From: Greg Kroah-Hartman Date: Wed, 15 Jan 2020 21:02:37 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.14.166~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=007381a541cf808305e720a4dfe744fc219bafa5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: asoc-soc-core-set-dpcm_playback-dpcm_capture.patch asoc-sof-imx8-fix-dsp_box-offset.patch asoc-sof-imx8-fix-memory-allocation-failure-check-on-priv-pd_dev.patch asoc-stm32-spdifrx-fix-inconsistent-lock-state.patch asoc-stm32-spdifrx-fix-input-pin-state-management.patch asoc-stm32-spdifrx-fix-race-condition-in-irq-handler.patch bpf-cgroup-prevent-out-of-order-release-of-cgroup-bpf.patch fs-move-guard_bio_eod-after-bio_set_op_attrs.patch gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch gpio-zynq-fix-for-bug-in-zynq_gpio_restore_context-api.patch i2c-bcm2835-store-pointer-to-bus-clock.patch ib-hfi1-don-t-cancel-unused-work-item.patch iommu-remove-device-link-to-group-on-failure.patch iommu-vt-d-unlink-device-if-failed-to-add-to-group.patch mtd-onenand-omap2-pass-correct-flags-for-prep_dma_memcpy.patch mtd-rawnand-stm32_fmc2-avoid-to-lock-the-cpu-bus.patch netfilter-nft_flow_offload-fix-underflow-in-flowtable-reference-counter.patch phy-mapphone-mdm6600-fix-uninitialized-status-value-regression.patch pinctrl-lochnagar-select-gpiolib.patch pinctrl-meson-fix-wrong-shift-value-when-get-drive-strength.patch pm-devfreq-tegra-add-common_clk-dependency.patch rdma-bnxt_re-avoid-freeing-mr-resources-if-dereg-fails.patch rdma-bnxt_re-fix-send-work-entry-state-check-while-polling-completions.patch rtc-mt6397-fix-alarm-register-overwrite.patch scsi-mpt3sas-fix-double-free-in-attach-error-handling.patch selftests-loopback.sh-skip-this-test-if-the-driver-does-not-support.patch --- diff --git a/queue-5.4/asoc-soc-core-set-dpcm_playback-dpcm_capture.patch b/queue-5.4/asoc-soc-core-set-dpcm_playback-dpcm_capture.patch new file mode 100644 index 00000000000..060d5b85279 --- /dev/null +++ b/queue-5.4/asoc-soc-core-set-dpcm_playback-dpcm_capture.patch @@ -0,0 +1,36 @@ +From 218fe9b7ec7f32c10a07539365488d80af7b0084 Mon Sep 17 00:00:00 2001 +From: Daniel Baluta +Date: Wed, 4 Dec 2019 17:13:33 +0200 +Subject: ASoC: soc-core: Set dpcm_playback / dpcm_capture + +From: Daniel Baluta + +commit 218fe9b7ec7f32c10a07539365488d80af7b0084 upstream. + +When converting a normal link to a DPCM link we need +to set dpcm_playback / dpcm_capture otherwise playback/capture +streams will not be created resulting in errors like this: + +[ 36.039111] sai1-wm8960-hifi: ASoC: no backend playback stream + +Fixes: a655de808cbde ("ASoC: core: Allow topology to override machine driver FE DAI link config") +Signed-off-by: Daniel Baluta +Link: https://lore.kernel.org/r/20191204151333.26625-1-daniel.baluta@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1886,6 +1886,8 @@ match: + + /* convert non BE into BE */ + dai_link->no_pcm = 1; ++ dai_link->dpcm_playback = 1; ++ dai_link->dpcm_capture = 1; + + /* override any BE fixups */ + dai_link->be_hw_params_fixup = diff --git a/queue-5.4/asoc-sof-imx8-fix-dsp_box-offset.patch b/queue-5.4/asoc-sof-imx8-fix-dsp_box-offset.patch new file mode 100644 index 00000000000..2132cc93e82 --- /dev/null +++ b/queue-5.4/asoc-sof-imx8-fix-dsp_box-offset.patch @@ -0,0 +1,60 @@ +From dcf08d0f8f09081b16f69071dd55d51d5e964e84 Mon Sep 17 00:00:00 2001 +From: Daniel Baluta +Date: Fri, 20 Dec 2019 11:05:31 -0600 +Subject: ASoC: SOF: imx8: Fix dsp_box offset + +From: Daniel Baluta + +commit dcf08d0f8f09081b16f69071dd55d51d5e964e84 upstream. + +dsp_box is used to keep DSP initiated messages. The value of dsp_offset +is set by the DSP with the first message, so we need a way to bootstrap +it in order to get the first message. + +We do this by setting the correct default dsp_box offset which on i.MX8 +is not zero. + +Very interesting is why it has worked until now. + +On i.MX8, DSP communicates with ARM core using a shared SDRAM memory +area. Actually, there are two shared areas: + * SDRAM0 - starting at 0x92400000, size 0x800000 + * SDRAM1 - starting at 0x92C00000, size 0x800000 + +SDRAM0 keeps the data sections, starting with .rodata. By chance +fw_ready structure was placed at the beginning of .rodata. + +dsp_box_base is defined as SDRAM0 + dsp_box_offset and it is placed +at the beginning of SDRAM1 (dsp_box_offset should be 0x800000). But +because it is zero initialized by default it points to SDRAM0 where +by chance the fw_ready was placed in the SOF firmware. + +Anyhow, SOF commit 7466bee378dd811b ("clk: make freq arrays constant") +fw_ready is no longer at the beginning of SDRAM0 and everything shows +how lucky we were until now. + +Fix this by properly setting the default dsp_box offset. + +Fixes: 202acc565a1f050 ("ASoC: SOF: imx: Add i.MX8 HW support") +Signed-off-by: Daniel Baluta +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20191220170531.10423-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sof/imx/imx8.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/soc/sof/imx/imx8.c ++++ b/sound/soc/sof/imx/imx8.c +@@ -304,6 +304,9 @@ static int imx8_probe(struct snd_sof_dev + } + sdev->mailbox_bar = SOF_FW_BLK_TYPE_SRAM; + ++ /* set default mailbox offset for FW ready message */ ++ sdev->dsp_box.offset = MBOX_OFFSET; ++ + return 0; + + exit_pdev_unregister: diff --git a/queue-5.4/asoc-sof-imx8-fix-memory-allocation-failure-check-on-priv-pd_dev.patch b/queue-5.4/asoc-sof-imx8-fix-memory-allocation-failure-check-on-priv-pd_dev.patch new file mode 100644 index 00000000000..cbaa826572a --- /dev/null +++ b/queue-5.4/asoc-sof-imx8-fix-memory-allocation-failure-check-on-priv-pd_dev.patch @@ -0,0 +1,36 @@ +From 98910e1d61384430a080b4bcf986c3b0cf3fdf46 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Wed, 4 Dec 2019 12:48:16 +0000 +Subject: ASoC: SOF: imx8: fix memory allocation failure check on priv->pd_dev + +From: Colin Ian King + +commit 98910e1d61384430a080b4bcf986c3b0cf3fdf46 upstream. + +The memory allocation failure check for priv->pd_dev is incorrectly +pointer checking priv instead of priv->pd_dev. Fix this. + +Addresses-Coverity: ("Logically dead code") +Fixes: 202acc565a1f ("ASoC: SOF: imx: Add i.MX8 HW support") +Signed-off-by: Colin Ian King +Reviewed-by: Daniel Baluta +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20191204124816.1415359-1-colin.king@canonical.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sof/imx/imx8.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/sof/imx/imx8.c ++++ b/sound/soc/sof/imx/imx8.c +@@ -209,7 +209,7 @@ static int imx8_probe(struct snd_sof_dev + + priv->pd_dev = devm_kmalloc_array(&pdev->dev, priv->num_domains, + sizeof(*priv->pd_dev), GFP_KERNEL); +- if (!priv) ++ if (!priv->pd_dev) + return -ENOMEM; + + priv->link = devm_kmalloc_array(&pdev->dev, priv->num_domains, diff --git a/queue-5.4/asoc-stm32-spdifrx-fix-inconsistent-lock-state.patch b/queue-5.4/asoc-stm32-spdifrx-fix-inconsistent-lock-state.patch new file mode 100644 index 00000000000..c431efd8a2b --- /dev/null +++ b/queue-5.4/asoc-stm32-spdifrx-fix-inconsistent-lock-state.patch @@ -0,0 +1,90 @@ +From 2859b1784031b5709446af8f6039c467f136e67d Mon Sep 17 00:00:00 2001 +From: Olivier Moysan +Date: Wed, 4 Dec 2019 16:43:31 +0100 +Subject: ASoC: stm32: spdifrx: fix inconsistent lock state + +From: Olivier Moysan + +commit 2859b1784031b5709446af8f6039c467f136e67d upstream. + +In current spdifrx driver locks may be requested as follows: +- request lock on iec capture control, when starting synchronization. +- request lock in interrupt context, when spdifrx stop is called +from IRQ handler. + +Take lock with IRQs disabled, to avoid the possible deadlock. + +Lockdep report: +[ 74.278059] ================================ +[ 74.282306] WARNING: inconsistent lock state +[ 74.290120] -------------------------------- +... +[ 74.314373] CPU0 +[ 74.314377] ---- +[ 74.314381] lock(&(&spdifrx->lock)->rlock); +[ 74.314396] +[ 74.314400] lock(&(&spdifrx->lock)->rlock); + +Fixes: 03e4d5d56fa5 ("ASoC: stm32: Add SPDIFRX support") + +Signed-off-by: Olivier Moysan +Link: https://lore.kernel.org/r/20191204154333.7152-2-olivier.moysan@st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/stm/stm32_spdifrx.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/sound/soc/stm/stm32_spdifrx.c ++++ b/sound/soc/stm/stm32_spdifrx.c +@@ -320,6 +320,7 @@ static void stm32_spdifrx_dma_ctrl_stop( + static int stm32_spdifrx_start_sync(struct stm32_spdifrx_data *spdifrx) + { + int cr, cr_mask, imr, ret; ++ unsigned long flags; + + /* Enable IRQs */ + imr = SPDIFRX_IMR_IFEIE | SPDIFRX_IMR_SYNCDIE | SPDIFRX_IMR_PERRIE; +@@ -327,7 +328,7 @@ static int stm32_spdifrx_start_sync(stru + if (ret) + return ret; + +- spin_lock(&spdifrx->lock); ++ spin_lock_irqsave(&spdifrx->lock, flags); + + spdifrx->refcount++; + +@@ -360,7 +361,7 @@ static int stm32_spdifrx_start_sync(stru + "Failed to start synchronization\n"); + } + +- spin_unlock(&spdifrx->lock); ++ spin_unlock_irqrestore(&spdifrx->lock, flags); + + return ret; + } +@@ -368,11 +369,12 @@ static int stm32_spdifrx_start_sync(stru + static void stm32_spdifrx_stop(struct stm32_spdifrx_data *spdifrx) + { + int cr, cr_mask, reg; ++ unsigned long flags; + +- spin_lock(&spdifrx->lock); ++ spin_lock_irqsave(&spdifrx->lock, flags); + + if (--spdifrx->refcount) { +- spin_unlock(&spdifrx->lock); ++ spin_unlock_irqrestore(&spdifrx->lock, flags); + return; + } + +@@ -391,7 +393,7 @@ static void stm32_spdifrx_stop(struct st + regmap_read(spdifrx->regmap, STM32_SPDIFRX_DR, ®); + regmap_read(spdifrx->regmap, STM32_SPDIFRX_CSR, ®); + +- spin_unlock(&spdifrx->lock); ++ spin_unlock_irqrestore(&spdifrx->lock, flags); + } + + static int stm32_spdifrx_dma_ctrl_register(struct device *dev, diff --git a/queue-5.4/asoc-stm32-spdifrx-fix-input-pin-state-management.patch b/queue-5.4/asoc-stm32-spdifrx-fix-input-pin-state-management.patch new file mode 100644 index 00000000000..1a0b02f40ef --- /dev/null +++ b/queue-5.4/asoc-stm32-spdifrx-fix-input-pin-state-management.patch @@ -0,0 +1,57 @@ +From 3b7658679d88b5628939f9bdc8e613f79cd821f9 Mon Sep 17 00:00:00 2001 +From: Olivier Moysan +Date: Wed, 4 Dec 2019 16:43:33 +0100 +Subject: ASoC: stm32: spdifrx: fix input pin state management + +From: Olivier Moysan + +commit 3b7658679d88b5628939f9bdc8e613f79cd821f9 upstream. + +Changing input state in iec capture control is not safe, +as the pin state may be changed concurrently by ASoC +framework. +Remove pin state handling in iec capture control. + +Note: This introduces a restriction on capture control, +when pin sleep state is defined in device tree. In this case +channel status can be captured only when an audio stream +capture is active. + +Fixes: f68c2a682d44 ("ASoC: stm32: spdifrx: add power management") + +Signed-off-by: Olivier Moysan +Link: https://lore.kernel.org/r/20191204154333.7152-4-olivier.moysan@st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/stm/stm32_spdifrx.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/sound/soc/stm/stm32_spdifrx.c ++++ b/sound/soc/stm/stm32_spdifrx.c +@@ -12,7 +12,6 @@ + #include + #include + #include +-#include + #include + #include + +@@ -482,8 +481,6 @@ static int stm32_spdifrx_get_ctrl_data(s + memset(spdifrx->cs, 0, SPDIFRX_CS_BYTES_NB); + memset(spdifrx->ub, 0, SPDIFRX_UB_BYTES_NB); + +- pinctrl_pm_select_default_state(&spdifrx->pdev->dev); +- + ret = stm32_spdifrx_dma_ctrl_start(spdifrx); + if (ret < 0) + return ret; +@@ -515,7 +512,6 @@ static int stm32_spdifrx_get_ctrl_data(s + + end: + clk_disable_unprepare(spdifrx->kclk); +- pinctrl_pm_select_sleep_state(&spdifrx->pdev->dev); + + return ret; + } diff --git a/queue-5.4/asoc-stm32-spdifrx-fix-race-condition-in-irq-handler.patch b/queue-5.4/asoc-stm32-spdifrx-fix-race-condition-in-irq-handler.patch new file mode 100644 index 00000000000..753c18812bb --- /dev/null +++ b/queue-5.4/asoc-stm32-spdifrx-fix-race-condition-in-irq-handler.patch @@ -0,0 +1,108 @@ +From 86e1956af4c863d653136fd6e5694adf2054dbaa Mon Sep 17 00:00:00 2001 +From: Olivier Moysan +Date: Wed, 4 Dec 2019 16:43:32 +0100 +Subject: ASoC: stm32: spdifrx: fix race condition in irq handler + +From: Olivier Moysan + +commit 86e1956af4c863d653136fd6e5694adf2054dbaa upstream. + +When snd_pcm_stop() is called in interrupt routine, +substream context may have already been released. +Add protection on substream context. + +Fixes: 03e4d5d56fa5 ("ASoC: stm32: Add SPDIFRX support") + +Signed-off-by: Olivier Moysan +Link: https://lore.kernel.org/r/20191204154333.7152-3-olivier.moysan@st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/stm/stm32_spdifrx.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +--- a/sound/soc/stm/stm32_spdifrx.c ++++ b/sound/soc/stm/stm32_spdifrx.c +@@ -220,6 +220,7 @@ + * @slave_config: dma slave channel runtime config pointer + * @phys_addr: SPDIFRX registers physical base address + * @lock: synchronization enabling lock ++ * @irq_lock: prevent race condition with IRQ on stream state + * @cs: channel status buffer + * @ub: user data buffer + * @irq: SPDIFRX interrupt line +@@ -240,6 +241,7 @@ struct stm32_spdifrx_data { + struct dma_slave_config slave_config; + dma_addr_t phys_addr; + spinlock_t lock; /* Sync enabling lock */ ++ spinlock_t irq_lock; /* Prevent race condition on stream state */ + unsigned char cs[SPDIFRX_CS_BYTES_NB]; + unsigned char ub[SPDIFRX_UB_BYTES_NB]; + int irq; +@@ -665,7 +667,6 @@ static const struct regmap_config stm32_ + static irqreturn_t stm32_spdifrx_isr(int irq, void *devid) + { + struct stm32_spdifrx_data *spdifrx = (struct stm32_spdifrx_data *)devid; +- struct snd_pcm_substream *substream = spdifrx->substream; + struct platform_device *pdev = spdifrx->pdev; + unsigned int cr, mask, sr, imr; + unsigned int flags; +@@ -733,14 +734,19 @@ static irqreturn_t stm32_spdifrx_isr(int + regmap_update_bits(spdifrx->regmap, STM32_SPDIFRX_CR, + SPDIFRX_CR_SPDIFEN_MASK, cr); + +- if (substream) +- snd_pcm_stop(substream, SNDRV_PCM_STATE_DISCONNECTED); ++ spin_lock(&spdifrx->irq_lock); ++ if (spdifrx->substream) ++ snd_pcm_stop(spdifrx->substream, ++ SNDRV_PCM_STATE_DISCONNECTED); ++ spin_unlock(&spdifrx->irq_lock); + + return IRQ_HANDLED; + } + +- if (err_xrun && substream) +- snd_pcm_stop_xrun(substream); ++ spin_lock(&spdifrx->irq_lock); ++ if (err_xrun && spdifrx->substream) ++ snd_pcm_stop_xrun(spdifrx->substream); ++ spin_unlock(&spdifrx->irq_lock); + + return IRQ_HANDLED; + } +@@ -749,9 +755,12 @@ static int stm32_spdifrx_startup(struct + struct snd_soc_dai *cpu_dai) + { + struct stm32_spdifrx_data *spdifrx = snd_soc_dai_get_drvdata(cpu_dai); ++ unsigned long flags; + int ret; + ++ spin_lock_irqsave(&spdifrx->irq_lock, flags); + spdifrx->substream = substream; ++ spin_unlock_irqrestore(&spdifrx->irq_lock, flags); + + ret = clk_prepare_enable(spdifrx->kclk); + if (ret) +@@ -827,8 +836,12 @@ static void stm32_spdifrx_shutdown(struc + struct snd_soc_dai *cpu_dai) + { + struct stm32_spdifrx_data *spdifrx = snd_soc_dai_get_drvdata(cpu_dai); ++ unsigned long flags; + ++ spin_lock_irqsave(&spdifrx->irq_lock, flags); + spdifrx->substream = NULL; ++ spin_unlock_irqrestore(&spdifrx->irq_lock, flags); ++ + clk_disable_unprepare(spdifrx->kclk); + } + +@@ -932,6 +945,7 @@ static int stm32_spdifrx_probe(struct pl + spdifrx->pdev = pdev; + init_completion(&spdifrx->cs_completion); + spin_lock_init(&spdifrx->lock); ++ spin_lock_init(&spdifrx->irq_lock); + + platform_set_drvdata(pdev, spdifrx); + diff --git a/queue-5.4/bpf-cgroup-prevent-out-of-order-release-of-cgroup-bpf.patch b/queue-5.4/bpf-cgroup-prevent-out-of-order-release-of-cgroup-bpf.patch new file mode 100644 index 00000000000..5434eac9f6d --- /dev/null +++ b/queue-5.4/bpf-cgroup-prevent-out-of-order-release-of-cgroup-bpf.patch @@ -0,0 +1,148 @@ +From e10360f815ca6367357b2c2cfef17fc663e50f7b Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Fri, 27 Dec 2019 13:50:34 -0800 +Subject: bpf: cgroup: prevent out-of-order release of cgroup bpf + +From: Roman Gushchin + +commit e10360f815ca6367357b2c2cfef17fc663e50f7b upstream. + +Before commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself") +cgroup bpf structures were released with +corresponding cgroup structures. It guaranteed the hierarchical order +of destruction: children were always first. It preserved attached +programs from being released before their propagated copies. + +But with cgroup auto-detachment there are no such guarantees anymore: +cgroup bpf is released as soon as the cgroup is offline and there are +no live associated sockets. It means that an attached program can be +detached and released, while its propagated copy is still living +in the cgroup subtree. This will obviously lead to an use-after-free +bug. + +To reproduce the issue the following script can be used: + + #!/bin/bash + + CGROOT=/sys/fs/cgroup + + mkdir -p ${CGROOT}/A ${CGROOT}/B ${CGROOT}/A/C + sleep 1 + + ./test_cgrp2_attach ${CGROOT}/A egress & + A_PID=$! + ./test_cgrp2_attach ${CGROOT}/B egress & + B_PID=$! + + echo $$ > ${CGROOT}/A/C/cgroup.procs + iperf -s & + S_PID=$! + iperf -c localhost -t 100 & + C_PID=$! + + sleep 1 + + echo $$ > ${CGROOT}/B/cgroup.procs + echo ${S_PID} > ${CGROOT}/B/cgroup.procs + echo ${C_PID} > ${CGROOT}/B/cgroup.procs + + sleep 1 + + rmdir ${CGROOT}/A/C + rmdir ${CGROOT}/A + + sleep 1 + + kill -9 ${S_PID} ${C_PID} ${A_PID} ${B_PID} + +On the unpatched kernel the following stacktrace can be obtained: + +[ 33.619799] BUG: unable to handle page fault for address: ffffbdb4801ab002 +[ 33.620677] #PF: supervisor read access in kernel mode +[ 33.621293] #PF: error_code(0x0000) - not-present page +[ 33.622754] Oops: 0000 [#1] SMP NOPTI +[ 33.623202] CPU: 0 PID: 601 Comm: iperf Not tainted 5.5.0-rc2+ #23 +[ 33.625545] RIP: 0010:__cgroup_bpf_run_filter_skb+0x29f/0x3d0 +[ 33.635809] Call Trace: +[ 33.636118] ? __cgroup_bpf_run_filter_skb+0x2bf/0x3d0 +[ 33.636728] ? __switch_to_asm+0x40/0x70 +[ 33.637196] ip_finish_output+0x68/0xa0 +[ 33.637654] ip_output+0x76/0xf0 +[ 33.638046] ? __ip_finish_output+0x1c0/0x1c0 +[ 33.638576] __ip_queue_xmit+0x157/0x410 +[ 33.639049] __tcp_transmit_skb+0x535/0xaf0 +[ 33.639557] tcp_write_xmit+0x378/0x1190 +[ 33.640049] ? _copy_from_iter_full+0x8d/0x260 +[ 33.640592] tcp_sendmsg_locked+0x2a2/0xdc0 +[ 33.641098] ? sock_has_perm+0x10/0xa0 +[ 33.641574] tcp_sendmsg+0x28/0x40 +[ 33.641985] sock_sendmsg+0x57/0x60 +[ 33.642411] sock_write_iter+0x97/0x100 +[ 33.642876] new_sync_write+0x1b6/0x1d0 +[ 33.643339] vfs_write+0xb6/0x1a0 +[ 33.643752] ksys_write+0xa7/0xe0 +[ 33.644156] do_syscall_64+0x5b/0x1b0 +[ 33.644605] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fix this by grabbing a reference to the bpf structure of each ancestor +on the initialization of the cgroup bpf structure, and dropping the +reference at the end of releasing the cgroup bpf structure. + +This will restore the hierarchical order of cgroup bpf releasing, +without adding any operations on hot paths. + +Thanks to Josef Bacik for the debugging and the initial analysis of +the problem. + +Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself") +Reported-by: Josef Bacik +Signed-off-by: Roman Gushchin +Acked-by: Song Liu +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/cgroup.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -35,8 +35,8 @@ void cgroup_bpf_offline(struct cgroup *c + */ + static void cgroup_bpf_release(struct work_struct *work) + { +- struct cgroup *cgrp = container_of(work, struct cgroup, +- bpf.release_work); ++ struct cgroup *p, *cgrp = container_of(work, struct cgroup, ++ bpf.release_work); + enum bpf_cgroup_storage_type stype; + struct bpf_prog_array *old_array; + unsigned int type; +@@ -65,6 +65,9 @@ static void cgroup_bpf_release(struct wo + + mutex_unlock(&cgroup_mutex); + ++ for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p)) ++ cgroup_bpf_put(p); ++ + percpu_ref_exit(&cgrp->bpf.refcnt); + cgroup_put(cgrp); + } +@@ -199,6 +202,7 @@ int cgroup_bpf_inherit(struct cgroup *cg + */ + #define NR ARRAY_SIZE(cgrp->bpf.effective) + struct bpf_prog_array *arrays[NR] = {}; ++ struct cgroup *p; + int ret, i; + + ret = percpu_ref_init(&cgrp->bpf.refcnt, cgroup_bpf_release_fn, 0, +@@ -206,6 +210,9 @@ int cgroup_bpf_inherit(struct cgroup *cg + if (ret) + return ret; + ++ for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p)) ++ cgroup_bpf_get(p); ++ + for (i = 0; i < NR; i++) + INIT_LIST_HEAD(&cgrp->bpf.progs[i]); + diff --git a/queue-5.4/fs-move-guard_bio_eod-after-bio_set_op_attrs.patch b/queue-5.4/fs-move-guard_bio_eod-after-bio_set_op_attrs.patch new file mode 100644 index 00000000000..6d3cd77cf52 --- /dev/null +++ b/queue-5.4/fs-move-guard_bio_eod-after-bio_set_op_attrs.patch @@ -0,0 +1,120 @@ +From 83c9c547168e8b914ea6398430473a4de68c52cc Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Sun, 5 Jan 2020 09:41:14 +0800 +Subject: fs: move guard_bio_eod() after bio_set_op_attrs + +From: Ming Lei + +commit 83c9c547168e8b914ea6398430473a4de68c52cc upstream. + +Commit 85a8ce62c2ea ("block: add bio_truncate to fix guard_bio_eod") +adds bio_truncate() for handling bio EOD. However, bio_truncate() +doesn't use the passed 'op' parameter from guard_bio_eod's callers. + +So bio_trunacate() may retrieve wrong 'op', and zering pages may +not be done for READ bio. + +Fixes this issue by moving guard_bio_eod() after bio_set_op_attrs() +in submit_bh_wbc() so that bio_truncate() can always retrieve correct +op info. + +Meantime remove the 'op' parameter from guard_bio_eod() because it isn't +used any more. + +Cc: Carlos Maiolino +Cc: linux-fsdevel@vger.kernel.org +Fixes: 85a8ce62c2ea ("block: add bio_truncate to fix guard_bio_eod") +Signed-off-by: Ming Lei +Signed-off-by: Greg Kroah-Hartman + +Fold in kerneldoc and bio_op() change. + +Signed-off-by: Jens Axboe + +--- + block/bio.c | 12 +++++++++++- + fs/buffer.c | 8 ++++---- + fs/internal.h | 2 +- + fs/mpage.c | 2 +- + 4 files changed, 17 insertions(+), 7 deletions(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -535,6 +535,16 @@ void zero_fill_bio_iter(struct bio *bio, + } + EXPORT_SYMBOL(zero_fill_bio_iter); + ++/** ++ * bio_truncate - truncate the bio to small size of @new_size ++ * @bio: the bio to be truncated ++ * @new_size: new size for truncating the bio ++ * ++ * Description: ++ * Truncate the bio to new size of @new_size. If bio_op(bio) is ++ * REQ_OP_READ, zero the truncated part. This function should only ++ * be used for handling corner cases, such as bio eod. ++ */ + void bio_truncate(struct bio *bio, unsigned new_size) + { + struct bio_vec bv; +@@ -545,7 +555,7 @@ void bio_truncate(struct bio *bio, unsig + if (new_size >= bio->bi_iter.bi_size) + return; + +- if (bio_data_dir(bio) != READ) ++ if (bio_op(bio) != REQ_OP_READ) + goto exit; + + bio_for_each_segment(bv, bio, iter) { +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -2991,7 +2991,7 @@ static void end_bio_bh_io_sync(struct bi + * errors, this only handles the "we need to be able to + * do IO at the final sector" case. + */ +-void guard_bio_eod(int op, struct bio *bio) ++void guard_bio_eod(struct bio *bio) + { + sector_t maxsector; + struct hd_struct *part; +@@ -3055,15 +3055,15 @@ static int submit_bh_wbc(int op, int op_ + bio->bi_end_io = end_bio_bh_io_sync; + bio->bi_private = bh; + +- /* Take care of bh's that straddle the end of the device */ +- guard_bio_eod(op, bio); +- + if (buffer_meta(bh)) + op_flags |= REQ_META; + if (buffer_prio(bh)) + op_flags |= REQ_PRIO; + bio_set_op_attrs(bio, op, op_flags); + ++ /* Take care of bh's that straddle the end of the device */ ++ guard_bio_eod(bio); ++ + if (wbc) { + wbc_init_bio(wbc, bio); + wbc_account_cgroup_owner(wbc, bh->b_page, bh->b_size); +--- a/fs/internal.h ++++ b/fs/internal.h +@@ -38,7 +38,7 @@ static inline int __sync_blockdev(struct + /* + * buffer.c + */ +-extern void guard_bio_eod(int rw, struct bio *bio); ++extern void guard_bio_eod(struct bio *bio); + extern int __block_write_begin_int(struct page *page, loff_t pos, unsigned len, + get_block_t *get_block, struct iomap *iomap); + +--- a/fs/mpage.c ++++ b/fs/mpage.c +@@ -62,7 +62,7 @@ static struct bio *mpage_bio_submit(int + { + bio->bi_end_io = mpage_end_io; + bio_set_op_attrs(bio, op, op_flags); +- guard_bio_eod(op, bio); ++ guard_bio_eod(bio); + submit_bio(bio); + return NULL; + } diff --git a/queue-5.4/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch b/queue-5.4/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch new file mode 100644 index 00000000000..b7151049408 --- /dev/null +++ b/queue-5.4/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch @@ -0,0 +1,46 @@ +From d935bd50dd14a7714cbdba9a76435dbb56edb1ae Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 27 Nov 2019 10:59:19 +0100 +Subject: gpio: Fix error message on out-of-range GPIO in lookup table + +From: Geert Uytterhoeven + +commit d935bd50dd14a7714cbdba9a76435dbb56edb1ae upstream. + +When a GPIO offset in a lookup table is out-of-range, the printed error +message (1) does not include the actual out-of-range value, and (2) +contains an off-by-one error in the upper bound. + +Avoid user confusion by also printing the actual GPIO offset, and +correcting the upper bound of the range. +While at it, use "%u" for unsigned int. + +Sample impact: + + -requested GPIO 0 is out of range [0..32] for chip e6052000.gpio + +requested GPIO 0 (45) is out of range [0..31] for chip e6052000.gpio + +Fixes: 2a3cf6a3599e9015 ("gpiolib: return -ENOENT if no GPIO mapping exists") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191127095919.4214-1-geert+renesas@glider.be +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -4328,8 +4328,9 @@ static struct gpio_desc *gpiod_find(stru + + if (chip->ngpio <= p->chip_hwnum) { + dev_err(dev, +- "requested GPIO %d is out of range [0..%d] for chip %s\n", +- idx, chip->ngpio, chip->label); ++ "requested GPIO %u (%u) is out of range [0..%u] for chip %s\n", ++ idx, p->chip_hwnum, chip->ngpio - 1, ++ chip->label); + return ERR_PTR(-EINVAL); + } + diff --git a/queue-5.4/gpio-zynq-fix-for-bug-in-zynq_gpio_restore_context-api.patch b/queue-5.4/gpio-zynq-fix-for-bug-in-zynq_gpio_restore_context-api.patch new file mode 100644 index 00000000000..862e6f1cf59 --- /dev/null +++ b/queue-5.4/gpio-zynq-fix-for-bug-in-zynq_gpio_restore_context-api.patch @@ -0,0 +1,56 @@ +From 36f2e7207f21a83ca0054116191f119ac64583ab Mon Sep 17 00:00:00 2001 +From: Swapna Manupati +Date: Thu, 26 Dec 2019 17:42:11 +0530 +Subject: gpio: zynq: Fix for bug in zynq_gpio_restore_context API + +From: Swapna Manupati + +commit 36f2e7207f21a83ca0054116191f119ac64583ab upstream. + +This patch writes the inverse value of Interrupt Mask Status +register into the Interrupt Enable register in +zynq_gpio_restore_context API to fix the bug. + +Fixes: e11de4de28c0 ("gpio: zynq: Add support for suspend resume") +Signed-off-by: Swapna Manupati +Signed-off-by: Michal Simek +Signed-off-by: Srinivas Neeli +Link: https://lore.kernel.org/r/1577362338-28744-2-git-send-email-srinivas.neeli@xilinx.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-zynq.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/gpio/gpio-zynq.c ++++ b/drivers/gpio/gpio-zynq.c +@@ -681,6 +681,8 @@ static void zynq_gpio_restore_context(st + unsigned int bank_num; + + for (bank_num = 0; bank_num < gpio->p_data->max_bank; bank_num++) { ++ writel_relaxed(ZYNQ_GPIO_IXR_DISABLE_ALL, gpio->base_addr + ++ ZYNQ_GPIO_INTDIS_OFFSET(bank_num)); + writel_relaxed(gpio->context.datalsw[bank_num], + gpio->base_addr + + ZYNQ_GPIO_DATA_LSW_OFFSET(bank_num)); +@@ -690,9 +692,6 @@ static void zynq_gpio_restore_context(st + writel_relaxed(gpio->context.dirm[bank_num], + gpio->base_addr + + ZYNQ_GPIO_DIRM_OFFSET(bank_num)); +- writel_relaxed(gpio->context.int_en[bank_num], +- gpio->base_addr + +- ZYNQ_GPIO_INTEN_OFFSET(bank_num)); + writel_relaxed(gpio->context.int_type[bank_num], + gpio->base_addr + + ZYNQ_GPIO_INTTYPE_OFFSET(bank_num)); +@@ -702,6 +701,9 @@ static void zynq_gpio_restore_context(st + writel_relaxed(gpio->context.int_any[bank_num], + gpio->base_addr + + ZYNQ_GPIO_INTANY_OFFSET(bank_num)); ++ writel_relaxed(~(gpio->context.int_en[bank_num]), ++ gpio->base_addr + ++ ZYNQ_GPIO_INTEN_OFFSET(bank_num)); + } + } + diff --git a/queue-5.4/hid-hidraw-uhid-always-report-epollout.patch b/queue-5.4/hid-hidraw-uhid-always-report-epollout.patch index 3a699550d4d..6c19b8fb942 100644 --- a/queue-5.4/hid-hidraw-uhid-always-report-epollout.patch +++ b/queue-5.4/hid-hidraw-uhid-always-report-epollout.patch @@ -17,12 +17,10 @@ Fixes: 9f3b61dc1dd7b ("HID: hidraw: Fix returning EPOLLOUT from hidraw_poll") Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin --- - drivers/hid/hidraw.c | 7 ++++--- - drivers/hid/uhid.c | 5 +++-- + drivers/hid/hidraw.c | 7 ++++--- + drivers/hid/uhid.c | 5 +++-- 2 files changed, 7 insertions(+), 5 deletions(-) -diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c -index c25e95c19cad..b382c6bf2c5c 100644 --- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -249,13 +249,14 @@ out: @@ -43,8 +41,6 @@ index c25e95c19cad..b382c6bf2c5c 100644 } static int hidraw_open(struct inode *inode, struct file *file) -diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c -index 935c3d0a3b63..8fe3efcb8327 100644 --- a/drivers/hid/uhid.c +++ b/drivers/hid/uhid.c @@ -766,13 +766,14 @@ unlock: @@ -64,6 +60,3 @@ index 935c3d0a3b63..8fe3efcb8327 100644 } static const struct file_operations uhid_fops = { --- -2.20.1 - diff --git a/queue-5.4/i2c-bcm2835-store-pointer-to-bus-clock.patch b/queue-5.4/i2c-bcm2835-store-pointer-to-bus-clock.patch new file mode 100644 index 00000000000..acce7f78719 --- /dev/null +++ b/queue-5.4/i2c-bcm2835-store-pointer-to-bus-clock.patch @@ -0,0 +1,85 @@ +From 3b722da6672df8392f9c43d7c7e04bddd81d7e37 Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Sat, 4 Jan 2020 16:13:20 +0100 +Subject: i2c: bcm2835: Store pointer to bus clock + +From: Stefan Wahren + +commit 3b722da6672df8392f9c43d7c7e04bddd81d7e37 upstream. + +The commit bebff81fb8b9 ("i2c: bcm2835: Model Divider in CCF") introduced +a NULL pointer dereference on driver unload. It seems that we can't fetch +the bus clock via devm_clk_get in bcm2835_i2c_remove. As an alternative +approach store a pointer to the bus clock in the private driver structure. + +Fixes: bebff81fb8b9 ("i2c: bcm2835: Model Divider in CCF") +Signed-off-by: Stefan Wahren +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-bcm2835.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/i2c/busses/i2c-bcm2835.c ++++ b/drivers/i2c/busses/i2c-bcm2835.c +@@ -58,6 +58,7 @@ struct bcm2835_i2c_dev { + struct i2c_adapter adapter; + struct completion completion; + struct i2c_msg *curr_msg; ++ struct clk *bus_clk; + int num_msgs; + u32 msg_err; + u8 *msg_buf; +@@ -404,7 +405,6 @@ static int bcm2835_i2c_probe(struct plat + struct resource *mem, *irq; + int ret; + struct i2c_adapter *adap; +- struct clk *bus_clk; + struct clk *mclk; + u32 bus_clk_rate; + +@@ -427,11 +427,11 @@ static int bcm2835_i2c_probe(struct plat + return PTR_ERR(mclk); + } + +- bus_clk = bcm2835_i2c_register_div(&pdev->dev, mclk, i2c_dev); ++ i2c_dev->bus_clk = bcm2835_i2c_register_div(&pdev->dev, mclk, i2c_dev); + +- if (IS_ERR(bus_clk)) { ++ if (IS_ERR(i2c_dev->bus_clk)) { + dev_err(&pdev->dev, "Could not register clock\n"); +- return PTR_ERR(bus_clk); ++ return PTR_ERR(i2c_dev->bus_clk); + } + + ret = of_property_read_u32(pdev->dev.of_node, "clock-frequency", +@@ -442,13 +442,13 @@ static int bcm2835_i2c_probe(struct plat + bus_clk_rate = 100000; + } + +- ret = clk_set_rate_exclusive(bus_clk, bus_clk_rate); ++ ret = clk_set_rate_exclusive(i2c_dev->bus_clk, bus_clk_rate); + if (ret < 0) { + dev_err(&pdev->dev, "Could not set clock frequency\n"); + return ret; + } + +- ret = clk_prepare_enable(bus_clk); ++ ret = clk_prepare_enable(i2c_dev->bus_clk); + if (ret) { + dev_err(&pdev->dev, "Couldn't prepare clock"); + return ret; +@@ -491,10 +491,9 @@ static int bcm2835_i2c_probe(struct plat + static int bcm2835_i2c_remove(struct platform_device *pdev) + { + struct bcm2835_i2c_dev *i2c_dev = platform_get_drvdata(pdev); +- struct clk *bus_clk = devm_clk_get(i2c_dev->dev, "div"); + +- clk_rate_exclusive_put(bus_clk); +- clk_disable_unprepare(bus_clk); ++ clk_rate_exclusive_put(i2c_dev->bus_clk); ++ clk_disable_unprepare(i2c_dev->bus_clk); + + free_irq(i2c_dev->irq, i2c_dev); + i2c_del_adapter(&i2c_dev->adapter); diff --git a/queue-5.4/ib-hfi1-don-t-cancel-unused-work-item.patch b/queue-5.4/ib-hfi1-don-t-cancel-unused-work-item.patch new file mode 100644 index 00000000000..2c861b082ee --- /dev/null +++ b/queue-5.4/ib-hfi1-don-t-cancel-unused-work-item.patch @@ -0,0 +1,52 @@ +From ca9033ba69c7e3477f207df69867b2ea969197c8 Mon Sep 17 00:00:00 2001 +From: Kaike Wan +Date: Thu, 19 Dec 2019 16:19:41 -0500 +Subject: IB/hfi1: Don't cancel unused work item + +From: Kaike Wan + +commit ca9033ba69c7e3477f207df69867b2ea969197c8 upstream. + +In the iowait structure, two iowait_work entries were included to queue a +given object: one for normal IB operations, and the other for TID RDMA +operations. For non-TID RDMA operations, the iowait_work structure for TID +RDMA is initialized to contain a NULL function (not used). When the QP is +reset, the function iowait_cancel_work will be called to cancel any +pending work. The problem is that this function will call +cancel_work_sync() for both iowait_work entries, even though the one for +TID RDMA is not used at all. Eventually, the call cascades to +__flush_work(), wherein a WARN_ON will be triggered due to the fact that +work->func is NULL. + +The WARN_ON was introduced in commit 4d43d395fed1 ("workqueue: Try to +catch flush_work() without INIT_WORK().") + +This patch fixes the issue by making sure that a work function is present +for TID RDMA before calling cancel_work_sync in iowait_cancel_work. + +Fixes: 4d43d395fed1 ("workqueue: Try to catch flush_work() without INIT_WORK().") +Fixes: 5da0fc9dbf89 ("IB/hfi1: Prepare resource waits for dual leg") +Link: https://lore.kernel.org/r/20191219211941.58387.39883.stgit@awfm-01.aw.intel.com +Reviewed-by: Mike Marciniszyn +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/iowait.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hfi1/iowait.c ++++ b/drivers/infiniband/hw/hfi1/iowait.c +@@ -81,7 +81,9 @@ void iowait_init(struct iowait *wait, u3 + void iowait_cancel_work(struct iowait *w) + { + cancel_work_sync(&iowait_get_ib_work(w)->iowork); +- cancel_work_sync(&iowait_get_tid_work(w)->iowork); ++ /* Make sure that the iowork for TID RDMA is used */ ++ if (iowait_get_tid_work(w)->iowork.func) ++ cancel_work_sync(&iowait_get_tid_work(w)->iowork); + } + + /** diff --git a/queue-5.4/iommu-remove-device-link-to-group-on-failure.patch b/queue-5.4/iommu-remove-device-link-to-group-on-failure.patch new file mode 100644 index 00000000000..91c6f226f15 --- /dev/null +++ b/queue-5.4/iommu-remove-device-link-to-group-on-failure.patch @@ -0,0 +1,32 @@ +From 7d4e6ccd1fb09dbfbc49746ca82bd5c25ad4bfe4 Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Tue, 31 Dec 2019 13:24:19 -0700 +Subject: iommu: Remove device link to group on failure + +From: Jon Derrick + +commit 7d4e6ccd1fb09dbfbc49746ca82bd5c25ad4bfe4 upstream. + +This adds the missing teardown step that removes the device link from +the group when the device addition fails. + +Signed-off-by: Jon Derrick +Fixes: 797a8b4d768c5 ("iommu: Handle default domain attach failure") +Reviewed-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/iommu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -751,6 +751,7 @@ err_put_group: + mutex_unlock(&group->mutex); + dev->iommu_group = NULL; + kobject_put(group->devices_kobj); ++ sysfs_remove_link(group->devices_kobj, device->name); + err_free_name: + kfree(device->name); + err_remove_link: diff --git a/queue-5.4/iommu-vt-d-unlink-device-if-failed-to-add-to-group.patch b/queue-5.4/iommu-vt-d-unlink-device-if-failed-to-add-to-group.patch new file mode 100644 index 00000000000..6c5a69f2f98 --- /dev/null +++ b/queue-5.4/iommu-vt-d-unlink-device-if-failed-to-add-to-group.patch @@ -0,0 +1,58 @@ +From f78947c409204138a4bc0609f98e07ef9d01ac0a Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Tue, 31 Dec 2019 13:24:20 -0700 +Subject: iommu/vt-d: Unlink device if failed to add to group + +From: Jon Derrick + +commit f78947c409204138a4bc0609f98e07ef9d01ac0a upstream. + +If the device fails to be added to the group, make sure to unlink the +reference before returning. + +Signed-off-by: Jon Derrick +Fixes: 39ab9555c2411 ("iommu: Add sysfs bindings for struct iommu_device") +Acked-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -5593,8 +5593,10 @@ static int intel_iommu_add_device(struct + + group = iommu_group_get_for_dev(dev); + +- if (IS_ERR(group)) +- return PTR_ERR(group); ++ if (IS_ERR(group)) { ++ ret = PTR_ERR(group); ++ goto unlink; ++ } + + iommu_group_put(group); + +@@ -5620,7 +5622,8 @@ static int intel_iommu_add_device(struct + if (!get_private_domain_for_dev(dev)) { + dev_warn(dev, + "Failed to get a private domain.\n"); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto unlink; + } + + dev_info(dev, +@@ -5635,6 +5638,10 @@ static int intel_iommu_add_device(struct + } + + return 0; ++ ++unlink: ++ iommu_device_unlink(&iommu->iommu, dev); ++ return ret; + } + + static void intel_iommu_remove_device(struct device *dev) diff --git a/queue-5.4/mtd-onenand-omap2-pass-correct-flags-for-prep_dma_memcpy.patch b/queue-5.4/mtd-onenand-omap2-pass-correct-flags-for-prep_dma_memcpy.patch new file mode 100644 index 00000000000..e55f5756e0a --- /dev/null +++ b/queue-5.4/mtd-onenand-omap2-pass-correct-flags-for-prep_dma_memcpy.patch @@ -0,0 +1,37 @@ +From 8bcef0d54067077cf9a6cb129022c77559926e8c Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Tue, 7 Jan 2020 10:45:44 +0200 +Subject: mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy + +From: Peter Ujfalusi + +commit 8bcef0d54067077cf9a6cb129022c77559926e8c upstream. + +The commit converting the driver to DMAengine was missing the flags for +the memcpy prepare call. +It went unnoticed since the omap-dma driver was ignoring them. + +Fixes: 3ed6a4d1de2c5 (" mtd: onenand: omap2: Convert to use dmaengine for memcp") +Reported-by: Aaro Koskinen +Signed-off-by: Peter Ujfalusi +Tested-by: H. Nikolaus Schaller +Tested-by: Aaro Koskinen +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/onenand/omap2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/onenand/omap2.c ++++ b/drivers/mtd/nand/onenand/omap2.c +@@ -328,7 +328,8 @@ static inline int omap2_onenand_dma_tran + struct dma_async_tx_descriptor *tx; + dma_cookie_t cookie; + +- tx = dmaengine_prep_dma_memcpy(c->dma_chan, dst, src, count, 0); ++ tx = dmaengine_prep_dma_memcpy(c->dma_chan, dst, src, count, ++ DMA_CTRL_ACK | DMA_PREP_INTERRUPT); + if (!tx) { + dev_err(&c->pdev->dev, "Failed to prepare DMA memcpy\n"); + return -EIO; diff --git a/queue-5.4/mtd-rawnand-stm32_fmc2-avoid-to-lock-the-cpu-bus.patch b/queue-5.4/mtd-rawnand-stm32_fmc2-avoid-to-lock-the-cpu-bus.patch new file mode 100644 index 00000000000..316633f5785 --- /dev/null +++ b/queue-5.4/mtd-rawnand-stm32_fmc2-avoid-to-lock-the-cpu-bus.patch @@ -0,0 +1,101 @@ +From 4114b17af41272e14939b000ce8f3ed7ba937e3c Mon Sep 17 00:00:00 2001 +From: Christophe Kerello +Date: Mon, 16 Dec 2019 10:01:55 +0100 +Subject: mtd: rawnand: stm32_fmc2: avoid to lock the CPU bus + +From: Christophe Kerello + +commit 4114b17af41272e14939b000ce8f3ed7ba937e3c upstream. + +We are currently using nand_soft_waitrdy to poll the status of the NAND +flash. FMC2 enables the wait feature bit (this feature is mandatory for +the sequencer mode). By enabling this feature, we can't poll the status +of the NAND flash, the read status command is stucked in FMC2 pipeline +until R/B# signal is high, and locks the CPU bus. +To avoid to lock the CPU bus, we poll FMC2 ISR register. This register +reports the status of the R/B# signal. + +Fixes: 2cd457f328c1 ("mtd: rawnand: stm32_fmc2: add STM32 FMC2 NAND flash controller driver") +Signed-off-by: Christophe Kerello +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/stm32_fmc2_nand.c | 38 +++++++++++++++++++++++++++++++-- + 1 file changed, 36 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/stm32_fmc2_nand.c ++++ b/drivers/mtd/nand/raw/stm32_fmc2_nand.c +@@ -37,6 +37,7 @@ + /* Max ECC buffer length */ + #define FMC2_MAX_ECC_BUF_LEN (FMC2_BCHDSRS_LEN * FMC2_MAX_SG) + ++#define FMC2_TIMEOUT_US 1000 + #define FMC2_TIMEOUT_MS 1000 + + /* Timings */ +@@ -53,6 +54,8 @@ + #define FMC2_PMEM 0x88 + #define FMC2_PATT 0x8c + #define FMC2_HECCR 0x94 ++#define FMC2_ISR 0x184 ++#define FMC2_ICR 0x188 + #define FMC2_CSQCR 0x200 + #define FMC2_CSQCFGR1 0x204 + #define FMC2_CSQCFGR2 0x208 +@@ -118,6 +121,12 @@ + #define FMC2_PATT_ATTHIZ(x) (((x) & 0xff) << 24) + #define FMC2_PATT_DEFAULT 0x0a0a0a0a + ++/* Register: FMC2_ISR */ ++#define FMC2_ISR_IHLF BIT(1) ++ ++/* Register: FMC2_ICR */ ++#define FMC2_ICR_CIHLF BIT(1) ++ + /* Register: FMC2_CSQCR */ + #define FMC2_CSQCR_CSQSTART BIT(0) + +@@ -1322,6 +1331,31 @@ static void stm32_fmc2_write_data(struct + stm32_fmc2_set_buswidth_16(fmc2, true); + } + ++static int stm32_fmc2_waitrdy(struct nand_chip *chip, unsigned long timeout_ms) ++{ ++ struct stm32_fmc2_nfc *fmc2 = to_stm32_nfc(chip->controller); ++ const struct nand_sdr_timings *timings; ++ u32 isr, sr; ++ ++ /* Check if there is no pending requests to the NAND flash */ ++ if (readl_relaxed_poll_timeout_atomic(fmc2->io_base + FMC2_SR, sr, ++ sr & FMC2_SR_NWRF, 1, ++ FMC2_TIMEOUT_US)) ++ dev_warn(fmc2->dev, "Waitrdy timeout\n"); ++ ++ /* Wait tWB before R/B# signal is low */ ++ timings = nand_get_sdr_timings(&chip->data_interface); ++ ndelay(PSEC_TO_NSEC(timings->tWB_max)); ++ ++ /* R/B# signal is low, clear high level flag */ ++ writel_relaxed(FMC2_ICR_CIHLF, fmc2->io_base + FMC2_ICR); ++ ++ /* Wait R/B# signal is high */ ++ return readl_relaxed_poll_timeout_atomic(fmc2->io_base + FMC2_ISR, ++ isr, isr & FMC2_ISR_IHLF, ++ 5, 1000 * timeout_ms); ++} ++ + static int stm32_fmc2_exec_op(struct nand_chip *chip, + const struct nand_operation *op, + bool check_only) +@@ -1366,8 +1400,8 @@ static int stm32_fmc2_exec_op(struct nan + break; + + case NAND_OP_WAITRDY_INSTR: +- ret = nand_soft_waitrdy(chip, +- instr->ctx.waitrdy.timeout_ms); ++ ret = stm32_fmc2_waitrdy(chip, ++ instr->ctx.waitrdy.timeout_ms); + break; + } + } diff --git a/queue-5.4/netfilter-nft_flow_offload-fix-underflow-in-flowtable-reference-counter.patch b/queue-5.4/netfilter-nft_flow_offload-fix-underflow-in-flowtable-reference-counter.patch new file mode 100644 index 00000000000..5a4e67150aa --- /dev/null +++ b/queue-5.4/netfilter-nft_flow_offload-fix-underflow-in-flowtable-reference-counter.patch @@ -0,0 +1,33 @@ +From 8ca79606cdfde2e37ee4f0707b9d1874a6f0eb38 Mon Sep 17 00:00:00 2001 +From: wenxu +Date: Fri, 20 Dec 2019 17:08:46 +0800 +Subject: netfilter: nft_flow_offload: fix underflow in flowtable reference counter + +From: wenxu + +commit 8ca79606cdfde2e37ee4f0707b9d1874a6f0eb38 upstream. + +The .deactivate and .activate interfaces already deal with the reference +counter. Otherwise, this results in spurious "Device is busy" errors. + +Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression") +Signed-off-by: wenxu +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_flow_offload.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -197,9 +197,6 @@ static void nft_flow_offload_activate(co + static void nft_flow_offload_destroy(const struct nft_ctx *ctx, + const struct nft_expr *expr) + { +- struct nft_flow_offload *priv = nft_expr_priv(expr); +- +- priv->flowtable->use--; + nf_ct_netns_put(ctx->net, ctx->family); + } + diff --git a/queue-5.4/phy-mapphone-mdm6600-fix-uninitialized-status-value-regression.patch b/queue-5.4/phy-mapphone-mdm6600-fix-uninitialized-status-value-regression.patch new file mode 100644 index 00000000000..ec025109b42 --- /dev/null +++ b/queue-5.4/phy-mapphone-mdm6600-fix-uninitialized-status-value-regression.patch @@ -0,0 +1,65 @@ +From af5d44de571811a151510bfd1236407b7f551cd9 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Fri, 30 Aug 2019 14:43:12 -0700 +Subject: phy: mapphone-mdm6600: Fix uninitialized status value regression + +From: Tony Lindgren + +commit af5d44de571811a151510bfd1236407b7f551cd9 upstream. + +Only the used bits get cleared with bitmap_zero() when we call +gpiod_get_array_value_cansleep(). We must mask only the bits we're +using for ddata->status as the other bits in the bitmap may not be +initialized. + +And let's also drop useless debug code accidentally left over while +at it. + +Fixes: b9762bebc633 ("gpiolib: Pass bitmaps, not integer arrays, to get/set array") +Cc: Jacopo Mondi +Cc: Janusz Krzysztofik +Cc: Linus Walleij +Cc: Marcel Partap +Cc: Merlijn Wajer +Cc: Michael Scott +Cc: NeKit +Cc: Pavel Machek +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/motorola/phy-mapphone-mdm6600.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/phy/motorola/phy-mapphone-mdm6600.c ++++ b/drivers/phy/motorola/phy-mapphone-mdm6600.c +@@ -200,7 +200,7 @@ static void phy_mdm6600_status(struct wo + struct phy_mdm6600 *ddata; + struct device *dev; + DECLARE_BITMAP(values, PHY_MDM6600_NR_STATUS_LINES); +- int error, i, val = 0; ++ int error; + + ddata = container_of(work, struct phy_mdm6600, status_work.work); + dev = ddata->dev; +@@ -212,16 +212,11 @@ static void phy_mdm6600_status(struct wo + if (error) + return; + +- for (i = 0; i < PHY_MDM6600_NR_STATUS_LINES; i++) { +- val |= test_bit(i, values) << i; +- dev_dbg(ddata->dev, "XXX %s: i: %i values[i]: %i val: %i\n", +- __func__, i, test_bit(i, values), val); +- } +- ddata->status = values[0]; ++ ddata->status = values[0] & ((1 << PHY_MDM6600_NR_STATUS_LINES) - 1); + + dev_info(dev, "modem status: %i %s\n", + ddata->status, +- phy_mdm6600_status_name[ddata->status & 7]); ++ phy_mdm6600_status_name[ddata->status]); + complete(&ddata->ack); + } + diff --git a/queue-5.4/pinctrl-lochnagar-select-gpiolib.patch b/queue-5.4/pinctrl-lochnagar-select-gpiolib.patch new file mode 100644 index 00000000000..30d54fb9fbf --- /dev/null +++ b/queue-5.4/pinctrl-lochnagar-select-gpiolib.patch @@ -0,0 +1,40 @@ +From f7e36e18946b4ec756b9c5cf4fb8891be8d1e4a3 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 18 Dec 2019 17:36:46 +0100 +Subject: pinctrl: lochnagar: select GPIOLIB + +From: Arnd Bergmann + +commit f7e36e18946b4ec756b9c5cf4fb8891be8d1e4a3 upstream. + +In a rare randconfig build I came across one configuration that does +not enable CONFIG_GPIOLIB, which is needed by lochnagar: + +ERROR: "devm_gpiochip_add_data" [drivers/pinctrl/cirrus/pinctrl-lochnagar.ko] undefined! +ERROR: "gpiochip_generic_free" [drivers/pinctrl/cirrus/pinctrl-lochnagar.ko] undefined! +ERROR: "gpiochip_generic_request" [drivers/pinctrl/cirrus/pinctrl-lochnagar.ko] undefined! +ERROR: "gpiochip_get_data" [drivers/pinctrl/cirrus/pinctrl-lochnagar.ko] undefined! + +Add another 'select' like all other pinctrl drivers have. + +Fixes: 0548448b719a ("pinctrl: lochnagar: Add support for the Cirrus Logic Lochnagar") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20191218163701.171914-1-arnd@arndb.de +Acked-by: Charles Keepax +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/cirrus/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pinctrl/cirrus/Kconfig ++++ b/drivers/pinctrl/cirrus/Kconfig +@@ -2,6 +2,7 @@ + config PINCTRL_LOCHNAGAR + tristate "Cirrus Logic Lochnagar pinctrl driver" + depends on MFD_LOCHNAGAR ++ select GPIOLIB + select PINMUX + select PINCONF + select GENERIC_PINCONF diff --git a/queue-5.4/pinctrl-meson-fix-wrong-shift-value-when-get-drive-strength.patch b/queue-5.4/pinctrl-meson-fix-wrong-shift-value-when-get-drive-strength.patch new file mode 100644 index 00000000000..bdb17aa6503 --- /dev/null +++ b/queue-5.4/pinctrl-meson-fix-wrong-shift-value-when-get-drive-strength.patch @@ -0,0 +1,36 @@ +From 35c60be220572de7d6605c4318f640d133982040 Mon Sep 17 00:00:00 2001 +From: Qianggui Song +Date: Thu, 26 Dec 2019 10:37:34 +0800 +Subject: pinctrl: meson: Fix wrong shift value when get drive-strength + +From: Qianggui Song + +commit 35c60be220572de7d6605c4318f640d133982040 upstream. + +In meson_pinconf_get_drive_strength, variable bit is calculated by +meson_calc_reg_and_bit, this value is the offset from the first pin of a +certain bank to current pin, while Meson SoCs use two bits for each pin +to depict drive-strength. So a left shift by 1 should be done or node +pinconf-pins shows wrong message. + +Fixes: 6ea3e3bbef37 ("pinctrl: meson: add support of drive-strength-microamp") + +Signed-off-by: Qianggui Song +Link: https://lore.kernel.org/r/20191226023734.9631-1-qianggui.song@amlogic.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/meson/pinctrl-meson.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pinctrl/meson/pinctrl-meson.c ++++ b/drivers/pinctrl/meson/pinctrl-meson.c +@@ -441,6 +441,7 @@ static int meson_pinconf_get_drive_stren + return ret; + + meson_calc_reg_and_bit(bank, pin, REG_DS, ®, &bit); ++ bit = bit << 1; + + ret = regmap_read(pc->reg_ds, reg, &val); + if (ret) diff --git a/queue-5.4/pm-devfreq-tegra-add-common_clk-dependency.patch b/queue-5.4/pm-devfreq-tegra-add-common_clk-dependency.patch new file mode 100644 index 00000000000..d3dcce99d89 --- /dev/null +++ b/queue-5.4/pm-devfreq-tegra-add-common_clk-dependency.patch @@ -0,0 +1,34 @@ +From 5fdb0684b5b0f41402161f068d3d84bf6ed1c3f4 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 12 Dec 2019 10:56:31 +0900 +Subject: PM / devfreq: tegra: Add COMMON_CLK dependency + +From: Arnd Bergmann + +commit 5fdb0684b5b0f41402161f068d3d84bf6ed1c3f4 upstream. + +Compile-testing this driver fails if CONFIG_COMMON_CLK is not set: + +drivers/devfreq/tegra30-devfreq.o: In function `tegra_devfreq_target': +tegra30-devfreq.c:(.text+0x164): undefined reference to `clk_set_min_rate' + +Fixes: 35f8dbc72721 ("PM / devfreq: tegra: Enable COMPILE_TEST for the driver") +Signed-off-by: Arnd Bergmann +Reviewed-by: Dmitry Osipenko +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/devfreq/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/devfreq/Kconfig ++++ b/drivers/devfreq/Kconfig +@@ -99,6 +99,7 @@ config ARM_TEGRA_DEVFREQ + ARCH_TEGRA_210_SOC || \ + COMPILE_TEST + select PM_OPP ++ depends on COMMON_CLK + help + This adds the DEVFREQ driver for the Tegra family of SoCs. + It reads ACTMON counters of memory controllers and adjusts the diff --git a/queue-5.4/rdma-bnxt_re-avoid-freeing-mr-resources-if-dereg-fails.patch b/queue-5.4/rdma-bnxt_re-avoid-freeing-mr-resources-if-dereg-fails.patch new file mode 100644 index 00000000000..9b90e6396a7 --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-avoid-freeing-mr-resources-if-dereg-fails.patch @@ -0,0 +1,82 @@ +From 9a4467a6b282a299b932608ac2c9034f8415359f Mon Sep 17 00:00:00 2001 +From: Selvin Xavier +Date: Mon, 25 Nov 2019 00:39:29 -0800 +Subject: RDMA/bnxt_re: Avoid freeing MR resources if dereg fails + +From: Selvin Xavier + +commit 9a4467a6b282a299b932608ac2c9034f8415359f upstream. + +The driver returns an error code for MR dereg, but frees the MR structure. +When the MR dereg is retried due to previous error, the system crashes as +the structure is already freed. + + BUG: unable to handle kernel NULL pointer dereference at 00000000000001b8 + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + CPU: 7 PID: 12178 Comm: ib_send_bw Kdump: loaded Not tainted 4.18.0-124.el8.x86_64 #1 + Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.1.10 03/10/2015 + RIP: 0010:__dev_printk+0x2a/0x70 + Code: 0f 1f 44 00 00 49 89 d1 48 85 f6 0f 84 f6 2b 00 00 4c 8b 46 70 4d 85 c0 75 04 4c 8b +46 10 48 8b 86 a8 00 00 00 48 85 c0 74 16 <48> 8b 08 0f be 7f 01 48 c7 c2 13 ac ac 83 83 ef 30 e9 10 fe ff ff + RSP: 0018:ffffaf7c04607a60 EFLAGS: 00010006 + RAX: 00000000000001b8 RBX: ffffa0010c91c488 RCX: 0000000000000246 + RDX: ffffaf7c04607a68 RSI: ffffa0010c91caa8 RDI: ffffffff83a788eb + RBP: ffffaf7c04607ac8 R08: 0000000000000000 R09: ffffaf7c04607a68 + R10: 0000000000000000 R11: 0000000000000001 R12: ffffaf7c04607b90 + R13: 000000000000000e R14: 0000000000000000 R15: 00000000ffffa001 + FS: 0000146fa1f1cdc0(0000) GS:ffffa0012fac0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00000000000001b8 CR3: 000000007680a003 CR4: 00000000001606e0 + Call Trace: + dev_err+0x6c/0x90 + ? dev_printk_emit+0x4e/0x70 + bnxt_qplib_rcfw_send_message+0x594/0x660 [bnxt_re] + ? dev_err+0x6c/0x90 + bnxt_qplib_free_mrw+0x80/0xe0 [bnxt_re] + bnxt_re_dereg_mr+0x2e/0xd0 [bnxt_re] + ib_dereg_mr+0x2f/0x50 [ib_core] + destroy_hw_idr_uobject+0x20/0x70 [ib_uverbs] + uverbs_destroy_uobject+0x2e/0x170 [ib_uverbs] + __uverbs_cleanup_ufile+0x6e/0x90 [ib_uverbs] + uverbs_destroy_ufile_hw+0x61/0x130 [ib_uverbs] + ib_uverbs_close+0x1f/0x80 [ib_uverbs] + __fput+0xb7/0x230 + task_work_run+0x8a/0xb0 + do_exit+0x2da/0xb40 +... + RIP: 0033:0x146fa113a387 + Code: Bad RIP value. + RSP: 002b:00007fff945d1478 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02 + RAX: 0000000000000000 RBX: 000055a248908d70 RCX: 0000000000000000 + RDX: 0000146fa1f2b000 RSI: 0000000000000001 RDI: 000055a248906488 + RBP: 000055a248909630 R08: 0000000000010000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 000055a248906488 + R13: 0000000000000001 R14: 0000000000000000 R15: 000055a2489095f0 + +Do not free the MR structures, when driver returns error to the stack. + +Fixes: 872f3578241d ("RDMA/bnxt_re: Add support for MRs with Huge pages") +Link: https://lore.kernel.org/r/1574671174-5064-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -3323,8 +3323,10 @@ int bnxt_re_dereg_mr(struct ib_mr *ib_mr + int rc; + + rc = bnxt_qplib_free_mrw(&rdev->qplib_res, &mr->qplib_mr); +- if (rc) ++ if (rc) { + dev_err(rdev_to_dev(rdev), "Dereg MR failed: %#x\n", rc); ++ return rc; ++ } + + if (mr->pages) { + rc = bnxt_qplib_free_fast_reg_page_list(&rdev->qplib_res, diff --git a/queue-5.4/rdma-bnxt_re-fix-send-work-entry-state-check-while-polling-completions.patch b/queue-5.4/rdma-bnxt_re-fix-send-work-entry-state-check-while-polling-completions.patch new file mode 100644 index 00000000000..3bc95d21a0e --- /dev/null +++ b/queue-5.4/rdma-bnxt_re-fix-send-work-entry-state-check-while-polling-completions.patch @@ -0,0 +1,50 @@ +From c5275723580922e5f3264f96751337661a153c7d Mon Sep 17 00:00:00 2001 +From: Selvin Xavier +Date: Mon, 25 Nov 2019 00:39:30 -0800 +Subject: RDMA/bnxt_re: Fix Send Work Entry state check while polling completions + +From: Selvin Xavier + +commit c5275723580922e5f3264f96751337661a153c7d upstream. + +Some adapters need a fence Work Entry to handle retransmission. Currently +the driver checks for this condition, only if the Send queue entry is +signalled. Implement the condition check, irrespective of the signalled +state of the Work queue entries + +Failure to add the fence can result in access to memory that is already +marked as completed, triggering data corruption, transmission failure, +IOMMU failures, etc. + +Fixes: 9152e0b722b2 ("RDMA/bnxt_re: HW workarounds for handling specific conditions") +Link: https://lore.kernel.org/r/1574671174-5064-3-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -2283,13 +2283,13 @@ static int bnxt_qplib_cq_process_req(str + /* Add qp to flush list of the CQ */ + bnxt_qplib_add_flush_qp(qp); + } else { ++ /* Before we complete, do WA 9060 */ ++ if (do_wa9060(qp, cq, cq_cons, sw_sq_cons, ++ cqe_sq_cons)) { ++ *lib_qp = qp; ++ goto out; ++ } + if (swq->flags & SQ_SEND_FLAGS_SIGNAL_COMP) { +- /* Before we complete, do WA 9060 */ +- if (do_wa9060(qp, cq, cq_cons, sw_sq_cons, +- cqe_sq_cons)) { +- *lib_qp = qp; +- goto out; +- } + cqe->status = CQ_REQ_STATUS_OK; + cqe++; + (*budget)--; diff --git a/queue-5.4/rtc-mt6397-fix-alarm-register-overwrite.patch b/queue-5.4/rtc-mt6397-fix-alarm-register-overwrite.patch new file mode 100644 index 00000000000..5fc66b41a0d --- /dev/null +++ b/queue-5.4/rtc-mt6397-fix-alarm-register-overwrite.patch @@ -0,0 +1,103 @@ +From 653997eeecef95c3ead4fba1b2d27e6a5854d6cd Mon Sep 17 00:00:00 2001 +From: Ran Bi +Date: Wed, 11 Dec 2019 17:43:54 +0800 +Subject: rtc: mt6397: fix alarm register overwrite + +From: Ran Bi + +commit 653997eeecef95c3ead4fba1b2d27e6a5854d6cd upstream. + +Alarm registers high byte was reserved for other functions. +This add mask in alarm registers operation functions. +This also fix error condition in interrupt handler. + +Fixes: fc2979118f3f ("rtc: mediatek: Add MT6397 RTC driver") + +Signed-off-by: Ran Bi +Signed-off-by: Hsin-Hsiung Wang +Link: https://lore.kernel.org/r/1576057435-3561-6-git-send-email-hsin-hsiung.wang@mediatek.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-mt6397.c | 47 +++++++++++++++++++++++++++++++++-------------- + 1 file changed, 33 insertions(+), 14 deletions(-) + +--- a/drivers/rtc/rtc-mt6397.c ++++ b/drivers/rtc/rtc-mt6397.c +@@ -47,6 +47,14 @@ + + #define RTC_AL_SEC 0x0018 + ++#define RTC_AL_SEC_MASK 0x003f ++#define RTC_AL_MIN_MASK 0x003f ++#define RTC_AL_HOU_MASK 0x001f ++#define RTC_AL_DOM_MASK 0x001f ++#define RTC_AL_DOW_MASK 0x0007 ++#define RTC_AL_MTH_MASK 0x000f ++#define RTC_AL_YEA_MASK 0x007f ++ + #define RTC_PDN2 0x002e + #define RTC_PDN2_PWRON_ALARM BIT(4) + +@@ -103,7 +111,7 @@ static irqreturn_t mtk_rtc_irq_handler_t + irqen = irqsta & ~RTC_IRQ_EN_AL; + mutex_lock(&rtc->lock); + if (regmap_write(rtc->regmap, rtc->addr_base + RTC_IRQ_EN, +- irqen) < 0) ++ irqen) == 0) + mtk_rtc_write_trigger(rtc); + mutex_unlock(&rtc->lock); + +@@ -225,12 +233,12 @@ static int mtk_rtc_read_alarm(struct dev + alm->pending = !!(pdn2 & RTC_PDN2_PWRON_ALARM); + mutex_unlock(&rtc->lock); + +- tm->tm_sec = data[RTC_OFFSET_SEC]; +- tm->tm_min = data[RTC_OFFSET_MIN]; +- tm->tm_hour = data[RTC_OFFSET_HOUR]; +- tm->tm_mday = data[RTC_OFFSET_DOM]; +- tm->tm_mon = data[RTC_OFFSET_MTH]; +- tm->tm_year = data[RTC_OFFSET_YEAR]; ++ tm->tm_sec = data[RTC_OFFSET_SEC] & RTC_AL_SEC_MASK; ++ tm->tm_min = data[RTC_OFFSET_MIN] & RTC_AL_MIN_MASK; ++ tm->tm_hour = data[RTC_OFFSET_HOUR] & RTC_AL_HOU_MASK; ++ tm->tm_mday = data[RTC_OFFSET_DOM] & RTC_AL_DOM_MASK; ++ tm->tm_mon = data[RTC_OFFSET_MTH] & RTC_AL_MTH_MASK; ++ tm->tm_year = data[RTC_OFFSET_YEAR] & RTC_AL_YEA_MASK; + + tm->tm_year += RTC_MIN_YEAR_OFFSET; + tm->tm_mon--; +@@ -251,14 +259,25 @@ static int mtk_rtc_set_alarm(struct devi + tm->tm_year -= RTC_MIN_YEAR_OFFSET; + tm->tm_mon++; + +- data[RTC_OFFSET_SEC] = tm->tm_sec; +- data[RTC_OFFSET_MIN] = tm->tm_min; +- data[RTC_OFFSET_HOUR] = tm->tm_hour; +- data[RTC_OFFSET_DOM] = tm->tm_mday; +- data[RTC_OFFSET_MTH] = tm->tm_mon; +- data[RTC_OFFSET_YEAR] = tm->tm_year; +- + mutex_lock(&rtc->lock); ++ ret = regmap_bulk_read(rtc->regmap, rtc->addr_base + RTC_AL_SEC, ++ data, RTC_OFFSET_COUNT); ++ if (ret < 0) ++ goto exit; ++ ++ data[RTC_OFFSET_SEC] = ((data[RTC_OFFSET_SEC] & ~(RTC_AL_SEC_MASK)) | ++ (tm->tm_sec & RTC_AL_SEC_MASK)); ++ data[RTC_OFFSET_MIN] = ((data[RTC_OFFSET_MIN] & ~(RTC_AL_MIN_MASK)) | ++ (tm->tm_min & RTC_AL_MIN_MASK)); ++ data[RTC_OFFSET_HOUR] = ((data[RTC_OFFSET_HOUR] & ~(RTC_AL_HOU_MASK)) | ++ (tm->tm_hour & RTC_AL_HOU_MASK)); ++ data[RTC_OFFSET_DOM] = ((data[RTC_OFFSET_DOM] & ~(RTC_AL_DOM_MASK)) | ++ (tm->tm_mday & RTC_AL_DOM_MASK)); ++ data[RTC_OFFSET_MTH] = ((data[RTC_OFFSET_MTH] & ~(RTC_AL_MTH_MASK)) | ++ (tm->tm_mon & RTC_AL_MTH_MASK)); ++ data[RTC_OFFSET_YEAR] = ((data[RTC_OFFSET_YEAR] & ~(RTC_AL_YEA_MASK)) | ++ (tm->tm_year & RTC_AL_YEA_MASK)); ++ + if (alm->enabled) { + ret = regmap_bulk_write(rtc->regmap, + rtc->addr_base + RTC_AL_SEC, diff --git a/queue-5.4/scsi-mpt3sas-fix-double-free-in-attach-error-handling.patch b/queue-5.4/scsi-mpt3sas-fix-double-free-in-attach-error-handling.patch new file mode 100644 index 00000000000..dc17468c4ed --- /dev/null +++ b/queue-5.4/scsi-mpt3sas-fix-double-free-in-attach-error-handling.patch @@ -0,0 +1,43 @@ +From ee560e7bbab0c10cf3f0e71997fbc354ab2ee5cb Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 3 Dec 2019 12:36:52 +0300 +Subject: scsi: mpt3sas: Fix double free in attach error handling + +From: Dan Carpenter + +commit ee560e7bbab0c10cf3f0e71997fbc354ab2ee5cb upstream. + +The caller also calls _base_release_memory_pools() on error so it leads to +a number of double frees: + +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->chain_dma_pool' double freed +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->hpr_lookup' double freed +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->internal_lookup' double freed +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->pcie_sgl_dma_pool' double freed +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_dma_pool' double freed +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_free_dma_pool' double freed +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_post_free_array_dma_pool' double freed +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->reply_post_free_dma_pool' double freed +drivers/scsi/mpt3sas/mpt3sas_base.c:7207 mpt3sas_base_attach() warn: 'ioc->sense_dma_pool' double freed + +Fixes: 74522a92bbf0 ("scsi: mpt3sas: Optimize I/O memory consumption in driver.") +Link: https://lore.kernel.org/r/20191203093652.gyntgvnkw2udatyc@kili.mountain +Signed-off-by: Dan Carpenter +Acked-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -5234,7 +5234,6 @@ _base_allocate_memory_pools(struct MPT3S + &ct->chain_buffer_dma); + if (!ct->chain_buffer) { + ioc_err(ioc, "chain_lookup: pci_pool_alloc failed\n"); +- _base_release_memory_pools(ioc); + goto out; + } + } diff --git a/queue-5.4/selftests-loopback.sh-skip-this-test-if-the-driver-does-not-support.patch b/queue-5.4/selftests-loopback.sh-skip-this-test-if-the-driver-does-not-support.patch new file mode 100644 index 00000000000..d106290987f --- /dev/null +++ b/queue-5.4/selftests-loopback.sh-skip-this-test-if-the-driver-does-not-support.patch @@ -0,0 +1,48 @@ +From cc7e3f63d7299dd1119be39aa187b867d6f8aa17 Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Fri, 3 Jan 2020 15:41:24 +0800 +Subject: selftests: loopback.sh: skip this test if the driver does not support + +From: Hangbin Liu + +commit cc7e3f63d7299dd1119be39aa187b867d6f8aa17 upstream. + +The loopback feature is only supported on a few drivers like broadcom, +mellanox, etc. The default veth driver has not supported it yet. To avoid +returning failed and making the runner feel confused, let's just skip +the test on drivers that not support loopback. + +Fixes: ad11340994d5 ("selftests: Add loopback test") +Signed-off-by: Hangbin Liu +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/net/forwarding/loopback.sh | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/tools/testing/selftests/net/forwarding/loopback.sh ++++ b/tools/testing/selftests/net/forwarding/loopback.sh +@@ -1,6 +1,9 @@ + #!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ + ALL_TESTS="loopback_test" + NUM_NETIFS=2 + source tc_common.sh +@@ -72,6 +75,11 @@ setup_prepare() + + h1_create + h2_create ++ ++ if ethtool -k $h1 | grep loopback | grep -q fixed; then ++ log_test "SKIP: dev $h1 does not support loopback feature" ++ exit $ksft_skip ++ fi + } + + cleanup() diff --git a/queue-5.4/series b/queue-5.4/series index 6f146b4ed4e..c185d8608c4 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1 +1,27 @@ hid-hidraw-uhid-always-report-epollout.patch +rtc-mt6397-fix-alarm-register-overwrite.patch +phy-mapphone-mdm6600-fix-uninitialized-status-value-regression.patch +rdma-bnxt_re-avoid-freeing-mr-resources-if-dereg-fails.patch +rdma-bnxt_re-fix-send-work-entry-state-check-while-polling-completions.patch +ib-hfi1-don-t-cancel-unused-work-item.patch +mtd-rawnand-stm32_fmc2-avoid-to-lock-the-cpu-bus.patch +i2c-bcm2835-store-pointer-to-bus-clock.patch +asoc-sof-imx8-fix-memory-allocation-failure-check-on-priv-pd_dev.patch +asoc-soc-core-set-dpcm_playback-dpcm_capture.patch +asoc-stm32-spdifrx-fix-inconsistent-lock-state.patch +asoc-stm32-spdifrx-fix-race-condition-in-irq-handler.patch +asoc-stm32-spdifrx-fix-input-pin-state-management.patch +pinctrl-lochnagar-select-gpiolib.patch +netfilter-nft_flow_offload-fix-underflow-in-flowtable-reference-counter.patch +asoc-sof-imx8-fix-dsp_box-offset.patch +mtd-onenand-omap2-pass-correct-flags-for-prep_dma_memcpy.patch +gpio-zynq-fix-for-bug-in-zynq_gpio_restore_context-api.patch +pinctrl-meson-fix-wrong-shift-value-when-get-drive-strength.patch +selftests-loopback.sh-skip-this-test-if-the-driver-does-not-support.patch +iommu-vt-d-unlink-device-if-failed-to-add-to-group.patch +iommu-remove-device-link-to-group-on-failure.patch +bpf-cgroup-prevent-out-of-order-release-of-cgroup-bpf.patch +fs-move-guard_bio_eod-after-bio_set_op_attrs.patch +scsi-mpt3sas-fix-double-free-in-attach-error-handling.patch +gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch +pm-devfreq-tegra-add-common_clk-dependency.patch