+++ /dev/null
-From 76f7dec08fd64e9e3ad0810a1a8a60b0a846d348 Mon Sep 17 00:00:00 2001
-From: Kailang Yang <kailang@realtek.com>
-Date: Mon, 10 Feb 2020 16:30:26 +0800
-Subject: ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
-
-From: Kailang Yang <kailang@realtek.com>
-
-commit 76f7dec08fd64e9e3ad0810a1a8a60b0a846d348 upstream.
-
-ThinkPad want to support Headset Button control.
-This patch will enable it.
-
-Signed-off-by: Kailang Yang <kailang@realtek.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/7f0b7128f40f41f6b5582ff610adc33d@realtek.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- sound/pci/hda/patch_realtek.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -5725,7 +5725,7 @@ enum {
- ALC289_FIXUP_DUAL_SPK,
- ALC294_FIXUP_SPK2_TO_DAC1,
- ALC294_FIXUP_ASUS_DUAL_SPK,
--
-+ ALC285_FIXUP_THINKPAD_HEADSET_JACK,
- };
-
- static const struct hda_fixup alc269_fixups[] = {
-@@ -6813,7 +6813,12 @@ static const struct hda_fixup alc269_fix
- .chained = true,
- .chain_id = ALC294_FIXUP_SPK2_TO_DAC1
- },
--
-+ [ALC285_FIXUP_THINKPAD_HEADSET_JACK] = {
-+ .type = HDA_FIXUP_FUNC,
-+ .v.func = alc_fixup_headset_jack,
-+ .chained = true,
-+ .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1
-+ },
- };
-
- static const struct snd_pci_quirk alc269_fixup_tbl[] = {
-@@ -7049,8 +7054,8 @@ static const struct snd_pci_quirk alc269
- SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
- SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
- SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
-- SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
-- SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
-+ SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK),
-+ SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK),
- SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
- SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
- SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+++ /dev/null
-From 8b33a134a9cc2a501f8fc731d91caef39237d495 Mon Sep 17 00:00:00 2001
-From: Jian-Hong Pan <jian-hong@endlessm.com>
-Date: Tue, 25 Feb 2020 15:29:21 +0800
-Subject: ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
-
-From: Jian-Hong Pan <jian-hong@endlessm.com>
-
-commit 8b33a134a9cc2a501f8fc731d91caef39237d495 upstream.
-
-A headset on the laptop like ASUS B9450FA does not work, until quirk
-ALC294_FIXUP_ASUS_HPE is applied.
-
-Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
-Signed-off-by: Kailang Yang <kailang@realtek.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20200225072920.109199-1-jian-hong@endlessm.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- sound/pci/hda/patch_realtek.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -5727,6 +5727,7 @@ enum {
- ALC294_FIXUP_SPK2_TO_DAC1,
- ALC294_FIXUP_ASUS_DUAL_SPK,
- ALC285_FIXUP_THINKPAD_HEADSET_JACK,
-+ ALC294_FIXUP_ASUS_HPE,
- };
-
- static const struct hda_fixup alc269_fixups[] = {
-@@ -6820,6 +6821,17 @@ static const struct hda_fixup alc269_fix
- .chained = true,
- .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1
- },
-+ [ALC294_FIXUP_ASUS_HPE] = {
-+ .type = HDA_FIXUP_VERBS,
-+ .v.verbs = (const struct hda_verb[]) {
-+ /* Set EAPD high */
-+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x0f },
-+ { 0x20, AC_VERB_SET_PROC_COEF, 0x7774 },
-+ { }
-+ },
-+ .chained = true,
-+ .chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC
-+ },
- };
-
- static const struct snd_pci_quirk alc269_fixup_tbl[] = {
-@@ -6985,6 +6997,7 @@ static const struct snd_pci_quirk alc269
- SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
- SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK),
- SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC),
-+ SND_PCI_QUIRK(0x1043, 0x19ce, "ASUS B9450FA", ALC294_FIXUP_ASUS_HPE),
- SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
- SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC),
- SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC),
--- /dev/null
+From 7cdf6a0aae1cccf5167f3f04ecddcf648b78e289 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 19 Feb 2020 10:25:45 -0500
+Subject: dm cache: fix a crash due to incorrect work item cancelling
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 7cdf6a0aae1cccf5167f3f04ecddcf648b78e289 upstream.
+
+The crash can be reproduced by running the lvm2 testsuite test
+lvconvert-thin-external-cache.sh for several minutes, e.g.:
+ while :; do make check T=shell/lvconvert-thin-external-cache.sh; done
+
+The crash happens in this call chain:
+do_waker -> policy_tick -> smq_tick -> end_hotspot_period -> clear_bitset
+-> memset -> __memset -- which accesses an invalid pointer in the vmalloc
+area.
+
+The work entry on the workqueue is executed even after the bitmap was
+freed. The problem is that cancel_delayed_work doesn't wait for the
+running work item to finish, so the work item can continue running and
+re-submitting itself even after cache_postsuspend. In order to make sure
+that the work item won't be running, we must use cancel_delayed_work_sync.
+
+Also, change flush_workqueue to drain_workqueue, so that if some work item
+submits itself or another work item, we are properly waiting for both of
+them.
+
+Fixes: c6b4fcbad044 ("dm: add cache target")
+Cc: stable@vger.kernel.org # v3.9
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-cache-target.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -2859,8 +2859,8 @@ static void cache_postsuspend(struct dm_
+ prevent_background_work(cache);
+ BUG_ON(atomic_read(&cache->nr_io_migrations));
+
+- cancel_delayed_work(&cache->waker);
+- flush_workqueue(cache->wq);
++ cancel_delayed_work_sync(&cache->waker);
++ drain_workqueue(cache->wq);
+ WARN_ON(cache->tracker.in_flight);
+
+ /*
--- /dev/null
+From adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 24 Feb 2020 10:20:28 +0100
+Subject: dm: report suspended device during destroy
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 upstream.
+
+The function dm_suspended returns true if the target is suspended.
+However, when the target is being suspended during unload, it returns
+false.
+
+An example where this is a problem: the test "!dm_suspended(wc->ti)" in
+writecache_writeback is not sufficient, because dm_suspended returns
+zero while writecache_suspend is in progress. As is, without an
+enhanced dm_suspended, simply switching from flush_workqueue to
+drain_workqueue still emits warnings:
+workqueue writecache-writeback: drain_workqueue() isn't complete after 10 tries
+workqueue writecache-writeback: drain_workqueue() isn't complete after 100 tries
+workqueue writecache-writeback: drain_workqueue() isn't complete after 200 tries
+workqueue writecache-writeback: drain_workqueue() isn't complete after 300 tries
+workqueue writecache-writeback: drain_workqueue() isn't complete after 400 tries
+
+writecache_suspend calls flush_workqueue(wc->writeback_wq) - this function
+flushes the current work. However, the workqueue may re-queue itself and
+flush_workqueue doesn't wait for re-queued works to finish. Because of
+this - the function writecache_writeback continues execution after the
+device was suspended and then concurrently with writecache_dtr, causing
+a crash in writecache_writeback.
+
+We must use drain_workqueue - that waits until the work and all re-queued
+works finish.
+
+As a prereq for switching to drain_workqueue, this commit fixes
+dm_suspended to return true after the presuspend hook and before the
+postsuspend hook - just like during a normal suspend. It allows
+simplifying the dm-integrity and dm-writecache targets so that they
+don't have to maintain suspended flags on their own.
+
+With this change use of drain_workqueue() can be used effectively. This
+change was tested with the lvm2 testsuite and cryptsetup testsuite and
+the are no regressions.
+
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # 4.18+
+Reported-by: Corey Marthaler <cmarthal@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-integrity.c | 12 +++++-------
+ drivers/md/dm-writecache.c | 2 +-
+ drivers/md/dm.c | 1 +
+ 3 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -186,12 +186,13 @@ struct dm_integrity_c {
+ __u8 sectors_per_block;
+
+ unsigned char mode;
+- int suspending;
+
+ int failed;
+
+ struct crypto_shash *internal_hash;
+
++ struct dm_target *ti;
++
+ /* these variables are locked with endio_wait.lock */
+ struct rb_root in_progress;
+ struct list_head wait_list;
+@@ -2080,7 +2081,7 @@ static void integrity_writer(struct work
+ unsigned prev_free_sectors;
+
+ /* the following test is not needed, but it tests the replay code */
+- if (READ_ONCE(ic->suspending) && !ic->meta_dev)
++ if (unlikely(dm_suspended(ic->ti)) && !ic->meta_dev)
+ return;
+
+ spin_lock_irq(&ic->endio_wait.lock);
+@@ -2139,7 +2140,7 @@ static void integrity_recalc(struct work
+
+ next_chunk:
+
+- if (unlikely(READ_ONCE(ic->suspending)))
++ if (unlikely(dm_suspended(ic->ti)))
+ goto unlock_ret;
+
+ range.logical_sector = le64_to_cpu(ic->sb->recalc_sector);
+@@ -2411,8 +2412,6 @@ static void dm_integrity_postsuspend(str
+
+ del_timer_sync(&ic->autocommit_timer);
+
+- WRITE_ONCE(ic->suspending, 1);
+-
+ if (ic->recalc_wq)
+ drain_workqueue(ic->recalc_wq);
+
+@@ -2426,8 +2425,6 @@ static void dm_integrity_postsuspend(str
+ dm_integrity_flush_buffers(ic);
+ }
+
+- WRITE_ONCE(ic->suspending, 0);
+-
+ BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress));
+
+ ic->journal_uptodate = true;
+@@ -3116,6 +3113,7 @@ static int dm_integrity_ctr(struct dm_ta
+ }
+ ti->private = ic;
+ ti->per_io_data_size = sizeof(struct dm_integrity_io);
++ ic->ti = ti;
+
+ ic->in_progress = RB_ROOT;
+ INIT_LIST_HEAD(&ic->wait_list);
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -844,7 +844,7 @@ static void writecache_suspend(struct dm
+ }
+ wc_unlock(wc);
+
+- flush_workqueue(wc->writeback_wq);
++ drain_workqueue(wc->writeback_wq);
+
+ wc_lock(wc);
+ if (flush_on_suspend)
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2353,6 +2353,7 @@ static void __dm_destroy(struct mapped_d
+ map = dm_get_live_table(md, &srcu_idx);
+ if (!dm_suspended_md(md)) {
+ dm_table_presuspend_targets(map);
++ set_bit(DMF_SUSPENDED, &md->flags);
+ dm_table_postsuspend_targets(map);
+ }
+ /* dm_put_live_table must be before msleep, otherwise deadlock is possible */
--- /dev/null
+From 41c526c5af46d4c4dab7f72c99000b7fac0b9702 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 24 Feb 2020 10:20:30 +0100
+Subject: dm writecache: verify watermark during resume
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 41c526c5af46d4c4dab7f72c99000b7fac0b9702 upstream.
+
+Verify the watermark upon resume - so that if the target is reloaded
+with lower watermark, it will start the cleanup process immediately.
+
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # 4.18+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-writecache.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -631,6 +631,12 @@ static void writecache_add_to_freelist(s
+ wc->freelist_size++;
+ }
+
++static inline void writecache_verify_watermark(struct dm_writecache *wc)
++{
++ if (unlikely(wc->freelist_size + wc->writeback_size <= wc->freelist_high_watermark))
++ queue_work(wc->writeback_wq, &wc->writeback_work);
++}
++
+ static struct wc_entry *writecache_pop_from_freelist(struct dm_writecache *wc)
+ {
+ struct wc_entry *e;
+@@ -652,8 +658,8 @@ static struct wc_entry *writecache_pop_f
+ list_del(&e->lru);
+ }
+ wc->freelist_size--;
+- if (unlikely(wc->freelist_size + wc->writeback_size <= wc->freelist_high_watermark))
+- queue_work(wc->writeback_wq, &wc->writeback_work);
++
++ writecache_verify_watermark(wc);
+
+ return e;
+ }
+@@ -967,6 +973,8 @@ erase_this:
+ writecache_commit_flushed(wc, false);
+ }
+
++ writecache_verify_watermark(wc);
++
+ wc_unlock(wc);
+ }
+
+++ /dev/null
-From 25962e1a7f1d522f1b57ead2f266fab570042a70 Mon Sep 17 00:00:00 2001
-From: Frieder Schrempf <frieder.schrempf@kontron.de>
-Date: Tue, 25 Feb 2020 08:23:20 +0000
-Subject: dmaengine: imx-sdma: Fix the event id check to include RX event for UART6
-
-From: Frieder Schrempf <frieder.schrempf@kontron.de>
-
-commit 25962e1a7f1d522f1b57ead2f266fab570042a70 upstream.
-
-On i.MX6UL/ULL and i.MX6SX the DMA event id for the RX channel of
-UART6 is '0'. To fix the broken DMA support for UART6, we change
-the check for event_id0 to include '0' as a valid id.
-
-Fixes: 1ec1e82f2510 ("dmaengine: Add Freescale i.MX SDMA support")
-Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
-Reviewed-by: Fabio Estevam <festevam@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20200225082139.7646-1-frieder.schrempf@kontron.de
-Signed-off-by: Vinod Koul <vkoul@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
-index 332ca5034504..4d4477df4ede 100644
---- a/drivers/dma/imx-sdma.c
-+++ b/drivers/dma/imx-sdma.c
-@@ -1331,7 +1331,7 @@ static void sdma_free_chan_resources(struct dma_chan *chan)
-
- sdma_channel_synchronize(chan);
-
-- if (sdmac->event_id0)
-+ if (sdmac->event_id0 >= 0)
- sdma_event_disable(sdmac, sdmac->event_id0);
- if (sdmac->event_id1)
- sdma_event_disable(sdmac, sdmac->event_id1);
-@@ -1632,7 +1632,7 @@ static int sdma_config(struct dma_chan *chan,
- memcpy(&sdmac->slave_config, dmaengine_cfg, sizeof(*dmaengine_cfg));
-
- /* Set ENBLn earlier to make sure dma request triggered after that */
-- if (sdmac->event_id0) {
-+ if (sdmac->event_id0 >= 0) {
- if (sdmac->event_id0 >= sdmac->sdma->drvdata->num_events)
- return -EINVAL;
- sdma_event_enable(sdmac, sdmac->event_id0);
--- /dev/null
+From 94788af4ed039476ff3527b0e6a12c1dc42cb022 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sun, 9 Feb 2020 19:33:38 +0300
+Subject: dmaengine: tegra-apb: Fix use-after-free
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 94788af4ed039476ff3527b0e6a12c1dc42cb022 upstream.
+
+I was doing some experiments with I2C and noticed that Tegra APB DMA
+driver crashes sometime after I2C DMA transfer termination. The crash
+happens because tegra_dma_terminate_all() bails out immediately if pending
+list is empty, and thus, it doesn't release the half-completed descriptors
+which are getting re-used before ISR tasklet kicks-in.
+
+ tegra-i2c 7000c400.i2c: DMA transfer timeout
+ elants_i2c 0-0010: elants_i2c_irq: failed to read data: -110
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 142 at lib/list_debug.c:45 __list_del_entry_valid+0x45/0xac
+ list_del corruption, ddbaac44->next is LIST_POISON1 (00000100)
+ Modules linked in:
+ CPU: 0 PID: 142 Comm: kworker/0:2 Not tainted 5.5.0-rc2-next-20191220-00175-gc3605715758d-dirty #538
+ Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
+ Workqueue: events_freezable_power_ thermal_zone_device_check
+ [<c010e5c5>] (unwind_backtrace) from [<c010a1c5>] (show_stack+0x11/0x14)
+ [<c010a1c5>] (show_stack) from [<c0973925>] (dump_stack+0x85/0x94)
+ [<c0973925>] (dump_stack) from [<c011f529>] (__warn+0xc1/0xc4)
+ [<c011f529>] (__warn) from [<c011f7e9>] (warn_slowpath_fmt+0x61/0x78)
+ [<c011f7e9>] (warn_slowpath_fmt) from [<c042497d>] (__list_del_entry_valid+0x45/0xac)
+ [<c042497d>] (__list_del_entry_valid) from [<c047a87f>] (tegra_dma_tasklet+0x5b/0x154)
+ [<c047a87f>] (tegra_dma_tasklet) from [<c0124799>] (tasklet_action_common.constprop.0+0x41/0x7c)
+ [<c0124799>] (tasklet_action_common.constprop.0) from [<c01022ab>] (__do_softirq+0xd3/0x2a8)
+ [<c01022ab>] (__do_softirq) from [<c0124683>] (irq_exit+0x7b/0x98)
+ [<c0124683>] (irq_exit) from [<c0168c19>] (__handle_domain_irq+0x45/0x80)
+ [<c0168c19>] (__handle_domain_irq) from [<c043e429>] (gic_handle_irq+0x45/0x7c)
+ [<c043e429>] (gic_handle_irq) from [<c0101aa5>] (__irq_svc+0x65/0x94)
+ Exception stack(0xde2ebb90 to 0xde2ebbd8)
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200209163356.6439-2-digetx@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/tegra20-apb-dma.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/dma/tegra20-apb-dma.c
++++ b/drivers/dma/tegra20-apb-dma.c
+@@ -756,10 +756,6 @@ static int tegra_dma_terminate_all(struc
+ bool was_busy;
+
+ spin_lock_irqsave(&tdc->lock, flags);
+- if (list_empty(&tdc->pending_sg_req)) {
+- spin_unlock_irqrestore(&tdc->lock, flags);
+- return 0;
+- }
+
+ if (!tdc->busy)
+ goto skip_dma_stop;
--- /dev/null
+From c33ee1301c393a241d6424e36eff1071811b1064 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sun, 9 Feb 2020 19:33:39 +0300
+Subject: dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit c33ee1301c393a241d6424e36eff1071811b1064 upstream.
+
+The interrupt handler puts a half-completed DMA descriptor on a free list
+and then schedules tasklet to process bottom half of the descriptor that
+executes client's callback, this creates possibility to pick up the busy
+descriptor from the free list. Thus, let's disallow descriptor's re-use
+until it is fully processed.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200209163356.6439-3-digetx@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/tegra20-apb-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/tegra20-apb-dma.c
++++ b/drivers/dma/tegra20-apb-dma.c
+@@ -288,7 +288,7 @@ static struct tegra_dma_desc *tegra_dma_
+
+ /* Do not allocate if desc are waiting for ack */
+ list_for_each_entry(dma_desc, &tdc->free_dma_desc, node) {
+- if (async_tx_test_ack(&dma_desc->txd)) {
++ if (async_tx_test_ack(&dma_desc->txd) && !dma_desc->cb_count) {
+ list_del(&dma_desc->node);
+ spin_unlock_irqrestore(&tdc->lock, flags);
+ dma_desc->txd.flags = 0;
x86-xen-distribute-switch-variables-for-initializati.patch
net-thunderx-workaround-bgx-tx-underflow-issue.patch
alsa-hda-realtek-add-headset-mic-supported.patch
-alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch
alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-master.patch
-alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch
cifs-don-t-leak-eagain-for-stat-during-reconnect.patch
usb-storage-add-quirk-for-samsung-fit-flash.patch
usb-quirks-add-no_lpm-quirk-for-logitech-screen-share.patch
vt-selection-push-sel_lock-up.patch
media-v4l2-mem2mem.c-fix-broken-links.patch
x86-pkeys-manually-set-x86_feature_ospke-to-preserve-existing-changes.patch
-dmaengine-imx-sdma-fix-the-event-id-check-to-include-rx-event-for-uart6.patch
+dmaengine-tegra-apb-fix-use-after-free.patch
+dmaengine-tegra-apb-prevent-race-conditions-of-tasklet-vs-free-list.patch
+dm-cache-fix-a-crash-due-to-incorrect-work-item-cancelling.patch
+dm-report-suspended-device-during-destroy.patch
+dm-writecache-verify-watermark-during-resume.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
