vq) + return; + + vi->data_idx = 0; +- vi->busy = false; + + complete(&vi->have_data); + } + +-/* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi) ++static void request_entropy(struct virtrng_info *vi) + { + struct scatterlist sg; + ++ reinit_completion(&vi->have_data); ++ vi->data_avail = 0; ++ vi->data_idx = 0; ++ + sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. */ +@@ -81,6 +82,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf, + memcpy(buf, vi->data + vi->data_idx, size); + vi->data_idx += size; + vi->data_avail -= size; ++ if (vi->data_avail == 0) ++ request_entropy(vi); + return size; + } + +@@ -110,13 +113,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + * so either size is 0 or data_avail is 0 + */ + while (size != 0) { +- /* data_avail is 0 */ +- if (!vi->busy) { +- /* no pending request, ask for more */ +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ /* data_avail is 0 but a request is pending */ + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -138,8 +135,7 @@ static void virtio_cleanup(struct hwrng *rng) + { + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + +- if (vi->busy) +- complete(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +@@ -175,6 +171,9 @@ static int probe_common(struct virtio_device *vdev) + goto err_find; + } + ++ /* we always have a pending entropy request */ ++ request_entropy(vi); ++ + return 0; + + err_find: +@@ -193,7 +192,6 @@ static void remove_common(struct virtio_device *vdev) + vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); +- vi->busy = false; + if (vi->hwrng_register_done) + hwrng_unregister(&vi->hwrng); + vdev->config->del_vqs(vdev); +-- +2.39.2 + diff --git a/queue-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch b/queue-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch new file mode 100644 index 00000000000..f0b00394a59 --- /dev/null +++ b/queue-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch @@ -0,0 +1,58 @@ +From 9c50a382f8e13e6db7abbe15241a4a9c88d4fc4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:09 +0200 +Subject: hwrng: virtio - don't wait on cleanup + +From: Laurent Vivier + +[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ] + +When virtio-rng device was dropped by the hwrng core we were forced +to wait the buffer to come back from the device to not have +remaining ongoing operation that could spoil the buffer. + +But now, as the buffer is internal to the virtio-rng we can release +the waiting loop immediately, the buffer will be retrieve and use +when the virtio-rng driver will be selected again. + +This avoids to hang on an rng_current write command if the virtio-rng +device is blocked by a lack of entropy. This allows to select +another entropy source if the current one is empty. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 999f523c80c1e..9a3fbd2b41107 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -94,6 +94,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; ++ /* if vi->data_avail is 0, we have been interrupted ++ * by a cleanup, but buffer stays in the queue ++ */ ++ if (vi->data_avail == 0) ++ return read; + + chunk = min_t(unsigned int, size, vi->data_avail); + memcpy(buf + read, vi->data, chunk); +@@ -117,7 +122,7 @@ static void virtio_cleanup(struct hwrng *rng) + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + + if (vi->busy) +- wait_for_completion(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +-- +2.39.2 + diff --git a/queue-4.19/hwrng-virtio-don-t-waste-entropy.patch b/queue-4.19/hwrng-virtio-don-t-waste-entropy.patch new file mode 100644 index 00000000000..37836241dfd --- /dev/null +++ b/queue-4.19/hwrng-virtio-don-t-waste-entropy.patch @@ -0,0 +1,130 @@ +From 92b8d417f897b6b2b12a75862caf03ab756af0c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:10 +0200 +Subject: hwrng: virtio - don't waste entropy + +From: Laurent Vivier + +[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ] + +if we don't use all the entropy available in the buffer, keep it +and use it later. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++---------- + 1 file changed, 35 insertions(+), 17 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 9a3fbd2b41107..c88f175e60a4c 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -38,6 +38,7 @@ struct virtrng_info { + /* data transfer */ + struct completion have_data; + unsigned int data_avail; ++ unsigned int data_idx; + /* minimal size returned by rng_buffer_size() */ + #if SMP_CACHE_BYTES < 32 + u8 data[32]; +@@ -54,6 +55,9 @@ static void random_recv_done(struct virtqueue *vq) + if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) + return; + ++ vi->data_idx = 0; ++ vi->busy = false; ++ + complete(&vi->have_data); + } + +@@ -70,6 +74,16 @@ static void register_buffer(struct virtrng_info *vi) + virtqueue_kick(vi->vq); + } + ++static unsigned int copy_data(struct virtrng_info *vi, void *buf, ++ unsigned int size) ++{ ++ size = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf, vi->data + vi->data_idx, size); ++ vi->data_idx += size; ++ vi->data_avail -= size; ++ return size; ++} ++ + static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; +@@ -80,17 +94,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (vi->hwrng_removed) + return -ENODEV; + +- if (!vi->busy) { +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); ++ read = 0; ++ ++ /* copy available data */ ++ if (vi->data_avail) { ++ chunk = copy_data(vi, buf, size); ++ size -= chunk; ++ read += chunk; + } + + if (!wait) +- return 0; ++ return read; + +- read = 0; ++ /* We have already copied available entropy, ++ * so either size is 0 or data_avail is 0 ++ */ + while (size != 0) { ++ /* data_avail is 0 */ ++ if (!vi->busy) { ++ /* no pending request, ask for more */ ++ vi->busy = true; ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -100,20 +126,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (vi->data_avail == 0) + return read; + +- chunk = min_t(unsigned int, size, vi->data_avail); +- memcpy(buf + read, vi->data, chunk); +- read += chunk; ++ chunk = copy_data(vi, buf + read, size); + size -= chunk; +- vi->data_avail = 0; +- +- if (size != 0) { +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ read += chunk; + } + +- vi->busy = false; +- + return read; + } + +@@ -173,6 +190,7 @@ static void remove_common(struct virtio_device *vdev) + + vi->hwrng_removed = true; + vi->data_avail = 0; ++ vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); + vi->busy = false; +-- +2.39.2 + diff --git a/queue-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch b/queue-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch new file mode 100644 index 00000000000..76a65769e3d --- /dev/null +++ b/queue-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch @@ -0,0 +1,86 @@ +From 939a58b0fd48531e7170994e9836b43eb6a96c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 11:59:32 +0800 +Subject: hwrng: virtio - Fix race on data_avail and actual data + +From: Herbert Xu + +[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ] + +The virtio rng device kicks off a new entropy request whenever the +data available reaches zero. When a new request occurs at the end +of a read operation, that is, when the result of that request is +only needed by the next reader, then there is a race between the +writing of the new data and the next reader. + +This is because there is no synchronisation whatsoever between the +writer and the reader. + +Fix this by writing data_avail with smp_store_release and reading +it with smp_load_acquire when we first enter read. The subsequent +reads are safe because they're either protected by the first load +acquire, or by the completion mechanism. + +Also remove the redundant zeroing of data_idx in random_recv_done +(data_idx must already be zero at this point) and data_avail in +request_entropy (ditto). + +Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com +Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") +Signed-off-by: Herbert Xu +Acked-by: Michael S. Tsirkin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index a84248c26fd7f..58884d8752011 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -17,6 +17,7 @@ + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + ++#include + #include + #include + #include +@@ -49,13 +50,13 @@ struct virtrng_info { + static void random_recv_done(struct virtqueue *vq) + { + struct virtrng_info *vi = vq->vdev->priv; ++ unsigned int len; + + /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */ +- if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) ++ if (!virtqueue_get_buf(vi->vq, &len)) + return; + +- vi->data_idx = 0; +- ++ smp_store_release(&vi->data_avail, len); + complete(&vi->have_data); + } + +@@ -64,7 +65,6 @@ static void request_entropy(struct virtrng_info *vi) + struct scatterlist sg; + + reinit_completion(&vi->have_data); +- vi->data_avail = 0; + vi->data_idx = 0; + + sg_init_one(&sg, vi->data, sizeof(vi->data)); +@@ -100,7 +100,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + read = 0; + + /* copy available data */ +- if (vi->data_avail) { ++ if (smp_load_acquire(&vi->data_avail)) { + chunk = copy_data(vi, buf, size); + size -= chunk; + read += chunk; +-- +2.39.2 + diff --git a/queue-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch b/queue-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch new file mode 100644 index 00000000000..38793da2e06 --- /dev/null +++ b/queue-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch @@ -0,0 +1,110 @@ +From 58240f64a0be015e60403b558eac9ea7b1483365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 11:56:28 -0500 +Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors + +From: Patrick Kelsey + +[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ] + +Fix three sources of error involving struct sdma_txreq.num_descs. + +When _extend_sdma_tx_descs() extends the descriptor array, it uses the +value of tx->num_descs to determine how many existing entries from the +tx's original, internal descriptor array to copy to the newly allocated +one. As this value was incremented before the call, the copy loop will +access one entry past the internal descriptor array, copying its contents +into the corresponding slot in the new array. + +If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then +invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a +loop that unmaps all descriptor entries in use. As this value was +incremented before the call, the unmap loop will invoke sdma_unmap_desc() +on a descriptor entry whose contents consist of whatever random data was +copied into it during (1), leading to cascading further calls into the +kernel and driver using arbitrary data. + +_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1. + +Fix all of the above by: +- Only increment .num_descs after .descp is extended. +- Use .num_descs - 1 instead of .num_descs for last .descp entry. + +Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors") +Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Brendan Cunningham +Signed-off-by: Patrick Kelsey +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/sdma.c | 4 ++-- + drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++-------- + 2 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index 33ff9eca28f69..245f9505a9aca 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -3202,8 +3202,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + { + int rval = 0; + +- tx->num_desc++; +- if ((unlikely(tx->num_desc == tx->desc_limit))) { ++ if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { + rval = _extend_sdma_tx_descs(dd, tx); + if (rval) { + __sdma_txclean(dd, tx); +@@ -3216,6 +3215,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + SDMA_MAP_NONE, + dd->sdma_pad_phys, + sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1))); ++ tx->num_desc++; + _sdma_close_tx(dd, tx); + return rval; + } +diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h +index 46c775f255d14..a3dd2f3d56cca 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.h ++++ b/drivers/infiniband/hw/hfi1/sdma.h +@@ -680,14 +680,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) + static inline void _sdma_close_tx(struct hfi1_devdata *dd, + struct sdma_txreq *tx) + { +- tx->descp[tx->num_desc].qw[0] |= +- SDMA_DESC0_LAST_DESC_FLAG; +- tx->descp[tx->num_desc].qw[1] |= +- dd->default_desc1; ++ u16 last_desc = tx->num_desc - 1; ++ ++ tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; ++ tx->descp[last_desc].qw[1] |= dd->default_desc1; + if (tx->flags & SDMA_TXREQ_F_URGENT) +- tx->descp[tx->num_desc].qw[1] |= +- (SDMA_DESC1_HEAD_TO_HOST_FLAG | +- SDMA_DESC1_INT_REQ_FLAG); ++ tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | ++ SDMA_DESC1_INT_REQ_FLAG); + } + + static inline int _sdma_txadd_daddr( +@@ -704,6 +703,7 @@ static inline int _sdma_txadd_daddr( + type, + addr, len); + WARN_ON(len > tx->tlen); ++ tx->num_desc++; + tx->tlen -= len; + /* special cases for last */ + if (!tx->tlen) { +@@ -715,7 +715,6 @@ static inline int _sdma_txadd_daddr( + _sdma_close_tx(dd, tx); + } + } +- tx->num_desc++; + return rval; + } + +-- +2.39.2 + diff --git a/queue-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch b/queue-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch new file mode 100644 index 00000000000..7b8245fb995 --- /dev/null +++ b/queue-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch @@ -0,0 +1,39 @@ +From 51b90364f500ae4b586dc32e18e61f232983cb55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 17:27:55 -0700 +Subject: Input: adxl34x - do not hardcode interrupt trigger type + +From: Marek Vasut + +[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ] + +Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's +respect the settings specified in the firmware description. + +Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") +Signed-off-by: Marek Vasut +Acked-by: Michael Hennerich +Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/adxl34x.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c +index 3695dd7dbb9b4..ec0c91ec52277 100644 +--- a/drivers/input/misc/adxl34x.c ++++ b/drivers/input/misc/adxl34x.c +@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq, + AC_WRITE(ac, POWER_CTL, 0); + + err = request_threaded_irq(ac->irq, NULL, adxl34x_irq, +- IRQF_TRIGGER_HIGH | IRQF_ONESHOT, +- dev_name(dev), ac); ++ IRQF_ONESHOT, dev_name(dev), ac); + if (err) { + dev_err(dev, "irq %d busy?\n", ac->irq); + goto err_free_mem; +-- +2.39.2 + diff --git a/queue-4.19/input-drv260x-sleep-between-polling-go-bit.patch b/queue-4.19/input-drv260x-sleep-between-polling-go-bit.patch new file mode 100644 index 00000000000..15813280a47 --- /dev/null +++ b/queue-4.19/input-drv260x-sleep-between-polling-go-bit.patch @@ -0,0 +1,39 @@ +From 569e4104a6ffce321ca0b44f7bcb5c522b3a082f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 May 2023 17:01:45 -0700 +Subject: Input: drv260x - sleep between polling GO bit + +From: Luca Weiss + +[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ] + +When doing the initial startup there's no need to poll without any +delay and spam the I2C bus. + +Let's sleep 15ms between each attempt, which is the same time as used +in the vendor driver. + +Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver") +Signed-off-by: Luca Weiss +Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/drv260x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c +index 17eb84ab4c0b7..fe3fbde989be2 100644 +--- a/drivers/input/misc/drv260x.c ++++ b/drivers/input/misc/drv260x.c +@@ -443,6 +443,7 @@ static int drv260x_init(struct drv260x_data *haptics) + } + + do { ++ usleep_range(15000, 15500); + error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf); + if (error) { + dev_err(&haptics->client->dev, +-- +2.39.2 + diff --git a/queue-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch b/queue-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch new file mode 100644 index 00000000000..10fb05e24a0 --- /dev/null +++ b/queue-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch @@ -0,0 +1,66 @@ +From fb27984c7b464c888b054effdf720e797025a50e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 17:33:47 +0800 +Subject: ipvlan: Fix return value of ipvlan_queue_xmit() + +From: Cambda Zhu + +[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ] + +ipvlan_queue_xmit() should return NET_XMIT_XXX, but +ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX +in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED +in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to +NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or +NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase +both ipvlan and ipvlan->phy_dev drops counter. + +The skb to forward can be treated as xmitted successfully. This patch +makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb. + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Cambda Zhu +Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index eb80d277b56f5..6b6c5a7250a65 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -592,7 +592,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + out: +@@ -618,7 +619,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + skb = skb_share_check(skb, GFP_ATOMIC); +@@ -630,7 +632,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + * the skb for the main-dev. At the RX side we just return + * RX_PASS for it to be processed further on the stack. + */ +- return dev_forward_skb(ipvlan->phy_dev, skb); ++ dev_forward_skb(ipvlan->phy_dev, skb); ++ return NET_XMIT_SUCCESS; + + } else if (is_multicast_ether_addr(eth->h_dest)) { + skb_reset_mac_header(skb); +-- +2.39.2 + diff --git a/queue-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch b/queue-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch new file mode 100644 index 00000000000..bb6269bb90b --- /dev/null +++ b/queue-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch @@ -0,0 +1,53 @@ +From 4ccd3be2ccc9fa9c3b14d259dc5e795c7d90db2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 18:33:42 +0200 +Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors + +From: John Paul Adrian Glaubitz + +[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ] + +The initialization function for the J-Core AIC aic_irq_of_init() is +currently missing the call to irq_alloc_descs() which allocates and +initializes all the IRQ descriptors. Add missing function call and +return the error code from irq_alloc_descs() in case the allocation +fails. + +Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver") +Signed-off-by: John Paul Adrian Glaubitz +Tested-by: Rob Landley +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 5f47d8ee4ae39..b9dcc8e78c750 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node, + unsigned min_irq = JCORE_AIC2_MIN_HWIRQ; + unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1; + struct irq_domain *domain; ++ int ret; + + pr_info("Initializing J-Core AIC\n"); + +@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + ++ ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq, ++ of_node_to_nid(node)); ++ ++ if (ret < 0) ++ return ret; ++ + domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, + &jcore_aic_irqdomain_ops, + &jcore_aic); +-- +2.39.2 + diff --git a/queue-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch b/queue-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch new file mode 100644 index 00000000000..a9ea1fb0971 --- /dev/null +++ b/queue-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch @@ -0,0 +1,41 @@ +From a0040d3dcb0b479ed0a896c972942db0a435106b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 10:35:51 +0100 +Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings() + +From: Marc Zyngier + +[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ] + +irq_create_strict_mappings() is a poor way to allow the use of +a linear IRQ domain as a legacy one. Let's be upfront about it. + +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org +Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 033bccb41455c..5f47d8ee4ae39 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + +- domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops, ++ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, ++ &jcore_aic_irqdomain_ops, + &jcore_aic); + if (!domain) + return -ENOMEM; +- irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq); + + return 0; + } +-- +2.39.2 + diff --git a/queue-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch b/queue-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch new file mode 100644 index 00000000000..59f26261be7 --- /dev/null +++ b/queue-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch @@ -0,0 +1,93 @@ +From 8b2db998a10f3e10565a0bcd7135e3b686532fed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 20:34:34 +0800 +Subject: kexec: fix a memory leak in crash_shrink_memory() + +From: Zhen Lei + +[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ] + +Patch series "kexec: enable kexec_crash_size to support two crash kernel +regions". + +When crashkernel=X fails to reserve region under 4G, it will fall back to +reserve region above 4G and a region of the default size will also be +reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only +supports one crash kernel region now, the user cannot sense the low memory +reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot +be freed by writing this file. + +For example: +resource_size(crashk_res) = 512M +resource_size(crashk_low_res) = 256M + +The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be +768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size +of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB, +which is incorrect. + +Since crashk_res manages the memory with high address and crashk_low_res +manages the memory with low address, crashk_low_res is shrunken only when +all crashk_res is shrunken. And because when there is only one crash +kernel region, crashk_res is always used. Therefore, if all crashk_res is +shrunken and crashk_low_res still exists, swap them. + +This patch (of 6): + +If the value of parameter 'new_size' is in the semi-open and semi-closed +interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the +calculation result of ram_res is: + + ram_res->start = crashk_res.end + 1 + ram_res->end = crashk_res.end + +The operation of insert_resource() fails, and ram_res is not added to +iomem_resource. As a result, the memory of the control block ram_res is +leaked. + +In fact, on all architectures, the start address and size of crashk_res +are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need +to round up crashk_res.start again. Instead, we should round up +'new_size' in advance. + +Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com +Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com +Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()") +Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size") +Signed-off-by: Zhen Lei +Acked-by: Baoquan He +Cc: Cong Wang +Cc: Eric W. Biederman +Cc: Michael Holzheu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kexec_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c +index 6b3d7f7211dd6..3666d434a8f59 100644 +--- a/kernel/kexec_core.c ++++ b/kernel/kexec_core.c +@@ -1020,6 +1020,7 @@ int crash_shrink_memory(unsigned long new_size) + start = crashk_res.start; + end = crashk_res.end; + old_size = (end == 0) ? 0 : end - start + 1; ++ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN); + if (new_size >= old_size) { + ret = (new_size == old_size) ? 0 : -EINVAL; + goto unlock; +@@ -1031,9 +1032,7 @@ int crash_shrink_memory(unsigned long new_size) + goto unlock; + } + +- start = roundup(start, KEXEC_CRASH_MEM_ALIGN); +- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN); +- ++ end = start + new_size; + crash_free_reserved_phys_range(end, crashk_res.end); + + if ((start == end) && (crashk_res.parent != NULL)) +-- +2.39.2 + diff --git a/queue-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch b/queue-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch new file mode 100644 index 00000000000..1207b6478c1 --- /dev/null +++ b/queue-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch @@ -0,0 +1,59 @@ +From 87da1904b8c1c4030f88ea104f42f0a2d6b7bce8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 20:06:57 +0100 +Subject: lib/ts_bm: reset initial match offset for every block of text + +From: Jeremy Sowden + +[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ] + +The `shift` variable which indicates the offset in the string at which +to start matching the pattern is initialized to `bm->patlen - 1`, but it +is not reset when a new block is retrieved. This means the implemen- +tation may start looking at later and later positions in each successive +block and miss occurrences of the pattern at the beginning. E.g., +consider a HTTP packet held in a non-linear skb, where the HTTP request +line occurs in the second block: + + [... 52 bytes of packet headers ...] + GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n + +and the pattern is "GET /bmtest". + +Once the first block comprising the packet headers has been examined, +`shift` will be pointing to somewhere near the end of the block, and so +when the second block is examined the request line at the beginning will +be missed. + +Reinitialize the variable for each new block. + +Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2") +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390 +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + lib/ts_bm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/ts_bm.c b/lib/ts_bm.c +index 9e66ee4020e90..5de382e79a45a 100644 +--- a/lib/ts_bm.c ++++ b/lib/ts_bm.c +@@ -64,10 +64,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state) + struct ts_bm *bm = ts_config_priv(conf); + unsigned int i, text_len, consumed = state->offset; + const u8 *text; +- int shift = bm->patlen - 1, bs; ++ int bs; + const u8 icase = conf->flags & TS_IGNORECASE; + + for (;;) { ++ int shift = bm->patlen - 1; ++ + text_len = conf->get_next_block(consumed, &text, conf, state); + + if (unlikely(text_len == 0)) +-- +2.39.2 + diff --git a/queue-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch b/queue-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch new file mode 100644 index 00000000000..b2d63a56285 --- /dev/null +++ b/queue-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch @@ -0,0 +1,65 @@ +From c42045a300917bf19d72afa28c7485a1e242ad54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:48:05 +0800 +Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter + +From: Li Nan + +[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ] + +If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() +will return -EINVAL because 'page >= bitmap->pages', but the return value +was not checked immediately in md_bitmap_get_counter() in order to set +*blocks value and slab-out-of-bounds occurs. + +Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and +return directly if true. + +Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 1c4c462787198..7ca81e917aef4 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -53,14 +53,7 @@ __acquires(bitmap->lock) + { + unsigned char *mappage; + +- if (page >= bitmap->pages) { +- /* This can happen if bitmap_start_sync goes beyond +- * End-of-device while looking for a whole page. +- * It is harmless. +- */ +- return -EINVAL; +- } +- ++ WARN_ON_ONCE(page >= bitmap->pages); + if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */ + return 0; + +@@ -1368,6 +1361,14 @@ __acquires(bitmap->lock) + sector_t csize; + int err; + ++ if (page >= bitmap->pages) { ++ /* ++ * This can happen if bitmap_start_sync goes beyond ++ * End-of-device while looking for a whole page or ++ * user set a huge number to sysfs bitmap_set_bits. ++ */ ++ return NULL; ++ } + err = md_bitmap_checkpage(bitmap, page, create, 0); + + if (bitmap->bp[page].hijacked || +-- +2.39.2 + diff --git a/queue-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch b/queue-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch new file mode 100644 index 00000000000..325b0cb9437 --- /dev/null +++ b/queue-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch @@ -0,0 +1,79 @@ +From 259441acc7d9499e917ec4612b2d9d732e643a53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 17:18:39 +0800 +Subject: md/raid10: fix io loss while replacement replace rdev + +From: Li Nan + +[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ] + +When removing a disk with replacement, the replacement will be used to +replace rdev. During this process, there is a brief window in which both +rdev and replacement are read as NULL in raid10_write_request(). This +will result in io not being submitted but it should be. + + //remove //write + raid10_remove_disk raid10_write_request + mirror->rdev = NULL + read rdev -> NULL + mirror->rdev = mirror->replacement + mirror->replacement = NULL + read replacement -> NULL + +Fix it by reading replacement first and rdev later, meanwhile, use smp_mb() +to prevent memory reordering. + +Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index f6d2be1d23864..d46056b07c079 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -781,8 +781,16 @@ static struct md_rdev *read_balance(struct r10conf *conf, + disk = r10_bio->devs[slot].devnum; + rdev = rcu_dereference(conf->mirrors[disk].replacement); + if (rdev == NULL || test_bit(Faulty, &rdev->flags) || +- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset) ++ r10_bio->devs[slot].addr + sectors > ++ rdev->recovery_offset) { ++ /* ++ * Read replacement first to prevent reading both rdev ++ * and replacement as NULL during replacement replace ++ * rdev. ++ */ ++ smp_mb(); + rdev = rcu_dereference(conf->mirrors[disk].rdev); ++ } + if (rdev == NULL || + test_bit(Faulty, &rdev->flags)) + continue; +@@ -1400,9 +1408,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, + + for (i = 0; i < conf->copies; i++) { + int d = r10_bio->devs[i].devnum; +- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev); +- struct md_rdev *rrdev = rcu_dereference( +- conf->mirrors[d].replacement); ++ struct md_rdev *rdev, *rrdev; ++ ++ rrdev = rcu_dereference(conf->mirrors[d].replacement); ++ /* ++ * Read replacement first to prevent reading both rdev and ++ * replacement as NULL during replacement replace rdev. ++ */ ++ smp_mb(); ++ rdev = rcu_dereference(conf->mirrors[d].rdev); + if (rdev == rrdev) + rrdev = NULL; + if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) { +-- +2.39.2 + diff --git a/queue-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch b/queue-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch new file mode 100644 index 00000000000..68be8949886 --- /dev/null +++ b/queue-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch @@ -0,0 +1,51 @@ +From 06023f86c6d335ab7cbc42c39fdf4677bddab0d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 15:25:33 +0800 +Subject: md/raid10: fix overflow of md/safe_mode_delay + +From: Li Nan + +[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ] + +There is no input check when echo md/safe_mode_delay in safe_delay_store(). +And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by +checking overflow in safe_delay_store() and use unsigned long conversion in +safe_delay_show(). + +Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers") +Signed-off-by: Li Nan +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index f8c111b369928..ad3e666b9d735 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3671,8 +3671,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale) + static ssize_t + safe_delay_show(struct mddev *mddev, char *page) + { +- int msec = (mddev->safemode_delay*1000)/HZ; +- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000); ++ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ; ++ ++ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000); + } + static ssize_t + safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) +@@ -3684,7 +3685,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) + return -EINVAL; + } + +- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0) ++ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ) + return -EINVAL; + if (msec == 0) + mddev->safemode_delay = 0; +-- +2.39.2 + diff --git a/queue-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch b/queue-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch new file mode 100644 index 00000000000..92a048b1d02 --- /dev/null +++ b/queue-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch @@ -0,0 +1,38 @@ +From 3ac2cda1e64e9661ec83abeb47a94e2514a776f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 15:25:34 +0800 +Subject: md/raid10: fix wrong setting of max_corr_read_errors + +From: Li Nan + +[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ] + +There is no input check when echo md/max_read_errors and overflow might +occur. Add check of input number. + +Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index ad3e666b9d735..2e23a898fc978 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4337,6 +4337,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len + rv = kstrtouint(buf, 10, &n); + if (rv < 0) + return rv; ++ if (n > INT_MAX) ++ return -EINVAL; + atomic_set(&mddev->max_corr_read_errors, n); + return len; + } +-- +2.39.2 + diff --git a/queue-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch b/queue-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch new file mode 100644 index 00000000000..f489c149c25 --- /dev/null +++ b/queue-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch @@ -0,0 +1,49 @@ +From e30b96869547af066175585c4913bfb9bbf5e916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 22:27:04 +0200 +Subject: memstick r592: make memstick_debug_get_tpc_name() static + +From: Arnd Bergmann + +[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ] + +There are no other files referencing this function, apparently +it was left global to avoid an 'unused function' warning when +the only caller is left out. With a 'W=1' build, it causes +a 'missing prototype' warning though: + +drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes] + +Annotate the function as 'static __maybe_unused' to avoid both +problems. + +Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/r592.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c +index edb1b5588b7a0..6360f5c6d3958 100644 +--- a/drivers/memstick/host/r592.c ++++ b/drivers/memstick/host/r592.c +@@ -47,12 +47,10 @@ static const char *tpc_names[] = { + * memstick_debug_get_tpc_name - debug helper that returns string for + * a TPC number + */ +-const char *memstick_debug_get_tpc_name(int tpc) ++static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc) + { + return tpc_names[tpc-1]; + } +-EXPORT_SYMBOL(memstick_debug_get_tpc_name); +- + + /* Read a register*/ + static inline u32 r592_read_reg(struct r592_device *dev, int address) +-- +2.39.2 + diff --git a/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch b/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch new file mode 100644 index 00000000000..19ffd3bb20f --- /dev/null +++ b/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch @@ -0,0 +1,106 @@ +From 900af37b23eddbb3069809f016b46b3a70a539a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:56 +0900 +Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} + +From: Masahiro Yamada + +[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ] + +addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a +wrong way. + +Here, test code. + +[test code for R_ARM_JUMP24] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + b bar + +[test code for R_ARM_CALL] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + push {lr} + bl bar + pop {pc} + +If you compile it with ARM multi_v7_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text) + +(You need to use GNU linker instead of LLD to reproduce it.) + +Fix the code to make modpost show the correct symbol name. + +I imported (with adjustment) sign_extend32() from include/linux/bitops.h. + +The '+8' is the compensation for pc-relative instruction. It is +documented in "ELF for the Arm Architecture" [1]. + + "If the relocation is pc-relative then compensation for the PC bias + (the PC value is 8 bytes ahead of the executing instruction in Arm + state and 4 bytes in Thumb state) must be encoded in the relocation + by the object producer." + +[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 41b1791a9463b..2060a3fe9691d 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1751,12 +1751,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + #define R_ARM_THM_JUMP19 51 + #endif + ++static int32_t sign_extend32(int32_t value, int index) ++{ ++ uint8_t shift = 31 - index; ++ ++ return (int32_t)(value << shift) >> shift; ++} ++ + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); + Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); + void *loc = reloc_location(elf, sechdr, r); + uint32_t inst; ++ int32_t offset; + + switch (r_typ) { + case R_ARM_ABS32: +@@ -1766,6 +1774,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + case R_ARM_PC24: + case R_ARM_CALL: + case R_ARM_JUMP24: ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ offset = sign_extend32((inst & 0x00ffffff) << 2, 25); ++ r->r_addend = offset + sym->st_value + 8; ++ break; + case R_ARM_THM_CALL: + case R_ARM_THM_JUMP24: + case R_ARM_THM_JUMP19: +-- +2.39.2 + diff --git a/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch b/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch new file mode 100644 index 00000000000..947c7ff4bbe --- /dev/null +++ b/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch @@ -0,0 +1,133 @@ +From 0d510b44c12ef373d8102b1be1652f7e485f1bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:55 +0900 +Subject: modpost: fix section mismatch message for R_ARM_ABS32 + +From: Masahiro Yamada + +[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ] + +addend_arm_rel() processes R_ARM_ABS32 in a wrong way. + +Here, test code. + + [test code 1] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + +If you compile it with ARM versatile_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data) + +(You need to use GNU linker instead of LLD to reproduce it.) + +If you compile it for other architectures, modpost will show the correct +symbol name. + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + +For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value. + +I just mimicked the code in arch/arm/kernel/module.c. + +However, there is more difficulty for ARM. + +Here, test code. + + [test code 2] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + + int __initdata bar; + int get_bar(void) { return bar; } + +With this commit applied, modpost will show the following messages +for ARM versatile_defconfig: + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data) + +The reference from 'get_bar' to 'foo' seems wrong. + +I have no solution for this because it is true in assembly level. + +In the following output, relocation at 0x1c is no longer associated +with 'bar'. The two relocation entries point to the same symbol, and +the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'. + + Disassembly of section .text: + + 00000000 : + 0: e59f3004 ldr r3, [pc, #4] @ c + 4: e5930000 ldr r0, [r3] + 8: e12fff1e bx lr + c: 00000000 .word 0x00000000 + + 00000010 : + 10: e59f3004 ldr r3, [pc, #4] @ 1c + 14: e5930004 ldr r0, [r3, #4] + 18: e12fff1e bx lr + 1c: 00000000 .word 0x00000000 + + Relocation section '.rel.text' at offset 0x244 contains 2 entries: + Offset Info Type Sym.Value Sym. Name + 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data + 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data + +When find_elf_symbol() gets into a situation where relsym->st_name is +zero, there is no guarantee to get the symbol name as written in C. + +I am keeping the current logic because it is useful in many architectures, +but the symbol name is not always correct depending on the optimization. +I left some comments in find_tosym(). + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 8c2847ef4e422..41b1791a9463b 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1260,6 +1260,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + if (relsym->st_name != 0) + return relsym; + ++ /* ++ * Strive to find a better symbol name, but the resulting name may not ++ * match the symbol referenced in the original code. ++ */ + relsym_secindex = get_secindex(elf, relsym); + for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) { + if (get_secindex(elf, sym) != relsym_secindex) +@@ -1750,12 +1754,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); ++ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); ++ void *loc = reloc_location(elf, sechdr, r); ++ uint32_t inst; + + switch (r_typ) { + case R_ARM_ABS32: +- /* From ARM ABI: (S + A) | T */ +- r->r_addend = (int)(long) +- (elf->symtab_start + ELF_R_SYM(r->r_info)); ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ r->r_addend = inst + sym->st_value; + break; + case R_ARM_PC24: + case R_ARM_CALL: +-- +2.39.2 + diff --git a/queue-4.19/net-create-netdev-dev_addr-assignment-helpers.patch b/queue-4.19/net-create-netdev-dev_addr-assignment-helpers.patch new file mode 100644 index 00000000000..297db3ad7ca --- /dev/null +++ b/queue-4.19/net-create-netdev-dev_addr-assignment-helpers.patch @@ -0,0 +1,82 @@ +From e30a64ceb7b11cf6fcd324236f5de49d836f811d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 11:10:37 -0700 +Subject: net: create netdev->dev_addr assignment helpers + +From: Jakub Kicinski + +[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ] + +Recent work on converting address list to a tree made it obvious +we need an abstraction around writing netdev->dev_addr. Without +such abstraction updating the main device address is invisible +to the core. + +Introduce a number of helpers which for now just wrap memcpy() +but in the future can make necessary changes to the address +tree. + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + include/linux/etherdevice.h | 12 ++++++++++++ + include/linux/netdevice.h | 18 ++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index e1e9eff096d05..2932a40060c1d 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -291,6 +291,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src) + #endif + } + ++/** ++ * eth_hw_addr_set - Assign Ethernet address to a net_device ++ * @dev: pointer to net_device structure ++ * @addr: address to assign ++ * ++ * Assign given address to the net_device, addr_assign_type is not changed. ++ */ ++static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ ether_addr_copy(dev->dev_addr, addr); ++} ++ + /** + * eth_hw_addr_inherit - Copy dev_addr from another net_device + * @dst: pointer to net_device to copy dev_addr to +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 90827d85265b0..7e9df3854420a 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4079,6 +4079,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list, + void __hw_addr_init(struct netdev_hw_addr_list *list); + + /* Functions used for device addresses handling */ ++static inline void ++__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len) ++{ ++ memcpy(dev->dev_addr, addr, len); ++} ++ ++static inline void dev_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ __dev_addr_set(dev, addr, dev->addr_len); ++} ++ ++static inline void ++dev_addr_mod(struct net_device *dev, unsigned int offset, ++ const u8 *addr, size_t len) ++{ ++ memcpy(&dev->dev_addr[offset], addr, len); ++} ++ + int dev_addr_add(struct net_device *dev, const unsigned char *addr, + unsigned char addr_type); + int dev_addr_del(struct net_device *dev, const unsigned char *addr, +-- +2.39.2 + diff --git a/queue-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch b/queue-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch new file mode 100644 index 00000000000..92b7e6541a3 --- /dev/null +++ b/queue-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch @@ -0,0 +1,53 @@ +From c40874c71ae6f5e26f1958101a5a7dd1d049899f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jun 2023 11:23:46 +0000 +Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() + return value. + +From: Ilia.Gavrilov + +[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ] + +ct_sip_parse_numerical_param() returns only 0 or 1 now. +But process_register_request() and process_register_response() imply +checking for a negative value if parsing of a numerical header parameter +failed. +The invocation in nf_nat_sip() looks correct: + if (ct_sip_parse_numerical_param(...) > 0 && + ...) { ... } + +Make the return value of the function ct_sip_parse_numerical_param() +a tristate to fix all the cases +a) return 1 if value is found; *val is set +b) return 0 if value is not found; *val is unchanged +c) return -1 on error; *val is undefined + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations") +Signed-off-by: Ilia.Gavrilov +Reviewed-by: Simon Horman +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_sip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c +index 046f118dea06b..d16aa43ebd4d6 100644 +--- a/net/netfilter/nf_conntrack_sip.c ++++ b/net/netfilter/nf_conntrack_sip.c +@@ -605,7 +605,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr, + start += strlen(name); + *val = simple_strtoul(start, &end, 0); + if (start == end) +- return 0; ++ return -1; + if (matchoff && matchlen) { + *matchoff = start - dptr; + *matchlen = end - start; +-- +2.39.2 + diff --git a/queue-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch b/queue-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch new file mode 100644 index 00000000000..6e8e545f52f --- /dev/null +++ b/queue-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch @@ -0,0 +1,152 @@ +From 3a75a252bcf5592f5b27882ccbb7d44ddafb7763 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 09:43:13 -0700 +Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump(). + +From: Kuniyuki Iwashima + +[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ] + +syzbot reported a warning in __local_bh_enable_ip(). [0] + +Commit 8d61f926d420 ("netlink: fix potential deadlock in +netlink_set_err()") converted read_lock(&nl_table_lock) to +read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock. + +However, __netlink_diag_dump() calls sock_i_ino() that uses +read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y, +read_unlock_bh() finally enables IRQ even though it should stay +disabled until the following read_unlock_irqrestore(). + +Using read_lock() in sock_i_ino() would trigger a lockdep splat +in another place that was fixed in commit f064af1e500a ("net: fix +a lockdep splat"), so let's add __sock_i_ino() that would be safe +to use under BH disabled. + +[0]: +WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Modules linked in: +CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f +RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996 +RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3 +RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3 +R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4 +R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000 +FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sock_i_ino+0x83/0xa0 net/core/sock.c:2559 + __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171 + netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207 + netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269 + __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374 + netlink_dump_start include/linux/netlink.h:329 [inline] + netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238 + __sock_diag_cmd net/core/sock_diag.c:238 [inline] + sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269 + netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547 + sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0xde/0x190 net/socket.c:747 + ____sys_sendmsg+0x71c/0x900 net/socket.c:2503 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557 + __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5303aaabb9 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()") +Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422 +Suggested-by: Eric Dumazet +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 1 + + net/core/sock.c | 17 ++++++++++++++--- + net/netlink/diag.c | 2 +- + 3 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 616e84d1670df..72739f72e4b90 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1840,6 +1840,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) + } + + kuid_t sock_i_uid(struct sock *sk); ++unsigned long __sock_i_ino(struct sock *sk); + unsigned long sock_i_ino(struct sock *sk); + + static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk) +diff --git a/net/core/sock.c b/net/core/sock.c +index 347a55519d0a5..5b31f3446fc7a 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1939,13 +1939,24 @@ kuid_t sock_i_uid(struct sock *sk) + } + EXPORT_SYMBOL(sock_i_uid); + +-unsigned long sock_i_ino(struct sock *sk) ++unsigned long __sock_i_ino(struct sock *sk) + { + unsigned long ino; + +- read_lock_bh(&sk->sk_callback_lock); ++ read_lock(&sk->sk_callback_lock); + ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0; +- read_unlock_bh(&sk->sk_callback_lock); ++ read_unlock(&sk->sk_callback_lock); ++ return ino; ++} ++EXPORT_SYMBOL(__sock_i_ino); ++ ++unsigned long sock_i_ino(struct sock *sk) ++{ ++ unsigned long ino; ++ ++ local_bh_disable(); ++ ino = __sock_i_ino(sk); ++ local_bh_enable(); + return ino; + } + EXPORT_SYMBOL(sock_i_ino); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 83a0429805e9d..85ee4891c2c7f 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -167,7 +167,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + NLM_F_MULTI, +- sock_i_ino(sk)) < 0) { ++ __sock_i_ino(sk)) < 0) { + ret = 1; + break; + } +-- +2.39.2 + diff --git a/queue-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch b/queue-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch new file mode 100644 index 00000000000..d17adc884c3 --- /dev/null +++ b/queue-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch @@ -0,0 +1,157 @@ +From 459b47414fc29c8475bd27d3af1b1a4f95fb993f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 17:47:20 +0000 +Subject: netlink: do not hard code device address lenth in fdb dumps + +From: Eric Dumazet + +[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ] + +syzbot reports that some netdev devices do not have a six bytes +address [1] + +Replace ETH_ALEN by dev->addr_len. + +[1] (Case of a device where dev->addr_len = 4) + +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 +instrument_copy_to_user include/linux/instrumented.h:114 [inline] +copyout+0xb8/0x100 lib/iov_iter.c:169 +_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 +copy_to_iter include/linux/uio.h:206 [inline] +simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 +__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 +skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 +skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] +netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 +sock_recvmsg_nosec net/socket.c:1019 [inline] +sock_recvmsg net/socket.c:1040 [inline] +____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was stored to memory at: +__nla_put lib/nlattr.c:1009 [inline] +nla_put+0x1c6/0x230 lib/nlattr.c:1067 +nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 +nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] +ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 +rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 +netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 +netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 +sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 +____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 +slab_alloc_node mm/slub.c:3451 [inline] +__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 +kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 +kmalloc include/linux/slab.h:559 [inline] +__hw_addr_create net/core/dev_addr_lists.c:60 [inline] +__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 +__dev_mc_add net/core/dev_addr_lists.c:867 [inline] +dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 +igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 +ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 +ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 +addrconf_type_change net/ipv6/addrconf.c:3731 [inline] +addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 +notifier_call_chain kernel/notifier.c:93 [inline] +raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1935 [inline] +call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] +call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 +bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 +do_set_master net/core/rtnetlink.c:2626 [inline] +rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] +__rtnl_newlink net/core/rtnetlink.c:3660 [inline] +rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 +rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 +netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 +rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0x999/0xd50 net/socket.c:2503 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557 +__sys_sendmsg net/socket.c:2586 [inline] +__do_sys_sendmsg net/socket.c:2595 [inline] +__se_sys_sendmsg net/socket.c:2593 [inline] +__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Bytes 2856-2857 of 3500 are uninitialized +Memory access of size 3500 starts at ffff888018d99104 +Data copied to user address 0000000020000480 + +Fixes: d83b06036048 ("net: add fdb generic dump routine") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 2837cc03f69e2..79f62517e24a5 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3436,7 +3436,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + ndm->ndm_ifindex = dev->ifindex; + ndm->ndm_state = ndm_state; + +- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr)) ++ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr)) + goto nla_put_failure; + if (vid) + if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid)) +@@ -3450,10 +3450,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + return -EMSGSIZE; + } + +-static inline size_t rtnl_fdb_nlmsg_size(void) ++static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev) + { + return NLMSG_ALIGN(sizeof(struct ndmsg)) + +- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */ ++ nla_total_size(dev->addr_len) + /* NDA_LLADDR */ + nla_total_size(sizeof(u16)) + /* NDA_VLAN */ + 0; + } +@@ -3465,7 +3465,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type, + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC); ++ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC); + if (!skb) + goto errout; + +-- +2.39.2 + diff --git a/queue-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch b/queue-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch new file mode 100644 index 00000000000..ed4e1963a67 --- /dev/null +++ b/queue-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch @@ -0,0 +1,117 @@ +From 6845ece794e1aeaadab2f5f1b10d1d35bc668d1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 15:43:37 +0000 +Subject: netlink: fix potential deadlock in netlink_set_err() + +From: Eric Dumazet + +[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ] + +syzbot reported a possible deadlock in netlink_set_err() [1] + +A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs +for netlink_lock_table()") in netlink_lock_table() + +This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump() +which were not covered by cited commit. + +[1] + +WARNING: possible irq lock inversion dependency detected +6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted + +syz-executor.2/23011 just changed the state of lock: +ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612 +but this lock was taken by another, SOFTIRQ-safe lock in the past: + (&local->queue_stop_reason_lock){..-.}-{2:2} + +and interrupts could create inverse lock ordering between them. + +other info that might help us debug this: + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(nl_table_lock); + local_irq_disable(); + lock(&local->queue_stop_reason_lock); + lock(nl_table_lock); + + lock(&local->queue_stop_reason_lock); + + *** DEADLOCK *** + +Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()") +Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c +Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Johannes Berg +Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 5 +++-- + net/netlink/diag.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 57fd9b7cfc75f..35ecaa93f213a 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1603,6 +1603,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p) + int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + { + struct netlink_set_err_data info; ++ unsigned long flags; + struct sock *sk; + int ret = 0; + +@@ -1612,12 +1613,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + /* sk->sk_err wants a positive error value */ + info.code = -code; + +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + + sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list) + ret += do_one_set_err(sk, &info); + +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + return ret; + } + EXPORT_SYMBOL(netlink_set_err); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 7dda33b9b7849..83a0429805e9d 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -93,6 +93,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + struct net *net = sock_net(skb->sk); + struct netlink_diag_req *req; + struct netlink_sock *nlsk; ++ unsigned long flags; + struct sock *sk; + int num = 2; + int ret = 0; +@@ -151,7 +152,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + num++; + + mc_list: +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + sk_for_each_bound(sk, &tbl->mc_list) { + if (sk_hashed(sk)) + continue; +@@ -172,7 +173,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + } + num++; + } +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + + done: + cb->args[0] = num; +-- +2.39.2 + diff --git a/queue-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch b/queue-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch new file mode 100644 index 00000000000..e9f0509bfca --- /dev/null +++ b/queue-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch @@ -0,0 +1,465 @@ +From f2fd3340eff76d7c5d0b33c8a89cb746bb836c1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 16:41:59 +0200 +Subject: nfc: constify several pointers to u8, char and sk_buff + +From: Krzysztof Kozlowski + +[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ] + +Several functions receive pointers to u8, char or sk_buff but do not +modify the contents so make them const. This allows doing the same for +local variables and in total makes the code a little bit safer. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()") +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 4 ++-- + net/nfc/core.c | 4 ++-- + net/nfc/hci/llc_shdlc.c | 10 ++++----- + net/nfc/llcp.h | 8 +++---- + net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++------------------- + net/nfc/llcp_core.c | 44 +++++++++++++++++++++------------------ + net/nfc/nfc.h | 2 +- + 7 files changed, 63 insertions(+), 55 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index bbdc73a3239df..8b86560b5cfb1 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -278,7 +278,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk, + struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp); + + int nfc_set_remote_general_bytes(struct nfc_dev *dev, +- u8 *gt, u8 gt_len); ++ const u8 *gt, u8 gt_len); + u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len); + + int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name, +@@ -292,7 +292,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len); ++ const u8 *gb, size_t gb_len); + int nfc_tm_deactivated(struct nfc_dev *dev); + int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb); + +diff --git a/net/nfc/core.c b/net/nfc/core.c +index a84f824da051d..dd12ee46ac730 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -646,7 +646,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx) + return rc; + } + +-int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len); + +@@ -675,7 +675,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb) + EXPORT_SYMBOL(nfc_tm_data_received); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len) ++ const u8 *gb, size_t gb_len) + { + int rc; + +diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c +index fe988936ad923..e6863c71f566d 100644 +--- a/net/nfc/hci/llc_shdlc.c ++++ b/net/nfc/hci/llc_shdlc.c +@@ -134,7 +134,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z) + return ((y >= x) || (y < z)) ? true : false; + } + +-static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, ++static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc, + int payload_len) + { + struct sk_buff *skb; +@@ -148,7 +148,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, + } + + /* immediately sends an S frame. */ +-static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc, + enum sframe_type sframe_type, int nr) + { + int r; +@@ -170,7 +170,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, + } + + /* immediately sends an U frame. skb may contain optional payload */ +-static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc, + struct sk_buff *skb, + enum uframe_modifier uframe_modifier) + { +@@ -372,7 +372,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r) + wake_up(shdlc->connect_wq); + } + +-static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +@@ -388,7 +388,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) + return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET); + } + +-static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h +index 1f68724d44d3b..a070a57fc1516 100644 +--- a/net/nfc/llcp.h ++++ b/net/nfc/llcp.h +@@ -233,15 +233,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock); + + /* TLV API */ + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + + /* Commands API */ + void nfc_llcp_recv(void *data, struct sk_buff *skb, int err); +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length); ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length); + struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap); +-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len); + void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); + void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head); +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index d1fc019e932e0..6dcad7bcf20bb 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -27,7 +27,7 @@ + #include "nfc.h" + #include "llcp.h" + +-static u8 llcp_tlv_length[LLCP_TLV_MAX] = { ++static const u8 llcp_tlv_length[LLCP_TLV_MAX] = { + 0, + 1, /* VERSION */ + 2, /* MIUX */ +@@ -41,7 +41,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = { + + }; + +-static u8 llcp_tlv8(u8 *tlv, u8 type) ++static u8 llcp_tlv8(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -49,7 +49,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type) + return tlv[2]; + } + +-static u16 llcp_tlv16(u8 *tlv, u8 type) ++static u16 llcp_tlv16(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -58,37 +58,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type) + } + + +-static u8 llcp_tlv_version(u8 *tlv) ++static u8 llcp_tlv_version(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_VERSION); + } + +-static u16 llcp_tlv_miux(u8 *tlv) ++static u16 llcp_tlv_miux(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff; + } + +-static u16 llcp_tlv_wks(u8 *tlv) ++static u16 llcp_tlv_wks(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_WKS); + } + +-static u16 llcp_tlv_lto(u8 *tlv) ++static u16 llcp_tlv_lto(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_LTO); + } + +-static u8 llcp_tlv_opt(u8 *tlv) ++static u8 llcp_tlv_opt(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_OPT); + } + +-static u8 llcp_tlv_rw(u8 *tlv) ++static u8 llcp_tlv_rw(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf; + } + +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length) ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length) + { + u8 *tlv, length; + +@@ -142,7 +142,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap) + return sdres; + } + +-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len) + { + struct nfc_llcp_sdp_tlv *sdreq; +@@ -202,9 +202,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head) + } + + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -251,9 +252,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, + } + + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -307,7 +309,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu, + return pdu; + } + +-static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv, ++static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv, + u8 tlv_length) + { + /* XXX Add an skb length check */ +@@ -401,9 +403,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *service_name_tlv = NULL, service_name_tlv_length; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *service_name_tlv = NULL; ++ const u8 *miux_tlv = NULL; ++ const u8 *rw_tlv = NULL; ++ u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +@@ -477,8 +480,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *miux_tlv = NULL; ++ const u8 *rw_tlv = NULL; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 3290f2275b857..bdc1a9d0965af 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -314,7 +314,7 @@ static char *wks[] = { + "urn:nfc:sn:snep", + }; + +-static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) ++static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) + { + int sap, num_wks; + +@@ -338,7 +338,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) + + static + struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct sock *sk; + struct nfc_llcp_sock *llcp_sock, *tmp_sock; +@@ -535,7 +535,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + { + u8 *gb_cur, version, version_length; + u8 lto_length, wks_length, miux_length; +- u8 *version_tlv = NULL, *lto_tlv = NULL, ++ const u8 *version_tlv = NULL, *lto_tlv = NULL, + *wks_tlv = NULL, *miux_tlv = NULL; + __be16 wks = cpu_to_be16(local->local_wks); + u8 gb_len = 0; +@@ -625,7 +625,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len) + return local->gb; + } + +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + struct nfc_llcp_local *local; + +@@ -652,27 +652,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) + local->remote_gb_len - 3); + } + +-static u8 nfc_llcp_dsap(struct sk_buff *pdu) ++static u8 nfc_llcp_dsap(const struct sk_buff *pdu) + { + return (pdu->data[0] & 0xfc) >> 2; + } + +-static u8 nfc_llcp_ptype(struct sk_buff *pdu) ++static u8 nfc_llcp_ptype(const struct sk_buff *pdu) + { + return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6); + } + +-static u8 nfc_llcp_ssap(struct sk_buff *pdu) ++static u8 nfc_llcp_ssap(const struct sk_buff *pdu) + { + return pdu->data[1] & 0x3f; + } + +-static u8 nfc_llcp_ns(struct sk_buff *pdu) ++static u8 nfc_llcp_ns(const struct sk_buff *pdu) + { + return pdu->data[2] >> 4; + } + +-static u8 nfc_llcp_nr(struct sk_buff *pdu) ++static u8 nfc_llcp_nr(const struct sk_buff *pdu) + { + return pdu->data[2] & 0xf; + } +@@ -814,7 +814,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local + } + + static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct nfc_llcp_sock *llcp_sock; + +@@ -828,9 +828,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, + return llcp_sock; + } + +-static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len) ++static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) + { +- u8 *tlv = &skb->data[2], type, length; ++ u8 type, length; ++ const u8 *tlv = &skb->data[2]; + size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0; + + while (offset < tlv_array_len) { +@@ -888,7 +889,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct sock *new_sk, *parent; + struct nfc_llcp_sock *sock, *new_sock; +@@ -906,7 +907,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, + goto fail; + } + } else { +- u8 *sn; ++ const u8 *sn; + size_t sn_len; + + sn = nfc_llcp_connect_sn(skb, &sn_len); +@@ -1125,7 +1126,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1168,7 +1169,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, + nfc_llcp_sock_put(llcp_sock); + } + +-static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1201,7 +1203,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) + nfc_llcp_sock_put(llcp_sock); + } + +-static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1239,12 +1242,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) + } + + static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; +- u8 dsap, ssap, *tlv, type, length, tid, sap; ++ u8 dsap, ssap, type, length, tid, sap; ++ const u8 *tlv; + u16 tlv_len, offset; +- char *service_name; ++ const char *service_name; + size_t service_name_len; + struct nfc_llcp_sdp_tlv *sdp; + HLIST_HEAD(llc_sdres_list); +diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h +index 6c6f76b370b1e..c792165f523f1 100644 +--- a/net/nfc/nfc.h ++++ b/net/nfc/nfc.h +@@ -60,7 +60,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + int nfc_llcp_register_device(struct nfc_dev *dev); + void nfc_llcp_unregister_device(struct nfc_dev *dev); +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len); ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); + u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); + int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); +-- +2.39.2 + diff --git a/queue-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch b/queue-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch new file mode 100644 index 00000000000..11ed79bf3e6 --- /dev/null +++ b/queue-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch @@ -0,0 +1,41 @@ +From 994bdd8700413b10cf79b929542fa04709405edc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 May 2023 13:52:04 +0200 +Subject: nfc: llcp: fix possible use of uninitialized variable in + nfc_llcp_send_connect() + +From: Krzysztof Kozlowski + +[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ] + +If sock->service_name is NULL, the local variable +service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(), +later leading to using value frmo the stack. Smatch warning: + + net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'. + +Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 6dcad7bcf20bb..737c7aa384f44 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -406,7 +406,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + const u8 *service_name_tlv = NULL; + const u8 *miux_tlv = NULL; + const u8 *rw_tlv = NULL; +- u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; ++ u8 service_name_tlv_length = 0; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +-- +2.39.2 + diff --git a/queue-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch b/queue-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch new file mode 100644 index 00000000000..d1f2b4cef8e --- /dev/null +++ b/queue-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch @@ -0,0 +1,39 @@ +From 6c18e9d066dee0688410a364ac9344b0379068e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 18:27:44 +0800 +Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI + +From: Sui Jingfeng + +[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ] + +Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that +support both PCI and platform devices don't need #ifdefs or extra Kconfig +symbols for the PCI parts. + +[bhelgaas: commit log] +Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()") +Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn +Signed-off-by: Sui Jingfeng +Signed-off-by: Bjorn Helgaas +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + include/linux/pci.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/pci.h b/include/linux/pci.h +index 3e06e9790c255..1d1b0bfd51968 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1643,6 +1643,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class, + #define pci_dev_put(dev) do { } while (0) + + static inline void pci_set_master(struct pci_dev *dev) { } ++static inline void pci_clear_master(struct pci_dev *dev) { } + static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; } + static inline void pci_disable_device(struct pci_dev *dev) { } + static inline int pci_assign_resource(struct pci_dev *dev, int i) +-- +2.39.2 + diff --git a/queue-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch b/queue-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch new file mode 100644 index 00000000000..8e17d476da1 --- /dev/null +++ b/queue-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch @@ -0,0 +1,45 @@ +From 1305047881df831eb992b45f8488e5dbc824694f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 16:41:01 -0700 +Subject: perf dwarf-aux: Fix off-by-one in die_get_varname() + +From: Namhyung Kim + +[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ] + +The die_get_varname() returns "(unknown_type)" string if it failed to +find a type for the variable. But it had a space before the opening +parenthesis and it made the closing parenthesis cut off due to the +off-by-one in the string length (14). + +Signed-off-by: Namhyung Kim +Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index 6de57d9ee7cc2..db099dc20a682 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -1020,7 +1020,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf) + ret = die_get_typename(vr_die, buf); + if (ret < 0) { + pr_debug("Failed to get type, make it unknown.\n"); +- ret = strbuf_add(buf, " (unknown_type)", 14); ++ ret = strbuf_add(buf, "(unknown_type)", 14); + } + + return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die)); +-- +2.39.2 + diff --git a/queue-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch b/queue-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch new file mode 100644 index 00000000000..f887cbf1584 --- /dev/null +++ b/queue-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch @@ -0,0 +1,41 @@ +From 8cc3629d359b1617fe9c7a963a43fb802602ce1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 13:53:33 +0300 +Subject: pinctrl: at91-pio4: check return value of devm_kasprintf() + +From: Claudiu Beznea + +[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ] + +devm_kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller") +Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") +Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") +Signed-off-by: Claudiu Beznea +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c +index 5b883eb49ce92..cbbda24bf6a80 100644 +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -1024,6 +1024,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev) + /* Pin naming convention: P(bank_name)(bank_pin_number). */ + pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d", + bank + 'A', line); ++ if (!pin_desc[i].name) ++ return -ENOMEM; + + group->name = group_names[i] = pin_desc[i].name; + group->pin = pin_desc[i].number; +-- +2.39.2 + diff --git a/queue-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch b/queue-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch new file mode 100644 index 00000000000..297f675b95f --- /dev/null +++ b/queue-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch @@ -0,0 +1,57 @@ +From 1dab81b0371c72df1a682c0bb10383010b482841 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 17:37:34 +0300 +Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode + +From: Andy Shevchenko + +[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ] + +Currently the getter returns ENOTSUPP on pin configured in +the push-pull mode. Fix this by adding the missed switch case. + +Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config") +Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support") +Acked-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c +index 25932d2a71547..ef8eb42e4d383 100644 +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1032,11 +1032,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin, + + break; + +- case PIN_CONFIG_DRIVE_OPEN_DRAIN: +- if (!(ctrl1 & CHV_PADCTRL1_ODEN)) +- return -EINVAL; +- break; +- + case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: { + u32 cfg; + +@@ -1046,6 +1041,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin, + return -EINVAL; + + break; ++ ++ case PIN_CONFIG_DRIVE_PUSH_PULL: ++ if (ctrl1 & CHV_PADCTRL1_ODEN) ++ return -EINVAL; ++ break; ++ ++ case PIN_CONFIG_DRIVE_OPEN_DRAIN: ++ if (!(ctrl1 & CHV_PADCTRL1_ODEN)) ++ return -EINVAL; ++ break; + } + + default: +-- +2.39.2 + diff --git a/queue-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch b/queue-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch new file mode 100644 index 00000000000..fd4ada2152b --- /dev/null +++ b/queue-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch @@ -0,0 +1,48 @@ +From ef15279e88446b0b4c31771ab1aca4bdc6714705 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 06:07:43 -0700 +Subject: PM: domains: fix integer overflow issues in genpd_parse_state() + +From: Nikita Zhandarovich + +[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ] + +Currently, while calculating residency and latency values, right +operands may overflow if resulting values are big enough. + +To prevent this, albeit unlikely case, play it safe and convert +right operands to left ones' type s64. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT") +Signed-off-by: Nikita Zhandarovich +Acked-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/domain.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c +index e865aa4b25047..b32d3cf4f670d 100644 +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -2433,10 +2433,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state, + + err = of_property_read_u32(state_node, "min-residency-us", &residency); + if (!err) +- genpd_state->residency_ns = 1000 * residency; ++ genpd_state->residency_ns = 1000LL * residency; + +- genpd_state->power_on_latency_ns = 1000 * exit_latency; +- genpd_state->power_off_latency_ns = 1000 * entry_latency; ++ genpd_state->power_on_latency_ns = 1000LL * exit_latency; ++ genpd_state->power_off_latency_ns = 1000LL * entry_latency; + genpd_state->fwnode = &state_node->fwnode; + + return 0; +-- +2.39.2 + diff --git a/queue-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch b/queue-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch new file mode 100644 index 00000000000..6c81cb6efdb --- /dev/null +++ b/queue-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch @@ -0,0 +1,110 @@ +From 538cb4b674cd354c9bbdaaf06670cfdf71f72bca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 08:12:28 -0700 +Subject: radeon: avoid double free in ci_dpm_init() + +From: Nikita Zhandarovich + +[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ] + +Several calls to ci_dpm_fini() will attempt to free resources that +either have been freed before or haven't been allocated yet. This +may lead to undefined or dangerous behaviour. + +For instance, if r600_parse_extended_power_table() fails, it might +call r600_free_extended_power_table() as will ci_dpm_fini() later +during error handling. + +Fix this by only freeing pointers to objects previously allocated. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Co-developed-by: Natalia Petrova +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index 90c1afe498bea..ce8b14592b69b 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -5552,6 +5552,7 @@ static int ci_parse_power_table(struct radeon_device *rdev) + u8 frev, crev; + u8 *power_state_offset; + struct ci_ps *ps; ++ int ret; + + if (!atom_parse_data_header(mode_info->atom_context, index, NULL, + &frev, &crev, &data_offset)) +@@ -5581,11 +5582,15 @@ static int ci_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) +- return -EINVAL; ++ if (!rdev->pm.power_state[i].clock_info) { ++ ret = -EINVAL; ++ goto err_free_ps; ++ } + ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL); +- if (ps == NULL) +- return -ENOMEM; ++ if (ps == NULL) { ++ ret = -ENOMEM; ++ goto err_free_ps; ++ } + rdev->pm.dpm.ps[i].ps_priv = ps; + ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i], + non_clock_info, +@@ -5625,6 +5630,12 @@ static int ci_parse_power_table(struct radeon_device *rdev) + } + + return 0; ++ ++err_free_ps: ++ for (i = 0; i < rdev->pm.dpm.num_ps; i++) ++ kfree(rdev->pm.dpm.ps[i].ps_priv); ++ kfree(rdev->pm.dpm.ps); ++ return ret; + } + + static int ci_get_vbios_boot_values(struct radeon_device *rdev, +@@ -5713,25 +5724,26 @@ int ci_dpm_init(struct radeon_device *rdev) + + ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_get_platform_caps(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_parse_extended_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = ci_parse_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); ++ r600_free_extended_power_table(rdev); + return ret; + } + +-- +2.39.2 + diff --git a/queue-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch b/queue-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch new file mode 100644 index 00000000000..109b15337ed --- /dev/null +++ b/queue-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch @@ -0,0 +1,36 @@ +From 1bc2f94406b03808f08a0f4b770a725753a34849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 16:50:58 +0800 +Subject: samples/bpf: Fix buffer overflow in tcp_basertt + +From: Pengcheng Yang + +[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ] + +Using sizeof(nv) or strlen(nv)+1 is correct. + +Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program") +Signed-off-by: Pengcheng Yang +Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + samples/bpf/tcp_basertt_kern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c +index 4bf4fc597db9a..653d233714ad0 100644 +--- a/samples/bpf/tcp_basertt_kern.c ++++ b/samples/bpf/tcp_basertt_kern.c +@@ -54,7 +54,7 @@ int bpf_basertt(struct bpf_sock_ops *skops) + case BPF_SOCK_OPS_BASE_RTT: + n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION, + cong, sizeof(cong)); +- if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) { ++ if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) { + /* Set base_rtt to 80us */ + rv = 80; + } else if (n) { +-- +2.39.2 + diff --git a/queue-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch b/queue-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch new file mode 100644 index 00000000000..bb38bc4df30 --- /dev/null +++ b/queue-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch @@ -0,0 +1,47 @@ +From a2a994777eca5a7c0463e65c84a199840479c744 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 22:12:55 +0800 +Subject: scsi: 3w-xxxx: Add error handling for initialization failure in + tw_probe() + +From: Yuchen Yang + +[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ] + +Smatch complains that: + +tw_probe() warn: missing error code 'retval' + +This patch adds error checking to tw_probe() to handle initialization +failure. If tw_reset_sequence() function returns a non-zero value, the +function will return -EINVAL to indicate initialization failure. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yuchen Yang +Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn +Reviewed-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/3w-xxxx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c +index 471366945bd4f..8a61e832607eb 100644 +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -2303,8 +2303,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id) + TW_DISABLE_INTERRUPTS(tw_dev); + + /* Initialize the card */ +- if (tw_reset_sequence(tw_dev)) ++ if (tw_reset_sequence(tw_dev)) { ++ retval = -EINVAL; + goto out_release_mem_region; ++ } + + /* Set host specific parameters */ + host->max_id = TW_MAX_UNITS; +-- +2.39.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 94a6922ca49..1b5430f0bd4 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -6,3 +6,79 @@ fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch scripts-tags.sh-resolve-gtags-empty-index-generation.patch drm-amdgpu-validate-vm-ioctl-flags.patch treewide-remove-uninitialized_var-usage.patch +md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch +md-raid10-fix-overflow-of-md-safe_mode_delay.patch +md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch +md-raid10-fix-io-loss-while-replacement-replace-rdev.patch +irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch +irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch +clocksource-drivers-unify-the-names-to-timer-format.patch +clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch +clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch +pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch +arm-9303-1-kprobes-avoid-missing-declaration-warning.patch +evm-complete-description-of-evm_inode_setattr.patch +wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch +wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch +samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch +wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch +nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch +nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch +wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch +wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch +wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch +wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch +wl3501_cs-remove-unnecessary-null-check.patch +wl3501_cs-fix-misspelling-and-provide-missing-docume.patch +net-create-netdev-dev_addr-assignment-helpers.patch +wl3501_cs-use-eth_hw_addr_set.patch +wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch +wifi-ray_cs-utilize-strnlen-in-parse_addr.patch +wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch +wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch +wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch +wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch +watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch +watchdog-perf-more-properly-prevent-false-positives-.patch +kexec-fix-a-memory-leak-in-crash_shrink_memory.patch +memstick-r592-make-memstick_debug_get_tpc_name-stati.patch +wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch +wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch +netlink-fix-potential-deadlock-in-netlink_set_err.patch +netlink-do-not-hard-code-device-address-lenth-in-fdb.patch +gtp-fix-use-after-free-in-__gtp_encap_destroy.patch +lib-ts_bm-reset-initial-match-offset-for-every-block.patch +netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch +ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch +netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch +radeon-avoid-double-free-in-ci_dpm_init.patch +input-drv260x-sleep-between-polling-go-bit.patch +arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch +input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch +drm-panel-simple-fix-active-size-for-ampire-am-48027.patch +arm-ep93xx-fix-missing-prototype-warnings.patch +asoc-es8316-increment-max-value-for-alc-capture-targ.patch +soc-fsl-qe-fix-usb.c-build-errors.patch +ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch +arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch +fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch +drm-radeon-fix-possible-division-by-zero-errors.patch +alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch +scsi-3w-xxxx-add-error-handling-for-initialization-f.patch +pci-add-pci_clear_master-stub-for-non-config_pci.patch +pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch +perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch +pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch +hwrng-virtio-add-an-internal-buffer.patch +hwrng-virtio-don-t-wait-on-cleanup.patch +hwrng-virtio-don-t-waste-entropy.patch +hwrng-virtio-always-add-a-pending-request.patch +hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch +crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch +modpost-fix-section-mismatch-message-for-r_arm_abs32.patch +modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch +arcv2-entry-comments-about-hardware-auto-save-on-tak.patch +arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch +arcv2-entry-avoid-a-branch.patch +arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch +arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch diff --git a/queue-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch b/queue-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch new file mode 100644 index 00000000000..05a3eb69638 --- /dev/null +++ b/queue-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch @@ -0,0 +1,60 @@ +From 71e654502cd063aaefe7768e183dbd8e7732fa18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 May 2023 15:52:16 -0700 +Subject: soc/fsl/qe: fix usb.c build errors + +From: Randy Dunlap + +[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ] + +Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set. +This happens when PPC_EP88XC is set, which selects CPM1 & CPM. +When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE +being set. When USB_FSL_QE is set, QE_USB deafults to y, which +causes build errors when QUICC_ENGINE is not set. Making +QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y. + +Fixes these build errors: + +drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set': +usb.c:(.text+0x1e): undefined reference to `qe_immr' +powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr' +powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg' +powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock' +powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock' + +Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/ +Suggested-by: Michael Ellerman +Cc: Christophe Leroy +Cc: Leo Li +Cc: Masahiro Yamada +Cc: Nicolas Schier +Cc: Qiang Zhao +Cc: linuxppc-dev +Cc: linux-arm-kernel@lists.infradead.org +Cc: Kumar Gala +Acked-by: Nicolas Schier +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig +index fabba17e9d65b..7ec158e2acf91 100644 +--- a/drivers/soc/fsl/qe/Kconfig ++++ b/drivers/soc/fsl/qe/Kconfig +@@ -37,6 +37,7 @@ config QE_TDM + + config QE_USB + bool ++ depends on QUICC_ENGINE + default y if USB_FSL_QE + help + QE USB Controller support +-- +2.39.2 + diff --git a/queue-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch b/queue-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch new file mode 100644 index 00000000000..dc4e15c9859 --- /dev/null +++ b/queue-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch @@ -0,0 +1,89 @@ +From 0c282f6c0842390de9ae2a22490760732c735d15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 10:18:25 -0700 +Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on + correct config + +From: Douglas Anderson + +[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ] + +Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5. + +This patch series adds the "buddy" hardlockup detector. In brief, the +buddy hardlockup detector can detect hardlockups without arch-level +support by having CPUs checkup on a "buddy" CPU periodically. + +Given the new design of this patch series, testing all combinations is +fairly difficult. I've attempted to make sure that all combinations of +CONFIG_ options are good, but it wouldn't surprise me if I missed +something. I apologize in advance and I'll do my best to fix any +problems that are found. + +This patch (of 18): + +The real watchdog_update_hrtimer_threshold() is defined in +kernel/watchdog_hld.c. That file is included if +CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file +if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP. + +The dummy version of the function in "nmi.h" didn't get that quite right. +While this doesn't appear to be a huge deal, it's nice to make it +consistent. + +It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so +others don't get a double definition, and x86 uses perf lockup detector, +so it gets the out of line version. + +Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid +Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid +Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") +Signed-off-by: Douglas Anderson +Reviewed-by: Nicholas Piggin +Reviewed-by: Petr Mladek +Cc: Andi Kleen +Cc: Catalin Marinas +Cc: Chen-Yu Tsai +Cc: Christophe Leroy +Cc: Daniel Thompson +Cc: "David S. Miller" +Cc: Guenter Roeck +Cc: Ian Rogers +Cc: Lecopzer Chen +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Masayoshi Mizuma +Cc: Matthias Kaehlcke +Cc: Michael Ellerman +Cc: Pingfan Liu +Cc: Randy Dunlap +Cc: "Ravi V. Shankar" +Cc: Ricardo Neri +Cc: Stephane Eranian +Cc: Stephen Boyd +Cc: Sumit Garg +Cc: Tzung-Bi Shih +Cc: Will Deacon +Cc: Colin Cross +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/nmi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/nmi.h b/include/linux/nmi.h +index e972d1ae1ee63..6cb593d9ed08a 100644 +--- a/include/linux/nmi.h ++++ b/include/linux/nmi.h +@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh); + #endif + + #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \ +- defined(CONFIG_HARDLOCKUP_DETECTOR) ++ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF) + void watchdog_update_hrtimer_threshold(u64 period); + #else + static inline void watchdog_update_hrtimer_threshold(u64 period) { } +-- +2.39.2 + diff --git a/queue-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch b/queue-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch new file mode 100644 index 00000000000..58fc7eac1b9 --- /dev/null +++ b/queue-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch @@ -0,0 +1,84 @@ +From 3c6dc6af3bc7f2705b7a426759a9837e74c2a453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 10:18:26 -0700 +Subject: watchdog/perf: more properly prevent false positives with turbo modes + +From: Douglas Anderson + +[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ] + +Currently, in the watchdog_overflow_callback() we first check to see if +the watchdog had been touched and _then_ we handle the workaround for +turbo mode. This order should be reversed. + +Specifically, "touching" the hardlockup detector's watchdog should avoid +lockups being detected for one period that should be roughly the same +regardless of whether we're running turbo or not. That means that we +should do the extra accounting for turbo _before_ we look at (and clear) +the global indicating that we've been touched. + +NOTE: this fix is made based on code inspection. I am not aware of any +reports where the old code would have generated false positives. That +being said, this order seems more correct and also makes it easier down +the line to share code with the "buddy" hardlockup detector. + +Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid +Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") +Signed-off-by: Douglas Anderson +Cc: Andi Kleen +Cc: Catalin Marinas +Cc: Chen-Yu Tsai +Cc: Christophe Leroy +Cc: Colin Cross +Cc: Daniel Thompson +Cc: "David S. Miller" +Cc: Guenter Roeck +Cc: Ian Rogers +Cc: Lecopzer Chen +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Masayoshi Mizuma +Cc: Matthias Kaehlcke +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Petr Mladek +Cc: Pingfan Liu +Cc: Randy Dunlap +Cc: "Ravi V. Shankar" +Cc: Ricardo Neri +Cc: Stephane Eranian +Cc: Stephen Boyd +Cc: Sumit Garg +Cc: Tzung-Bi Shih +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/watchdog_hld.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c +index 71381168dedef..f8e460b4a59d5 100644 +--- a/kernel/watchdog_hld.c ++++ b/kernel/watchdog_hld.c +@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event, + /* Ensure the watchdog never gets throttled */ + event->hw.interrupts = 0; + ++ if (!watchdog_check_timestamp()) ++ return; ++ + if (__this_cpu_read(watchdog_nmi_touch) == true) { + __this_cpu_write(watchdog_nmi_touch, false); + return; + } + +- if (!watchdog_check_timestamp()) +- return; +- + /* check for a hardlockup + * This is done by making sure our timer interrupt + * is incrementing. The timer interrupt should have +-- +2.39.2 + diff --git a/queue-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch b/queue-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch new file mode 100644 index 00000000000..12eb40f6c19 --- /dev/null +++ b/queue-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch @@ -0,0 +1,58 @@ +From cf65e68abf8e7ab7b1fbd232bbdf201720676629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 17:35:01 +0300 +Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ] + +For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid +uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should +validate pkt_len before accessing the SKB. + +For example, the obtained SKB may have been badly constructed with +pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr +but after being processed in ath9k_htc_rx_msg() and passed to +ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI +command header which should be located inside its data payload. + +Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit +memory can be referenced. + +Tested on Qualcomm Atheros Communications AR9271 802.11n . + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index e4ea6f5cc78ab..5e2a610df61cf 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -218,6 +218,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, + if (unlikely(wmi->stopped)) + goto free_skb; + ++ /* Validate the obtained SKB. */ ++ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr))) ++ goto free_skb; ++ + hdr = (struct wmi_cmd_hdr *) skb->data; + cmd_id = be16_to_cpu(hdr->command_id); + +-- +2.39.2 + diff --git a/queue-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch b/queue-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch new file mode 100644 index 00000000000..62f1c572c60 --- /dev/null +++ b/queue-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch @@ -0,0 +1,51 @@ +From bbf82c3def2c11aee88ff24f3b0c8cf9599e0071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 16:46:55 +0300 +Subject: wifi: ath9k: convert msecs to jiffies where needed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ] + +Since 'ieee80211_queue_delayed_work()' expects timeout in +jiffies and not milliseconds, 'msecs_to_jiffies()' should +be used in 'ath_restart_work()' and '__ath9k_flush()'. + +Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work") +Signed-off-by: Dmitry Antipov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index e8e297a04d360..2fdf9858a73d9 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -200,7 +200,7 @@ void ath_cancel_work(struct ath_softc *sc) + void ath_restart_work(struct ath_softc *sc) + { + ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work, +- ATH_HW_CHECK_POLL_INT); ++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT)); + + if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah)) + ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work, +@@ -2228,7 +2228,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop, + } + + ieee80211_queue_delayed_work(hw, &sc->hw_check_work, +- ATH_HW_CHECK_POLL_INT); ++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT)); + } + + static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw) +-- +2.39.2 + diff --git a/queue-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch b/queue-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch new file mode 100644 index 00000000000..39849183e97 --- /dev/null +++ b/queue-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch @@ -0,0 +1,54 @@ +From cbdd7ba95d47d114975b51072b4265f8344abe37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 18:03:17 +0300 +Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ] + +A bad USB device is able to construct a service connection response +message with target endpoint being ENDPOINT0 which is reserved for +HTC_CTRL_RSVD_SVC and should not be modified to be used for any other +services. + +Reject such service connection responses. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 6331c98088e03..d5e5f9cf4ca86 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target, + + if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) { + epid = svc_rspmsg->endpoint_id; +- if (epid < 0 || epid >= ENDPOINT_MAX) ++ ++ /* Check that the received epid for the endpoint to attach ++ * a new service is valid. ENDPOINT0 can't be used here as it ++ * is already reserved for HTC_CTRL_RSVD_SVC service and thus ++ * should not be modified. ++ */ ++ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX) + return; + + service_id = be16_to_cpu(svc_rspmsg->service_id); +-- +2.39.2 + diff --git a/queue-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch b/queue-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch new file mode 100644 index 00000000000..49302b4acf5 --- /dev/null +++ b/queue-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch @@ -0,0 +1,95 @@ +From 16cb131de7a54b775ccf43c5fa130d76ee3a1901 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 17:35:00 +0300 +Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset + calculation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Seiderer + +[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ] + +Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset +calculation (do not overflow the shift for the second register/queues +above five, use the register layout described in the comments above +ath9k_hw_verify_hang() instead). + +Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003") + +Reported-by: Gregg Wonderly +Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/ +Signed-off-by: Peter Seiderer +Acked-by: Toke Høiland-Jørgensen +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++-------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c +index 2fe12b0de5b4f..dea8a998fb622 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c +@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue) + { + u32 dma_dbg_chain, dma_dbg_complete; + u8 dcu_chain_state, dcu_complete_state; ++ unsigned int dbg_reg, reg_offset; + int i; + +- for (i = 0; i < NUM_STATUS_READS; i++) { +- if (queue < 6) +- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4); +- else +- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5); ++ if (queue < 6) { ++ dbg_reg = AR_DMADBG_4; ++ reg_offset = queue * 5; ++ } else { ++ dbg_reg = AR_DMADBG_5; ++ reg_offset = (queue - 6) * 5; ++ } + ++ for (i = 0; i < NUM_STATUS_READS; i++) { ++ dma_dbg_chain = REG_READ(ah, dbg_reg); + dma_dbg_complete = REG_READ(ah, AR_DMADBG_6); + +- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f; ++ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f; + dcu_complete_state = dma_dbg_complete & 0x3; + + if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1)) +@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) + u8 dcu_chain_state, dcu_complete_state; + bool dcu_wait_frdone = false; + unsigned long chk_dcu = 0; ++ unsigned int reg_offset; + unsigned int i = 0; + + dma_dbg_4 = REG_READ(ah, AR_DMADBG_4); +@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) + goto exit; + + for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) { +- if (i < 6) ++ if (i < 6) { + chk_dbg = dma_dbg_4; +- else ++ reg_offset = i * 5; ++ } else { + chk_dbg = dma_dbg_5; ++ reg_offset = (i - 6) * 5; ++ } + +- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f; ++ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f; + if (dcu_chain_state == 0x6) { + dcu_wait_frdone = true; + chk_dcu |= BIT(i); +-- +2.39.2 + diff --git a/queue-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch b/queue-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch new file mode 100644 index 00000000000..60b7d4e55bd --- /dev/null +++ b/queue-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch @@ -0,0 +1,111 @@ +From 43e3a8b56606fdc140f08245ff49796f93f86e88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 11:37:44 +0200 +Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Remi Pommarel + +[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ] + +On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite +loop if it is called while all txq_fifos have packets that use different +key that the one we are looking for. Fix it by exiting the loop if all +txq_fifos have been checked already. + +Because this loop is called under spin_lock_bh() (see ath_txq_lock) it +causes the following rcu stall: + +rcu: INFO: rcu_sched self-detected stall on CPU +ath10k_pci 0000:01:00.0: failed to read temperature -11 +rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579 + (t=5257 jiffies g=17983297 q=334) +Task dump for CPU 1: +task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a +Call trace: + dump_backtrace+0x0/0x170 + show_stack+0x1c/0x24 + sched_show_task+0x140/0x170 + dump_cpu_task+0x48/0x54 + rcu_dump_cpu_stacks+0xf0/0x134 + rcu_sched_clock_irq+0x8d8/0x9fc + update_process_times+0xa0/0xec + tick_sched_timer+0x5c/0xd0 + __hrtimer_run_queues+0x154/0x320 + hrtimer_interrupt+0x120/0x2f0 + arch_timer_handler_virt+0x38/0x44 + handle_percpu_devid_irq+0x9c/0x1e0 + handle_domain_irq+0x64/0x90 + gic_handle_irq+0x78/0xb0 + call_on_irq_stack+0x28/0x38 + do_interrupt_handler+0x54/0x5c + el1_interrupt+0x2c/0x4c + el1h_64_irq_handler+0x14/0x1c + el1h_64_irq+0x74/0x78 + ath9k_txq_has_key+0x1bc/0x250 [ath9k] + ath9k_set_key+0x1cc/0x3dc [ath9k] + drv_set_key+0x78/0x170 + ieee80211_key_replace+0x564/0x6cc + ieee80211_key_link+0x174/0x220 + ieee80211_add_key+0x11c/0x300 + nl80211_new_key+0x12c/0x330 + genl_family_rcv_msg_doit+0xbc/0x11c + genl_rcv_msg+0xd8/0x1c4 + netlink_rcv_skb+0x40/0x100 + genl_rcv+0x3c/0x50 + netlink_unicast+0x1ec/0x2c0 + netlink_sendmsg+0x198/0x3c0 + ____sys_sendmsg+0x210/0x250 + ___sys_sendmsg+0x78/0xc4 + __sys_sendmsg+0x4c/0x90 + __arm64_sys_sendmsg+0x28/0x30 + invoke_syscall.constprop.0+0x60/0x100 + do_el0_svc+0x48/0xd0 + el0_svc+0x14/0x50 + el0t_64_sync_handler+0xa8/0xb0 + el0t_64_sync+0x158/0x15c + +This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH +from 8 to 2 makes it reasonably easy to reproduce. + +Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it") +Signed-off-by: Remi Pommarel +Tested-by: Nicolas Escande +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index ee1b9c39bad7a..e8e297a04d360 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -847,7 +847,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix) + static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) + { + struct ath_hw *ah = sc->sc_ah; +- int i; ++ int i, j; + struct ath_txq *txq; + bool key_in_use = false; + +@@ -865,8 +865,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) + if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { + int idx = txq->txq_tailidx; + +- while (!key_in_use && +- !list_empty(&txq->txq_fifo[idx])) { ++ for (j = 0; !key_in_use && ++ !list_empty(&txq->txq_fifo[idx]) && ++ j < ATH_TXFIFO_DEPTH; j++) { + key_in_use = ath9k_txq_list_has_key( + &txq->txq_fifo[idx], keyix); + INCR(idx, ATH_TXFIFO_DEPTH); +-- +2.39.2 + diff --git a/queue-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch b/queue-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch new file mode 100644 index 00000000000..c4c2160eea1 --- /dev/null +++ b/queue-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch @@ -0,0 +1,59 @@ +From c11669e78c6279d4eb42e332fdcbd353a753cffd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:53:14 +0200 +Subject: wifi: atmel: Fix an error handling path in atmel_probe() + +From: Christophe JAILLET + +[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ] + +Should atmel_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +atmel_probe(), not atmel_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c +index 7afc9c5329fb1..f5fa1a95b0c15 100644 +--- a/drivers/net/wireless/atmel/atmel_cs.c ++++ b/drivers/net/wireless/atmel/atmel_cs.c +@@ -73,6 +73,7 @@ struct local_info { + static int atmel_probe(struct pcmcia_device *p_dev) + { + struct local_info *local; ++ int ret; + + dev_dbg(&p_dev->dev, "atmel_attach()\n"); + +@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev) + + p_dev->priv = local; + +- return atmel_config(p_dev); +-} /* atmel_attach */ ++ ret = atmel_config(p_dev); ++ if (ret) ++ goto err_free_priv; ++ ++ return 0; ++ ++err_free_priv: ++ kfree(p_dev->priv); ++ return ret; ++} + + static void atmel_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/queue-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch b/queue-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch new file mode 100644 index 00000000000..8f183f74d19 --- /dev/null +++ b/queue-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch @@ -0,0 +1,48 @@ +From d6fb7a006f008102f2c65907ae4ba8fed02b5d0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 May 2023 15:53:15 +0200 +Subject: wifi: mwifiex: Fix the size of a memory allocation in + mwifiex_ret_802_11_scan() + +From: Christophe JAILLET + +[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ] + +The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info", +not "struct cfg80211_wowlan_nd_match". + +Use struct_size() to ease the computation of the needed size. + +The current code over-allocates some memory, so is safe. +But it wastes 32 bytes. + +Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index c9f6cd2919699..4f0e78ae3dbd0 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2208,9 +2208,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, + + if (nd_config) { + adapter->nd_info = +- kzalloc(sizeof(struct cfg80211_wowlan_nd_match) + +- sizeof(struct cfg80211_wowlan_nd_match *) * +- scan_rsp->number_of_sets, GFP_ATOMIC); ++ kzalloc(struct_size(adapter->nd_info, matches, ++ scan_rsp->number_of_sets), ++ GFP_ATOMIC); + + if (adapter->nd_info) + adapter->nd_info->n_matches = scan_rsp->number_of_sets; +-- +2.39.2 + diff --git a/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch b/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch new file mode 100644 index 00000000000..5f229dd40a4 --- /dev/null +++ b/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch @@ -0,0 +1,58 @@ +From fdea8bce372ab31562ece0fb8bf706052166a8c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:38:22 +0200 +Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ] + +Should orinoco_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +orinoco_cs_probe(), not orinoco_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +index a956f965a1e5e..03bfd2482656c 100644 +--- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + orinoco_cs_hard_reset, NULL); +@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return orinoco_cs_config(link); +-} /* orinoco_cs_attach */ ++ ret = orinoco_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void orinoco_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch b/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch new file mode 100644 index 00000000000..83af7fbc629 --- /dev/null +++ b/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch @@ -0,0 +1,59 @@ +From 7a359d8680a5bf516024b7d91b9bde70a5f1ef76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:29:46 +0200 +Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ] + +Should spectrum_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +spectrum_cs_probe(), not spectrum_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c +index b60048c95e0a8..011c86e55923e 100644 +--- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c +@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + spectrum_cs_hard_reset, +@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return spectrum_cs_config(link); +-} /* spectrum_cs_attach */ ++ ret = spectrum_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void spectrum_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/queue-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch b/queue-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch new file mode 100644 index 00000000000..4f8adcf5954 --- /dev/null +++ b/queue-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch @@ -0,0 +1,53 @@ +From 7d705b4ddd98b5603dec26cc74030feea2eebf60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:14 +0300 +Subject: wifi: ray_cs: Drop useless status variable in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ] + +The status variable assigned only once and used also only once. +Replace it's usage by actual value. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index f15714f19d0ff..e5cdcee04615f 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1653,7 +1653,6 @@ static int parse_addr(char *in_str, UCHAR *out) + { + int i, k; + int len; +- int status; + + if (in_str == NULL) + return 0; +@@ -1662,7 +1661,6 @@ static int parse_addr(char *in_str, UCHAR *out) + return 0; + memset(out, 0, ADDRLEN); + +- status = 1; + i = 5; + + while (len > 0) { +@@ -1680,7 +1678,7 @@ static int parse_addr(char *in_str, UCHAR *out) + if (!i--) + break; + } +- return status; ++ return 1; + } + + /*===========================================================================*/ +-- +2.39.2 + diff --git a/queue-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch b/queue-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch new file mode 100644 index 00000000000..a6ad78e58ad --- /dev/null +++ b/queue-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch @@ -0,0 +1,69 @@ +From c56ebaf56992bd5ad91919e1bdb623475a1bc379 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:13:22 +0200 +Subject: wifi: ray_cs: Fix an error handling path in ray_probe() + +From: Christophe JAILLET + +[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ] + +Should ray_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +ray_probe(), not ray_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index e5cdcee04615f..edc990d099789 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -282,13 +282,14 @@ static int ray_probe(struct pcmcia_device *p_dev) + { + ray_dev_t *local; + struct net_device *dev; ++ int ret; + + dev_dbg(&p_dev->dev, "ray_attach()\n"); + + /* Allocate space for private device-specific data */ + dev = alloc_etherdev(sizeof(ray_dev_t)); + if (!dev) +- goto fail_alloc_dev; ++ return -ENOMEM; + + local = netdev_priv(dev); + local->finder = p_dev; +@@ -325,11 +326,16 @@ static int ray_probe(struct pcmcia_device *p_dev) + timer_setup(&local->timer, NULL, 0); + + this_device = p_dev; +- return ray_config(p_dev); ++ ret = ray_config(p_dev); ++ if (ret) ++ goto err_free_dev; ++ ++ return 0; + +-fail_alloc_dev: +- return -ENOMEM; +-} /* ray_attach */ ++err_free_dev: ++ free_netdev(dev); ++ return ret; ++} + + static void ray_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/queue-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch b/queue-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch new file mode 100644 index 00000000000..df7e1dad046 --- /dev/null +++ b/queue-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch @@ -0,0 +1,67 @@ +From 39183f28dd2fa490bf43101f1f9693db74661545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:13 +0300 +Subject: wifi: ray_cs: Utilize strnlen() in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ] + +Instead of doing simple operations and using an additional variable on stack, +utilize strnlen() and reuse len variable. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 8704bae39e1bf..f15714f19d0ff 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1651,31 +1651,29 @@ static void authenticate_timeout(struct timer_list *t) + /*===========================================================================*/ + static int parse_addr(char *in_str, UCHAR *out) + { ++ int i, k; + int len; +- int i, j, k; + int status; + + if (in_str == NULL) + return 0; +- if ((len = strlen(in_str)) < 2) ++ len = strnlen(in_str, ADDRLEN * 2 + 1) - 1; ++ if (len < 1) + return 0; + memset(out, 0, ADDRLEN); + + status = 1; +- j = len - 1; +- if (j > 12) +- j = 12; + i = 5; + +- while (j > 0) { +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ while (len > 0) { ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] = k; + else + return 0; + +- if (j == 0) ++ if (len == 0) + break; +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] += k << 4; + else + return 0; +-- +2.39.2 + diff --git a/queue-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch b/queue-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch new file mode 100644 index 00000000000..4ff8e9f0d4c --- /dev/null +++ b/queue-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch @@ -0,0 +1,41 @@ +From 2a7df1bf66097f12bf14a803010334fd8c7d3260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 00:28:59 +0200 +Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown + +From: Marek Vasut + +[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ] + +It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag +indicates to the MMC subsystem to keep the slot powered on during +suspend, but in shutdown the slot should actually be powered off. +Drop this call. + +Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state") +Signed-off-by: Marek Vasut +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c +index 48efe83c58d89..409a3e8305763 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -1368,9 +1368,6 @@ static void rsi_shutdown(struct device *dev) + if (sdev->write_fail) + rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n"); + +- if (rsi_set_sdio_pm_caps(adapter)) +- rsi_dbg(INFO_ZONE, "Setting power management caps failed\n"); +- + rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n"); + } + +-- +2.39.2 + diff --git a/queue-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch b/queue-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch new file mode 100644 index 00000000000..a1abfa639d1 --- /dev/null +++ b/queue-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch @@ -0,0 +1,66 @@ +From 0ca96611eabb69439dd098fe35b02e57573d5f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:05:08 +0200 +Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe() + +From: Christophe JAILLET + +[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ] + +Should wl3501_config() fail, some resources need to be released as already +done in the remove function. + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 46188a83d8be8..4380c5d8fdd27 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1863,6 +1863,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + { + struct net_device *dev; + struct wl3501_card *this; ++ int ret; + + /* The io structure describes IO port mapping */ + p_dev->resource[0]->end = 16; +@@ -1874,8 +1875,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + + dev = alloc_etherdev(sizeof(struct wl3501_card)); + if (!dev) +- goto out_link; +- ++ return -ENOMEM; + + dev->netdev_ops = &wl3501_netdev_ops; + dev->watchdog_timeo = 5 * HZ; +@@ -1888,9 +1888,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + netif_stop_queue(dev); + p_dev->priv = dev; + +- return wl3501_config(p_dev); +-out_link: +- return -ENOMEM; ++ ret = wl3501_config(p_dev); ++ if (ret) ++ goto out_free_etherdev; ++ ++ return 0; ++ ++out_free_etherdev: ++ free_netdev(dev); ++ return ret; + } + + static int wl3501_config(struct pcmcia_device *link) +-- +2.39.2 + diff --git a/queue-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch b/queue-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch new file mode 100644 index 00000000000..6c04e488320 --- /dev/null +++ b/queue-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch @@ -0,0 +1,143 @@ +From 547b7019051a368a9dc01f5544d6bb44912e690b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 10:33:51 +0100 +Subject: wl3501_cs: Fix a bunch of formatting issues related to function docs + +From: Lee Jones + +[ Upstream commit 2307d0bc9d8b60299f255d1771ce0d997162a957 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'channel' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:162: warning: Function parameter or member 'reg_domain' not described in 'iw_default_channel' + drivers/net/wireless/wl3501_cs.c:248: warning: Function parameter or member 'this' not described in 'wl3501_set_to_wla' + drivers/net/wireless/wl3501_cs.c:270: warning: Function parameter or member 'this' not described in 'wl3501_get_from_wla' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'this' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:729: warning: Function parameter or member 'this' not described in 'wl3501_block_interrupt' + drivers/net/wireless/wl3501_cs.c:746: warning: Function parameter or member 'this' not described in 'wl3501_unblock_interrupt' + drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'irq' not described in 'wl3501_interrupt' + drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'dev_id' not described in 'wl3501_interrupt' + drivers/net/wireless/wl3501_cs.c:1257: warning: Function parameter or member 'dev' not described in 'wl3501_reset' + drivers/net/wireless/wl3501_cs.c:1420: warning: Function parameter or member 'link' not described in 'wl3501_detach' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200826093401.1458456-21-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index cfde9b94b4b60..78c89e6421f97 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -133,8 +133,8 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain - regulatory domain +- * @channel - channel to validate ++ * @reg_comain: regulatory domain ++ * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. + */ +@@ -153,7 +153,7 @@ static int iw_valid_channel(int reg_domain, int channel) + + /** + * iw_default_channel - get default channel for a regulatory domain +- * @reg_comain - regulatory domain ++ * @reg_domain: regulatory domain + * + * Returns the default channel for a regulatory domain + */ +@@ -236,6 +236,7 @@ static int wl3501_get_flash_mac_addr(struct wl3501_card *this) + + /** + * wl3501_set_to_wla - Move 'size' bytes from PC to card ++ * @this: Card + * @dest: Card addressing space + * @src: PC addressing space + * @size: Bytes to move +@@ -258,6 +259,7 @@ static void wl3501_set_to_wla(struct wl3501_card *this, u16 dest, void *src, + + /** + * wl3501_get_from_wla - Move 'size' bytes from card to PC ++ * @this: Card + * @src: Card addressing space + * @dest: PC addressing space + * @size: Bytes to move +@@ -454,7 +456,7 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + + /** + * wl3501_send_pkt - Send a packet. +- * @this - card ++ * @this: Card + * + * Send a packet. + * +@@ -722,7 +724,7 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr) + + /** + * wl3501_block_interrupt - Mask interrupt from SUTRO +- * @this - card ++ * @this: Card + * + * Mask interrupt from SUTRO. (i.e. SUTRO cannot interrupt the HOST) + * Return: 1 if interrupt is originally enabled +@@ -739,7 +741,7 @@ static int wl3501_block_interrupt(struct wl3501_card *this) + + /** + * wl3501_unblock_interrupt - Enable interrupt from SUTRO +- * @this - card ++ * @this: Card + * + * Enable interrupt from SUTRO. (i.e. SUTRO can interrupt the HOST) + * Return: 1 if interrupt is originally enabled +@@ -1113,8 +1115,8 @@ static inline void wl3501_ack_interrupt(struct wl3501_card *this) + + /** + * wl3501_interrupt - Hardware interrupt from card. +- * @irq - Interrupt number +- * @dev_id - net_device ++ * @irq: Interrupt number ++ * @dev_id: net_device + * + * We must acknowledge the interrupt as soon as possible, and block the + * interrupt from the same card immediately to prevent re-entry. +@@ -1252,7 +1254,7 @@ static int wl3501_close(struct net_device *dev) + + /** + * wl3501_reset - Reset the SUTRO. +- * @dev - network device ++ * @dev: network device + * + * It is almost the same as wl3501_open(). In fact, we may just wl3501_close() + * and wl3501_open() again, but I wouldn't like to free_irq() when the driver +@@ -1415,7 +1417,7 @@ static struct iw_statistics *wl3501_get_wireless_stats(struct net_device *dev) + + /** + * wl3501_detach - deletes a driver "instance" +- * @link - FILL_IN ++ * @link: FILL_IN + * + * This deletes a driver "instance". The device is de-registered with Card + * Services. If it has been released, all local data structures are freed. +-- +2.39.2 + diff --git a/queue-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch b/queue-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch new file mode 100644 index 00000000000..56f0c147769 --- /dev/null +++ b/queue-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch @@ -0,0 +1,64 @@ +From 95fa0eae9a65ac7aa9641b6c3e2e2baa5a405801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 11:23:53 +0000 +Subject: wl3501_cs: Fix misspelling and provide missing documentation + +From: Lee Jones + +[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 5b2383270627c..c6d1a320e244f 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -133,7 +133,7 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain: regulatory domain ++ * @reg_domain: regulatory domain + * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. +@@ -457,11 +457,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + /** + * wl3501_send_pkt - Send a packet. + * @this: Card +- * +- * Send a packet. +- * +- * data = Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, ++ * @data: Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, + * data[6] - data[11] is Src MAC Addr) ++ * @len: Packet length + * Ref: IEEE 802.11 + */ + static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) +-- +2.39.2 + diff --git a/queue-4.19/wl3501_cs-remove-unnecessary-null-check.patch b/queue-4.19/wl3501_cs-remove-unnecessary-null-check.patch new file mode 100644 index 00000000000..dcbf81babcd --- /dev/null +++ b/queue-4.19/wl3501_cs-remove-unnecessary-null-check.patch @@ -0,0 +1,41 @@ +From 21a78f971fc1457d7cca18d3b669df8c9ebe7e89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 18:45:58 +0100 +Subject: wl3501_cs: Remove unnecessary NULL check + +From: Alex Dewar + +[ Upstream commit 1d2a85382282e7c77cbde5650335c3ffc6073fa1 ] + +In wl3501_detach(), link->priv is checked for a NULL value before being +passed to free_netdev(). However, it cannot be NULL at this point as it +has already been passed to other functions, so just remove the check. + +Addresses-Coverity: CID 710499: Null pointer dereferences (REVERSE_INULL) +Signed-off-by: Alex Dewar +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200926174558.9436-1-alex.dewar90@gmail.com +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 78c89e6421f97..5b2383270627c 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1438,9 +1438,7 @@ static void wl3501_detach(struct pcmcia_device *link) + wl3501_release(link); + + unregister_netdev(dev); +- +- if (link->priv) +- free_netdev(link->priv); ++ free_netdev(dev); + } + + static int wl3501_get_name(struct net_device *dev, struct iw_request_info *info, +-- +2.39.2 + diff --git a/queue-4.19/wl3501_cs-use-eth_hw_addr_set.patch b/queue-4.19/wl3501_cs-use-eth_hw_addr_set.patch new file mode 100644 index 00000000000..9e978595232 --- /dev/null +++ b/queue-4.19/wl3501_cs-use-eth_hw_addr_set.patch @@ -0,0 +1,40 @@ +From 377134b648d92ee9684576ff1522558cbf0c7a5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:50:20 -0700 +Subject: wl3501_cs: use eth_hw_addr_set() + +From: Jakub Kicinski + +[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ] + +Commit 406f42fa0d3c ("net-next: When a bond have a massive amount +of VLANs...") introduced a rbtree for faster Ethernet address look +up. To maintain netdev->dev_addr in this tree we need to make all +the writes to it got through appropriate helpers. + +Signed-off-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index c6d1a320e244f..46188a83d8be8 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1946,8 +1946,7 @@ static int wl3501_config(struct pcmcia_device *link) + goto failed; + } + +- for (i = 0; i < 6; i++) +- dev->dev_addr[i] = ((char *)&this->mac_addr)[i]; ++ eth_hw_addr_set(dev, this->mac_addr); + + /* print probe information */ + printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, " +-- +2.39.2 + -- 2.47.3