diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2020-08-26 11:46:24 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2020-08-28 08:15:01 -0400 |
commit | 5f318e51aaea770cc53fd59a654c57c208db78d0 (patch) | |
tree | 1268ebad9c4945a5ccf292e12ed60a2139818dac | |
parent | 98e18de50c6d183c78fcc9263512e3792f1b73e1 (diff) | |
download | longterm-queue-5.2-5f318e51aaea770cc53fd59a654c57c208db78d0.tar.gz |
raw import of mainline commits used in v5.4.59 for consideration
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
269 files changed, 17442 insertions, 0 deletions
diff --git a/queue/9p-Fix-memory-leak-in-v9fs_mount.patch b/queue/9p-Fix-memory-leak-in-v9fs_mount.patch new file mode 100644 index 00000000..5ee498b0 --- /dev/null +++ b/queue/9p-Fix-memory-leak-in-v9fs_mount.patch @@ -0,0 +1,46 @@ +From cb0aae0e31c632c407a2cab4307be85a001d4d98 Mon Sep 17 00:00:00 2001 +From: Zheng Bin <zhengbin13@huawei.com> +Date: Mon, 15 Jun 2020 09:21:53 +0800 +Subject: [PATCH] 9p: Fix memory leak in v9fs_mount + +commit cb0aae0e31c632c407a2cab4307be85a001d4d98 upstream. + +v9fs_mount + v9fs_session_init + v9fs_cache_session_get_cookie + v9fs_random_cachetag -->alloc cachetag + v9ses->fscache = fscache_acquire_cookie -->maybe NULL + sb = sget -->fail, goto clunk +clunk_fid: + v9fs_session_close + if (v9ses->fscache) -->NULL + kfree(v9ses->cachetag) + +Thus memleak happens. + +Link: http://lkml.kernel.org/r/20200615012153.89538-1-zhengbin13@huawei.com +Fixes: 60e78d2c993e ("9p: Add fscache support to 9p") +Cc: <stable@vger.kernel.org> # v2.6.32+ +Signed-off-by: Zheng Bin <zhengbin13@huawei.com> +Signed-off-by: Dominique Martinet <asmadeus@codewreck.org> + +diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c +index 15a99f9c7253..39def020a074 100644 +--- a/fs/9p/v9fs.c ++++ b/fs/9p/v9fs.c +@@ -500,10 +500,9 @@ void v9fs_session_close(struct v9fs_session_info *v9ses) + } + + #ifdef CONFIG_9P_FSCACHE +- if (v9ses->fscache) { ++ if (v9ses->fscache) + v9fs_cache_session_put_cookie(v9ses); +- kfree(v9ses->cachetag); +- } ++ kfree(v9ses->cachetag); + #endif + kfree(v9ses->uname); + kfree(v9ses->aname); +-- +2.27.0 + diff --git a/queue/ACPICA-Do-not-increment-operation_region-reference-c.patch b/queue/ACPICA-Do-not-increment-operation_region-reference-c.patch new file mode 100644 index 00000000..228ded93 --- /dev/null +++ b/queue/ACPICA-Do-not-increment-operation_region-reference-c.patch @@ -0,0 +1,74 @@ +From 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 Mon Sep 17 00:00:00 2001 +From: Erik Kaneda <erik.kaneda@intel.com> +Date: Mon, 20 Jul 2020 10:31:20 -0700 +Subject: [PATCH] ACPICA: Do not increment operation_region reference counts + for field units + +commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 upstream. + +ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70 + +Object reference counts are used as a part of ACPICA's garbage +collection mechanism. This mechanism keeps track of references to +heap-allocated structures such as the ACPI operand objects. + +Recent server firmware has revealed that this reference count can +overflow on large servers that declare many field units under the +same operation_region. This occurs because each field unit declaration +will add a reference count to the source operation_region. + +This change solves the reference count overflow for operation_regions +objects by preventing fieldunits from incrementing their +operation_region's reference count. Each operation_region's reference +count will not be changed by named objects declared under the Field +operator. During namespace deletion, the operation_region namespace +node will be deleted and each fieldunit will be deleted without +touching the deleted operation_region object. + +Link: https://github.com/acpica/acpica/commit/e17b28cf +Signed-off-by: Erik Kaneda <erik.kaneda@intel.com> +Signed-off-by: Bob Moore <robert.moore@intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> + +diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c +index a4e306690a21..4a0f03157e08 100644 +--- a/drivers/acpi/acpica/exprep.c ++++ b/drivers/acpi/acpica/exprep.c +@@ -473,10 +473,6 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info) + (u8)access_byte_width; + } + } +- /* An additional reference for the container */ +- +- acpi_ut_add_reference(obj_desc->field.region_obj); +- + ACPI_DEBUG_PRINT((ACPI_DB_BFIELD, + "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n", + obj_desc->field.start_field_bit_offset, +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index c365faf4e6cd..4c0d4e434196 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -568,11 +568,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + next_object = object->buffer_field.buffer_obj; + break; + +- case ACPI_TYPE_LOCAL_REGION_FIELD: +- +- next_object = object->field.region_obj; +- break; +- + case ACPI_TYPE_LOCAL_BANK_FIELD: + + next_object = object->bank_field.bank_obj; +@@ -613,6 +608,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + } + break; + ++ case ACPI_TYPE_LOCAL_REGION_FIELD: + case ACPI_TYPE_REGION: + default: + +-- +2.27.0 + diff --git a/queue/ALSA-hda-fix-the-micmute-led-status-for-Lenovo-Think.patch b/queue/ALSA-hda-fix-the-micmute-led-status-for-Lenovo-Think.patch new file mode 100644 index 00000000..a2fff397 --- /dev/null +++ b/queue/ALSA-hda-fix-the-micmute-led-status-for-Lenovo-Think.patch @@ -0,0 +1,35 @@ +From 386a6539992b82fe9ac4f9dc3f548956fd894d8c Mon Sep 17 00:00:00 2001 +From: Hui Wang <hui.wang@canonical.com> +Date: Mon, 10 Aug 2020 10:16:59 +0800 +Subject: [PATCH] ALSA: hda - fix the micmute led status for Lenovo ThinkCentre + AIO + +commit 386a6539992b82fe9ac4f9dc3f548956fd894d8c upstream. + +After installing the Ubuntu Linux, the micmute led status is not +correct. Users expect that the led is on if the capture is disabled, +but with the current kernel, the led is off with the capture disabled. + +We tried the old linux kernel like linux-4.15, there is no this issue. +It looks like we introduced this issue when switching to the led_cdev. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Hui Wang <hui.wang@canonical.com> +Link: https://lore.kernel.org/r/20200810021659.7429-1-hui.wang@canonical.com +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index daedcc0adc21..09d93dd88713 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4414,6 +4414,7 @@ static void alc233_fixup_lenovo_line2_mic_hotkey(struct hda_codec *codec, + { + struct alc_spec *spec = codec->spec; + ++ spec->micmute_led_polarity = 1; + alc_fixup_hp_gpio_led(codec, action, 0, 0x04); + if (action == HDA_FIXUP_ACT_PRE_PROBE) { + spec->init_amp = ALC_INIT_DEFAULT; +-- +2.27.0 + diff --git a/queue/ALSA-usb-audio-Creative-USB-X-Fi-Pro-SB1095-volume-k.patch b/queue/ALSA-usb-audio-Creative-USB-X-Fi-Pro-SB1095-volume-k.patch new file mode 100644 index 00000000..9238e9c4 --- /dev/null +++ b/queue/ALSA-usb-audio-Creative-USB-X-Fi-Pro-SB1095-volume-k.patch @@ -0,0 +1,33 @@ +From fec9008828cde0076aae595ac031bfcf49d335a4 Mon Sep 17 00:00:00 2001 +From: Mirko Dietrich <buzz@l4m1.de> +Date: Thu, 6 Aug 2020 14:48:50 +0200 +Subject: [PATCH] ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob + support + +commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream. + +Adds an entry for Creative USB X-Fi to the rc_config array in +mixer_quirks.c to allow use of volume knob on the device. +Adds support for newer X-Fi Pro card, known as "Model No. SB1095" +with USB ID "041e:3263" + +Signed-off-by: Mirko Dietrich <buzz@l4m1.de> +Cc: <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20200806124850.20334-1-buzz@l4m1.de +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index cec1cfd7edb7..199cdbfdc761 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -185,6 +185,7 @@ static const struct rc_config { + { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */ + { USB_ID(0x041e, 0x30df), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ + { USB_ID(0x041e, 0x3237), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ ++ { USB_ID(0x041e, 0x3263), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ + { USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */ + }; + +-- +2.27.0 + diff --git a/queue/ALSA-usb-audio-add-quirk-for-Pioneer-DDJ-RB.patch b/queue/ALSA-usb-audio-add-quirk-for-Pioneer-DDJ-RB.patch new file mode 100644 index 00000000..156b3bf8 --- /dev/null +++ b/queue/ALSA-usb-audio-add-quirk-for-Pioneer-DDJ-RB.patch @@ -0,0 +1,85 @@ +From 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 Mon Sep 17 00:00:00 2001 +From: Hector Martin <marcan@marcan.st> +Date: Mon, 10 Aug 2020 17:25:02 +0900 +Subject: [PATCH] ALSA: usb-audio: add quirk for Pioneer DDJ-RB + +commit 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 upstream. + +This is just another Pioneer device with fixed endpoints. Input is dummy +but used as feedback (it always returns silence). + +Cc: stable@vger.kernel.org +Signed-off-by: Hector Martin <marcan@marcan.st> +Link: https://lore.kernel.org/r/20200810082502.225979-1-marcan@marcan.st +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 9c3c03dc96d3..d79e3ddc5690 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3558,6 +3558,62 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + } + } + }, ++{ ++ /* ++ * PIONEER DJ DDJ-RB ++ * PCM is 4 channels out, 2 dummy channels in @ 44.1 fixed ++ * The feedback for the output is the dummy input. ++ */ ++ USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000e), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 4, ++ .iface = 0, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x01, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC| ++ USB_ENDPOINT_SYNC_ASYNC, ++ .rates = SNDRV_PCM_RATE_44100, ++ .rate_min = 44100, ++ .rate_max = 44100, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { 44100 } ++ } ++ }, ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 2, ++ .iface = 0, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x82, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC| ++ USB_ENDPOINT_SYNC_ASYNC| ++ USB_ENDPOINT_USAGE_IMPLICIT_FB, ++ .rates = SNDRV_PCM_RATE_44100, ++ .rate_min = 44100, ++ .rate_max = 44100, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { 44100 } ++ } ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + + #define ALC1220_VB_DESKTOP(vend, prod) { \ + USB_DEVICE(vend, prod), \ +-- +2.27.0 + diff --git a/queue/ALSA-usb-audio-fix-overeager-device-match-for-MacroS.patch b/queue/ALSA-usb-audio-fix-overeager-device-match-for-MacroS.patch new file mode 100644 index 00000000..04e0be9a --- /dev/null +++ b/queue/ALSA-usb-audio-fix-overeager-device-match-for-MacroS.patch @@ -0,0 +1,39 @@ +From 14a720dc1f5332f3bdf30a23a3bc549e81be974c Mon Sep 17 00:00:00 2001 +From: Hector Martin <marcan@marcan.st> +Date: Mon, 10 Aug 2020 13:53:19 +0900 +Subject: [PATCH] ALSA: usb-audio: fix overeager device match for MacroSilicon + MS2109 + +commit 14a720dc1f5332f3bdf30a23a3bc549e81be974c upstream. + +Matching by device matches all interfaces, which breaks the video/HID +portions of the device depending on module load order. + +Fixes: e337bf19f6af ("ALSA: usb-audio: add quirk for MacroSilicon MS2109") +Cc: stable@vger.kernel.org +Signed-off-by: Hector Martin <marcan@marcan.st> +Link: https://lore.kernel.org/r/20200810045319.128745-1-marcan@marcan.st +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index adb3b62afed4..9c3c03dc96d3 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3662,7 +3662,13 @@ ALC1220_VB_DESKTOP(0x26ce, 0x0a01), /* Asrock TRX40 Creator */ + * with. + */ + { +- USB_DEVICE(0x534d, 0x2109), ++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | ++ USB_DEVICE_ID_MATCH_INT_CLASS | ++ USB_DEVICE_ID_MATCH_INT_SUBCLASS, ++ .idVendor = 0x534d, ++ .idProduct = 0x2109, ++ .bInterfaceClass = USB_CLASS_AUDIO, ++ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, + .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { + .vendor_name = "MacroSilicon", + .product_name = "MS2109", +-- +2.27.0 + diff --git a/queue/ALSA-usb-audio-work-around-streaming-quirk-for-Macro.patch b/queue/ALSA-usb-audio-work-around-streaming-quirk-for-Macro.patch new file mode 100644 index 00000000..080ed226 --- /dev/null +++ b/queue/ALSA-usb-audio-work-around-streaming-quirk-for-Macro.patch @@ -0,0 +1,82 @@ +From 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 Mon Sep 17 00:00:00 2001 +From: Hector Martin <marcan@marcan.st> +Date: Mon, 10 Aug 2020 17:24:00 +0900 +Subject: [PATCH] ALSA: usb-audio: work around streaming quirk for MacroSilicon + MS2109 + +commit 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 upstream. + +Further investigation of the L-R swap problem on the MS2109 reveals that +the problem isn't that the channels are swapped, but rather that they +are swapped and also out of phase by one sample. In other words, the +issue is actually that the very first frame that comes from the hardware +is a half-frame containing only the right channel, and after that +everything becomes offset. + +So introduce a new quirk field to drop the very first 2 bytes that come +in after the format is configured and a capture stream starts. This puts +the channels in phase and in the correct order. + +Cc: stable@vger.kernel.org +Signed-off-by: Hector Martin <marcan@marcan.st> +Link: https://lore.kernel.org/r/20200810082400.225858-1-marcan@marcan.st +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/usb/card.h b/sound/usb/card.h +index de43267b9c8a..5351d7183b1b 100644 +--- a/sound/usb/card.h ++++ b/sound/usb/card.h +@@ -137,6 +137,7 @@ struct snd_usb_substream { + unsigned int tx_length_quirk:1; /* add length specifier to transfers */ + unsigned int fmt_type; /* USB audio format type (1-3) */ + unsigned int pkt_offset_adj; /* Bytes to drop from beginning of packets (for non-compliant devices) */ ++ unsigned int stream_offset_adj; /* Bytes to drop from beginning of stream (for non-compliant devices) */ + + unsigned int running: 1; /* running status */ + +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index 415bfec49a01..5600751803cf 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1420,6 +1420,12 @@ static void retire_capture_urb(struct snd_usb_substream *subs, + // continue; + } + bytes = urb->iso_frame_desc[i].actual_length; ++ if (subs->stream_offset_adj > 0) { ++ unsigned int adj = min(subs->stream_offset_adj, bytes); ++ cp += adj; ++ bytes -= adj; ++ subs->stream_offset_adj -= adj; ++ } + frames = bytes / stride; + if (!subs->txfr_quirk) + bytes = frames * stride; +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index c551141f337e..abf99b814a0f 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1495,6 +1495,9 @@ void snd_usb_set_format_quirk(struct snd_usb_substream *subs, + case USB_ID(0x2b73, 0x000a): /* Pioneer DJ DJM-900NXS2 */ + pioneer_djm_set_format_quirk(subs); + break; ++ case USB_ID(0x534d, 0x2109): /* MacroSilicon MS2109 */ ++ subs->stream_offset_adj = 2; ++ break; + } + } + +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index 4d1e6579e54d..ca76ba5b5c0b 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -94,6 +94,7 @@ static void snd_usb_init_substream(struct snd_usb_stream *as, + subs->tx_length_quirk = as->chip->tx_length_quirk; + subs->speed = snd_usb_get_speed(subs->dev); + subs->pkt_offset_adj = 0; ++ subs->stream_offset_adj = 0; + + snd_usb_set_pcm_ops(as->pcm, stream); + +-- +2.27.0 + diff --git a/queue/ARM-8992-1-Fix-unwind_frame-for-clang-built-kernels.patch b/queue/ARM-8992-1-Fix-unwind_frame-for-clang-built-kernels.patch new file mode 100644 index 00000000..63fd984c --- /dev/null +++ b/queue/ARM-8992-1-Fix-unwind_frame-for-clang-built-kernels.patch @@ -0,0 +1,78 @@ +From b4d5ec9b39f8b31d98f65bc5577b5d15d93795d7 Mon Sep 17 00:00:00 2001 +From: Nathan Huckleberry <nhuck@google.com> +Date: Fri, 10 Jul 2020 20:23:37 +0100 +Subject: [PATCH] ARM: 8992/1: Fix unwind_frame for clang-built kernels + +commit b4d5ec9b39f8b31d98f65bc5577b5d15d93795d7 upstream. + +Since clang does not push pc and sp in function prologues, the current +implementation of unwind_frame does not work. By using the previous +frame's lr/fp instead of saved pc/sp we get valid unwinds on clang-built +kernels. + +The bounds check on next frame pointer must be changed as well since +there are 8 less bytes between frames. + +This fixes /proc/<pid>/stack. + +Link: https://github.com/ClangBuiltLinux/linux/issues/912 + +Reported-by: Miles Chen <miles.chen@mediatek.com> +Tested-by: Miles Chen <miles.chen@mediatek.com> +Cc: stable@vger.kernel.org +Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> +Signed-off-by: Nathan Huckleberry <nhuck@google.com> +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> + +diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c +index cc726afea023..76ea4178a55c 100644 +--- a/arch/arm/kernel/stacktrace.c ++++ b/arch/arm/kernel/stacktrace.c +@@ -22,6 +22,19 @@ + * A simple function epilogue looks like this: + * ldm sp, {fp, sp, pc} + * ++ * When compiled with clang, pc and sp are not pushed. A simple function ++ * prologue looks like this when built with clang: ++ * ++ * stmdb {..., fp, lr} ++ * add fp, sp, #x ++ * sub sp, sp, #y ++ * ++ * A simple function epilogue looks like this when built with clang: ++ * ++ * sub sp, fp, #x ++ * ldm {..., fp, pc} ++ * ++ * + * Note that with framepointer enabled, even the leaf functions have the same + * prologue and epilogue, therefore we can ignore the LR value in this case. + */ +@@ -34,6 +47,16 @@ int notrace unwind_frame(struct stackframe *frame) + low = frame->sp; + high = ALIGN(low, THREAD_SIZE); + ++#ifdef CONFIG_CC_IS_CLANG ++ /* check current frame pointer is within bounds */ ++ if (fp < low + 4 || fp > high - 4) ++ return -EINVAL; ++ ++ frame->sp = frame->fp; ++ frame->fp = *(unsigned long *)(fp); ++ frame->pc = frame->lr; ++ frame->lr = *(unsigned long *)(fp + 4); ++#else + /* check current frame pointer is within bounds */ + if (fp < low + 12 || fp > high - 4) + return -EINVAL; +@@ -42,6 +65,7 @@ int notrace unwind_frame(struct stackframe *frame) + frame->fp = *(unsigned long *)(fp - 12); + frame->sp = *(unsigned long *)(fp - 8); + frame->pc = *(unsigned long *)(fp - 4); ++#endif + + return 0; + } +-- +2.27.0 + diff --git a/queue/ARM-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch b/queue/ARM-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch new file mode 100644 index 00000000..fd7e761b --- /dev/null +++ b/queue/ARM-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch @@ -0,0 +1,59 @@ +From f87a4f022c44e5b87e842a9f3e644fba87e8385f Mon Sep 17 00:00:00 2001 +From: yu kuai <yukuai3@huawei.com> +Date: Thu, 4 Jun 2020 20:33:01 +0800 +Subject: [PATCH] ARM: at91: pm: add missing put_device() call in + at91_pm_sram_init() + +commit f87a4f022c44e5b87e842a9f3e644fba87e8385f upstream. + +if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have +a corresponding put_device(). Thus add a jump target to fix the exception +handling for this function implementation. + +Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM") +Signed-off-by: yu kuai <yukuai3@huawei.com> +Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> +Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com + +diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c +index 074bde64064e..2aab043441e8 100644 +--- a/arch/arm/mach-at91/pm.c ++++ b/arch/arm/mach-at91/pm.c +@@ -592,13 +592,13 @@ static void __init at91_pm_sram_init(void) + sram_pool = gen_pool_get(&pdev->dev, NULL); + if (!sram_pool) { + pr_warn("%s: sram pool unavailable!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_base = gen_pool_alloc(sram_pool, at91_pm_suspend_in_sram_sz); + if (!sram_base) { + pr_warn("%s: unable to alloc sram!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_pbase = gen_pool_virt_to_phys(sram_pool, sram_base); +@@ -606,12 +606,17 @@ static void __init at91_pm_sram_init(void) + at91_pm_suspend_in_sram_sz, false); + if (!at91_suspend_sram_fn) { + pr_warn("SRAM: Could not map\n"); +- return; ++ goto out_put_device; + } + + /* Copy the pm suspend handler to SRAM */ + at91_suspend_sram_fn = fncpy(at91_suspend_sram_fn, + &at91_pm_suspend_in_sram, at91_pm_suspend_in_sram_sz); ++ return; ++ ++out_put_device: ++ put_device(&pdev->dev); ++ return; + } + + static bool __init at91_is_pm_mode_active(int pm_mode) +-- +2.27.0 + diff --git a/queue/ARM-dts-gose-Fix-ports-node-name-for-adv7180.patch b/queue/ARM-dts-gose-Fix-ports-node-name-for-adv7180.patch new file mode 100644 index 00000000..ec14834a --- /dev/null +++ b/queue/ARM-dts-gose-Fix-ports-node-name-for-adv7180.patch @@ -0,0 +1,35 @@ +From d344234abde938ae1062edb6c05852b0bafb4a03 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niklas=20S=C3=B6derlund?= + <niklas.soderlund+renesas@ragnatech.se> +Date: Sat, 4 Jul 2020 17:58:55 +0200 +Subject: [PATCH] ARM: dts: gose: Fix ports node name for adv7180 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit d344234abde938ae1062edb6c05852b0bafb4a03 upstream. + +When adding the adv7180 device node the ports node was misspelled as +port, fix this. + +Fixes: 8cae359049a88b75 ("ARM: dts: gose: add composite video input") +Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se> +Link: https://lore.kernel.org/r/20200704155856.3037010-2-niklas.soderlund+renesas@ragnatech.se +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> + +diff --git a/arch/arm/boot/dts/r8a7793-gose.dts b/arch/arm/boot/dts/r8a7793-gose.dts +index 79baf06019f5..a378b54867bb 100644 +--- a/arch/arm/boot/dts/r8a7793-gose.dts ++++ b/arch/arm/boot/dts/r8a7793-gose.dts +@@ -336,7 +336,7 @@ composite-in@20 { + reg = <0x20>; + remote = <&vin1>; + +- port { ++ ports { + #address-cells = <1>; + #size-cells = <0>; + +-- +2.27.0 + diff --git a/queue/ARM-dts-gose-Fix-ports-node-name-for-adv7612.patch b/queue/ARM-dts-gose-Fix-ports-node-name-for-adv7612.patch new file mode 100644 index 00000000..20308cfb --- /dev/null +++ b/queue/ARM-dts-gose-Fix-ports-node-name-for-adv7612.patch @@ -0,0 +1,35 @@ +From 59692ac5a7bb8c97ff440fc8917828083fbc38d6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niklas=20S=C3=B6derlund?= + <niklas.soderlund+renesas@ragnatech.se> +Date: Mon, 13 Jul 2020 13:10:16 +0200 +Subject: [PATCH] ARM: dts: gose: Fix ports node name for adv7612 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 59692ac5a7bb8c97ff440fc8917828083fbc38d6 upstream. + +When adding the adv7612 device node the ports node was misspelled as +port, fix this. + +Fixes: bc63cd87f3ce924f ("ARM: dts: gose: add HDMI input") +Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se> +Link: https://lore.kernel.org/r/20200713111016.523189-1-niklas.soderlund+renesas@ragnatech.se +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> + +diff --git a/arch/arm/boot/dts/r8a7793-gose.dts b/arch/arm/boot/dts/r8a7793-gose.dts +index 31fd3e9ae33e..abf487e8fe0f 100644 +--- a/arch/arm/boot/dts/r8a7793-gose.dts ++++ b/arch/arm/boot/dts/r8a7793-gose.dts +@@ -393,7 +393,7 @@ hdmi-in@4c { + interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + default-input = <0>; + +- port { ++ ports { + #address-cells = <1>; + #size-cells = <0>; + +-- +2.27.0 + diff --git a/queue/ARM-dts-sunxi-bananapi-m2-plus-v1.2-Add-regulator-su.patch b/queue/ARM-dts-sunxi-bananapi-m2-plus-v1.2-Add-regulator-su.patch new file mode 100644 index 00000000..d94179bc --- /dev/null +++ b/queue/ARM-dts-sunxi-bananapi-m2-plus-v1.2-Add-regulator-su.patch @@ -0,0 +1,44 @@ +From 55b271af765b0e03d1ff29502f81644b1a3c87fd Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai <wens@csie.org> +Date: Sat, 18 Jul 2020 00:00:47 +0800 +Subject: [PATCH] ARM: dts: sunxi: bananapi-m2-plus-v1.2: Add regulator supply + to all CPU cores + +commit 55b271af765b0e03d1ff29502f81644b1a3c87fd upstream. + +The device tree currently only assigns the a supply for the first CPU +core, when in reality the regulator supply is shared by all four cores. +This might cause an issue if the implementation does not realize the +sharing of the supply. + +Assign the same regulator supply to the remaining CPU cores to address +this. + +Fixes: 6eeb4180d4b9 ("ARM: dts: sunxi: h3-h5: Add Bananapi M2+ v1.2 device trees") +Signed-off-by: Chen-Yu Tsai <wens@csie.org> +Signed-off-by: Maxime Ripard <maxime@cerno.tech> +Link: https://lore.kernel.org/r/20200717160053.31191-3-wens@kernel.org + +diff --git a/arch/arm/boot/dts/sunxi-bananapi-m2-plus-v1.2.dtsi b/arch/arm/boot/dts/sunxi-bananapi-m2-plus-v1.2.dtsi +index 22466afd38a3..a628b5ee72b6 100644 +--- a/arch/arm/boot/dts/sunxi-bananapi-m2-plus-v1.2.dtsi ++++ b/arch/arm/boot/dts/sunxi-bananapi-m2-plus-v1.2.dtsi +@@ -28,3 +28,15 @@ reg_vdd_cpux: vdd-cpux { + &cpu0 { + cpu-supply = <®_vdd_cpux>; + }; ++ ++&cpu1 { ++ cpu-supply = <®_vdd_cpux>; ++}; ++ ++&cpu2 { ++ cpu-supply = <®_vdd_cpux>; ++}; ++ ++&cpu3 { ++ cpu-supply = <®_vdd_cpux>; ++}; +-- +2.27.0 + diff --git a/queue/ARM-dts-sunxi-bananapi-m2-plus-v1.2-Fix-CPU-supply-v.patch b/queue/ARM-dts-sunxi-bananapi-m2-plus-v1.2-Fix-CPU-supply-v.patch new file mode 100644 index 00000000..896121a0 --- /dev/null +++ b/queue/ARM-dts-sunxi-bananapi-m2-plus-v1.2-Fix-CPU-supply-v.patch @@ -0,0 +1,44 @@ +From e4dae01bf08b754de79072441c357737220b873f Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai <wens@csie.org> +Date: Sat, 18 Jul 2020 00:00:48 +0800 +Subject: [PATCH] ARM: dts: sunxi: bananapi-m2-plus-v1.2: Fix CPU supply + voltages + +commit e4dae01bf08b754de79072441c357737220b873f upstream. + +The Bananapi M2+ uses a GPIO line to change the effective resistance of +the CPU supply regulator's feedback resistor network. The voltages +described in the device tree were given directly by the vendor. This +turns out to be slightly off compared to the real values. + +The updated voltages are based on calculations of the feedback resistor +network, and verified down to three decimal places with a multi-meter. + +Fixes: 6eeb4180d4b9 ("ARM: dts: sunxi: h3-h5: Add Bananapi M2+ v1.2 device trees") +Signed-off-by: Chen-Yu Tsai <wens@csie.org> +Signed-off-by: Maxime Ripard <maxime@cerno.tech> +Link: https://lore.kernel.org/r/20200717160053.31191-4-wens@kernel.org + +diff --git a/arch/arm/boot/dts/sunxi-bananapi-m2-plus-v1.2.dtsi b/arch/arm/boot/dts/sunxi-bananapi-m2-plus-v1.2.dtsi +index a628b5ee72b6..235994a4a2eb 100644 +--- a/arch/arm/boot/dts/sunxi-bananapi-m2-plus-v1.2.dtsi ++++ b/arch/arm/boot/dts/sunxi-bananapi-m2-plus-v1.2.dtsi +@@ -16,12 +16,12 @@ reg_vdd_cpux: vdd-cpux { + regulator-type = "voltage"; + regulator-boot-on; + regulator-always-on; +- regulator-min-microvolt = <1100000>; +- regulator-max-microvolt = <1300000>; ++ regulator-min-microvolt = <1108475>; ++ regulator-max-microvolt = <1308475>; + regulator-ramp-delay = <50>; /* 4ms */ + gpios = <&r_pio 0 1 GPIO_ACTIVE_HIGH>; /* PL1 */ + gpios-states = <0x1>; +- states = <1100000 0>, <1300000 1>; ++ states = <1108475 0>, <1308475 1>; + }; + }; + +-- +2.27.0 + diff --git a/queue/ARM-exynos-MCPM-Restore-big.LITTLE-cpuidle-support.patch b/queue/ARM-exynos-MCPM-Restore-big.LITTLE-cpuidle-support.patch new file mode 100644 index 00000000..2f84cfd3 --- /dev/null +++ b/queue/ARM-exynos-MCPM-Restore-big.LITTLE-cpuidle-support.patch @@ -0,0 +1,66 @@ +From ea9dd8f61c8a890843f68e8dc0062ce78365aab8 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski <m.szyprowski@samsung.com> +Date: Mon, 29 Jun 2020 12:02:18 +0200 +Subject: [PATCH] ARM: exynos: MCPM: Restore big.LITTLE cpuidle support + +commit ea9dd8f61c8a890843f68e8dc0062ce78365aab8 upstream. + +Call exynos_cpu_power_up(cpunr) unconditionally. This is needed by the +big.LITTLE cpuidle driver and has no side-effects on other code paths. + +The additional soft-reset call during little core power up has been added +to properly boot all cores on the Exynos5422-based boards with secure +firmware (like Odroid XU3/XU4 family). This however broke big.LITTLE +CPUidle driver, which worked only on boards without secure firmware (like +Peach-Pit/Pi Chromebooks). Apply the workaround only when board is +running under secure firmware. + +Fixes: 833b5794e330 ("ARM: EXYNOS: reset Little cores when cpu is up") +Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> +Reviewed-by: Lukasz Luba <lukasz.luba@arm.com> +Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> + +diff --git a/arch/arm/mach-exynos/mcpm-exynos.c b/arch/arm/mach-exynos/mcpm-exynos.c +index 9a681b421ae1..cd861c57d5ad 100644 +--- a/arch/arm/mach-exynos/mcpm-exynos.c ++++ b/arch/arm/mach-exynos/mcpm-exynos.c +@@ -26,6 +26,7 @@ + #define EXYNOS5420_USE_L2_COMMON_UP_STATE BIT(30) + + static void __iomem *ns_sram_base_addr __ro_after_init; ++static bool secure_firmware __ro_after_init; + + /* + * The common v7_exit_coherency_flush API could not be used because of the +@@ -58,15 +59,16 @@ static void __iomem *ns_sram_base_addr __ro_after_init; + static int exynos_cpu_powerup(unsigned int cpu, unsigned int cluster) + { + unsigned int cpunr = cpu + (cluster * EXYNOS5420_CPUS_PER_CLUSTER); ++ bool state; + + pr_debug("%s: cpu %u cluster %u\n", __func__, cpu, cluster); + if (cpu >= EXYNOS5420_CPUS_PER_CLUSTER || + cluster >= EXYNOS5420_NR_CLUSTERS) + return -EINVAL; + +- if (!exynos_cpu_power_state(cpunr)) { +- exynos_cpu_power_up(cpunr); +- ++ state = exynos_cpu_power_state(cpunr); ++ exynos_cpu_power_up(cpunr); ++ if (!state && secure_firmware) { + /* + * This assumes the cluster number of the big cores(Cortex A15) + * is 0 and the Little cores(Cortex A7) is 1. +@@ -258,6 +260,8 @@ static int __init exynos_mcpm_init(void) + return -ENOMEM; + } + ++ secure_firmware = exynos_secure_firmware_available(); ++ + /* + * To increase the stability of KFC reset we need to program + * the PMU SPARE3 register +-- +2.27.0 + diff --git a/queue/ARM-socfpga-PM-add-missing-put_device-call-in-socfpg.patch b/queue/ARM-socfpga-PM-add-missing-put_device-call-in-socfpg.patch new file mode 100644 index 00000000..86599b4e --- /dev/null +++ b/queue/ARM-socfpga-PM-add-missing-put_device-call-in-socfpg.patch @@ -0,0 +1,58 @@ +From 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 Mon Sep 17 00:00:00 2001 +From: Yu Kuai <yukuai3@huawei.com> +Date: Tue, 21 Jul 2020 21:45:51 +0800 +Subject: [PATCH] ARM: socfpga: PM: add missing put_device() call in + socfpga_setup_ocram_self_refresh() + +commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 upstream. + +if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh +doesn't have a corresponding put_device(). Thus add a jump target to +fix the exception handling for this function implementation. + +Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram") +Signed-off-by: Yu Kuai <yukuai3@huawei.com> +Signed-off-by: Dinh Nguyen <dinguyen@kernel.org> + +diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c +index 6ed887cf8dc9..365c0428b21b 100644 +--- a/arch/arm/mach-socfpga/pm.c ++++ b/arch/arm/mach-socfpga/pm.c +@@ -49,14 +49,14 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!ocram_pool) { + pr_warn("%s: ocram pool unavailable!\n", __func__); + ret = -ENODEV; +- goto put_node; ++ goto put_device; + } + + ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz); + if (!ocram_base) { + pr_warn("%s: unable to alloc ocram!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base); +@@ -67,7 +67,7 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!suspend_ocram_base) { + pr_warn("%s: __arm_ioremap_exec failed!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + /* Copy the code that puts DDR in self refresh to ocram */ +@@ -81,6 +81,8 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!socfpga_sdram_self_refresh_in_ocram) + ret = -EFAULT; + ++put_device: ++ put_device(&pdev->dev); + put_node: + of_node_put(np); + +-- +2.27.0 + diff --git a/queue/ASoC-Intel-bxt_rt298-add-missing-.owner-field.patch b/queue/ASoC-Intel-bxt_rt298-add-missing-.owner-field.patch new file mode 100644 index 00000000..1524ba02 --- /dev/null +++ b/queue/ASoC-Intel-bxt_rt298-add-missing-.owner-field.patch @@ -0,0 +1,44 @@ +From 88cee34b776f80d2da04afb990c2a28c36799c43 Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> +Date: Thu, 25 Jun 2020 14:12:55 -0500 +Subject: [PATCH] ASoC: Intel: bxt_rt298: add missing .owner field + +commit 88cee34b776f80d2da04afb990c2a28c36799c43 upstream. + +This field is required for ASoC cards. Not setting it will result in a +module->name pointer being NULL and generate problems such as + +cat /proc/asound/modules + 0 (efault) + +Fixes: 76016322ec56 ('ASoC: Intel: Add Broxton-P machine driver') +Reported-by: Jaroslav Kysela <perex@perex.cz> +Suggested-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> +Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com> +Link: https://lore.kernel.org/r/20200625191308.3322-5-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c +index 7a4decf34191..c84c60df17db 100644 +--- a/sound/soc/intel/boards/bxt_rt298.c ++++ b/sound/soc/intel/boards/bxt_rt298.c +@@ -565,6 +565,7 @@ static int bxt_card_late_probe(struct snd_soc_card *card) + /* broxton audio machine driver for SPT + RT298S */ + static struct snd_soc_card broxton_rt298 = { + .name = "broxton-rt298", ++ .owner = THIS_MODULE, + .dai_link = broxton_rt298_dais, + .num_links = ARRAY_SIZE(broxton_rt298_dais), + .controls = broxton_controls, +@@ -580,6 +581,7 @@ static struct snd_soc_card broxton_rt298 = { + + static struct snd_soc_card geminilake_rt298 = { + .name = "geminilake-rt298", ++ .owner = THIS_MODULE, + .dai_link = broxton_rt298_dais, + .num_links = ARRAY_SIZE(broxton_rt298_dais), + .controls = broxton_controls, +-- +2.27.0 + diff --git a/queue/ASoC-SOF-nocodec-add-missing-.owner-field.patch b/queue/ASoC-SOF-nocodec-add-missing-.owner-field.patch new file mode 100644 index 00000000..65db6319 --- /dev/null +++ b/queue/ASoC-SOF-nocodec-add-missing-.owner-field.patch @@ -0,0 +1,36 @@ +From 8753889e2720c1ef7ebf03370e384f5bf5ff4fab Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> +Date: Thu, 25 Jun 2020 14:12:52 -0500 +Subject: [PATCH] ASoC: SOF: nocodec: add missing .owner field + +commit 8753889e2720c1ef7ebf03370e384f5bf5ff4fab upstream. + +This field is required for ASoC cards. Not setting it will result in a +module->name pointer being NULL and generate problems such as + +cat /proc/asound/modules + 0 (efault) + +Fixes: 8017b8fd37bf ('ASoC: SOF: Add Nocodec machine driver support') +Reported-by: Jaroslav Kysela <perex@perex.cz> +Suggested-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> +Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com> +Link: https://lore.kernel.org/r/20200625191308.3322-2-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/sound/soc/sof/nocodec.c b/sound/soc/sof/nocodec.c +index d03b5be31255..9e922df6a710 100644 +--- a/sound/soc/sof/nocodec.c ++++ b/sound/soc/sof/nocodec.c +@@ -14,6 +14,7 @@ + + static struct snd_soc_card sof_nocodec_card = { + .name = "nocodec", /* the sof- prefix is added by the core */ ++ .owner = THIS_MODULE + }; + + static int sof_nocodec_bes_setup(struct device *dev, +-- +2.27.0 + diff --git a/queue/ASoC-fsl_sai-Fix-value-of-FSL_SAI_CR1_RFW_MASK.patch b/queue/ASoC-fsl_sai-Fix-value-of-FSL_SAI_CR1_RFW_MASK.patch new file mode 100644 index 00000000..08a7fb85 --- /dev/null +++ b/queue/ASoC-fsl_sai-Fix-value-of-FSL_SAI_CR1_RFW_MASK.patch @@ -0,0 +1,54 @@ +From 5aef1ff2397d021f93d874b57dff032fdfac73de Mon Sep 17 00:00:00 2001 +From: Shengjiu Wang <shengjiu.wang@nxp.com> +Date: Fri, 31 Jul 2020 14:28:15 +0800 +Subject: [PATCH] ASoC: fsl_sai: Fix value of FSL_SAI_CR1_RFW_MASK + +commit 5aef1ff2397d021f93d874b57dff032fdfac73de upstream. + +The fifo_depth is 64 on i.MX8QM/i.MX8QXP, 128 on i.MX8MQ, 16 on +i.MX7ULP. + +Original FSL_SAI_CR1_RFW_MASK value 0x1F is not suitable for +these platform, the FIFO watermark mask should be updated +according to the fifo_depth. + +Fixes: a860fac42097 ("ASoC: fsl_sai: Add support for imx7ulp/imx8mq") +Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com> +Reviewed-by: Fabio Estevam <festevam@gmail.com> +Link: https://lore.kernel.org/r/1596176895-28724-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 9d436b0c5718..7031869a023a 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -680,10 +680,11 @@ static int fsl_sai_dai_probe(struct snd_soc_dai *cpu_dai) + regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), 0); + + regmap_update_bits(sai->regmap, FSL_SAI_TCR1(ofs), +- FSL_SAI_CR1_RFW_MASK, ++ FSL_SAI_CR1_RFW_MASK(sai->soc_data->fifo_depth), + sai->soc_data->fifo_depth - FSL_SAI_MAXBURST_TX); + regmap_update_bits(sai->regmap, FSL_SAI_RCR1(ofs), +- FSL_SAI_CR1_RFW_MASK, FSL_SAI_MAXBURST_RX - 1); ++ FSL_SAI_CR1_RFW_MASK(sai->soc_data->fifo_depth), ++ FSL_SAI_MAXBURST_RX - 1); + + snd_soc_dai_init_dma_data(cpu_dai, &sai->dma_params_tx, + &sai->dma_params_rx); +diff --git a/sound/soc/fsl/fsl_sai.h b/sound/soc/fsl/fsl_sai.h +index 76b15deea80c..6aba7d28f5f3 100644 +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -94,7 +94,7 @@ + #define FSL_SAI_CSR_FRDE BIT(0) + + /* SAI Transmit and Receive Configuration 1 Register */ +-#define FSL_SAI_CR1_RFW_MASK 0x1f ++#define FSL_SAI_CR1_RFW_MASK(x) ((x) - 1) + + /* SAI Transmit and Receive Configuration 2 Register */ + #define FSL_SAI_CR2_SYNC BIT(30) +-- +2.27.0 + diff --git a/queue/ASoC-meson-axg-tdm-formatters-fix-sclk-inversion.patch b/queue/ASoC-meson-axg-tdm-formatters-fix-sclk-inversion.patch new file mode 100644 index 00000000..f7bc3497 --- /dev/null +++ b/queue/ASoC-meson-axg-tdm-formatters-fix-sclk-inversion.patch @@ -0,0 +1,112 @@ +From 0d3f01dcdc234001f979a0af0b6b31cb9f25b6c1 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet <jbrunet@baylibre.com> +Date: Wed, 29 Jul 2020 17:44:55 +0200 +Subject: [PATCH] ASoC: meson: axg-tdm-formatters: fix sclk inversion + +commit 0d3f01dcdc234001f979a0af0b6b31cb9f25b6c1 upstream. + +After carefully checking, it appears that both tdmout and tdmin require the +rising edge of the sclk they get to be synchronized with the frame sync +event (which should be a rising edge of lrclk). + +TDMIN was improperly set before this patch. Remove the sclk_invert quirk +which is no longer needed and fix the sclk phase. + +Fixes: 1a11d88f499c ("ASoC: meson: add tdm formatter base driver") +Signed-off-by: Jerome Brunet <jbrunet@baylibre.com> +Link: https://lore.kernel.org/r/20200729154456.1983396-4-jbrunet@baylibre.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/sound/soc/meson/axg-tdm-formatter.c b/sound/soc/meson/axg-tdm-formatter.c +index 358c8c0d861c..f7e8e9da68a0 100644 +--- a/sound/soc/meson/axg-tdm-formatter.c ++++ b/sound/soc/meson/axg-tdm-formatter.c +@@ -70,7 +70,7 @@ EXPORT_SYMBOL_GPL(axg_tdm_formatter_set_channel_masks); + static int axg_tdm_formatter_enable(struct axg_tdm_formatter *formatter) + { + struct axg_tdm_stream *ts = formatter->stream; +- bool invert = formatter->drv->quirks->invert_sclk; ++ bool invert; + int ret; + + /* Do nothing if the formatter is already enabled */ +@@ -96,11 +96,12 @@ static int axg_tdm_formatter_enable(struct axg_tdm_formatter *formatter) + return ret; + + /* +- * If sclk is inverted, invert it back and provide the inversion +- * required by the formatter ++ * If sclk is inverted, it means the bit should latched on the ++ * rising edge which is what our HW expects. If not, we need to ++ * invert it before the formatter. + */ +- invert ^= axg_tdm_sclk_invert(ts->iface->fmt); +- ret = clk_set_phase(formatter->sclk, invert ? 180 : 0); ++ invert = axg_tdm_sclk_invert(ts->iface->fmt); ++ ret = clk_set_phase(formatter->sclk, invert ? 0 : 180); + if (ret) + return ret; + +diff --git a/sound/soc/meson/axg-tdm-formatter.h b/sound/soc/meson/axg-tdm-formatter.h +index 9ef98e955cb2..a1f0dcc0ff13 100644 +--- a/sound/soc/meson/axg-tdm-formatter.h ++++ b/sound/soc/meson/axg-tdm-formatter.h +@@ -16,7 +16,6 @@ struct snd_kcontrol; + + struct axg_tdm_formatter_hw { + unsigned int skew_offset; +- bool invert_sclk; + }; + + struct axg_tdm_formatter_ops { +diff --git a/sound/soc/meson/axg-tdmin.c b/sound/soc/meson/axg-tdmin.c +index 3d002b4eb939..88ed95ae886b 100644 +--- a/sound/soc/meson/axg-tdmin.c ++++ b/sound/soc/meson/axg-tdmin.c +@@ -228,7 +228,6 @@ static const struct axg_tdm_formatter_driver axg_tdmin_drv = { + .regmap_cfg = &axg_tdmin_regmap_cfg, + .ops = &axg_tdmin_ops, + .quirks = &(const struct axg_tdm_formatter_hw) { +- .invert_sclk = false, + .skew_offset = 2, + }, + }; +@@ -238,7 +237,6 @@ static const struct axg_tdm_formatter_driver g12a_tdmin_drv = { + .regmap_cfg = &axg_tdmin_regmap_cfg, + .ops = &axg_tdmin_ops, + .quirks = &(const struct axg_tdm_formatter_hw) { +- .invert_sclk = false, + .skew_offset = 3, + }, + }; +diff --git a/sound/soc/meson/axg-tdmout.c b/sound/soc/meson/axg-tdmout.c +index 418ec314b37d..3ceabddae629 100644 +--- a/sound/soc/meson/axg-tdmout.c ++++ b/sound/soc/meson/axg-tdmout.c +@@ -238,7 +238,6 @@ static const struct axg_tdm_formatter_driver axg_tdmout_drv = { + .regmap_cfg = &axg_tdmout_regmap_cfg, + .ops = &axg_tdmout_ops, + .quirks = &(const struct axg_tdm_formatter_hw) { +- .invert_sclk = true, + .skew_offset = 1, + }, + }; +@@ -248,7 +247,6 @@ static const struct axg_tdm_formatter_driver g12a_tdmout_drv = { + .regmap_cfg = &axg_tdmout_regmap_cfg, + .ops = &axg_tdmout_ops, + .quirks = &(const struct axg_tdm_formatter_hw) { +- .invert_sclk = true, + .skew_offset = 2, + }, + }; +@@ -309,7 +307,6 @@ static const struct axg_tdm_formatter_driver sm1_tdmout_drv = { + .regmap_cfg = &axg_tdmout_regmap_cfg, + .ops = &axg_tdmout_ops, + .quirks = &(const struct axg_tdm_formatter_hw) { +- .invert_sclk = true, + .skew_offset = 2, + }, + }; +-- +2.27.0 + diff --git a/queue/ASoC-meson-axg-tdm-interface-fix-link-fmt-setup.patch b/queue/ASoC-meson-axg-tdm-interface-fix-link-fmt-setup.patch new file mode 100644 index 00000000..dcadb660 --- /dev/null +++ b/queue/ASoC-meson-axg-tdm-interface-fix-link-fmt-setup.patch @@ -0,0 +1,69 @@ +From 6878ba91ce84f7a07887a0615af70f969508839f Mon Sep 17 00:00:00 2001 +From: Jerome Brunet <jbrunet@baylibre.com> +Date: Wed, 29 Jul 2020 17:44:53 +0200 +Subject: [PATCH] ASoC: meson: axg-tdm-interface: fix link fmt setup + +commit 6878ba91ce84f7a07887a0615af70f969508839f upstream. + +The .set_fmt() callback of the axg tdm interface incorrectly +test the content of SND_SOC_DAIFMT_MASTER_MASK as if it was a +bitfield, which it is not. + +Implement the test correctly. + +Fixes: d60e4f1e4be5 ("ASoC: meson: add tdm interface driver") +Signed-off-by: Jerome Brunet <jbrunet@baylibre.com> +Link: https://lore.kernel.org/r/20200729154456.1983396-2-jbrunet@baylibre.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c +index 6de27238e9df..36df30915378 100644 +--- a/sound/soc/meson/axg-tdm-interface.c ++++ b/sound/soc/meson/axg-tdm-interface.c +@@ -119,18 +119,25 @@ static int axg_tdm_iface_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + { + struct axg_tdm_iface *iface = snd_soc_dai_get_drvdata(dai); + +- /* These modes are not supported */ +- if (fmt & (SND_SOC_DAIFMT_CBS_CFM | SND_SOC_DAIFMT_CBM_CFS)) { ++ switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) { ++ case SND_SOC_DAIFMT_CBS_CFS: ++ if (!iface->mclk) { ++ dev_err(dai->dev, "cpu clock master: mclk missing\n"); ++ return -ENODEV; ++ } ++ break; ++ ++ case SND_SOC_DAIFMT_CBM_CFM: ++ break; ++ ++ case SND_SOC_DAIFMT_CBS_CFM: ++ case SND_SOC_DAIFMT_CBM_CFS: + dev_err(dai->dev, "only CBS_CFS and CBM_CFM are supported\n"); ++ /* Fall-through */ ++ default: + return -EINVAL; + } + +- /* If the TDM interface is the clock master, it requires mclk */ +- if (!iface->mclk && (fmt & SND_SOC_DAIFMT_CBS_CFS)) { +- dev_err(dai->dev, "cpu clock master: mclk missing\n"); +- return -ENODEV; +- } +- + iface->fmt = fmt; + return 0; + } +@@ -319,7 +326,8 @@ static int axg_tdm_iface_hw_params(struct snd_pcm_substream *substream, + if (ret) + return ret; + +- if (iface->fmt & SND_SOC_DAIFMT_CBS_CFS) { ++ if ((iface->fmt & SND_SOC_DAIFMT_MASTER_MASK) == ++ SND_SOC_DAIFMT_CBS_CFS) { + ret = axg_tdm_iface_set_sclk(dai, params); + if (ret) + return ret; +-- +2.27.0 + diff --git a/queue/ASoC-meson-axg-tdmin-fix-g12a-skew.patch b/queue/ASoC-meson-axg-tdmin-fix-g12a-skew.patch new file mode 100644 index 00000000..391c641b --- /dev/null +++ b/queue/ASoC-meson-axg-tdmin-fix-g12a-skew.patch @@ -0,0 +1,50 @@ +From 80a254394fcfe55450b0351da298ca7231889219 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet <jbrunet@baylibre.com> +Date: Wed, 29 Jul 2020 17:44:54 +0200 +Subject: [PATCH] ASoC: meson: axg-tdmin: fix g12a skew + +commit 80a254394fcfe55450b0351da298ca7231889219 upstream. + +After carefully checking the result provided by the TDMIN on the g12a and +sm1 SoC families, the TDMIN skew offset appears to be 3 instead of 2 on the +axg. + +Fixes: f01bc67f58fd ("ASoC: meson: axg-tdm-formatter: rework quirks settings") +Signed-off-by: Jerome Brunet <jbrunet@baylibre.com> +Link: https://lore.kernel.org/r/20200729154456.1983396-3-jbrunet@baylibre.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/sound/soc/meson/axg-tdmin.c b/sound/soc/meson/axg-tdmin.c +index 973d4c02ef8d..3d002b4eb939 100644 +--- a/sound/soc/meson/axg-tdmin.c ++++ b/sound/soc/meson/axg-tdmin.c +@@ -233,10 +233,26 @@ static const struct axg_tdm_formatter_driver axg_tdmin_drv = { + }, + }; + ++static const struct axg_tdm_formatter_driver g12a_tdmin_drv = { ++ .component_drv = &axg_tdmin_component_drv, ++ .regmap_cfg = &axg_tdmin_regmap_cfg, ++ .ops = &axg_tdmin_ops, ++ .quirks = &(const struct axg_tdm_formatter_hw) { ++ .invert_sclk = false, ++ .skew_offset = 3, ++ }, ++}; ++ + static const struct of_device_id axg_tdmin_of_match[] = { + { + .compatible = "amlogic,axg-tdmin", + .data = &axg_tdmin_drv, ++ }, { ++ .compatible = "amlogic,g12a-tdmin", ++ .data = &g12a_tdmin_drv, ++ }, { ++ .compatible = "amlogic,sm1-tdmin", ++ .data = &g12a_tdmin_drv, + }, {} + }; + MODULE_DEVICE_TABLE(of, axg_tdmin_of_match); +-- +2.27.0 + diff --git a/queue/ASoC-meson-fixes-the-missed-kfree-for-axg_card_add_t.patch b/queue/ASoC-meson-fixes-the-missed-kfree-for-axg_card_add_t.patch new file mode 100644 index 00000000..8c6846cb --- /dev/null +++ b/queue/ASoC-meson-fixes-the-missed-kfree-for-axg_card_add_t.patch @@ -0,0 +1,34 @@ +From bd054ece7d9cdd88e900df6625e951a01d9f655e Mon Sep 17 00:00:00 2001 +From: Jing Xiangfeng <jingxiangfeng@huawei.com> +Date: Fri, 17 Jul 2020 16:22:42 +0800 +Subject: [PATCH] ASoC: meson: fixes the missed kfree() for + axg_card_add_tdm_loopback + +commit bd054ece7d9cdd88e900df6625e951a01d9f655e upstream. + +axg_card_add_tdm_loopback() misses to call kfree() in an error path. We +can use devm_kasprintf() to fix the issue, also improve maintainability. +So use it instead. + +Fixes: c84836d7f650 ("ASoC: meson: axg-card: use modern dai_link style") +Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com> +Reviewed-by: Jerome Brunet <jbrunet@baylibre.com> +Link: https://lore.kernel.org/r/20200717082242.130627-1-jingxiangfeng@huawei.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/sound/soc/meson/axg-card.c b/sound/soc/meson/axg-card.c +index 89f7f64747cd..47f2d93224fe 100644 +--- a/sound/soc/meson/axg-card.c ++++ b/sound/soc/meson/axg-card.c +@@ -116,7 +116,7 @@ static int axg_card_add_tdm_loopback(struct snd_soc_card *card, + + lb = &card->dai_link[*index + 1]; + +- lb->name = kasprintf(GFP_KERNEL, "%s-lb", pad->name); ++ lb->name = devm_kasprintf(card->dev, GFP_KERNEL, "%s-lb", pad->name); + if (!lb->name) + return -ENOMEM; + +-- +2.27.0 + diff --git a/queue/Bluetooth-add-a-mutex-lock-to-avoid-UAF-in-do_enale_.patch b/queue/Bluetooth-add-a-mutex-lock-to-avoid-UAF-in-do_enale_.patch new file mode 100644 index 00000000..dd220d29 --- /dev/null +++ b/queue/Bluetooth-add-a-mutex-lock-to-avoid-UAF-in-do_enale_.patch @@ -0,0 +1,136 @@ +From f9c70bdc279b191da8d60777c627702c06e4a37d Mon Sep 17 00:00:00 2001 +From: Lihong Kou <koulihong@huawei.com> +Date: Tue, 23 Jun 2020 20:28:41 +0800 +Subject: [PATCH] Bluetooth: add a mutex lock to avoid UAF in do_enale_set + +commit f9c70bdc279b191da8d60777c627702c06e4a37d upstream. + +In the case we set or free the global value listen_chan in +different threads, we can encounter the UAF problems because +the method is not protected by any lock, add one to avoid +this bug. + +BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 +net/bluetooth/l2cap_core.c:730 +Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868 + +CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS Google 01/01/2011 +Workqueue: events do_enable_set +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1fb/0x318 lib/dump_stack.c:118 + print_address_description+0x74/0x5c0 mm/kasan/report.c:374 + __kasan_report+0x149/0x1c0 mm/kasan/report.c:506 + kasan_report+0x26/0x50 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730 + do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +Allocated by task 2870: + save_stack mm/kasan/common.c:72 [inline] + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446 + chan_create net/bluetooth/6lowpan.c:640 [inline] + bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline] + do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +Freed by task 2870: + save_stack mm/kasan/common.c:72 [inline] + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10d/0x220 mm/slab.c:3757 + l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline] + kref_put include/linux/kref.h:65 [inline] + l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498 + do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +The buggy address belongs to the object at ffff888096950000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 0 bytes inside of + 2048-byte region [ffff888096950000, ffff888096950800) +The buggy address belongs to the page: +page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00 +raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com +Signed-off-by: Lihong Kou <koulihong@huawei.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index bb55d92691b0..cff4944d5b66 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -50,6 +50,7 @@ static bool enable_6lowpan; + /* We are listening incoming connections via this channel + */ + static struct l2cap_chan *listen_chan; ++static DEFINE_MUTEX(set_lock); + + struct lowpan_peer { + struct list_head list; +@@ -1078,12 +1079,14 @@ static void do_enable_set(struct work_struct *work) + + enable_6lowpan = set_enable->flag; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + } + + listen_chan = bt_6lowpan_listen(); ++ mutex_unlock(&set_lock); + + kfree(set_enable); + } +@@ -1135,11 +1138,13 @@ static ssize_t lowpan_control_write(struct file *fp, + if (ret == -EINVAL) + return ret; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + listen_chan = NULL; + } ++ mutex_unlock(&set_lock); + + if (conn) { + struct lowpan_peer *peer; +-- +2.27.0 + diff --git a/queue/Bluetooth-btmtksdio-fix-up-firmware-download-sequenc.patch b/queue/Bluetooth-btmtksdio-fix-up-firmware-download-sequenc.patch new file mode 100644 index 00000000..ec0b1135 --- /dev/null +++ b/queue/Bluetooth-btmtksdio-fix-up-firmware-download-sequenc.patch @@ -0,0 +1,53 @@ +From 737cd06072a72e8984e41af8e5919338d0c5bf2b Mon Sep 17 00:00:00 2001 +From: Sean Wang <sean.wang@mediatek.com> +Date: Fri, 19 Jun 2020 19:52:02 +0000 +Subject: [PATCH] Bluetooth: btmtksdio: fix up firmware download sequence + +commit 737cd06072a72e8984e41af8e5919338d0c5bf2b upstream. + +Data RAM on the device have to be powered on before starting to download +the firmware. + +Fixes: 9aebfd4a2200 ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices") +Co-developed-by: Mark Chen <Mark-YW.Chen@mediatek.com> +Signed-off-by: Mark Chen <Mark-YW.Chen@mediatek.com> +Signed-off-by: Sean Wang <sean.wang@mediatek.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c +index 519788c442ca..11494cd2a982 100644 +--- a/drivers/bluetooth/btmtksdio.c ++++ b/drivers/bluetooth/btmtksdio.c +@@ -685,7 +685,7 @@ static int mtk_setup_firmware(struct hci_dev *hdev, const char *fwname) + const u8 *fw_ptr; + size_t fw_size; + int err, dlen; +- u8 flag; ++ u8 flag, param; + + err = request_firmware(&fw, fwname, &hdev->dev); + if (err < 0) { +@@ -693,6 +693,20 @@ static int mtk_setup_firmware(struct hci_dev *hdev, const char *fwname) + return err; + } + ++ /* Power on data RAM the firmware relies on. */ ++ param = 1; ++ wmt_params.op = MTK_WMT_FUNC_CTRL; ++ wmt_params.flag = 3; ++ wmt_params.dlen = sizeof(param); ++ wmt_params.data = ¶m; ++ wmt_params.status = NULL; ++ ++ err = mtk_hci_wmt_sync(hdev, &wmt_params); ++ if (err < 0) { ++ bt_dev_err(hdev, "Failed to power on data RAM (%d)", err); ++ return err; ++ } ++ + fw_ptr = fw->data; + fw_size = fw->size; + +-- +2.27.0 + diff --git a/queue/Bluetooth-btusb-fix-up-firmware-download-sequence.patch b/queue/Bluetooth-btusb-fix-up-firmware-download-sequence.patch new file mode 100644 index 00000000..8fa4dde3 --- /dev/null +++ b/queue/Bluetooth-btusb-fix-up-firmware-download-sequence.patch @@ -0,0 +1,53 @@ +From f645125711c80f9651e4a57403d799070c6ad13b Mon Sep 17 00:00:00 2001 +From: Sean Wang <sean.wang@mediatek.com> +Date: Fri, 19 Jun 2020 19:52:01 +0000 +Subject: [PATCH] Bluetooth: btusb: fix up firmware download sequence + +commit f645125711c80f9651e4a57403d799070c6ad13b upstream. + +Data RAM on the device have to be powered on before starting to download +the firmware. + +Fixes: a1c49c434e15 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") +Co-developed-by: Mark Chen <Mark-YW.Chen@mediatek.com> +Signed-off-by: Mark Chen <Mark-YW.Chen@mediatek.com> +Signed-off-by: Sean Wang <sean.wang@mediatek.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index c7cc8e594166..e42fdd625eb0 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2934,7 +2934,7 @@ static int btusb_mtk_setup_firmware(struct hci_dev *hdev, const char *fwname) + const u8 *fw_ptr; + size_t fw_size; + int err, dlen; +- u8 flag; ++ u8 flag, param; + + err = request_firmware(&fw, fwname, &hdev->dev); + if (err < 0) { +@@ -2942,6 +2942,20 @@ static int btusb_mtk_setup_firmware(struct hci_dev *hdev, const char *fwname) + return err; + } + ++ /* Power on data RAM the firmware relies on. */ ++ param = 1; ++ wmt_params.op = BTMTK_WMT_FUNC_CTRL; ++ wmt_params.flag = 3; ++ wmt_params.dlen = sizeof(param); ++ wmt_params.data = ¶m; ++ wmt_params.status = NULL; ++ ++ err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params); ++ if (err < 0) { ++ bt_dev_err(hdev, "Failed to power on data RAM (%d)", err); ++ return err; ++ } ++ + fw_ptr = fw->data; + fw_size = fw->size; + +-- +2.27.0 + diff --git a/queue/Bluetooth-hci_h5-Set-HCI_UART_RESET_ON_INIT-to-corre.patch b/queue/Bluetooth-hci_h5-Set-HCI_UART_RESET_ON_INIT-to-corre.patch new file mode 100644 index 00000000..57010dac --- /dev/null +++ b/queue/Bluetooth-hci_h5-Set-HCI_UART_RESET_ON_INIT-to-corre.patch @@ -0,0 +1,31 @@ +From a7ad4b6119d740b1ec5788f1b98be0fd1c1b5a5a Mon Sep 17 00:00:00 2001 +From: Nicolas Boichat <drinkcat@chromium.org> +Date: Tue, 21 Jul 2020 10:37:15 +0800 +Subject: [PATCH] Bluetooth: hci_h5: Set HCI_UART_RESET_ON_INIT to correct + flags + +commit a7ad4b6119d740b1ec5788f1b98be0fd1c1b5a5a upstream. + +HCI_UART_RESET_ON_INIT belongs in hdev_flags, not flags. + +Fixes: ce945552fde4a09 ("Bluetooth: hci_h5: Add support for serdev enumerated devices") +Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> +Reviewed-by: Hans de Goede <hdegoede@redhat.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c +index e60b2e0773db..e41854e0d79a 100644 +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -793,7 +793,7 @@ static int h5_serdev_probe(struct serdev_device *serdev) + if (!h5) + return -ENOMEM; + +- set_bit(HCI_UART_RESET_ON_INIT, &h5->serdev_hu.flags); ++ set_bit(HCI_UART_RESET_ON_INIT, &h5->serdev_hu.hdev_flags); + + h5->hu = &h5->serdev_hu; + h5->serdev_hu.serdev = serdev; +-- +2.27.0 + diff --git a/queue/Bluetooth-hci_serdev-Only-unregister-device-if-it-wa.patch b/queue/Bluetooth-hci_serdev-Only-unregister-device-if-it-wa.patch new file mode 100644 index 00000000..bf2e159c --- /dev/null +++ b/queue/Bluetooth-hci_serdev-Only-unregister-device-if-it-wa.patch @@ -0,0 +1,32 @@ +From 202798db9570104728dce8bb57dfeed47ce764bc Mon Sep 17 00:00:00 2001 +From: Nicolas Boichat <drinkcat@chromium.org> +Date: Tue, 21 Jul 2020 10:37:16 +0800 +Subject: [PATCH] Bluetooth: hci_serdev: Only unregister device if it was + registered + +commit 202798db9570104728dce8bb57dfeed47ce764bc upstream. + +We should not call hci_unregister_dev if the device was not +successfully registered. + +Fixes: c34dc3bfa7642fd ("Bluetooth: hci_serdev: Introduce hci_uart_unregister_device()") +Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c +index 599855e4c57c..7b233312e723 100644 +--- a/drivers/bluetooth/hci_serdev.c ++++ b/drivers/bluetooth/hci_serdev.c +@@ -355,7 +355,8 @@ void hci_uart_unregister_device(struct hci_uart *hu) + struct hci_dev *hdev = hu->hdev; + + clear_bit(HCI_UART_PROTO_READY, &hu->flags); +- hci_unregister_dev(hdev); ++ if (test_bit(HCI_UART_REGISTERED, &hu->flags)) ++ hci_unregister_dev(hdev); + hci_free_dev(hdev); + + cancel_work_sync(&hu->write_work); +-- +2.27.0 + diff --git a/queue/EDAC-Fix-reference-count-leaks.patch b/queue/EDAC-Fix-reference-count-leaks.patch new file mode 100644 index 00000000..9aae66c0 --- /dev/null +++ b/queue/EDAC-Fix-reference-count-leaks.patch @@ -0,0 +1,52 @@ +From 17ed808ad243192fb923e4e653c1338d3ba06207 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu <wu000273@umn.edu> +Date: Thu, 28 May 2020 15:22:37 -0500 +Subject: [PATCH] EDAC: Fix reference count leaks + +commit 17ed808ad243192fb923e4e653c1338d3ba06207 upstream. + +When kobject_init_and_add() returns an error, it should be handled +because kobject_init_and_add() takes a reference even when it fails. If +this function returns an error, kobject_put() must be called to properly +clean up the memory associated with the object. + +Therefore, replace calling kfree() and call kobject_put() and add a +missing kobject_put() in the edac_device_register_sysfs_main_kobj() +error path. + + [ bp: Massage and merge into a single patch. ] + +Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add") +Signed-off-by: Qiushi Wu <wu000273@umn.edu> +Signed-off-by: Borislav Petkov <bp@suse.de> +Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu +Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu + +diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c +index 0e7ea3591b78..5e7593753799 100644 +--- a/drivers/edac/edac_device_sysfs.c ++++ b/drivers/edac/edac_device_sysfs.c +@@ -275,6 +275,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev) + + /* Error exit stack */ + err_kobj_reg: ++ kobject_put(&edac_dev->kobj); + module_put(edac_dev->owner); + + err_out: +diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c +index 72c9eb9fdffb..53042af7262e 100644 +--- a/drivers/edac/edac_pci_sysfs.c ++++ b/drivers/edac/edac_pci_sysfs.c +@@ -386,7 +386,7 @@ static int edac_pci_main_kobj_setup(void) + + /* Error unwind statck */ + kobject_init_and_add_fail: +- kfree(edac_pci_top_main_kobj); ++ kobject_put(edac_pci_top_main_kobj); + + kzalloc_fail: + module_put(THIS_MODULE); +-- +2.27.0 + diff --git a/queue/HID-input-Fix-devices-that-return-multiple-bytes-in-.patch b/queue/HID-input-Fix-devices-that-return-multiple-bytes-in-.patch new file mode 100644 index 00000000..1bc8c536 --- /dev/null +++ b/queue/HID-input-Fix-devices-that-return-multiple-bytes-in-.patch @@ -0,0 +1,60 @@ +From 4f57cace81438cc873a96f9f13f08298815c9b51 Mon Sep 17 00:00:00 2001 +From: Grant Likely <grant.likely@secretlab.ca> +Date: Fri, 10 Jul 2020 16:19:39 +0100 +Subject: [PATCH] HID: input: Fix devices that return multiple bytes in battery + report + +commit 4f57cace81438cc873a96f9f13f08298815c9b51 upstream. + +Some devices, particularly the 3DConnexion Spacemouse wireless 3D +controllers, return more than just the battery capacity in the battery +report. The Spacemouse devices return an additional byte with a device +specific field. However, hidinput_query_battery_capacity() only +requests a 2 byte transfer. + +When a spacemouse is connected via USB (direct wire, no wireless dongle) +and it returns a 3 byte report instead of the assumed 2 byte battery +report the larger transfer confuses and frightens the USB subsystem +which chooses to ignore the transfer. Then after 2 seconds assume the +device has stopped responding and reset it. This can be reproduced +easily by using a wired connection with a wireless spacemouse. The +Spacemouse will enter a loop of resetting every 2 seconds which can be +observed in dmesg. + +This patch solves the problem by increasing the transfer request to 4 +bytes instead of 2. The fix isn't particularly elegant, but it is simple +and safe to backport to stable kernels. A further patch will follow to +more elegantly handle battery reports that contain additional data. + +Signed-off-by: Grant Likely <grant.likely@secretlab.ca> +Cc: Darren Hart <darren@dvhart.com> +Cc: Jiri Kosina <jikos@kernel.org> +Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Cc: stable@vger.kernel.org +Tested-by: Darren Hart <dvhart@infradead.org> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index c8633beae260..b8eabf206e74 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -350,13 +350,13 @@ static int hidinput_query_battery_capacity(struct hid_device *dev) + u8 *buf; + int ret; + +- buf = kmalloc(2, GFP_KERNEL); ++ buf = kmalloc(4, GFP_KERNEL); + if (!buf) + return -ENOMEM; + +- ret = hid_hw_raw_request(dev, dev->battery_report_id, buf, 2, ++ ret = hid_hw_raw_request(dev, dev->battery_report_id, buf, 4, + dev->battery_report_type, HID_REQ_GET_REPORT); +- if (ret != 2) { ++ if (ret < 2) { + kfree(buf); + return -ENODATA; + } +-- +2.27.0 + diff --git a/queue/MIPS-OCTEON-add-missing-put_device-call-in-dwc3_octe.patch b/queue/MIPS-OCTEON-add-missing-put_device-call-in-dwc3_octe.patch new file mode 100644 index 00000000..465b617e --- /dev/null +++ b/queue/MIPS-OCTEON-add-missing-put_device-call-in-dwc3_octe.patch @@ -0,0 +1,43 @@ +From e8b9fc10f2615b9a525fce56981e40b489528355 Mon Sep 17 00:00:00 2001 +From: Yu Kuai <yukuai3@huawei.com> +Date: Tue, 21 Jul 2020 21:47:18 +0800 +Subject: [PATCH] MIPS: OCTEON: add missing put_device() call in + dwc3_octeon_device_init() + +commit e8b9fc10f2615b9a525fce56981e40b489528355 upstream. + +if of_find_device_by_node() succeed, dwc3_octeon_device_init() doesn't have +a corresponding put_device(). Thus add put_device() to fix the exception +handling for this function implementation. + +Fixes: 93e502b3c2d4 ("MIPS: OCTEON: Platform support for OCTEON III USB controller") +Signed-off-by: Yu Kuai <yukuai3@huawei.com> +Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> + +diff --git a/arch/mips/cavium-octeon/octeon-usb.c b/arch/mips/cavium-octeon/octeon-usb.c +index 1fd85c559700..950e6c6e8629 100644 +--- a/arch/mips/cavium-octeon/octeon-usb.c ++++ b/arch/mips/cavium-octeon/octeon-usb.c +@@ -518,6 +518,7 @@ static int __init dwc3_octeon_device_init(void) + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (res == NULL) { ++ put_device(&pdev->dev); + dev_err(&pdev->dev, "No memory resources\n"); + return -ENXIO; + } +@@ -529,8 +530,10 @@ static int __init dwc3_octeon_device_init(void) + * know the difference. + */ + base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(base)) ++ if (IS_ERR(base)) { ++ put_device(&pdev->dev); + return PTR_ERR(base); ++ } + + mutex_lock(&dwc3_octeon_clocks_mutex); + dwc3_octeon_clocks_start(&pdev->dev, (u64)base); +-- +2.27.0 + diff --git a/queue/NFS-Don-t-move-layouts-to-plh_return_segs-list-while.patch b/queue/NFS-Don-t-move-layouts-to-plh_return_segs-list-while.patch new file mode 100644 index 00000000..d020288e --- /dev/null +++ b/queue/NFS-Don-t-move-layouts-to-plh_return_segs-list-while.patch @@ -0,0 +1,48 @@ +From ff041727e9e029845857cac41aae118ead5e261b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <trond.myklebust@hammerspace.com> +Date: Tue, 4 Aug 2020 16:30:30 -0400 +Subject: [PATCH] NFS: Don't move layouts to plh_return_segs list while in use + +commit ff041727e9e029845857cac41aae118ead5e261b upstream. + +If the layout segment is still in use for a read or a write, we should +not move it to the layout plh_return_segs list. If we do, we can end +up returning the layout while I/O is still in progress. + +Fixes: e0b7d420f72a ("pNFS: Don't discard layout segments that are marked for return") +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index d8cdb94c6668..262ce01c7abe 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -2392,16 +2392,6 @@ pnfs_layout_process(struct nfs4_layoutget *lgp) + return ERR_PTR(-EAGAIN); + } + +-static int +-mark_lseg_invalid_or_return(struct pnfs_layout_segment *lseg, +- struct list_head *tmp_list) +-{ +- if (!mark_lseg_invalid(lseg, tmp_list)) +- return 0; +- pnfs_cache_lseg_for_layoutreturn(lseg->pls_layout, lseg); +- return 1; +-} +- + /** + * pnfs_mark_matching_lsegs_return - Free or return matching layout segments + * @lo: pointer to layout header +@@ -2438,7 +2428,7 @@ pnfs_mark_matching_lsegs_return(struct pnfs_layout_hdr *lo, + lseg, lseg->pls_range.iomode, + lseg->pls_range.offset, + lseg->pls_range.length); +- if (mark_lseg_invalid_or_return(lseg, tmp_list)) ++ if (mark_lseg_invalid(lseg, tmp_list)) + continue; + remaining++; + set_bit(NFS_LSEG_LAYOUTRETURN, &lseg->pls_flags); +-- +2.27.0 + diff --git a/queue/NFS-Don-t-return-layout-segments-that-are-in-use.patch b/queue/NFS-Don-t-return-layout-segments-that-are-in-use.patch new file mode 100644 index 00000000..67c50a9e --- /dev/null +++ b/queue/NFS-Don-t-return-layout-segments-that-are-in-use.patch @@ -0,0 +1,69 @@ +From d474f96104bd4377573526ebae2ee212205a6839 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <trond.myklebust@hammerspace.com> +Date: Wed, 5 Aug 2020 09:03:56 -0400 +Subject: [PATCH] NFS: Don't return layout segments that are in use + +commit d474f96104bd4377573526ebae2ee212205a6839 upstream. + +If the NFS_LAYOUT_RETURN_REQUESTED flag is set, we want to return the +layout as soon as possible, meaning that the affected layout segments +should be marked as invalid, and should no longer be in use for I/O. + +Fixes: f0b429819b5f ("pNFS: Ignore non-recalled layouts in pnfs_layout_need_return()") +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 262ce01c7abe..b5baf36d4de5 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1226,31 +1226,27 @@ pnfs_send_layoutreturn(struct pnfs_layout_hdr *lo, + return status; + } + ++static bool ++pnfs_layout_segments_returnable(struct pnfs_layout_hdr *lo, ++ enum pnfs_iomode iomode, ++ u32 seq) ++{ ++ struct pnfs_layout_range recall_range = { ++ .length = NFS4_MAX_UINT64, ++ .iomode = iomode, ++ }; ++ return pnfs_mark_matching_lsegs_return(lo, &lo->plh_return_segs, ++ &recall_range, seq) != -EBUSY; ++} ++ + /* Return true if layoutreturn is needed */ + static bool + pnfs_layout_need_return(struct pnfs_layout_hdr *lo) + { +- struct pnfs_layout_segment *s; +- enum pnfs_iomode iomode; +- u32 seq; +- + if (!test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags)) + return false; +- +- seq = lo->plh_return_seq; +- iomode = lo->plh_return_iomode; +- +- /* Defer layoutreturn until all recalled lsegs are done */ +- list_for_each_entry(s, &lo->plh_segs, pls_list) { +- if (seq && pnfs_seqid_is_newer(s->pls_seq, seq)) +- continue; +- if (iomode != IOMODE_ANY && s->pls_range.iomode != iomode) +- continue; +- if (test_bit(NFS_LSEG_LAYOUTRETURN, &s->pls_flags)) +- return false; +- } +- +- return true; ++ return pnfs_layout_segments_returnable(lo, lo->plh_return_iomode, ++ lo->plh_return_seq); + } + + static void pnfs_layoutreturn_before_put_layout_hdr(struct pnfs_layout_hdr *lo) +-- +2.27.0 + diff --git a/queue/PCI-ASPM-Add-missing-newline-in-sysfs-policy.patch b/queue/PCI-ASPM-Add-missing-newline-in-sysfs-policy.patch new file mode 100644 index 00000000..51c1c8b9 --- /dev/null +++ b/queue/PCI-ASPM-Add-missing-newline-in-sysfs-policy.patch @@ -0,0 +1,34 @@ +From 3167e3d340c092fd47924bc4d23117a3074ef9a9 Mon Sep 17 00:00:00 2001 +From: Xiongfeng Wang <wangxiongfeng2@huawei.com> +Date: Fri, 17 Jul 2020 15:59:25 +0800 +Subject: [PATCH] PCI/ASPM: Add missing newline in sysfs 'policy' + +commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 upstream. + +When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a +newline for easy reading. Other sysfs attributes already include a +newline. + + [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy + [default] performance powersave powersupersave [root@localhost ~]# + +Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support") +Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com +Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com> +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index b17e5ffd31b1..253c30cc1967 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -1182,6 +1182,7 @@ static int pcie_aspm_get_policy(char *buffer, const struct kernel_param *kp) + cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]); + else + cnt += sprintf(buffer + cnt, "%s ", policy_str[i]); ++ cnt += sprintf(buffer + cnt, "\n"); + return cnt; + } + +-- +2.27.0 + diff --git a/queue/PCI-Fix-pci_cfg_wait-queue-locking-problem.patch b/queue/PCI-Fix-pci_cfg_wait-queue-locking-problem.patch new file mode 100644 index 00000000..f72af93f --- /dev/null +++ b/queue/PCI-Fix-pci_cfg_wait-queue-locking-problem.patch @@ -0,0 +1,66 @@ +From 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas <bhelgaas@google.com> +Date: Thu, 25 Jun 2020 18:14:55 -0500 +Subject: [PATCH] PCI: Fix pci_cfg_wait queue locking problem + +commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb upstream. + +The pci_cfg_wait queue is used to prevent user-space config accesses to +devices while they are recovering from reset. + +Previously we used these operations on pci_cfg_wait: + + __add_wait_queue(&pci_cfg_wait, ...) + __remove_wait_queue(&pci_cfg_wait, ...) + wake_up_all(&pci_cfg_wait) + +The wake_up acquires the wait queue lock, but the add and remove do not. + +Originally these were all protected by the pci_lock, but cdcb33f98244 +("PCI: Avoid possible deadlock on pci_lock and p->pi_lock"), moved +wake_up_all() outside pci_lock, so it could race with add/remove +operations, which caused occasional kernel panics, e.g., during vfio-pci +hotplug/unplug testing: + + Unable to handle kernel read from unreadable memory at virtual address ffff802dac469000 + +Resolve this by using wait_event() instead of __add_wait_queue() and +__remove_wait_queue(). The wait queue lock is held by both wait_event() +and wake_up_all(), so it provides mutual exclusion. + +Fixes: cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock") +Link: https://lore.kernel.org/linux-pci/79827f2f-9b43-4411-1376-b9063b67aee3@huawei.com/T/#u +Based-on: https://lore.kernel.org/linux-pci/20191210031527.40136-1-zhengxiang9@huawei.com/ +Based-on-patch-by: Xiang Zheng <zhengxiang9@huawei.com> +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> +Tested-by: Xiang Zheng <zhengxiang9@huawei.com> +Cc: Heyi Guo <guoheyi@huawei.com> +Cc: Biaoxiang Ye <yebiaoxiang@huawei.com> + +diff --git a/drivers/pci/access.c b/drivers/pci/access.c +index 79c4a2ef269a..9793f17fa184 100644 +--- a/drivers/pci/access.c ++++ b/drivers/pci/access.c +@@ -204,17 +204,13 @@ EXPORT_SYMBOL(pci_bus_set_ops); + static DECLARE_WAIT_QUEUE_HEAD(pci_cfg_wait); + + static noinline void pci_wait_cfg(struct pci_dev *dev) ++ __must_hold(&pci_lock) + { +- DECLARE_WAITQUEUE(wait, current); +- +- __add_wait_queue(&pci_cfg_wait, &wait); + do { +- set_current_state(TASK_UNINTERRUPTIBLE); + raw_spin_unlock_irq(&pci_lock); +- schedule(); ++ wait_event(pci_cfg_wait, !dev->block_cfg_access); + raw_spin_lock_irq(&pci_lock); + } while (dev->block_cfg_access); +- __remove_wait_queue(&pci_cfg_wait, &wait); + } + + /* Returns 0 on success, negative values indicate error. */ +-- +2.27.0 + diff --git a/queue/PCI-Release-IVRS-table-in-AMD-ACS-quirk.patch b/queue/PCI-Release-IVRS-table-in-AMD-ACS-quirk.patch new file mode 100644 index 00000000..8d7889c1 --- /dev/null +++ b/queue/PCI-Release-IVRS-table-in-AMD-ACS-quirk.patch @@ -0,0 +1,34 @@ +From 090688fa4e448284aaa16136372397d7d10814db Mon Sep 17 00:00:00 2001 +From: Hanjun Guo <guohanjun@huawei.com> +Date: Wed, 22 Jul 2020 17:44:28 +0800 +Subject: [PATCH] PCI: Release IVRS table in AMD ACS quirk + +commit 090688fa4e448284aaa16136372397d7d10814db upstream. + +The acpi_get_table() should be coupled with acpi_put_table() if the mapped +table is not used at runtime to release the table mapping. + +In pci_quirk_amd_sb_acs(), IVRS table is just used for checking AMD IOMMU +is supported, not used at runtime, so put the table after using it. + +Fixes: 15b100dfd1c9 ("PCI: Claim ACS support for AMD southbridge devices") +Link: https://lore.kernel.org/r/1595411068-15440-1-git-send-email-guohanjun@huawei.com +Signed-off-by: Hanjun Guo <guohanjun@huawei.com> +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 052efeb9f053..2456a1950a8a 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4409,6 +4409,8 @@ static int pci_quirk_amd_sb_acs(struct pci_dev *dev, u16 acs_flags) + if (ACPI_FAILURE(status)) + return -ENODEV; + ++ acpi_put_table(header); ++ + /* Filter out flags not applicable to multifunction */ + acs_flags &= (PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_EC | PCI_ACS_DT); + +-- +2.27.0 + diff --git a/queue/PCI-cadence-Fix-updating-Vendor-ID-and-Subsystem-Ven.patch b/queue/PCI-cadence-Fix-updating-Vendor-ID-and-Subsystem-Ven.patch new file mode 100644 index 00000000..80049cba --- /dev/null +++ b/queue/PCI-cadence-Fix-updating-Vendor-ID-and-Subsystem-Ven.patch @@ -0,0 +1,51 @@ +From e3bca37d15dca118f2ef1f0a068bb6e07846ea20 Mon Sep 17 00:00:00 2001 +From: Kishon Vijay Abraham I <kishon@ti.com> +Date: Wed, 22 Jul 2020 16:33:11 +0530 +Subject: [PATCH] PCI: cadence: Fix updating Vendor ID and Subsystem Vendor ID + register + +commit e3bca37d15dca118f2ef1f0a068bb6e07846ea20 upstream. + +Commit 1b79c5284439 ("PCI: cadence: Add host driver for Cadence PCIe +controller") in order to update Vendor ID, directly wrote to +PCI_VENDOR_ID register. However PCI_VENDOR_ID in root port configuration +space is read-only register and writing to it will have no effect. +Use local management register to configure Vendor ID and Subsystem Vendor +ID. + +Link: https://lore.kernel.org/r/20200722110317.4744-10-kishon@ti.com +Fixes: 1b79c5284439 ("PCI: cadence: Add host driver for Cadence PCIe controller") +Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com> +Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com> +Reviewed-by: Rob Herring <robh@kernel.org> + +diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c +index 6069a46c8ef1..89d26324b2a8 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence-host.c ++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c +@@ -82,6 +82,7 @@ static int cdns_pcie_host_init_root_port(struct cdns_pcie_rc *rc) + { + struct cdns_pcie *pcie = &rc->pcie; + u32 value, ctrl; ++ u32 id; + + /* + * Set the root complex BAR configuration register: +@@ -101,8 +102,12 @@ static int cdns_pcie_host_init_root_port(struct cdns_pcie_rc *rc) + cdns_pcie_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value); + + /* Set root port configuration space */ +- if (rc->vendor_id != 0xffff) +- cdns_pcie_rp_writew(pcie, PCI_VENDOR_ID, rc->vendor_id); ++ if (rc->vendor_id != 0xffff) { ++ id = CDNS_PCIE_LM_ID_VENDOR(rc->vendor_id) | ++ CDNS_PCIE_LM_ID_SUBSYS(rc->vendor_id); ++ cdns_pcie_writel(pcie, CDNS_PCIE_LM_ID, id); ++ } ++ + if (rc->device_id != 0xffff) + cdns_pcie_rp_writew(pcie, PCI_DEVICE_ID, rc->device_id); + +-- +2.27.0 + diff --git a/queue/RDMA-core-Fix-bogus-WARN_ON-during-ib_unregister_dev.patch b/queue/RDMA-core-Fix-bogus-WARN_ON-during-ib_unregister_dev.patch new file mode 100644 index 00000000..17be4933 --- /dev/null +++ b/queue/RDMA-core-Fix-bogus-WARN_ON-during-ib_unregister_dev.patch @@ -0,0 +1,69 @@ +From 0cb42c0265837fafa2b4f302c8a7fed2631d7869 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe <jgg@nvidia.com> +Date: Fri, 26 Jun 2020 14:49:10 -0300 +Subject: [PATCH] RDMA/core: Fix bogus WARN_ON during + ib_unregister_device_queued() + +commit 0cb42c0265837fafa2b4f302c8a7fed2631d7869 upstream. + +ib_unregister_device_queued() can only be used by drivers using the new +dealloc_device callback flow, and it has a safety WARN_ON to ensure +drivers are using it properly. + +However, if unregister and register are raced there is a special +destruction path that maintains the uniform error handling semantic of +'caller does ib_dealloc_device() on failure'. This requires disabling the +dealloc_device callback which triggers the WARN_ON. + +Instead of using NULL to disable the callback use a special function +pointer so the WARN_ON does not trigger. + +Fixes: d0899892edd0 ("RDMA/device: Provide APIs from the core code to help unregistration") +Link: https://lore.kernel.org/r/0-v1-a36d512e0a99+762-syz_dealloc_driver_jgg@nvidia.com +Reported-by: syzbot+4088ed905e4ae2b0e13b@syzkaller.appspotmail.com +Suggested-by: Hillf Danton <hdanton@sina.com> +Reviewed-by: Leon Romanovsky <leonro@mellanox.com> +Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 1335ed1f1e4a..40cf07129f66 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -1339,6 +1339,10 @@ static int enable_device_and_get(struct ib_device *device) + return ret; + } + ++static void prevent_dealloc_device(struct ib_device *ib_dev) ++{ ++} ++ + /** + * ib_register_device - Register an IB device with IB core + * @device: Device to register +@@ -1409,11 +1413,11 @@ int ib_register_device(struct ib_device *device, const char *name) + * possibility for a parallel unregistration along with this + * error flow. Since we have a refcount here we know any + * parallel flow is stopped in disable_device and will see the +- * NULL pointers, causing the responsibility to ++ * special dealloc_driver pointer, causing the responsibility to + * ib_dealloc_device() to revert back to this thread. + */ + dealloc_fn = device->ops.dealloc_driver; +- device->ops.dealloc_driver = NULL; ++ device->ops.dealloc_driver = prevent_dealloc_device; + ib_device_put(device); + __ib_unregister_device(device); + device->ops.dealloc_driver = dealloc_fn; +@@ -1462,7 +1466,8 @@ static void __ib_unregister_device(struct ib_device *ib_dev) + * Drivers using the new flow may not call ib_dealloc_device except + * in error unwind prior to registration success. + */ +- if (ib_dev->ops.dealloc_driver) { ++ if (ib_dev->ops.dealloc_driver && ++ ib_dev->ops.dealloc_driver != prevent_dealloc_device) { + WARN_ON(kref_read(&ib_dev->dev.kobj.kref) <= 1); + ib_dealloc_device(ib_dev); + } +-- +2.27.0 + diff --git a/queue/RDMA-core-Fix-return-error-value-in-_ib_modify_qp-to.patch b/queue/RDMA-core-Fix-return-error-value-in-_ib_modify_qp-to.patch new file mode 100644 index 00000000..25d57846 --- /dev/null +++ b/queue/RDMA-core-Fix-return-error-value-in-_ib_modify_qp-to.patch @@ -0,0 +1,33 @@ +From 47fda651d5af2506deac57d54887cf55ce26e244 Mon Sep 17 00:00:00 2001 +From: Li Heng <liheng40@huawei.com> +Date: Sat, 25 Jul 2020 10:56:27 +0800 +Subject: [PATCH] RDMA/core: Fix return error value in _ib_modify_qp() to + negative + +commit 47fda651d5af2506deac57d54887cf55ce26e244 upstream. + +The error codes in _ib_modify_qp() are supposed to be negative errno. + +Fixes: 7a5c938b9ed0 ("IB/core: Check for rdma_protocol_ib only after validating port_num") +Link: https://lore.kernel.org/r/1595645787-20375-1-git-send-email-liheng40@huawei.com +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Li Heng <liheng40@huawei.com> +Reviewed-by: Parav Pandit <parav@mellanox.com> +Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 10f650a17ae7..3096e73797b7 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -1710,7 +1710,7 @@ static int _ib_modify_qp(struct ib_qp *qp, struct ib_qp_attr *attr, + if (!(rdma_protocol_ib(qp->device, + attr->alt_ah_attr.port_num) && + rdma_protocol_ib(qp->device, port))) { +- ret = EINVAL; ++ ret = -EINVAL; + goto out; + } + } +-- +2.27.0 + diff --git a/queue/RDMA-netlink-Remove-CAP_NET_RAW-check-when-dump-a-ra.patch b/queue/RDMA-netlink-Remove-CAP_NET_RAW-check-when-dump-a-ra.patch new file mode 100644 index 00000000..55e71804 --- /dev/null +++ b/queue/RDMA-netlink-Remove-CAP_NET_RAW-check-when-dump-a-ra.patch @@ -0,0 +1,34 @@ +From 1d70ad0f85435a7262de802b104e49e6598c50ff Mon Sep 17 00:00:00 2001 +From: Mark Zhang <markz@mellanox.com> +Date: Mon, 27 Jul 2020 12:58:28 +0300 +Subject: [PATCH] RDMA/netlink: Remove CAP_NET_RAW check when dump a raw QP + +commit 1d70ad0f85435a7262de802b104e49e6598c50ff upstream. + +When dumping QPs bound to a counter, raw QPs should be allowed to dump +without the CAP_NET_RAW privilege. This is consistent with what "rdma res +show qp" does. + +Fixes: c4ffee7c9bdb ("RDMA/netlink: Implement counter dumpit calback") +Link: https://lore.kernel.org/r/20200727095828.496195-1-leon@kernel.org +Signed-off-by: Mark Zhang <markz@mellanox.com> +Signed-off-by: Leon Romanovsky <leonro@mellanox.com> +Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> + +diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c +index 76af7ea2875d..12d29d54a081 100644 +--- a/drivers/infiniband/core/nldev.c ++++ b/drivers/infiniband/core/nldev.c +@@ -759,9 +759,6 @@ static int fill_stat_counter_qps(struct sk_buff *msg, + xa_lock(&rt->xa); + xa_for_each(&rt->xa, id, res) { + qp = container_of(res, struct ib_qp, res); +- if (qp->qp_type == IB_QPT_RAW_PACKET && !capable(CAP_NET_RAW)) +- continue; +- + if (!qp->counter || (qp->counter->id != counter->id)) + continue; + +-- +2.27.0 + diff --git a/queue/RDMA-qedr-SRQ-s-bug-fixes.patch b/queue/RDMA-qedr-SRQ-s-bug-fixes.patch new file mode 100644 index 00000000..b4f69275 --- /dev/null +++ b/queue/RDMA-qedr-SRQ-s-bug-fixes.patch @@ -0,0 +1,108 @@ +From acca72e2b031b9fbb4184511072bd246a0abcebc Mon Sep 17 00:00:00 2001 +From: Yuval Basson <ybason@marvell.com> +Date: Wed, 8 Jul 2020 22:55:26 +0300 +Subject: [PATCH] RDMA/qedr: SRQ's bug fixes + +commit acca72e2b031b9fbb4184511072bd246a0abcebc upstream. + +QP's with the same SRQ, working on different CQs and running in parallel +on different CPUs could lead to a race when maintaining the SRQ consumer +count, and leads to FW running out of SRQs. Update the consumer +atomically. Make sure the wqe_prod is updated after the sge_prod due to +FW requirements. + +Fixes: 3491c9e799fb ("qedr: Add support for kernel mode SRQ's") +Link: https://lore.kernel.org/r/20200708195526.31040-1-ybason@marvell.com +Signed-off-by: Michal Kalderon <mkalderon@marvell.com> +Signed-off-by: Yuval Basson <ybason@marvell.com> +Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> + +diff --git a/drivers/infiniband/hw/qedr/qedr.h b/drivers/infiniband/hw/qedr/qedr.h +index fdf90ecb2699..aa332027da86 100644 +--- a/drivers/infiniband/hw/qedr/qedr.h ++++ b/drivers/infiniband/hw/qedr/qedr.h +@@ -344,10 +344,10 @@ struct qedr_srq_hwq_info { + u32 wqe_prod; + u32 sge_prod; + u32 wr_prod_cnt; +- u32 wr_cons_cnt; ++ atomic_t wr_cons_cnt; + u32 num_elems; + +- u32 *virt_prod_pair_addr; ++ struct rdma_srq_producers *virt_prod_pair_addr; + dma_addr_t phy_prod_pair_addr; + }; + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 3d7d5617818f..42273aa0b5e1 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -3686,7 +3686,7 @@ static u32 qedr_srq_elem_left(struct qedr_srq_hwq_info *hw_srq) + * count and consumer count and subtract it from max + * work request supported so that we get elements left. + */ +- used = hw_srq->wr_prod_cnt - hw_srq->wr_cons_cnt; ++ used = hw_srq->wr_prod_cnt - (u32)atomic_read(&hw_srq->wr_cons_cnt); + + return hw_srq->max_wr - used; + } +@@ -3701,7 +3701,6 @@ int qedr_post_srq_recv(struct ib_srq *ibsrq, const struct ib_recv_wr *wr, + unsigned long flags; + int status = 0; + u32 num_sge; +- u32 offset; + + spin_lock_irqsave(&srq->lock, flags); + +@@ -3714,7 +3713,8 @@ int qedr_post_srq_recv(struct ib_srq *ibsrq, const struct ib_recv_wr *wr, + if (!qedr_srq_elem_left(hw_srq) || + wr->num_sge > srq->hw_srq.max_sges) { + DP_ERR(dev, "Can't post WR (%d,%d) || (%d > %d)\n", +- hw_srq->wr_prod_cnt, hw_srq->wr_cons_cnt, ++ hw_srq->wr_prod_cnt, ++ atomic_read(&hw_srq->wr_cons_cnt), + wr->num_sge, srq->hw_srq.max_sges); + status = -ENOMEM; + *bad_wr = wr; +@@ -3748,22 +3748,20 @@ int qedr_post_srq_recv(struct ib_srq *ibsrq, const struct ib_recv_wr *wr, + hw_srq->sge_prod++; + } + +- /* Flush WQE and SGE information before ++ /* Update WQE and SGE information before + * updating producer. + */ +- wmb(); ++ dma_wmb(); + + /* SRQ producer is 8 bytes. Need to update SGE producer index + * in first 4 bytes and need to update WQE producer in + * next 4 bytes. + */ +- *srq->hw_srq.virt_prod_pair_addr = hw_srq->sge_prod; +- offset = offsetof(struct rdma_srq_producers, wqe_prod); +- *((u8 *)srq->hw_srq.virt_prod_pair_addr + offset) = +- hw_srq->wqe_prod; ++ srq->hw_srq.virt_prod_pair_addr->sge_prod = hw_srq->sge_prod; ++ /* Make sure sge producer is updated first */ ++ dma_wmb(); ++ srq->hw_srq.virt_prod_pair_addr->wqe_prod = hw_srq->wqe_prod; + +- /* Flush producer after updating it. */ +- wmb(); + wr = wr->next; + } + +@@ -4182,7 +4180,7 @@ static int process_resp_one_srq(struct qedr_dev *dev, struct qedr_qp *qp, + } else { + __process_resp_one(dev, qp, cq, wc, resp, wr_id); + } +- srq->hw_srq.wr_cons_cnt++; ++ atomic_inc(&srq->hw_srq.wr_cons_cnt); + + return 1; + } +-- +2.27.0 + diff --git a/queue/RDMA-rxe-Prevent-access-to-wr-next-ptr-afrer-wr-is-p.patch b/queue/RDMA-rxe-Prevent-access-to-wr-next-ptr-afrer-wr-is-p.patch new file mode 100644 index 00000000..d66cf17e --- /dev/null +++ b/queue/RDMA-rxe-Prevent-access-to-wr-next-ptr-afrer-wr-is-p.patch @@ -0,0 +1,55 @@ +From 5f0b2a6093a4d9aab093964c65083fe801ef1e58 Mon Sep 17 00:00:00 2001 +From: Mikhail Malygin <m.malygin@yadro.com> +Date: Thu, 16 Jul 2020 22:03:41 +0300 +Subject: [PATCH] RDMA/rxe: Prevent access to wr->next ptr afrer wr is posted + to send queue + +commit 5f0b2a6093a4d9aab093964c65083fe801ef1e58 upstream. + +rxe_post_send_kernel() iterates over linked list of wr's, until the +wr->next ptr is NULL. However if we've got an interrupt after last wr is +posted, control may be returned to the code after send completion callback +is executed and wr memory is freed. + +As a result, wr->next pointer may contain incorrect value leading to +panic. Store the wr->next on the stack before posting it. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20200716190340.23453-1-m.malygin@yadro.com +Signed-off-by: Mikhail Malygin <m.malygin@yadro.com> +Signed-off-by: Sergey Kojushev <s.kojushev@yadro.com> +Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> + +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c +index 74f071003690..c1649aec8c23 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -682,6 +682,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr, + unsigned int mask; + unsigned int length = 0; + int i; ++ struct ib_send_wr *next; + + while (wr) { + mask = wr_opcode_mask(wr->opcode, qp); +@@ -698,6 +699,8 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr, + break; + } + ++ next = wr->next; ++ + length = 0; + for (i = 0; i < wr->num_sge; i++) + length += wr->sg_list[i].length; +@@ -708,7 +711,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, const struct ib_send_wr *wr, + *bad_wr = wr; + break; + } +- wr = wr->next; ++ wr = next; + } + + rxe_run_task(&qp->req.task, 1); +-- +2.27.0 + diff --git a/queue/RDMA-rxe-Skip-dgid-check-in-loopback-mode.patch b/queue/RDMA-rxe-Skip-dgid-check-in-loopback-mode.patch new file mode 100644 index 00000000..9d69bfbb --- /dev/null +++ b/queue/RDMA-rxe-Skip-dgid-check-in-loopback-mode.patch @@ -0,0 +1,66 @@ +From 5c99274be8864519328aa74bc550ba410095bc1c Mon Sep 17 00:00:00 2001 +From: Zhu Yanjun <yanjunz@mellanox.com> +Date: Tue, 30 Jun 2020 15:36:05 +0300 +Subject: [PATCH] RDMA/rxe: Skip dgid check in loopback mode + +commit 5c99274be8864519328aa74bc550ba410095bc1c upstream. + +In the loopback tests, the following call trace occurs. + + Call Trace: + __rxe_do_task+0x1a/0x30 [rdma_rxe] + rxe_qp_destroy+0x61/0xa0 [rdma_rxe] + rxe_destroy_qp+0x20/0x60 [rdma_rxe] + ib_destroy_qp_user+0xcc/0x220 [ib_core] + uverbs_free_qp+0x3c/0xc0 [ib_uverbs] + destroy_hw_idr_uobject+0x24/0x70 [ib_uverbs] + uverbs_destroy_uobject+0x43/0x1b0 [ib_uverbs] + uobj_destroy+0x41/0x70 [ib_uverbs] + __uobj_get_destroy+0x39/0x70 [ib_uverbs] + ib_uverbs_destroy_qp+0x88/0xc0 [ib_uverbs] + ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xb9/0xf0 [ib_uverbs] + ib_uverbs_cmd_verbs+0xb16/0xc30 [ib_uverbs] + +The root cause is that the actual RDMA connection is not created in the +loopback tests and the rxe_match_dgid will fail randomly. + +To fix this call trace which appear in the loopback tests, skip check of +the dgid. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20200630123605.446959-1-leon@kernel.org +Signed-off-by: Zhu Yanjun <yanjunz@mellanox.com> +Signed-off-by: Leon Romanovsky <leonro@mellanox.com> +Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index 831ad578a7b2..46e111c218fd 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -330,10 +330,14 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + + static int rxe_match_dgid(struct rxe_dev *rxe, struct sk_buff *skb) + { ++ struct rxe_pkt_info *pkt = SKB_TO_PKT(skb); + const struct ib_gid_attr *gid_attr; + union ib_gid dgid; + union ib_gid *pdgid; + ++ if (pkt->mask & RXE_LOOPBACK_MASK) ++ return 0; ++ + if (skb->protocol == htons(ETH_P_IP)) { + ipv6_addr_set_v4mapped(ip_hdr(skb)->daddr, + (struct in6_addr *)&dgid); +@@ -366,7 +370,7 @@ void rxe_rcv(struct sk_buff *skb) + if (unlikely(skb->len < pkt->offset + RXE_BTH_BYTES)) + goto drop; + +- if (unlikely(rxe_match_dgid(rxe, skb) < 0)) { ++ if (rxe_match_dgid(rxe, skb) < 0) { + pr_warn_ratelimited("failed matching dgid\n"); + goto drop; + } +-- +2.27.0 + diff --git a/queue/Revert-parisc-Drop-LDCW-barrier-in-CAS-code-when-run.patch b/queue/Revert-parisc-Drop-LDCW-barrier-in-CAS-code-when-run.patch new file mode 100644 index 00000000..10e09c60 --- /dev/null +++ b/queue/Revert-parisc-Drop-LDCW-barrier-in-CAS-code-when-run.patch @@ -0,0 +1,61 @@ +From 462fb756c7de1ffe5bc6099149136031c2d9c02a Mon Sep 17 00:00:00 2001 +From: Helge Deller <deller@gmx.de> +Date: Tue, 28 Jul 2020 18:52:58 +0200 +Subject: [PATCH] Revert "parisc: Drop LDCW barrier in CAS code when running + UP" + +commit 462fb756c7de1ffe5bc6099149136031c2d9c02a upstream. + +This reverts commit e6eb5fe9123f05dcbf339ae5c0b6d32fcc0685d5. +We need to optimize it differently. A follow up patch will correct it. + +Signed-off-by: Helge Deller <deller@gmx.de> +Cc: <stable@vger.kernel.org> # v5.2+ + +diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S +index f05c9d5b6b9e..ea505a81f821 100644 +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -641,8 +641,7 @@ cas_action: + 2: stw %r24, 0(%r26) + /* Free lock */ + #ifdef CONFIG_SMP +-98: LDCW 0(%sr2,%r20), %r1 /* Barrier */ +-99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) ++ LDCW 0(%sr2,%r20), %r1 /* Barrier */ + #endif + stw %r20, 0(%sr2,%r20) + #if ENABLE_LWS_DEBUG +@@ -659,8 +658,7 @@ cas_action: + /* Error occurred on load or store */ + /* Free lock */ + #ifdef CONFIG_SMP +-98: LDCW 0(%sr2,%r20), %r1 /* Barrier */ +-99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) ++ LDCW 0(%sr2,%r20), %r1 /* Barrier */ + #endif + stw %r20, 0(%sr2,%r20) + #if ENABLE_LWS_DEBUG +@@ -864,8 +862,7 @@ cas2_action: + cas2_end: + /* Free lock */ + #ifdef CONFIG_SMP +-98: LDCW 0(%sr2,%r20), %r1 /* Barrier */ +-99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) ++ LDCW 0(%sr2,%r20), %r1 /* Barrier */ + #endif + stw %r20, 0(%sr2,%r20) + /* Enable interrupts */ +@@ -878,8 +875,7 @@ cas2_end: + /* Error occurred on load or store */ + /* Free lock */ + #ifdef CONFIG_SMP +-98: LDCW 0(%sr2,%r20), %r1 /* Barrier */ +-99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) ++ LDCW 0(%sr2,%r20), %r1 /* Barrier */ + #endif + stw %r20, 0(%sr2,%r20) + ssm PSW_SM_I, %r0 +-- +2.27.0 + diff --git a/queue/Revert-parisc-Revert-Release-spinlocks-using-ordered.patch b/queue/Revert-parisc-Revert-Release-spinlocks-using-ordered.patch new file mode 100644 index 00000000..34520367 --- /dev/null +++ b/queue/Revert-parisc-Revert-Release-spinlocks-using-ordered.patch @@ -0,0 +1,75 @@ +From 157e9afcc4fa25068b0e8743bc254a9b56010e13 Mon Sep 17 00:00:00 2001 +From: Helge Deller <deller@gmx.de> +Date: Tue, 28 Jul 2020 18:56:14 +0200 +Subject: [PATCH] Revert "parisc: Revert "Release spinlocks using ordered + store"" + +commit 157e9afcc4fa25068b0e8743bc254a9b56010e13 upstream. + +This reverts commit 86d4d068df573a8c2105554624796c086d6bec3d. + +Signed-off-by: Helge Deller <deller@gmx.de> +Cc: <stable@vger.kernel.org> # v5.0+ + +diff --git a/arch/parisc/include/asm/spinlock.h b/arch/parisc/include/asm/spinlock.h +index 6f85ca70ce23..51b6c47f802f 100644 +--- a/arch/parisc/include/asm/spinlock.h ++++ b/arch/parisc/include/asm/spinlock.h +@@ -37,8 +37,8 @@ static inline void arch_spin_unlock(arch_spinlock_t *x) + volatile unsigned int *a; + + a = __ldcw_align(x); +- mb(); +- *a = 1; ++ /* Release with ordered store. */ ++ __asm__ __volatile__("stw,ma %0,0(%1)" : : "r"(1), "r"(a) : "memory"); + } + + static inline int arch_spin_trylock(arch_spinlock_t *x) +diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S +index 472ce9921b30..3ad61a177f5b 100644 +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -640,8 +640,7 @@ cas_action: + sub,<> %r28, %r25, %r0 + 2: stw %r24, 0(%r26) + /* Free lock */ +- sync +- stw %r20, 0(%sr2,%r20) ++ stw,ma %r20, 0(%sr2,%r20) + #if ENABLE_LWS_DEBUG + /* Clear thread register indicator */ + stw %r0, 4(%sr2,%r20) +@@ -655,8 +654,7 @@ cas_action: + 3: + /* Error occurred on load or store */ + /* Free lock */ +- sync +- stw %r20, 0(%sr2,%r20) ++ stw,ma %r20, 0(%sr2,%r20) + #if ENABLE_LWS_DEBUG + stw %r0, 4(%sr2,%r20) + #endif +@@ -857,8 +855,7 @@ cas2_action: + + cas2_end: + /* Free lock */ +- sync +- stw %r20, 0(%sr2,%r20) ++ stw,ma %r20, 0(%sr2,%r20) + /* Enable interrupts */ + ssm PSW_SM_I, %r0 + /* Return to userspace, set no error */ +@@ -868,8 +865,7 @@ cas2_end: + 22: + /* Error occurred on load or store */ + /* Free lock */ +- sync +- stw %r20, 0(%sr2,%r20) ++ stw,ma %r20, 0(%sr2,%r20) + ssm PSW_SM_I, %r0 + ldo 1(%r0),%r28 + b lws_exit +-- +2.27.0 + diff --git a/queue/Revert-parisc-Use-ldcw-instruction-for-SMP-spinlock-.patch b/queue/Revert-parisc-Use-ldcw-instruction-for-SMP-spinlock-.patch new file mode 100644 index 00000000..b5efb52b --- /dev/null +++ b/queue/Revert-parisc-Use-ldcw-instruction-for-SMP-spinlock-.patch @@ -0,0 +1,259 @@ +From 6e9f06ee6c9566f3606d93182ac8f803a148504b Mon Sep 17 00:00:00 2001 +From: Helge Deller <deller@gmx.de> +Date: Tue, 28 Jul 2020 18:54:40 +0200 +Subject: [PATCH] Revert "parisc: Use ldcw instruction for SMP spinlock release + barrier" + +commit 6e9f06ee6c9566f3606d93182ac8f803a148504b upstream. + +This reverts commit 9e5c602186a692a7e848c0da17aed40f49d30519. +No need to use the ldcw instruction as SMP spinlock release barrier. +Revert it to gain back speed again. + +Signed-off-by: Helge Deller <deller@gmx.de> +Cc: <stable@vger.kernel.org> # v5.2+ + +diff --git a/arch/parisc/include/asm/spinlock.h b/arch/parisc/include/asm/spinlock.h +index d2a3337599fb..6f85ca70ce23 100644 +--- a/arch/parisc/include/asm/spinlock.h ++++ b/arch/parisc/include/asm/spinlock.h +@@ -37,11 +37,7 @@ static inline void arch_spin_unlock(arch_spinlock_t *x) + volatile unsigned int *a; + + a = __ldcw_align(x); +-#ifdef CONFIG_SMP +- (void) __ldcw(a); +-#else + mb(); +-#endif + *a = 1; + } + +diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S +index 4b484ec7c7da..06455f1a40f5 100644 +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -454,9 +454,8 @@ + nop + LDREG 0(\ptp),\pte + bb,<,n \pte,_PAGE_PRESENT_BIT,3f +- LDCW 0(\tmp),\tmp1 + b \fault +- stw \spc,0(\tmp) ++ stw,ma \spc,0(\tmp) + 99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) + #endif + 2: LDREG 0(\ptp),\pte +@@ -465,22 +464,20 @@ + .endm + + /* Release pa_tlb_lock lock without reloading lock address. */ +- .macro tlb_unlock0 spc,tmp,tmp1 ++ .macro tlb_unlock0 spc,tmp + #ifdef CONFIG_SMP + 98: or,COND(=) %r0,\spc,%r0 +- LDCW 0(\tmp),\tmp1 +- or,COND(=) %r0,\spc,%r0 +- stw \spc,0(\tmp) ++ stw,ma \spc,0(\tmp) + 99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) + #endif + .endm + + /* Release pa_tlb_lock lock. */ +- .macro tlb_unlock1 spc,tmp,tmp1 ++ .macro tlb_unlock1 spc,tmp + #ifdef CONFIG_SMP + 98: load_pa_tlb_lock \tmp + 99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) +- tlb_unlock0 \spc,\tmp,\tmp1 ++ tlb_unlock0 \spc,\tmp + #endif + .endm + +@@ -1163,7 +1160,7 @@ dtlb_miss_20w: + + idtlbt pte,prot + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1189,7 +1186,7 @@ nadtlb_miss_20w: + + idtlbt pte,prot + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1223,7 +1220,7 @@ dtlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1256,7 +1253,7 @@ nadtlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1285,7 +1282,7 @@ dtlb_miss_20: + + idtlbt pte,prot + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1313,7 +1310,7 @@ nadtlb_miss_20: + + idtlbt pte,prot + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1420,7 +1417,7 @@ itlb_miss_20w: + + iitlbt pte,prot + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1444,7 +1441,7 @@ naitlb_miss_20w: + + iitlbt pte,prot + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1478,7 +1475,7 @@ itlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1502,7 +1499,7 @@ naitlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1532,7 +1529,7 @@ itlb_miss_20: + + iitlbt pte,prot + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1552,7 +1549,7 @@ naitlb_miss_20: + + iitlbt pte,prot + +- tlb_unlock1 spc,t0,t1 ++ tlb_unlock1 spc,t0 + rfir + nop + +@@ -1582,7 +1579,7 @@ dbit_trap_20w: + + idtlbt pte,prot + +- tlb_unlock0 spc,t0,t1 ++ tlb_unlock0 spc,t0 + rfir + nop + #else +@@ -1608,7 +1605,7 @@ dbit_trap_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock0 spc,t0,t1 ++ tlb_unlock0 spc,t0 + rfir + nop + +@@ -1628,7 +1625,7 @@ dbit_trap_20: + + idtlbt pte,prot + +- tlb_unlock0 spc,t0,t1 ++ tlb_unlock0 spc,t0 + rfir + nop + #endif +diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S +index ea505a81f821..472ce9921b30 100644 +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -640,9 +640,7 @@ cas_action: + sub,<> %r28, %r25, %r0 + 2: stw %r24, 0(%r26) + /* Free lock */ +-#ifdef CONFIG_SMP +- LDCW 0(%sr2,%r20), %r1 /* Barrier */ +-#endif ++ sync + stw %r20, 0(%sr2,%r20) + #if ENABLE_LWS_DEBUG + /* Clear thread register indicator */ +@@ -657,9 +655,7 @@ cas_action: + 3: + /* Error occurred on load or store */ + /* Free lock */ +-#ifdef CONFIG_SMP +- LDCW 0(%sr2,%r20), %r1 /* Barrier */ +-#endif ++ sync + stw %r20, 0(%sr2,%r20) + #if ENABLE_LWS_DEBUG + stw %r0, 4(%sr2,%r20) +@@ -861,9 +857,7 @@ cas2_action: + + cas2_end: + /* Free lock */ +-#ifdef CONFIG_SMP +- LDCW 0(%sr2,%r20), %r1 /* Barrier */ +-#endif ++ sync + stw %r20, 0(%sr2,%r20) + /* Enable interrupts */ + ssm PSW_SM_I, %r0 +@@ -874,9 +868,7 @@ cas2_end: + 22: + /* Error occurred on load or store */ + /* Free lock */ +-#ifdef CONFIG_SMP +- LDCW 0(%sr2,%r20), %r1 /* Barrier */ +-#endif ++ sync + stw %r20, 0(%sr2,%r20) + ssm PSW_SM_I, %r0 + ldo 1(%r0),%r28 +-- +2.27.0 + diff --git a/queue/SUNRPC-Fix-SUNRPC-Add-len-parameter-to-gss_unwrap.patch b/queue/SUNRPC-Fix-SUNRPC-Add-len-parameter-to-gss_unwrap.patch new file mode 100644 index 00000000..1a0e6b33 --- /dev/null +++ b/queue/SUNRPC-Fix-SUNRPC-Add-len-parameter-to-gss_unwrap.patch @@ -0,0 +1,54 @@ +From 986a4b63d3bc5f2c0eb4083b05aff2bf883b7b2f Mon Sep 17 00:00:00 2001 +From: Chuck Lever <chuck.lever@oracle.com> +Date: Fri, 24 Jul 2020 17:08:57 -0400 +Subject: [PATCH] SUNRPC: Fix ("SUNRPC: Add "@len" parameter to gss_unwrap()") + +commit 986a4b63d3bc5f2c0eb4083b05aff2bf883b7b2f upstream. + +Braino when converting "buf->len -=" to "buf->len = len -". + +The result is under-estimation of the ralign and rslack values. On +krb5p mounts, this has caused READDIR to fail with EIO, and KASAN +splats when decoding READLINK replies. + +As a result of fixing this oversight, the gss_unwrap method now +returns a buf->len that can be shorter than priv_len for small +RPC messages. The additional adjustment done in unwrap_priv_data() +can underflow buf->len. This causes the nfsd_request_too_large +check to fail during some NFSv3 operations. + +Reported-by: Marian Rainer-Harbach +Reported-by: Pierre Sauter <pierre.sauter@stwm.de> +BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886277 +Fixes: 31c9590ae468 ("SUNRPC: Add "@len" parameter to gss_unwrap()") +Reviewed-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Chuck Lever <chuck.lever@oracle.com> + +diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c +index cf0fd170ac18..90b8329fef82 100644 +--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c ++++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c +@@ -584,7 +584,7 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, int len, + buf->head[0].iov_len); + memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen); + buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip; +- buf->len = len - GSS_KRB5_TOK_HDR_LEN + headskip; ++ buf->len = len - (GSS_KRB5_TOK_HDR_LEN + headskip); + + /* Trim off the trailing "extra count" and checksum blob */ + xdr_buf_trim(buf, ec + GSS_KRB5_TOK_HDR_LEN + tailskip); +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 7d83f54aaaa6..258b04372f85 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -990,7 +990,6 @@ unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gs + + maj_stat = gss_unwrap(ctx, 0, priv_len, buf); + pad = priv_len - buf->len; +- buf->len -= pad; + /* The upper layers assume the buffer is aligned on 4-byte boundaries. + * In the krb5p case, at least, the data ends up offset, so we need to + * move it around. */ +-- +2.27.0 + diff --git a/queue/Smack-fix-another-vsscanf-out-of-bounds.patch b/queue/Smack-fix-another-vsscanf-out-of-bounds.patch new file mode 100644 index 00000000..fd46f3af --- /dev/null +++ b/queue/Smack-fix-another-vsscanf-out-of-bounds.patch @@ -0,0 +1,33 @@ +From a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 23 Jul 2020 18:22:19 +0300 +Subject: [PATCH] Smack: fix another vsscanf out of bounds + +commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 upstream. + +This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in +vsscanf") where we added a bounds check on "rule". + +Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com +Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 840a192e9337..2bae1fc493d1 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -905,6 +905,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + + for (i = 0; i < catlen; i++) { + rule += SMK_DIGITLEN; ++ if (rule > data + count) { ++ rc = -EOVERFLOW; ++ goto out; ++ } + ret = sscanf(rule, "%u", &cat); + if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) + goto out; +-- +2.27.0 + diff --git a/queue/Smack-prevent-underflow-in-smk_set_cipso.patch b/queue/Smack-prevent-underflow-in-smk_set_cipso.patch new file mode 100644 index 00000000..dad6a7c1 --- /dev/null +++ b/queue/Smack-prevent-underflow-in-smk_set_cipso.patch @@ -0,0 +1,30 @@ +From 42a2df3e829f3c5562090391b33714b2e2e5ad4a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 23 Jul 2020 18:23:05 +0300 +Subject: [PATCH] Smack: prevent underflow in smk_set_cipso() + +commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a upstream. + +We have an upper bound on "maplevel" but forgot to check for negative +values. + +Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 2bae1fc493d1..9c4308077574 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -884,7 +884,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + } + + ret = sscanf(rule, "%d", &maplevel); +- if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) ++ if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL) + goto out; + + rule += SMK_DIGITLEN; +-- +2.27.0 + diff --git a/queue/USB-serial-cp210x-enable-usb-generic-throttle-unthro.patch b/queue/USB-serial-cp210x-enable-usb-generic-throttle-unthro.patch new file mode 100644 index 00000000..a7234b41 --- /dev/null +++ b/queue/USB-serial-cp210x-enable-usb-generic-throttle-unthro.patch @@ -0,0 +1,36 @@ +From 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 Mon Sep 17 00:00:00 2001 +From: Brant Merryman <brant.merryman@silabs.com> +Date: Fri, 26 Jun 2020 04:22:58 +0000 +Subject: [PATCH] USB: serial: cp210x: enable usb generic throttle/unthrottle + +commit 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 upstream. + +Assign the .throttle and .unthrottle functions to be generic function +in the driver structure to prevent data loss that can otherwise occur +if the host does not enable USB throttling. + +Signed-off-by: Brant Merryman <brant.merryman@silabs.com> +Co-developed-by: Phu Luu <phu.luu@silabs.com> +Signed-off-by: Phu Luu <phu.luu@silabs.com> +Link: https://lore.kernel.org/r/57401AF3-9961-461F-95E1-F8AFC2105F5E@silabs.com +[ johan: fix up tags ] +Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control") +Cc: stable <stable@vger.kernel.org> # 2.6.12 +Signed-off-by: Johan Hovold <johan@kernel.org> + +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index f5143eedbc48..bcceb4ad8be0 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -272,6 +272,8 @@ static struct usb_serial_driver cp210x_device = { + .break_ctl = cp210x_break_ctl, + .set_termios = cp210x_set_termios, + .tx_empty = cp210x_tx_empty, ++ .throttle = usb_serial_generic_throttle, ++ .unthrottle = usb_serial_generic_unthrottle, + .tiocmget = cp210x_tiocmget, + .tiocmset = cp210x_tiocmset, + .attach = cp210x_attach, +-- +2.27.0 + diff --git a/queue/USB-serial-cp210x-re-enable-auto-RTS-on-open.patch b/queue/USB-serial-cp210x-re-enable-auto-RTS-on-open.patch new file mode 100644 index 00000000..0213e5d6 --- /dev/null +++ b/queue/USB-serial-cp210x-re-enable-auto-RTS-on-open.patch @@ -0,0 +1,59 @@ +From c7614ff9b73a1e6fb2b1b51396da132ed22fecdb Mon Sep 17 00:00:00 2001 +From: Brant Merryman <brant.merryman@silabs.com> +Date: Fri, 26 Jun 2020 04:24:20 +0000 +Subject: [PATCH] USB: serial: cp210x: re-enable auto-RTS on open + +commit c7614ff9b73a1e6fb2b1b51396da132ed22fecdb upstream. + +CP210x hardware disables auto-RTS but leaves auto-CTS when in hardware +flow control mode and UART on cp210x hardware is disabled. When +re-opening the port, if auto-CTS is enabled on the cp210x, then auto-RTS +must be re-enabled in the driver. + +Signed-off-by: Brant Merryman <brant.merryman@silabs.com> +Co-developed-by: Phu Luu <phu.luu@silabs.com> +Signed-off-by: Phu Luu <phu.luu@silabs.com> +Link: https://lore.kernel.org/r/ECCF8E73-91F3-4080-BE17-1714BC8818FB@silabs.com +[ johan: fix up tags and problem description ] +Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control") +Cc: stable <stable@vger.kernel.org> # 2.6.12 +Signed-off-by: Johan Hovold <johan@kernel.org> + +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index bcceb4ad8be0..a90801ef0055 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -917,6 +917,7 @@ static void cp210x_get_termios_port(struct usb_serial_port *port, + u32 baud; + u16 bits; + u32 ctl_hs; ++ u32 flow_repl; + + cp210x_read_u32_reg(port, CP210X_GET_BAUDRATE, &baud); + +@@ -1017,6 +1018,22 @@ static void cp210x_get_termios_port(struct usb_serial_port *port, + ctl_hs = le32_to_cpu(flow_ctl.ulControlHandshake); + if (ctl_hs & CP210X_SERIAL_CTS_HANDSHAKE) { + dev_dbg(dev, "%s - flow control = CRTSCTS\n", __func__); ++ /* ++ * When the port is closed, the CP210x hardware disables ++ * auto-RTS and RTS is deasserted but it leaves auto-CTS when ++ * in hardware flow control mode. When re-opening the port, if ++ * auto-CTS is enabled on the cp210x, then auto-RTS must be ++ * re-enabled in the driver. ++ */ ++ flow_repl = le32_to_cpu(flow_ctl.ulFlowReplace); ++ flow_repl &= ~CP210X_SERIAL_RTS_MASK; ++ flow_repl |= CP210X_SERIAL_RTS_SHIFT(CP210X_SERIAL_RTS_FLOW_CTL); ++ flow_ctl.ulFlowReplace = cpu_to_le32(flow_repl); ++ cp210x_write_reg_block(port, ++ CP210X_SET_FLOW, ++ &flow_ctl, ++ sizeof(flow_ctl)); ++ + cflag |= CRTSCTS; + } else { + dev_dbg(dev, "%s - flow control = NONE\n", __func__); +-- +2.27.0 + diff --git a/queue/USB-serial-iuu_phoenix-fix-led-activity-helpers.patch b/queue/USB-serial-iuu_phoenix-fix-led-activity-helpers.patch new file mode 100644 index 00000000..0eecc1fc --- /dev/null +++ b/queue/USB-serial-iuu_phoenix-fix-led-activity-helpers.patch @@ -0,0 +1,64 @@ +From de37458f8c2bfc465500a1dd0d15dbe96d2a698c Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Thu, 16 Jul 2020 10:50:55 +0200 +Subject: [PATCH] USB: serial: iuu_phoenix: fix led-activity helpers + +commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c upstream. + +The set-led command is eight bytes long and starts with a command byte +followed by six bytes of RGB data and ends with a byte encoding a +frequency (see iuu_led() and iuu_rgbf_fill_buffer()). + +The led activity helpers had a few long-standing bugs which corrupted +the command packets by inserting a second command byte and thereby +offsetting the RGB data and dropping the frequency in non-xmas mode. + +In xmas mode, a related off-by-one error left the frequency field +uninitialised. + +Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver") +Reported-by: George Spelvin <lkml@sdf.org> +Link: https://lore.kernel.org/r/20200716085056.31471-1-johan@kernel.org +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> + +diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c +index 6336616fee49..9da0e25bb0ea 100644 +--- a/drivers/usb/serial/iuu_phoenix.c ++++ b/drivers/usb/serial/iuu_phoenix.c +@@ -350,10 +350,11 @@ static void iuu_led_activity_on(struct urb *urb) + { + struct usb_serial_port *port = urb->context; + char *buf_ptr = port->write_urb->transfer_buffer; +- *buf_ptr++ = IUU_SET_LED; ++ + if (xmas) { +- get_random_bytes(buf_ptr, 6); +- *(buf_ptr+7) = 1; ++ buf_ptr[0] = IUU_SET_LED; ++ get_random_bytes(buf_ptr + 1, 6); ++ buf_ptr[7] = 1; + } else { + iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255); + } +@@ -370,13 +371,14 @@ static void iuu_led_activity_off(struct urb *urb) + { + struct usb_serial_port *port = urb->context; + char *buf_ptr = port->write_urb->transfer_buffer; ++ + if (xmas) { + iuu_rxcmd(urb); + return; +- } else { +- *buf_ptr++ = IUU_SET_LED; +- iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); + } ++ ++ iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); ++ + usb_fill_bulk_urb(port->write_urb, port->serial->dev, + usb_sndbulkpipe(port->serial->dev, + port->bulk_out_endpointAddress), +-- +2.27.0 + diff --git a/queue/af_packet-TPACKET_V3-fix-fill-status-rwlock-imbalanc.patch b/queue/af_packet-TPACKET_V3-fix-fill-status-rwlock-imbalanc.patch new file mode 100644 index 00000000..668e2184 --- /dev/null +++ b/queue/af_packet-TPACKET_V3-fix-fill-status-rwlock-imbalanc.patch @@ -0,0 +1,71 @@ +From 88fd1cb80daa20af063bce81e1fad14e945a8dc4 Mon Sep 17 00:00:00 2001 +From: John Ogness <john.ogness@linutronix.de> +Date: Thu, 13 Aug 2020 21:45:25 +0206 +Subject: [PATCH] af_packet: TPACKET_V3: fix fill status rwlock imbalance + +commit 88fd1cb80daa20af063bce81e1fad14e945a8dc4 upstream. + +After @blk_fill_in_prog_lock is acquired there is an early out vnet +situation that can occur. In that case, the rwlock needs to be +released. + +Also, since @blk_fill_in_prog_lock is only acquired when @tp_version +is exactly TPACKET_V3, only release it on that exact condition as +well. + +And finally, add sparse annotation so that it is clearer that +prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring +and releasing @blk_fill_in_prog_lock, respectively. sparse is still +unable to understand the balance, but the warnings are now on a +higher level that make more sense. + +Fixes: 632ca50f2cbd ("af_packet: TPACKET_V3: replace busy-wait loop") +Signed-off-by: John Ogness <john.ogness@linutronix.de> +Reported-by: kernel test robot <lkp@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 0b8160d1a6e0..479c257ded73 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -941,6 +941,7 @@ static int prb_queue_frozen(struct tpacket_kbdq_core *pkc) + } + + static void prb_clear_blk_fill_status(struct packet_ring_buffer *rb) ++ __releases(&pkc->blk_fill_in_prog_lock) + { + struct tpacket_kbdq_core *pkc = GET_PBDQC_FROM_RB(rb); + +@@ -989,6 +990,7 @@ static void prb_fill_curr_block(char *curr, + struct tpacket_kbdq_core *pkc, + struct tpacket_block_desc *pbd, + unsigned int len) ++ __acquires(&pkc->blk_fill_in_prog_lock) + { + struct tpacket3_hdr *ppd; + +@@ -2286,8 +2288,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if (do_vnet && + virtio_net_hdr_from_skb(skb, h.raw + macoff - + sizeof(struct virtio_net_hdr), +- vio_le(), true, 0)) ++ vio_le(), true, 0)) { ++ if (po->tp_version == TPACKET_V3) ++ prb_clear_blk_fill_status(&po->rx_ring); + goto drop_n_account; ++ } + + if (po->tp_version <= TPACKET_V2) { + packet_increment_rx_head(po, &po->rx_ring); +@@ -2393,7 +2398,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + __clear_bit(slot_id, po->rx_ring.rx_owner_map); + spin_unlock(&sk->sk_receive_queue.lock); + sk->sk_data_ready(sk); +- } else { ++ } else if (po->tp_version == TPACKET_V3) { + prb_clear_blk_fill_status(&po->rx_ring); + } + +-- +2.27.0 + diff --git a/queue/agp-intel-Fix-a-memory-leak-on-module-initialisation.patch b/queue/agp-intel-Fix-a-memory-leak-on-module-initialisation.patch new file mode 100644 index 00000000..83830d54 --- /dev/null +++ b/queue/agp-intel-Fix-a-memory-leak-on-module-initialisation.patch @@ -0,0 +1,37 @@ +From b975abbd382fe442713a4c233549abb90e57c22b Mon Sep 17 00:00:00 2001 +From: Qiushi Wu <wu000273@umn.edu> +Date: Fri, 22 May 2020 09:34:51 +0100 +Subject: [PATCH] agp/intel: Fix a memory leak on module initialisation failure + +commit b975abbd382fe442713a4c233549abb90e57c22b upstream. + +In intel_gtt_setup_scratch_page(), pointer "page" is not released if +pci_dma_mapping_error() return an error, leading to a memory leak on +module initialisation failure. Simply fix this issue by freeing "page" +before return. + +Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page") +Signed-off-by: Qiushi Wu <wu000273@umn.edu> +Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk + +diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c +index 4b34a5195c65..5bfdf222d5f9 100644 +--- a/drivers/char/agp/intel-gtt.c ++++ b/drivers/char/agp/intel-gtt.c +@@ -304,8 +304,10 @@ static int intel_gtt_setup_scratch_page(void) + if (intel_private.needs_dmar) { + dma_addr = pci_map_page(intel_private.pcidev, page, 0, + PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); +- if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) ++ if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) { ++ __free_page(page); + return -EINVAL; ++ } + + intel_private.scratch_page_dma = dma_addr; + } else +-- +2.27.0 + diff --git a/queue/arm64-dts-exynos-Fix-silent-hang-after-boot-on-Espre.patch b/queue/arm64-dts-exynos-Fix-silent-hang-after-boot-on-Espre.patch new file mode 100644 index 00000000..9bc61b83 --- /dev/null +++ b/queue/arm64-dts-exynos-Fix-silent-hang-after-boot-on-Espre.patch @@ -0,0 +1,31 @@ +From b072714bfc0e42c984b8fd6e069f3ca17de8137a Mon Sep 17 00:00:00 2001 +From: Alim Akhtar <alim.akhtar@samsung.com> +Date: Sun, 5 Jul 2020 12:39:17 +0530 +Subject: [PATCH] arm64: dts: exynos: Fix silent hang after boot on Espresso + +commit b072714bfc0e42c984b8fd6e069f3ca17de8137a upstream. + +Once regulators are disabled after kernel boot, on Espresso board silent +hang observed because of LDO7 being disabled. LDO7 actually provide +power to CPU cores and non-cpu blocks circuitries. Keep this regulator +always-on to fix this hang. + +Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso") +Signed-off-by: Alim Akhtar <alim.akhtar@samsung.com> +Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> + +diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +index 790f12ca8981..bb86950032d3 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts ++++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +@@ -157,6 +157,7 @@ ldo7_reg: LDO7 { + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1150000>; + regulator-enable-ramp-delay = <125>; ++ regulator-always-on; + }; + + ldo8_reg: LDO8 { +-- +2.27.0 + diff --git a/queue/arm64-dts-hisilicon-hikey-fixes-to-comply-with-adi-a.patch b/queue/arm64-dts-hisilicon-hikey-fixes-to-comply-with-adi-a.patch new file mode 100644 index 00000000..3c9bd194 --- /dev/null +++ b/queue/arm64-dts-hisilicon-hikey-fixes-to-comply-with-adi-a.patch @@ -0,0 +1,65 @@ +From bbe28fc3cbabbef781bcdf847615d52ce2e26e42 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo?= <ricardo.canuelo@collabora.com> +Date: Mon, 1 Jun 2020 08:33:06 +0200 +Subject: [PATCH] arm64: dts: hisilicon: hikey: fixes to comply with adi, + adv7533 DT binding +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit bbe28fc3cbabbef781bcdf847615d52ce2e26e42 upstream. + +hi3660-hikey960.dts: + Define a 'ports' node for 'adv7533: adv7533@39' and the + 'adi,dsi-lanes' property to make it compliant with the adi,adv7533 DT + binding. + + This fills the requirements to meet the binding requirements, + remote endpoints are not defined. + +hi6220-hikey.dts: + Change property name s/pd-gpio/pd-gpios, gpio properties should be + plural. This is just a cosmetic change. + +Signed-off-by: Ricardo Cañuelo <ricardo.canuelo@collabora.com> +Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> +Signed-off-by: Wei Xu <xuwei5@hisilicon.com> + +diff --git a/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts b/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts +index ff392a47562c..c1b614dabb8e 100644 +--- a/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts ++++ b/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts +@@ -573,6 +573,17 @@ adv7533: adv7533@39 { + status = "ok"; + compatible = "adi,adv7533"; + reg = <0x39>; ++ adi,dsi-lanes = <4>; ++ ports { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ port@0 { ++ reg = <0>; ++ }; ++ port@1 { ++ reg = <1>; ++ }; ++ }; + }; + }; + +diff --git a/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts b/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts +index a41e0db8e71b..533ed523888d 100644 +--- a/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts ++++ b/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts +@@ -506,7 +506,7 @@ adv7533: adv7533@39 { + reg = <0x39>; + interrupt-parent = <&gpio1>; + interrupts = <1 2>; +- pd-gpio = <&gpio0 4 0>; ++ pd-gpios = <&gpio0 4 0>; + adi,dsi-lanes = <4>; + #sound-dai-cells = <0>; + +-- +2.27.0 + diff --git a/queue/arm64-dts-qcom-msm8916-Replace-invalid-bias-pull-non.patch b/queue/arm64-dts-qcom-msm8916-Replace-invalid-bias-pull-non.patch new file mode 100644 index 00000000..c9fcbe79 --- /dev/null +++ b/queue/arm64-dts-qcom-msm8916-Replace-invalid-bias-pull-non.patch @@ -0,0 +1,76 @@ +From 1b6a1a162defe649c5599d661b58ac64bb6f31b6 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold <stephan@gerhold.net> +Date: Fri, 5 Jun 2020 20:59:14 +0200 +Subject: [PATCH] arm64: dts: qcom: msm8916: Replace invalid bias-pull-none + property + +commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 upstream. + +msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio +pin configurations. This was likely copied from the qcom kernel fork +where the same property was used for these audio pins. + +However, "bias-pull-none" actually does not exist at all - not in +mainline and not in downstream. I can only guess that the original +intention was to configure "no pull", i.e. bias-disable. + +Change it to that instead. + +Fixes: 143bb9ad85b7 ("arm64: dts: qcom: add audio pinctrls") +Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> +Signed-off-by: Stephan Gerhold <stephan@gerhold.net> +Link: https://lore.kernel.org/r/20200605185916.318494-2-stephan@gerhold.net +Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> + +diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +index e9c00367f7fd..5785bf0a807c 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +@@ -556,7 +556,7 @@ pinconf { + pins = "gpio63", "gpio64", "gpio65", "gpio66", + "gpio67", "gpio68"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + cdc_pdm_lines_sus: pdm-lines-off { +@@ -585,7 +585,7 @@ pinconf { + pins = "gpio113", "gpio114", "gpio115", + "gpio116"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + +@@ -613,7 +613,7 @@ pinmux { + pinconf { + pins = "gpio110"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + +@@ -639,7 +639,7 @@ pinmux { + pinconf { + pins = "gpio116"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + ext_mclk_tlmm_lines_sus: mclk-lines-off { +@@ -667,7 +667,7 @@ pinconf { + pins = "gpio112", "gpio117", "gpio118", + "gpio119"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + ext_sec_tlmm_lines_sus: tlmm-lines-off { +-- +2.27.0 + diff --git a/queue/arm64-dts-rockchip-fix-rk3368-lion-gmac-reset-gpio.patch b/queue/arm64-dts-rockchip-fix-rk3368-lion-gmac-reset-gpio.patch new file mode 100644 index 00000000..9d5f67d2 --- /dev/null +++ b/queue/arm64-dts-rockchip-fix-rk3368-lion-gmac-reset-gpio.patch @@ -0,0 +1,37 @@ +From 2300e6dab473e93181cf76e4fe6671aa3d24c57b Mon Sep 17 00:00:00 2001 +From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> +Date: Sun, 7 Jun 2020 23:29:09 +0200 +Subject: [PATCH] arm64: dts: rockchip: fix rk3368-lion gmac reset gpio + +commit 2300e6dab473e93181cf76e4fe6671aa3d24c57b upstream. + +The lion gmac node currently uses opposite active-values for the +gmac phy reset pin. The gpio-declaration uses active-high while the +separate snps,reset-active-low property marks the pin as active low. + +While on the kernel side this works ok, other DT users may get +confused - as seen with uboot right now. + +So bring this in line and make both properties match, similar to the +other Rockchip board. + +Fixes: d99a02bcfa81 ("arm64: dts: rockchip: add RK3368-uQ7 (Lion) SoM") +Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> +Link: https://lore.kernel.org/r/20200607212909.920575-1-heiko@sntech.de + +diff --git a/arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi b/arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi +index e17311e09082..216aafd90e7f 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi +@@ -156,7 +156,7 @@ &gmac { + pinctrl-0 = <&rgmii_pins>; + snps,reset-active-low; + snps,reset-delays-us = <0 10000 50000>; +- snps,reset-gpio = <&gpio3 RK_PB3 GPIO_ACTIVE_HIGH>; ++ snps,reset-gpio = <&gpio3 RK_PB3 GPIO_ACTIVE_LOW>; + tx_delay = <0x10>; + rx_delay = <0x10>; + status = "okay"; +-- +2.27.0 + diff --git a/queue/arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch b/queue/arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch new file mode 100644 index 00000000..ab22f103 --- /dev/null +++ b/queue/arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch @@ -0,0 +1,37 @@ +From 8a445086f8af0b7b9bd8d1901d6f306bb154f70d Mon Sep 17 00:00:00 2001 +From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> +Date: Wed, 3 Jun 2020 15:28:36 +0200 +Subject: [PATCH] arm64: dts: rockchip: fix rk3399-puma gmac reset gpio + +commit 8a445086f8af0b7b9bd8d1901d6f306bb154f70d upstream. + +The puma gmac node currently uses opposite active-values for the +gmac phy reset pin. The gpio-declaration uses active-high while the +separate snps,reset-active-low property marks the pin as active low. + +While on the kernel side this works ok, other DT users may get +confused - as seen with uboot right now. + +So bring this in line and make both properties match, similar to the +other Rockchip board. + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> +Link: https://lore.kernel.org/r/20200603132836.362519-1-heiko@sntech.de + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +index 063f59a420b6..72c06abd27ea 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -157,7 +157,7 @@ &gmac { + phy-mode = "rgmii"; + pinctrl-names = "default"; + pinctrl-0 = <&rgmii_pins>; +- snps,reset-gpio = <&gpio3 RK_PC0 GPIO_ACTIVE_HIGH>; ++ snps,reset-gpio = <&gpio3 RK_PC0 GPIO_ACTIVE_LOW>; + snps,reset-active-low; + snps,reset-delays-us = <0 10000 50000>; + tx_delay = <0x10>; +-- +2.27.0 + diff --git a/queue/arm64-dts-rockchip-fix-rk3399-puma-vcc5v0-host-gpio.patch b/queue/arm64-dts-rockchip-fix-rk3399-puma-vcc5v0-host-gpio.patch new file mode 100644 index 00000000..ed8f3113 --- /dev/null +++ b/queue/arm64-dts-rockchip-fix-rk3399-puma-vcc5v0-host-gpio.patch @@ -0,0 +1,37 @@ +From 7a7184f6cfa9279f1a1c10a1845d247d7fad54ff Mon Sep 17 00:00:00 2001 +From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> +Date: Thu, 4 Jun 2020 11:12:39 +0200 +Subject: [PATCH] arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio + +commit 7a7184f6cfa9279f1a1c10a1845d247d7fad54ff upstream. + +The puma vcc5v0_host regulator node currently uses opposite active-values +for the enable pin. The gpio-declaration uses active-high while the +separate enable-active-low property marks the pin as active low. + +While on the kernel side this works ok, other DT users may get +confused - as seen with uboot right now. + +So bring this in line and make both properties match, similar to the +gmac fix. + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> +Link: https://lore.kernel.org/r/20200604091239.424318-1-heiko@sntech.de + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +index 07694b196fdb..063f59a420b6 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -101,7 +101,7 @@ vcc3v3_sys: vcc3v3-sys { + + vcc5v0_host: vcc5v0-host-regulator { + compatible = "regulator-fixed"; +- gpio = <&gpio4 RK_PA3 GPIO_ACTIVE_HIGH>; ++ gpio = <&gpio4 RK_PA3 GPIO_ACTIVE_LOW>; + enable-active-low; + pinctrl-names = "default"; + pinctrl-0 = <&vcc5v0_host_en>; +-- +2.27.0 + diff --git a/queue/ath10k-Acquire-tx_lock-in-tx-error-paths.patch b/queue/ath10k-Acquire-tx_lock-in-tx-error-paths.patch new file mode 100644 index 00000000..b5e583d7 --- /dev/null +++ b/queue/ath10k-Acquire-tx_lock-in-tx-error-paths.patch @@ -0,0 +1,44 @@ +From a738e766e3ed92c4ee5ec967777276b5ce11dd2c Mon Sep 17 00:00:00 2001 +From: Evan Green <evgreen@chromium.org> +Date: Thu, 4 Jun 2020 10:59:11 -0700 +Subject: [PATCH] ath10k: Acquire tx_lock in tx error paths + +commit a738e766e3ed92c4ee5ec967777276b5ce11dd2c upstream. + +ath10k_htt_tx_free_msdu_id() has a lockdep assertion that htt->tx_lock +is held. Acquire the lock in a couple of error paths when calling that +function to ensure this condition is met. + +Fixes: 6421969f248fd ("ath10k: refactor tx pending management") +Fixes: e62ee5c381c59 ("ath10k: Add support for htt_data_tx_desc_64 descriptor") +Signed-off-by: Evan Green <evgreen@chromium.org> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200604105901.1.I5b8b0c7ee0d3e51a73248975a9da61401b8f3900@changeid + +diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c +index 4fd10ac3a941..bbe869575855 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_tx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_tx.c +@@ -1591,7 +1591,9 @@ static int ath10k_htt_tx_32(struct ath10k_htt *htt, + err_unmap_msdu: + dma_unmap_single(dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); + err_free_msdu_id: ++ spin_lock_bh(&htt->tx_lock); + ath10k_htt_tx_free_msdu_id(htt, msdu_id); ++ spin_unlock_bh(&htt->tx_lock); + err: + return res; + } +@@ -1798,7 +1800,9 @@ static int ath10k_htt_tx_64(struct ath10k_htt *htt, + err_unmap_msdu: + dma_unmap_single(dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); + err_free_msdu_id: ++ spin_lock_bh(&htt->tx_lock); + ath10k_htt_tx_free_msdu_id(htt, msdu_id); ++ spin_unlock_bh(&htt->tx_lock); + err: + return res; + } +-- +2.27.0 + diff --git a/queue/bcache-fix-super-block-seq-numbers-comparision-in-re.patch b/queue/bcache-fix-super-block-seq-numbers-comparision-in-re.patch new file mode 100644 index 00000000..e70aedb7 --- /dev/null +++ b/queue/bcache-fix-super-block-seq-numbers-comparision-in-re.patch @@ -0,0 +1,73 @@ +From 117f636ea695270fe492d0c0c9dfadc7a662af47 Mon Sep 17 00:00:00 2001 +From: Coly Li <colyli@suse.de> +Date: Sat, 25 Jul 2020 20:00:26 +0800 +Subject: [PATCH] bcache: fix super block seq numbers comparision in + register_cache_set() + +commit 117f636ea695270fe492d0c0c9dfadc7a662af47 upstream. + +In register_cache_set(), c is pointer to struct cache_set, and ca is +pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this +registering cache has up to date version and other members, the in- +memory version and other members should be updated to the newer value. + +But current implementation makes a cache set only has a single cache +device, so the above assumption works well except for a special case. +The execption is when a cache device new created and both ca->sb.seq and +c->sb.seq are 0, because the super block is never flushed out yet. In +the location for the following if() check, +2156 if (ca->sb.seq > c->sb.seq) { +2157 c->sb.version = ca->sb.version; +2158 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); +2159 c->sb.flags = ca->sb.flags; +2160 c->sb.seq = ca->sb.seq; +2161 pr_debug("set version = %llu\n", c->sb.version); +2162 } +c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0, +the if() check will fail (because both values are 0), and the cache set +version, set_uuid, flags and seq won't be updated. + +The above problem is hiden for current code, because the bucket size is +compatible among different super block version. And the next time when +running cache set again, ca->sb.seq will be larger than 0 and cache set +super block version will be updated properly. + +But if the large bucket feature is enabled, sb->bucket_size is the low +16bits of the bucket size. For a power of 2 value, when the actual +bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then +read_super_common() will fail because the if() check to +is_power_of_2(sb->bucket_size) is false. This is how the long time +hidden bug is triggered. + +This patch modifies the if() check to the following way, +2156 if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { +Then cache set's version, set_uuid, flags and seq will always be updated +corectly including for a new created cache device. + +Signed-off-by: Coly Li <colyli@suse.de> +Reviewed-by: Hannes Reinecke <hare@suse.de> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 6134e075efc8..40fb18028c01 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -2154,7 +2154,14 @@ static const char *register_cache_set(struct cache *ca) + sysfs_create_link(&c->kobj, &ca->kobj, buf)) + goto err; + +- if (ca->sb.seq > c->sb.seq) { ++ /* ++ * A special case is both ca->sb.seq and c->sb.seq are 0, ++ * such condition happens on a new created cache device whose ++ * super block is never flushed yet. In this case c->sb.version ++ * and other members should be updated too, otherwise we will ++ * have a mistaken super block version in cache set. ++ */ ++ if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { + c->sb.version = ca->sb.version; + memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); + c->sb.flags = ca->sb.flags; +-- +2.27.0 + diff --git a/queue/bdc-Fix-bug-causing-crash-after-multiple-disconnects.patch b/queue/bdc-Fix-bug-causing-crash-after-multiple-disconnects.patch new file mode 100644 index 00000000..4b7eb6c5 --- /dev/null +++ b/queue/bdc-Fix-bug-causing-crash-after-multiple-disconnects.patch @@ -0,0 +1,85 @@ +From a95bdfd22076497288868c028619bc5995f5cc7f Mon Sep 17 00:00:00 2001 +From: Sasi Kumar <sasi.kumar@broadcom.com> +Date: Wed, 22 Jul 2020 13:07:42 -0400 +Subject: [PATCH] bdc: Fix bug causing crash after multiple disconnects + +commit a95bdfd22076497288868c028619bc5995f5cc7f upstream. + +Multiple connects/disconnects can cause a crash on the second +disconnect. The driver had a problem where it would try to send +endpoint commands after it was disconnected which is not allowed +by the hardware. The fix is to only allow the endpoint commands +when the endpoint is connected. This will also fix issues that +showed up when using configfs to create gadgets. + +Signed-off-by: Sasi Kumar <sasi.kumar@broadcom.com> +Signed-off-by: Al Cooper <alcooperx@gmail.com> +Acked-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: Felipe Balbi <balbi@kernel.org> + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index 27e8f50974bb..28909d4b8190 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -278,6 +278,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + * in that case reinit is passed as 1 + */ + if (reinit) { ++ int i; + /* Enable interrupts */ + temp = bdc_readl(bdc->regs, BDC_BDCSC); + temp |= BDC_GIE; +@@ -287,6 +288,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + /* Initialize SRR to 0 */ + memset(bdc->srr.sr_bds, 0, + NUM_SR_ENTRIES * sizeof(struct bdc_bd)); ++ /* clear ep flags to avoid post disconnect stops/deconfigs */ ++ for (i = 1; i < bdc->num_eps; ++i) ++ bdc->bdc_ep_array[i]->flags = 0; + } else { + /* One time initiaization only */ + /* Enable status report function pointers */ +diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c +index ba250cf75bef..fafdc9fdb4a5 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c +@@ -615,7 +615,6 @@ int bdc_ep_enable(struct bdc_ep *ep) + } + bdc_dbg_bd_list(bdc, ep); + /* only for ep0: config ep is called for ep0 from connect event */ +- ep->flags |= BDC_EP_ENABLED; + if (ep->ep_num == 1) + return ret; + +@@ -759,10 +758,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req) + __func__, ep->name, start_bdi, end_bdi); + dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n", + ep, (void *)ep->usb_ep.desc); +- /* Stop the ep to see where the HW is ? */ +- ret = bdc_stop_ep(bdc, ep->ep_num); +- /* if there is an issue with stopping ep, then no need to go further */ +- if (ret) ++ /* if still connected, stop the ep to see where the HW is ? */ ++ if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) { ++ ret = bdc_stop_ep(bdc, ep->ep_num); ++ /* if there is an issue, then no need to go further */ ++ if (ret) ++ return 0; ++ } else + return 0; + + /* +@@ -1911,7 +1913,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep) + __func__, ep->name, ep->flags); + + if (!(ep->flags & BDC_EP_ENABLED)) { +- dev_warn(bdc->dev, "%s is already disabled\n", ep->name); ++ if (bdc->gadget.speed != USB_SPEED_UNKNOWN) ++ dev_warn(bdc->dev, "%s is already disabled\n", ++ ep->name); + return 0; + } + spin_lock_irqsave(&bdc->lock, flags); +-- +2.27.0 + diff --git a/queue/bitfield.h-don-t-compile-time-validate-_val-in-FIELD.patch b/queue/bitfield.h-don-t-compile-time-validate-_val-in-FIELD.patch new file mode 100644 index 00000000..b965e0ae --- /dev/null +++ b/queue/bitfield.h-don-t-compile-time-validate-_val-in-FIELD.patch @@ -0,0 +1,53 @@ +From 444da3f52407d74c9aa12187ac6b01f76ee47d62 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski <kuba@kernel.org> +Date: Mon, 10 Aug 2020 11:21:11 -0700 +Subject: [PATCH] bitfield.h: don't compile-time validate _val in FIELD_FIT + +commit 444da3f52407d74c9aa12187ac6b01f76ee47d62 upstream. + +When ur_load_imm_any() is inlined into jeq_imm(), it's possible for the +compiler to deduce a case where _val can only have the value of -1 at +compile time. Specifically, + +/* struct bpf_insn: _s32 imm */ +u64 imm = insn->imm; /* sign extend */ +if (imm >> 32) { /* non-zero only if insn->imm is negative */ + /* inlined from ur_load_imm_any */ + u32 __imm = imm >> 32; /* therefore, always 0xffffffff */ + if (__builtin_constant_p(__imm) && __imm > 255) + compiletime_assert_XXX() + +This can result in tripping a BUILD_BUG_ON() in __BF_FIELD_CHECK() that +checks that a given value is representable in one byte (interpreted as +unsigned). + +FIELD_FIT() should return true or false at runtime for whether a value +can fit for not. Don't break the build over a value that's too large for +the mask. We'd prefer to keep the inlining and compiler optimizations +though we know this case will always return false. + +Cc: stable@vger.kernel.org +Fixes: 1697599ee301a ("bitfield.h: add FIELD_FIT() helper") +Link: https://lore.kernel.org/kernel-hardening/CAK7LNASvb0UDJ0U5wkYYRzTAdnEs64HjXpEUL7d=V0CXiAXcNw@mail.gmail.com/ +Reported-by: Masahiro Yamada <masahiroy@kernel.org> +Debugged-by: Sami Tolvanen <samitolvanen@google.com> +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h +index 48ea093ff04c..4e035aca6f7e 100644 +--- a/include/linux/bitfield.h ++++ b/include/linux/bitfield.h +@@ -77,7 +77,7 @@ + */ + #define FIELD_FIT(_mask, _val) \ + ({ \ +- __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_FIT: "); \ ++ __BF_FIELD_CHECK(_mask, 0ULL, 0ULL, "FIELD_FIT: "); \ + !((((typeof(_mask))_val) << __bf_shf(_mask)) & ~(_mask)); \ + }) + +-- +2.27.0 + diff --git a/queue/blktrace-fix-debugfs-use-after-free.patch b/queue/blktrace-fix-debugfs-use-after-free.patch new file mode 100644 index 00000000..926d9298 --- /dev/null +++ b/queue/blktrace-fix-debugfs-use-after-free.patch @@ -0,0 +1,212 @@ +From bad8e64fb19d3a0de5e564d9a7271c31bd684369 Mon Sep 17 00:00:00 2001 +From: Luis Chamberlain <mcgrof@kernel.org> +Date: Fri, 19 Jun 2020 20:47:28 +0000 +Subject: [PATCH] blktrace: fix debugfs use after free + +commit bad8e64fb19d3a0de5e564d9a7271c31bd684369 upstream. + +On commit 6ac93117ab00 ("blktrace: use existing disk debugfs directory") +merged on v4.12 Omar fixed the original blktrace code for request-based +drivers (multiqueue). This however left in place a possible crash, if you +happen to abuse blktrace while racing to remove / add a device. + +We used to use asynchronous removal of the request_queue, and with that +the issue was easier to reproduce. Now that we have reverted to +synchronous removal of the request_queue, the issue is still possible to +reproduce, its however just a bit more difficult. + +We essentially run two instances of break-blktrace which add/remove +a loop device, and setup a blktrace and just never tear the blktrace +down. We do this twice in parallel. This is easily reproduced with the +script run_0004.sh from break-blktrace [0]. + +We can end up with two types of panics each reflecting where we +race, one a failed blktrace setup: + +[ 252.426751] debugfs: Directory 'loop0' with parent 'block' already present! +[ 252.432265] BUG: kernel NULL pointer dereference, address: 00000000000000a0 +[ 252.436592] #PF: supervisor write access in kernel mode +[ 252.439822] #PF: error_code(0x0002) - not-present page +[ 252.442967] PGD 0 P4D 0 +[ 252.444656] Oops: 0002 [#1] SMP NOPTI +[ 252.446972] CPU: 10 PID: 1153 Comm: break-blktrace Tainted: G E 5.7.0-rc2-next-20200420+ #164 +[ 252.452673] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 +[ 252.456343] RIP: 0010:down_write+0x15/0x40 +[ 252.458146] Code: eb ca e8 ae 22 8d ff cc cc cc cc cc cc cc cc cc cc cc cc + cc cc 0f 1f 44 00 00 55 48 89 fd e8 52 db ff ff 31 c0 ba 01 00 + 00 00 <f0> 48 0f b1 55 00 75 0f 48 8b 04 25 c0 8b 01 00 48 89 + 45 08 5d +[ 252.463638] RSP: 0018:ffffa626415abcc8 EFLAGS: 00010246 +[ 252.464950] RAX: 0000000000000000 RBX: ffff958c25f0f5c0 RCX: ffffff8100000000 +[ 252.466727] RDX: 0000000000000001 RSI: ffffff8100000000 RDI: 00000000000000a0 +[ 252.468482] RBP: 00000000000000a0 R08: 0000000000000000 R09: 0000000000000001 +[ 252.470014] R10: 0000000000000000 R11: ffff958d1f9227ff R12: 0000000000000000 +[ 252.471473] R13: ffff958c25ea5380 R14: ffffffff8cce15f1 R15: 00000000000000a0 +[ 252.473346] FS: 00007f2e69dee540(0000) GS:ffff958c2fc80000(0000) knlGS:0000000000000000 +[ 252.475225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 252.476267] CR2: 00000000000000a0 CR3: 0000000427d10004 CR4: 0000000000360ee0 +[ 252.477526] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 252.478776] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 252.479866] Call Trace: +[ 252.480322] simple_recursive_removal+0x4e/0x2e0 +[ 252.481078] ? debugfs_remove+0x60/0x60 +[ 252.481725] ? relay_destroy_buf+0x77/0xb0 +[ 252.482662] debugfs_remove+0x40/0x60 +[ 252.483518] blk_remove_buf_file_callback+0x5/0x10 +[ 252.484328] relay_close_buf+0x2e/0x60 +[ 252.484930] relay_open+0x1ce/0x2c0 +[ 252.485520] do_blk_trace_setup+0x14f/0x2b0 +[ 252.486187] __blk_trace_setup+0x54/0xb0 +[ 252.486803] blk_trace_ioctl+0x90/0x140 +[ 252.487423] ? do_sys_openat2+0x1ab/0x2d0 +[ 252.488053] blkdev_ioctl+0x4d/0x260 +[ 252.488636] block_ioctl+0x39/0x40 +[ 252.489139] ksys_ioctl+0x87/0xc0 +[ 252.489675] __x64_sys_ioctl+0x16/0x20 +[ 252.490380] do_syscall_64+0x52/0x180 +[ 252.491032] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +And the other on the device removal: + +[ 128.528940] debugfs: Directory 'loop0' with parent 'block' already present! +[ 128.615325] BUG: kernel NULL pointer dereference, address: 00000000000000a0 +[ 128.619537] #PF: supervisor write access in kernel mode +[ 128.622700] #PF: error_code(0x0002) - not-present page +[ 128.625842] PGD 0 P4D 0 +[ 128.627585] Oops: 0002 [#1] SMP NOPTI +[ 128.629871] CPU: 12 PID: 544 Comm: break-blktrace Tainted: G E 5.7.0-rc2-next-20200420+ #164 +[ 128.635595] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014 +[ 128.640471] RIP: 0010:down_write+0x15/0x40 +[ 128.643041] Code: eb ca e8 ae 22 8d ff cc cc cc cc cc cc cc cc cc cc cc cc + cc cc 0f 1f 44 00 00 55 48 89 fd e8 52 db ff ff 31 c0 ba 01 00 + 00 00 <f0> 48 0f b1 55 00 75 0f 65 48 8b 04 25 c0 8b 01 00 48 89 + 45 08 5d +[ 128.650180] RSP: 0018:ffffa9c3c05ebd78 EFLAGS: 00010246 +[ 128.651820] RAX: 0000000000000000 RBX: ffff8ae9a6370240 RCX: ffffff8100000000 +[ 128.653942] RDX: 0000000000000001 RSI: ffffff8100000000 RDI: 00000000000000a0 +[ 128.655720] RBP: 00000000000000a0 R08: 0000000000000002 R09: ffff8ae9afd2d3d0 +[ 128.657400] R10: 0000000000000056 R11: 0000000000000000 R12: 0000000000000000 +[ 128.659099] R13: 0000000000000000 R14: 0000000000000003 R15: 00000000000000a0 +[ 128.660500] FS: 00007febfd995540(0000) GS:ffff8ae9afd00000(0000) knlGS:0000000000000000 +[ 128.662204] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 128.663426] CR2: 00000000000000a0 CR3: 0000000420042003 CR4: 0000000000360ee0 +[ 128.664776] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 128.666022] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 128.667282] Call Trace: +[ 128.667801] simple_recursive_removal+0x4e/0x2e0 +[ 128.668663] ? debugfs_remove+0x60/0x60 +[ 128.669368] debugfs_remove+0x40/0x60 +[ 128.669985] blk_trace_free+0xd/0x50 +[ 128.670593] __blk_trace_remove+0x27/0x40 +[ 128.671274] blk_trace_shutdown+0x30/0x40 +[ 128.671935] blk_release_queue+0x95/0xf0 +[ 128.672589] kobject_put+0xa5/0x1b0 +[ 128.673188] disk_release+0xa2/0xc0 +[ 128.673786] device_release+0x28/0x80 +[ 128.674376] kobject_put+0xa5/0x1b0 +[ 128.674915] loop_remove+0x39/0x50 [loop] +[ 128.675511] loop_control_ioctl+0x113/0x130 [loop] +[ 128.676199] ksys_ioctl+0x87/0xc0 +[ 128.676708] __x64_sys_ioctl+0x16/0x20 +[ 128.677274] do_syscall_64+0x52/0x180 +[ 128.677823] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The common theme here is: + +debugfs: Directory 'loop0' with parent 'block' already present + +This crash happens because of how blktrace uses the debugfs directory +where it places its files. Upon init we always create the same directory +which would be needed by blktrace but we only do this for make_request +drivers (multiqueue) block drivers. When you race a removal of these +devices with a blktrace setup you end up in a situation where the +make_request recursive debugfs removal will sweep away the blktrace +files and then later blktrace will also try to remove individual +dentries which are already NULL. The inverse is also possible and hence +the two types of use after frees. + +We don't create the block debugfs directory on init for these types of +block devices: + + * request-based block driver block devices + * every possible partition + * scsi-generic + +And so, this race should in theory only be possible with make_request +drivers. + +We can fix the UAF by simply re-using the debugfs directory for +make_request drivers (multiqueue) and only creating the ephemeral +directory for the other type of block devices. The new clarifications +on relying on the q->blk_trace_mutex *and* also checking for q->blk_trace +*prior* to processing a blktrace ensures the debugfs directories are +only created if no possible directory name clashes are possible. + +This goes tested with: + + o nvme partitions + o ISCSI with tgt, and blktracing against scsi-generic with: + o block + o tape + o cdrom + o media changer + o blktests + +This patch is part of the work which disputes the severity of +CVE-2019-19770 which shows this issue is not a core debugfs issue, but +a misuse of debugfs within blktace. + +Fixes: 6ac93117ab00 ("blktrace: use existing disk debugfs directory") +Reported-by: syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com +Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Cc: Bart Van Assche <bvanassche@acm.org> +Cc: Omar Sandoval <osandov@fb.com> +Cc: Hannes Reinecke <hare@suse.com> +Cc: Nicolai Stange <nstange@suse.de> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: Michal Hocko <mhocko@kernel.org> +Cc: "Martin K. Petersen" <martin.petersen@oracle.com> +Cc: "James E.J. Bottomley" <jejb@linux.ibm.com> +Cc: yu kuai <yukuai3@huawei.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index 5a88a6b55933..e27dee345d81 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -524,10 +524,18 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, + if (!bt->msg_data) + goto err; + +- ret = -ENOENT; +- +- dir = debugfs_lookup(buts->name, blk_debugfs_root); +- if (!dir) ++#ifdef CONFIG_BLK_DEBUG_FS ++ /* ++ * When tracing whole make_request drivers (multiqueue) block devices, ++ * reuse the existing debugfs directory created by the block layer on ++ * init. For request-based block devices, all partitions block devices, ++ * and scsi-generic block devices we create a temporary new debugfs ++ * directory that will be removed once the trace ends. ++ */ ++ if (queue_is_mq(q) && bdev && bdev == bdev->bd_contains) ++ dir = q->debugfs_dir; ++ else ++#endif + bt->dir = dir = debugfs_create_dir(buts->name, blk_debugfs_root); + + bt->dev = dev; +@@ -565,8 +573,6 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, + + ret = 0; + err: +- if (dir && !bt->dir) +- dput(dir); + if (ret) + blk_trace_free(bt); + return ret; +-- +2.27.0 + diff --git a/queue/bpf-Fix-fds_example-SIGSEGV-error.patch b/queue/bpf-Fix-fds_example-SIGSEGV-error.patch new file mode 100644 index 00000000..7faa96dd --- /dev/null +++ b/queue/bpf-Fix-fds_example-SIGSEGV-error.patch @@ -0,0 +1,39 @@ +From eef8a42d6ce087d1c81c960ae0d14f955b742feb Mon Sep 17 00:00:00 2001 +From: Wenbo Zhang <ethercflow@gmail.com> +Date: Fri, 10 Jul 2020 05:20:35 -0400 +Subject: [PATCH] bpf: Fix fds_example SIGSEGV error + +commit eef8a42d6ce087d1c81c960ae0d14f955b742feb upstream. + +The `BPF_LOG_BUF_SIZE`'s value is `UINT32_MAX >> 8`, so define an array +with it on stack caused an overflow. + +Signed-off-by: Wenbo Zhang <ethercflow@gmail.com> +Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> +Acked-by: Andrii Nakryiko <andriin@fb.com> +Link: https://lore.kernel.org/bpf/20200710092035.28919-1-ethercflow@gmail.com + +diff --git a/samples/bpf/fds_example.c b/samples/bpf/fds_example.c +index d5992f787232..59f45fef5110 100644 +--- a/samples/bpf/fds_example.c ++++ b/samples/bpf/fds_example.c +@@ -30,6 +30,8 @@ + #define BPF_M_MAP 1 + #define BPF_M_PROG 2 + ++char bpf_log_buf[BPF_LOG_BUF_SIZE]; ++ + static void usage(void) + { + printf("Usage: fds_example [...]\n"); +@@ -57,7 +59,6 @@ static int bpf_prog_create(const char *object) + BPF_EXIT_INSN(), + }; + size_t insns_cnt = sizeof(insns) / sizeof(struct bpf_insn); +- char bpf_log_buf[BPF_LOG_BUF_SIZE]; + struct bpf_object *obj; + int prog_fd; + +-- +2.27.0 + diff --git a/queue/brcmfmac-To-fix-Bss-Info-flag-definition-Bug.patch b/queue/brcmfmac-To-fix-Bss-Info-flag-definition-Bug.patch new file mode 100644 index 00000000..33e7140c --- /dev/null +++ b/queue/brcmfmac-To-fix-Bss-Info-flag-definition-Bug.patch @@ -0,0 +1,33 @@ +From fa3266541b13f390eb35bdbc38ff4a03368be004 Mon Sep 17 00:00:00 2001 +From: Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com> +Date: Thu, 4 Jun 2020 02:18:35 -0500 +Subject: [PATCH] brcmfmac: To fix Bss Info flag definition Bug + +commit fa3266541b13f390eb35bdbc38ff4a03368be004 upstream. + +Bss info flag definition need to be fixed from 0x2 to 0x4 +This flag is for rssi info received on channel. +All Firmware branches defined as 0x4 and this is bug in brcmfmac. + +Signed-off-by: Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com> +Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com> +Signed-off-by: Wright Feng <wright.feng@cypress.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +index de0ef1b545c4..2e31cc10c195 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +@@ -19,7 +19,7 @@ + #define BRCMF_ARP_OL_PEER_AUTO_REPLY 0x00000008 + + #define BRCMF_BSS_INFO_VERSION 109 /* curr ver of brcmf_bss_info_le struct */ +-#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0002 ++#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0004 + + #define BRCMF_STA_BRCM 0x00000001 /* Running a Broadcom driver */ + #define BRCMF_STA_WME 0x00000002 /* WMM association */ +-- +2.27.0 + diff --git a/queue/brcmfmac-keep-SDIO-watchdog-running-when-console_int.patch b/queue/brcmfmac-keep-SDIO-watchdog-running-when-console_int.patch new file mode 100644 index 00000000..1245806a --- /dev/null +++ b/queue/brcmfmac-keep-SDIO-watchdog-running-when-console_int.patch @@ -0,0 +1,39 @@ +From eccbf46b15bb3e35d004148f7c3a8fa8e9b26c1e Mon Sep 17 00:00:00 2001 +From: Wright Feng <wright.feng@cypress.com> +Date: Thu, 4 Jun 2020 02:18:33 -0500 +Subject: [PATCH] brcmfmac: keep SDIO watchdog running when console_interval is + non-zero + +commit eccbf46b15bb3e35d004148f7c3a8fa8e9b26c1e upstream. + +brcmfmac host driver makes SDIO bus sleep and stops SDIO watchdog if no +pending event or data. As a result, host driver does not poll firmware +console buffer before buffer overflow, which leads to missing firmware +logs. We should not stop SDIO watchdog if console_interval is non-zero +in debug build. + +Signed-off-by: Wright Feng <wright.feng@cypress.com> +Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200604071835.3842-4-wright.feng@cypress.com + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index 310d8075f5d7..bc02168ebb53 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -3699,7 +3699,11 @@ static void brcmf_sdio_bus_watchdog(struct brcmf_sdio *bus) + if (bus->idlecount > bus->idletime) { + brcmf_dbg(SDIO, "idle\n"); + sdio_claim_host(bus->sdiodev->func1); +- brcmf_sdio_wd_timer(bus, false); ++#ifdef DEBUG ++ if (!BRCMF_FWCON_ON() || ++ bus->console_interval == 0) ++#endif ++ brcmf_sdio_wd_timer(bus, false); + bus->idlecount = 0; + brcmf_sdio_bus_sleep(bus, true, false); + sdio_release_host(bus->sdiodev->func1); +-- +2.27.0 + diff --git a/queue/brcmfmac-set-state-of-hanger-slot-to-FREE-when-flush.patch b/queue/brcmfmac-set-state-of-hanger-slot-to-FREE-when-flush.patch new file mode 100644 index 00000000..f0b8908c --- /dev/null +++ b/queue/brcmfmac-set-state-of-hanger-slot-to-FREE-when-flush.patch @@ -0,0 +1,74 @@ +From fcdd7a875def793c38d7369633af3eba6c7cf089 Mon Sep 17 00:00:00 2001 +From: Wright Feng <wright.feng@cypress.com> +Date: Wed, 24 Jun 2020 04:16:07 -0500 +Subject: [PATCH] brcmfmac: set state of hanger slot to FREE when flushing PSQ + +commit fcdd7a875def793c38d7369633af3eba6c7cf089 upstream. + +When USB or SDIO device got abnormal bus disconnection, host driver +tried to clean up the skbs in PSQ and TXQ (The skb's pointer in hanger +slot linked to PSQ and TSQ), so we should set the state of skb hanger slot +to BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb. +In brcmf_fws_bus_txq_cleanup it already sets +BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb, therefore we add the +same thing in brcmf_fws_psq_flush to avoid following warning message. + + [ 1580.012880] ------------ [ cut here ]------------ + [ 1580.017550] WARNING: CPU: 3 PID: 3065 at +drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 +brcmu_pkt_buf_free_skb+0x21/0x30 [brcmutil] + [ 1580.184017] Call Trace: + [ 1580.186514] brcmf_fws_cleanup+0x14e/0x190 [brcmfmac] + [ 1580.191594] brcmf_fws_del_interface+0x70/0x90 [brcmfmac] + [ 1580.197029] brcmf_proto_bcdc_del_if+0xe/0x10 [brcmfmac] + [ 1580.202418] brcmf_remove_interface+0x69/0x190 [brcmfmac] + [ 1580.207888] brcmf_detach+0x90/0xe0 [brcmfmac] + [ 1580.212385] brcmf_usb_disconnect+0x76/0xb0 [brcmfmac] + [ 1580.217557] usb_unbind_interface+0x72/0x260 + [ 1580.221857] device_release_driver_internal+0x141/0x200 + [ 1580.227152] device_release_driver+0x12/0x20 + [ 1580.231460] bus_remove_device+0xfd/0x170 + [ 1580.235504] device_del+0x1d9/0x300 + [ 1580.239041] usb_disable_device+0x9e/0x270 + [ 1580.243160] usb_disconnect+0x94/0x270 + [ 1580.246980] hub_event+0x76d/0x13b0 + [ 1580.250499] process_one_work+0x144/0x360 + [ 1580.254564] worker_thread+0x4d/0x3c0 + [ 1580.258247] kthread+0x109/0x140 + [ 1580.261515] ? rescuer_thread+0x340/0x340 + [ 1580.265543] ? kthread_park+0x60/0x60 + [ 1580.269237] ? SyS_exit_group+0x14/0x20 + [ 1580.273118] ret_from_fork+0x25/0x30 + [ 1580.300446] ------------ [ cut here ]------------ + +Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Wright Feng <wright.feng@cypress.com> +Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200624091608.25154-2-wright.feng@cypress.com + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +index 4fefa7c0b892..2df6811c066e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +@@ -629,6 +629,7 @@ static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h, + static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q, + int ifidx) + { ++ struct brcmf_fws_hanger_item *hi; + bool (*matchfn)(struct sk_buff *, void *) = NULL; + struct sk_buff *skb; + int prec; +@@ -640,6 +641,9 @@ static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q, + skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx); + while (skb) { + hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT); ++ hi = &fws->hanger.items[hslot]; ++ WARN_ON(skb != hi->pkt); ++ hi->state = BRCMF_FWS_HANGER_ITEM_STATE_FREE; + brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb, + true); + brcmu_pkt_buf_free_skb(skb); +-- +2.27.0 + diff --git a/queue/btmrvl-Fix-firmware-filename-for-sd8977-chipset.patch b/queue/btmrvl-Fix-firmware-filename-for-sd8977-chipset.patch new file mode 100644 index 00000000..5d32dd79 --- /dev/null +++ b/queue/btmrvl-Fix-firmware-filename-for-sd8977-chipset.patch @@ -0,0 +1,44 @@ +From dbec3af5f13b88a96e31f252957ae1a82484a923 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org> +Date: Wed, 3 Jun 2020 10:22:28 +0200 +Subject: [PATCH] btmrvl: Fix firmware filename for sd8977 chipset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit dbec3af5f13b88a96e31f252957ae1a82484a923 upstream. + +Firmware for sd8977 chipset is distributed by Marvell package and also as +part of the linux-firmware repository in filename sdsd8977_combo_v2.bin. + +This patch fixes mwifiex driver to load correct firmware file for sd8977. + +Fixes: 8c57983bf7a79 ("Bluetooth: btmrvl: add support for sd8977 chipset") +Signed-off-by: Pali Rohár <pali@kernel.org> +Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c +index 0f3a020703ab..7aa2c94720bc 100644 +--- a/drivers/bluetooth/btmrvl_sdio.c ++++ b/drivers/bluetooth/btmrvl_sdio.c +@@ -328,7 +328,7 @@ static const struct btmrvl_sdio_device btmrvl_sdio_sd8897 = { + + static const struct btmrvl_sdio_device btmrvl_sdio_sd8977 = { + .helper = NULL, +- .firmware = "mrvl/sd8977_uapsta.bin", ++ .firmware = "mrvl/sdsd8977_combo_v2.bin", + .reg = &btmrvl_reg_8977, + .support_pscan_win_report = true, + .sd_blksz_fw_dl = 256, +@@ -1831,6 +1831,6 @@ MODULE_FIRMWARE("mrvl/sd8787_uapsta.bin"); + MODULE_FIRMWARE("mrvl/sd8797_uapsta.bin"); + MODULE_FIRMWARE("mrvl/sd8887_uapsta.bin"); + MODULE_FIRMWARE("mrvl/sd8897_uapsta.bin"); +-MODULE_FIRMWARE("mrvl/sd8977_uapsta.bin"); ++MODULE_FIRMWARE("mrvl/sdsd8977_combo_v2.bin"); + MODULE_FIRMWARE("mrvl/sd8987_uapsta.bin"); + MODULE_FIRMWARE("mrvl/sd8997_uapsta.bin"); +-- +2.27.0 + diff --git a/queue/btmrvl-Fix-firmware-filename-for-sd8997-chipset.patch b/queue/btmrvl-Fix-firmware-filename-for-sd8997-chipset.patch new file mode 100644 index 00000000..3079bee3 --- /dev/null +++ b/queue/btmrvl-Fix-firmware-filename-for-sd8997-chipset.patch @@ -0,0 +1,42 @@ +From 00eb0cb36fad53315047af12e83c643d3a2c2e49 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org> +Date: Wed, 3 Jun 2020 10:22:29 +0200 +Subject: [PATCH] btmrvl: Fix firmware filename for sd8997 chipset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 00eb0cb36fad53315047af12e83c643d3a2c2e49 upstream. + +Firmware for sd8997 chipset is distributed by Marvell package and also as +part of the linux-firmware repository in filename sdsd8997_combo_v4.bin. + +This patch fixes mwifiex driver to load correct firmware file for sd8997. + +Fixes: f0ef67485f591 ("Bluetooth: btmrvl: add sd8997 chipset support") +Signed-off-by: Pali Rohár <pali@kernel.org> +Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c +index 7aa2c94720bc..4c7978cb1786 100644 +--- a/drivers/bluetooth/btmrvl_sdio.c ++++ b/drivers/bluetooth/btmrvl_sdio.c +@@ -346,7 +346,7 @@ static const struct btmrvl_sdio_device btmrvl_sdio_sd8987 = { + + static const struct btmrvl_sdio_device btmrvl_sdio_sd8997 = { + .helper = NULL, +- .firmware = "mrvl/sd8997_uapsta.bin", ++ .firmware = "mrvl/sdsd8997_combo_v4.bin", + .reg = &btmrvl_reg_8997, + .support_pscan_win_report = true, + .sd_blksz_fw_dl = 256, +@@ -1833,4 +1833,4 @@ MODULE_FIRMWARE("mrvl/sd8887_uapsta.bin"); + MODULE_FIRMWARE("mrvl/sd8897_uapsta.bin"); + MODULE_FIRMWARE("mrvl/sdsd8977_combo_v2.bin"); + MODULE_FIRMWARE("mrvl/sd8987_uapsta.bin"); +-MODULE_FIRMWARE("mrvl/sd8997_uapsta.bin"); ++MODULE_FIRMWARE("mrvl/sdsd8997_combo_v4.bin"); +-- +2.27.0 + diff --git a/queue/btrfs-fix-lockdep-splat-from-btrfs_dump_space_info.patch b/queue/btrfs-fix-lockdep-splat-from-btrfs_dump_space_info.patch new file mode 100644 index 00000000..e77fc9fe --- /dev/null +++ b/queue/btrfs-fix-lockdep-splat-from-btrfs_dump_space_info.patch @@ -0,0 +1,192 @@ +From ab0db043c35da3477e57d4d516492b2d51a5ca0f Mon Sep 17 00:00:00 2001 +From: Josef Bacik <josef@toxicpanda.com> +Date: Fri, 17 Jul 2020 15:12:29 -0400 +Subject: [PATCH] btrfs: fix lockdep splat from btrfs_dump_space_info + +commit ab0db043c35da3477e57d4d516492b2d51a5ca0f upstream. + +When running with -o enospc_debug you can get the following splat if one +of the dump_space_info's trip + + ====================================================== + WARNING: possible circular locking dependency detected + 5.8.0-rc5+ #20 Tainted: G OE + ------------------------------------------------------ + dd/563090 is trying to acquire lock: + ffff9e7dbf4f1e18 (&ctl->tree_lock){+.+.}-{2:2}, at: btrfs_dump_free_space+0x2b/0xa0 [btrfs] + + but task is already holding lock: + ffff9e7e2284d428 (&cache->lock){+.+.}-{2:2}, at: btrfs_dump_space_info+0xaa/0x120 [btrfs] + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #3 (&cache->lock){+.+.}-{2:2}: + _raw_spin_lock+0x25/0x30 + btrfs_add_reserved_bytes+0x3c/0x3c0 [btrfs] + find_free_extent+0x7ef/0x13b0 [btrfs] + btrfs_reserve_extent+0x9b/0x180 [btrfs] + btrfs_alloc_tree_block+0xc1/0x340 [btrfs] + alloc_tree_block_no_bg_flush+0x4a/0x60 [btrfs] + __btrfs_cow_block+0x122/0x530 [btrfs] + btrfs_cow_block+0x106/0x210 [btrfs] + commit_cowonly_roots+0x55/0x300 [btrfs] + btrfs_commit_transaction+0x4ed/0xac0 [btrfs] + sync_filesystem+0x74/0x90 + generic_shutdown_super+0x22/0x100 + kill_anon_super+0x14/0x30 + btrfs_kill_super+0x12/0x20 [btrfs] + deactivate_locked_super+0x36/0x70 + cleanup_mnt+0x104/0x160 + task_work_run+0x5f/0x90 + __prepare_exit_to_usermode+0x1bd/0x1c0 + do_syscall_64+0x5e/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + -> #2 (&space_info->lock){+.+.}-{2:2}: + _raw_spin_lock+0x25/0x30 + btrfs_block_rsv_release+0x1a6/0x3f0 [btrfs] + btrfs_inode_rsv_release+0x4f/0x170 [btrfs] + btrfs_clear_delalloc_extent+0x155/0x480 [btrfs] + clear_state_bit+0x81/0x1a0 [btrfs] + __clear_extent_bit+0x25c/0x5d0 [btrfs] + clear_extent_bit+0x15/0x20 [btrfs] + btrfs_invalidatepage+0x2b7/0x3c0 [btrfs] + truncate_cleanup_page+0x47/0xe0 + truncate_inode_pages_range+0x238/0x840 + truncate_pagecache+0x44/0x60 + btrfs_setattr+0x202/0x5e0 [btrfs] + notify_change+0x33b/0x490 + do_truncate+0x76/0xd0 + path_openat+0x687/0xa10 + do_filp_open+0x91/0x100 + do_sys_openat2+0x215/0x2d0 + do_sys_open+0x44/0x80 + do_syscall_64+0x52/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + -> #1 (&tree->lock#2){+.+.}-{2:2}: + _raw_spin_lock+0x25/0x30 + find_first_extent_bit+0x32/0x150 [btrfs] + write_pinned_extent_entries.isra.0+0xc5/0x100 [btrfs] + __btrfs_write_out_cache+0x172/0x480 [btrfs] + btrfs_write_out_cache+0x7a/0xf0 [btrfs] + btrfs_write_dirty_block_groups+0x286/0x3b0 [btrfs] + commit_cowonly_roots+0x245/0x300 [btrfs] + btrfs_commit_transaction+0x4ed/0xac0 [btrfs] + close_ctree+0xf9/0x2f5 [btrfs] + generic_shutdown_super+0x6c/0x100 + kill_anon_super+0x14/0x30 + btrfs_kill_super+0x12/0x20 [btrfs] + deactivate_locked_super+0x36/0x70 + cleanup_mnt+0x104/0x160 + task_work_run+0x5f/0x90 + __prepare_exit_to_usermode+0x1bd/0x1c0 + do_syscall_64+0x5e/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + -> #0 (&ctl->tree_lock){+.+.}-{2:2}: + __lock_acquire+0x1240/0x2460 + lock_acquire+0xab/0x360 + _raw_spin_lock+0x25/0x30 + btrfs_dump_free_space+0x2b/0xa0 [btrfs] + btrfs_dump_space_info+0xf4/0x120 [btrfs] + btrfs_reserve_extent+0x176/0x180 [btrfs] + __btrfs_prealloc_file_range+0x145/0x550 [btrfs] + cache_save_setup+0x28d/0x3b0 [btrfs] + btrfs_start_dirty_block_groups+0x1fc/0x4f0 [btrfs] + btrfs_commit_transaction+0xcc/0xac0 [btrfs] + btrfs_alloc_data_chunk_ondemand+0x162/0x4c0 [btrfs] + btrfs_check_data_free_space+0x4c/0xa0 [btrfs] + btrfs_buffered_write.isra.0+0x19b/0x740 [btrfs] + btrfs_file_write_iter+0x3cf/0x610 [btrfs] + new_sync_write+0x11e/0x1b0 + vfs_write+0x1c9/0x200 + ksys_write+0x68/0xe0 + do_syscall_64+0x52/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + other info that might help us debug this: + + Chain exists of: + &ctl->tree_lock --> &space_info->lock --> &cache->lock + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&cache->lock); + lock(&space_info->lock); + lock(&cache->lock); + lock(&ctl->tree_lock); + + *** DEADLOCK *** + + 6 locks held by dd/563090: + #0: ffff9e7e21d18448 (sb_writers#14){.+.+}-{0:0}, at: vfs_write+0x195/0x200 + #1: ffff9e7dd0410ed8 (&sb->s_type->i_mutex_key#19){++++}-{3:3}, at: btrfs_file_write_iter+0x86/0x610 [btrfs] + #2: ffff9e7e21d18638 (sb_internal#2){.+.+}-{0:0}, at: start_transaction+0x40b/0x5b0 [btrfs] + #3: ffff9e7e1f05d688 (&cur_trans->cache_write_mutex){+.+.}-{3:3}, at: btrfs_start_dirty_block_groups+0x158/0x4f0 [btrfs] + #4: ffff9e7e2284ddb8 (&space_info->groups_sem){++++}-{3:3}, at: btrfs_dump_space_info+0x69/0x120 [btrfs] + #5: ffff9e7e2284d428 (&cache->lock){+.+.}-{2:2}, at: btrfs_dump_space_info+0xaa/0x120 [btrfs] + + stack backtrace: + CPU: 3 PID: 563090 Comm: dd Tainted: G OE 5.8.0-rc5+ #20 + Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./890FX Deluxe5, BIOS P1.40 05/03/2011 + Call Trace: + dump_stack+0x96/0xd0 + check_noncircular+0x162/0x180 + __lock_acquire+0x1240/0x2460 + ? wake_up_klogd.part.0+0x30/0x40 + lock_acquire+0xab/0x360 + ? btrfs_dump_free_space+0x2b/0xa0 [btrfs] + _raw_spin_lock+0x25/0x30 + ? btrfs_dump_free_space+0x2b/0xa0 [btrfs] + btrfs_dump_free_space+0x2b/0xa0 [btrfs] + btrfs_dump_space_info+0xf4/0x120 [btrfs] + btrfs_reserve_extent+0x176/0x180 [btrfs] + __btrfs_prealloc_file_range+0x145/0x550 [btrfs] + ? btrfs_qgroup_reserve_data+0x1d/0x60 [btrfs] + cache_save_setup+0x28d/0x3b0 [btrfs] + btrfs_start_dirty_block_groups+0x1fc/0x4f0 [btrfs] + btrfs_commit_transaction+0xcc/0xac0 [btrfs] + ? start_transaction+0xe0/0x5b0 [btrfs] + btrfs_alloc_data_chunk_ondemand+0x162/0x4c0 [btrfs] + btrfs_check_data_free_space+0x4c/0xa0 [btrfs] + btrfs_buffered_write.isra.0+0x19b/0x740 [btrfs] + ? ktime_get_coarse_real_ts64+0xa8/0xd0 + ? trace_hardirqs_on+0x1c/0xe0 + btrfs_file_write_iter+0x3cf/0x610 [btrfs] + new_sync_write+0x11e/0x1b0 + vfs_write+0x1c9/0x200 + ksys_write+0x68/0xe0 + do_syscall_64+0x52/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +This is because we're holding the block_group->lock while trying to dump +the free space cache. However we don't need this lock, we just need it +to read the values for the printk, so move the free space cache dumping +outside of the block group lock. + +Signed-off-by: Josef Bacik <josef@toxicpanda.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> + +diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index c7bd3fdd7792..475968ccbd1d 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -468,8 +468,8 @@ void btrfs_dump_space_info(struct btrfs_fs_info *fs_info, + "block group %llu has %llu bytes, %llu used %llu pinned %llu reserved %s", + cache->start, cache->length, cache->used, cache->pinned, + cache->reserved, cache->ro ? "[readonly]" : ""); +- btrfs_dump_free_space(cache, bytes); + spin_unlock(&cache->lock); ++ btrfs_dump_free_space(cache, bytes); + } + if (++index < BTRFS_NR_RAID_TYPES) + goto again; +-- +2.27.0 + diff --git a/queue/bus-ti-sysc-Add-missing-quirk-flags-for-usb_host_hs.patch b/queue/bus-ti-sysc-Add-missing-quirk-flags-for-usb_host_hs.patch new file mode 100644 index 00000000..2376dbe1 --- /dev/null +++ b/queue/bus-ti-sysc-Add-missing-quirk-flags-for-usb_host_hs.patch @@ -0,0 +1,41 @@ +From 4254632dba27271f6de66efd87e444ee405dee29 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren <tony@atomide.com> +Date: Mon, 13 Jul 2020 09:59:47 -0700 +Subject: [PATCH] bus: ti-sysc: Add missing quirk flags for usb_host_hs + +commit 4254632dba27271f6de66efd87e444ee405dee29 upstream. + +Similar to what we have for the legacy platform data, we need to +configure SWSUP_SIDLE and SWSUP_MSTANDBY quirks for usb_host_hs. + +These are needed to drop the legacy platform data for usb_host_hs. + +Signed-off-by: Tony Lindgren <tony@atomide.com> + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 3affd180baac..78fc3da39088 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -1330,6 +1330,10 @@ static const struct sysc_revision_quirk sysc_revision_quirks[] = { + SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_SWSUP_MSTANDBY), + SYSC_QUIRK("tptc", 0, 0, -ENODEV, -ENODEV, 0x40007c00, 0xffffffff, + SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_SWSUP_MSTANDBY), ++ SYSC_QUIRK("usb_host_hs", 0, 0, 0x10, 0x14, 0x50700100, 0xffffffff, ++ SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_SWSUP_MSTANDBY), ++ SYSC_QUIRK("usb_host_hs", 0, 0, 0x10, -ENODEV, 0x50700101, 0xffffffff, ++ SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_SWSUP_MSTANDBY), + SYSC_QUIRK("usb_otg_hs", 0, 0x400, 0x404, 0x408, 0x00000050, + 0xffffffff, SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_SWSUP_MSTANDBY), + SYSC_QUIRK("usb_otg_hs", 0, 0, 0x10, -ENODEV, 0x4ea2080d, 0xffffffff, +@@ -1408,8 +1412,6 @@ static const struct sysc_revision_quirk sysc_revision_quirks[] = { + SYSC_QUIRK("tpcc", 0, 0, -ENODEV, -ENODEV, 0x40014c00, 0xffffffff, 0), + SYSC_QUIRK("usbhstll", 0, 0, 0x10, 0x14, 0x00000004, 0xffffffff, 0), + SYSC_QUIRK("usbhstll", 0, 0, 0x10, 0x14, 0x00000008, 0xffffffff, 0), +- SYSC_QUIRK("usb_host_hs", 0, 0, 0x10, 0x14, 0x50700100, 0xffffffff, 0), +- SYSC_QUIRK("usb_host_hs", 0, 0, 0x10, -ENODEV, 0x50700101, 0xffffffff, 0), + SYSC_QUIRK("venc", 0x58003000, 0, -ENODEV, -ENODEV, 0x00000002, 0xffffffff, 0), + SYSC_QUIRK("vfpe", 0, 0, 0x104, -ENODEV, 0x4d001200, 0xffffffff, 0), + #endif +-- +2.27.0 + diff --git a/queue/clk-bcm63xx-gate-fix-last-clock-availability.patch b/queue/clk-bcm63xx-gate-fix-last-clock-availability.patch new file mode 100644 index 00000000..05e15d6d --- /dev/null +++ b/queue/clk-bcm63xx-gate-fix-last-clock-availability.patch @@ -0,0 +1,34 @@ +From cf8030d7035bd3e89c9e66f7193a7fc8057a9b9a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= <noltari@gmail.com> +Date: Tue, 9 Jun 2020 13:08:46 +0200 +Subject: [PATCH] clk: bcm63xx-gate: fix last clock availability +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit cf8030d7035bd3e89c9e66f7193a7fc8057a9b9a upstream. + +In order to make the last clock available, maxbit has to be set to the +highest bit value plus 1. + +Fixes: 1c099779c1e2 ("clk: add BCM63XX gated clock controller driver") +Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> +Link: https://lore.kernel.org/r/20200609110846.4029620-1-noltari@gmail.com +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: Stephen Boyd <sboyd@kernel.org> + +diff --git a/drivers/clk/bcm/clk-bcm63xx-gate.c b/drivers/clk/bcm/clk-bcm63xx-gate.c +index 98e884957db8..911a29bd744e 100644 +--- a/drivers/clk/bcm/clk-bcm63xx-gate.c ++++ b/drivers/clk/bcm/clk-bcm63xx-gate.c +@@ -155,6 +155,7 @@ static int clk_bcm63xx_probe(struct platform_device *pdev) + + for (entry = table; entry->name; entry++) + maxbit = max_t(u8, maxbit, entry->bit); ++ maxbit++; + + hw = devm_kzalloc(&pdev->dev, struct_size(hw, data.hws, maxbit), + GFP_KERNEL); +-- +2.27.0 + diff --git a/queue/clk-qcom-clk-rpmh-Wait-for-completion-when-enabling-.patch b/queue/clk-qcom-clk-rpmh-Wait-for-completion-when-enabling-.patch new file mode 100644 index 00000000..128f99ad --- /dev/null +++ b/queue/clk-qcom-clk-rpmh-Wait-for-completion-when-enabling-.patch @@ -0,0 +1,79 @@ +From dad4e7fda4bdc1a6357db500a7bab8843c08e521 Mon Sep 17 00:00:00 2001 +From: Mike Tipton <mdtipton@codeaurora.org> +Date: Fri, 14 Feb 2020 18:12:32 -0800 +Subject: [PATCH] clk: qcom: clk-rpmh: Wait for completion when enabling clocks + +commit dad4e7fda4bdc1a6357db500a7bab8843c08e521 upstream. + +The current implementation always uses rpmh_write_async, which doesn't +wait for completion. That's fine for disable requests since there's no +immediate need for the clocks and they can be disabled in the +background. However, for enable requests we need to ensure the clocks +are actually enabled before returning to the client. Otherwise, clients +can end up accessing their HW before the necessary clocks are enabled, +which can lead to bus errors. + +Use the synchronous version of this API (rpmh_write) for enable requests +in the active set to ensure completion. + +Completion isn't required for sleep/wake sets, since they don't take +effect until after we enter sleep. All rpmh requests are automatically +flushed prior to entering sleep. + +Fixes: 9c7e47025a6b ("clk: qcom: clk-rpmh: Add QCOM RPMh clock driver") +Signed-off-by: Mike Tipton <mdtipton@codeaurora.org> +Link: https://lkml.kernel.org/r/20200215021232.1149-1-mdtipton@codeaurora.org +Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> +[sboyd@kernel.org: Reorg code a bit for readability, rename to 'wait' to +make local variable not conflict with completion.h mechanism] +Signed-off-by: Stephen Boyd <sboyd@kernel.org> + +diff --git a/drivers/clk/qcom/clk-rpmh.c b/drivers/clk/qcom/clk-rpmh.c +index 12bd8715dece..bfc29aec3a78 100644 +--- a/drivers/clk/qcom/clk-rpmh.c ++++ b/drivers/clk/qcom/clk-rpmh.c +@@ -143,12 +143,22 @@ static inline bool has_state_changed(struct clk_rpmh *c, u32 state) + != (c->aggr_state & BIT(state)); + } + ++static int clk_rpmh_send(struct clk_rpmh *c, enum rpmh_state state, ++ struct tcs_cmd *cmd, bool wait) ++{ ++ if (wait) ++ return rpmh_write(c->dev, state, cmd, 1); ++ ++ return rpmh_write_async(c->dev, state, cmd, 1); ++} ++ + static int clk_rpmh_send_aggregate_command(struct clk_rpmh *c) + { + struct tcs_cmd cmd = { 0 }; + u32 cmd_state, on_val; + enum rpmh_state state = RPMH_SLEEP_STATE; + int ret; ++ bool wait; + + cmd.addr = c->res_addr; + cmd_state = c->aggr_state; +@@ -159,7 +169,8 @@ static int clk_rpmh_send_aggregate_command(struct clk_rpmh *c) + if (cmd_state & BIT(state)) + cmd.data = on_val; + +- ret = rpmh_write_async(c->dev, state, &cmd, 1); ++ wait = cmd_state && state == RPMH_ACTIVE_ONLY_STATE; ++ ret = clk_rpmh_send(c, state, &cmd, wait); + if (ret) { + dev_err(c->dev, "set %s state of %s failed: (%d)\n", + !state ? "sleep" : +@@ -267,7 +278,7 @@ static int clk_rpmh_bcm_send_cmd(struct clk_rpmh *c, bool enable) + cmd.addr = c->res_addr; + cmd.data = BCM_TCS_CMD(1, enable, 0, cmd_state); + +- ret = rpmh_write_async(c->dev, RPMH_ACTIVE_ONLY_STATE, &cmd, 1); ++ ret = clk_rpmh_send(c, RPMH_ACTIVE_ONLY_STATE, &cmd, enable); + if (ret) { + dev_err(c->dev, "set active state of %s failed: (%d)\n", + c->res_name, ret); +-- +2.27.0 + diff --git a/queue/clk-scmi-Fix-min-and-max-rate-when-registering-clock.patch b/queue/clk-scmi-Fix-min-and-max-rate-when-registering-clock.patch new file mode 100644 index 00000000..497e291e --- /dev/null +++ b/queue/clk-scmi-Fix-min-and-max-rate-when-registering-clock.patch @@ -0,0 +1,65 @@ +From fcd2e0deae50bce48450f14c8fc5611b08d7438c Mon Sep 17 00:00:00 2001 +From: Sudeep Holla <sudeep.holla@arm.com> +Date: Thu, 9 Jul 2020 09:17:05 +0100 +Subject: [PATCH] clk: scmi: Fix min and max rate when registering clocks with + discrete rates + +commit fcd2e0deae50bce48450f14c8fc5611b08d7438c upstream. + +Currently we are not initializing the scmi clock with discrete rates +correctly. We fetch the min_rate and max_rate value only for clocks with +ranges and ignore the ones with discrete rates. This will lead to wrong +initialization of rate range when clock supports discrete rate. + +Fix this by using the first and the last rate in the sorted list of the +discrete clock rates while registering the clock. + +Link: https://lore.kernel.org/r/20200709081705.46084-2-sudeep.holla@arm.com +Fixes: 6d6a1d82eaef7 ("clk: add support for clocks provided by SCMI") +Reviewed-by: Stephen Boyd <sboyd@kernel.org> +Reported-and-tested-by: Dien Pham <dien.pham.ry@renesas.com> +Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> + +diff --git a/drivers/clk/clk-scmi.c b/drivers/clk/clk-scmi.c +index c491f5de0f3f..c754dfbb73fd 100644 +--- a/drivers/clk/clk-scmi.c ++++ b/drivers/clk/clk-scmi.c +@@ -103,6 +103,8 @@ static const struct clk_ops scmi_clk_ops = { + static int scmi_clk_ops_init(struct device *dev, struct scmi_clk *sclk) + { + int ret; ++ unsigned long min_rate, max_rate; ++ + struct clk_init_data init = { + .flags = CLK_GET_RATE_NOCACHE, + .num_parents = 0, +@@ -112,9 +114,23 @@ static int scmi_clk_ops_init(struct device *dev, struct scmi_clk *sclk) + + sclk->hw.init = &init; + ret = devm_clk_hw_register(dev, &sclk->hw); +- if (!ret) +- clk_hw_set_rate_range(&sclk->hw, sclk->info->range.min_rate, +- sclk->info->range.max_rate); ++ if (ret) ++ return ret; ++ ++ if (sclk->info->rate_discrete) { ++ int num_rates = sclk->info->list.num_rates; ++ ++ if (num_rates <= 0) ++ return -EINVAL; ++ ++ min_rate = sclk->info->list.rates[0]; ++ max_rate = sclk->info->list.rates[num_rates - 1]; ++ } else { ++ min_rate = sclk->info->range.min_rate; ++ max_rate = sclk->info->range.max_rate; ++ } ++ ++ clk_hw_set_rate_range(&sclk->hw, min_rate, max_rate); + return ret; + } + +-- +2.27.0 + diff --git a/queue/console-newport_con-fix-an-issue-about-leak-related-.patch b/queue/console-newport_con-fix-an-issue-about-leak-related-.patch new file mode 100644 index 00000000..fab9637b --- /dev/null +++ b/queue/console-newport_con-fix-an-issue-about-leak-related-.patch @@ -0,0 +1,85 @@ +From fd4b8243877250c05bb24af7fea5567110c9720b Mon Sep 17 00:00:00 2001 +From: Dejin Zheng <zhengdejin5@gmail.com> +Date: Fri, 24 Apr 2020 00:42:51 +0800 +Subject: [PATCH] console: newport_con: fix an issue about leak related system + resources + +commit fd4b8243877250c05bb24af7fea5567110c9720b upstream. + +A call of the function do_take_over_console() can fail here. +The corresponding system resources were not released then. +Thus add a call of iounmap() and release_mem_region() +together with the check of a failure predicate. and also +add release_mem_region() on device removal. + +Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding") +Suggested-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com> +Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Andrew Morton <akpm@osdl.org> +Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com + +diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c +index 00dddf6e08b0..2d2ee17052e8 100644 +--- a/drivers/video/console/newport_con.c ++++ b/drivers/video/console/newport_con.c +@@ -32,6 +32,8 @@ + #include <linux/linux_logo.h> + #include <linux/font.h> + ++#define NEWPORT_LEN 0x10000 ++ + #define FONT_DATA ((unsigned char *)font_vga_8x16.data) + + /* borrowed from fbcon.c */ +@@ -43,6 +45,7 @@ + static unsigned char *font_data[MAX_NR_CONSOLES]; + + static struct newport_regs *npregs; ++static unsigned long newport_addr; + + static int logo_active; + static int topscan; +@@ -702,7 +705,6 @@ const struct consw newport_con = { + static int newport_probe(struct gio_device *dev, + const struct gio_device_id *id) + { +- unsigned long newport_addr; + int err; + + if (!dev->resource.start) +@@ -712,7 +714,7 @@ static int newport_probe(struct gio_device *dev, + return -EBUSY; /* we only support one Newport as console */ + + newport_addr = dev->resource.start + 0xF0000; +- if (!request_mem_region(newport_addr, 0x10000, "Newport")) ++ if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport")) + return -ENODEV; + + npregs = (struct newport_regs *)/* ioremap cannot fail */ +@@ -720,6 +722,11 @@ static int newport_probe(struct gio_device *dev, + console_lock(); + err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1); + console_unlock(); ++ ++ if (err) { ++ iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); ++ } + return err; + } + +@@ -727,6 +734,7 @@ static void newport_remove(struct gio_device *dev) + { + give_up_console(&newport_con); + iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); + } + + static struct gio_device_id newport_ids[] = { +-- +2.27.0 + diff --git a/queue/coresight-tmc-Fix-TMC-mode-read-in-tmc_read_unprepar.patch b/queue/coresight-tmc-Fix-TMC-mode-read-in-tmc_read_unprepar.patch new file mode 100644 index 00000000..7a0e2617 --- /dev/null +++ b/queue/coresight-tmc-Fix-TMC-mode-read-in-tmc_read_unprepar.patch @@ -0,0 +1,74 @@ +From d021f5c5ff679432c5e9faee0fd7350db2efb97c Mon Sep 17 00:00:00 2001 +From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org> +Date: Thu, 16 Jul 2020 11:57:42 -0600 +Subject: [PATCH] coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb() + +commit d021f5c5ff679432c5e9faee0fd7350db2efb97c upstream. + +Reading TMC mode register without proper coresight power +management can lead to exceptions like the one in the call +trace below in tmc_read_unprepare_etb() when the trace data +is read after the sink is disabled. So fix this by having +a check for coresight sysfs mode before reading TMC mode +management register in tmc_read_unprepare_etb() similar to +tmc_read_prepare_etb(). + + SError Interrupt on CPU6, code 0xbe000411 -- SError + pstate: 80400089 (Nzcv daIf +PAN -UAO) + pc : tmc_read_unprepare_etb+0x74/0x108 + lr : tmc_read_unprepare_etb+0x54/0x108 + sp : ffffff80d9507c30 + x29: ffffff80d9507c30 x28: ffffff80b3569a0c + x27: 0000000000000000 x26: 00000000000a0001 + x25: ffffff80cbae9550 x24: 0000000000000010 + x23: ffffffd07296b0f0 x22: ffffffd0109ee028 + x21: 0000000000000000 x20: ffffff80d19e70e0 + x19: ffffff80d19e7080 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 + x15: 0000000000000000 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: dfffffd000000001 + x9 : 0000000000000000 x8 : 0000000000000002 + x7 : ffffffd071d0fe78 x6 : 0000000000000000 + x5 : 0000000000000080 x4 : 0000000000000001 + x3 : ffffffd071d0fe98 x2 : 0000000000000000 + x1 : 0000000000000004 x0 : 0000000000000001 + Kernel panic - not syncing: Asynchronous SError Interrupt + +Fixes: 4525412a5046 ("coresight: tmc: making prepare/unprepare functions generic") +Reported-by: Mike Leach <mike.leach@linaro.org> +Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org> +Tested-by: Mike Leach <mike.leach@linaro.org> +Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> +Link: https://lore.kernel.org/r/20200716175746.3338735-14-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c +index 36cce2bfb744..6375504ba8b0 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c +@@ -639,15 +639,14 @@ int tmc_read_unprepare_etb(struct tmc_drvdata *drvdata) + + spin_lock_irqsave(&drvdata->spinlock, flags); + +- /* There is no point in reading a TMC in HW FIFO mode */ +- mode = readl_relaxed(drvdata->base + TMC_MODE); +- if (mode != TMC_MODE_CIRCULAR_BUFFER) { +- spin_unlock_irqrestore(&drvdata->spinlock, flags); +- return -EINVAL; +- } +- + /* Re-enable the TMC if need be */ + if (drvdata->mode == CS_MODE_SYSFS) { ++ /* There is no point in reading a TMC in HW FIFO mode */ ++ mode = readl_relaxed(drvdata->base + TMC_MODE); ++ if (mode != TMC_MODE_CIRCULAR_BUFFER) { ++ spin_unlock_irqrestore(&drvdata->spinlock, flags); ++ return -EINVAL; ++ } + /* + * The trace run will continue with the same allocated trace + * buffer. As such zero-out the buffer so that we don't end +-- +2.27.0 + diff --git a/queue/cpufreq-Fix-locking-issues-with-governors.patch b/queue/cpufreq-Fix-locking-issues-with-governors.patch new file mode 100644 index 00000000..3c92595b --- /dev/null +++ b/queue/cpufreq-Fix-locking-issues-with-governors.patch @@ -0,0 +1,134 @@ +From 8cc46ae565c393f77417cb9530b1265eb50f5d2e Mon Sep 17 00:00:00 2001 +From: Viresh Kumar <viresh.kumar@linaro.org> +Date: Mon, 29 Jun 2020 13:54:58 +0530 +Subject: [PATCH] cpufreq: Fix locking issues with governors + +commit 8cc46ae565c393f77417cb9530b1265eb50f5d2e upstream. + +The locking around governors handling isn't adequate currently. + +The list of governors should never be traversed without the locking +in place. Also governor modules must not be removed while the code +in them is still in use. + +Reported-by: Quentin Perret <qperret@google.com> +Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> +Cc: All applicable <stable@vger.kernel.org> +[ rjw: Changelog ] +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 0128de3603df..e9e8200a0211 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -621,6 +621,24 @@ static struct cpufreq_governor *find_governor(const char *str_governor) + return NULL; + } + ++static struct cpufreq_governor *get_governor(const char *str_governor) ++{ ++ struct cpufreq_governor *t; ++ ++ mutex_lock(&cpufreq_governor_mutex); ++ t = find_governor(str_governor); ++ if (!t) ++ goto unlock; ++ ++ if (!try_module_get(t->owner)) ++ t = NULL; ++ ++unlock: ++ mutex_unlock(&cpufreq_governor_mutex); ++ ++ return t; ++} ++ + static unsigned int cpufreq_parse_policy(char *str_governor) + { + if (!strncasecmp(str_governor, "performance", CPUFREQ_NAME_LEN)) +@@ -640,28 +658,14 @@ static struct cpufreq_governor *cpufreq_parse_governor(char *str_governor) + { + struct cpufreq_governor *t; + +- mutex_lock(&cpufreq_governor_mutex); +- +- t = find_governor(str_governor); +- if (!t) { +- int ret; +- +- mutex_unlock(&cpufreq_governor_mutex); +- +- ret = request_module("cpufreq_%s", str_governor); +- if (ret) +- return NULL; +- +- mutex_lock(&cpufreq_governor_mutex); ++ t = get_governor(str_governor); ++ if (t) ++ return t; + +- t = find_governor(str_governor); +- } +- if (t && !try_module_get(t->owner)) +- t = NULL; +- +- mutex_unlock(&cpufreq_governor_mutex); ++ if (request_module("cpufreq_%s", str_governor)) ++ return NULL; + +- return t; ++ return get_governor(str_governor); + } + + /** +@@ -815,12 +819,14 @@ static ssize_t show_scaling_available_governors(struct cpufreq_policy *policy, + goto out; + } + ++ mutex_lock(&cpufreq_governor_mutex); + for_each_governor(t) { + if (i >= (ssize_t) ((PAGE_SIZE / sizeof(char)) + - (CPUFREQ_NAME_LEN + 2))) +- goto out; ++ break; + i += scnprintf(&buf[i], CPUFREQ_NAME_PLEN, "%s ", t->name); + } ++ mutex_unlock(&cpufreq_governor_mutex); + out: + i += sprintf(&buf[i], "\n"); + return i; +@@ -1058,15 +1064,17 @@ static int cpufreq_init_policy(struct cpufreq_policy *policy) + struct cpufreq_governor *def_gov = cpufreq_default_governor(); + struct cpufreq_governor *gov = NULL; + unsigned int pol = CPUFREQ_POLICY_UNKNOWN; ++ int ret; + + if (has_target()) { + /* Update policy governor to the one used before hotplug. */ +- gov = find_governor(policy->last_governor); ++ gov = get_governor(policy->last_governor); + if (gov) { + pr_debug("Restoring governor %s for cpu %d\n", + policy->governor->name, policy->cpu); + } else if (def_gov) { + gov = def_gov; ++ __module_get(gov->owner); + } else { + return -ENODATA; + } +@@ -1089,7 +1097,11 @@ static int cpufreq_init_policy(struct cpufreq_policy *policy) + return -ENODATA; + } + +- return cpufreq_set_policy(policy, gov, pol); ++ ret = cpufreq_set_policy(policy, gov, pol); ++ if (gov) ++ module_put(gov->owner); ++ ++ return ret; + } + + static int cpufreq_add_policy_cpu(struct cpufreq_policy *policy, unsigned int cpu) +-- +2.27.0 + diff --git a/queue/cpufreq-ap806-fix-cpufreq-driver-needs-ap-cpu-clk.patch b/queue/cpufreq-ap806-fix-cpufreq-driver-needs-ap-cpu-clk.patch new file mode 100644 index 00000000..f3728964 --- /dev/null +++ b/queue/cpufreq-ap806-fix-cpufreq-driver-needs-ap-cpu-clk.patch @@ -0,0 +1,32 @@ +From 8c37ad2f523396e15cf002b29f8f796447c71932 Mon Sep 17 00:00:00 2001 +From: Sven Auhagen <sven.auhagen@voleatech.de> +Date: Mon, 22 Jun 2020 14:01:23 +0200 +Subject: [PATCH] cpufreq: ap806: fix cpufreq driver needs ap cpu clk + +commit 8c37ad2f523396e15cf002b29f8f796447c71932 upstream. + +The Armada 8K cpufreq driver needs the Armada AP CPU CLK +to work. This dependency is currently not satisfied and +the ARMADA_AP_CPU_CLK can not be selected independently. + +Add it to the cpufreq Armada8k driver. + +Fixes: f525a670533d ("cpufreq: ap806: add cpufreq driver for Armada 8K") +Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de> +Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> + +diff --git a/drivers/cpufreq/Kconfig.arm b/drivers/cpufreq/Kconfig.arm +index c6cbfc8baf72..a967894c4613 100644 +--- a/drivers/cpufreq/Kconfig.arm ++++ b/drivers/cpufreq/Kconfig.arm +@@ -41,6 +41,7 @@ config ARM_ARMADA_37XX_CPUFREQ + config ARM_ARMADA_8K_CPUFREQ + tristate "Armada 8K CPUFreq driver" + depends on ARCH_MVEBU && CPUFREQ_DT ++ select ARMADA_AP_CPU_CLK + help + This enables the CPUFreq driver support for Marvell + Armada8k SOCs. +-- +2.27.0 + diff --git a/queue/cpufreq-dt-fix-oops-on-armada37xx.patch b/queue/cpufreq-dt-fix-oops-on-armada37xx.patch new file mode 100644 index 00000000..7b4d0816 --- /dev/null +++ b/queue/cpufreq-dt-fix-oops-on-armada37xx.patch @@ -0,0 +1,46 @@ +From 10470dec3decaf5ed3c596f85debd7c42777ae12 Mon Sep 17 00:00:00 2001 +From: Ivan Kokshaysky <ink@jurassic.park.msu.ru> +Date: Sat, 20 Jun 2020 17:44:49 +0100 +Subject: [PATCH] cpufreq: dt: fix oops on armada37xx + +commit 10470dec3decaf5ed3c596f85debd7c42777ae12 upstream. + +Commit 0c868627e617e43a295d8 (cpufreq: dt: Allow platform specific +intermediate callbacks) added two function pointers to the +struct cpufreq_dt_platform_data. However, armada37xx_cpufreq_driver_init() +has this struct (pdata) located on the stack and uses only "suspend" +and "resume" fields. So these newly added "get_intermediate" and +"target_intermediate" pointers are uninitialized and contain arbitrary +non-null values, causing all kinds of trouble. + +For instance, here is an oops on espressobin after an attempt to change +the cpefreq governor: + +[ 29.174554] Unable to handle kernel execute from non-executable memory at virtual address ffff00003f87bdc0 +... +[ 29.269373] pc : 0xffff00003f87bdc0 +[ 29.272957] lr : __cpufreq_driver_target+0x138/0x580 +... + +Fixed by zeroing out pdata before use. + +Cc: <stable@vger.kernel.org> # v5.7+ +Signed-off-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> + +diff --git a/drivers/cpufreq/armada-37xx-cpufreq.c b/drivers/cpufreq/armada-37xx-cpufreq.c +index aa0f06dec959..df1c941260d1 100644 +--- a/drivers/cpufreq/armada-37xx-cpufreq.c ++++ b/drivers/cpufreq/armada-37xx-cpufreq.c +@@ -456,6 +456,7 @@ static int __init armada37xx_cpufreq_driver_init(void) + /* Now that everything is setup, enable the DVFS at hardware level */ + armada37xx_cpufreq_enable_dvfs(nb_pm_base); + ++ memset(&pdata, 0, sizeof(pdata)); + pdata.suspend = armada37xx_cpufreq_suspend; + pdata.resume = armada37xx_cpufreq_resume; + +-- +2.27.0 + diff --git a/queue/crc-t10dif-Fix-potential-crypto-notify-dead-lock.patch b/queue/crc-t10dif-Fix-potential-crypto-notify-dead-lock.patch new file mode 100644 index 00000000..ece5b66b --- /dev/null +++ b/queue/crc-t10dif-Fix-potential-crypto-notify-dead-lock.patch @@ -0,0 +1,151 @@ +From 3906f640224dbe7714b52b66d7d68c0812808e19 Mon Sep 17 00:00:00 2001 +From: Herbert Xu <herbert@gondor.apana.org.au> +Date: Fri, 5 Jun 2020 16:59:18 +1000 +Subject: [PATCH] crc-t10dif: Fix potential crypto notify dead-lock + +commit 3906f640224dbe7714b52b66d7d68c0812808e19 upstream. + +The crypto notify call occurs with a read mutex held so you must +not do any substantial work directly. In particular, you cannot +call crypto_alloc_* as they may trigger further notifications +which may dead-lock in the presence of another writer. + +This patch fixes this by postponing the work into a work queue and +taking the same lock in the module init function. + +While we're at it this patch also ensures that all RCU accesses are +marked appropriately (tested with sparse). + +Finally this also reveals a race condition in module param show +function as it may be called prior to the module init function. +It's fixed by testing whether crct10dif_tfm is NULL (this is true +iff the init function has not completed assuming fallback is false). + +Fixes: 11dcb1037f40 ("crc-t10dif: Allow current transform to be...") +Fixes: b76377543b73 ("crc-t10dif: Pick better transform if one...") +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com> +Reviewed-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/lib/crc-t10dif.c b/lib/crc-t10dif.c +index 8cc01a603416..c9acf1c12cfc 100644 +--- a/lib/crc-t10dif.c ++++ b/lib/crc-t10dif.c +@@ -19,39 +19,46 @@ + static struct crypto_shash __rcu *crct10dif_tfm; + static struct static_key crct10dif_fallback __read_mostly; + static DEFINE_MUTEX(crc_t10dif_mutex); ++static struct work_struct crct10dif_rehash_work; + +-static int crc_t10dif_rehash(struct notifier_block *self, unsigned long val, void *data) ++static int crc_t10dif_notify(struct notifier_block *self, unsigned long val, void *data) + { + struct crypto_alg *alg = data; +- struct crypto_shash *new, *old; + + if (val != CRYPTO_MSG_ALG_LOADED || + static_key_false(&crct10dif_fallback) || + strncmp(alg->cra_name, CRC_T10DIF_STRING, strlen(CRC_T10DIF_STRING))) + return 0; + ++ schedule_work(&crct10dif_rehash_work); ++ return 0; ++} ++ ++static void crc_t10dif_rehash(struct work_struct *work) ++{ ++ struct crypto_shash *new, *old; ++ + mutex_lock(&crc_t10dif_mutex); + old = rcu_dereference_protected(crct10dif_tfm, + lockdep_is_held(&crc_t10dif_mutex)); + if (!old) { + mutex_unlock(&crc_t10dif_mutex); +- return 0; ++ return; + } + new = crypto_alloc_shash("crct10dif", 0, 0); + if (IS_ERR(new)) { + mutex_unlock(&crc_t10dif_mutex); +- return 0; ++ return; + } + rcu_assign_pointer(crct10dif_tfm, new); + mutex_unlock(&crc_t10dif_mutex); + + synchronize_rcu(); + crypto_free_shash(old); +- return 0; + } + + static struct notifier_block crc_t10dif_nb = { +- .notifier_call = crc_t10dif_rehash, ++ .notifier_call = crc_t10dif_notify, + }; + + __u16 crc_t10dif_update(__u16 crc, const unsigned char *buffer, size_t len) +@@ -86,19 +93,26 @@ EXPORT_SYMBOL(crc_t10dif); + + static int __init crc_t10dif_mod_init(void) + { ++ struct crypto_shash *tfm; ++ ++ INIT_WORK(&crct10dif_rehash_work, crc_t10dif_rehash); + crypto_register_notifier(&crc_t10dif_nb); +- crct10dif_tfm = crypto_alloc_shash("crct10dif", 0, 0); +- if (IS_ERR(crct10dif_tfm)) { ++ mutex_lock(&crc_t10dif_mutex); ++ tfm = crypto_alloc_shash("crct10dif", 0, 0); ++ if (IS_ERR(tfm)) { + static_key_slow_inc(&crct10dif_fallback); +- crct10dif_tfm = NULL; ++ tfm = NULL; + } ++ RCU_INIT_POINTER(crct10dif_tfm, tfm); ++ mutex_unlock(&crc_t10dif_mutex); + return 0; + } + + static void __exit crc_t10dif_mod_fini(void) + { + crypto_unregister_notifier(&crc_t10dif_nb); +- crypto_free_shash(crct10dif_tfm); ++ cancel_work_sync(&crct10dif_rehash_work); ++ crypto_free_shash(rcu_dereference_protected(crct10dif_tfm, 1)); + } + + module_init(crc_t10dif_mod_init); +@@ -106,11 +120,27 @@ module_exit(crc_t10dif_mod_fini); + + static int crc_t10dif_transform_show(char *buffer, const struct kernel_param *kp) + { ++ struct crypto_shash *tfm; ++ const char *name; ++ int len; ++ + if (static_key_false(&crct10dif_fallback)) + return sprintf(buffer, "fallback\n"); + +- return sprintf(buffer, "%s\n", +- crypto_tfm_alg_driver_name(crypto_shash_tfm(crct10dif_tfm))); ++ rcu_read_lock(); ++ tfm = rcu_dereference(crct10dif_tfm); ++ if (!tfm) { ++ len = sprintf(buffer, "init\n"); ++ goto unlock; ++ } ++ ++ name = crypto_tfm_alg_driver_name(crypto_shash_tfm(tfm)); ++ len = sprintf(buffer, "%s\n", name); ++ ++unlock: ++ rcu_read_unlock(); ++ ++ return len; + } + + module_param_call(transform, NULL, crc_t10dif_transform_show, NULL, 0644); +-- +2.27.0 + diff --git a/queue/crypto-aesni-Fix-build-with-LLVM_IAS-1.patch b/queue/crypto-aesni-Fix-build-with-LLVM_IAS-1.patch new file mode 100644 index 00000000..afb76012 --- /dev/null +++ b/queue/crypto-aesni-Fix-build-with-LLVM_IAS-1.patch @@ -0,0 +1,103 @@ +From 3347c8a079d67af21760a78cc5f2abbcf06d9571 Mon Sep 17 00:00:00 2001 +From: Sedat Dilek <sedat.dilek@gmail.com> +Date: Fri, 3 Jul 2020 16:32:06 +0200 +Subject: [PATCH] crypto: aesni - Fix build with LLVM_IAS=1 + +commit 3347c8a079d67af21760a78cc5f2abbcf06d9571 upstream. + +When building with LLVM_IAS=1 means using Clang's Integrated Assembly (IAS) +from LLVM/Clang >= v10.0.1-rc1+ instead of GNU/as from GNU/binutils +I see the following breakage in Debian/testing AMD64: + +<instantiation>:15:74: error: too many positional arguments + PRECOMPUTE 8*3+8(%rsp), %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, + ^ + arch/x86/crypto/aesni-intel_asm.S:1598:2: note: while in macro instantiation + GCM_INIT %r9, 8*3 +8(%rsp), 8*3 +16(%rsp), 8*3 +24(%rsp) + ^ +<instantiation>:47:2: error: unknown use of instruction mnemonic without a size suffix + GHASH_4_ENCRYPT_4_PARALLEL_dec %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, enc + ^ +arch/x86/crypto/aesni-intel_asm.S:1599:2: note: while in macro instantiation + GCM_ENC_DEC dec + ^ +<instantiation>:15:74: error: too many positional arguments + PRECOMPUTE 8*3+8(%rsp), %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, + ^ +arch/x86/crypto/aesni-intel_asm.S:1686:2: note: while in macro instantiation + GCM_INIT %r9, 8*3 +8(%rsp), 8*3 +16(%rsp), 8*3 +24(%rsp) + ^ +<instantiation>:47:2: error: unknown use of instruction mnemonic without a size suffix + GHASH_4_ENCRYPT_4_PARALLEL_enc %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, enc + ^ +arch/x86/crypto/aesni-intel_asm.S:1687:2: note: while in macro instantiation + GCM_ENC_DEC enc + +Craig Topper suggested me in ClangBuiltLinux issue #1050: + +> I think the "too many positional arguments" is because the parser isn't able +> to handle the trailing commas. +> +> The "unknown use of instruction mnemonic" is because the macro was named +> GHASH_4_ENCRYPT_4_PARALLEL_DEC but its being instantiated with +> GHASH_4_ENCRYPT_4_PARALLEL_dec I guess gas ignores case on the +> macro instantiation, but llvm doesn't. + +First, I removed the trailing comma in the PRECOMPUTE line. + +Second, I substituted: +1. GHASH_4_ENCRYPT_4_PARALLEL_DEC -> GHASH_4_ENCRYPT_4_PARALLEL_dec +2. GHASH_4_ENCRYPT_4_PARALLEL_ENC -> GHASH_4_ENCRYPT_4_PARALLEL_enc + +With these changes I was able to build with LLVM_IAS=1 and boot on bare metal. + +I confirmed that this works with Linux-kernel v5.7.5 final. + +NOTE: This patch is on top of Linux v5.7 final. + +Thanks to Craig and especially Nick for double-checking and his comments. + +Suggested-by: Craig Topper <craig.topper@intel.com> +Suggested-by: Craig Topper <craig.topper@gmail.com> +Suggested-by: Nick Desaulniers <ndesaulniers@google.com> +Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> +Cc: "ClangBuiltLinux" <clang-built-linux@googlegroups.com> +Link: https://github.com/ClangBuiltLinux/linux/issues/1050 +Link: https://bugs.llvm.org/show_bug.cgi?id=24494 +Signed-off-by: Sedat Dilek <sedat.dilek@gmail.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S +index 54e7d15dbd0d..7d4298e6d4cb 100644 +--- a/arch/x86/crypto/aesni-intel_asm.S ++++ b/arch/x86/crypto/aesni-intel_asm.S +@@ -266,7 +266,7 @@ ALL_F: .octa 0xffffffffffffffffffffffffffffffff + PSHUFB_XMM %xmm2, %xmm0 + movdqu %xmm0, CurCount(%arg2) # ctx_data.current_counter = iv + +- PRECOMPUTE \SUBKEY, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, ++ PRECOMPUTE \SUBKEY, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7 + movdqu HashKey(%arg2), %xmm13 + + CALC_AAD_HASH %xmm13, \AAD, \AADLEN, %xmm0, %xmm1, %xmm2, %xmm3, \ +@@ -978,7 +978,7 @@ _initial_blocks_done\@: + * arg1, %arg3, %arg4 are used as pointers only, not modified + * %r11 is the data offset value + */ +-.macro GHASH_4_ENCRYPT_4_PARALLEL_ENC TMP1 TMP2 TMP3 TMP4 TMP5 \ ++.macro GHASH_4_ENCRYPT_4_PARALLEL_enc TMP1 TMP2 TMP3 TMP4 TMP5 \ + TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7 XMM8 operation + + movdqa \XMM1, \XMM5 +@@ -1186,7 +1186,7 @@ aes_loop_par_enc_done\@: + * arg1, %arg3, %arg4 are used as pointers only, not modified + * %r11 is the data offset value + */ +-.macro GHASH_4_ENCRYPT_4_PARALLEL_DEC TMP1 TMP2 TMP3 TMP4 TMP5 \ ++.macro GHASH_4_ENCRYPT_4_PARALLEL_dec TMP1 TMP2 TMP3 TMP4 TMP5 \ + TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7 XMM8 operation + + movdqa \XMM1, \XMM5 +-- +2.27.0 + diff --git a/queue/crypto-aesni-add-compatibility-with-IAS.patch b/queue/crypto-aesni-add-compatibility-with-IAS.patch new file mode 100644 index 00000000..eaa89282 --- /dev/null +++ b/queue/crypto-aesni-add-compatibility-with-IAS.patch @@ -0,0 +1,72 @@ +From 44069737ac9625a0f02f0f7f5ab96aae4cd819bc Mon Sep 17 00:00:00 2001 +From: Jian Cai <caij2003@gmail.com> +Date: Mon, 22 Jun 2020 16:24:33 -0700 +Subject: [PATCH] crypto: aesni - add compatibility with IAS + +commit 44069737ac9625a0f02f0f7f5ab96aae4cd819bc upstream. + +Clang's integrated assembler complains "invalid reassignment of +non-absolute variable 'var_ddq_add'" while assembling +arch/x86/crypto/aes_ctrby8_avx-x86_64.S. It was because var_ddq_add was +reassigned with non-absolute values several times, which IAS did not +support. We can avoid the reassignment by replacing the uses of +var_ddq_add with its definitions accordingly to have compatilibility +with IAS. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1008 +Reported-by: Sedat Dilek <sedat.dilek@gmail.com> +Reported-by: Fangrui Song <maskray@google.com> +Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # build+boot Linux v5.7.5; clang v11.0.0-git +Signed-off-by: Jian Cai <caij2003@gmail.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/arch/x86/crypto/aes_ctrby8_avx-x86_64.S b/arch/x86/crypto/aes_ctrby8_avx-x86_64.S +index ec437db1fa54..494a3bda8487 100644 +--- a/arch/x86/crypto/aes_ctrby8_avx-x86_64.S ++++ b/arch/x86/crypto/aes_ctrby8_avx-x86_64.S +@@ -127,10 +127,6 @@ ddq_add_8: + + /* generate a unique variable for ddq_add_x */ + +-.macro setddq n +- var_ddq_add = ddq_add_\n +-.endm +- + /* generate a unique variable for xmm register */ + .macro setxdata n + var_xdata = %xmm\n +@@ -140,9 +136,7 @@ ddq_add_8: + + .macro club name, id + .altmacro +- .if \name == DDQ_DATA +- setddq %\id +- .elseif \name == XDATA ++ .if \name == XDATA + setxdata %\id + .endif + .noaltmacro +@@ -165,9 +159,8 @@ ddq_add_8: + + .set i, 1 + .rept (by - 1) +- club DDQ_DATA, i + club XDATA, i +- vpaddq var_ddq_add(%rip), xcounter, var_xdata ++ vpaddq (ddq_add_1 + 16 * (i - 1))(%rip), xcounter, var_xdata + vptest ddq_low_msk(%rip), var_xdata + jnz 1f + vpaddq ddq_high_add_1(%rip), var_xdata, var_xdata +@@ -180,8 +173,7 @@ ddq_add_8: + vmovdqa 1*16(p_keys), xkeyA + + vpxor xkey0, xdata0, xdata0 +- club DDQ_DATA, by +- vpaddq var_ddq_add(%rip), xcounter, xcounter ++ vpaddq (ddq_add_1 + 16 * (by - 1))(%rip), xcounter, xcounter + vptest ddq_low_msk(%rip), xcounter + jnz 1f + vpaddq ddq_high_add_1(%rip), xcounter, xcounter +-- +2.27.0 + diff --git a/queue/crypto-ccp-Fix-use-of-merged-scatterlists.patch b/queue/crypto-ccp-Fix-use-of-merged-scatterlists.patch new file mode 100644 index 00000000..ad59cf8f --- /dev/null +++ b/queue/crypto-ccp-Fix-use-of-merged-scatterlists.patch @@ -0,0 +1,175 @@ +From 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 Mon Sep 17 00:00:00 2001 +From: John Allen <john.allen@amd.com> +Date: Mon, 22 Jun 2020 15:24:02 -0500 +Subject: [PATCH] crypto: ccp - Fix use of merged scatterlists + +commit 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 upstream. + +Running the crypto manager self tests with +CONFIG_CRYPTO_MANAGER_EXTRA_TESTS may result in several types of errors +when using the ccp-crypto driver: + +alg: skcipher: cbc-des3-ccp encryption failed on test vector 0; expected_error=0, actual_error=-5 ... + +alg: skcipher: ctr-aes-ccp decryption overran dst buffer on test vector 0 ... + +alg: ahash: sha224-ccp test failed (wrong result) on test vector ... + +These errors are the result of improper processing of scatterlists mapped +for DMA. + +Given a scatterlist in which entries are merged as part of mapping the +scatterlist for DMA, the DMA length of a merged entry will reflect the +combined length of the entries that were merged. The subsequent +scatterlist entry will contain DMA information for the scatterlist entry +after the last merged entry, but the non-DMA information will be that of +the first merged entry. + +The ccp driver does not take this scatterlist merging into account. To +address this, add a second scatterlist pointer to track the current +position in the DMA mapped representation of the scatterlist. Both the DMA +representation and the original representation of the scatterlist must be +tracked as while most of the driver can use just the DMA representation, +scatterlist_map_and_copy() must use the original representation and +expects the scatterlist pointer to be accurate to the original +representation. + +In order to properly walk the original scatterlist, the scatterlist must +be walked until the combined lengths of the entries seen is equal to the +DMA length of the current entry being processed in the DMA mapped +representation. + +Fixes: 63b945091a070 ("crypto: ccp - CCP device driver and interface support") +Signed-off-by: John Allen <john.allen@amd.com> +Cc: stable@vger.kernel.org +Acked-by: Tom Lendacky <thomas.lendacky@amd.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/drivers/crypto/ccp/ccp-dev.h b/drivers/crypto/ccp/ccp-dev.h +index 3f68262d9ab4..87a34d91fdf7 100644 +--- a/drivers/crypto/ccp/ccp-dev.h ++++ b/drivers/crypto/ccp/ccp-dev.h +@@ -469,6 +469,7 @@ struct ccp_sg_workarea { + unsigned int sg_used; + + struct scatterlist *dma_sg; ++ struct scatterlist *dma_sg_head; + struct device *dma_dev; + unsigned int dma_count; + enum dma_data_direction dma_dir; +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index d270aa792888..a06d20263efa 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -63,7 +63,7 @@ static u32 ccp_gen_jobid(struct ccp_device *ccp) + static void ccp_sg_free(struct ccp_sg_workarea *wa) + { + if (wa->dma_count) +- dma_unmap_sg(wa->dma_dev, wa->dma_sg, wa->nents, wa->dma_dir); ++ dma_unmap_sg(wa->dma_dev, wa->dma_sg_head, wa->nents, wa->dma_dir); + + wa->dma_count = 0; + } +@@ -92,6 +92,7 @@ static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev, + return 0; + + wa->dma_sg = sg; ++ wa->dma_sg_head = sg; + wa->dma_dev = dev; + wa->dma_dir = dma_dir; + wa->dma_count = dma_map_sg(dev, sg, wa->nents, dma_dir); +@@ -104,14 +105,28 @@ static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev, + static void ccp_update_sg_workarea(struct ccp_sg_workarea *wa, unsigned int len) + { + unsigned int nbytes = min_t(u64, len, wa->bytes_left); ++ unsigned int sg_combined_len = 0; + + if (!wa->sg) + return; + + wa->sg_used += nbytes; + wa->bytes_left -= nbytes; +- if (wa->sg_used == wa->sg->length) { +- wa->sg = sg_next(wa->sg); ++ if (wa->sg_used == sg_dma_len(wa->dma_sg)) { ++ /* Advance to the next DMA scatterlist entry */ ++ wa->dma_sg = sg_next(wa->dma_sg); ++ ++ /* In the case that the DMA mapped scatterlist has entries ++ * that have been merged, the non-DMA mapped scatterlist ++ * must be advanced multiple times for each merged entry. ++ * This ensures that the current non-DMA mapped entry ++ * corresponds to the current DMA mapped entry. ++ */ ++ do { ++ sg_combined_len += wa->sg->length; ++ wa->sg = sg_next(wa->sg); ++ } while (wa->sg_used > sg_combined_len); ++ + wa->sg_used = 0; + } + } +@@ -299,7 +314,7 @@ static unsigned int ccp_queue_buf(struct ccp_data *data, unsigned int from) + /* Update the structures and generate the count */ + buf_count = 0; + while (sg_wa->bytes_left && (buf_count < dm_wa->length)) { +- nbytes = min(sg_wa->sg->length - sg_wa->sg_used, ++ nbytes = min(sg_dma_len(sg_wa->dma_sg) - sg_wa->sg_used, + dm_wa->length - buf_count); + nbytes = min_t(u64, sg_wa->bytes_left, nbytes); + +@@ -331,11 +346,11 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, + * and destination. The resulting len values will always be <= UINT_MAX + * because the dma length is an unsigned int. + */ +- sg_src_len = sg_dma_len(src->sg_wa.sg) - src->sg_wa.sg_used; ++ sg_src_len = sg_dma_len(src->sg_wa.dma_sg) - src->sg_wa.sg_used; + sg_src_len = min_t(u64, src->sg_wa.bytes_left, sg_src_len); + + if (dst) { +- sg_dst_len = sg_dma_len(dst->sg_wa.sg) - dst->sg_wa.sg_used; ++ sg_dst_len = sg_dma_len(dst->sg_wa.dma_sg) - dst->sg_wa.sg_used; + sg_dst_len = min_t(u64, src->sg_wa.bytes_left, sg_dst_len); + op_len = min(sg_src_len, sg_dst_len); + } else { +@@ -365,7 +380,7 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, + /* Enough data in the sg element, but we need to + * adjust for any previously copied data + */ +- op->src.u.dma.address = sg_dma_address(src->sg_wa.sg); ++ op->src.u.dma.address = sg_dma_address(src->sg_wa.dma_sg); + op->src.u.dma.offset = src->sg_wa.sg_used; + op->src.u.dma.length = op_len & ~(block_size - 1); + +@@ -386,7 +401,7 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, + /* Enough room in the sg element, but we need to + * adjust for any previously used area + */ +- op->dst.u.dma.address = sg_dma_address(dst->sg_wa.sg); ++ op->dst.u.dma.address = sg_dma_address(dst->sg_wa.dma_sg); + op->dst.u.dma.offset = dst->sg_wa.sg_used; + op->dst.u.dma.length = op->src.u.dma.length; + } +@@ -2027,7 +2042,7 @@ ccp_run_passthru_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + dst.sg_wa.sg_used = 0; + for (i = 1; i <= src.sg_wa.dma_count; i++) { + if (!dst.sg_wa.sg || +- (dst.sg_wa.sg->length < src.sg_wa.sg->length)) { ++ (sg_dma_len(dst.sg_wa.sg) < sg_dma_len(src.sg_wa.sg))) { + ret = -EINVAL; + goto e_dst; + } +@@ -2053,8 +2068,8 @@ ccp_run_passthru_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + goto e_dst; + } + +- dst.sg_wa.sg_used += src.sg_wa.sg->length; +- if (dst.sg_wa.sg_used == dst.sg_wa.sg->length) { ++ dst.sg_wa.sg_used += sg_dma_len(src.sg_wa.sg); ++ if (dst.sg_wa.sg_used == sg_dma_len(dst.sg_wa.sg)) { + dst.sg_wa.sg = sg_next(dst.sg_wa.sg); + dst.sg_wa.sg_used = 0; + } +-- +2.27.0 + diff --git a/queue/crypto-ccree-fix-resource-leak-on-error-path.patch b/queue/crypto-ccree-fix-resource-leak-on-error-path.patch new file mode 100644 index 00000000..c43b4080 --- /dev/null +++ b/queue/crypto-ccree-fix-resource-leak-on-error-path.patch @@ -0,0 +1,80 @@ +From 9bc6165d608d676f05d8bf156a2c9923ee38d05b Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef <gilad@benyossef.com> +Date: Sun, 21 Jun 2020 14:19:57 +0300 +Subject: [PATCH] crypto: ccree - fix resource leak on error path + +commit 9bc6165d608d676f05d8bf156a2c9923ee38d05b upstream. + +Fix a small resource leak on the error path of cipher processing. + +Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com> +Fixes: 63ee04c8b491e ("crypto: ccree - add skcipher support") +Cc: Markus Elfring <Markus.Elfring@web.de> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/drivers/crypto/ccree/cc_cipher.c b/drivers/crypto/ccree/cc_cipher.c +index 872ea3ff1c6b..f144fe04748b 100644 +--- a/drivers/crypto/ccree/cc_cipher.c ++++ b/drivers/crypto/ccree/cc_cipher.c +@@ -159,7 +159,6 @@ static int cc_cipher_init(struct crypto_tfm *tfm) + skcipher_alg.base); + struct device *dev = drvdata_to_dev(cc_alg->drvdata); + unsigned int max_key_buf_size = cc_alg->skcipher_alg.max_keysize; +- int rc = 0; + + dev_dbg(dev, "Initializing context @%p for %s\n", ctx_p, + crypto_tfm_alg_name(tfm)); +@@ -171,10 +170,19 @@ static int cc_cipher_init(struct crypto_tfm *tfm) + ctx_p->flow_mode = cc_alg->flow_mode; + ctx_p->drvdata = cc_alg->drvdata; + ++ if (ctx_p->cipher_mode == DRV_CIPHER_ESSIV) { ++ /* Alloc hash tfm for essiv */ ++ ctx_p->shash_tfm = crypto_alloc_shash("sha256-generic", 0, 0); ++ if (IS_ERR(ctx_p->shash_tfm)) { ++ dev_err(dev, "Error allocating hash tfm for ESSIV.\n"); ++ return PTR_ERR(ctx_p->shash_tfm); ++ } ++ } ++ + /* Allocate key buffer, cache line aligned */ + ctx_p->user.key = kmalloc(max_key_buf_size, GFP_KERNEL); + if (!ctx_p->user.key) +- return -ENOMEM; ++ goto free_shash; + + dev_dbg(dev, "Allocated key buffer in context. key=@%p\n", + ctx_p->user.key); +@@ -186,21 +194,19 @@ static int cc_cipher_init(struct crypto_tfm *tfm) + if (dma_mapping_error(dev, ctx_p->user.key_dma_addr)) { + dev_err(dev, "Mapping Key %u B at va=%pK for DMA failed\n", + max_key_buf_size, ctx_p->user.key); +- return -ENOMEM; ++ goto free_key; + } + dev_dbg(dev, "Mapped key %u B at va=%pK to dma=%pad\n", + max_key_buf_size, ctx_p->user.key, &ctx_p->user.key_dma_addr); + +- if (ctx_p->cipher_mode == DRV_CIPHER_ESSIV) { +- /* Alloc hash tfm for essiv */ +- ctx_p->shash_tfm = crypto_alloc_shash("sha256-generic", 0, 0); +- if (IS_ERR(ctx_p->shash_tfm)) { +- dev_err(dev, "Error allocating hash tfm for ESSIV.\n"); +- return PTR_ERR(ctx_p->shash_tfm); +- } +- } ++ return 0; + +- return rc; ++free_key: ++ kfree(ctx_p->user.key); ++free_shash: ++ crypto_free_shash(ctx_p->shash_tfm); ++ ++ return -ENOMEM; + } + + static void cc_cipher_exit(struct crypto_tfm *tfm) +-- +2.27.0 + diff --git a/queue/crypto-cpt-don-t-sleep-of-CRYPTO_TFM_REQ_MAY_SLEEP-w.patch b/queue/crypto-cpt-don-t-sleep-of-CRYPTO_TFM_REQ_MAY_SLEEP-w.patch new file mode 100644 index 00000000..c31d004c --- /dev/null +++ b/queue/crypto-cpt-don-t-sleep-of-CRYPTO_TFM_REQ_MAY_SLEEP-w.patch @@ -0,0 +1,104 @@ +From 9e27c99104707f083dccd3b4d79762859b5a0614 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka <mpatocka@redhat.com> +Date: Wed, 17 Jun 2020 09:48:56 -0400 +Subject: [PATCH] crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not + specified + +commit 9e27c99104707f083dccd3b4d79762859b5a0614 upstream. + +There is this call chain: +cvm_encrypt -> cvm_enc_dec -> cptvf_do_request -> process_request -> kzalloc +where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP +was not specified. + +Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> +Cc: stable@vger.kernel.org # v4.11+ +Fixes: c694b233295b ("crypto: cavium - Add the Virtual Function driver for CPT") +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/drivers/crypto/cavium/cpt/cptvf_algs.c b/drivers/crypto/cavium/cpt/cptvf_algs.c +index 1be1adffff1d..2e4bf90c5798 100644 +--- a/drivers/crypto/cavium/cpt/cptvf_algs.c ++++ b/drivers/crypto/cavium/cpt/cptvf_algs.c +@@ -200,6 +200,7 @@ static inline int cvm_enc_dec(struct skcipher_request *req, u32 enc) + int status; + + memset(req_info, 0, sizeof(struct cpt_request_info)); ++ req_info->may_sleep = (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) != 0; + memset(fctx, 0, sizeof(struct fc_context)); + create_input_list(req, enc, enc_iv_len); + create_output_list(req, enc_iv_len); +diff --git a/drivers/crypto/cavium/cpt/cptvf_reqmanager.c b/drivers/crypto/cavium/cpt/cptvf_reqmanager.c +index 7a24019356b5..e343249c8d05 100644 +--- a/drivers/crypto/cavium/cpt/cptvf_reqmanager.c ++++ b/drivers/crypto/cavium/cpt/cptvf_reqmanager.c +@@ -133,7 +133,7 @@ static inline int setup_sgio_list(struct cpt_vf *cptvf, + + /* Setup gather (input) components */ + g_sz_bytes = ((req->incnt + 3) / 4) * sizeof(struct sglist_component); +- info->gather_components = kzalloc(g_sz_bytes, GFP_KERNEL); ++ info->gather_components = kzalloc(g_sz_bytes, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (!info->gather_components) { + ret = -ENOMEM; + goto scatter_gather_clean; +@@ -150,7 +150,7 @@ static inline int setup_sgio_list(struct cpt_vf *cptvf, + + /* Setup scatter (output) components */ + s_sz_bytes = ((req->outcnt + 3) / 4) * sizeof(struct sglist_component); +- info->scatter_components = kzalloc(s_sz_bytes, GFP_KERNEL); ++ info->scatter_components = kzalloc(s_sz_bytes, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (!info->scatter_components) { + ret = -ENOMEM; + goto scatter_gather_clean; +@@ -167,7 +167,7 @@ static inline int setup_sgio_list(struct cpt_vf *cptvf, + + /* Create and initialize DPTR */ + info->dlen = g_sz_bytes + s_sz_bytes + SG_LIST_HDR_SIZE; +- info->in_buffer = kzalloc(info->dlen, GFP_KERNEL); ++ info->in_buffer = kzalloc(info->dlen, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (!info->in_buffer) { + ret = -ENOMEM; + goto scatter_gather_clean; +@@ -195,7 +195,7 @@ static inline int setup_sgio_list(struct cpt_vf *cptvf, + } + + /* Create and initialize RPTR */ +- info->out_buffer = kzalloc(COMPLETION_CODE_SIZE, GFP_KERNEL); ++ info->out_buffer = kzalloc(COMPLETION_CODE_SIZE, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (!info->out_buffer) { + ret = -ENOMEM; + goto scatter_gather_clean; +@@ -421,7 +421,7 @@ int process_request(struct cpt_vf *cptvf, struct cpt_request_info *req) + struct cpt_vq_command vq_cmd; + union cpt_inst_s cptinst; + +- info = kzalloc(sizeof(*info), GFP_KERNEL); ++ info = kzalloc(sizeof(*info), req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (unlikely(!info)) { + dev_err(&pdev->dev, "Unable to allocate memory for info_buffer\n"); + return -ENOMEM; +@@ -443,7 +443,7 @@ int process_request(struct cpt_vf *cptvf, struct cpt_request_info *req) + * Get buffer for union cpt_res_s response + * structure and its physical address + */ +- info->completion_addr = kzalloc(sizeof(union cpt_res_s), GFP_KERNEL); ++ info->completion_addr = kzalloc(sizeof(union cpt_res_s), req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); + if (unlikely(!info->completion_addr)) { + dev_err(&pdev->dev, "Unable to allocate memory for completion_addr\n"); + ret = -ENOMEM; +diff --git a/drivers/crypto/cavium/cpt/request_manager.h b/drivers/crypto/cavium/cpt/request_manager.h +index 3514b082eca7..1e8dd9ebcc17 100644 +--- a/drivers/crypto/cavium/cpt/request_manager.h ++++ b/drivers/crypto/cavium/cpt/request_manager.h +@@ -62,6 +62,8 @@ struct cpt_request_info { + union ctrl_info ctrl; /* User control information */ + struct cptvf_request req; /* Request Information (Core specific) */ + ++ bool may_sleep; ++ + struct buf_ptr in[MAX_BUF_CNT]; + struct buf_ptr out[MAX_BUF_CNT]; + +-- +2.27.0 + diff --git a/queue/crypto-hisilicon-don-t-sleep-of-CRYPTO_TFM_REQ_MAY_S.patch b/queue/crypto-hisilicon-don-t-sleep-of-CRYPTO_TFM_REQ_MAY_S.patch new file mode 100644 index 00000000..7b8d5e27 --- /dev/null +++ b/queue/crypto-hisilicon-don-t-sleep-of-CRYPTO_TFM_REQ_MAY_S.patch @@ -0,0 +1,172 @@ +From 5ead051780404b5cb22147170acadd1994dc3236 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka <mpatocka@redhat.com> +Date: Wed, 17 Jun 2020 09:49:52 -0400 +Subject: [PATCH] crypto: hisilicon - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP + was not specified + +commit 5ead051780404b5cb22147170acadd1994dc3236 upstream. + +There is this call chain: +sec_alg_skcipher_encrypt -> sec_alg_skcipher_crypto -> +sec_alg_alloc_and_calc_split_sizes -> kcalloc +where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP +was not specified. + +Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> +Cc: stable@vger.kernel.org # v4.19+ +Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver") +Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/drivers/crypto/hisilicon/sec/sec_algs.c b/drivers/crypto/hisilicon/sec/sec_algs.c +index c27e7160d2df..4ad4ffd90cee 100644 +--- a/drivers/crypto/hisilicon/sec/sec_algs.c ++++ b/drivers/crypto/hisilicon/sec/sec_algs.c +@@ -175,7 +175,8 @@ static int sec_alloc_and_fill_hw_sgl(struct sec_hw_sgl **sec_sgl, + dma_addr_t *psec_sgl, + struct scatterlist *sgl, + int count, +- struct sec_dev_info *info) ++ struct sec_dev_info *info, ++ gfp_t gfp) + { + struct sec_hw_sgl *sgl_current = NULL; + struct sec_hw_sgl *sgl_next; +@@ -190,7 +191,7 @@ static int sec_alloc_and_fill_hw_sgl(struct sec_hw_sgl **sec_sgl, + sge_index = i % SEC_MAX_SGE_NUM; + if (sge_index == 0) { + sgl_next = dma_pool_zalloc(info->hw_sgl_pool, +- GFP_KERNEL, &sgl_next_dma); ++ gfp, &sgl_next_dma); + if (!sgl_next) { + ret = -ENOMEM; + goto err_free_hw_sgls; +@@ -545,14 +546,14 @@ void sec_alg_callback(struct sec_bd_info *resp, void *shadow) + } + + static int sec_alg_alloc_and_calc_split_sizes(int length, size_t **split_sizes, +- int *steps) ++ int *steps, gfp_t gfp) + { + size_t *sizes; + int i; + + /* Split into suitable sized blocks */ + *steps = roundup(length, SEC_REQ_LIMIT) / SEC_REQ_LIMIT; +- sizes = kcalloc(*steps, sizeof(*sizes), GFP_KERNEL); ++ sizes = kcalloc(*steps, sizeof(*sizes), gfp); + if (!sizes) + return -ENOMEM; + +@@ -568,7 +569,7 @@ static int sec_map_and_split_sg(struct scatterlist *sgl, size_t *split_sizes, + int steps, struct scatterlist ***splits, + int **splits_nents, + int sgl_len_in, +- struct device *dev) ++ struct device *dev, gfp_t gfp) + { + int ret, count; + +@@ -576,12 +577,12 @@ static int sec_map_and_split_sg(struct scatterlist *sgl, size_t *split_sizes, + if (!count) + return -EINVAL; + +- *splits = kcalloc(steps, sizeof(struct scatterlist *), GFP_KERNEL); ++ *splits = kcalloc(steps, sizeof(struct scatterlist *), gfp); + if (!*splits) { + ret = -ENOMEM; + goto err_unmap_sg; + } +- *splits_nents = kcalloc(steps, sizeof(int), GFP_KERNEL); ++ *splits_nents = kcalloc(steps, sizeof(int), gfp); + if (!*splits_nents) { + ret = -ENOMEM; + goto err_free_splits; +@@ -589,7 +590,7 @@ static int sec_map_and_split_sg(struct scatterlist *sgl, size_t *split_sizes, + + /* output the scatter list before and after this */ + ret = sg_split(sgl, count, 0, steps, split_sizes, +- *splits, *splits_nents, GFP_KERNEL); ++ *splits, *splits_nents, gfp); + if (ret) { + ret = -ENOMEM; + goto err_free_splits_nents; +@@ -630,13 +631,13 @@ static struct sec_request_el + int el_size, bool different_dest, + struct scatterlist *sgl_in, int n_ents_in, + struct scatterlist *sgl_out, int n_ents_out, +- struct sec_dev_info *info) ++ struct sec_dev_info *info, gfp_t gfp) + { + struct sec_request_el *el; + struct sec_bd_info *req; + int ret; + +- el = kzalloc(sizeof(*el), GFP_KERNEL); ++ el = kzalloc(sizeof(*el), gfp); + if (!el) + return ERR_PTR(-ENOMEM); + el->el_length = el_size; +@@ -668,7 +669,7 @@ static struct sec_request_el + el->sgl_in = sgl_in; + + ret = sec_alloc_and_fill_hw_sgl(&el->in, &el->dma_in, el->sgl_in, +- n_ents_in, info); ++ n_ents_in, info, gfp); + if (ret) + goto err_free_el; + +@@ -679,7 +680,7 @@ static struct sec_request_el + el->sgl_out = sgl_out; + ret = sec_alloc_and_fill_hw_sgl(&el->out, &el->dma_out, + el->sgl_out, +- n_ents_out, info); ++ n_ents_out, info, gfp); + if (ret) + goto err_free_hw_sgl_in; + +@@ -720,6 +721,7 @@ static int sec_alg_skcipher_crypto(struct skcipher_request *skreq, + int *splits_out_nents = NULL; + struct sec_request_el *el, *temp; + bool split = skreq->src != skreq->dst; ++ gfp_t gfp = skreq->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : GFP_ATOMIC; + + mutex_init(&sec_req->lock); + sec_req->req_base = &skreq->base; +@@ -728,13 +730,13 @@ static int sec_alg_skcipher_crypto(struct skcipher_request *skreq, + sec_req->len_in = sg_nents(skreq->src); + + ret = sec_alg_alloc_and_calc_split_sizes(skreq->cryptlen, &split_sizes, +- &steps); ++ &steps, gfp); + if (ret) + return ret; + sec_req->num_elements = steps; + ret = sec_map_and_split_sg(skreq->src, split_sizes, steps, &splits_in, + &splits_in_nents, sec_req->len_in, +- info->dev); ++ info->dev, gfp); + if (ret) + goto err_free_split_sizes; + +@@ -742,7 +744,7 @@ static int sec_alg_skcipher_crypto(struct skcipher_request *skreq, + sec_req->len_out = sg_nents(skreq->dst); + ret = sec_map_and_split_sg(skreq->dst, split_sizes, steps, + &splits_out, &splits_out_nents, +- sec_req->len_out, info->dev); ++ sec_req->len_out, info->dev, gfp); + if (ret) + goto err_unmap_in_sg; + } +@@ -775,7 +777,7 @@ static int sec_alg_skcipher_crypto(struct skcipher_request *skreq, + splits_in[i], splits_in_nents[i], + split ? splits_out[i] : NULL, + split ? splits_out_nents[i] : 0, +- info); ++ info, gfp); + if (IS_ERR(el)) { + ret = PTR_ERR(el); + goto err_free_elements; +-- +2.27.0 + diff --git a/queue/crypto-qat-fix-double-free-in-qat_uclo_create_batch_.patch b/queue/crypto-qat-fix-double-free-in-qat_uclo_create_batch_.patch new file mode 100644 index 00000000..79a57fb9 --- /dev/null +++ b/queue/crypto-qat-fix-double-free-in-qat_uclo_create_batch_.patch @@ -0,0 +1,90 @@ +From c06c76602e03bde24ee69a2022a829127e504202 Mon Sep 17 00:00:00 2001 +From: Tom Rix <trix@redhat.com> +Date: Mon, 13 Jul 2020 07:06:34 -0700 +Subject: [PATCH] crypto: qat - fix double free in + qat_uclo_create_batch_init_list + +commit c06c76602e03bde24ee69a2022a829127e504202 upstream. + +clang static analysis flags this error + +qat_uclo.c:297:3: warning: Attempt to free released memory + [unix.Malloc] + kfree(*init_tab_base); + ^~~~~~~~~~~~~~~~~~~~~ + +When input *init_tab_base is null, the function allocates memory for +the head of the list. When there is problem allocating other list +elements the list is unwound and freed. Then a check is made if the +list head was allocated and is also freed. + +Keeping track of the what may need to be freed is the variable 'tail_old'. +The unwinding/freeing block is + + while (tail_old) { + mem_init = tail_old->next; + kfree(tail_old); + tail_old = mem_init; + } + +The problem is that the first element of tail_old is also what was +allocated for the list head + + init_header = kzalloc(sizeof(*init_header), GFP_KERNEL); + ... + *init_tab_base = init_header; + flag = 1; + } + tail_old = init_header; + +So *init_tab_base/init_header are freed twice. + +There is another problem. +When the input *init_tab_base is non null the tail_old is calculated by +traveling down the list to first non null entry. + + tail_old = init_header; + while (tail_old->next) + tail_old = tail_old->next; + +When the unwinding free happens, the last entry of the input list will +be freed. + +So the freeing needs a general changed. +If locally allocated the first element of tail_old is freed, else it +is skipped. As a bit of cleanup, reset *init_tab_base if it came in +as null. + +Fixes: b4b7e67c917f ("crypto: qat - Intel(R) QAT ucode part of fw loader") +Cc: <stable@vger.kernel.org> +Signed-off-by: Tom Rix <trix@redhat.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> + +diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c +index 4cc1f436b075..bff759e2f811 100644 +--- a/drivers/crypto/qat/qat_common/qat_uclo.c ++++ b/drivers/crypto/qat/qat_common/qat_uclo.c +@@ -288,13 +288,18 @@ static int qat_uclo_create_batch_init_list(struct icp_qat_fw_loader_handle + } + return 0; + out_err: ++ /* Do not free the list head unless we allocated it. */ ++ tail_old = tail_old->next; ++ if (flag) { ++ kfree(*init_tab_base); ++ *init_tab_base = NULL; ++ } ++ + while (tail_old) { + mem_init = tail_old->next; + kfree(tail_old); + tail_old = mem_init; + } +- if (flag) +- kfree(*init_tab_base); + return -ENOMEM; + } + +-- +2.27.0 + diff --git a/queue/cxl-Fix-kobject-memleak.patch b/queue/cxl-Fix-kobject-memleak.patch new file mode 100644 index 00000000..7a96efe8 --- /dev/null +++ b/queue/cxl-Fix-kobject-memleak.patch @@ -0,0 +1,38 @@ +From 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 Mon Sep 17 00:00:00 2001 +From: Wang Hai <wanghai38@huawei.com> +Date: Tue, 2 Jun 2020 20:07:33 +0800 +Subject: [PATCH] cxl: Fix kobject memleak + +commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 upstream. + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Fix it by adding a call to kobject_put() in the error path of +kobject_init_and_add(). + +Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs") +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Wang Hai <wanghai38@huawei.com> +Acked-by: Andrew Donnellan <ajd@linux.ibm.com> +Acked-by: Frederic Barrat <fbarrat@linux.ibm.com> +Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c +index f0263d1a1fdf..d97a243ad30c 100644 +--- a/drivers/misc/cxl/sysfs.c ++++ b/drivers/misc/cxl/sysfs.c +@@ -624,7 +624,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c + rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type, + &afu->dev.kobj, "cr%i", cr->cr); + if (rc) +- goto err; ++ goto err1; + + rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr); + if (rc) +-- +2.27.0 + diff --git a/queue/dlm-Fix-kobject-memleak.patch b/queue/dlm-Fix-kobject-memleak.patch new file mode 100644 index 00000000..26d76ed4 --- /dev/null +++ b/queue/dlm-Fix-kobject-memleak.patch @@ -0,0 +1,46 @@ +From 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 Mon Sep 17 00:00:00 2001 +From: Wang Hai <wanghai38@huawei.com> +Date: Mon, 15 Jun 2020 11:25:33 +0800 +Subject: [PATCH] dlm: Fix kobject memleak + +commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 upstream. + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Set do_unreg = 1 before kobject_init_and_add() to ensure that +kobject_put() can be called in its error patch. + +Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add") +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Wang Hai <wanghai38@huawei.com> +Signed-off-by: David Teigland <teigland@redhat.com> + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index e93670ecfae5..624617c12250 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -622,6 +622,9 @@ static int new_lockspace(const char *name, const char *cluster, + wait_event(ls->ls_recover_lock_wait, + test_bit(LSFL_RECOVER_LOCK, &ls->ls_flags)); + ++ /* let kobject handle freeing of ls if there's an error */ ++ do_unreg = 1; ++ + ls->ls_kobj.kset = dlm_kset; + error = kobject_init_and_add(&ls->ls_kobj, &dlm_ktype, NULL, + "%s", ls->ls_name); +@@ -629,9 +632,6 @@ static int new_lockspace(const char *name, const char *cluster, + goto out_recoverd; + kobject_uevent(&ls->ls_kobj, KOBJ_ADD); + +- /* let kobject handle freeing of ls if there's an error */ +- do_unreg = 1; +- + /* This uevent triggers dlm_controld in userspace to add us to the + group of nodes that are members of this lockspace (managed by the + cluster infrastructure.) Once it's done that, it tells us who the +-- +2.27.0 + diff --git a/queue/drivers-net-wan-lapbether-Added-needed_headroom-and-.patch b/queue/drivers-net-wan-lapbether-Added-needed_headroom-and-.patch new file mode 100644 index 00000000..644fbd48 --- /dev/null +++ b/queue/drivers-net-wan-lapbether-Added-needed_headroom-and-.patch @@ -0,0 +1,107 @@ +From c7ca03c216acb14466a713fedf1b9f2c24994ef2 Mon Sep 17 00:00:00 2001 +From: Xie He <xie.he.0141@gmail.com> +Date: Wed, 5 Aug 2020 18:50:40 -0700 +Subject: [PATCH] drivers/net/wan/lapbether: Added needed_headroom and a + skb->len check + +commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 upstream. + +1. Added a skb->len check + +This driver expects upper layers to include a pseudo header of 1 byte +when passing down a skb for transmission. This driver will read this +1-byte header. This patch added a skb->len check before reading the +header to make sure the header exists. + +2. Changed to use needed_headroom instead of hard_header_len to request +necessary headroom to be allocated + +In net/packet/af_packet.c, the function packet_snd first reserves a +headroom of length (dev->hard_header_len + dev->needed_headroom). +Then if the socket is a SOCK_DGRAM socket, it calls dev_hard_header, +which calls dev->header_ops->create, to create the link layer header. +If the socket is a SOCK_RAW socket, it "un-reserves" a headroom of +length (dev->hard_header_len), and assumes the user to provide the +appropriate link layer header. + +So according to the logic of af_packet.c, dev->hard_header_len should +be the length of the header that would be created by +dev->header_ops->create. + +However, this driver doesn't provide dev->header_ops, so logically +dev->hard_header_len should be 0. + +So we should use dev->needed_headroom instead of dev->hard_header_len +to request necessary headroom to be allocated. + +This change fixes kernel panic when this driver is used with AF_PACKET +SOCK_RAW sockets. + +Call stack when panic: + +[ 168.399197] skbuff: skb_under_panic: text:ffffffff819d95fb len:20 +put:14 head:ffff8882704c0a00 data:ffff8882704c09fd tail:0x11 end:0xc0 +dev:veth0 +... +[ 168.399255] Call Trace: +[ 168.399259] skb_push.cold+0x14/0x24 +[ 168.399262] eth_header+0x2b/0xc0 +[ 168.399267] lapbeth_data_transmit+0x9a/0xb0 [lapbether] +[ 168.399275] lapb_data_transmit+0x22/0x2c [lapb] +[ 168.399277] lapb_transmit_buffer+0x71/0xb0 [lapb] +[ 168.399279] lapb_kick+0xe3/0x1c0 [lapb] +[ 168.399281] lapb_data_request+0x76/0xc0 [lapb] +[ 168.399283] lapbeth_xmit+0x56/0x90 [lapbether] +[ 168.399286] dev_hard_start_xmit+0x91/0x1f0 +[ 168.399289] ? irq_init_percpu_irqstack+0xc0/0x100 +[ 168.399291] __dev_queue_xmit+0x721/0x8e0 +[ 168.399295] ? packet_parse_headers.isra.0+0xd2/0x110 +[ 168.399297] dev_queue_xmit+0x10/0x20 +[ 168.399298] packet_sendmsg+0xbf0/0x19b0 +...... + +Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com> +Cc: Martin Schiller <ms@dev.tdt.de> +Cc: Brian Norris <briannorris@chromium.org> +Signed-off-by: Xie He <xie.he.0141@gmail.com> +Acked-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index b2868433718f..1ea15f2123ed 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -157,6 +157,12 @@ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb, + if (!netif_running(dev)) + goto drop; + ++ /* There should be a pseudo header of 1 byte added by upper layers. ++ * Check to make sure it is there before reading it. ++ */ ++ if (skb->len < 1) ++ goto drop; ++ + switch (skb->data[0]) { + case X25_IFACE_DATA: + break; +@@ -305,6 +311,7 @@ static void lapbeth_setup(struct net_device *dev) + dev->netdev_ops = &lapbeth_netdev_ops; + dev->needs_free_netdev = true; + dev->type = ARPHRD_X25; ++ dev->hard_header_len = 0; + dev->mtu = 1000; + dev->addr_len = 0; + } +@@ -331,7 +338,8 @@ static int lapbeth_new_device(struct net_device *dev) + * then this driver prepends a length field of 2 bytes, + * then the underlying Ethernet device prepends its own header. + */ +- ndev->hard_header_len = -1 + 3 + 2 + dev->hard_header_len; ++ ndev->needed_headroom = -1 + 3 + 2 + dev->hard_header_len ++ + dev->needed_headroom; + + lapbeth = netdev_priv(ndev); + lapbeth->axdev = ndev; +-- +2.27.0 + diff --git a/queue/drm-amd-powerplay-fix-compile-error-with-ARCH-arc.patch b/queue/drm-amd-powerplay-fix-compile-error-with-ARCH-arc.patch new file mode 100644 index 00000000..985c0d90 --- /dev/null +++ b/queue/drm-amd-powerplay-fix-compile-error-with-ARCH-arc.patch @@ -0,0 +1,37 @@ +From 9822ba2ead1baa3de4860ad9472f652c4cc78c9c Mon Sep 17 00:00:00 2001 +From: Evan Quan <evan.quan@amd.com> +Date: Sun, 28 Jun 2020 19:12:42 +0800 +Subject: [PATCH] drm/amd/powerplay: fix compile error with ARCH=arc + +commit 9822ba2ead1baa3de4860ad9472f652c4cc78c9c upstream. + +Fix the compile error below: +drivers/gpu/drm/amd/amdgpu/../powerplay/smu_v11_0.c: In function 'smu_v11_0_init_microcode': +>> arch/arc/include/asm/bug.h:22:2: error: implicit declaration of function 'pr_warn'; did you mean 'pci_warn'? [-Werror=implicit-function-declaration] + 22 | pr_warn("BUG: failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); \ + | ^~~~~~~ +drivers/gpu/drm/amd/amdgpu/../powerplay/smu_v11_0.c:176:3: note: in expansion of macro 'BUG' + 176 | BUG(); + +Reported-by: kernel test robot <lkp@intel.com> +Signed-off-by: Evan Quan <evan.quan@amd.com> +Acked-by: Alex Deucher <alexander.deucher@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> + +diff --git a/drivers/gpu/drm/amd/powerplay/smu_v11_0.c b/drivers/gpu/drm/amd/powerplay/smu_v11_0.c +index f24983a8876d..373e1135ca5f 100644 +--- a/drivers/gpu/drm/amd/powerplay/smu_v11_0.c ++++ b/drivers/gpu/drm/amd/powerplay/smu_v11_0.c +@@ -173,7 +173,8 @@ int smu_v11_0_init_microcode(struct smu_context *smu) + chip_name = "sienna_cichlid"; + break; + default: +- BUG(); ++ dev_err(adev->dev, "Unsupported ASIC type %d\n", adev->asic_type); ++ return -EINVAL; + } + + snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_smc.bin", chip_name); +-- +2.27.0 + diff --git a/queue/drm-amdgpu-avoid-dereferencing-a-NULL-pointer.patch b/queue/drm-amdgpu-avoid-dereferencing-a-NULL-pointer.patch new file mode 100644 index 00000000..6b705c1b --- /dev/null +++ b/queue/drm-amdgpu-avoid-dereferencing-a-NULL-pointer.patch @@ -0,0 +1,73 @@ +From 55611b507fd6453d26030c0c0619fdf0c262766d Mon Sep 17 00:00:00 2001 +From: Jack Xiao <Jack.Xiao@amd.com> +Date: Wed, 5 Jun 2019 16:30:13 +0800 +Subject: [PATCH] drm/amdgpu: avoid dereferencing a NULL pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 55611b507fd6453d26030c0c0619fdf0c262766d upstream. + +Check if irq_src is NULL to avoid dereferencing a NULL pointer, +for MES ring is uneccessary to recieve an interrupt notification. + +Signed-off-by: Jack Xiao <Jack.Xiao@amd.com> +Acked-by: Alex Deucher <alexander.deucher@amd.com> +Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com> +Reviewed-by: Christian König <christian.koenig@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +index d878fe7fee51..3414e119f0cb 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +@@ -416,7 +416,9 @@ int amdgpu_fence_driver_start_ring(struct amdgpu_ring *ring, + ring->fence_drv.gpu_addr = adev->uvd.inst[ring->me].gpu_addr + index; + } + amdgpu_fence_write(ring, atomic_read(&ring->fence_drv.last_seq)); +- amdgpu_irq_get(adev, irq_src, irq_type); ++ ++ if (irq_src) ++ amdgpu_irq_get(adev, irq_src, irq_type); + + ring->fence_drv.irq_src = irq_src; + ring->fence_drv.irq_type = irq_type; +@@ -537,8 +539,9 @@ void amdgpu_fence_driver_fini(struct amdgpu_device *adev) + /* no need to trigger GPU reset as we are unloading */ + amdgpu_fence_driver_force_completion(ring); + } +- amdgpu_irq_put(adev, ring->fence_drv.irq_src, +- ring->fence_drv.irq_type); ++ if (ring->fence_drv.irq_src) ++ amdgpu_irq_put(adev, ring->fence_drv.irq_src, ++ ring->fence_drv.irq_type); + drm_sched_fini(&ring->sched); + del_timer_sync(&ring->fence_drv.fallback_timer); + for (j = 0; j <= ring->fence_drv.num_fences_mask; ++j) +@@ -574,8 +577,9 @@ void amdgpu_fence_driver_suspend(struct amdgpu_device *adev) + } + + /* disable the interrupt */ +- amdgpu_irq_put(adev, ring->fence_drv.irq_src, +- ring->fence_drv.irq_type); ++ if (ring->fence_drv.irq_src) ++ amdgpu_irq_put(adev, ring->fence_drv.irq_src, ++ ring->fence_drv.irq_type); + } + } + +@@ -601,8 +605,9 @@ void amdgpu_fence_driver_resume(struct amdgpu_device *adev) + continue; + + /* enable the interrupt */ +- amdgpu_irq_get(adev, ring->fence_drv.irq_src, +- ring->fence_drv.irq_type); ++ if (ring->fence_drv.irq_src) ++ amdgpu_irq_get(adev, ring->fence_drv.irq_src, ++ ring->fence_drv.irq_type); + } + } + +-- +2.27.0 + diff --git a/queue/drm-amdgpu-display-bail-early-in-dm_pp_get_static_cl.patch b/queue/drm-amdgpu-display-bail-early-in-dm_pp_get_static_cl.patch new file mode 100644 index 00000000..7b1dbfa1 --- /dev/null +++ b/queue/drm-amdgpu-display-bail-early-in-dm_pp_get_static_cl.patch @@ -0,0 +1,30 @@ +From 376814f5fcf1aadda501d1413d56e8af85d19a97 Mon Sep 17 00:00:00 2001 +From: Alex Deucher <alexander.deucher@amd.com> +Date: Wed, 17 Jun 2020 16:33:47 -0400 +Subject: [PATCH] drm/amdgpu/display bail early in dm_pp_get_static_clocks + +commit 376814f5fcf1aadda501d1413d56e8af85d19a97 upstream. + +If there are no supported callbacks. We'll fall back to the +nominal clocks. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1170 +Reviewed-by: Evan Quan <evan.quan@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c +index 484171241330..35a317b70719 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c +@@ -530,6 +530,8 @@ bool dm_pp_get_static_clocks( + &pp_clk_info); + else if (adev->smu.ppt_funcs) + ret = smu_get_current_clocks(&adev->smu, &pp_clk_info); ++ else ++ return false; + if (ret) + return false; + +-- +2.27.0 + diff --git a/queue/drm-arm-fix-unintentional-integer-overflow-on-left-s.patch b/queue/drm-arm-fix-unintentional-integer-overflow-on-left-s.patch new file mode 100644 index 00000000..cfd94870 --- /dev/null +++ b/queue/drm-arm-fix-unintentional-integer-overflow-on-left-s.patch @@ -0,0 +1,35 @@ +From 5f368ddea6fec519bdb93b5368f6a844b6ea27a6 Mon Sep 17 00:00:00 2001 +From: Colin Ian King <colin.king@canonical.com> +Date: Thu, 18 Jun 2020 11:04:00 +0100 +Subject: [PATCH] drm/arm: fix unintentional integer overflow on left shift + +commit 5f368ddea6fec519bdb93b5368f6a844b6ea27a6 upstream. + +Shifting the integer value 1 is evaluated using 32-bit arithmetic +and then used in an expression that expects a long value leads to +a potential integer overflow. Fix this by using the BIT macro to +perform the shift to avoid the overflow. + +Addresses-Coverity: ("Unintentional integer overflow") +Fixes: ad49f8602fe8 ("drm/arm: Add support for Mali Display Processors") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Acked-by: Liviu Dudau <liviu.dudau@arm.com> +Signed-off-by: Liviu Dudau <Liviu.Dudau@arm.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200618100400.11464-1-colin.king@canonical.com + +diff --git a/drivers/gpu/drm/arm/malidp_planes.c b/drivers/gpu/drm/arm/malidp_planes.c +index 37715cc6064e..ab45ac445045 100644 +--- a/drivers/gpu/drm/arm/malidp_planes.c ++++ b/drivers/gpu/drm/arm/malidp_planes.c +@@ -928,7 +928,7 @@ int malidp_de_planes_init(struct drm_device *drm) + const struct malidp_hw_regmap *map = &malidp->dev->hw->map; + struct malidp_plane *plane = NULL; + enum drm_plane_type plane_type; +- unsigned long crtcs = 1 << drm->mode_config.num_crtc; ++ unsigned long crtcs = BIT(drm->mode_config.num_crtc); + unsigned long flags = DRM_MODE_ROTATE_0 | DRM_MODE_ROTATE_90 | DRM_MODE_ROTATE_180 | + DRM_MODE_ROTATE_270 | DRM_MODE_REFLECT_X | DRM_MODE_REFLECT_Y; + unsigned int blend_caps = BIT(DRM_MODE_BLEND_PIXEL_NONE) | +-- +2.27.0 + diff --git a/queue/drm-bridge-sil_sii8620-initialize-return-of-sii8620_.patch b/queue/drm-bridge-sil_sii8620-initialize-return-of-sii8620_.patch new file mode 100644 index 00000000..f9d26718 --- /dev/null +++ b/queue/drm-bridge-sil_sii8620-initialize-return-of-sii8620_.patch @@ -0,0 +1,43 @@ +From 02cd2d3144653e6e2a0c7ccaa73311e48e2dc686 Mon Sep 17 00:00:00 2001 +From: Tom Rix <trix@redhat.com> +Date: Sun, 12 Jul 2020 08:24:53 -0700 +Subject: [PATCH] drm/bridge: sil_sii8620: initialize return of sii8620_readb + +commit 02cd2d3144653e6e2a0c7ccaa73311e48e2dc686 upstream. + +clang static analysis flags this error + +sil-sii8620.c:184:2: warning: Undefined or garbage value + returned to caller [core.uninitialized.UndefReturn] + return ret; + ^~~~~~~~~~ + +sii8620_readb calls sii8620_read_buf. +sii8620_read_buf can return without setting its output +pararmeter 'ret'. + +So initialize ret. + +Fixes: ce6e153f414a ("drm/bridge: add Silicon Image SiI8620 driver") +Signed-off-by: Tom Rix <trix@redhat.com> +Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> +Reviewed-by: Andrzej Hajda <a.hajda@samsung.com> +Signed-off-by: Sam Ravnborg <sam@ravnborg.org> +Link: https://patchwork.freedesktop.org/patch/msgid/20200712152453.27510-1-trix@redhat.com + +diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c +index 7c0c93c7e61f..95f3d8cfe9ec 100644 +--- a/drivers/gpu/drm/bridge/sil-sii8620.c ++++ b/drivers/gpu/drm/bridge/sil-sii8620.c +@@ -178,7 +178,7 @@ static void sii8620_read_buf(struct sii8620 *ctx, u16 addr, u8 *buf, int len) + + static u8 sii8620_readb(struct sii8620 *ctx, u16 addr) + { +- u8 ret; ++ u8 ret = 0; + + sii8620_read_buf(ctx, addr, &ret, 1); + return ret; +-- +2.27.0 + diff --git a/queue/drm-bridge-ti-sn65dsi86-Clear-old-error-bits-before-.patch b/queue/drm-bridge-ti-sn65dsi86-Clear-old-error-bits-before-.patch new file mode 100644 index 00000000..8fe5f210 --- /dev/null +++ b/queue/drm-bridge-ti-sn65dsi86-Clear-old-error-bits-before-.patch @@ -0,0 +1,41 @@ +From baef4d56195b6d6e0f681f6eac03d8c6db011d34 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson <dianders@chromium.org> +Date: Fri, 8 May 2020 16:33:29 -0700 +Subject: [PATCH] drm/bridge: ti-sn65dsi86: Clear old error bits before AUX + transfers + +commit baef4d56195b6d6e0f681f6eac03d8c6db011d34 upstream. + +The AUX channel transfer error bits in the status register are latched +and need to be cleared. Clear them before doing our transfer so we +don't see old bits and get confused. + +Without this patch having a single failure would mean that all future +transfers would look like they failed. + +Fixes: b814ec6d4535 ("drm/bridge: ti-sn65dsi86: Implement AUX channel") +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Reviewed-by: Rob Clark <robdclark@gmail.com> +Signed-off-by: Sam Ravnborg <sam@ravnborg.org> +Link: https://patchwork.freedesktop.org/patch/msgid/20200508163314.1.Idfa69d5d3fc9623083c0ff78572fea87dccb199c@changeid + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index 3b91fa0ebdf9..03a29c797784 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -869,6 +869,12 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, + buf[i]); + } + ++ /* Clear old status bits before start so we don't get confused */ ++ regmap_write(pdata->regmap, SN_AUX_CMD_STATUS_REG, ++ AUX_IRQ_STATUS_NAT_I2C_FAIL | ++ AUX_IRQ_STATUS_AUX_RPLY_TOUT | ++ AUX_IRQ_STATUS_AUX_SHORT); ++ + regmap_write(pdata->regmap, SN_AUX_CMD_REG, request_val | AUX_CMD_SEND); + + ret = regmap_read_poll_timeout(pdata->regmap, SN_AUX_CMD_REG, val, +-- +2.27.0 + diff --git a/queue/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch b/queue/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch new file mode 100644 index 00000000..73722f25 --- /dev/null +++ b/queue/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch @@ -0,0 +1,45 @@ +From c704b17071c4dc571dca3af4e4151dac51de081a Mon Sep 17 00:00:00 2001 +From: Michael Tretter <m.tretter@pengutronix.de> +Date: Thu, 17 Aug 2017 12:43:07 +0200 +Subject: [PATCH] drm/debugfs: fix plain echo to connector "force" attribute + +commit c704b17071c4dc571dca3af4e4151dac51de081a upstream. + +Using plain echo to set the "force" connector attribute fails with +-EINVAL, because echo appends a newline to the output. + +Replace strcmp with sysfs_streq to also accept strings that end with a +newline. + +v2: use sysfs_streq instead of stripping trailing whitespace + +Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> +Reviewed-by: Jani Nikula <jani.nikula@intel.com> +Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de + +diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c +index 2bea22130703..bfe4602f206b 100644 +--- a/drivers/gpu/drm/drm_debugfs.c ++++ b/drivers/gpu/drm/drm_debugfs.c +@@ -311,13 +311,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf, + + buf[len] = '\0'; + +- if (!strcmp(buf, "on")) ++ if (sysfs_streq(buf, "on")) + connector->force = DRM_FORCE_ON; +- else if (!strcmp(buf, "digital")) ++ else if (sysfs_streq(buf, "digital")) + connector->force = DRM_FORCE_ON_DIGITAL; +- else if (!strcmp(buf, "off")) ++ else if (sysfs_streq(buf, "off")) + connector->force = DRM_FORCE_OFF; +- else if (!strcmp(buf, "unspecified")) ++ else if (sysfs_streq(buf, "unspecified")) + connector->force = DRM_FORCE_UNSPECIFIED; + else + return -EINVAL; +-- +2.27.0 + diff --git a/queue/drm-etnaviv-Fix-error-path-on-failure-to-enable-bus-.patch b/queue/drm-etnaviv-Fix-error-path-on-failure-to-enable-bus-.patch new file mode 100644 index 00000000..00edcc12 --- /dev/null +++ b/queue/drm-etnaviv-Fix-error-path-on-failure-to-enable-bus-.patch @@ -0,0 +1,41 @@ +From f8794feaf65cdc97767604cf864775d20b97f397 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel <lkundrak@v3.sk> +Date: Tue, 16 Jun 2020 23:21:24 +0200 +Subject: [PATCH] drm/etnaviv: Fix error path on failure to enable bus clk + +commit f8794feaf65cdc97767604cf864775d20b97f397 upstream. + +Since commit 65f037e8e908 ("drm/etnaviv: add support for slave interface +clock") the reg clock is enabled before the bus clock and we need to undo +its enablement on error. + +Fixes: 65f037e8e908 ("drm/etnaviv: add support for slave interface clock") +Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> +Signed-off-by: Lucas Stach <l.stach@pengutronix.de> + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c +index a31eeff2b297..c6dacfe3d321 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c +@@ -1496,7 +1496,7 @@ static int etnaviv_gpu_clk_enable(struct etnaviv_gpu *gpu) + if (gpu->clk_bus) { + ret = clk_prepare_enable(gpu->clk_bus); + if (ret) +- return ret; ++ goto disable_clk_reg; + } + + if (gpu->clk_core) { +@@ -1519,6 +1519,9 @@ static int etnaviv_gpu_clk_enable(struct etnaviv_gpu *gpu) + disable_clk_bus: + if (gpu->clk_bus) + clk_disable_unprepare(gpu->clk_bus); ++disable_clk_reg: ++ if (gpu->clk_reg) ++ clk_disable_unprepare(gpu->clk_reg); + + return ret; + } +-- +2.27.0 + diff --git a/queue/drm-etnaviv-fix-ref-count-leak-via-pm_runtime_get_sy.patch b/queue/drm-etnaviv-fix-ref-count-leak-via-pm_runtime_get_sy.patch new file mode 100644 index 00000000..96457321 --- /dev/null +++ b/queue/drm-etnaviv-fix-ref-count-leak-via-pm_runtime_get_sy.patch @@ -0,0 +1,93 @@ +From c5d5a32ead1e3a61a07a1e59eb52a53e4a6b2a7f Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost <navid.emamdoost@gmail.com> +Date: Mon, 15 Jun 2020 01:12:20 -0500 +Subject: [PATCH] drm/etnaviv: fix ref count leak via pm_runtime_get_sync + +commit c5d5a32ead1e3a61a07a1e59eb52a53e4a6b2a7f upstream. + +in etnaviv_gpu_submit, etnaviv_gpu_recover_hang, etnaviv_gpu_debugfs, +and etnaviv_gpu_init the call to pm_runtime_get_sync increments the +counter even in case of failure, leading to incorrect ref count. +In case of failure, decrement the ref count before returning. + +Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> +Signed-off-by: Lucas Stach <l.stach@pengutronix.de> + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c +index fb37787449bb..d5a4cd85a0f6 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c +@@ -722,7 +722,7 @@ int etnaviv_gpu_init(struct etnaviv_gpu *gpu) + ret = pm_runtime_get_sync(gpu->dev); + if (ret < 0) { + dev_err(gpu->dev, "Failed to enable GPU power domain\n"); +- return ret; ++ goto pm_put; + } + + etnaviv_hw_identify(gpu); +@@ -819,6 +819,7 @@ int etnaviv_gpu_init(struct etnaviv_gpu *gpu) + + fail: + pm_runtime_mark_last_busy(gpu->dev); ++pm_put: + pm_runtime_put_autosuspend(gpu->dev); + + return ret; +@@ -859,7 +860,7 @@ int etnaviv_gpu_debugfs(struct etnaviv_gpu *gpu, struct seq_file *m) + + ret = pm_runtime_get_sync(gpu->dev); + if (ret < 0) +- return ret; ++ goto pm_put; + + dma_lo = gpu_read(gpu, VIVS_FE_DMA_LOW); + dma_hi = gpu_read(gpu, VIVS_FE_DMA_HIGH); +@@ -1003,6 +1004,7 @@ int etnaviv_gpu_debugfs(struct etnaviv_gpu *gpu, struct seq_file *m) + ret = 0; + + pm_runtime_mark_last_busy(gpu->dev); ++pm_put: + pm_runtime_put_autosuspend(gpu->dev); + + return ret; +@@ -1016,7 +1018,7 @@ void etnaviv_gpu_recover_hang(struct etnaviv_gpu *gpu) + dev_err(gpu->dev, "recover hung GPU!\n"); + + if (pm_runtime_get_sync(gpu->dev) < 0) +- return; ++ goto pm_put; + + mutex_lock(&gpu->lock); + +@@ -1035,6 +1037,7 @@ void etnaviv_gpu_recover_hang(struct etnaviv_gpu *gpu) + + mutex_unlock(&gpu->lock); + pm_runtime_mark_last_busy(gpu->dev); ++pm_put: + pm_runtime_put_autosuspend(gpu->dev); + } + +@@ -1308,8 +1311,10 @@ struct dma_fence *etnaviv_gpu_submit(struct etnaviv_gem_submit *submit) + + if (!submit->runtime_resumed) { + ret = pm_runtime_get_sync(gpu->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(gpu->dev); + return NULL; ++ } + submit->runtime_resumed = true; + } + +@@ -1326,6 +1331,7 @@ struct dma_fence *etnaviv_gpu_submit(struct etnaviv_gem_submit *submit) + ret = event_alloc(gpu, nr_events, event); + if (ret) { + DRM_ERROR("no free events\n"); ++ pm_runtime_put_noidle(gpu->dev); + return NULL; + } + +-- +2.27.0 + diff --git a/queue/drm-gem-Fix-a-leak-in-drm_gem_objects_lookup.patch b/queue/drm-gem-Fix-a-leak-in-drm_gem_objects_lookup.patch new file mode 100644 index 00000000..a594e55d --- /dev/null +++ b/queue/drm-gem-Fix-a-leak-in-drm_gem_objects_lookup.patch @@ -0,0 +1,40 @@ +From ec0bb482de0ad5e4aba2a4537ea53eaeb77d11a6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Fri, 20 Mar 2020 16:23:34 +0300 +Subject: [PATCH] drm/gem: Fix a leak in drm_gem_objects_lookup() + +commit ec0bb482de0ad5e4aba2a4537ea53eaeb77d11a6 upstream. + +If the "handles" allocation or the copy_from_user() fails then we leak +"objs". It's supposed to be freed in panfrost_job_cleanup(). + +Fixes: c117aa4d8701 ("drm: Add a drm_gem_objects_lookup helper") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200320132334.GC95012@mwanda + +diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c +index 7bf628e13023..d6ef48bc7a7b 100644 +--- a/drivers/gpu/drm/drm_gem.c ++++ b/drivers/gpu/drm/drm_gem.c +@@ -709,6 +709,8 @@ int drm_gem_objects_lookup(struct drm_file *filp, void __user *bo_handles, + if (!objs) + return -ENOMEM; + ++ *objs_out = objs; ++ + handles = kvmalloc_array(count, sizeof(u32), GFP_KERNEL); + if (!handles) { + ret = -ENOMEM; +@@ -722,8 +724,6 @@ int drm_gem_objects_lookup(struct drm_file *filp, void __user *bo_handles, + } + + ret = objects_lookup(filp, handles, count, objs); +- *objs_out = objs; +- + out: + kvfree(handles); + return ret; +-- +2.27.0 + diff --git a/queue/drm-imx-fix-use-after-free.patch b/queue/drm-imx-fix-use-after-free.patch new file mode 100644 index 00000000..b006c0b5 --- /dev/null +++ b/queue/drm-imx-fix-use-after-free.patch @@ -0,0 +1,262 @@ +From ba807c94f67fd64b3051199810d9e4dd209fdc00 Mon Sep 17 00:00:00 2001 +From: Philipp Zabel <p.zabel@pengutronix.de> +Date: Thu, 11 Jun 2020 14:43:31 +0200 +Subject: [PATCH] drm/imx: fix use after free + +commit ba807c94f67fd64b3051199810d9e4dd209fdc00 upstream. + +Component driver structures allocated with devm_kmalloc() in bind() are +freed automatically after unbind(). Since the contained drm structures +are accessed afterwards in drm_mode_config_cleanup(), move the +allocation into probe() to extend the driver structure's lifetime to the +lifetime of the device. This should eventually be changed to use drm +resource managed allocations with lifetime of the drm device. + +We also need to ensure that all componets are available during the +unbind() so we need to call component_unbind_all() before we free +non-devres resources like planes. + +Note this patch fixes the the use after free bug but introduces a +possible boot loop issue. The issue is triggered if the HDMI support is +enabled and a component driver always return -EPROBE_DEFER, see +discussion [1] for more details. + +[1] https://lkml.org/lkml/2020/3/24/1467 + +Fixes: 17b5001b5143 ("imx-drm: convert to componentised device support") +Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> +[m.felsch@pengutronix: fix imx_tve_probe()] +[m.felsch@pengutronix: resort component_unbind_all()) +[m.felsch@pengutronix: adapt commit message] +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> + +diff --git a/drivers/gpu/drm/imx/dw_hdmi-imx.c b/drivers/gpu/drm/imx/dw_hdmi-imx.c +index ba4ca17fd4d8..87869b9997a6 100644 +--- a/drivers/gpu/drm/imx/dw_hdmi-imx.c ++++ b/drivers/gpu/drm/imx/dw_hdmi-imx.c +@@ -209,9 +209,8 @@ static int dw_hdmi_imx_bind(struct device *dev, struct device *master, + if (!pdev->dev.of_node) + return -ENODEV; + +- hdmi = devm_kzalloc(&pdev->dev, sizeof(*hdmi), GFP_KERNEL); +- if (!hdmi) +- return -ENOMEM; ++ hdmi = dev_get_drvdata(dev); ++ memset(hdmi, 0, sizeof(*hdmi)); + + match = of_match_node(dw_hdmi_imx_dt_ids, pdev->dev.of_node); + plat_data = match->data; +@@ -235,8 +234,6 @@ static int dw_hdmi_imx_bind(struct device *dev, struct device *master, + drm_encoder_helper_add(encoder, &dw_hdmi_imx_encoder_helper_funcs); + drm_simple_encoder_init(drm, encoder, DRM_MODE_ENCODER_TMDS); + +- platform_set_drvdata(pdev, hdmi); +- + hdmi->hdmi = dw_hdmi_bind(pdev, encoder, plat_data); + + /* +@@ -266,6 +263,14 @@ static const struct component_ops dw_hdmi_imx_ops = { + + static int dw_hdmi_imx_probe(struct platform_device *pdev) + { ++ struct imx_hdmi *hdmi; ++ ++ hdmi = devm_kzalloc(&pdev->dev, sizeof(*hdmi), GFP_KERNEL); ++ if (!hdmi) ++ return -ENOMEM; ++ ++ platform_set_drvdata(pdev, hdmi); ++ + return component_add(&pdev->dev, &dw_hdmi_imx_ops); + } + +diff --git a/drivers/gpu/drm/imx/imx-drm-core.c b/drivers/gpu/drm/imx/imx-drm-core.c +index 2e38f1a5cf8d..3421043a558d 100644 +--- a/drivers/gpu/drm/imx/imx-drm-core.c ++++ b/drivers/gpu/drm/imx/imx-drm-core.c +@@ -275,9 +275,10 @@ static void imx_drm_unbind(struct device *dev) + + drm_kms_helper_poll_fini(drm); + ++ component_unbind_all(drm->dev, drm); ++ + drm_mode_config_cleanup(drm); + +- component_unbind_all(drm->dev, drm); + dev_set_drvdata(dev, NULL); + + drm_dev_put(drm); +diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c +index 66ea68e8da87..1823af9936c9 100644 +--- a/drivers/gpu/drm/imx/imx-ldb.c ++++ b/drivers/gpu/drm/imx/imx-ldb.c +@@ -590,9 +590,8 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + int ret; + int i; + +- imx_ldb = devm_kzalloc(dev, sizeof(*imx_ldb), GFP_KERNEL); +- if (!imx_ldb) +- return -ENOMEM; ++ imx_ldb = dev_get_drvdata(dev); ++ memset(imx_ldb, 0, sizeof(*imx_ldb)); + + imx_ldb->regmap = syscon_regmap_lookup_by_phandle(np, "gpr"); + if (IS_ERR(imx_ldb->regmap)) { +@@ -700,8 +699,6 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + } + } + +- dev_set_drvdata(dev, imx_ldb); +- + return 0; + + free_child: +@@ -733,6 +730,14 @@ static const struct component_ops imx_ldb_ops = { + + static int imx_ldb_probe(struct platform_device *pdev) + { ++ struct imx_ldb *imx_ldb; ++ ++ imx_ldb = devm_kzalloc(&pdev->dev, sizeof(*imx_ldb), GFP_KERNEL); ++ if (!imx_ldb) ++ return -ENOMEM; ++ ++ platform_set_drvdata(pdev, imx_ldb); ++ + return component_add(&pdev->dev, &imx_ldb_ops); + } + +diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c +index ee63782c77e9..82d1ee1fb0c8 100644 +--- a/drivers/gpu/drm/imx/imx-tve.c ++++ b/drivers/gpu/drm/imx/imx-tve.c +@@ -542,9 +542,8 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + int irq; + int ret; + +- tve = devm_kzalloc(dev, sizeof(*tve), GFP_KERNEL); +- if (!tve) +- return -ENOMEM; ++ tve = dev_get_drvdata(dev); ++ memset(tve, 0, sizeof(*tve)); + + tve->dev = dev; + spin_lock_init(&tve->lock); +@@ -655,8 +654,6 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + if (ret) + return ret; + +- dev_set_drvdata(dev, tve); +- + return 0; + } + +@@ -676,6 +673,14 @@ static const struct component_ops imx_tve_ops = { + + static int imx_tve_probe(struct platform_device *pdev) + { ++ struct imx_tve *tve; ++ ++ tve = devm_kzalloc(&pdev->dev, sizeof(*tve), GFP_KERNEL); ++ if (!tve) ++ return -ENOMEM; ++ ++ platform_set_drvdata(pdev, tve); ++ + return component_add(&pdev->dev, &imx_tve_ops); + } + +diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c +index 63c0284f8b3c..2256c9789fc2 100644 +--- a/drivers/gpu/drm/imx/ipuv3-crtc.c ++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c +@@ -438,21 +438,13 @@ static int ipu_drm_bind(struct device *dev, struct device *master, void *data) + struct ipu_client_platformdata *pdata = dev->platform_data; + struct drm_device *drm = data; + struct ipu_crtc *ipu_crtc; +- int ret; + +- ipu_crtc = devm_kzalloc(dev, sizeof(*ipu_crtc), GFP_KERNEL); +- if (!ipu_crtc) +- return -ENOMEM; ++ ipu_crtc = dev_get_drvdata(dev); ++ memset(ipu_crtc, 0, sizeof(*ipu_crtc)); + + ipu_crtc->dev = dev; + +- ret = ipu_crtc_init(ipu_crtc, pdata, drm); +- if (ret) +- return ret; +- +- dev_set_drvdata(dev, ipu_crtc); +- +- return 0; ++ return ipu_crtc_init(ipu_crtc, pdata, drm); + } + + static void ipu_drm_unbind(struct device *dev, struct device *master, +@@ -474,6 +466,7 @@ static const struct component_ops ipu_crtc_ops = { + static int ipu_drm_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; ++ struct ipu_crtc *ipu_crtc; + int ret; + + if (!dev->platform_data) +@@ -483,6 +476,12 @@ static int ipu_drm_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ ipu_crtc = devm_kzalloc(dev, sizeof(*ipu_crtc), GFP_KERNEL); ++ if (!ipu_crtc) ++ return -ENOMEM; ++ ++ dev_set_drvdata(dev, ipu_crtc); ++ + return component_add(dev, &ipu_crtc_ops); + } + +diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c +index ac916c84a631..622eabe9efb3 100644 +--- a/drivers/gpu/drm/imx/parallel-display.c ++++ b/drivers/gpu/drm/imx/parallel-display.c +@@ -326,9 +326,8 @@ static int imx_pd_bind(struct device *dev, struct device *master, void *data) + u32 bus_format = 0; + const char *fmt; + +- imxpd = devm_kzalloc(dev, sizeof(*imxpd), GFP_KERNEL); +- if (!imxpd) +- return -ENOMEM; ++ imxpd = dev_get_drvdata(dev); ++ memset(imxpd, 0, sizeof(*imxpd)); + + edidp = of_get_property(np, "edid", &imxpd->edid_len); + if (edidp) +@@ -359,8 +358,6 @@ static int imx_pd_bind(struct device *dev, struct device *master, void *data) + if (ret) + return ret; + +- dev_set_drvdata(dev, imxpd); +- + return 0; + } + +@@ -382,6 +379,14 @@ static const struct component_ops imx_pd_ops = { + + static int imx_pd_probe(struct platform_device *pdev) + { ++ struct imx_parallel_display *imxpd; ++ ++ imxpd = devm_kzalloc(&pdev->dev, sizeof(*imxpd), GFP_KERNEL); ++ if (!imxpd) ++ return -ENOMEM; ++ ++ platform_set_drvdata(pdev, imxpd); ++ + return component_add(&pdev->dev, &imx_pd_ops); + } + +-- +2.27.0 + diff --git a/queue/drm-imx-tve-fix-regulator_disable-error-path.patch b/queue/drm-imx-tve-fix-regulator_disable-error-path.patch new file mode 100644 index 00000000..9da33e2d --- /dev/null +++ b/queue/drm-imx-tve-fix-regulator_disable-error-path.patch @@ -0,0 +1,64 @@ +From 7bb58b987fee26da2a1665c01033022624986b7c Mon Sep 17 00:00:00 2001 +From: Marco Felsch <m.felsch@pengutronix.de> +Date: Thu, 11 Jun 2020 14:43:32 +0200 +Subject: [PATCH] drm/imx: tve: fix regulator_disable error path + +commit 7bb58b987fee26da2a1665c01033022624986b7c upstream. + +Add missing regulator_disable() as devm_action to avoid dedicated +unbind() callback and fix the missing error handling. + +Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> + +diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c +index 82d1ee1fb0c8..3758de3e09bd 100644 +--- a/drivers/gpu/drm/imx/imx-tve.c ++++ b/drivers/gpu/drm/imx/imx-tve.c +@@ -490,6 +490,13 @@ static int imx_tve_register(struct drm_device *drm, struct imx_tve *tve) + return 0; + } + ++static void imx_tve_disable_regulator(void *data) ++{ ++ struct imx_tve *tve = data; ++ ++ regulator_disable(tve->dac_reg); ++} ++ + static bool imx_tve_readable_reg(struct device *dev, unsigned int reg) + { + return (reg % 4 == 0) && (reg <= 0xdc); +@@ -613,6 +620,9 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + ret = regulator_enable(tve->dac_reg); + if (ret) + return ret; ++ ret = devm_add_action_or_reset(dev, imx_tve_disable_regulator, tve); ++ if (ret) ++ return ret; + } + + tve->clk = devm_clk_get(dev, "tve"); +@@ -657,18 +667,8 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + return 0; + } + +-static void imx_tve_unbind(struct device *dev, struct device *master, +- void *data) +-{ +- struct imx_tve *tve = dev_get_drvdata(dev); +- +- if (!IS_ERR(tve->dac_reg)) +- regulator_disable(tve->dac_reg); +-} +- + static const struct component_ops imx_tve_ops = { + .bind = imx_tve_bind, +- .unbind = imx_tve_unbind, + }; + + static int imx_tve_probe(struct platform_device *pdev) +-- +2.27.0 + diff --git a/queue/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch b/queue/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch new file mode 100644 index 00000000..0ff2a602 --- /dev/null +++ b/queue/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch @@ -0,0 +1,44 @@ +From 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 Mon Sep 17 00:00:00 2001 +From: Emil Velikov <emil.velikov@collabora.com> +Date: Tue, 5 May 2020 17:03:29 +0100 +Subject: [PATCH] drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline + +commit 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 upstream. + +The helper uses the MIPI_DCS_SET_TEAR_SCANLINE, although it's currently +using the generic write. This does not look right. + +Perhaps some platforms don't distinguish between the two writers? + +Cc: Robert Chiras <robert.chiras@nxp.com> +Cc: Vinay Simha BN <simhavcs@gmail.com> +Cc: Jani Nikula <jani.nikula@intel.com> +Cc: Thierry Reding <treding@nvidia.com> +Fixes: e83950816367 ("drm/dsi: Implement set tear scanline") +Signed-off-by: Emil Velikov <emil.velikov@collabora.com> +Reviewed-by: Thierry Reding <treding@nvidia.com> +Signed-off-by: Sam Ravnborg <sam@ravnborg.org> +Link: https://patchwork.freedesktop.org/patch/msgid/20200505160329.2976059-3-emil.l.velikov@gmail.com + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index b96d5b4629d7..07102d8da58f 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -1082,11 +1082,11 @@ EXPORT_SYMBOL(mipi_dsi_dcs_set_pixel_format); + */ + int mipi_dsi_dcs_set_tear_scanline(struct mipi_dsi_device *dsi, u16 scanline) + { +- u8 payload[3] = { MIPI_DCS_SET_TEAR_SCANLINE, scanline >> 8, +- scanline & 0xff }; ++ u8 payload[2] = { scanline >> 8, scanline & 0xff }; + ssize_t err; + +- err = mipi_dsi_generic_write(dsi, payload, sizeof(payload)); ++ err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_TEAR_SCANLINE, payload, ++ sizeof(payload)); + if (err < 0) + return err; + +-- +2.27.0 + diff --git a/queue/drm-msm-Fix-a-null-pointer-access-in-msm_gem_shrinke.patch b/queue/drm-msm-Fix-a-null-pointer-access-in-msm_gem_shrinke.patch new file mode 100644 index 00000000..8b93946c --- /dev/null +++ b/queue/drm-msm-Fix-a-null-pointer-access-in-msm_gem_shrinke.patch @@ -0,0 +1,168 @@ +From 3cbdc8d8b7f39a7af3ea7b8dfa75caaebfda4e56 Mon Sep 17 00:00:00 2001 +From: Akhil P Oommen <akhilpo@codeaurora.org> +Date: Fri, 10 Jul 2020 02:01:55 +0530 +Subject: [PATCH] drm/msm: Fix a null pointer access in + msm_gem_shrinker_count() + +commit 3cbdc8d8b7f39a7af3ea7b8dfa75caaebfda4e56 upstream. + +Adding an msm_gem_object object to the inactive_list before completing +its initialization is a bad idea because shrinker may pick it up from the +inactive_list. Fix this by making sure that the initialization is complete +before moving the msm_obj object to the inactive list. + +This patch fixes the below error: +[10027.553044] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068 +[10027.573305] Mem abort info: +[10027.590160] ESR = 0x96000006 +[10027.597905] EC = 0x25: DABT (current EL), IL = 32 bits +[10027.614430] SET = 0, FnV = 0 +[10027.624427] EA = 0, S1PTW = 0 +[10027.632722] Data abort info: +[10027.638039] ISV = 0, ISS = 0x00000006 +[10027.647459] CM = 0, WnR = 0 +[10027.654345] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001e3a6a000 +[10027.672681] [0000000000000068] pgd=0000000198c31003, pud=0000000198c31003, pmd=0000000000000000 +[10027.693900] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[10027.738261] CPU: 3 PID: 214 Comm: kswapd0 Tainted: G S 5.4.40 #1 +[10027.745766] Hardware name: Qualcomm Technologies, Inc. SC7180 IDP (DT) +[10027.752472] pstate: 80c00009 (Nzcv daif +PAN +UAO) +[10027.757409] pc : mutex_is_locked+0x14/0x2c +[10027.761626] lr : msm_gem_shrinker_count+0x70/0xec +[10027.766454] sp : ffffffc011323ad0 +[10027.769867] x29: ffffffc011323ad0 x28: ffffffe677e4b878 +[10027.775324] x27: 0000000000000cc0 x26: 0000000000000000 +[10027.780783] x25: ffffff817114a708 x24: 0000000000000008 +[10027.786242] x23: ffffff8023ab7170 x22: 0000000000000001 +[10027.791701] x21: ffffff817114a080 x20: 0000000000000119 +[10027.797160] x19: 0000000000000068 x18: 00000000000003bc +[10027.802621] x17: 0000000004a34210 x16: 00000000000000c0 +[10027.808083] x15: 0000000000000000 x14: 0000000000000000 +[10027.813542] x13: ffffffe677e0a3c0 x12: 0000000000000000 +[10027.819000] x11: 0000000000000000 x10: ffffff8174b94340 +[10027.824461] x9 : 0000000000000000 x8 : 0000000000000000 +[10027.829919] x7 : 00000000000001fc x6 : ffffffc011323c88 +[10027.835373] x5 : 0000000000000001 x4 : ffffffc011323d80 +[10027.840832] x3 : ffffffff0477b348 x2 : 0000000000000000 +[10027.846290] x1 : ffffffc011323b68 x0 : 0000000000000068 +[10027.851748] Call trace: +[10027.854264] mutex_is_locked+0x14/0x2c +[10027.858121] msm_gem_shrinker_count+0x70/0xec +[10027.862603] shrink_slab+0xc0/0x4b4 +[10027.866187] shrink_node+0x4a8/0x818 +[10027.869860] kswapd+0x624/0x890 +[10027.873097] kthread+0x11c/0x12c +[10027.876424] ret_from_fork+0x10/0x18 +[10027.880102] Code: f9000bf3 910003fd aa0003f3 d503201f (f9400268) +[10027.886362] ---[ end trace df5849a1a3543251 ]--- +[10027.891518] Kernel panic - not syncing: Fatal exception + +Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org> +Signed-off-by: Rob Clark <robdclark@chromium.org> + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index 38b0c0e1f83e..b2f49152b4d4 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -996,10 +996,8 @@ int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file, + + static int msm_gem_new_impl(struct drm_device *dev, + uint32_t size, uint32_t flags, +- struct drm_gem_object **obj, +- bool struct_mutex_locked) ++ struct drm_gem_object **obj) + { +- struct msm_drm_private *priv = dev->dev_private; + struct msm_gem_object *msm_obj; + + switch (flags & MSM_BO_CACHE_MASK) { +@@ -1025,15 +1023,6 @@ static int msm_gem_new_impl(struct drm_device *dev, + INIT_LIST_HEAD(&msm_obj->submit_entry); + INIT_LIST_HEAD(&msm_obj->vmas); + +- if (struct_mutex_locked) { +- WARN_ON(!mutex_is_locked(&dev->struct_mutex)); +- list_add_tail(&msm_obj->mm_list, &priv->inactive_list); +- } else { +- mutex_lock(&dev->struct_mutex); +- list_add_tail(&msm_obj->mm_list, &priv->inactive_list); +- mutex_unlock(&dev->struct_mutex); +- } +- + *obj = &msm_obj->base; + + return 0; +@@ -1043,6 +1032,7 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev, + uint32_t size, uint32_t flags, bool struct_mutex_locked) + { + struct msm_drm_private *priv = dev->dev_private; ++ struct msm_gem_object *msm_obj; + struct drm_gem_object *obj = NULL; + bool use_vram = false; + int ret; +@@ -1063,14 +1053,15 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev, + if (size == 0) + return ERR_PTR(-EINVAL); + +- ret = msm_gem_new_impl(dev, size, flags, &obj, struct_mutex_locked); ++ ret = msm_gem_new_impl(dev, size, flags, &obj); + if (ret) + goto fail; + ++ msm_obj = to_msm_bo(obj); ++ + if (use_vram) { + struct msm_gem_vma *vma; + struct page **pages; +- struct msm_gem_object *msm_obj = to_msm_bo(obj); + + mutex_lock(&msm_obj->lock); + +@@ -1105,6 +1096,15 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev, + mapping_set_gfp_mask(obj->filp->f_mapping, GFP_HIGHUSER); + } + ++ if (struct_mutex_locked) { ++ WARN_ON(!mutex_is_locked(&dev->struct_mutex)); ++ list_add_tail(&msm_obj->mm_list, &priv->inactive_list); ++ } else { ++ mutex_lock(&dev->struct_mutex); ++ list_add_tail(&msm_obj->mm_list, &priv->inactive_list); ++ mutex_unlock(&dev->struct_mutex); ++ } ++ + return obj; + + fail: +@@ -1127,6 +1127,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev, + struct drm_gem_object *msm_gem_import(struct drm_device *dev, + struct dma_buf *dmabuf, struct sg_table *sgt) + { ++ struct msm_drm_private *priv = dev->dev_private; + struct msm_gem_object *msm_obj; + struct drm_gem_object *obj; + uint32_t size; +@@ -1140,7 +1141,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev, + + size = PAGE_ALIGN(dmabuf->size); + +- ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj, false); ++ ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj); + if (ret) + goto fail; + +@@ -1165,6 +1166,11 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev, + } + + mutex_unlock(&msm_obj->lock); ++ ++ mutex_lock(&dev->struct_mutex); ++ list_add_tail(&msm_obj->mm_list, &priv->inactive_list); ++ mutex_unlock(&dev->struct_mutex); ++ + return obj; + + fail: +-- +2.27.0 + diff --git a/queue/drm-msm-a6xx-fix-gpu-failure-after-system-resume.patch b/queue/drm-msm-a6xx-fix-gpu-failure-after-system-resume.patch new file mode 100644 index 00000000..68b8df44 --- /dev/null +++ b/queue/drm-msm-a6xx-fix-gpu-failure-after-system-resume.patch @@ -0,0 +1,67 @@ +From 57c0bd517c06b088106b0236ed604056c8e06da5 Mon Sep 17 00:00:00 2001 +From: Akhil P Oommen <akhilpo@codeaurora.org> +Date: Fri, 17 Jul 2020 20:04:18 +0530 +Subject: [PATCH] drm: msm: a6xx: fix gpu failure after system resume + +commit 57c0bd517c06b088106b0236ed604056c8e06da5 upstream. + +On targets where GMU is available, GMU takes over the ownership of GX GDSC +during its initialization. So, move the refcount-get on GX PD before we +initialize the GMU. This ensures that nobody can collapse the GX GDSC +once GMU owns the GX GDSC. This patch fixes some GMU OOB errors seen +during GPU wake up during a system resume. + +Reported-by: Matthias Kaehlcke <mka@chromium.org> +Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org> +Tested-by: Matthias Kaehlcke <mka@chromium.org> +Reviewed-by: Jordan Crouse <jcrouse@codeaurora.org> +Signed-off-by: Rob Clark <robdclark@chromium.org> + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +index 856db46e93c4..b67b38c8fadf 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +@@ -864,10 +864,19 @@ int a6xx_gmu_resume(struct a6xx_gpu *a6xx_gpu) + /* Turn on the resources */ + pm_runtime_get_sync(gmu->dev); + ++ /* ++ * "enable" the GX power domain which won't actually do anything but it ++ * will make sure that the refcounting is correct in case we need to ++ * bring down the GX after a GMU failure ++ */ ++ if (!IS_ERR_OR_NULL(gmu->gxpd)) ++ pm_runtime_get_sync(gmu->gxpd); ++ + /* Use a known rate to bring up the GMU */ + clk_set_rate(gmu->core_clk, 200000000); + ret = clk_bulk_prepare_enable(gmu->nr_clocks, gmu->clocks); + if (ret) { ++ pm_runtime_put(gmu->gxpd); + pm_runtime_put(gmu->dev); + return ret; + } +@@ -910,19 +919,12 @@ int a6xx_gmu_resume(struct a6xx_gpu *a6xx_gpu) + /* Set the GPU to the current freq */ + a6xx_gmu_set_initial_freq(gpu, gmu); + +- /* +- * "enable" the GX power domain which won't actually do anything but it +- * will make sure that the refcounting is correct in case we need to +- * bring down the GX after a GMU failure +- */ +- if (!IS_ERR_OR_NULL(gmu->gxpd)) +- pm_runtime_get(gmu->gxpd); +- + out: + /* On failure, shut down the GMU to leave it in a good state */ + if (ret) { + disable_irq(gmu->gmu_irq); + a6xx_rpmh_stop(gmu); ++ pm_runtime_put(gmu->gxpd); + pm_runtime_put(gmu->dev); + } + +-- +2.27.0 + diff --git a/queue/drm-msm-ratelimit-crtc-event-overflow-error.patch b/queue/drm-msm-ratelimit-crtc-event-overflow-error.patch new file mode 100644 index 00000000..fb274071 --- /dev/null +++ b/queue/drm-msm-ratelimit-crtc-event-overflow-error.patch @@ -0,0 +1,30 @@ +From 5e16372b5940b1fecc3cc887fc02a50ba148d373 Mon Sep 17 00:00:00 2001 +From: Rob Clark <robdclark@chromium.org> +Date: Wed, 1 Jul 2020 13:36:00 -0700 +Subject: [PATCH] drm/msm: ratelimit crtc event overflow error + +commit 5e16372b5940b1fecc3cc887fc02a50ba148d373 upstream. + +This can happen a lot when things go pear shaped. Lets not flood dmesg +when this happens. + +Signed-off-by: Rob Clark <robdclark@chromium.org> +Reviewed-by: Abhinav Kumar <abhinavk@codeaurora.org> +Signed-off-by: Rob Clark <robdclark@chromium.org> + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index e15b42a780e0..969d95aa873c 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -389,7 +389,7 @@ static void dpu_crtc_frame_event_cb(void *data, u32 event) + spin_unlock_irqrestore(&dpu_crtc->spin_lock, flags); + + if (!fevent) { +- DRM_ERROR("crtc%d event %d overflow\n", crtc->base.id, event); ++ DRM_ERROR_RATELIMITED("crtc%d event %d overflow\n", crtc->base.id, event); + return; + } + +-- +2.27.0 + diff --git a/queue/drm-nouveau-fix-multiple-instances-of-reference-coun.patch b/queue/drm-nouveau-fix-multiple-instances-of-reference-coun.patch new file mode 100644 index 00000000..46eccde6 --- /dev/null +++ b/queue/drm-nouveau-fix-multiple-instances-of-reference-coun.patch @@ -0,0 +1,61 @@ +From 659fb5f154c3434c90a34586f3b7aa1c39cf6062 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki <pakki001@umn.edu> +Date: Sat, 13 Jun 2020 20:41:56 -0500 +Subject: [PATCH] drm/nouveau: fix multiple instances of reference count leaks + +commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 upstream. + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki <pakki001@umn.edu> +Signed-off-by: Ben Skeggs <bskeggs@redhat.com> + +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index ac93d12201dc..880d962c1b19 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -1026,8 +1026,10 @@ nouveau_drm_open(struct drm_device *dev, struct drm_file *fpriv) + + /* need to bring up power immediately if opening device */ + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + get_task_comm(tmpname, current); + snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid)); +@@ -1109,8 +1111,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + long ret; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) { + case DRM_NOUVEAU_NVIF: +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index 63b832585390..133ab6fb7798 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -45,8 +45,10 @@ nouveau_gem_object_del(struct drm_gem_object *gem) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (WARN_ON(ret < 0 && ret != -EACCES)) ++ if (WARN_ON(ret < 0 && ret != -EACCES)) { ++ pm_runtime_put_autosuspend(dev); + return; ++ } + + if (gem->import_attach) + drm_prime_gem_destroy(gem, nvbo->bo.sg); +-- +2.27.0 + diff --git a/queue/drm-nouveau-fix-reference-count-leak-in-nouveau_debu.patch b/queue/drm-nouveau-fix-reference-count-leak-in-nouveau_debu.patch new file mode 100644 index 00000000..e2863e3e --- /dev/null +++ b/queue/drm-nouveau-fix-reference-count-leak-in-nouveau_debu.patch @@ -0,0 +1,34 @@ +From 8f29432417b11039ef960ab18987c7d61b2b5396 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki <pakki001@umn.edu> +Date: Sat, 13 Jun 2020 20:48:37 -0500 +Subject: [PATCH] drm/nouveau: fix reference count leak in + nouveau_debugfs_strap_peek + +commit 8f29432417b11039ef960ab18987c7d61b2b5396 upstream. + +nouveau_debugfs_strap_peek() calls pm_runtime_get_sync() that +increments the reference count. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki <pakki001@umn.edu> +Signed-off-by: Ben Skeggs <bskeggs@redhat.com> + +diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c +index 63b5c8cf9ae4..8f63cda3db17 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c ++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c +@@ -54,8 +54,10 @@ nouveau_debugfs_strap_peek(struct seq_file *m, void *data) + int ret; + + ret = pm_runtime_get_sync(drm->dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(drm->dev->dev); + return ret; ++ } + + seq_printf(m, "0x%08x\n", + nvif_rd32(&drm->client.device.object, 0x101000)); +-- +2.27.0 + diff --git a/queue/drm-nouveau-kms-nv50-Fix-disabling-dithering.patch b/queue/drm-nouveau-kms-nv50-Fix-disabling-dithering.patch new file mode 100644 index 00000000..32cecd50 --- /dev/null +++ b/queue/drm-nouveau-kms-nv50-Fix-disabling-dithering.patch @@ -0,0 +1,58 @@ +From fb2420b701edbf96c2b6d557f0139902f455dc2b Mon Sep 17 00:00:00 2001 +From: Lyude Paul <lyude@redhat.com> +Date: Tue, 17 Mar 2020 14:54:06 -0400 +Subject: [PATCH] drm/nouveau/kms/nv50-: Fix disabling dithering + +commit fb2420b701edbf96c2b6d557f0139902f455dc2b upstream. + +While we expose the ability to turn off hardware dithering for nouveau, +we actually make the mistake of turning it on anyway, due to +dithering_depth containing a non-zero value if our dithering depth isn't +also set to 6 bpc. + +So, fix it by never enabling dithering when it's disabled. + +Signed-off-by: Lyude Paul <lyude@redhat.com> +Reviewed-by: Ben Skeggs <bskeggs@redhat.com> +Acked-by: Dave Airlie <airlied@gmail.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200627194657.156514-6-lyude@redhat.com + +diff --git a/drivers/gpu/drm/nouveau/dispnv50/head.c b/drivers/gpu/drm/nouveau/dispnv50/head.c +index 8f6455697ba7..ed6819519f6d 100644 +--- a/drivers/gpu/drm/nouveau/dispnv50/head.c ++++ b/drivers/gpu/drm/nouveau/dispnv50/head.c +@@ -84,18 +84,20 @@ nv50_head_atomic_check_dither(struct nv50_head_atom *armh, + { + u32 mode = 0x00; + +- if (asyc->dither.mode == DITHERING_MODE_AUTO) { +- if (asyh->base.depth > asyh->or.bpc * 3) +- mode = DITHERING_MODE_DYNAMIC2X2; +- } else { +- mode = asyc->dither.mode; +- } ++ if (asyc->dither.mode) { ++ if (asyc->dither.mode == DITHERING_MODE_AUTO) { ++ if (asyh->base.depth > asyh->or.bpc * 3) ++ mode = DITHERING_MODE_DYNAMIC2X2; ++ } else { ++ mode = asyc->dither.mode; ++ } + +- if (asyc->dither.depth == DITHERING_DEPTH_AUTO) { +- if (asyh->or.bpc >= 8) +- mode |= DITHERING_DEPTH_8BPC; +- } else { +- mode |= asyc->dither.depth; ++ if (asyc->dither.depth == DITHERING_DEPTH_AUTO) { ++ if (asyh->or.bpc >= 8) ++ mode |= DITHERING_DEPTH_8BPC; ++ } else { ++ mode |= asyc->dither.depth; ++ } + } + + asyh->dither.enable = mode; +-- +2.27.0 + diff --git a/queue/drm-panel-simple-Fix-bpc-for-LG-LB070WV8-panel.patch b/queue/drm-panel-simple-Fix-bpc-for-LG-LB070WV8-panel.patch new file mode 100644 index 00000000..b130363b --- /dev/null +++ b/queue/drm-panel-simple-Fix-bpc-for-LG-LB070WV8-panel.patch @@ -0,0 +1,31 @@ +From a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> +Date: Sun, 12 Jul 2020 01:53:17 +0300 +Subject: [PATCH] drm: panel: simple: Fix bpc for LG LB070WV8 panel + +commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c upstream. + +The LG LB070WV8 panel incorrectly reports a 16 bits per component value, +while the panel uses 8 bits per component. Fix it. + +Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel") +Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> +Signed-off-by: Sam Ravnborg <sam@ravnborg.org> +Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index cbd26adf3a3b..f42249b72548 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2372,7 +2372,7 @@ static const struct drm_display_mode lg_lb070wv8_mode = { + static const struct panel_desc lg_lb070wv8 = { + .modes = &lg_lb070wv8_mode, + .num_modes = 1, +- .bpc = 16, ++ .bpc = 8, + .size = { + .width = 151, + .height = 91, +-- +2.27.0 + diff --git a/queue/drm-radeon-Fix-reference-count-leaks-caused-by-pm_ru.patch b/queue/drm-radeon-Fix-reference-count-leaks-caused-by-pm_ru.patch new file mode 100644 index 00000000..58d613a2 --- /dev/null +++ b/queue/drm-radeon-Fix-reference-count-leaks-caused-by-pm_ru.patch @@ -0,0 +1,67 @@ +From 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki <pakki001@umn.edu> +Date: Sat, 13 Jun 2020 21:21:22 -0500 +Subject: [PATCH] drm/radeon: Fix reference count leaks caused by + pm_runtime_get_sync + +commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 upstream. + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Acked-by: Evan Quan <evan.quan@amd.com> +Signed-off-by: Aditya Pakki <pakki001@umn.edu> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 35db79a168bf..df1a7eb73651 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -635,8 +635,10 @@ radeon_crtc_set_config(struct drm_mode_set *set, + dev = set->crtc->dev; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_crtc_helper_set_config(set, ctx); + +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index a71f13116d6b..4cd30613fa1d 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -544,8 +544,10 @@ long radeon_drm_ioctl(struct file *filp, + long ret; + dev = file_priv->minor->dev; + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_ioctl(filp, cmd, arg); + +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index 95006cbf42c3..c76955228731 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -638,8 +638,10 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + file_priv->driver_priv = NULL; + + r = pm_runtime_get_sync(dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return r; ++ } + + /* new gpu have virtual address space support */ + if (rdev->family >= CHIP_CAYMAN) { +-- +2.27.0 + diff --git a/queue/drm-radeon-disable-AGP-by-default.patch b/queue/drm-radeon-disable-AGP-by-default.patch new file mode 100644 index 00000000..14e8dd6d --- /dev/null +++ b/queue/drm-radeon-disable-AGP-by-default.patch @@ -0,0 +1,38 @@ +From ba806f98f868ce107aa9c453fef751de9980e4af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com> +Date: Tue, 12 May 2020 10:55:58 +0200 +Subject: [PATCH] drm/radeon: disable AGP by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit ba806f98f868ce107aa9c453fef751de9980e4af upstream. + +Always use the PCI GART instead. We just have to many cases +where AGP still causes problems. This means a performance +regression for some GPUs, but also a bug fix for some others. + +Signed-off-by: Christian König <christian.koenig@amd.com> +Reviewed-by: Alex Deucher <alexander.deucher@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> + +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index bbb0883e8ce6..a71f13116d6b 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -171,12 +171,7 @@ int radeon_no_wb; + int radeon_modeset = -1; + int radeon_dynclks = -1; + int radeon_r4xx_atom = 0; +-#ifdef __powerpc__ +-/* Default to PCI on PowerPC (fdo #95017) */ + int radeon_agpmode = -1; +-#else +-int radeon_agpmode = 0; +-#endif + int radeon_vram_limit = 0; + int radeon_gart_size = -1; /* auto */ + int radeon_benchmarking = 0; +-- +2.27.0 + diff --git a/queue/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch b/queue/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch new file mode 100644 index 00000000..8dd6d2cd --- /dev/null +++ b/queue/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch @@ -0,0 +1,33 @@ +From 7ee78aff9de13d5dccba133f4a0de5367194b243 Mon Sep 17 00:00:00 2001 +From: Colin Ian King <colin.king@canonical.com> +Date: Wed, 24 Jun 2020 13:07:10 +0100 +Subject: [PATCH] drm/radeon: fix array out-of-bounds read and write issues + +commit 7ee78aff9de13d5dccba133f4a0de5367194b243 upstream. + +There is an off-by-one bounds check on the index into arrays +table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that +can lead to reads and writes outside of arrays. Fix the bound checking +off-by-one error. + +Addresses-Coverity: ("Out-of-bounds read/write") +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index 134aa2b01f90..86ac032275bb 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -4351,7 +4351,7 @@ static int ci_set_mc_special_registers(struct radeon_device *rdev, + table->mc_reg_table_entry[k].mc_data[j] |= 0x100; + } + j++; +- if (j > SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + + if (!pi->mem_gddr5) { +-- +2.27.0 + diff --git a/queue/drm-stm-repair-runtime-power-management.patch b/queue/drm-stm-repair-runtime-power-management.patch new file mode 100644 index 00000000..23f836b8 --- /dev/null +++ b/queue/drm-stm-repair-runtime-power-management.patch @@ -0,0 +1,56 @@ +From ebd267b2e3c25d5f93a08528b47c036569eb8744 Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@denx.de> +Date: Sat, 29 Feb 2020 23:16:49 +0100 +Subject: [PATCH] drm/stm: repair runtime power management +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit ebd267b2e3c25d5f93a08528b47c036569eb8744 upstream. + +Add missing pm_runtime_get_sync() into ltdc_crtc_atomic_enable() to +match pm_runtime_put_sync() in ltdc_crtc_atomic_disable(), otherwise +the LTDC might suspend via runtime PM, disable clock, and then fail +to resume later on. + +The test which triggers it is roughly -- run qt5 application which +uses eglfs platform and etnaviv, stop the application, sleep for 15 +minutes, run the application again. This leads to a timeout waiting +for vsync, because the LTDC has suspended, but did not resume. + +Fixes: 35ab6cfbf211 ("drm/stm: support runtime power management") +Signed-off-by: Marek Vasut <marex@denx.de> +Cc: Yannick Fertré <yannick.fertre@st.com> +Cc: Philippe Cornu <philippe.cornu@st.com> +Cc: Benjamin Gaignard <benjamin.gaignard@linaro.org> +Cc: Vincent Abriou <vincent.abriou@st.com> +Cc: Maxime Coquelin <mcoquelin.stm32@gmail.com> +Cc: Alexandre Torgue <alexandre.torgue@st.com> +To: dri-devel@lists.freedesktop.org +Cc: linux-stm32@st-md-mailman.stormreply.com +Cc: linux-arm-kernel@lists.infradead.org +Acked-by: Philippe Cornu <philippe.cornu@st.com> +Tested-by: Yannick Fertre <yannick.fertre@st.com> +Signed-off-by: Benjamin Gaignard <benjamin.gaignard@st.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200229221649.90813-1-marex@denx.de + +diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c +index ef77e1417ba8..6e28f707092f 100644 +--- a/drivers/gpu/drm/stm/ltdc.c ++++ b/drivers/gpu/drm/stm/ltdc.c +@@ -423,9 +423,12 @@ static void ltdc_crtc_atomic_enable(struct drm_crtc *crtc, + struct drm_crtc_state *old_state) + { + struct ltdc_device *ldev = crtc_to_ltdc(crtc); ++ struct drm_device *ddev = crtc->dev; + + DRM_DEBUG_DRIVER("\n"); + ++ pm_runtime_get_sync(ddev->dev); ++ + /* Sets the background color value */ + reg_write(ldev->regs, LTDC_BCCR, BCCR_BCBLACK); + +-- +2.27.0 + diff --git a/queue/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch b/queue/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch new file mode 100644 index 00000000..040ae77a --- /dev/null +++ b/queue/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch @@ -0,0 +1,45 @@ +From 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen <tomi.valkeinen@ti.com> +Date: Wed, 29 Apr 2020 13:42:32 +0300 +Subject: [PATCH] drm/tilcdc: fix leak & null ref in panel_connector_get_modes + +commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 upstream. + +If videomode_from_timings() returns true, the mode allocated with +drm_mode_create will be leaked. + +Also, the return value of drm_mode_create() is never checked, and thus +could cause NULL deref. + +Fix these two issues. + +Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com +Reviewed-by: Jyri Sarha <jsarha@ti.com> +Acked-by: Sam Ravnborg <sam@ravnborg.org> + +diff --git a/drivers/gpu/drm/tilcdc/tilcdc_panel.c b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +index b207b2f19d42..1c9fa8cfcd49 100644 +--- a/drivers/gpu/drm/tilcdc/tilcdc_panel.c ++++ b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +@@ -139,12 +139,16 @@ static int panel_connector_get_modes(struct drm_connector *connector) + int i; + + for (i = 0; i < timings->num_timings; i++) { +- struct drm_display_mode *mode = drm_mode_create(dev); ++ struct drm_display_mode *mode; + struct videomode vm; + + if (videomode_from_timings(timings, &vm, i)) + break; + ++ mode = drm_mode_create(dev); ++ if (!mode) ++ break; ++ + drm_display_mode_from_videomode(&vm, mode); + + mode->type = DRM_MODE_TYPE_DRIVER; +-- +2.27.0 + diff --git a/queue/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch b/queue/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch new file mode 100644 index 00000000..d49da839 --- /dev/null +++ b/queue/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch @@ -0,0 +1,76 @@ +From 5de5b6ecf97a021f29403aa272cb4e03318ef586 Mon Sep 17 00:00:00 2001 +From: Dave Airlie <airlied@redhat.com> +Date: Tue, 28 Jul 2020 14:17:36 +1000 +Subject: [PATCH] drm/ttm/nouveau: don't call tt destroy callback on alloc + failure. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 5de5b6ecf97a021f29403aa272cb4e03318ef586 upstream. + +This is confusing, and from my reading of all the drivers only +nouveau got this right. + +Just make the API act under driver control of it's own allocation +failing, and don't call destroy, if the page table fails to +create there is nothing to cleanup here. + +(I'm willing to believe I've missed something here, so please +review deeply). + +Reviewed-by: Christian König <christian.koenig@amd.com> +Signed-off-by: Dave Airlie <airlied@redhat.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200728041736.20689-1-airlied@gmail.com + +diff --git a/drivers/gpu/drm/nouveau/nouveau_sgdma.c b/drivers/gpu/drm/nouveau/nouveau_sgdma.c +index 20b6d0b3de5c..c3ccf661b7a6 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_sgdma.c ++++ b/drivers/gpu/drm/nouveau/nouveau_sgdma.c +@@ -95,12 +95,9 @@ nouveau_sgdma_create_ttm(struct ttm_buffer_object *bo, uint32_t page_flags) + else + nvbe->ttm.ttm.func = &nv50_sgdma_backend; + +- if (ttm_dma_tt_init(&nvbe->ttm, bo, page_flags)) +- /* +- * A failing ttm_dma_tt_init() will call ttm_tt_destroy() +- * and thus our nouveau_sgdma_destroy() hook, so we don't need +- * to free nvbe here. +- */ ++ if (ttm_dma_tt_init(&nvbe->ttm, bo, page_flags)) { ++ kfree(nvbe); + return NULL; ++ } + return &nvbe->ttm.ttm; + } +diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c +index bab67873cfd4..9d1c7177384c 100644 +--- a/drivers/gpu/drm/ttm/ttm_tt.c ++++ b/drivers/gpu/drm/ttm/ttm_tt.c +@@ -244,7 +244,6 @@ int ttm_tt_init(struct ttm_tt *ttm, struct ttm_buffer_object *bo, + ttm_tt_init_fields(ttm, bo, page_flags); + + if (ttm_tt_alloc_page_directory(ttm)) { +- ttm_tt_destroy(ttm); + pr_err("Failed allocating page table\n"); + return -ENOMEM; + } +@@ -268,7 +267,6 @@ int ttm_dma_tt_init(struct ttm_dma_tt *ttm_dma, struct ttm_buffer_object *bo, + + INIT_LIST_HEAD(&ttm_dma->pages_list); + if (ttm_dma_tt_alloc_page_directory(ttm_dma)) { +- ttm_tt_destroy(ttm); + pr_err("Failed allocating page table\n"); + return -ENOMEM; + } +@@ -290,7 +288,6 @@ int ttm_sg_tt_init(struct ttm_dma_tt *ttm_dma, struct ttm_buffer_object *bo, + else + ret = ttm_dma_tt_alloc_page_directory(ttm_dma); + if (ret) { +- ttm_tt_destroy(ttm); + pr_err("Failed allocating page table\n"); + return -ENOMEM; + } +-- +2.27.0 + diff --git a/queue/dyndbg-fix-a-BUG_ON-in-ddebug_describe_flags.patch b/queue/dyndbg-fix-a-BUG_ON-in-ddebug_describe_flags.patch new file mode 100644 index 00000000..2777d66a --- /dev/null +++ b/queue/dyndbg-fix-a-BUG_ON-in-ddebug_describe_flags.patch @@ -0,0 +1,95 @@ +From f678ce8cc3cb2ad29df75d8824c74f36398ba871 Mon Sep 17 00:00:00 2001 +From: Jim Cromie <jim.cromie@gmail.com> +Date: Sun, 19 Jul 2020 17:10:47 -0600 +Subject: [PATCH] dyndbg: fix a BUG_ON in ddebug_describe_flags + +commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 upstream. + +ddebug_describe_flags() currently fills a caller provided string buffer, +after testing its size (also passed) in a BUG_ON. Fix this by +replacing them with a known-big-enough string buffer wrapped in a +struct, and passing that instead. + +Also simplify ddebug_describe_flags() flags parameter from a struct to +a member in that struct, and hoist the member deref up to the caller. +This makes the function reusable (soon) where flags are unpacked. + +Acked-by: <jbaron@akamai.com> +Signed-off-by: Jim Cromie <jim.cromie@gmail.com> +Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index 9b2445507988..0cb5679f6c54 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -87,22 +87,22 @@ static struct { unsigned flag:8; char opt_char; } opt_array[] = { + { _DPRINTK_FLAGS_NONE, '_' }, + }; + ++struct flagsbuf { char buf[ARRAY_SIZE(opt_array)+1]; }; ++ + /* format a string into buf[] which describes the _ddebug's flags */ +-static char *ddebug_describe_flags(struct _ddebug *dp, char *buf, +- size_t maxlen) ++static char *ddebug_describe_flags(unsigned int flags, struct flagsbuf *fb) + { +- char *p = buf; ++ char *p = fb->buf; + int i; + +- BUG_ON(maxlen < 6); + for (i = 0; i < ARRAY_SIZE(opt_array); ++i) +- if (dp->flags & opt_array[i].flag) ++ if (flags & opt_array[i].flag) + *p++ = opt_array[i].opt_char; +- if (p == buf) ++ if (p == fb->buf) + *p++ = '_'; + *p = '\0'; + +- return buf; ++ return fb->buf; + } + + #define vnpr_info(lvl, fmt, ...) \ +@@ -147,7 +147,7 @@ static int ddebug_change(const struct ddebug_query *query, + struct ddebug_table *dt; + unsigned int newflags; + unsigned int nfound = 0; +- char flagbuf[10]; ++ struct flagsbuf fbuf; + + /* search for matching ddebugs */ + mutex_lock(&ddebug_lock); +@@ -204,8 +204,7 @@ static int ddebug_change(const struct ddebug_query *query, + v2pr_info("changed %s:%d [%s]%s =%s\n", + trim_prefix(dp->filename), dp->lineno, + dt->mod_name, dp->function, +- ddebug_describe_flags(dp, flagbuf, +- sizeof(flagbuf))); ++ ddebug_describe_flags(dp->flags, &fbuf)); + } + } + mutex_unlock(&ddebug_lock); +@@ -814,7 +813,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + { + struct ddebug_iter *iter = m->private; + struct _ddebug *dp = p; +- char flagsbuf[10]; ++ struct flagsbuf flags; + + if (p == SEQ_START_TOKEN) { + seq_puts(m, +@@ -825,7 +824,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + seq_printf(m, "%s:%u [%s]%s =%s \"", + trim_prefix(dp->filename), dp->lineno, + iter->table->mod_name, dp->function, +- ddebug_describe_flags(dp, flagsbuf, sizeof(flagsbuf))); ++ ddebug_describe_flags(dp->flags, &flags)); + seq_escape(m, dp->format, "\t\r\n\""); + seq_puts(m, "\"\n"); + +-- +2.27.0 + diff --git a/queue/erofs-fix-extended-inode-could-cross-boundary.patch b/queue/erofs-fix-extended-inode-could-cross-boundary.patch new file mode 100644 index 00000000..ed74d936 --- /dev/null +++ b/queue/erofs-fix-extended-inode-could-cross-boundary.patch @@ -0,0 +1,232 @@ +From 0dcd3c94e02438f4a571690e26f4ee997524102a Mon Sep 17 00:00:00 2001 +From: Gao Xiang <hsiangkao@redhat.com> +Date: Thu, 30 Jul 2020 01:58:01 +0800 +Subject: [PATCH] erofs: fix extended inode could cross boundary + +commit 0dcd3c94e02438f4a571690e26f4ee997524102a upstream. + +Each ondisk inode should be aligned with inode slot boundary +(32-byte alignment) because of nid calculation formula, so all +compact inodes (32 byte) cannot across page boundary. However, +extended inode is now 64-byte form, which can across page boundary +in principle if the location is specified on purpose, although +it's hard to be generated by mkfs due to the allocation policy +and rarely used by Android use case now mainly for > 4GiB files. + +For now, only two fields `i_ctime_nsec` and `i_nlink' couldn't +be read from disk properly and cause out-of-bound memory read +with random value. + +Let's fix now. + +Fixes: 431339ba9042 ("staging: erofs: add inode operations") +Cc: <stable@vger.kernel.org> # 4.19+ +Link: https://lore.kernel.org/r/20200729175801.GA23973@xiangao.remote.csb +Reviewed-by: Chao Yu <yuchao0@huawei.com> +Signed-off-by: Gao Xiang <hsiangkao@redhat.com> + +diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c +index 577fc9df4471..139d0bed42f8 100644 +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -8,31 +8,80 @@ + + #include <trace/events/erofs.h> + +-/* no locking */ +-static int erofs_read_inode(struct inode *inode, void *data) ++/* ++ * if inode is successfully read, return its inode page (or sometimes ++ * the inode payload page if it's an extended inode) in order to fill ++ * inline data if possible. ++ */ ++static struct page *erofs_read_inode(struct inode *inode, ++ unsigned int *ofs) + { ++ struct super_block *sb = inode->i_sb; ++ struct erofs_sb_info *sbi = EROFS_SB(sb); + struct erofs_inode *vi = EROFS_I(inode); +- struct erofs_inode_compact *dic = data; +- struct erofs_inode_extended *die; ++ const erofs_off_t inode_loc = iloc(sbi, vi->nid); ++ ++ erofs_blk_t blkaddr, nblks = 0; ++ struct page *page; ++ struct erofs_inode_compact *dic; ++ struct erofs_inode_extended *die, *copied = NULL; ++ unsigned int ifmt; ++ int err; + +- const unsigned int ifmt = le16_to_cpu(dic->i_format); +- struct erofs_sb_info *sbi = EROFS_SB(inode->i_sb); +- erofs_blk_t nblks = 0; ++ blkaddr = erofs_blknr(inode_loc); ++ *ofs = erofs_blkoff(inode_loc); + +- vi->datalayout = erofs_inode_datalayout(ifmt); ++ erofs_dbg("%s, reading inode nid %llu at %u of blkaddr %u", ++ __func__, vi->nid, *ofs, blkaddr); ++ ++ page = erofs_get_meta_page(sb, blkaddr); ++ if (IS_ERR(page)) { ++ erofs_err(sb, "failed to get inode (nid: %llu) page, err %ld", ++ vi->nid, PTR_ERR(page)); ++ return page; ++ } + ++ dic = page_address(page) + *ofs; ++ ifmt = le16_to_cpu(dic->i_format); ++ ++ vi->datalayout = erofs_inode_datalayout(ifmt); + if (vi->datalayout >= EROFS_INODE_DATALAYOUT_MAX) { + erofs_err(inode->i_sb, "unsupported datalayout %u of nid %llu", + vi->datalayout, vi->nid); +- DBG_BUGON(1); +- return -EOPNOTSUPP; ++ err = -EOPNOTSUPP; ++ goto err_out; + } + + switch (erofs_inode_version(ifmt)) { + case EROFS_INODE_LAYOUT_EXTENDED: +- die = data; +- + vi->inode_isize = sizeof(struct erofs_inode_extended); ++ /* check if the inode acrosses page boundary */ ++ if (*ofs + vi->inode_isize <= PAGE_SIZE) { ++ *ofs += vi->inode_isize; ++ die = (struct erofs_inode_extended *)dic; ++ } else { ++ const unsigned int gotten = PAGE_SIZE - *ofs; ++ ++ copied = kmalloc(vi->inode_isize, GFP_NOFS); ++ if (!copied) { ++ err = -ENOMEM; ++ goto err_out; ++ } ++ memcpy(copied, dic, gotten); ++ unlock_page(page); ++ put_page(page); ++ ++ page = erofs_get_meta_page(sb, blkaddr + 1); ++ if (IS_ERR(page)) { ++ erofs_err(sb, "failed to get inode payload page (nid: %llu), err %ld", ++ vi->nid, PTR_ERR(page)); ++ kfree(copied); ++ return page; ++ } ++ *ofs = vi->inode_isize - gotten; ++ memcpy((u8 *)copied + gotten, page_address(page), *ofs); ++ die = copied; ++ } + vi->xattr_isize = erofs_xattr_ibody_size(die->i_xattr_icount); + + inode->i_mode = le16_to_cpu(die->i_mode); +@@ -69,9 +118,12 @@ static int erofs_read_inode(struct inode *inode, void *data) + /* total blocks for compressed files */ + if (erofs_inode_is_data_compressed(vi->datalayout)) + nblks = le32_to_cpu(die->i_u.compressed_blocks); ++ ++ kfree(copied); + break; + case EROFS_INODE_LAYOUT_COMPACT: + vi->inode_isize = sizeof(struct erofs_inode_compact); ++ *ofs += vi->inode_isize; + vi->xattr_isize = erofs_xattr_ibody_size(dic->i_xattr_icount); + + inode->i_mode = le16_to_cpu(dic->i_mode); +@@ -111,8 +163,8 @@ static int erofs_read_inode(struct inode *inode, void *data) + erofs_err(inode->i_sb, + "unsupported on-disk inode version %u of nid %llu", + erofs_inode_version(ifmt), vi->nid); +- DBG_BUGON(1); +- return -EOPNOTSUPP; ++ err = -EOPNOTSUPP; ++ goto err_out; + } + + if (!nblks) +@@ -120,13 +172,18 @@ static int erofs_read_inode(struct inode *inode, void *data) + inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9; + else + inode->i_blocks = nblks << LOG_SECTORS_PER_BLOCK; +- return 0; ++ return page; + + bogusimode: + erofs_err(inode->i_sb, "bogus i_mode (%o) @ nid %llu", + inode->i_mode, vi->nid); ++ err = -EFSCORRUPTED; ++err_out: + DBG_BUGON(1); +- return -EFSCORRUPTED; ++ kfree(copied); ++ unlock_page(page); ++ put_page(page); ++ return ERR_PTR(err); + } + + static int erofs_fill_symlink(struct inode *inode, void *data, +@@ -146,7 +203,7 @@ static int erofs_fill_symlink(struct inode *inode, void *data, + if (!lnk) + return -ENOMEM; + +- m_pofs += vi->inode_isize + vi->xattr_isize; ++ m_pofs += vi->xattr_isize; + /* inline symlink data shouldn't cross page boundary as well */ + if (m_pofs + inode->i_size > PAGE_SIZE) { + kfree(lnk); +@@ -167,37 +224,17 @@ static int erofs_fill_symlink(struct inode *inode, void *data, + + static int erofs_fill_inode(struct inode *inode, int isdir) + { +- struct super_block *sb = inode->i_sb; + struct erofs_inode *vi = EROFS_I(inode); + struct page *page; +- void *data; +- int err; +- erofs_blk_t blkaddr; + unsigned int ofs; +- erofs_off_t inode_loc; ++ int err = 0; + + trace_erofs_fill_inode(inode, isdir); +- inode_loc = iloc(EROFS_SB(sb), vi->nid); +- blkaddr = erofs_blknr(inode_loc); +- ofs = erofs_blkoff(inode_loc); +- +- erofs_dbg("%s, reading inode nid %llu at %u of blkaddr %u", +- __func__, vi->nid, ofs, blkaddr); + +- page = erofs_get_meta_page(sb, blkaddr); +- +- if (IS_ERR(page)) { +- erofs_err(sb, "failed to get inode (nid: %llu) page, err %ld", +- vi->nid, PTR_ERR(page)); ++ /* read inode base data from disk */ ++ page = erofs_read_inode(inode, &ofs); ++ if (IS_ERR(page)) + return PTR_ERR(page); +- } +- +- DBG_BUGON(!PageUptodate(page)); +- data = page_address(page); +- +- err = erofs_read_inode(inode, data + ofs); +- if (err) +- goto out_unlock; + + /* setup the new inode */ + switch (inode->i_mode & S_IFMT) { +@@ -210,7 +247,7 @@ static int erofs_fill_inode(struct inode *inode, int isdir) + inode->i_fop = &erofs_dir_fops; + break; + case S_IFLNK: +- err = erofs_fill_symlink(inode, data, ofs); ++ err = erofs_fill_symlink(inode, page_address(page), ofs); + if (err) + goto out_unlock; + inode_nohighmem(inode); +-- +2.27.0 + diff --git a/queue/firmware-arm_scmi-Fix-SCMI-genpd-domain-probing.patch b/queue/firmware-arm_scmi-Fix-SCMI-genpd-domain-probing.patch new file mode 100644 index 00000000..143f6e95 --- /dev/null +++ b/queue/firmware-arm_scmi-Fix-SCMI-genpd-domain-probing.patch @@ -0,0 +1,95 @@ +From e0f1a30cf184821499eeb67daedd7a3f21bbcb0b Mon Sep 17 00:00:00 2001 +From: Cristian Marussi <cristian.marussi@arm.com> +Date: Fri, 19 Jun 2020 23:03:30 +0100 +Subject: [PATCH] firmware: arm_scmi: Fix SCMI genpd domain probing + +commit e0f1a30cf184821499eeb67daedd7a3f21bbcb0b upstream. + +When, at probe time, an SCMI communication failure inhibits the capacity +to query power domains states, such domains should be skipped. + +Registering partially initialized SCMI power domains with genpd will +causes kernel panic. + + arm-scmi timed out in resp(caller: scmi_power_state_get+0xa4/0xd0) + scmi-power-domain scmi_dev.2: failed to get state for domain 9 + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + Mem abort info: + ESR = 0x96000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=00000009f3691000 + [0000000000000000] pgd=00000009f1ca0003, p4d=00000009f1ca0003, pud=00000009f35ea003, pmd=0000000000000000 + Internal error: Oops: 96000006 [#1] PREEMPT SMP + CPU: 2 PID: 381 Comm: bash Not tainted 5.8.0-rc1-00011-gebd118c2cca8 #2 + Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Jan 3 2020 + Internal error: Oops: 96000006 [#1] PREEMPT SMP + pstate: 80000005 (Nzcv daif -PAN -UAO BTYPE=--) + pc : of_genpd_add_provider_onecell+0x98/0x1f8 + lr : of_genpd_add_provider_onecell+0x48/0x1f8 + Call trace: + of_genpd_add_provider_onecell+0x98/0x1f8 + scmi_pm_domain_probe+0x174/0x1e8 + scmi_dev_probe+0x90/0xe0 + really_probe+0xe4/0x448 + driver_probe_device+0xfc/0x168 + device_driver_attach+0x7c/0x88 + bind_store+0xe8/0x128 + drv_attr_store+0x2c/0x40 + sysfs_kf_write+0x4c/0x60 + kernfs_fop_write+0x114/0x230 + __vfs_write+0x24/0x50 + vfs_write+0xbc/0x1e0 + ksys_write+0x70/0xf8 + __arm64_sys_write+0x24/0x30 + el0_svc_common.constprop.3+0x94/0x160 + do_el0_svc+0x2c/0x98 + el0_sync_handler+0x148/0x1a8 + el0_sync+0x158/0x180 + +Do not register any power domain that failed to be queried with genpd. + +Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") +Link: https://lore.kernel.org/r/20200619220330.12217-1-cristian.marussi@arm.com +Signed-off-by: Cristian Marussi <cristian.marussi@arm.com> +Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> + +diff --git a/drivers/firmware/arm_scmi/scmi_pm_domain.c b/drivers/firmware/arm_scmi/scmi_pm_domain.c +index bafbfe358f97..9e44479f0284 100644 +--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c ++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c +@@ -85,7 +85,10 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev) + for (i = 0; i < num_domains; i++, scmi_pd++) { + u32 state; + +- domains[i] = &scmi_pd->genpd; ++ if (handle->power_ops->state_get(handle, i, &state)) { ++ dev_warn(dev, "failed to get state for domain %d\n", i); ++ continue; ++ } + + scmi_pd->domain = i; + scmi_pd->handle = handle; +@@ -94,13 +97,10 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev) + scmi_pd->genpd.power_off = scmi_pd_power_off; + scmi_pd->genpd.power_on = scmi_pd_power_on; + +- if (handle->power_ops->state_get(handle, i, &state)) { +- dev_warn(dev, "failed to get state for domain %d\n", i); +- continue; +- } +- + pm_genpd_init(&scmi_pd->genpd, NULL, + state == SCMI_POWER_STATE_GENERIC_OFF); ++ ++ domains[i] = &scmi_pd->genpd; + } + + scmi_pd_data->domains = domains; +-- +2.27.0 + diff --git a/queue/fs-btrfs-Add-cond_resched-for-try_release_extent_map.patch b/queue/fs-btrfs-Add-cond_resched-for-try_release_extent_map.patch new file mode 100644 index 00000000..978cce2b --- /dev/null +++ b/queue/fs-btrfs-Add-cond_resched-for-try_release_extent_map.patch @@ -0,0 +1,57 @@ +From 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" <paulmck@kernel.org> +Date: Fri, 8 May 2020 14:15:37 -0700 +Subject: [PATCH] fs/btrfs: Add cond_resched() for try_release_extent_mapping() + stalls + +commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 upstream. + +Very large I/Os can cause the following RCU CPU stall warning: + +RIP: 0010:rb_prev+0x8/0x50 +Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c = +89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48 +RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13 +RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0 +RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630 +RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238 +R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001 +R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0 + __lookup_extent_mapping+0xa0/0x110 + try_release_extent_mapping+0xdc/0x220 + btrfs_releasepage+0x45/0x70 + shrink_page_list+0xa39/0xb30 + shrink_inactive_list+0x18f/0x3b0 + shrink_lruvec+0x38e/0x6b0 + shrink_node+0x14d/0x690 + do_try_to_free_pages+0xc6/0x3e0 + try_to_free_mem_cgroup_pages+0xe6/0x1e0 + reclaim_high.constprop.73+0x87/0xc0 + mem_cgroup_handle_over_high+0x66/0x150 + exit_to_usermode_loop+0x82/0xd0 + do_syscall_64+0xd4/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +On a PREEMPT=n kernel, the try_release_extent_mapping() function's +"while" loop might run for a very long time on a large I/O. This commit +therefore adds a cond_resched() to this loop, providing RCU any needed +quiescent states. + +Signed-off-by: Paul E. McKenney <paulmck@kernel.org> + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 68c96057ad2d..704239546093 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4515,6 +4515,8 @@ int try_release_extent_mapping(struct page *page, gfp_t mask) + + /* once for us */ + free_extent_map(em); ++ ++ cond_resched(); /* Allow large-extent preemption. */ + } + } + return try_release_extent_state(tree, page, mask); +-- +2.27.0 + diff --git a/queue/fs-minix-check-return-value-of-sb_getblk.patch b/queue/fs-minix-check-return-value-of-sb_getblk.patch new file mode 100644 index 00000000..b50645b7 --- /dev/null +++ b/queue/fs-minix-check-return-value-of-sb_getblk.patch @@ -0,0 +1,76 @@ +From da27e0a0e5f655f0d58d4e153c3182bb2b290f64 Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 11 Aug 2020 18:35:24 -0700 +Subject: [PATCH] fs/minix: check return value of sb_getblk() + +commit da27e0a0e5f655f0d58d4e153c3182bb2b290f64 upstream. + +Patch series "fs/minix: fix syzbot bugs and set s_maxbytes". + +This series fixes all syzbot bugs in the minix filesystem: + + KASAN: null-ptr-deref Write in get_block + KASAN: use-after-free Write in get_block + KASAN: use-after-free Read in get_block + WARNING in inc_nlink + KMSAN: uninit-value in get_block + WARNING in drop_nlink + +It also fixes the minix filesystem to set s_maxbytes correctly, so that +userspace sees the correct behavior when exceeding the max file size. + +This patch (of 6): + +sb_getblk() can fail, so check its return value. + +This fixes a NULL pointer dereference. + +Originally from Qiujun Huang. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Qiujun Huang <anenbupt@gmail.com> +Cc: Alexander Viro <viro@zeniv.linux.org.uk> +Cc: <stable@vger.kernel.org> +Link: http://lkml.kernel.org/r/20200628060846.682158-1-ebiggers@kernel.org +Link: http://lkml.kernel.org/r/20200628060846.682158-2-ebiggers@kernel.org +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/fs/minix/itree_common.c b/fs/minix/itree_common.c +index 043c3fdbc8e7..446148792f41 100644 +--- a/fs/minix/itree_common.c ++++ b/fs/minix/itree_common.c +@@ -75,6 +75,7 @@ static int alloc_branch(struct inode *inode, + int n = 0; + int i; + int parent = minix_new_block(inode); ++ int err = -ENOSPC; + + branch[0].key = cpu_to_block(parent); + if (parent) for (n = 1; n < num; n++) { +@@ -85,6 +86,11 @@ static int alloc_branch(struct inode *inode, + break; + branch[n].key = cpu_to_block(nr); + bh = sb_getblk(inode->i_sb, parent); ++ if (!bh) { ++ minix_free_block(inode, nr); ++ err = -ENOMEM; ++ break; ++ } + lock_buffer(bh); + memset(bh->b_data, 0, bh->b_size); + branch[n].bh = bh; +@@ -103,7 +109,7 @@ static int alloc_branch(struct inode *inode, + bforget(branch[i].bh); + for (i = 0; i < n; i++) + minix_free_block(inode, block_to_cpu(branch[i].key)); +- return -ENOSPC; ++ return err; + } + + static inline int splice_branch(struct inode *inode, +-- +2.27.0 + diff --git a/queue/fs-minix-don-t-allow-getting-deleted-inodes.patch b/queue/fs-minix-don-t-allow-getting-deleted-inodes.patch new file mode 100644 index 00000000..3fe39b40 --- /dev/null +++ b/queue/fs-minix-don-t-allow-getting-deleted-inodes.patch @@ -0,0 +1,57 @@ +From facb03dddec04e4aac1bb2139accdceb04deb1f3 Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 11 Aug 2020 18:35:27 -0700 +Subject: [PATCH] fs/minix: don't allow getting deleted inodes + +commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream. + +If an inode has no links, we need to mark it bad rather than allowing it +to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when +doing directory operations on a fuzzed filesystem. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com +Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Alexander Viro <viro@zeniv.linux.org.uk> +Cc: Qiujun Huang <anenbupt@gmail.com> +Cc: <stable@vger.kernel.org> +Link: http://lkml.kernel.org/r/20200628060846.682158-3-ebiggers@kernel.org +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/fs/minix/inode.c b/fs/minix/inode.c +index 7cb5fd38eb14..2bca95abe8f4 100644 +--- a/fs/minix/inode.c ++++ b/fs/minix/inode.c +@@ -468,6 +468,13 @@ static struct inode *V1_minix_iget(struct inode *inode) + iget_failed(inode); + return ERR_PTR(-EIO); + } ++ if (raw_inode->i_nlinks == 0) { ++ printk("MINIX-fs: deleted inode referenced: %lu\n", ++ inode->i_ino); ++ brelse(bh); ++ iget_failed(inode); ++ return ERR_PTR(-ESTALE); ++ } + inode->i_mode = raw_inode->i_mode; + i_uid_write(inode, raw_inode->i_uid); + i_gid_write(inode, raw_inode->i_gid); +@@ -501,6 +508,13 @@ static struct inode *V2_minix_iget(struct inode *inode) + iget_failed(inode); + return ERR_PTR(-EIO); + } ++ if (raw_inode->i_nlinks == 0) { ++ printk("MINIX-fs: deleted inode referenced: %lu\n", ++ inode->i_ino); ++ brelse(bh); ++ iget_failed(inode); ++ return ERR_PTR(-ESTALE); ++ } + inode->i_mode = raw_inode->i_mode; + i_uid_write(inode, raw_inode->i_uid); + i_gid_write(inode, raw_inode->i_gid); +-- +2.27.0 + diff --git a/queue/fs-minix-reject-too-large-maximum-file-size.patch b/queue/fs-minix-reject-too-large-maximum-file-size.patch new file mode 100644 index 00000000..507669d8 --- /dev/null +++ b/queue/fs-minix-reject-too-large-maximum-file-size.patch @@ -0,0 +1,74 @@ +From 270ef41094e9fa95273f288d7d785313ceab2ff3 Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 11 Aug 2020 18:35:30 -0700 +Subject: [PATCH] fs/minix: reject too-large maximum file size + +commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream. + +If the minix filesystem tries to map a very large logical block number to +its on-disk location, block_to_path() can return offsets that are too +large, causing out-of-bounds memory accesses when accessing indirect index +blocks. This should be prevented by the check against the maximum file +size, but this doesn't work because the maximum file size is read directly +from the on-disk superblock and isn't validated itself. + +Fix this by validating the maximum file size at mount time. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com +Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com +Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Alexander Viro <viro@zeniv.linux.org.uk> +Cc: Qiujun Huang <anenbupt@gmail.com> +Cc: <stable@vger.kernel.org> +Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/fs/minix/inode.c b/fs/minix/inode.c +index 2bca95abe8f4..0dd929346f3f 100644 +--- a/fs/minix/inode.c ++++ b/fs/minix/inode.c +@@ -150,6 +150,23 @@ static int minix_remount (struct super_block * sb, int * flags, char * data) + return 0; + } + ++static bool minix_check_superblock(struct minix_sb_info *sbi) ++{ ++ if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) ++ return false; ++ ++ /* ++ * s_max_size must not exceed the block mapping limitation. This check ++ * is only needed for V1 filesystems, since V2/V3 support an extra level ++ * of indirect blocks which places the limit well above U32_MAX. ++ */ ++ if (sbi->s_version == MINIX_V1 && ++ sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE) ++ return false; ++ ++ return true; ++} ++ + static int minix_fill_super(struct super_block *s, void *data, int silent) + { + struct buffer_head *bh; +@@ -228,11 +245,12 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) + } else + goto out_no_fs; + ++ if (!minix_check_superblock(sbi)) ++ goto out_illegal_sb; ++ + /* + * Allocate the buffer map to keep the superblock small. + */ +- if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) +- goto out_illegal_sb; + i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh); + map = kzalloc(i, GFP_KERNEL); + if (!map) +-- +2.27.0 + diff --git a/queue/fsl-fman-check-dereferencing-null-pointer.patch b/queue/fsl-fman-check-dereferencing-null-pointer.patch new file mode 100644 index 00000000..70c59b02 --- /dev/null +++ b/queue/fsl-fman-check-dereferencing-null-pointer.patch @@ -0,0 +1,64 @@ +From cc5d229a122106733a85c279d89d7703f21e4d4f Mon Sep 17 00:00:00 2001 +From: Florinel Iordache <florinel.iordache@nxp.com> +Date: Mon, 3 Aug 2020 10:07:33 +0300 +Subject: [PATCH] fsl/fman: check dereferencing null pointer + +commit cc5d229a122106733a85c279d89d7703f21e4d4f upstream. + +Add a safe check to avoid dereferencing null pointer + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/freescale/fman/fman_dtsec.c b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +index 004c266802a8..bce3c9398887 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +@@ -1200,7 +1200,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) + list_for_each(pos, + &dtsec->multicast_addr_hash->lsts[bucket]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +@@ -1213,7 +1213,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) + list_for_each(pos, + &dtsec->unicast_addr_hash->lsts[bucket]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c +index bb02b37422cc..645764abdaae 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_memac.c ++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c +@@ -981,7 +981,7 @@ int memac_del_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr) + + list_for_each(pos, &memac->multicast_addr_hash->lsts[hash]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c +index 8c7eb878d5b4..41946b16f6c7 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c +@@ -626,7 +626,7 @@ int tgec_del_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr) + + list_for_each(pos, &tgec->multicast_addr_hash->lsts[hash]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +-- +2.27.0 + diff --git a/queue/fsl-fman-fix-dereference-null-return-value.patch b/queue/fsl-fman-fix-dereference-null-return-value.patch new file mode 100644 index 00000000..e326af58 --- /dev/null +++ b/queue/fsl-fman-fix-dereference-null-return-value.patch @@ -0,0 +1,44 @@ +From 0572054617f32670abab4b4e89a876954d54b704 Mon Sep 17 00:00:00 2001 +From: Florinel Iordache <florinel.iordache@nxp.com> +Date: Mon, 3 Aug 2020 10:07:31 +0300 +Subject: [PATCH] fsl/fman: fix dereference null return value + +commit 0572054617f32670abab4b4e89a876954d54b704 upstream. + +Check before using returned value to avoid dereferencing null pointer. + +Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support") +Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/freescale/fman/fman_port.c b/drivers/net/ethernet/freescale/fman/fman_port.c +index 87b26f063cc8..c27df153f895 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_port.c ++++ b/drivers/net/ethernet/freescale/fman/fman_port.c +@@ -1767,6 +1767,7 @@ static int fman_port_probe(struct platform_device *of_dev) + struct fman_port *port; + struct fman *fman; + struct device_node *fm_node, *port_node; ++ struct platform_device *fm_pdev; + struct resource res; + struct resource *dev_res; + u32 val; +@@ -1791,8 +1792,14 @@ static int fman_port_probe(struct platform_device *of_dev) + goto return_err; + } + +- fman = dev_get_drvdata(&of_find_device_by_node(fm_node)->dev); ++ fm_pdev = of_find_device_by_node(fm_node); + of_node_put(fm_node); ++ if (!fm_pdev) { ++ err = -EINVAL; ++ goto return_err; ++ } ++ ++ fman = dev_get_drvdata(&fm_pdev->dev); + if (!fman) { + err = -EINVAL; + goto return_err; +-- +2.27.0 + diff --git a/queue/fsl-fman-fix-eth-hash-table-allocation.patch b/queue/fsl-fman-fix-eth-hash-table-allocation.patch new file mode 100644 index 00000000..2f5d3374 --- /dev/null +++ b/queue/fsl-fman-fix-eth-hash-table-allocation.patch @@ -0,0 +1,32 @@ +From 3207f715c34317d08e798e11a10ce816feb53c0f Mon Sep 17 00:00:00 2001 +From: Florinel Iordache <florinel.iordache@nxp.com> +Date: Mon, 3 Aug 2020 10:07:34 +0300 +Subject: [PATCH] fsl/fman: fix eth hash table allocation + +commit 3207f715c34317d08e798e11a10ce816feb53c0f upstream. + +Fix memory allocation for ethernet address hash table. +The code was wrongly allocating an array for eth hash table which +is incorrect because this is the main structure for eth hash table +(struct eth_hash_t) that contains inside a number of elements. + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/freescale/fman/fman_mac.h b/drivers/net/ethernet/freescale/fman/fman_mac.h +index dd6d0526f6c1..19f327efdaff 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_mac.h ++++ b/drivers/net/ethernet/freescale/fman/fman_mac.h +@@ -252,7 +252,7 @@ static inline struct eth_hash_t *alloc_hash_table(u16 size) + struct eth_hash_t *hash; + + /* Allocate address hash table */ +- hash = kmalloc_array(size, sizeof(struct eth_hash_t *), GFP_KERNEL); ++ hash = kmalloc(sizeof(*hash), GFP_KERNEL); + if (!hash) + return NULL; + +-- +2.27.0 + diff --git a/queue/fsl-fman-fix-unreachable-code.patch b/queue/fsl-fman-fix-unreachable-code.patch new file mode 100644 index 00000000..cd537813 --- /dev/null +++ b/queue/fsl-fman-fix-unreachable-code.patch @@ -0,0 +1,29 @@ +From cc79fd8f557767de90ff199d3b6fb911df43160a Mon Sep 17 00:00:00 2001 +From: Florinel Iordache <florinel.iordache@nxp.com> +Date: Mon, 3 Aug 2020 10:07:32 +0300 +Subject: [PATCH] fsl/fman: fix unreachable code + +commit cc79fd8f557767de90ff199d3b6fb911df43160a upstream. + +The parameter 'priority' is incorrectly forced to zero which ultimately +induces logically dead code in the subsequent lines. + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c +index a5500ede4070..bb02b37422cc 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_memac.c ++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c +@@ -852,7 +852,6 @@ int memac_set_tx_pause_frames(struct fman_mac *memac, u8 priority, + + tmp = ioread32be(®s->command_config); + tmp &= ~CMD_CFG_PFC_MODE; +- priority = 0; + + iowrite32be(tmp, ®s->command_config); + +-- +2.27.0 + diff --git a/queue/fsl-fman-use-32-bit-unsigned-integer.patch b/queue/fsl-fman-use-32-bit-unsigned-integer.patch new file mode 100644 index 00000000..7d2b9815 --- /dev/null +++ b/queue/fsl-fman-use-32-bit-unsigned-integer.patch @@ -0,0 +1,35 @@ +From 99f47abd9f7bf6e365820d355dc98f6955a562df Mon Sep 17 00:00:00 2001 +From: Florinel Iordache <florinel.iordache@nxp.com> +Date: Mon, 3 Aug 2020 10:07:30 +0300 +Subject: [PATCH] fsl/fman: use 32-bit unsigned integer + +commit 99f47abd9f7bf6e365820d355dc98f6955a562df upstream. + +Potentially overflowing expression (ts_freq << 16 and intgr << 16) +declared as type u32 (32-bit unsigned) is evaluated using 32-bit +arithmetic and then used in a context that expects an expression of +type u64 (64-bit unsigned) which ultimately is used as 16-bit +unsigned by typecasting to u16. Fixed by using an unsigned 32-bit +integer since the value is truncated anyway in the end. + +Fixes: 414fd46e7762 ("fsl/fman: Add FMan support") +Signed-off-by: Florinel Iordache <florinel.iordache@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c +index f151d6e111dd..ef67e8599b39 100644 +--- a/drivers/net/ethernet/freescale/fman/fman.c ++++ b/drivers/net/ethernet/freescale/fman/fman.c +@@ -1398,8 +1398,7 @@ static void enable_time_stamp(struct fman *fman) + { + struct fman_fpm_regs __iomem *fpm_rg = fman->fpm_regs; + u16 fm_clk_freq = fman->state->fm_clk_freq; +- u32 tmp, intgr, ts_freq; +- u64 frac; ++ u32 tmp, intgr, ts_freq, frac; + + ts_freq = (u32)(1 << fman->state->count1_micro_bit); + /* configure timestamp so that bit 8 will count 1 microsecond +-- +2.27.0 + diff --git a/queue/gpu-host1x-debug-Fix-multiple-channels-emitting-mess.patch b/queue/gpu-host1x-debug-Fix-multiple-channels-emitting-mess.patch new file mode 100644 index 00000000..8c9399b8 --- /dev/null +++ b/queue/gpu-host1x-debug-Fix-multiple-channels-emitting-mess.patch @@ -0,0 +1,48 @@ +From 35681862808472a0a4b9a8817ae2789c0b5b3edc Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko <digetx@gmail.com> +Date: Mon, 29 Jun 2020 06:18:41 +0300 +Subject: [PATCH] gpu: host1x: debug: Fix multiple channels emitting messages + simultaneously + +commit 35681862808472a0a4b9a8817ae2789c0b5b3edc upstream. + +Once channel's job is hung, it dumps the channel's state into KMSG before +tearing down the offending job. If multiple channels hang at once, then +they dump messages simultaneously, making the debug info unreadable, and +thus, useless. This patch adds mutex which allows only one channel to emit +debug messages at a time. + +Signed-off-by: Dmitry Osipenko <digetx@gmail.com> +Signed-off-by: Thierry Reding <treding@nvidia.com> + +diff --git a/drivers/gpu/host1x/debug.c b/drivers/gpu/host1x/debug.c +index c0392672a842..1b4997bda1c7 100644 +--- a/drivers/gpu/host1x/debug.c ++++ b/drivers/gpu/host1x/debug.c +@@ -16,6 +16,8 @@ + #include "debug.h" + #include "channel.h" + ++static DEFINE_MUTEX(debug_lock); ++ + unsigned int host1x_debug_trace_cmdbuf; + + static pid_t host1x_debug_force_timeout_pid; +@@ -52,12 +54,14 @@ static int show_channel(struct host1x_channel *ch, void *data, bool show_fifo) + struct output *o = data; + + mutex_lock(&ch->cdma.lock); ++ mutex_lock(&debug_lock); + + if (show_fifo) + host1x_hw_show_channel_fifo(m, ch, o); + + host1x_hw_show_channel_cdma(m, ch, o); + ++ mutex_unlock(&debug_lock); + mutex_unlock(&ch->cdma.lock); + + return 0; +-- +2.27.0 + diff --git a/queue/gpu-ipu-v3-Restore-RGB32-BGR32.patch b/queue/gpu-ipu-v3-Restore-RGB32-BGR32.patch new file mode 100644 index 00000000..9ff18ba3 --- /dev/null +++ b/queue/gpu-ipu-v3-Restore-RGB32-BGR32.patch @@ -0,0 +1,30 @@ +From 22b2cfad752d4b278ea7c38c0ee961ca50198ce8 Mon Sep 17 00:00:00 2001 +From: Steve Longerbeam <slongerbeam@gmail.com> +Date: Wed, 17 Jun 2020 15:40:36 -0700 +Subject: [PATCH] gpu: ipu-v3: Restore RGB32, BGR32 + +commit 22b2cfad752d4b278ea7c38c0ee961ca50198ce8 upstream. + +RGB32 and BGR32 formats were inadvertently removed from the switch +statement in ipu_pixelformat_to_colorspace(). Restore them. + +Fixes: a59957172b0c ("gpu: ipu-v3: enable remaining 32-bit RGB V4L2 pixel formats") +Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com> +Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index ee2a025e54cf..b3dae9ec1a38 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -124,6 +124,8 @@ enum ipu_color_space ipu_pixelformat_to_colorspace(u32 pixelformat) + case V4L2_PIX_FMT_RGBX32: + case V4L2_PIX_FMT_ARGB32: + case V4L2_PIX_FMT_XRGB32: ++ case V4L2_PIX_FMT_RGB32: ++ case V4L2_PIX_FMT_BGR32: + return IPUV3_COLORSPACE_RGB; + default: + return IPUV3_COLORSPACE_UNKNOWN; +-- +2.27.0 + diff --git a/queue/iavf-Fix-updating-statistics.patch b/queue/iavf-Fix-updating-statistics.patch new file mode 100644 index 00000000..02874de6 --- /dev/null +++ b/queue/iavf-Fix-updating-statistics.patch @@ -0,0 +1,37 @@ +From 9358076642f14cec8c414850d5a909cafca3a9d6 Mon Sep 17 00:00:00 2001 +From: Tony Nguyen <anthony.l.nguyen@intel.com> +Date: Wed, 24 Jun 2020 09:04:22 -0700 +Subject: [PATCH] iavf: Fix updating statistics + +commit 9358076642f14cec8c414850d5a909cafca3a9d6 upstream. + +Commit bac8486116b0 ("iavf: Refactor the watchdog state machine") inverted +the logic for when to update statistics. Statistics should be updated when +no other commands are pending, instead they were only requested when a +command was processed. iavf_request_stats() would see a pending request +and not request statistics to be updated. This caused statistics to never +be updated; fix the logic. + +Fixes: bac8486116b0 ("iavf: Refactor the watchdog state machine") +Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> +Tested-by: Andrew Bowers <andrewx.bowers@intel.com> + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index b90ad1abbabb..48c956d90b90 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1937,7 +1937,10 @@ static void iavf_watchdog_task(struct work_struct *work) + iavf_send_api_ver(adapter); + } + } else { +- if (!iavf_process_aq_command(adapter) && ++ /* An error will be returned if no commands were ++ * processed; use this opportunity to update stats ++ */ ++ if (iavf_process_aq_command(adapter) && + adapter->state == __IAVF_RUNNING) + iavf_request_stats(adapter); + } +-- +2.27.0 + diff --git a/queue/iavf-fix-error-return-code-in-iavf_init_get_resource.patch b/queue/iavf-fix-error-return-code-in-iavf_init_get_resource.patch new file mode 100644 index 00000000..ec3354c0 --- /dev/null +++ b/queue/iavf-fix-error-return-code-in-iavf_init_get_resource.patch @@ -0,0 +1,34 @@ +From 753f3884f253de6b6d3a516e6651bda0baf4aede Mon Sep 17 00:00:00 2001 +From: Wei Yongjun <weiyongjun1@huawei.com> +Date: Thu, 18 Jun 2020 14:19:53 +0000 +Subject: [PATCH] iavf: fix error return code in iavf_init_get_resources() + +commit 753f3884f253de6b6d3a516e6651bda0baf4aede upstream. + +Fix to return negative error code -ENOMEM from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: b66c7bc1cd4d ("iavf: Refactor init state machine") +Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> +Tested-by: Andrew Bowers <andrewx.bowers@intel.com> +Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 78bd9e3df3ac..b90ad1abbabb 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1852,8 +1852,10 @@ static int iavf_init_get_resources(struct iavf_adapter *adapter) + + adapter->rss_key = kzalloc(adapter->rss_key_size, GFP_KERNEL); + adapter->rss_lut = kzalloc(adapter->rss_lut_size, GFP_KERNEL); +- if (!adapter->rss_key || !adapter->rss_lut) ++ if (!adapter->rss_key || !adapter->rss_lut) { ++ err = -ENOMEM; + goto err_mem; ++ } + if (RSS_AQ(adapter)) + adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS; + else +-- +2.27.0 + diff --git a/queue/ice-Graceful-error-handling-in-HW-table-calloc-failu.patch b/queue/ice-Graceful-error-handling-in-HW-table-calloc-failu.patch new file mode 100644 index 00000000..cdca9bcd --- /dev/null +++ b/queue/ice-Graceful-error-handling-in-HW-table-calloc-failu.patch @@ -0,0 +1,37 @@ +From bcc46cb8a077c6189b44f1555b8659837f748eb2 Mon Sep 17 00:00:00 2001 +From: Surabhi Boob <surabhi.boob@intel.com> +Date: Wed, 29 Jul 2020 17:19:18 -0700 +Subject: [PATCH] ice: Graceful error handling in HW table calloc failure + +commit bcc46cb8a077c6189b44f1555b8659837f748eb2 upstream. + +In the ice_init_hw_tbls, if the devm_kcalloc for es->written fails, catch +that error and bail out gracefully, instead of continuing with a NULL +pointer. + +Fixes: 32d63fa1e9f3 ("ice: Initialize DDP package structures") +Signed-off-by: Surabhi Boob <surabhi.boob@intel.com> +Tested-by: Andrew Bowers <andrewx.bowers@intel.com> +Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> + +diff --git a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c +index d59869b2c65e..5ceba009db16 100644 +--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c ++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c +@@ -3151,10 +3151,12 @@ enum ice_status ice_init_hw_tbls(struct ice_hw *hw) + es->ref_count = devm_kcalloc(ice_hw_to_dev(hw), es->count, + sizeof(*es->ref_count), + GFP_KERNEL); ++ if (!es->ref_count) ++ goto err; + + es->written = devm_kcalloc(ice_hw_to_dev(hw), es->count, + sizeof(*es->written), GFP_KERNEL); +- if (!es->ref_count) ++ if (!es->written) + goto err; + } + return 0; +-- +2.27.0 + diff --git a/queue/iio-improve-IIO_CONCENTRATION-channel-type-descripti.patch b/queue/iio-improve-IIO_CONCENTRATION-channel-type-descripti.patch new file mode 100644 index 00000000..e327aff5 --- /dev/null +++ b/queue/iio-improve-IIO_CONCENTRATION-channel-type-descripti.patch @@ -0,0 +1,37 @@ +From df16c33a4028159d1ba8a7061c9fa950b58d1a61 Mon Sep 17 00:00:00 2001 +From: Tomasz Duszynski <tomasz.duszynski@octakon.com> +Date: Mon, 1 Jun 2020 18:15:52 +0200 +Subject: [PATCH] iio: improve IIO_CONCENTRATION channel type description + +commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 upstream. + +IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting +raw concentrations of pollutants. Raw value should be meaningless +before being properly scaled. Because of that description shouldn't +mention raw value unit whatsoever. + +Fix this by rephrasing existing description so it follows conventions +used throughout IIO ABI docs. + +Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type") +Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com> +Acked-by: Matt Ranostay <matt.ranostay@konsulko.com> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio +index d3e53a6d8331..5c62bfb0f3f5 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio ++++ b/Documentation/ABI/testing/sysfs-bus-iio +@@ -1569,7 +1569,8 @@ What: /sys/bus/iio/devices/iio:deviceX/in_concentrationX_voc_raw + KernelVersion: 4.3 + Contact: linux-iio@vger.kernel.org + Description: +- Raw (unscaled no offset etc.) percentage reading of a substance. ++ Raw (unscaled no offset etc.) reading of a substance. Units ++ after application of scale and offset are percents. + + What: /sys/bus/iio/devices/iio:deviceX/in_resistance_raw + What: /sys/bus/iio/devices/iio:deviceX/in_resistanceX_raw +-- +2.27.0 + diff --git a/queue/ima-Have-the-LSM-free-its-audit-rule.patch b/queue/ima-Have-the-LSM-free-its-audit-rule.patch new file mode 100644 index 00000000..99ecb0fd --- /dev/null +++ b/queue/ima-Have-the-LSM-free-its-audit-rule.patch @@ -0,0 +1,57 @@ +From 9ff8a616dfab96a4fa0ddd36190907dc68886d9b Mon Sep 17 00:00:00 2001 +From: Tyler Hicks <tyhicks@linux.microsoft.com> +Date: Thu, 9 Jul 2020 01:19:00 -0500 +Subject: [PATCH] ima: Have the LSM free its audit rule + +commit 9ff8a616dfab96a4fa0ddd36190907dc68886d9b upstream. + +Ask the LSM to free its audit rule rather than directly calling kfree(). +Both AppArmor and SELinux do additional work in their audit_rule_free() +hooks. Fix memory leaks by allowing the LSMs to perform necessary work. + +Fixes: b16942455193 ("ima: use the lsm policy update notifier") +Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> +Cc: Janne Karhunen <janne.karhunen@gmail.com> +Cc: Casey Schaufler <casey@schaufler-ca.com> +Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> + +diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h +index 4515975cc540..59ec28f5c117 100644 +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -420,6 +420,7 @@ static inline void ima_free_modsig(struct modsig *modsig) + #ifdef CONFIG_IMA_LSM_RULES + + #define security_filter_rule_init security_audit_rule_init ++#define security_filter_rule_free security_audit_rule_free + #define security_filter_rule_match security_audit_rule_match + + #else +@@ -430,6 +431,10 @@ static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr, + return -EINVAL; + } + ++static inline void security_filter_rule_free(void *lsmrule) ++{ ++} ++ + static inline int security_filter_rule_match(u32 secid, u32 field, u32 op, + void *lsmrule) + { +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 66aa3e17a888..d7c268c2b0ce 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -258,7 +258,7 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry) + int i; + + for (i = 0; i < MAX_LSM_RULES; i++) { +- kfree(entry->lsm[i].rule); ++ security_filter_rule_free(entry->lsm[i].rule); + kfree(entry->lsm[i].args_p); + } + kfree(entry); +-- +2.27.0 + diff --git a/queue/include-asm-generic-vmlinux.lds.h-align-ro_after_ini.patch b/queue/include-asm-generic-vmlinux.lds.h-align-ro_after_ini.patch new file mode 100644 index 00000000..80321f4d --- /dev/null +++ b/queue/include-asm-generic-vmlinux.lds.h-align-ro_after_ini.patch @@ -0,0 +1,46 @@ +From 7f897acbe5d57995438c831670b7c400e9c0dc00 Mon Sep 17 00:00:00 2001 +From: Romain Naour <romain.naour@gmail.com> +Date: Fri, 14 Aug 2020 17:31:57 -0700 +Subject: [PATCH] include/asm-generic/vmlinux.lds.h: align ro_after_init + +commit 7f897acbe5d57995438c831670b7c400e9c0dc00 upstream. + +Since the patch [1], building the kernel using a toolchain built with +binutils 2.33.1 prevents booting a sh4 system under Qemu. Apply the patch +provided by Alan Modra [2] that fix alignment of rodata. + +[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ebd2263ba9a9124d93bbc0ece63d7e0fae89b40e +[2] https://www.sourceware.org/ml/binutils/2019-12/msg00112.html + +Signed-off-by: Romain Naour <romain.naour@gmail.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Alan Modra <amodra@gmail.com> +Cc: Bin Meng <bin.meng@windriver.com> +Cc: Chen Zhou <chenzhou10@huawei.com> +Cc: Geert Uytterhoeven <geert+renesas@glider.be> +Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> +Cc: Krzysztof Kozlowski <krzk@kernel.org> +Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> +Cc: Rich Felker <dalias@libc.org> +Cc: Sam Ravnborg <sam@ravnborg.org> +Cc: Yoshinori Sato <ysato@users.sourceforge.jp> +Cc: Arnd Bergmann <arnd@arndb.de> +Cc: <stable@vger.kernel.org> +Link: https://marc.info/?l=linux-sh&m=158429470221261 +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h +index 7616ff0b96ec..5430febd34be 100644 +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -394,6 +394,7 @@ + */ + #ifndef RO_AFTER_INIT_DATA + #define RO_AFTER_INIT_DATA \ ++ . = ALIGN(8); \ + __start_ro_after_init = .; \ + *(.data..ro_after_init) \ + JUMP_TABLE_DATA \ +-- +2.27.0 + diff --git a/queue/io_uring-Fix-NULL-pointer-dereference-in-loop_rw_ite.patch b/queue/io_uring-Fix-NULL-pointer-dereference-in-loop_rw_ite.patch new file mode 100644 index 00000000..f336bce1 --- /dev/null +++ b/queue/io_uring-Fix-NULL-pointer-dereference-in-loop_rw_ite.patch @@ -0,0 +1,104 @@ +From 2dd2111d0d383df104b144e0d1f6b5a00cb7cd88 Mon Sep 17 00:00:00 2001 +From: Guoyu Huang <hgy5945@gmail.com> +Date: Wed, 5 Aug 2020 03:53:50 -0700 +Subject: [PATCH] io_uring: Fix NULL pointer dereference in loop_rw_iter() + +commit 2dd2111d0d383df104b144e0d1f6b5a00cb7cd88 upstream. + +loop_rw_iter() does not check whether the file has a read or +write function. This can lead to NULL pointer dereference +when the user passes in a file descriptor that does not have +read or write function. + +The crash log looks like this: + +[ 99.834071] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 99.835364] #PF: supervisor instruction fetch in kernel mode +[ 99.836522] #PF: error_code(0x0010) - not-present page +[ 99.837771] PGD 8000000079d62067 P4D 8000000079d62067 PUD 79d8c067 PMD 0 +[ 99.839649] Oops: 0010 [#2] SMP PTI +[ 99.840591] CPU: 1 PID: 333 Comm: io_wqe_worker-0 Tainted: G D 5.8.0 #2 +[ 99.842622] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 +[ 99.845140] RIP: 0010:0x0 +[ 99.845840] Code: Bad RIP value. +[ 99.846672] RSP: 0018:ffffa1c7c01ebc08 EFLAGS: 00010202 +[ 99.848018] RAX: 0000000000000000 RBX: ffff92363bd67300 RCX: ffff92363d461208 +[ 99.849854] RDX: 0000000000000010 RSI: 00007ffdbf696bb0 RDI: ffff92363bd67300 +[ 99.851743] RBP: ffffa1c7c01ebc40 R08: 0000000000000000 R09: 0000000000000000 +[ 99.853394] R10: ffffffff9ec692a0 R11: 0000000000000000 R12: 0000000000000010 +[ 99.855148] R13: 0000000000000000 R14: ffff92363d461208 R15: ffffa1c7c01ebc68 +[ 99.856914] FS: 0000000000000000(0000) GS:ffff92363dd00000(0000) knlGS:0000000000000000 +[ 99.858651] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 99.860032] CR2: ffffffffffffffd6 CR3: 000000007ac66000 CR4: 00000000000006e0 +[ 99.861979] Call Trace: +[ 99.862617] loop_rw_iter.part.0+0xad/0x110 +[ 99.863838] io_write+0x2ae/0x380 +[ 99.864644] ? kvm_sched_clock_read+0x11/0x20 +[ 99.865595] ? sched_clock+0x9/0x10 +[ 99.866453] ? sched_clock_cpu+0x11/0xb0 +[ 99.867326] ? newidle_balance+0x1d4/0x3c0 +[ 99.868283] io_issue_sqe+0xd8f/0x1340 +[ 99.869216] ? __switch_to+0x7f/0x450 +[ 99.870280] ? __switch_to_asm+0x42/0x70 +[ 99.871254] ? __switch_to_asm+0x36/0x70 +[ 99.872133] ? lock_timer_base+0x72/0xa0 +[ 99.873155] ? switch_mm_irqs_off+0x1bf/0x420 +[ 99.874152] io_wq_submit_work+0x64/0x180 +[ 99.875192] ? kthread_use_mm+0x71/0x100 +[ 99.876132] io_worker_handle_work+0x267/0x440 +[ 99.877233] io_wqe_worker+0x297/0x350 +[ 99.878145] kthread+0x112/0x150 +[ 99.878849] ? __io_worker_unuse+0x100/0x100 +[ 99.879935] ? kthread_park+0x90/0x90 +[ 99.880874] ret_from_fork+0x22/0x30 +[ 99.881679] Modules linked in: +[ 99.882493] CR2: 0000000000000000 +[ 99.883324] ---[ end trace 4453745f4673190b ]--- +[ 99.884289] RIP: 0010:0x0 +[ 99.884837] Code: Bad RIP value. +[ 99.885492] RSP: 0018:ffffa1c7c01ebc08 EFLAGS: 00010202 +[ 99.886851] RAX: 0000000000000000 RBX: ffff92363acd7f00 RCX: ffff92363d461608 +[ 99.888561] RDX: 0000000000000010 RSI: 00007ffe040d9e10 RDI: ffff92363acd7f00 +[ 99.890203] RBP: ffffa1c7c01ebc40 R08: 0000000000000000 R09: 0000000000000000 +[ 99.891907] R10: ffffffff9ec692a0 R11: 0000000000000000 R12: 0000000000000010 +[ 99.894106] R13: 0000000000000000 R14: ffff92363d461608 R15: ffffa1c7c01ebc68 +[ 99.896079] FS: 0000000000000000(0000) GS:ffff92363dd00000(0000) knlGS:0000000000000000 +[ 99.898017] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 99.899197] CR2: ffffffffffffffd6 CR3: 000000007ac66000 CR4: 00000000000006e0 + +Fixes: 32960613b7c3 ("io_uring: correctly handle non ->{read,write}_iter() file_operations") +Cc: stable@vger.kernel.org +Signed-off-by: Guoyu Huang <hgy5945@gmail.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 5e1c08e22990..8f96566603f3 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -3066,7 +3066,10 @@ static int io_iter_do_read(struct io_kiocb *req, struct iov_iter *iter) + { + if (req->file->f_op->read_iter) + return call_read_iter(req->file, &req->rw.kiocb, iter); +- return loop_rw_iter(READ, req->file, &req->rw.kiocb, iter); ++ else if (req->file->f_op->read) ++ return loop_rw_iter(READ, req->file, &req->rw.kiocb, iter); ++ else ++ return -EINVAL; + } + + static int io_read(struct io_kiocb *req, bool force_nonblock, +@@ -3203,8 +3206,10 @@ static int io_write(struct io_kiocb *req, bool force_nonblock, + + if (req->file->f_op->write_iter) + ret2 = call_write_iter(req->file, kiocb, &iter); +- else ++ else if (req->file->f_op->write) + ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter); ++ else ++ ret2 = -EINVAL; + + /* + * Raw bdev writes will return -EOPNOTSUPP for IOCB_NOWAIT. Just +-- +2.27.0 + diff --git a/queue/io_uring-fix-sq-array-offset-calculation.patch b/queue/io_uring-fix-sq-array-offset-calculation.patch new file mode 100644 index 00000000..01776a03 --- /dev/null +++ b/queue/io_uring-fix-sq-array-offset-calculation.patch @@ -0,0 +1,45 @@ +From b36200f543ff07a1cb346aa582349141df2c8068 Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov <dvyukov@google.com> +Date: Sat, 11 Jul 2020 11:31:11 +0200 +Subject: [PATCH] io_uring: fix sq array offset calculation + +commit b36200f543ff07a1cb346aa582349141df2c8068 upstream. + +rings_size() sets sq_offset to the total size of the rings (the returned +value which is used for memory allocation). This is wrong: sq array should +be located within the rings, not after them. Set sq_offset to where it +should be. + +Fixes: 75b28affdd6a ("io_uring: allocate the two rings together") +Signed-off-by: Dmitry Vyukov <dvyukov@google.com> +Acked-by: Hristo Venev <hristo@venev.name> +Cc: io-uring@vger.kernel.org +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index ff3851d40df4..ca932fb3c67d 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -7416,6 +7416,9 @@ static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries, + return SIZE_MAX; + #endif + ++ if (sq_offset) ++ *sq_offset = off; ++ + sq_array_size = array_size(sizeof(u32), sq_entries); + if (sq_array_size == SIZE_MAX) + return SIZE_MAX; +@@ -7423,9 +7426,6 @@ static unsigned long rings_size(unsigned sq_entries, unsigned cq_entries, + if (check_add_overflow(off, sq_array_size, &off)) + return SIZE_MAX; + +- if (sq_offset) +- *sq_offset = off; +- + return off; + } + +-- +2.27.0 + diff --git a/queue/io_uring-set-ctx-sq-cq-entry-count-earlier.patch b/queue/io_uring-set-ctx-sq-cq-entry-count-earlier.patch new file mode 100644 index 00000000..491d2bf3 --- /dev/null +++ b/queue/io_uring-set-ctx-sq-cq-entry-count-earlier.patch @@ -0,0 +1,50 @@ +From bd74048108c179cea0ff52979506164c80f29da7 Mon Sep 17 00:00:00 2001 +From: Jens Axboe <axboe@kernel.dk> +Date: Wed, 5 Aug 2020 12:58:23 -0600 +Subject: [PATCH] io_uring: set ctx sq/cq entry count earlier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit bd74048108c179cea0ff52979506164c80f29da7 upstream. + +If we hit an earlier error path in io_uring_create(), then we will have +accounted memory, but not set ctx->{sq,cq}_entries yet. Then when the +ring is torn down in error, we use those values to unaccount the memory. + +Ensure we set the ctx entries before we're able to hit a potential error +path. + +Cc: stable@vger.kernel.org +Reported-by: Tomáš Chaloupka <chalucha@gmail.com> +Tested-by: Tomáš Chaloupka <chalucha@gmail.com> +Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 8f96566603f3..0d857f7ca507 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -8193,6 +8193,10 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx, + struct io_rings *rings; + size_t size, sq_array_offset; + ++ /* make sure these are sane, as we already accounted them */ ++ ctx->sq_entries = p->sq_entries; ++ ctx->cq_entries = p->cq_entries; ++ + size = rings_size(p->sq_entries, p->cq_entries, &sq_array_offset); + if (size == SIZE_MAX) + return -EOVERFLOW; +@@ -8209,8 +8213,6 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx, + rings->cq_ring_entries = p->cq_entries; + ctx->sq_mask = rings->sq_ring_mask; + ctx->cq_mask = rings->cq_ring_mask; +- ctx->sq_entries = rings->sq_ring_entries; +- ctx->cq_entries = rings->cq_ring_entries; + + size = array_size(sizeof(struct io_uring_sqe), p->sq_entries); + if (size == SIZE_MAX) { +-- +2.27.0 + diff --git a/queue/iocost-Fix-check-condition-of-iocg-abs_vdebt.patch b/queue/iocost-Fix-check-condition-of-iocg-abs_vdebt.patch new file mode 100644 index 00000000..1e313891 --- /dev/null +++ b/queue/iocost-Fix-check-condition-of-iocg-abs_vdebt.patch @@ -0,0 +1,30 @@ +From d9012a59db54442d5b2fcfdfcded35cf566397d3 Mon Sep 17 00:00:00 2001 +From: Chengming Zhou <zhouchengming@bytedance.com> +Date: Thu, 30 Jul 2020 17:03:21 +0800 +Subject: [PATCH] iocost: Fix check condition of iocg abs_vdebt + +commit d9012a59db54442d5b2fcfdfcded35cf566397d3 upstream. + +We shouldn't skip iocg when its abs_vdebt is not zero. + +Fixes: 0b80f9866e6b ("iocost: protect iocg->abs_vdebt with iocg->waitq.lock") +Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com> +Acked-by: Tejun Heo <tj@kernel.org> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index cea5ee9be639..521c29b8ae29 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -1370,7 +1370,7 @@ static void ioc_timer_fn(struct timer_list *timer) + * should have woken up in the last period and expire idle iocgs. + */ + list_for_each_entry_safe(iocg, tiocg, &ioc->active_iocgs, active_list) { +- if (!waitqueue_active(&iocg->waitq) && iocg->abs_vdebt && ++ if (!waitqueue_active(&iocg->waitq) && !iocg->abs_vdebt && + !iocg_is_idle(iocg)) + continue; + +-- +2.27.0 + diff --git a/queue/ionic-update-eid-test-for-overflow.patch b/queue/ionic-update-eid-test-for-overflow.patch new file mode 100644 index 00000000..fb3b1c8a --- /dev/null +++ b/queue/ionic-update-eid-test-for-overflow.patch @@ -0,0 +1,29 @@ +From 3fbc9bb6ca32d12d4d32a7ae32abef67ac95f889 Mon Sep 17 00:00:00 2001 +From: Shannon Nelson <snelson@pensando.io> +Date: Tue, 21 Jul 2020 13:34:07 -0700 +Subject: [PATCH] ionic: update eid test for overflow + +commit 3fbc9bb6ca32d12d4d32a7ae32abef67ac95f889 upstream. + +Fix up our comparison to better handle a potential (but largely +unlikely) wrap around. + +Signed-off-by: Shannon Nelson <snelson@pensando.io> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index bbfa25cd3294..db60c5405a58 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -719,7 +719,7 @@ static bool ionic_notifyq_service(struct ionic_cq *cq, + eid = le64_to_cpu(comp->event.eid); + + /* Have we run out of new completions to process? */ +- if (eid <= lif->last_eid) ++ if ((s64)(eid - lif->last_eid) <= 0) + return false; + + lif->last_eid = eid; +-- +2.27.0 + diff --git a/queue/ipvs-allow-connection-reuse-for-unconfirmed-conntrac.patch b/queue/ipvs-allow-connection-reuse-for-unconfirmed-conntrac.patch new file mode 100644 index 00000000..e92a1cb6 --- /dev/null +++ b/queue/ipvs-allow-connection-reuse-for-unconfirmed-conntrac.patch @@ -0,0 +1,123 @@ +From f0a5e4d7a594e0fe237d3dfafb069bb82f80f42f Mon Sep 17 00:00:00 2001 +From: Julian Anastasov <ja@ssi.bg> +Date: Wed, 1 Jul 2020 18:17:19 +0300 +Subject: [PATCH] ipvs: allow connection reuse for unconfirmed conntrack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit f0a5e4d7a594e0fe237d3dfafb069bb82f80f42f upstream. + +YangYuxi is reporting that connection reuse +is causing one-second delay when SYN hits +existing connection in TIME_WAIT state. +Such delay was added to give time to expire +both the IPVS connection and the corresponding +conntrack. This was considered a rare case +at that time but it is causing problem for +some environments such as Kubernetes. + +As nf_conntrack_tcp_packet() can decide to +release the conntrack in TIME_WAIT state and +to replace it with a fresh NEW conntrack, we +can use this to allow rescheduling just by +tuning our check: if the conntrack is +confirmed we can not schedule it to different +real server and the one-second delay still +applies but if new conntrack was created, +we are free to select new real server without +any delays. + +YangYuxi lists some of the problem reports: + +- One second connection delay in masquerading mode: +https://marc.info/?t=151683118100004&r=1&w=2 + +- IPVS low throughput #70747 +https://github.com/kubernetes/kubernetes/issues/70747 + +- Apache Bench can fill up ipvs service proxy in seconds #544 +https://github.com/cloudnativelabs/kube-router/issues/544 + +- Additional 1s latency in `host -> service IP -> pod` +https://github.com/kubernetes/kubernetes/issues/90854 + +Fixes: f719e3754ee2 ("ipvs: drop first packet to redirect conntrack") +Co-developed-by: YangYuxi <yx.atom1@gmail.com> +Signed-off-by: YangYuxi <yx.atom1@gmail.com> +Signed-off-by: Julian Anastasov <ja@ssi.bg> +Reviewed-by: Simon Horman <horms@verge.net.au> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> + +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index 0c9881241323..011f407b76fe 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -1626,18 +1626,16 @@ static inline void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp) + } + #endif /* CONFIG_IP_VS_NFCT */ + +-/* Really using conntrack? */ +-static inline bool ip_vs_conn_uses_conntrack(struct ip_vs_conn *cp, +- struct sk_buff *skb) ++/* Using old conntrack that can not be redirected to another real server? */ ++static inline bool ip_vs_conn_uses_old_conntrack(struct ip_vs_conn *cp, ++ struct sk_buff *skb) + { + #ifdef CONFIG_IP_VS_NFCT + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + +- if (!(cp->flags & IP_VS_CONN_F_NFCT)) +- return false; + ct = nf_ct_get(skb, &ctinfo); +- if (ct) ++ if (ct && nf_ct_is_confirmed(ct)) + return true; + #endif + return false; +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index ca3670152565..b4a6b7662f3f 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -2066,14 +2066,14 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int + + conn_reuse_mode = sysctl_conn_reuse_mode(ipvs); + if (conn_reuse_mode && !iph.fragoffs && is_new_conn(skb, &iph) && cp) { +- bool uses_ct = false, resched = false; ++ bool old_ct = false, resched = false; + + if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp->dest && + unlikely(!atomic_read(&cp->dest->weight))) { + resched = true; +- uses_ct = ip_vs_conn_uses_conntrack(cp, skb); ++ old_ct = ip_vs_conn_uses_old_conntrack(cp, skb); + } else if (is_new_conn_expected(cp, conn_reuse_mode)) { +- uses_ct = ip_vs_conn_uses_conntrack(cp, skb); ++ old_ct = ip_vs_conn_uses_old_conntrack(cp, skb); + if (!atomic_read(&cp->n_control)) { + resched = true; + } else { +@@ -2081,15 +2081,17 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int + * that uses conntrack while it is still + * referenced by controlled connection(s). + */ +- resched = !uses_ct; ++ resched = !old_ct; + } + } + + if (resched) { ++ if (!old_ct) ++ cp->flags &= ~IP_VS_CONN_F_NFCT; + if (!atomic_read(&cp->n_control)) + ip_vs_conn_expire_now(cp); + __ip_vs_conn_put(cp); +- if (uses_ct) ++ if (old_ct) + return NF_DROP; + cp = NULL; + } +-- +2.27.0 + diff --git a/queue/irqchip-irq-mtk-sysirq-Replace-spinlock-with-raw_spi.patch b/queue/irqchip-irq-mtk-sysirq-Replace-spinlock-with-raw_spi.patch new file mode 100644 index 00000000..e03a2939 --- /dev/null +++ b/queue/irqchip-irq-mtk-sysirq-Replace-spinlock-with-raw_spi.patch @@ -0,0 +1,91 @@ +From 6eeb997ab5075e770a002c51351fa4ec2c6b5c39 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski <bgolaszewski@baylibre.com> +Date: Mon, 15 Jun 2020 09:44:45 +0200 +Subject: [PATCH] irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock + +commit 6eeb997ab5075e770a002c51351fa4ec2c6b5c39 upstream. + +This driver may take a regular spinlock when a raw spinlock +(irq_desc->lock) is already taken which results in the following +lockdep splat: + +============================= +[ BUG: Invalid wait context ] +5.7.0-rc7 #1 Not tainted +----------------------------- +swapper/0/0 is trying to lock: +ffffff800303b798 (&chip_data->lock){....}-{3:3}, at: mtk_sysirq_set_type+0x48/0xc0 +other info that might help us debug this: +context-{5:5} +2 locks held by swapper/0/0: + #0: ffffff800302ee68 (&desc->request_mutex){....}-{4:4}, at: __setup_irq+0xc4/0x8a0 + #1: ffffff800302ecf0 (&irq_desc_lock_class){....}-{2:2}, at: __setup_irq+0xe4/0x8a0 +stack backtrace: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc7 #1 +Hardware name: Pumpkin MT8516 (DT) +Call trace: + dump_backtrace+0x0/0x180 + show_stack+0x14/0x20 + dump_stack+0xd0/0x118 + __lock_acquire+0x8c8/0x2270 + lock_acquire+0xf8/0x470 + _raw_spin_lock_irqsave+0x50/0x78 + mtk_sysirq_set_type+0x48/0xc0 + __irq_set_trigger+0x58/0x170 + __setup_irq+0x420/0x8a0 + request_threaded_irq+0xd8/0x190 + timer_of_init+0x1e8/0x2c4 + mtk_gpt_init+0x5c/0x1dc + timer_probe+0x74/0xf4 + time_init+0x14/0x44 + start_kernel+0x394/0x4f0 + +Replace the spinlock_t with raw_spinlock_t to avoid this warning. + +Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> +Signed-off-by: Marc Zyngier <maz@kernel.org> +Link: https://lore.kernel.org/r/20200615074445.3579-1-brgl@bgdev.pl + +diff --git a/drivers/irqchip/irq-mtk-sysirq.c b/drivers/irqchip/irq-mtk-sysirq.c +index 73eae5966a40..6ff98b87e5c0 100644 +--- a/drivers/irqchip/irq-mtk-sysirq.c ++++ b/drivers/irqchip/irq-mtk-sysirq.c +@@ -15,7 +15,7 @@ + #include <linux/spinlock.h> + + struct mtk_sysirq_chip_data { +- spinlock_t lock; ++ raw_spinlock_t lock; + u32 nr_intpol_bases; + void __iomem **intpol_bases; + u32 *intpol_words; +@@ -37,7 +37,7 @@ static int mtk_sysirq_set_type(struct irq_data *data, unsigned int type) + reg_index = chip_data->which_word[hwirq]; + offset = hwirq & 0x1f; + +- spin_lock_irqsave(&chip_data->lock, flags); ++ raw_spin_lock_irqsave(&chip_data->lock, flags); + value = readl_relaxed(base + reg_index * 4); + if (type == IRQ_TYPE_LEVEL_LOW || type == IRQ_TYPE_EDGE_FALLING) { + if (type == IRQ_TYPE_LEVEL_LOW) +@@ -53,7 +53,7 @@ static int mtk_sysirq_set_type(struct irq_data *data, unsigned int type) + + data = data->parent_data; + ret = data->chip->irq_set_type(data, type); +- spin_unlock_irqrestore(&chip_data->lock, flags); ++ raw_spin_unlock_irqrestore(&chip_data->lock, flags); + return ret; + } + +@@ -212,7 +212,7 @@ static int __init mtk_sysirq_of_init(struct device_node *node, + ret = -ENOMEM; + goto out_free_which_word; + } +- spin_lock_init(&chip_data->lock); ++ raw_spin_lock_init(&chip_data->lock); + + return 0; + +-- +2.27.0 + diff --git a/queue/irqchip-ti-sci-inta-Fix-return-value-about-devm_iore.patch b/queue/irqchip-ti-sci-inta-Fix-return-value-about-devm_iore.patch new file mode 100644 index 00000000..de9c29c8 --- /dev/null +++ b/queue/irqchip-ti-sci-inta-Fix-return-value-about-devm_iore.patch @@ -0,0 +1,33 @@ +From 4b127a14cb1385dd355c7673d975258d5d668922 Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang <yangtiezhu@loongson.cn> +Date: Sat, 6 Jun 2020 17:50:16 +0800 +Subject: [PATCH] irqchip/ti-sci-inta: Fix return value about + devm_ioremap_resource() + +commit 4b127a14cb1385dd355c7673d975258d5d668922 upstream. + +When call function devm_ioremap_resource(), we should use IS_ERR() +to check the return value and return PTR_ERR() if failed. + +Fixes: 9f1463b86c13 ("irqchip/ti-sci-inta: Add support for Interrupt Aggregator driver") +Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> +Signed-off-by: Marc Zyngier <maz@kernel.org> +Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com> +Link: https://lore.kernel.org/r/1591437017-5295-2-git-send-email-yangtiezhu@loongson.cn + +diff --git a/drivers/irqchip/irq-ti-sci-inta.c b/drivers/irqchip/irq-ti-sci-inta.c +index c20c9f7f06e0..df1f7fe66d1b 100644 +--- a/drivers/irqchip/irq-ti-sci-inta.c ++++ b/drivers/irqchip/irq-ti-sci-inta.c +@@ -570,7 +570,7 @@ static int ti_sci_inta_irq_domain_probe(struct platform_device *pdev) + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + inta->base = devm_ioremap_resource(dev, res); + if (IS_ERR(inta->base)) +- return -ENODEV; ++ return PTR_ERR(inta->base); + + domain = irq_domain_add_linear(dev_of_node(dev), + ti_sci_get_num_resources(inta->vint), +-- +2.27.0 + diff --git a/queue/irqdomain-treewide-Free-firmware-node-after-domain-r.patch b/queue/irqdomain-treewide-Free-firmware-node-after-domain-r.patch new file mode 100644 index 00000000..bec1fc5e --- /dev/null +++ b/queue/irqdomain-treewide-Free-firmware-node-after-domain-r.patch @@ -0,0 +1,152 @@ +From ec0160891e387f4771f953b888b1fe951398e5d9 Mon Sep 17 00:00:00 2001 +From: Jon Derrick <jonathan.derrick@intel.com> +Date: Tue, 21 Jul 2020 14:26:09 -0600 +Subject: [PATCH] irqdomain/treewide: Free firmware node after domain removal + +commit ec0160891e387f4771f953b888b1fe951398e5d9 upstream. + +Commit 711419e504eb ("irqdomain: Add the missing assignment of +domain->fwnode for named fwnode") unintentionally caused a dangling pointer +page fault issue on firmware nodes that were freed after IRQ domain +allocation. Commit e3beca48a45b fixed that dangling pointer issue by only +freeing the firmware node after an IRQ domain allocation failure. That fix +no longer frees the firmware node immediately, but leaves the firmware node +allocated after the domain is removed. + +The firmware node must be kept around through irq_domain_remove, but should be +freed it afterwards. + +Add the missing free operations after domain removal where where appropriate. + +Fixes: e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated") +Signed-off-by: Jon Derrick <jonathan.derrick@intel.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Acked-by: Bjorn Helgaas <bhelgaas@google.com> # drivers/pci +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1595363169-7157-1-git-send-email-jonathan.derrick@intel.com + +diff --git a/arch/mips/pci/pci-xtalk-bridge.c b/arch/mips/pci/pci-xtalk-bridge.c +index 5958217861b8..9b3cc775c55e 100644 +--- a/arch/mips/pci/pci-xtalk-bridge.c ++++ b/arch/mips/pci/pci-xtalk-bridge.c +@@ -728,6 +728,7 @@ static int bridge_probe(struct platform_device *pdev) + pci_free_resource_list(&host->windows); + err_remove_domain: + irq_domain_remove(domain); ++ irq_domain_free_fwnode(fn); + return err; + } + +@@ -735,8 +736,10 @@ static int bridge_remove(struct platform_device *pdev) + { + struct pci_bus *bus = platform_get_drvdata(pdev); + struct bridge_controller *bc = BRIDGE_CONTROLLER(bus); ++ struct fwnode_handle *fn = bc->domain->fwnode; + + irq_domain_remove(bc->domain); ++ irq_domain_free_fwnode(fn); + pci_lock_rescan_remove(); + pci_stop_root_bus(bus); + pci_remove_root_bus(bus); +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index 81ffcfbfaef2..21325a4a78b9 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -2335,8 +2335,13 @@ static int mp_irqdomain_create(int ioapic) + + static void ioapic_destroy_irqdomain(int idx) + { ++ struct ioapic_domain_cfg *cfg = &ioapics[idx].irqdomain_cfg; ++ struct fwnode_handle *fn = ioapics[idx].irqdomain->fwnode; ++ + if (ioapics[idx].irqdomain) { + irq_domain_remove(ioapics[idx].irqdomain); ++ if (!cfg->dev) ++ irq_domain_free_fwnode(fn); + ioapics[idx].irqdomain = NULL; + } + } +diff --git a/drivers/iommu/intel/irq_remapping.c b/drivers/iommu/intel/irq_remapping.c +index 9564d23d094f..aa096b333a99 100644 +--- a/drivers/iommu/intel/irq_remapping.c ++++ b/drivers/iommu/intel/irq_remapping.c +@@ -628,13 +628,21 @@ static int intel_setup_irq_remapping(struct intel_iommu *iommu) + + static void intel_teardown_irq_remapping(struct intel_iommu *iommu) + { ++ struct fwnode_handle *fn; ++ + if (iommu && iommu->ir_table) { + if (iommu->ir_msi_domain) { ++ fn = iommu->ir_msi_domain->fwnode; ++ + irq_domain_remove(iommu->ir_msi_domain); ++ irq_domain_free_fwnode(fn); + iommu->ir_msi_domain = NULL; + } + if (iommu->ir_domain) { ++ fn = iommu->ir_domain->fwnode; ++ + irq_domain_remove(iommu->ir_domain); ++ irq_domain_free_fwnode(fn); + iommu->ir_domain = NULL; + } + free_pages((unsigned long)iommu->ir_table->base, +diff --git a/drivers/mfd/ioc3.c b/drivers/mfd/ioc3.c +index 74cee7cb0afc..d939ccc46509 100644 +--- a/drivers/mfd/ioc3.c ++++ b/drivers/mfd/ioc3.c +@@ -616,7 +616,10 @@ static int ioc3_mfd_probe(struct pci_dev *pdev, + /* Remove all already added MFD devices */ + mfd_remove_devices(&ipd->pdev->dev); + if (ipd->domain) { ++ struct fwnode_handle *fn = ipd->domain->fwnode; ++ + irq_domain_remove(ipd->domain); ++ irq_domain_free_fwnode(fn); + free_irq(ipd->domain_irq, (void *)ipd); + } + pci_iounmap(pdev, regs); +@@ -643,7 +646,10 @@ static void ioc3_mfd_remove(struct pci_dev *pdev) + /* Release resources */ + mfd_remove_devices(&ipd->pdev->dev); + if (ipd->domain) { ++ struct fwnode_handle *fn = ipd->domain->fwnode; ++ + irq_domain_remove(ipd->domain); ++ irq_domain_free_fwnode(fn); + free_irq(ipd->domain_irq, (void *)ipd); + } + pci_iounmap(pdev, ipd->regs); +diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c +index 9a64cf90c291..ebec0a6e77ed 100644 +--- a/drivers/pci/controller/vmd.c ++++ b/drivers/pci/controller/vmd.c +@@ -560,6 +560,7 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features) + if (!vmd->bus) { + pci_free_resource_list(&resources); + irq_domain_remove(vmd->irq_domain); ++ irq_domain_free_fwnode(fn); + return -ENODEV; + } + +@@ -673,6 +674,7 @@ static void vmd_cleanup_srcu(struct vmd_dev *vmd) + static void vmd_remove(struct pci_dev *dev) + { + struct vmd_dev *vmd = pci_get_drvdata(dev); ++ struct fwnode_handle *fn = vmd->irq_domain->fwnode; + + sysfs_remove_link(&vmd->dev->dev.kobj, "domain"); + pci_stop_root_bus(vmd->bus); +@@ -680,6 +682,7 @@ static void vmd_remove(struct pci_dev *dev) + vmd_cleanup_srcu(vmd); + vmd_detach_resources(vmd); + irq_domain_remove(vmd->irq_domain); ++ irq_domain_free_fwnode(fn); + } + + #ifdef CONFIG_PM_SLEEP +-- +2.27.0 + diff --git a/queue/iwlegacy-Check-the-return-value-of-pcie_capability_r.patch b/queue/iwlegacy-Check-the-return-value-of-pcie_capability_r.patch new file mode 100644 index 00000000..3458850f --- /dev/null +++ b/queue/iwlegacy-Check-the-return-value-of-pcie_capability_r.patch @@ -0,0 +1,39 @@ +From 9018fd7f2a73e9b290f48a56b421558fa31e8b75 Mon Sep 17 00:00:00 2001 +From: Bolarinwa Olayemi Saheed <refactormyself@gmail.com> +Date: Mon, 13 Jul 2020 19:55:27 +0200 +Subject: [PATCH] iwlegacy: Check the return value of pcie_capability_read_*() + +commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 upstream. + +On failure pcie_capability_read_dword() sets it's last parameter, val +to 0. However, with Patch 14/14, it is possible that val is set to ~0 on +failure. This would introduce a bug because (x & x) == (~0 & x). + +This bug can be avoided without changing the function's behaviour if the +return value of pcie_capability_read_dword is checked to confirm success. + +Check the return value of pcie_capability_read_dword() to ensure success. + +Suggested-by: Bjorn Helgaas <bjorn@helgaas.com> +Signed-off-by: Bolarinwa Olayemi Saheed <refactormyself@gmail.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com + +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index 348c17ce72f5..f78e062df572 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -4286,8 +4286,8 @@ il_apm_init(struct il_priv *il) + * power savings, even without L1. + */ + if (il->cfg->set_l0s) { +- pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); +- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) { ++ ret = pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); ++ if (!ret && (lctl & PCI_EXP_LNKCTL_ASPM_L1)) { + /* L1-ASPM enabled; disable(!) L0S */ + il_set_bit(il, CSR_GIO_REG, + CSR_GIO_REG_VAL_L0S_ENABLED); +-- +2.27.0 + diff --git a/queue/kernfs-do-not-call-fsnotify-with-name-without-a-pare.patch b/queue/kernfs-do-not-call-fsnotify-with-name-without-a-pare.patch new file mode 100644 index 00000000..ef7664a6 --- /dev/null +++ b/queue/kernfs-do-not-call-fsnotify-with-name-without-a-pare.patch @@ -0,0 +1,42 @@ +From 9991bb84b27a2594187898f261866cfc50255454 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein <amir73il@gmail.com> +Date: Wed, 8 Jul 2020 14:11:40 +0300 +Subject: [PATCH] kernfs: do not call fsnotify() with name without a parent + +commit 9991bb84b27a2594187898f261866cfc50255454 upstream. + +When creating an FS_MODIFY event on inode itself (not on parent) +the file_name argument should be NULL. + +The change to send a non NULL name to inode itself was done on purpuse +as part of another commit, as Tejun writes: "...While at it, supply the +target file name to fsnotify() from kernfs_node->name.". + +But this is wrong practice and inconsistent with inotify behavior when +watching a single file. When a child is being watched (as opposed to the +parent directory) the inotify event should contain the watch descriptor, +but not the file name. + +Fixes: df6a58c5c5aa ("kernfs: don't depend on d_find_any_alias()...") +Link: https://lore.kernel.org/r/20200708111156.24659-5-amir73il@gmail.com +Acked-by: Tejun Heo <tj@kernel.org> +Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Amir Goldstein <amir73il@gmail.com> +Signed-off-by: Jan Kara <jack@suse.cz> + +diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c +index 06b342d8462b..e23b3f62483c 100644 +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -912,7 +912,7 @@ static void kernfs_notify_workfn(struct work_struct *work) + } + + fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE, +- &name, 0); ++ NULL, 0); + iput(inode); + } + +-- +2.27.0 + diff --git a/queue/kobject-Avoid-premature-parent-object-freeing-in-kob.patch b/queue/kobject-Avoid-premature-parent-object-freeing-in-kob.patch new file mode 100644 index 00000000..2bbca0e8 --- /dev/null +++ b/queue/kobject-Avoid-premature-parent-object-freeing-in-kob.patch @@ -0,0 +1,111 @@ +From 079ad2fb4bf9eba8a0aaab014b49705cd7f07c66 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Thu, 4 Jun 2020 19:46:46 +0200 +Subject: [PATCH] kobject: Avoid premature parent object freeing in + kobject_cleanup() + +commit 079ad2fb4bf9eba8a0aaab014b49705cd7f07c66 upstream. + +If kobject_del() is invoked by kobject_cleanup() to delete the +target kobject, it may cause its parent kobject to be freed +before invoking the target kobject's ->release() method, which +effectively means freeing the parent before dealing with the +child entirely. + +That is confusing at best and it may also lead to functional +issues if the callers of kobject_cleanup() are not careful enough +about the order in which these calls are made, so avoid the +problem by making kobject_cleanup() drop the last reference to +the target kobject's parent at the end, after invoking the target +kobject's ->release() method. + +[ rjw: Rewrite the subject and changelog, make kobject_cleanup() + drop the parent reference only when __kobject_del() has been + called. ] + +Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org> +Reported-by: kernel test robot <rong.a.chen@intel.com> +Fixes: 7589238a8cf3 ("Revert "software node: Simplify software_node_release() function"") +Suggested-by: Rafael J. Wysocki <rafael@kernel.org> +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Link: https://lore.kernel.org/r/1908555.IiAGLGrh1Z@kreacher +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/lib/kobject.c b/lib/kobject.c +index 1e4b7382a88e..3afb939f2a1c 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -599,14 +599,7 @@ int kobject_move(struct kobject *kobj, struct kobject *new_parent) + } + EXPORT_SYMBOL_GPL(kobject_move); + +-/** +- * kobject_del() - Unlink kobject from hierarchy. +- * @kobj: object. +- * +- * This is the function that should be called to delete an object +- * successfully added via kobject_add(). +- */ +-void kobject_del(struct kobject *kobj) ++static void __kobject_del(struct kobject *kobj) + { + struct kernfs_node *sd; + const struct kobj_type *ktype; +@@ -632,9 +625,23 @@ void kobject_del(struct kobject *kobj) + + kobj->state_in_sysfs = 0; + kobj_kset_leave(kobj); +- kobject_put(kobj->parent); + kobj->parent = NULL; + } ++ ++/** ++ * kobject_del() - Unlink kobject from hierarchy. ++ * @kobj: object. ++ * ++ * This is the function that should be called to delete an object ++ * successfully added via kobject_add(). ++ */ ++void kobject_del(struct kobject *kobj) ++{ ++ struct kobject *parent = kobj->parent; ++ ++ __kobject_del(kobj); ++ kobject_put(parent); ++} + EXPORT_SYMBOL(kobject_del); + + /** +@@ -670,6 +677,7 @@ EXPORT_SYMBOL(kobject_get_unless_zero); + */ + static void kobject_cleanup(struct kobject *kobj) + { ++ struct kobject *parent = kobj->parent; + struct kobj_type *t = get_ktype(kobj); + const char *name = kobj->name; + +@@ -684,7 +692,10 @@ static void kobject_cleanup(struct kobject *kobj) + if (kobj->state_in_sysfs) { + pr_debug("kobject: '%s' (%p): auto cleanup kobject_del\n", + kobject_name(kobj), kobj); +- kobject_del(kobj); ++ __kobject_del(kobj); ++ } else { ++ /* avoid dropping the parent reference unnecessarily */ ++ parent = NULL; + } + + if (t && t->release) { +@@ -698,6 +709,8 @@ static void kobject_cleanup(struct kobject *kobj) + pr_debug("kobject: '%s': free name\n", name); + kfree_const(name); + } ++ ++ kobject_put(parent); + } + + #ifdef CONFIG_DEBUG_KOBJECT_RELEASE +-- +2.27.0 + diff --git a/queue/leds-core-Flush-scheduled-work-for-system-suspend.patch b/queue/leds-core-Flush-scheduled-work-for-system-suspend.patch new file mode 100644 index 00000000..903c1020 --- /dev/null +++ b/queue/leds-core-Flush-scheduled-work-for-system-suspend.patch @@ -0,0 +1,36 @@ +From 302a085c20194bfa7df52e0fe684ee0c41da02e6 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng <kai.heng.feng@canonical.com> +Date: Thu, 2 Jul 2020 13:45:00 +0800 +Subject: [PATCH] leds: core: Flush scheduled work for system suspend + +commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 upstream. + +Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon +system suspend. + +led_set_brightness_nopm() uses schedule_work() to set LED brightness. +However, there's no guarantee that the scheduled work gets executed +because no one flushes the work. + +So flush the scheduled work to make sure LED gets turned off. + +Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> +Acked-by: Jacek Anaszewski <jacek.anaszewski@gmail.com> +Fixes: 81fe8e5b73e3 ("leds: core: Add led_set_brightness_nosleep{nopm} functions") +Signed-off-by: Pavel Machek <pavel@ucw.cz> + +diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c +index 3363a6551a70..cc3929f858b6 100644 +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -173,6 +173,7 @@ void led_classdev_suspend(struct led_classdev *led_cdev) + { + led_cdev->flags |= LED_SUSPENDED; + led_set_brightness_nopm(led_cdev, 0); ++ flush_work(&led_cdev->set_brightness_work); + } + EXPORT_SYMBOL_GPL(led_classdev_suspend); + +-- +2.27.0 + diff --git a/queue/leds-lm355x-avoid-enum-conversion-warning.patch b/queue/leds-lm355x-avoid-enum-conversion-warning.patch new file mode 100644 index 00000000..eb24392e --- /dev/null +++ b/queue/leds-lm355x-avoid-enum-conversion-warning.patch @@ -0,0 +1,54 @@ +From 985b1f596f9ed56f42b8c2280005f943e1434c06 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann <arnd@arndb.de> +Date: Tue, 5 May 2020 16:19:17 +0200 +Subject: [PATCH] leds: lm355x: avoid enum conversion warning + +commit 985b1f596f9ed56f42b8c2280005f943e1434c06 upstream. + +clang points out that doing arithmetic between diffent enums is usually +a mistake: + +drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] + reg_val = pdata->pin_tx2 | pdata->ntc_pin; + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ +drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] + reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ + +In this driver, it is intentional, so add a cast to hide the false-positive +warning. It appears to be the only instance of this warning at the moment. + +Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips") +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: Pavel Machek <pavel@ucw.cz> + +diff --git a/drivers/leds/leds-lm355x.c b/drivers/leds/leds-lm355x.c +index 11ce05249751..b2eb2e1e9c04 100644 +--- a/drivers/leds/leds-lm355x.c ++++ b/drivers/leds/leds-lm355x.c +@@ -164,18 +164,19 @@ static int lm355x_chip_init(struct lm355x_chip_data *chip) + /* input and output pins configuration */ + switch (chip->type) { + case CHIP_LM3554: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin; + ret = regmap_update_bits(chip->regmap, 0xE0, 0x28, reg_val); + if (ret < 0) + goto out; +- reg_val = pdata->pass_mode; ++ reg_val = (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0xA0, 0x04, reg_val); + if (ret < 0) + goto out; + break; + + case CHIP_LM3556: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin | ++ (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0x0A, 0xC4, reg_val); + if (ret < 0) + goto out; +-- +2.27.0 + diff --git a/queue/liquidio-Fix-wrong-return-value-in-cn23xx_get_pf_num.patch b/queue/liquidio-Fix-wrong-return-value-in-cn23xx_get_pf_num.patch new file mode 100644 index 00000000..1d3d9445 --- /dev/null +++ b/queue/liquidio-Fix-wrong-return-value-in-cn23xx_get_pf_num.patch @@ -0,0 +1,31 @@ +From aa027850a292ea65524b8fab83eb91a124ad362c Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> +Date: Sun, 2 Aug 2020 19:15:44 +0800 +Subject: [PATCH] liquidio: Fix wrong return value in cn23xx_get_pf_num() + +commit aa027850a292ea65524b8fab83eb91a124ad362c upstream. + +On an error exit path, a negative error code should be returned +instead of a positive return value. + +Fixes: 0c45d7fe12c7e ("liquidio: fix use of pf in pass-through mode in a virtual machine") +Cc: Rick Farrington <ricardo.farrington@cavium.com> +Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +index 43d11c38b38a..4cddd628d41b 100644 +--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c ++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +@@ -1167,7 +1167,7 @@ static int cn23xx_get_pf_num(struct octeon_device *oct) + oct->pf_num = ((fdl_bit >> CN23XX_PCIE_SRIOV_FDL_BIT_POS) & + CN23XX_PCIE_SRIOV_FDL_MASK); + } else { +- ret = EINVAL; ++ ret = -EINVAL; + + /* Under some virtual environments, extended PCI regs are + * inaccessible, in which case the above read will have failed. +-- +2.27.0 + diff --git a/queue/loop-be-paranoid-on-exit-and-prevent-new-additions-r.patch b/queue/loop-be-paranoid-on-exit-and-prevent-new-additions-r.patch new file mode 100644 index 00000000..c3f10d42 --- /dev/null +++ b/queue/loop-be-paranoid-on-exit-and-prevent-new-additions-r.patch @@ -0,0 +1,41 @@ +From 200f93377220504c5e56754823e7adfea6037f1a Mon Sep 17 00:00:00 2001 +From: Luis Chamberlain <mcgrof@kernel.org> +Date: Fri, 19 Jun 2020 20:47:27 +0000 +Subject: [PATCH] loop: be paranoid on exit and prevent new additions / + removals + +commit 200f93377220504c5e56754823e7adfea6037f1a upstream. + +Be pedantic on removal as well and hold the mutex. +This should prevent uses of addition while we exit. + +Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> +Reviewed-by: Ming Lei <ming.lei@redhat.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 4acae248790c..a943207705dd 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -2404,6 +2404,8 @@ static void __exit loop_exit(void) + + range = max_loop ? max_loop << part_shift : 1UL << MINORBITS; + ++ mutex_lock(&loop_ctl_mutex); ++ + idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); + idr_destroy(&loop_index_idr); + +@@ -2411,6 +2413,8 @@ static void __exit loop_exit(void) + unregister_blkdev(LOOP_MAJOR, "loop"); + + misc_deregister(&loop_misc); ++ ++ mutex_unlock(&loop_ctl_mutex); + } + + module_init(loop_init); +-- +2.27.0 + diff --git a/queue/m68k-mac-Don-t-send-IOP-message-until-channel-is-idl.patch b/queue/m68k-mac-Don-t-send-IOP-message-until-channel-is-idl.patch new file mode 100644 index 00000000..c5b223b4 --- /dev/null +++ b/queue/m68k-mac-Don-t-send-IOP-message-until-channel-is-idl.patch @@ -0,0 +1,64 @@ +From aeb445bf2194d83e12e85bf5c65baaf1f093bd8f Mon Sep 17 00:00:00 2001 +From: Finn Thain <fthain@telegraphics.com.au> +Date: Sun, 31 May 2020 09:12:13 +1000 +Subject: [PATCH] m68k: mac: Don't send IOP message until channel is idle + +commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f upstream. + +In the following sequence of calls, iop_do_send() gets called when the +"send" channel is not in the IOP_MSG_IDLE state: + + iop_ism_irq() + iop_handle_send() + (msg->handler)() + iop_send_message() + iop_do_send() + +Avoid this by testing the channel state before calling iop_do_send(). + +When sending, and iop_send_queue is empty, call iop_do_send() because +the channel is idle. If iop_send_queue is not empty, iop_do_send() will +get called later by iop_handle_send(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Tested-by: Stan Johnson <userm57@yahoo.com> +Cc: Joshua Thompson <funaho@jurai.org> +Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> + +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index d3775afb0f07..754f6478c30d 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -415,7 +415,8 @@ static void iop_handle_send(uint iop_num, uint chan) + msg->status = IOP_MSGSTATUS_UNUSED; + msg = msg->next; + iop_send_queue[iop_num][chan] = msg; +- if (msg) iop_do_send(msg); ++ if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) ++ iop_do_send(msg); + } + + /* +@@ -489,16 +490,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata, + + if (!(q = iop_send_queue[iop_num][chan])) { + iop_send_queue[iop_num][chan] = msg; ++ iop_do_send(msg); + } else { + while (q->next) q = q->next; + q->next = msg; + } + +- if (iop_readb(iop_base[iop_num], +- IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) { +- iop_do_send(msg); +- } +- + return 0; + } + +-- +2.27.0 + diff --git a/queue/m68k-mac-Fix-IOP-status-control-register-writes.patch b/queue/m68k-mac-Fix-IOP-status-control-register-writes.patch new file mode 100644 index 00000000..db8f232b --- /dev/null +++ b/queue/m68k-mac-Fix-IOP-status-control-register-writes.patch @@ -0,0 +1,73 @@ +From 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 Mon Sep 17 00:00:00 2001 +From: Finn Thain <fthain@telegraphics.com.au> +Date: Sun, 31 May 2020 09:12:13 +1000 +Subject: [PATCH] m68k: mac: Fix IOP status/control register writes + +commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 upstream. + +When writing values to the IOP status/control register make sure those +values do not have any extraneous bits that will clear interrupt flags. + +To place the SCC IOP into bypass mode would be desirable but this is not +achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS +to the control register. Drop this ineffective register write. + +Remove the flawed and unused iop_bypass() function. Make use of the +unused iop_stop() function. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Tested-by: Stan Johnson <userm57@yahoo.com> +Cc: Joshua Thompson <funaho@jurai.org> +Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> + +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index 754f6478c30d..bfc8daf50744 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -183,7 +183,7 @@ static __inline__ void iop_writeb(volatile struct mac_iop *iop, __u16 addr, __u8 + + static __inline__ void iop_stop(volatile struct mac_iop *iop) + { +- iop->status_ctrl &= ~IOP_RUN; ++ iop->status_ctrl = IOP_AUTOINC; + } + + static __inline__ void iop_start(volatile struct mac_iop *iop) +@@ -191,14 +191,9 @@ static __inline__ void iop_start(volatile struct mac_iop *iop) + iop->status_ctrl = IOP_RUN | IOP_AUTOINC; + } + +-static __inline__ void iop_bypass(volatile struct mac_iop *iop) +-{ +- iop->status_ctrl |= IOP_BYPASS; +-} +- + static __inline__ void iop_interrupt(volatile struct mac_iop *iop) + { +- iop->status_ctrl |= IOP_IRQ; ++ iop->status_ctrl = IOP_IRQ | IOP_RUN | IOP_AUTOINC; + } + + static int iop_alive(volatile struct mac_iop *iop) +@@ -244,7 +239,6 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_SCC] = (struct mac_iop *) SCC_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_SCC]->status_ctrl = 0x87; + iop_scc_present = 1; + } else { + iop_base[IOP_NUM_SCC] = NULL; +@@ -256,7 +250,7 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_ISM] = (struct mac_iop *) ISM_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_ISM]->status_ctrl = 0; ++ iop_stop(iop_base[IOP_NUM_ISM]); + iop_ism_present = 1; + } else { + iop_base[IOP_NUM_ISM] = NULL; +-- +2.27.0 + diff --git a/queue/macintosh-via-macii-Access-autopoll_devs-when-inside.patch b/queue/macintosh-via-macii-Access-autopoll_devs-when-inside.patch new file mode 100644 index 00000000..e484cec5 --- /dev/null +++ b/queue/macintosh-via-macii-Access-autopoll_devs-when-inside.patch @@ -0,0 +1,42 @@ +From 59ea38f6b3af5636edf541768a1ed721eeaca99e Mon Sep 17 00:00:00 2001 +From: Finn Thain <fthain@telegraphics.com.au> +Date: Sun, 28 Jun 2020 14:23:12 +1000 +Subject: [PATCH] macintosh/via-macii: Access autopoll_devs when inside lock + +commit 59ea38f6b3af5636edf541768a1ed721eeaca99e upstream. + +The interrupt handler should be excluded when accessing the autopoll_devs +variable. + +Fixes: d95fd5fce88f0 ("m68k: Mac II ADB fixes") # v5.0+ +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Tested-by: Stan Johnson <userm57@yahoo.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/5952dd8a9bc9de90f1acc4790c51dd42b4c98065.1593318192.git.fthain@telegraphics.com.au + +diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c +index ac824d7b2dcf..6aa903529570 100644 +--- a/drivers/macintosh/via-macii.c ++++ b/drivers/macintosh/via-macii.c +@@ -270,15 +270,12 @@ static int macii_autopoll(int devs) + unsigned long flags; + int err = 0; + ++ local_irq_save(flags); ++ + /* bit 1 == device 1, and so on. */ + autopoll_devs = devs & 0xFFFE; + +- if (!autopoll_devs) +- return 0; +- +- local_irq_save(flags); +- +- if (current_req == NULL) { ++ if (autopoll_devs && !current_req) { + /* Send a Talk Reg 0. The controller will repeatedly transmit + * this as long as it is idle. + */ +-- +2.27.0 + diff --git a/queue/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch b/queue/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch new file mode 100644 index 00000000..46cbd0f3 --- /dev/null +++ b/queue/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch @@ -0,0 +1,66 @@ +From 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 Mon Sep 17 00:00:00 2001 +From: Zhao Heming <heming.zhao@suse.com> +Date: Thu, 9 Jul 2020 11:29:29 +0800 +Subject: [PATCH] md-cluster: fix wild pointer of unlock_all_bitmaps() + +commit 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 upstream. + +reproduction steps: +``` +node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda +/dev/sdb +node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb +node1 # mdadm -G /dev/md0 -b none +mdadm: failed to remove clustered bitmap. +node1 # mdadm -S --scan +^C <==== mdadm hung & kernel crash +``` + +kernel stack: +``` +[ 335.230657] general protection fault: 0000 [#1] SMP NOPTI +[...] +[ 335.230848] Call Trace: +[ 335.230873] ? unlock_all_bitmaps+0x5/0x70 [md_cluster] +[ 335.230886] unlock_all_bitmaps+0x3d/0x70 [md_cluster] +[ 335.230899] leave+0x10f/0x190 [md_cluster] +[ 335.230932] ? md_super_wait+0x93/0xa0 [md_mod] +[ 335.230947] ? leave+0x5/0x190 [md_cluster] +[ 335.230973] md_cluster_stop+0x1a/0x30 [md_mod] +[ 335.230999] md_bitmap_free+0x142/0x150 [md_mod] +[ 335.231013] ? _cond_resched+0x15/0x40 +[ 335.231025] ? mutex_lock+0xe/0x30 +[ 335.231056] __md_stop+0x1c/0xa0 [md_mod] +[ 335.231083] do_md_stop+0x160/0x580 [md_mod] +[ 335.231119] ? 0xffffffffc05fb078 +[ 335.231148] md_ioctl+0xa04/0x1930 [md_mod] +[ 335.231165] ? filename_lookup+0xf2/0x190 +[ 335.231179] blkdev_ioctl+0x93c/0xa10 +[ 335.231205] ? _cond_resched+0x15/0x40 +[ 335.231214] ? __check_object_size+0xd4/0x1a0 +[ 335.231224] block_ioctl+0x39/0x40 +[ 335.231243] do_vfs_ioctl+0xa0/0x680 +[ 335.231253] ksys_ioctl+0x70/0x80 +[ 335.231261] __x64_sys_ioctl+0x16/0x20 +[ 335.231271] do_syscall_64+0x65/0x1f0 +[ 335.231278] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +``` + +Signed-off-by: Zhao Heming <heming.zhao@suse.com> +Signed-off-by: Song Liu <songliubraving@fb.com> + +diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c +index 813a99ffa86f..73fd50e77975 100644 +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -1518,6 +1518,7 @@ static void unlock_all_bitmaps(struct mddev *mddev) + } + } + kfree(cinfo->other_bitmap_lockres); ++ cinfo->other_bitmap_lockres = NULL; + } + } + +-- +2.27.0 + diff --git a/queue/md-raid0-linear-fix-dereference-before-null-check-on.patch b/queue/md-raid0-linear-fix-dereference-before-null-check-on.patch new file mode 100644 index 00000000..c6782a5f --- /dev/null +++ b/queue/md-raid0-linear-fix-dereference-before-null-check-on.patch @@ -0,0 +1,49 @@ +From 9a5a85972c073f720d81a7ebd08bfe278e6e16db Mon Sep 17 00:00:00 2001 +From: Colin Ian King <colin.king@canonical.com> +Date: Thu, 2 Jul 2020 12:35:02 +0100 +Subject: [PATCH] md: raid0/linear: fix dereference before null check on + pointer mddev + +commit 9a5a85972c073f720d81a7ebd08bfe278e6e16db upstream. + +Pointer mddev is being dereferenced with a test_bit call before mddev +is being null checked, this may cause a null pointer dereference. Fix +this by moving the null pointer checks to sanity check mddev before +it is dereferenced. + +Addresses-Coverity: ("Dereference before null check") +Fixes: 62f7b1989c02 ("md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Reviewed-by: Guilherme G. Piccoli <gpiccoli@canonical.com> +Signed-off-by: Song Liu <songliubraving@fb.com> + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 8bb69c61afe0..49452149ac72 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -470,17 +470,18 @@ static blk_qc_t md_submit_bio(struct bio *bio) + struct mddev *mddev = bio->bi_disk->private_data; + unsigned int sectors; + +- if (unlikely(test_bit(MD_BROKEN, &mddev->flags)) && (rw == WRITE)) { ++ if (mddev == NULL || mddev->pers == NULL) { + bio_io_error(bio); + return BLK_QC_T_NONE; + } + +- blk_queue_split(&bio); +- +- if (mddev == NULL || mddev->pers == NULL) { ++ if (unlikely(test_bit(MD_BROKEN, &mddev->flags)) && (rw == WRITE)) { + bio_io_error(bio); + return BLK_QC_T_NONE; + } ++ ++ blk_queue_split(&bio); ++ + if (mddev->ro == 1 && unlikely(rw == WRITE)) { + if (bio_sectors(bio) != 0) + bio->bi_status = BLK_STS_IOERR; +-- +2.27.0 + diff --git a/queue/media-cros-ec-cec-do-not-bail-on-device_init_wakeup-.patch b/queue/media-cros-ec-cec-do-not-bail-on-device_init_wakeup-.patch new file mode 100644 index 00000000..30c3f758 --- /dev/null +++ b/queue/media-cros-ec-cec-do-not-bail-on-device_init_wakeup-.patch @@ -0,0 +1,44 @@ +From 6f01dfb760c027d5dd6199d91ee9599f2676b5c6 Mon Sep 17 00:00:00 2001 +From: Dariusz Marcinkiewicz <darekm@google.com> +Date: Mon, 22 Jun 2020 13:46:36 +0200 +Subject: [PATCH] media: cros-ec-cec: do not bail on device_init_wakeup failure + +commit 6f01dfb760c027d5dd6199d91ee9599f2676b5c6 upstream. + +Do not fail probing when device_init_wakeup fails. + +device_init_wakeup fails when the device is already enabled as wakeup +device. Hence, the driver fails to probe the device if: +- The device has already been enabled for wakeup (by e.g. sysfs) +- The driver has been unloaded and is being loaded again. + +This goal of the patch is to fix the above cases. + +Overwhelming majority of the drivers do not check device_init_wakeup +return code. + +Fixes: cd70de2d356ee ("media: platform: Add ChromeOS EC CEC driver") +Signed-off-by: Dariusz Marcinkiewicz <darekm@google.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> + +diff --git a/drivers/media/cec/platform/cros-ec/cros-ec-cec.c b/drivers/media/cec/platform/cros-ec/cros-ec-cec.c +index 0e7e2772f08f..2d95e16cd248 100644 +--- a/drivers/media/cec/platform/cros-ec/cros-ec-cec.c ++++ b/drivers/media/cec/platform/cros-ec/cros-ec-cec.c +@@ -277,11 +277,7 @@ static int cros_ec_cec_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, cros_ec_cec); + cros_ec_cec->cros_ec = cros_ec; + +- ret = device_init_wakeup(&pdev->dev, 1); +- if (ret) { +- dev_err(&pdev->dev, "failed to initialize wakeup\n"); +- return ret; +- } ++ device_init_wakeup(&pdev->dev, 1); + + cros_ec_cec->adap = cec_allocate_adapter(&cros_ec_cec_ops, cros_ec_cec, + DRV_NAME, +-- +2.27.0 + diff --git a/queue/media-cxusb-analog-fix-V4L2-dependency.patch b/queue/media-cxusb-analog-fix-V4L2-dependency.patch new file mode 100644 index 00000000..930fc1a7 --- /dev/null +++ b/queue/media-cxusb-analog-fix-V4L2-dependency.patch @@ -0,0 +1,42 @@ +From 1a55caf010c46d4f2073f9e92e97ef65358c16bf Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann <arnd@arndb.de> +Date: Thu, 7 May 2020 23:33:14 +0200 +Subject: [PATCH] media: cxusb-analog: fix V4L2 dependency + +commit 1a55caf010c46d4f2073f9e92e97ef65358c16bf upstream. + +CONFIG_DVB_USB_CXUSB_ANALOG is a 'bool' symbol with a dependency on the +tristate CONFIG_VIDEO_V4L2, which means it can be enabled as =y even +when its dependency is =m. This leads to a link failure: + +drivers/media/usb/dvb-usb/cxusb-analog.o: In function `cxusb_medion_analog_init': +cxusb-analog.c:(.text+0x92): undefined reference to `v4l2_subdev_call_wrappers' +drivers/media/usb/dvb-usb/cxusb-analog.o: In function `cxusb_medion_register_analog': +cxusb-analog.c:(.text+0x466): undefined reference to `v4l2_device_register' +cxusb-analog.c:(.text+0x4c3): undefined reference to `v4l2_i2c_new_subdev' +cxusb-analog.c:(.text+0x4fb): undefined reference to `v4l2_subdev_call_wrappers' +... + +Change the dependency only disallow the analog portion of the driver +in that configuration. + +Fixes: e478d4054054 ("media: cxusb: add analog mode support for Medion MD95700") +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: Sean Young <sean@mess.org> +Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> + +diff --git a/drivers/media/usb/dvb-usb/Kconfig b/drivers/media/usb/dvb-usb/Kconfig +index 15d29c91662f..25ba03edcb5c 100644 +--- a/drivers/media/usb/dvb-usb/Kconfig ++++ b/drivers/media/usb/dvb-usb/Kconfig +@@ -151,6 +151,7 @@ config DVB_USB_CXUSB + config DVB_USB_CXUSB_ANALOG + bool "Analog support for the Conexant USB2.0 hybrid reference design" + depends on DVB_USB_CXUSB && VIDEO_V4L2 ++ depends on VIDEO_V4L2=y || VIDEO_V4L2=DVB_USB_CXUSB + select VIDEO_CX25840 + select VIDEOBUF2_VMALLOC + help +-- +2.27.0 + diff --git a/queue/media-exynos4-is-Add-missed-check-for-pinctrl_lookup.patch b/queue/media-exynos4-is-Add-missed-check-for-pinctrl_lookup.patch new file mode 100644 index 00000000..f847a298 --- /dev/null +++ b/queue/media-exynos4-is-Add-missed-check-for-pinctrl_lookup.patch @@ -0,0 +1,33 @@ +From 18ffec750578f7447c288647d7282c7d12b1d969 Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan <hslester96@gmail.com> +Date: Thu, 28 May 2020 08:41:47 +0200 +Subject: [PATCH] media: exynos4-is: Add missed check for + pinctrl_lookup_state() + +commit 18ffec750578f7447c288647d7282c7d12b1d969 upstream. + +fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state(). +Add the missed check to fix it. + +Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]") +Signed-off-by: Chuhong Yuan <hslester96@gmail.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 96e336b19cc3..16dd660137a8 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1270,6 +1270,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); ++ if (IS_ERR(pctl->state_idle)) ++ return PTR_ERR(pctl->state_idle); ++ + return 0; + } + +-- +2.27.0 + diff --git a/queue/media-firewire-Using-uninitialized-values-in-node_pr.patch b/queue/media-firewire-Using-uninitialized-values-in-node_pr.patch new file mode 100644 index 00000000..9536f00f --- /dev/null +++ b/queue/media-firewire-Using-uninitialized-values-in-node_pr.patch @@ -0,0 +1,34 @@ +From 2505a210fc126599013aec2be741df20aaacc490 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Fri, 8 May 2020 16:40:22 +0200 +Subject: [PATCH] media: firewire: Using uninitialized values in node_probe() + +commit 2505a210fc126599013aec2be741df20aaacc490 upstream. + +If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So +then the "strlen(model_names[i]) <= name_len" is true because strlen() +is unsigned and -ENOENT is type promoted to a very high positive value. +Then the "strncmp(name, model_names[i], name_len)" uses uninitialized +data because "name" is uninitialized. + +Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> + +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index 97144734eb05..3f1ca40b9b98 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -272,6 +272,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); ++ if (name_len < 0) ++ return name_len; + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +-- +2.27.0 + diff --git a/queue/media-marvell-ccic-Add-missed-v4l2_async_notifier_cl.patch b/queue/media-marvell-ccic-Add-missed-v4l2_async_notifier_cl.patch new file mode 100644 index 00000000..b0e3ec25 --- /dev/null +++ b/queue/media-marvell-ccic-Add-missed-v4l2_async_notifier_cl.patch @@ -0,0 +1,39 @@ +From 4603a5b4a87ccd6fb90cbfa10195291cfcf6ba34 Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan <hslester96@gmail.com> +Date: Wed, 3 Jun 2020 18:40:48 +0200 +Subject: [PATCH] media: marvell-ccic: Add missed v4l2_async_notifier_cleanup() + +commit 4603a5b4a87ccd6fb90cbfa10195291cfcf6ba34 upstream. + +mccic_register() forgets to cleanup the notifier in its error handler. +mccic_shutdown() also misses calling v4l2_async_notifier_cleanup(). +Add the missed calls to fix them. + +Fixes: 3eefe36cc00c ("media: marvell-ccic: use async notifier to get the sensor") +Signed-off-by: Chuhong Yuan <hslester96@gmail.com> +Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> + +diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c +index 09775b6624c6..326e79b8531c 100644 +--- a/drivers/media/platform/marvell-ccic/mcam-core.c ++++ b/drivers/media/platform/marvell-ccic/mcam-core.c +@@ -1940,6 +1940,7 @@ int mccic_register(struct mcam_camera *cam) + out: + v4l2_async_notifier_unregister(&cam->notifier); + v4l2_device_unregister(&cam->v4l2_dev); ++ v4l2_async_notifier_cleanup(&cam->notifier); + return ret; + } + EXPORT_SYMBOL_GPL(mccic_register); +@@ -1961,6 +1962,7 @@ void mccic_shutdown(struct mcam_camera *cam) + v4l2_ctrl_handler_free(&cam->ctrl_handler); + v4l2_async_notifier_unregister(&cam->notifier); + v4l2_device_unregister(&cam->v4l2_dev); ++ v4l2_async_notifier_cleanup(&cam->notifier); + } + EXPORT_SYMBOL_GPL(mccic_shutdown); + +-- +2.27.0 + diff --git a/queue/media-media-request-Fix-crash-if-memory-allocation-f.patch b/queue/media-media-request-Fix-crash-if-memory-allocation-f.patch new file mode 100644 index 00000000..af67a68d --- /dev/null +++ b/queue/media-media-request-Fix-crash-if-memory-allocation-f.patch @@ -0,0 +1,116 @@ +From e30cc79cc80fd919b697a15c5000d9f57487de8e Mon Sep 17 00:00:00 2001 +From: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> +Date: Sun, 21 Jun 2020 13:30:40 +0200 +Subject: [PATCH] media: media-request: Fix crash if memory allocation fails + +commit e30cc79cc80fd919b697a15c5000d9f57487de8e upstream. + +Syzbot reports a NULL-ptr deref in the kref_put() call: + +BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline] + kref_put include/linux/kref.h:64 [inline] + media_request_put drivers/media/mc/mc-request.c:81 [inline] + media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89 + __fput+0x2ed/0x750 fs/file_table.c:281 + task_work_run+0x147/0x1d0 kernel/task_work.c:123 + tracehook_notify_resume include/linux/tracehook.h:188 [inline] + exit_to_usermode_loop arch/x86/entry/common.c:165 [inline] + prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196 + +What led to this crash was an injected memory allocation failure in +media_request_alloc(): + +FAULT_INJECTION: forcing a failure. +name failslab, interval 1, probability 0, space 0, times 0 + should_failslab+0x5/0x20 + kmem_cache_alloc_trace+0x57/0x300 + ? anon_inode_getfile+0xe5/0x170 + media_request_alloc+0x339/0x440 + media_device_request_alloc+0x94/0xc0 + media_device_ioctl+0x1fb/0x330 + ? do_vfs_ioctl+0x6ea/0x1a00 + ? media_ioctl+0x101/0x120 + ? __media_device_usb_init+0x430/0x430 + ? media_poll+0x110/0x110 + __se_sys_ioctl+0xf9/0x160 + do_syscall_64+0xf3/0x1b0 + +When that allocation fails, filp->private_data is left uninitialized +which media_request_close() does not expect and crashes. + +To avoid this, reorder media_request_alloc() such that +allocating the struct file happens as the last step thus +media_request_close() will no longer get called for a partially created +media request. + +Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> +Fixes: 10905d70d788 ("media: media-request: implement media requests") +Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> + +diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c +index e3fca436c75b..c0782fd96c59 100644 +--- a/drivers/media/mc/mc-request.c ++++ b/drivers/media/mc/mc-request.c +@@ -296,9 +296,18 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) + if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free)) + return -ENOMEM; + ++ if (mdev->ops->req_alloc) ++ req = mdev->ops->req_alloc(mdev); ++ else ++ req = kzalloc(sizeof(*req), GFP_KERNEL); ++ if (!req) ++ return -ENOMEM; ++ + fd = get_unused_fd_flags(O_CLOEXEC); +- if (fd < 0) +- return fd; ++ if (fd < 0) { ++ ret = fd; ++ goto err_free_req; ++ } + + filp = anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC); + if (IS_ERR(filp)) { +@@ -306,15 +315,6 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) + goto err_put_fd; + } + +- if (mdev->ops->req_alloc) +- req = mdev->ops->req_alloc(mdev); +- else +- req = kzalloc(sizeof(*req), GFP_KERNEL); +- if (!req) { +- ret = -ENOMEM; +- goto err_fput; +- } +- + filp->private_data = req; + req->mdev = mdev; + req->state = MEDIA_REQUEST_STATE_IDLE; +@@ -336,12 +336,15 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) + + return 0; + +-err_fput: +- fput(filp); +- + err_put_fd: + put_unused_fd(fd); + ++err_free_req: ++ if (mdev->ops->req_free) ++ mdev->ops->req_free(req); ++ else ++ kfree(req); ++ + return ret; + } + +-- +2.27.0 + diff --git a/queue/media-omap3isp-Add-missed-v4l2_ctrl_handler_free-for.patch b/queue/media-omap3isp-Add-missed-v4l2_ctrl_handler_free-for.patch new file mode 100644 index 00000000..2b99b681 --- /dev/null +++ b/queue/media-omap3isp-Add-missed-v4l2_ctrl_handler_free-for.patch @@ -0,0 +1,43 @@ +From dc7690a73017e1236202022e26a6aa133f239c8c Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan <hslester96@gmail.com> +Date: Wed, 3 Jun 2020 18:41:22 +0200 +Subject: [PATCH] media: omap3isp: Add missed v4l2_ctrl_handler_free() for + preview_init_entities() + +commit dc7690a73017e1236202022e26a6aa133f239c8c upstream. + +preview_init_entities() does not call v4l2_ctrl_handler_free() when +it fails. +Add the missed function to fix it. + +Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") +Signed-off-by: Chuhong Yuan <hslester96@gmail.com> +Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> +Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> + +diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c +index 4dbdf3180d10..607b7685c982 100644 +--- a/drivers/media/platform/omap3isp/isppreview.c ++++ b/drivers/media/platform/omap3isp/isppreview.c +@@ -2287,7 +2287,7 @@ static int preview_init_entities(struct isp_prev_device *prev) + me->ops = &preview_media_ops; + ret = media_entity_pads_init(me, PREV_PADS_NUM, pads); + if (ret < 0) +- return ret; ++ goto error_handler_free; + + preview_init_formats(sd, NULL); + +@@ -2320,6 +2320,8 @@ static int preview_init_entities(struct isp_prev_device *prev) + omap3isp_video_cleanup(&prev->video_in); + error_video_in: + media_entity_cleanup(&prev->subdev.entity); ++error_handler_free: ++ v4l2_ctrl_handler_free(&prev->ctrls); + return ret; + } + +-- +2.27.0 + diff --git a/queue/mm-mmap.c-Add-cond_resched-for-exit_mmap-CPU-stalls.patch b/queue/mm-mmap.c-Add-cond_resched-for-exit_mmap-CPU-stalls.patch new file mode 100644 index 00000000..3e8d37d6 --- /dev/null +++ b/queue/mm-mmap.c-Add-cond_resched-for-exit_mmap-CPU-stalls.patch @@ -0,0 +1,77 @@ +From 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" <paulmck@kernel.org> +Date: Thu, 16 Apr 2020 16:46:10 -0700 +Subject: [PATCH] mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls + +commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 upstream. + +A large process running on a heavily loaded system can encounter the +following RCU CPU stall warning: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190 + (t=21013 jiffies g=1005461 q=132576) + NMI backtrace for cpu 3 + CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1 + Hardware name: Wiwynn HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016 + Call Trace: + <IRQ> + dump_stack+0x46/0x60 + nmi_cpu_backtrace.cold.3+0x13/0x50 + ? lapic_can_unplug_cpu.cold.27+0x34/0x34 + nmi_trigger_cpumask_backtrace+0xba/0xca + rcu_dump_cpu_stacks+0x99/0xc7 + rcu_sched_clock_irq.cold.87+0x1aa/0x397 + ? tick_sched_do_timer+0x60/0x60 + update_process_times+0x28/0x60 + tick_sched_timer+0x37/0x70 + __hrtimer_run_queues+0xfe/0x270 + hrtimer_interrupt+0xf4/0x210 + smp_apic_timer_interrupt+0x5e/0x120 + apic_timer_interrupt+0xf/0x20 + </IRQ> + RIP: 0010:kmem_cache_free+0x223/0x300 + Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65 + RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 + RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030 + RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18 + RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff + R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f + R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00 + ? remove_vma+0x4f/0x60 + remove_vma+0x4f/0x60 + exit_mmap+0xd6/0x160 + mmput+0x4a/0x110 + do_exit+0x278/0xae0 + ? syscall_trace_enter+0x1d3/0x2b0 + ? handle_mm_fault+0xaa/0x1c0 + do_group_exit+0x3a/0xa0 + __x64_sys_exit_group+0x14/0x20 + do_syscall_64+0x42/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run +for a very long time given a large process. This commit therefore adds +a cond_resched() to this loop, providing RCU any needed quiescent states. + +Cc: Andrew Morton <akpm@linux-foundation.org> +Cc: <linux-mm@kvack.org> +Reviewed-by: Shakeel Butt <shakeelb@google.com> +Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org> +Signed-off-by: Paul E. McKenney <paulmck@kernel.org> + +diff --git a/mm/mmap.c b/mm/mmap.c +index 59a4682ebf3f..972f839c6ec8 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -3159,6 +3159,7 @@ void exit_mmap(struct mm_struct *mm) + if (vma->vm_flags & VM_ACCOUNT) + nr_accounted += vma_pages(vma); + vma = remove_vma(vma); ++ cond_resched(); + } + vm_unacct_memory(nr_accounted); + } +-- +2.27.0 + diff --git a/queue/mmc-sdhci-cadence-do-not-use-hardware-tuning-for-SD-.patch b/queue/mmc-sdhci-cadence-do-not-use-hardware-tuning-for-SD-.patch new file mode 100644 index 00000000..08a70b5e --- /dev/null +++ b/queue/mmc-sdhci-cadence-do-not-use-hardware-tuning-for-SD-.patch @@ -0,0 +1,189 @@ +From adc40a5179df30421a5537bfeb4545100ab97d5e Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada <yamada.masahiro@socionext.com> +Date: Mon, 20 Jul 2020 15:11:41 +0900 +Subject: [PATCH] mmc: sdhci-cadence: do not use hardware tuning for SD mode + +commit adc40a5179df30421a5537bfeb4545100ab97d5e upstream. + +As commit ef6b75671b5f ("mmc: sdhci-cadence: send tune request twice to +work around errata") stated, this IP has an errata. This commit applies +the second workaround for the SD mode. + +Due to the errata, it is not possible to use the hardware tuning provided +by SDHCI_HOST_CONTROL2. + +Use the software-controlled tuning like the eMMC mode. + +Set sdhci_host_ops::platform_execute_tuning instead of overriding +mmc_host_ops::execute_tuning. + +Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Link: https://lore.kernel.org/r/20200720061141.172944-1-yamada.masahiro@socionext.com +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> + +diff --git a/drivers/mmc/host/sdhci-cadence.c b/drivers/mmc/host/sdhci-cadence.c +index 4a6c9ba82538..4d9f7681817c 100644 +--- a/drivers/mmc/host/sdhci-cadence.c ++++ b/drivers/mmc/host/sdhci-cadence.c +@@ -202,57 +202,6 @@ static u32 sdhci_cdns_get_emmc_mode(struct sdhci_cdns_priv *priv) + return FIELD_GET(SDHCI_CDNS_HRS06_MODE, tmp); + } + +-static void sdhci_cdns_set_uhs_signaling(struct sdhci_host *host, +- unsigned int timing) +-{ +- struct sdhci_cdns_priv *priv = sdhci_cdns_priv(host); +- u32 mode; +- +- switch (timing) { +- case MMC_TIMING_MMC_HS: +- mode = SDHCI_CDNS_HRS06_MODE_MMC_SDR; +- break; +- case MMC_TIMING_MMC_DDR52: +- mode = SDHCI_CDNS_HRS06_MODE_MMC_DDR; +- break; +- case MMC_TIMING_MMC_HS200: +- mode = SDHCI_CDNS_HRS06_MODE_MMC_HS200; +- break; +- case MMC_TIMING_MMC_HS400: +- if (priv->enhanced_strobe) +- mode = SDHCI_CDNS_HRS06_MODE_MMC_HS400ES; +- else +- mode = SDHCI_CDNS_HRS06_MODE_MMC_HS400; +- break; +- default: +- mode = SDHCI_CDNS_HRS06_MODE_SD; +- break; +- } +- +- sdhci_cdns_set_emmc_mode(priv, mode); +- +- /* For SD, fall back to the default handler */ +- if (mode == SDHCI_CDNS_HRS06_MODE_SD) +- sdhci_set_uhs_signaling(host, timing); +-} +- +-static const struct sdhci_ops sdhci_cdns_ops = { +- .set_clock = sdhci_set_clock, +- .get_timeout_clock = sdhci_cdns_get_timeout_clock, +- .set_bus_width = sdhci_set_bus_width, +- .reset = sdhci_reset, +- .set_uhs_signaling = sdhci_cdns_set_uhs_signaling, +-}; +- +-static const struct sdhci_pltfm_data sdhci_cdns_uniphier_pltfm_data = { +- .ops = &sdhci_cdns_ops, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, +-}; +- +-static const struct sdhci_pltfm_data sdhci_cdns_pltfm_data = { +- .ops = &sdhci_cdns_ops, +-}; +- + static int sdhci_cdns_set_tune_val(struct sdhci_host *host, unsigned int val) + { + struct sdhci_cdns_priv *priv = sdhci_cdns_priv(host); +@@ -286,23 +235,24 @@ static int sdhci_cdns_set_tune_val(struct sdhci_host *host, unsigned int val) + return 0; + } + +-static int sdhci_cdns_execute_tuning(struct mmc_host *mmc, u32 opcode) ++/* ++ * In SD mode, software must not use the hardware tuning and instead perform ++ * an almost identical procedure to eMMC. ++ */ ++static int sdhci_cdns_execute_tuning(struct sdhci_host *host, u32 opcode) + { +- struct sdhci_host *host = mmc_priv(mmc); + int cur_streak = 0; + int max_streak = 0; + int end_of_streak = 0; + int i; + + /* +- * This handler only implements the eMMC tuning that is specific to +- * this controller. Fall back to the standard method for SD timing. ++ * Do not execute tuning for UHS_SDR50 or UHS_DDR50. ++ * The delay is set by probe, based on the DT properties. + */ +- if (host->timing != MMC_TIMING_MMC_HS200) +- return sdhci_execute_tuning(mmc, opcode); +- +- if (WARN_ON(opcode != MMC_SEND_TUNING_BLOCK_HS200)) +- return -EINVAL; ++ if (host->timing != MMC_TIMING_MMC_HS200 && ++ host->timing != MMC_TIMING_UHS_SDR104) ++ return 0; + + for (i = 0; i < SDHCI_CDNS_MAX_TUNING_LOOP; i++) { + if (sdhci_cdns_set_tune_val(host, i) || +@@ -325,6 +275,58 @@ static int sdhci_cdns_execute_tuning(struct mmc_host *mmc, u32 opcode) + return sdhci_cdns_set_tune_val(host, end_of_streak - max_streak / 2); + } + ++static void sdhci_cdns_set_uhs_signaling(struct sdhci_host *host, ++ unsigned int timing) ++{ ++ struct sdhci_cdns_priv *priv = sdhci_cdns_priv(host); ++ u32 mode; ++ ++ switch (timing) { ++ case MMC_TIMING_MMC_HS: ++ mode = SDHCI_CDNS_HRS06_MODE_MMC_SDR; ++ break; ++ case MMC_TIMING_MMC_DDR52: ++ mode = SDHCI_CDNS_HRS06_MODE_MMC_DDR; ++ break; ++ case MMC_TIMING_MMC_HS200: ++ mode = SDHCI_CDNS_HRS06_MODE_MMC_HS200; ++ break; ++ case MMC_TIMING_MMC_HS400: ++ if (priv->enhanced_strobe) ++ mode = SDHCI_CDNS_HRS06_MODE_MMC_HS400ES; ++ else ++ mode = SDHCI_CDNS_HRS06_MODE_MMC_HS400; ++ break; ++ default: ++ mode = SDHCI_CDNS_HRS06_MODE_SD; ++ break; ++ } ++ ++ sdhci_cdns_set_emmc_mode(priv, mode); ++ ++ /* For SD, fall back to the default handler */ ++ if (mode == SDHCI_CDNS_HRS06_MODE_SD) ++ sdhci_set_uhs_signaling(host, timing); ++} ++ ++static const struct sdhci_ops sdhci_cdns_ops = { ++ .set_clock = sdhci_set_clock, ++ .get_timeout_clock = sdhci_cdns_get_timeout_clock, ++ .set_bus_width = sdhci_set_bus_width, ++ .reset = sdhci_reset, ++ .platform_execute_tuning = sdhci_cdns_execute_tuning, ++ .set_uhs_signaling = sdhci_cdns_set_uhs_signaling, ++}; ++ ++static const struct sdhci_pltfm_data sdhci_cdns_uniphier_pltfm_data = { ++ .ops = &sdhci_cdns_ops, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++}; ++ ++static const struct sdhci_pltfm_data sdhci_cdns_pltfm_data = { ++ .ops = &sdhci_cdns_ops, ++}; ++ + static void sdhci_cdns_hs400_enhanced_strobe(struct mmc_host *mmc, + struct mmc_ios *ios) + { +@@ -385,7 +387,6 @@ static int sdhci_cdns_probe(struct platform_device *pdev) + priv->hrs_addr = host->ioaddr; + priv->enhanced_strobe = false; + host->ioaddr += SDHCI_CDNS_SRS_BASE; +- host->mmc_host_ops.execute_tuning = sdhci_cdns_execute_tuning; + host->mmc_host_ops.hs400_enhanced_strobe = + sdhci_cdns_hs400_enhanced_strobe; + sdhci_enable_v4_mode(host); +-- +2.27.0 + diff --git a/queue/mmc-sdhci-pci-o2micro-Bug-fix-for-O2-host-controller.patch b/queue/mmc-sdhci-pci-o2micro-Bug-fix-for-O2-host-controller.patch new file mode 100644 index 00000000..8b62c517 --- /dev/null +++ b/queue/mmc-sdhci-pci-o2micro-Bug-fix-for-O2-host-controller.patch @@ -0,0 +1,37 @@ +From cdd2b769789ae1a030e1a26f6c37c5833cabcb34 Mon Sep 17 00:00:00 2001 +From: shirley her <shirley.her@bayhubtech.com> +Date: Mon, 20 Jul 2020 18:17:33 -0700 +Subject: [PATCH] mmc: sdhci-pci-o2micro: Bug fix for O2 host controller + Seabird1 + +commit cdd2b769789ae1a030e1a26f6c37c5833cabcb34 upstream. + +To fix support for the O2 host controller Seabird1, set the quirk +SDHCI_QUIRK2_PRESET_VALUE_BROKEN and the capability bit MMC_CAP2_NO_SDIO. +Moreover, assign the ->get_cd() callback. + +Signed-off-by: Shirley Her <shirley.her@bayhubtech.com> +Link: https://lore.kernel.org/r/20200721011733.8416-1-shirley.her@bayhubtech.com +[Ulf: Updated the commit message] +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> + +diff --git a/drivers/mmc/host/sdhci-pci-o2micro.c b/drivers/mmc/host/sdhci-pci-o2micro.c +index e2a846885902..ed3c605fcf0c 100644 +--- a/drivers/mmc/host/sdhci-pci-o2micro.c ++++ b/drivers/mmc/host/sdhci-pci-o2micro.c +@@ -561,6 +561,12 @@ static int sdhci_pci_o2_probe_slot(struct sdhci_pci_slot *slot) + slot->host->mmc_host_ops.get_cd = sdhci_o2_get_cd; + } + ++ if (chip->pdev->device == PCI_DEVICE_ID_O2_SEABIRD1) { ++ slot->host->mmc_host_ops.get_cd = sdhci_o2_get_cd; ++ host->mmc->caps2 |= MMC_CAP2_NO_SDIO; ++ host->quirks2 |= SDHCI_QUIRK2_PRESET_VALUE_BROKEN; ++ } ++ + host->mmc_host_ops.execute_tuning = sdhci_o2_execute_tuning; + + if (chip->pdev->device != PCI_DEVICE_ID_O2_FUJIN2) +-- +2.27.0 + diff --git a/queue/mt76-mt7615-fix-potential-memory-leak-in-mcu-message.patch b/queue/mt76-mt7615-fix-potential-memory-leak-in-mcu-message.patch new file mode 100644 index 00000000..ee9d1582 --- /dev/null +++ b/queue/mt76-mt7615-fix-potential-memory-leak-in-mcu-message.patch @@ -0,0 +1,43 @@ +From 9248c08c3fc4ef816c82aa49d01123f4746d349f Mon Sep 17 00:00:00 2001 +From: Sean Wang <sean.wang@mediatek.com> +Date: Wed, 8 Jul 2020 03:16:48 +0800 +Subject: [PATCH] mt76: mt7615: fix potential memory leak in mcu message + handler + +commit 9248c08c3fc4ef816c82aa49d01123f4746d349f upstream. + +Fix potential memory leak in mcu message handler on error condition. + +Fixes: 0e6a29e477f3 ("mt76: mt7615: add support to read temperature from mcu") +Acked-by: Lorenzo Bianconi <lorenzo@kernel.org> +Signed-off-by: Sean Wang <sean.wang@mediatek.com> +Signed-off-by: Felix Fietkau <nbd@nbd.name> + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +index 2e9e0002331e..83e29ee7b08b 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +@@ -183,8 +183,10 @@ mt7615_mcu_parse_response(struct mt7615_dev *dev, int cmd, + struct mt7615_mcu_rxd *rxd = (struct mt7615_mcu_rxd *)skb->data; + int ret = 0; + +- if (seq != rxd->seq) +- return -EAGAIN; ++ if (seq != rxd->seq) { ++ ret = -EAGAIN; ++ goto out; ++ } + + switch (cmd) { + case MCU_CMD_PATCH_SEM_CONTROL: +@@ -215,6 +217,7 @@ mt7615_mcu_parse_response(struct mt7615_dev *dev, int cmd, + default: + break; + } ++out: + dev_kfree_skb(skb); + + return ret; +-- +2.27.0 + diff --git a/queue/mtd-rawnand-qcom-avoid-write-to-unavailable-register.patch b/queue/mtd-rawnand-qcom-avoid-write-to-unavailable-register.patch new file mode 100644 index 00000000..56d49707 --- /dev/null +++ b/queue/mtd-rawnand-qcom-avoid-write-to-unavailable-register.patch @@ -0,0 +1,66 @@ +From 443440cc4a901af462239d286cd10721aa1c7dfc Mon Sep 17 00:00:00 2001 +From: Sivaprakash Murugesan <sivaprak@codeaurora.org> +Date: Fri, 12 Jun 2020 13:28:15 +0530 +Subject: [PATCH] mtd: rawnand: qcom: avoid write to unavailable register + +commit 443440cc4a901af462239d286cd10721aa1c7dfc upstream. + +SFLASHC_BURST_CFG is only available on older ipq NAND platforms, this +register has been removed when the NAND controller got implemented in +the qpic controller. + +Avoid writing this register on devices which are based on qpic NAND +controller. + +Fixes: dce84760b09f ("mtd: nand: qcom: Support for IPQ8074 QPIC NAND controller") +Cc: stable@vger.kernel.org +Signed-off-by: Sivaprakash Murugesan <sivaprak@codeaurora.org> +Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> +Link: https://lore.kernel.org/linux-mtd/1591948696-16015-2-git-send-email-sivaprak@codeaurora.org + +diff --git a/drivers/mtd/nand/raw/qcom_nandc.c b/drivers/mtd/nand/raw/qcom_nandc.c +index f1daf330951b..78b5f211598c 100644 +--- a/drivers/mtd/nand/raw/qcom_nandc.c ++++ b/drivers/mtd/nand/raw/qcom_nandc.c +@@ -459,11 +459,13 @@ struct qcom_nand_host { + * among different NAND controllers. + * @ecc_modes - ecc mode for NAND + * @is_bam - whether NAND controller is using BAM ++ * @is_qpic - whether NAND CTRL is part of qpic IP + * @dev_cmd_reg_start - NAND_DEV_CMD_* registers starting offset + */ + struct qcom_nandc_props { + u32 ecc_modes; + bool is_bam; ++ bool is_qpic; + u32 dev_cmd_reg_start; + }; + +@@ -2774,7 +2776,8 @@ static int qcom_nandc_setup(struct qcom_nand_controller *nandc) + u32 nand_ctrl; + + /* kill onenand */ +- nandc_write(nandc, SFLASHC_BURST_CFG, 0); ++ if (!nandc->props->is_qpic) ++ nandc_write(nandc, SFLASHC_BURST_CFG, 0); + nandc_write(nandc, dev_cmd_reg_addr(nandc, NAND_DEV_CMD_VLD), + NAND_DEV_CMD_VLD_VAL); + +@@ -3035,12 +3038,14 @@ static const struct qcom_nandc_props ipq806x_nandc_props = { + static const struct qcom_nandc_props ipq4019_nandc_props = { + .ecc_modes = (ECC_BCH_4BIT | ECC_BCH_8BIT), + .is_bam = true, ++ .is_qpic = true, + .dev_cmd_reg_start = 0x0, + }; + + static const struct qcom_nandc_props ipq8074_nandc_props = { + .ecc_modes = (ECC_BCH_4BIT | ECC_BCH_8BIT), + .is_bam = true, ++ .is_qpic = true, + .dev_cmd_reg_start = 0x7000, + }; + +-- +2.27.0 + diff --git a/queue/mwifiex-Fix-firmware-filename-for-sd8977-chipset.patch b/queue/mwifiex-Fix-firmware-filename-for-sd8977-chipset.patch new file mode 100644 index 00000000..7f64c004 --- /dev/null +++ b/queue/mwifiex-Fix-firmware-filename-for-sd8977-chipset.patch @@ -0,0 +1,36 @@ +From 47fd3ee25e13cc5add48ba2ed71f7ee964b9c3a4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org> +Date: Wed, 3 Jun 2020 10:22:26 +0200 +Subject: [PATCH] mwifiex: Fix firmware filename for sd8977 chipset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 47fd3ee25e13cc5add48ba2ed71f7ee964b9c3a4 upstream. + +Firmware for sd8977 chipset is distributed by Marvell package and also as +part of the linux-firmware repository in filename sdsd8977_combo_v2.bin. + +This patch fixes mwifiex driver to load correct firmware file for sd8977. + +Fixes: 1a0f547831dce ("mwifiex: add support for sd8977 chipset") +Signed-off-by: Pali Rohár <pali@kernel.org> +Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.h b/drivers/net/wireless/marvell/mwifiex/sdio.h +index 71cd8629b28e..0cac2296ed53 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sdio.h ++++ b/drivers/net/wireless/marvell/mwifiex/sdio.h +@@ -36,7 +36,7 @@ + #define SD8897_DEFAULT_FW_NAME "mrvl/sd8897_uapsta.bin" + #define SD8887_DEFAULT_FW_NAME "mrvl/sd8887_uapsta.bin" + #define SD8801_DEFAULT_FW_NAME "mrvl/sd8801_uapsta.bin" +-#define SD8977_DEFAULT_FW_NAME "mrvl/sd8977_uapsta.bin" ++#define SD8977_DEFAULT_FW_NAME "mrvl/sdsd8977_combo_v2.bin" + #define SD8987_DEFAULT_FW_NAME "mrvl/sd8987_uapsta.bin" + #define SD8997_DEFAULT_FW_NAME "mrvl/sd8997_uapsta.bin" + +-- +2.27.0 + diff --git a/queue/mwifiex-Fix-firmware-filename-for-sd8997-chipset.patch b/queue/mwifiex-Fix-firmware-filename-for-sd8997-chipset.patch new file mode 100644 index 00000000..b12041f4 --- /dev/null +++ b/queue/mwifiex-Fix-firmware-filename-for-sd8997-chipset.patch @@ -0,0 +1,36 @@ +From 2e1fcac52a9ea53e5a13a585d48a29a0fb4a9daf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org> +Date: Wed, 3 Jun 2020 10:22:27 +0200 +Subject: [PATCH] mwifiex: Fix firmware filename for sd8997 chipset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 2e1fcac52a9ea53e5a13a585d48a29a0fb4a9daf upstream. + +Firmware for sd8997 chipset is distributed by Marvell package and also as +part of the linux-firmware repository in filename sdsd8997_combo_v4.bin. + +This patch fixes mwifiex driver to load correct firmware file for sd8997. + +Fixes: 6d85ef00d9dfe ("mwifiex: add support for 8997 chipset") +Signed-off-by: Pali Rohár <pali@kernel.org> +Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> + +diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.h b/drivers/net/wireless/marvell/mwifiex/sdio.h +index 0cac2296ed53..8b476b007c5e 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sdio.h ++++ b/drivers/net/wireless/marvell/mwifiex/sdio.h +@@ -38,7 +38,7 @@ + #define SD8801_DEFAULT_FW_NAME "mrvl/sd8801_uapsta.bin" + #define SD8977_DEFAULT_FW_NAME "mrvl/sdsd8977_combo_v2.bin" + #define SD8987_DEFAULT_FW_NAME "mrvl/sd8987_uapsta.bin" +-#define SD8997_DEFAULT_FW_NAME "mrvl/sd8997_uapsta.bin" ++#define SD8997_DEFAULT_FW_NAME "mrvl/sdsd8997_combo_v4.bin" + + #define BLOCK_MODE 1 + #define BYTE_MODE 0 +-- +2.27.0 + diff --git a/queue/mwifiex-Prevent-memory-corruption-handling-keys.patch b/queue/mwifiex-Prevent-memory-corruption-handling-keys.patch new file mode 100644 index 00000000..2b1ca139 --- /dev/null +++ b/queue/mwifiex-Prevent-memory-corruption-handling-keys.patch @@ -0,0 +1,76 @@ +From e18696786548244914f36ec3c46ac99c53df99c3 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 8 Jul 2020 14:58:57 +0300 +Subject: [PATCH] mwifiex: Prevent memory corruption handling keys + +commit e18696786548244914f36ec3c46ac99c53df99c3 upstream. + +The length of the key comes from the network and it's a 16 bit number. It +needs to be capped to prevent a buffer overflow. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +index f21660149f58..962d8bfe6f10 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +@@ -580,6 +580,11 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + { + struct host_cmd_ds_802_11_key_material *key = + &resp->params.key_material; ++ int len; ++ ++ len = le16_to_cpu(key->key_param_set.key_len); ++ if (len > sizeof(key->key_param_set.key)) ++ return -EINVAL; + + if (le16_to_cpu(key->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key->key_param_set.key_info) & KEY_MCAST)) { +@@ -593,9 +598,8 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + + memset(priv->aes_key.key_param_set.key, 0, + sizeof(key->key_param_set.key)); +- priv->aes_key.key_param_set.key_len = key->key_param_set.key_len; +- memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, +- le16_to_cpu(priv->aes_key.key_param_set.key_len)); ++ priv->aes_key.key_param_set.key_len = cpu_to_le16(len); ++ memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len); + + return 0; + } +@@ -610,9 +614,14 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + struct host_cmd_ds_command *resp) + { + struct host_cmd_ds_802_11_key_material_v2 *key_v2; +- __le16 len; ++ int len; + + key_v2 = &resp->params.key_material_v2; ++ ++ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); ++ if (len > WLAN_KEY_LEN_CCMP) ++ return -EINVAL; ++ + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key_v2->key_param_set.key_info) & KEY_MCAST)) { + mwifiex_dbg(priv->adapter, INFO, "info: key: GTK is set\n"); +@@ -628,10 +637,9 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, + WLAN_KEY_LEN_CCMP); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = +- key_v2->key_param_set.key_params.aes.key_len; +- len = priv->aes_key_v2.key_param_set.key_params.aes.key_len; ++ cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +- key_v2->key_param_set.key_params.aes.key, le16_to_cpu(len)); ++ key_v2->key_param_set.key_params.aes.key, len); + + return 0; + } +-- +2.27.0 + diff --git a/queue/net-Fix-potential-memory-leak-in-proto_register.patch b/queue/net-Fix-potential-memory-leak-in-proto_register.patch new file mode 100644 index 00000000..de4c8bbb --- /dev/null +++ b/queue/net-Fix-potential-memory-leak-in-proto_register.patch @@ -0,0 +1,81 @@ +From 0f5907af39137f8183ed536aaa00f322d7365130 Mon Sep 17 00:00:00 2001 +From: Miaohe Lin <linmiaohe@huawei.com> +Date: Mon, 10 Aug 2020 08:16:58 -0400 +Subject: [PATCH] net: Fix potential memory leak in proto_register() + +commit 0f5907af39137f8183ed536aaa00f322d7365130 upstream. + +If we failed to assign proto idx, we free the twsk_slab_name but forget to +free the twsk_slab. Add a helper function tw_prot_cleanup() to free these +together and also use this helper function in proto_unregister(). + +Fixes: b45ce32135d1 ("sock: fix potential memory leak in proto_register()") +Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/sock.c b/net/core/sock.c +index 49cd5ffe673e..c9083ad44ea1 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3406,6 +3406,16 @@ static void sock_inuse_add(struct net *net, int val) + } + #endif + ++static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot) ++{ ++ if (!twsk_prot) ++ return; ++ kfree(twsk_prot->twsk_slab_name); ++ twsk_prot->twsk_slab_name = NULL; ++ kmem_cache_destroy(twsk_prot->twsk_slab); ++ twsk_prot->twsk_slab = NULL; ++} ++ + static void req_prot_cleanup(struct request_sock_ops *rsk_prot) + { + if (!rsk_prot) +@@ -3476,7 +3486,7 @@ int proto_register(struct proto *prot, int alloc_slab) + prot->slab_flags, + NULL); + if (prot->twsk_prot->twsk_slab == NULL) +- goto out_free_timewait_sock_slab_name; ++ goto out_free_timewait_sock_slab; + } + } + +@@ -3484,15 +3494,15 @@ int proto_register(struct proto *prot, int alloc_slab) + ret = assign_proto_idx(prot); + if (ret) { + mutex_unlock(&proto_list_mutex); +- goto out_free_timewait_sock_slab_name; ++ goto out_free_timewait_sock_slab; + } + list_add(&prot->node, &proto_list); + mutex_unlock(&proto_list_mutex); + return ret; + +-out_free_timewait_sock_slab_name: ++out_free_timewait_sock_slab: + if (alloc_slab && prot->twsk_prot) +- kfree(prot->twsk_prot->twsk_slab_name); ++ tw_prot_cleanup(prot->twsk_prot); + out_free_request_sock_slab: + if (alloc_slab) { + req_prot_cleanup(prot->rsk_prot); +@@ -3516,12 +3526,7 @@ void proto_unregister(struct proto *prot) + prot->slab = NULL; + + req_prot_cleanup(prot->rsk_prot); +- +- if (prot->twsk_prot != NULL && prot->twsk_prot->twsk_slab != NULL) { +- kmem_cache_destroy(prot->twsk_prot->twsk_slab); +- kfree(prot->twsk_prot->twsk_slab_name); +- prot->twsk_prot->twsk_slab = NULL; +- } ++ tw_prot_cleanup(prot->twsk_prot); + } + EXPORT_SYMBOL(proto_unregister); + +-- +2.27.0 + diff --git a/queue/net-Set-fput_needed-iff-FDPUT_FPUT-is-set.patch b/queue/net-Set-fput_needed-iff-FDPUT_FPUT-is-set.patch new file mode 100644 index 00000000..47f1052f --- /dev/null +++ b/queue/net-Set-fput_needed-iff-FDPUT_FPUT-is-set.patch @@ -0,0 +1,30 @@ +From ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 Mon Sep 17 00:00:00 2001 +From: Miaohe Lin <linmiaohe@huawei.com> +Date: Thu, 6 Aug 2020 19:53:16 +0800 +Subject: [PATCH] net: Set fput_needed iff FDPUT_FPUT is set + +commit ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 upstream. + +We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed +accordingly. + +Fixes: 00e188ef6a7e ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light") +Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/socket.c b/net/socket.c +index 3c3d6abe4c1e..e08415b4f939 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -500,7 +500,7 @@ static struct socket *sockfd_lookup_light(int fd, int *err, int *fput_needed) + if (f.file) { + sock = sock_from_file(f.file, err); + if (likely(sock)) { +- *fput_needed = f.flags; ++ *fput_needed = f.flags & FDPUT_FPUT; + return sock; + } + fdput(f); +-- +2.27.0 + diff --git a/queue/net-dsa-mv88e6xxx-MV88E6097-does-not-support-jumbo-c.patch b/queue/net-dsa-mv88e6xxx-MV88E6097-does-not-support-jumbo-c.patch new file mode 100644 index 00000000..c2069350 --- /dev/null +++ b/queue/net-dsa-mv88e6xxx-MV88E6097-does-not-support-jumbo-c.patch @@ -0,0 +1,33 @@ +From 0f3c66a3c7b4e8b9f654b3c998e9674376a51b0f Mon Sep 17 00:00:00 2001 +From: Chris Packham <chris.packham@alliedtelesis.co.nz> +Date: Fri, 24 Jul 2020 11:21:20 +1200 +Subject: [PATCH] net: dsa: mv88e6xxx: MV88E6097 does not support jumbo + configuration + +commit 0f3c66a3c7b4e8b9f654b3c998e9674376a51b0f upstream. + +The MV88E6097 chip does not support configuring jumbo frames. Prior to +commit 5f4366660d65 only the 6352, 6351, 6165 and 6320 chips configured +jumbo mode. The refactor accidentally added the function for the 6097. +Remove the erroneous function pointer assignment. + +Fixes: 5f4366660d65 ("net: dsa: mv88e6xxx: Refactor setting of jumbo frames") +Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 6f019955ae42..4ddb6f3035c9 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3494,7 +3494,6 @@ static const struct mv88e6xxx_ops mv88e6097_ops = { + .port_set_frame_mode = mv88e6351_port_set_frame_mode, + .port_set_egress_floods = mv88e6352_port_set_egress_floods, + .port_set_ether_type = mv88e6351_port_set_ether_type, +- .port_set_jumbo_size = mv88e6165_port_set_jumbo_size, + .port_egress_rate_limiting = mv88e6095_port_egress_rate_limiting, + .port_pause_limit = mv88e6097_port_pause_limit, + .port_disable_learn_limit = mv88e6xxx_port_disable_learn_limit, +-- +2.27.0 + diff --git a/queue/net-dsa-rtl8366-Fix-VLAN-semantics.patch b/queue/net-dsa-rtl8366-Fix-VLAN-semantics.patch new file mode 100644 index 00000000..1557b645 --- /dev/null +++ b/queue/net-dsa-rtl8366-Fix-VLAN-semantics.patch @@ -0,0 +1,85 @@ +From 15ab7906cc9290afb006df1bb1074907fbcc7061 Mon Sep 17 00:00:00 2001 +From: Linus Walleij <linus.walleij@linaro.org> +Date: Mon, 27 Jul 2020 01:34:39 +0200 +Subject: [PATCH] net: dsa: rtl8366: Fix VLAN semantics + +commit 15ab7906cc9290afb006df1bb1074907fbcc7061 upstream. + +The RTL8366 would not handle adding new members (ports) to +a VLAN: the code assumed that ->port_vlan_add() was only +called once for a single port. When intializing the +switch with .configure_vlan_while_not_filtering set to +true, the function is called numerous times for adding +all ports to VLAN1, which was something the code could +not handle. + +Alter rtl8366_set_vlan() to just |= new members and +untagged flags to 4k and MC VLAN table entries alike. +This makes it possible to just add new ports to a +VLAN. + +Put in some helpful debug code that can be used to find +any further bugs here. + +Cc: DENG Qingfang <dqfext@gmail.com> +Cc: Mauri Sandberg <sandberg@mailfence.com> +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index 993cf3ac59d9..2997abeecc4a 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -43,18 +43,26 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + int ret; + int i; + ++ dev_dbg(smi->dev, ++ "setting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n", ++ vid, member, untag); ++ + /* Update the 4K table */ + ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); + if (ret) + return ret; + +- vlan4k.member = member; +- vlan4k.untag = untag; ++ vlan4k.member |= member; ++ vlan4k.untag |= untag; + vlan4k.fid = fid; + ret = smi->ops->set_vlan_4k(smi, &vlan4k); + if (ret) + return ret; + ++ dev_dbg(smi->dev, ++ "resulting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n", ++ vid, vlan4k.member, vlan4k.untag); ++ + /* Try to find an existing MC entry for this VID */ + for (i = 0; i < smi->num_vlan_mc; i++) { + struct rtl8366_vlan_mc vlanmc; +@@ -65,11 +73,16 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + + if (vid == vlanmc.vid) { + /* update the MC entry */ +- vlanmc.member = member; +- vlanmc.untag = untag; ++ vlanmc.member |= member; ++ vlanmc.untag |= untag; + vlanmc.fid = fid; + + ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); ++ ++ dev_dbg(smi->dev, ++ "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n", ++ vid, vlanmc.member, vlanmc.untag); ++ + break; + } + } +-- +2.27.0 + diff --git a/queue/net-dsa-rtl8366-Fix-VLAN-set-up.patch b/queue/net-dsa-rtl8366-Fix-VLAN-set-up.patch new file mode 100644 index 00000000..e9e5043f --- /dev/null +++ b/queue/net-dsa-rtl8366-Fix-VLAN-set-up.patch @@ -0,0 +1,61 @@ +From 788abc6d9d278ed6fa1fa94db2098481a04152b7 Mon Sep 17 00:00:00 2001 +From: Linus Walleij <linus.walleij@linaro.org> +Date: Mon, 27 Jul 2020 01:34:40 +0200 +Subject: [PATCH] net: dsa: rtl8366: Fix VLAN set-up + +commit 788abc6d9d278ed6fa1fa94db2098481a04152b7 upstream. + +Alter the rtl8366_vlan_add() to call rtl8366_set_vlan() +inside the loop that goes over all VIDs since we now +properly support calling that function more than once. +Augment the loop to postincrement as this is more +intuitive. + +The loop moved past the last VID but called +rtl8366_set_vlan() with the port number instead of +the VID, assuming a 1-to-1 correspondence between +ports and VIDs. This was also a bug. + +Cc: DENG Qingfang <dqfext@gmail.com> +Cc: Mauri Sandberg <sandberg@mailfence.com> +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index 2997abeecc4a..8f40fbf70a82 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -397,7 +397,7 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + if (dsa_is_dsa_port(ds, port) || dsa_is_cpu_port(ds, port)) + dev_err(smi->dev, "port is DSA or CPU port\n"); + +- for (vid = vlan->vid_begin; vid <= vlan->vid_end; ++vid) { ++ for (vid = vlan->vid_begin; vid <= vlan->vid_end; vid++) { + int pvid_val = 0; + + dev_info(smi->dev, "add VLAN %04x\n", vid); +@@ -420,13 +420,13 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + if (ret < 0) + return; + } +- } + +- ret = rtl8366_set_vlan(smi, port, member, untag, 0); +- if (ret) +- dev_err(smi->dev, +- "failed to set up VLAN %04x", +- vid); ++ ret = rtl8366_set_vlan(smi, vid, member, untag, 0); ++ if (ret) ++ dev_err(smi->dev, ++ "failed to set up VLAN %04x", ++ vid); ++ } + } + EXPORT_SYMBOL_GPL(rtl8366_vlan_add); + +-- +2.27.0 + diff --git a/queue/net-ethernet-aquantia-Fix-wrong-return-value.patch b/queue/net-ethernet-aquantia-Fix-wrong-return-value.patch new file mode 100644 index 00000000..22ea9055 --- /dev/null +++ b/queue/net-ethernet-aquantia-Fix-wrong-return-value.patch @@ -0,0 +1,31 @@ +From 0470a48880f8bc42ce26962b79c7b802c5a695ec Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> +Date: Sun, 2 Aug 2020 19:15:37 +0800 +Subject: [PATCH] net: ethernet: aquantia: Fix wrong return value + +commit 0470a48880f8bc42ce26962b79c7b802c5a695ec upstream. + +In function hw_atl_a0_hw_multicast_list_set(), when an invalid +request is encountered, a negative error code should be returned. + +Fixes: bab6de8fd180b ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions") +Cc: David VomLehn <vomlehn@texas.net> +Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c +index c38a4b8a14cb..611875ef2cd1 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c +@@ -786,7 +786,7 @@ static int hw_atl_a0_hw_multicast_list_set(struct aq_hw_s *self, + int err = 0; + + if (count > (HW_ATL_A0_MAC_MAX - HW_ATL_A0_MAC_MIN)) { +- err = EBADRQC; ++ err = -EBADRQC; + goto err_exit; + } + for (cfg->mc_list_count = 0U; cfg->mc_list_count < count; ++cfg->mc_list_count) { +-- +2.27.0 + diff --git a/queue/net-initialize-fastreuse-on-inet_inherit_port.patch b/queue/net-initialize-fastreuse-on-inet_inherit_port.patch new file mode 100644 index 00000000..98ade422 --- /dev/null +++ b/queue/net-initialize-fastreuse-on-inet_inherit_port.patch @@ -0,0 +1,59 @@ +From d76f3351cea2d927fdf70dd7c06898235035e84e Mon Sep 17 00:00:00 2001 +From: Tim Froidcoeur <tim.froidcoeur@tessares.net> +Date: Tue, 11 Aug 2020 20:33:24 +0200 +Subject: [PATCH] net: initialize fastreuse on inet_inherit_port + +commit d76f3351cea2d927fdf70dd7c06898235035e84e upstream. + +In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or +SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind +behaviour or in the incorrect reuse of a bind. + +the kernel keeps track for each bind_bucket if all sockets in the +bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags. +These flags allow skipping the costly bind_conflict check when possible +(meaning when all sockets have the proper SO_REUSE option). + +For every socket added to a bind_bucket, these flags need to be updated. +As soon as a socket that does not support reuse is added, the flag is +set to false and will never go back to true, unless the bind_bucket is +deleted. + +Note that there is no mechanism to re-evaluate these flags when a socket +is removed (this might make sense when removing a socket that would not +allow reuse; this leaves room for a future patch). + +For this optimization to work, it is mandatory that these flags are +properly initialized and updated. + +When a child socket is created from a listen socket in +__inet_inherit_port, the TPROXY case could create a new bind bucket +without properly initializing these flags, thus preventing the +optimization to work. Alternatively, a socket not allowing reuse could +be added to an existing bind bucket without updating the flags, causing +bind_conflict to never be called as it should. + +Call inet_csk_update_fastreuse when __inet_inherit_port decides to create +a new bind_bucket or use a different bind_bucket than the one of the +listen socket. + +Fixes: 093d282321da ("tproxy: fix hash locking issue when using port redirection in __inet_inherit_port()") +Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net> +Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 4eb4cd8d20dd..239e54474b65 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -163,6 +163,7 @@ int __inet_inherit_port(const struct sock *sk, struct sock *child) + return -ENOMEM; + } + } ++ inet_csk_update_fastreuse(tb, child); + } + inet_bind_hash(child, tb, port); + spin_unlock(&head->lock); +-- +2.27.0 + diff --git a/queue/net-mlx5-DR-Change-push-vlan-action-sequence.patch b/queue/net-mlx5-DR-Change-push-vlan-action-sequence.patch new file mode 100644 index 00000000..7e8007fe --- /dev/null +++ b/queue/net-mlx5-DR-Change-push-vlan-action-sequence.patch @@ -0,0 +1,85 @@ +From b206490940216542c68563699b279eed3c55107c Mon Sep 17 00:00:00 2001 +From: Alex Vesker <valex@mellanox.com> +Date: Mon, 13 Jul 2020 14:09:04 +0300 +Subject: [PATCH] net/mlx5: DR, Change push vlan action sequence + +commit b206490940216542c68563699b279eed3c55107c upstream. + +The DR TX state machine supports the following order: +modify header, push vlan and encapsulation. +Instead fs_dr would pass: +push vlan, modify header and encapsulation. + +The above caused the rule creation to fail on invalid action +sequence provided error. + +Fixes: 6a48faeeca10 ("net/mlx5: Add direct rule fs_cmd implementation") +Signed-off-by: Alex Vesker <valex@mellanox.com> +Reviewed-by: Maor Gottlieb <maorg@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +index 8887b2440c7d..9b08eb557a31 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c +@@ -279,29 +279,9 @@ static int mlx5_cmd_dr_create_fte(struct mlx5_flow_root_namespace *ns, + + /* The order of the actions are must to be keep, only the following + * order is supported by SW steering: +- * TX: push vlan -> modify header -> encap ++ * TX: modify header -> push vlan -> encap + * RX: decap -> pop vlan -> modify header + */ +- if (fte->action.action & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH) { +- tmp_action = create_action_push_vlan(domain, &fte->action.vlan[0]); +- if (!tmp_action) { +- err = -ENOMEM; +- goto free_actions; +- } +- fs_dr_actions[fs_dr_num_actions++] = tmp_action; +- actions[num_actions++] = tmp_action; +- } +- +- if (fte->action.action & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2) { +- tmp_action = create_action_push_vlan(domain, &fte->action.vlan[1]); +- if (!tmp_action) { +- err = -ENOMEM; +- goto free_actions; +- } +- fs_dr_actions[fs_dr_num_actions++] = tmp_action; +- actions[num_actions++] = tmp_action; +- } +- + if (fte->action.action & MLX5_FLOW_CONTEXT_ACTION_DECAP) { + enum mlx5dr_action_reformat_type decap_type = + DR_ACTION_REFORMAT_TYP_TNL_L2_TO_L2; +@@ -354,6 +334,26 @@ static int mlx5_cmd_dr_create_fte(struct mlx5_flow_root_namespace *ns, + actions[num_actions++] = + fte->action.modify_hdr->action.dr_action; + ++ if (fte->action.action & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH) { ++ tmp_action = create_action_push_vlan(domain, &fte->action.vlan[0]); ++ if (!tmp_action) { ++ err = -ENOMEM; ++ goto free_actions; ++ } ++ fs_dr_actions[fs_dr_num_actions++] = tmp_action; ++ actions[num_actions++] = tmp_action; ++ } ++ ++ if (fte->action.action & MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH_2) { ++ tmp_action = create_action_push_vlan(domain, &fte->action.vlan[1]); ++ if (!tmp_action) { ++ err = -ENOMEM; ++ goto free_actions; ++ } ++ fs_dr_actions[fs_dr_num_actions++] = tmp_action; ++ actions[num_actions++] = tmp_action; ++ } ++ + if (delay_encap_set) + actions[num_actions++] = + fte->action.pkt_reformat->action.dr_action; +-- +2.27.0 + diff --git a/queue/net-mlx5-Delete-extra-dump-stack-that-gives-nothing.patch b/queue/net-mlx5-Delete-extra-dump-stack-that-gives-nothing.patch new file mode 100644 index 00000000..ff5939a8 --- /dev/null +++ b/queue/net-mlx5-Delete-extra-dump-stack-that-gives-nothing.patch @@ -0,0 +1,111 @@ +From 6c4e9bcfb48933d533ff975e152757991556294a Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky <leonro@mellanox.com> +Date: Sun, 19 Jul 2020 11:04:30 +0300 +Subject: [PATCH] net/mlx5: Delete extra dump stack that gives nothing + +commit 6c4e9bcfb48933d533ff975e152757991556294a upstream. + +The WARN_*() macros are intended to catch impossible situations +from the SW point of view. They gave a little in case HW<->SW interface +is out-of-sync. + +Such out-of-sync scenario can be due to SW errors that are not part +of this flow or because some HW errors, where dump stack won't help +either. + +This specific WARN_ON() is useless because mlx5_core code is prepared +to handle such situations and will unfold everything correctly while +providing enough information to the users to understand why FS is not +working. + +WARNING: CPU: 0 PID: 3222 at drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:825 connect_fts_in_prio.isra.20+0x1dd/0x260 linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:825 +Kernel panic - not syncing: panic_on_warn set ... +CPU: 0 PID: 3222 Comm: syz-executor861 Not tainted 5.5.0-rc6+ #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack linux/lib/dump_stack.c:77 [inline] + dump_stack+0x94/0xce linux/lib/dump_stack.c:118 + panic+0x234/0x56f linux/kernel/panic.c:221 + __warn+0x1cc/0x1e1 linux/kernel/panic.c:582 + report_bug+0x200/0x310 linux/lib/bug.c:195 + fixup_bug.part.11+0x32/0x80 linux/arch/x86/kernel/traps.c:174 + fixup_bug linux/arch/x86/kernel/traps.c:273 [inline] + do_error_trap+0xd3/0x100 linux/arch/x86/kernel/traps.c:267 + do_invalid_op+0x31/0x40 linux/arch/x86/kernel/traps.c:286 + invalid_op+0x1e/0x30 linux/arch/x86/entry/entry_64.S:1027 +RIP: 0010:connect_fts_in_prio.isra.20+0x1dd/0x260 +linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:825 +Code: 00 00 48 c7 c2 60 8c 31 84 48 c7 c6 00 81 31 84 48 8b 38 e8 3c a8 +cb ff 41 83 fd 01 8b 04 24 0f 8e 29 ff ff ff e8 83 7b bc fe <0f> 0b 8b +04 24 e9 1a ff ff ff 89 04 24 e8 c1 20 e0 fe 8b 04 24 eb +RSP: 0018:ffffc90004bb7858 EFLAGS: 00010293 +RAX: ffff88805de98e80 RBX: 0000000000000c96 RCX: ffffffff827a853d +RDX: 0000000000000000 RSI: 0000000000000000 RDI: fffff52000976efa +RBP: 0000000000000007 R08: ffffed100da060e3 R09: ffffed100da060e3 +R10: 0000000000000001 R11: ffffed100da060e2 R12: dffffc0000000000 +R13: 0000000000000002 R14: ffff8880683a1a10 R15: ffffed100d07bc1c + connect_prev_fts linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:844 [inline] + connect_flow_table linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:975 [inline] + __mlx5_create_flow_table+0x8f8/0x1710 linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:1064 + mlx5_create_flow_table linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:1094 [inline] + mlx5_create_auto_grouped_flow_table+0xe1/0x210 linux/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c:1136 + _get_prio linux/drivers/infiniband/hw/mlx5/main.c:3286 [inline] + get_flow_table+0x2ea/0x760 linux/drivers/infiniband/hw/mlx5/main.c:3376 + mlx5_ib_create_flow+0x331/0x11c0 linux/drivers/infiniband/hw/mlx5/main.c:3896 + ib_uverbs_ex_create_flow+0x13e8/0x1b40 linux/drivers/infiniband/core/uverbs_cmd.c:3311 + ib_uverbs_write+0xaa5/0xdf0 linux/drivers/infiniband/core/uverbs_main.c:769 + __vfs_write+0x7c/0x100 linux/fs/read_write.c:494 + vfs_write+0x168/0x4a0 linux/fs/read_write.c:558 + ksys_write+0xc8/0x200 linux/fs/read_write.c:611 + do_syscall_64+0x9c/0x390 linux/arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45a059 +Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 +f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 +f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fcc17564c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007fcc17564ca0 RCX: 000000000045a059 +RDX: 0000000000000030 RSI: 00000000200003c0 RDI: 0000000000000005 +RBP: 0000000000000007 R08: 0000000000000002 R09: 0000000000003131 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e636c +R13: 0000000000000000 R14: 00000000006e6360 R15: 00007ffdcbdaf6a0 +Dumping ftrace buffer: + (ftrace buffer empty) +Kernel Offset: disabled +Rebooting in 1 seconds.. + +Fixes: f90edfd279f3 ("net/mlx5_core: Connect flow tables") +Reviewed-by: Maor Gottlieb <maorg@mellanox.com> +Reviewed-by: Mark Bloch <markb@mellanox.com> +Signed-off-by: Leon Romanovsky <leonro@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index a10814814856..7e70a8178a46 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -846,18 +846,15 @@ static int connect_fts_in_prio(struct mlx5_core_dev *dev, + { + struct mlx5_flow_root_namespace *root = find_root(&prio->node); + struct mlx5_flow_table *iter; +- int i = 0; + int err; + + fs_for_each_ft(iter, prio) { +- i++; + err = root->cmds->modify_flow_table(root, iter, ft); + if (err) { +- mlx5_core_warn(dev, "Failed to modify flow table %d\n", +- iter->id); ++ mlx5_core_err(dev, ++ "Failed to modify flow table id %d, type %d, err %d\n", ++ iter->id, iter->type, err); + /* The driver is out of sync with the FW */ +- if (i > 1) +- WARN_ON(true); + return err; + } + } +-- +2.27.0 + diff --git a/queue/net-nfc-rawsock.c-add-CAP_NET_RAW-check.patch b/queue/net-nfc-rawsock.c-add-CAP_NET_RAW-check.patch new file mode 100644 index 00000000..d1d2a5c8 --- /dev/null +++ b/queue/net-nfc-rawsock.c-add-CAP_NET_RAW-check.patch @@ -0,0 +1,35 @@ +From 26896f01467a28651f7a536143fe5ac8449d4041 Mon Sep 17 00:00:00 2001 +From: Qingyu Li <ieatmuttonchuan@gmail.com> +Date: Mon, 10 Aug 2020 09:51:00 +0800 +Subject: [PATCH] net/nfc/rawsock.c: add CAP_NET_RAW check. + +commit 26896f01467a28651f7a536143fe5ac8449d4041 upstream. + +When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. + +Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c +index b2061b6746ea..955c195ae14b 100644 +--- a/net/nfc/rawsock.c ++++ b/net/nfc/rawsock.c +@@ -328,10 +328,13 @@ static int rawsock_create(struct net *net, struct socket *sock, + if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) + return -ESOCKTNOSUPPORT; + +- if (sock->type == SOCK_RAW) ++ if (sock->type == SOCK_RAW) { ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + sock->ops = &rawsock_raw_ops; +- else ++ } else { + sock->ops = &rawsock_ops; ++ } + + sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); + if (!sk) +-- +2.27.0 + diff --git a/queue/net-phy-fix-memory-leak-in-device-create-error-path.patch b/queue/net-phy-fix-memory-leak-in-device-create-error-path.patch new file mode 100644 index 00000000..4349a002 --- /dev/null +++ b/queue/net-phy-fix-memory-leak-in-device-create-error-path.patch @@ -0,0 +1,45 @@ +From d02cbc46136105cf86f84ac355e16f04696f538d Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Thu, 6 Aug 2020 17:37:53 +0200 +Subject: [PATCH] net: phy: fix memory leak in device-create error path + +commit d02cbc46136105cf86f84ac355e16f04696f538d upstream. + +A recent commit introduced a late error path in phy_device_create() +which fails to release the device name allocated by dev_set_name(). + +Fixes: 13d0ab6750b2 ("net: phy: check return code when requesting PHY driver module") +Cc: Heiner Kallweit <hkallweit1@gmail.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 1b9523595839..57d44648c8dd 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -615,7 +615,9 @@ struct phy_device *phy_device_create(struct mii_bus *bus, int addr, u32 phy_id, + if (c45_ids) + dev->c45_ids = *c45_ids; + dev->irq = bus->irq[addr]; ++ + dev_set_name(&mdiodev->dev, PHY_ID_FMT, bus->id, addr); ++ device_initialize(&mdiodev->dev); + + dev->state = PHY_DOWN; + +@@ -649,10 +651,8 @@ struct phy_device *phy_device_create(struct mii_bus *bus, int addr, u32 phy_id, + ret = phy_request_driver_module(dev, phy_id); + } + +- if (!ret) { +- device_initialize(&mdiodev->dev); +- } else { +- kfree(dev); ++ if (ret) { ++ put_device(&mdiodev->dev); + dev = ERR_PTR(ret); + } + +-- +2.27.0 + diff --git a/queue/net-refactor-bind_bucket-fastreuse-into-helper.patch b/queue/net-refactor-bind_bucket-fastreuse-into-helper.patch new file mode 100644 index 00000000..69394d79 --- /dev/null +++ b/queue/net-refactor-bind_bucket-fastreuse-into-helper.patch @@ -0,0 +1,154 @@ +From 62ffc589abb176821662efc4525ee4ac0b9c3894 Mon Sep 17 00:00:00 2001 +From: Tim Froidcoeur <tim.froidcoeur@tessares.net> +Date: Tue, 11 Aug 2020 20:33:23 +0200 +Subject: [PATCH] net: refactor bind_bucket fastreuse into helper + +commit 62ffc589abb176821662efc4525ee4ac0b9c3894 upstream. + +Refactor the fastreuse update code in inet_csk_get_port into a small +helper function that can be called from other places. + +Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net> +Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index 1e209ce7d1bd..aa8893c68c50 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -304,6 +304,10 @@ void inet_csk_listen_stop(struct sock *sk); + + void inet_csk_addr2sockaddr(struct sock *sk, struct sockaddr *uaddr); + ++/* update the fast reuse flag when adding a socket */ ++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, ++ struct sock *sk); ++ + struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu); + + #define TCP_PINGPONG_THRESH 3 +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index d1a3913eebe0..b457dd2d6c75 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -296,6 +296,57 @@ static inline int sk_reuseport_match(struct inet_bind_bucket *tb, + ipv6_only_sock(sk), true, false); + } + ++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, ++ struct sock *sk) ++{ ++ kuid_t uid = sock_i_uid(sk); ++ bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN; ++ ++ if (hlist_empty(&tb->owners)) { ++ tb->fastreuse = reuse; ++ if (sk->sk_reuseport) { ++ tb->fastreuseport = FASTREUSEPORT_ANY; ++ tb->fastuid = uid; ++ tb->fast_rcv_saddr = sk->sk_rcv_saddr; ++ tb->fast_ipv6_only = ipv6_only_sock(sk); ++ tb->fast_sk_family = sk->sk_family; ++#if IS_ENABLED(CONFIG_IPV6) ++ tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr; ++#endif ++ } else { ++ tb->fastreuseport = 0; ++ } ++ } else { ++ if (!reuse) ++ tb->fastreuse = 0; ++ if (sk->sk_reuseport) { ++ /* We didn't match or we don't have fastreuseport set on ++ * the tb, but we have sk_reuseport set on this socket ++ * and we know that there are no bind conflicts with ++ * this socket in this tb, so reset our tb's reuseport ++ * settings so that any subsequent sockets that match ++ * our current socket will be put on the fast path. ++ * ++ * If we reset we need to set FASTREUSEPORT_STRICT so we ++ * do extra checking for all subsequent sk_reuseport ++ * socks. ++ */ ++ if (!sk_reuseport_match(tb, sk)) { ++ tb->fastreuseport = FASTREUSEPORT_STRICT; ++ tb->fastuid = uid; ++ tb->fast_rcv_saddr = sk->sk_rcv_saddr; ++ tb->fast_ipv6_only = ipv6_only_sock(sk); ++ tb->fast_sk_family = sk->sk_family; ++#if IS_ENABLED(CONFIG_IPV6) ++ tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr; ++#endif ++ } ++ } else { ++ tb->fastreuseport = 0; ++ } ++ } ++} ++ + /* Obtain a reference to a local port for the given sock, + * if snum is zero it means select any available local port. + * We try to allocate an odd port (and leave even ports for connect()) +@@ -308,7 +359,6 @@ int inet_csk_get_port(struct sock *sk, unsigned short snum) + struct inet_bind_hashbucket *head; + struct net *net = sock_net(sk); + struct inet_bind_bucket *tb = NULL; +- kuid_t uid = sock_i_uid(sk); + int l3mdev; + + l3mdev = inet_sk_bound_l3mdev(sk); +@@ -345,49 +395,8 @@ int inet_csk_get_port(struct sock *sk, unsigned short snum) + goto fail_unlock; + } + success: +- if (hlist_empty(&tb->owners)) { +- tb->fastreuse = reuse; +- if (sk->sk_reuseport) { +- tb->fastreuseport = FASTREUSEPORT_ANY; +- tb->fastuid = uid; +- tb->fast_rcv_saddr = sk->sk_rcv_saddr; +- tb->fast_ipv6_only = ipv6_only_sock(sk); +- tb->fast_sk_family = sk->sk_family; +-#if IS_ENABLED(CONFIG_IPV6) +- tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr; +-#endif +- } else { +- tb->fastreuseport = 0; +- } +- } else { +- if (!reuse) +- tb->fastreuse = 0; +- if (sk->sk_reuseport) { +- /* We didn't match or we don't have fastreuseport set on +- * the tb, but we have sk_reuseport set on this socket +- * and we know that there are no bind conflicts with +- * this socket in this tb, so reset our tb's reuseport +- * settings so that any subsequent sockets that match +- * our current socket will be put on the fast path. +- * +- * If we reset we need to set FASTREUSEPORT_STRICT so we +- * do extra checking for all subsequent sk_reuseport +- * socks. +- */ +- if (!sk_reuseport_match(tb, sk)) { +- tb->fastreuseport = FASTREUSEPORT_STRICT; +- tb->fastuid = uid; +- tb->fast_rcv_saddr = sk->sk_rcv_saddr; +- tb->fast_ipv6_only = ipv6_only_sock(sk); +- tb->fast_sk_family = sk->sk_family; +-#if IS_ENABLED(CONFIG_IPV6) +- tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr; +-#endif +- } +- } else { +- tb->fastreuseport = 0; +- } +- } ++ inet_csk_update_fastreuse(tb, sk); ++ + if (!inet_csk(sk)->icsk_bind_hash) + inet_bind_hash(sk, tb, port); + WARN_ON(inet_csk(sk)->icsk_bind_hash != tb); +-- +2.27.0 + diff --git a/queue/net-spider_net-Fix-the-size-used-in-a-dma_free_coher.patch b/queue/net-spider_net-Fix-the-size-used-in-a-dma_free_coher.patch new file mode 100644 index 00000000..2dc756ab --- /dev/null +++ b/queue/net-spider_net-Fix-the-size-used-in-a-dma_free_coher.patch @@ -0,0 +1,34 @@ +From 36f28f7687a9ce665479cce5d64ce7afaa9e77ae Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Date: Sun, 2 Aug 2020 15:53:33 +0200 +Subject: [PATCH] net: spider_net: Fix the size used in a 'dma_free_coherent()' + call + +commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae upstream. + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()', in +'spider_net_init_chain()'. + +Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing") +Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c +index 3902b3aeb0c2..94267e1f5d30 100644 +--- a/drivers/net/ethernet/toshiba/spider_net.c ++++ b/drivers/net/ethernet/toshiba/spider_net.c +@@ -283,8 +283,8 @@ spider_net_free_chain(struct spider_net_card *card, + descr = descr->next; + } while (descr != chain->ring); + +- dma_free_coherent(&card->pdev->dev, chain->num_desc, +- chain->hwring, chain->dma_addr); ++ dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr), ++ chain->hwring, chain->dma_addr); + } + + /** +-- +2.27.0 + diff --git a/queue/net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch b/queue/net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch new file mode 100644 index 00000000..f5e9863e --- /dev/null +++ b/queue/net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch @@ -0,0 +1,99 @@ +From c1055b76ad00aed0e8b79417080f212d736246b6 Mon Sep 17 00:00:00 2001 +From: Dean Nelson <dnelson@redhat.com> +Date: Wed, 5 Aug 2020 13:18:48 -0500 +Subject: [PATCH] net: thunderx: initialize VF's mailbox mutex before first + usage + +commit c1055b76ad00aed0e8b79417080f212d736246b6 upstream. + +A VF's mailbox mutex is not getting initialized by nicvf_probe() until after +it is first used. And such usage is resulting in... + +[ 28.270927] ------------[ cut here ]------------ +[ 28.270934] DEBUG_LOCKS_WARN_ON(lock->magic != lock) +[ 28.270980] WARNING: CPU: 9 PID: 675 at kernel/locking/mutex.c:938 __mutex_lock+0xdac/0x12f0 +[ 28.270985] Modules linked in: ast(+) nicvf(+) i2c_algo_bit drm_vram_helper drm_ttm_helper ttm nicpf(+) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ixgbe(+) sg thunder_bgx mdio i2c_thunderx mdio_thunder thunder_xcv mdio_cavium dm_mirror dm_region_hash dm_log dm_mod +[ 28.271064] CPU: 9 PID: 675 Comm: systemd-udevd Not tainted 4.18.0+ #1 +[ 28.271070] Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS F02 08/06/2019 +[ 28.271078] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 28.271086] pc : __mutex_lock+0xdac/0x12f0 +[ 28.271092] lr : __mutex_lock+0xdac/0x12f0 +[ 28.271097] sp : ffff800d42146fb0 +[ 28.271103] x29: ffff800d42146fb0 x28: 0000000000000000 +[ 28.271113] x27: ffff800d24361180 x26: dfff200000000000 +[ 28.271122] x25: 0000000000000000 x24: 0000000000000002 +[ 28.271132] x23: ffff20001597cc80 x22: ffff2000139e9848 +[ 28.271141] x21: 0000000000000000 x20: 1ffff001a8428e0c +[ 28.271151] x19: ffff200015d5d000 x18: 1ffff001ae0f2184 +[ 28.271160] x17: 0000000000000000 x16: 0000000000000000 +[ 28.271170] x15: ffff800d70790c38 x14: ffff20001597c000 +[ 28.271179] x13: ffff20001597cc80 x12: ffff040002b2f779 +[ 28.271189] x11: 1fffe40002b2f778 x10: ffff040002b2f778 +[ 28.271199] x9 : 0000000000000000 x8 : 00000000f1f1f1f1 +[ 28.271208] x7 : 00000000f2f2f2f2 x6 : 0000000000000000 +[ 28.271217] x5 : 1ffff001ae0f2186 x4 : 1fffe400027eb03c +[ 28.271227] x3 : dfff200000000000 x2 : ffff1001a8428dbe +[ 28.271237] x1 : c87fdfac7ea11d00 x0 : 0000000000000000 +[ 28.271246] Call trace: +[ 28.271254] __mutex_lock+0xdac/0x12f0 +[ 28.271261] mutex_lock_nested+0x3c/0x50 +[ 28.271297] nicvf_send_msg_to_pf+0x40/0x3a0 [nicvf] +[ 28.271316] nicvf_register_misc_interrupt+0x20c/0x328 [nicvf] +[ 28.271334] nicvf_probe+0x508/0xda0 [nicvf] +[ 28.271344] local_pci_probe+0xc4/0x180 +[ 28.271352] pci_device_probe+0x3ec/0x528 +[ 28.271363] driver_probe_device+0x21c/0xb98 +[ 28.271371] device_driver_attach+0xe8/0x120 +[ 28.271379] __driver_attach+0xe0/0x2a0 +[ 28.271386] bus_for_each_dev+0x118/0x190 +[ 28.271394] driver_attach+0x48/0x60 +[ 28.271401] bus_add_driver+0x328/0x558 +[ 28.271409] driver_register+0x148/0x398 +[ 28.271416] __pci_register_driver+0x14c/0x1b0 +[ 28.271437] nicvf_init_module+0x54/0x10000 [nicvf] +[ 28.271447] do_one_initcall+0x18c/0xc18 +[ 28.271457] do_init_module+0x18c/0x618 +[ 28.271464] load_module+0x2bc0/0x4088 +[ 28.271472] __se_sys_finit_module+0x110/0x188 +[ 28.271479] __arm64_sys_finit_module+0x70/0xa0 +[ 28.271490] el0_svc_handler+0x15c/0x380 +[ 28.271496] el0_svc+0x8/0xc +[ 28.271502] irq event stamp: 52649 +[ 28.271513] hardirqs last enabled at (52649): [<ffff200011b4d790>] _raw_spin_unlock_irqrestore+0xc0/0xd8 +[ 28.271522] hardirqs last disabled at (52648): [<ffff200011b4d3c4>] _raw_spin_lock_irqsave+0x3c/0xf0 +[ 28.271530] softirqs last enabled at (52330): [<ffff200010082af4>] __do_softirq+0xacc/0x117c +[ 28.271540] softirqs last disabled at (52313): [<ffff20001019b354>] irq_exit+0x3cc/0x500 +[ 28.271545] ---[ end trace a9b90324c8a0d4ee ]--- + +This problem is resolved by moving the call to mutex_init() up earlier +in nicvf_probe(). + +Fixes: 609ea65c65a0 ("net: thunderx: add mutex to protect mailbox from concurrent calls for same VF") +Signed-off-by: Dean Nelson <dnelson@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index d22c9d350355..c1378b5c780c 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -2177,6 +2177,9 @@ static int nicvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + nic->max_queues *= 2; + nic->ptp_clock = ptp_clock; + ++ /* Initialize mutex that serializes usage of VF's mailbox */ ++ mutex_init(&nic->rx_mode_mtx); ++ + /* MAP VF's configuration registers */ + nic->reg_base = pcim_iomap(pdev, PCI_CFG_REG_BAR_NUM, 0); + if (!nic->reg_base) { +@@ -2253,7 +2256,6 @@ static int nicvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + INIT_WORK(&nic->rx_mode_work.work, nicvf_set_rx_mode_task); + spin_lock_init(&nic->rx_mode_wq_lock); +- mutex_init(&nic->rx_mode_mtx); + + err = register_netdev(netdev); + if (err) { +-- +2.27.0 + diff --git a/queue/net-tls-Fix-kmap-usage.patch b/queue/net-tls-Fix-kmap-usage.patch new file mode 100644 index 00000000..8dfb8772 --- /dev/null +++ b/queue/net-tls-Fix-kmap-usage.patch @@ -0,0 +1,42 @@ +From b06c19d9f827f6743122795570bfc0c72db482b0 Mon Sep 17 00:00:00 2001 +From: Ira Weiny <ira.weiny@intel.com> +Date: Mon, 10 Aug 2020 17:02:58 -0700 +Subject: [PATCH] net/tls: Fix kmap usage + +commit b06c19d9f827f6743122795570bfc0c72db482b0 upstream. + +When MSG_OOB is specified to tls_device_sendpage() the mapped page is +never unmapped. + +Hold off mapping the page until after the flags are checked and the page +is actually needed. + +Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") +Signed-off-by: Ira Weiny <ira.weiny@intel.com> +Reviewed-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 18fa6067bb7f..b74e2741f74f 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -561,7 +561,7 @@ int tls_device_sendpage(struct sock *sk, struct page *page, + { + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct iov_iter msg_iter; +- char *kaddr = kmap(page); ++ char *kaddr; + struct kvec iov; + int rc; + +@@ -576,6 +576,7 @@ int tls_device_sendpage(struct sock *sk, struct page *page, + goto out; + } + ++ kaddr = kmap(page); + iov.iov_base = kaddr + offset; + iov.iov_len = size; + iov_iter_kvec(&msg_iter, WRITE, &iov, 1, size); +-- +2.27.0 + diff --git a/queue/nvme-add-a-Identify-Namespace-Identification-Descrip.patch b/queue/nvme-add-a-Identify-Namespace-Identification-Descrip.patch new file mode 100644 index 00000000..d32d3051 --- /dev/null +++ b/queue/nvme-add-a-Identify-Namespace-Identification-Descrip.patch @@ -0,0 +1,84 @@ +From 5bedd3afee8eb01ccd256f0cd2cc0fa6f841417a Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig <hch@lst.de> +Date: Tue, 28 Jul 2020 13:09:03 +0200 +Subject: [PATCH] nvme: add a Identify Namespace Identification Descriptor list + quirk + +commit 5bedd3afee8eb01ccd256f0cd2cc0fa6f841417a upstream. + +Add a quirk for a device that does not support the Identify Namespace +Identification Descriptor list despite claiming 1.3 compliance. + +Fixes: ea43d9709f72 ("nvme: fix identify error status silent ignore") +Reported-by: Ingo Brunberg <ingo_brunberg@web.de> +Signed-off-by: Christoph Hellwig <hch@lst.de> +Tested-by: Ingo Brunberg <ingo_brunberg@web.de> +Reviewed-by: Sagi Grimberg <sagi@grimberg.me> + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index add040168e67..4ee2330c603e 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1102,6 +1102,9 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl, unsigned nsid, + int pos; + int len; + ++ if (ctrl->quirks & NVME_QUIRK_NO_NS_DESC_LIST) ++ return 0; ++ + c.identify.opcode = nvme_admin_identify; + c.identify.nsid = cpu_to_le32(nsid); + c.identify.cns = NVME_ID_CNS_NS_DESC_LIST; +@@ -1115,18 +1118,6 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl, unsigned nsid, + if (status) { + dev_warn(ctrl->device, + "Identify Descriptors failed (%d)\n", status); +- /* +- * Don't treat non-retryable errors as fatal, as we potentially +- * already have a NGUID or EUI-64. If we failed with DNR set, +- * we want to silently ignore the error as we can still +- * identify the device, but if the status has DNR set, we want +- * to propagate the error back specifically for the disk +- * revalidation flow to make sure we don't abandon the +- * device just because of a temporal retry-able error (such +- * as path of transport errors). +- */ +- if (status > 0 && (status & NVME_SC_DNR)) +- status = 0; + goto free_data; + } + +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 1de3f9b827aa..09ffc3246f60 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -129,6 +129,13 @@ enum nvme_quirks { + * Don't change the value of the temperature threshold feature + */ + NVME_QUIRK_NO_TEMP_THRESH_CHANGE = (1 << 14), ++ ++ /* ++ * The controller doesn't handle the Identify Namespace ++ * Identification Descriptor list subcommand despite claiming ++ * NVMe 1.3 compliance. ++ */ ++ NVME_QUIRK_NO_NS_DESC_LIST = (1 << 15), + }; + + /* +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 25a187e43dbe..d4b1ff747123 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3099,6 +3099,8 @@ static const struct pci_device_id nvme_id_table[] = { + { PCI_VDEVICE(INTEL, 0x5845), /* Qemu emulated controller */ + .driver_data = NVME_QUIRK_IDENTIFY_CNS | + NVME_QUIRK_DISABLE_WRITE_ZEROES, }, ++ { PCI_DEVICE(0x126f, 0x2263), /* Silicon Motion unidentified */ ++ .driver_data = NVME_QUIRK_NO_NS_DESC_LIST, }, + { PCI_DEVICE(0x1bb1, 0x0100), /* Seagate Nytro Flash Storage */ + .driver_data = NVME_QUIRK_DELAY_BEFORE_CHK_RDY, }, + { PCI_DEVICE(0x1c58, 0x0003), /* HGST adapter */ +-- +2.27.0 + diff --git a/queue/nvme-multipath-do-not-fall-back-to-__nvme_find_path-.patch b/queue/nvme-multipath-do-not-fall-back-to-__nvme_find_path-.patch new file mode 100644 index 00000000..90e35abd --- /dev/null +++ b/queue/nvme-multipath-do-not-fall-back-to-__nvme_find_path-.patch @@ -0,0 +1,43 @@ +From fbd6a42d8932e172921c7de10468a2e12c34846b Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke <hare@suse.de> +Date: Mon, 27 Jul 2020 18:08:03 +0200 +Subject: [PATCH] nvme-multipath: do not fall back to __nvme_find_path() for + non-optimized paths + +commit fbd6a42d8932e172921c7de10468a2e12c34846b upstream. + +When nvme_round_robin_path() finds a valid namespace we should be using it; +falling back to __nvme_find_path() for non-optimized paths will cause the +result from nvme_round_robin_path() to be ignored for non-optimized paths. + +Fixes: 75c10e732724 ("nvme-multipath: round-robin I/O policy") +Signed-off-by: Martin Wilck <mwilck@suse.com> +Signed-off-by: Hannes Reinecke <hare@suse.de> +Reviewed-by: Sagi Grimberg <sagi@grimberg.me> +Signed-off-by: Christoph Hellwig <hch@lst.de> + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 93c70e1591de..3ded54d2c9c6 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -281,10 +281,13 @@ inline struct nvme_ns *nvme_find_path(struct nvme_ns_head *head) + struct nvme_ns *ns; + + ns = srcu_dereference(head->current_path[node], &head->srcu); +- if (READ_ONCE(head->subsys->iopolicy) == NVME_IOPOLICY_RR && ns) +- ns = nvme_round_robin_path(head, node, ns); +- if (unlikely(!ns || !nvme_path_is_optimized(ns))) +- ns = __nvme_find_path(head, node); ++ if (unlikely(!ns)) ++ return __nvme_find_path(head, node); ++ ++ if (READ_ONCE(head->subsys->iopolicy) == NVME_IOPOLICY_RR) ++ return nvme_round_robin_path(head, node, ns); ++ if (unlikely(!nvme_path_is_optimized(ns))) ++ return __nvme_find_path(head, node); + return ns; + } + +-- +2.27.0 + diff --git a/queue/nvme-multipath-fix-logic-for-non-optimized-paths.patch b/queue/nvme-multipath-fix-logic-for-non-optimized-paths.patch new file mode 100644 index 00000000..e364664b --- /dev/null +++ b/queue/nvme-multipath-fix-logic-for-non-optimized-paths.patch @@ -0,0 +1,36 @@ +From 3f6e3246db0e6f92e784965d9d0edb8abe6c6b74 Mon Sep 17 00:00:00 2001 +From: Martin Wilck <mwilck@suse.com> +Date: Mon, 27 Jul 2020 18:08:02 +0200 +Subject: [PATCH] nvme-multipath: fix logic for non-optimized paths + +commit 3f6e3246db0e6f92e784965d9d0edb8abe6c6b74 upstream. + +Handle the special case where we have exactly one optimized path, +which we should keep using in this case. + +Fixes: 75c10e732724 ("nvme-multipath: round-robin I/O policy") +Signed off-by: Martin Wilck <mwilck@suse.com> +Signed-off-by: Hannes Reinecke <hare@suse.de> +Reviewed-by: Sagi Grimberg <sagi@grimberg.me> +Signed-off-by: Christoph Hellwig <hch@lst.de> + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 900b35d47ec7..93c70e1591de 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -255,6 +255,12 @@ static struct nvme_ns *nvme_round_robin_path(struct nvme_ns_head *head, + fallback = ns; + } + ++ /* No optimized path found, re-check the current path */ ++ if (!nvme_path_is_disabled(old) && ++ old->ana_state == NVME_ANA_OPTIMIZED) { ++ found = old; ++ goto out; ++ } + if (!fallback) + return NULL; + found = fallback; +-- +2.27.0 + diff --git a/queue/nvme-rdma-fix-controller-reset-hang-during-traffic.patch b/queue/nvme-rdma-fix-controller-reset-hang-during-traffic.patch new file mode 100644 index 00000000..5a6b3f39 --- /dev/null +++ b/queue/nvme-rdma-fix-controller-reset-hang-during-traffic.patch @@ -0,0 +1,65 @@ +From 9f98772ba307dd89a3d17dc2589f213d3972fc64 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg <sagi@grimberg.me> +Date: Mon, 27 Jul 2020 17:32:09 -0700 +Subject: [PATCH] nvme-rdma: fix controller reset hang during traffic + +commit 9f98772ba307dd89a3d17dc2589f213d3972fc64 upstream. + +commit fe35ec58f0d3 ("block: update hctx map when use multiple maps") +exposed an issue where we may hang trying to wait for queue freeze +during I/O. We call blk_mq_update_nr_hw_queues which in case of multiple +queue maps (which we have now for default/read/poll) is attempting to +freeze the queue. However we never started queue freeze when starting the +reset, which means that we have inflight pending requests that entered the +queue that we will not complete once the queue is quiesced. + +So start a freeze before we quiesce the queue, and unfreeze the queue +after we successfully connected the I/O queues (and make sure to call +blk_mq_update_nr_hw_queues only after we are sure that the queue was +already frozen). + +This follows to how the pci driver handles resets. + +Fixes: fe35ec58f0d3 ("block: update hctx map when use multiple maps") +Signed-off-by: Sagi Grimberg <sagi@grimberg.me> +Signed-off-by: Christoph Hellwig <hch@lst.de> + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 5c3848974ccb..44c76ffbb264 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -967,15 +967,20 @@ static int nvme_rdma_configure_io_queues(struct nvme_rdma_ctrl *ctrl, bool new) + ret = PTR_ERR(ctrl->ctrl.connect_q); + goto out_free_tag_set; + } +- } else { +- blk_mq_update_nr_hw_queues(&ctrl->tag_set, +- ctrl->ctrl.queue_count - 1); + } + + ret = nvme_rdma_start_io_queues(ctrl); + if (ret) + goto out_cleanup_connect_q; + ++ if (!new) { ++ nvme_start_queues(&ctrl->ctrl); ++ nvme_wait_freeze(&ctrl->ctrl); ++ blk_mq_update_nr_hw_queues(ctrl->ctrl.tagset, ++ ctrl->ctrl.queue_count - 1); ++ nvme_unfreeze(&ctrl->ctrl); ++ } ++ + return 0; + + out_cleanup_connect_q: +@@ -1008,6 +1013,7 @@ static void nvme_rdma_teardown_io_queues(struct nvme_rdma_ctrl *ctrl, + bool remove) + { + if (ctrl->ctrl.queue_count > 1) { ++ nvme_start_freeze(&ctrl->ctrl); + nvme_stop_queues(&ctrl->ctrl); + nvme_rdma_stop_io_queues(ctrl); + if (ctrl->ctrl.tagset) { +-- +2.27.0 + diff --git a/queue/nvme-tcp-fix-controller-reset-hang-during-traffic.patch b/queue/nvme-tcp-fix-controller-reset-hang-during-traffic.patch new file mode 100644 index 00000000..55278900 --- /dev/null +++ b/queue/nvme-tcp-fix-controller-reset-hang-during-traffic.patch @@ -0,0 +1,65 @@ +From 2875b0aecabe2f081a8432e2bc85b85df0529490 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg <sagi@grimberg.me> +Date: Fri, 24 Jul 2020 15:10:12 -0700 +Subject: [PATCH] nvme-tcp: fix controller reset hang during traffic + +commit 2875b0aecabe2f081a8432e2bc85b85df0529490 upstream. + +commit fe35ec58f0d3 ("block: update hctx map when use multiple maps") +exposed an issue where we may hang trying to wait for queue freeze +during I/O. We call blk_mq_update_nr_hw_queues which in case of multiple +queue maps (which we have now for default/read/poll) is attempting to +freeze the queue. However we never started queue freeze when starting the +reset, which means that we have inflight pending requests that entered the +queue that we will not complete once the queue is quiesced. + +So start a freeze before we quiesce the queue, and unfreeze the queue +after we successfully connected the I/O queues (and make sure to call +blk_mq_update_nr_hw_queues only after we are sure that the queue was +already frozen). + +This follows to how the pci driver handles resets. + +Fixes: fe35ec58f0d3 ("block: update hctx map when use multiple maps") +Signed-off-by: Sagi Grimberg <sagi@grimberg.me> +Signed-off-by: Christoph Hellwig <hch@lst.de> + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 8c8fb65ca928..378c049e0a5e 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1771,15 +1771,20 @@ static int nvme_tcp_configure_io_queues(struct nvme_ctrl *ctrl, bool new) + ret = PTR_ERR(ctrl->connect_q); + goto out_free_tag_set; + } +- } else { +- blk_mq_update_nr_hw_queues(ctrl->tagset, +- ctrl->queue_count - 1); + } + + ret = nvme_tcp_start_io_queues(ctrl); + if (ret) + goto out_cleanup_connect_q; + ++ if (!new) { ++ nvme_start_queues(ctrl); ++ nvme_wait_freeze(ctrl); ++ blk_mq_update_nr_hw_queues(ctrl->tagset, ++ ctrl->queue_count - 1); ++ nvme_unfreeze(ctrl); ++ } ++ + return 0; + + out_cleanup_connect_q: +@@ -1884,6 +1889,7 @@ static void nvme_tcp_teardown_io_queues(struct nvme_ctrl *ctrl, + { + if (ctrl->queue_count <= 1) + return; ++ nvme_start_freeze(ctrl); + nvme_stop_queues(ctrl); + nvme_tcp_stop_io_queues(ctrl); + if (ctrl->tagset) { +-- +2.27.0 + diff --git a/queue/ocfs2-fix-unbalanced-locking.patch b/queue/ocfs2-fix-unbalanced-locking.patch new file mode 100644 index 00000000..d6807335 --- /dev/null +++ b/queue/ocfs2-fix-unbalanced-locking.patch @@ -0,0 +1,50 @@ +From 57c720d4144a9c2b88105c3e8f7b0e97e4b5cc93 Mon Sep 17 00:00:00 2001 +From: Pavel Machek <pavel@ucw.cz> +Date: Thu, 6 Aug 2020 23:18:09 -0700 +Subject: [PATCH] ocfs2: fix unbalanced locking + +commit 57c720d4144a9c2b88105c3e8f7b0e97e4b5cc93 upstream. + +Based on what fails, function can return with nfs_sync_rwlock either +locked or unlocked. That can not be right. + +Always return with lock unlocked on error. + +Fixes: 4cd9973f9ff6 ("ocfs2: avoid inode removal while nfsd is accessing it") +Signed-off-by: Pavel Machek (CIP) <pavel@denx.de> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> +Reviewed-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Mark Fasheh <mark@fasheh.com> +Cc: Joel Becker <jlbec@evilplan.org> +Cc: Junxiao Bi <junxiao.bi@oracle.com> +Cc: Changwei Ge <gechangwei@live.cn> +Cc: Gang He <ghe@suse.com> +Cc: Jun Piao <piaojun@huawei.com> +Link: http://lkml.kernel.org/r/20200724124443.GA28164@duo.ucw.cz +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c +index 751bc4dc7466..8e3a369086db 100644 +--- a/fs/ocfs2/dlmglue.c ++++ b/fs/ocfs2/dlmglue.c +@@ -2871,9 +2871,15 @@ int ocfs2_nfs_sync_lock(struct ocfs2_super *osb, int ex) + + status = ocfs2_cluster_lock(osb, lockres, ex ? LKM_EXMODE : LKM_PRMODE, + 0, 0); +- if (status < 0) ++ if (status < 0) { + mlog(ML_ERROR, "lock on nfs sync lock failed %d\n", status); + ++ if (ex) ++ up_write(&osb->nfs_sync_rwlock); ++ else ++ up_read(&osb->nfs_sync_rwlock); ++ } ++ + return status; + } + +-- +2.27.0 + diff --git a/queue/parisc-Do-not-use-an-ordered-store-in-pa_tlb_lock.patch b/queue/parisc-Do-not-use-an-ordered-store-in-pa_tlb_lock.patch new file mode 100644 index 00000000..482f7146 --- /dev/null +++ b/queue/parisc-Do-not-use-an-ordered-store-in-pa_tlb_lock.patch @@ -0,0 +1,45 @@ +From e72b23dec1da5e62a0090c5da1d926778284e230 Mon Sep 17 00:00:00 2001 +From: John David Anglin <dave.anglin@bell.net> +Date: Tue, 28 Jul 2020 19:13:20 +0200 +Subject: [PATCH] parisc: Do not use an ordered store in pa_tlb_lock() + +commit e72b23dec1da5e62a0090c5da1d926778284e230 upstream. + +No need to use an ordered store in pa_tlb_lock() and update the comment +regarng usage of the sid register to unlocak a spinlock in +tlb_unlock0(). + +Signed-off-by: John David Anglin <dave.anglin@bell.net> +Signed-off-by: Helge Deller <deller@gmx.de> +Cc: <stable@vger.kernel.org> # v5.0+ + +diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S +index 06455f1a40f5..519f9056fd00 100644 +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -455,7 +455,7 @@ + LDREG 0(\ptp),\pte + bb,<,n \pte,_PAGE_PRESENT_BIT,3f + b \fault +- stw,ma \spc,0(\tmp) ++ stw \spc,0(\tmp) + 99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) + #endif + 2: LDREG 0(\ptp),\pte +@@ -463,7 +463,12 @@ + 3: + .endm + +- /* Release pa_tlb_lock lock without reloading lock address. */ ++ /* Release pa_tlb_lock lock without reloading lock address. ++ Note that the values in the register spc are limited to ++ NR_SPACE_IDS (262144). Thus, the stw instruction always ++ stores a nonzero value even when register spc is 64 bits. ++ We use an ordered store to ensure all prior accesses are ++ performed prior to releasing the lock. */ + .macro tlb_unlock0 spc,tmp + #ifdef CONFIG_SMP + 98: or,COND(=) %r0,\spc,%r0 +-- +2.27.0 + diff --git a/queue/parisc-Implement-__smp_store_release-and-__smp_load_.patch b/queue/parisc-Implement-__smp_store_release-and-__smp_load_.patch new file mode 100644 index 00000000..e7c30092 --- /dev/null +++ b/queue/parisc-Implement-__smp_store_release-and-__smp_load_.patch @@ -0,0 +1,91 @@ +From e96ebd589debd9a6a793608c4ec7019c38785dea Mon Sep 17 00:00:00 2001 +From: John David Anglin <dave.anglin@bell.net> +Date: Thu, 30 Jul 2020 08:59:12 -0400 +Subject: [PATCH] parisc: Implement __smp_store_release and __smp_load_acquire + barriers + +commit e96ebd589debd9a6a793608c4ec7019c38785dea upstream. + +This patch implements the __smp_store_release and __smp_load_acquire barriers +using ordered stores and loads. This avoids the sync instruction present in +the generic implementation. + +Cc: <stable@vger.kernel.org> # 4.14+ +Signed-off-by: Dave Anglin <dave.anglin@bell.net> +Signed-off-by: Helge Deller <deller@gmx.de> + +diff --git a/arch/parisc/include/asm/barrier.h b/arch/parisc/include/asm/barrier.h +index dbaaca84f27f..640d46edf32e 100644 +--- a/arch/parisc/include/asm/barrier.h ++++ b/arch/parisc/include/asm/barrier.h +@@ -26,6 +26,67 @@ + #define __smp_rmb() mb() + #define __smp_wmb() mb() + ++#define __smp_store_release(p, v) \ ++do { \ ++ typeof(p) __p = (p); \ ++ union { typeof(*p) __val; char __c[1]; } __u = \ ++ { .__val = (__force typeof(*p)) (v) }; \ ++ compiletime_assert_atomic_type(*p); \ ++ switch (sizeof(*p)) { \ ++ case 1: \ ++ asm volatile("stb,ma %0,0(%1)" \ ++ : : "r"(*(__u8 *)__u.__c), "r"(__p) \ ++ : "memory"); \ ++ break; \ ++ case 2: \ ++ asm volatile("sth,ma %0,0(%1)" \ ++ : : "r"(*(__u16 *)__u.__c), "r"(__p) \ ++ : "memory"); \ ++ break; \ ++ case 4: \ ++ asm volatile("stw,ma %0,0(%1)" \ ++ : : "r"(*(__u32 *)__u.__c), "r"(__p) \ ++ : "memory"); \ ++ break; \ ++ case 8: \ ++ if (IS_ENABLED(CONFIG_64BIT)) \ ++ asm volatile("std,ma %0,0(%1)" \ ++ : : "r"(*(__u64 *)__u.__c), "r"(__p) \ ++ : "memory"); \ ++ break; \ ++ } \ ++} while (0) ++ ++#define __smp_load_acquire(p) \ ++({ \ ++ union { typeof(*p) __val; char __c[1]; } __u; \ ++ typeof(p) __p = (p); \ ++ compiletime_assert_atomic_type(*p); \ ++ switch (sizeof(*p)) { \ ++ case 1: \ ++ asm volatile("ldb,ma 0(%1),%0" \ ++ : "=r"(*(__u8 *)__u.__c) : "r"(__p) \ ++ : "memory"); \ ++ break; \ ++ case 2: \ ++ asm volatile("ldh,ma 0(%1),%0" \ ++ : "=r"(*(__u16 *)__u.__c) : "r"(__p) \ ++ : "memory"); \ ++ break; \ ++ case 4: \ ++ asm volatile("ldw,ma 0(%1),%0" \ ++ : "=r"(*(__u32 *)__u.__c) : "r"(__p) \ ++ : "memory"); \ ++ break; \ ++ case 8: \ ++ if (IS_ENABLED(CONFIG_64BIT)) \ ++ asm volatile("ldd,ma 0(%1),%0" \ ++ : "=r"(*(__u64 *)__u.__c) : "r"(__p) \ ++ : "memory"); \ ++ break; \ ++ } \ ++ __u.__val; \ ++}) + #include <asm-generic/barrier.h> + + #endif /* !__ASSEMBLY__ */ +-- +2.27.0 + diff --git a/queue/parisc-mask-out-enable-and-reserved-bits-from-sba-im.patch b/queue/parisc-mask-out-enable-and-reserved-bits-from-sba-im.patch new file mode 100644 index 00000000..bcbfce6b --- /dev/null +++ b/queue/parisc-mask-out-enable-and-reserved-bits-from-sba-im.patch @@ -0,0 +1,31 @@ +From 5b24993c21cbf2de11aff077a48c5cb0505a0450 Mon Sep 17 00:00:00 2001 +From: Sven Schnelle <svens@stackframe.org> +Date: Tue, 11 Aug 2020 18:19:19 +0200 +Subject: [PATCH] parisc: mask out enable and reserved bits from sba imask + +commit 5b24993c21cbf2de11aff077a48c5cb0505a0450 upstream. + +When using kexec the SBA IOMMU IBASE might still have the RE +bit set. This triggers a WARN_ON when trying to write back the +IBASE register later, and it also makes some mask calculations fail. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Sven Schnelle <svens@stackframe.org> +Signed-off-by: Helge Deller <deller@gmx.de> + +diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c +index 7e112829d250..00785fa81ff7 100644 +--- a/drivers/parisc/sba_iommu.c ++++ b/drivers/parisc/sba_iommu.c +@@ -1270,7 +1270,7 @@ sba_ioc_init_pluto(struct parisc_device *sba, struct ioc *ioc, int ioc_num) + ** (one that doesn't overlap memory or LMMIO space) in the + ** IBASE and IMASK registers. + */ +- ioc->ibase = READ_REG(ioc->ioc_hpa + IOC_IBASE); ++ ioc->ibase = READ_REG(ioc->ioc_hpa + IOC_IBASE) & ~0x1fffffULL; + iova_space_size = ~(READ_REG(ioc->ioc_hpa + IOC_IMASK) & 0xFFFFFFFFUL) + 1; + + if ((ioc->ibase < 0xfed00000UL) && ((ioc->ibase + iova_space_size) > 0xfee00000UL)) { +-- +2.27.0 + diff --git a/queue/phy-armada-38x-fix-NETA-lockup-when-repeatedly-switc.patch b/queue/phy-armada-38x-fix-NETA-lockup-when-repeatedly-switc.patch new file mode 100644 index 00000000..0e65a44f --- /dev/null +++ b/queue/phy-armada-38x-fix-NETA-lockup-when-repeatedly-switc.patch @@ -0,0 +1,136 @@ +From 1dea06cd643da38931382ebdc151efced201ffad Mon Sep 17 00:00:00 2001 +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Tue, 21 Jul 2020 15:40:43 +0100 +Subject: [PATCH] phy: armada-38x: fix NETA lockup when repeatedly switching + speeds + +commit 1dea06cd643da38931382ebdc151efced201ffad upstream. + +The mvneta hardware appears to lock up in various random ways when +repeatedly switching speeds between 1G and 2.5G, which involves +reprogramming the COMPHY. It is not entirely clear why this happens, +but best guess is that reprogramming the COMPHY glitches mvneta clocks +causing the hardware to fail. It seems that rebooting resolves the +failure, but not down/up cycling the interface alone. + +Various other approaches have been tried, such as trying to cleanly +power down the COMPHY and then take it back through the power up +initialisation, but this does not seem to help. + +It was finally noticed that u-boot's last step when configuring a +COMPHY for "SGMII" mode was to poke at a register described as +"GBE_CONFIGURATION_REG", which is undocumented in any external +documentation. All that we have is the fact that u-boot sets a bit +corresponding to the "SGMII" lane at the end of COMPHY initialisation. + +Experimentation shows that if we clear this bit prior to changing the +speed, and then set it afterwards, mvneta does not suffer this problem +on the SolidRun Clearfog when switching speeds between 1G and 2.5G. + +This problem was found while script-testing phylink. + +This fix also requires the corresponding change to DT to be effective. +See "ARM: dts: armada-38x: fix NETA lockup when repeatedly switching +speeds". + +Fixes: 14dc100b4411 ("phy: armada38x: add common phy support") +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Link: https://lore.kernel.org/r/E1jxtRj-0003Tz-CG@rmk-PC.armlinux.org.uk +Signed-off-by: Vinod Koul <vkoul@kernel.org> + +diff --git a/drivers/phy/marvell/phy-armada38x-comphy.c b/drivers/phy/marvell/phy-armada38x-comphy.c +index 6960dfd8ad8c..0fe408964334 100644 +--- a/drivers/phy/marvell/phy-armada38x-comphy.c ++++ b/drivers/phy/marvell/phy-armada38x-comphy.c +@@ -41,6 +41,7 @@ struct a38x_comphy_lane { + + struct a38x_comphy { + void __iomem *base; ++ void __iomem *conf; + struct device *dev; + struct a38x_comphy_lane lane[MAX_A38X_COMPHY]; + }; +@@ -54,6 +55,21 @@ static const u8 gbe_mux[MAX_A38X_COMPHY][MAX_A38X_PORTS] = { + { 0, 0, 3 }, + }; + ++static void a38x_set_conf(struct a38x_comphy_lane *lane, bool enable) ++{ ++ struct a38x_comphy *priv = lane->priv; ++ u32 conf; ++ ++ if (priv->conf) { ++ conf = readl_relaxed(priv->conf); ++ if (enable) ++ conf |= BIT(lane->port); ++ else ++ conf &= ~BIT(lane->port); ++ writel(conf, priv->conf); ++ } ++} ++ + static void a38x_comphy_set_reg(struct a38x_comphy_lane *lane, + unsigned int offset, u32 mask, u32 value) + { +@@ -97,6 +113,7 @@ static int a38x_comphy_set_mode(struct phy *phy, enum phy_mode mode, int sub) + { + struct a38x_comphy_lane *lane = phy_get_drvdata(phy); + unsigned int gen; ++ int ret; + + if (mode != PHY_MODE_ETHERNET) + return -EINVAL; +@@ -115,13 +132,20 @@ static int a38x_comphy_set_mode(struct phy *phy, enum phy_mode mode, int sub) + return -EINVAL; + } + ++ a38x_set_conf(lane, false); ++ + a38x_comphy_set_speed(lane, gen, gen); + +- return a38x_comphy_poll(lane, COMPHY_STAT1, +- COMPHY_STAT1_PLL_RDY_TX | +- COMPHY_STAT1_PLL_RDY_RX, +- COMPHY_STAT1_PLL_RDY_TX | +- COMPHY_STAT1_PLL_RDY_RX); ++ ret = a38x_comphy_poll(lane, COMPHY_STAT1, ++ COMPHY_STAT1_PLL_RDY_TX | ++ COMPHY_STAT1_PLL_RDY_RX, ++ COMPHY_STAT1_PLL_RDY_TX | ++ COMPHY_STAT1_PLL_RDY_RX); ++ ++ if (ret == 0) ++ a38x_set_conf(lane, true); ++ ++ return ret; + } + + static const struct phy_ops a38x_comphy_ops = { +@@ -174,14 +198,21 @@ static int a38x_comphy_probe(struct platform_device *pdev) + if (!priv) + return -ENOMEM; + +- res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- base = devm_ioremap_resource(&pdev->dev, res); ++ base = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(base)) + return PTR_ERR(base); + + priv->dev = &pdev->dev; + priv->base = base; + ++ /* Optional */ ++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "conf"); ++ if (res) { ++ priv->conf = devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(priv->conf)) ++ return PTR_ERR(priv->conf); ++ } ++ + for_each_available_child_of_node(pdev->dev.of_node, child) { + struct phy *phy; + int ret; +-- +2.27.0 + diff --git a/queue/phy-exynos5-usbdrd-Calibrating-makes-sense-only-for-.patch b/queue/phy-exynos5-usbdrd-Calibrating-makes-sense-only-for-.patch new file mode 100644 index 00000000..bd6e9469 --- /dev/null +++ b/queue/phy-exynos5-usbdrd-Calibrating-makes-sense-only-for-.patch @@ -0,0 +1,35 @@ +From dcbabfeb17c3c2fdb6bc92a3031ecd37df1834a8 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski <m.szyprowski@samsung.com> +Date: Wed, 8 Jul 2020 15:38:00 +0200 +Subject: [PATCH] phy: exynos5-usbdrd: Calibrating makes sense only for USB2.0 + PHY + +commit dcbabfeb17c3c2fdb6bc92a3031ecd37df1834a8 upstream. + +PHY calibration is needed only for USB2.0 (UTMI) PHY, so skip calling +calibration code when phy_calibrate() is called for USB3.0 (PIPE3) PHY. + +Fixes: d8c80bb3b55b ("phy: exynos5-usbdrd: Calibrate LOS levels for exynos5420/5800") +Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> +Acked-by: Krzysztof Kozlowski <krzk@kernel.org> +Link: https://lore.kernel.org/r/20200708133800.3336-1-m.szyprowski@samsung.com +Signed-off-by: Vinod Koul <vkoul@kernel.org> + +diff --git a/drivers/phy/samsung/phy-exynos5-usbdrd.c b/drivers/phy/samsung/phy-exynos5-usbdrd.c +index eb06ce9f748f..9930d2027e94 100644 +--- a/drivers/phy/samsung/phy-exynos5-usbdrd.c ++++ b/drivers/phy/samsung/phy-exynos5-usbdrd.c +@@ -714,7 +714,9 @@ static int exynos5_usbdrd_phy_calibrate(struct phy *phy) + struct phy_usb_instance *inst = phy_get_drvdata(phy); + struct exynos5_usbdrd_phy *phy_drd = to_usbdrd_phy(inst); + +- return exynos5420_usbdrd_phy_calibrate(phy_drd); ++ if (inst->phy_cfg->id == EXYNOS5_DRDPHY_UTMI) ++ return exynos5420_usbdrd_phy_calibrate(phy_drd); ++ return 0; + } + + static const struct phy_ops exynos5_usbdrd_phy_ops = { +-- +2.27.0 + diff --git a/queue/phy-renesas-rcar-gen3-usb2-move-irq-registration-to-.patch b/queue/phy-renesas-rcar-gen3-usb2-move-irq-registration-to-.patch new file mode 100644 index 00000000..f935f0dc --- /dev/null +++ b/queue/phy-renesas-rcar-gen3-usb2-move-irq-registration-to-.patch @@ -0,0 +1,153 @@ +From 08b0ad375ca66181faee725b1b358bcae8d592ee Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> +Date: Fri, 17 Jul 2020 20:44:56 +0900 +Subject: [PATCH] phy: renesas: rcar-gen3-usb2: move irq registration to init + +commit 08b0ad375ca66181faee725b1b358bcae8d592ee upstream. + +If CONFIG_DEBUG_SHIRQ was enabled, r8a77951-salvator-xs could boot +correctly. If we appended "earlycon keep_bootcon" to the kernel +command like, we could get kernel log like below. + + SError Interrupt on CPU0, code 0xbf000002 -- SError + CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-rc3-salvator-x-00505-g6c843129e6faaf01 #785 + Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) + pstate: 60400085 (nZCv daIf +PAN -UAO BTYPE=--) + pc : rcar_gen3_phy_usb2_irq+0x14/0x54 + lr : free_irq+0xf4/0x27c + +This means free_irq() calls the interrupt handler while PM runtime +is not getting if DEBUG_SHIRQ is enabled and rcar_gen3_phy_usb2_probe() +failed. To fix the issue, move the irq registration place to +rcar_gen3_phy_usb2_init() which is ready to handle the interrupts. + +Note that after the commit 549b6b55b005 ("phy: renesas: rcar-gen3-usb2: +enable/disable independent irqs") which is merged into v5.2, since this +driver creates multiple phy instances, needs to check whether one of +phy instances is initialized. However, if we backport this patch to v5.1 +or less, we don't need to check it because such kernel have single +phy instance. + +Reported-by: Wolfram Sang <wsa+renesas@sang-engineering.com> +Reported-by: Geert Uytterhoeven <geert+renesas@glider.be> +Fixes: 9f391c574efc ("phy: rcar-gen3-usb2: add runtime ID/VBUS pin detection") +Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> +Link: https://lore.kernel.org/r/1594986297-12434-2-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Vinod Koul <vkoul@kernel.org> + +diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c +index bfb22f868857..5087b7c44d55 100644 +--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c ++++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c +@@ -111,6 +111,7 @@ struct rcar_gen3_chan { + struct work_struct work; + struct mutex lock; /* protects rphys[...].powered */ + enum usb_dr_mode dr_mode; ++ int irq; + bool extcon_host; + bool is_otg_channel; + bool uses_otg_pins; +@@ -389,12 +390,38 @@ static void rcar_gen3_init_otg(struct rcar_gen3_chan *ch) + rcar_gen3_device_recognition(ch); + } + ++static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) ++{ ++ struct rcar_gen3_chan *ch = _ch; ++ void __iomem *usb2_base = ch->base; ++ u32 status = readl(usb2_base + USB2_OBINTSTA); ++ irqreturn_t ret = IRQ_NONE; ++ ++ if (status & USB2_OBINT_BITS) { ++ dev_vdbg(ch->dev, "%s: %08x\n", __func__, status); ++ writel(USB2_OBINT_BITS, usb2_base + USB2_OBINTSTA); ++ rcar_gen3_device_recognition(ch); ++ ret = IRQ_HANDLED; ++ } ++ ++ return ret; ++} ++ + static int rcar_gen3_phy_usb2_init(struct phy *p) + { + struct rcar_gen3_phy *rphy = phy_get_drvdata(p); + struct rcar_gen3_chan *channel = rphy->ch; + void __iomem *usb2_base = channel->base; + u32 val; ++ int ret; ++ ++ if (!rcar_gen3_is_any_rphy_initialized(channel) && channel->irq >= 0) { ++ INIT_WORK(&channel->work, rcar_gen3_phy_usb2_work); ++ ret = request_irq(channel->irq, rcar_gen3_phy_usb2_irq, ++ IRQF_SHARED, dev_name(channel->dev), channel); ++ if (ret < 0) ++ dev_err(channel->dev, "No irq handler (%d)\n", channel->irq); ++ } + + /* Initialize USB2 part */ + val = readl(usb2_base + USB2_INT_ENABLE); +@@ -433,6 +460,9 @@ static int rcar_gen3_phy_usb2_exit(struct phy *p) + val &= ~USB2_INT_ENABLE_UCOM_INTEN; + writel(val, usb2_base + USB2_INT_ENABLE); + ++ if (channel->irq >= 0 && !rcar_gen3_is_any_rphy_initialized(channel)) ++ free_irq(channel->irq, channel); ++ + return 0; + } + +@@ -503,23 +533,6 @@ static const struct phy_ops rz_g1c_phy_usb2_ops = { + .owner = THIS_MODULE, + }; + +-static irqreturn_t rcar_gen3_phy_usb2_irq(int irq, void *_ch) +-{ +- struct rcar_gen3_chan *ch = _ch; +- void __iomem *usb2_base = ch->base; +- u32 status = readl(usb2_base + USB2_OBINTSTA); +- irqreturn_t ret = IRQ_NONE; +- +- if (status & USB2_OBINT_BITS) { +- dev_vdbg(ch->dev, "%s: %08x\n", __func__, status); +- writel(USB2_OBINT_BITS, usb2_base + USB2_OBINTSTA); +- rcar_gen3_device_recognition(ch); +- ret = IRQ_HANDLED; +- } +- +- return ret; +-} +- + static const struct of_device_id rcar_gen3_phy_usb2_match_table[] = { + { + .compatible = "renesas,usb2-phy-r8a77470", +@@ -598,7 +611,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) + struct phy_provider *provider; + struct resource *res; + const struct phy_ops *phy_usb2_ops; +- int irq, ret = 0, i; ++ int ret = 0, i; + + if (!dev->of_node) { + dev_err(dev, "This driver needs device tree\n"); +@@ -614,16 +627,8 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) + if (IS_ERR(channel->base)) + return PTR_ERR(channel->base); + +- /* call request_irq for OTG */ +- irq = platform_get_irq_optional(pdev, 0); +- if (irq >= 0) { +- INIT_WORK(&channel->work, rcar_gen3_phy_usb2_work); +- irq = devm_request_irq(dev, irq, rcar_gen3_phy_usb2_irq, +- IRQF_SHARED, dev_name(dev), channel); +- if (irq < 0) +- dev_err(dev, "No irq handler (%d)\n", irq); +- } +- ++ /* get irq number here and request_irq for OTG in phy_init */ ++ channel->irq = platform_get_irq_optional(pdev, 0); + channel->dr_mode = rcar_gen3_get_dr_mode(dev->of_node); + if (channel->dr_mode != USB_DR_MODE_UNKNOWN) { + int ret; +-- +2.27.0 + diff --git a/queue/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch b/queue/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch new file mode 100644 index 00000000..0e8f0c8d --- /dev/null +++ b/queue/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch @@ -0,0 +1,137 @@ +From f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f Mon Sep 17 00:00:00 2001 +From: Drew Fustini <drew@beagleboard.org> +Date: Mon, 8 Jun 2020 14:51:43 +0200 +Subject: [PATCH] pinctrl-single: fix pcs_parse_pinconf() return value + +commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f upstream. + +This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no +pinctrl_map is added. The current behavior is to return 0 when +!PCS_HAS_PINCONF or !nconfs. Thus pcs_parse_one_pinctrl_entry() +incorrectly assumes that a map was added and sets num_maps = 2. + +Analysis: +========= +The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf() +if PCS_HAS_PINCONF is enabled. The function pcs_parse_pinconf() +returns 0 to indicate there was no error and num_maps is then set to 2: + + 980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + 981 struct device_node *np, + 982 struct pinctrl_map **map, + 983 unsigned *num_maps, + 984 const char **pgnames) + 985 { +<snip> +1053 (*map)->type = PIN_MAP_TYPE_MUX_GROUP; +1054 (*map)->data.mux.group = np->name; +1055 (*map)->data.mux.function = np->name; +1056 +1057 if (PCS_HAS_PINCONF && function) { +1058 res = pcs_parse_pinconf(pcs, np, function, map); +1059 if (res) +1060 goto free_pingroups; +1061 *num_maps = 2; +1062 } else { +1063 *num_maps = 1; +1064 } + +However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or +!nconfs. I believe these conditions should indicate that no map was +added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry() +will set num_maps = 2 even though no maps were successfully added, as +it does not reach "m++" on line 940: + + 895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + 896 struct pcs_function *func, + 897 struct pinctrl_map **map) + 898 + 899 { + 900 struct pinctrl_map *m = *map; +<snip> + 917 /* If pinconf isn't supported, don't parse properties in below. */ + 918 if (!PCS_HAS_PINCONF) + 919 return 0; + 920 + 921 /* cacluate how much properties are supported in current node */ + 922 for (i = 0; i < ARRAY_SIZE(prop2); i++) { + 923 if (of_find_property(np, prop2[i].name, NULL)) + 924 nconfs++; + 925 } + 926 for (i = 0; i < ARRAY_SIZE(prop4); i++) { + 927 if (of_find_property(np, prop4[i].name, NULL)) + 928 nconfs++; + 929 } + 930 if (!nconfs) + 919 return 0; + 932 + 933 func->conf = devm_kcalloc(pcs->dev, + 934 nconfs, sizeof(struct pcs_conf_vals), + 935 GFP_KERNEL); + 936 if (!func->conf) + 937 return -ENOMEM; + 938 func->nconfs = nconfs; + 939 conf = &(func->conf[0]); + 940 m++; + +This situtation will cause a boot failure [0] on the BeagleBone Black +(AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi +has compatible = "pinconf-single" instead of "pinctrl-single". + +The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF +or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no +map was added. + +Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish +between -ENOSUPP and other errors. In the case of -ENOSUPP, num_maps +is set to 1 as it is valid for pinconf to be enabled and a given pin +group to not any pinconf properties. + +[0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/ + +Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf") +Signed-off-by: Drew Fustini <drew@beagleboard.org> +Acked-by: Tony Lindgren <tony@atomide.com> +Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1 +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index 1e0614daee9b..a9d511982780 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -916,7 +916,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + + /* If pinconf isn't supported, don't parse properties in below. */ + if (!PCS_HAS_PINCONF) +- return 0; ++ return -ENOTSUPP; + + /* cacluate how much properties are supported in current node */ + for (i = 0; i < ARRAY_SIZE(prop2); i++) { +@@ -928,7 +928,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + nconfs++; + } + if (!nconfs) +- return 0; ++ return -ENOTSUPP; + + func->conf = devm_kcalloc(pcs->dev, + nconfs, sizeof(struct pcs_conf_vals), +@@ -1056,9 +1056,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + + if (PCS_HAS_PINCONF && function) { + res = pcs_parse_pinconf(pcs, np, function, map); +- if (res) ++ if (res == 0) ++ *num_maps = 2; ++ else if (res == -ENOTSUPP) ++ *num_maps = 1; ++ else + goto free_pingroups; +- *num_maps = 2; + } else { + *num_maps = 1; + } +-- +2.27.0 + diff --git a/queue/platform-x86-asus-nb-wmi-add-support-for-ASUS-ROG-Ze.patch b/queue/platform-x86-asus-nb-wmi-add-support-for-ASUS-ROG-Ze.patch new file mode 100644 index 00000000..7f9f09d9 --- /dev/null +++ b/queue/platform-x86-asus-nb-wmi-add-support-for-ASUS-ROG-Ze.patch @@ -0,0 +1,121 @@ +From 13bceda68fb9ef388ad40d355ab8d03ee64d14c2 Mon Sep 17 00:00:00 2001 +From: Armas Spann <zappel@retarded.farm> +Date: Sat, 11 Jul 2020 11:43:21 +0200 +Subject: [PATCH] platform/x86: asus-nb-wmi: add support for ASUS ROG Zephyrus + G14 and G15 + +commit 13bceda68fb9ef388ad40d355ab8d03ee64d14c2 upstream. + +Add device support for the new ASUS ROG Zephyrus G14 (GA401I) and +G15 (GA502I) series. + +This is accomplished by two new quirk entries (one per each series), +as well as all current available G401I/G502I DMI_PRODUCT_NAMEs to match +the corresponding devices. + +Signed-off-by: Armas Spann <zappel@retarded.farm> +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index 8c4d00482ef0..6c42f73c1dfd 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -110,6 +110,16 @@ static struct quirk_entry quirk_asus_forceals = { + .wmi_force_als_set = true, + }; + ++static struct quirk_entry quirk_asus_ga401i = { ++ .wmi_backlight_power = true, ++ .wmi_backlight_set_devstate = true, ++}; ++ ++static struct quirk_entry quirk_asus_ga502i = { ++ .wmi_backlight_power = true, ++ .wmi_backlight_set_devstate = true, ++}; ++ + static int dmi_matched(const struct dmi_system_id *dmi) + { + pr_info("Identified laptop model '%s'\n", dmi->ident); +@@ -411,6 +421,78 @@ static const struct dmi_system_id asus_quirks[] = { + }, + .driver_data = &quirk_asus_forceals, + }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. GA401IH", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "GA401IH"), ++ }, ++ .driver_data = &quirk_asus_ga401i, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. GA401II", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "GA401II"), ++ }, ++ .driver_data = &quirk_asus_ga401i, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. GA401IU", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "GA401IU"), ++ }, ++ .driver_data = &quirk_asus_ga401i, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. GA401IV", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "GA401IV"), ++ }, ++ .driver_data = &quirk_asus_ga401i, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. GA401IVC", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "GA401IVC"), ++ }, ++ .driver_data = &quirk_asus_ga401i, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. GA502II", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "GA502II"), ++ }, ++ .driver_data = &quirk_asus_ga502i, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. GA502IU", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "GA502IU"), ++ }, ++ .driver_data = &quirk_asus_ga502i, ++ }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. GA502IV", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "GA502IV"), ++ }, ++ .driver_data = &quirk_asus_ga502i, ++ }, + {}, + }; + +-- +2.27.0 + diff --git a/queue/platform-x86-intel-hid-Fix-return-value-check-in-che.patch b/queue/platform-x86-intel-hid-Fix-return-value-check-in-che.patch new file mode 100644 index 00000000..a94fa1fa --- /dev/null +++ b/queue/platform-x86-intel-hid-Fix-return-value-check-in-che.patch @@ -0,0 +1,33 @@ +From 71fbe886ce6dd0be17f20aded9c63fe58edd2806 Mon Sep 17 00:00:00 2001 +From: Lu Wei <luwei32@huawei.com> +Date: Fri, 10 Jul 2020 17:30:17 +0800 +Subject: [PATCH] platform/x86: intel-hid: Fix return value check in + check_acpi_dev() + +commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 upstream. + +In the function check_acpi_dev(), if it fails to create +platform device, the return value is ERR_PTR() or NULL. +Thus it must use IS_ERR_OR_NULL() to check return value. + +Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys") +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Lu Wei <luwei32@huawei.com> +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> + +diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c +index 9ee79b74311c..86261970bd8f 100644 +--- a/drivers/platform/x86/intel-hid.c ++++ b/drivers/platform/x86/intel-hid.c +@@ -571,7 +571,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) + return AE_OK; + + if (acpi_match_device_ids(dev, ids) == 0) +- if (acpi_create_platform_device(dev, NULL)) ++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) + dev_info(&dev->dev, + "intel-hid: created platform device\n"); + +-- +2.27.0 + diff --git a/queue/platform-x86-intel-vbtn-Fix-return-value-check-in-ch.patch b/queue/platform-x86-intel-vbtn-Fix-return-value-check-in-ch.patch new file mode 100644 index 00000000..2b5be556 --- /dev/null +++ b/queue/platform-x86-intel-vbtn-Fix-return-value-check-in-ch.patch @@ -0,0 +1,33 @@ +From 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e Mon Sep 17 00:00:00 2001 +From: Lu Wei <luwei32@huawei.com> +Date: Fri, 10 Jul 2020 17:30:18 +0800 +Subject: [PATCH] platform/x86: intel-vbtn: Fix return value check in + check_acpi_dev() + +commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e upstream. + +In the function check_acpi_dev(), if it fails to create +platform device, the return value is ERR_PTR() or NULL. +Thus it must use IS_ERR_OR_NULL() to check return value. + +Fixes: 332e081225fc ("intel-vbtn: new driver for Intel Virtual Button") +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Lu Wei <luwei32@huawei.com> +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> + +diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c +index 0487b606a274..e85d8e58320c 100644 +--- a/drivers/platform/x86/intel-vbtn.c ++++ b/drivers/platform/x86/intel-vbtn.c +@@ -299,7 +299,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) + return AE_OK; + + if (acpi_match_device_ids(dev, ids) == 0) +- if (acpi_create_platform_device(dev, NULL)) ++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) + dev_info(&dev->dev, + "intel-vbtn: created platform device\n"); + +-- +2.27.0 + diff --git a/queue/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch b/queue/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch new file mode 100644 index 00000000..bfc228b4 --- /dev/null +++ b/queue/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch @@ -0,0 +1,53 @@ +From ccf193dee1f0fff55b556928591f7818bac1b3b1 Mon Sep 17 00:00:00 2001 +From: Tom Rix <trix@redhat.com> +Date: Sun, 12 Jul 2020 12:23:51 -0700 +Subject: [PATCH] power: supply: check if calc_soc succeeded in + pm860x_init_battery + +commit ccf193dee1f0fff55b556928591f7818bac1b3b1 upstream. + +clang static analysis flags this error + +88pm860x_battery.c:522:19: warning: Assigned value is + garbage or undefined [core.uninitialized.Assign] + info->start_soc = soc; + ^ ~~~ +soc is set by calling calc_soc. +But calc_soc can return without setting soc. + +So check the return status and bail similarly to other +checks in pm860x_init_battery and initialize soc to +silence the warning. + +Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x") + +Signed-off-by: Tom Rix <trix@redhat.com> +Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com> + +diff --git a/drivers/power/supply/88pm860x_battery.c b/drivers/power/supply/88pm860x_battery.c +index 1308f3a185f3..590da88a17a2 100644 +--- a/drivers/power/supply/88pm860x_battery.c ++++ b/drivers/power/supply/88pm860x_battery.c +@@ -433,7 +433,7 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + int ret; + int data; + int bat_remove; +- int soc; ++ int soc = 0; + + /* measure enable on GPADC1 */ + data = MEAS1_GP1; +@@ -496,7 +496,9 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + } + mutex_unlock(&info->lock); + +- calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ ret = calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ if (ret < 0) ++ goto out; + + data = pm860x_reg_read(info->i2c, PM8607_POWER_UP_LOG); + bat_remove = data & BAT_WU_LOG; +-- +2.27.0 + diff --git a/queue/powerpc-32s-Fix-CONFIG_BOOK3S_601-uses.patch b/queue/powerpc-32s-Fix-CONFIG_BOOK3S_601-uses.patch new file mode 100644 index 00000000..9d218f42 --- /dev/null +++ b/queue/powerpc-32s-Fix-CONFIG_BOOK3S_601-uses.patch @@ -0,0 +1,43 @@ +From df4d4ef22446b3a789a4efd74d34f2ec1e24deb2 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman <mpe@ellerman.id.au> +Date: Fri, 24 Jul 2020 23:17:24 +1000 +Subject: [PATCH] powerpc/32s: Fix CONFIG_BOOK3S_601 uses + +commit df4d4ef22446b3a789a4efd74d34f2ec1e24deb2 upstream. + +We have two uses of CONFIG_BOOK3S_601, which doesn't exist. Fix them +to use CONFIG_PPC_BOOK3S_601 which is the correct symbol. + +Fixes: 12c3f1fd87bf ("powerpc/32s: get rid of CPU_FTR_601 feature") +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20200724131728.1643966-5-mpe@ellerman.id.au + +diff --git a/arch/powerpc/include/asm/ptrace.h b/arch/powerpc/include/asm/ptrace.h +index f194339cef3b..155a197c0aa1 100644 +--- a/arch/powerpc/include/asm/ptrace.h ++++ b/arch/powerpc/include/asm/ptrace.h +@@ -243,7 +243,7 @@ static inline void set_trap_norestart(struct pt_regs *regs) + } + + #define arch_has_single_step() (1) +-#ifndef CONFIG_BOOK3S_601 ++#ifndef CONFIG_PPC_BOOK3S_601 + #define arch_has_block_step() (true) + #else + #define arch_has_block_step() (false) +diff --git a/arch/powerpc/include/asm/timex.h b/arch/powerpc/include/asm/timex.h +index d2d2c4bd8435..6047402b0a4d 100644 +--- a/arch/powerpc/include/asm/timex.h ++++ b/arch/powerpc/include/asm/timex.h +@@ -17,7 +17,7 @@ typedef unsigned long cycles_t; + + static inline cycles_t get_cycles(void) + { +- if (IS_ENABLED(CONFIG_BOOK3S_601)) ++ if (IS_ENABLED(CONFIG_PPC_BOOK3S_601)) + return 0; + + return mftb(); +-- +2.27.0 + diff --git a/queue/powerpc-book3s64-pkeys-Use-PVR-check-instead-of-cpu-.patch b/queue/powerpc-book3s64-pkeys-Use-PVR-check-instead-of-cpu-.patch new file mode 100644 index 00000000..57193d4e --- /dev/null +++ b/queue/powerpc-book3s64-pkeys-Use-PVR-check-instead-of-cpu-.patch @@ -0,0 +1,48 @@ +From d79e7a5f26f1d179cbb915a8bf2469b6d7431c29 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com> +Date: Thu, 9 Jul 2020 08:59:24 +0530 +Subject: [PATCH] powerpc/book3s64/pkeys: Use PVR check instead of cpu feature + +commit d79e7a5f26f1d179cbb915a8bf2469b6d7431c29 upstream. + +We are wrongly using CPU_FTRS_POWER8 to check for P8 support. Instead, we should +use PVR value. Now considering we are using CPU_FTRS_POWER8, that +implies we returned true for P9 with older firmware. Keep the same behavior +by checking for P9 PVR value. + +Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem") +Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20200709032946.881753-2-aneesh.kumar@linux.ibm.com + +diff --git a/arch/powerpc/mm/book3s64/pkeys.c b/arch/powerpc/mm/book3s64/pkeys.c +index d174106bab67..82ace6acb0aa 100644 +--- a/arch/powerpc/mm/book3s64/pkeys.c ++++ b/arch/powerpc/mm/book3s64/pkeys.c +@@ -83,13 +83,17 @@ static int pkey_initialize(void) + scan_pkey_feature(); + + /* +- * Let's assume 32 pkeys on P8 bare metal, if its not defined by device +- * tree. We make this exception since skiboot forgot to expose this +- * property on power8. ++ * Let's assume 32 pkeys on P8/P9 bare metal, if its not defined by device ++ * tree. We make this exception since some version of skiboot forgot to ++ * expose this property on power8/9. + */ +- if (!pkeys_devtree_defined && !firmware_has_feature(FW_FEATURE_LPAR) && +- cpu_has_feature(CPU_FTRS_POWER8)) +- pkeys_total = 32; ++ if (!pkeys_devtree_defined && !firmware_has_feature(FW_FEATURE_LPAR)) { ++ unsigned long pvr = mfspr(SPRN_PVR); ++ ++ if (PVR_VER(pvr) == PVR_POWER8 || PVR_VER(pvr) == PVR_POWER8E || ++ PVR_VER(pvr) == PVR_POWER8NVL || PVR_VER(pvr) == PVR_POWER9) ++ pkeys_total = 32; ++ } + + /* + * Adjust the upper limit, based on the number of bits supported by +-- +2.27.0 + diff --git a/queue/powerpc-boot-Fix-CONFIG_PPC_MPC52XX-references.patch b/queue/powerpc-boot-Fix-CONFIG_PPC_MPC52XX-references.patch new file mode 100644 index 00000000..d8fa65f5 --- /dev/null +++ b/queue/powerpc-boot-Fix-CONFIG_PPC_MPC52XX-references.patch @@ -0,0 +1,46 @@ +From e5eff89657e72a9050d95fde146b54c7dc165981 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman <mpe@ellerman.id.au> +Date: Fri, 24 Jul 2020 23:17:26 +1000 +Subject: [PATCH] powerpc/boot: Fix CONFIG_PPC_MPC52XX references + +commit e5eff89657e72a9050d95fde146b54c7dc165981 upstream. + +Commit 866bfc75f40e ("powerpc: conditionally compile platform-specific +serial drivers") made some code depend on CONFIG_PPC_MPC52XX, which +doesn't exist. + +Fix it to use CONFIG_PPC_MPC52xx. + +Fixes: 866bfc75f40e ("powerpc: conditionally compile platform-specific serial drivers") +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20200724131728.1643966-7-mpe@ellerman.id.au + +diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile +index 4d43cb59b4a4..44af71543380 100644 +--- a/arch/powerpc/boot/Makefile ++++ b/arch/powerpc/boot/Makefile +@@ -117,7 +117,7 @@ src-wlib-y := string.S crt0.S stdio.c decompress.c main.c \ + elf_util.c $(zlib-y) devtree.c stdlib.c \ + oflib.c ofconsole.c cuboot.c + +-src-wlib-$(CONFIG_PPC_MPC52XX) += mpc52xx-psc.c ++src-wlib-$(CONFIG_PPC_MPC52xx) += mpc52xx-psc.c + src-wlib-$(CONFIG_PPC64_BOOT_WRAPPER) += opal-calls.S opal.c + ifndef CONFIG_PPC64_BOOT_WRAPPER + src-wlib-y += crtsavres.S +diff --git a/arch/powerpc/boot/serial.c b/arch/powerpc/boot/serial.c +index 0bfa7e87e546..9a19e5905485 100644 +--- a/arch/powerpc/boot/serial.c ++++ b/arch/powerpc/boot/serial.c +@@ -128,7 +128,7 @@ int serial_console_init(void) + dt_is_compatible(devp, "fsl,cpm2-smc-uart")) + rc = cpm_console_init(devp, &serial_cd); + #endif +-#ifdef CONFIG_PPC_MPC52XX ++#ifdef CONFIG_PPC_MPC52xx + else if (dt_is_compatible(devp, "fsl,mpc5200-psc-uart")) + rc = mpc5200_psc_console_init(devp, &serial_cd); + #endif +-- +2.27.0 + diff --git a/queue/powerpc-perf-Fix-missing-is_sier_aviable-during-buil.patch b/queue/powerpc-perf-Fix-missing-is_sier_aviable-during-buil.patch new file mode 100644 index 00000000..dbe49652 --- /dev/null +++ b/queue/powerpc-perf-Fix-missing-is_sier_aviable-during-buil.patch @@ -0,0 +1,46 @@ +From 3c9450c053f88e525b2db1e6990cdf34d14e7696 Mon Sep 17 00:00:00 2001 +From: Madhavan Srinivasan <maddy@linux.ibm.com> +Date: Sun, 14 Jun 2020 14:06:04 +0530 +Subject: [PATCH] powerpc/perf: Fix missing is_sier_aviable() during build + +commit 3c9450c053f88e525b2db1e6990cdf34d14e7696 upstream. + +Compilation error: + arch/powerpc/perf/perf_regs.c:80:undefined reference to `.is_sier_available' + +Currently is_sier_available() is part of core-book3s.c, which is added +to build based on CONFIG_PPC_PERF_CTRS. + +A config with CONFIG_PERF_EVENTS and without CONFIG_PPC_PERF_CTRS will +have a build break because of missing is_sier_available(). + +In practice it only breaks when CONFIG_FSL_EMB_PERF_EVENT=n because +that also guards the usage of is_sier_available(). That only happens +with CONFIG_PPC_BOOK3E_64=y and CONFIG_FSL_SOC_BOOKE=n. + +Patch adds is_sier_available() in asm/perf_event.h to fix the build +break for configs missing CONFIG_PPC_PERF_CTRS. + +Fixes: 333804dc3b7a ("powerpc/perf: Update perf_regs structure to include SIER") +Reported-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com> +Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com> +[mpe: Add detail about CONFIG_FSL_SOC_BOOKE] +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20200614083604.302611-1-maddy@linux.ibm.com + +diff --git a/arch/powerpc/include/asm/perf_event.h b/arch/powerpc/include/asm/perf_event.h +index eed3954082fa..1e8b2e1ec1db 100644 +--- a/arch/powerpc/include/asm/perf_event.h ++++ b/arch/powerpc/include/asm/perf_event.h +@@ -12,6 +12,8 @@ + + #ifdef CONFIG_PPC_PERF_CTRS + #include <asm/perf_event_server.h> ++#else ++static inline bool is_sier_available(void) { return false; } + #endif + + #ifdef CONFIG_FSL_EMB_PERF_EVENT +-- +2.27.0 + diff --git a/queue/powerpc-rtas-don-t-online-CPUs-for-partition-suspend.patch b/queue/powerpc-rtas-don-t-online-CPUs-for-partition-suspend.patch new file mode 100644 index 00000000..6980fb6d --- /dev/null +++ b/queue/powerpc-rtas-don-t-online-CPUs-for-partition-suspend.patch @@ -0,0 +1,286 @@ +From ec2fc2a9e9bbad9023aab65bc472ce7a3ca8608f Mon Sep 17 00:00:00 2001 +From: Nathan Lynch <nathanl@linux.ibm.com> +Date: Fri, 12 Jun 2020 00:12:22 -0500 +Subject: [PATCH] powerpc/rtas: don't online CPUs for partition suspend + +commit ec2fc2a9e9bbad9023aab65bc472ce7a3ca8608f upstream. + +Partition suspension, used for hibernation and migration, requires +that the OS place all but one of the LPAR's processor threads into one +of two states prior to calling the ibm,suspend-me RTAS function: + + * the architected offline state (via RTAS stop-self); or + * the H_JOIN hcall, which does not return until the partition + resumes execution + +Using H_CEDE as the offline mode, introduced by +commit 3aa565f53c39 ("powerpc/pseries: Add hooks to put the CPU into +an appropriate offline state"), means that any threads which are +offline from Linux's point of view must be moved to one of those two +states before a partition suspension can proceed. + +This was eventually addressed in commit 120496ac2d2d ("powerpc: Bring +all threads online prior to migration/hibernation"), which added code +to temporarily bring up any offline processor threads so they can call +H_JOIN. Conceptually this is fine, but the implementation has had +multiple races with cpu hotplug operations initiated from user +space[1][2][3], the error handling is fragile, and it generates +user-visible cpu hotplug events which is a lot of noise for a platform +feature that's supposed to minimize disruption to workloads. + +With commit 3aa565f53c39 ("powerpc/pseries: Add hooks to put the CPU +into an appropriate offline state") reverted, this code becomes +unnecessary, so remove it. Since any offline CPUs now are truly +offline from the platform's point of view, it is no longer necessary +to bring up CPUs only to have them call H_JOIN and then go offline +again upon resuming. Only active threads are required to call H_JOIN; +stopped threads can be left alone. + +[1] commit a6717c01ddc2 ("powerpc/rtas: use device model APIs and + serialization during LPM") +[2] commit 9fb603050ffd ("powerpc/rtas: retry when cpu offline races + with suspend/migration") +[3] commit dfd718a2ed1f ("powerpc/rtas: Fix a potential race between + CPU-Offline & Migration") + +Fixes: 120496ac2d2d ("powerpc: Bring all threads online prior to migration/hibernation") +Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20200612051238.1007764-3-nathanl@linux.ibm.com + +diff --git a/arch/powerpc/include/asm/rtas.h b/arch/powerpc/include/asm/rtas.h +index 014968f25f7e..0107d724e9da 100644 +--- a/arch/powerpc/include/asm/rtas.h ++++ b/arch/powerpc/include/asm/rtas.h +@@ -253,8 +253,6 @@ extern int rtas_set_indicator_fast(int indicator, int index, int new_value); + extern void rtas_progress(char *s, unsigned short hex); + extern int rtas_suspend_cpu(struct rtas_suspend_me_data *data); + extern int rtas_suspend_last_cpu(struct rtas_suspend_me_data *data); +-extern int rtas_online_cpus_mask(cpumask_var_t cpus); +-extern int rtas_offline_cpus_mask(cpumask_var_t cpus); + extern int rtas_ibm_suspend_me(u64 handle); + + struct rtc_time; +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index a09eba03f180..806d554ce357 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -843,96 +843,6 @@ static void rtas_percpu_suspend_me(void *info) + __rtas_suspend_cpu((struct rtas_suspend_me_data *)info, 1); + } + +-enum rtas_cpu_state { +- DOWN, +- UP, +-}; +- +-#ifndef CONFIG_SMP +-static int rtas_cpu_state_change_mask(enum rtas_cpu_state state, +- cpumask_var_t cpus) +-{ +- if (!cpumask_empty(cpus)) { +- cpumask_clear(cpus); +- return -EINVAL; +- } else +- return 0; +-} +-#else +-/* On return cpumask will be altered to indicate CPUs changed. +- * CPUs with states changed will be set in the mask, +- * CPUs with status unchanged will be unset in the mask. */ +-static int rtas_cpu_state_change_mask(enum rtas_cpu_state state, +- cpumask_var_t cpus) +-{ +- int cpu; +- int cpuret = 0; +- int ret = 0; +- +- if (cpumask_empty(cpus)) +- return 0; +- +- for_each_cpu(cpu, cpus) { +- struct device *dev = get_cpu_device(cpu); +- +- switch (state) { +- case DOWN: +- cpuret = device_offline(dev); +- break; +- case UP: +- cpuret = device_online(dev); +- break; +- } +- if (cpuret < 0) { +- pr_debug("%s: cpu_%s for cpu#%d returned %d.\n", +- __func__, +- ((state == UP) ? "up" : "down"), +- cpu, cpuret); +- if (!ret) +- ret = cpuret; +- if (state == UP) { +- /* clear bits for unchanged cpus, return */ +- cpumask_shift_right(cpus, cpus, cpu); +- cpumask_shift_left(cpus, cpus, cpu); +- break; +- } else { +- /* clear bit for unchanged cpu, continue */ +- cpumask_clear_cpu(cpu, cpus); +- } +- } +- cond_resched(); +- } +- +- return ret; +-} +-#endif +- +-int rtas_online_cpus_mask(cpumask_var_t cpus) +-{ +- int ret; +- +- ret = rtas_cpu_state_change_mask(UP, cpus); +- +- if (ret) { +- cpumask_var_t tmp_mask; +- +- if (!alloc_cpumask_var(&tmp_mask, GFP_KERNEL)) +- return ret; +- +- /* Use tmp_mask to preserve cpus mask from first failure */ +- cpumask_copy(tmp_mask, cpus); +- rtas_offline_cpus_mask(tmp_mask); +- free_cpumask_var(tmp_mask); +- } +- +- return ret; +-} +- +-int rtas_offline_cpus_mask(cpumask_var_t cpus) +-{ +- return rtas_cpu_state_change_mask(DOWN, cpus); +-} +- + int rtas_ibm_suspend_me(u64 handle) + { + long state; +@@ -940,8 +850,6 @@ int rtas_ibm_suspend_me(u64 handle) + unsigned long retbuf[PLPAR_HCALL_BUFSIZE]; + struct rtas_suspend_me_data data; + DECLARE_COMPLETION_ONSTACK(done); +- cpumask_var_t offline_mask; +- int cpuret; + + if (!rtas_service_present("ibm,suspend-me")) + return -ENOSYS; +@@ -962,9 +870,6 @@ int rtas_ibm_suspend_me(u64 handle) + return -EIO; + } + +- if (!alloc_cpumask_var(&offline_mask, GFP_KERNEL)) +- return -ENOMEM; +- + atomic_set(&data.working, 0); + atomic_set(&data.done, 0); + atomic_set(&data.error, 0); +@@ -973,24 +878,8 @@ int rtas_ibm_suspend_me(u64 handle) + + lock_device_hotplug(); + +- /* All present CPUs must be online */ +- cpumask_andnot(offline_mask, cpu_present_mask, cpu_online_mask); +- cpuret = rtas_online_cpus_mask(offline_mask); +- if (cpuret) { +- pr_err("%s: Could not bring present CPUs online.\n", __func__); +- atomic_set(&data.error, cpuret); +- goto out; +- } +- + cpu_hotplug_disable(); + +- /* Check if we raced with a CPU-Offline Operation */ +- if (!cpumask_equal(cpu_present_mask, cpu_online_mask)) { +- pr_info("%s: Raced against a concurrent CPU-Offline\n", __func__); +- atomic_set(&data.error, -EAGAIN); +- goto out_hotplug_enable; +- } +- + /* Call function on all CPUs. One of us will make the + * rtas call + */ +@@ -1001,18 +890,11 @@ int rtas_ibm_suspend_me(u64 handle) + if (atomic_read(&data.error) != 0) + printk(KERN_ERR "Error doing global join\n"); + +-out_hotplug_enable: +- cpu_hotplug_enable(); + +- /* Take down CPUs not online prior to suspend */ +- cpuret = rtas_offline_cpus_mask(offline_mask); +- if (cpuret) +- pr_warn("%s: Could not restore CPUs to offline state.\n", +- __func__); ++ cpu_hotplug_enable(); + +-out: + unlock_device_hotplug(); +- free_cpumask_var(offline_mask); ++ + return atomic_read(&data.error); + } + +diff --git a/arch/powerpc/platforms/pseries/suspend.c b/arch/powerpc/platforms/pseries/suspend.c +index 0a24a5a185f0..f789693f61f4 100644 +--- a/arch/powerpc/platforms/pseries/suspend.c ++++ b/arch/powerpc/platforms/pseries/suspend.c +@@ -132,15 +132,11 @@ static ssize_t store_hibernate(struct device *dev, + struct device_attribute *attr, + const char *buf, size_t count) + { +- cpumask_var_t offline_mask; + int rc; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + +- if (!alloc_cpumask_var(&offline_mask, GFP_KERNEL)) +- return -ENOMEM; +- + stream_id = simple_strtoul(buf, NULL, 16); + + do { +@@ -150,32 +146,16 @@ static ssize_t store_hibernate(struct device *dev, + } while (rc == -EAGAIN); + + if (!rc) { +- /* All present CPUs must be online */ +- cpumask_andnot(offline_mask, cpu_present_mask, +- cpu_online_mask); +- rc = rtas_online_cpus_mask(offline_mask); +- if (rc) { +- pr_err("%s: Could not bring present CPUs online.\n", +- __func__); +- goto out; +- } +- + stop_topology_update(); + rc = pm_suspend(PM_SUSPEND_MEM); + start_topology_update(); +- +- /* Take down CPUs not online prior to suspend */ +- if (!rtas_offline_cpus_mask(offline_mask)) +- pr_warn("%s: Could not restore CPUs to offline " +- "state.\n", __func__); + } + + stream_id = 0; + + if (!rc) + rc = count; +-out: +- free_cpumask_var(offline_mask); ++ + return rc; + } + +-- +2.27.0 + diff --git a/queue/powerpc-vdso-Fix-vdso-cpu-truncation.patch b/queue/powerpc-vdso-Fix-vdso-cpu-truncation.patch new file mode 100644 index 00000000..823b9988 --- /dev/null +++ b/queue/powerpc-vdso-Fix-vdso-cpu-truncation.patch @@ -0,0 +1,39 @@ +From a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 Mon Sep 17 00:00:00 2001 +From: Milton Miller <miltonm@us.ibm.com> +Date: Thu, 16 Jul 2020 09:37:04 +1000 +Subject: [PATCH] powerpc/vdso: Fix vdso cpu truncation + +commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 upstream. + +The code in vdso_cpu_init that exposes the cpu and numa node to +userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means +that any kernel running on a box with more than 4096 threads (NR_CPUS +advertises a limit of of 8192 cpus) would expose userspace to two cpu +contexts running at the same time with the same cpu number. + +Note: I'm not aware of any distro shipping a kernel with support for more +than 4096 threads today, nor of any system image that currently exceeds +4096 threads. Found via code browsing. + +Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu") +Signed-off-by: Milton Miller <miltonm@us.ibm.com> +Signed-off-by: Anton Blanchard <anton@linux.ibm.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org + +diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c +index e0f4ba45b6cc..8dad44262e75 100644 +--- a/arch/powerpc/kernel/vdso.c ++++ b/arch/powerpc/kernel/vdso.c +@@ -677,7 +677,7 @@ int vdso_getcpu_init(void) + node = cpu_to_node(cpu); + WARN_ON_ONCE(node > 0xffff); + +- val = (cpu & 0xfff) | ((node & 0xffff) << 16); ++ val = (cpu & 0xffff) | ((node & 0xffff) << 16); + mtspr(SPRN_SPRG_VDSO_WRITE, val); + get_paca()->sprg_vdso = val; + +-- +2.27.0 + diff --git a/queue/pstore-Fix-linking-when-crypto-API-disabled.patch b/queue/pstore-Fix-linking-when-crypto-API-disabled.patch new file mode 100644 index 00000000..e05e26c9 --- /dev/null +++ b/queue/pstore-Fix-linking-when-crypto-API-disabled.patch @@ -0,0 +1,51 @@ +From fd49e03280e596e54edb93a91bc96170f8e97e4a Mon Sep 17 00:00:00 2001 +From: Matteo Croce <mcroce@linux.microsoft.com> +Date: Mon, 6 Jul 2020 19:37:36 -0700 +Subject: [PATCH] pstore: Fix linking when crypto API disabled + +commit fd49e03280e596e54edb93a91bc96170f8e97e4a upstream. + +When building a kernel with CONFIG_PSTORE=y and CONFIG_CRYPTO not set, +a build error happens: + + ld: fs/pstore/platform.o: in function `pstore_dump': + platform.c:(.text+0x3f9): undefined reference to `crypto_comp_compress' + ld: fs/pstore/platform.o: in function `pstore_get_backend_records': + platform.c:(.text+0x784): undefined reference to `crypto_comp_decompress' + +This because some pstore code uses crypto_comp_(de)compress regardless +of the CONFIG_CRYPTO status. Fix it by wrapping the (de)compress usage +by IS_ENABLED(CONFIG_PSTORE_COMPRESS) + +Signed-off-by: Matteo Croce <mcroce@linux.microsoft.com> +Link: https://lore.kernel.org/lkml/20200706234045.9516-1-mcroce@linux.microsoft.com +Fixes: cb3bee0369bc ("pstore: Use crypto compress API") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook <keescook@chromium.org> + +diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c +index a9e297eefdff..36714df37d5d 100644 +--- a/fs/pstore/platform.c ++++ b/fs/pstore/platform.c +@@ -269,6 +269,9 @@ static int pstore_compress(const void *in, void *out, + { + int ret; + ++ if (!IS_ENABLED(CONFIG_PSTORE_COMPRESSION)) ++ return -EINVAL; ++ + ret = crypto_comp_compress(tfm, in, inlen, out, &outlen); + if (ret) { + pr_err("crypto_comp_compress failed, ret = %d!\n", ret); +@@ -668,7 +671,7 @@ static void decompress_record(struct pstore_record *record) + int unzipped_len; + char *unzipped, *workspace; + +- if (!record->compressed) ++ if (!IS_ENABLED(CONFIG_PSTORE_COMPRESSION) || !record->compressed) + return; + + /* Only PSTORE_TYPE_DMESG support compression. */ +-- +2.27.0 + diff --git a/queue/recordmcount-only-record-relocation-of-type-R_AARCH6.patch b/queue/recordmcount-only-record-relocation-of-type-R_AARCH6.patch new file mode 100644 index 00000000..a8a2cbab --- /dev/null +++ b/queue/recordmcount-only-record-relocation-of-type-R_AARCH6.patch @@ -0,0 +1,77 @@ +From ea0eada45632f4807b2f49de951072283e2d781c Mon Sep 17 00:00:00 2001 +From: Gregory Herrero <gregory.herrero@oracle.com> +Date: Fri, 17 Jul 2020 16:33:38 +0200 +Subject: [PATCH] recordmcount: only record relocation of type R_AARCH64_CALL26 + on arm64. + +commit ea0eada45632f4807b2f49de951072283e2d781c upstream. + +Currently, if a section has a relocation to '_mcount' symbol, a new +__mcount_loc entry will be added whatever the relocation type is. +This is problematic when a relocation to '_mcount' is in the middle of a +section and is not a call for ftrace use. + +Such relocation could be generated with below code for example: + bool is_mcount(unsigned long addr) + { + return (target == (unsigned long) &_mcount); + } + +With this snippet of code, ftrace will try to patch the mcount location +generated by this code on module load and fail with: + + Call trace: + ftrace_bug+0xa0/0x28c + ftrace_process_locs+0x2f4/0x430 + ftrace_module_init+0x30/0x38 + load_module+0x14f0/0x1e78 + __do_sys_finit_module+0x100/0x11c + __arm64_sys_finit_module+0x28/0x34 + el0_svc_common+0x88/0x194 + el0_svc_handler+0x38/0x8c + el0_svc+0x8/0xc + ---[ end trace d828d06b36ad9d59 ]--- + ftrace failed to modify + [<ffffa2dbf3a3a41c>] 0xffffa2dbf3a3a41c + actual: 66:a9:3c:90 + Initializing ftrace call sites + ftrace record flags: 2000000 + (0) + expected tramp: ffffa2dc6cf66724 + +So Limit the relocation type to R_AARCH64_CALL26 as in perl version of +recordmcount. + +Fixes: af64d2aa872a ("ftrace: Add arm64 support to recordmcount") +Signed-off-by: Gregory Herrero <gregory.herrero@oracle.com> +Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Link: https://lore.kernel.org/r/20200717143338.19302-1-gregory.herrero@oracle.com +Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> + +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c +index 7225107a9aaf..e59022b3f125 100644 +--- a/scripts/recordmcount.c ++++ b/scripts/recordmcount.c +@@ -434,6 +434,11 @@ static int arm_is_fake_mcount(Elf32_Rel const *rp) + return 1; + } + ++static int arm64_is_fake_mcount(Elf64_Rel const *rp) ++{ ++ return ELF64_R_TYPE(w(rp->r_info)) != R_AARCH64_CALL26; ++} ++ + /* 64-bit EM_MIPS has weird ELF64_Rela.r_info. + * http://techpubs.sgi.com/library/manuals/4000/007-4658-001/pdf/007-4658-001.pdf + * We interpret Table 29 Relocation Operation (Elf64_Rel, Elf64_Rela) [p.40] +@@ -547,6 +552,7 @@ static int do_file(char const *const fname) + make_nop = make_nop_arm64; + rel_type_nop = R_AARCH64_NONE; + ideal_nop = ideal_nop4_arm64; ++ is_fake_mcount64 = arm64_is_fake_mcount; + break; + case EM_IA_64: reltype = R_IA64_IMM64; break; + case EM_MIPS: /* reltype: e_class */ break; +-- +2.27.0 + diff --git a/queue/regulator-fix-memory-leak-on-error-path-of-regulator.patch b/queue/regulator-fix-memory-leak-on-error-path-of-regulator.patch new file mode 100644 index 00000000..e028539e --- /dev/null +++ b/queue/regulator-fix-memory-leak-on-error-path-of-regulator.patch @@ -0,0 +1,111 @@ +From 9177514ce34902b3adb2abd490b6ad05d1cfcb43 Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy <vz@mleia.com> +Date: Fri, 24 Jul 2020 03:50:13 +0300 +Subject: [PATCH] regulator: fix memory leak on error path of + regulator_register() + +commit 9177514ce34902b3adb2abd490b6ad05d1cfcb43 upstream. + +The change corrects registration and deregistration on error path +of a regulator, the problem was manifested by a reported memory +leak on deferred probe: + + as3722-regulator as3722-regulator: regulator 13 register failed -517 + + # cat /sys/kernel/debug/kmemleak + unreferenced object 0xecc43740 (size 64): + comm "swapper/0", pid 1, jiffies 4294937640 (age 712.880s) + hex dump (first 32 bytes): + 72 65 67 75 6c 61 74 6f 72 2e 32 34 00 5a 5a 5a regulator.24.ZZZ + 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ + backtrace: + [<0c4c3d1c>] __kmalloc_track_caller+0x15c/0x2c0 + [<40c0ad48>] kvasprintf+0x64/0xd4 + [<109abd29>] kvasprintf_const+0x70/0x84 + [<c4215946>] kobject_set_name_vargs+0x34/0xa8 + [<62282ea2>] dev_set_name+0x40/0x64 + [<a39b6757>] regulator_register+0x3a4/0x1344 + [<16a9543f>] devm_regulator_register+0x4c/0x84 + [<51a4c6a1>] as3722_regulator_probe+0x294/0x754 + ... + +The memory leak problem was introduced as a side ef another fix in +regulator_register() error path, I believe that the proper fix is +to decouple device_register() function into its two compounds and +initialize a struct device before assigning any values to its fields +and then using it before actual registration of a device happens. + +This lets to call put_device() safely after initialization, and, since +now a release callback is called, kfree(rdev->constraints) shall be +removed to exclude a double free condition. + +Fixes: a3cde9534ebd ("regulator: core: fix regulator_register() error paths to properly release rdev") +Signed-off-by: Vladimir Zapolskiy <vz@mleia.com> +Cc: Wen Yang <wenyang@linux.alibaba.com> +Link: https://lore.kernel.org/r/20200724005013.23278-1-vz@mleia.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 196e344a84d3..75ff7c563c5d 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -5092,7 +5092,6 @@ regulator_register(const struct regulator_desc *regulator_desc, + struct regulator_dev *rdev; + bool dangling_cfg_gpiod = false; + bool dangling_of_gpiod = false; +- bool reg_device_fail = false; + struct device *dev; + int ret, i; + +@@ -5221,10 +5220,12 @@ regulator_register(const struct regulator_desc *regulator_desc, + } + + /* register with sysfs */ ++ device_initialize(&rdev->dev); + rdev->dev.class = ®ulator_class; + rdev->dev.parent = dev; + dev_set_name(&rdev->dev, "regulator.%lu", + (unsigned long) atomic_inc_return(®ulator_no)); ++ dev_set_drvdata(&rdev->dev, rdev); + + /* set regulator constraints */ + if (init_data) +@@ -5275,12 +5276,9 @@ regulator_register(const struct regulator_desc *regulator_desc, + !rdev->desc->fixed_uV) + rdev->is_switch = true; + +- dev_set_drvdata(&rdev->dev, rdev); +- ret = device_register(&rdev->dev); +- if (ret != 0) { +- reg_device_fail = true; ++ ret = device_add(&rdev->dev); ++ if (ret != 0) + goto unset_supplies; +- } + + rdev_init_debugfs(rdev); + +@@ -5302,17 +5300,15 @@ regulator_register(const struct regulator_desc *regulator_desc, + mutex_unlock(®ulator_list_mutex); + wash: + kfree(rdev->coupling_desc.coupled_rdevs); +- kfree(rdev->constraints); + mutex_lock(®ulator_list_mutex); + regulator_ena_gpio_free(rdev); + mutex_unlock(®ulator_list_mutex); ++ put_device(&rdev->dev); ++ rdev = NULL; + clean: + if (dangling_of_gpiod) + gpiod_put(config->ena_gpiod); +- if (reg_device_fail) +- put_device(&rdev->dev); +- else +- kfree(rdev); ++ kfree(rdev); + kfree(config); + rinse: + if (dangling_cfg_gpiod) +-- +2.27.0 + diff --git a/queue/rtw88-coex-only-skip-coex-triggered-by-BT-info.patch b/queue/rtw88-coex-only-skip-coex-triggered-by-BT-info.patch new file mode 100644 index 00000000..a00d4168 --- /dev/null +++ b/queue/rtw88-coex-only-skip-coex-triggered-by-BT-info.patch @@ -0,0 +1,44 @@ +From 3f194bd4ca1cd9b8eef34d37d562279dbeb80319 Mon Sep 17 00:00:00 2001 +From: Yan-Hsuan Chuang <yhchuang@realtek.com> +Date: Fri, 17 Jul 2020 14:49:34 +0800 +Subject: [PATCH] rtw88: coex: only skip coex triggered by BT info + +commit 3f194bd4ca1cd9b8eef34d37d562279dbeb80319 upstream. + +The coex mechanism used to skip upon the freeze flag is raised. +That will cause the coex mechanism being skipped unexpectedly. +Coex only wanted to keep the TDMA table from being changed by +BT side. + +So, check the freeze and reason, if the coex reason is coming +from BT info, skip it, to make sure the coex triggered by Wifi +itself can work. + +This is required for the AP mode, while the control flow is +different with STA mode. When starting an AP mode, the AP mode +needs to start working immedaitely after leaving IPS, and the +freeze flag could be raised. If the coex info is skipped, then +the AP mode will not set the antenna owner, leads to TX stuck. + +Fixes: 4136214f7c46 ("rtw88: add BT co-existence support") +Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200717064937.27966-5-yhchuang@realtek.com + +diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c +index 3abae32341c4..aa08fd7d9fcd 100644 +--- a/drivers/net/wireless/realtek/rtw88/coex.c ++++ b/drivers/net/wireless/realtek/rtw88/coex.c +@@ -1962,7 +1962,8 @@ static void rtw_coex_run_coex(struct rtw_dev *rtwdev, u8 reason) + if (coex_stat->wl_under_ips) + return; + +- if (coex->freeze && !coex_stat->bt_setup_link) ++ if (coex->freeze && coex_dm->reason == COEX_RSN_BTINFO && ++ !coex_stat->bt_setup_link) + return; + + coex_stat->cnt_wl[COEX_CNT_WL_COEXRUN]++; +-- +2.27.0 + diff --git a/queue/rtw88-fix-LDPC-field-for-RA-info.patch b/queue/rtw88-fix-LDPC-field-for-RA-info.patch new file mode 100644 index 00000000..7e884d68 --- /dev/null +++ b/queue/rtw88-fix-LDPC-field-for-RA-info.patch @@ -0,0 +1,33 @@ +From ae44fa993e8e6c1a1d22e5ca03d9eadd53b2745b Mon Sep 17 00:00:00 2001 +From: Tsang-Shian Lin <thlin@realtek.com> +Date: Fri, 17 Jul 2020 14:49:31 +0800 +Subject: [PATCH] rtw88: fix LDPC field for RA info + +commit ae44fa993e8e6c1a1d22e5ca03d9eadd53b2745b upstream. + +Convert the type of LDPC field to boolen because +LDPC field of RA info H2C command to firmware +is only one bit. + +Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") +Signed-off-by: Tsang-Shian Lin <thlin@realtek.com> +Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200717064937.27966-2-yhchuang@realtek.com + +diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c +index 6478fd7a78f6..13e79482f6d5 100644 +--- a/drivers/net/wireless/realtek/rtw88/fw.c ++++ b/drivers/net/wireless/realtek/rtw88/fw.c +@@ -456,7 +456,7 @@ void rtw_fw_send_ra_info(struct rtw_dev *rtwdev, struct rtw_sta_info *si) + SET_RA_INFO_INIT_RA_LVL(h2c_pkt, si->init_ra_lv); + SET_RA_INFO_SGI_EN(h2c_pkt, si->sgi_enable); + SET_RA_INFO_BW_MODE(h2c_pkt, si->bw_mode); +- SET_RA_INFO_LDPC(h2c_pkt, si->ldpc_en); ++ SET_RA_INFO_LDPC(h2c_pkt, !!si->ldpc_en); + SET_RA_INFO_NO_UPDATE(h2c_pkt, no_update); + SET_RA_INFO_VHT_EN(h2c_pkt, si->vht_enable); + SET_RA_INFO_DIS_PT(h2c_pkt, disable_pt); +-- +2.27.0 + diff --git a/queue/rtw88-fix-short-GI-capability-based-on-current-bandw.patch b/queue/rtw88-fix-short-GI-capability-based-on-current-bandw.patch new file mode 100644 index 00000000..36729b12 --- /dev/null +++ b/queue/rtw88-fix-short-GI-capability-based-on-current-bandw.patch @@ -0,0 +1,75 @@ +From 4dd86b901d1373ef8446ecb50a7ca009f3475211 Mon Sep 17 00:00:00 2001 +From: Tsang-Shian Lin <thlin@realtek.com> +Date: Fri, 17 Jul 2020 14:49:32 +0800 +Subject: [PATCH] rtw88: fix short GI capability based on current bandwidth + +commit 4dd86b901d1373ef8446ecb50a7ca009f3475211 upstream. + +Fix the transmission is not sent with short GI under +some conditions even if the receiver supports short GI. +If VHT capability IE exists in the beacon, the original +code uses the short GI for 80M field as driver's short GI +setting for transmission, even the current bandwidth is +not 80MHz. + +Short GI supported fields for 20M/40M are informed in HT +capability information element, and short GI supported +field for 80M is informed in VHT capability information +element. + +These three fields may be set to different values. +Driver needs to record each short GI support field for +each bandwidth, and send correct info depends on current +bandwidth to the WiFi firmware. + +Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") +Signed-off-by: Tsang-Shian Lin <thlin@realtek.com> +Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200717064937.27966-3-yhchuang@realtek.com + +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index 7304e8bc5e31..54044abf30d7 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -722,8 +722,6 @@ void rtw_update_sta_info(struct rtw_dev *rtwdev, struct rtw_sta_info *si) + stbc_en = VHT_STBC_EN; + if (sta->vht_cap.cap & IEEE80211_VHT_CAP_RXLDPC) + ldpc_en = VHT_LDPC_EN; +- if (sta->vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_80) +- is_support_sgi = true; + } else if (sta->ht_cap.ht_supported) { + ra_mask |= (sta->ht_cap.mcs.rx_mask[1] << 20) | + (sta->ht_cap.mcs.rx_mask[0] << 12); +@@ -731,9 +729,6 @@ void rtw_update_sta_info(struct rtw_dev *rtwdev, struct rtw_sta_info *si) + stbc_en = HT_STBC_EN; + if (sta->ht_cap.cap & IEEE80211_HT_CAP_LDPC_CODING) + ldpc_en = HT_LDPC_EN; +- if (sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_20 || +- sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_40) +- is_support_sgi = true; + } + + if (efuse->hw_cap.nss == 1) +@@ -775,12 +770,18 @@ void rtw_update_sta_info(struct rtw_dev *rtwdev, struct rtw_sta_info *si) + switch (sta->bandwidth) { + case IEEE80211_STA_RX_BW_80: + bw_mode = RTW_CHANNEL_WIDTH_80; ++ is_support_sgi = sta->vht_cap.vht_supported && ++ (sta->vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_80); + break; + case IEEE80211_STA_RX_BW_40: + bw_mode = RTW_CHANNEL_WIDTH_40; ++ is_support_sgi = sta->ht_cap.ht_supported && ++ (sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_40); + break; + default: + bw_mode = RTW_CHANNEL_WIDTH_20; ++ is_support_sgi = sta->ht_cap.ht_supported && ++ (sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_20); + break; + } + +-- +2.27.0 + diff --git a/queue/s390-dasd-fix-inability-to-use-DASD-with-DIAG-driver.patch b/queue/s390-dasd-fix-inability-to-use-DASD-with-DIAG-driver.patch new file mode 100644 index 00000000..d93d8ede --- /dev/null +++ b/queue/s390-dasd-fix-inability-to-use-DASD-with-DIAG-driver.patch @@ -0,0 +1,103 @@ +From 9f4aa52387c68049403b59939df5c0dd8e3872cc Mon Sep 17 00:00:00 2001 +From: Stefan Haberland <sth@linux.ibm.com> +Date: Tue, 14 Jul 2020 22:03:26 +0200 +Subject: [PATCH] s390/dasd: fix inability to use DASD with DIAG driver + +commit 9f4aa52387c68049403b59939df5c0dd8e3872cc upstream. + +During initialization of the DASD DIAG driver a request is issued +that has a bio structure that resides on the stack. With virtually +mapped kernel stacks this bio address might be in virtual storage +which is unsuitable for usage with the diag250 call. +In this case the device can not be set online using the DIAG +discipline and fails with -EOPNOTSUP. +In the system journal the following error message is presented: + +dasd: X.X.XXXX Setting the DASD online with discipline DIAG failed +with rc=-95 + +Fix by allocating the bio structure instead of having it on the stack. + +Fixes: ce3dc447493f ("s390: add support for virtually mapped kernel stacks") +Signed-off-by: Stefan Haberland <sth@linux.ibm.com> +Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com> +Cc: stable@vger.kernel.org #4.20 +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/drivers/s390/block/dasd_diag.c b/drivers/s390/block/dasd_diag.c +index facb588d09e4..069d6b39cacf 100644 +--- a/drivers/s390/block/dasd_diag.c ++++ b/drivers/s390/block/dasd_diag.c +@@ -319,7 +319,7 @@ dasd_diag_check_device(struct dasd_device *device) + struct dasd_diag_characteristics *rdc_data; + struct vtoc_cms_label *label; + struct dasd_block *block; +- struct dasd_diag_bio bio; ++ struct dasd_diag_bio *bio; + unsigned int sb, bsize; + blocknum_t end_block; + int rc; +@@ -395,29 +395,36 @@ dasd_diag_check_device(struct dasd_device *device) + rc = -ENOMEM; + goto out; + } ++ bio = kzalloc(sizeof(*bio), GFP_KERNEL); ++ if (bio == NULL) { ++ DBF_DEV_EVENT(DBF_WARNING, device, "%s", ++ "No memory to allocate initialization bio"); ++ rc = -ENOMEM; ++ goto out_label; ++ } + rc = 0; + end_block = 0; + /* try all sizes - needed for ECKD devices */ + for (bsize = 512; bsize <= PAGE_SIZE; bsize <<= 1) { + mdsk_init_io(device, bsize, 0, &end_block); +- memset(&bio, 0, sizeof (struct dasd_diag_bio)); +- bio.type = MDSK_READ_REQ; +- bio.block_number = private->pt_block + 1; +- bio.buffer = label; ++ memset(bio, 0, sizeof(*bio)); ++ bio->type = MDSK_READ_REQ; ++ bio->block_number = private->pt_block + 1; ++ bio->buffer = label; + memset(&private->iob, 0, sizeof (struct dasd_diag_rw_io)); + private->iob.dev_nr = rdc_data->dev_nr; + private->iob.key = 0; + private->iob.flags = 0; /* do synchronous io */ + private->iob.block_count = 1; + private->iob.interrupt_params = 0; +- private->iob.bio_list = &bio; ++ private->iob.bio_list = bio; + private->iob.flaga = DASD_DIAG_FLAGA_DEFAULT; + rc = dia250(&private->iob, RW_BIO); + if (rc == 3) { + pr_warn("%s: A 64-bit DIAG call failed\n", + dev_name(&device->cdev->dev)); + rc = -EOPNOTSUPP; +- goto out_label; ++ goto out_bio; + } + mdsk_term_io(device); + if (rc == 0) +@@ -427,7 +434,7 @@ dasd_diag_check_device(struct dasd_device *device) + pr_warn("%s: Accessing the DASD failed because of an incorrect format (rc=%d)\n", + dev_name(&device->cdev->dev), rc); + rc = -EIO; +- goto out_label; ++ goto out_bio; + } + /* check for label block */ + if (memcmp(label->label_id, DASD_DIAG_CMS1, +@@ -457,6 +464,8 @@ dasd_diag_check_device(struct dasd_device *device) + (rc == 4) ? ", read-only device" : ""); + rc = 0; + } ++out_bio: ++ kfree(bio); + out_label: + free_page((long) label); + out: +-- +2.27.0 + diff --git a/queue/s390-gmap-improve-THP-splitting.patch b/queue/s390-gmap-improve-THP-splitting.patch new file mode 100644 index 00000000..74d34eb6 --- /dev/null +++ b/queue/s390-gmap-improve-THP-splitting.patch @@ -0,0 +1,77 @@ +From ba925fa35057a062ac98c3e8138b013ce4ce351c Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer <gerald.schaefer@linux.ibm.com> +Date: Wed, 29 Jul 2020 22:22:34 +0200 +Subject: [PATCH] s390/gmap: improve THP splitting + +commit ba925fa35057a062ac98c3e8138b013ce4ce351c upstream. + +During s390_enable_sie(), we need to take care of splitting all qemu user +process THP mappings. This is currently done with follow_page(FOLL_SPLIT), +by simply iterating over all vma ranges, with PAGE_SIZE increment. + +This logic is sub-optimal and can result in a lot of unnecessary overhead, +especially when using qemu and ASAN with large shadow map. Ilya reported +significant system slow-down with one CPU busy for a long time and overall +unresponsiveness. + +Fix this by using walk_page_vma() and directly calling split_huge_pmd() +only for present pmds, which greatly reduces overhead. + +Cc: <stable@vger.kernel.org> # v5.4+ +Reported-by: Ilya Leoshkevich <iii@linux.ibm.com> +Tested-by: Ilya Leoshkevich <iii@linux.ibm.com> +Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> +Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> +Signed-off-by: Heiko Carstens <hca@linux.ibm.com> + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index 190357ff86b3..46c1bf2a3b4b 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -2485,23 +2485,36 @@ void gmap_sync_dirty_log_pmd(struct gmap *gmap, unsigned long bitmap[4], + } + EXPORT_SYMBOL_GPL(gmap_sync_dirty_log_pmd); + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE ++static int thp_split_walk_pmd_entry(pmd_t *pmd, unsigned long addr, ++ unsigned long end, struct mm_walk *walk) ++{ ++ struct vm_area_struct *vma = walk->vma; ++ ++ split_huge_pmd(vma, pmd, addr); ++ return 0; ++} ++ ++static const struct mm_walk_ops thp_split_walk_ops = { ++ .pmd_entry = thp_split_walk_pmd_entry, ++}; ++ + static inline void thp_split_mm(struct mm_struct *mm) + { +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE + struct vm_area_struct *vma; +- unsigned long addr; + + for (vma = mm->mmap; vma != NULL; vma = vma->vm_next) { +- for (addr = vma->vm_start; +- addr < vma->vm_end; +- addr += PAGE_SIZE) +- follow_page(vma, addr, FOLL_SPLIT); + vma->vm_flags &= ~VM_HUGEPAGE; + vma->vm_flags |= VM_NOHUGEPAGE; ++ walk_page_vma(vma, &thp_split_walk_ops, NULL); + } + mm->def_flags |= VM_NOHUGEPAGE; +-#endif + } ++#else ++static inline void thp_split_mm(struct mm_struct *mm) ++{ ++} ++#endif /* CONFIG_TRANSPARENT_HUGEPAGE */ + + /* + * Remove all empty zero pages from the mapping for lazy refaulting +-- +2.27.0 + diff --git a/queue/s390-qeth-don-t-process-empty-bridge-port-events.patch b/queue/s390-qeth-don-t-process-empty-bridge-port-events.patch new file mode 100644 index 00000000..4fb2ee55 --- /dev/null +++ b/queue/s390-qeth-don-t-process-empty-bridge-port-events.patch @@ -0,0 +1,34 @@ +From 02472e28b9a45471c6d8729ff2c7422baa9be46a Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann <jwi@linux.ibm.com> +Date: Thu, 30 Jul 2020 17:01:20 +0200 +Subject: [PATCH] s390/qeth: don't process empty bridge port events + +commit 02472e28b9a45471c6d8729ff2c7422baa9be46a upstream. + +Discard events that don't contain any entries. This shouldn't happen, +but subsequent code relies on being able to use entry 0. So better +be safe than accessing garbage. + +Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control") +Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> +Reviewed-by: Alexandra Winter <wintera@linux.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index 38e97bbde9ed..8b342a88ff5c 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -1140,6 +1140,10 @@ static void qeth_bridge_state_change(struct qeth_card *card, + int extrasize; + + QETH_CARD_TEXT(card, 2, "brstchng"); ++ if (qports->num_entries == 0) { ++ QETH_CARD_TEXT(card, 2, "BPempty"); ++ return; ++ } + if (qports->entry_length != sizeof(struct qeth_sbp_port_entry)) { + QETH_CARD_TEXT_(card, 2, "BPsz%04x", qports->entry_length); + return; +-- +2.27.0 + diff --git a/queue/sched-correct-SD_flags-returned-by-tl-sd_flags.patch b/queue/sched-correct-SD_flags-returned-by-tl-sd_flags.patch new file mode 100644 index 00000000..844fcaf3 --- /dev/null +++ b/queue/sched-correct-SD_flags-returned-by-tl-sd_flags.patch @@ -0,0 +1,34 @@ +From 9b1b234bb86bcdcdb142e900d39b599185465dbb Mon Sep 17 00:00:00 2001 +From: Peng Liu <iwtbavbm@gmail.com> +Date: Tue, 9 Jun 2020 23:09:36 +0800 +Subject: [PATCH] sched: correct SD_flags returned by tl->sd_flags() + +commit 9b1b234bb86bcdcdb142e900d39b599185465dbb upstream. + +During sched domain init, we check whether non-topological SD_flags are +returned by tl->sd_flags(), if found, fire a waning and correct the +violation, but the code failed to correct the violation. Correct this. + +Fixes: 143e1e28cb40 ("sched: Rework sched_domain topology definition") +Signed-off-by: Peng Liu <iwtbavbm@gmail.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org> +Reviewed-by: Valentin Schneider <valentin.schneider@arm.com> +Link: https://lkml.kernel.org/r/20200609150936.GA13060@iZj6chx1xj0e0buvshuecpZ + +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index ba81187bb7af..9079d865a935 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -1328,7 +1328,7 @@ sd_init(struct sched_domain_topology_level *tl, + sd_flags = (*tl->sd_flags)(); + if (WARN_ONCE(sd_flags & ~TOPOLOGY_SD_FLAGS, + "wrong sd_flags in topology description\n")) +- sd_flags &= ~TOPOLOGY_SD_FLAGS; ++ sd_flags &= TOPOLOGY_SD_FLAGS; + + /* Apply detected topology flags */ + sd_flags |= dflags; +-- +2.27.0 + diff --git a/queue/sched-fair-Fix-NOHZ-next-idle-balance.patch b/queue/sched-fair-Fix-NOHZ-next-idle-balance.patch new file mode 100644 index 00000000..857dc942 --- /dev/null +++ b/queue/sched-fair-Fix-NOHZ-next-idle-balance.patch @@ -0,0 +1,80 @@ +From 3ea2f097b17e13a8280f1f9386c331b326a3dbef Mon Sep 17 00:00:00 2001 +From: Vincent Guittot <vincent.guittot@linaro.org> +Date: Tue, 9 Jun 2020 14:37:48 +0200 +Subject: [PATCH] sched/fair: Fix NOHZ next idle balance + +commit 3ea2f097b17e13a8280f1f9386c331b326a3dbef upstream. + +With commit: + 'b7031a02ec75 ("sched/fair: Add NOHZ_STATS_KICK")' +rebalance_domains of the local cfs_rq happens before others idle cpus have +updated nohz.next_balance and its value is overwritten. + +Move the update of nohz.next_balance for other idles cpus before balancing +and updating the next_balance of local cfs_rq. + +Also, the nohz.next_balance is now updated only if all idle cpus got a +chance to rebalance their domains and the idle balance has not been aborted +because of new activities on the CPU. In case of need_resched, the idle +load balance will be kick the next jiffie in order to address remaining +ilb. + +Fixes: b7031a02ec75 ("sched/fair: Add NOHZ_STATS_KICK") +Reported-by: Peng Liu <iwtbavbm@gmail.com> +Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Reviewed-by: Valentin Schneider <valentin.schneider@arm.com> +Acked-by: Mel Gorman <mgorman@suse.de> +Link: https://lkml.kernel.org/r/20200609123748.18636-1-vincent.guittot@linaro.org + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index a785a9b262dd..295c9ffa850b 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -10022,7 +10022,12 @@ static void kick_ilb(unsigned int flags) + { + int ilb_cpu; + +- nohz.next_balance++; ++ /* ++ * Increase nohz.next_balance only when if full ilb is triggered but ++ * not if we only update stats. ++ */ ++ if (flags & NOHZ_BALANCE_KICK) ++ nohz.next_balance = jiffies+1; + + ilb_cpu = find_new_ilb(); + +@@ -10343,6 +10348,14 @@ static bool _nohz_idle_balance(struct rq *this_rq, unsigned int flags, + } + } + ++ /* ++ * next_balance will be updated only when there is a need. ++ * When the CPU is attached to null domain for ex, it will not be ++ * updated. ++ */ ++ if (likely(update_next_balance)) ++ nohz.next_balance = next_balance; ++ + /* Newly idle CPU doesn't need an update */ + if (idle != CPU_NEWLY_IDLE) { + update_blocked_averages(this_cpu); +@@ -10363,14 +10376,6 @@ static bool _nohz_idle_balance(struct rq *this_rq, unsigned int flags, + if (has_blocked_load) + WRITE_ONCE(nohz.has_blocked, 1); + +- /* +- * next_balance will be updated only when there is a need. +- * When the CPU is attached to null domain for ex, it will not be +- * updated. +- */ +- if (likely(update_next_balance)) +- nohz.next_balance = next_balance; +- + return ret; + } + +-- +2.27.0 + diff --git a/queue/sched-uclamp-Fix-initialization-of-struct-uclamp_rq.patch b/queue/sched-uclamp-Fix-initialization-of-struct-uclamp_rq.patch new file mode 100644 index 00000000..e3e72336 --- /dev/null +++ b/queue/sched-uclamp-Fix-initialization-of-struct-uclamp_rq.patch @@ -0,0 +1,69 @@ +From d81ae8aac85ca2e307d273f6dc7863a721bf054e Mon Sep 17 00:00:00 2001 +From: Qais Yousef <qais.yousef@arm.com> +Date: Tue, 30 Jun 2020 12:21:22 +0100 +Subject: [PATCH] sched/uclamp: Fix initialization of struct uclamp_rq + +commit d81ae8aac85ca2e307d273f6dc7863a721bf054e upstream. + +struct uclamp_rq was zeroed out entirely in assumption that in the first +call to uclamp_rq_inc() they'd be initialized correctly in accordance to +default settings. + +But when next patch introduces a static key to skip +uclamp_rq_{inc,dec}() until userspace opts in to use uclamp, schedutil +will fail to perform any frequency changes because the +rq->uclamp[UCLAMP_MAX].value is zeroed at init and stays as such. Which +means all rqs are capped to 0 by default. + +Fix it by making sure we do proper initialization at init without +relying on uclamp_rq_inc() doing it later. + +Fixes: 69842cba9ace ("sched/uclamp: Add CPU's clamp buckets refcounting") +Signed-off-by: Qais Yousef <qais.yousef@arm.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Reviewed-by: Valentin Schneider <valentin.schneider@arm.com> +Tested-by: Lukasz Luba <lukasz.luba@arm.com> +Link: https://lkml.kernel.org/r/20200630112123.12076-2-qais.yousef@arm.com + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 15c980af63db..9605db70e671 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -1239,6 +1239,20 @@ static void uclamp_fork(struct task_struct *p) + } + } + ++static void __init init_uclamp_rq(struct rq *rq) ++{ ++ enum uclamp_id clamp_id; ++ struct uclamp_rq *uc_rq = rq->uclamp; ++ ++ for_each_clamp_id(clamp_id) { ++ uc_rq[clamp_id] = (struct uclamp_rq) { ++ .value = uclamp_none(clamp_id) ++ }; ++ } ++ ++ rq->uclamp_flags = 0; ++} ++ + static void __init init_uclamp(void) + { + struct uclamp_se uc_max = {}; +@@ -1247,11 +1261,8 @@ static void __init init_uclamp(void) + + mutex_init(&uclamp_mutex); + +- for_each_possible_cpu(cpu) { +- memset(&cpu_rq(cpu)->uclamp, 0, +- sizeof(struct uclamp_rq)*UCLAMP_CNT); +- cpu_rq(cpu)->uclamp_flags = 0; +- } ++ for_each_possible_cpu(cpu) ++ init_uclamp_rq(cpu_rq(cpu)); + + for_each_clamp_id(clamp_id) { + uclamp_se_set(&init_task.uclamp_req[clamp_id], +-- +2.27.0 + diff --git a/queue/scsi-cumana_2-Fix-different-dev_id-between-request_i.patch b/queue/scsi-cumana_2-Fix-different-dev_id-between-request_i.patch new file mode 100644 index 00000000..26ff2462 --- /dev/null +++ b/queue/scsi-cumana_2-Fix-different-dev_id-between-request_i.patch @@ -0,0 +1,33 @@ +From 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Date: Thu, 25 Jun 2020 22:47:30 +0200 +Subject: [PATCH] scsi: cumana_2: Fix different dev_id between request_irq() + and free_irq() + +commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d upstream. + +The dev_id used in request_irq() and free_irq() should match. Use 'info' +in both cases. + +Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Acked-by: Russell King <rmk+kernel@armlinux.org.uk> +Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c +index 65691c21f133..29294f0ef8a9 100644 +--- a/drivers/scsi/arm/cumana_2.c ++++ b/drivers/scsi/arm/cumana_2.c +@@ -450,7 +450,7 @@ static int cumanascsi2_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +-- +2.27.0 + diff --git a/queue/scsi-eesox-Fix-different-dev_id-between-request_irq-.patch b/queue/scsi-eesox-Fix-different-dev_id-between-request_irq-.patch new file mode 100644 index 00000000..613c12e1 --- /dev/null +++ b/queue/scsi-eesox-Fix-different-dev_id-between-request_irq-.patch @@ -0,0 +1,32 @@ +From 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Date: Fri, 26 Jun 2020 06:05:53 +0200 +Subject: [PATCH] scsi: eesox: Fix different dev_id between request_irq() and + free_irq() + +commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 upstream. + +The dev_id used in request_irq() and free_irq() should match. Use 'info' in +both cases. + +Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c +index 6e204a2e0c8d..591ae2a6dd74 100644 +--- a/drivers/scsi/arm/eesox.c ++++ b/drivers/scsi/arm/eesox.c +@@ -571,7 +571,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id) + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_remove: + fas216_remove(host); +-- +2.27.0 + diff --git a/queue/scsi-megaraid_sas-Clear-affinity-hint.patch b/queue/scsi-megaraid_sas-Clear-affinity-hint.patch new file mode 100644 index 00000000..85ec8e35 --- /dev/null +++ b/queue/scsi-megaraid_sas-Clear-affinity-hint.patch @@ -0,0 +1,47 @@ +From 1eb81df5c53b1e785fdef298d533feab991381e4 Mon Sep 17 00:00:00 2001 +From: Tomas Henzl <thenzl@redhat.com> +Date: Thu, 9 Jul 2020 15:31:44 +0200 +Subject: [PATCH] scsi: megaraid_sas: Clear affinity hint + +commit 1eb81df5c53b1e785fdef298d533feab991381e4 upstream. + +To avoid a warning in free_irq, clear the affinity hint. + +Link: https://lore.kernel.org/r/20200709133144.8363-1-thenzl@redhat.com +Fixes: f0b9e7bdc309 ("scsi: megaraid_sas: Set affinity for high IOPS reply queues") +Acked-by: Sumit Saxena <sumit.saxena@broadcom.com> +Signed-off-by: Tomas Henzl <thenzl@redhat.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 8038467e446d..861f7140f52e 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -5610,9 +5610,13 @@ megasas_setup_irqs_msix(struct megasas_instance *instance, u8 is_probe) + &instance->irq_context[i])) { + dev_err(&instance->pdev->dev, + "Failed to register IRQ for vector %d.\n", i); +- for (j = 0; j < i; j++) ++ for (j = 0; j < i; j++) { ++ if (j < instance->low_latency_index_start) ++ irq_set_affinity_hint( ++ pci_irq_vector(pdev, j), NULL); + free_irq(pci_irq_vector(pdev, j), + &instance->irq_context[j]); ++ } + /* Retry irq register for IO_APIC*/ + instance->msix_vectors = 0; + instance->msix_load_balance = false; +@@ -5650,6 +5654,9 @@ megasas_destroy_irqs(struct megasas_instance *instance) { + + if (instance->msix_vectors) + for (i = 0; i < instance->msix_vectors; i++) { ++ if (i < instance->low_latency_index_start) ++ irq_set_affinity_hint( ++ pci_irq_vector(instance->pdev, i), NULL); + free_irq(pci_irq_vector(instance->pdev, i), + &instance->irq_context[i]); + } +-- +2.27.0 + diff --git a/queue/scsi-mesh-Fix-panic-after-host-or-bus-reset.patch b/queue/scsi-mesh-Fix-panic-after-host-or-bus-reset.patch new file mode 100644 index 00000000..7eddba2d --- /dev/null +++ b/queue/scsi-mesh-Fix-panic-after-host-or-bus-reset.patch @@ -0,0 +1,103 @@ +From edd7dd2292ab9c3628b65c4d04514c3068ad54f6 Mon Sep 17 00:00:00 2001 +From: Finn Thain <fthain@telegraphics.com.au> +Date: Thu, 23 Jul 2020 09:25:51 +1000 +Subject: [PATCH] scsi: mesh: Fix panic after host or bus reset + +commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 upstream. + +Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus +results in EH measures and a panic: + +[ 25.499838] mesh: configured for synchronous 5 MB/s +[ 25.787154] mesh: performing initial bus reset... +[ 29.867115] scsi host0: MESH +[ 29.929527] mesh: target 0 synchronous at 3.6 MB/s +[ 29.998763] scsi 0:0:0:0: Direct-Access CONNER CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS +[ 31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB) +[ 32.070975] sd 0:0:0:0: [sda] Write Protect is off +[ 32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08 +[ 32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA +[ 32.332708] sda: [mac] sda1 sda2 sda3 +[ 32.417733] sd 0:0:0:0: [sda] Attached SCSI disk +... snip ... +[ 76.687067] mesh_abort((ptrval)) +[ 76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) +[ 76.810798] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 +[ 76.880720] dma stat=84e0 cmdptr=1f73d000 +[ 76.941387] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 +[ 77.005567] dma_st=1 dma_ct=0 n_msgout=0 +[ 77.065456] target 0: req=(ptrval) goes_out=0 saved_ptr=0 +[ 77.130512] mesh_abort((ptrval)) +[ 77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) +[ 77.255594] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 +[ 77.325778] dma stat=84e0 cmdptr=1f73d000 +[ 77.387239] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 +[ 77.453665] dma_st=1 dma_ct=0 n_msgout=0 +[ 77.515900] target 0: req=(ptrval) goes_out=0 saved_ptr=0 +[ 77.582902] mesh_host_reset +[ 88.187083] Kernel panic - not syncing: mesh: double DMA start ! +[ 88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1 +[ 88.323302] Call Trace: +[ 88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable) +[ 88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414 +[ 88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70 +[ 88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384 +[ 88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8 +[ 88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178 +[ 88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8 +[ 88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520 +[ 88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8 +[ 88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c +[ 89.044112] Rebooting in 180 seconds.. + +In theory, a panic can happen after a bus or host reset with dma_started +flag set. Fix this by halting the DMA before reinitializing the host. +Don't assume that ms->current_req is set when halt_dma() is invoked as it +may not hold for bus or host reset. + +BTW, this particular Conner drive can be made to work by inhibiting +disconnect/reselect with 'mesh.resel_targets=0'. + +Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: Paul Mackerras <paulus@ozlabs.org> +Reported-and-tested-by: Stan Johnson <userm57@yahoo.com> +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/scsi/mesh.c b/drivers/scsi/mesh.c +index f9f8f4921654..fd1d03064079 100644 +--- a/drivers/scsi/mesh.c ++++ b/drivers/scsi/mesh.c +@@ -1045,6 +1045,8 @@ static void handle_error(struct mesh_state *ms) + while ((in_8(&mr->bus_status1) & BS1_RST) != 0) + udelay(1); + printk("done\n"); ++ if (ms->dma_started) ++ halt_dma(ms); + handle_reset(ms); + /* request_q is empty, no point in mesh_start() */ + return; +@@ -1357,7 +1359,8 @@ static void halt_dma(struct mesh_state *ms) + ms->conn_tgt, ms->data_ptr, scsi_bufflen(cmd), + ms->tgts[ms->conn_tgt].data_goes_out); + } +- scsi_dma_unmap(cmd); ++ if (cmd) ++ scsi_dma_unmap(cmd); + ms->dma_started = 0; + } + +@@ -1712,6 +1715,9 @@ static int mesh_host_reset(struct scsi_cmnd *cmd) + + spin_lock_irqsave(ms->host->host_lock, flags); + ++ if (ms->dma_started) ++ halt_dma(ms); ++ + /* Reset the controller & dbdma channel */ + out_le32(&md->control, (RUN|PAUSE|FLUSH|WAKE) << 16); /* stop dma */ + out_8(&mr->exception, 0xff); /* clear all exception bits */ +-- +2.27.0 + diff --git a/queue/scsi-powertec-Fix-different-dev_id-between-request_i.patch b/queue/scsi-powertec-Fix-different-dev_id-between-request_i.patch new file mode 100644 index 00000000..6a54ace7 --- /dev/null +++ b/queue/scsi-powertec-Fix-different-dev_id-between-request_i.patch @@ -0,0 +1,32 @@ +From d179f7c763241c1dc5077fca88ddc3c47d21b763 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Date: Fri, 26 Jun 2020 05:59:48 +0200 +Subject: [PATCH] scsi: powertec: Fix different dev_id between request_irq() + and free_irq() + +commit d179f7c763241c1dc5077fca88ddc3c47d21b763 upstream. + +The dev_id used in request_irq() and free_irq() should match. Use 'info' in +both cases. + +Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/scsi/arm/powertec.c b/drivers/scsi/arm/powertec.c +index 772a13e5fd91..d99ef014528e 100644 +--- a/drivers/scsi/arm/powertec.c ++++ b/drivers/scsi/arm/powertec.c +@@ -378,7 +378,7 @@ static int powertecscsi_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +-- +2.27.0 + diff --git a/queue/scsi-scsi_debug-Add-check-for-sdebug_max_queue-durin.patch b/queue/scsi-scsi_debug-Add-check-for-sdebug_max_queue-durin.patch new file mode 100644 index 00000000..795be387 --- /dev/null +++ b/queue/scsi-scsi_debug-Add-check-for-sdebug_max_queue-durin.patch @@ -0,0 +1,87 @@ +From c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb Mon Sep 17 00:00:00 2001 +From: John Garry <john.garry@huawei.com> +Date: Thu, 9 Jul 2020 20:23:19 +0800 +Subject: [PATCH] scsi: scsi_debug: Add check for sdebug_max_queue during + module init + +commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb upstream. + +sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like +this can be triggered by passing an out-of-range value: + +Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 + pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--) + pc : schedule_resp+0x2a4/0xa70 [scsi_debug] + lr : schedule_resp+0x52c/0xa70 [scsi_debug] + sp : ffff800022ab36f0 + x29: ffff800022ab36f0 x28: ffff0023a935a610 + x27: ffff800008e0a648 x26: 0000000000000003 + x25: ffff0023e84f3200 x24: 00000000003d0900 + x23: 0000000000000000 x22: 0000000000000000 + x21: ffff0023be60a320 x20: ffff0023be60b538 + x19: ffff800008e13000 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 + x15: 0000000000000000 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000000 + x9 : 0000000000000001 x8 : 0000000000000000 + x7 : 0000000000000000 x6 : 00000000000000c1 + x5 : 0000020000200000 x4 : dead0000000000ff + x3 : 0000000000000200 x2 : 0000000000000200 + x1 : ffff800008e13d88 x0 : 0000000000000000 + Call trace: +schedule_resp+0x2a4/0xa70 [scsi_debug] +scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug] +scsi_queue_rq+0x698/0x840 +__blk_mq_try_issue_directly+0x108/0x228 +blk_mq_request_issue_directly+0x58/0x98 +blk_mq_try_issue_list_directly+0x5c/0xf0 +blk_mq_sched_insert_requests+0x18c/0x200 +blk_mq_flush_plug_list+0x11c/0x190 +blk_flush_plug_list+0xdc/0x110 +blk_finish_plug+0x38/0x210 +blkdev_direct_IO+0x450/0x4d8 +generic_file_read_iter+0x84/0x180 +blkdev_read_iter+0x3c/0x50 +aio_read+0xc0/0x170 +io_submit_one+0x5c8/0xc98 +__arm64_sys_io_submit+0x1b0/0x258 +el0_svc_common.constprop.3+0x68/0x170 +do_el0_svc+0x24/0x90 +el0_sync_handler+0x13c/0x1a8 +el0_sync+0x158/0x180 + Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340) + +In addition, it should not be less than 1. + +So add checks for these, and fail the module init for those cases. + +[mkp: changed if condition to match error message] + +Link: https://lore.kernel.org/r/1594297400-24756-2-git-send-email-john.garry@huawei.com +Fixes: c483739430f1 ("scsi_debug: add multiple queue support") +Reviewed-by: Ming Lei <ming.lei@redhat.com> +Acked-by: Douglas Gilbert <dgilbert@interlog.com> +Signed-off-by: John Garry <john.garry@huawei.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index 4692f5b6ad13..dc8fd6400e40 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -6613,6 +6613,12 @@ static int __init scsi_debug_init(void) + pr_err("submit_queues must be 1 or more\n"); + return -EINVAL; + } ++ ++ if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue < 1)) { ++ pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE); ++ return -EINVAL; ++ } ++ + sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue), + GFP_KERNEL); + if (sdebug_q_arr == NULL) +-- +2.27.0 + diff --git a/queue/seccomp-Fix-ioctl-number-for-SECCOMP_IOCTL_NOTIF_ID_.patch b/queue/seccomp-Fix-ioctl-number-for-SECCOMP_IOCTL_NOTIF_ID_.patch new file mode 100644 index 00000000..79ddb8ac --- /dev/null +++ b/queue/seccomp-Fix-ioctl-number-for-SECCOMP_IOCTL_NOTIF_ID_.patch @@ -0,0 +1,71 @@ +From 47e33c05f9f07cac3de833e531bcac9ae052c7ca Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Mon, 15 Jun 2020 15:42:46 -0700 +Subject: [PATCH] seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID + +commit 47e33c05f9f07cac3de833e531bcac9ae052c7ca upstream. + +When SECCOMP_IOCTL_NOTIF_ID_VALID was first introduced it had the wrong +direction flag set. While this isn't a big deal as nothing currently +enforces these bits in the kernel, it should be defined correctly. Fix +the define and provide support for the old command until it is no longer +needed for backward compatibility. + +Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") +Signed-off-by: Kees Cook <keescook@chromium.org> + +diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h +index c1735455bc53..965290f7dcc2 100644 +--- a/include/uapi/linux/seccomp.h ++++ b/include/uapi/linux/seccomp.h +@@ -123,5 +123,6 @@ struct seccomp_notif_resp { + #define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif) + #define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \ + struct seccomp_notif_resp) +-#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64) ++#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOW(2, __u64) ++ + #endif /* _UAPI_LINUX_SECCOMP_H */ +diff --git a/kernel/seccomp.c b/kernel/seccomp.c +index 5f0e3f3a7a5d..0ed57e8c49d0 100644 +--- a/kernel/seccomp.c ++++ b/kernel/seccomp.c +@@ -44,6 +44,14 @@ + #include <linux/anon_inodes.h> + #include <linux/lockdep.h> + ++/* ++ * When SECCOMP_IOCTL_NOTIF_ID_VALID was first introduced, it had the ++ * wrong direction flag in the ioctl number. This is the broken one, ++ * which the kernel needs to keep supporting until all userspaces stop ++ * using the wrong command number. ++ */ ++#define SECCOMP_IOCTL_NOTIF_ID_VALID_WRONG_DIR SECCOMP_IOR(2, __u64) ++ + enum notify_state { + SECCOMP_NOTIFY_INIT, + SECCOMP_NOTIFY_SENT, +@@ -1236,6 +1244,7 @@ static long seccomp_notify_ioctl(struct file *file, unsigned int cmd, + return seccomp_notify_recv(filter, buf); + case SECCOMP_IOCTL_NOTIF_SEND: + return seccomp_notify_send(filter, buf); ++ case SECCOMP_IOCTL_NOTIF_ID_VALID_WRONG_DIR: + case SECCOMP_IOCTL_NOTIF_ID_VALID: + return seccomp_notify_id_valid(filter, buf); + default: +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 43884b6625fc..61f9ac200001 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -186,7 +186,7 @@ struct seccomp_metadata { + #define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif) + #define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \ + struct seccomp_notif_resp) +-#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64) ++#define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOW(2, __u64) + + struct seccomp_notif { + __u64 id; +-- +2.27.0 + diff --git a/queue/selftests-powerpc-Fix-CPU-affinity-for-child-process.patch b/queue/selftests-powerpc-Fix-CPU-affinity-for-child-process.patch new file mode 100644 index 00000000..6bbf4d34 --- /dev/null +++ b/queue/selftests-powerpc-Fix-CPU-affinity-for-child-process.patch @@ -0,0 +1,76 @@ +From 854eb5022be04f81e318765f089f41a57c8e5d83 Mon Sep 17 00:00:00 2001 +From: Harish <harish@linux.ibm.com> +Date: Tue, 9 Jun 2020 13:44:23 +0530 +Subject: [PATCH] selftests/powerpc: Fix CPU affinity for child process + +commit 854eb5022be04f81e318765f089f41a57c8e5d83 upstream. + +On systems with large number of cpus, test fails trying to set +affinity by calling sched_setaffinity() with smaller size for affinity +mask. This patch fixes it by making sure that the size of allocated +affinity mask is dependent on the number of CPUs as reported by +get_nprocs(). + +Fixes: 00b7ec5c9cf3 ("selftests/powerpc: Import Anton's context_switch2 benchmark") +Reported-by: Shirisha Ganta <shiganta@in.ibm.com> +Signed-off-by: Sandipan Das <sandipan@linux.ibm.com> +Signed-off-by: Harish <harish@linux.ibm.com> +Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com> +Reviewed-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20200609081423.529664-1-harish@linux.ibm.com + +diff --git a/tools/testing/selftests/powerpc/benchmarks/context_switch.c b/tools/testing/selftests/powerpc/benchmarks/context_switch.c +index a2e8c9da7fa5..d50cc05df495 100644 +--- a/tools/testing/selftests/powerpc/benchmarks/context_switch.c ++++ b/tools/testing/selftests/powerpc/benchmarks/context_switch.c +@@ -19,6 +19,7 @@ + #include <limits.h> + #include <sys/time.h> + #include <sys/syscall.h> ++#include <sys/sysinfo.h> + #include <sys/types.h> + #include <sys/shm.h> + #include <linux/futex.h> +@@ -104,8 +105,9 @@ static void start_thread_on(void *(*fn)(void *), void *arg, unsigned long cpu) + + static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) + { +- int pid; +- cpu_set_t cpuset; ++ int pid, ncpus; ++ cpu_set_t *cpuset; ++ size_t size; + + pid = fork(); + if (pid == -1) { +@@ -116,14 +118,23 @@ static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) + if (pid) + return; + +- CPU_ZERO(&cpuset); +- CPU_SET(cpu, &cpuset); ++ ncpus = get_nprocs(); ++ size = CPU_ALLOC_SIZE(ncpus); ++ cpuset = CPU_ALLOC(ncpus); ++ if (!cpuset) { ++ perror("malloc"); ++ exit(1); ++ } ++ CPU_ZERO_S(size, cpuset); ++ CPU_SET_S(cpu, size, cpuset); + +- if (sched_setaffinity(0, sizeof(cpuset), &cpuset)) { ++ if (sched_setaffinity(0, size, cpuset)) { + perror("sched_setaffinity"); ++ CPU_FREE(cpuset); + exit(1); + } + ++ CPU_FREE(cpuset); + fn(arg); + + exit(0); +-- +2.27.0 + diff --git a/queue/selftests-powerpc-Fix-online-CPU-selection.patch b/queue/selftests-powerpc-Fix-online-CPU-selection.patch new file mode 100644 index 00000000..a07e1141 --- /dev/null +++ b/queue/selftests-powerpc-Fix-online-CPU-selection.patch @@ -0,0 +1,89 @@ +From dfa03fff86027e58c8dba5c03ae68150d4e513ad Mon Sep 17 00:00:00 2001 +From: Sandipan Das <sandipan@linux.ibm.com> +Date: Thu, 30 Jul 2020 10:38:46 +0530 +Subject: [PATCH] selftests/powerpc: Fix online CPU selection + +commit dfa03fff86027e58c8dba5c03ae68150d4e513ad upstream. + +The size of the CPU affinity mask must be large enough for +systems with a very large number of CPUs. Otherwise, tests +which try to determine the first online CPU by calling +sched_getaffinity() will fail. This makes sure that the size +of the allocated affinity mask is dependent on the number of +CPUs as reported by get_nprocs_conf(). + +Fixes: 3752e453f6ba ("selftests/powerpc: Add tests of PMU EBBs") +Reported-by: Shirisha Ganta <shiganta@in.ibm.com> +Signed-off-by: Sandipan Das <sandipan@linux.ibm.com> +Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/a408c4b8e9a23bb39b539417a21eb0ff47bb5127.1596084858.git.sandipan@linux.ibm.com + +diff --git a/tools/testing/selftests/powerpc/utils.c b/tools/testing/selftests/powerpc/utils.c +index 933678f1ed0a..18b6a773d5c7 100644 +--- a/tools/testing/selftests/powerpc/utils.c ++++ b/tools/testing/selftests/powerpc/utils.c +@@ -16,6 +16,7 @@ + #include <string.h> + #include <sys/ioctl.h> + #include <sys/stat.h> ++#include <sys/sysinfo.h> + #include <sys/types.h> + #include <sys/utsname.h> + #include <unistd.h> +@@ -88,28 +89,40 @@ void *get_auxv_entry(int type) + + int pick_online_cpu(void) + { +- cpu_set_t mask; +- int cpu; ++ int ncpus, cpu = -1; ++ cpu_set_t *mask; ++ size_t size; ++ ++ ncpus = get_nprocs_conf(); ++ size = CPU_ALLOC_SIZE(ncpus); ++ mask = CPU_ALLOC(ncpus); ++ if (!mask) { ++ perror("malloc"); ++ return -1; ++ } + +- CPU_ZERO(&mask); ++ CPU_ZERO_S(size, mask); + +- if (sched_getaffinity(0, sizeof(mask), &mask)) { ++ if (sched_getaffinity(0, size, mask)) { + perror("sched_getaffinity"); +- return -1; ++ goto done; + } + + /* We prefer a primary thread, but skip 0 */ +- for (cpu = 8; cpu < CPU_SETSIZE; cpu += 8) +- if (CPU_ISSET(cpu, &mask)) +- return cpu; ++ for (cpu = 8; cpu < ncpus; cpu += 8) ++ if (CPU_ISSET_S(cpu, size, mask)) ++ goto done; + + /* Search for anything, but in reverse */ +- for (cpu = CPU_SETSIZE - 1; cpu >= 0; cpu--) +- if (CPU_ISSET(cpu, &mask)) +- return cpu; ++ for (cpu = ncpus - 1; cpu >= 0; cpu--) ++ if (CPU_ISSET_S(cpu, size, mask)) ++ goto done; + + printf("No cpus in affinity mask?!\n"); +- return -1; ++ ++done: ++ CPU_FREE(mask); ++ return cpu; + } + + bool is_ppc64le(void) +-- +2.27.0 + diff --git a/queue/selftests-powerpc-Squash-spurious-errors-due-to-devi.patch b/queue/selftests-powerpc-Squash-spurious-errors-due-to-devi.patch new file mode 100644 index 00000000..56a30f0f --- /dev/null +++ b/queue/selftests-powerpc-Squash-spurious-errors-due-to-devi.patch @@ -0,0 +1,63 @@ +From 5f8cf6475828b600ff6d000e580c961ac839cc61 Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran <oohall@gmail.com> +Date: Mon, 27 Jul 2020 11:01:27 +1000 +Subject: [PATCH] selftests/powerpc: Squash spurious errors due to device + removal + +commit 5f8cf6475828b600ff6d000e580c961ac839cc61 upstream. + +For drivers that don't have the error handling callbacks we implement +recovery by removing the device and re-probing it. This causes the sysfs +directory for the PCI device to be removed which causes the following +spurious error to be printed when checking the PE state: + +Breaking 0005:03:00.0... +./eeh-basic.sh: line 13: can't open /sys/bus/pci/devices/0005:03:00.0/eeh_pe_state: no such file +0005:03:00.0, waited 0/60 +0005:03:00.0, waited 1/60 +0005:03:00.0, waited 2/60 +0005:03:00.0, waited 3/60 +0005:03:00.0, waited 4/60 +0005:03:00.0, waited 5/60 +0005:03:00.0, waited 6/60 +0005:03:00.0, waited 7/60 +0005:03:00.0, Recovered after 8 seconds + +We currently try to avoid this by checking if the PE state file exists +before reading from it. This is however inherently racy so re-work the +state checking so that we only read from the file once, and we squash any +errors that occur while reading. + +Fixes: 85d86c8aa52e ("selftests/powerpc: Add basic EEH selftest") +Signed-off-by: Oliver O'Halloran <oohall@gmail.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/20200727010127.23698-1-oohall@gmail.com + +diff --git a/tools/testing/selftests/powerpc/eeh/eeh-functions.sh b/tools/testing/selftests/powerpc/eeh/eeh-functions.sh +index f52ed92b53e7..00dc32c0ed75 100755 +--- a/tools/testing/selftests/powerpc/eeh/eeh-functions.sh ++++ b/tools/testing/selftests/powerpc/eeh/eeh-functions.sh +@@ -5,12 +5,17 @@ pe_ok() { + local dev="$1" + local path="/sys/bus/pci/devices/$dev/eeh_pe_state" + +- if ! [ -e "$path" ] ; then ++ # if a driver doesn't support the error handling callbacks then the ++ # device is recovered by removing and re-probing it. This causes the ++ # sysfs directory to disappear so read the PE state once and squash ++ # any potential error messages ++ local eeh_state="$(cat $path 2>/dev/null)" ++ if [ -z "$eeh_state" ]; then + return 1; + fi + +- local fw_state="$(cut -d' ' -f1 < $path)" +- local sw_state="$(cut -d' ' -f2 < $path)" ++ local fw_state="$(echo $eeh_state | cut -d' ' -f1)" ++ local sw_state="$(echo $eeh_state | cut -d' ' -f2)" + + # If EEH_PE_ISOLATED or EEH_PE_RECOVERING are set then the PE is in an + # error state or being recovered. Either way, not ok. +-- +2.27.0 + diff --git a/queue/series b/queue/series new file mode 100644 index 00000000..08512182 --- /dev/null +++ b/queue/series @@ -0,0 +1,268 @@ +tracepoint-Mark-__tracepoint_string-s-__used.patch +HID-input-Fix-devices-that-return-multiple-bytes-in-.patch +nvme-add-a-Identify-Namespace-Identification-Descrip.patch +clk-qcom-clk-rpmh-Wait-for-completion-when-enabling-.patch +x86-mce-inject-Fix-a-wrong-assignment-of-i_mce.statu.patch +sched-fair-Fix-NOHZ-next-idle-balance.patch +sched-correct-SD_flags-returned-by-tl-sd_flags.patch +arm64-dts-rockchip-fix-rk3368-lion-gmac-reset-gpio.patch +arm64-dts-rockchip-fix-rk3399-puma-vcc5v0-host-gpio.patch +arm64-dts-rockchip-fix-rk3399-puma-gmac-reset-gpio.patch +EDAC-Fix-reference-count-leaks.patch +crc-t10dif-Fix-potential-crypto-notify-dead-lock.patch +arm64-dts-qcom-msm8916-Replace-invalid-bias-pull-non.patch +blktrace-fix-debugfs-use-after-free.patch +crypto-ccree-fix-resource-leak-on-error-path.patch +ARM-exynos-MCPM-Restore-big.LITTLE-cpuidle-support.patch +firmware-arm_scmi-Fix-SCMI-genpd-domain-probing.patch +arm64-dts-exynos-Fix-silent-hang-after-boot-on-Espre.patch +sched-uclamp-Fix-initialization-of-struct-uclamp_rq.patch +clk-scmi-Fix-min-and-max-rate-when-registering-clock.patch +m68k-mac-Don-t-send-IOP-message-until-channel-is-idl.patch +m68k-mac-Fix-IOP-status-control-register-writes.patch +platform-x86-intel-hid-Fix-return-value-check-in-che.patch +platform-x86-intel-vbtn-Fix-return-value-check-in-ch.patch +ARM-dts-gose-Fix-ports-node-name-for-adv7180.patch +ARM-dts-gose-Fix-ports-node-name-for-adv7612.patch +ARM-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch +ARM-dts-sunxi-bananapi-m2-plus-v1.2-Add-regulator-su.patch +ARM-dts-sunxi-bananapi-m2-plus-v1.2-Fix-CPU-supply-v.patch +spi-lantiq-fix-Rx-overflow-error-in-full-duplex-mode.patch +tpm-Require-that-all-digests-are-present-in-TCG_PCR_.patch +recordmcount-only-record-relocation-of-type-R_AARCH6.patch +regulator-fix-memory-leak-on-error-path-of-regulator.patch +io_uring-fix-sq-array-offset-calculation.patch +spi-rockchip-Fix-error-in-SPI-slave-pio-read.patch +ARM-socfpga-PM-add-missing-put_device-call-in-socfpg.patch +iocost-Fix-check-condition-of-iocg-abs_vdebt.patch +irqchip-ti-sci-inta-Fix-return-value-about-devm_iore.patch +seccomp-Fix-ioctl-number-for-SECCOMP_IOCTL_NOTIF_ID_.patch +md-raid0-linear-fix-dereference-before-null-check-on.patch +nvme-tcp-fix-controller-reset-hang-during-traffic.patch +nvme-rdma-fix-controller-reset-hang-during-traffic.patch +nvme-multipath-fix-logic-for-non-optimized-paths.patch +nvme-multipath-do-not-fall-back-to-__nvme_find_path-.patch +drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch +soc-qcom-rpmh-rsc-Set-suppress_bind_attrs-flag.patch +Bluetooth-add-a-mutex-lock-to-avoid-UAF-in-do_enale_.patch +loop-be-paranoid-on-exit-and-prevent-new-additions-r.patch +fs-btrfs-Add-cond_resched-for-try_release_extent_map.patch +drm-amdgpu-avoid-dereferencing-a-NULL-pointer.patch +drm-radeon-Fix-reference-count-leaks-caused-by-pm_ru.patch +crypto-aesni-Fix-build-with-LLVM_IAS-1.patch +video-fbdev-savage-fix-memory-leak-on-error-handling.patch +video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch +bus-ti-sysc-Add-missing-quirk-flags-for-usb_host_hs.patch +md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch +drm-nouveau-kms-nv50-Fix-disabling-dithering.patch +arm64-dts-hisilicon-hikey-fixes-to-comply-with-adi-a.patch +drm-etnaviv-fix-ref-count-leak-via-pm_runtime_get_sy.patch +drm-nouveau-fix-reference-count-leak-in-nouveau_debu.patch +drm-nouveau-fix-multiple-instances-of-reference-coun.patch +mmc-sdhci-cadence-do-not-use-hardware-tuning-for-SD-.patch +btrfs-fix-lockdep-splat-from-btrfs_dump_space_info.patch +usb-mtu3-clear-dual-mode-of-u3port-when-disable-devi.patch +drm-msm-a6xx-fix-gpu-failure-after-system-resume.patch +drm-msm-Fix-a-null-pointer-access-in-msm_gem_shrinke.patch +drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch +drm-radeon-disable-AGP-by-default.patch +irqchip-irq-mtk-sysirq-Replace-spinlock-with-raw_spi.patch +mm-mmap.c-Add-cond_resched-for-exit_mmap-CPU-stalls.patch +drm-amdgpu-display-bail-early-in-dm_pp_get_static_cl.patch +drm-amd-powerplay-fix-compile-error-with-ARCH-arc.patch +bpf-Fix-fds_example-SIGSEGV-error.patch +brcmfmac-keep-SDIO-watchdog-running-when-console_int.patch +brcmfmac-To-fix-Bss-Info-flag-definition-Bug.patch +brcmfmac-set-state-of-hanger-slot-to-FREE-when-flush.patch +platform-x86-asus-nb-wmi-add-support-for-ASUS-ROG-Ze.patch +iwlegacy-Check-the-return-value-of-pcie_capability_r.patch +gpu-host1x-debug-Fix-multiple-channels-emitting-mess.patch +ionic-update-eid-test-for-overflow.patch +mmc-sdhci-pci-o2micro-Bug-fix-for-O2-host-controller.patch +usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch +bdc-Fix-bug-causing-crash-after-multiple-disconnects.patch +usb-bdc-Halt-controller-on-suspend.patch +dyndbg-fix-a-BUG_ON-in-ddebug_describe_flags.patch +bcache-fix-super-block-seq-numbers-comparision-in-re.patch +ACPICA-Do-not-increment-operation_region-reference-c.patch +drm-msm-ratelimit-crtc-event-overflow-error.patch +drm-gem-Fix-a-leak-in-drm_gem_objects_lookup.patch +drm-bridge-ti-sn65dsi86-Clear-old-error-bits-before-.patch +agp-intel-Fix-a-memory-leak-on-module-initialisation.patch +mwifiex-Fix-firmware-filename-for-sd8977-chipset.patch +mwifiex-Fix-firmware-filename-for-sd8997-chipset.patch +btmrvl-Fix-firmware-filename-for-sd8977-chipset.patch +btmrvl-Fix-firmware-filename-for-sd8997-chipset.patch +video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch +console-newport_con-fix-an-issue-about-leak-related-.patch +video-pxafb-Fix-the-function-used-to-balance-a-dma_a.patch +ath10k-Acquire-tx_lock-in-tx-error-paths.patch +iio-improve-IIO_CONCENTRATION-channel-type-descripti.patch +drm-etnaviv-Fix-error-path-on-failure-to-enable-bus-.patch +drm-arm-fix-unintentional-integer-overflow-on-left-s.patch +clk-bcm63xx-gate-fix-last-clock-availability.patch +leds-lm355x-avoid-enum-conversion-warning.patch +Bluetooth-btusb-fix-up-firmware-download-sequence.patch +Bluetooth-btmtksdio-fix-up-firmware-download-sequenc.patch +media-cxusb-analog-fix-V4L2-dependency.patch +media-marvell-ccic-Add-missed-v4l2_async_notifier_cl.patch +media-omap3isp-Add-missed-v4l2_ctrl_handler_free-for.patch +ASoC-SOF-nocodec-add-missing-.owner-field.patch +ASoC-Intel-bxt_rt298-add-missing-.owner-field.patch +scsi-cumana_2-Fix-different-dev_id-between-request_i.patch +drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch +cxl-Fix-kobject-memleak.patch +drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch +staging-vchiq_arm-Add-a-matching-unregister-call.patch +iavf-fix-error-return-code-in-iavf_init_get_resource.patch +iavf-Fix-updating-statistics.patch +RDMA-core-Fix-bogus-WARN_ON-during-ib_unregister_dev.patch +scsi-powertec-Fix-different-dev_id-between-request_i.patch +scsi-eesox-Fix-different-dev_id-between-request_irq-.patch +ipvs-allow-connection-reuse-for-unconfirmed-conntrac.patch +media-firewire-Using-uninitialized-values-in-node_pr.patch +media-exynos4-is-Add-missed-check-for-pinctrl_lookup.patch +media-cros-ec-cec-do-not-bail-on-device_init_wakeup-.patch +xfs-don-t-eat-an-EIO-ENOSPC-writeback-error-when-scr.patch +xfs-fix-reflink-quota-reservation-accounting-error.patch +RDMA-rxe-Skip-dgid-check-in-loopback-mode.patch +PCI-Fix-pci_cfg_wait-queue-locking-problem.patch +drm-stm-repair-runtime-power-management.patch +kobject-Avoid-premature-parent-object-freeing-in-kob.patch +leds-core-Flush-scheduled-work-for-system-suspend.patch +drm-panel-simple-Fix-bpc-for-LG-LB070WV8-panel.patch +phy-exynos5-usbdrd-Calibrating-makes-sense-only-for-.patch +drm-bridge-sil_sii8620-initialize-return-of-sii8620_.patch +scsi-scsi_debug-Add-check-for-sdebug_max_queue-durin.patch +mwifiex-Prevent-memory-corruption-handling-keys.patch +kernfs-do-not-call-fsnotify-with-name-without-a-pare.patch +powerpc-rtas-don-t-online-CPUs-for-partition-suspend.patch +powerpc-vdso-Fix-vdso-cpu-truncation.patch +RDMA-qedr-SRQ-s-bug-fixes.patch +RDMA-rxe-Prevent-access-to-wr-next-ptr-afrer-wr-is-p.patch +ima-Have-the-LSM-free-its-audit-rule.patch +staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch +ASoC-meson-fixes-the-missed-kfree-for-axg_card_add_t.patch +PCI-ASPM-Add-missing-newline-in-sysfs-policy.patch +phy-renesas-rcar-gen3-usb2-move-irq-registration-to-.patch +powerpc-book3s64-pkeys-Use-PVR-check-instead-of-cpu-.patch +drm-imx-fix-use-after-free.patch +drm-imx-tve-fix-regulator_disable-error-path.patch +gpu-ipu-v3-Restore-RGB32-BGR32.patch +spi-lantiq-ssc-Fix-warning-by-using-WQ_MEM_RECLAIM.patch +USB-serial-iuu_phoenix-fix-led-activity-helpers.patch +usb-core-fix-quirks_param_set-writing-to-a-const-poi.patch +thermal-ti-soc-thermal-Fix-reversed-condition-in-ti_.patch +coresight-tmc-Fix-TMC-mode-read-in-tmc_read_unprepar.patch +powerpc-perf-Fix-missing-is_sier_aviable-during-buil.patch +mt76-mt7615-fix-potential-memory-leak-in-mcu-message.patch +phy-armada-38x-fix-NETA-lockup-when-repeatedly-switc.patch +MIPS-OCTEON-add-missing-put_device-call-in-dwc3_octe.patch +usb-dwc2-Fix-error-path-in-gadget-registration.patch +usb-gadget-f_uac2-fix-AC-Interface-Header-Descriptor.patch +scsi-megaraid_sas-Clear-affinity-hint.patch +scsi-mesh-Fix-panic-after-host-or-bus-reset.patch +net-dsa-mv88e6xxx-MV88E6097-does-not-support-jumbo-c.patch +macintosh-via-macii-Access-autopoll_devs-when-inside.patch +PCI-cadence-Fix-updating-Vendor-ID-and-Subsystem-Ven.patch +RDMA-core-Fix-return-error-value-in-_ib_modify_qp-to.patch +Smack-fix-another-vsscanf-out-of-bounds.patch +Smack-prevent-underflow-in-smk_set_cipso.patch +power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch +Bluetooth-hci_h5-Set-HCI_UART_RESET_ON_INIT-to-corre.patch +Bluetooth-hci_serdev-Only-unregister-device-if-it-wa.patch +net-dsa-rtl8366-Fix-VLAN-semantics.patch +net-dsa-rtl8366-Fix-VLAN-set-up.patch +xfs-fix-inode-allocation-block-res-calculation-prece.patch +selftests-powerpc-Squash-spurious-errors-due-to-devi.patch +powerpc-32s-Fix-CONFIG_BOOK3S_601-uses.patch +powerpc-boot-Fix-CONFIG_PPC_MPC52XX-references.patch +selftests-powerpc-Fix-CPU-affinity-for-child-process.patch +RDMA-netlink-Remove-CAP_NET_RAW-check-when-dump-a-ra.patch +PCI-Release-IVRS-table-in-AMD-ACS-quirk.patch +cpufreq-ap806-fix-cpufreq-driver-needs-ap-cpu-clk.patch +selftests-powerpc-Fix-online-CPU-selection.patch +ASoC-meson-axg-tdm-interface-fix-link-fmt-setup.patch +ASoC-meson-axg-tdmin-fix-g12a-skew.patch +ASoC-meson-axg-tdm-formatters-fix-sclk-inversion.patch +ASoC-fsl_sai-Fix-value-of-FSL_SAI_CR1_RFW_MASK.patch +s390-qeth-don-t-process-empty-bridge-port-events.patch +ice-Graceful-error-handling-in-HW-table-calloc-failu.patch +rtw88-fix-LDPC-field-for-RA-info.patch +rtw88-fix-short-GI-capability-based-on-current-bandw.patch +rtw88-coex-only-skip-coex-triggered-by-BT-info.patch +wl1251-fix-always-return-0-error.patch +tools-build-Propagate-build-failures-from-tools-buil.patch +tools-bpftool-Fix-wrong-return-value-in-do_dump.patch +net-mlx5-DR-Change-push-vlan-action-sequence.patch +net-mlx5-Delete-extra-dump-stack-that-gives-nothing.patch +net-ethernet-aquantia-Fix-wrong-return-value.patch +liquidio-Fix-wrong-return-value-in-cn23xx_get_pf_num.patch +net-spider_net-Fix-the-size-used-in-a-dma_free_coher.patch +fsl-fman-use-32-bit-unsigned-integer.patch +fsl-fman-fix-dereference-null-return-value.patch +fsl-fman-fix-unreachable-code.patch +fsl-fman-check-dereferencing-null-pointer.patch +fsl-fman-fix-eth-hash-table-allocation.patch +net-thunderx-initialize-VF-s-mailbox-mutex-before-fi.patch +dlm-Fix-kobject-memleak.patch +ocfs2-fix-unbalanced-locking.patch +pinctrl-single-fix-pcs_parse_pinconf-return-value.patch +svcrdma-Fix-page-leak-in-svc_rdma_recv_read_chunk.patch +SUNRPC-Fix-SUNRPC-Add-len-parameter-to-gss_unwrap.patch +x86-fsgsbase-64-Fix-NULL-deref-in-86_fsgsbase_read_t.patch +crypto-aesni-add-compatibility-with-IAS.patch +af_packet-TPACKET_V3-fix-fill-status-rwlock-imbalanc.patch +drivers-net-wan-lapbether-Added-needed_headroom-and-.patch +net-Fix-potential-memory-leak-in-proto_register.patch +net-nfc-rawsock.c-add-CAP_NET_RAW-check.patch +net-phy-fix-memory-leak-in-device-create-error-path.patch +net-Set-fput_needed-iff-FDPUT_FPUT-is-set.patch +net-tls-Fix-kmap-usage.patch +tcp-correct-read-of-TFO-keys-on-big-endian-systems.patch +vmxnet3-use-correct-tcp-hdr-length-when-packet-is-en.patch +net-refactor-bind_bucket-fastreuse-into-helper.patch +net-initialize-fastreuse-on-inet_inherit_port.patch +USB-serial-cp210x-re-enable-auto-RTS-on-open.patch +USB-serial-cp210x-enable-usb-generic-throttle-unthro.patch +ALSA-hda-fix-the-micmute-led-status-for-Lenovo-Think.patch +ALSA-usb-audio-Creative-USB-X-Fi-Pro-SB1095-volume-k.patch +ALSA-usb-audio-fix-overeager-device-match-for-MacroS.patch +ALSA-usb-audio-work-around-streaming-quirk-for-Macro.patch +9p-Fix-memory-leak-in-v9fs_mount.patch +media-media-request-Fix-crash-if-memory-allocation-f.patch +drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch +io_uring-set-ctx-sq-cq-entry-count-earlier.patch +NFS-Don-t-move-layouts-to-plh_return_segs-list-while.patch +NFS-Don-t-return-layout-segments-that-are-in-use.patch +cpufreq-Fix-locking-issues-with-governors.patch +cpufreq-dt-fix-oops-on-armada37xx.patch +include-asm-generic-vmlinux.lds.h-align-ro_after_ini.patch +spi-spidev-Align-buffers-for-DMA.patch +mtd-rawnand-qcom-avoid-write-to-unavailable-register.patch +erofs-fix-extended-inode-could-cross-boundary.patch +Revert-parisc-Drop-LDCW-barrier-in-CAS-code-when-run.patch +Revert-parisc-Use-ldcw-instruction-for-SMP-spinlock-.patch +Revert-parisc-Revert-Release-spinlocks-using-ordered.patch +parisc-Do-not-use-an-ordered-store-in-pa_tlb_lock.patch +parisc-Implement-__smp_store_release-and-__smp_load_.patch +parisc-mask-out-enable-and-reserved-bits-from-sba-im.patch +ARM-8992-1-Fix-unwind_frame-for-clang-built-kernels.patch +irqdomain-treewide-Free-firmware-node-after-domain-r.patch +ALSA-usb-audio-add-quirk-for-Pioneer-DDJ-RB.patch +tpm-Unify-the-mismatching-TPM-space-buffer-sizes.patch +pstore-Fix-linking-when-crypto-API-disabled.patch +crypto-hisilicon-don-t-sleep-of-CRYPTO_TFM_REQ_MAY_S.patch +crypto-qat-fix-double-free-in-qat_uclo_create_batch_.patch +crypto-ccp-Fix-use-of-merged-scatterlists.patch +crypto-cpt-don-t-sleep-of-CRYPTO_TFM_REQ_MAY_SLEEP-w.patch +bitfield.h-don-t-compile-time-validate-_val-in-FIELD.patch +fs-minix-check-return-value-of-sb_getblk.patch +fs-minix-don-t-allow-getting-deleted-inodes.patch +fs-minix-reject-too-large-maximum-file-size.patch +xen-balloon-fix-accounting-in-alloc_xenballooned_pag.patch +xen-balloon-make-the-balloon-wait-interruptible.patch +xen-gntdev-Fix-dmabuf-import-with-non-zero-sgt-offse.patch +s390-dasd-fix-inability-to-use-DASD-with-DIAG-driver.patch +s390-gmap-improve-THP-splitting.patch +io_uring-Fix-NULL-pointer-dereference-in-loop_rw_ite.patch diff --git a/queue/soc-qcom-rpmh-rsc-Set-suppress_bind_attrs-flag.patch b/queue/soc-qcom-rpmh-rsc-Set-suppress_bind_attrs-flag.patch new file mode 100644 index 00000000..cf3a433b --- /dev/null +++ b/queue/soc-qcom-rpmh-rsc-Set-suppress_bind_attrs-flag.patch @@ -0,0 +1,35 @@ +From 1a53ce9ab4faeb841b33d62d23283dc76c0e7c5a Mon Sep 17 00:00:00 2001 +From: Maulik Shah <mkshah@codeaurora.org> +Date: Mon, 22 Jun 2020 12:23:25 +0530 +Subject: [PATCH] soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag + +commit 1a53ce9ab4faeb841b33d62d23283dc76c0e7c5a upstream. + +rpmh-rsc driver is fairly core to system and should not be removable +once its probed. However it allows to unbind driver from sysfs using +below command which results into a crash on sc7180. + +echo 18200000.rsc > /sys/bus/platform/drivers/rpmh/unbind + +Lets prevent unbind at runtime by setting suppress_bind_attrs flag. + +Reviewed-by: Stephen Boyd <swboyd@chromium.org> +Signed-off-by: Maulik Shah <mkshah@codeaurora.org> +Link: https://lore.kernel.org/r/1592808805-2437-1-git-send-email-mkshah@codeaurora.org +Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> + +diff --git a/drivers/soc/qcom/rpmh-rsc.c b/drivers/soc/qcom/rpmh-rsc.c +index 076fd27f3081..752a5619f715 100644 +--- a/drivers/soc/qcom/rpmh-rsc.c ++++ b/drivers/soc/qcom/rpmh-rsc.c +@@ -1023,6 +1023,7 @@ static struct platform_driver rpmh_driver = { + .driver = { + .name = "rpmh", + .of_match_table = rpmh_drv_match, ++ .suppress_bind_attrs = true, + }, + }; + +-- +2.27.0 + diff --git a/queue/spi-lantiq-fix-Rx-overflow-error-in-full-duplex-mode.patch b/queue/spi-lantiq-fix-Rx-overflow-error-in-full-duplex-mode.patch new file mode 100644 index 00000000..02adba65 --- /dev/null +++ b/queue/spi-lantiq-fix-Rx-overflow-error-in-full-duplex-mode.patch @@ -0,0 +1,60 @@ +From 661ccf2b3f1360be50242726f7c26ced6a9e7d52 Mon Sep 17 00:00:00 2001 +From: Dilip Kota <eswara.kota@linux.intel.com> +Date: Fri, 17 Jul 2020 14:27:50 +0800 +Subject: [PATCH] spi: lantiq: fix: Rx overflow error in full duplex mode + +commit 661ccf2b3f1360be50242726f7c26ced6a9e7d52 upstream. + +In full duplex mode, rx overflow error is observed. To overcome the error, +wait until the complete data got received and proceed further. + +Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller") +Signed-off-by: Dilip Kota <eswara.kota@linux.intel.com> +Link: https://lore.kernel.org/r/efb650b0faa49a00788c4e0ca8ef7196bdba851d.1594957019.git.eswara.kota@linux.intel.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/drivers/spi/spi-lantiq-ssc.c b/drivers/spi/spi-lantiq-ssc.c +index 1cf650e25e31..24585890996b 100644 +--- a/drivers/spi/spi-lantiq-ssc.c ++++ b/drivers/spi/spi-lantiq-ssc.c +@@ -183,6 +183,7 @@ struct lantiq_ssc_spi { + unsigned int tx_fifo_size; + unsigned int rx_fifo_size; + unsigned int base_cs; ++ unsigned int fdx_tx_level; + }; + + static u32 lantiq_ssc_readl(const struct lantiq_ssc_spi *spi, u32 reg) +@@ -480,6 +481,7 @@ static void tx_fifo_write(struct lantiq_ssc_spi *spi) + u32 data; + unsigned int tx_free = tx_fifo_free(spi); + ++ spi->fdx_tx_level = 0; + while (spi->tx_todo && tx_free) { + switch (spi->bits_per_word) { + case 2 ... 8: +@@ -508,6 +510,7 @@ static void tx_fifo_write(struct lantiq_ssc_spi *spi) + + lantiq_ssc_writel(spi, data, LTQ_SPI_TB); + tx_free--; ++ spi->fdx_tx_level++; + } + } + +@@ -519,6 +522,13 @@ static void rx_fifo_read_full_duplex(struct lantiq_ssc_spi *spi) + u32 data; + unsigned int rx_fill = rx_fifo_level(spi); + ++ /* ++ * Wait until all expected data to be shifted in. ++ * Otherwise, rx overrun may occur. ++ */ ++ while (rx_fill != spi->fdx_tx_level) ++ rx_fill = rx_fifo_level(spi); ++ + while (rx_fill) { + data = lantiq_ssc_readl(spi, LTQ_SPI_RB); + +-- +2.27.0 + diff --git a/queue/spi-lantiq-ssc-Fix-warning-by-using-WQ_MEM_RECLAIM.patch b/queue/spi-lantiq-ssc-Fix-warning-by-using-WQ_MEM_RECLAIM.patch new file mode 100644 index 00000000..2db17a43 --- /dev/null +++ b/queue/spi-lantiq-ssc-Fix-warning-by-using-WQ_MEM_RECLAIM.patch @@ -0,0 +1,41 @@ +From ba3548cf29616b58c93bbaffc3d636898d009858 Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens <hauke@hauke-m.de> +Date: Fri, 17 Jul 2020 23:56:48 +0200 +Subject: [PATCH] spi: lantiq-ssc: Fix warning by using WQ_MEM_RECLAIM + +commit ba3548cf29616b58c93bbaffc3d636898d009858 upstream. + +The lantiq-ssc driver uses internally an own workqueue to wait till the +data is not only written out of the FIFO but really written to the wire. +This workqueue is flushed while the SPI subsystem is working in some +other system workqueue. + +The system workqueue is marked as WQ_MEM_RECLAIM, but the workqueue in +the lantiq-ssc driver does not use WQ_MEM_RECLAIM for now. Add this flag +too to prevent this warning. + +This fixes the following warning: +[ 2.975956] WARNING: CPU: 1 PID: 17 at kernel/workqueue.c:2614 check_flush_dependency+0x168/0x184 +[ 2.984752] workqueue: WQ_MEM_RECLAIM kblockd:blk_mq_run_work_fn is flushing !WQ_MEM_RECLAIM 1e100800.spi:0x0 + +Fixes: 891b7c5fbf61 ("mtd_blkdevs: convert to blk-mq") +Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> +Link: https://lore.kernel.org/r/20200717215648.20522-1-hauke@hauke-m.de +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/drivers/spi/spi-lantiq-ssc.c b/drivers/spi/spi-lantiq-ssc.c +index 1fd7ee53d451..a12a5d0cfebf 100644 +--- a/drivers/spi/spi-lantiq-ssc.c ++++ b/drivers/spi/spi-lantiq-ssc.c +@@ -899,7 +899,7 @@ static int lantiq_ssc_probe(struct platform_device *pdev) + master->bits_per_word_mask = SPI_BPW_RANGE_MASK(2, 8) | + SPI_BPW_MASK(16) | SPI_BPW_MASK(32); + +- spi->wq = alloc_ordered_workqueue(dev_name(dev), 0); ++ spi->wq = alloc_ordered_workqueue(dev_name(dev), WQ_MEM_RECLAIM); + if (!spi->wq) { + err = -ENOMEM; + goto err_clk_put; +-- +2.27.0 + diff --git a/queue/spi-rockchip-Fix-error-in-SPI-slave-pio-read.patch b/queue/spi-rockchip-Fix-error-in-SPI-slave-pio-read.patch new file mode 100644 index 00000000..8a47430a --- /dev/null +++ b/queue/spi-rockchip-Fix-error-in-SPI-slave-pio-read.patch @@ -0,0 +1,33 @@ +From 4294e4accf8d695ea5605f6b189008b692e3e82c Mon Sep 17 00:00:00 2001 +From: Jon Lin <jon.lin@rock-chips.com> +Date: Thu, 23 Jul 2020 08:43:56 +0800 +Subject: [PATCH] spi: rockchip: Fix error in SPI slave pio read + +commit 4294e4accf8d695ea5605f6b189008b692e3e82c upstream. + +The RXFLR is possible larger than rx_left in Rockchip SPI, fix it. + +Fixes: 01b59ce5dac8 ("spi: rockchip: use irq rather than polling") +Signed-off-by: Jon Lin <jon.lin@rock-chips.com> +Tested-by: Emil Renner Berthing <kernel@esmil.dk> +Reviewed-by: Heiko Stuebner <heiko@sntech.de> +Reviewed-by: Emil Renner Berthing <kernel@esmil.dk> +Link: https://lore.kernel.org/r/20200723004356.6390-3-jon.lin@rock-chips.com +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c +index a451dacab5cf..75a8a9428ff8 100644 +--- a/drivers/spi/spi-rockchip.c ++++ b/drivers/spi/spi-rockchip.c +@@ -291,7 +291,7 @@ static void rockchip_spi_pio_writer(struct rockchip_spi *rs) + static void rockchip_spi_pio_reader(struct rockchip_spi *rs) + { + u32 words = readl_relaxed(rs->regs + ROCKCHIP_SPI_RXFLR); +- u32 rx_left = rs->rx_left - words; ++ u32 rx_left = (rs->rx_left > words) ? rs->rx_left - words : 0; + + /* the hardware doesn't allow us to change fifo threshold + * level while spi is enabled, so instead make sure to leave +-- +2.27.0 + diff --git a/queue/spi-spidev-Align-buffers-for-DMA.patch b/queue/spi-spidev-Align-buffers-for-DMA.patch new file mode 100644 index 00000000..1be693e6 --- /dev/null +++ b/queue/spi-spidev-Align-buffers-for-DMA.patch @@ -0,0 +1,92 @@ +From aa9e862d7d5bcecd4dca9f39e8b684b93dd84ee7 Mon Sep 17 00:00:00 2001 +From: Christian Eggers <ceggers@arri.de> +Date: Tue, 28 Jul 2020 12:08:32 +0200 +Subject: [PATCH] spi: spidev: Align buffers for DMA + +commit aa9e862d7d5bcecd4dca9f39e8b684b93dd84ee7 upstream. + +Simply copying all xfers from userspace into one bounce buffer causes +alignment problems if the SPI controller uses DMA. + +Ensure that all transfer data blocks within the rx and tx bounce buffers +are aligned for DMA (according to ARCH_KMALLOC_MINALIGN). + +Alignment may increase the usage of the bounce buffers. In some cases, +the buffers may need to be increased using the "bufsiz" module +parameter. + +Signed-off-by: Christian Eggers <ceggers@arri.de> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200728100832.24788-1-ceggers@arri.de +Signed-off-by: Mark Brown <broonie@kernel.org> + +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index 59e07675ef86..455e99c4958e 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -224,6 +224,11 @@ static int spidev_message(struct spidev_data *spidev, + for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers; + n; + n--, k_tmp++, u_tmp++) { ++ /* Ensure that also following allocations from rx_buf/tx_buf will meet ++ * DMA alignment requirements. ++ */ ++ unsigned int len_aligned = ALIGN(u_tmp->len, ARCH_KMALLOC_MINALIGN); ++ + k_tmp->len = u_tmp->len; + + total += k_tmp->len; +@@ -239,17 +244,17 @@ static int spidev_message(struct spidev_data *spidev, + + if (u_tmp->rx_buf) { + /* this transfer needs space in RX bounce buffer */ +- rx_total += k_tmp->len; ++ rx_total += len_aligned; + if (rx_total > bufsiz) { + status = -EMSGSIZE; + goto done; + } + k_tmp->rx_buf = rx_buf; +- rx_buf += k_tmp->len; ++ rx_buf += len_aligned; + } + if (u_tmp->tx_buf) { + /* this transfer needs space in TX bounce buffer */ +- tx_total += k_tmp->len; ++ tx_total += len_aligned; + if (tx_total > bufsiz) { + status = -EMSGSIZE; + goto done; +@@ -259,7 +264,7 @@ static int spidev_message(struct spidev_data *spidev, + (uintptr_t) u_tmp->tx_buf, + u_tmp->len)) + goto done; +- tx_buf += k_tmp->len; ++ tx_buf += len_aligned; + } + + k_tmp->cs_change = !!u_tmp->cs_change; +@@ -293,16 +298,16 @@ static int spidev_message(struct spidev_data *spidev, + goto done; + + /* copy any rx data out of bounce buffer */ +- rx_buf = spidev->rx_buffer; +- for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) { ++ for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers; ++ n; ++ n--, k_tmp++, u_tmp++) { + if (u_tmp->rx_buf) { + if (copy_to_user((u8 __user *) +- (uintptr_t) u_tmp->rx_buf, rx_buf, ++ (uintptr_t) u_tmp->rx_buf, k_tmp->rx_buf, + u_tmp->len)) { + status = -EFAULT; + goto done; + } +- rx_buf += u_tmp->len; + } + } + status = total; +-- +2.27.0 + diff --git a/queue/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch b/queue/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch new file mode 100644 index 00000000..b695b407 --- /dev/null +++ b/queue/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch @@ -0,0 +1,36 @@ +From c4283950a9a4d3bf4a3f362e406c80ab14f10714 Mon Sep 17 00:00:00 2001 +From: Colin Ian King <colin.king@canonical.com> +Date: Thu, 16 Jul 2020 16:47:20 +0100 +Subject: [PATCH] staging: rtl8192u: fix a dubious looking mask before a shift + +commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 upstream. + +Currently the masking of ret with 0xff and followed by a right shift +of 8 bits always leaves a zero result. It appears the mask of 0xff +is incorrect and should be 0xff00, but I don't have the hardware to +test this. Fix this to mask the upper 8 bits before shifting. + +[ Not tested ] + +Addresses-Coverity: ("Operands don't affect result") +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Link: https://lore.kernel.org/r/20200716154720.1710252-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c +index fcfb9024a83f..6ec65187bef9 100644 +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -2374,7 +2374,7 @@ static int rtl8192_read_eeprom_info(struct net_device *dev) + ret = eprom_read(dev, (EEPROM_TX_PW_INDEX_CCK >> 1)); + if (ret < 0) + return ret; +- priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff) >> 8; ++ priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff00) >> 8; + } else + priv->EEPROMTxPowerLevelCCK = 0x10; + RT_TRACE(COMP_EPROM, "CCK Tx Power Levl: 0x%02x\n", priv->EEPROMTxPowerLevelCCK); +-- +2.27.0 + diff --git a/queue/staging-vchiq_arm-Add-a-matching-unregister-call.patch b/queue/staging-vchiq_arm-Add-a-matching-unregister-call.patch new file mode 100644 index 00000000..a1fb7e9f --- /dev/null +++ b/queue/staging-vchiq_arm-Add-a-matching-unregister-call.patch @@ -0,0 +1,33 @@ +From 5d9272e28a9a6117fb63f5f930991304765caa32 Mon Sep 17 00:00:00 2001 +From: Phil Elwell <phil@raspberrypi.com> +Date: Mon, 29 Jun 2020 17:09:06 +0200 +Subject: [PATCH] staging: vchiq_arm: Add a matching unregister call + +commit 5d9272e28a9a6117fb63f5f930991304765caa32 upstream. + +All the registered children of vchiq have a corresponding call to +platform_device_unregister except bcm2835_audio. Fix that. + +Fixes: 25c7597af20d ("staging: vchiq_arm: Register a platform device for audio") + +Signed-off-by: Phil Elwell <phil@raspberrypi.com> +Signed-off-by: Jacopo Mondi <jacopo@jmondi.org> +Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de> +Link: https://lore.kernel.org/r/20200629150945.10720-9-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +index 28ea8c3a4cba..355590f1e130 100644 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +@@ -2805,6 +2805,7 @@ static int vchiq_probe(struct platform_device *pdev) + + static int vchiq_remove(struct platform_device *pdev) + { ++ platform_device_unregister(bcm2835_audio); + platform_device_unregister(bcm2835_camera); + vchiq_debugfs_deinit(); + device_destroy(vchiq_class, vchiq_devid); +-- +2.27.0 + diff --git a/queue/svcrdma-Fix-page-leak-in-svc_rdma_recv_read_chunk.patch b/queue/svcrdma-Fix-page-leak-in-svc_rdma_recv_read_chunk.patch new file mode 100644 index 00000000..f986479b --- /dev/null +++ b/queue/svcrdma-Fix-page-leak-in-svc_rdma_recv_read_chunk.patch @@ -0,0 +1,78 @@ +From e814eecbe3bbeaa8b004d25a4b8974d232b765a9 Mon Sep 17 00:00:00 2001 +From: Chuck Lever <chuck.lever@oracle.com> +Date: Thu, 11 Jun 2020 12:44:56 -0400 +Subject: [PATCH] svcrdma: Fix page leak in svc_rdma_recv_read_chunk() + +commit e814eecbe3bbeaa8b004d25a4b8974d232b765a9 upstream. + +Commit 07d0ff3b0cd2 ("svcrdma: Clean up Read chunk path") moved the +page saver logic so that it gets executed event when an error occurs. +In that case, the I/O is never posted, and those pages are then +leaked. Errors in this path, however, are quite rare. + +Fixes: 07d0ff3b0cd2 ("svcrdma: Clean up Read chunk path") +Signed-off-by: Chuck Lever <chuck.lever@oracle.com> + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c +index 5eb35309ecef..83806fa94def 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c +@@ -684,7 +684,6 @@ static int svc_rdma_build_read_chunk(struct svc_rqst *rqstp, + struct svc_rdma_read_info *info, + __be32 *p) + { +- unsigned int i; + int ret; + + ret = -EINVAL; +@@ -707,12 +706,6 @@ static int svc_rdma_build_read_chunk(struct svc_rqst *rqstp, + info->ri_chunklen += rs_length; + } + +- /* Pages under I/O have been copied to head->rc_pages. +- * Prevent their premature release by svc_xprt_release() . +- */ +- for (i = 0; i < info->ri_readctxt->rc_page_count; i++) +- rqstp->rq_pages[i] = NULL; +- + return ret; + } + +@@ -807,6 +800,26 @@ static int svc_rdma_build_pz_read_chunk(struct svc_rqst *rqstp, + return ret; + } + ++/* Pages under I/O have been copied to head->rc_pages. Ensure they ++ * are not released by svc_xprt_release() until the I/O is complete. ++ * ++ * This has to be done after all Read WRs are constructed to properly ++ * handle a page that is part of I/O on behalf of two different RDMA ++ * segments. ++ * ++ * Do this only if I/O has been posted. Otherwise, we do indeed want ++ * svc_xprt_release() to clean things up properly. ++ */ ++static void svc_rdma_save_io_pages(struct svc_rqst *rqstp, ++ const unsigned int start, ++ const unsigned int num_pages) ++{ ++ unsigned int i; ++ ++ for (i = start; i < num_pages + start; i++) ++ rqstp->rq_pages[i] = NULL; ++} ++ + /** + * svc_rdma_recv_read_chunk - Pull a Read chunk from the client + * @rdma: controlling RDMA transport +@@ -860,6 +873,7 @@ int svc_rdma_recv_read_chunk(struct svcxprt_rdma *rdma, struct svc_rqst *rqstp, + ret = svc_rdma_post_chunk_ctxt(&info->ri_cc); + if (ret < 0) + goto out_err; ++ svc_rdma_save_io_pages(rqstp, 0, head->rc_page_count); + return 0; + + out_err: +-- +2.27.0 + diff --git a/queue/tcp-correct-read-of-TFO-keys-on-big-endian-systems.patch b/queue/tcp-correct-read-of-TFO-keys-on-big-endian-systems.patch new file mode 100644 index 00000000..9398f12b --- /dev/null +++ b/queue/tcp-correct-read-of-TFO-keys-on-big-endian-systems.patch @@ -0,0 +1,149 @@ +From f19008e676366c44e9241af57f331b6c6edf9552 Mon Sep 17 00:00:00 2001 +From: Jason Baron <jbaron@akamai.com> +Date: Mon, 10 Aug 2020 13:38:39 -0400 +Subject: [PATCH] tcp: correct read of TFO keys on big endian systems + +commit f19008e676366c44e9241af57f331b6c6edf9552 upstream. + +When TFO keys are read back on big endian systems either via the global +sysctl interface or via getsockopt() using TCP_FASTOPEN_KEY, the values +don't match what was written. + +For example, on s390x: + +# echo "1-2-3-4" > /proc/sys/net/ipv4/tcp_fastopen_key +# cat /proc/sys/net/ipv4/tcp_fastopen_key +02000000-01000000-04000000-03000000 + +Instead of: + +# cat /proc/sys/net/ipv4/tcp_fastopen_key +00000001-00000002-00000003-00000004 + +Fix this by converting to the correct endianness on read. This was +reported by Colin Ian King when running the 'tcp_fastopen_backup_key' net +selftest on s390x, which depends on the read value matching what was +written. I've confirmed that the test now passes on big and little endian +systems. + +Signed-off-by: Jason Baron <jbaron@akamai.com> +Fixes: 438ac88009bc ("net: fastopen: robustness and endianness fixes for SipHash") +Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Cc: Eric Dumazet <edumazet@google.com> +Reported-and-tested-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index dbf5c791a6eb..eab6c7510b5b 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1672,6 +1672,8 @@ void tcp_fastopen_destroy_cipher(struct sock *sk); + void tcp_fastopen_ctx_destroy(struct net *net); + int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk, + void *primary_key, void *backup_key); ++int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk, ++ u64 *key); + void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb); + struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, + struct request_sock *req, +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 5653e3b011bf..54023a46db04 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -301,24 +301,16 @@ static int proc_tcp_fastopen_key(struct ctl_table *table, int write, + struct ctl_table tbl = { .maxlen = ((TCP_FASTOPEN_KEY_LENGTH * + 2 * TCP_FASTOPEN_KEY_MAX) + + (TCP_FASTOPEN_KEY_MAX * 5)) }; +- struct tcp_fastopen_context *ctx; +- u32 user_key[TCP_FASTOPEN_KEY_MAX * 4]; +- __le32 key[TCP_FASTOPEN_KEY_MAX * 4]; ++ u32 user_key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u32)]; ++ __le32 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(__le32)]; + char *backup_data; +- int ret, i = 0, off = 0, n_keys = 0; ++ int ret, i = 0, off = 0, n_keys; + + tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL); + if (!tbl.data) + return -ENOMEM; + +- rcu_read_lock(); +- ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx); +- if (ctx) { +- n_keys = tcp_fastopen_context_len(ctx); +- memcpy(&key[0], &ctx->key[0], TCP_FASTOPEN_KEY_LENGTH * n_keys); +- } +- rcu_read_unlock(); +- ++ n_keys = tcp_fastopen_get_cipher(net, NULL, (u64 *)key); + if (!n_keys) { + memset(&key[0], 0, TCP_FASTOPEN_KEY_LENGTH); + n_keys = 1; +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c06d2bfd2ec4..31f3b858db81 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3685,22 +3685,14 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + return 0; + + case TCP_FASTOPEN_KEY: { +- __u8 key[TCP_FASTOPEN_KEY_BUF_LENGTH]; +- struct tcp_fastopen_context *ctx; +- unsigned int key_len = 0; ++ u64 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u64)]; ++ unsigned int key_len; + + if (get_user(len, optlen)) + return -EFAULT; + +- rcu_read_lock(); +- ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx); +- if (ctx) { +- key_len = tcp_fastopen_context_len(ctx) * +- TCP_FASTOPEN_KEY_LENGTH; +- memcpy(&key[0], &ctx->key[0], key_len); +- } +- rcu_read_unlock(); +- ++ key_len = tcp_fastopen_get_cipher(net, icsk, key) * ++ TCP_FASTOPEN_KEY_LENGTH; + len = min_t(unsigned int, len, key_len); + if (put_user(len, optlen)) + return -EFAULT; +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index 19ad9586c720..1bb85821f1e6 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -108,6 +108,29 @@ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk, + return err; + } + ++int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk, ++ u64 *key) ++{ ++ struct tcp_fastopen_context *ctx; ++ int n_keys = 0, i; ++ ++ rcu_read_lock(); ++ if (icsk) ++ ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx); ++ else ++ ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx); ++ if (ctx) { ++ n_keys = tcp_fastopen_context_len(ctx); ++ for (i = 0; i < n_keys; i++) { ++ put_unaligned_le64(ctx->key[i].key[0], key + (i * 2)); ++ put_unaligned_le64(ctx->key[i].key[1], key + (i * 2) + 1); ++ } ++ } ++ rcu_read_unlock(); ++ ++ return n_keys; ++} ++ + static bool __tcp_fastopen_cookie_gen_cipher(struct request_sock *req, + struct sk_buff *syn, + const siphash_key_t *key, +-- +2.27.0 + diff --git a/queue/thermal-ti-soc-thermal-Fix-reversed-condition-in-ti_.patch b/queue/thermal-ti-soc-thermal-Fix-reversed-condition-in-ti_.patch new file mode 100644 index 00000000..f78acc15 --- /dev/null +++ b/queue/thermal-ti-soc-thermal-Fix-reversed-condition-in-ti_.patch @@ -0,0 +1,31 @@ +From 0f348db01fdf128813fdd659fcc339038fb421a4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 16 Jun 2020 12:19:49 +0300 +Subject: [PATCH] thermal: ti-soc-thermal: Fix reversed condition in + ti_thermal_expose_sensor() + +commit 0f348db01fdf128813fdd659fcc339038fb421a4 upstream. + +This condition is reversed and will cause breakage. + +Fixes: 7440f518dad9 ("thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org> +Link: https://lore.kernel.org/r/20200616091949.GA11940@mwanda + +diff --git a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c +index 85776db4bf34..2ce4b19f312a 100644 +--- a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c ++++ b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c +@@ -169,7 +169,7 @@ int ti_thermal_expose_sensor(struct ti_bandgap *bgp, int id, + + data = ti_bandgap_get_sensor_data(bgp, id); + +- if (!IS_ERR_OR_NULL(data)) ++ if (IS_ERR_OR_NULL(data)) + data = ti_thermal_build_data(bgp, id); + + if (!data) +-- +2.27.0 + diff --git a/queue/tools-bpftool-Fix-wrong-return-value-in-do_dump.patch b/queue/tools-bpftool-Fix-wrong-return-value-in-do_dump.patch new file mode 100644 index 00000000..b6447922 --- /dev/null +++ b/queue/tools-bpftool-Fix-wrong-return-value-in-do_dump.patch @@ -0,0 +1,34 @@ +From 041549b7b2c7811ec40e705c439211f00ade2dda Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> +Date: Sun, 2 Aug 2020 19:15:40 +0800 +Subject: [PATCH] tools, bpftool: Fix wrong return value in do_dump() + +commit 041549b7b2c7811ec40e705c439211f00ade2dda upstream. + +In case of btf_id does not exist, a negative error code -ENOENT +should be returned. + +Fixes: c93cc69004df3 ("bpftool: add ability to dump BTF types") +Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> +Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> +Reviewed-by: Tobias Klauser <tklauser@distanz.ch> +Acked-by: Andrii Nakryiko <andriin@fb.com> +Acked-by: John Fastabend <john.fastabend@gmail.com> +Link: https://lore.kernel.org/bpf/20200802111540.5384-1-tianjia.zhang@linux.alibaba.com + +diff --git a/tools/bpf/bpftool/btf.c b/tools/bpf/bpftool/btf.c +index fc9bc7a23db6..37c091308714 100644 +--- a/tools/bpf/bpftool/btf.c ++++ b/tools/bpf/bpftool/btf.c +@@ -596,7 +596,7 @@ static int do_dump(int argc, char **argv) + goto done; + } + if (!btf) { +- err = ENOENT; ++ err = -ENOENT; + p_err("can't find btf with ID (%u)", btf_id); + goto done; + } +-- +2.27.0 + diff --git a/queue/tools-build-Propagate-build-failures-from-tools-buil.patch b/queue/tools-build-Propagate-build-failures-from-tools-buil.patch new file mode 100644 index 00000000..f0e69c34 --- /dev/null +++ b/queue/tools-build-Propagate-build-failures-from-tools-buil.patch @@ -0,0 +1,46 @@ +From a278f3d8191228212c553a5d4303fa603214b717 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko <andriin@fb.com> +Date: Thu, 30 Jul 2020 19:42:44 -0700 +Subject: [PATCH] tools, build: Propagate build failures from + tools/build/Makefile.build + +commit a278f3d8191228212c553a5d4303fa603214b717 upstream. + +The '&&' command seems to have a bad effect when $(cmd_$(1)) exits with +non-zero effect: the command failure is masked (despite `set -e`) and all but +the first command of $(dep-cmd) is executed (successfully, as they are mostly +printfs), thus overall returning 0 in the end. + +This means in practice that despite compilation errors, tools's build Makefile +will return success. We see this very reliably with libbpf's Makefile, which +doesn't get compilation error propagated properly. This in turns causes issues +with selftests build, as well as bpftool and other projects that rely on +building libbpf. + +The fix is simple: don't use &&. Given `set -e`, we don't need to chain +commands with &&. The shell will exit on first failure, giving desired +behavior and propagating error properly. + +Fixes: 275e2d95591e ("tools build: Move dependency copy into function") +Signed-off-by: Andrii Nakryiko <andriin@fb.com> +Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> +Acked-by: Jiri Olsa <jolsa@redhat.com> +Link: https://lore.kernel.org/bpf/20200731024244.872574-1-andriin@fb.com + +diff --git a/tools/build/Build.include b/tools/build/Build.include +index 9ec01f4454f9..585486e40995 100644 +--- a/tools/build/Build.include ++++ b/tools/build/Build.include +@@ -74,7 +74,8 @@ dep-cmd = $(if $(wildcard $(fixdep)), + # dependencies in the cmd file + if_changed_dep = $(if $(strip $(any-prereq) $(arg-check)), \ + @set -e; \ +- $(echo-cmd) $(cmd_$(1)) && $(dep-cmd)) ++ $(echo-cmd) $(cmd_$(1)); \ ++ $(dep-cmd)) + + # if_changed - execute command if any prerequisite is newer than + # target, or command line has changed +-- +2.27.0 + diff --git a/queue/tpm-Require-that-all-digests-are-present-in-TCG_PCR_.patch b/queue/tpm-Require-that-all-digests-are-present-in-TCG_PCR_.patch new file mode 100644 index 00000000..af577ee8 --- /dev/null +++ b/queue/tpm-Require-that-all-digests-are-present-in-TCG_PCR_.patch @@ -0,0 +1,110 @@ +From 7f3d176f5f7e3f0477bf82df0f600fcddcdcc4e4 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks <tyhicks@linux.microsoft.com> +Date: Fri, 10 Jul 2020 14:29:55 -0500 +Subject: [PATCH] tpm: Require that all digests are present in TCG_PCR_EVENT2 + structures + +commit 7f3d176f5f7e3f0477bf82df0f600fcddcdcc4e4 upstream. + +Require that the TCG_PCR_EVENT2.digests.count value strictly matches the +value of TCG_EfiSpecIdEvent.numberOfAlgorithms in the event field of the +TCG_PCClientPCREvent event log header. Also require that +TCG_EfiSpecIdEvent.numberOfAlgorithms is non-zero. + +The TCG PC Client Platform Firmware Profile Specification section 9.1 +(Family "2.0", Level 00 Revision 1.04) states: + + For each Hash algorithm enumerated in the TCG_PCClientPCREvent entry, + there SHALL be a corresponding digest in all TCG_PCR_EVENT2 structures. + Note: This includes EV_NO_ACTION events which do not extend the PCR. + +Section 9.4.5.1 provides this description of +TCG_EfiSpecIdEvent.numberOfAlgorithms: + + The number of Hash algorithms in the digestSizes field. This field MUST + be set to a value of 0x01 or greater. + +Enforce these restrictions, as required by the above specification, in +order to better identify and ignore invalid sequences of bytes at the +end of an otherwise valid TPM2 event log. Firmware doesn't always have +the means necessary to inform the kernel of the actual event log size so +the kernel's event log parsing code should be stringent when parsing the +event log for resiliency against firmware bugs. This is true, for +example, when firmware passes the event log to the kernel via a reserved +memory region described in device tree. + +POWER and some ARM systems use the "linux,sml-base" and "linux,sml-size" +device tree properties to describe the memory region used to pass the +event log from firmware to the kernel. Unfortunately, the +"linux,sml-size" property describes the size of the entire reserved +memory region rather than the size of the event long within the memory +region and the event log format does not include information describing +the size of the event log. + +tpm_read_log_of(), in drivers/char/tpm/eventlog/of.c, is where the +"linux,sml-size" property is used. At the end of that function, +log->bios_event_log_end is pointing at the end of the reserved memory +region. That's typically 0x10000 bytes offset from "linux,sml-base", +depending on what's defined in the device tree source. + +The firmware event log only fills a portion of those 0x10000 bytes and +the rest of the memory region should be zeroed out by firmware. Even in +the case of a properly zeroed bytes in the remainder of the memory +region, the only thing allowing the kernel's event log parser to detect +the end of the event log is the following conditional in +__calc_tpm2_event_size(): + + if (event_type == 0 && event_field->event_size == 0) + size = 0; + +If that wasn't there, __calc_tpm2_event_size() would think that a 16 +byte sequence of zeroes, following an otherwise valid event log, was +a valid event. + +However, problems can occur if a single bit is set in the offset +corresponding to either the TCG_PCR_EVENT2.eventType or +TCG_PCR_EVENT2.eventSize fields, after the last valid event log entry. +This could confuse the parser into thinking that an additional entry is +present in the event log and exposing this invalid entry to userspace in +the /sys/kernel/security/tpm0/binary_bios_measurements file. Such +problems have been seen if firmware does not fully zero the memory +region upon a warm reboot. + +This patch significantly raises the bar on how difficult it is for +stale/invalid memory to confuse the kernel's event log parser but +there's still, ultimately, a reliance on firmware to properly initialize +the remainder of the memory region reserved for the event log as the +parser cannot be expected to detect a stale but otherwise properly +formatted firmware event log entry. + +Fixes: fd5c78694f3f ("tpm: fix handling of the TPM 2.0 event logs") +Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> +Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> +Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> + +diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h +index 64356b199e94..739ba9a03ec1 100644 +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -211,9 +211,16 @@ static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, + + efispecid = (struct tcg_efi_specid_event_head *)event_header->event; + +- /* Check if event is malformed. */ ++ /* ++ * Perform validation of the event in order to identify malformed ++ * events. This function may be asked to parse arbitrary byte sequences ++ * immediately following a valid event log. The caller expects this ++ * function to recognize that the byte sequence is not a valid event ++ * and to return an event size of 0. ++ */ + if (memcmp(efispecid->signature, TCG_SPECID_SIG, +- sizeof(TCG_SPECID_SIG)) || count > efispecid->num_algs) { ++ sizeof(TCG_SPECID_SIG)) || ++ !efispecid->num_algs || count != efispecid->num_algs) { + size = 0; + goto out; + } +-- +2.27.0 + diff --git a/queue/tpm-Unify-the-mismatching-TPM-space-buffer-sizes.patch b/queue/tpm-Unify-the-mismatching-TPM-space-buffer-sizes.patch new file mode 100644 index 00000000..e0337094 --- /dev/null +++ b/queue/tpm-Unify-the-mismatching-TPM-space-buffer-sizes.patch @@ -0,0 +1,167 @@ +From 6c4e79d99e6f42b79040f1a33cd4018f5425030b Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> +Date: Fri, 3 Jul 2020 01:55:59 +0300 +Subject: [PATCH] tpm: Unify the mismatching TPM space buffer sizes + +commit 6c4e79d99e6f42b79040f1a33cd4018f5425030b upstream. + +The size of the buffers for storing context's and sessions can vary from +arch to arch as PAGE_SIZE can be anything between 4 kB and 256 kB (the +maximum for PPC64). Define a fixed buffer size set to 16 kB. This should be +enough for most use with three handles (that is how many we allow at the +moment). Parametrize the buffer size while doing this, so that it is easier +to revisit this later on if required. + +Cc: stable@vger.kernel.org +Reported-by: Stefan Berger <stefanb@linux.ibm.com> +Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") +Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> +Tested-by: Stefan Berger <stefanb@linux.ibm.com> +Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> + +diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c +index 8c77e88012e9..ddaeceb7e109 100644 +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -386,13 +386,8 @@ struct tpm_chip *tpm_chip_alloc(struct device *pdev, + chip->cdev.owner = THIS_MODULE; + chip->cdevs.owner = THIS_MODULE; + +- chip->work_space.context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); +- if (!chip->work_space.context_buf) { +- rc = -ENOMEM; +- goto out; +- } +- chip->work_space.session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); +- if (!chip->work_space.session_buf) { ++ rc = tpm2_init_space(&chip->work_space, TPM2_SPACE_BUFFER_SIZE); ++ if (rc) { + rc = -ENOMEM; + goto out; + } +diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h +index 0fbcede241ea..947d1db0a5cc 100644 +--- a/drivers/char/tpm/tpm.h ++++ b/drivers/char/tpm/tpm.h +@@ -59,6 +59,9 @@ enum tpm_addr { + + #define TPM_TAG_RQU_COMMAND 193 + ++/* TPM2 specific constants. */ ++#define TPM2_SPACE_BUFFER_SIZE 16384 /* 16 kB */ ++ + struct stclear_flags_t { + __be16 tag; + u8 deactivated; +@@ -228,7 +231,7 @@ unsigned long tpm2_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal); + int tpm2_probe(struct tpm_chip *chip); + int tpm2_get_cc_attrs_tbl(struct tpm_chip *chip); + int tpm2_find_cc(struct tpm_chip *chip, u32 cc); +-int tpm2_init_space(struct tpm_space *space); ++int tpm2_init_space(struct tpm_space *space, unsigned int buf_size); + void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space); + void tpm2_flush_space(struct tpm_chip *chip); + int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u8 *cmd, +diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c +index 982d341d8837..784b8b3cb903 100644 +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -38,18 +38,21 @@ static void tpm2_flush_sessions(struct tpm_chip *chip, struct tpm_space *space) + } + } + +-int tpm2_init_space(struct tpm_space *space) ++int tpm2_init_space(struct tpm_space *space, unsigned int buf_size) + { +- space->context_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); ++ space->context_buf = kzalloc(buf_size, GFP_KERNEL); + if (!space->context_buf) + return -ENOMEM; + +- space->session_buf = kzalloc(PAGE_SIZE, GFP_KERNEL); ++ space->session_buf = kzalloc(buf_size, GFP_KERNEL); + if (space->session_buf == NULL) { + kfree(space->context_buf); ++ /* Prevent caller getting a dangling pointer. */ ++ space->context_buf = NULL; + return -ENOMEM; + } + ++ space->buf_size = buf_size; + return 0; + } + +@@ -311,8 +314,10 @@ int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u8 *cmd, + sizeof(space->context_tbl)); + memcpy(&chip->work_space.session_tbl, &space->session_tbl, + sizeof(space->session_tbl)); +- memcpy(chip->work_space.context_buf, space->context_buf, PAGE_SIZE); +- memcpy(chip->work_space.session_buf, space->session_buf, PAGE_SIZE); ++ memcpy(chip->work_space.context_buf, space->context_buf, ++ space->buf_size); ++ memcpy(chip->work_space.session_buf, space->session_buf, ++ space->buf_size); + + rc = tpm2_load_space(chip); + if (rc) { +@@ -492,7 +497,7 @@ static int tpm2_save_space(struct tpm_chip *chip) + continue; + + rc = tpm2_save_context(chip, space->context_tbl[i], +- space->context_buf, PAGE_SIZE, ++ space->context_buf, space->buf_size, + &offset); + if (rc == -ENOENT) { + space->context_tbl[i] = 0; +@@ -509,9 +514,8 @@ static int tpm2_save_space(struct tpm_chip *chip) + continue; + + rc = tpm2_save_context(chip, space->session_tbl[i], +- space->session_buf, PAGE_SIZE, ++ space->session_buf, space->buf_size, + &offset); +- + if (rc == -ENOENT) { + /* handle error saving session, just forget it */ + space->session_tbl[i] = 0; +@@ -557,8 +561,10 @@ int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, + sizeof(space->context_tbl)); + memcpy(&space->session_tbl, &chip->work_space.session_tbl, + sizeof(space->session_tbl)); +- memcpy(space->context_buf, chip->work_space.context_buf, PAGE_SIZE); +- memcpy(space->session_buf, chip->work_space.session_buf, PAGE_SIZE); ++ memcpy(space->context_buf, chip->work_space.context_buf, ++ space->buf_size); ++ memcpy(space->session_buf, chip->work_space.session_buf, ++ space->buf_size); + + return 0; + out: +diff --git a/drivers/char/tpm/tpmrm-dev.c b/drivers/char/tpm/tpmrm-dev.c +index 7a0a7051a06f..eef0fb06ea83 100644 +--- a/drivers/char/tpm/tpmrm-dev.c ++++ b/drivers/char/tpm/tpmrm-dev.c +@@ -21,7 +21,7 @@ static int tpmrm_open(struct inode *inode, struct file *file) + if (priv == NULL) + return -ENOMEM; + +- rc = tpm2_init_space(&priv->space); ++ rc = tpm2_init_space(&priv->space, TPM2_SPACE_BUFFER_SIZE); + if (rc) { + kfree(priv); + return -ENOMEM; +diff --git a/include/linux/tpm.h b/include/linux/tpm.h +index 03e9b184411b..8f4ff39f51e7 100644 +--- a/include/linux/tpm.h ++++ b/include/linux/tpm.h +@@ -96,6 +96,7 @@ struct tpm_space { + u8 *context_buf; + u32 session_tbl[3]; + u8 *session_buf; ++ u32 buf_size; + }; + + struct tpm_bios_log { +-- +2.27.0 + diff --git a/queue/tracepoint-Mark-__tracepoint_string-s-__used.patch b/queue/tracepoint-Mark-__tracepoint_string-s-__used.patch new file mode 100644 index 00000000..a014ddd4 --- /dev/null +++ b/queue/tracepoint-Mark-__tracepoint_string-s-__used.patch @@ -0,0 +1,48 @@ +From f3751ad0116fb6881f2c3c957d66a9327f69cefb Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers <ndesaulniers@google.com> +Date: Thu, 30 Jul 2020 15:45:54 -0700 +Subject: [PATCH] tracepoint: Mark __tracepoint_string's __used + +commit f3751ad0116fb6881f2c3c957d66a9327f69cefb upstream. + +__tracepoint_string's have their string data stored in .rodata, and an +address to that data stored in the "__tracepoint_str" section. Functions +that refer to those strings refer to the symbol of the address. Compiler +optimization can replace those address references with references +directly to the string data. If the address doesn't appear to have other +uses, then it appears dead to the compiler and is removed. This can +break the /tracing/printk_formats sysfs node which iterates the +addresses stored in the "__tracepoint_str" section. + +Like other strings stored in custom sections in this header, mark these +__used to inform the compiler that there are other non-obvious users of +the address, so they should still be emitted. + +Link: https://lkml.kernel.org/r/20200730224555.2142154-2-ndesaulniers@google.com + +Cc: Ingo Molnar <mingo@redhat.com> +Cc: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> +Cc: stable@vger.kernel.org +Fixes: 102c9323c35a8 ("tracing: Add __tracepoint_string() to export string pointers") +Reported-by: Tim Murray <timmurray@google.com> +Reported-by: Simon MacMullen <simonmacm@google.com> +Suggested-by: Greg Hackmann <ghackmann@google.com> +Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> + +diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h +index a1fecf311621..3a5b717d92e8 100644 +--- a/include/linux/tracepoint.h ++++ b/include/linux/tracepoint.h +@@ -361,7 +361,7 @@ static inline struct tracepoint *tracepoint_ptr_deref(tracepoint_ptr_t *p) + static const char *___tp_str __tracepoint_string = str; \ + ___tp_str; \ + }) +-#define __tracepoint_string __attribute__((section("__tracepoint_str"))) ++#define __tracepoint_string __attribute__((section("__tracepoint_str"), used)) + #else + /* + * tracepoint_string() is used to save the string address for userspace +-- +2.27.0 + diff --git a/queue/usb-bdc-Halt-controller-on-suspend.patch b/queue/usb-bdc-Halt-controller-on-suspend.patch new file mode 100644 index 00000000..abab56fb --- /dev/null +++ b/queue/usb-bdc-Halt-controller-on-suspend.patch @@ -0,0 +1,45 @@ +From 5fc453d7de3d0c345812453823a3a56783c5f82c Mon Sep 17 00:00:00 2001 +From: Danesh Petigara <danesh.petigara@broadcom.com> +Date: Wed, 22 Jul 2020 13:07:45 -0400 +Subject: [PATCH] usb: bdc: Halt controller on suspend + +commit 5fc453d7de3d0c345812453823a3a56783c5f82c upstream. + +GISB bus error kernel panics have been observed during S2 transition +tests on the 7271t platform. The errors are a result of the BDC +interrupt handler trying to access BDC register space after the +system's suspend callbacks have completed. + +Adding a suspend hook to the BDC driver that halts the controller before +S2 entry thus preventing unwanted access to the BDC register space during +this transition. + +Signed-off-by: Danesh Petigara <danesh.petigara@broadcom.com> +Signed-off-by: Al Cooper <alcooperx@gmail.com> +Acked-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: Felipe Balbi <balbi@kernel.org> + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index d4ec1e37d50a..0f1617e34f38 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -603,9 +603,14 @@ static int bdc_remove(struct platform_device *pdev) + static int bdc_suspend(struct device *dev) + { + struct bdc *bdc = dev_get_drvdata(dev); ++ int ret; + +- clk_disable_unprepare(bdc->clk); +- return 0; ++ /* Halt the controller */ ++ ret = bdc_stop(bdc); ++ if (!ret) ++ clk_disable_unprepare(bdc->clk); ++ ++ return ret; + } + + static int bdc_resume(struct device *dev) +-- +2.27.0 + diff --git a/queue/usb-core-fix-quirks_param_set-writing-to-a-const-poi.patch b/queue/usb-core-fix-quirks_param_set-writing-to-a-const-poi.patch new file mode 100644 index 00000000..3ef32fd6 --- /dev/null +++ b/queue/usb-core-fix-quirks_param_set-writing-to-a-const-poi.patch @@ -0,0 +1,76 @@ +From b1b6bed3b5036509b449b5965285d5057ba42527 Mon Sep 17 00:00:00 2001 +From: Kars Mulder <kerneldev@karsmulder.nl> +Date: Tue, 7 Jul 2020 16:43:50 +0200 +Subject: [PATCH] usb: core: fix quirks_param_set() writing to a const pointer + +commit b1b6bed3b5036509b449b5965285d5057ba42527 upstream. + +The function quirks_param_set() takes as argument a const char* pointer +to the new value of the usbcore.quirks parameter. It then casts this +pointer to a non-const char* pointer and passes it to the strsep() +function, which overwrites the value. + +Fix this by creating a copy of the value using kstrdup() and letting +that copy be written to by strsep(). + +Fixes: 027bd6cafd9a ("usb: core: Add "quirks" parameter for usbcore") +Signed-off-by: Kars Mulder <kerneldev@karsmulder.nl> + +Link: https://lore.kernel.org/r/5ee2-5f048a00-21-618c5c00@230659773 +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 870df71d1827..7c1198f80c23 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -25,17 +25,23 @@ static unsigned int quirk_count; + + static char quirks_param[128]; + +-static int quirks_param_set(const char *val, const struct kernel_param *kp) ++static int quirks_param_set(const char *value, const struct kernel_param *kp) + { +- char *p, *field; ++ char *val, *p, *field; + u16 vid, pid; + u32 flags; + size_t i; + int err; + ++ val = kstrdup(value, GFP_KERNEL); ++ if (!val) ++ return -ENOMEM; ++ + err = param_set_copystring(val, kp); +- if (err) ++ if (err) { ++ kfree(val); + return err; ++ } + + mutex_lock(&quirk_mutex); + +@@ -60,10 +66,11 @@ static int quirks_param_set(const char *val, const struct kernel_param *kp) + if (!quirk_list) { + quirk_count = 0; + mutex_unlock(&quirk_mutex); ++ kfree(val); + return -ENOMEM; + } + +- for (i = 0, p = (char *)val; p && *p;) { ++ for (i = 0, p = val; p && *p;) { + /* Each entry consists of VID:PID:flags */ + field = strsep(&p, ":"); + if (!field) +@@ -144,6 +151,7 @@ static int quirks_param_set(const char *val, const struct kernel_param *kp) + + unlock: + mutex_unlock(&quirk_mutex); ++ kfree(val); + + return 0; + } +-- +2.27.0 + diff --git a/queue/usb-dwc2-Fix-error-path-in-gadget-registration.patch b/queue/usb-dwc2-Fix-error-path-in-gadget-registration.patch new file mode 100644 index 00000000..94cd7d14 --- /dev/null +++ b/queue/usb-dwc2-Fix-error-path-in-gadget-registration.patch @@ -0,0 +1,91 @@ +From 33a06f1300a79cfd461cea0268f05e969d4f34ec Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski <m.szyprowski@samsung.com> +Date: Thu, 16 Jul 2020 14:09:48 +0200 +Subject: [PATCH] usb: dwc2: Fix error path in gadget registration + +commit 33a06f1300a79cfd461cea0268f05e969d4f34ec upstream. + +When gadget registration fails, one should not call usb_del_gadget_udc(). +Ensure this by setting gadget->udc to NULL. Also in case of a failure +there is no need to disable low-level hardware, so return immiedetly +instead of jumping to error_init label. + +This fixes the following kernel NULL ptr dereference on gadget failure +(can be easily triggered with g_mass_storage without any module +parameters): + +dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1 +dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024 +dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM +Mass Storage Function, version: 2009/09/11 +LUN: removable file: (no medium) +no file given for LUN0 +g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22 +8<--- cut here --- +Unable to handle kernel NULL pointer dereference at virtual address 00000104 +pgd = (ptrval) +[00000104] *pgd=00000000 +Internal error: Oops: 805 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133 +Hardware name: Samsung Exynos (Flattened Device Tree) +Workqueue: events deferred_probe_work_func +PC is at usb_del_gadget_udc+0x38/0xc4 +LR is at __mutex_lock+0x31c/0xb18 +... +Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval)) +Stack: (0xef121db0 to 0xef122000) +... +[<c076bf3c>] (usb_del_gadget_udc) from [<c0726bec>] (dwc2_hsotg_remove+0x10/0x20) +[<c0726bec>] (dwc2_hsotg_remove) from [<c0711208>] (dwc2_driver_probe+0x57c/0x69c) +[<c0711208>] (dwc2_driver_probe) from [<c06247c0>] (platform_drv_probe+0x6c/0xa4) +[<c06247c0>] (platform_drv_probe) from [<c0621df4>] (really_probe+0x200/0x48c) +[<c0621df4>] (really_probe) from [<c06221e8>] (driver_probe_device+0x78/0x1fc) +[<c06221e8>] (driver_probe_device) from [<c061fcd4>] (bus_for_each_drv+0x74/0xb8) +[<c061fcd4>] (bus_for_each_drv) from [<c0621b54>] (__device_attach+0xd4/0x16c) +[<c0621b54>] (__device_attach) from [<c0620c98>] (bus_probe_device+0x88/0x90) +[<c0620c98>] (bus_probe_device) from [<c06211b0>] (deferred_probe_work_func+0x3c/0xd0) +[<c06211b0>] (deferred_probe_work_func) from [<c0149280>] (process_one_work+0x234/0x7dc) +[<c0149280>] (process_one_work) from [<c014986c>] (worker_thread+0x44/0x51c) +[<c014986c>] (worker_thread) from [<c0150b1c>] (kthread+0x158/0x1a0) +[<c0150b1c>] (kthread) from [<c0100114>] (ret_from_fork+0x14/0x20) +Exception stack(0xef121fb0 to 0xef121ff8) +... +---[ end trace 9724c2fc7cc9c982 ]--- + +While fixing this also fix the double call to dwc2_lowlevel_hw_disable() +if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level +hardware is already disabled before calling usb_add_gadget_udc(). That +function correctly preserves low-level hardware state, there is no need +for the second unconditional dwc2_lowlevel_hw_disable() call. + +Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver") +Acked-by: Minas Harutyunyan <hminas@synopsys.com> +Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> +Signed-off-by: Felipe Balbi <balbi@kernel.org> + +diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c +index 8fea5f1f60ab..68b56b43a45e 100644 +--- a/drivers/usb/dwc2/platform.c ++++ b/drivers/usb/dwc2/platform.c +@@ -591,6 +591,7 @@ static int dwc2_driver_probe(struct platform_device *dev) + if (hsotg->gadget_enabled) { + retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget); + if (retval) { ++ hsotg->gadget.udc = NULL; + dwc2_hsotg_remove(hsotg); + goto error_init; + } +@@ -602,7 +603,8 @@ static int dwc2_driver_probe(struct platform_device *dev) + if (hsotg->params.activate_stm_id_vb_detection) + regulator_disable(hsotg->usb33d); + error: +- dwc2_lowlevel_hw_disable(hsotg); ++ if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL) ++ dwc2_lowlevel_hw_disable(hsotg); + return retval; + } + +-- +2.27.0 + diff --git a/queue/usb-gadget-f_uac2-fix-AC-Interface-Header-Descriptor.patch b/queue/usb-gadget-f_uac2-fix-AC-Interface-Header-Descriptor.patch new file mode 100644 index 00000000..ad570105 --- /dev/null +++ b/queue/usb-gadget-f_uac2-fix-AC-Interface-Header-Descriptor.patch @@ -0,0 +1,51 @@ +From a9cf8715180b18c62addbfe6f6267b8101903119 Mon Sep 17 00:00:00 2001 +From: Ruslan Bilovol <ruslan.bilovol@gmail.com> +Date: Fri, 3 Jul 2020 16:49:03 +0300 +Subject: [PATCH] usb: gadget: f_uac2: fix AC Interface Header Descriptor + wTotalLength + +commit a9cf8715180b18c62addbfe6f6267b8101903119 upstream. + +As per UAC2 spec (ch. 4.7.2), wTotalLength of AC Interface +Header Descriptor "includes the combined length of this +descriptor header and all Clock Source, Unit and Terminal +descriptors." + +Thus add its size to its wTotalLength. + +Also after recent changes wTotalLength is calculated +dynamically, update static definition of uac2_ac_header_descriptor +accordingly + +Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver") +Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com> +Signed-off-by: Felipe Balbi <balbi@kernel.org> + +diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c +index db2d4980cb35..3633df6d7610 100644 +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -215,10 +215,7 @@ static struct uac2_ac_header_descriptor ac_hdr_desc = { + .bDescriptorSubtype = UAC_MS_HEADER, + .bcdADC = cpu_to_le16(0x200), + .bCategory = UAC2_FUNCTION_IO_BOX, +- .wTotalLength = cpu_to_le16(sizeof in_clk_src_desc +- + sizeof out_clk_src_desc + sizeof usb_out_it_desc +- + sizeof io_in_it_desc + sizeof usb_in_ot_desc +- + sizeof io_out_ot_desc), ++ /* .wTotalLength = DYNAMIC */ + .bmControls = 0, + }; + +@@ -501,7 +498,7 @@ static void setup_descriptor(struct f_uac2_opts *opts) + as_in_hdr_desc.bTerminalLink = usb_in_ot_desc.bTerminalID; + + iad_desc.bInterfaceCount = 1; +- ac_hdr_desc.wTotalLength = 0; ++ ac_hdr_desc.wTotalLength = cpu_to_le16(sizeof(ac_hdr_desc)); + + if (EPIN_EN(opts)) { + u16 len = le16_to_cpu(ac_hdr_desc.wTotalLength); +-- +2.27.0 + diff --git a/queue/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch b/queue/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch new file mode 100644 index 00000000..73cfd429 --- /dev/null +++ b/queue/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch @@ -0,0 +1,37 @@ +From 2468c877da428ebfd701142c4cdfefcfb7d4c00e Mon Sep 17 00:00:00 2001 +From: Evgeny Novikov <novikov@ispras.ru> +Date: Tue, 21 Jul 2020 23:15:58 +0300 +Subject: [PATCH] usb: gadget: net2280: fix memory leak on probe error handling + paths + +commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e upstream. + +Driver does not release memory for device on error handling paths in +net2280_probe() when gadget_release() is not registered yet. + +The patch fixes the bug like in other similar drivers. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov <novikov@ispras.ru> +Signed-off-by: Felipe Balbi <balbi@kernel.org> + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 5eff85eeaa5a..7530bd9a08c4 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -3781,8 +3781,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return 0; + + done: +- if (dev) ++ if (dev) { + net2280_remove(pdev); ++ kfree(dev); ++ } + return retval; + } + +-- +2.27.0 + diff --git a/queue/usb-mtu3-clear-dual-mode-of-u3port-when-disable-devi.patch b/queue/usb-mtu3-clear-dual-mode-of-u3port-when-disable-devi.patch new file mode 100644 index 00000000..af193055 --- /dev/null +++ b/queue/usb-mtu3-clear-dual-mode-of-u3port-when-disable-devi.patch @@ -0,0 +1,35 @@ +From f1e51e99ed498d4aa9ae5df28e43d558ea627781 Mon Sep 17 00:00:00 2001 +From: Chunfeng Yun <chunfeng.yun@mediatek.com> +Date: Mon, 27 Jul 2020 15:14:59 +0800 +Subject: [PATCH] usb: mtu3: clear dual mode of u3port when disable device + +commit f1e51e99ed498d4aa9ae5df28e43d558ea627781 upstream. + +If not clear u3port's dual mode when disable device, the IP +will fail to enter sleep mode when suspend. + +Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com> +Link: https://lore.kernel.org/r/1595834101-13094-10-git-send-email-chunfeng.yun@mediatek.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/mtu3/mtu3_core.c b/drivers/usb/mtu3/mtu3_core.c +index 9e0b68b3920c..b3b459937566 100644 +--- a/drivers/usb/mtu3/mtu3_core.c ++++ b/drivers/usb/mtu3/mtu3_core.c +@@ -131,8 +131,12 @@ static void mtu3_device_disable(struct mtu3 *mtu) + mtu3_setbits(ibase, SSUSB_U2_CTRL(0), + SSUSB_U2_PORT_DIS | SSUSB_U2_PORT_PDN); + +- if (mtu->ssusb->dr_mode == USB_DR_MODE_OTG) ++ if (mtu->ssusb->dr_mode == USB_DR_MODE_OTG) { + mtu3_clrbits(ibase, SSUSB_U2_CTRL(0), SSUSB_U2_PORT_OTG_SEL); ++ if (mtu->is_u3_ip) ++ mtu3_clrbits(ibase, SSUSB_U3_CTRL(0), ++ SSUSB_U3_PORT_DUAL_MODE); ++ } + + mtu3_setbits(ibase, U3D_SSUSB_IP_PW_CTRL2, SSUSB_IP_DEV_PDN); + } +-- +2.27.0 + diff --git a/queue/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch b/queue/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch new file mode 100644 index 00000000..e0cebf86 --- /dev/null +++ b/queue/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch @@ -0,0 +1,40 @@ +From edcb3895a751c762a18d25c8d9846ce9759ed7e1 Mon Sep 17 00:00:00 2001 +From: Evgeny Novikov <novikov@ispras.ru> +Date: Tue, 30 Jun 2020 22:54:51 +0300 +Subject: [PATCH] video: fbdev: neofb: fix memory leak in neo_scan_monitor() + +commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 upstream. + +neofb_probe() calls neo_scan_monitor() that can successfully allocate a +memory for info->monspecs.modedb and proceed to case 0x03. There it does +not free the memory and returns -1. neofb_probe() goes to label +err_scan_monitor, thus, it does not free this memory through calling +fb_destroy_modedb() as well. We can not go to label err_init_hw since +neo_scan_monitor() can fail during memory allocation. So, the patch frees +the memory directly for case 0x03. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov <novikov@ispras.ru> +Cc: Jani Nikula <jani.nikula@intel.com> +Cc: Mike Rapoport <rppt@linux.ibm.com> +Cc: Daniel Vetter <daniel.vetter@ffwll.ch> +Cc: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru + +diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c +index f5a676bfd67a..09a20d4ab35f 100644 +--- a/drivers/video/fbdev/neofb.c ++++ b/drivers/video/fbdev/neofb.c +@@ -1819,6 +1819,7 @@ static int neo_scan_monitor(struct fb_info *info) + #else + printk(KERN_ERR + "neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n"); ++ kfree(info->monspecs.modedb); + return -1; + #endif + default: +-- +2.27.0 + diff --git a/queue/video-fbdev-savage-fix-memory-leak-on-error-handling.patch b/queue/video-fbdev-savage-fix-memory-leak-on-error-handling.patch new file mode 100644 index 00000000..07d9f4c4 --- /dev/null +++ b/queue/video-fbdev-savage-fix-memory-leak-on-error-handling.patch @@ -0,0 +1,39 @@ +From e8d35898a78e34fc854ed9680bc3f9caedab08cd Mon Sep 17 00:00:00 2001 +From: Evgeny Novikov <novikov@ispras.ru> +Date: Fri, 19 Jun 2020 19:21:36 +0300 +Subject: [PATCH] video: fbdev: savage: fix memory leak on error handling path + in probe + +commit e8d35898a78e34fc854ed9680bc3f9caedab08cd upstream. + +savagefb_probe() calls savage_init_fb_info() that can successfully +allocate memory for info->pixmap.addr but then fail when +fb_alloc_cmap() fails. savagefb_probe() goes to label failed_init and +does not free allocated memory. It is not valid to go to label +failed_mmio since savage_init_fb_info() can fail during memory +allocation as well. So, the patch free allocated memory on the error +handling path in savage_init_fb_info() itself. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov <novikov@ispras.ru> +Cc: Antonino Daplas <adaplas@gmail.com> +Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200619162136.9010-1-novikov@ispras.ru + +diff --git a/drivers/video/fbdev/savage/savagefb_driver.c b/drivers/video/fbdev/savage/savagefb_driver.c +index 3c8ae87f0ea7..3fd87aeb6c79 100644 +--- a/drivers/video/fbdev/savage/savagefb_driver.c ++++ b/drivers/video/fbdev/savage/savagefb_driver.c +@@ -2157,6 +2157,8 @@ static int savage_init_fb_info(struct fb_info *info, struct pci_dev *dev, + info->flags |= FBINFO_HWACCEL_COPYAREA | + FBINFO_HWACCEL_FILLRECT | + FBINFO_HWACCEL_IMAGEBLIT; ++ else ++ kfree(info->pixmap.addr); + } + #endif + return err; +-- +2.27.0 + diff --git a/queue/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch b/queue/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch new file mode 100644 index 00000000..b8f27f9c --- /dev/null +++ b/queue/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch @@ -0,0 +1,37 @@ +From 98bd4f72988646c35569e1e838c0ab80d06c77f6 Mon Sep 17 00:00:00 2001 +From: Dejin Zheng <zhengdejin5@gmail.com> +Date: Thu, 23 Apr 2020 00:07:19 +0800 +Subject: [PATCH] video: fbdev: sm712fb: fix an issue about iounmap for a wrong + address + +commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 upstream. + +the sfb->fb->screen_base is not save the value get by iounmap() when +the chip id is 0x720. so iounmap() for address sfb->fb->screen_base +is not right. + +Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev") +Cc: Andy Shevchenko <andy.shevchenko@gmail.com> +Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Cc: Teddy Wang <teddy.wang@siliconmotion.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com> +Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com + +diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c +index 6a1b4a853d9e..8cd655d6d628 100644 +--- a/drivers/video/fbdev/sm712fb.c ++++ b/drivers/video/fbdev/sm712fb.c +@@ -1429,6 +1429,8 @@ static int smtc_map_smem(struct smtcfb_info *sfb, + static void smtc_unmap_smem(struct smtcfb_info *sfb) + { + if (sfb && sfb->fb->screen_base) { ++ if (sfb->chip_id == 0x720) ++ sfb->fb->screen_base -= 0x00200000; + iounmap(sfb->fb->screen_base); + sfb->fb->screen_base = NULL; + } +-- +2.27.0 + diff --git a/queue/video-pxafb-Fix-the-function-used-to-balance-a-dma_a.patch b/queue/video-pxafb-Fix-the-function-used-to-balance-a-dma_a.patch new file mode 100644 index 00000000..7a4c9623 --- /dev/null +++ b/queue/video-pxafb-Fix-the-function-used-to-balance-a-dma_a.patch @@ -0,0 +1,43 @@ +From 499a2c41b954518c372873202d5e7714e22010c4 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Date: Wed, 29 Apr 2020 10:45:05 +0200 +Subject: [PATCH] video: pxafb: Fix the function used to balance a + 'dma_alloc_coherent()' call + +commit 499a2c41b954518c372873202d5e7714e22010c4 upstream. + +'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()' +not 'dma_free_wc()'. +The correct dma_free_ function is already used in the error handling path +of the probe function. + +Fixes: 77e196752bdd ("[ARM] pxafb: allow video memory size to be configurable") +Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> +Cc: Sumit Semwal <sumit.semwal@linaro.org> +Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Cc: Jonathan Corbet <corbet@lwn.net> +Cc: Viresh Kumar <viresh.kumar@linaro.org> +Cc: Jani Nikula <jani.nikula@intel.com> +cc: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Cc: Eric Miao <eric.miao@marvell.com> +Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Link: https://patchwork.freedesktop.org/patch/msgid/20200429084505.108897-1-christophe.jaillet@wanadoo.fr + +diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c +index 00b96a78676e..6f972bed410a 100644 +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -2417,8 +2417,8 @@ static int pxafb_remove(struct platform_device *dev) + + free_pages_exact(fbi->video_mem, fbi->video_mem_size); + +- dma_free_wc(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, +- fbi->dma_buff_phys); ++ dma_free_coherent(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, ++ fbi->dma_buff_phys); + + return 0; + } +-- +2.27.0 + diff --git a/queue/vmxnet3-use-correct-tcp-hdr-length-when-packet-is-en.patch b/queue/vmxnet3-use-correct-tcp-hdr-length-when-packet-is-en.patch new file mode 100644 index 00000000..6f1805ca --- /dev/null +++ b/queue/vmxnet3-use-correct-tcp-hdr-length-when-packet-is-en.patch @@ -0,0 +1,38 @@ +From 8a7f280f29a80f6e0798f5d6e07c5dd8726620fe Mon Sep 17 00:00:00 2001 +From: Ronak Doshi <doshir@vmware.com> +Date: Mon, 10 Aug 2020 09:55:55 -0700 +Subject: [PATCH] vmxnet3: use correct tcp hdr length when packet is + encapsulated + +commit 8a7f280f29a80f6e0798f5d6e07c5dd8726620fe upstream. + +Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload +support") added support for encapsulation offload. However, while +calculating tcp hdr length, it does not take into account if the +packet is encapsulated or not. + +This patch fixes this issue by using correct reference for inner +tcp header. + +Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") +Signed-off-by: Ronak Doshi <doshir@vmware.com> +Acked-by: Guolin Yang <gyang@vmware.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index ca395f9679d0..2818015324b8 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -886,7 +886,8 @@ vmxnet3_parse_hdr(struct sk_buff *skb, struct vmxnet3_tx_queue *tq, + + switch (protocol) { + case IPPROTO_TCP: +- ctx->l4_hdr_size = tcp_hdrlen(skb); ++ ctx->l4_hdr_size = skb->encapsulation ? inner_tcp_hdrlen(skb) : ++ tcp_hdrlen(skb); + break; + case IPPROTO_UDP: + ctx->l4_hdr_size = sizeof(struct udphdr); +-- +2.27.0 + diff --git a/queue/wl1251-fix-always-return-0-error.patch b/queue/wl1251-fix-always-return-0-error.patch new file mode 100644 index 00000000..19ea9377 --- /dev/null +++ b/queue/wl1251-fix-always-return-0-error.patch @@ -0,0 +1,32 @@ +From 20e6421344b5bc2f97b8e2db47b6994368417904 Mon Sep 17 00:00:00 2001 +From: Wang Hai <wanghai38@huawei.com> +Date: Thu, 30 Jul 2020 15:39:39 +0800 +Subject: [PATCH] wl1251: fix always return 0 error + +commit 20e6421344b5bc2f97b8e2db47b6994368417904 upstream. + +wl1251_event_ps_report() should not always return 0 because +wl1251_ps_set_mode() may fail. Change it to return 'ret'. + +Fixes: f7ad1eed4d4b ("wl1251: retry power save entry") +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Wang Hai <wanghai38@huawei.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com + +diff --git a/drivers/net/wireless/ti/wl1251/event.c b/drivers/net/wireless/ti/wl1251/event.c +index 850864dbafa1..e6d426edab56 100644 +--- a/drivers/net/wireless/ti/wl1251/event.c ++++ b/drivers/net/wireless/ti/wl1251/event.c +@@ -70,7 +70,7 @@ static int wl1251_event_ps_report(struct wl1251 *wl, + break; + } + +- return 0; ++ return ret; + } + + static void wl1251_event_mbox_dump(struct event_mailbox *mbox) +-- +2.27.0 + diff --git a/queue/x86-fsgsbase-64-Fix-NULL-deref-in-86_fsgsbase_read_t.patch b/queue/x86-fsgsbase-64-Fix-NULL-deref-in-86_fsgsbase_read_t.patch new file mode 100644 index 00000000..16ac1ceb --- /dev/null +++ b/queue/x86-fsgsbase-64-Fix-NULL-deref-in-86_fsgsbase_read_t.patch @@ -0,0 +1,69 @@ +From 8ab49526b53d3172d1d8dd03a75c7d1f5bd21239 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Fri, 14 Aug 2020 11:16:17 -0700 +Subject: [PATCH] x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task + +commit 8ab49526b53d3172d1d8dd03a75c7d1f5bd21239 upstream. + +syzbot found its way in 86_fsgsbase_read_task() and triggered this oops: + + KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] + CPU: 0 PID: 6866 Comm: syz-executor262 Not tainted 5.8.0-syzkaller #0 + RIP: 0010:x86_fsgsbase_read_task+0x16d/0x310 arch/x86/kernel/process_64.c:393 + Call Trace: + putreg32+0x3ab/0x530 arch/x86/kernel/ptrace.c:876 + genregs32_set arch/x86/kernel/ptrace.c:1026 [inline] + genregs32_set+0xa4/0x100 arch/x86/kernel/ptrace.c:1006 + copy_regset_from_user include/linux/regset.h:326 [inline] + ia32_arch_ptrace arch/x86/kernel/ptrace.c:1061 [inline] + compat_arch_ptrace+0x36c/0xd90 arch/x86/kernel/ptrace.c:1198 + __do_compat_sys_ptrace kernel/ptrace.c:1420 [inline] + __se_compat_sys_ptrace kernel/ptrace.c:1389 [inline] + __ia32_compat_sys_ptrace+0x220/0x2f0 kernel/ptrace.c:1389 + do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline] + __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126 + do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +This can happen if ptrace() or sigreturn() pokes an LDT selector into FS +or GS for a task with no LDT and something tries to read the base before +a return to usermode notices the bad selector and fixes it. + +The fix is to make sure ldt pointer is not NULL. + +Fixes: 07e1d88adaae ("x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately") +Co-developed-by: Jann Horn <jannh@google.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Acked-by: Andy Lutomirski <luto@kernel.org> +Cc: Chang S. Bae <chang.seok.bae@intel.com> +Cc: Andy Lutomirski <luto@amacapital.net> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Brian Gerst <brgerst@gmail.com> +Cc: Dave Hansen <dave.hansen@linux.intel.com> +Cc: Denys Vlasenko <dvlasenk@redhat.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Markus T Metzger <markus.t.metzger@intel.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Ravi Shankar <ravi.v.shankar@intel.com> +Cc: Rik van Riel <riel@surriel.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c +index d6f946707270..9afefe325acb 100644 +--- a/arch/x86/kernel/process_64.c ++++ b/arch/x86/kernel/process_64.c +@@ -390,7 +390,7 @@ unsigned long x86_fsgsbase_read_task(struct task_struct *task, + */ + mutex_lock(&task->mm->context.lock); + ldt = task->mm->context.ldt; +- if (unlikely(idx >= ldt->nr_entries)) ++ if (unlikely(!ldt || idx >= ldt->nr_entries)) + base = 0; + else + base = get_desc_base(ldt->entries + idx); +-- +2.27.0 + diff --git a/queue/x86-mce-inject-Fix-a-wrong-assignment-of-i_mce.statu.patch b/queue/x86-mce-inject-Fix-a-wrong-assignment-of-i_mce.statu.patch new file mode 100644 index 00000000..606bbb85 --- /dev/null +++ b/queue/x86-mce-inject-Fix-a-wrong-assignment-of-i_mce.statu.patch @@ -0,0 +1,32 @@ +From 5d7f7d1d5e01c22894dee7c9c9266500478dca99 Mon Sep 17 00:00:00 2001 +From: Zhenzhong Duan <zhenzhong.duan@gmail.com> +Date: Thu, 11 Jun 2020 10:32:38 +0800 +Subject: [PATCH] x86/mce/inject: Fix a wrong assignment of i_mce.status + +commit 5d7f7d1d5e01c22894dee7c9c9266500478dca99 upstream. + +The original code is a nop as i_mce.status is or'ed with part of itself, +fix it. + +Fixes: a1300e505297 ("x86/ras/mce_amd_inj: Trigger deferred and thresholding errors interrupts") +Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +Acked-by: Yazen Ghannam <yazen.ghannam@amd.com> +Link: https://lkml.kernel.org/r/20200611023238.3830-1-zhenzhong.duan@gmail.com + +diff --git a/arch/x86/kernel/cpu/mce/inject.c b/arch/x86/kernel/cpu/mce/inject.c +index 0593b192eb8f..7843ab3fde09 100644 +--- a/arch/x86/kernel/cpu/mce/inject.c ++++ b/arch/x86/kernel/cpu/mce/inject.c +@@ -511,7 +511,7 @@ static void do_inject(void) + */ + if (inj_type == DFR_INT_INJ) { + i_mce.status |= MCI_STATUS_DEFERRED; +- i_mce.status |= (i_mce.status & ~MCI_STATUS_UC); ++ i_mce.status &= ~MCI_STATUS_UC; + } + + /* +-- +2.27.0 + diff --git a/queue/xen-balloon-fix-accounting-in-alloc_xenballooned_pag.patch b/queue/xen-balloon-fix-accounting-in-alloc_xenballooned_pag.patch new file mode 100644 index 00000000..9942db0b --- /dev/null +++ b/queue/xen-balloon-fix-accounting-in-alloc_xenballooned_pag.patch @@ -0,0 +1,42 @@ +From 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne <roger.pau@citrix.com> +Date: Mon, 27 Jul 2020 11:13:39 +0200 +Subject: [PATCH] xen/balloon: fix accounting in alloc_xenballooned_pages error + path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream. + +target_unpopulated is incremented with nr_pages at the start of the +function, but the call to free_xenballooned_pages will only subtract +pgno number of pages, and thus the rest need to be subtracted before +returning or else accounting will be skewed. + +Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> +Reviewed-by: Juergen Gross <jgross@suse.com> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200727091342.52325-2-roger.pau@citrix.com +Signed-off-by: Juergen Gross <jgross@suse.com> + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 77c57568e5d7..3cb10ed32557 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -630,6 +630,12 @@ int alloc_xenballooned_pages(int nr_pages, struct page **pages) + out_undo: + mutex_unlock(&balloon_mutex); + free_xenballooned_pages(pgno, pages); ++ /* ++ * NB: free_xenballooned_pages will only subtract pgno pages, but since ++ * target_unpopulated is incremented with nr_pages at the start we need ++ * to remove the remaining ones also, or accounting will be screwed. ++ */ ++ balloon_stats.target_unpopulated -= nr_pages - pgno; + return ret; + } + EXPORT_SYMBOL(alloc_xenballooned_pages); +-- +2.27.0 + diff --git a/queue/xen-balloon-make-the-balloon-wait-interruptible.patch b/queue/xen-balloon-make-the-balloon-wait-interruptible.patch new file mode 100644 index 00000000..d4d45cdd --- /dev/null +++ b/queue/xen-balloon-make-the-balloon-wait-interruptible.patch @@ -0,0 +1,42 @@ +From 88a479ff6ef8af7f07e11593d58befc644244ff7 Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne <roger.pau@citrix.com> +Date: Mon, 27 Jul 2020 11:13:40 +0200 +Subject: [PATCH] xen/balloon: make the balloon wait interruptible +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 88a479ff6ef8af7f07e11593d58befc644244ff7 upstream. + +So it can be killed, or else processes can get hung indefinitely +waiting for balloon pages. + +Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> +Reviewed-by: Juergen Gross <jgross@suse.com> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200727091342.52325-3-roger.pau@citrix.com +Signed-off-by: Juergen Gross <jgross@suse.com> + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 3cb10ed32557..292413b27575 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -568,11 +568,13 @@ static int add_ballooned_pages(int nr_pages) + if (xen_hotplug_unpopulated) { + st = reserve_additional_memory(); + if (st != BP_ECANCELED) { ++ int rc; ++ + mutex_unlock(&balloon_mutex); +- wait_event(balloon_wq, ++ rc = wait_event_interruptible(balloon_wq, + !list_empty(&ballooned_pages)); + mutex_lock(&balloon_mutex); +- return 0; ++ return rc ? -ENOMEM : 0; + } + } + +-- +2.27.0 + diff --git a/queue/xen-gntdev-Fix-dmabuf-import-with-non-zero-sgt-offse.patch b/queue/xen-gntdev-Fix-dmabuf-import-with-non-zero-sgt-offse.patch new file mode 100644 index 00000000..2836ed85 --- /dev/null +++ b/queue/xen-gntdev-Fix-dmabuf-import-with-non-zero-sgt-offse.patch @@ -0,0 +1,41 @@ +From 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b Mon Sep 17 00:00:00 2001 +From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com> +Date: Thu, 13 Aug 2020 09:21:09 +0300 +Subject: [PATCH] xen/gntdev: Fix dmabuf import with non-zero sgt offset + +commit 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b upstream. + +It is possible that the scatter-gather table during dmabuf import has +non-zero offset of the data, but user-space doesn't expect that. +Fix this by failing the import, so user-space doesn't access wrong data. + +Fixes: bf8dc55b1358 ("xen/gntdev: Implement dma-buf import functionality") + +Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com> +Acked-by: Juergen Gross <jgross@suse.com> +Cc: <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20200813062113.11030-2-andr2000@gmail.com +Signed-off-by: Juergen Gross <jgross@suse.com> + +diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c +index 75d3bb948bf3..b1b6eebafd5d 100644 +--- a/drivers/xen/gntdev-dmabuf.c ++++ b/drivers/xen/gntdev-dmabuf.c +@@ -613,6 +613,14 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev, + goto fail_detach; + } + ++ /* Check that we have zero offset. */ ++ if (sgt->sgl->offset) { ++ ret = ERR_PTR(-EINVAL); ++ pr_debug("DMA buffer has %d bytes offset, user-space expects 0\n", ++ sgt->sgl->offset); ++ goto fail_unmap; ++ } ++ + /* Check number of pages that imported buffer has. */ + if (attach->dmabuf->size != gntdev_dmabuf->nr_pages << PAGE_SHIFT) { + ret = ERR_PTR(-EINVAL); +-- +2.27.0 + diff --git a/queue/xfs-don-t-eat-an-EIO-ENOSPC-writeback-error-when-scr.patch b/queue/xfs-don-t-eat-an-EIO-ENOSPC-writeback-error-when-scr.patch new file mode 100644 index 00000000..5c3ad11a --- /dev/null +++ b/queue/xfs-don-t-eat-an-EIO-ENOSPC-writeback-error-when-scr.patch @@ -0,0 +1,65 @@ +From eb0efe5063bb10bcb653e4f8e92a74719c03a347 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" <darrick.wong@oracle.com> +Date: Mon, 29 Jun 2020 14:47:17 -0700 +Subject: [PATCH] xfs: don't eat an EIO/ENOSPC writeback error when scrubbing + data fork + +commit eb0efe5063bb10bcb653e4f8e92a74719c03a347 upstream. + +The data fork scrubber calls filemap_write_and_wait to flush dirty pages +and delalloc reservations out to disk prior to checking the data fork's +extent mappings. Unfortunately, this means that scrub can consume the +EIO/ENOSPC errors that would otherwise have stayed around in the address +space until (we hope) the writer application calls fsync to persist data +and collect errors. The end result is that programs that wrote to a +file might never see the error code and proceed as if nothing were +wrong. + +xfs_scrub is not in a position to notify file writers about the +writeback failure, and it's only here to check metadata, not file +contents. Therefore, if writeback fails, we should stuff the error code +back into the address space so that an fsync by the writer application +can pick that up. + +Fixes: 99d9d8d05da2 ("xfs: scrub inode block mappings") +Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> +Reviewed-by: Brian Foster <bfoster@redhat.com> +Reviewed-by: Dave Chinner <dchinner@redhat.com> + +diff --git a/fs/xfs/scrub/bmap.c b/fs/xfs/scrub/bmap.c +index 7badd6dfe544..955302e7cdde 100644 +--- a/fs/xfs/scrub/bmap.c ++++ b/fs/xfs/scrub/bmap.c +@@ -45,9 +45,27 @@ xchk_setup_inode_bmap( + */ + if (S_ISREG(VFS_I(sc->ip)->i_mode) && + sc->sm->sm_type == XFS_SCRUB_TYPE_BMBTD) { ++ struct address_space *mapping = VFS_I(sc->ip)->i_mapping; ++ + inode_dio_wait(VFS_I(sc->ip)); +- error = filemap_write_and_wait(VFS_I(sc->ip)->i_mapping); +- if (error) ++ ++ /* ++ * Try to flush all incore state to disk before we examine the ++ * space mappings for the data fork. Leave accumulated errors ++ * in the mapping for the writer threads to consume. ++ * ++ * On ENOSPC or EIO writeback errors, we continue into the ++ * extent mapping checks because write failures do not ++ * necessarily imply anything about the correctness of the file ++ * metadata. The metadata and the file data could be on ++ * completely separate devices; a media failure might only ++ * affect a subset of the disk, etc. We can handle delalloc ++ * extents in the scrubber, so leaving them in memory is fine. ++ */ ++ error = filemap_fdatawrite(mapping); ++ if (!error) ++ error = filemap_fdatawait_keep_errors(mapping); ++ if (error && (error != -ENOSPC && error != -EIO)) + goto out; + } + +-- +2.27.0 + diff --git a/queue/xfs-fix-inode-allocation-block-res-calculation-prece.patch b/queue/xfs-fix-inode-allocation-block-res-calculation-prece.patch new file mode 100644 index 00000000..313c05de --- /dev/null +++ b/queue/xfs-fix-inode-allocation-block-res-calculation-prece.patch @@ -0,0 +1,40 @@ +From b2a8864728683443f34a9fd33a2b78b860934cc1 Mon Sep 17 00:00:00 2001 +From: Brian Foster <bfoster@redhat.com> +Date: Wed, 15 Jul 2020 18:44:50 -0700 +Subject: [PATCH] xfs: fix inode allocation block res calculation precedence + +commit b2a8864728683443f34a9fd33a2b78b860934cc1 upstream. + +The block reservation calculation for inode allocation is supposed +to consist of the blocks required for the inode chunk plus +(maxlevels-1) of the inode btree multiplied by the number of inode +btrees in the fs (2 when finobt is enabled, 1 otherwise). + +Instead, the macro returns (ialloc_blocks + 2) due to a precedence +error in the calculation logic. This leads to block reservation +overruns via generic/531 on small block filesystems with finobt +enabled. Add braces to fix the calculation and reserve the +appropriate number of blocks. + +Fixes: 9d43b180af67 ("xfs: update inode allocation/free transaction reservations for finobt") +Signed-off-by: Brian Foster <bfoster@redhat.com> +Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> +Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> + +diff --git a/fs/xfs/libxfs/xfs_trans_space.h b/fs/xfs/libxfs/xfs_trans_space.h +index 88221c7a04cc..c6df01a2a158 100644 +--- a/fs/xfs/libxfs/xfs_trans_space.h ++++ b/fs/xfs/libxfs/xfs_trans_space.h +@@ -57,7 +57,7 @@ + XFS_DAREMOVE_SPACE_RES(mp, XFS_DATA_FORK) + #define XFS_IALLOC_SPACE_RES(mp) \ + (M_IGEO(mp)->ialloc_blks + \ +- (xfs_sb_version_hasfinobt(&mp->m_sb) ? 2 : 1 * \ ++ ((xfs_sb_version_hasfinobt(&mp->m_sb) ? 2 : 1) * \ + (M_IGEO(mp)->inobt_maxlevels - 1))) + + /* +-- +2.27.0 + diff --git a/queue/xfs-fix-reflink-quota-reservation-accounting-error.patch b/queue/xfs-fix-reflink-quota-reservation-accounting-error.patch new file mode 100644 index 00000000..08f75a40 --- /dev/null +++ b/queue/xfs-fix-reflink-quota-reservation-accounting-error.patch @@ -0,0 +1,58 @@ +From 83895227aba1ade33e81f586aa7b6b1e143096a5 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" <darrick.wong@oracle.com> +Date: Mon, 29 Jun 2020 14:47:18 -0700 +Subject: [PATCH] xfs: fix reflink quota reservation accounting error + +commit 83895227aba1ade33e81f586aa7b6b1e143096a5 upstream. + +Quota reservations are supposed to account for the blocks that might be +allocated due to a bmap btree split. Reflink doesn't do this, so fix +this to make the quota accounting more accurate before we start +rearranging things. + +Fixes: 862bb360ef56 ("xfs: reflink extents from one file to another") +Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> +Reviewed-by: Brian Foster <bfoster@redhat.com> + +diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c +index 107bf2a2f344..d89201d40891 100644 +--- a/fs/xfs/xfs_reflink.c ++++ b/fs/xfs/xfs_reflink.c +@@ -1003,6 +1003,7 @@ xfs_reflink_remap_extent( + xfs_filblks_t rlen; + xfs_filblks_t unmap_len; + xfs_off_t newlen; ++ int64_t qres; + int error; + + unmap_len = irec->br_startoff + irec->br_blockcount - destoff; +@@ -1025,13 +1026,19 @@ xfs_reflink_remap_extent( + xfs_ilock(ip, XFS_ILOCK_EXCL); + xfs_trans_ijoin(tp, ip, 0); + +- /* If we're not just clearing space, then do we have enough quota? */ +- if (real_extent) { +- error = xfs_trans_reserve_quota_nblks(tp, ip, +- irec->br_blockcount, 0, XFS_QMOPT_RES_REGBLKS); +- if (error) +- goto out_cancel; +- } ++ /* ++ * Reserve quota for this operation. We don't know if the first unmap ++ * in the dest file will cause a bmap btree split, so we always reserve ++ * at least enough blocks for that split. If the extent being mapped ++ * in is written, we need to reserve quota for that too. ++ */ ++ qres = XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK); ++ if (real_extent) ++ qres += irec->br_blockcount; ++ error = xfs_trans_reserve_quota_nblks(tp, ip, qres, 0, ++ XFS_QMOPT_RES_REGBLKS); ++ if (error) ++ goto out_cancel; + + trace_xfs_reflink_remap(ip, irec->br_startoff, + irec->br_blockcount, irec->br_startblock); +-- +2.27.0 + |