diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-29 16:58:40 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-29 16:58:40 +0100 |
| commit | 233f8d7e1501a21686dbbed35dcfcdbc7074cee0 (patch) | |
| tree | 40198297294e64c7262cb177cd214d445d7f9336 | |
| parent | 21eb4072e67e107e56eaac35c686a0f91c077049 (diff) | |
| download | queue-3.18-233f8d7e1501a21686dbbed35dcfcdbc7074cee0.tar.gz | |
drop stuff already there and add 2 new ones
41 files changed, 91 insertions, 2223 deletions
diff --git a/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch b/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch deleted file mode 100644 index 7711a7e..0000000 --- a/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001 -From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com> -Date: Thu, 28 Nov 2019 15:58:29 +0530 -Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() - -From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com> - -commit 627ead724eff33673597216f5020b72118827de4 upstream. - -kmemleak reported backtrace: - [<bbee0454>] kmem_cache_alloc_trace+0x128/0x260 - [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0 - [<1180f4fc>] i2c_register_adapter+0x186/0x400 - [<6083baf7>] i2c_add_adapter+0x4e/0x70 - [<a3ddf966>] intel_gmbus_setup+0x1a2/0x2c0 [i915] - [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915] - [<81911d4b>] i915_pci_probe+0x48/0x160 [i915] - [<4b159af1>] pci_device_probe+0xdc/0x160 - [<b3c64704>] really_probe+0x1ee/0x450 - [<bc029f5a>] driver_probe_device+0x142/0x1b0 - [<d8829d20>] device_driver_attach+0x49/0x50 - [<de71f045>] __driver_attach+0xc9/0x150 - [<df33ac83>] bus_for_each_dev+0x56/0xa0 - [<80089bba>] driver_attach+0x19/0x20 - [<cc73f583>] bus_add_driver+0x177/0x220 - [<7b29d8c7>] driver_register+0x56/0xf0 - -In i2c_acpi_remove_space_handler(), a leak occurs whenever the -"data" parameter is initialized to 0 before being passed to -acpi_bus_get_private_data(). - -This is because the NULL pointer check in acpi_bus_get_private_data() -(condition->if(!*data)) returns EINVAL and, in consequence, memory is -never freed in i2c_acpi_remove_space_handler(). - -Fix the NULL pointer check in acpi_bus_get_private_data() to follow -the analogous check in acpi_get_data_full(). - -Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com> -[ rjw: Subject & changelog ] -Cc: All applicable <stable@vger.kernel.org> -Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/acpi/bus.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/acpi/bus.c -+++ b/drivers/acpi/bus.c -@@ -158,7 +158,7 @@ int acpi_bus_get_private_data(acpi_handl - { - acpi_status status; - -- if (!*data) -+ if (!data) - return -EINVAL; - - status = acpi_get_data(handle, acpi_bus_private_data_handler, data); diff --git a/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch deleted file mode 100644 index 7691036..0000000 --- a/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch +++ /dev/null @@ -1,53 +0,0 @@ -From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001 -From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> -Date: Wed, 4 Dec 2019 02:54:27 +0100 -Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices - -From: Rafael J. Wysocki <rafael.j.wysocki@intel.com> - -commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream. - -Certain ACPI-enumerated devices represented as platform devices in -Linux, like fans, require special low-level power management handling -implemented by their drivers that is not in agreement with the ACPI -PM domain behavior. That leads to problems with managing ACPI fans -during system-wide suspend and resume. - -For this reason, make acpi_dev_pm_attach() skip the affected devices -by adding a list of device IDs to avoid to it and putting the IDs of -the affected devices into that list. - -Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems) -Reported-by: Zhang Rui <rui.zhang@intel.com> -Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com> -Cc: 3.10+ <stable@vger.kernel.org> # 3.10+ -Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/acpi/device_pm.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - ---- a/drivers/acpi/device_pm.c -+++ b/drivers/acpi/device_pm.c -@@ -1102,9 +1102,19 @@ static void acpi_dev_pm_detach(struct de - */ - int acpi_dev_pm_attach(struct device *dev, bool power_on) - { -+ /* -+ * Skip devices whose ACPI companions match the device IDs below, -+ * because they require special power management handling incompatible -+ * with the generic ACPI PM domain. -+ */ -+ static const struct acpi_device_id special_pm_ids[] = { -+ {"PNP0C0B", }, /* Generic ACPI fan */ -+ {"INT3404", }, /* Fan */ -+ {} -+ }; - struct acpi_device *adev = ACPI_COMPANION(dev); - -- if (!adev) -+ if (!adev || !acpi_match_device_ids(adev, special_pm_ids)) - return -ENODEV; - - if (dev->pm_domain) diff --git a/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch b/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch deleted file mode 100644 index f6bdaca..0000000 --- a/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001 -From: Denis Efremov <efremov@linux.com> -Date: Mon, 30 Sep 2019 23:31:47 +0300 -Subject: ar5523: check NULL before memcpy() in ar5523_cmd() - -From: Denis Efremov <efremov@linux.com> - -commit 315cee426f87658a6799815845788fde965ddaad upstream. - -memcpy() call with "idata == NULL && ilen == 0" results in undefined -behavior in ar5523_cmd(). For example, NULL is passed in callchain -"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch -adds ilen check before memcpy() call in ar5523_cmd() to prevent an -undefined behavior. - -Cc: Pontus Fuchs <pontus.fuchs@gmail.com> -Cc: Kalle Valo <kvalo@codeaurora.org> -Cc: "David S. Miller" <davem@davemloft.net> -Cc: David Laight <David.Laight@ACULAB.COM> -Cc: stable@vger.kernel.org -Signed-off-by: Denis Efremov <efremov@linux.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/net/wireless/ath/ar5523/ar5523.c -+++ b/drivers/net/wireless/ath/ar5523/ar5523.c -@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, - - if (flags & AR5523_CMD_FLAG_MAGIC) - hdr->magic = cpu_to_be32(1 << 24); -- memcpy(hdr + 1, idata, ilen); -+ if (ilen) -+ memcpy(hdr + 1, idata, ilen); - - cmd->odata = odata; - cmd->olen = olen; diff --git a/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch b/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch deleted file mode 100644 index ba4d5a4..0000000 --- a/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch +++ /dev/null @@ -1,59 +0,0 @@ -From d60d0cff4ab01255b25375425745c3cff69558ad Mon Sep 17 00:00:00 2001 -From: Lihua Yao <ylhuajnu@outlook.com> -Date: Tue, 10 Sep 2019 13:22:28 +0000 -Subject: ARM: dts: s3c64xx: Fix init order of clock providers - -From: Lihua Yao <ylhuajnu@outlook.com> - -commit d60d0cff4ab01255b25375425745c3cff69558ad upstream. - -fin_pll is the parent of clock-controller@7e00f000, specify -the dependency to ensure proper initialization order of clock -providers. - -without this patch: -[ 0.000000] S3C6410 clocks: apll = 0, mpll = 0 -[ 0.000000] epll = 0, arm_clk = 0 - -with this patch: -[ 0.000000] S3C6410 clocks: apll = 532000000, mpll = 532000000 -[ 0.000000] epll = 24000000, arm_clk = 532000000 - -Cc: <stable@vger.kernel.org> -Fixes: 3f6d439f2022 ("clk: reverse default clk provider initialization order in of_clk_init()") -Signed-off-by: Lihua Yao <ylhuajnu@outlook.com> -Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com> -Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/arm/boot/dts/s3c6410-mini6410.dts | 4 ++++ - arch/arm/boot/dts/s3c6410-smdk6410.dts | 4 ++++ - 2 files changed, 8 insertions(+) - ---- a/arch/arm/boot/dts/s3c6410-mini6410.dts -+++ b/arch/arm/boot/dts/s3c6410-mini6410.dts -@@ -167,6 +167,10 @@ - }; - }; - -+&clocks { -+ clocks = <&fin_pll>; -+}; -+ - &sdhci0 { - pinctrl-names = "default"; - pinctrl-0 = <&sd0_clk>, <&sd0_cmd>, <&sd0_cd>, <&sd0_bus4>; ---- a/arch/arm/boot/dts/s3c6410-smdk6410.dts -+++ b/arch/arm/boot/dts/s3c6410-smdk6410.dts -@@ -71,6 +71,10 @@ - }; - }; - -+&clocks { -+ clocks = <&fin_pll>; -+}; -+ - &sdhci0 { - pinctrl-names = "default"; - pinctrl-0 = <&sd0_clk>, <&sd0_cmd>, <&sd0_cd>, <&sd0_bus4>; diff --git a/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch b/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch deleted file mode 100644 index 4c6443e..0000000 --- a/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch +++ /dev/null @@ -1,44 +0,0 @@ -From d70f7d31a9e2088e8a507194354d41ea10062994 Mon Sep 17 00:00:00 2001 -From: Dmitry Osipenko <digetx@gmail.com> -Date: Tue, 30 Jul 2019 20:23:39 +0300 -Subject: ARM: tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume() - -From: Dmitry Osipenko <digetx@gmail.com> - -commit d70f7d31a9e2088e8a507194354d41ea10062994 upstream. - -There is an unfortunate typo in the code that results in writing to -FLOW_CTLR_HALT instead of FLOW_CTLR_CSR. - -Cc: <stable@vger.kernel.org> -Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com> -Signed-off-by: Dmitry Osipenko <digetx@gmail.com> -Signed-off-by: Thierry Reding <treding@nvidia.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/arm/mach-tegra/reset-handler.S | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/arch/arm/mach-tegra/reset-handler.S -+++ b/arch/arm/mach-tegra/reset-handler.S -@@ -56,16 +56,16 @@ ENTRY(tegra_resume) - cmp r6, #TEGRA20 - beq 1f @ Yes - /* Clear the flow controller flags for this CPU. */ -- cpu_to_csr_reg r1, r0 -+ cpu_to_csr_reg r3, r0 - mov32 r2, TEGRA_FLOW_CTRL_BASE -- ldr r1, [r2, r1] -+ ldr r1, [r2, r3] - /* Clear event & intr flag */ - orr r1, r1, \ - #FLOW_CTRL_CSR_INTR_FLAG | FLOW_CTRL_CSR_EVENT_FLAG - movw r0, #0x3FFD @ enable, cluster_switch, immed, bitmaps - @ & ext flags for CPU power mgnt - bic r1, r1, r0 -- str r1, [r2] -+ str r1, [r2, r3] - 1: - - mov32 r9, 0xc09 diff --git a/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch b/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch deleted file mode 100644 index 67eb4a3..0000000 --- a/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001 -From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com> -Date: Tue, 12 Nov 2019 14:02:36 +0100 -Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report - -From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com> - -commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream. - -Check for existance of jack before tracing. -NULL pointer dereference has been reported by KASAN while unloading -machine driver (snd_soc_cnl_rt274). - -Signed-off-by: Pawel Harlozinski <pawel.harlozinski@linux.intel.com> -Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com -Signed-off-by: Mark Brown <broonie@kernel.org> -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - sound/soc/soc-jack.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/sound/soc/soc-jack.c -+++ b/sound/soc/soc-jack.c -@@ -69,10 +69,9 @@ void snd_soc_jack_report(struct snd_soc_ - unsigned int sync = 0; - int enable; - -- trace_snd_soc_jack_report(jack, mask, status); -- - if (!jack) - return; -+ trace_snd_soc_jack_report(jack, mask, status); - - codec = jack->codec; - dapm = &codec->dapm; diff --git a/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch b/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch deleted file mode 100644 index 315ea94..0000000 --- a/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 44805b0e62f15e90d233485420e1847133716bdc Mon Sep 17 00:00:00 2001 -From: Pavel Shilovsky <pshilov@microsoft.com> -Date: Tue, 12 Nov 2019 17:16:35 -0800 -Subject: CIFS: Respect O_SYNC and O_DIRECT flags during reconnect - -From: Pavel Shilovsky <pshilov@microsoft.com> - -commit 44805b0e62f15e90d233485420e1847133716bdc upstream. - -Currently the client translates O_SYNC and O_DIRECT flags -into corresponding SMB create options when openning a file. -The problem is that on reconnect when the file is being -re-opened the client doesn't set those flags and it causes -a server to reject re-open requests because create options -don't match. The latter means that any subsequent system -call against that open file fail until a share is re-mounted. - -Fix this by properly setting SMB create options when -re-openning files after reconnects. - -Fixes: 1013e760d10e6: ("SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags") -Cc: Stable <stable@vger.kernel.org> -Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com> -Signed-off-by: Steve French <stfrench@microsoft.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/cifs/file.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/fs/cifs/file.c -+++ b/fs/cifs/file.c -@@ -696,6 +696,13 @@ cifs_reopen_file(struct cifsFileInfo *cf - if (backup_cred(cifs_sb)) - create_options |= CREATE_OPEN_BACKUP_INTENT; - -+ /* O_SYNC also has bit for O_DSYNC so following check picks up either */ -+ if (cfile->f_flags & O_SYNC) -+ create_options |= CREATE_WRITE_THROUGH; -+ -+ if (cfile->f_flags & O_DIRECT) -+ create_options |= CREATE_NO_BUFFER; -+ - if (server->ops->get_lease_key) - server->ops->get_lease_key(inode, &cfile->fid); - diff --git a/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch b/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch deleted file mode 100644 index 3fc653f..0000000 --- a/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 Mon Sep 17 00:00:00 2001 -From: Zhenzhong Duan <zhenzhong.duan@oracle.com> -Date: Wed, 23 Oct 2019 09:57:14 +0800 -Subject: cpuidle: Do not unset the driver if it is there already - -From: Zhenzhong Duan <zhenzhong.duan@oracle.com> - -commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream. - -Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has -a driver different from drv already and, if so, return -EBUSY before -updating any cpuidle_drivers per-CPU pointers. - -Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support") -Cc: 3.11+ <stable@vger.kernel.org> # 3.11+ -Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com> -[ rjw: Subject & changelog ] -Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/cpuidle/driver.c | 15 +++++++-------- - 1 file changed, 7 insertions(+), 8 deletions(-) - ---- a/drivers/cpuidle/driver.c -+++ b/drivers/cpuidle/driver.c -@@ -60,24 +60,23 @@ static inline void __cpuidle_unset_drive - * __cpuidle_set_driver - set per CPU driver variables for the given driver. - * @drv: a valid pointer to a struct cpuidle_driver - * -- * For each CPU in the driver's cpumask, unset the registered driver per CPU -- * to @drv. -- * -- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already. -+ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver -+ * different from drv already. - */ - static inline int __cpuidle_set_driver(struct cpuidle_driver *drv) - { - int cpu; - - for_each_cpu(cpu, drv->cpumask) { -+ struct cpuidle_driver *old_drv; - -- if (__cpuidle_get_cpu_driver(cpu)) { -- __cpuidle_unset_driver(drv); -+ old_drv = __cpuidle_get_cpu_driver(cpu); -+ if (old_drv && old_drv != drv) - return -EBUSY; -- } -+ } - -+ for_each_cpu(cpu, drv->cpumask) - per_cpu(cpuidle_drivers, cpu) = drv; -- } - - return 0; - } diff --git a/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch b/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch deleted file mode 100644 index df4f5a0..0000000 --- a/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 008037d4d972c9c47b273e40e52ae34f9d9e33e7 Mon Sep 17 00:00:00 2001 -From: Alex Deucher <alexander.deucher@amd.com> -Date: Tue, 26 Nov 2019 09:41:46 -0500 -Subject: drm/radeon: fix r1xx/r2xx register checker for POT textures -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Alex Deucher <alexander.deucher@amd.com> - -commit 008037d4d972c9c47b273e40e52ae34f9d9e33e7 upstream. - -Shift and mask were reversed. Noticed by chance. - -Tested-by: Meelis Roos <mroos@linux.ee> -Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> -Signed-off-by: Alex Deucher <alexander.deucher@amd.com> -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/gpu/drm/radeon/r100.c | 4 ++-- - drivers/gpu/drm/radeon/r200.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - ---- a/drivers/gpu/drm/radeon/r100.c -+++ b/drivers/gpu/drm/radeon/r100.c -@@ -1826,8 +1826,8 @@ static int r100_packet0_check(struct rad - track->textures[i].use_pitch = 1; - } else { - track->textures[i].use_pitch = 0; -- track->textures[i].width = 1 << ((idx_value >> RADEON_TXFORMAT_WIDTH_SHIFT) & RADEON_TXFORMAT_WIDTH_MASK); -- track->textures[i].height = 1 << ((idx_value >> RADEON_TXFORMAT_HEIGHT_SHIFT) & RADEON_TXFORMAT_HEIGHT_MASK); -+ track->textures[i].width = 1 << ((idx_value & RADEON_TXFORMAT_WIDTH_MASK) >> RADEON_TXFORMAT_WIDTH_SHIFT); -+ track->textures[i].height = 1 << ((idx_value & RADEON_TXFORMAT_HEIGHT_MASK) >> RADEON_TXFORMAT_HEIGHT_SHIFT); - } - if (idx_value & RADEON_TXFORMAT_CUBIC_MAP_ENABLE) - track->textures[i].tex_coord_type = 2; ---- a/drivers/gpu/drm/radeon/r200.c -+++ b/drivers/gpu/drm/radeon/r200.c -@@ -476,8 +476,8 @@ int r200_packet0_check(struct radeon_cs_ - track->textures[i].use_pitch = 1; - } else { - track->textures[i].use_pitch = 0; -- track->textures[i].width = 1 << ((idx_value >> RADEON_TXFORMAT_WIDTH_SHIFT) & RADEON_TXFORMAT_WIDTH_MASK); -- track->textures[i].height = 1 << ((idx_value >> RADEON_TXFORMAT_HEIGHT_SHIFT) & RADEON_TXFORMAT_HEIGHT_MASK); -+ track->textures[i].width = 1 << ((idx_value & RADEON_TXFORMAT_WIDTH_MASK) >> RADEON_TXFORMAT_WIDTH_SHIFT); -+ track->textures[i].height = 1 << ((idx_value & RADEON_TXFORMAT_HEIGHT_MASK) >> RADEON_TXFORMAT_HEIGHT_SHIFT); - } - if (idx_value & R200_TXFORMAT_LOOKUP_DISABLE) - track->textures[i].lookup_disable = true; diff --git a/ext4-check-for-directory-entries-too-close-to-block-end.patch b/ext4-check-for-directory-entries-too-close-to-block-end.patch new file mode 100644 index 0000000..9cd4fd4 --- /dev/null +++ b/ext4-check-for-directory-entries-too-close-to-block-end.patch @@ -0,0 +1,39 @@ +From 109ba779d6cca2d519c5dd624a3276d03e21948e Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Mon, 2 Dec 2019 18:02:13 +0100 +Subject: ext4: check for directory entries too close to block end + +From: Jan Kara <jack@suse.cz> + +commit 109ba779d6cca2d519c5dd624a3276d03e21948e upstream. + +ext4_check_dir_entry() currently does not catch a case when a directory +entry ends so close to the block end that the header of the next +directory entry would not fit in the remaining space. This can lead to +directory iteration code trying to access address beyond end of current +buffer head leading to oops. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + fs/ext4/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -78,6 +78,11 @@ int __ext4_check_dir_entry(const char *f + error_msg = "rec_len is too small for name_len"; + else if (unlikely(((char *) de - buf) + rlen > size)) + error_msg = "directory entry overrun"; ++ else if (unlikely(((char *) de - buf) + rlen > ++ size - EXT4_DIR_REC_LEN(1) && ++ ((char *) de - buf) + rlen != size)) { ++ error_msg = "directory entry too close to block end"; ++ } + else if (unlikely(le32_to_cpu(de->inode) > + le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count))) + error_msg = "inode out of bounds"; diff --git a/inet-protect-against-too-small-mtu-values.patch b/inet-protect-against-too-small-mtu-values.patch deleted file mode 100644 index d172ec6..0000000 --- a/inet-protect-against-too-small-mtu-values.patch +++ /dev/null @@ -1,176 +0,0 @@ -From foo@baz Tue 17 Dec 2019 09:44:32 PM CET -From: Eric Dumazet <edumazet@google.com> -Date: Thu, 5 Dec 2019 20:43:46 -0800 -Subject: inet: protect against too small mtu values. - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit 501a90c945103e8627406763dac418f20f3837b2 ] - -syzbot was once again able to crash a host by setting a very small mtu -on loopback device. - -Let's make inetdev_valid_mtu() available in include/net/ip.h, -and use it in ip_setup_cork(), so that we protect both ip_append_page() -and __ip_append_data() - -Also add a READ_ONCE() when the device mtu is read. - -Pairs this lockless read with one WRITE_ONCE() in __dev_set_mtu(), -even if other code paths might write over this field. - -Add a big comment in include/linux/netdevice.h about dev->mtu -needing READ_ONCE()/WRITE_ONCE() annotations. - -Hopefully we will add the missing ones in followup patches. - -[1] - -refcount_t: saturated; leaking memory. -WARNING: CPU: 0 PID: 9464 at lib/refcount.c:22 refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22 -Kernel panic - not syncing: panic_on_warn set ... -CPU: 0 PID: 9464 Comm: syz-executor850 Not tainted 5.4.0-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x197/0x210 lib/dump_stack.c:118 - panic+0x2e3/0x75c kernel/panic.c:221 - __warn.cold+0x2f/0x3e kernel/panic.c:582 - report_bug+0x289/0x300 lib/bug.c:195 - fixup_bug arch/x86/kernel/traps.c:174 [inline] - fixup_bug arch/x86/kernel/traps.c:169 [inline] - do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267 - do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286 - invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 -RIP: 0010:refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22 -Code: 06 31 ff 89 de e8 c8 f5 e6 fd 84 db 0f 85 6f ff ff ff e8 7b f4 e6 fd 48 c7 c7 e0 71 4f 88 c6 05 56 a6 a4 06 01 e8 c7 a8 b7 fd <0f> 0b e9 50 ff ff ff e8 5c f4 e6 fd 0f b6 1d 3d a6 a4 06 31 ff 89 -RSP: 0018:ffff88809689f550 EFLAGS: 00010286 -RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 -RDX: 0000000000000000 RSI: ffffffff815e4336 RDI: ffffed1012d13e9c -RBP: ffff88809689f560 R08: ffff88809c50a3c0 R09: fffffbfff15d31b1 -R10: fffffbfff15d31b0 R11: ffffffff8ae98d87 R12: 0000000000000001 -R13: 0000000000040100 R14: ffff888099041104 R15: ffff888218d96e40 - refcount_add include/linux/refcount.h:193 [inline] - skb_set_owner_w+0x2b6/0x410 net/core/sock.c:1999 - sock_wmalloc+0xf1/0x120 net/core/sock.c:2096 - ip_append_page+0x7ef/0x1190 net/ipv4/ip_output.c:1383 - udp_sendpage+0x1c7/0x480 net/ipv4/udp.c:1276 - inet_sendpage+0xdb/0x150 net/ipv4/af_inet.c:821 - kernel_sendpage+0x92/0xf0 net/socket.c:3794 - sock_sendpage+0x8b/0xc0 net/socket.c:936 - pipe_to_sendpage+0x2da/0x3c0 fs/splice.c:458 - splice_from_pipe_feed fs/splice.c:512 [inline] - __splice_from_pipe+0x3ee/0x7c0 fs/splice.c:636 - splice_from_pipe+0x108/0x170 fs/splice.c:671 - generic_splice_sendpage+0x3c/0x50 fs/splice.c:842 - do_splice_from fs/splice.c:861 [inline] - direct_splice_actor+0x123/0x190 fs/splice.c:1035 - splice_direct_to_actor+0x3b4/0xa30 fs/splice.c:990 - do_splice_direct+0x1da/0x2a0 fs/splice.c:1078 - do_sendfile+0x597/0xd00 fs/read_write.c:1464 - __do_sys_sendfile64 fs/read_write.c:1525 [inline] - __se_sys_sendfile64 fs/read_write.c:1511 [inline] - __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x441409 -Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 -RSP: 002b:00007fffb64c4f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 -RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441409 -RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005 -RBP: 0000000000073b8a R08: 0000000000000010 R09: 0000000000000010 -R10: 0000000000010001 R11: 0000000000000246 R12: 0000000000402180 -R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000 -Kernel Offset: disabled -Rebooting in 86400 seconds.. - -Fixes: 1470ddf7f8ce ("inet: Remove explicit write references to sk/inet in ip_append_data") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - include/linux/netdevice.h | 5 +++++ - include/net/ip.h | 5 +++++ - net/core/dev.c | 3 ++- - net/ipv4/devinet.c | 5 ----- - net/ipv4/ip_output.c | 14 +++++++++----- - 5 files changed, 21 insertions(+), 11 deletions(-) - ---- a/include/linux/netdevice.h -+++ b/include/linux/netdevice.h -@@ -1537,6 +1537,11 @@ struct net_device { - unsigned char if_port; - unsigned char dma; - -+ /* Note : dev->mtu is often read without holding a lock. -+ * Writers usually hold RTNL. -+ * It is recommended to use READ_ONCE() to annotate the reads, -+ * and to use WRITE_ONCE() to annotate the writes. -+ */ - unsigned int mtu; - unsigned short type; - unsigned short hard_header_len; ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -558,4 +558,9 @@ extern int sysctl_icmp_msgs_burst; - int ip_misc_proc_init(void); - #endif - -+static inline bool inetdev_valid_mtu(unsigned int mtu) -+{ -+ return likely(mtu >= IPV4_MIN_MTU); -+} -+ - #endif /* _IP_H */ ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -5723,7 +5723,8 @@ static int __dev_set_mtu(struct net_devi - if (ops->ndo_change_mtu) - return ops->ndo_change_mtu(dev, new_mtu); - -- dev->mtu = new_mtu; -+ /* Pairs with all the lockless reads of dev->mtu in the stack */ -+ WRITE_ONCE(dev->mtu, new_mtu); - return 0; - } - ---- a/net/ipv4/devinet.c -+++ b/net/ipv4/devinet.c -@@ -1326,11 +1326,6 @@ skip: - } - } - --static bool inetdev_valid_mtu(unsigned int mtu) --{ -- return mtu >= IPV4_MIN_MTU; --} -- - static void inetdev_send_gratuitous_arp(struct net_device *dev, - struct in_device *in_dev) - ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -1112,13 +1112,17 @@ static int ip_setup_cork(struct sock *sk - rt = *rtp; - if (unlikely(!rt)) - return -EFAULT; -- /* -- * We steal reference to this route, caller should not release it -- */ -- *rtp = NULL; -+ - cork->fragsize = ip_sk_use_pmtu(sk) ? -- dst_mtu(&rt->dst) : rt->dst.dev->mtu; -+ dst_mtu(&rt->dst) : READ_ONCE(rt->dst.dev->mtu); -+ -+ if (!inetdev_valid_mtu(cork->fragsize)) -+ return -ENETUNREACH; -+ - cork->dst = &rt->dst; -+ /* We stole this route, caller should not release it. */ -+ *rtp = NULL; -+ - cork->length = 0; - cork->ttl = ipc->ttl; - cork->tos = ipc->tos; diff --git a/lib-raid6-fix-awk-build-warnings.patch b/lib-raid6-fix-awk-build-warnings.patch deleted file mode 100644 index 009d71d..0000000 --- a/lib-raid6-fix-awk-build-warnings.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 702600eef73033ddd4eafcefcbb6560f3e3a90f7 Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -Date: Fri, 6 Dec 2019 16:26:00 +0100 -Subject: lib: raid6: fix awk build warnings - -From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - -commit 702600eef73033ddd4eafcefcbb6560f3e3a90f7 upstream. - -Newer versions of awk spit out these fun warnings: - awk: ../lib/raid6/unroll.awk:16: warning: regexp escape sequence `\#' is not a known regexp operator - -As commit 700c1018b86d ("x86/insn: Fix awk regexp warnings") showed, it -turns out that there are a number of awk strings that do not need to be -escaped and newer versions of awk now warn about this. - -Fix the string up so that no warning is produced. The exact same kernel -module gets created before and after this patch, showing that it wasn't -needed. - -Link: https://lore.kernel.org/r/20191206152600.GA75093@kroah.com -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - lib/raid6/unroll.awk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/lib/raid6/unroll.awk -+++ b/lib/raid6/unroll.awk -@@ -13,7 +13,7 @@ BEGIN { - for (i = 0; i < rep; ++i) { - tmp = $0 - gsub(/\$\$/, i, tmp) -- gsub(/\$\#/, n, tmp) -+ gsub(/\$#/, n, tmp) - gsub(/\$\*/, "$", tmp) - print tmp - } diff --git a/media-radio-wl1273-fix-interrupt-masking-on-release.patch b/media-radio-wl1273-fix-interrupt-masking-on-release.patch deleted file mode 100644 index 75ef2f1..0000000 --- a/media-radio-wl1273-fix-interrupt-masking-on-release.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 1091eb830627625dcf79958d99353c2391f41708 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Thu, 10 Oct 2019 10:13:32 -0300 -Subject: media: radio: wl1273: fix interrupt masking on release - -From: Johan Hovold <johan@kernel.org> - -commit 1091eb830627625dcf79958d99353c2391f41708 upstream. - -If a process is interrupted while accessing the radio device and the -core lock is contended, release() could return early and fail to update -the interrupt mask. - -Note that the return value of the v4l2 release file operation is -ignored. - -Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver") -Cc: stable <stable@vger.kernel.org> # 2.6.38 -Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com> -Signed-off-by: Johan Hovold <johan@kernel.org> -Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> -Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/media/radio/radio-wl1273.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/drivers/media/radio/radio-wl1273.c -+++ b/drivers/media/radio/radio-wl1273.c -@@ -1142,8 +1142,7 @@ static int wl1273_fm_fops_release(struct - if (radio->rds_users > 0) { - radio->rds_users--; - if (radio->rds_users == 0) { -- if (mutex_lock_interruptible(&core->lock)) -- return -EINTR; -+ mutex_lock(&core->lock); - - radio->irq_flags &= ~WL1273_RDS_EVENT; - diff --git a/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch b/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch deleted file mode 100644 index 3f67e3d..0000000 --- a/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch +++ /dev/null @@ -1,73 +0,0 @@ -From aa71ecd8d86500da6081a72da6b0b524007e0627 Mon Sep 17 00:00:00 2001 -From: Chen Jun <chenjun102@huawei.com> -Date: Sat, 30 Nov 2019 17:58:11 -0800 -Subject: mm/shmem.c: cast the type of unmap_start to u64 - -From: Chen Jun <chenjun102@huawei.com> - -commit aa71ecd8d86500da6081a72da6b0b524007e0627 upstream. - -In 64bit system. sb->s_maxbytes of shmem filesystem is MAX_LFS_FILESIZE, -which equal LLONG_MAX. - -If offset > LLONG_MAX - PAGE_SIZE, offset + len < LLONG_MAX in -shmem_fallocate, which will pass the checking in vfs_fallocate. - - /* Check for wrap through zero too */ - if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0)) - return -EFBIG; - -loff_t unmap_start = round_up(offset, PAGE_SIZE) in shmem_fallocate -causes a overflow. - -Syzkaller reports a overflow problem in mm/shmem: - - UBSAN: Undefined behaviour in mm/shmem.c:2014:10 - signed integer overflow: '9223372036854775807 + 1' cannot be represented in type 'long long int' - CPU: 0 PID:17076 Comm: syz-executor0 Not tainted 4.1.46+ #1 - Hardware name: linux, dummy-virt (DT) - Call trace: - dump_backtrace+0x0/0x2c8 arch/arm64/kernel/traps.c:100 - show_stack+0x20/0x30 arch/arm64/kernel/traps.c:238 - __dump_stack lib/dump_stack.c:15 [inline] - ubsan_epilogue+0x18/0x70 lib/ubsan.c:164 - handle_overflow+0x158/0x1b0 lib/ubsan.c:195 - shmem_fallocate+0x6d0/0x820 mm/shmem.c:2104 - vfs_fallocate+0x238/0x428 fs/open.c:312 - SYSC_fallocate fs/open.c:335 [inline] - SyS_fallocate+0x54/0xc8 fs/open.c:239 - -The highest bit of unmap_start will be appended with sign bit 1 -(overflow) when calculate shmem_falloc.start: - - shmem_falloc.start = unmap_start >> PAGE_SHIFT. - -Fix it by casting the type of unmap_start to u64, when right shifted. - -This bug is found in LTS Linux 4.1. It also seems to exist in mainline. - -Link: http://lkml.kernel.org/r/1573867464-5107-1-git-send-email-chenjun102@huawei.com -Signed-off-by: Chen Jun <chenjun102@huawei.com> -Reviewed-by: Andrew Morton <akpm@linux-foundation.org> -Cc: Hugh Dickins <hughd@google.com> -Cc: Qian Cai <cai@lca.pw> -Cc: Kefeng Wang <wangkefeng.wang@huawei.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - mm/shmem.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -2079,7 +2079,7 @@ static long shmem_fallocate(struct file - } - - shmem_falloc.waitq = &shmem_falloc_waitq; -- shmem_falloc.start = unmap_start >> PAGE_SHIFT; -+ shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT; - shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; - spin_lock(&inode->i_lock); - inode->i_private = &shmem_falloc; diff --git a/mtd-spear_smi-fix-write-burst-mode.patch b/mtd-spear_smi-fix-write-burst-mode.patch deleted file mode 100644 index 12e89ae..0000000 --- a/mtd-spear_smi-fix-write-burst-mode.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 69c7f4618c16b4678f8a4949b6bb5ace259c0033 Mon Sep 17 00:00:00 2001 -From: Miquel Raynal <miquel.raynal@bootlin.com> -Date: Tue, 22 Oct 2019 16:58:59 +0200 -Subject: mtd: spear_smi: Fix Write Burst mode - -From: Miquel Raynal <miquel.raynal@bootlin.com> - -commit 69c7f4618c16b4678f8a4949b6bb5ace259c0033 upstream. - -Any write with either dd or flashcp to a device driven by the -spear_smi.c driver will pass through the spear_smi_cpy_toio() -function. This function will get called for chunks of up to 256 bytes. -If the amount of data is smaller, we may have a problem if the data -length is not 4-byte aligned. In this situation, the kernel panics -during the memcpy: - - # dd if=/dev/urandom bs=1001 count=1 of=/dev/mtd6 - spear_smi_cpy_toio [620] dest c9070000, src c7be8800, len 256 - spear_smi_cpy_toio [620] dest c9070100, src c7be8900, len 256 - spear_smi_cpy_toio [620] dest c9070200, src c7be8a00, len 256 - spear_smi_cpy_toio [620] dest c9070300, src c7be8b00, len 233 - Unhandled fault: external abort on non-linefetch (0x808) at 0xc90703e8 - [...] - PC is at memcpy+0xcc/0x330 - -The above error occurs because the implementation of memcpy_toio() -tries to optimize the number of I/O by writing 4 bytes at a time as -much as possible, until there are less than 4 bytes left and then -switches to word or byte writes. - -Unfortunately, the specification states about the Write Burst mode: - - "the next AHB Write request should point to the next - incremented address and should have the same size (byte, - half-word or word)" - -This means ARM architecture implementation of memcpy_toio() cannot -reliably be used blindly here. Workaround this situation by update the -write path to stick to byte access when the burst length is not -multiple of 4. - -Fixes: f18dbbb1bfe0 ("mtd: ST SPEAr: Add SMI driver for serial NOR flash") -Cc: Russell King <linux@armlinux.org.uk> -Cc: Boris Brezillon <boris.brezillon@collabora.com> -Cc: stable@vger.kernel.org -Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> -Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/mtd/devices/spear_smi.c | 38 +++++++++++++++++++++++++++++++++++++- - 1 file changed, 37 insertions(+), 1 deletion(-) - ---- a/drivers/mtd/devices/spear_smi.c -+++ b/drivers/mtd/devices/spear_smi.c -@@ -595,6 +595,26 @@ static int spear_mtd_read(struct mtd_inf - return 0; - } - -+/* -+ * The purpose of this function is to ensure a memcpy_toio() with byte writes -+ * only. Its structure is inspired from the ARM implementation of _memcpy_toio() -+ * which also does single byte writes but cannot be used here as this is just an -+ * implementation detail and not part of the API. Not mentioning the comment -+ * stating that _memcpy_toio() should be optimized. -+ */ -+static void spear_smi_memcpy_toio_b(volatile void __iomem *dest, -+ const void *src, size_t len) -+{ -+ const unsigned char *from = src; -+ -+ while (len) { -+ len--; -+ writeb(*from, dest); -+ from++; -+ dest++; -+ } -+} -+ - static inline int spear_smi_cpy_toio(struct spear_smi *dev, u32 bank, - void __iomem *dest, const void *src, size_t len) - { -@@ -617,7 +637,23 @@ static inline int spear_smi_cpy_toio(str - ctrlreg1 = readl(dev->io_base + SMI_CR1); - writel((ctrlreg1 | WB_MODE) & ~SW_MODE, dev->io_base + SMI_CR1); - -- memcpy_toio(dest, src, len); -+ /* -+ * In Write Burst mode (WB_MODE), the specs states that writes must be: -+ * - incremental -+ * - of the same size -+ * The ARM implementation of memcpy_toio() will optimize the number of -+ * I/O by using as much 4-byte writes as possible, surrounded by -+ * 2-byte/1-byte access if: -+ * - the destination is not 4-byte aligned -+ * - the length is not a multiple of 4-byte. -+ * Avoid this alternance of write access size by using our own 'byte -+ * access' helper if at least one of the two conditions above is true. -+ */ -+ if (IS_ALIGNED(len, sizeof(u32)) && -+ IS_ALIGNED((uintptr_t)dest, sizeof(u32))) -+ memcpy_toio(dest, src, len); -+ else -+ spear_smi_memcpy_toio_b(dest, src, len); - - writel(ctrlreg1, dev->io_base + SMI_CR1); - diff --git a/net-bridge-deny-dev_set_mac_address-when-unregistering.patch b/net-bridge-deny-dev_set_mac_address-when-unregistering.patch deleted file mode 100644 index eab9f69..0000000 --- a/net-bridge-deny-dev_set_mac_address-when-unregistering.patch +++ /dev/null @@ -1,76 +0,0 @@ -From foo@baz Wed 18 Dec 2019 01:37:17 PM CET -From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Date: Tue, 3 Dec 2019 16:48:06 +0200 -Subject: net: bridge: deny dev_set_mac_address() when unregistering - -From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> - -[ Upstream commit c4b4c421857dc7b1cf0dccbd738472360ff2cd70 ] - -We have an interesting memory leak in the bridge when it is being -unregistered and is a slave to a master device which would change the -mac of its slaves on unregister (e.g. bond, team). This is a very -unusual setup but we do end up leaking 1 fdb entry because -dev_set_mac_address() would cause the bridge to insert the new mac address -into its table after all fdbs are flushed, i.e. after dellink() on the -bridge has finished and we call NETDEV_UNREGISTER the bond/team would -release it and will call dev_set_mac_address() to restore its original -address and that in turn will add an fdb in the bridge. -One fix is to check for the bridge dev's reg_state in its -ndo_set_mac_address callback and return an error if the bridge is not in -NETREG_REGISTERED. - -Easy steps to reproduce: - 1. add bond in mode != A/B - 2. add any slave to the bond - 3. add bridge dev as a slave to the bond - 4. destroy the bridge device - -Trace: - unreferenced object 0xffff888035c4d080 (size 128): - comm "ip", pid 4068, jiffies 4296209429 (age 1413.753s) - hex dump (first 32 bytes): - 41 1d c9 36 80 88 ff ff 00 00 00 00 00 00 00 00 A..6............ - d2 19 c9 5e 3f d7 00 00 00 00 00 00 00 00 00 00 ...^?........... - backtrace: - [<00000000ddb525dc>] kmem_cache_alloc+0x155/0x26f - [<00000000633ff1e0>] fdb_create+0x21/0x486 [bridge] - [<0000000092b17e9c>] fdb_insert+0x91/0xdc [bridge] - [<00000000f2a0f0ff>] br_fdb_change_mac_address+0xb3/0x175 [bridge] - [<000000001de02dbd>] br_stp_change_bridge_id+0xf/0xff [bridge] - [<00000000ac0e32b1>] br_set_mac_address+0x76/0x99 [bridge] - [<000000006846a77f>] dev_set_mac_address+0x63/0x9b - [<00000000d30738fc>] __bond_release_one+0x3f6/0x455 [bonding] - [<00000000fc7ec01d>] bond_netdev_event+0x2f2/0x400 [bonding] - [<00000000305d7795>] notifier_call_chain+0x38/0x56 - [<0000000028885d4a>] call_netdevice_notifiers+0x1e/0x23 - [<000000008279477b>] rollback_registered_many+0x353/0x6a4 - [<0000000018ef753a>] unregister_netdevice_many+0x17/0x6f - [<00000000ba854b7a>] rtnl_delete_link+0x3c/0x43 - [<00000000adf8618d>] rtnl_dellink+0x1dc/0x20a - [<000000009b6395fd>] rtnetlink_rcv_msg+0x23d/0x268 - -Fixes: 43598813386f ("bridge: add local MAC address to forwarding table (v2)") -Reported-by: syzbot+2add91c08eb181fea1bf@syzkaller.appspotmail.com -Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/bridge/br_device.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/net/bridge/br_device.c -+++ b/net/bridge/br_device.c -@@ -198,6 +198,12 @@ static int br_set_mac_address(struct net - if (!is_valid_ether_addr(addr->sa_data)) - return -EADDRNOTAVAIL; - -+ /* dev_set_mac_addr() can be called by a master device on bridge's -+ * NETDEV_UNREGISTER, but since it's being destroyed do nothing -+ */ -+ if (dev->reg_state != NETREG_REGISTERED) -+ return -EBUSY; -+ - spin_lock_bh(&br->lock); - if (!ether_addr_equal(dev->dev_addr, addr->sa_data)) { - /* Mac address will be changed in br_stp_change_bridge_id(). */ diff --git a/pci-fix-intel-acs-quirk-updcr-register-address.patch b/pci-fix-intel-acs-quirk-updcr-register-address.patch deleted file mode 100644 index 8d1866f..0000000 --- a/pci-fix-intel-acs-quirk-updcr-register-address.patch +++ /dev/null @@ -1,46 +0,0 @@ -From d8558ac8c93d429d65d7490b512a3a67e559d0d4 Mon Sep 17 00:00:00 2001 -From: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com> -Date: Wed, 18 Sep 2019 15:16:52 +0200 -Subject: PCI: Fix Intel ACS quirk UPDCR register address - -From: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com> - -commit d8558ac8c93d429d65d7490b512a3a67e559d0d4 upstream. - -According to documentation [0] the correct offset for the Upstream Peer -Decode Configuration Register (UPDCR) is 0x1014. It was previously defined -as 0x1114. - -d99321b63b1f ("PCI: Enable quirks for PCIe ACS on Intel PCH root ports") -intended to enforce isolation between PCI devices allowing them to be put -into separate IOMMU groups. Due to the wrong register offset the intended -isolation was not fully enforced. This is fixed with this patch. - -Please note that I did not test this patch because I have no hardware that -implements this register. - -[0] https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/4th-gen-core-family-mobile-i-o-datasheet.pdf (page 325) -Fixes: d99321b63b1f ("PCI: Enable quirks for PCIe ACS on Intel PCH root ports") -Link: https://lore.kernel.org/r/7a3505df-79ba-8a28-464c-88b83eefffa6@kernkonzept.com -Signed-off-by: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com> -Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> -Reviewed-by: Andrew Murray <andrew.murray@arm.com> -Acked-by: Ashok Raj <ashok.raj@intel.com> -Cc: stable@vger.kernel.org # v3.15+ -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/pci/quirks.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -3819,7 +3819,7 @@ int pci_dev_specific_acs_enabled(struct - #define INTEL_BSPR_REG_BPPD (1 << 9) - - /* Upstream Peer Decode Configuration Register */ --#define INTEL_UPDCR_REG 0x1114 -+#define INTEL_UPDCR_REG 0x1014 - /* 5:0 Peer Decode Enable bits */ - #define INTEL_UPDCR_REG_MASK 0x3f - diff --git a/pci-msi-fix-incorrect-msi-x-masking-on-resume.patch b/pci-msi-fix-incorrect-msi-x-masking-on-resume.patch deleted file mode 100644 index aa12d72..0000000 --- a/pci-msi-fix-incorrect-msi-x-masking-on-resume.patch +++ /dev/null @@ -1,63 +0,0 @@ -From e045fa29e89383c717e308609edd19d2fd29e1be Mon Sep 17 00:00:00 2001 -From: Jian-Hong Pan <jian-hong@endlessm.com> -Date: Tue, 8 Oct 2019 11:42:39 +0800 -Subject: PCI/MSI: Fix incorrect MSI-X masking on resume - -From: Jian-Hong Pan <jian-hong@endlessm.com> - -commit e045fa29e89383c717e308609edd19d2fd29e1be upstream. - -When a driver enables MSI-X, msix_program_entries() reads the MSI-X Vector -Control register for each vector and saves it in desc->masked. Each -register is 32 bits and bit 0 is the actual Mask bit. - -When we restored these registers during resume, we previously set the Mask -bit if *any* bit in desc->masked was set instead of when the Mask bit -itself was set: - - pci_restore_state - pci_restore_msi_state - __pci_restore_msix_state - for_each_pci_msi_entry - msix_mask_irq(entry, entry->masked) <-- entire u32 word - __pci_msix_desc_mask_irq(desc, flag) - mask_bits = desc->masked & ~PCI_MSIX_ENTRY_CTRL_MASKBIT - if (flag) <-- testing entire u32, not just bit 0 - mask_bits |= PCI_MSIX_ENTRY_CTRL_MASKBIT - writel(mask_bits, desc_addr + PCI_MSIX_ENTRY_VECTOR_CTRL) - -This means that after resume, MSI-X vectors were masked when they shouldn't -be, which leads to timeouts like this: - - nvme nvme0: I/O 978 QID 3 timeout, completion polled - -On resume, set the Mask bit only when the saved Mask bit from suspend was -set. - -This should remove the need for 19ea025e1d28 ("nvme: Add quirk for Kingston -NVME SSD running FW E8FK11.T"). - -[bhelgaas: commit log, move fix to __pci_msix_desc_mask_irq()] -Link: https://bugzilla.kernel.org/show_bug.cgi?id=204887 -Link: https://lore.kernel.org/r/20191008034238.2503-1-jian-hong@endlessm.com -Fixes: f2440d9acbe8 ("PCI MSI: Refactor interrupt masking code") -Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com> -Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/pci/msi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/pci/msi.c -+++ b/drivers/pci/msi.c -@@ -200,7 +200,7 @@ u32 default_msix_mask_irq(struct msi_des - unsigned offset = desc->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE + - PCI_MSIX_ENTRY_VECTOR_CTRL; - mask_bits &= ~PCI_MSIX_ENTRY_CTRL_MASKBIT; -- if (flag) -+ if (flag & PCI_MSIX_ENTRY_CTRL_MASKBIT) - mask_bits |= PCI_MSIX_ENTRY_CTRL_MASKBIT; - writel(mask_bits, desc->mask_base + offset); - diff --git a/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch b/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch deleted file mode 100644 index 1f54095..0000000 --- a/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch +++ /dev/null @@ -1,58 +0,0 @@ -From a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 Mon Sep 17 00:00:00 2001 -From: Krzysztof Kozlowski <krzk@kernel.org> -Date: Mon, 5 Aug 2019 18:27:10 +0200 -Subject: pinctrl: samsung: Fix device node refcount leaks in init code - -From: Krzysztof Kozlowski <krzk@kernel.org> - -commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream. - -Several functions use for_each_child_of_node() loop with a break to find -a matching child node. Although each iteration of -for_each_child_of_node puts the previous node, but early exit from loop -misses it. This leads to leak of device node. - -Cc: <stable@vger.kernel.org> -Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes") -Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/pinctrl/samsung/pinctrl-samsung.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/drivers/pinctrl/samsung/pinctrl-samsung.c -+++ b/drivers/pinctrl/samsung/pinctrl-samsung.c -@@ -291,6 +291,7 @@ static int samsung_dt_node_to_map(struct - &reserved_maps, num_maps); - if (ret < 0) { - samsung_dt_free_map(pctldev, *map, *num_maps); -+ of_node_put(np); - return ret; - } - } -@@ -758,8 +759,10 @@ static struct samsung_pmx_func *samsung_ - if (!of_get_child_count(cfg_np)) { - ret = samsung_pinctrl_create_function(dev, drvdata, - cfg_np, func); -- if (ret < 0) -+ if (ret < 0) { -+ of_node_put(cfg_np); - return ERR_PTR(ret); -+ } - if (ret > 0) { - ++func; - ++func_cnt; -@@ -770,8 +773,11 @@ static struct samsung_pmx_func *samsung_ - for_each_child_of_node(cfg_np, func_np) { - ret = samsung_pinctrl_create_function(dev, drvdata, - func_np, func); -- if (ret < 0) -+ if (ret < 0) { -+ of_node_put(func_np); -+ of_node_put(cfg_np); - return ERR_PTR(ret); -+ } - if (ret > 0) { - ++func; - ++func_cnt; diff --git a/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch b/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch deleted file mode 100644 index c19e240..0000000 --- a/powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch +++ /dev/null @@ -1,46 +0,0 @@ -From f9ec11165301982585e5e5f606739b5bae5331f3 Mon Sep 17 00:00:00 2001 -From: Alastair D'Silva <alastair@d-silva.org> -Date: Mon, 4 Nov 2019 13:32:54 +1100 -Subject: powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB - -From: Alastair D'Silva <alastair@d-silva.org> - -commit f9ec11165301982585e5e5f606739b5bae5331f3 upstream. - -When calling __kernel_sync_dicache with a size >4GB, we were masking -off the upper 32 bits, so we would incorrectly flush a range smaller -than intended. - -This patch replaces the 32 bit shifts with 64 bit ones, so that -the full size is accounted for. - -Signed-off-by: Alastair D'Silva <alastair@d-silva.org> -Cc: stable@vger.kernel.org -Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> -Link: https://lore.kernel.org/r/20191104023305.9581-3-alastair@au1.ibm.com -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/powerpc/kernel/vdso64/cacheflush.S | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/powerpc/kernel/vdso64/cacheflush.S -+++ b/arch/powerpc/kernel/vdso64/cacheflush.S -@@ -39,7 +39,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache) - subf r8,r6,r4 /* compute length */ - add r8,r8,r5 /* ensure we get enough */ - lwz r9,CFG_DCACHE_LOGBLOCKSZ(r10) -- srw. r8,r8,r9 /* compute line count */ -+ srd. r8,r8,r9 /* compute line count */ - crclr cr0*4+so - beqlr /* nothing to do? */ - mtctr r8 -@@ -56,7 +56,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache) - subf r8,r6,r4 /* compute length */ - add r8,r8,r5 - lwz r9,CFG_ICACHE_LOGBLOCKSZ(r10) -- srw. r8,r8,r9 /* compute line count */ -+ srd. r8,r8,r9 /* compute line count */ - crclr cr0*4+so - beqlr /* nothing to do? */ - mtctr r8 diff --git a/powerpc-irq-fix-stack-overflow-verification.patch b/powerpc-irq-fix-stack-overflow-verification.patch new file mode 100644 index 0000000..903fcf7 --- /dev/null +++ b/powerpc-irq-fix-stack-overflow-verification.patch @@ -0,0 +1,50 @@ +From 099bc4812f09155da77eeb960a983470249c9ce1 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy <christophe.leroy@c-s.fr> +Date: Mon, 9 Dec 2019 06:19:08 +0000 +Subject: powerpc/irq: fix stack overflow verification + +From: Christophe Leroy <christophe.leroy@c-s.fr> + +commit 099bc4812f09155da77eeb960a983470249c9ce1 upstream. + +Before commit 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of +the irq stack"), check_stack_overflow() was called by do_IRQ(), before +switching to the irq stack. +In that commit, do_IRQ() was renamed __do_irq(), and is now executing +on the irq stack, so check_stack_overflow() has just become almost +useless. + +Move check_stack_overflow() call in do_IRQ() to do the check while +still on the current stack. + +Fixes: 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of the irq stack") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/e033aa8116ab12b7ca9a9c75189ad0741e3b9b5f.1575872340.git.christophe.leroy@c-s.fr +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + arch/powerpc/kernel/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -485,8 +485,6 @@ void __do_irq(struct pt_regs *regs) + + trace_irq_entry(regs); + +- check_stack_overflow(); +- + /* + * Query the platform PIC for the interrupt & ack it. + * +@@ -518,6 +516,8 @@ void do_IRQ(struct pt_regs *regs) + irqtp = hardirq_ctx[raw_smp_processor_id()]; + sirqtp = softirq_ctx[raw_smp_processor_id()]; + ++ check_stack_overflow(); ++ + /* Already there ? */ + if (unlikely(curtp == irqtp || curtp == sirqtp)) { + __do_irq(regs); diff --git a/quota-check-that-quota-is-not-dirty-before-release.patch b/quota-check-that-quota-is-not-dirty-before-release.patch deleted file mode 100644 index b313874..0000000 --- a/quota-check-that-quota-is-not-dirty-before-release.patch +++ /dev/null @@ -1,85 +0,0 @@ -From df4bb5d128e2c44848aeb36b7ceceba3ac85080d Mon Sep 17 00:00:00 2001 -From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> -Date: Thu, 31 Oct 2019 10:39:20 +0000 -Subject: quota: Check that quota is not dirty before release - -From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> - -commit df4bb5d128e2c44848aeb36b7ceceba3ac85080d upstream. - -There is a race window where quota was redirted once we drop dq_list_lock inside dqput(), -but before we grab dquot->dq_lock inside dquot_release() - -TASK1 TASK2 (chowner) -->dqput() - we_slept: - spin_lock(&dq_list_lock) - if (dquot_dirty(dquot)) { - spin_unlock(&dq_list_lock); - dquot->dq_sb->dq_op->write_dquot(dquot); - goto we_slept - if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { - spin_unlock(&dq_list_lock); - dquot->dq_sb->dq_op->release_dquot(dquot); - dqget() - mark_dquot_dirty() - dqput() - goto we_slept; - } -So dquot dirty quota will be released by TASK1, but on next we_sleept loop -we detect this and call ->write_dquot() for it. -XFSTEST: https://github.com/dmonakhov/xfstests/commit/440a80d4cbb39e9234df4d7240aee1d551c36107 - -Link: https://lore.kernel.org/r/20191031103920.3919-2-dmonakhov@openvz.org -CC: stable@vger.kernel.org -Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/ocfs2/quota_global.c | 2 +- - fs/quota/dquot.c | 2 +- - include/linux/quotaops.h | 10 ++++++++++ - 3 files changed, 12 insertions(+), 2 deletions(-) - ---- a/fs/ocfs2/quota_global.c -+++ b/fs/ocfs2/quota_global.c -@@ -714,7 +714,7 @@ static int ocfs2_release_dquot(struct dq - - mutex_lock(&dquot->dq_lock); - /* Check whether we are not racing with some other dqget() */ -- if (atomic_read(&dquot->dq_count) > 1) -+ if (dquot_is_busy(dquot)) - goto out; - /* Running from downconvert thread? Postpone quota processing to wq */ - if (current == osb->dc_task) { ---- a/fs/quota/dquot.c -+++ b/fs/quota/dquot.c -@@ -472,7 +472,7 @@ int dquot_release(struct dquot *dquot) - - mutex_lock(&dquot->dq_lock); - /* Check whether we are not racing with some other dqget() */ -- if (atomic_read(&dquot->dq_count) > 1) -+ if (dquot_is_busy(dquot)) - goto out_dqlock; - mutex_lock(&dqopt->dqio_mutex); - if (dqopt->ops[dquot->dq_id.type]->release_dqblk) { ---- a/include/linux/quotaops.h -+++ b/include/linux/quotaops.h -@@ -54,6 +54,16 @@ static inline struct dquot *dqgrab(struc - atomic_inc(&dquot->dq_count); - return dquot; - } -+ -+static inline bool dquot_is_busy(struct dquot *dquot) -+{ -+ if (test_bit(DQ_MOD_B, &dquot->dq_flags)) -+ return true; -+ if (atomic_read(&dquot->dq_count) > 1) -+ return true; -+ return false; -+} -+ - void dqput(struct dquot *dquot); - int dquot_scan_active(struct super_block *sb, - int (*fn)(struct dquot *dquot, unsigned long priv), diff --git a/quota-fix-livelock-in-dquot_writeback_dquots.patch b/quota-fix-livelock-in-dquot_writeback_dquots.patch deleted file mode 100644 index f9a933e..0000000 --- a/quota-fix-livelock-in-dquot_writeback_dquots.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 6ff33d99fc5c96797103b48b7b0902c296f09c05 Mon Sep 17 00:00:00 2001 -From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> -Date: Thu, 31 Oct 2019 10:39:19 +0000 -Subject: quota: fix livelock in dquot_writeback_dquots - -From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> - -commit 6ff33d99fc5c96797103b48b7b0902c296f09c05 upstream. - -Write only quotas which are dirty at entry. - -XFSTEST: https://github.com/dmonakhov/xfstests/commit/b10ad23566a5bf75832a6f500e1236084083cddc - -Link: https://lore.kernel.org/r/20191031103920.3919-1-dmonakhov@openvz.org -CC: stable@vger.kernel.org -Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> -Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> -Signed-off-by: Jan Kara <jack@suse.cz> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - fs/quota/dquot.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - ---- a/fs/quota/dquot.c -+++ b/fs/quota/dquot.c -@@ -604,7 +604,7 @@ EXPORT_SYMBOL(dquot_scan_active); - /* Write all dquot structures to quota files */ - int dquot_writeback_dquots(struct super_block *sb, int type) - { -- struct list_head *dirty; -+ struct list_head dirty; - struct dquot *dquot; - struct quota_info *dqopt = sb_dqopt(sb); - int cnt; -@@ -617,9 +617,10 @@ int dquot_writeback_dquots(struct super_ - if (!sb_has_quota_active(sb, cnt)) - continue; - spin_lock(&dq_list_lock); -- dirty = &dqopt->info[cnt].dqi_dirty_list; -- while (!list_empty(dirty)) { -- dquot = list_first_entry(dirty, struct dquot, -+ /* Move list away to avoid livelock. */ -+ list_replace_init(&dqopt->info[cnt].dqi_dirty_list, &dirty); -+ while (!list_empty(&dirty)) { -+ dquot = list_first_entry(&dirty, struct dquot, - dq_dirty); - /* Dirty and inactive can be only bad dquot... */ - if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) { diff --git a/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch b/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch deleted file mode 100644 index fab3fac..0000000 --- a/rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 3155db7613edea8fb943624062baf1e4f9cfbfd6 Mon Sep 17 00:00:00 2001 -From: Larry Finger <Larry.Finger@lwfinger.net> -Date: Mon, 11 Nov 2019 13:40:45 -0600 -Subject: rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer - -From: Larry Finger <Larry.Finger@lwfinger.net> - -commit 3155db7613edea8fb943624062baf1e4f9cfbfd6 upstream. - -In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for -new drivers"), a callback needed to check if the hardware has released -a buffer indicating that a DMA operation is completed was not added. - -Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers") -Cc: Stable <stable@vger.kernel.org> # v3.18+ -Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/net/wireless/rtlwifi/rtl8192de/sw.c | 1 + - drivers/net/wireless/rtlwifi/rtl8192de/trx.c | 17 +++++++++++++++++ - drivers/net/wireless/rtlwifi/rtl8192de/trx.h | 2 ++ - 3 files changed, 20 insertions(+) - ---- a/drivers/net/wireless/rtlwifi/rtl8192de/sw.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192de/sw.c -@@ -242,6 +242,7 @@ static struct rtl_hal_ops rtl8192de_hal_ - .led_control = rtl92de_led_control, - .set_desc = rtl92de_set_desc, - .get_desc = rtl92de_get_desc, -+ .is_tx_desc_closed = rtl92de_is_tx_desc_closed, - .tx_polling = rtl92de_tx_polling, - .enable_hw_sec = rtl92de_enable_hw_security_config, - .set_key = rtl92de_set_key, ---- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c -@@ -863,6 +863,23 @@ u32 rtl92de_get_desc(u8 *p_desc, bool is - return ret; - } - -+bool rtl92de_is_tx_desc_closed(struct ieee80211_hw *hw, -+ u8 hw_queue, u16 index) -+{ -+ struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); -+ struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[hw_queue]; -+ u8 *entry = (u8 *)(&ring->desc[ring->idx]); -+ u8 own = (u8)rtl92de_get_desc(entry, true, HW_DESC_OWN); -+ -+ /* a beacon packet will only use the first -+ * descriptor by defaut, and the own bit may not -+ * be cleared by the hardware -+ */ -+ if (own) -+ return false; -+ return true; -+} -+ - void rtl92de_tx_polling(struct ieee80211_hw *hw, u8 hw_queue) - { - struct rtl_priv *rtlpriv = rtl_priv(hw); ---- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.h -+++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.h -@@ -740,6 +740,8 @@ bool rtl92de_rx_query_desc(struct ieee80 - void rtl92de_set_desc(struct ieee80211_hw *hw, u8 *pdesc, bool istx, - u8 desc_name, u8 *val); - u32 rtl92de_get_desc(u8 *pdesc, bool istx, u8 desc_name); -+bool rtl92de_is_tx_desc_closed(struct ieee80211_hw *hw, -+ u8 hw_queue, u16 index); - void rtl92de_tx_polling(struct ieee80211_hw *hw, u8 hw_queue); - void rtl92de_tx_fill_cmddesc(struct ieee80211_hw *hw, u8 *pdesc, - bool b_firstseg, bool b_lastseg, diff --git a/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch b/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch deleted file mode 100644 index ef08301..0000000 --- a/rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 0e531cc575c4e9e3dd52ad287b49d3c2dc74c810 Mon Sep 17 00:00:00 2001 -From: Larry Finger <Larry.Finger@lwfinger.net> -Date: Mon, 11 Nov 2019 13:40:44 -0600 -Subject: rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address - -From: Larry Finger <Larry.Finger@lwfinger.net> - -commit 0e531cc575c4e9e3dd52ad287b49d3c2dc74c810 upstream. - -In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for -new drivers"), a callback to get the RX buffer address was added to -the PCI driver. Unfortunately, driver rtl8192de was not modified -appropriately and the code runs into a WARN_ONCE() call. The use -of an incorrect array is also fixed. - -Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers") -Cc: Stable <stable@vger.kernel.org> # 3.18+ -Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/net/wireless/rtlwifi/rtl8192de/trx.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - ---- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c -@@ -844,13 +844,15 @@ u32 rtl92de_get_desc(u8 *p_desc, bool is - break; - } - } else { -- struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc; - switch (desc_name) { - case HW_DESC_OWN: -- ret = GET_RX_DESC_OWN(pdesc); -+ ret = GET_RX_DESC_OWN(p_desc); - break; - case HW_DESC_RXPKT_LEN: -- ret = GET_RX_DESC_PKT_LEN(pdesc); -+ ret = GET_RX_DESC_PKT_LEN(p_desc); -+ break; -+ case HW_DESC_RXBUFF_ADDR: -+ ret = GET_RX_DESC_BUFF_ADDR(p_desc); - break; - default: - RT_ASSERT(false, "ERR rxdesc :%d not process\n", diff --git a/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch b/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch deleted file mode 100644 index 1613b53..0000000 --- a/rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 330bb7117101099c687e9c7f13d48068670b9c62 Mon Sep 17 00:00:00 2001 -From: Larry Finger <Larry.Finger@lwfinger.net> -Date: Mon, 11 Nov 2019 13:40:46 -0600 -Subject: rtlwifi: rtl8192de: Fix missing enable interrupt flag - -From: Larry Finger <Larry.Finger@lwfinger.net> - -commit 330bb7117101099c687e9c7f13d48068670b9c62 upstream. - -In commit 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for -new drivers"), the flag that indicates that interrupts are enabled was -never set. - -In addition, there are several places when enable/disable interrupts -were commented out are restored. A sychronize_interrupts() call is -removed. - -Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers") -Cc: Stable <stable@vger.kernel.org> # v3.18+ -Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/net/wireless/rtlwifi/rtl8192de/hw.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - ---- a/drivers/net/wireless/rtlwifi/rtl8192de/hw.c -+++ b/drivers/net/wireless/rtlwifi/rtl8192de/hw.c -@@ -1206,6 +1206,7 @@ void rtl92de_enable_interrupt(struct iee - - rtl_write_dword(rtlpriv, REG_HIMR, rtlpci->irq_mask[0] & 0xFFFFFFFF); - rtl_write_dword(rtlpriv, REG_HIMRE, rtlpci->irq_mask[1] & 0xFFFFFFFF); -+ rtlpci->irq_enabled = true; - } - - void rtl92de_disable_interrupt(struct ieee80211_hw *hw) -@@ -1215,7 +1216,7 @@ void rtl92de_disable_interrupt(struct ie - - rtl_write_dword(rtlpriv, REG_HIMR, IMR8190_DISABLED); - rtl_write_dword(rtlpriv, REG_HIMRE, IMR8190_DISABLED); -- synchronize_irq(rtlpci->pdev->irq); -+ rtlpci->irq_enabled = false; - } - - static void _rtl92de_poweroff_adapter(struct ieee80211_hw *hw) -@@ -1386,7 +1387,7 @@ void rtl92de_set_beacon_related_register - - bcn_interval = mac->beacon_interval; - atim_window = 2; -- /*rtl92de_disable_interrupt(hw); */ -+ rtl92de_disable_interrupt(hw); - rtl_write_word(rtlpriv, REG_ATIMWND, atim_window); - rtl_write_word(rtlpriv, REG_BCN_INTERVAL, bcn_interval); - rtl_write_word(rtlpriv, REG_BCNTCFG, 0x660f); -@@ -1406,9 +1407,9 @@ void rtl92de_set_beacon_interval(struct - - RT_TRACE(rtlpriv, COMP_BEACON, DBG_DMESG, - "beacon_interval:%d\n", bcn_interval); -- /* rtl92de_disable_interrupt(hw); */ -+ rtl92de_disable_interrupt(hw); - rtl_write_word(rtlpriv, REG_BCN_INTERVAL, bcn_interval); -- /* rtl92de_enable_interrupt(hw); */ -+ rtl92de_enable_interrupt(hw); - } - - void rtl92de_update_interrupt_mask(struct ieee80211_hw *hw, @@ -1,42 +1,4 @@ -staging-rtl8188eu-fix-interface-sanity-check.patch -staging-rtl8712-fix-interface-sanity-check.patch -staging-gigaset-fix-general-protection-fault-on-probe.patch -staging-gigaset-fix-illegal-free-on-probe-errors.patch -staging-gigaset-add-endpoint-type-sanity-check.patch -xhci-increase-sts_halt-timeout-in-xhci_suspend.patch -usb-atm-ueagle-atm-add-missing-endpoint-check.patch -usb-idmouse-fix-interface-sanity-checks.patch -usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch -usb-adutux-fix-interface-sanity-check.patch -usb-core-urb-fix-urb-structure-initialization-function.patch -usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch -mtd-spear_smi-fix-write-burst-mode.patch -rtlwifi-rtl8192de-fix-missing-code-to-retrieve-rx-buffer-address.patch -rtlwifi-rtl8192de-fix-missing-callback-that-tests-for-hw-release-of-buffer.patch -rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch -lib-raid6-fix-awk-build-warnings.patch -asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch -ar5523-check-null-before-memcpy-in-ar5523_cmd.patch -media-radio-wl1273-fix-interrupt-masking-on-release.patch -cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch -acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch -acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch -pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch -powerpc-allow-64bit-vdso-__kernel_sync_dicache-to-work-across-ranges-4gb.patch -quota-check-that-quota-is-not-dirty-before-release.patch -quota-fix-livelock-in-dquot_writeback_dquots.patch -mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch -net-bridge-deny-dev_set_mac_address-when-unregistering.patch -tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch -inet-protect-against-too-small-mtu-values.patch -pci-fix-intel-acs-quirk-updcr-register-address.patch -pci-msi-fix-incorrect-msi-x-masking-on-resume.patch -xtensa-fix-tlb-sanity-checker.patch -cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch -arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch -arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch dm-btree-increase-rebalance-threshold-in-__rebalance2.patch -drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch # newer stuff btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch @@ -51,4 +13,6 @@ net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch sctp-fully-initialize-v4-addr-in-some-functions.patch usbip-fix-error-path-of-vhci_recv_ret_submit.patch usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch +ext4-check-for-directory-entries-too-close-to-block-end.patch +powerpc-irq-fix-stack-overflow-verification.patch diff --git a/staging-gigaset-add-endpoint-type-sanity-check.patch b/staging-gigaset-add-endpoint-type-sanity-check.patch deleted file mode 100644 index 3820681..0000000 --- a/staging-gigaset-add-endpoint-type-sanity-check.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ed9ed5a89acba51b82bdff61144d4e4a4245ec8a Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Mon, 2 Dec 2019 09:56:10 +0100 -Subject: staging: gigaset: add endpoint-type sanity check - -From: Johan Hovold <johan@kernel.org> - -commit ed9ed5a89acba51b82bdff61144d4e4a4245ec8a upstream. - -Add missing endpoint-type sanity checks to probe. - -This specifically prevents a warning in USB core on URB submission when -fuzzing USB descriptors. - -Signed-off-by: Johan Hovold <johan@kernel.org> -Cc: stable <stable@vger.kernel.org> -Link: https://lore.kernel.org/r/20191202085610.12719-4-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/isdn/gigaset/usb-gigaset.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - ---- a/drivers/isdn/gigaset/usb-gigaset.c -+++ b/drivers/isdn/gigaset/usb-gigaset.c -@@ -713,6 +713,12 @@ static int gigaset_probe(struct usb_inte - - endpoint = &hostif->endpoint[0].desc; - -+ if (!usb_endpoint_is_bulk_out(endpoint)) { -+ dev_err(&interface->dev, "missing bulk-out endpoint\n"); -+ retval = -ENODEV; -+ goto error; -+ } -+ - buffer_size = le16_to_cpu(endpoint->wMaxPacketSize); - ucs->bulk_out_size = buffer_size; - ucs->bulk_out_epnum = usb_endpoint_num(endpoint); -@@ -732,6 +738,12 @@ static int gigaset_probe(struct usb_inte - - endpoint = &hostif->endpoint[1].desc; - -+ if (!usb_endpoint_is_int_in(endpoint)) { -+ dev_err(&interface->dev, "missing int-in endpoint\n"); -+ retval = -ENODEV; -+ goto error; -+ } -+ - ucs->busy = 0; - - ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL); diff --git a/staging-gigaset-fix-general-protection-fault-on-probe.patch b/staging-gigaset-fix-general-protection-fault-on-probe.patch deleted file mode 100644 index a83e87d..0000000 --- a/staging-gigaset-fix-general-protection-fault-on-probe.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 53f35a39c3860baac1e5ca80bf052751cfb24a99 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Mon, 2 Dec 2019 09:56:08 +0100 -Subject: staging: gigaset: fix general protection fault on probe - -From: Johan Hovold <johan@kernel.org> - -commit 53f35a39c3860baac1e5ca80bf052751cfb24a99 upstream. - -Fix a general protection fault when accessing the endpoint descriptors -which could be triggered by a malicious device due to missing sanity -checks on the number of endpoints. - -Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com -Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter") -Cc: stable <stable@vger.kernel.org> # 2.6.17 -Cc: Hansjoerg Lipp <hjlipp@web.de> -Cc: Tilman Schmidt <tilman@imap.cc> -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191202085610.12719-2-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/isdn/gigaset/usb-gigaset.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/drivers/isdn/gigaset/usb-gigaset.c -+++ b/drivers/isdn/gigaset/usb-gigaset.c -@@ -693,6 +693,11 @@ static int gigaset_probe(struct usb_inte - return -ENODEV; - } - -+ if (hostif->desc.bNumEndpoints < 2) { -+ dev_err(&interface->dev, "missing endpoints\n"); -+ return -ENODEV; -+ } -+ - dev_info(&udev->dev, "%s: Device matched ... !\n", __func__); - - /* allocate memory for our device state and initialize it */ diff --git a/staging-gigaset-fix-illegal-free-on-probe-errors.patch b/staging-gigaset-fix-illegal-free-on-probe-errors.patch deleted file mode 100644 index f9e9981..0000000 --- a/staging-gigaset-fix-illegal-free-on-probe-errors.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 84f60ca7b326ed8c08582417493982fe2573a9ad Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Mon, 2 Dec 2019 09:56:09 +0100 -Subject: staging: gigaset: fix illegal free on probe errors - -From: Johan Hovold <johan@kernel.org> - -commit 84f60ca7b326ed8c08582417493982fe2573a9ad upstream. - -The driver failed to initialise its receive-buffer pointer, something -which could lead to an illegal free on late probe errors. - -Fix this by making sure to clear all driver data at allocation. - -Fixes: 2032e2c2309d ("usb_gigaset: code cleanup") -Cc: stable <stable@vger.kernel.org> # 2.6.33 -Cc: Tilman Schmidt <tilman@imap.cc> -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191202085610.12719-3-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/isdn/gigaset/usb-gigaset.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - ---- a/drivers/isdn/gigaset/usb-gigaset.c -+++ b/drivers/isdn/gigaset/usb-gigaset.c -@@ -579,8 +579,7 @@ static int gigaset_initcshw(struct cards - { - struct usb_cardstate *ucs; - -- cs->hw.usb = ucs = -- kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL); -+ cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL); - if (!ucs) { - pr_err("out of memory\n"); - return -ENOMEM; -@@ -592,9 +591,6 @@ static int gigaset_initcshw(struct cards - ucs->bchars[3] = 0; - ucs->bchars[4] = 0x11; - ucs->bchars[5] = 0x13; -- ucs->bulk_out_buffer = NULL; -- ucs->bulk_out_urb = NULL; -- ucs->read_urb = NULL; - tasklet_init(&cs->write_tasklet, - gigaset_modem_fill, (unsigned long) cs); - diff --git a/staging-rtl8188eu-fix-interface-sanity-check.patch b/staging-rtl8188eu-fix-interface-sanity-check.patch deleted file mode 100644 index 1921cbb..0000000 --- a/staging-rtl8188eu-fix-interface-sanity-check.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 74ca34118a0e05793935d804ccffcedd6eb56596 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Tue, 10 Dec 2019 12:47:50 +0100 -Subject: staging: rtl8188eu: fix interface sanity check - -From: Johan Hovold <johan@kernel.org> - -commit 74ca34118a0e05793935d804ccffcedd6eb56596 upstream. - -Make sure to use the current alternate setting when verifying the -interface descriptors to avoid binding to an invalid interface. - -Failing to do so could cause the driver to misbehave or trigger a WARN() -in usb_submit_urb() that kernels with panic_on_warn set would choke on. - -Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20") -Cc: stable <stable@vger.kernel.org> # 3.12 -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c -+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c -@@ -86,7 +86,7 @@ static struct dvobj_priv *usb_dvobj_init - phost_conf = pusbd->actconfig; - pconf_desc = &phost_conf->desc; - -- phost_iface = &usb_intf->altsetting[0]; -+ phost_iface = usb_intf->cur_altsetting; - piface_desc = &phost_iface->desc; - - pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces; diff --git a/staging-rtl8712-fix-interface-sanity-check.patch b/staging-rtl8712-fix-interface-sanity-check.patch deleted file mode 100644 index e5b22bc..0000000 --- a/staging-rtl8712-fix-interface-sanity-check.patch +++ /dev/null @@ -1,36 +0,0 @@ -From c724f776f048538ecfdf53a52b7a522309f5c504 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Tue, 10 Dec 2019 12:47:51 +0100 -Subject: staging: rtl8712: fix interface sanity check - -From: Johan Hovold <johan@kernel.org> - -commit c724f776f048538ecfdf53a52b7a522309f5c504 upstream. - -Make sure to use the current alternate setting when verifying the -interface descriptors to avoid binding to an invalid interface. - -Failing to do so could cause the driver to misbehave or trigger a WARN() -in usb_submit_urb() that kernels with panic_on_warn set would choke on. - -Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") -Cc: stable <stable@vger.kernel.org> # 2.6.37 -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191210114751.5119-3-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/staging/rtl8712/usb_intf.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/staging/rtl8712/usb_intf.c -+++ b/drivers/staging/rtl8712/usb_intf.c -@@ -268,7 +268,7 @@ static uint r8712_usb_dvobj_init(struct - pdev_desc = &pusbd->descriptor; - phost_conf = pusbd->actconfig; - pconf_desc = &phost_conf->desc; -- phost_iface = &pintf->altsetting[0]; -+ phost_iface = pintf->cur_altsetting; - piface_desc = &phost_iface->desc; - pdvobjpriv->nr_endpoint = piface_desc->bNumEndpoints; - if (pusbd->speed == USB_SPEED_HIGH) { diff --git a/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch b/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch deleted file mode 100644 index eadf33d..0000000 --- a/tcp-md5-fix-potential-overestimation-of-tcp-option-space.patch +++ /dev/null @@ -1,46 +0,0 @@ -From foo@baz Wed 18 Dec 2019 01:37:17 PM CET -From: Eric Dumazet <edumazet@google.com> -Date: Thu, 5 Dec 2019 10:10:15 -0800 -Subject: tcp: md5: fix potential overestimation of TCP option space - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit 9424e2e7ad93ffffa88f882c9bc5023570904b55 ] - -Back in 2008, Adam Langley fixed the corner case of packets for flows -having all of the following options : MD5 TS SACK - -Since MD5 needs 20 bytes, and TS needs 12 bytes, no sack block -can be cooked from the remaining 8 bytes. - -tcp_established_options() correctly sets opts->num_sack_blocks -to zero, but returns 36 instead of 32. - -This means TCP cooks packets with 4 extra bytes at the end -of options, containing unitialized bytes. - -Fixes: 33ad798c924b ("tcp: options clean up") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Acked-by: Neal Cardwell <ncardwell@google.com> -Acked-by: Soheil Hassas Yeganeh <soheil@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/ipv4/tcp_output.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -693,8 +693,9 @@ static unsigned int tcp_established_opti - min_t(unsigned int, eff_sacks, - (remaining - TCPOLEN_SACK_BASE_ALIGNED) / - TCPOLEN_SACK_PERBLOCK); -- size += TCPOLEN_SACK_BASE_ALIGNED + -- opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK; -+ if (likely(opts->num_sack_blocks)) -+ size += TCPOLEN_SACK_BASE_ALIGNED + -+ opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK; - } - - return size; diff --git a/usb-adutux-fix-interface-sanity-check.patch b/usb-adutux-fix-interface-sanity-check.patch deleted file mode 100644 index 631b320..0000000 --- a/usb-adutux-fix-interface-sanity-check.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 3c11c4bed02b202e278c0f5c319ae435d7fb9815 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Tue, 10 Dec 2019 12:25:59 +0100 -Subject: USB: adutux: fix interface sanity check - -From: Johan Hovold <johan@kernel.org> - -commit 3c11c4bed02b202e278c0f5c319ae435d7fb9815 upstream. - -Make sure to use the current alternate setting when verifying the -interface descriptors to avoid binding to an invalid interface. - -Failing to do so could cause the driver to misbehave or trigger a WARN() -in usb_submit_urb() that kernels with panic_on_warn set would choke on. - -Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices") -Cc: stable <stable@vger.kernel.org> # 2.6.19 -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/misc/adutux.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/misc/adutux.c -+++ b/drivers/usb/misc/adutux.c -@@ -686,7 +686,7 @@ static int adu_probe(struct usb_interfac - init_waitqueue_head(&dev->read_wait); - init_waitqueue_head(&dev->write_wait); - -- iface_desc = &interface->altsetting[0]; -+ iface_desc = &interface->cur_altsetting[0]; - - /* set up the endpoint information */ - for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { diff --git a/usb-atm-ueagle-atm-add-missing-endpoint-check.patch b/usb-atm-ueagle-atm-add-missing-endpoint-check.patch deleted file mode 100644 index 8eaeb3e..0000000 --- a/usb-atm-ueagle-atm-add-missing-endpoint-check.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 09068c1ad53fb077bdac288869dec2435420bdc4 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Tue, 10 Dec 2019 12:25:58 +0100 -Subject: USB: atm: ueagle-atm: add missing endpoint check - -From: Johan Hovold <johan@kernel.org> - -commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream. - -Make sure that the interrupt interface has an endpoint before trying to -access its endpoint descriptors to avoid dereferencing a NULL pointer. - -The driver binds to the interrupt interface with interface number 0, but -must not assume that this interface or its current alternate setting are -the first entries in the corresponding configuration arrays. - -Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") -Cc: stable <stable@vger.kernel.org> # 2.6.16 -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - ---- a/drivers/usb/atm/ueagle-atm.c -+++ b/drivers/usb/atm/ueagle-atm.c -@@ -2167,10 +2167,11 @@ resubmit: - /* - * Start the modem : init the data and start kernel thread - */ --static int uea_boot(struct uea_softc *sc) -+static int uea_boot(struct uea_softc *sc, struct usb_interface *intf) - { -- int ret, size; - struct intr_pkt *intr; -+ int ret = -ENOMEM; -+ int size; - - uea_enters(INS_TO_USBDEV(sc)); - -@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc - if (UEA_CHIP_VERSION(sc) == ADI930) - load_XILINX_firmware(sc); - -+ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { -+ ret = -ENODEV; -+ goto err0; -+ } -+ - intr = kmalloc(size, GFP_KERNEL); - if (!intr) { - uea_err(INS_TO_USBDEV(sc), -@@ -2211,8 +2217,7 @@ static int uea_boot(struct uea_softc *sc - usb_fill_int_urb(sc->urb_int, sc->usb_dev, - usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE), - intr, size, uea_intr, sc, -- sc->usb_dev->actconfig->interface[0]->altsetting[0]. -- endpoint[0].desc.bInterval); -+ intf->cur_altsetting->endpoint[0].desc.bInterval); - - ret = usb_submit_urb(sc->urb_int, GFP_KERNEL); - if (ret < 0) { -@@ -2227,6 +2232,7 @@ static int uea_boot(struct uea_softc *sc - sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm"); - if (IS_ERR(sc->kthread)) { - uea_err(INS_TO_USBDEV(sc), "failed to create thread\n"); -+ ret = PTR_ERR(sc->kthread); - goto err2; - } - -@@ -2241,7 +2247,7 @@ err1: - kfree(intr); - err0: - uea_leaves(INS_TO_USBDEV(sc)); -- return -ENOMEM; -+ return ret; - } - - /* -@@ -2604,7 +2610,7 @@ static int uea_bind(struct usbatm_data * - if (ret < 0) - goto error; - -- ret = uea_boot(sc); -+ ret = uea_boot(sc, intf); - if (ret < 0) - goto error_rm_grp; - diff --git a/usb-core-urb-fix-urb-structure-initialization-function.patch b/usb-core-urb-fix-urb-structure-initialization-function.patch deleted file mode 100644 index d7e95aa..0000000 --- a/usb-core-urb-fix-urb-structure-initialization-function.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 1cd17f7f0def31e3695501c4f86cd3faf8489840 Mon Sep 17 00:00:00 2001 -From: Emiliano Ingrassia <ingrassia@epigenesys.com> -Date: Wed, 27 Nov 2019 17:03:55 +0100 -Subject: usb: core: urb: fix URB structure initialization function - -From: Emiliano Ingrassia <ingrassia@epigenesys.com> - -commit 1cd17f7f0def31e3695501c4f86cd3faf8489840 upstream. - -Explicitly initialize URB structure urb_list field in usb_init_urb(). -This field can be potentially accessed uninitialized and its -initialization is coherent with the usage of list_del_init() in -usb_hcd_unlink_urb_from_ep() and usb_giveback_urb_bh() and its -explicit initialization in usb_hcd_submit_urb() error path. - -Signed-off-by: Emiliano Ingrassia <ingrassia@epigenesys.com> -Cc: stable <stable@vger.kernel.org> -Link: https://lore.kernel.org/r/20191127160355.GA27196@ingrassia.epigenesys.com -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/core/urb.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/usb/core/urb.c -+++ b/drivers/usb/core/urb.c -@@ -40,6 +40,7 @@ void usb_init_urb(struct urb *urb) - if (urb) { - memset(urb, 0, sizeof(*urb)); - kref_init(&urb->kref); -+ INIT_LIST_HEAD(&urb->urb_list); - INIT_LIST_HEAD(&urb->anchor_list); - } - } diff --git a/usb-idmouse-fix-interface-sanity-checks.patch b/usb-idmouse-fix-interface-sanity-checks.patch deleted file mode 100644 index b23e015..0000000 --- a/usb-idmouse-fix-interface-sanity-checks.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 59920635b89d74b9207ea803d5e91498d39e8b69 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Tue, 10 Dec 2019 12:26:00 +0100 -Subject: USB: idmouse: fix interface sanity checks - -From: Johan Hovold <johan@kernel.org> - -commit 59920635b89d74b9207ea803d5e91498d39e8b69 upstream. - -Make sure to use the current alternate setting when verifying the -interface descriptors to avoid binding to an invalid interface. - -Failing to do so could cause the driver to misbehave or trigger a WARN() -in usb_submit_urb() that kernels with panic_on_warn set would choke on. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Cc: stable <stable@vger.kernel.org> -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/misc/idmouse.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/misc/idmouse.c -+++ b/drivers/usb/misc/idmouse.c -@@ -342,7 +342,7 @@ static int idmouse_probe(struct usb_inte - int result; - - /* check if we have gotten the data or the hid interface */ -- iface_desc = &interface->altsetting[0]; -+ iface_desc = interface->cur_altsetting; - if (iface_desc->desc.bInterfaceClass != 0x0A) - return -ENODEV; - diff --git a/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch b/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch deleted file mode 100644 index 71f5b14..0000000 --- a/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 19e6317d24c25ee737c65d1ffb7483bdda4bb54a Mon Sep 17 00:00:00 2001 -From: Pete Zaitcev <zaitcev@redhat.com> -Date: Wed, 4 Dec 2019 20:39:41 -0600 -Subject: usb: mon: Fix a deadlock in usbmon between mmap and read - -From: Pete Zaitcev <zaitcev@redhat.com> - -commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream. - -The problem arises because our read() function grabs a lock of the -circular buffer, finds something of interest, then invokes copy_to_user() -straight from the buffer, which in turn takes mm->mmap_sem. In the same -time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem. -It attempts to take the fetch lock and deadlocks. - -This patch does away with protecting of our page list with any -semaphores, and instead relies on the kernel not close the device -while mmap is active in a process. - -In addition, we prohibit re-sizing of a buffer while mmap is active. -This way, when (now unlocked) fault is processed, it works with the -page that is intended to be mapped-in, and not some other random page. -Note that this may have an ABI impact, but hopefully no legitimate -program is this wrong. - -Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> -Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com -Reviewed-by: Alan Stern <stern@rowland.harvard.edu> -Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger") -Cc: <stable@vger.kernel.org> -Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/mon/mon_bin.c | 32 +++++++++++++++++++++----------- - 1 file changed, 21 insertions(+), 11 deletions(-) - ---- a/drivers/usb/mon/mon_bin.c -+++ b/drivers/usb/mon/mon_bin.c -@@ -1034,12 +1034,18 @@ static long mon_bin_ioctl(struct file *f - - mutex_lock(&rp->fetch_lock); - spin_lock_irqsave(&rp->b_lock, flags); -- mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); -- kfree(rp->b_vec); -- rp->b_vec = vec; -- rp->b_size = size; -- rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; -- rp->cnt_lost = 0; -+ if (rp->mmap_active) { -+ mon_free_buff(vec, size/CHUNK_SIZE); -+ kfree(vec); -+ ret = -EBUSY; -+ } else { -+ mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); -+ kfree(rp->b_vec); -+ rp->b_vec = vec; -+ rp->b_size = size; -+ rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; -+ rp->cnt_lost = 0; -+ } - spin_unlock_irqrestore(&rp->b_lock, flags); - mutex_unlock(&rp->fetch_lock); - } -@@ -1211,13 +1217,21 @@ mon_bin_poll(struct file *file, struct p - static void mon_bin_vma_open(struct vm_area_struct *vma) - { - struct mon_reader_bin *rp = vma->vm_private_data; -+ unsigned long flags; -+ -+ spin_lock_irqsave(&rp->b_lock, flags); - rp->mmap_active++; -+ spin_unlock_irqrestore(&rp->b_lock, flags); - } - - static void mon_bin_vma_close(struct vm_area_struct *vma) - { -+ unsigned long flags; -+ - struct mon_reader_bin *rp = vma->vm_private_data; -+ spin_lock_irqsave(&rp->b_lock, flags); - rp->mmap_active--; -+ spin_unlock_irqrestore(&rp->b_lock, flags); - } - - /* -@@ -1229,16 +1243,12 @@ static int mon_bin_vma_fault(struct vm_a - unsigned long offset, chunk_idx; - struct page *pageptr; - -- mutex_lock(&rp->fetch_lock); - offset = vmf->pgoff << PAGE_SHIFT; -- if (offset >= rp->b_size) { -- mutex_unlock(&rp->fetch_lock); -+ if (offset >= rp->b_size) - return VM_FAULT_SIGBUS; -- } - chunk_idx = offset / CHUNK_SIZE; - pageptr = rp->b_vec[chunk_idx].pg; - get_page(pageptr); -- mutex_unlock(&rp->fetch_lock); - vmf->page = pageptr; - return 0; - } diff --git a/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch b/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch deleted file mode 100644 index 1678c30..0000000 --- a/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 7c5a2df3367a2c4984f1300261345817d95b71f8 Mon Sep 17 00:00:00 2001 -From: Johan Hovold <johan@kernel.org> -Date: Tue, 10 Dec 2019 12:26:01 +0100 -Subject: USB: serial: io_edgeport: fix epic endpoint lookup - -From: Johan Hovold <johan@kernel.org> - -commit 7c5a2df3367a2c4984f1300261345817d95b71f8 upstream. - -Make sure to use the current alternate setting when looking up the -endpoints on epic devices to avoid binding to an invalid interface. - -Failing to do so could cause the driver to misbehave or trigger a WARN() -in usb_submit_urb() that kernels with panic_on_warn set would choke on. - -Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver") -Cc: stable <stable@vger.kernel.org> # 2.6.21 -Signed-off-by: Johan Hovold <johan@kernel.org> -Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/serial/io_edgeport.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - ---- a/drivers/usb/serial/io_edgeport.c -+++ b/drivers/usb/serial/io_edgeport.c -@@ -2854,16 +2854,18 @@ static int edge_startup(struct usb_seria - response = 0; - - if (edge_serial->is_epic) { -+ struct usb_host_interface *alt; -+ -+ alt = serial->interface->cur_altsetting; -+ - /* EPIC thing, set up our interrupt polling now and our read - * urb, so that the device knows it really is connected. */ - interrupt_in_found = bulk_in_found = bulk_out_found = false; -- for (i = 0; i < serial->interface->altsetting[0] -- .desc.bNumEndpoints; ++i) { -+ for (i = 0; i < alt->desc.bNumEndpoints; ++i) { - struct usb_endpoint_descriptor *endpoint; - int buffer_size; - -- endpoint = &serial->interface->altsetting[0]. -- endpoint[i].desc; -+ endpoint = &alt->endpoint[i].desc; - buffer_size = usb_endpoint_maxp(endpoint); - if (!interrupt_in_found && - (usb_endpoint_is_int_in(endpoint))) { diff --git a/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch b/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch deleted file mode 100644 index 2be8423..0000000 --- a/xhci-increase-sts_halt-timeout-in-xhci_suspend.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7c67cf6658cec70d8a43229f2ce74ca1443dc95e Mon Sep 17 00:00:00 2001 -From: Kai-Heng Feng <kai.heng.feng@canonical.com> -Date: Wed, 11 Dec 2019 16:20:05 +0200 -Subject: xhci: Increase STS_HALT timeout in xhci_suspend() - -From: Kai-Heng Feng <kai.heng.feng@canonical.com> - -commit 7c67cf6658cec70d8a43229f2ce74ca1443dc95e upstream. - -I've recently observed failed xHCI suspend attempt on AMD Raven Ridge -system: -kernel: xhci_hcd 0000:04:00.4: WARN: xHC CMD_RUN timeout -kernel: PM: suspend_common(): xhci_pci_suspend+0x0/0xd0 returns -110 -kernel: PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -110 -kernel: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x150 returns -110 -kernel: PM: Device 0000:04:00.4 failed to suspend async: error -110 - -Similar to commit ac343366846a ("xhci: Increase STS_SAVE timeout in -xhci_suspend()") we also need to increase the HALT timeout to make it be -able to suspend again. - -Cc: <stable@vger.kernel.org> # 5.2+ -Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()") -Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> -Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> -Link: https://lore.kernel.org/r/20191211142007.8847-5-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - drivers/usb/host/xhci.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -898,7 +898,7 @@ static void xhci_disable_port_wake_on_bi - int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup) - { - int rc = 0; -- unsigned int delay = XHCI_MAX_HALT_USEC; -+ unsigned int delay = XHCI_MAX_HALT_USEC * 2; - struct usb_hcd *hcd = xhci_to_hcd(xhci); - u32 command; - diff --git a/xtensa-fix-tlb-sanity-checker.patch b/xtensa-fix-tlb-sanity-checker.patch deleted file mode 100644 index ef5ddc7..0000000 --- a/xtensa-fix-tlb-sanity-checker.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 36de10c4788efc6efe6ff9aa10d38cb7eea4c818 Mon Sep 17 00:00:00 2001 -From: Max Filippov <jcmvbkbc@gmail.com> -Date: Wed, 13 Nov 2019 13:18:31 -0800 -Subject: xtensa: fix TLB sanity checker - -From: Max Filippov <jcmvbkbc@gmail.com> - -commit 36de10c4788efc6efe6ff9aa10d38cb7eea4c818 upstream. - -Virtual and translated addresses retrieved by the xtensa TLB sanity -checker must be consistent, i.e. correspond to the same state of the -checked TLB entry. KASAN shadow memory is mapped dynamically using -auto-refill TLB entries and thus may change TLB state between the -virtual and translated address retrieval, resulting in false TLB -insanity report. -Move read_xtlb_translation close to read_xtlb_virtual to make sure that -read values are consistent. - -Cc: stable@vger.kernel.org -Fixes: a99e07ee5e88 ("xtensa: check TLB sanity on return to userspace") -Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - ---- - arch/xtensa/mm/tlb.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/xtensa/mm/tlb.c -+++ b/arch/xtensa/mm/tlb.c -@@ -218,6 +218,8 @@ static int check_tlb_entry(unsigned w, u - unsigned tlbidx = w | (e << PAGE_SHIFT); - unsigned r0 = dtlb ? - read_dtlb_virtual(tlbidx) : read_itlb_virtual(tlbidx); -+ unsigned r1 = dtlb ? -+ read_dtlb_translation(tlbidx) : read_itlb_translation(tlbidx); - unsigned vpn = (r0 & PAGE_MASK) | (e << PAGE_SHIFT); - unsigned pte = get_pte_for_vaddr(vpn); - unsigned mm_asid = (get_rasid_register() >> 8) & ASID_MASK; -@@ -233,8 +235,6 @@ static int check_tlb_entry(unsigned w, u - } - - if (tlb_asid == mm_asid) { -- unsigned r1 = dtlb ? read_dtlb_translation(tlbidx) : -- read_itlb_translation(tlbidx); - if ((pte ^ r1) & PAGE_MASK) { - pr_err("%cTLB: way: %u, entry: %u, mapping: %08x->%08x, PTE: %08x\n", - dtlb ? 'D' : 'I', w, e, r0, r1, pte); |