Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/clk-qcom-clk-rpmh-wait-for-completion-when-enabling-.patch b/queue-5.4/clk-qcom-clk-rpmh-wait-for-completion-when-enabling-.patch
new file mode 100644 (file)
index 0000000..1bbf3b7
--- /dev/null
+++ b/queue-5.4/clk-qcom-clk-rpmh-wait-for-completion-when-enabling-.patch
@@ -0,0 +1,85 @@
+From f9ada3d52874637f7f7c38507b7bfb7a2c6b6ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2020 18:12:32 -0800
+Subject: clk: qcom: clk-rpmh: Wait for completion when enabling clocks
+
+From: Mike Tipton <mdtipton@codeaurora.org>
+
+[ Upstream commit dad4e7fda4bdc1a6357db500a7bab8843c08e521 ]
+
+The current implementation always uses rpmh_write_async, which doesn't
+wait for completion. That's fine for disable requests since there's no
+immediate need for the clocks and they can be disabled in the
+background. However, for enable requests we need to ensure the clocks
+are actually enabled before returning to the client. Otherwise, clients
+can end up accessing their HW before the necessary clocks are enabled,
+which can lead to bus errors.
+
+Use the synchronous version of this API (rpmh_write) for enable requests
+in the active set to ensure completion.
+
+Completion isn't required for sleep/wake sets, since they don't take
+effect until after we enter sleep. All rpmh requests are automatically
+flushed prior to entering sleep.
+
+Fixes: 9c7e47025a6b ("clk: qcom: clk-rpmh: Add QCOM RPMh clock driver")
+Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
+Link: https://lkml.kernel.org/r/20200215021232.1149-1-mdtipton@codeaurora.org
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+[sboyd@kernel.org: Reorg code a bit for readability, rename to 'wait' to
+make local variable not conflict with completion.h mechanism]
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/clk-rpmh.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/clk-rpmh.c b/drivers/clk/qcom/clk-rpmh.c
+index 96a36f6ff667d..d7586e26acd8d 100644
+--- a/drivers/clk/qcom/clk-rpmh.c
++++ b/drivers/clk/qcom/clk-rpmh.c
+@@ -143,12 +143,22 @@ static inline bool has_state_changed(struct clk_rpmh *c, u32 state)
+               != (c->aggr_state & BIT(state));
+ }
+ 
++static int clk_rpmh_send(struct clk_rpmh *c, enum rpmh_state state,
++                       struct tcs_cmd *cmd, bool wait)
++{
++      if (wait)
++              return rpmh_write(c->dev, state, cmd, 1);
++
++      return rpmh_write_async(c->dev, state, cmd, 1);
++}
++
+ static int clk_rpmh_send_aggregate_command(struct clk_rpmh *c)
+ {
+       struct tcs_cmd cmd = { 0 };
+       u32 cmd_state, on_val;
+       enum rpmh_state state = RPMH_SLEEP_STATE;
+       int ret;
++      bool wait;
+ 
+       cmd.addr = c->res_addr;
+       cmd_state = c->aggr_state;
+@@ -159,7 +169,8 @@ static int clk_rpmh_send_aggregate_command(struct clk_rpmh *c)
+                       if (cmd_state & BIT(state))
+                               cmd.data = on_val;
+ 
+-                      ret = rpmh_write_async(c->dev, state, &cmd, 1);
++                      wait = cmd_state && state == RPMH_ACTIVE_ONLY_STATE;
++                      ret = clk_rpmh_send(c, state, &cmd, wait);
+                       if (ret) {
+                               dev_err(c->dev, "set %s state of %s failed: (%d)\n",
+                                       !state ? "sleep" :
+@@ -267,7 +278,7 @@ static int clk_rpmh_bcm_send_cmd(struct clk_rpmh *c, bool enable)
+       cmd.addr = c->res_addr;
+       cmd.data = BCM_TCS_CMD(1, enable, 0, cmd_state);
+ 
+-      ret = rpmh_write_async(c->dev, RPMH_ACTIVE_ONLY_STATE, &cmd, 1);
++      ret = clk_rpmh_send(c, RPMH_ACTIVE_ONLY_STATE, &cmd, enable);
+       if (ret) {
+               dev_err(c->dev, "set active state of %s failed: (%d)\n",
+                       c->res_name, ret);
+-- 
+2.25.1
+

diff --git a/queue-5.4/fs-io_uring.c-fix-uninitialized-variable-is-referenc.patch b/queue-5.4/fs-io_uring.c-fix-uninitialized-variable-is-referenc.patch
new file mode 100644 (file)
index 0000000..d5cb122
--- /dev/null
+++ b/queue-5.4/fs-io_uring.c-fix-uninitialized-variable-is-referenc.patch
@@ -0,0 +1,34 @@
+From 6b79fb4b5ca11641ee54174d8ff9a81a39902eac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Aug 2020 23:56:44 -0700
+Subject: fs/io_uring.c: Fix uninitialized variable is referenced in
+ io_submit_sqe
+
+From: Liu Yong <pkfxxxing@gmail.com>
+
+the commit <a4d61e66ee4a> ("<io_uring: prevent re-read of sqe->opcode>")
+caused another vulnerability. After io_get_req(), the sqe_submit struct
+in req is not initialized, but the following code defaults that
+req->submit.opcode is available.
+
+Signed-off-by: Liu Yong <pkfxxxing@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index be3d595a607f4..c1aaee061dae5 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2559,6 +2559,7 @@ static void io_submit_sqe(struct io_ring_ctx *ctx, struct sqe_submit *s,
+               goto err;
+       }
+ 
++      memcpy(&req->submit, s, sizeof(*s));
+       ret = io_req_set_file(ctx, s, state, req);
+       if (unlikely(ret)) {
+ err_req:
+-- 
+2.25.1
+

diff --git a/queue-5.4/series b/queue-5.4/series
index 14c674accf0b7669aa88320a9d513cb25107307e..3d1e811d7cc8aa5a3d73702b169963c226dda635 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -1,3 +1,5 @@
 tracepoint-mark-__tracepoint_string-s-__used.patch
 hid-input-fix-devices-that-return-multiple-bytes-in-battery-report.patch
 nvme-add-a-identify-namespace-identification-descriptor-list-quirk.patch
+fs-io_uring.c-fix-uninitialized-variable-is-referenc.patch
+clk-qcom-clk-rpmh-wait-for-completion-when-enabling-.patch