From: Sasha Levin Date: Mon, 26 Oct 2020 04:58:12 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.241~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=016107b0d11bd246fe9967ffbad9e2db17b26f06;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch b/queue-5.4/alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch new file mode 100644 index 00000000000..61c46ce3485 --- /dev/null +++ b/queue-5.4/alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch @@ -0,0 +1,70 @@ +From d76029032ee1f94a486cce5cdd351b994abb568c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 16:10:37 -0400 +Subject: ALSA: hda/ca0132 - Add AE-7 microphone selection commands. + +From: Connor McAdams + +[ Upstream commit ed93f9750c6c2ed371347d0aac3dcd31cb9cf256 ] + +Add AE-7 quirk data for setting of microphone. The AE-7 has no front +panel connector, so only rear-mic/line-in have new commands. + +Signed-off-by: Connor McAdams +Link: https://lore.kernel.org/r/20200825201040.30339-19-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 6aa39339db0ab..98a11c38e7a8e 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4674,6 +4674,15 @@ static int ca0132_alt_select_in(struct hda_codec *codec) + ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00); + tmp = FLOAT_THREE; + break; ++ case QUIRK_AE7: ++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00); ++ tmp = FLOAT_THREE; ++ chipio_set_conn_rate(codec, MEM_CONNID_MICIN2, ++ SR_96_000); ++ chipio_set_conn_rate(codec, MEM_CONNID_MICOUT2, ++ SR_96_000); ++ dspio_set_uint_param(codec, 0x80, 0x01, FLOAT_ZERO); ++ break; + default: + tmp = FLOAT_ONE; + break; +@@ -4719,6 +4728,14 @@ static int ca0132_alt_select_in(struct hda_codec *codec) + case QUIRK_AE5: + ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00); + break; ++ case QUIRK_AE7: ++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x3f); ++ chipio_set_conn_rate(codec, MEM_CONNID_MICIN2, ++ SR_96_000); ++ chipio_set_conn_rate(codec, MEM_CONNID_MICOUT2, ++ SR_96_000); ++ dspio_set_uint_param(codec, 0x80, 0x01, FLOAT_ZERO); ++ break; + default: + break; + } +@@ -4728,7 +4745,10 @@ static int ca0132_alt_select_in(struct hda_codec *codec) + if (ca0132_quirk(spec) == QUIRK_R3DI) + chipio_set_conn_rate(codec, 0x0F, SR_96_000); + +- tmp = FLOAT_ZERO; ++ if (ca0132_quirk(spec) == QUIRK_AE7) ++ tmp = FLOAT_THREE; ++ else ++ tmp = FLOAT_ZERO; + dspio_set_uint_param(codec, 0x80, 0x00, tmp); + + switch (ca0132_quirk(spec)) { +-- +2.25.1 + diff --git a/queue-5.4/alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch b/queue-5.4/alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch new file mode 100644 index 00000000000..cfa6134bf00 --- /dev/null +++ b/queue-5.4/alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch @@ -0,0 +1,42 @@ +From 5f577af703d3edf7cd114d1de3ace2e0d4d1c720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 16:10:29 -0400 +Subject: ALSA: hda/ca0132 - Add new quirk ID for SoundBlaster AE-7. + +From: Connor McAdams + +[ Upstream commit 620f08eea6d6961b789af3fa3ea86725c8c93ece ] + +Add a new PCI subsystem ID for the SoundBlaster AE-7 card. + +Signed-off-by: Connor McAdams +Link: https://lore.kernel.org/r/20200825201040.30339-11-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 98a11c38e7a8e..459aff6c10bc5 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1065,6 +1065,7 @@ enum { + QUIRK_R3DI, + QUIRK_R3D, + QUIRK_AE5, ++ QUIRK_AE7, + }; + + #ifdef CONFIG_PCI +@@ -1184,6 +1185,7 @@ static const struct snd_pci_quirk ca0132_quirks[] = { + SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D), + SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D), + SND_PCI_QUIRK(0x1102, 0x0051, "Sound Blaster AE-5", QUIRK_AE5), ++ SND_PCI_QUIRK(0x1102, 0x0081, "Sound Blaster AE-7", QUIRK_AE7), + {} + }; + +-- +2.25.1 + diff --git a/queue-5.4/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch b/queue-5.4/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch new file mode 100644 index 00000000000..6945568b2c8 --- /dev/null +++ b/queue-5.4/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch @@ -0,0 +1,51 @@ +From 80fe0c4a60c357b3c83e9b49b252b45d841f7e52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 10:38:56 +0200 +Subject: ALSA: seq: oss: Avoid mutex lock for a long-time ioctl + +From: Takashi Iwai + +[ Upstream commit 2759caad2600d503c3b0ed800e7e03d2cd7a4c05 ] + +Recently we applied a fix to cover the whole OSS sequencer ioctls with +the mutex for dealing with the possible races. This works fine in +general, but in theory, this may lead to unexpectedly long stall if an +ioctl like SNDCTL_SEQ_SYNC is issued and an event with the far future +timestamp was queued. + +For fixing such a potential stall, this patch changes the mutex lock +applied conditionally excluding such an ioctl command. Also, change +the mutex_lock() with the interruptible version for user to allow +escaping from the big-hammer mutex. + +Fixes: 80982c7e834e ("ALSA: seq: oss: Serialize ioctls") +Suggested-by: Pavel Machek +Link: https://lore.kernel.org/r/20200922083856.28572-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/oss/seq_oss.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c +index c8b9c0b315d8f..250a92b187265 100644 +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -174,9 +174,12 @@ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + if (snd_BUG_ON(!dp)) + return -ENXIO; + +- mutex_lock(®ister_mutex); ++ if (cmd != SNDCTL_SEQ_SYNC && ++ mutex_lock_interruptible(®ister_mutex)) ++ return -ERESTARTSYS; + rc = snd_seq_oss_ioctl(dp, cmd, arg); +- mutex_unlock(®ister_mutex); ++ if (cmd != SNDCTL_SEQ_SYNC) ++ mutex_unlock(®ister_mutex); + return rc; + } + +-- +2.25.1 + diff --git a/queue-5.4/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch b/queue-5.4/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch new file mode 100644 index 00000000000..208e17a6b88 --- /dev/null +++ b/queue-5.4/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch @@ -0,0 +1,45 @@ +From 5b17f5a1571de754a085878160aea178cc69fc12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:46:52 +0300 +Subject: arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER + +From: Necip Fazil Yildiran + +[ Upstream commit 63bcf87cb1c57956e1179f1a78dde625c7e3cba7 ] + +When ARC_SOC_HSDK is enabled and RESET_CONTROLLER is disabled, it results +in the following Kbuild warning: + +WARNING: unmet direct dependencies detected for RESET_HSDK + Depends on [n]: RESET_CONTROLLER [=n] && HAS_IOMEM [=y] && (ARC_SOC_HSDK [=y] || COMPILE_TEST [=n]) + Selected by [y]: + - ARC_SOC_HSDK [=y] && ISA_ARCV2 [=y] + +The reason is that ARC_SOC_HSDK selects RESET_HSDK without depending on or +selecting RESET_CONTROLLER while RESET_HSDK is subordinate to +RESET_CONTROLLER. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: a528629dfd3b ("ARC: [plat-hsdk] select CONFIG_RESET_HSDK from Kconfig") +Signed-off-by: Necip Fazil Yildiran +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/plat-hsdk/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arc/plat-hsdk/Kconfig b/arch/arc/plat-hsdk/Kconfig +index ce81018345184..6b5c54576f54d 100644 +--- a/arch/arc/plat-hsdk/Kconfig ++++ b/arch/arc/plat-hsdk/Kconfig +@@ -8,5 +8,6 @@ menuconfig ARC_SOC_HSDK + select ARC_HAS_ACCL_REGS + select ARC_IRQ_NO_AUTOSAVE + select CLK_HSDK ++ select RESET_CONTROLLER + select RESET_HSDK + select HAVE_PCI +-- +2.25.1 + diff --git a/queue-5.4/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch b/queue-5.4/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch new file mode 100644 index 00000000000..ec1543559f0 --- /dev/null +++ b/queue-5.4/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch @@ -0,0 +1,68 @@ +From 0e7c0f5db529a170ee384ebbfb17ea8ca9b1b68f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 16:58:06 +0100 +Subject: ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT + values + +From: Guillaume Tucker + +[ Upstream commit 8e007b367a59bcdf484c81f6df9bd5a4cc179ca6 ] + +The L310_PREFETCH_CTRL register bits 28 and 29 to enable data and +instruction prefetch respectively can also be accessed via the +L2X0_AUX_CTRL register. They appear to be actually wired together in +hardware between the registers. Changing them in the prefetch +register only will get undone when restoring the aux control register +later on. For this reason, set these bits in both registers during +initialisation according to the devicetree property values. + +Link: https://lore.kernel.org/lkml/76f2f3ad5e77e356e0a5b99ceee1e774a2842c25.1597061474.git.guillaume.tucker@collabora.com/ + +Fixes: ec3bd0e68a67 ("ARM: 8391/1: l2c: add options to overwrite prefetching behavior") +Signed-off-by: Guillaume Tucker +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/cache-l2x0.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c +index 12c26eb88afbc..43d91bfd23600 100644 +--- a/arch/arm/mm/cache-l2x0.c ++++ b/arch/arm/mm/cache-l2x0.c +@@ -1249,20 +1249,28 @@ static void __init l2c310_of_parse(const struct device_node *np, + + ret = of_property_read_u32(np, "prefetch-data", &val); + if (ret == 0) { +- if (val) ++ if (val) { + prefetch |= L310_PREFETCH_CTRL_DATA_PREFETCH; +- else ++ *aux_val |= L310_PREFETCH_CTRL_DATA_PREFETCH; ++ } else { + prefetch &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; ++ *aux_val &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; ++ } ++ *aux_mask &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; + } else if (ret != -EINVAL) { + pr_err("L2C-310 OF prefetch-data property value is missing\n"); + } + + ret = of_property_read_u32(np, "prefetch-instr", &val); + if (ret == 0) { +- if (val) ++ if (val) { + prefetch |= L310_PREFETCH_CTRL_INSTR_PREFETCH; +- else ++ *aux_val |= L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ } else { + prefetch &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ *aux_val &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ } ++ *aux_mask &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; + } else if (ret != -EINVAL) { + pr_err("L2C-310 OF prefetch-instr property value is missing\n"); + } +-- +2.25.1 + diff --git a/queue-5.4/arm-at91-pm-of_node_put-after-its-usage.patch b/queue-5.4/arm-at91-pm-of_node_put-after-its-usage.patch new file mode 100644 index 00000000000..83f826fca94 --- /dev/null +++ b/queue-5.4/arm-at91-pm-of_node_put-after-its-usage.patch @@ -0,0 +1,35 @@ +From 53a5bdcb74cca901b0318da9aeef8533e4235749 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:36:50 +0300 +Subject: ARM: at91: pm: of_node_put() after its usage + +From: Claudiu Beznea + +[ Upstream commit e222f943519564978e082c152b4140a47e93392c ] + +Put node after it has been used. + +Fixes: 13f16017d3e3f ("ARM: at91: pm: Tie the USB clock mask to the pmc") +Signed-off-by: Claudiu Beznea +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/1596616610-15460-4-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/mach-at91/pm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c +index 6bc3000deb86e..676cc2a318f41 100644 +--- a/arch/arm/mach-at91/pm.c ++++ b/arch/arm/mach-at91/pm.c +@@ -777,6 +777,7 @@ static void __init at91_pm_init(void (*pm_idle)(void)) + + pmc_np = of_find_matching_node_and_match(NULL, atmel_pmc_ids, &of_id); + soc_pm.data.pmc = of_iomap(pmc_np, 0); ++ of_node_put(pmc_np); + if (!soc_pm.data.pmc) { + pr_err("AT91: PM not supported, PMC not found\n"); + return; +-- +2.25.1 + diff --git a/queue-5.4/arm-dts-imx6sl-fix-rng-node.patch b/queue-5.4/arm-dts-imx6sl-fix-rng-node.patch new file mode 100644 index 00000000000..29cd5ead4a0 --- /dev/null +++ b/queue-5.4/arm-dts-imx6sl-fix-rng-node.patch @@ -0,0 +1,45 @@ +From f469fbef075719ae8df97fad13d0d3baffeb9373 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jul 2020 18:26:01 +0300 +Subject: ARM: dts: imx6sl: fix rng node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +[ Upstream commit 82ffb35c2ce63ef8e0325f75eb48022abcf8edbe ] + +rng DT node was added without a compatible string. + +i.MX driver for RNGC (drivers/char/hw_random/imx-rngc.c) also claims +support for RNGB, and is currently used for i.MX25. + +Let's use this driver also for RNGB block in i.MX6SL. + +Fixes: e29fe21cff96 ("ARM: dts: add device tree source for imx6sl SoC") +Signed-off-by: Horia Geantă +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sl.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi +index 3a96b5538a2a1..540880f0413fd 100644 +--- a/arch/arm/boot/dts/imx6sl.dtsi ++++ b/arch/arm/boot/dts/imx6sl.dtsi +@@ -936,8 +936,10 @@ memory-controller@21b0000 { + }; + + rngb: rngb@21b4000 { ++ compatible = "fsl,imx6sl-rngb", "fsl,imx25-rngb"; + reg = <0x021b4000 0x4000>; + interrupts = <0 5 IRQ_TYPE_LEVEL_HIGH>; ++ clocks = <&clks IMX6SL_CLK_DUMMY>; + }; + + weim: weim@21b8000 { +-- +2.25.1 + diff --git a/queue-5.4/arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch b/queue-5.4/arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch new file mode 100644 index 00000000000..eb03c1d4c91 --- /dev/null +++ b/queue-5.4/arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch @@ -0,0 +1,71 @@ +From 5539185dcd5fd8850f99a189cd8f229a7dc7704a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Aug 2020 20:19:57 +0200 +Subject: ARM: dts: meson8: remove two invalid interrupt lines from the GPU + node + +From: Martin Blumenstingl + +[ Upstream commit 737e7610b545cc901a9696083c1824a7104b8d1b ] + +The 3.10 vendor kernel defines the following GPU 20 interrupt lines: + #define INT_MALI_GP AM_IRQ(160) + #define INT_MALI_GP_MMU AM_IRQ(161) + #define INT_MALI_PP AM_IRQ(162) + #define INT_MALI_PMU AM_IRQ(163) + #define INT_MALI_PP0 AM_IRQ(164) + #define INT_MALI_PP0_MMU AM_IRQ(165) + #define INT_MALI_PP1 AM_IRQ(166) + #define INT_MALI_PP1_MMU AM_IRQ(167) + #define INT_MALI_PP2 AM_IRQ(168) + #define INT_MALI_PP2_MMU AM_IRQ(169) + #define INT_MALI_PP3 AM_IRQ(170) + #define INT_MALI_PP3_MMU AM_IRQ(171) + #define INT_MALI_PP4 AM_IRQ(172) + #define INT_MALI_PP4_MMU AM_IRQ(173) + #define INT_MALI_PP5 AM_IRQ(174) + #define INT_MALI_PP5_MMU AM_IRQ(175) + #define INT_MALI_PP6 AM_IRQ(176) + #define INT_MALI_PP6_MMU AM_IRQ(177) + #define INT_MALI_PP7 AM_IRQ(178) + #define INT_MALI_PP7_MMU AM_IRQ(179) + +However, the driver from the 3.10 vendor kernel does not use the +following four interrupt lines: +- INT_MALI_PP3 +- INT_MALI_PP3_MMU +- INT_MALI_PP7 +- INT_MALI_PP7_MMU + +Drop the "pp3" and "ppmmu3" interrupt lines. This is also important +because there is no matching entry in interrupt-names for it (meaning +the "pp2" interrupt is actually assigned to the "pp3" interrupt line). + +Fixes: 7d3f6b536e72c9 ("ARM: dts: meson8: add the Mali-450 MP6 GPU") +Reported-by: Thomas Graichen +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Tested-by: thomas graichen +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20200815181957.408649-1-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/meson8.dtsi | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/arm/boot/dts/meson8.dtsi b/arch/arm/boot/dts/meson8.dtsi +index db2033f674c67..3efe9d41c2bb6 100644 +--- a/arch/arm/boot/dts/meson8.dtsi ++++ b/arch/arm/boot/dts/meson8.dtsi +@@ -230,8 +230,6 @@ mali: gpu@c0000 { + , + , + , +- , +- , + , + , + , +-- +2.25.1 + diff --git a/queue-5.4/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch b/queue-5.4/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch new file mode 100644 index 00000000000..44c2cae28f7 --- /dev/null +++ b/queue-5.4/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch @@ -0,0 +1,53 @@ +From d0712c2dfe1cd26ef67f9279b640a2f01fd93ee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 16:53:17 +0300 +Subject: ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers + +From: Cristian Ciocaltea + +[ Upstream commit 55f6c9931f7c32f19cf221211f099dfd8dab3af9 ] + +The PPI interrupts for cortex-a9 were incorrectly specified, fix them. + +Fixes: fdfe7f4f9d85 ("ARM: dts: Add Actions Semi S500 and LeMaker Guitar") +Signed-off-by: Cristian Ciocaltea +Reviewed-by: Peter Korsgaard +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/owl-s500.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/owl-s500.dtsi b/arch/arm/boot/dts/owl-s500.dtsi +index 5ceb6cc4451d2..1dbe4e8b38ac7 100644 +--- a/arch/arm/boot/dts/owl-s500.dtsi ++++ b/arch/arm/boot/dts/owl-s500.dtsi +@@ -84,21 +84,21 @@ scu: scu@b0020000 { + global_timer: timer@b0020200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0xb0020200 0x100>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + + twd_timer: timer@b0020600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xb0020600 0x20>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + + twd_wdt: wdt@b0020620 { + compatible = "arm,cortex-a9-twd-wdt"; + reg = <0xb0020620 0xe0>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + +-- +2.25.1 + diff --git a/queue-5.4/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch b/queue-5.4/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch new file mode 100644 index 00000000000..96c0ad7e39e --- /dev/null +++ b/queue-5.4/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch @@ -0,0 +1,54 @@ +From fdcc94e7f3f1dcf3a7a928c00bb80e5b52f33899 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 21:36:49 +0200 +Subject: ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix dcdc1 regulator + +From: Jernej Skrabec + +[ Upstream commit 3658a2b7f3e16c7053eb8d70657b94bb62c5a0f4 ] + +DCDC1 regulator powers many different subsystems. While some of them can +work at 3.0 V, some of them can not. For example, VCC-HDMI can only work +between 3.24 V and 3.36 V. According to OS images provided by the board +manufacturer this regulator should be set to 3.3 V. + +Set DCDC1 and DCDC1SW to 3.3 V in order to fix this. + +Fixes: da7ac948fa93 ("ARM: dts: sun8i: Add board dts file for Banana Pi M2 Ultra") +Signed-off-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20200824193649.978197-1-jernej.skrabec@siol.net +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts b/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts +index 42d62d1ba1dc7..ea15073f0c79c 100644 +--- a/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts ++++ b/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts +@@ -223,16 +223,16 @@ ®_aldo3 { + }; + + ®_dc1sw { +- regulator-min-microvolt = <3000000>; +- regulator-max-microvolt = <3000000>; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; + regulator-name = "vcc-gmac-phy"; + }; + + ®_dcdc1 { + regulator-always-on; +- regulator-min-microvolt = <3000000>; +- regulator-max-microvolt = <3000000>; +- regulator-name = "vcc-3v0"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-3v3"; + }; + + ®_dcdc2 { +-- +2.25.1 + diff --git a/queue-5.4/arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch b/queue-5.4/arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch new file mode 100644 index 00000000000..1fa691fbb9f --- /dev/null +++ b/queue-5.4/arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch @@ -0,0 +1,42 @@ +From 075c3b1a2d23bea588a3d1e9bef26f5ad724419e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 09:16:22 +0300 +Subject: ARM: OMAP2+: Restore MPU power domain if cpu_cluster_pm_enter() fails + +From: Tony Lindgren + +[ Upstream commit 8f04aea048d56f3e39a7e543939450246542a6fc ] + +If cpu_cluster_pm_enter() fails, we need to set MPU power domain back +to enabled to prevent the next WFI from potentially triggering an +undesired MPU power domain state change. + +We already do this for omap_enter_idle_smp() but are missing it for +omap_enter_idle_coupled(). + +Fixes: 55be2f50336f ("ARM: OMAP2+: Handle errors for cpu_pm") +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/cpuidle44xx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c +index 6f5f89711f256..a92d277f81a08 100644 +--- a/arch/arm/mach-omap2/cpuidle44xx.c ++++ b/arch/arm/mach-omap2/cpuidle44xx.c +@@ -174,8 +174,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + */ + if (mpuss_can_lose_context) { + error = cpu_cluster_pm_enter(); +- if (error) ++ if (error) { ++ omap_set_pwrdm_state(mpu_pd, PWRDM_POWER_ON); + goto cpu_cluster_pm_out; ++ } + } + } + +-- +2.25.1 + diff --git a/queue-5.4/arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch b/queue-5.4/arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch new file mode 100644 index 00000000000..0a96f42cc1f --- /dev/null +++ b/queue-5.4/arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch @@ -0,0 +1,107 @@ +From 0126d403b40a0fdae19922d4515e2ea931709ecf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 20:20:20 +0200 +Subject: ARM: s3c24xx: fix mmc gpio lookup tables + +From: Arnd Bergmann + +[ Upstream commit 3af4e8774b6d03683932b0961998e01355bccd74 ] + +The gpio controller names differ between s3c24xx and s3c64xx, +and it seems that these all got the wrong names, using GPx instead +of GPIOx. + +Fixes: d2951dfa070d ("mmc: s3cmci: Use the slot GPIO descriptor") +Signed-off-by: Arnd Bergmann +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20200806182059.2431-3-krzk@kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/mach-s3c24xx/mach-at2440evb.c | 2 +- + arch/arm/mach-s3c24xx/mach-h1940.c | 4 ++-- + arch/arm/mach-s3c24xx/mach-mini2440.c | 4 ++-- + arch/arm/mach-s3c24xx/mach-n30.c | 4 ++-- + arch/arm/mach-s3c24xx/mach-rx1950.c | 4 ++-- + 5 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/mach-s3c24xx/mach-at2440evb.c b/arch/arm/mach-s3c24xx/mach-at2440evb.c +index 58c5ef3cf1d7e..2d370f7f75fa2 100644 +--- a/arch/arm/mach-s3c24xx/mach-at2440evb.c ++++ b/arch/arm/mach-s3c24xx/mach-at2440evb.c +@@ -143,7 +143,7 @@ static struct gpiod_lookup_table at2440evb_mci_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPG(10) */ +- GPIO_LOOKUP("GPG", 10, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOG", 10, "cd", GPIO_ACTIVE_LOW), + { }, + }, + }; +diff --git a/arch/arm/mach-s3c24xx/mach-h1940.c b/arch/arm/mach-s3c24xx/mach-h1940.c +index 74d6b68e91c74..8d9d8e7c71d4c 100644 +--- a/arch/arm/mach-s3c24xx/mach-h1940.c ++++ b/arch/arm/mach-s3c24xx/mach-h1940.c +@@ -468,9 +468,9 @@ static struct gpiod_lookup_table h1940_mmc_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPF(5) */ +- GPIO_LOOKUP("GPF", 5, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOF", 5, "cd", GPIO_ACTIVE_LOW), + /* Write protect S3C2410_GPH(8) */ +- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_LOW), + { }, + }, + }; +diff --git a/arch/arm/mach-s3c24xx/mach-mini2440.c b/arch/arm/mach-s3c24xx/mach-mini2440.c +index 9035f868fb34e..3a5b1124037b2 100644 +--- a/arch/arm/mach-s3c24xx/mach-mini2440.c ++++ b/arch/arm/mach-s3c24xx/mach-mini2440.c +@@ -244,9 +244,9 @@ static struct gpiod_lookup_table mini2440_mmc_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPG(8) */ +- GPIO_LOOKUP("GPG", 8, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOG", 8, "cd", GPIO_ACTIVE_LOW), + /* Write protect S3C2410_GPH(8) */ +- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_HIGH), + { }, + }, + }; +diff --git a/arch/arm/mach-s3c24xx/mach-n30.c b/arch/arm/mach-s3c24xx/mach-n30.c +index d856f23939aff..ffa20f52aa832 100644 +--- a/arch/arm/mach-s3c24xx/mach-n30.c ++++ b/arch/arm/mach-s3c24xx/mach-n30.c +@@ -359,9 +359,9 @@ static struct gpiod_lookup_table n30_mci_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPF(1) */ +- GPIO_LOOKUP("GPF", 1, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOF", 1, "cd", GPIO_ACTIVE_LOW), + /* Write protect S3C2410_GPG(10) */ +- GPIO_LOOKUP("GPG", 10, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOG", 10, "wp", GPIO_ACTIVE_LOW), + { }, + }, + }; +diff --git a/arch/arm/mach-s3c24xx/mach-rx1950.c b/arch/arm/mach-s3c24xx/mach-rx1950.c +index 29f9b345a5311..534e9c1d8161f 100644 +--- a/arch/arm/mach-s3c24xx/mach-rx1950.c ++++ b/arch/arm/mach-s3c24xx/mach-rx1950.c +@@ -567,9 +567,9 @@ static struct gpiod_lookup_table rx1950_mmc_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPF(5) */ +- GPIO_LOOKUP("GPF", 5, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOF", 5, "cd", GPIO_ACTIVE_LOW), + /* Write protect S3C2410_GPH(8) */ +- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_LOW), + { }, + }, + }; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-actions-limit-address-range-for-pinctrl-no.patch b/queue-5.4/arm64-dts-actions-limit-address-range-for-pinctrl-no.patch new file mode 100644 index 00000000000..404e894cf96 --- /dev/null +++ b/queue-5.4/arm64-dts-actions-limit-address-range-for-pinctrl-no.patch @@ -0,0 +1,54 @@ +From 7aed01a039af40bca9bbd986bff3f26c2e968ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 23:12:02 +0530 +Subject: arm64: dts: actions: limit address range for pinctrl node + +From: Amit Singh Tomar + +[ Upstream commit 4bb1eb3cd4bd6241d5e5f99bbfd801ea5a007b6c ] + +After commit 7cdf8446ed1d ("arm64: dts: actions: Add pinctrl node for +Actions Semi S700") following error has been observed while booting +Linux on Cubieboard7-lite(based on S700 SoC). + +[ 0.257415] pinctrl-s700 e01b0000.pinctrl: can't request region for +resource [mem 0xe01b0000-0xe01b0fff] +[ 0.266902] pinctrl-s700: probe of e01b0000.pinctrl failed with error -16 + +This is due to the fact that memory range for "sps" power domain controller +clashes with pinctrl. + +One way to fix it, is to limit pinctrl address range which is safe +to do as current pinctrl driver uses address range only up to 0x100. + +This commit limits the pinctrl address range to 0x100 so that it doesn't +conflict with sps range. + +Fixes: 7cdf8446ed1d ("arm64: dts: actions: Add pinctrl node for Actions +Semi S700") + +Reviewed-by: Manivannan Sadhasivam +Suggested-by: Andre Przywara +Signed-off-by: Amit Singh Tomar +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/actions/s700.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/actions/s700.dtsi b/arch/arm64/boot/dts/actions/s700.dtsi +index 2006ad5424fa6..f8eb72bb41254 100644 +--- a/arch/arm64/boot/dts/actions/s700.dtsi ++++ b/arch/arm64/boot/dts/actions/s700.dtsi +@@ -231,7 +231,7 @@ timer: timer@e024c000 { + + pinctrl: pinctrl@e01b0000 { + compatible = "actions,s700-pinctrl"; +- reg = <0x0 0xe01b0000 0x0 0x1000>; ++ reg = <0x0 0xe01b0000 0x0 0x100>; + clocks = <&cmu CLK_GPIO>; + gpio-controller; + gpio-ranges = <&pinctrl 0 0 136>; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch b/queue-5.4/arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch new file mode 100644 index 00000000000..f50bcaeafaf --- /dev/null +++ b/queue-5.4/arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch @@ -0,0 +1,52 @@ +From 7f8274ac0628a3418a3e72c468d825249692cadc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 14:27:55 +0800 +Subject: arm64: dts: allwinner: h5: remove Mali GPU PMU module + +From: Qiang Yu + +[ Upstream commit 2933bf3528007f834fb7f5eab033f9c5b0683f91 ] + +H5's Mali GPU PMU is not present or working corretly although +H5 datasheet record its interrupt vector. + +Adding this module will miss lead lima driver try to shutdown +it and get waiting timeout. This problem is not exposed before +lima runtime PM support is added. + +Fixes: bb39ed07e55b ("arm64: dts: allwinner: h5: Add device node for Mali-450 GPU") +Signed-off-by: Qiang Yu +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20200822062755.534761-1-yuq825@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi +index eaf8f83794fd9..8466d44ee0b15 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi ++++ b/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi +@@ -155,8 +155,7 @@ mali: gpu@1e80000 { + , + , + , +- , +- ; ++ ; + interrupt-names = "gp", + "gpmmu", + "pp", +@@ -167,8 +166,7 @@ mali: gpu@1e80000 { + "pp2", + "ppmmu2", + "pp3", +- "ppmmu3", +- "pmu"; ++ "ppmmu3"; + clocks = <&ccu CLK_BUS_GPU>, <&ccu CLK_GPU>; + clock-names = "bus", "core"; + resets = <&ccu RST_BUS_GPU>; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch b/queue-5.4/arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch new file mode 100644 index 00000000000..7534e19d508 --- /dev/null +++ b/queue-5.4/arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch @@ -0,0 +1,41 @@ +From 6ca1028252c9103344880f04b1cc0bececeb88b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 16:53:09 +0200 +Subject: arm64: dts: imx8mq: Add missing interrupts to GPC + +From: Krzysztof Kozlowski + +[ Upstream commit 791619f66843a213784efb2f171be98933bad991 ] + +The i.MX General Power Controller v2 device node was missing interrupts +property necessary to route its interrupt to GIC. This also fixes the +dbts_check warnings like: + + arch/arm64/boot/dts/freescale/imx8mq-evk.dt.yaml: gpc@303a0000: + {'compatible': ... '$nodename': ['gpc@303a0000']} is not valid under any of the given schemas + arch/arm64/boot/dts/freescale/imx8mq-evk.dt.yaml: gpc@303a0000: 'interrupts' is a required property + +Fixes: fdbcc04da246 ("arm64: dts: imx8mq: add GPC power domains") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Lucas Stach +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index bc8540f879654..f1011bcd5ed5a 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -516,6 +516,7 @@ src: reset-controller@30390000 { + gpc: gpc@303a0000 { + compatible = "fsl,imx8mq-gpc"; + reg = <0x303a0000 0x10000>; ++ interrupts = ; + interrupt-parent = <&gic>; + interrupt-controller; + #interrupt-cells = <3>; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-meson-vim3-correct-led-polarity.patch b/queue-5.4/arm64-dts-meson-vim3-correct-led-polarity.patch new file mode 100644 index 00000000000..ddca0ca5617 --- /dev/null +++ b/queue-5.4/arm64-dts-meson-vim3-correct-led-polarity.patch @@ -0,0 +1,43 @@ +From 060d26a70deed8de9717a3e7833c765348ee5eca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 16:18:50 +0200 +Subject: arm64: dts: meson: vim3: correct led polarity + +From: Jerome Brunet + +[ Upstream commit 1f9d87d08e4a2299e86f8a1600aedf87ecd3b636 ] + +The LEDs on the vim3 are active when the gpio is high, not low. + +Fixes: c6d29c66e582 ("arm64: dts: meson-g12b-khadas-vim3: add initial device-tree") +Signed-off-by: Jerome Brunet +Signed-off-by: Kevin Hilman +Link: https://lore.kernel.org/r/20200803141850.172704-1-jbrunet@baylibre.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi b/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi +index 8647da7d6609b..f6694aad84db3 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi +@@ -43,13 +43,13 @@ leds { + + white { + label = "vim3:white:sys"; +- gpios = <&gpio_ao GPIOAO_4 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio_ao GPIOAO_4 GPIO_ACTIVE_HIGH>; + linux,default-trigger = "heartbeat"; + }; + + red { + label = "vim3:red"; +- gpios = <&gpio_expander 5 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio_expander 5 GPIO_ACTIVE_HIGH>; + }; + }; + +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch b/queue-5.4/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch new file mode 100644 index 00000000000..34966c9ec09 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch @@ -0,0 +1,54 @@ +From 0e77e0f5466f38e6821aef80b7036f7f5bdff538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:12:11 +0200 +Subject: arm64: dts: qcom: msm8916: Fix MDP/DSI interrupts + +From: Stephan Gerhold + +[ Upstream commit 027cca9eb5b450c3f6bb916ba999144c2ec23cb7 ] + +The mdss node sets #interrupt-cells = <1>, so its interrupts +should be referenced using a single cell (in this case: only the +interrupt number). + +However, right now the mdp/dsi node both have two interrupt cells +set, e.g. interrupts = <4 0>. The 0 is probably meant to say +IRQ_TYPE_NONE (= 0), but with #interrupt-cells = <1> this is +actually interpreted as a second interrupt line. + +Remove the IRQ flags from both interrupts to fix this. + +Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200915071221.72895-5-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index ade2eb1781e37..d95273af9f1e4 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -934,7 +934,7 @@ mdp: mdp@1a01000 { + reg-names = "mdp_phys"; + + interrupt-parent = <&mdss>; +- interrupts = <0 0>; ++ interrupts = <0>; + + clocks = <&gcc GCC_MDSS_AHB_CLK>, + <&gcc GCC_MDSS_AXI_CLK>, +@@ -966,7 +966,7 @@ dsi0: dsi@1a98000 { + reg-names = "dsi_ctrl"; + + interrupt-parent = <&mdss>; +- interrupts = <4 0>; ++ interrupts = <4>; + + assigned-clocks = <&gcc BYTE0_CLK_SRC>, + <&gcc PCLK0_CLK_SRC>; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch b/queue-5.4/arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch new file mode 100644 index 00000000000..e782bb8ab9e --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch @@ -0,0 +1,71 @@ +From 78ac66ae4de1fa049d58f6670d12c77d104617e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:12:09 +0200 +Subject: arm64: dts: qcom: msm8916: Remove one more thermal trip point unit + name + +From: Stephan Gerhold + +[ Upstream commit e6859ae8603c5946b8f3ecbd9b4f02b72955b9d0 ] + +Commit fe2aff0c574d2 ("arm64: dts: qcom: msm8916: remove unit name for thermal trip points") +removed the unit names for most of the thermal trip points defined +in msm8916.dtsi, but missed to update the one for cpu0_1-thermal. + +So why wasn't this spotted by "make dtbs_check"? Apparently, the name +of the thermal zone is already invalid: thermal-zones.yaml specifies +a regex of ^[a-zA-Z][a-zA-Z0-9\\-]{1,12}-thermal$, so it is not allowed +to contain underscores. Therefore the thermal zone was never verified +using the DTB schema. + +After replacing the underscore in the thermal zone name, the warning +shows up: + + apq8016-sbc.dt.yaml: thermal-zones: cpu0-1-thermal:trips: 'trip-point@0' + does not match any of the regexes: '^[a-zA-Z][a-zA-Z0-9\\-_]{0,63}$', 'pinctrl-[0-9]+' + +Fix up the thermal zone names and remove the unit name for the trip point. + +Cc: Amit Kucheria +Fixes: fe2aff0c574d2 ("arm64: dts: qcom: msm8916: remove unit name for thermal trip points") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200915071221.72895-3-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 340da154d4e37..ade2eb1781e37 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -175,14 +175,14 @@ pmu { + }; + + thermal-zones { +- cpu0_1-thermal { ++ cpu0-1-thermal { + polling-delay-passive = <250>; + polling-delay = <1000>; + + thermal-sensors = <&tsens 4>; + + trips { +- cpu0_1_alert0: trip-point@0 { ++ cpu0_1_alert0: trip-point0 { + temperature = <75000>; + hysteresis = <2000>; + type = "passive"; +@@ -205,7 +205,7 @@ map0 { + }; + }; + +- cpu2_3-thermal { ++ cpu2-3-thermal { + polling-delay-passive = <250>; + polling-delay = <1000>; + +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch b/queue-5.4/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch new file mode 100644 index 00000000000..1b8f514591e --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch @@ -0,0 +1,48 @@ +From f1d259393862d52a9aacc3fa0ba4eafaa3e6cbde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:12:10 +0200 +Subject: arm64: dts: qcom: pm8916: Remove invalid reg size from wcd_codec + +From: Stephan Gerhold + +[ Upstream commit c2f0cbb57dbac6da3d38b47b5b96de0fe4e23884 ] + +Tha parent node of "wcd_codec" specifies #address-cells = <1> +and #size-cells = <0>, which means that each resource should be +described by one cell for the address and size omitted. + +However, wcd_codec currently lists 0x200 as second cell (probably +the size of the resource). When parsing this would be treated like +another memory resource - which is entirely wrong. + +To quote the device tree specification [1]: + "If the parent node specifies a value of 0 for #size-cells, + the length field in the value of reg shall be omitted." + +[1]: https://www.devicetree.org/specifications/ + +Fixes: 5582fcb3829f ("arm64: dts: apq8016-sbc: add analog audio support with multicodec") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200915071221.72895-4-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pm8916.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/pm8916.dtsi b/arch/arm64/boot/dts/qcom/pm8916.dtsi +index 9dd2df1cbf47d..40df4d95a47ac 100644 +--- a/arch/arm64/boot/dts/qcom/pm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/pm8916.dtsi +@@ -113,7 +113,7 @@ pm8916_1: pm8916@1 { + + wcd_codec: codec@f000 { + compatible = "qcom,pm8916-wcd-analog-codec"; +- reg = <0xf000 0x200>; ++ reg = <0xf000>; + reg-names = "pmic-codec-core"; + clocks = <&gcc GCC_CODEC_DIGCODEC_CLK>; + clock-names = "mclk"; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch b/queue-5.4/arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch new file mode 100644 index 00000000000..7a586766d99 --- /dev/null +++ b/queue-5.4/arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch @@ -0,0 +1,39 @@ +From e8e980af6e848e22da743c833f1da0fc1acdc843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 15:21:17 +0200 +Subject: arm64: dts: renesas: r8a774c0: Fix MSIOF1 DMA channels + +From: Geert Uytterhoeven + +[ Upstream commit c91dfc9818df5f43c10c727f1cecaebdb5e2fa92 ] + +According to Technical Update TN-RCT-S0352A/E, MSIOF1 DMA can only be +used with SYS-DMAC0 on R-Car E3. + +Fixes: 62c0056f1c3eb15d ("arm64: dts: renesas: r8a774c0: Add MSIOF nodes") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20200917132117.8515-3-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r8a774c0.dtsi | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r8a774c0.dtsi b/arch/arm64/boot/dts/renesas/r8a774c0.dtsi +index a1c2de90e4706..73ded80a79ba0 100644 +--- a/arch/arm64/boot/dts/renesas/r8a774c0.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a774c0.dtsi +@@ -1212,9 +1212,8 @@ msiof1: spi@e6ea0000 { + reg = <0 0xe6ea0000 0 0x0064>; + interrupts = ; + clocks = <&cpg CPG_MOD 210>; +- dmas = <&dmac1 0x43>, <&dmac1 0x42>, +- <&dmac2 0x43>, <&dmac2 0x42>; +- dma-names = "tx", "rx", "tx", "rx"; ++ dmas = <&dmac0 0x43>, <&dmac0 0x42>; ++ dma-names = "tx", "rx"; + power-domains = <&sysc R8A774C0_PD_ALWAYS_ON>; + resets = <&cpg 210>; + #address-cells = <1>; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch b/queue-5.4/arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch new file mode 100644 index 00000000000..21fabcaebf5 --- /dev/null +++ b/queue-5.4/arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch @@ -0,0 +1,39 @@ +From 51ca09d14fa5cb633fdacabff87d96442bc57691 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 15:21:16 +0200 +Subject: arm64: dts: renesas: r8a77990: Fix MSIOF1 DMA channels + +From: Geert Uytterhoeven + +[ Upstream commit 453802c463abd003a7c38ffbc90b67ba162335b6 ] + +According to Technical Update TN-RCT-S0352A/E, MSIOF1 DMA can only be +used with SYS-DMAC0 on R-Car E3. + +Fixes: 8517042060b55a37 ("arm64: dts: renesas: r8a77990: Add DMA properties to MSIOF nodes") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20200917132117.8515-2-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r8a77990.dtsi | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r8a77990.dtsi b/arch/arm64/boot/dts/renesas/r8a77990.dtsi +index 455954c3d98ea..dabee157119f9 100644 +--- a/arch/arm64/boot/dts/renesas/r8a77990.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a77990.dtsi +@@ -1168,9 +1168,8 @@ msiof1: spi@e6ea0000 { + reg = <0 0xe6ea0000 0 0x0064>; + interrupts = ; + clocks = <&cpg CPG_MOD 210>; +- dmas = <&dmac1 0x43>, <&dmac1 0x42>, +- <&dmac2 0x43>, <&dmac2 0x42>; +- dma-names = "tx", "rx", "tx", "rx"; ++ dmas = <&dmac0 0x43>, <&dmac0 0x42>; ++ dma-names = "tx", "rx"; + power-domains = <&sysc R8A77990_PD_ALWAYS_ON>; + resets = <&cpg 210>; + #address-cells = <1>; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-zynqmp-remove-additional-compatible-string.patch b/queue-5.4/arm64-dts-zynqmp-remove-additional-compatible-string.patch new file mode 100644 index 00000000000..9e5da0893bc --- /dev/null +++ b/queue-5.4/arm64-dts-zynqmp-remove-additional-compatible-string.patch @@ -0,0 +1,60 @@ +From 4a132167c58e62b28e77f5aa2b305389c80ef4e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 10:59:14 +0200 +Subject: arm64: dts: zynqmp: Remove additional compatible string for i2c IPs + +From: Michal Simek + +[ Upstream commit 35292518cb0a626fcdcabf739aed75060a018ab5 ] + +DT binding permits only one compatible string which was decribed in past by +commit 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq +Ultrascale+ MPSoC"). +The commit aea37006e183 ("dt-bindings: i2c: cadence: Migrate i2c-cadence +documentation to YAML") has converted binding to yaml and the following +issues is reported: +...: i2c@ff030000: compatible: Additional items are not allowed +('cdns,i2c-r1p10' was unexpected) + From schema: +.../Documentation/devicetree/bindings/i2c/cdns,i2c-r1p10.yaml fds +...: i2c@ff030000: compatible: ['cdns,i2c-r1p14', 'cdns,i2c-r1p10'] is too +long + +The commit c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") +has added the second compatible string but without removing origin one. +The patch is only keeping one compatible string "cdns,i2c-r1p14". + +Fixes: c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") +Signed-off-by: Michal Simek +Link: https://lore.kernel.org/r/cc294ae1a79ef845af6809ddb4049f0c0f5bb87a.1598259551.git.michal.simek@xilinx.com +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi +index 9aa67340a4d8c..a2645262f8623 100644 +--- a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi ++++ b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi +@@ -419,7 +419,7 @@ gpio: gpio@ff0a0000 { + }; + + i2c0: i2c@ff020000 { +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10"; ++ compatible = "cdns,i2c-r1p14"; + status = "disabled"; + interrupt-parent = <&gic>; + interrupts = <0 17 4>; +@@ -429,7 +429,7 @@ i2c0: i2c@ff020000 { + }; + + i2c1: i2c@ff030000 { +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10"; ++ compatible = "cdns,i2c-r1p14"; + status = "disabled"; + interrupt-parent = <&gic>; + interrupts = <0 18 4>; +-- +2.25.1 + diff --git a/queue-5.4/asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch b/queue-5.4/asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch new file mode 100644 index 00000000000..f59be434812 --- /dev/null +++ b/queue-5.4/asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch @@ -0,0 +1,75 @@ +From e38060a4b961846448f79d747311fa5f86df325e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 21:02:24 +0800 +Subject: ASoC: fsl: imx-es8328: add missing put_device() call in + imx_es8328_probe() + +From: Yu Kuai + +[ Upstream commit e525db7e4b44c5b2b5aac0dad24e23cb58c54d22 ] + +if of_find_device_by_node() succeed, imx_es8328_probe() doesn't have +a corresponding put_device(). Thus add a jump target to fix the exception +handling for this function implementation. + +Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20200825130224.1488694-1-yukuai3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-es8328.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/fsl/imx-es8328.c b/sound/soc/fsl/imx-es8328.c +index 15a27a2cd0cae..fad1eb6253d53 100644 +--- a/sound/soc/fsl/imx-es8328.c ++++ b/sound/soc/fsl/imx-es8328.c +@@ -145,13 +145,13 @@ static int imx_es8328_probe(struct platform_device *pdev) + data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL); + if (!data) { + ret = -ENOMEM; +- goto fail; ++ goto put_device; + } + + comp = devm_kzalloc(dev, 3 * sizeof(*comp), GFP_KERNEL); + if (!comp) { + ret = -ENOMEM; +- goto fail; ++ goto put_device; + } + + data->dev = dev; +@@ -182,12 +182,12 @@ static int imx_es8328_probe(struct platform_device *pdev) + ret = snd_soc_of_parse_card_name(&data->card, "model"); + if (ret) { + dev_err(dev, "Unable to parse card name\n"); +- goto fail; ++ goto put_device; + } + ret = snd_soc_of_parse_audio_routing(&data->card, "audio-routing"); + if (ret) { + dev_err(dev, "Unable to parse routing: %d\n", ret); +- goto fail; ++ goto put_device; + } + data->card.num_links = 1; + data->card.owner = THIS_MODULE; +@@ -196,10 +196,12 @@ static int imx_es8328_probe(struct platform_device *pdev) + ret = snd_soc_register_card(&data->card); + if (ret) { + dev_err(dev, "Unable to register: %d\n", ret); +- goto fail; ++ goto put_device; + } + + platform_set_drvdata(pdev, data); ++put_device: ++ put_device(&ssi_pdev->dev); + fail: + of_node_put(ssi_np); + of_node_put(codec_np); +-- +2.25.1 + diff --git a/queue-5.4/asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch b/queue-5.4/asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch new file mode 100644 index 00000000000..c2e5a5dd497 --- /dev/null +++ b/queue-5.4/asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch @@ -0,0 +1,92 @@ +From 3cae98325dbb7994c2274bd62a52559691a26538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 18:26:00 +0800 +Subject: ASoC: fsl_sai: Instantiate snd_soc_dai_driver + +From: Shengjiu Wang + +[ Upstream commit 22a16145af824f91014d07f8664114859900b9e6 ] + +Instantiate snd_soc_dai_driver for independent symmetric control. +Otherwise the symmetric setting may be overwritten by other +instance. + +Fixes: 08fdf65e37d5 ("ASoC: fsl_sai: Add asynchronous mode support") +Signed-off-by: Shengjiu Wang +Link: https://lore.kernel.org/r/1600424760-32071-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_sai.c | 19 +++++++++++-------- + sound/soc/fsl/fsl_sai.h | 1 + + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 914b75c23d1bf..027259695551c 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -694,7 +694,7 @@ static int fsl_sai_dai_probe(struct snd_soc_dai *cpu_dai) + return 0; + } + +-static struct snd_soc_dai_driver fsl_sai_dai = { ++static struct snd_soc_dai_driver fsl_sai_dai_template = { + .probe = fsl_sai_dai_probe, + .playback = { + .stream_name = "CPU-Playback", +@@ -965,12 +965,15 @@ static int fsl_sai_probe(struct platform_device *pdev) + return ret; + } + ++ memcpy(&sai->cpu_dai_drv, &fsl_sai_dai_template, ++ sizeof(fsl_sai_dai_template)); ++ + /* Sync Tx with Rx as default by following old DT binding */ + sai->synchronous[RX] = true; + sai->synchronous[TX] = false; +- fsl_sai_dai.symmetric_rates = 1; +- fsl_sai_dai.symmetric_channels = 1; +- fsl_sai_dai.symmetric_samplebits = 1; ++ sai->cpu_dai_drv.symmetric_rates = 1; ++ sai->cpu_dai_drv.symmetric_channels = 1; ++ sai->cpu_dai_drv.symmetric_samplebits = 1; + + if (of_find_property(np, "fsl,sai-synchronous-rx", NULL) && + of_find_property(np, "fsl,sai-asynchronous", NULL)) { +@@ -987,9 +990,9 @@ static int fsl_sai_probe(struct platform_device *pdev) + /* Discard all settings for asynchronous mode */ + sai->synchronous[RX] = false; + sai->synchronous[TX] = false; +- fsl_sai_dai.symmetric_rates = 0; +- fsl_sai_dai.symmetric_channels = 0; +- fsl_sai_dai.symmetric_samplebits = 0; ++ sai->cpu_dai_drv.symmetric_rates = 0; ++ sai->cpu_dai_drv.symmetric_channels = 0; ++ sai->cpu_dai_drv.symmetric_samplebits = 0; + } + + if (of_find_property(np, "fsl,sai-mclk-direction-output", NULL) && +@@ -1018,7 +1021,7 @@ static int fsl_sai_probe(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + + ret = devm_snd_soc_register_component(&pdev->dev, &fsl_component, +- &fsl_sai_dai, 1); ++ &sai->cpu_dai_drv, 1); + if (ret) + goto err_pm_disable; + +diff --git a/sound/soc/fsl/fsl_sai.h b/sound/soc/fsl/fsl_sai.h +index 6aba7d28f5f34..677ecfc1ec68f 100644 +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -180,6 +180,7 @@ struct fsl_sai { + unsigned int bclk_ratio; + + const struct fsl_sai_soc_data *soc_data; ++ struct snd_soc_dai_driver cpu_dai_drv; + struct snd_dmaengine_dai_dma_data dma_params_rx; + struct snd_dmaengine_dai_dma_data dma_params_tx; + }; +-- +2.25.1 + diff --git a/queue-5.4/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch b/queue-5.4/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch new file mode 100644 index 00000000000..ad51d00b040 --- /dev/null +++ b/queue-5.4/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch @@ -0,0 +1,62 @@ +From 385e4556b5366b6077b59049f8a0f3af099f0c61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 16:23:02 +0530 +Subject: ASoC: qcom: lpass-cpu: fix concurrency issue + +From: Rohit kumar + +[ Upstream commit 753a6e17942f6f425ca622e1610625998312ad89 ] + +i2sctl register value is set to 0 during hw_free(). This +impacts any ongoing concurrent session on the same i2s +port. As trigger() stop already resets enable bit to 0, +there is no need of explicit hw_free. Removing it to +fix the issue. + +Fixes: 80beab8e1d86 ("ASoC: qcom: Add LPASS CPU DAI driver") +Signed-off-by: Rohit kumar +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/1597402388-14112-7-git-send-email-rohitkr@codeaurora.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/lpass-cpu.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/sound/soc/qcom/lpass-cpu.c b/sound/soc/qcom/lpass-cpu.c +index dbce7e92baf3c..c5d6952a4a33f 100644 +--- a/sound/soc/qcom/lpass-cpu.c ++++ b/sound/soc/qcom/lpass-cpu.c +@@ -174,21 +174,6 @@ static int lpass_cpu_daiops_hw_params(struct snd_pcm_substream *substream, + return 0; + } + +-static int lpass_cpu_daiops_hw_free(struct snd_pcm_substream *substream, +- struct snd_soc_dai *dai) +-{ +- struct lpass_data *drvdata = snd_soc_dai_get_drvdata(dai); +- int ret; +- +- ret = regmap_write(drvdata->lpaif_map, +- LPAIF_I2SCTL_REG(drvdata->variant, dai->driver->id), +- 0); +- if (ret) +- dev_err(dai->dev, "error writing to i2sctl reg: %d\n", ret); +- +- return ret; +-} +- + static int lpass_cpu_daiops_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { +@@ -269,7 +254,6 @@ const struct snd_soc_dai_ops asoc_qcom_lpass_cpu_dai_ops = { + .startup = lpass_cpu_daiops_startup, + .shutdown = lpass_cpu_daiops_shutdown, + .hw_params = lpass_cpu_daiops_hw_params, +- .hw_free = lpass_cpu_daiops_hw_free, + .prepare = lpass_cpu_daiops_prepare, + .trigger = lpass_cpu_daiops_trigger, + }; +-- +2.25.1 + diff --git a/queue-5.4/asoc-qcom-lpass-platform-fix-memory-leak.patch b/queue-5.4/asoc-qcom-lpass-platform-fix-memory-leak.patch new file mode 100644 index 00000000000..9c189a785aa --- /dev/null +++ b/queue-5.4/asoc-qcom-lpass-platform-fix-memory-leak.patch @@ -0,0 +1,46 @@ +From 2eb949a858fbd71fc2136ec8884ff5e1d874f6e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 16:23:00 +0530 +Subject: ASoC: qcom: lpass-platform: fix memory leak + +From: Rohit kumar + +[ Upstream commit 5fd188215d4eb52703600d8986b22311099a5940 ] + +lpass_pcm_data is never freed. Free it in close +ops to avoid memory leak. + +Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage") +Signed-off-by: Rohit kumar +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/1597402388-14112-5-git-send-email-rohitkr@codeaurora.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/lpass-platform.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/qcom/lpass-platform.c b/sound/soc/qcom/lpass-platform.c +index 4c745baa39f73..9acaef81dd74c 100644 +--- a/sound/soc/qcom/lpass-platform.c ++++ b/sound/soc/qcom/lpass-platform.c +@@ -61,7 +61,7 @@ static int lpass_platform_pcmops_open(struct snd_pcm_substream *substream) + int ret, dma_ch, dir = substream->stream; + struct lpass_pcm_data *data; + +- data = devm_kzalloc(soc_runtime->dev, sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -119,6 +119,7 @@ static int lpass_platform_pcmops_close(struct snd_pcm_substream *substream) + if (v->free_dma_channel) + v->free_dma_channel(drvdata, data->dma_ch); + ++ kfree(data); + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.4/asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch b/queue-5.4/asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch new file mode 100644 index 00000000000..8ca2b368093 --- /dev/null +++ b/queue-5.4/asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch @@ -0,0 +1,60 @@ +From c26664fa3a714e8364ecfc7ea76946df99b14f0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 19:31:39 +0200 +Subject: ASoC: tlv320aic32x4: Fix bdiv clock rate derivation + +From: Miquel Raynal + +[ Upstream commit 40b37136287ba6b34aa2f1f6123f3d6d205dc2f0 ] + +Current code expects a single channel to be always used. Fix this +situation by forwarding the number of channels used. Then fix the +derivation of the bdiv clock rate. + +Fixes: 96c3bb00239d ("ASoC: tlv320aic32x4: Dynamically Determine Clocking") +Suggested-by: Alexandre Belloni +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20200911173140.29984-3-miquel.raynal@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320aic32x4.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/tlv320aic32x4.c b/sound/soc/codecs/tlv320aic32x4.c +index 68165de1c8dea..7a1ffbaf48be5 100644 +--- a/sound/soc/codecs/tlv320aic32x4.c ++++ b/sound/soc/codecs/tlv320aic32x4.c +@@ -662,7 +662,7 @@ static int aic32x4_set_processing_blocks(struct snd_soc_component *component, + } + + static int aic32x4_setup_clocks(struct snd_soc_component *component, +- unsigned int sample_rate) ++ unsigned int sample_rate, unsigned int channels) + { + u8 aosr; + u16 dosr; +@@ -750,7 +750,9 @@ static int aic32x4_setup_clocks(struct snd_soc_component *component, + dosr); + + clk_set_rate(clocks[5].clk, +- sample_rate * 32); ++ sample_rate * 32 * ++ channels); ++ + return 0; + } + } +@@ -772,7 +774,8 @@ static int aic32x4_hw_params(struct snd_pcm_substream *substream, + u8 iface1_reg = 0; + u8 dacsetup_reg = 0; + +- aic32x4_setup_clocks(component, params_rate(params)); ++ aic32x4_setup_clocks(component, params_rate(params), ++ params_channels(params)); + + switch (params_width(params)) { + case 16: +-- +2.25.1 + diff --git a/queue-5.4/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch b/queue-5.4/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch new file mode 100644 index 00000000000..addc40a597b --- /dev/null +++ b/queue-5.4/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch @@ -0,0 +1,68 @@ +From 6aea8cab73778ca67fa373a802481d0329cd4b9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 18:11:05 -0400 +Subject: ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() + +From: Zekun Shen + +[ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ] + +The idx in __ath10k_htt_rx_ring_fill_n function lives in +consistent dma region writable by the device. Malfunctional +or malicious device could manipulate such idx to have a OOB +write. Either by + htt->rx_ring.netbufs_ring[idx] = skb; +or by + ath10k_htt_set_paddrs_ring(htt, paddr, idx); + +The idx can also be negative as it's signed, giving a large +memory space to write to. + +It's possibly exploitable by corruptting a legit pointer with +a skb pointer. And then fill skb with payload as rougue object. + +Part of the log here. Sometimes it appears as UAF when writing +to a freed memory by chance. + + [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0 + [ 15.595483] #PF: supervisor write access in kernel mode + [ 15.596250] #PF: error_code(0x0002) - not-present page + [ 15.597013] PGD 0 P4D 0 + [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI + [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69 + [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core] + [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n + (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core + +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 9f0e7b4943ec6..8ca0a808a644d 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -142,6 +142,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num) + BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2); + + idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr); ++ ++ if (idx < 0 || idx >= htt->rx_ring.size) { ++ ath10k_err(htt->ar, "rx ring index is not valid, firmware malfunctioning?\n"); ++ idx &= htt->rx_ring.size_mask; ++ ret = -ENOMEM; ++ goto fail; ++ } ++ + while (num > 0) { + skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN); + if (!skb) { +-- +2.25.1 + diff --git a/queue-5.4/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch b/queue-5.4/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch new file mode 100644 index 00000000000..3216d0d1e1d --- /dev/null +++ b/queue-5.4/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch @@ -0,0 +1,39 @@ +From 0470ac8685a5f667d2a5c05fe0c06b1d7cf67237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 14:22:27 +0200 +Subject: ath10k: Fix the size used in a 'dma_free_coherent()' call in an error + handling path + +From: Christophe JAILLET + +[ Upstream commit 454530a9950b5a26d4998908249564cedfc4babc ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()'. + +Fixes: 1863008369ae ("ath10k: fix shadow register implementation for WCN3990") +Signed-off-by: Christophe JAILLET +Reviewed-by: Rakesh Pillai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802122227.678637-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/ce.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c +index eca87f7c5b6c1..01e05af5ae085 100644 +--- a/drivers/net/wireless/ath/ath10k/ce.c ++++ b/drivers/net/wireless/ath/ath10k/ce.c +@@ -1555,7 +1555,7 @@ ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id, + ret = ath10k_ce_alloc_shadow_base(ar, src_ring, nentries); + if (ret) { + dma_free_coherent(ar->dev, +- (nentries * sizeof(struct ce_desc_64) + ++ (nentries * sizeof(struct ce_desc) + + CE_DESC_RING_ALIGN), + src_ring->base_addr_owner_space_unaligned, + base_addr); +-- +2.25.1 + diff --git a/queue-5.4/ath10k-provide-survey-info-as-accumulated-data.patch b/queue-5.4/ath10k-provide-survey-info-as-accumulated-data.patch new file mode 100644 index 00000000000..295154a0507 --- /dev/null +++ b/queue-5.4/ath10k-provide-survey-info-as-accumulated-data.patch @@ -0,0 +1,73 @@ +From e9cf25c876ac2ca7557cce33f4f8a3e5f17b9c5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 20:29:03 +0300 +Subject: ath10k: provide survey info as accumulated data + +From: Venkateswara Naralasetty + +[ Upstream commit 720e5c03e5cb26d33d97f55192b791bb48478aa5 ] + +It is expected that the returned counters by .get_survey are monotonic +increasing. But the data from ath10k gets reset to zero regularly. Channel +active/busy time are then showing incorrect values (less than previous or +sometimes zero) for the currently active channel during successive survey +dump commands. + +example: + + $ iw dev wlan0 survey dump + Survey data from wlan0 + frequency: 5180 MHz [in use] + channel active time: 54995 ms + channel busy time: 432 ms + channel receive time: 0 ms + channel transmit time: 59 ms + ... + + $ iw dev wlan0 survey dump + Survey data from wlan0 + frequency: 5180 MHz [in use] + channel active time: 32592 ms + channel busy time: 254 ms + channel receive time: 0 ms + channel transmit time: 0 ms + ... + +The correct way to handle this is to use the non-clearing +WMI_BSS_SURVEY_REQ_TYPE_READ wmi_bss_survey_req_type. The firmware will +then accumulate the survey data and handle wrap arounds. + +Tested-on: QCA9984 hw1.0 10.4-3.5.3-00057 +Tested-on: QCA988X hw2.0 10.2.4-1.0-00047 +Tested-on: QCA9888 hw2.0 10.4-3.9.0.2-00024 +Tested-on: QCA4019 hw1.0 10.4-3.6-00140 + +Fixes: fa7937e3d5c2 ("ath10k: update bss channel survey information") +Signed-off-by: Venkateswara Naralasetty +Tested-by: Markus Theil +Tested-by: John Deere <24601deerej@gmail.com> +[sven@narfation.org: adjust commit message] +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1592232686-28712-1-git-send-email-kvalo@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index d373602a80145..915ba2a7f7448 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -7131,7 +7131,7 @@ ath10k_mac_update_bss_chan_survey(struct ath10k *ar, + struct ieee80211_channel *channel) + { + int ret; +- enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ_CLEAR; ++ enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ; + + lockdep_assert_held(&ar->conf_mutex); + +-- +2.25.1 + diff --git a/queue-5.4/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch b/queue-5.4/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch new file mode 100644 index 00000000000..e66a7f0a6f9 --- /dev/null +++ b/queue-5.4/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch @@ -0,0 +1,39 @@ +From 849d1ec50dcf73f629647d9865b418d74f4b6165 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:13:15 +0300 +Subject: ath6kl: prevent potential array overflow in ath6kl_add_new_sta() + +From: Dan Carpenter + +[ Upstream commit 54f9ab7b870934b70e5a21786d951fbcf663970f ] + +The value for "aid" comes from skb->data so Smatch marks it as +untrusted. If it's invalid then it can result in an out of bounds array +access in ath6kl_add_new_sta(). + +Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200813141315.GB457408@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c +index 5e7ea838a9218..814131a0680a4 100644 +--- a/drivers/net/wireless/ath/ath6kl/main.c ++++ b/drivers/net/wireless/ath/ath6kl/main.c +@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr, + + ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid); + ++ if (aid < 1 || aid > AP_MAX_NUM_STA) ++ return; ++ + if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) { + struct ieee80211_mgmt *mgmt = + (struct ieee80211_mgmt *) assoc_info; +-- +2.25.1 + diff --git a/queue-5.4/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch b/queue-5.4/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch new file mode 100644 index 00000000000..909bcd86429 --- /dev/null +++ b/queue-5.4/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch @@ -0,0 +1,43 @@ +From 962546d225d6fa1dd1037b22549180f50bca919a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 17:27:32 +0300 +Subject: ath6kl: wmi: prevent a shift wrapping bug in + ath6kl_wmi_delete_pstream_cmd() + +From: Dan Carpenter + +[ Upstream commit 6a950755cec1a90ddaaff3e4acb5333617441c32 ] + +The "tsid" is a user controlled u8 which comes from debugfs. Values +more than 15 are invalid because "active_tsids" is a 16 bit variable. +If the value of "tsid" is more than 31 then that leads to a shift +wrapping bug. + +Fixes: 8fffd9e5ec9e ("ath6kl: Implement support for QOS-enable and QOS-disable from userspace") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200918142732.GA909725@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/wmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c +index 2382c6c46851e..c610fe21c85c0 100644 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c +@@ -2645,6 +2645,11 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class, + return -EINVAL; + } + ++ if (tsid >= 16) { ++ ath6kl_err("invalid tsid: %d\n", tsid); ++ return -EINVAL; ++ } ++ + skb = ath6kl_wmi_get_new_buf(sizeof(*cmd)); + if (!skb) + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-5.4/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch b/queue-5.4/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch new file mode 100644 index 00000000000..43fffffd2f7 --- /dev/null +++ b/queue-5.4/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch @@ -0,0 +1,42 @@ +From 467f5dd0d3a2f7d984271ca1e0a8a244e5031148 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:12:53 +0300 +Subject: ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() + +From: Dan Carpenter + +[ Upstream commit 2705cd7558e718a7240c64eb0afb2edad5f8c190 ] + +The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks +it as untrusted so we have to check it before using it as an array +offset. + +This is similar to a bug that syzkaller found in commit e4ff08a4d727 +("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is +probably a real issue. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200813141253.GA457408@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index d2e062eaf5614..510e61e97dbcb 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -339,6 +339,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle, + + if (skb) { + htc_hdr = (struct htc_frame_hdr *) skb->data; ++ if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint)) ++ goto ret; + endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id]; + skb_pull(skb, sizeof(struct htc_frame_hdr)); + +-- +2.25.1 + diff --git a/queue-5.4/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch b/queue-5.4/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch new file mode 100644 index 00000000000..ce976526d24 --- /dev/null +++ b/queue-5.4/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch @@ -0,0 +1,92 @@ +From 1418d1585503d0b7b2715687dea18d3f1a38deca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 03:14:27 -0400 +Subject: ath9k: hif_usb: fix race condition between usb_get_urb() and + usb_kill_anchored_urbs() + +From: Brooke Basile + +[ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ] + +Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor +systems create a race condition in which usb_kill_anchored_urbs() deallocates +the URB before the completer callback is called in usb_kill_urb(), resulting +in a use-after-free. +To fix this, add proper lock protection to usb_kill_urb() calls that can +possibly run concurrently with usb_kill_anchored_urbs(). + +Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf +Signed-off-by: Brooke Basile +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 3f563e02d17da..2ed98aaed6fb5 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -449,10 +449,19 @@ static void hif_usb_stop(void *hif_handle) + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + /* The pending URBs have to be canceled. */ ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_pending, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); ++ list_del(&tx_buf->list); ++ usb_free_urb(tx_buf->urb); ++ kfree(tx_buf->buf); ++ kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); + } +@@ -762,27 +771,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) + struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; + unsigned long flags; + ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_buf, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + hif_dev->tx.flags |= HIF_USB_TX_FLUSH; + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_pending, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); + } +-- +2.25.1 + diff --git a/queue-5.4/backlight-sky81452-backlight-fix-refcount-imbalance-.patch b/queue-5.4/backlight-sky81452-backlight-fix-refcount-imbalance-.patch new file mode 100644 index 00000000000..43254efdc4c --- /dev/null +++ b/queue-5.4/backlight-sky81452-backlight-fix-refcount-imbalance-.patch @@ -0,0 +1,37 @@ +From 8cd6e0d18523bd3987fa19be091e0e89e8199215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:38:17 +0800 +Subject: backlight: sky81452-backlight: Fix refcount imbalance on error + +From: dinghao.liu@zju.edu.cn + +[ Upstream commit b7a4f80bc316a56d6ec8750e93e66f42431ed960 ] + +When of_property_read_u32_array() returns an error code, a +pairing refcount decrement is needed to keep np's refcount +balanced. + +Fixes: f705806c9f355 ("backlight: Add support Skyworks SKY81452 backlight driver") +Signed-off-by: Dinghao Liu +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/sky81452-backlight.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c +index 2355f00f57732..1f6301375fd33 100644 +--- a/drivers/video/backlight/sky81452-backlight.c ++++ b/drivers/video/backlight/sky81452-backlight.c +@@ -196,6 +196,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( + num_entry); + if (ret < 0) { + dev_err(dev, "led-sources node is invalid.\n"); ++ of_node_put(np); + return ERR_PTR(-EINVAL); + } + +-- +2.25.1 + diff --git a/queue-5.4/binder-remove-bogus-warning-on-failed-same-process-t.patch b/queue-5.4/binder-remove-bogus-warning-on-failed-same-process-t.patch new file mode 100644 index 00000000000..ec2cb02e648 --- /dev/null +++ b/queue-5.4/binder-remove-bogus-warning-on-failed-same-process-t.patch @@ -0,0 +1,47 @@ +From 25c2ec63cc358ba677fd723955e583f0092e8880 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 18:53:59 +0200 +Subject: binder: Remove bogus warning on failed same-process transaction + +From: Jann Horn + +[ Upstream commit e8b8ae7ce32e17a5c29f0289e9e2a39c7dcaa1b8 ] + +While binder transactions with the same binder_proc as sender and recipient +are forbidden, transactions with the same task_struct as sender and +recipient are possible (even though currently there is a weird check in +binder_transaction() that rejects them in the target==0 case). +Therefore, task_struct identities can't be used to distinguish whether +the caller is running in the context of the sender or the recipient. + +Since I see no easy way to make this WARN_ON() useful and correct, let's +just remove it. + +Fixes: 44d8047f1d87 ("binder: use standard functions to allocate fds") +Reported-by: syzbot+e113a0b970b7b3f394ba@syzkaller.appspotmail.com +Acked-by: Christian Brauner +Acked-by: Todd Kjos +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20200806165359.2381483-1-jannh@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/android/binder.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/android/binder.c b/drivers/android/binder.c +index 0f56a82615389..b62b1ab6bb699 100644 +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2326,8 +2326,6 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, + * file is done when the transaction is torn + * down. + */ +- WARN_ON(failed_at && +- proc->tsk == current->group_leader); + } break; + case BINDER_TYPE_PTR: + /* +-- +2.25.1 + diff --git a/queue-5.4/blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch b/queue-5.4/blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch new file mode 100644 index 00000000000..4501beeefbf --- /dev/null +++ b/queue-5.4/blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch @@ -0,0 +1,61 @@ +From f584084898a7f28d9493c553d5c685cd24f8ab53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 01:00:14 -0700 +Subject: blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue + +From: Yang Yang + +[ Upstream commit 47ce030b7ac5a5259a9a5919f230b52497afc31a ] + +blk_exit_queue will free elevator_data, while blk_mq_run_work_fn +will access it. Move cancel of hctx->run_work to the front of +blk_exit_queue to avoid use-after-free. + +Fixes: 1b97871b501f ("blk-mq: move cancel of hctx->run_work into blk_mq_hw_sysfs_release") +Signed-off-by: Yang Yang +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-sysfs.c | 2 -- + block/blk-sysfs.c | 9 ++++++++- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c +index a09ab0c3d074d..5dafd7a8ec913 100644 +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -36,8 +36,6 @@ static void blk_mq_hw_sysfs_release(struct kobject *kobj) + struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx, + kobj); + +- cancel_delayed_work_sync(&hctx->run_work); +- + if (hctx->flags & BLK_MQ_F_BLOCKING) + cleanup_srcu_struct(hctx->srcu); + blk_free_flush_queue(hctx->fq); +diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c +index 46f5198be0173..bf33570da5ac7 100644 +--- a/block/blk-sysfs.c ++++ b/block/blk-sysfs.c +@@ -891,9 +891,16 @@ static void __blk_release_queue(struct work_struct *work) + + blk_free_queue_stats(q->stats); + +- if (queue_is_mq(q)) ++ if (queue_is_mq(q)) { ++ struct blk_mq_hw_ctx *hctx; ++ int i; ++ + cancel_delayed_work_sync(&q->requeue_work); + ++ queue_for_each_hw_ctx(q, hctx, i) ++ cancel_delayed_work_sync(&hctx->run_work); ++ } ++ + blk_exit_queue(q); + + blk_queue_free_zone_bitmaps(q); +-- +2.25.1 + diff --git a/queue-5.4/block-ratelimit-handle_bad_sector-message.patch b/queue-5.4/block-ratelimit-handle_bad_sector-message.patch new file mode 100644 index 00000000000..bed52e77f51 --- /dev/null +++ b/queue-5.4/block-ratelimit-handle_bad_sector-message.patch @@ -0,0 +1,47 @@ +From b9e252426dbafe91e01ee3e81076a1753a119fee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 22:37:23 +0900 +Subject: block: ratelimit handle_bad_sector() message + +From: Tetsuo Handa + +[ Upstream commit f4ac712e4fe009635344b9af5d890fe25fcc8c0d ] + +syzbot is reporting unkillable task [1], for the caller is failing to +handle a corrupted filesystem image which attempts to access beyond +the end of the device. While we need to fix the caller, flooding the +console with handle_bad_sector() message is unlikely useful. + +[1] https://syzkaller.appspot.com/bug?id=f1f49fb971d7a3e01bd8ab8cff2ff4572ccf3092 + +Signed-off-by: Tetsuo Handa +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 81aafb601df06..d2213220099d3 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -743,11 +743,10 @@ static void handle_bad_sector(struct bio *bio, sector_t maxsector) + { + char b[BDEVNAME_SIZE]; + +- printk(KERN_INFO "attempt to access beyond end of device\n"); +- printk(KERN_INFO "%s: rw=%d, want=%Lu, limit=%Lu\n", +- bio_devname(bio, b), bio->bi_opf, +- (unsigned long long)bio_end_sector(bio), +- (long long)maxsector); ++ pr_info_ratelimited("attempt to access beyond end of device\n" ++ "%s: rw=%d, want=%llu, limit=%llu\n", ++ bio_devname(bio, b), bio->bi_opf, ++ bio_end_sector(bio), maxsector); + } + + #ifdef CONFIG_FAIL_MAKE_REQUEST +-- +2.25.1 + diff --git a/queue-5.4/bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch b/queue-5.4/bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch new file mode 100644 index 00000000000..924311a880c --- /dev/null +++ b/queue-5.4/bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch @@ -0,0 +1,34 @@ +From 8987380924cd0e8ce4f71f5099f6e0dc0a5b63bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 15:44:21 +0800 +Subject: Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb + +From: Dinghao Liu + +[ Upstream commit d33fe77bdf75806d785dabf90d21d962122e5296 ] + +When kmalloc() on buf fails, urb should be freed just like +when kmalloc() on dr fails. + +Signed-off-by: Dinghao Liu +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index f3f0529564da0..b326eeddaadf0 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2664,6 +2664,7 @@ static int btusb_mtk_submit_wmt_recv_urb(struct hci_dev *hdev) + buf = kmalloc(size, GFP_KERNEL); + if (!buf) { + kfree(dr); ++ usb_free_urb(urb); + return -ENOMEM; + } + +-- +2.25.1 + diff --git a/queue-5.4/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch b/queue-5.4/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch new file mode 100644 index 00000000000..a456708f456 --- /dev/null +++ b/queue-5.4/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch @@ -0,0 +1,51 @@ +From 5b95ca52c87f0d945f4d4197f97f1396f87fd4bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Aug 2020 11:29:56 -0500 +Subject: Bluetooth: hci_uart: Cancel init work before unregistering + +From: Samuel Holland + +[ Upstream commit 3b799254cf6f481460719023d7a18f46651e5e7f ] + +If hci_uart_tty_close() or hci_uart_unregister_device() is called while +hu->init_ready is scheduled, hci_register_dev() could be called after +the hci_uart is torn down. Avoid this by ensuring the work is complete +or canceled before checking the HCI_UART_REGISTERED flag. + +Fixes: 9f2aee848fe6 ("Bluetooth: Add delayed init sequence support for UART controllers") +Signed-off-by: Samuel Holland +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_ldisc.c | 1 + + drivers/bluetooth/hci_serdev.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index 85a30fb9177bb..f83d67eafc9f0 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -538,6 +538,7 @@ static void hci_uart_tty_close(struct tty_struct *tty) + clear_bit(HCI_UART_PROTO_READY, &hu->flags); + percpu_up_write(&hu->proto_lock); + ++ cancel_work_sync(&hu->init_ready); + cancel_work_sync(&hu->write_work); + + if (hdev) { +diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c +index ad2f26cb2622e..5b9aa73ff2b7f 100644 +--- a/drivers/bluetooth/hci_serdev.c ++++ b/drivers/bluetooth/hci_serdev.c +@@ -357,6 +357,8 @@ void hci_uart_unregister_device(struct hci_uart *hu) + struct hci_dev *hdev = hu->hdev; + + clear_bit(HCI_UART_PROTO_READY, &hu->flags); ++ ++ cancel_work_sync(&hu->init_ready); + if (test_bit(HCI_UART_REGISTERED, &hu->flags)) + hci_unregister_dev(hdev); + hci_free_dev(hdev); +-- +2.25.1 + diff --git a/queue-5.4/bluetooth-only-mark-socket-zapped-after-unlocking.patch b/queue-5.4/bluetooth-only-mark-socket-zapped-after-unlocking.patch new file mode 100644 index 00000000000..f6dd455dbba --- /dev/null +++ b/queue-5.4/bluetooth-only-mark-socket-zapped-after-unlocking.patch @@ -0,0 +1,73 @@ +From 58c4555c2cd4f21abc79106b1bcaab9d49143dce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 15:33:18 -0700 +Subject: Bluetooth: Only mark socket zapped after unlocking + +From: Abhishek Pandit-Subedi + +[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ] + +Since l2cap_sock_teardown_cb doesn't acquire the channel lock before +setting the socket as zapped, it could potentially race with +l2cap_sock_release which frees the socket. Thus, wait until the cleanup +is complete before marking the socket as zapped. + +This race was reproduced on a JBL GO speaker after the remote device +rejected L2CAP connection due to resource unavailability. + +Here is a dmesg log with debug logs from a repro of this bug: +[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002 +[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0 +[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2 +[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001 +[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952 +[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c +[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00 +[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4 +[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT +[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT +[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3 +[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6 +[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159 +[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053 +[ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 +[ 3465.430332] Causing a watchdog bite! + +Signed-off-by: Abhishek Pandit-Subedi +Reported-by: Balakrishna Godavarthi +Reviewed-by: Manish Mandlik +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 40e96a610e2b4..8648c5211ebe6 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1344,8 +1344,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + + parent = bt_sk(sk)->parent; + +- sock_set_flag(sk, SOCK_ZAPPED); +- + switch (chan->state) { + case BT_OPEN: + case BT_BOUND: +@@ -1372,8 +1370,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + + break; + } +- + release_sock(sk); ++ ++ /* Only zap after cleanup to avoid use after free race */ ++ sock_set_flag(sk, SOCK_ZAPPED); ++ + } + + static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, +-- +2.25.1 + diff --git a/queue-5.4/bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch b/queue-5.4/bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch new file mode 100644 index 00000000000..3bca589796a --- /dev/null +++ b/queue-5.4/bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch @@ -0,0 +1,85 @@ +From 459e61c2c37aedb0da2b79c8019127c06a9aa6e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 23:10:07 +0200 +Subject: bpf: Limit caller's stack depth 256 for subprogs with tailcalls + +From: Maciej Fijalkowski + +[ Upstream commit 7f6e4312e15a5c370e84eaa685879b6bdcc717e4 ] + +Protect against potential stack overflow that might happen when bpf2bpf +calls get combined with tailcalls. Limit the caller's stack depth for +such case down to 256 so that the worst case scenario would result in 8k +stack size (32 which is tailcall limit * 256 = 8k). + +Suggested-by: Alexei Starovoitov +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 1 + + kernel/bpf/verifier.c | 29 +++++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index 26a6d58ca78cc..81c7ea83e8079 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -342,6 +342,7 @@ struct bpf_subprog_info { + u32 start; /* insn idx of function entry point */ + u32 linfo_idx; /* The idx to the main_prog->aux->linfo */ + u16 stack_depth; /* max. stack depth used by this function */ ++ bool has_tail_call; + }; + + /* single container for all structs +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index ae27dd77a73cb..507474f79195f 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1160,6 +1160,10 @@ static int check_subprogs(struct bpf_verifier_env *env) + for (i = 0; i < insn_cnt; i++) { + u8 code = insn[i].code; + ++ if (code == (BPF_JMP | BPF_CALL) && ++ insn[i].imm == BPF_FUNC_tail_call && ++ insn[i].src_reg != BPF_PSEUDO_CALL) ++ subprog[cur_subprog].has_tail_call = true; + if (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32) + goto next; + if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL) +@@ -2612,6 +2616,31 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + int ret_prog[MAX_CALL_FRAMES]; + + process_func: ++ /* protect against potential stack overflow that might happen when ++ * bpf2bpf calls get combined with tailcalls. Limit the caller's stack ++ * depth for such case down to 256 so that the worst case scenario ++ * would result in 8k stack size (32 which is tailcall limit * 256 = ++ * 8k). ++ * ++ * To get the idea what might happen, see an example: ++ * func1 -> sub rsp, 128 ++ * subfunc1 -> sub rsp, 256 ++ * tailcall1 -> add rsp, 256 ++ * func2 -> sub rsp, 192 (total stack size = 128 + 192 = 320) ++ * subfunc2 -> sub rsp, 64 ++ * subfunc22 -> sub rsp, 128 ++ * tailcall2 -> add rsp, 128 ++ * func3 -> sub rsp, 32 (total stack size 128 + 192 + 64 + 32 = 416) ++ * ++ * tailcall will unwind the current stack frame but it will not get rid ++ * of caller's stack as shown on the example above. ++ */ ++ if (idx && subprog[idx].has_tail_call && depth >= 256) { ++ verbose(env, ++ "tail_calls are not allowed when call stack of previous frames is %d bytes. Too large\n", ++ depth); ++ return -EACCES; ++ } + /* round up to 32-bytes, since this is granularity + * of interpreter stack size + */ +-- +2.25.1 + diff --git a/queue-5.4/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch b/queue-5.4/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch new file mode 100644 index 00000000000..7bb30bbd7f3 --- /dev/null +++ b/queue-5.4/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch @@ -0,0 +1,37 @@ +From 3829c8358bd92807abad531df7a765155815829b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 17:36:05 +0800 +Subject: brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach + +From: Wang Yufen + +[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ] + +When brcmf_proto_msgbuf_attach fail and msgbuf->txflow_wq != NULL, +we should destroy the workqueue. + +Reported-by: Hulk Robot +Signed-off-by: Wang Yufen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1595237765-66238-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +index e3dd8623be4ec..c2705d7a4247e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -1619,6 +1619,8 @@ int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr) + BRCMF_TX_IOCTL_MAX_MSG_SIZE, + msgbuf->ioctbuf, + msgbuf->ioctbuf_handle); ++ if (msgbuf->txflow_wq) ++ destroy_workqueue(msgbuf->txflow_wq); + kfree(msgbuf); + } + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-5.4/brcmfmac-check-ndev-pointer.patch b/queue-5.4/brcmfmac-check-ndev-pointer.patch new file mode 100644 index 00000000000..e18e9bbd0ac --- /dev/null +++ b/queue-5.4/brcmfmac-check-ndev-pointer.patch @@ -0,0 +1,54 @@ +From e7fcfb20caef512cb1a5f96b5b6473c7bdb4d96c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 09:18:04 -0700 +Subject: brcmfmac: check ndev pointer + +From: Tom Rix + +[ Upstream commit 9c9f015bc9f8839831c7ba0a6d731a3853c464e2 ] + +Clang static analysis reports this error + +brcmfmac/core.c:490:4: warning: Dereference of null pointer + (*ifp)->ndev->stats.rx_errors++; + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In this block of code + + if (ret || !(*ifp) || !(*ifp)->ndev) { + if (ret != -ENODATA && *ifp) + (*ifp)->ndev->stats.rx_errors++; + brcmu_pkt_buf_free_skb(skb); + return -ENODATA; + } + +(*ifp)->ndev being NULL is caught as an error +But then it is used to report the error. + +So add a check before using it. + +Fixes: 91b632803ee4 ("brcmfmac: Use net_device_stats from struct net_device") +Signed-off-by: Tom Rix +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802161804.6126-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index 85cf96461ddeb..e9bb8dbdc9aa8 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -483,7 +483,7 @@ static int brcmf_rx_hdrpull(struct brcmf_pub *drvr, struct sk_buff *skb, + ret = brcmf_proto_hdrpull(drvr, true, skb, ifp); + + if (ret || !(*ifp) || !(*ifp)->ndev) { +- if (ret != -ENODATA && *ifp) ++ if (ret != -ENODATA && *ifp && (*ifp)->ndev) + (*ifp)->ndev->stats.rx_errors++; + brcmu_pkt_buf_free_skb(skb); + return -ENODATA; +-- +2.25.1 + diff --git a/queue-5.4/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch b/queue-5.4/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch new file mode 100644 index 00000000000..5ed9426be38 --- /dev/null +++ b/queue-5.4/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch @@ -0,0 +1,43 @@ +From 1008e6dce86b98737abbb6ac32e7e84bb5b441dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 12:17:41 +0000 +Subject: brcmsmac: fix memory leak in wlc_phy_attach_lcnphy + +From: Keita Suzuki + +[ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ] + +When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy, +the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be +freed in the caller function. + +Fix this by calling wlc_phy_detach_lcnphy in the error handler of +wlc_phy_txpwr_srom_read_lcnphy before returning. + +Signed-off-by: Keita Suzuki +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200908121743.23108-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +index 7ef36234a25dc..66797dc5e90d5 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +@@ -5065,8 +5065,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi) + pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft; + pi->pi_fptr.detach = wlc_phy_detach_lcnphy; + +- if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) ++ if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) { ++ kfree(pi->u.pi_lcnphy); + return false; ++ } + + if (LCNREV_IS(pi->pubpi.phy_rev, 1)) { + if (pi_lcn->lcnphy_tempsense_option == 3) { +-- +2.25.1 + diff --git a/queue-5.4/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch b/queue-5.4/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch new file mode 100644 index 00000000000..96c9e5b80ce --- /dev/null +++ b/queue-5.4/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch @@ -0,0 +1,95 @@ +From 31201d27f834e3fd721b416b1a30c4d7529a8ec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 16:44:19 +0200 +Subject: can: flexcan: flexcan_chip_stop(): add error handling and propagate + error value + +From: Joakim Zhang + +[ Upstream commit 9ad02c7f4f279504bdd38ab706fdc97d5f2b2a9c ] + +This patch implements error handling and propagates the error value of +flexcan_chip_stop(). This function will be called from flexcan_suspend() +in an upcoming patch in some SoCs which support LPSR mode. + +Add a new function flexcan_chip_stop_disable_on_error() that tries to +disable the chip even in case of errors. + +Signed-off-by: Joakim Zhang +[mkl: introduce flexcan_chip_stop_disable_on_error() and use it in flexcan_close()] +Signed-off-by: Marc Kleine-Budde +Link: https://lore.kernel.org/r/20200922144429.2613631-11-mkl@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 34 ++++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index e5c207ad3c77d..aaa7ed1dc97ee 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1232,18 +1232,23 @@ static int flexcan_chip_start(struct net_device *dev) + return err; + } + +-/* flexcan_chip_stop ++/* __flexcan_chip_stop + * +- * this functions is entered with clocks enabled ++ * this function is entered with clocks enabled + */ +-static void flexcan_chip_stop(struct net_device *dev) ++static int __flexcan_chip_stop(struct net_device *dev, bool disable_on_error) + { + struct flexcan_priv *priv = netdev_priv(dev); + struct flexcan_regs __iomem *regs = priv->regs; ++ int err; + + /* freeze + disable module */ +- flexcan_chip_freeze(priv); +- flexcan_chip_disable(priv); ++ err = flexcan_chip_freeze(priv); ++ if (err && !disable_on_error) ++ return err; ++ err = flexcan_chip_disable(priv); ++ if (err && !disable_on_error) ++ goto out_chip_unfreeze; + + /* Disable all interrupts */ + priv->write(0, ®s->imask2); +@@ -1253,6 +1258,23 @@ static void flexcan_chip_stop(struct net_device *dev) + + flexcan_transceiver_disable(priv); + priv->can.state = CAN_STATE_STOPPED; ++ ++ return 0; ++ ++ out_chip_unfreeze: ++ flexcan_chip_unfreeze(priv); ++ ++ return err; ++} ++ ++static inline int flexcan_chip_stop_disable_on_error(struct net_device *dev) ++{ ++ return __flexcan_chip_stop(dev, true); ++} ++ ++static inline int flexcan_chip_stop(struct net_device *dev) ++{ ++ return __flexcan_chip_stop(dev, false); + } + + static int flexcan_open(struct net_device *dev) +@@ -1341,7 +1363,7 @@ static int flexcan_close(struct net_device *dev) + + netif_stop_queue(dev); + can_rx_offload_disable(&priv->offload); +- flexcan_chip_stop(dev); ++ flexcan_chip_stop_disable_on_error(dev); + + can_rx_offload_del(&priv->offload); + free_irq(dev->irq, dev); +-- +2.25.1 + diff --git a/queue-5.4/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch b/queue-5.4/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch new file mode 100644 index 00000000000..3ad8e3bd7d1 --- /dev/null +++ b/queue-5.4/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch @@ -0,0 +1,52 @@ +From 838d16997734cda37b9a2605e12bafe0e836f6d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 09:59:10 +0300 +Subject: clk: at91: clk-main: update key before writing AT91_CKGR_MOR + +From: Claudiu Beznea + +[ Upstream commit 85d071e7f19a6a9abf30476b90b3819642568756 ] + +SAMA5D2 datasheet specifies on chapter 33.22.8 (PMC Clock Generator +Main Oscillator Register) that writing any value other than +0x37 on KEY field aborts the write operation. Use the key when +selecting main clock parent. + +Fixes: 27cb1c2083373 ("clk: at91: rework main clk implementation") +Signed-off-by: Claudiu Beznea +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/1598338751-20607-3-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-main.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/at91/clk-main.c b/drivers/clk/at91/clk-main.c +index 37c22667e8319..4313ecb2af5b2 100644 +--- a/drivers/clk/at91/clk-main.c ++++ b/drivers/clk/at91/clk-main.c +@@ -437,12 +437,17 @@ static int clk_sam9x5_main_set_parent(struct clk_hw *hw, u8 index) + return -EINVAL; + + regmap_read(regmap, AT91_CKGR_MOR, &tmp); +- tmp &= ~MOR_KEY_MASK; + + if (index && !(tmp & AT91_PMC_MOSCSEL)) +- regmap_write(regmap, AT91_CKGR_MOR, tmp | AT91_PMC_MOSCSEL); ++ tmp = AT91_PMC_MOSCSEL; + else if (!index && (tmp & AT91_PMC_MOSCSEL)) +- regmap_write(regmap, AT91_CKGR_MOR, tmp & ~AT91_PMC_MOSCSEL); ++ tmp = 0; ++ else ++ return 0; ++ ++ regmap_update_bits(regmap, AT91_CKGR_MOR, ++ AT91_PMC_MOSCSEL | MOR_KEY_MASK, ++ tmp | AT91_PMC_KEY); + + while (!clk_sam9x5_main_ready(regmap)) + cpu_relax(); +-- +2.25.1 + diff --git a/queue-5.4/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch b/queue-5.4/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch new file mode 100644 index 00000000000..aada1fff9de --- /dev/null +++ b/queue-5.4/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch @@ -0,0 +1,41 @@ +From c0d1bb6eae85ed98544f2de6d4db04734e316205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 18:11:58 -0500 +Subject: clk: bcm2835: add missing release if devm_clk_hw_register fails + +From: Navid Emamdoost + +[ Upstream commit f6c992ca7dd4f49042eec61f3fb426c94d901675 ] + +In the implementation of bcm2835_register_pll(), the allocated pll is +leaked if devm_clk_hw_register() fails to register hw. Release pll if +devm_clk_hw_register() fails. + +Signed-off-by: Navid Emamdoost +Link: https://lore.kernel.org/r/20200809231202.15811-1-navid.emamdoost@gmail.com +Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 45420b514149f..c5486537b9284 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1336,8 +1336,10 @@ static struct clk_hw *bcm2835_register_pll(struct bcm2835_cprman *cprman, + pll->hw.init = &init; + + ret = devm_clk_hw_register(cprman->dev, &pll->hw); +- if (ret) ++ if (ret) { ++ kfree(pll); + return NULL; ++ } + return &pll->hw; + } + +-- +2.25.1 + diff --git a/queue-5.4/clk-imx8mq-fix-usdhc-parents-order.patch b/queue-5.4/clk-imx8mq-fix-usdhc-parents-order.patch new file mode 100644 index 00000000000..92dec460a92 --- /dev/null +++ b/queue-5.4/clk-imx8mq-fix-usdhc-parents-order.patch @@ -0,0 +1,54 @@ +From b9f9a6160e52ad5b96304beb39f567fe34ce190f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 12:25:44 +0300 +Subject: clk: imx8mq: Fix usdhc parents order + +From: Abel Vesa + +[ Upstream commit b159c63d82ff8ffddc6c6f0eb881b113b36ecad7 ] + +According to the latest RM (see Table 5-1. Clock Root Table), +both usdhc root clocks have the parent order as follows: + +000 - 25M_REF_CLK +001 - SYSTEM_PLL1_DIV2 +010 - SYSTEM_PLL1_CLK +011 - SYSTEM_PLL2_DIV2 +100 - SYSTEM_PLL3_CLK +101 - SYSTEM_PLL1_DIV3 +110 - AUDIO_PLL2_CLK +111 - SYSTEM_PLL1_DIV8 + +So the audio_pll2_out and sys3_pll_out have to be swapped. + +Fixes: b80522040cd3 ("clk: imx: Add clock driver for i.MX8MQ CCM") +Signed-off-by: Abel Vesa +Reported-by: Cosmin Stefan Stoica +Link: https://lore.kernel.org/r/1602753944-30757-1-git-send-email-abel.vesa@nxp.com +Reviewed-by: Fabio Estevam +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mq.c b/drivers/clk/imx/clk-imx8mq.c +index 41fc9c63356ea..1846bd879dd71 100644 +--- a/drivers/clk/imx/clk-imx8mq.c ++++ b/drivers/clk/imx/clk-imx8mq.c +@@ -157,10 +157,10 @@ static const char * const imx8mq_qspi_sels[] = {"osc_25m", "sys1_pll_400m", "sys + "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", }; + + static const char * const imx8mq_usdhc1_sels[] = {"osc_25m", "sys1_pll_400m", "sys1_pll_800m", "sys2_pll_500m", +- "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", }; ++ "sys3_pll_out", "sys1_pll_266m", "audio_pll2_out", "sys1_pll_100m", }; + + static const char * const imx8mq_usdhc2_sels[] = {"osc_25m", "sys1_pll_400m", "sys1_pll_800m", "sys2_pll_500m", +- "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", }; ++ "sys3_pll_out", "sys1_pll_266m", "audio_pll2_out", "sys1_pll_100m", }; + + static const char * const imx8mq_i2c1_sels[] = {"osc_25m", "sys1_pll_160m", "sys2_pll_50m", "sys3_pll_out", "audio_pll1_out", + "video_pll1_out", "audio_pll2_out", "sys1_pll_133m", }; +-- +2.25.1 + diff --git a/queue-5.4/clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch b/queue-5.4/clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch new file mode 100644 index 00000000000..5a84e8192a1 --- /dev/null +++ b/queue-5.4/clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch @@ -0,0 +1,40 @@ +From 2654c10b33b14b410f64d49c501efd07ee9d53b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 11:57:38 +0300 +Subject: clk: keystone: sci-clk: fix parsing assigned-clock data during probe + +From: Tero Kristo + +[ Upstream commit 2f05cced7307489faab873367fb20cd212e1d890 ] + +The DT clock probe loop incorrectly terminates after processing "clocks" +only, fix this by re-starting the loop when all entries for current +DT property have been parsed. + +Fixes: 8e48b33f9def ("clk: keystone: sci-clk: probe clocks from DT instead of firmware") +Reported-by: Peter Ujfalusi +Signed-off-by: Tero Kristo +Link: https://lore.kernel.org/r/20200907085740.1083-2-t-kristo@ti.com +Acked-by: Santosh Shilimkar +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/sci-clk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/keystone/sci-clk.c b/drivers/clk/keystone/sci-clk.c +index 7edf8c8432b67..64ea895f1a7df 100644 +--- a/drivers/clk/keystone/sci-clk.c ++++ b/drivers/clk/keystone/sci-clk.c +@@ -522,7 +522,7 @@ static int ti_sci_scan_clocks_from_dt(struct sci_clk_provider *provider) + np = of_find_node_with_property(np, *clk_name); + if (!np) { + clk_name++; +- break; ++ continue; + } + + if (!of_device_is_available(np)) +-- +2.25.1 + diff --git a/queue-5.4/clk-mediatek-add-uart0-clock-support.patch b/queue-5.4/clk-mediatek-add-uart0-clock-support.patch new file mode 100644 index 00000000000..4c37b71e5fe --- /dev/null +++ b/queue-5.4/clk-mediatek-add-uart0-clock-support.patch @@ -0,0 +1,37 @@ +From fd89685fbb1bca33d22e1ba58162621d9f568158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 21:30:16 +0800 +Subject: clk: mediatek: add UART0 clock support + +From: Hanks Chen + +[ Upstream commit 804a892456b73604b7ecfb1b00a96a29f3d2aedf ] + +Add MT6779 UART0 clock support. + +Fixes: 710774e04861 ("clk: mediatek: Add MT6779 clock support") +Signed-off-by: Wendell Lin +Signed-off-by: Hanks Chen +Reviewed-by: Matthias Brugger +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt6779.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/mediatek/clk-mt6779.c b/drivers/clk/mediatek/clk-mt6779.c +index 608a9a6621a37..00920182bbe63 100644 +--- a/drivers/clk/mediatek/clk-mt6779.c ++++ b/drivers/clk/mediatek/clk-mt6779.c +@@ -919,6 +919,8 @@ static const struct mtk_gate infra_clks[] = { + "pwm_sel", 19), + GATE_INFRA0(CLK_INFRA_PWM, "infra_pwm", + "pwm_sel", 21), ++ GATE_INFRA0(CLK_INFRA_UART0, "infra_uart0", ++ "uart_sel", 22), + GATE_INFRA0(CLK_INFRA_UART1, "infra_uart1", + "uart_sel", 23), + GATE_INFRA0(CLK_INFRA_UART2, "infra_uart2", +-- +2.25.1 + diff --git a/queue-5.4/clk-meson-g12a-mark-fclk_div2-as-critical.patch b/queue-5.4/clk-meson-g12a-mark-fclk_div2-as-critical.patch new file mode 100644 index 00000000000..407bc86a0d7 --- /dev/null +++ b/queue-5.4/clk-meson-g12a-mark-fclk_div2-as-critical.patch @@ -0,0 +1,55 @@ +From e5681c2b0fe91b939412974659c18e9f9f2752f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 17:52:05 +0200 +Subject: clk: meson: g12a: mark fclk_div2 as critical + +From: Stefan Agner + +[ Upstream commit 2c4e80e06790cb49ad2603855d30c5aac2209c47 ] + +On Amlogic Meson G12b platform, similar to fclk_div3, the fclk_div2 +seems to be necessary for the system to operate correctly as well. + +Typically, the clock also gets chosen by the eMMC peripheral. This +probably masked the problem so far. However, when booting from a SD +card the clock seems to get disabled which leads to a system freeze. + +Let's mark this clock as critical, fixing boot from SD card on G12b +platforms. + +Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller") +Signed-off-by: Stefan Agner +Signed-off-by: Jerome Brunet +Tested-by: Anand Moon +Cc: Marek Szyprowski +Link: https://lore.kernel.org/r/577e0129e8ee93972d92f13187ff4e4286182f67.1598629915.git.stefan@agner.ch +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/g12a.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c +index d2760a021301d..3143e16065de6 100644 +--- a/drivers/clk/meson/g12a.c ++++ b/drivers/clk/meson/g12a.c +@@ -298,6 +298,17 @@ static struct clk_regmap g12a_fclk_div2 = { + &g12a_fclk_div2_div.hw + }, + .num_parents = 1, ++ /* ++ * Similar to fclk_div3, it seems that this clock is used by ++ * the resident firmware and is required by the platform to ++ * operate correctly. ++ * Until the following condition are met, we need this clock to ++ * be marked as critical: ++ * a) Mark the clock used by a firmware resource, if possible ++ * b) CCF has a clock hand-off mechanism to make the sure the ++ * clock stays on until the proper driver comes along ++ */ ++ .flags = CLK_IS_CRITICAL, + }, + }; + +-- +2.25.1 + diff --git a/queue-5.4/clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch b/queue-5.4/clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch new file mode 100644 index 00000000000..8ff3635180e --- /dev/null +++ b/queue-5.4/clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch @@ -0,0 +1,37 @@ +From 722368b63c0307a57eae4e7d498577438a3a9fa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 14:09:09 +0200 +Subject: clk: qcom: gcc-sdm660: Fix wrong parent_map + +From: Konrad Dybcio + +[ Upstream commit d46e5a39f9be9288f1ce2170c4c7f8098f4e7f68 ] + +This was likely overlooked while porting the driver upstream. + +Reported-by: Pavel Dubrova +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20200922120909.97203-1-konradybcio@gmail.com +Fixes: f2a76a2955c0 ("clk: qcom: Add Global Clock controller (GCC) driver for SDM660") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sdm660.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/gcc-sdm660.c b/drivers/clk/qcom/gcc-sdm660.c +index c6fb57cd576f5..aa5c0c6ead017 100644 +--- a/drivers/clk/qcom/gcc-sdm660.c ++++ b/drivers/clk/qcom/gcc-sdm660.c +@@ -666,7 +666,7 @@ static struct clk_rcg2 hmss_rbcpr_clk_src = { + .cmd_rcgr = 0x48044, + .mnd_width = 0, + .hid_width = 5, +- .parent_map = gcc_parent_map_xo_gpll0_gpll0_early_div, ++ .parent_map = gcc_parent_map_xo_gpll0, + .freq_tbl = ftbl_hmss_rbcpr_clk_src, + .clkr.hw.init = &(struct clk_init_data){ + .name = "hmss_rbcpr_clk_src", +-- +2.25.1 + diff --git a/queue-5.4/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch b/queue-5.4/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch new file mode 100644 index 00000000000..fcdd0ab8fb5 --- /dev/null +++ b/queue-5.4/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch @@ -0,0 +1,44 @@ +From f9ae763ab8a94ce18e0a6388e23c5483cc5f7b49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 17:41:44 -0700 +Subject: clk: rockchip: Initialize hw to error to avoid undefined behavior + +From: Stephen Boyd + +[ Upstream commit b608f11d49ec671739604cc763248d8e8fadbbeb ] + +We can get down to this return value from ERR_CAST() without +initializing hw. Set it to -ENOMEM so that we always return something +sane. + +Fixes the following smatch warning: + +drivers/clk/rockchip/clk-half-divider.c:228 rockchip_clk_register_halfdiv() error: uninitialized symbol 'hw'. +drivers/clk/rockchip/clk-half-divider.c:228 rockchip_clk_register_halfdiv() warn: passing zero to 'ERR_CAST' + +Cc: Elaine Zhang +Cc: Heiko Stuebner +Fixes: 956060a52795 ("clk: rockchip: add support for half divider") +Reviewed-by: Heiko Stuebner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-half-divider.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-half-divider.c b/drivers/clk/rockchip/clk-half-divider.c +index ba9f00dc9740c..7dd2e0b1a5866 100644 +--- a/drivers/clk/rockchip/clk-half-divider.c ++++ b/drivers/clk/rockchip/clk-half-divider.c +@@ -167,7 +167,7 @@ struct clk *rockchip_clk_register_halfdiv(const char *name, + unsigned long flags, + spinlock_t *lock) + { +- struct clk *clk; ++ struct clk *clk = ERR_PTR(-ENOMEM); + struct clk_mux *mux = NULL; + struct clk_gate *gate = NULL; + struct clk_divider *div = NULL; +-- +2.25.1 + diff --git a/queue-5.4/coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch b/queue-5.4/coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch new file mode 100644 index 00000000000..9ef62b4d9aa --- /dev/null +++ b/queue-5.4/coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch @@ -0,0 +1,47 @@ +From 6cc98dc027df70fef436465cef665a9caa2b2749 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 10:34:56 -0600 +Subject: coresight: etm: perf: Fix warning caused by etm_setup_aux failure + +From: Tingwei Zhang + +[ Upstream commit 716f5652a13122364a65e694386b9b26f5e98c51 ] + +When coresight_build_path() fails on all the cpus, etm_setup_aux +calls etm_free_aux() to free allocated event_data. +WARN_ON(cpumask_empty(mask) will be triggered since cpu mask is empty. +Check event_data->snk_config is not NULL first to avoid this +warning. + +Fixes: f5200aa9831f38 ("coresight: perf: Refactor function free_event_data()") +Reviewed-by: Mike Leach +Reviewed-by: Suzuki K Poulose +Signed-off-by: Tingwei Zhang +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200928163513.70169-9-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm-perf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c +index c4b9898e28418..9b0c5d719232f 100644 +--- a/drivers/hwtracing/coresight/coresight-etm-perf.c ++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c +@@ -126,10 +126,10 @@ static void free_sink_buffer(struct etm_event_data *event_data) + cpumask_t *mask = &event_data->mask; + struct coresight_device *sink; + +- if (WARN_ON(cpumask_empty(mask))) ++ if (!event_data->snk_config) + return; + +- if (!event_data->snk_config) ++ if (WARN_ON(cpumask_empty(mask))) + return; + + cpu = cpumask_first(mask); +-- +2.25.1 + diff --git a/queue-5.4/coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch b/queue-5.4/coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch new file mode 100644 index 00000000000..e2e4303428a --- /dev/null +++ b/queue-5.4/coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch @@ -0,0 +1,120 @@ +From f0f88735e1bb2658233af03e7372812ae033e799 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:31 -0600 +Subject: coresight: etm4x: Handle unreachable sink in perf mode + +From: Suzuki K Poulose + +[ Upstream commit 859d510e58dac94f0b204b7b5cccafbc130d2291 ] + +If the specified/hinted sink is not reachable from a subset of the CPUs, +we could end up unable to trace the event on those CPUs. This +is the best effort we could do until we support 1:1 configurations. +Fail gracefully in such cases avoiding a WARN_ON, which can be easily +triggered by the user on certain platforms (Arm N1SDP), with the following +trace paths : + + CPU0 + \ + -- Funnel0 --> ETF0 --> + / \ + CPU1 \ + MainFunnel + CPU2 / + \ / + -- Funnel1 --> ETF1 --> + / + CPU1 + +$ perf record --per-thread -e cs_etm/@ETF0/u -- + +could trigger the following WARNING, when the event is scheduled +on CPU2. + +[10919.513250] ------------[ cut here ]------------ +[10919.517861] WARNING: CPU: 2 PID: 24021 at +drivers/hwtracing/coresight/coresight-etm-perf.c:316 etm_event_start+0xf8/0x100 +... + +[10919.564403] CPU: 2 PID: 24021 Comm: perf Not tainted 5.8.0+ #24 +[10919.570308] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--) +[10919.575865] pc : etm_event_start+0xf8/0x100 +[10919.580034] lr : etm_event_start+0x80/0x100 +[10919.584202] sp : fffffe001932f940 +[10919.587502] x29: fffffe001932f940 x28: fffffc834995f800 +[10919.592799] x27: 0000000000000000 x26: fffffe0011f3ced0 +[10919.598095] x25: fffffc837fce244c x24: fffffc837fce2448 +[10919.603391] x23: 0000000000000002 x22: fffffc8353529c00 +[10919.608688] x21: fffffc835bb31000 x20: 0000000000000000 +[10919.613984] x19: fffffc837fcdcc70 x18: 0000000000000000 +[10919.619281] x17: 0000000000000000 x16: 0000000000000000 +[10919.624577] x15: 0000000000000000 x14: 00000000000009f8 +[10919.629874] x13: 00000000000009f8 x12: 0000000000000018 +[10919.635170] x11: 0000000000000000 x10: 0000000000000000 +[10919.640467] x9 : fffffe00108cd168 x8 : 0000000000000000 +[10919.645763] x7 : 0000000000000020 x6 : 0000000000000001 +[10919.651059] x5 : 0000000000000002 x4 : 0000000000000001 +[10919.656356] x3 : 0000000000000000 x2 : 0000000000000000 +[10919.661652] x1 : fffffe836eb40000 x0 : 0000000000000000 +[10919.666949] Call trace: +[10919.669382] etm_event_start+0xf8/0x100 +[10919.673203] etm_event_add+0x40/0x60 +[10919.676765] event_sched_in.isra.134+0xcc/0x210 +[10919.681281] merge_sched_in+0xb0/0x2a8 +[10919.685017] visit_groups_merge.constprop.140+0x15c/0x4b8 +[10919.690400] ctx_sched_in+0x15c/0x170 +[10919.694048] perf_event_sched_in+0x6c/0xa0 +[10919.698130] ctx_resched+0x60/0xa0 +[10919.701517] perf_event_exec+0x288/0x2f0 +[10919.705425] begin_new_exec+0x4c8/0xf58 +[10919.709247] load_elf_binary+0x66c/0xf30 +[10919.713155] exec_binprm+0x15c/0x450 +[10919.716716] __do_execve_file+0x508/0x748 +[10919.720711] __arm64_sys_execve+0x40/0x50 +[10919.724707] do_el0_svc+0xf4/0x1b8 +[10919.728095] el0_sync_handler+0xf8/0x124 +[10919.732003] el0_sync+0x140/0x180 + +Even though we don't support using separate sinks for the ETMs yet (e.g, +for 1:1 configurations), we should at least honor the user's choice and +handle the limitations gracefully, by simply skipping the tracing on ETMs +which can't reach the requested sink. + +Fixes: f9d81a657bb8 ("coresight: perf: Allow tracing on hotplugged CPUs") +Cc: Mathieu Poirier +Cc: Mike Leach +Reported-by: Jeremy Linton +Tested-by: Jeremy Linton +Signed-off-by: Suzuki K Poulose +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-11-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm-perf.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c +index 84f1dcb698272..c4b9898e28418 100644 +--- a/drivers/hwtracing/coresight/coresight-etm-perf.c ++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c +@@ -310,6 +310,16 @@ static void etm_event_start(struct perf_event *event, int flags) + if (!event_data) + goto fail; + ++ /* ++ * Check if this ETM is allowed to trace, as decided ++ * at etm_setup_aux(). This could be due to an unreachable ++ * sink from this ETM. We can't do much in this case if ++ * the sink was specified or hinted to the driver. For ++ * now, simply don't record anything on this ETM. ++ */ ++ if (!cpumask_test_cpu(cpu, &event_data->mask)) ++ goto fail_end_stop; ++ + path = etm_event_cpu_path(event_data, cpu); + /* We need a sink, no need to continue without one */ + sink = coresight_get_sink(path); +-- +2.25.1 + diff --git a/queue-5.4/cpufreq-armada-37xx-add-missing-module_device_table.patch b/queue-5.4/cpufreq-armada-37xx-add-missing-module_device_table.patch new file mode 100644 index 00000000000..4cbce2ec64d --- /dev/null +++ b/queue-5.4/cpufreq-armada-37xx-add-missing-module_device_table.patch @@ -0,0 +1,47 @@ +From f063a4270cc3f04cf2145070049c758adafc72fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 15:27:16 +0200 +Subject: cpufreq: armada-37xx: Add missing MODULE_DEVICE_TABLE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit c942d1542f1bc5001216fabce9cb8ffbe515777e ] + +CONFIG_ARM_ARMADA_37XX_CPUFREQ is tristate option and therefore this +cpufreq driver can be compiled as a module. This patch adds missing +MODULE_DEVICE_TABLE which generates correct modalias for automatic +loading of this cpufreq driver when is compiled as an external module. + +Reviewed-by: Andrew Lunn +Signed-off-by: Pali Rohár +Fixes: 92ce45fb875d7 ("cpufreq: Add DVFS support for Armada 37xx") +[ Viresh: Added __maybe_unused ] +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/armada-37xx-cpufreq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/cpufreq/armada-37xx-cpufreq.c b/drivers/cpufreq/armada-37xx-cpufreq.c +index df1c941260d14..b4af4094309b0 100644 +--- a/drivers/cpufreq/armada-37xx-cpufreq.c ++++ b/drivers/cpufreq/armada-37xx-cpufreq.c +@@ -484,6 +484,12 @@ static int __init armada37xx_cpufreq_driver_init(void) + /* late_initcall, to guarantee the driver is loaded after A37xx clock driver */ + late_initcall(armada37xx_cpufreq_driver_init); + ++static const struct of_device_id __maybe_unused armada37xx_cpufreq_of_match[] = { ++ { .compatible = "marvell,armada-3700-nb-pm" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(of, armada37xx_cpufreq_of_match); ++ + MODULE_AUTHOR("Gregory CLEMENT "); + MODULE_DESCRIPTION("Armada 37xx cpufreq driver"); + MODULE_LICENSE("GPL"); +-- +2.25.1 + diff --git a/queue-5.4/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch b/queue-5.4/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch new file mode 100644 index 00000000000..dbda87429fe --- /dev/null +++ b/queue-5.4/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch @@ -0,0 +1,52 @@ +From 7bf594853081ea196eb8ad57cb0d7929f4530a68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 13:32:54 +0530 +Subject: cpufreq: powernv: Fix frame-size-overflow in + powernv_cpufreq_reboot_notifier + +From: Srikar Dronamraju + +[ Upstream commit a2d0230b91f7e23ceb5d8fb6a9799f30517ec33a ] + +The patch avoids allocating cpufreq_policy on stack hence fixing frame +size overflow in 'powernv_cpufreq_reboot_notifier': + + drivers/cpufreq/powernv-cpufreq.c: In function powernv_cpufreq_reboot_notifier: + drivers/cpufreq/powernv-cpufreq.c:906:1: error: the frame size of 2064 bytes is larger than 2048 bytes + +Fixes: cf30af76 ("cpufreq: powernv: Set the cpus to nominal frequency during reboot/kexec") +Signed-off-by: Srikar Dronamraju +Reviewed-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200922080254.41497-1-srikar@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/powernv-cpufreq.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index 3a2f022f6bde2..bc6ccf2c7aae0 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -884,12 +884,15 @@ static int powernv_cpufreq_reboot_notifier(struct notifier_block *nb, + unsigned long action, void *unused) + { + int cpu; +- struct cpufreq_policy cpu_policy; ++ struct cpufreq_policy *cpu_policy; + + rebooting = true; + for_each_online_cpu(cpu) { +- cpufreq_get_policy(&cpu_policy, cpu); +- powernv_cpufreq_target_index(&cpu_policy, get_nominal_index()); ++ cpu_policy = cpufreq_cpu_get(cpu); ++ if (!cpu_policy) ++ continue; ++ powernv_cpufreq_target_index(cpu_policy, get_nominal_index()); ++ cpufreq_cpu_put(cpu_policy); + } + + return NOTIFY_DONE; +-- +2.25.1 + diff --git a/queue-5.4/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch b/queue-5.4/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch new file mode 100644 index 00000000000..1e9af7b2813 --- /dev/null +++ b/queue-5.4/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch @@ -0,0 +1,37 @@ +From ae5dd30aaad32950f940bd24d7978f55b9e78174 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 17:03:27 +1000 +Subject: crypto: algif_skcipher - EBUSY on aio should be an error + +From: Herbert Xu + +[ Upstream commit 2a05b029c1ee045b886ebf9efef9985ca23450de ] + +I removed the MAY_BACKLOG flag on the aio path a while ago but +the error check still incorrectly interpreted EBUSY as success. +This may cause the submitter to wait for a request that will never +complete. + +Fixes: dad419970637 ("crypto: algif_skcipher - Do not set...") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_skcipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index 81c4022285a7c..30069a92a9b22 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -123,7 +123,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, + crypto_skcipher_decrypt(&areq->cra_u.skcipher_req); + + /* AIO operation in progress */ +- if (err == -EINPROGRESS || err == -EBUSY) ++ if (err == -EINPROGRESS) + return -EIOCBQUEUED; + + sock_put(sk); +-- +2.25.1 + diff --git a/queue-5.4/crypto-ccp-fix-error-handling.patch b/queue-5.4/crypto-ccp-fix-error-handling.patch new file mode 100644 index 00000000000..2c853596d04 --- /dev/null +++ b/queue-5.4/crypto-ccp-fix-error-handling.patch @@ -0,0 +1,35 @@ +From c80fb227d17347cee07fde6c07d802e0fd54ccb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 13:34:35 +0200 +Subject: crypto: ccp - fix error handling + +From: Pavel Machek + +[ Upstream commit e356c49c6cf0db3f00e1558749170bd56e47652d ] + +Fix resource leak in error handling. + +Signed-off-by: Pavel Machek (CIP) +Acked-by: John Allen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index 64112c736810e..7234b95241e91 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -1746,7 +1746,7 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + break; + default: + ret = -EINVAL; +- goto e_ctx; ++ goto e_data; + } + } else { + /* Stash the context */ +-- +2.25.1 + diff --git a/queue-5.4/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch b/queue-5.4/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch new file mode 100644 index 00000000000..9eb380e3ffe --- /dev/null +++ b/queue-5.4/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch @@ -0,0 +1,36 @@ +From e550764889334060c7bc407c03ece97bfa8f06ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 16:56:48 +0200 +Subject: crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit f7ade9aaf66bd5599690acf0597df2c0f6cd825a ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()', in 'setup_crypt_desc()'. + +Fixes: 81bef0150074 ("crypto: ixp4xx - Hardware crypto support for IXP4xx CPUs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ixp4xx_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index 9181523ba7607..acaa504d5a798 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -527,7 +527,7 @@ static void release_ixp_crypto(struct device *dev) + + if (crypt_virt) { + dma_free_coherent(dev, +- NPE_QLEN_TOTAL * sizeof( struct crypt_ctl), ++ NPE_QLEN * sizeof(struct crypt_ctl), + crypt_virt, crypt_phys); + } + } +-- +2.25.1 + diff --git a/queue-5.4/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch b/queue-5.4/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch new file mode 100644 index 00000000000..f1728ad7637 --- /dev/null +++ b/queue-5.4/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch @@ -0,0 +1,46 @@ +From e57f0a962765b7ab8ea20b5e77163c32d09d08a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:32 +0800 +Subject: crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() + +From: Tianjia Zhang + +[ Upstream commit 8cbde6c6a6d2b1599ff90f932304aab7e32fce89 ] + +In case of memory allocation failure, a negative error code should +be returned. + +Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips") +Cc: Ryder Lee +Signed-off-by: Tianjia Zhang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mediatek/mtk-platform.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c +index 7e3ad085b5bdd..ef4339e84d034 100644 +--- a/drivers/crypto/mediatek/mtk-platform.c ++++ b/drivers/crypto/mediatek/mtk-platform.c +@@ -442,7 +442,7 @@ static void mtk_desc_dma_free(struct mtk_cryp *cryp) + static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + { + struct mtk_ring **ring = cryp->ring; +- int i, err = ENOMEM; ++ int i; + + for (i = 0; i < MTK_RING_MAX; i++) { + ring[i] = kzalloc(sizeof(**ring), GFP_KERNEL); +@@ -476,7 +476,7 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + ring[i]->cmd_base, ring[i]->cmd_dma); + kfree(ring[i]); + } +- return err; ++ return -ENOMEM; + } + + static int mtk_crypto_probe(struct platform_device *pdev) +-- +2.25.1 + diff --git a/queue-5.4/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch b/queue-5.4/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch new file mode 100644 index 00000000000..b2a98de4c69 --- /dev/null +++ b/queue-5.4/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch @@ -0,0 +1,39 @@ +From a855ece137c39a1aa66fa786f3a19fff1b1b8713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 10:56:24 +0300 +Subject: crypto: omap-sham - fix digcnt register handling with export/import + +From: Tero Kristo + +[ Upstream commit 3faf757bad75f3fc1b2736f0431e295a073a7423 ] + +Running export/import for hashes in peculiar order (mostly done by +openssl) can mess up the internal book keeping of the OMAP SHA core. +Fix by forcibly writing the correct DIGCNT back to hardware. This issue +was noticed while transitioning to openssl 1.1 support. + +Fixes: 0d373d603202 ("crypto: omap-sham - Add OMAP4/AM33XX SHAM Support") +Signed-off-by: Tero Kristo +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-sham.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index aba5db3c0588f..d7c0c982ba433 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -453,6 +453,9 @@ static void omap_sham_write_ctrl_omap4(struct omap_sham_dev *dd, size_t length, + struct omap_sham_reqctx *ctx = ahash_request_ctx(dd->req); + u32 val, mask; + ++ if (likely(ctx->digcnt)) ++ omap_sham_write(dd, SHA_REG_DIGCNT(dd), ctx->digcnt); ++ + /* + * Setting ALGO_CONST only for the first iteration and + * CLOSE_HASH only for the last one. Note that flags mode bits +-- +2.25.1 + diff --git a/queue-5.4/crypto-picoxcell-fix-potential-race-condition-bug.patch b/queue-5.4/crypto-picoxcell-fix-potential-race-condition-bug.patch new file mode 100644 index 00000000000..46a60395a41 --- /dev/null +++ b/queue-5.4/crypto-picoxcell-fix-potential-race-condition-bug.patch @@ -0,0 +1,55 @@ +From 1d0b9bf0437ed2476d828142c56312b909ad320c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 18:00:24 +0530 +Subject: crypto: picoxcell - Fix potential race condition bug + +From: Madhuparna Bhowmik + +[ Upstream commit 64f4a62e3b17f1e473f971127c2924cae42afc82 ] + +engine->stat_irq_thresh was initialized after device_create_file() in +the probe function, the initialization may race with call to +spacc_stat_irq_thresh_store() which updates engine->stat_irq_thresh, +therefore initialize it before creating the file in probe function. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: ce92136843cb ("crypto: picoxcell - add support for the...") +Signed-off-by: Madhuparna Bhowmik +Acked-by: Jamie Iles +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/picoxcell_crypto.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/crypto/picoxcell_crypto.c b/drivers/crypto/picoxcell_crypto.c +index 2680e1525db58..13ecbb0e58528 100644 +--- a/drivers/crypto/picoxcell_crypto.c ++++ b/drivers/crypto/picoxcell_crypto.c +@@ -1697,11 +1697,6 @@ static int spacc_probe(struct platform_device *pdev) + goto err_clk_put; + } + +- ret = device_create_file(&pdev->dev, &dev_attr_stat_irq_thresh); +- if (ret) +- goto err_clk_disable; +- +- + /* + * Use an IRQ threshold of 50% as a default. This seems to be a + * reasonable trade off of latency against throughput but can be +@@ -1709,6 +1704,10 @@ static int spacc_probe(struct platform_device *pdev) + */ + engine->stat_irq_thresh = (engine->fifo_sz / 2); + ++ ret = device_create_file(&pdev->dev, &dev_attr_stat_irq_thresh); ++ if (ret) ++ goto err_clk_disable; ++ + /* + * Configure the interrupts. We only use the STAT_CNT interrupt as we + * only submit a new packet for processing when we complete another in +-- +2.25.1 + diff --git a/queue-5.4/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch b/queue-5.4/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch new file mode 100644 index 00000000000..be30e545b1a --- /dev/null +++ b/queue-5.4/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch @@ -0,0 +1,46 @@ +From a8ca48606ed9f842a1acf7e827741bd027e47e01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 11:00:51 +0800 +Subject: cypto: mediatek - fix leaks in mtk_desc_ring_alloc + +From: Xiaoliang Pang + +[ Upstream commit 228d284aac61283cde508a925d666f854b57af63 ] + +In the init loop, if an error occurs in function 'dma_alloc_coherent', +then goto the err_cleanup section, after run i--, +in the array ring, the struct mtk_ring with index i will not be released, +causing memory leaks + +Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips") +Cc: Ryder Lee +Signed-off-by: Xiaoliang Pang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mediatek/mtk-platform.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c +index ef4339e84d034..efce3a83b35a8 100644 +--- a/drivers/crypto/mediatek/mtk-platform.c ++++ b/drivers/crypto/mediatek/mtk-platform.c +@@ -469,13 +469,13 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + return 0; + + err_cleanup: +- for (; i--; ) { ++ do { + dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ, + ring[i]->res_base, ring[i]->res_dma); + dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ, + ring[i]->cmd_base, ring[i]->cmd_dma); + kfree(ring[i]); +- } ++ } while (i--); + return -ENOMEM; + } + +-- +2.25.1 + diff --git a/queue-5.4/dmaengine-dmatest-check-list-for-emptiness-before-ac.patch b/queue-5.4/dmaengine-dmatest-check-list-for-emptiness-before-ac.patch new file mode 100644 index 00000000000..9bd0b7f0f9f --- /dev/null +++ b/queue-5.4/dmaengine-dmatest-check-list-for-emptiness-before-ac.patch @@ -0,0 +1,58 @@ +From e69eb9692117d898a2215bf17f83863ab0f27000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 14:58:46 +0300 +Subject: dmaengine: dmatest: Check list for emptiness before access its last + entry + +From: Andy Shevchenko + +[ Upstream commit b28de385b71abf31ce68ec0387638bee26ae9024 ] + +After writing a garbage to the channel we get an Oops in dmatest_chan_set() +due to access to last entry in the empty list. + +[ 212.670672] BUG: unable to handle page fault for address: fffffff000000020 +[ 212.677562] #PF: supervisor read access in kernel mode +[ 212.682702] #PF: error_code(0x0000) - not-present page +... +[ 212.710074] RIP: 0010:dmatest_chan_set+0x149/0x2d0 [dmatest] +[ 212.715739] Code: e8 cc f9 ff ff 48 8b 1d 0d 55 00 00 48 83 7b 10 00 0f 84 63 01 00 00 48 c7 c7 d0 65 4d c0 e8 ee 4a f5 e1 48 89 c6 48 8b 43 10 <48> 8b 40 20 48 8b 78 58 48 85 ff 0f 84 f5 00 00 00 e8 b1 41 f5 e1 + +Fix this by checking list for emptiness before accessing its last entry. + +Fixes: d53513d5dc28 ("dmaengine: dmatest: Add support for multi channel testing") +Cc: Vladimir Murzin +Signed-off-by: Andy Shevchenko +Tested-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20200922115847.30100-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmatest.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index 62d9825a49e9d..238936e2dfe2d 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -1218,15 +1218,14 @@ static int dmatest_chan_set(const char *val, const struct kernel_param *kp) + add_threaded_test(info); + + /* Check if channel was added successfully */ +- dtc = list_last_entry(&info->channels, struct dmatest_chan, node); +- +- if (dtc->chan) { ++ if (!list_empty(&info->channels)) { + /* + * if new channel was not successfully added, revert the + * "test_channel" string to the name of the last successfully + * added channel. exception for when users issues empty string + * to channel parameter. + */ ++ dtc = list_last_entry(&info->channels, struct dmatest_chan, node); + if ((strcmp(dma_chan_name(dtc->chan), strim(test_channel)) != 0) + && (strcmp("", strim(test_channel)) != 0)) { + ret = -EINVAL; +-- +2.25.1 + diff --git a/queue-5.4/dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch b/queue-5.4/dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch new file mode 100644 index 00000000000..d138ab4b0cf --- /dev/null +++ b/queue-5.4/dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch @@ -0,0 +1,65 @@ +From 3b388e8dc97ffa07880657e5172b9ab332a02ac5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 23:08:23 +0300 +Subject: dmaengine: dw: Activate FIFO-mode for memory peripherals only + +From: Serge Semin + +[ Upstream commit 6d9459d04081c796fc67c2bb771f4e4ebb5744c4 ] + +CFGx.FIFO_MODE field controls a DMA-controller "FIFO readiness" criterion. +In other words it determines when to start pushing data out of a DW +DMAC channel FIFO to a destination peripheral or from a source +peripheral to the DW DMAC channel FIFO. Currently FIFO-mode is set to one +for all DW DMAC channels. It means they are tuned to flush data out of +FIFO (to a memory peripheral or by accepting the burst transaction +requests) when FIFO is at least half-full (except at the end of the block +transfer, when FIFO-flush mode is activated) and are configured to get +data to the FIFO when it's at least half-empty. + +Such configuration is a good choice when there is no slave device involved +in the DMA transfers. In that case the number of bursts per block is less +than when CFGx.FIFO_MODE = 0 and, hence, the bus utilization will improve. +But the latency of DMA transfers may increase when CFGx.FIFO_MODE = 1, +since DW DMAC will wait for the channel FIFO contents to be either +half-full or half-empty depending on having the destination or the source +transfers. Such latencies might be dangerous in case if the DMA transfers +are expected to be performed from/to a slave device. Since normally +peripheral devices keep data in internal FIFOs, any latency at some +critical moment may cause one being overflown and consequently losing +data. This especially concerns a case when either a peripheral device is +relatively fast or the DW DMAC engine is relatively slow with respect to +the incoming data pace. + +In order to solve problems, which might be caused by the latencies +described above, let's enable the FIFO half-full/half-empty "FIFO +readiness" criterion only for DMA transfers with no slave device involved. +Thanks to the commit 99ba8b9b0d97 ("dmaengine: dw: Initialize channel +before each transfer") we can freely do that in the generic +dw_dma_initialize_chan() method. + +Signed-off-by: Serge Semin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200731200826.9292-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dw/dw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/dw/dw.c b/drivers/dma/dw/dw.c +index 7a085b3c1854c..d9810980920a1 100644 +--- a/drivers/dma/dw/dw.c ++++ b/drivers/dma/dw/dw.c +@@ -14,7 +14,7 @@ + static void dw_dma_initialize_chan(struct dw_dma_chan *dwc) + { + struct dw_dma *dw = to_dw_dma(dwc->chan.device); +- u32 cfghi = DWC_CFGH_FIFO_MODE; ++ u32 cfghi = is_slave_direction(dwc->direction) ? 0 : DWC_CFGH_FIFO_MODE; + u32 cfglo = DWC_CFGL_CH_PRIOR(dwc->priority); + bool hs_polarity = dwc->dws.hs_polarity; + +-- +2.25.1 + diff --git a/queue-5.4/dmaengine-dw-add-dma-channels-mask-cell-support.patch b/queue-5.4/dmaengine-dw-add-dma-channels-mask-cell-support.patch new file mode 100644 index 00000000000..fcb0f5aab7b --- /dev/null +++ b/queue-5.4/dmaengine-dw-add-dma-channels-mask-cell-support.patch @@ -0,0 +1,114 @@ +From 90f6649d40d3dd2b016e8a1d13044f172b018801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 23:08:26 +0300 +Subject: dmaengine: dw: Add DMA-channels mask cell support + +From: Serge Semin + +[ Upstream commit e8ee6c8cb61b676f1a2d6b942329e98224bd8ee9 ] + +DW DMA IP-core provides a way to synthesize the DMA controller with +channels having different parameters like maximum burst-length, +multi-block support, maximum data width, etc. Those parameters both +explicitly and implicitly affect the channels performance. Since DMA slave +devices might be very demanding to the DMA performance, let's provide a +functionality for the slaves to be assigned with DW DMA channels, which +performance according to the platform engineer fulfill their requirements. +After this patch is applied it can be done by passing the mask of suitable +DMA-channels either directly in the dw_dma_slave structure instance or as +a fifth cell of the DMA DT-property. If mask is zero or not provided, then +there is no limitation on the channels allocation. + +For instance Baikal-T1 SoC is equipped with a DW DMAC engine, which first +two channels are synthesized with max burst length of 16, while the rest +of the channels have been created with max-burst-len=4. It would seem that +the first two channels must be faster than the others and should be more +preferable for the time-critical DMA slave devices. In practice it turned +out that the situation is quite the opposite. The channels with +max-burst-len=4 demonstrated a better performance than the channels with +max-burst-len=16 even when they both had been initialized with the same +settings. The performance drop of the first two DMA-channels made them +unsuitable for the DW APB SSI slave device. No matter what settings they +are configured with, full-duplex SPI transfers occasionally experience the +Rx FIFO overflow. It means that the DMA-engine doesn't keep up with +incoming data pace even though the SPI-bus is enabled with speed of 25MHz +while the DW DMA controller is clocked with 50MHz signal. There is no such +problem has been noticed for the channels synthesized with +max-burst-len=4. + +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20200731200826.9292-6-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dw/core.c | 4 ++++ + drivers/dma/dw/of.c | 7 +++++-- + include/linux/platform_data/dma-dw.h | 2 ++ + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c +index a1b56f52db2f2..5e7fdc0b6e3db 100644 +--- a/drivers/dma/dw/core.c ++++ b/drivers/dma/dw/core.c +@@ -772,6 +772,10 @@ bool dw_dma_filter(struct dma_chan *chan, void *param) + if (dws->dma_dev != chan->device->dev) + return false; + ++ /* permit channels in accordance with the channels mask */ ++ if (dws->channels && !(dws->channels & dwc->mask)) ++ return false; ++ + /* We have to copy data since dws can be temporary storage */ + memcpy(&dwc->dws, dws, sizeof(struct dw_dma_slave)); + +diff --git a/drivers/dma/dw/of.c b/drivers/dma/dw/of.c +index 9e27831dee324..43e975fb67142 100644 +--- a/drivers/dma/dw/of.c ++++ b/drivers/dma/dw/of.c +@@ -22,18 +22,21 @@ static struct dma_chan *dw_dma_of_xlate(struct of_phandle_args *dma_spec, + }; + dma_cap_mask_t cap; + +- if (dma_spec->args_count != 3) ++ if (dma_spec->args_count < 3 || dma_spec->args_count > 4) + return NULL; + + slave.src_id = dma_spec->args[0]; + slave.dst_id = dma_spec->args[0]; + slave.m_master = dma_spec->args[1]; + slave.p_master = dma_spec->args[2]; ++ if (dma_spec->args_count >= 4) ++ slave.channels = dma_spec->args[3]; + + if (WARN_ON(slave.src_id >= DW_DMA_MAX_NR_REQUESTS || + slave.dst_id >= DW_DMA_MAX_NR_REQUESTS || + slave.m_master >= dw->pdata->nr_masters || +- slave.p_master >= dw->pdata->nr_masters)) ++ slave.p_master >= dw->pdata->nr_masters || ++ slave.channels >= BIT(dw->pdata->nr_channels))) + return NULL; + + dma_cap_zero(cap); +diff --git a/include/linux/platform_data/dma-dw.h b/include/linux/platform_data/dma-dw.h +index f3eaf9ec00a1b..70078be166e3c 100644 +--- a/include/linux/platform_data/dma-dw.h ++++ b/include/linux/platform_data/dma-dw.h +@@ -21,6 +21,7 @@ + * @dst_id: dst request line + * @m_master: memory master for transfers on allocated channel + * @p_master: peripheral master for transfers on allocated channel ++ * @channels: mask of the channels permitted for allocation (zero value means any) + * @hs_polarity:set active low polarity of handshake interface + */ + struct dw_dma_slave { +@@ -29,6 +30,7 @@ struct dw_dma_slave { + u8 dst_id; + u8 m_master; + u8 p_master; ++ u8 channels; + bool hs_polarity; + }; + +-- +2.25.1 + diff --git a/queue-5.4/drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch b/queue-5.4/drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch new file mode 100644 index 00000000000..6ea044e4050 --- /dev/null +++ b/queue-5.4/drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch @@ -0,0 +1,59 @@ +From 993c06745f0508c17f68a3c77f3afc704e6c399a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 16:41:10 -0400 +Subject: drivers/perf: thunderx2_pmu: Fix memory resource error handling + +From: Mark Salter + +[ Upstream commit 688494a407d1419a6b158c644b262c61cde39f48 ] + +In tx2_uncore_pmu_init_dev(), a call to acpi_dev_get_resources() is used +to create a list _CRS resources which is searched for the device base +address. There is an error check following this: + + if (!rentry->res) + return NULL + +In no case, will rentry->res be NULL, so the test is useless. Even +if the test worked, it comes before the resource list memory is +freed. None of this really matters as long as the ACPI table has +the memory resource. Let's clean it up so that it makes sense and +will give a meaningful error should firmware leave out the memory +resource. + +Fixes: 69c32972d593 ("drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver") +Signed-off-by: Mark Salter +Link: https://lore.kernel.org/r/20200915204110.326138-2-msalter@redhat.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/thunderx2_pmu.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/perf/thunderx2_pmu.c b/drivers/perf/thunderx2_pmu.c +index 9e1c3c7eeba9b..170ccb164c604 100644 +--- a/drivers/perf/thunderx2_pmu.c ++++ b/drivers/perf/thunderx2_pmu.c +@@ -627,14 +627,17 @@ static struct tx2_uncore_pmu *tx2_uncore_pmu_init_dev(struct device *dev, + list_for_each_entry(rentry, &list, node) { + if (resource_type(rentry->res) == IORESOURCE_MEM) { + res = *rentry->res; ++ rentry = NULL; + break; + } + } ++ acpi_dev_free_resource_list(&list); + +- if (!rentry->res) ++ if (rentry) { ++ dev_err(dev, "PMU type %d: Fail to find resource\n", type); + return NULL; ++ } + +- acpi_dev_free_resource_list(&list); + base = devm_ioremap_resource(dev, &res); + if (IS_ERR(base)) { + dev_err(dev, "PMU type %d: Fail to map resource\n", type); +-- +2.25.1 + diff --git a/queue-5.4/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch b/queue-5.4/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch new file mode 100644 index 00000000000..74fdc60e76f --- /dev/null +++ b/queue-5.4/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch @@ -0,0 +1,126 @@ +From 98a4d8958f88db248c9b4d01a288530c886afde2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 16:41:09 -0400 +Subject: drivers/perf: xgene_pmu: Fix uninitialized resource struct + +From: Mark Salter + +[ Upstream commit a76b8236edcf5b785d044b930f9e14ad02b4a484 ] + +This splat was reported on newer Fedora kernels booting on certain +X-gene based machines: + + xgene-pmu APMC0D83:00: X-Gene PMU version 3 + Unable to handle kernel read from unreadable memory at virtual \ + address 0000000000004006 + ... + Call trace: + string+0x50/0x100 + vsnprintf+0x160/0x750 + devm_kvasprintf+0x5c/0xb4 + devm_kasprintf+0x54/0x60 + __devm_ioremap_resource+0xdc/0x1a0 + devm_ioremap_resource+0x14/0x20 + acpi_get_pmu_hw_inf.isra.0+0x84/0x15c + acpi_pmu_dev_add+0xbc/0x21c + acpi_ns_walk_namespace+0x16c/0x1e4 + acpi_walk_namespace+0xb4/0xfc + xgene_pmu_probe_pmu_dev+0x7c/0xe0 + xgene_pmu_probe.part.0+0x2c0/0x310 + xgene_pmu_probe+0x54/0x64 + platform_drv_probe+0x60/0xb4 + really_probe+0xe8/0x4a0 + driver_probe_device+0xe4/0x100 + device_driver_attach+0xcc/0xd4 + __driver_attach+0xb0/0x17c + bus_for_each_dev+0x6c/0xb0 + driver_attach+0x30/0x40 + bus_add_driver+0x154/0x250 + driver_register+0x84/0x140 + __platform_driver_register+0x54/0x60 + xgene_pmu_driver_init+0x28/0x34 + do_one_initcall+0x40/0x204 + do_initcalls+0x104/0x144 + kernel_init_freeable+0x198/0x210 + kernel_init+0x20/0x12c + ret_from_fork+0x10/0x18 + Code: 91000400 110004e1 eb08009f 540000c0 (38646846) + ---[ end trace f08c10566496a703 ]--- + +This is due to use of an uninitialized local resource struct in the xgene +pmu driver. The thunderx2_pmu driver avoids this by using the resource list +constructed by acpi_dev_get_resources() rather than using a callback from +that function. The callback in the xgene driver didn't fully initialize +the resource. So get rid of the callback and search the resource list as +done by thunderx2. + +Fixes: 832c927d119b ("perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver") +Signed-off-by: Mark Salter +Link: https://lore.kernel.org/r/20200915204110.326138-1-msalter@redhat.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/xgene_pmu.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/drivers/perf/xgene_pmu.c b/drivers/perf/xgene_pmu.c +index 328aea9f6be32..50b37f8f5c7ff 100644 +--- a/drivers/perf/xgene_pmu.c ++++ b/drivers/perf/xgene_pmu.c +@@ -1459,17 +1459,6 @@ static char *xgene_pmu_dev_name(struct device *dev, u32 type, int id) + } + + #if defined(CONFIG_ACPI) +-static int acpi_pmu_dev_add_resource(struct acpi_resource *ares, void *data) +-{ +- struct resource *res = data; +- +- if (ares->type == ACPI_RESOURCE_TYPE_FIXED_MEMORY32) +- acpi_dev_resource_memory(ares, res); +- +- /* Always tell the ACPI core to skip this resource */ +- return 1; +-} +- + static struct + xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + struct acpi_device *adev, u32 type) +@@ -1481,6 +1470,7 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + struct hw_pmu_info *inf; + void __iomem *dev_csr; + struct resource res; ++ struct resource_entry *rentry; + int enable_bit; + int rc; + +@@ -1489,11 +1479,23 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + return NULL; + + INIT_LIST_HEAD(&resource_list); +- rc = acpi_dev_get_resources(adev, &resource_list, +- acpi_pmu_dev_add_resource, &res); ++ rc = acpi_dev_get_resources(adev, &resource_list, NULL, NULL); ++ if (rc <= 0) { ++ dev_err(dev, "PMU type %d: No resources found\n", type); ++ return NULL; ++ } ++ ++ list_for_each_entry(rentry, &resource_list, node) { ++ if (resource_type(rentry->res) == IORESOURCE_MEM) { ++ res = *rentry->res; ++ rentry = NULL; ++ break; ++ } ++ } + acpi_dev_free_resource_list(&resource_list); +- if (rc < 0) { +- dev_err(dev, "PMU type %d: No resource address found\n", type); ++ ++ if (rentry) { ++ dev_err(dev, "PMU type %d: No memory resource found\n", type); + return NULL; + } + +-- +2.25.1 + diff --git a/queue-5.4/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch b/queue-5.4/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch new file mode 100644 index 00000000000..104bc730b81 --- /dev/null +++ b/queue-5.4/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch @@ -0,0 +1,99 @@ +From b72dfdcf3290a78d41fec0897d3c50964b82d711 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 02:51:11 +0530 +Subject: drivers/virt/fsl_hypervisor: Fix error handling path + +From: Souptick Joarder + +[ Upstream commit 7f360bec37857bfd5a48cef21d86f58a09a3df63 ] + +First, when memory allocation for sg_list_unaligned failed, there +is a bug of calling put_pages() as we haven't pinned any pages. + +Second, if get_user_pages_fast() failed we should unpin num_pinned +pages. + +This will address both. + +As part of these changes, minor update in documentation. + +Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") +Signed-off-by: Souptick Joarder +Reviewed-by: Dan Carpenter +Reviewed-by: John Hubbard +Link: https://lore.kernel.org/r/1598995271-6755-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/virt/fsl_hypervisor.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c +index 93d5bebf9572a..fb292f9cf29df 100644 +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -157,7 +157,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + + unsigned int i; + long ret = 0; +- int num_pinned; /* return value from get_user_pages() */ ++ int num_pinned = 0; /* return value from get_user_pages_fast() */ + phys_addr_t remote_paddr; /* The next address in the remote buffer */ + uint32_t count; /* The number of bytes left to copy */ + +@@ -174,7 +174,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + return -EINVAL; + + /* +- * The array of pages returned by get_user_pages() covers only ++ * The array of pages returned by get_user_pages_fast() covers only + * page-aligned memory. Since the user buffer is probably not + * page-aligned, we need to handle the discrepancy. + * +@@ -224,7 +224,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + + /* + * 'pages' is an array of struct page pointers that's initialized by +- * get_user_pages(). ++ * get_user_pages_fast(). + */ + pages = kcalloc(num_pages, sizeof(struct page *), GFP_KERNEL); + if (!pages) { +@@ -241,7 +241,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + if (!sg_list_unaligned) { + pr_debug("fsl-hv: could not allocate S/G list\n"); + ret = -ENOMEM; +- goto exit; ++ goto free_pages; + } + sg_list = PTR_ALIGN(sg_list_unaligned, sizeof(struct fh_sg_list)); + +@@ -250,7 +250,6 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + num_pages, param.source != -1 ? FOLL_WRITE : 0, pages); + + if (num_pinned != num_pages) { +- /* get_user_pages() failed */ + pr_debug("fsl-hv: could not lock source buffer\n"); + ret = (num_pinned < 0) ? num_pinned : -EFAULT; + goto exit; +@@ -292,13 +291,13 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + virt_to_phys(sg_list), num_pages); + + exit: +- if (pages) { +- for (i = 0; i < num_pages; i++) +- if (pages[i]) +- put_page(pages[i]); ++ if (pages && (num_pinned > 0)) { ++ for (i = 0; i < num_pinned; i++) ++ put_page(pages[i]); + } + + kfree(sg_list_unaligned); ++free_pages: + kfree(pages); + + if (!ret) +-- +2.25.1 + diff --git a/queue-5.4/drm-amd-display-fix-wrong-return-value-in-dm_update_.patch b/queue-5.4/drm-amd-display-fix-wrong-return-value-in-dm_update_.patch new file mode 100644 index 00000000000..0e5abb8e6e0 --- /dev/null +++ b/queue-5.4/drm-amd-display-fix-wrong-return-value-in-dm_update_.patch @@ -0,0 +1,38 @@ +From 348d189939496e524eb886e5868f1c6f628b3992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:36 +0800 +Subject: drm/amd/display: Fix wrong return value in dm_update_plane_state() + +From: Tianjia Zhang + +[ Upstream commit c35376137e940c3389df2726a92649c01a9844b4 ] + +On an error exit path, a negative error code should be returned +instead of a positive return value. + +Fixes: 9e869063b0021 ("drm/amd/display: Move iteration out of dm_update_planes") +Cc: Leo Li +Signed-off-by: Tianjia Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 2384aa018993d..7c58085031732 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -6984,8 +6984,7 @@ static int dm_update_plane_state(struct dc *dc, + dm_old_plane_state->dc_state, + dm_state->context)) { + +- ret = EINVAL; +- return ret; ++ return -EINVAL; + } + + +-- +2.25.1 + diff --git a/queue-5.4/drm-crc-debugfs-fix-memleak-in-crc_control_write.patch b/queue-5.4/drm-crc-debugfs-fix-memleak-in-crc_control_write.patch new file mode 100644 index 00000000000..8eb1acdc3cd --- /dev/null +++ b/queue-5.4/drm-crc-debugfs-fix-memleak-in-crc_control_write.patch @@ -0,0 +1,43 @@ +From 34efab5e34f00c5ebd1a7662e5545c0a890a8ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 16:22:28 +0800 +Subject: drm/crc-debugfs: Fix memleak in crc_control_write + +From: Dinghao Liu + +[ Upstream commit f7ec68b341dbd5da13d4c65ce444dcd605f1c42e ] + +When verify_crc_source() fails, source needs to be freed. +However, current code is returning directly and ends up +leaking memory. + +Fixes: d5cc15a0c66e ("drm: crc: Introduce verify_crc_source callback") +Signed-off-by: Dinghao Liu +Reviewed-by: Laurent Pinchart +[danvet: change Fixes: tag per Laurent's review] +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200819082228.26847-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_debugfs_crc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_debugfs_crc.c b/drivers/gpu/drm/drm_debugfs_crc.c +index 6a626c82e264b..f6598c5a9a879 100644 +--- a/drivers/gpu/drm/drm_debugfs_crc.c ++++ b/drivers/gpu/drm/drm_debugfs_crc.c +@@ -144,8 +144,10 @@ static ssize_t crc_control_write(struct file *file, const char __user *ubuf, + source[len - 1] = '\0'; + + ret = crtc->funcs->verify_crc_source(crtc, source, &values_cnt); +- if (ret) ++ if (ret) { ++ kfree(source); + return ret; ++ } + + spin_lock_irq(&crc->lock); + +-- +2.25.1 + diff --git a/queue-5.4/drm-gma500-fix-error-check.patch b/queue-5.4/drm-gma500-fix-error-check.patch new file mode 100644 index 00000000000..89f99c7b755 --- /dev/null +++ b/queue-5.4/drm-gma500-fix-error-check.patch @@ -0,0 +1,54 @@ +From c614a78645af04e5991940bf651b64ad361c24d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 13:59:11 -0700 +Subject: drm/gma500: fix error check + +From: Tom Rix + +[ Upstream commit cdd296cdae1af2d27dae3fcfbdf12c5252ab78cf ] + +Reviewing this block of code in cdv_intel_dp_init() + +ret = cdv_intel_dp_aux_native_read(gma_encoder, DP_DPCD_REV, ... + +cdv_intel_edp_panel_vdd_off(gma_encoder); +if (ret == 0) { + /* if this fails, presume the device is a ghost */ + DRM_INFO("failed to retrieve link info, disabling eDP\n"); + drm_encoder_cleanup(encoder); + cdv_intel_dp_destroy(connector); + goto err_priv; +} else { + +The (ret == 0) is not strict enough. +cdv_intel_dp_aux_native_read() returns > 0 on success +otherwise it is failure. + +So change to <= + +Fixes: d112a8163f83 ("gma500/cdv: Add eDP support") + +Signed-off-by: Tom Rix +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20200805205911.20927-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c +index 570b59520fd13..2ff4b35151bf8 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c +@@ -2120,7 +2120,7 @@ cdv_intel_dp_init(struct drm_device *dev, struct psb_intel_mode_device *mode_dev + intel_dp->dpcd, + sizeof(intel_dp->dpcd)); + cdv_intel_edp_panel_vdd_off(gma_encoder); +- if (ret == 0) { ++ if (ret <= 0) { + /* if this fails, presume the device is a ghost */ + DRM_INFO("failed to retrieve link info, disabling eDP\n"); + cdv_intel_dp_encoder_destroy(encoder); +-- +2.25.1 + diff --git a/queue-5.4/drm-msm-a6xx-fix-a-potential-overflow-issue.patch b/queue-5.4/drm-msm-a6xx-fix-a-potential-overflow-issue.patch new file mode 100644 index 00000000000..6721051c900 --- /dev/null +++ b/queue-5.4/drm-msm-a6xx-fix-a-potential-overflow-issue.patch @@ -0,0 +1,37 @@ +From 819087bde0cfb74a134e73116ff8046418874e30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Sep 2020 18:25:58 +0800 +Subject: drm/msm/a6xx: fix a potential overflow issue + +From: Zhenzhong Duan + +[ Upstream commit 08d3ab4b46339bc6f97e83b54a3fb4f8bf8f4cd9 ] + +It's allocating an array of a6xx_gpu_state_obj structure rathor than +its pointers. + +This patch fix it. + +Signed-off-by: Zhenzhong Duan +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c +index 691c1a277d91b..dfcbb2b7cdda3 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c +@@ -834,7 +834,7 @@ static void a6xx_get_indexed_registers(struct msm_gpu *gpu, + int i; + + a6xx_state->indexed_regs = state_kcalloc(a6xx_state, count, +- sizeof(a6xx_state->indexed_regs)); ++ sizeof(*a6xx_state->indexed_regs)); + if (!a6xx_state->indexed_regs) + return; + +-- +2.25.1 + diff --git a/queue-5.4/drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch b/queue-5.4/drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch new file mode 100644 index 00000000000..629ef468516 --- /dev/null +++ b/queue-5.4/drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch @@ -0,0 +1,83 @@ +From 2e8776003fccbdb8d20156a791e5c40264526c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 14:59:41 -0700 +Subject: drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() + +From: Stephen Boyd + +[ Upstream commit 22f760941844dbcee6ee446e1896532f6dff01ef ] + +The cstate->num_mixers member is only set to a non-zero value once +dpu_encoder_virt_mode_set() is called, but the atomic check function can +be called by userspace before that. Let's avoid the div-by-zero here and +inside _dpu_crtc_setup_lm_bounds() by skipping this part of the atomic +check if dpu_encoder_virt_mode_set() hasn't been called yet. This fixes +an UBSAN warning: + + UBSAN: Undefined behaviour in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c:860:31 + division by zero + CPU: 7 PID: 409 Comm: frecon Tainted: G S 5.4.31 #128 + Hardware name: Google Trogdor (rev0) (DT) + Call trace: + dump_backtrace+0x0/0x14c + show_stack+0x20/0x2c + dump_stack+0xa0/0xd8 + __ubsan_handle_divrem_overflow+0xec/0x110 + dpu_crtc_atomic_check+0x97c/0x9d4 + drm_atomic_helper_check_planes+0x160/0x1c8 + drm_atomic_helper_check+0x54/0xbc + drm_atomic_check_only+0x6a8/0x880 + drm_atomic_commit+0x20/0x5c + drm_atomic_helper_set_config+0x98/0xa0 + drm_mode_setcrtc+0x308/0x5dc + drm_ioctl_kernel+0x9c/0x114 + drm_ioctl+0x2ac/0x4b0 + drm_compat_ioctl+0xe8/0x13c + __arm64_compat_sys_ioctl+0x184/0x324 + el0_svc_common+0xa4/0x154 + el0_svc_compat_handler+0x + +Cc: Abhinav Kumar +Cc: Jeykumar Sankaran +Cc: Jordan Crouse +Cc: Sean Paul +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Stephen Boyd +Reviewed-by: Abhinav Kumar +Tested-by: Sai Prakash Ranjan +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index 36c85c05b7cf7..4aed5e9a84a45 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -819,7 +819,7 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + struct drm_plane *plane; + struct drm_display_mode *mode; + +- int cnt = 0, rc = 0, mixer_width, i, z_pos; ++ int cnt = 0, rc = 0, mixer_width = 0, i, z_pos; + + struct dpu_multirect_plane_states multirect_plane[DPU_STAGE_MAX * 2]; + int multirect_count = 0; +@@ -852,9 +852,11 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + + memset(pipe_staged, 0, sizeof(pipe_staged)); + +- mixer_width = mode->hdisplay / cstate->num_mixers; ++ if (cstate->num_mixers) { ++ mixer_width = mode->hdisplay / cstate->num_mixers; + +- _dpu_crtc_setup_lm_bounds(crtc, state); ++ _dpu_crtc_setup_lm_bounds(crtc, state); ++ } + + crtc_rect.x2 = mode->hdisplay; + crtc_rect.y2 = mode->vdisplay; +-- +2.25.1 + diff --git a/queue-5.4/drm-mxsfb-check-framebuffer-pitch.patch b/queue-5.4/drm-mxsfb-check-framebuffer-pitch.patch new file mode 100644 index 00000000000..b782c854fad --- /dev/null +++ b/queue-5.4/drm-mxsfb-check-framebuffer-pitch.patch @@ -0,0 +1,71 @@ +From 04e699c822597457b03ce66891618aa8fe93febc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 16:16:54 +0200 +Subject: drm: mxsfb: check framebuffer pitch + +From: Stefan Agner + +[ Upstream commit d5a0c816900419105a12e7471bf074319dfa34be ] + +The lcdif IP does not support a framebuffer pitch (stride) other than +framebuffer width. Check for equality and reject the framebuffer +otherwise. + +This prevents a distorted picture when using 640x800 and running the +Mesa graphics stack. Mesa tries to use a cache aligned stride, which +leads at that particular resolution to width != stride. Currently +Mesa has no fallback behavior, but rejecting this configuration allows +userspace to handle the issue correctly. + +Fixes: 45d59d704080 ("drm: Add new driver for MXSFB controller") +Signed-off-by: Stefan Agner +Reviewed-by: Laurent Pinchart +Link: https://patchwork.freedesktop.org/patch/msgid/20200908141654.266836-1-stefan@agner.ch +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mxsfb/mxsfb_drv.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mxsfb/mxsfb_drv.c b/drivers/gpu/drm/mxsfb/mxsfb_drv.c +index e8506335cd155..1694a7deb9133 100644 +--- a/drivers/gpu/drm/mxsfb/mxsfb_drv.c ++++ b/drivers/gpu/drm/mxsfb/mxsfb_drv.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -87,8 +88,26 @@ void mxsfb_disable_axi_clk(struct mxsfb_drm_private *mxsfb) + clk_disable_unprepare(mxsfb->clk_axi); + } + ++static struct drm_framebuffer * ++mxsfb_fb_create(struct drm_device *dev, struct drm_file *file_priv, ++ const struct drm_mode_fb_cmd2 *mode_cmd) ++{ ++ const struct drm_format_info *info; ++ ++ info = drm_get_format_info(dev, mode_cmd); ++ if (!info) ++ return ERR_PTR(-EINVAL); ++ ++ if (mode_cmd->width * info->cpp[0] != mode_cmd->pitches[0]) { ++ dev_dbg(dev->dev, "Invalid pitch: fb width must match pitch\n"); ++ return ERR_PTR(-EINVAL); ++ } ++ ++ return drm_gem_fb_create(dev, file_priv, mode_cmd); ++} ++ + static const struct drm_mode_config_funcs mxsfb_mode_config_funcs = { +- .fb_create = drm_gem_fb_create, ++ .fb_create = mxsfb_fb_create, + .atomic_check = drm_atomic_helper_check, + .atomic_commit = drm_atomic_helper_commit, + }; +-- +2.25.1 + diff --git a/queue-5.4/drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch b/queue-5.4/drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch new file mode 100644 index 00000000000..e0b02248442 --- /dev/null +++ b/queue-5.4/drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch @@ -0,0 +1,39 @@ +From 25837147d4f33f0e0e7a7408a1c82061dbb6edaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 03:32:54 +0300 +Subject: drm: panel: Fix bpc for OrtusTech COM43H4M85ULC panel + +From: Laurent Pinchart + +[ Upstream commit 3b8095169982ff4ec2a1b4be61b7224bbef23b48 ] + +The OrtusTech COM43H4M85ULC panel is a 18-bit RGB panel. Commit +f098f168e91c ("drm: panel: Fix bus format for OrtusTech COM43H4M85ULC +panel") has fixed the bus formats, but forgot to address the bpc value. +Set it to 6. + +Fixes: f098f168e91c ("drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200824003254.21904-1-laurent.pinchart@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 14f5c79299cc0..f0ea782df836d 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2382,7 +2382,7 @@ static const struct drm_display_mode ortustech_com43h4m85ulc_mode = { + static const struct panel_desc ortustech_com43h4m85ulc = { + .modes = &ortustech_com43h4m85ulc_mode, + .num_modes = 1, +- .bpc = 8, ++ .bpc = 6, + .size = { + .width = 56, + .height = 93, +-- +2.25.1 + diff --git a/queue-5.4/drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch b/queue-5.4/drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch new file mode 100644 index 00000000000..4ac191b52d4 --- /dev/null +++ b/queue-5.4/drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch @@ -0,0 +1,37 @@ +From bc9cfe1438fdfd073634a256c782dcf7c4ba5e2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 01:02:44 +0300 +Subject: drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel + +From: Laurent Pinchart + +[ Upstream commit f098f168e91ca915c6cf8aa316136af647792f2f ] + +The OrtusTech COM43H4M85ULC panel is a 18-bit RGB panel, set the bus +format to MEDIA_BUS_FMT_RGB666_1X18. + +Fixes: 725c9d40f3fe ("drm/panel: Add support for OrtusTech COM43H4M85ULC panel") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200812220244.24500-1-laurent.pinchart@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 6d9656323a3f4..14f5c79299cc0 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2387,7 +2387,7 @@ static const struct panel_desc ortustech_com43h4m85ulc = { + .width = 56, + .height = 93, + }, +- .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18, + .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE, + }; + +-- +2.25.1 + diff --git a/queue-5.4/drm-panfrost-add-amlogic-reset-quirk-callback.patch b/queue-5.4/drm-panfrost-add-amlogic-reset-quirk-callback.patch new file mode 100644 index 00000000000..6251e0855d1 --- /dev/null +++ b/queue-5.4/drm-panfrost-add-amlogic-reset-quirk-callback.patch @@ -0,0 +1,81 @@ +From a41008b54a47c18f69adae37a5ec0c16566cf889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 17:01:46 +0200 +Subject: drm/panfrost: add amlogic reset quirk callback + +From: Neil Armstrong + +[ Upstream commit 110003002291525bb209f47e6dbf121a63249a97 ] + +The T820, G31 & G52 GPUs integrated by Amlogic in the respective GXM, +G12A/SM1 & G12B SoCs needs a quirk in the PWR registers at the GPU reset +time. + +Since the Amlogic's integration of the GPU cores with the SoC is not +publicly documented we do not know what does these values, but they +permit having a fully functional GPU running with Panfrost. + +Signed-off-by: Neil Armstrong +[Steven: Fix typo in commit log] +Reviewed-by: Steven Price +Reviewed-by: Alyssa Rosenzweig +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20200916150147.25753-3-narmstrong@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_gpu.c | 11 +++++++++++ + drivers/gpu/drm/panfrost/panfrost_gpu.h | 2 ++ + drivers/gpu/drm/panfrost/panfrost_regs.h | 4 ++++ + 3 files changed, 17 insertions(+) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c +index 1431db13ec788..0d39a201c7591 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c +@@ -75,6 +75,17 @@ int panfrost_gpu_soft_reset(struct panfrost_device *pfdev) + return 0; + } + ++void panfrost_gpu_amlogic_quirk(struct panfrost_device *pfdev) ++{ ++ /* ++ * The Amlogic integrated Mali-T820, Mali-G31 & Mali-G52 needs ++ * these undocumented bits in GPU_PWR_OVERRIDE1 to be set in order ++ * to operate correctly. ++ */ ++ gpu_write(pfdev, GPU_PWR_KEY, GPU_PWR_KEY_UNLOCK); ++ gpu_write(pfdev, GPU_PWR_OVERRIDE1, 0xfff | (0x20 << 16)); ++} ++ + static void panfrost_gpu_init_quirks(struct panfrost_device *pfdev) + { + u32 quirks = 0; +diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.h b/drivers/gpu/drm/panfrost/panfrost_gpu.h +index 4112412087b27..468c51e7e46db 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gpu.h ++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.h +@@ -16,4 +16,6 @@ int panfrost_gpu_soft_reset(struct panfrost_device *pfdev); + void panfrost_gpu_power_on(struct panfrost_device *pfdev); + void panfrost_gpu_power_off(struct panfrost_device *pfdev); + ++void panfrost_gpu_amlogic_quirk(struct panfrost_device *pfdev); ++ + #endif +diff --git a/drivers/gpu/drm/panfrost/panfrost_regs.h b/drivers/gpu/drm/panfrost/panfrost_regs.h +index ea38ac60581c6..eddaa62ad8b0e 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_regs.h ++++ b/drivers/gpu/drm/panfrost/panfrost_regs.h +@@ -51,6 +51,10 @@ + #define GPU_STATUS 0x34 + #define GPU_STATUS_PRFCNT_ACTIVE BIT(2) + #define GPU_LATEST_FLUSH_ID 0x38 ++#define GPU_PWR_KEY 0x50 /* (WO) Power manager key register */ ++#define GPU_PWR_KEY_UNLOCK 0x2968A819 ++#define GPU_PWR_OVERRIDE0 0x54 /* (RW) Power manager override settings */ ++#define GPU_PWR_OVERRIDE1 0x58 /* (RW) Power manager override settings */ + #define GPU_FAULT_STATUS 0x3C + #define GPU_FAULT_ADDRESS_LO 0x40 + #define GPU_FAULT_ADDRESS_HI 0x44 +-- +2.25.1 + diff --git a/queue-5.4/drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch b/queue-5.4/drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch new file mode 100644 index 00000000000..d819c587426 --- /dev/null +++ b/queue-5.4/drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch @@ -0,0 +1,50 @@ +From 668f6598b15b2b999e58bc98ce1d3530b47036b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 13:29:57 +0100 +Subject: drm/panfrost: Ensure GPU quirks are always initialised + +From: Steven Price + +[ Upstream commit 8c3c818c23a5bbce6ff180dd2ee04415241df77c ] + +The GPU 'CONFIG' registers used to work around hardware issues are +cleared on reset so need to be programmed every time the GPU is reset. +However panfrost_device_reset() failed to do this. + +To avoid this in future instead move the call to +panfrost_gpu_init_quirks() to panfrost_gpu_power_on() so that the +regsiters are always programmed just before the cores are powered. + +Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") +Signed-off-by: Steven Price +Reviewed-by: Alyssa Rosenzweig +Link: https://patchwork.freedesktop.org/patch/msgid/20200909122957.51667-1-steven.price@arm.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_gpu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c +index 8822ec13a0d61..1431db13ec788 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c +@@ -304,6 +304,8 @@ void panfrost_gpu_power_on(struct panfrost_device *pfdev) + int ret; + u32 val; + ++ panfrost_gpu_init_quirks(pfdev); ++ + /* Just turn on everything for now */ + gpu_write(pfdev, L2_PWRON_LO, pfdev->features.l2_present); + ret = readl_relaxed_poll_timeout(pfdev->iomem + L2_READY_LO, +@@ -357,7 +359,6 @@ int panfrost_gpu_init(struct panfrost_device *pfdev) + return err; + } + +- panfrost_gpu_init_quirks(pfdev); + panfrost_gpu_power_on(pfdev); + + return 0; +-- +2.25.1 + diff --git a/queue-5.4/drm-radeon-prefer-lower-feedback-dividers.patch b/queue-5.4/drm-radeon-prefer-lower-feedback-dividers.patch new file mode 100644 index 00000000000..3a81e9213b6 --- /dev/null +++ b/queue-5.4/drm-radeon-prefer-lower-feedback-dividers.patch @@ -0,0 +1,48 @@ +From 1ce0faed7f388cf195457e3675d17444563d11db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:33:48 +0800 +Subject: drm/radeon: Prefer lower feedback dividers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai-Heng Feng + +[ Upstream commit 5150dd85bdfa08143cacf1b4249121651bed3c35 ] + +Commit 2e26ccb119bd ("drm/radeon: prefer lower reference dividers") +fixed screen flicker for HP Compaq nx9420 but breaks other laptops like +Asus X50SL. + +Turns out we also need to favor lower feedback dividers. + +Users confirmed this change fixes the regression and doesn't regress the +original fix. + +Fixes: 2e26ccb119bd ("drm/radeon: prefer lower reference dividers") +BugLink: https://bugs.launchpad.net/bugs/1791312 +BugLink: https://bugs.launchpad.net/bugs/1861554 +Reviewed-by: Christian König +Signed-off-by: Kai-Heng Feng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index f9f74150d0d73..e7c4e06bc7d4f 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -932,7 +932,7 @@ static void avivo_get_fb_ref_div(unsigned nom, unsigned den, unsigned post_div, + + /* get matching reference and feedback divider */ + *ref_div = min(max(den/post_div, 1u), ref_div_max); +- *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den); ++ *fb_div = max(nom * *ref_div * post_div / den, 1u); + + /* limit fb divider to its maximum */ + if (*fb_div > fb_div_max) { +-- +2.25.1 + diff --git a/queue-5.4/drm-vkms-fix-xrgb-on-compute-crc.patch b/queue-5.4/drm-vkms-fix-xrgb-on-compute-crc.patch new file mode 100644 index 00000000000..775b70518b8 --- /dev/null +++ b/queue-5.4/drm-vkms-fix-xrgb-on-compute-crc.patch @@ -0,0 +1,39 @@ +From e7bd5106fb33a9705ce293d6e1126c966e88c74c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 17:25:24 -0300 +Subject: drm/vkms: fix xrgb on compute crc + +From: Melissa Wen + +[ Upstream commit 0986191186128b10b6bbfa5220fc587ed5725e49 ] + +The previous memset operation was not correctly zeroing the alpha +channel to compute the crc, and as a result, the IGT subtest +kms_cursor_crc/pipe-A-cursor-alpha-transparent fails. + +Fixes: db7f419c06d7c ("drm/vkms: Compute CRC with Cursor Plane") + +Signed-off-by: Melissa Wen +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200730202524.5upzuh4irboru7my@smtp.gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_composer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_composer.c b/drivers/gpu/drm/vkms/vkms_composer.c +index d5585695c64d1..45d6ebbdbdb22 100644 +--- a/drivers/gpu/drm/vkms/vkms_composer.c ++++ b/drivers/gpu/drm/vkms/vkms_composer.c +@@ -33,7 +33,7 @@ static uint32_t compute_crc(void *vaddr_out, struct vkms_composer *composer) + + (i * composer->pitch) + + (j * composer->cpp); + /* XRGB format ignores Alpha channel */ +- memset(vaddr_out + src_offset + 24, 0, 8); ++ bitmap_clear(vaddr_out + src_offset, 24, 8); + crc = crc32_le(crc, vaddr_out + src_offset, + sizeof(u32)); + } +-- +2.25.1 + diff --git a/queue-5.4/edac-aspeed-fix-handling-of-platform_get_irq-error.patch b/queue-5.4/edac-aspeed-fix-handling-of-platform_get_irq-error.patch new file mode 100644 index 00000000000..5083b14e83b --- /dev/null +++ b/queue-5.4/edac-aspeed-fix-handling-of-platform_get_irq-error.patch @@ -0,0 +1,43 @@ +From 83738e6a06bbc9ef998253964b95b90c5d3767dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:07:42 +0200 +Subject: EDAC/aspeed: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit afce6996943be265fa39240b67025cfcb1bcdfb1 ] + +platform_get_irq() returns a negative error number on error. In such a +case, comparison to 0 would pass the check therefore check the return +value properly, whether it is negative. + + [ bp: Massage commit message. ] + +Fixes: 9b7e6242ee4e ("EDAC, aspeed: Add an Aspeed AST2500 EDAC driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Borislav Petkov +Reviewed-by: Stefan Schaeckeler +Link: https://lkml.kernel.org/r/20200827070743.26628-1-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/edac/aspeed_edac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/aspeed_edac.c b/drivers/edac/aspeed_edac.c +index 5634437bb39d2..66669f9d690be 100644 +--- a/drivers/edac/aspeed_edac.c ++++ b/drivers/edac/aspeed_edac.c +@@ -209,8 +209,8 @@ static int config_irq(void *ctx, struct platform_device *pdev) + /* register interrupt handler */ + irq = platform_get_irq(pdev, 0); + dev_dbg(&pdev->dev, "got irq %d\n", irq); +- if (!irq) +- return -ENODEV; ++ if (irq < 0) ++ return irq; + + rc = devm_request_irq(&pdev->dev, irq, mcr_isr, IRQF_TRIGGER_HIGH, + DRV_NAME, ctx); +-- +2.25.1 + diff --git a/queue-5.4/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch b/queue-5.4/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch new file mode 100644 index 00000000000..601df638a8b --- /dev/null +++ b/queue-5.4/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch @@ -0,0 +1,69 @@ +From c9b2547db6e33832a084e942380c1adc5553231e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 20:14:37 +0800 +Subject: EDAC/i5100: Fix error handling order in i5100_init_one() + +From: Dinghao Liu + +[ Upstream commit 857a3139bd8be4f702c030c8ca06f3fd69c1741a ] + +When pci_get_device_func() fails, the driver doesn't need to execute +pci_dev_put(). mci should still be freed, though, to prevent a memory +leak. When pci_enable_device() fails, the error injection PCI device +"einj" doesn't need to be disabled either. + + [ bp: Massage commit message, rename label to "bail_mc_free". ] + +Fixes: 52608ba205461 ("i5100_edac: probe for device 19 function 0") +Signed-off-by: Dinghao Liu +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200826121437.31606-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/edac/i5100_edac.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/edac/i5100_edac.c b/drivers/edac/i5100_edac.c +index 251f2b692785d..0c72daa519ffa 100644 +--- a/drivers/edac/i5100_edac.c ++++ b/drivers/edac/i5100_edac.c +@@ -1074,16 +1074,15 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + PCI_DEVICE_ID_INTEL_5100_19, 0); + if (!einj) { + ret = -ENODEV; +- goto bail_einj; ++ goto bail_mc_free; + } + + rc = pci_enable_device(einj); + if (rc < 0) { + ret = rc; +- goto bail_disable_einj; ++ goto bail_einj; + } + +- + mci->pdev = &pdev->dev; + + priv = mci->pvt_info; +@@ -1149,14 +1148,14 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + bail_scrub: + priv->scrub_enable = 0; + cancel_delayed_work_sync(&(priv->i5100_scrubbing)); +- edac_mc_free(mci); +- +-bail_disable_einj: + pci_disable_device(einj); + + bail_einj: + pci_dev_put(einj); + ++bail_mc_free: ++ edac_mc_free(mci); ++ + bail_disable_ch1: + pci_disable_device(ch1mm); + +-- +2.25.1 + diff --git a/queue-5.4/edac-ti-fix-handling-of-platform_get_irq-error.patch b/queue-5.4/edac-ti-fix-handling-of-platform_get_irq-error.patch new file mode 100644 index 00000000000..619d438202e --- /dev/null +++ b/queue-5.4/edac-ti-fix-handling-of-platform_get_irq-error.patch @@ -0,0 +1,42 @@ +From 19ff9080051b877c47b055bea8d8b76a7845d95f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:07:43 +0200 +Subject: EDAC/ti: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 66077adb70a2a9e92540155b2ace33ec98299c90 ] + +platform_get_irq() returns a negative error number on error. In such a +case, comparison to 0 would pass the check therefore check the return +value properly, whether it is negative. + + [ bp: Massage commit message. ] + +Fixes: 86a18ee21e5e ("EDAC, ti: Add support for TI keystone and DRA7xx EDAC") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Borislav Petkov +Reviewed-by: Tero Kristo +Link: https://lkml.kernel.org/r/20200827070743.26628-2-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/edac/ti_edac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c +index 6ac26d1b929f0..3247689467435 100644 +--- a/drivers/edac/ti_edac.c ++++ b/drivers/edac/ti_edac.c +@@ -278,7 +278,8 @@ static int ti_edac_probe(struct platform_device *pdev) + + /* add EMIF ECC error handler */ + error_irq = platform_get_irq(pdev, 0); +- if (!error_irq) { ++ if (error_irq < 0) { ++ ret = error_irq; + edac_printk(KERN_ERR, EDAC_MOD_NAME, + "EMIF irq number not defined.\n"); + goto err; +-- +2.25.1 + diff --git a/queue-5.4/ext4-limit-entries-returned-when-counting-fsmap-reco.patch b/queue-5.4/ext4-limit-entries-returned-when-counting-fsmap-reco.patch new file mode 100644 index 00000000000..4307dd57e9b --- /dev/null +++ b/queue-5.4/ext4-limit-entries-returned-when-counting-fsmap-reco.patch @@ -0,0 +1,40 @@ +From 893fe883412bd54d798157c2be820d8b8126a5ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 15:21:48 -0700 +Subject: ext4: limit entries returned when counting fsmap records + +From: Darrick J. Wong + +[ Upstream commit af8c53c8bc087459b1aadd4c94805d8272358d79 ] + +If userspace asked fsmap to try to count the number of entries, we cannot +return more than UINT_MAX entries because fmh_entries is u32. +Therefore, stop counting if we hit this limit or else we will waste time +to return truncated results. + +Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls") +Signed-off-by: Darrick J. Wong +Link: https://lore.kernel.org/r/20201001222148.GA49520@magnolia +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/fsmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/fsmap.c b/fs/ext4/fsmap.c +index dbccf46f17709..37347ba868b70 100644 +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -108,6 +108,9 @@ static int ext4_getfsmap_helper(struct super_block *sb, + + /* Are we just counting mappings? */ + if (info->gfi_head->fmh_count == 0) { ++ if (info->gfi_head->fmh_entries == UINT_MAX) ++ return EXT4_QUERY_RANGE_ABORT; ++ + if (rec_fsblk > info->gfi_next_fsblk) + info->gfi_head->fmh_entries++; + +-- +2.25.1 + diff --git a/queue-5.4/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch b/queue-5.4/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch new file mode 100644 index 00000000000..a5804b4673e --- /dev/null +++ b/queue-5.4/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch @@ -0,0 +1,78 @@ +From fef39b35ac609a2cfddaee940ee231e8559dcd72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 14:09:48 +0100 +Subject: f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info + +From: Jamie Iles + +[ Upstream commit ae284d87abade58c8db7760c808f311ef1ce693c ] + +syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an +f2fs filesystem could result in the following splat: + + kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250) + kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750) + ------------[ cut here ]------------ + ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98 + WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240 + Kernel panic - not syncing: panic_on_warn set ... + CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #101 + Hardware name: linux,dummy-virt (DT) + Call trace: + dump_backtrace+0x0/0x4d8 + show_stack+0x34/0x48 + dump_stack+0x174/0x1f8 + panic+0x360/0x7a0 + __warn+0x244/0x2ec + report_bug+0x240/0x398 + bug_handler+0x50/0xc0 + call_break_hook+0x160/0x1d8 + brk_handler+0x30/0xc0 + do_debug_exception+0x184/0x340 + el1_dbg+0x48/0xb0 + el1_sync_handler+0x170/0x1c8 + el1_sync+0x80/0x100 + debug_print_object+0x180/0x240 + debug_check_no_obj_freed+0x200/0x430 + slab_free_freelist_hook+0x190/0x210 + kfree+0x13c/0x460 + f2fs_put_super+0x624/0xa58 + generic_shutdown_super+0x120/0x300 + kill_block_super+0x94/0xf8 + kill_f2fs_super+0x244/0x308 + deactivate_locked_super+0x104/0x150 + deactivate_super+0x118/0x148 + cleanup_mnt+0x27c/0x3c0 + __cleanup_mnt+0x28/0x38 + task_work_run+0x10c/0x248 + do_notify_resume+0x9d4/0x1188 + work_pending+0x8/0x34c + +Like the error handling for f2fs_register_sysfs(), we need to wait for +the kobject to be destroyed before returning to prevent a potential +use-after-free. + +Fixes: bf9e697ecd42 ("f2fs: expose features to sysfs entry") +Cc: Jaegeuk Kim +Cc: Chao Yu +Signed-off-by: Jamie Iles +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 170934430d7d7..029e693e201cf 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -788,4 +788,5 @@ void f2fs_unregister_sysfs(struct f2fs_sb_info *sbi) + } + kobject_del(&sbi->s_kobj); + kobject_put(&sbi->s_kobj); ++ wait_for_completion(&sbi->s_kobj_unregister); + } +-- +2.25.1 + diff --git a/queue-5.4/fbmem-add-margin-check-to-fb_check_caps.patch b/queue-5.4/fbmem-add-margin-check-to-fb_check_caps.patch new file mode 100644 index 00000000000..60d29bbe164 --- /dev/null +++ b/queue-5.4/fbmem-add-margin-check-to-fb_check_caps.patch @@ -0,0 +1,47 @@ +From 982cacb7f7bc947ac3345727057adb03d7b92ec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 15:26:03 -0400 +Subject: fbmem: add margin check to fb_check_caps() + +From: George Kennedy + +[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ] + +A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting +or yres setting in struct fb_var_screeninfo will result in a +KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as +the margins are being cleared. The margins are cleared in +chunks and if the xres setting or yres setting is a value of +zero upto the chunk size, the failure will occur. + +Add a margin check to validate xres and yres settings. + +Signed-off-by: George Kennedy +Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com +Reviewed-by: Dan Carpenter +Cc: Dhaval Giani +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmem.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index 97abcd497c7e0..bf76dadbed87f 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1001,6 +1001,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var) + return 0; + } + ++ /* bitfill_aligned() assumes that it's at least 8x8 */ ++ if (var->xres < 8 || var->yres < 8) ++ return -EINVAL; ++ + ret = info->fbops->fb_check_var(var, info); + + if (ret) +-- +2.25.1 + diff --git a/queue-5.4/fix-use-after-free-in-get_capset_info-callback.patch b/queue-5.4/fix-use-after-free-in-get_capset_info-callback.patch new file mode 100644 index 00000000000..a029dd62829 --- /dev/null +++ b/queue-5.4/fix-use-after-free-in-get_capset_info-callback.patch @@ -0,0 +1,61 @@ +From 2d4dd4f9f560288fee0adec2327161e2b80ec3dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:08:25 -0700 +Subject: Fix use after free in get_capset_info callback. + +From: Doug Horn + +[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ] + +If a response to virtio_gpu_cmd_get_capset_info takes longer than +five seconds to return, the callback will access freed kernel memory +in vg->capsets. + +Signed-off-by: Doug Horn +Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_kms.c | 2 ++ + drivers/gpu/drm/virtio/virtgpu_vq.c | 10 +++++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c +index c190702fab726..6dcc05ab31eba 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_kms.c ++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c +@@ -96,8 +96,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev, + vgdev->capsets[i].id > 0, 5 * HZ); + if (ret == 0) { + DRM_ERROR("timed out waiting for cap set %d\n", i); ++ spin_lock(&vgdev->display_info_lock); + kfree(vgdev->capsets); + vgdev->capsets = NULL; ++ spin_unlock(&vgdev->display_info_lock); + return; + } + DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n", +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 7ac20490e1b4c..92022a83bbd5e 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -572,9 +572,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev, + int i = le32_to_cpu(cmd->capset_index); + + spin_lock(&vgdev->display_info_lock); +- vgdev->capsets[i].id = le32_to_cpu(resp->capset_id); +- vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version); +- vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size); ++ if (vgdev->capsets) { ++ vgdev->capsets[i].id = le32_to_cpu(resp->capset_id); ++ vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version); ++ vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size); ++ } else { ++ DRM_ERROR("invalid capset memory."); ++ } + spin_unlock(&vgdev->display_info_lock); + wake_up(&vgdev->resp_wq); + } +-- +2.25.1 + diff --git a/queue-5.4/fs-dlm-fix-configfs-memory-leak.patch b/queue-5.4/fs-dlm-fix-configfs-memory-leak.patch new file mode 100644 index 00000000000..99bfc843f4a --- /dev/null +++ b/queue-5.4/fs-dlm-fix-configfs-memory-leak.patch @@ -0,0 +1,70 @@ +From 33ce48ec4faae7947fe7088d73789ae9d495ca14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 15:02:51 -0400 +Subject: fs: dlm: fix configfs memory leak + +From: Alexander Aring + +[ Upstream commit 3d2825c8c6105b0f36f3ff72760799fa2e71420e ] + +This patch fixes the following memory detected by kmemleak and umount +gfs2 filesystem which removed the last lockspace: + +unreferenced object 0xffff9264f482f600 (size 192): + comm "dlm_controld", pid 325, jiffies 4294690276 (age 48.136s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 6e 6f 64 65 73 00 00 00 ........nodes... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000060481d7>] make_space+0x41/0x130 + [<000000008d905d46>] configfs_mkdir+0x1a2/0x5f0 + [<00000000729502cf>] vfs_mkdir+0x155/0x210 + [<000000000369bcf1>] do_mkdirat+0x6d/0x110 + [<00000000cc478a33>] do_syscall_64+0x33/0x40 + [<00000000ce9ccf01>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The patch just remembers the "nodes" entry pointer in space as I think +it's created as subdirectory when parent "spaces" is created. In +function drop_space() we will lost the pointer reference to nds because +configfs_remove_default_groups(). However as this subdirectory is always +available when "spaces" exists it will just be freed when "spaces" will be +freed. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/config.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/dlm/config.c b/fs/dlm/config.c +index 3b21082e1b550..3b1012a3c4396 100644 +--- a/fs/dlm/config.c ++++ b/fs/dlm/config.c +@@ -216,6 +216,7 @@ struct dlm_space { + struct list_head members; + struct mutex members_lock; + int members_count; ++ struct dlm_nodes *nds; + }; + + struct dlm_comms { +@@ -424,6 +425,7 @@ static struct config_group *make_space(struct config_group *g, const char *name) + INIT_LIST_HEAD(&sp->members); + mutex_init(&sp->members_lock); + sp->members_count = 0; ++ sp->nds = nds; + return &sp->group; + + fail: +@@ -445,6 +447,7 @@ static void drop_space(struct config_group *g, struct config_item *i) + static void release_space(struct config_item *i) + { + struct dlm_space *sp = config_item_to_space(i); ++ kfree(sp->nds); + kfree(sp); + } + +-- +2.25.1 + diff --git a/queue-5.4/fs-fix-null-dereference-due-to-data-race-in-prepend_.patch b/queue-5.4/fs-fix-null-dereference-due-to-data-race-in-prepend_.patch new file mode 100644 index 00000000000..0b29e43b6b3 --- /dev/null +++ b/queue-5.4/fs-fix-null-dereference-due-to-data-race-in-prepend_.patch @@ -0,0 +1,68 @@ +From 1cb60beb7d6940a95e6c62af13ab9c95053e9e5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 13:45:28 -0700 +Subject: fs: fix NULL dereference due to data race in prepend_path() + +From: Andrii Nakryiko + +[ Upstream commit 09cad07547445bf3a41683e4d3abcd154c123ef5 ] + +Fix data race in prepend_path() with re-reading mnt->mnt_ns twice +without holding the lock. + +is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns) might +re-read the pointer again which could be NULL already, if in between +reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets +mnt->mnt_ns to NULL. + +This is seen in production with the following stack trace: + + BUG: kernel NULL pointer dereference, address: 0000000000000048 + ... + RIP: 0010:prepend_path.isra.4+0x1ce/0x2e0 + Call Trace: + d_path+0xe6/0x150 + proc_pid_readlink+0x8f/0x100 + vfs_readlink+0xf8/0x110 + do_readlinkat+0xfd/0x120 + __x64_sys_readlinkat+0x1a/0x20 + do_syscall_64+0x42/0x110 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: f2683bd8d5bd ("[PATCH] fix d_absolute_path() interplay with fsmount()") +Signed-off-by: Andrii Nakryiko +Reviewed-by: Josef Bacik +Cc: Alexander Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/d_path.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/d_path.c b/fs/d_path.c +index 0f1fc1743302f..a69e2cd36e6e3 100644 +--- a/fs/d_path.c ++++ b/fs/d_path.c +@@ -102,6 +102,8 @@ static int prepend_path(const struct path *path, + + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) { + struct mount *parent = READ_ONCE(mnt->mnt_parent); ++ struct mnt_namespace *mnt_ns; ++ + /* Escaped? */ + if (dentry != vfsmnt->mnt_root) { + bptr = *buffer; +@@ -116,7 +118,9 @@ static int prepend_path(const struct path *path, + vfsmnt = &mnt->mnt; + continue; + } +- if (is_mounted(vfsmnt) && !is_anon_ns(mnt->mnt_ns)) ++ mnt_ns = READ_ONCE(mnt->mnt_ns); ++ /* open-coded is_mounted() to use local mnt_ns */ ++ if (!IS_ERR_OR_NULL(mnt_ns) && !is_anon_ns(mnt_ns)) + error = 1; // absolute root + else + error = 2; // detached or not attached yet +-- +2.25.1 + diff --git a/queue-5.4/hid-hid-input-fix-stylus-battery-reporting.patch b/queue-5.4/hid-hid-input-fix-stylus-battery-reporting.patch new file mode 100644 index 00000000000..e412bc43971 --- /dev/null +++ b/queue-5.4/hid-hid-input-fix-stylus-battery-reporting.patch @@ -0,0 +1,49 @@ +From 453ef0674840c48b9cc05b0626482e698aa80dad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 16:35:52 -0700 +Subject: HID: hid-input: fix stylus battery reporting + +From: Dmitry Torokhov + +[ Upstream commit 505f394fa239cecb76d916aa858f87ed7ea7fde4 ] + +With commit 4f3882177240 hid-input started clearing of "ignored" usages +to avoid using garbage that might have been left in them. However +"battery strength" usages should not be ignored, as we do want to +use them. + +Fixes: 4f3882177240 ("HID: hid-input: clear unmapped usages") +Reported-by: Kenneth Albanowski +Tested-by: Kenneth Albanowski +Signed-off-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index e3d475f4baf66..b2bff932c524f 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -797,7 +797,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x3b: /* Battery Strength */ + hidinput_setup_battery(device, HID_INPUT_REPORT, field); + usage->type = EV_PWR; +- goto ignore; ++ return; + + case 0x3c: /* Invert */ + map_key_clear(BTN_TOOL_RUBBER); +@@ -1059,7 +1059,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case HID_DC_BATTERYSTRENGTH: + hidinput_setup_battery(device, HID_INPUT_REPORT, field); + usage->type = EV_PWR; +- goto ignore; ++ return; + } + goto unknown; + +-- +2.25.1 + diff --git a/queue-5.4/hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch b/queue-5.4/hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch new file mode 100644 index 00000000000..7a588237cf2 --- /dev/null +++ b/queue-5.4/hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch @@ -0,0 +1,61 @@ +From d37f1f231f8d9bc55de3bd23aae6a49e66793703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 09:56:42 +0200 +Subject: HID: ite: Add USB id match for Acer One S1003 keyboard dock + +From: Hans de Goede + +[ Upstream commit 5bf2f2f331ad812c9b7eea6e14a3ea328acbffc0 ] + +The Acer One S1003 2-in-1 keyboard dock uses a Synaptics S910xx touchpad +which is connected to an ITE 8910 USB keyboard controller chip. + +This keyboard has the same quirk for its rfkill / airplane mode hotkey as +other keyboards with ITE keyboard chips, it only sends a single release +event when pressed and released, it never sends a press event. + +This commit adds this keyboards USB id to the hid-ite id-table, fixing +the rfkill key not working on this keyboard. Note that like for the +Acer Aspire Switch 10 (SW5-012) the id-table entry matches on the +HID_GROUP_GENERIC generic group so that hid-ite only binds to the +keyboard interface and the mouse/touchpad interface is left untouched +so that hid-multitouch can bind to it. + +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-ite.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index e03a4d794240c..7363d0b488bd8 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1119,6 +1119,7 @@ + #define USB_DEVICE_ID_SYNAPTICS_DELL_K12A 0x2819 + #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012 0x2968 + #define USB_DEVICE_ID_SYNAPTICS_TP_V103 0x5710 ++#define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003 0x73f5 + #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5 0x81a7 + + #define USB_VENDOR_ID_TEXAS_INSTRUMENTS 0x2047 +diff --git a/drivers/hid/hid-ite.c b/drivers/hid/hid-ite.c +index 6c55682c59740..044a93f3c1178 100644 +--- a/drivers/hid/hid-ite.c ++++ b/drivers/hid/hid-ite.c +@@ -44,6 +44,10 @@ static const struct hid_device_id ite_devices[] = { + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_SYNAPTICS, + USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) }, ++ /* ITE8910 USB kbd ctlr, with Synaptics touchpad connected to it. */ ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_SYNAPTICS, ++ USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003) }, + { } + }; + MODULE_DEVICE_TABLE(hid, ite_devices); +-- +2.25.1 + diff --git a/queue-5.4/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch b/queue-5.4/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch new file mode 100644 index 00000000000..b9079f9bae7 --- /dev/null +++ b/queue-5.4/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch @@ -0,0 +1,78 @@ +From 5facf14f82507179b1b0e280c044eabdca10ee55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 11:57:35 +0300 +Subject: HID: roccat: add bounds checking in kone_sysfs_write_settings() + +From: Dan Carpenter + +[ Upstream commit d4f98dbfe717490e771b6e701904bfcf4b4557f0 ] + +This code doesn't check if "settings->startup_profile" is within bounds +and that could result in an out of bounds array access. What the code +does do is it checks if the settings can be written to the firmware, so +it's possible that the firmware has a bounds check? It's safer and +easier to verify when the bounds checking is done in the kernel. + +Fixes: 14bf62cde794 ("HID: add driver for Roccat Kone gaming mouse") +Signed-off-by: Dan Carpenter +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat-kone.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c +index 1a6e600197d0b..509b9bb1362cb 100644 +--- a/drivers/hid/hid-roccat-kone.c ++++ b/drivers/hid/hid-roccat-kone.c +@@ -294,31 +294,40 @@ static ssize_t kone_sysfs_write_settings(struct file *fp, struct kobject *kobj, + struct kone_device *kone = hid_get_drvdata(dev_get_drvdata(dev)); + struct usb_device *usb_dev = interface_to_usbdev(to_usb_interface(dev)); + int retval = 0, difference, old_profile; ++ struct kone_settings *settings = (struct kone_settings *)buf; + + /* I need to get my data in one piece */ + if (off != 0 || count != sizeof(struct kone_settings)) + return -EINVAL; + + mutex_lock(&kone->kone_lock); +- difference = memcmp(buf, &kone->settings, sizeof(struct kone_settings)); ++ difference = memcmp(settings, &kone->settings, ++ sizeof(struct kone_settings)); + if (difference) { +- retval = kone_set_settings(usb_dev, +- (struct kone_settings const *)buf); +- if (retval) { +- mutex_unlock(&kone->kone_lock); +- return retval; ++ if (settings->startup_profile < 1 || ++ settings->startup_profile > 5) { ++ retval = -EINVAL; ++ goto unlock; + } + ++ retval = kone_set_settings(usb_dev, settings); ++ if (retval) ++ goto unlock; ++ + old_profile = kone->settings.startup_profile; +- memcpy(&kone->settings, buf, sizeof(struct kone_settings)); ++ memcpy(&kone->settings, settings, sizeof(struct kone_settings)); + + kone_profile_activated(kone, kone->settings.startup_profile); + + if (kone->settings.startup_profile != old_profile) + kone_profile_report(kone, kone->settings.startup_profile); + } ++unlock: + mutex_unlock(&kone->kone_lock); + ++ if (retval) ++ return retval; ++ + return sizeof(struct kone_settings); + } + static BIN_ATTR(settings, 0660, kone_sysfs_read_settings, +-- +2.25.1 + diff --git a/queue-5.4/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch b/queue-5.4/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch new file mode 100644 index 00000000000..cc8e1a0ed5a --- /dev/null +++ b/queue-5.4/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch @@ -0,0 +1,55 @@ +From 96614bee47888d147744d06a3c19c63238c78836 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 14:39:29 -0700 +Subject: hwmon: (pmbus/max34440) Fix status register reads for + MAX344{51,60,61} + +From: Guenter Roeck + +[ Upstream commit 6c094b31ea2ad773824362ba0fccb88d36f8d32d ] + +Starting with MAX34451, the chips of this series support STATUS_IOUT and +STATUS_TEMPERATURE commands, and no longer report over-current and +over-temperature status with STATUS_MFR_SPECIFIC. + +Fixes: 7a001dbab4ade ("hwmon: (pmbus/max34440) Add support for MAX34451.") +Fixes: 50115ac9b6f35 ("hwmon: (pmbus/max34440) Add support for MAX34460 and MAX34461") +Reported-by: Steve Foreman +Cc: Steve Foreman +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/max34440.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/hwmon/pmbus/max34440.c b/drivers/hwmon/pmbus/max34440.c +index 5c63a66007293..e22617def70bf 100644 +--- a/drivers/hwmon/pmbus/max34440.c ++++ b/drivers/hwmon/pmbus/max34440.c +@@ -387,7 +387,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[18] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[19] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[20] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +@@ -418,7 +417,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[15] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[16] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[17] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +@@ -454,7 +452,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[19] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[20] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[21] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +-- +2.25.1 + diff --git a/queue-5.4/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch b/queue-5.4/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch new file mode 100644 index 00000000000..aa2a4c3d9ed --- /dev/null +++ b/queue-5.4/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch @@ -0,0 +1,79 @@ +From 72f9ec08b64da1b9d4311105af1098032e95c790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 16:41:58 +0200 +Subject: i2c: core: Restore acpi_walk_dep_device_list() getting called after + registering the ACPI i2c devs + +From: Hans de Goede + +[ Upstream commit 8058d69905058ec8f467a120b5ec5bb831ea67f3 ] + +Commit 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() +before i2c_acpi_register_devices()")'s intention was to only move the +acpi_install_address_space_handler() call to the point before where +the ACPI declared i2c-children of the adapter where instantiated by +i2c_acpi_register_devices(). + +But i2c_acpi_install_space_handler() had a call to +acpi_walk_dep_device_list() hidden (that is I missed it) at the end +of it, so as an unwanted side-effect now acpi_walk_dep_device_list() +was also being called before i2c_acpi_register_devices(). + +Move the acpi_walk_dep_device_list() call to the end of +i2c_acpi_register_devices(), so that it is once again called *after* +the i2c_client-s hanging of the adapter have been created. + +This fixes the Microsoft Surface Go 2 hanging at boot. + +Fixes: 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209627 +Reported-by: Rainer Finke +Reported-by: Kieran Bingham +Suggested-by: Maximilian Luz +Tested-by: Kieran Bingham +Signed-off-by: Hans de Goede +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-acpi.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index ce70b5288472c..c70983780ae79 100644 +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -264,6 +264,7 @@ static acpi_status i2c_acpi_add_device(acpi_handle handle, u32 level, + void i2c_acpi_register_devices(struct i2c_adapter *adap) + { + acpi_status status; ++ acpi_handle handle; + + if (!has_acpi_companion(&adap->dev)) + return; +@@ -274,6 +275,15 @@ void i2c_acpi_register_devices(struct i2c_adapter *adap) + adap, NULL); + if (ACPI_FAILURE(status)) + dev_warn(&adap->dev, "failed to enumerate I2C slaves\n"); ++ ++ if (!adap->dev.parent) ++ return; ++ ++ handle = ACPI_HANDLE(adap->dev.parent); ++ if (!handle) ++ return; ++ ++ acpi_walk_dep_device_list(handle); + } + + const struct acpi_device_id * +@@ -737,7 +747,6 @@ int i2c_acpi_install_space_handler(struct i2c_adapter *adapter) + return -ENOMEM; + } + +- acpi_walk_dep_device_list(handle); + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.4/i2c-rcar-auto-select-reset_controller.patch b/queue-5.4/i2c-rcar-auto-select-reset_controller.patch new file mode 100644 index 00000000000..6d8a7990820 --- /dev/null +++ b/queue-5.4/i2c-rcar-auto-select-reset_controller.patch @@ -0,0 +1,39 @@ +From e86f94c1c4e161779ffe1724a3549de7f5e3b373 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 11:23:30 +0200 +Subject: i2c: rcar: Auto select RESET_CONTROLLER + +From: Dirk Behme + +[ Upstream commit 5b9bacf28a973a6b16510493416baeefa2c06289 ] + +The i2c-rcar driver utilizes the Generic Reset Controller kernel +feature, so select the RESET_CONTROLLER option when the I2C_RCAR +option is selected with a Gen3 SoC. + +Fixes: 2b16fd63059ab9 ("i2c: rcar: handle RXDMA HW behaviour on Gen3") +Signed-off-by: Dirk Behme +Signed-off-by: Andy Lowe +[erosca: Add "if ARCH_RCAR_GEN3" per Wolfram's request] +Signed-off-by: Eugeniu Rosca +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig +index 146ce40d8e0aa..2d08a8719506c 100644 +--- a/drivers/i2c/busses/Kconfig ++++ b/drivers/i2c/busses/Kconfig +@@ -1162,6 +1162,7 @@ config I2C_RCAR + tristate "Renesas R-Car I2C Controller" + depends on ARCH_RENESAS || COMPILE_TEST + select I2C_SLAVE ++ select RESET_CONTROLLER if ARCH_RCAR_GEN3 + help + If you say yes to this option, support will be included for the + R-Car I2C controller. +-- +2.25.1 + diff --git a/queue-5.4/i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch b/queue-5.4/i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch new file mode 100644 index 00000000000..7adc2a5ad43 --- /dev/null +++ b/queue-5.4/i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch @@ -0,0 +1,66 @@ +From 0015233bd8a20b54429b17d3ababeda618c492e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 11:32:22 +0200 +Subject: i3c: master add i3c_master_attach_boardinfo to preserve boardinfo + +From: Parshuram Thombare + +[ Upstream commit 9da36a7ec42135428e1d41621e3703429bda3b2e ] + +Boardinfo was lost if I3C object for devices with boardinfo +available are not created or not added to the I3C device list +because of some failure e.g. SETDASA failed, retrieve info failed etc +This patch adds i3c_master_attach_boardinfo which scan boardinfo list +in the master object and 'attach' it to the I3C device object. + +Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") +Signed-off-by: Parshuram Thombare +Signed-off-by: Boris Brezillon +Link: https://lore.kernel.org/linux-i3c/1590053542-389-1-git-send-email-pthombar@cadence.com +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 5c051dba32a51..6cc71c90f85ea 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -1760,6 +1760,21 @@ static void i3c_master_bus_cleanup(struct i3c_master_controller *master) + i3c_master_detach_free_devs(master); + } + ++static void i3c_master_attach_boardinfo(struct i3c_dev_desc *i3cdev) ++{ ++ struct i3c_master_controller *master = i3cdev->common.master; ++ struct i3c_dev_boardinfo *i3cboardinfo; ++ ++ list_for_each_entry(i3cboardinfo, &master->boardinfo.i3c, node) { ++ if (i3cdev->info.pid != i3cboardinfo->pid) ++ continue; ++ ++ i3cdev->boardinfo = i3cboardinfo; ++ i3cdev->info.static_addr = i3cboardinfo->static_addr; ++ return; ++ } ++} ++ + static struct i3c_dev_desc * + i3c_master_search_i3c_dev_duplicate(struct i3c_dev_desc *refdev) + { +@@ -1815,10 +1830,10 @@ int i3c_master_add_i3c_dev_locked(struct i3c_master_controller *master, + if (ret) + goto err_detach_dev; + ++ i3c_master_attach_boardinfo(newdev); ++ + olddev = i3c_master_search_i3c_dev_duplicate(newdev); + if (olddev) { +- newdev->boardinfo = olddev->boardinfo; +- newdev->info.static_addr = olddev->info.static_addr; + newdev->dev = olddev->dev; + if (newdev->dev) + newdev->dev->desc = newdev; +-- +2.25.1 + diff --git a/queue-5.4/i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch b/queue-5.4/i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch new file mode 100644 index 00000000000..ce14a7ffcfb --- /dev/null +++ b/queue-5.4/i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch @@ -0,0 +1,40 @@ +From 887735229011b93607cf59cac6333025e22a8e2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 11:33:50 +0800 +Subject: i3c: master: Fix error return in cdns_i3c_master_probe() + +From: Jing Xiangfeng + +[ Upstream commit abea14bfdebbe9bd02f2ad24a1f3a878ed21c8f0 ] + +Fix to return negative error code -ENOMEM from the error handling +case instead of 0. + +Fixes: 603f2bee2c54 ("i3c: master: Add driver for Cadence IP") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Boris Brezillon +Link: https://lore.kernel.org/linux-i3c/20200911033350.23904-1-jingxiangfeng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/i3c-master-cdns.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c +index 10db0bf0655a9..6d5719cea9f53 100644 +--- a/drivers/i3c/master/i3c-master-cdns.c ++++ b/drivers/i3c/master/i3c-master-cdns.c +@@ -1593,8 +1593,10 @@ static int cdns_i3c_master_probe(struct platform_device *pdev) + master->ibi.slots = devm_kcalloc(&pdev->dev, master->ibi.num_slots, + sizeof(*master->ibi.slots), + GFP_KERNEL); +- if (!master->ibi.slots) ++ if (!master->ibi.slots) { ++ ret = -ENOMEM; + goto err_disable_sysclk; ++ } + + writel(IBIR_THR(1), master->regs + CMD_IBI_THR_CTRL); + writel(MST_INT_IBIR_THR, master->regs + MST_IER); +-- +2.25.1 + diff --git a/queue-5.4/i40iw-add-support-to-make-destroy-qp-synchronous.patch b/queue-5.4/i40iw-add-support-to-make-destroy-qp-synchronous.patch new file mode 100644 index 00000000000..b6c814091ab --- /dev/null +++ b/queue-5.4/i40iw-add-support-to-make-destroy-qp-synchronous.patch @@ -0,0 +1,408 @@ +From fd03be7c453e3111e16104a88109646053682249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 08:18:12 -0500 +Subject: i40iw: Add support to make destroy QP synchronous + +From: Sindhu, Devale + +[ Upstream commit f2334964e969762e266a616acf9377f6046470a2 ] + +Occasionally ib_write_bw crash is seen due to access of a pd object in +i40iw_sc_qp_destroy after it is freed. Destroy qp is not synchronous in +i40iw and thus the iwqp object could be referencing a pd object that is +freed by ib core as a result of successful return from i40iw_destroy_qp. + +Wait in i40iw_destroy_qp till all QP references are released and destroy +the QP and its associated resources before returning. Switch to use the +refcount API vs atomic API for lifetime management of the qp. + + RIP: 0010:i40iw_sc_qp_destroy+0x4b/0x120 [i40iw] + [...] + RSP: 0018:ffffb4a7042e3ba8 EFLAGS: 00010002 + RAX: 0000000000000000 RBX: 0000000000000001 RCX: dead000000000122 + RDX: ffffb4a7042e3bac RSI: ffff8b7ef9b1e940 RDI: ffff8b7efbf09080 + RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 + R10: 8080808080808080 R11: 0000000000000010 R12: ffff8b7efbf08050 + R13: 0000000000000001 R14: ffff8b7f15042928 R15: ffff8b7ef9b1e940 + FS: 0000000000000000(0000) GS:ffff8b7f2fa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000400 CR3: 000000020d60a006 CR4: 00000000001606e0 + Call Trace: + i40iw_exec_cqp_cmd+0x4d3/0x5c0 [i40iw] + ? try_to_wake_up+0x1ea/0x5d0 + ? __switch_to_asm+0x40/0x70 + i40iw_process_cqp_cmd+0x95/0xa0 [i40iw] + i40iw_handle_cqp_op+0x42/0x1a0 [i40iw] + ? cm_event_handler+0x13c/0x1f0 [iw_cm] + i40iw_rem_ref+0xa0/0xf0 [i40iw] + cm_work_handler+0x99c/0xd10 [iw_cm] + process_one_work+0x1a1/0x360 + worker_thread+0x30/0x380 + ? process_one_work+0x360/0x360 + kthread+0x10c/0x130 + ? kthread_park+0x80/0x80 + ret_from_fork+0x35/0x40 + +Fixes: d37498417947 ("i40iw: add files for iwarp interface") +Link: https://lore.kernel.org/r/20200916131811.2077-1-shiraz.saleem@intel.com +Reported-by: Kamal Heib +Signed-off-by: Sindhu, Devale +Signed-off-by: Shiraz, Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/i40iw/i40iw.h | 9 ++-- + drivers/infiniband/hw/i40iw/i40iw_cm.c | 10 ++-- + drivers/infiniband/hw/i40iw/i40iw_hw.c | 4 +- + drivers/infiniband/hw/i40iw/i40iw_utils.c | 59 ++++------------------- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 31 ++++++++---- + drivers/infiniband/hw/i40iw/i40iw_verbs.h | 3 +- + 6 files changed, 45 insertions(+), 71 deletions(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw.h b/drivers/infiniband/hw/i40iw/i40iw.h +index 8feec35f95a7c..6d6719fa7e46a 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw.h ++++ b/drivers/infiniband/hw/i40iw/i40iw.h +@@ -398,8 +398,8 @@ static inline struct i40iw_qp *to_iwqp(struct ib_qp *ibqp) + } + + /* i40iw.c */ +-void i40iw_add_ref(struct ib_qp *); +-void i40iw_rem_ref(struct ib_qp *); ++void i40iw_qp_add_ref(struct ib_qp *ibqp); ++void i40iw_qp_rem_ref(struct ib_qp *ibqp); + struct ib_qp *i40iw_get_qp(struct ib_device *, int); + + void i40iw_flush_wqes(struct i40iw_device *iwdev, +@@ -543,9 +543,8 @@ enum i40iw_status_code i40iw_manage_qhash(struct i40iw_device *iwdev, + bool wait); + void i40iw_receive_ilq(struct i40iw_sc_vsi *vsi, struct i40iw_puda_buf *rbuf); + void i40iw_free_sqbuf(struct i40iw_sc_vsi *vsi, void *bufp); +-void i40iw_free_qp_resources(struct i40iw_device *iwdev, +- struct i40iw_qp *iwqp, +- u32 qp_num); ++void i40iw_free_qp_resources(struct i40iw_qp *iwqp); ++ + enum i40iw_status_code i40iw_obj_aligned_mem(struct i40iw_device *iwdev, + struct i40iw_dma_mem *memptr, + u32 size, u32 mask); +diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c +index fa7a5ff498c73..56c1e9abc52dc 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -2322,7 +2322,7 @@ static void i40iw_rem_ref_cm_node(struct i40iw_cm_node *cm_node) + iwqp = cm_node->iwqp; + if (iwqp) { + iwqp->cm_node = NULL; +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + cm_node->iwqp = NULL; + } else if (cm_node->qhash_set) { + i40iw_get_addr_info(cm_node, &nfo); +@@ -3452,7 +3452,7 @@ void i40iw_cm_disconn(struct i40iw_qp *iwqp) + kfree(work); + return; + } +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + + work->iwqp = iwqp; +@@ -3623,7 +3623,7 @@ static void i40iw_disconnect_worker(struct work_struct *work) + + kfree(dwork); + i40iw_cm_disconn_true(iwqp); +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +@@ -3745,7 +3745,7 @@ int i40iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + cm_node->lsmm_size = accept.size + conn_param->private_data_len; + i40iw_cm_init_tsa_conn(iwqp, cm_node); + cm_id->add_ref(cm_id); +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + + attr.qp_state = IB_QPS_RTS; + cm_node->qhash_set = false; +@@ -3908,7 +3908,7 @@ int i40iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + iwqp->cm_node = cm_node; + cm_node->iwqp = iwqp; + iwqp->cm_id = cm_id; +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + + if (cm_node->state != I40IW_CM_STATE_OFFLOADED) { + cm_node->state = I40IW_CM_STATE_SYN_SENT; +diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c +index ae8b97c306657..a7512508f7e60 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c +@@ -313,7 +313,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev) + __func__, info->qp_cq_id); + continue; + } +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + qp = &iwqp->sc_qp; + spin_lock_irqsave(&iwqp->lock, flags); +@@ -427,7 +427,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev) + break; + } + if (info->qp) +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } while (1); + + if (aeqcnt) +diff --git a/drivers/infiniband/hw/i40iw/i40iw_utils.c b/drivers/infiniband/hw/i40iw/i40iw_utils.c +index 016524683e17e..72db7c1dc2998 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_utils.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c +@@ -479,25 +479,6 @@ void i40iw_cleanup_pending_cqp_op(struct i40iw_device *iwdev) + } + } + +-/** +- * i40iw_free_qp - callback after destroy cqp completes +- * @cqp_request: cqp request for destroy qp +- * @num: not used +- */ +-static void i40iw_free_qp(struct i40iw_cqp_request *cqp_request, u32 num) +-{ +- struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)cqp_request->param; +- struct i40iw_qp *iwqp = (struct i40iw_qp *)qp->back_qp; +- struct i40iw_device *iwdev; +- u32 qp_num = iwqp->ibqp.qp_num; +- +- iwdev = iwqp->iwdev; +- +- i40iw_rem_pdusecount(iwqp->iwpd, iwdev); +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); +- i40iw_rem_devusecount(iwdev); +-} +- + /** + * i40iw_wait_event - wait for completion + * @iwdev: iwarp device +@@ -618,26 +599,23 @@ void i40iw_rem_pdusecount(struct i40iw_pd *iwpd, struct i40iw_device *iwdev) + } + + /** +- * i40iw_add_ref - add refcount for qp ++ * i40iw_qp_add_ref - add refcount for qp + * @ibqp: iqarp qp + */ +-void i40iw_add_ref(struct ib_qp *ibqp) ++void i40iw_qp_add_ref(struct ib_qp *ibqp) + { + struct i40iw_qp *iwqp = (struct i40iw_qp *)ibqp; + +- atomic_inc(&iwqp->refcount); ++ refcount_inc(&iwqp->refcount); + } + + /** +- * i40iw_rem_ref - rem refcount for qp and free if 0 ++ * i40iw_qp_rem_ref - rem refcount for qp and free if 0 + * @ibqp: iqarp qp + */ +-void i40iw_rem_ref(struct ib_qp *ibqp) ++void i40iw_qp_rem_ref(struct ib_qp *ibqp) + { + struct i40iw_qp *iwqp; +- enum i40iw_status_code status; +- struct i40iw_cqp_request *cqp_request; +- struct cqp_commands_info *cqp_info; + struct i40iw_device *iwdev; + u32 qp_num; + unsigned long flags; +@@ -645,7 +623,7 @@ void i40iw_rem_ref(struct ib_qp *ibqp) + iwqp = to_iwqp(ibqp); + iwdev = iwqp->iwdev; + spin_lock_irqsave(&iwdev->qptable_lock, flags); +- if (!atomic_dec_and_test(&iwqp->refcount)) { ++ if (!refcount_dec_and_test(&iwqp->refcount)) { + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + return; + } +@@ -653,25 +631,8 @@ void i40iw_rem_ref(struct ib_qp *ibqp) + qp_num = iwqp->ibqp.qp_num; + iwdev->qp_table[qp_num] = NULL; + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); +- cqp_request = i40iw_get_cqp_request(&iwdev->cqp, false); +- if (!cqp_request) +- return; +- +- cqp_request->callback_fcn = i40iw_free_qp; +- cqp_request->param = (void *)&iwqp->sc_qp; +- cqp_info = &cqp_request->info; +- cqp_info->cqp_cmd = OP_QP_DESTROY; +- cqp_info->post_sq = 1; +- cqp_info->in.u.qp_destroy.qp = &iwqp->sc_qp; +- cqp_info->in.u.qp_destroy.scratch = (uintptr_t)cqp_request; +- cqp_info->in.u.qp_destroy.remove_hash_idx = true; +- status = i40iw_handle_cqp_op(iwdev, cqp_request); +- if (!status) +- return; ++ complete(&iwqp->free_qp); + +- i40iw_rem_pdusecount(iwqp->iwpd, iwdev); +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); +- i40iw_rem_devusecount(iwdev); + } + + /** +@@ -938,7 +899,7 @@ static void i40iw_terminate_timeout(struct timer_list *t) + struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)&iwqp->sc_qp; + + i40iw_terminate_done(qp, 1); +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +@@ -950,7 +911,7 @@ void i40iw_terminate_start_timer(struct i40iw_sc_qp *qp) + struct i40iw_qp *iwqp; + + iwqp = (struct i40iw_qp *)qp->back_qp; +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + timer_setup(&iwqp->terminate_timer, i40iw_terminate_timeout, 0); + iwqp->terminate_timer.expires = jiffies + HZ; + add_timer(&iwqp->terminate_timer); +@@ -966,7 +927,7 @@ void i40iw_terminate_del_timer(struct i40iw_sc_qp *qp) + + iwqp = (struct i40iw_qp *)qp->back_qp; + if (del_timer(&iwqp->terminate_timer)) +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +index cd9ee1664a69e..22bf4f09c0647 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -366,11 +366,11 @@ static struct i40iw_pbl *i40iw_get_pbl(unsigned long va, + * @iwqp: qp ptr (user or kernel) + * @qp_num: qp number assigned + */ +-void i40iw_free_qp_resources(struct i40iw_device *iwdev, +- struct i40iw_qp *iwqp, +- u32 qp_num) ++void i40iw_free_qp_resources(struct i40iw_qp *iwqp) + { + struct i40iw_pbl *iwpbl = &iwqp->iwpbl; ++ struct i40iw_device *iwdev = iwqp->iwdev; ++ u32 qp_num = iwqp->ibqp.qp_num; + + i40iw_ieq_cleanup_qp(iwdev->vsi.ieq, &iwqp->sc_qp); + i40iw_dealloc_push_page(iwdev, &iwqp->sc_qp); +@@ -404,6 +404,10 @@ static void i40iw_clean_cqes(struct i40iw_qp *iwqp, struct i40iw_cq *iwcq) + static int i40iw_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + { + struct i40iw_qp *iwqp = to_iwqp(ibqp); ++ struct ib_qp_attr attr; ++ struct i40iw_device *iwdev = iwqp->iwdev; ++ ++ memset(&attr, 0, sizeof(attr)); + + iwqp->destroyed = 1; + +@@ -418,7 +422,15 @@ static int i40iw_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + } + } + +- i40iw_rem_ref(&iwqp->ibqp); ++ attr.qp_state = IB_QPS_ERR; ++ i40iw_modify_qp(&iwqp->ibqp, &attr, IB_QP_STATE, NULL); ++ i40iw_qp_rem_ref(&iwqp->ibqp); ++ wait_for_completion(&iwqp->free_qp); ++ i40iw_cqp_qp_destroy_cmd(&iwdev->sc_dev, &iwqp->sc_qp); ++ i40iw_rem_pdusecount(iwqp->iwpd, iwdev); ++ i40iw_free_qp_resources(iwqp); ++ i40iw_rem_devusecount(iwdev); ++ + return 0; + } + +@@ -579,6 +591,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + qp->back_qp = (void *)iwqp; + qp->push_idx = I40IW_INVALID_PUSH_PAGE_INDEX; + ++ iwqp->iwdev = iwdev; + iwqp->ctx_info.iwarp_info = &iwqp->iwarp_info; + + if (i40iw_allocate_dma_mem(dev->hw, +@@ -603,7 +616,6 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + goto error; + } + +- iwqp->iwdev = iwdev; + iwqp->iwpd = iwpd; + iwqp->ibqp.qp_num = qp_num; + qp = &iwqp->sc_qp; +@@ -717,7 +729,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + goto error; + } + +- i40iw_add_ref(&iwqp->ibqp); ++ refcount_set(&iwqp->refcount, 1); + spin_lock_init(&iwqp->lock); + iwqp->sig_all = (init_attr->sq_sig_type == IB_SIGNAL_ALL_WR) ? 1 : 0; + iwdev->qp_table[qp_num] = iwqp; +@@ -739,10 +751,11 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + } + init_completion(&iwqp->sq_drained); + init_completion(&iwqp->rq_drained); ++ init_completion(&iwqp->free_qp); + + return &iwqp->ibqp; + error: +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); ++ i40iw_free_qp_resources(iwqp); + return ERR_PTR(err_code); + } + +@@ -2654,13 +2667,13 @@ static const struct ib_device_ops i40iw_dev_ops = { + .get_hw_stats = i40iw_get_hw_stats, + .get_port_immutable = i40iw_port_immutable, + .iw_accept = i40iw_accept, +- .iw_add_ref = i40iw_add_ref, ++ .iw_add_ref = i40iw_qp_add_ref, + .iw_connect = i40iw_connect, + .iw_create_listen = i40iw_create_listen, + .iw_destroy_listen = i40iw_destroy_listen, + .iw_get_qp = i40iw_get_qp, + .iw_reject = i40iw_reject, +- .iw_rem_ref = i40iw_rem_ref, ++ .iw_rem_ref = i40iw_qp_rem_ref, + .map_mr_sg = i40iw_map_mr_sg, + .mmap = i40iw_mmap, + .modify_qp = i40iw_modify_qp, +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.h b/drivers/infiniband/hw/i40iw/i40iw_verbs.h +index 3a413752ccc38..ad7d81041bc9a 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.h ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.h +@@ -140,7 +140,7 @@ struct i40iw_qp { + struct i40iw_qp_host_ctx_info ctx_info; + struct i40iwarp_offload_info iwarp_info; + void *allocated_buffer; +- atomic_t refcount; ++ refcount_t refcount; + struct iw_cm_id *cm_id; + void *cm_node; + struct ib_mr *lsmm_mr; +@@ -175,5 +175,6 @@ struct i40iw_qp { + struct i40iw_dma_mem ietf_mem; + struct completion sq_drained; + struct completion rq_drained; ++ struct completion free_qp; + }; + #endif +-- +2.25.1 + diff --git a/queue-5.4/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch b/queue-5.4/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch new file mode 100644 index 00000000000..6df4f1a6fa5 --- /dev/null +++ b/queue-5.4/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch @@ -0,0 +1,41 @@ +From 02830b523bc5ec59461d0c5505ec92d795b3795c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 08:19:41 +0200 +Subject: IB/mlx4: Adjust delayed work when a dup is observed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +[ Upstream commit 785167a114855c5aa75efca97000e405c2cc85bf ] + +When scheduling delayed work to clean up the cache, if the entry already +has been scheduled for deletion, we adjust the delay. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-7-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index b591861934b3c..81d6a3460b55d 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -280,6 +280,9 @@ static void schedule_delayed(struct ib_device *ibdev, struct id_map_entry *id) + if (!sriov->is_going_down && !id->scheduled_delete) { + id->scheduled_delete = 1; + schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT); ++ } else if (id->scheduled_delete) { ++ /* Adjust timeout if already scheduled */ ++ mod_delayed_work(system_wq, &id->timeout, CM_CLEANUP_CACHE_TIMEOUT); + } + spin_unlock_irqrestore(&sriov->going_down_lock, flags); + spin_unlock(&sriov->id_map_lock); +-- +2.25.1 + diff --git a/queue-5.4/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch b/queue-5.4/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch new file mode 100644 index 00000000000..f86c5b3e3b8 --- /dev/null +++ b/queue-5.4/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch @@ -0,0 +1,181 @@ +From ad89d084e7a6636e300a1f81a07ed6a5d54bb39d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 08:19:39 +0200 +Subject: IB/mlx4: Fix starvation in paravirt mux/demux +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +[ Upstream commit 7fd1507df7cee9c533f38152fcd1dd769fcac6ce ] + +The mlx4 driver will proxy MAD packets through the PF driver. A VM or an +instantiated VF will send its MAD packets to the PF driver using +loop-back. The PF driver will be informed by an interrupt, but defer the +handling and polling of CQEs to a worker thread running on an ordered +work-queue. + +Consider the following scenario: the VMs will in short proximity in time, +for example due to a network event, send many MAD packets to the PF +driver. Lets say there are K VMs, each sending N packets. + +The interrupt from the first VM will start the worker thread, which will +poll N CQEs. A common case here is where the PF driver will multiplex the +packets received from the VMs out on the wire QP. + +But before the wire QP has returned a send CQE and associated interrupt, +the other K - 1 VMs have sent their N packets as well. + +The PF driver has to multiplex K * N packets out on the wire QP. But the +send-queue on the wire QP has a finite capacity. + +So, in this scenario, if K * N is larger than the send-queue capacity of +the wire QP, we will get MAD packets dropped on the floor with this +dynamic debug message: + +mlx4_ib_multiplex_mad: failed sending GSI to wire on behalf of slave 2 (-11) + +and this despite the fact that the wire send-queue could have capacity, +but the PF driver isn't aware, because the wire send CQEs have not yet +been polled. + +We can also have a similar scenario inbound, with a wire recv-queue larger +than the tunnel QP's send-queue. If many remote peers send MAD packets to +the very same VM, the tunnel send-queue destined to the VM could allegedly +be construed to be full by the PF driver. + +This starvation is fixed by introducing separate work queues for the wire +QPs vs. the tunnel QPs. + +With this fix, using a dual ported HCA, 8 VFs instantiated, we could run +cmtime on each of the 18 interfaces towards a similar configured peer, +each cmtime instance with 800 QPs (all in all 14400 QPs) without a single +CM packet getting lost. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-5-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/mad.c | 34 +++++++++++++++++++++++++--- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 ++ + 2 files changed, 33 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index 57079110af9b5..08eccf2b6967d 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1307,6 +1307,18 @@ static void mlx4_ib_tunnel_comp_handler(struct ib_cq *cq, void *arg) + spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags); + } + ++static void mlx4_ib_wire_comp_handler(struct ib_cq *cq, void *arg) ++{ ++ unsigned long flags; ++ struct mlx4_ib_demux_pv_ctx *ctx = cq->cq_context; ++ struct mlx4_ib_dev *dev = to_mdev(ctx->ib_dev); ++ ++ spin_lock_irqsave(&dev->sriov.going_down_lock, flags); ++ if (!dev->sriov.is_going_down && ctx->state == DEMUX_PV_STATE_ACTIVE) ++ queue_work(ctx->wi_wq, &ctx->work); ++ spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags); ++} ++ + static int mlx4_ib_post_pv_qp_buf(struct mlx4_ib_demux_pv_ctx *ctx, + struct mlx4_ib_demux_pv_qp *tun_qp, + int index) +@@ -2009,7 +2021,8 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port, + cq_size *= 2; + + cq_attr.cqe = cq_size; +- ctx->cq = ib_create_cq(ctx->ib_dev, mlx4_ib_tunnel_comp_handler, ++ ctx->cq = ib_create_cq(ctx->ib_dev, ++ create_tun ? mlx4_ib_tunnel_comp_handler : mlx4_ib_wire_comp_handler, + NULL, ctx, &cq_attr); + if (IS_ERR(ctx->cq)) { + ret = PTR_ERR(ctx->cq); +@@ -2046,6 +2059,7 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port, + INIT_WORK(&ctx->work, mlx4_ib_sqp_comp_worker); + + ctx->wq = to_mdev(ibdev)->sriov.demux[port - 1].wq; ++ ctx->wi_wq = to_mdev(ibdev)->sriov.demux[port - 1].wi_wq; + + ret = ib_req_notify_cq(ctx->cq, IB_CQ_NEXT_COMP); + if (ret) { +@@ -2189,7 +2203,7 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + goto err_mcg; + } + +- snprintf(name, sizeof name, "mlx4_ibt%d", port); ++ snprintf(name, sizeof(name), "mlx4_ibt%d", port); + ctx->wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); + if (!ctx->wq) { + pr_err("Failed to create tunnelling WQ for port %d\n", port); +@@ -2197,7 +2211,15 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + goto err_wq; + } + +- snprintf(name, sizeof name, "mlx4_ibud%d", port); ++ snprintf(name, sizeof(name), "mlx4_ibwi%d", port); ++ ctx->wi_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); ++ if (!ctx->wi_wq) { ++ pr_err("Failed to create wire WQ for port %d\n", port); ++ ret = -ENOMEM; ++ goto err_wiwq; ++ } ++ ++ snprintf(name, sizeof(name), "mlx4_ibud%d", port); + ctx->ud_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); + if (!ctx->ud_wq) { + pr_err("Failed to create up/down WQ for port %d\n", port); +@@ -2208,6 +2230,10 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + return 0; + + err_udwq: ++ destroy_workqueue(ctx->wi_wq); ++ ctx->wi_wq = NULL; ++ ++err_wiwq: + destroy_workqueue(ctx->wq); + ctx->wq = NULL; + +@@ -2255,12 +2281,14 @@ static void mlx4_ib_free_demux_ctx(struct mlx4_ib_demux_ctx *ctx) + ctx->tun[i]->state = DEMUX_PV_STATE_DOWNING; + } + flush_workqueue(ctx->wq); ++ flush_workqueue(ctx->wi_wq); + for (i = 0; i < dev->dev->caps.sqp_demux; i++) { + destroy_pv_resources(dev, i, ctx->port, ctx->tun[i], 0); + free_pv_object(dev, i, ctx->port); + } + kfree(ctx->tun); + destroy_workqueue(ctx->ud_wq); ++ destroy_workqueue(ctx->wi_wq); + destroy_workqueue(ctx->wq); + } + } +diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h +index eb53bb4c0c91c..0173e3931cc7f 100644 +--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h ++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h +@@ -459,6 +459,7 @@ struct mlx4_ib_demux_pv_ctx { + struct ib_pd *pd; + struct work_struct work; + struct workqueue_struct *wq; ++ struct workqueue_struct *wi_wq; + struct mlx4_ib_demux_pv_qp qp[2]; + }; + +@@ -466,6 +467,7 @@ struct mlx4_ib_demux_ctx { + struct ib_device *ib_dev; + int port; + struct workqueue_struct *wq; ++ struct workqueue_struct *wi_wq; + struct workqueue_struct *ud_wq; + spinlock_t ud_lock; + atomic64_t subnet_prefix; +-- +2.25.1 + diff --git a/queue-5.4/ib-rdmavt-fix-sizeof-mismatch.patch b/queue-5.4/ib-rdmavt-fix-sizeof-mismatch.patch new file mode 100644 index 00000000000..554e741b7aa --- /dev/null +++ b/queue-5.4/ib-rdmavt-fix-sizeof-mismatch.patch @@ -0,0 +1,46 @@ +From 23a6630219ad9cebdf7c281cfd2d4a8e8fb92f80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 10:52:04 +0100 +Subject: IB/rdmavt: Fix sizeof mismatch + +From: Colin Ian King + +[ Upstream commit 8e71f694e0c819db39af2336f16eb9689f1ae53f ] + +An incorrect sizeof is being used, struct rvt_ibport ** is not correct, it +should be struct rvt_ibport *. Note that since ** is the same size as +* this is not causing any issues. Improve this fix by using +sizeof(*rdi->ports) as this allows us to not even reference the type +of the pointer. Also remove line breaks as the entire statement can +fit on one line. + +Link: https://lore.kernel.org/r/20201008095204.82683-1-colin.king@canonical.com +Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") +Fixes: ff6acd69518e ("IB/rdmavt: Add device structure allocation") +Signed-off-by: Colin Ian King +Reviewed-by: Ira Weiny +Acked-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rdmavt/vt.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c +index 18da1e1ea9797..833f3f1b87f5e 100644 +--- a/drivers/infiniband/sw/rdmavt/vt.c ++++ b/drivers/infiniband/sw/rdmavt/vt.c +@@ -95,9 +95,7 @@ struct rvt_dev_info *rvt_alloc_device(size_t size, int nports) + if (!rdi) + return rdi; + +- rdi->ports = kcalloc(nports, +- sizeof(struct rvt_ibport **), +- GFP_KERNEL); ++ rdi->ports = kcalloc(nports, sizeof(*rdi->ports), GFP_KERNEL); + if (!rdi->ports) + ib_dealloc_device(&rdi->ibdev); + +-- +2.25.1 + diff --git a/queue-5.4/ibmvnic-set-up-200gbps-speed.patch b/queue-5.4/ibmvnic-set-up-200gbps-speed.patch new file mode 100644 index 00000000000..3de8ff7b80e --- /dev/null +++ b/queue-5.4/ibmvnic-set-up-200gbps-speed.patch @@ -0,0 +1,60 @@ +From ebbe9428f67a2d0e5b0767792a0fb0e45a3cd5d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Sep 2020 19:06:25 -0500 +Subject: ibmvnic: set up 200GBPS speed + +From: Lijun Pan + +[ Upstream commit b9cd795b0e4860f482bf3741d12e1c8f3ec1cfc9 ] + +Set up the speed according to crq->query_phys_parms.rsp.speed. +Fix IBMVNIC_10GBPS typo. + +Fixes: f8d6ae0d27ec ("ibmvnic: Report actual backing device speed and duplex values") +Signed-off-by: Lijun Pan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 5 ++++- + drivers/net/ethernet/ibm/ibmvnic.h | 2 +- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 59d437df6cab4..48105a2eebe4d 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -4477,7 +4477,7 @@ static int handle_query_phys_parms_rsp(union ibmvnic_crq *crq, + case IBMVNIC_1GBPS: + adapter->speed = SPEED_1000; + break; +- case IBMVNIC_10GBP: ++ case IBMVNIC_10GBPS: + adapter->speed = SPEED_10000; + break; + case IBMVNIC_25GBPS: +@@ -4492,6 +4492,9 @@ static int handle_query_phys_parms_rsp(union ibmvnic_crq *crq, + case IBMVNIC_100GBPS: + adapter->speed = SPEED_100000; + break; ++ case IBMVNIC_200GBPS: ++ adapter->speed = SPEED_200000; ++ break; + default: + if (netif_carrier_ok(netdev)) + netdev_warn(netdev, "Unknown speed 0x%08x\n", rspeed); +diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h +index ebc39248b334a..0da20f19bb17c 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.h ++++ b/drivers/net/ethernet/ibm/ibmvnic.h +@@ -373,7 +373,7 @@ struct ibmvnic_phys_parms { + #define IBMVNIC_10MBPS 0x40000000 + #define IBMVNIC_100MBPS 0x20000000 + #define IBMVNIC_1GBPS 0x10000000 +-#define IBMVNIC_10GBP 0x08000000 ++#define IBMVNIC_10GBPS 0x08000000 + #define IBMVNIC_40GBPS 0x04000000 + #define IBMVNIC_100GBPS 0x02000000 + #define IBMVNIC_25GBPS 0x01000000 +-- +2.25.1 + diff --git a/queue-5.4/ida-free-allocated-bitmap-in-error-path.patch b/queue-5.4/ida-free-allocated-bitmap-in-error-path.patch new file mode 100644 index 00000000000..5963a17d11f --- /dev/null +++ b/queue-5.4/ida-free-allocated-bitmap-in-error-path.patch @@ -0,0 +1,88 @@ +From de81b5a79f34b61a05b18a1b07d805afbf8b5dd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2020 14:26:13 -0400 +Subject: ida: Free allocated bitmap in error path + +From: Matthew Wilcox (Oracle) + +[ Upstream commit a219b856a2b993da234108307be772448f22b0ce ] + +If a bitmap needs to be allocated, and then by the time the thread +is scheduled to be run again all the indices which would satisfy the +allocation have been allocated then we would leak the allocation. Almost +impossible to hit in practice, but a trivial fix. Found by Coverity. + +Fixes: f32f004cddf8 ("ida: Convert to XArray") +Reported-by: coverity-bot +Reviewed-by: Kees Cook +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + lib/idr.c | 1 + + tools/testing/radix-tree/idr-test.c | 29 +++++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/lib/idr.c b/lib/idr.c +index c2cf2c52bbde5..4d2eef0259d2c 100644 +--- a/lib/idr.c ++++ b/lib/idr.c +@@ -470,6 +470,7 @@ int ida_alloc_range(struct ida *ida, unsigned int min, unsigned int max, + goto retry; + nospc: + xas_unlock_irqrestore(&xas, flags); ++ kfree(alloc); + return -ENOSPC; + } + EXPORT_SYMBOL(ida_alloc_range); +diff --git a/tools/testing/radix-tree/idr-test.c b/tools/testing/radix-tree/idr-test.c +index 8995092d541ec..3b796dd5e5772 100644 +--- a/tools/testing/radix-tree/idr-test.c ++++ b/tools/testing/radix-tree/idr-test.c +@@ -523,8 +523,27 @@ static void *ida_random_fn(void *arg) + return NULL; + } + ++static void *ida_leak_fn(void *arg) ++{ ++ struct ida *ida = arg; ++ time_t s = time(NULL); ++ int i, ret; ++ ++ rcu_register_thread(); ++ ++ do for (i = 0; i < 1000; i++) { ++ ret = ida_alloc_range(ida, 128, 128, GFP_KERNEL); ++ if (ret >= 0) ++ ida_free(ida, 128); ++ } while (time(NULL) < s + 2); ++ ++ rcu_unregister_thread(); ++ return NULL; ++} ++ + void ida_thread_tests(void) + { ++ DEFINE_IDA(ida); + pthread_t threads[20]; + int i; + +@@ -536,6 +555,16 @@ void ida_thread_tests(void) + + while (i--) + pthread_join(threads[i], NULL); ++ ++ for (i = 0; i < ARRAY_SIZE(threads); i++) ++ if (pthread_create(&threads[i], NULL, ida_leak_fn, &ida)) { ++ perror("creating ida thread"); ++ exit(1); ++ } ++ ++ while (i--) ++ pthread_join(threads[i], NULL); ++ assert(ida_is_empty(&ida)); + } + + void ida_tests(void) +-- +2.25.1 + diff --git a/queue-5.4/iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch b/queue-5.4/iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch new file mode 100644 index 00000000000..d16a942571d --- /dev/null +++ b/queue-5.4/iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch @@ -0,0 +1,72 @@ +From 703cdaa4cf0caa3435b3bad9d2e88a8769e63b3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 16:55:28 +0200 +Subject: iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling + +From: Fabrice Gasnier + +[ Upstream commit c537d3457542a398caa1fe58e0976c5f83cf7281 ] + +When the ADC is runtime suspended and starting a conversion, the stm32-adc +driver calls pm_runtime_get_sync() that gets cascaded to the parent +(e.g. runtime resume of stm32-adc-core driver). This also kicks the +autosuspend delay (e.g. 2s) of the parent. +Once the ADC is active, calling pm_runtime_get_sync() again (upon a new +capture) won't kick the autosuspend delay for the parent (stm32-adc-core +driver) as already active. + +Currently, this makes the stm32-adc-core driver go in suspend state +every 2s when doing slow polling. As an example, doing a capture, e.g. +cat in_voltageY_raw at a 0.2s rate, the auto suspend delay for the parent +isn't refreshed. Once it expires, the parent immediately falls into +runtime suspended state, in between two captures, as soon as the child +driver falls into runtime suspend state: +- e.g. after 2s, + child calls pm_runtime_put_autosuspend() + 100ms + autosuspend delay of the child. +- stm32-adc-core switches off regulators, clocks and so on. +- They get switched on back again 100ms later in this example (at 2.2s). + +So, use runtime_idle() callback in stm32-adc-core driver to call +pm_runtime_mark_last_busy() for the parent driver (stm32-adc-core), +to avoid this. + +Fixes: 9bdbb1139ca1 ("iio: adc: stm32-adc: add power management support") +Signed-off-by: Fabrice Gasnier +Reviewed-by: Ulf Hansson +Link: https://lore.kernel.org/r/1593615328-5180-1-git-send-email-fabrice.gasnier@st.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/stm32-adc-core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/stm32-adc-core.c b/drivers/iio/adc/stm32-adc-core.c +index 74f3a2be17a64..14d6a537289cb 100644 +--- a/drivers/iio/adc/stm32-adc-core.c ++++ b/drivers/iio/adc/stm32-adc-core.c +@@ -780,6 +780,13 @@ static int stm32_adc_core_runtime_resume(struct device *dev) + { + return stm32_adc_core_hw_start(dev); + } ++ ++static int stm32_adc_core_runtime_idle(struct device *dev) ++{ ++ pm_runtime_mark_last_busy(dev); ++ ++ return 0; ++} + #endif + + static const struct dev_pm_ops stm32_adc_core_pm_ops = { +@@ -787,7 +794,7 @@ static const struct dev_pm_ops stm32_adc_core_pm_ops = { + pm_runtime_force_resume) + SET_RUNTIME_PM_OPS(stm32_adc_core_runtime_suspend, + stm32_adc_core_runtime_resume, +- NULL) ++ stm32_adc_core_runtime_idle) + }; + + static const struct stm32_adc_priv_cfg stm32f4_adc_priv_cfg = { +-- +2.25.1 + diff --git a/queue-5.4/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch b/queue-5.4/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch new file mode 100644 index 00000000000..5348527be3e --- /dev/null +++ b/queue-5.4/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch @@ -0,0 +1,39 @@ +From b06621a75dd319f1b9aae0090285eb266360902b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:51:05 -0700 +Subject: Input: ep93xx_keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 7d50f6656dacf085a00beeedbc48b19a37d17881 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: 60214f058f44 ("Input: ep93xx_keypad - update driver to new core support") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-1-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/ep93xx_keypad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/keyboard/ep93xx_keypad.c b/drivers/input/keyboard/ep93xx_keypad.c +index 7c70492d9d6b5..f831f01501d58 100644 +--- a/drivers/input/keyboard/ep93xx_keypad.c ++++ b/drivers/input/keyboard/ep93xx_keypad.c +@@ -250,8 +250,8 @@ static int ep93xx_keypad_probe(struct platform_device *pdev) + } + + keypad->irq = platform_get_irq(pdev, 0); +- if (!keypad->irq) { +- err = -ENXIO; ++ if (keypad->irq < 0) { ++ err = keypad->irq; + goto failed_free; + } + +-- +2.25.1 + diff --git a/queue-5.4/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch b/queue-5.4/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch new file mode 100644 index 00000000000..c090f291251 --- /dev/null +++ b/queue-5.4/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch @@ -0,0 +1,67 @@ +From ec664e591b8df5db6e8a7e27f016d39122f1f58b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 10:17:01 -0700 +Subject: Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() + +From: Dan Carpenter + +[ Upstream commit 30df23c5ecdfb8da5b0bc17ceef67eff9e1b0957 ] + +If imx6ul_tsc_init() fails then we need to clean up the clocks. + +I reversed the "if (input_dev->users) {" condition to make the code a +bit simpler. + +Fixes: 6cc527b05847 ("Input: imx6ul_tsc - propagate the errors") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200905124942.GC183976@mwanda +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/imx6ul_tsc.c | 27 +++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/input/touchscreen/imx6ul_tsc.c b/drivers/input/touchscreen/imx6ul_tsc.c +index 9ed258854349b..5e6ba5c4eca2a 100644 +--- a/drivers/input/touchscreen/imx6ul_tsc.c ++++ b/drivers/input/touchscreen/imx6ul_tsc.c +@@ -530,20 +530,25 @@ static int __maybe_unused imx6ul_tsc_resume(struct device *dev) + + mutex_lock(&input_dev->mutex); + +- if (input_dev->users) { +- retval = clk_prepare_enable(tsc->adc_clk); +- if (retval) +- goto out; +- +- retval = clk_prepare_enable(tsc->tsc_clk); +- if (retval) { +- clk_disable_unprepare(tsc->adc_clk); +- goto out; +- } ++ if (!input_dev->users) ++ goto out; + +- retval = imx6ul_tsc_init(tsc); ++ retval = clk_prepare_enable(tsc->adc_clk); ++ if (retval) ++ goto out; ++ ++ retval = clk_prepare_enable(tsc->tsc_clk); ++ if (retval) { ++ clk_disable_unprepare(tsc->adc_clk); ++ goto out; + } + ++ retval = imx6ul_tsc_init(tsc); ++ if (retval) { ++ clk_disable_unprepare(tsc->tsc_clk); ++ clk_disable_unprepare(tsc->adc_clk); ++ goto out; ++ } + out: + mutex_unlock(&input_dev->mutex); + return retval; +-- +2.25.1 + diff --git a/queue-5.4/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch b/queue-5.4/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch new file mode 100644 index 00000000000..431765cb855 --- /dev/null +++ b/queue-5.4/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch @@ -0,0 +1,41 @@ +From 7bb3020f7f89e03a90ecd3cc1d164d8f75acf1c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:52:15 -0700 +Subject: Input: omap4-keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 4738dd1992fa13acfbbd71800c71c612f466fa44 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: f3a1ba60dbdb ("Input: omap4-keypad - use platform device helpers") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-2-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/omap4-keypad.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c +index 94c94d7f5155f..d6c924032aaa8 100644 +--- a/drivers/input/keyboard/omap4-keypad.c ++++ b/drivers/input/keyboard/omap4-keypad.c +@@ -240,10 +240,8 @@ static int omap4_keypad_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "no keyboard irq assigned\n"); +- return -EINVAL; +- } ++ if (irq < 0) ++ return irq; + + keypad_data = kzalloc(sizeof(struct omap4_keypad), GFP_KERNEL); + if (!keypad_data) { +-- +2.25.1 + diff --git a/queue-5.4/input-stmfts-fix-a-vs-typo.patch b/queue-5.4/input-stmfts-fix-a-vs-typo.patch new file mode 100644 index 00000000000..958df1de700 --- /dev/null +++ b/queue-5.4/input-stmfts-fix-a-vs-typo.patch @@ -0,0 +1,37 @@ +From 337a60e195589b0d4b1d8978e3f286cab5c5fd7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 10:26:09 -0700 +Subject: Input: stmfts - fix a & vs && typo + +From: YueHaibing + +[ Upstream commit d04afe14b23651e7a8bc89727a759e982a8458e4 ] + +In stmfts_sysfs_hover_enable_write(), we should check value and +sdata->hover_enabled is all true. + +Fixes: 78bcac7b2ae1 ("Input: add support for the STMicroelectronics FingerTip touchscreen") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20200916141941.16684-1-yuehaibing@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/stmfts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/stmfts.c b/drivers/input/touchscreen/stmfts.c +index b6f95f20f9244..cd8805d71d977 100644 +--- a/drivers/input/touchscreen/stmfts.c ++++ b/drivers/input/touchscreen/stmfts.c +@@ -479,7 +479,7 @@ static ssize_t stmfts_sysfs_hover_enable_write(struct device *dev, + + mutex_lock(&sdata->mutex); + +- if (value & sdata->hover_enabled) ++ if (value && sdata->hover_enabled) + goto out; + + if (sdata->running) +-- +2.25.1 + diff --git a/queue-5.4/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch b/queue-5.4/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch new file mode 100644 index 00000000000..c5e45772c0a --- /dev/null +++ b/queue-5.4/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch @@ -0,0 +1,55 @@ +From 76d2d9c2801014053395cd549ddd46548d4dff35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:56:40 -0700 +Subject: Input: sun4i-ps2 - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit cafb3abea6136e59ea534004e5773361e196bb94 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: e443631d20f5 ("Input: serio - add support for Alwinner A10/A20 PS/2 controller") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20200828145744.3636-4-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/sun4i-ps2.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/serio/sun4i-ps2.c b/drivers/input/serio/sun4i-ps2.c +index a681a2c04e399..f15ed3dcdb9b2 100644 +--- a/drivers/input/serio/sun4i-ps2.c ++++ b/drivers/input/serio/sun4i-ps2.c +@@ -211,7 +211,6 @@ static int sun4i_ps2_probe(struct platform_device *pdev) + struct sun4i_ps2data *drvdata; + struct serio *serio; + struct device *dev = &pdev->dev; +- unsigned int irq; + int error; + + drvdata = kzalloc(sizeof(struct sun4i_ps2data), GFP_KERNEL); +@@ -264,14 +263,12 @@ static int sun4i_ps2_probe(struct platform_device *pdev) + writel(0, drvdata->reg_base + PS2_REG_GCTL); + + /* Get IRQ for the device */ +- irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(dev, "no IRQ found\n"); +- error = -ENXIO; ++ drvdata->irq = platform_get_irq(pdev, 0); ++ if (drvdata->irq < 0) { ++ error = drvdata->irq; + goto err_disable_clk; + } + +- drvdata->irq = irq; + drvdata->serio = serio; + drvdata->dev = dev; + +-- +2.25.1 + diff --git a/queue-5.4/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch b/queue-5.4/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch new file mode 100644 index 00000000000..67c2059acc8 --- /dev/null +++ b/queue-5.4/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch @@ -0,0 +1,51 @@ +From 94a69e09185b3a93df0d12bb915891bf92f951f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:56:19 -0700 +Subject: Input: twl4030_keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit c277e1f0dc3c7d7b5b028e20dd414df241642036 ] + +platform_get_irq() returns -ERRNO on error. In such case casting to +unsigned and comparing to 0 would pass the check. + +Fixes: 7abf38d6d13c ("Input: twl4030-keypad - add device tree support") +Reported-by: kernel test robot +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-3-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/twl4030_keypad.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/input/keyboard/twl4030_keypad.c b/drivers/input/keyboard/twl4030_keypad.c +index af3a6824f1a4d..77e0743a3cf85 100644 +--- a/drivers/input/keyboard/twl4030_keypad.c ++++ b/drivers/input/keyboard/twl4030_keypad.c +@@ -50,7 +50,7 @@ struct twl4030_keypad { + bool autorepeat; + unsigned int n_rows; + unsigned int n_cols; +- unsigned int irq; ++ int irq; + + struct device *dbg_dev; + struct input_dev *input; +@@ -376,10 +376,8 @@ static int twl4030_kp_probe(struct platform_device *pdev) + } + + kp->irq = platform_get_irq(pdev, 0); +- if (!kp->irq) { +- dev_err(&pdev->dev, "no keyboard irq assigned\n"); +- return -EINVAL; +- } ++ if (kp->irq < 0) ++ return kp->irq; + + error = matrix_keypad_build_keymap(keymap_data, NULL, + TWL4030_MAX_ROWS, +-- +2.25.1 + diff --git a/queue-5.4/iomap-clear-page-error-before-beginning-a-write.patch b/queue-5.4/iomap-clear-page-error-before-beginning-a-write.patch new file mode 100644 index 00000000000..69f2392f976 --- /dev/null +++ b/queue-5.4/iomap-clear-page-error-before-beginning-a-write.patch @@ -0,0 +1,51 @@ +From 60d38631cc80ebe3182dc936f6d5f6b34ccda8a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 08:26:17 -0700 +Subject: iomap: Clear page error before beginning a write + +From: Matthew Wilcox (Oracle) + +[ Upstream commit e6e7ca92623a43156100306861272e04d46385fc ] + +If we find a page in write_begin which is !Uptodate, we need +to clear any error on the page before starting to read data +into it. This matches how filemap_fault(), do_read_cache_page() +and generic_file_buffered_read() handle PageError on !Uptodate pages. +When calling iomap_set_range_uptodate() in __iomap_write_begin(), blocks +were not being marked as uptodate. + +This was found with generic/127 and a specially modified kernel which +would fail (some) readahead I/Os. The test read some bytes in a prior +page which caused readahead to extend into page 0x34. There was +a subsequent write to page 0x34, followed by a read to page 0x34. +Because the blocks were still marked as !Uptodate, the read caused all +blocks to be re-read, overwriting the write. With this change, and the +next one, the bytes which were written are marked as being Uptodate, so +even though the page is still marked as !Uptodate, the blocks containing +the written data are not re-read from storage. + +Fixes: 9dc55f1389f9 ("iomap: add support for sub-pagesize buffered I/O without buffer heads") +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/iomap/buffered-io.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index a30ea7ecb790a..80867a1a94f26 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -559,6 +559,7 @@ __iomap_write_begin(struct inode *inode, loff_t pos, unsigned len, + + if (PageUptodate(page)) + return 0; ++ ClearPageError(page); + + do { + iomap_adjust_read_range(inode, iop, &block_start, +-- +2.25.1 + diff --git a/queue-5.4/iomap-fix-warn_on_once-from-unprivileged-users.patch b/queue-5.4/iomap-fix-warn_on_once-from-unprivileged-users.patch new file mode 100644 index 00000000000..a66c5c3e9db --- /dev/null +++ b/queue-5.4/iomap-fix-warn_on_once-from-unprivileged-users.patch @@ -0,0 +1,48 @@ +From 41479f9141e09f88b61ff264d0fe6a90ab72e802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 08:26:15 -0700 +Subject: iomap: fix WARN_ON_ONCE() from unprivileged users + +From: Qian Cai + +[ Upstream commit a805c111650cdba6ee880f528abdd03c1af82089 ] + +It is trivial to trigger a WARN_ON_ONCE(1) in iomap_dio_actor() by +unprivileged users which would taint the kernel, or worse - panic if +panic_on_warn or panic_on_taint is set. Hence, just convert it to +pr_warn_ratelimited() to let users know their workloads are racing. +Thank Dave Chinner for the initial analysis of the racing reproducers. + +Signed-off-by: Qian Cai +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/iomap/direct-io.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c +index 7b5f76efef02d..8c98fd92bf665 100644 +--- a/fs/iomap/direct-io.c ++++ b/fs/iomap/direct-io.c +@@ -377,6 +377,16 @@ iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length, + return iomap_dio_bio_actor(inode, pos, length, dio, iomap); + case IOMAP_INLINE: + return iomap_dio_inline_actor(inode, pos, length, dio, iomap); ++ case IOMAP_DELALLOC: ++ /* ++ * DIO is not serialised against mmap() access at all, and so ++ * if the page_mkwrite occurs between the writeback and the ++ * iomap_apply() call in the DIO path, then it will see the ++ * DELALLOC block that the page-mkwrite allocated. ++ */ ++ pr_warn_ratelimited("Direct I/O collision with buffered writes! File: %pD4 Comm: %.20s\n", ++ dio->iocb->ki_filp, current->comm); ++ return -EIO; + default: + WARN_ON_ONCE(1); + return -EIO; +-- +2.25.1 + diff --git a/queue-5.4/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch b/queue-5.4/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch new file mode 100644 index 00000000000..62f260ff001 --- /dev/null +++ b/queue-5.4/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch @@ -0,0 +1,90 @@ +From 472d656c215b8b74e9e420cf934332751467cfd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 16:17:21 -0700 +Subject: ip_gre: set dev->hard_header_len and dev->needed_headroom properly + +From: Cong Wang + +[ Upstream commit fdafed459998e2be0e877e6189b24cb7a0183224 ] + +GRE tunnel has its own header_ops, ipgre_header_ops, and sets it +conditionally. When it is set, it assumes the outer IP header is +already created before ipgre_xmit(). + +This is not true when we send packets through a raw packet socket, +where L2 headers are supposed to be constructed by user. Packet +socket calls dev_validate_header() to validate the header. But +GRE tunnel does not set dev->hard_header_len, so that check can +be simply bypassed, therefore uninit memory could be passed down +to ipgre_xmit(). Similar for dev->needed_headroom. + +dev->hard_header_len is supposed to be the length of the header +created by dev->header_ops->create(), so it should be used whenever +header_ops is set, and dev->needed_headroom should be used when it +is not set. + +Reported-and-tested-by: syzbot+4a2c52677a8a1aa283cb@syzkaller.appspotmail.com +Cc: William Tu +Acked-by: Willem de Bruijn +Signed-off-by: Cong Wang +Acked-by: Xie He +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 85ba1453ba5ca..fedad3a3e61b8 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -603,9 +603,7 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { +- /* Need space for new headers */ +- if (skb_cow_head(skb, dev->needed_headroom - +- (tunnel->hlen + sizeof(struct iphdr)))) ++ if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; +@@ -723,7 +721,11 @@ static void ipgre_link_update(struct net_device *dev, bool set_mtu) + len = tunnel->tun_hlen - len; + tunnel->hlen = tunnel->hlen + len; + +- dev->needed_headroom = dev->needed_headroom + len; ++ if (dev->header_ops) ++ dev->hard_header_len += len; ++ else ++ dev->needed_headroom += len; ++ + if (set_mtu) + dev->mtu = max_t(int, dev->mtu - len, 68); + +@@ -926,6 +928,7 @@ static void __gre_tunnel_init(struct net_device *dev) + tunnel->parms.iph.protocol = IPPROTO_GRE; + + tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen; ++ dev->needed_headroom = tunnel->hlen + sizeof(tunnel->parms.iph); + + dev->features |= GRE_FEATURES; + dev->hw_features |= GRE_FEATURES; +@@ -969,10 +972,14 @@ static int ipgre_tunnel_init(struct net_device *dev) + return -EINVAL; + dev->flags = IFF_BROADCAST; + dev->header_ops = &ipgre_header_ops; ++ dev->hard_header_len = tunnel->hlen + sizeof(*iph); ++ dev->needed_headroom = 0; + } + #endif + } else if (!tunnel->collect_md) { + dev->header_ops = &ipgre_header_ops; ++ dev->hard_header_len = tunnel->hlen + sizeof(*iph); ++ dev->needed_headroom = 0; + } + + return ip_tunnel_init(dev); +-- +2.25.1 + diff --git a/queue-5.4/ipmi_si-fix-wrong-return-value-in-try_smi_init.patch b/queue-5.4/ipmi_si-fix-wrong-return-value-in-try_smi_init.patch new file mode 100644 index 00000000000..fba82ff5a22 --- /dev/null +++ b/queue-5.4/ipmi_si-fix-wrong-return-value-in-try_smi_init.patch @@ -0,0 +1,38 @@ +From e6cc99662b855eeee4b1cf68bf01e9567d802393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 22:52:12 +0800 +Subject: ipmi_si: Fix wrong return value in try_smi_init() + +From: Tianjia Zhang + +[ Upstream commit 8fe7990ceda8597e407d06bffc4bdbe835a93ece ] + +On an error exit path, a negative error code should be returned +instead of a positive return value. + +Fixes: 90b2d4f15ff7 ("ipmi_si: Remove hacks for adding a dummy platform devices") +Cc: Corey Minyard +Signed-off-by: Tianjia Zhang +Message-Id: <20201005145212.84435-1-tianjia.zhang@linux.alibaba.com> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_si_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c +index 6b9a0593d2eb7..b6e7df9e88503 100644 +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -1977,7 +1977,7 @@ static int try_smi_init(struct smi_info *new_smi) + /* Do this early so it's available for logs. */ + if (!new_smi->io.dev) { + pr_err("IPMI interface added with no device\n"); +- rv = EIO; ++ rv = -EIO; + goto out_err; + } + +-- +2.25.1 + diff --git a/queue-5.4/ipvs-clear-skb-tstamp-in-forwarding-path.patch b/queue-5.4/ipvs-clear-skb-tstamp-in-forwarding-path.patch new file mode 100644 index 00000000000..7a6ab57a1dd --- /dev/null +++ b/queue-5.4/ipvs-clear-skb-tstamp-in-forwarding-path.patch @@ -0,0 +1,59 @@ +From fc8ed5d5843e8a34e969d58a210b50ba3314c618 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 21:24:25 +0300 +Subject: ipvs: clear skb->tstamp in forwarding path + +From: Julian Anastasov + +[ Upstream commit 7980d2eabde82be86c5be18aa3d07e88ec13c6a1 ] + +fq qdisc requires tstamp to be cleared in forwarding path + +Reported-by: Evgeny B +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209427 +Suggested-by: Eric Dumazet +Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths") +Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC") +Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.") +Signed-off-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_xmit.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c +index c62a131a60948..cefc39878b1a4 100644 +--- a/net/netfilter/ipvs/ip_vs_xmit.c ++++ b/net/netfilter/ipvs/ip_vs_xmit.c +@@ -615,6 +615,8 @@ static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff *skb, + if (ret == NF_ACCEPT) { + nf_reset_ct(skb); + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + } + return ret; + } +@@ -655,6 +657,8 @@ static inline int ip_vs_nat_send_or_cont(int pf, struct sk_buff *skb, + + if (!local) { + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb, + NULL, skb_dst(skb)->dev, dst_output); + } else +@@ -675,6 +679,8 @@ static inline int ip_vs_send_or_cont(int pf, struct sk_buff *skb, + if (!local) { + ip_vs_drop_early_demux_sk(skb); + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb, + NULL, skb_dst(skb)->dev, dst_output); + } else +-- +2.25.1 + diff --git a/queue-5.4/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch b/queue-5.4/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch new file mode 100644 index 00000000000..e2cfe612ed2 --- /dev/null +++ b/queue-5.4/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch @@ -0,0 +1,52 @@ +From 02c3822d60bcd4a638c36654ae46b6829f0304f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 03:46:40 -0400 +Subject: ipvs: Fix uninit-value in do_ip_vs_set_ctl() + +From: Peilin Ye + +[ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ] + +do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is +zero. Fix it. + +Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 +Suggested-by: Julian Anastasov +Signed-off-by: Peilin Ye +Acked-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 3cccc88ef817b..99168af0c28d9 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2465,6 +2465,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + /* Set timeout values for (tcp tcpfin udp) */ + ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); + goto out_unlock; ++ } else if (!len) { ++ /* No more commands with len == 0 below */ ++ ret = -EINVAL; ++ goto out_unlock; + } + + usvc_compat = (struct ip_vs_service_user *)arg; +@@ -2541,9 +2545,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + break; + case IP_VS_SO_SET_DELDEST: + ret = ip_vs_del_dest(svc, &udest); +- break; +- default: +- ret = -EINVAL; + } + + out_unlock: +-- +2.25.1 + diff --git a/queue-5.4/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch b/queue-5.4/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch new file mode 100644 index 00000000000..1b754dcf201 --- /dev/null +++ b/queue-5.4/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch @@ -0,0 +1,45 @@ +From a642c59689ef4068680fc712a1ae9a3ed3a08520 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 10:31:20 +0300 +Subject: iwlwifi: mvm: split a print to avoid a WARNING in ROC + +From: Emmanuel Grumbach + +[ Upstream commit 903b3f9badf1d54f77b468b96706dab679b45b14 ] + +A print in the remain on channel code was too long and caused +a WARNING, split it. + +Signed-off-by: Emmanuel Grumbach +Fixes: dc28e12f2125 ("iwlwifi: mvm: ROC: Extend the ROC max delay duration & limit ROC duration") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200930102759.58d57c0bdc68.Ib06008665e7bf1199c360aa92691d9c74fb84990@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index ed92a8e8cd519..01b26b3327b01 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -3650,9 +3650,12 @@ static int iwl_mvm_send_aux_roc_cmd(struct iwl_mvm *mvm, + tail->apply_time_max_delay = cpu_to_le32(delay); + + IWL_DEBUG_TE(mvm, +- "ROC: Requesting to remain on channel %u for %ums (requested = %ums, max_delay = %ums, dtim_interval = %ums)\n", +- channel->hw_value, req_dur, duration, delay, +- dtim_interval); ++ "ROC: Requesting to remain on channel %u for %ums\n", ++ channel->hw_value, req_dur); ++ IWL_DEBUG_TE(mvm, ++ "\t(requested = %ums, max_delay = %ums, dtim_interval = %ums)\n", ++ duration, delay, dtim_interval); ++ + /* Set the node address */ + memcpy(tail->node_addr, vif->addr, ETH_ALEN); + +-- +2.25.1 + diff --git a/queue-5.4/kdb-fix-pager-search-for-multi-line-strings.patch b/queue-5.4/kdb-fix-pager-search-for-multi-line-strings.patch new file mode 100644 index 00000000000..a550070bfc3 --- /dev/null +++ b/queue-5.4/kdb-fix-pager-search-for-multi-line-strings.patch @@ -0,0 +1,55 @@ +From 72f08330f4d8f1a9688003ec012a01c62525a304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 15:17:08 +0100 +Subject: kdb: Fix pager search for multi-line strings + +From: Daniel Thompson + +[ Upstream commit d081a6e353168f15e63eb9e9334757f20343319f ] + +Currently using forward search doesn't handle multi-line strings correctly. +The search routine replaces line breaks with \0 during the search and, for +regular searches ("help | grep Common\n"), there is code after the line +has been discarded or printed to replace the break character. + +However during a pager search ("help\n" followed by "/Common\n") when the +string is matched we will immediately return to normal output and the code +that should restore the \n becomes unreachable. Fix this by restoring the +replaced character when we disable the search mode and update the comment +accordingly. + +Fixes: fb6daa7520f9d ("kdb: Provide forward search at more prompt") +Link: https://lore.kernel.org/r/20200909141708.338273-1-daniel.thompson@linaro.org +Reviewed-by: Douglas Anderson +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_io.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c +index 3a5184eb6977d..46821793637a1 100644 +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -679,12 +679,16 @@ int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap) + size_avail = sizeof(kdb_buffer) - len; + goto kdb_print_out; + } +- if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) ++ if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) { + /* + * This was a interactive search (using '/' at more +- * prompt) and it has completed. Clear the flag. ++ * prompt) and it has completed. Replace the \0 with ++ * its original value to ensure multi-line strings ++ * are handled properly, and return to normal mode. + */ ++ *cphold = replaced_byte; + kdb_grepping_flag = 0; ++ } + /* + * at this point the string is a full line and + * should be printed, up to the null. +-- +2.25.1 + diff --git a/queue-5.4/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch b/queue-5.4/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch new file mode 100644 index 00000000000..9028152a442 --- /dev/null +++ b/queue-5.4/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch @@ -0,0 +1,39 @@ +From 555193dd01a8c4fe509e7572f1921a124fadc24d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 10:23:42 +0800 +Subject: KVM: x86: emulating RDPID failure shall return #UD rather than #GP + +From: Robert Hoo + +[ Upstream commit a9e2e0ae686094571378c72d8146b5a1a92d0652 ] + +Per Intel's SDM, RDPID takes a #UD if it is unsupported, which is more or +less what KVM is emulating when MSR_TSC_AUX is not available. In fact, +there are no scenarios in which RDPID is supposed to #GP. + +Fixes: fb6d4d340e ("KVM: x86: emulate RDPID") +Signed-off-by: Robert Hoo +Message-Id: <1598581422-76264-1-git-send-email-robert.hu@linux.intel.com> +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index cc7823e7ef96c..484c32b7f79ff 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -3617,7 +3617,7 @@ static int em_rdpid(struct x86_emulate_ctxt *ctxt) + u64 tsc_aux = 0; + + if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux)) +- return emulate_gp(ctxt, 0); ++ return emulate_ud(ctxt); + ctxt->dst.val = tsc_aux; + return X86EMUL_CONTINUE; + } +-- +2.25.1 + diff --git a/queue-5.4/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch b/queue-5.4/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch new file mode 100644 index 00000000000..db230c04d6f --- /dev/null +++ b/queue-5.4/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch @@ -0,0 +1,45 @@ +From 456b0ea832dd2664f5c3208d915d84d91ace62b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:11:38 -0700 +Subject: lib/crc32.c: fix trivial typo in preprocessor condition + +From: Tobias Jordan + +[ Upstream commit 904542dc56524f921a6bab0639ff6249c01e775f ] + +Whether crc32_be needs a lookup table is chosen based on CRC_LE_BITS. +Obviously, the _be function should be governed by the _BE_ define. + +This probably never pops up as it's hard to come up with a configuration +where CRC_BE_BITS isn't the same as CRC_LE_BITS and as nobody is using +bitwise CRC anyway. + +Fixes: 46c5801eaf86 ("crc32: bolt on crc32c") +Signed-off-by: Tobias Jordan +Signed-off-by: Andrew Morton +Cc: Krzysztof Kozlowski +Cc: Jonathan Corbet +Cc: Mauro Carvalho Chehab +Link: https://lkml.kernel.org/r/20200923182122.GA3338@agrajag.zerfleddert.de +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/crc32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/crc32.c b/lib/crc32.c +index 4a20455d1f61e..bf60ef26a45c2 100644 +--- a/lib/crc32.c ++++ b/lib/crc32.c +@@ -331,7 +331,7 @@ static inline u32 __pure crc32_be_generic(u32 crc, unsigned char const *p, + return crc; + } + +-#if CRC_LE_BITS == 1 ++#if CRC_BE_BITS == 1 + u32 __pure crc32_be(u32 crc, unsigned char const *p, size_t len) + { + return crc32_be_generic(crc, p, len, NULL, CRC32_POLY_BE); +-- +2.25.1 + diff --git a/queue-5.4/lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch b/queue-5.4/lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch new file mode 100644 index 00000000000..07b23c7dcd7 --- /dev/null +++ b/queue-5.4/lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch @@ -0,0 +1,42 @@ +From 9971df532ca745bf9959935b6d98d5c8a3d4ac74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 15:33:51 +0100 +Subject: lightnvm: fix out-of-bounds write to array devices->info[] + +From: Colin Ian King + +[ Upstream commit a48faebe65b0db55a73b9220c3d919eee849bb79 ] + +There is an off-by-one array check that can lead to a out-of-bounds +write to devices->info[i]. Fix this by checking by using >= rather +than > for the size check. Also replace hard-coded array size limit +with ARRAY_SIZE on the array. + +Addresses-Coverity: ("Out-of-bounds write") +Fixes: cd9e9808d18f ("lightnvm: Support for Open-Channel SSDs") +Signed-off-by: Colin Ian King +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/lightnvm/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c +index 7543e395a2c64..a2ebc75af8c79 100644 +--- a/drivers/lightnvm/core.c ++++ b/drivers/lightnvm/core.c +@@ -1316,8 +1316,9 @@ static long nvm_ioctl_get_devices(struct file *file, void __user *arg) + strlcpy(info->bmname, "gennvm", sizeof(info->bmname)); + i++; + +- if (i > 31) { +- pr_err("max 31 devices can be reported.\n"); ++ if (i >= ARRAY_SIZE(devices->info)) { ++ pr_err("max %zd devices can be reported.\n", ++ ARRAY_SIZE(devices->info)); + break; + } + } +-- +2.25.1 + diff --git a/queue-5.4/mac80211-handle-lack-of-sband-bitrates-in-rates.patch b/queue-5.4/mac80211-handle-lack-of-sband-bitrates-in-rates.patch new file mode 100644 index 00000000000..45b9809dec8 --- /dev/null +++ b/queue-5.4/mac80211-handle-lack-of-sband-bitrates-in-rates.patch @@ -0,0 +1,58 @@ +From 8e3f102729945f4125b1a80569a92db5d90c7f37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 09:45:21 -0700 +Subject: mac80211: handle lack of sband->bitrates in rates + +From: Thomas Pedersen + +[ Upstream commit 8b783d104e7f40684333d2ec155fac39219beb2f ] + +Even though a driver or mac80211 shouldn't produce a +legacy bitrate if sband->bitrates doesn't exist, don't +crash if that is the case either. + +This fixes a kernel panic if station dump is run before +last_rate can be updated with a data frame when +sband->bitrates is missing (eg. in S1G bands). + +Signed-off-by: Thomas Pedersen +Link: https://lore.kernel.org/r/20201005164522.18069-1-thomas@adapt-ip.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 3 ++- + net/mac80211/sta_info.c | 4 ++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index a9dda5c228f60..fa293feef935d 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -698,7 +698,8 @@ void sta_set_rate_info_tx(struct sta_info *sta, + u16 brate; + + sband = ieee80211_get_sband(sta->sdata); +- if (sband) { ++ WARN_ON_ONCE(sband && !sband->bitrates); ++ if (sband && sband->bitrates) { + brate = sband->bitrates[rate->idx].bitrate; + rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift); + } +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index f5d96107af6de..4f14d8a06915a 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2083,6 +2083,10 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u32 rate, + int rate_idx = STA_STATS_GET(LEGACY_IDX, rate); + + sband = local->hw.wiphy->bands[band]; ++ ++ if (WARN_ON_ONCE(!sband->bitrates)) ++ break; ++ + brate = sband->bitrates[rate_idx].bitrate; + if (rinfo->bw == RATE_INFO_BW_5) + shift = 2; +-- +2.25.1 + diff --git a/queue-5.4/maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch b/queue-5.4/maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch new file mode 100644 index 00000000000..62cd8816ce1 --- /dev/null +++ b/queue-5.4/maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch @@ -0,0 +1,49 @@ +From 0cf0833f7e939478df8c22b02afc4f42e111da77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:31:28 +0200 +Subject: maiblox: mediatek: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 558e4c36ec9f2722af4fe8ef84dc812bcdb5c43a ] + +platform_get_irq() returns -ERRNO on error. In such case casting to u32 +and comparing to 0 would pass the check. + +Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mtk-cmdq-mailbox.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c +index 9a6ce9f5a7db5..3c8b365ce635a 100644 +--- a/drivers/mailbox/mtk-cmdq-mailbox.c ++++ b/drivers/mailbox/mtk-cmdq-mailbox.c +@@ -70,7 +70,7 @@ struct cmdq_task { + struct cmdq { + struct mbox_controller mbox; + void __iomem *base; +- u32 irq; ++ int irq; + u32 thread_nr; + u32 irq_mask; + struct cmdq_thread *thread; +@@ -474,10 +474,8 @@ static int cmdq_probe(struct platform_device *pdev) + } + + cmdq->irq = platform_get_irq(pdev, 0); +- if (!cmdq->irq) { +- dev_err(dev, "failed to get irq\n"); +- return -EINVAL; +- } ++ if (cmdq->irq < 0) ++ return cmdq->irq; + + cmdq->thread_nr = (u32)(unsigned long)of_device_get_match_data(dev); + cmdq->irq_mask = GENMASK(cmdq->thread_nr - 1, 0); +-- +2.25.1 + diff --git a/queue-5.4/mailbox-avoid-timer-start-from-callback.patch b/queue-5.4/mailbox-avoid-timer-start-from-callback.patch new file mode 100644 index 00000000000..1e88e897126 --- /dev/null +++ b/queue-5.4/mailbox-avoid-timer-start-from-callback.patch @@ -0,0 +1,75 @@ +From 0233ffbbdfb590a862f8e702433a9da6f669cf1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 12:20:56 -0500 +Subject: mailbox: avoid timer start from callback + +From: Jassi Brar + +[ Upstream commit c7dacf5b0f32957b24ef29df1207dc2cd8307743 ] + +If the txdone is done by polling, it is possible for msg_submit() to start +the timer while txdone_hrtimer() callback is running. If the timer needs +recheduling, it could already be enqueued by the time hrtimer_forward_now() +is called, leading hrtimer to loudly complain. + +WARNING: CPU: 3 PID: 74 at kernel/time/hrtimer.c:932 hrtimer_forward+0xc4/0x110 +CPU: 3 PID: 74 Comm: kworker/u8:1 Not tainted 5.9.0-rc2-00236-gd3520067d01c-dirty #5 +Hardware name: Libre Computer AML-S805X-AC (DT) +Workqueue: events_freezable_power_ thermal_zone_device_check +pstate: 20000085 (nzCv daIf -PAN -UAO BTYPE=--) +pc : hrtimer_forward+0xc4/0x110 +lr : txdone_hrtimer+0xf8/0x118 +[...] + +This can be fixed by not starting the timer from the callback path. Which +requires the timer reloading as long as any message is queued on the +channel, and not just when current tx is not done yet. + +Fixes: 0cc67945ea59 ("mailbox: switch to hrtimer for tx_complete polling") +Reported-by: Da Xue +Reviewed-by: Sudeep Holla +Tested-by: Sudeep Holla +Acked-by: Jerome Brunet +Tested-by: Jerome Brunet +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c +index 0b821a5b2db84..3e7d4b20ab34f 100644 +--- a/drivers/mailbox/mailbox.c ++++ b/drivers/mailbox/mailbox.c +@@ -82,9 +82,12 @@ static void msg_submit(struct mbox_chan *chan) + exit: + spin_unlock_irqrestore(&chan->lock, flags); + +- if (!err && (chan->txdone_method & TXDONE_BY_POLL)) +- /* kick start the timer immediately to avoid delays */ +- hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL); ++ /* kick start the timer immediately to avoid delays */ ++ if (!err && (chan->txdone_method & TXDONE_BY_POLL)) { ++ /* but only if not already active */ ++ if (!hrtimer_active(&chan->mbox->poll_hrt)) ++ hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL); ++ } + } + + static void tx_tick(struct mbox_chan *chan, int r) +@@ -122,11 +125,10 @@ static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer) + struct mbox_chan *chan = &mbox->chans[i]; + + if (chan->active_req && chan->cl) { ++ resched = true; + txdone = chan->mbox->ops->last_tx_done(chan); + if (txdone) + tx_tick(chan, 0); +- else +- resched = true; + } + } + +-- +2.25.1 + diff --git a/queue-5.4/md-bitmap-fix-memory-leak-of-temporary-bitmap.patch b/queue-5.4/md-bitmap-fix-memory-leak-of-temporary-bitmap.patch new file mode 100644 index 00000000000..ab19f412ed5 --- /dev/null +++ b/queue-5.4/md-bitmap-fix-memory-leak-of-temporary-bitmap.patch @@ -0,0 +1,60 @@ +From 4089ead4b8e96f6b58bfec14fbf4308ad5cc0846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Sep 2020 13:40:13 +0800 +Subject: md/bitmap: fix memory leak of temporary bitmap + +From: Zhao Heming + +[ Upstream commit 1383b347a8ae4a69c04ae3746e6cb5c8d38e2585 ] + +Callers of get_bitmap_from_slot() are responsible to free the bitmap. + +Suggested-by: Guoqing Jiang +Signed-off-by: Zhao Heming +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 3 ++- + drivers/md/md-cluster.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 3ad18246fcb3c..7227d03dbbea7 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -1954,6 +1954,7 @@ int md_bitmap_load(struct mddev *mddev) + } + EXPORT_SYMBOL_GPL(md_bitmap_load); + ++/* caller need to free returned bitmap with md_bitmap_free() */ + struct bitmap *get_bitmap_from_slot(struct mddev *mddev, int slot) + { + int rv = 0; +@@ -2017,6 +2018,7 @@ int md_bitmap_copy_from_slot(struct mddev *mddev, int slot, + md_bitmap_unplug(mddev->bitmap); + *low = lo; + *high = hi; ++ md_bitmap_free(bitmap); + + return rv; + } +@@ -2620,4 +2622,3 @@ struct attribute_group md_bitmap_group = { + .name = "bitmap", + .attrs = md_bitmap_attrs, + }; +- +diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c +index d50737ec40394..afbbc552c3275 100644 +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -1166,6 +1166,7 @@ static int resize_bitmaps(struct mddev *mddev, sector_t newsize, sector_t oldsiz + * can't resize bitmap + */ + goto out; ++ md_bitmap_free(bitmap); + } + + return 0; +-- +2.25.1 + diff --git a/queue-5.4/media-ati_remote-sanity-check-for-both-endpoints.patch b/queue-5.4/media-ati_remote-sanity-check-for-both-endpoints.patch new file mode 100644 index 00000000000..ce0808b7430 --- /dev/null +++ b/queue-5.4/media-ati_remote-sanity-check-for-both-endpoints.patch @@ -0,0 +1,40 @@ +From 29125bd28760d4b437b4c7413345de5ebc408b68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 15:50:51 +0200 +Subject: media: ati_remote: sanity check for both endpoints + +From: Oliver Neukum + +[ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ] + +If you do sanity checks, you should do them for both endpoints. +Hence introduce checking for endpoint type for the output +endpoint, too. + +Reported-by: syzbot+998261c2ae5932458f6c@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ati_remote.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c +index 9cdef17b4793f..c12dda73cdd53 100644 +--- a/drivers/media/rc/ati_remote.c ++++ b/drivers/media/rc/ati_remote.c +@@ -835,6 +835,10 @@ static int ati_remote_probe(struct usb_interface *interface, + err("%s: endpoint_in message size==0? \n", __func__); + return -ENODEV; + } ++ if (!usb_endpoint_is_int_out(endpoint_out)) { ++ err("%s: Unexpected endpoint_out\n", __func__); ++ return -ENODEV; ++ } + + ati_remote = kzalloc(sizeof (struct ati_remote), GFP_KERNEL); + rc_dev = rc_allocate_device(RC_DRIVER_SCANCODE); +-- +2.25.1 + diff --git a/queue-5.4/media-bdisp-fix-runtime-pm-imbalance-on-error.patch b/queue-5.4/media-bdisp-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..edd8b791094 --- /dev/null +++ b/queue-5.4/media-bdisp-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,46 @@ +From 14916e37e67bc8bab3a338213bfc1b5fbebf0ded Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 12:00:21 +0200 +Subject: media: bdisp: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit dbd2f2dc025f9be8ae063e4f270099677238f620 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +index 675b5f2b4c2ee..a55ddf8d185d5 100644 +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +@@ -1367,7 +1367,7 @@ static int bdisp_probe(struct platform_device *pdev) + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "failed to set PM\n"); +- goto err_dbg; ++ goto err_pm; + } + + /* Filters */ +@@ -1395,7 +1395,6 @@ static int bdisp_probe(struct platform_device *pdev) + bdisp_hw_free_filters(bdisp->dev); + err_pm: + pm_runtime_put(dev); +-err_dbg: + bdisp_debugfs_remove(bdisp); + err_v4l2: + v4l2_device_unregister(&bdisp->v4l2_dev); +-- +2.25.1 + diff --git a/queue-5.4/media-camss-fix-a-reference-count-leak.patch b/queue-5.4/media-camss-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..50ca158cc1c --- /dev/null +++ b/queue-5.4/media-camss-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From b75cae197a8261e415cf0ed660c36fbe82c1fb18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:27:12 +0200 +Subject: media: camss: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit d0675b67b42eb4f1a840d1513b5b00f78312f833 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +PM runtime put is not called in error handling paths. +Thus call pm_runtime_put_sync() if pm_runtime_get_sync() fails. + +Fixes: 02afa816dbbf ("media: camss: Add basic runtime PM support") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss-csiphy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-csiphy.c b/drivers/media/platform/qcom/camss/camss-csiphy.c +index 008afb85023be..3c5b9082ad723 100644 +--- a/drivers/media/platform/qcom/camss/camss-csiphy.c ++++ b/drivers/media/platform/qcom/camss/camss-csiphy.c +@@ -176,8 +176,10 @@ static int csiphy_set_power(struct v4l2_subdev *sd, int on) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_sync(dev); + return ret; ++ } + + ret = csiphy_set_clock_rates(csiphy); + if (ret < 0) { +-- +2.25.1 + diff --git a/queue-5.4/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch b/queue-5.4/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch new file mode 100644 index 00000000000..d8891b4799a --- /dev/null +++ b/queue-5.4/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch @@ -0,0 +1,41 @@ +From 2582c782c1f7e7a05febd64a961a317e144c22a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:10:58 +0200 +Subject: media: exynos4-is: Fix a reference count leak due to + pm_runtime_get_sync + +From: Qiushi Wu + +[ Upstream commit c47f7c779ef0458a58583f00c9ed71b7f5a4d0a2 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 2f90607c3797d..a07d796f63df0 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -484,8 +484,10 @@ static int fimc_md_register_sensor_entities(struct fimc_md *fmd) + return -ENXIO; + + ret = pm_runtime_get_sync(fmd->pmf); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(fmd->pmf); + return ret; ++ } + + fmd->num_sensors = 0; + +-- +2.25.1 + diff --git a/queue-5.4/media-exynos4-is-fix-a-reference-count-leak.patch b/queue-5.4/media-exynos4-is-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..b40d210bc33 --- /dev/null +++ b/queue-5.4/media-exynos4-is-fix-a-reference-count-leak.patch @@ -0,0 +1,41 @@ +From f43e37a7ff103a548b0b2e147a32a254b8bb008d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:01:11 +0200 +Subject: media: exynos4-is: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 64157b2cb1940449e7df2670e85781c690266588 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/mipi-csis.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c +index 540151bbf58f2..1aac167abb175 100644 +--- a/drivers/media/platform/exynos4-is/mipi-csis.c ++++ b/drivers/media/platform/exynos4-is/mipi-csis.c +@@ -510,8 +510,10 @@ static int s5pcsis_s_stream(struct v4l2_subdev *sd, int enable) + if (enable) { + s5pcsis_clear_counters(state); + ret = pm_runtime_get_sync(&state->pdev->dev); +- if (ret && ret != 1) ++ if (ret && ret != 1) { ++ pm_runtime_put_noidle(&state->pdev->dev); + return ret; ++ } + } + + mutex_lock(&state->lock); +-- +2.25.1 + diff --git a/queue-5.4/media-exynos4-is-fix-several-reference-count-leaks-d.patch b/queue-5.4/media-exynos4-is-fix-several-reference-count-leaks-d.patch new file mode 100644 index 00000000000..521d9ceab45 --- /dev/null +++ b/queue-5.4/media-exynos4-is-fix-several-reference-count-leaks-d.patch @@ -0,0 +1,55 @@ +From ebf80575d5916878ef3e68aeaaead59f3743f9af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:18:29 +0200 +Subject: media: exynos4-is: Fix several reference count leaks due to + pm_runtime_get_sync + +From: Qiushi Wu + +[ Upstream commit 7ef64ceea0008c17e94a8a2c60c5d6d46f481996 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-isp.c | 4 +++- + drivers/media/platform/exynos4-is/fimc-lite.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/fimc-isp.c b/drivers/media/platform/exynos4-is/fimc-isp.c +index cde0d254ec1c4..a77c49b185115 100644 +--- a/drivers/media/platform/exynos4-is/fimc-isp.c ++++ b/drivers/media/platform/exynos4-is/fimc-isp.c +@@ -305,8 +305,10 @@ static int fimc_isp_subdev_s_power(struct v4l2_subdev *sd, int on) + + if (on) { + ret = pm_runtime_get_sync(&is->pdev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(&is->pdev->dev); + return ret; ++ } + set_bit(IS_ST_PWR_ON, &is->state); + + ret = fimc_is_start_firmware(is); +diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c +index e87c6a09205bd..efd06621951c7 100644 +--- a/drivers/media/platform/exynos4-is/fimc-lite.c ++++ b/drivers/media/platform/exynos4-is/fimc-lite.c +@@ -470,7 +470,7 @@ static int fimc_lite_open(struct file *file) + set_bit(ST_FLITE_IN_USE, &fimc->state); + ret = pm_runtime_get_sync(&fimc->pdev->dev); + if (ret < 0) +- goto unlock; ++ goto err_pm; + + ret = v4l2_fh_open(file); + if (ret < 0) +-- +2.25.1 + diff --git a/queue-5.4/media-firewire-fix-memory-leak.patch b/queue-5.4/media-firewire-fix-memory-leak.patch new file mode 100644 index 00000000000..7e434b68f02 --- /dev/null +++ b/queue-5.4/media-firewire-fix-memory-leak.patch @@ -0,0 +1,39 @@ +From 8790af765b569e6f05c0863ff4fe9287db8cc419 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 11:01:37 +0200 +Subject: media: firewire: fix memory leak + +From: Pavel Machek + +[ Upstream commit b28e32798c78a346788d412f1958f36bb760ec03 ] + +Fix memory leak in node_probe. + +Signed-off-by: Pavel Machek (CIP) +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/firewire/firedtv-fw.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index 3f1ca40b9b987..8a8585261bb80 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -272,8 +272,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); +- if (name_len < 0) +- return name_len; ++ if (name_len < 0) { ++ err = name_len; ++ goto fail_free; ++ } + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +-- +2.25.1 + diff --git a/queue-5.4/media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch b/queue-5.4/media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch new file mode 100644 index 00000000000..05fffc382b6 --- /dev/null +++ b/queue-5.4/media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch @@ -0,0 +1,141 @@ +From 35ef78a0d38492595d1a84e362a1018cd524f727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 22:18:32 +0200 +Subject: media: i2c: ov5640: Enable data pins on poweron for DVP mode + +From: Lad Prabhakar + +[ Upstream commit 576f5d4ba8f672953513280510abf9a736b015cc ] + +During testing this sensor on iW-RainboW-G21D-Qseven platform in 8-bit DVP +mode with rcar-vin bridge noticed the capture worked fine for the first run +(with yavta), but for subsequent runs the bridge driver waited for the +frame to be captured. Debugging further noticed the data lines were +enabled/disabled in stream on/off callback and dumping the register +contents 0x3017/0x3018 in ov5640_set_stream_dvp() reported the correct +values, but yet frame capturing failed. + +To get around this issue data lines are enabled in s_power callback. +(Also the sensor remains in power down mode if not streaming so power +consumption shouldn't be affected) + +Fixes: f22996db44e2d ("media: ov5640: add support of DVP parallel interface") +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Tested-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 73 +++++++++++++++++++++----------------- + 1 file changed, 40 insertions(+), 33 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index 3c6ad2dd9c0e1..be6c882dd1d54 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -274,8 +274,7 @@ static inline struct v4l2_subdev *ctrl_to_sd(struct v4l2_ctrl *ctrl) + /* YUV422 UYVY VGA@30fps */ + static const struct reg_value ov5640_init_setting_30fps_VGA[] = { + {0x3103, 0x11, 0, 0}, {0x3008, 0x82, 0, 5}, {0x3008, 0x42, 0, 0}, +- {0x3103, 0x03, 0, 0}, {0x3017, 0x00, 0, 0}, {0x3018, 0x00, 0, 0}, +- {0x3630, 0x36, 0, 0}, ++ {0x3103, 0x03, 0, 0}, {0x3630, 0x36, 0, 0}, + {0x3631, 0x0e, 0, 0}, {0x3632, 0xe2, 0, 0}, {0x3633, 0x12, 0, 0}, + {0x3621, 0xe0, 0, 0}, {0x3704, 0xa0, 0, 0}, {0x3703, 0x5a, 0, 0}, + {0x3715, 0x78, 0, 0}, {0x3717, 0x01, 0, 0}, {0x370b, 0x60, 0, 0}, +@@ -1272,33 +1271,6 @@ static int ov5640_set_stream_dvp(struct ov5640_dev *sensor, bool on) + if (ret) + return ret; + +- /* +- * enable VSYNC/HREF/PCLK DVP control lines +- * & D[9:6] DVP data lines +- * +- * PAD OUTPUT ENABLE 01 +- * - 6: VSYNC output enable +- * - 5: HREF output enable +- * - 4: PCLK output enable +- * - [3:0]: D[9:6] output enable +- */ +- ret = ov5640_write_reg(sensor, +- OV5640_REG_PAD_OUTPUT_ENABLE01, +- on ? 0x7f : 0); +- if (ret) +- return ret; +- +- /* +- * enable D[5:0] DVP data lines +- * +- * PAD OUTPUT ENABLE 02 +- * - [7:2]: D[5:0] output enable +- */ +- ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, +- on ? 0xfc : 0); +- if (ret) +- return ret; +- + return ov5640_write_reg(sensor, OV5640_REG_SYS_CTRL0, on ? + OV5640_REG_SYS_CTRL0_SW_PWUP : + OV5640_REG_SYS_CTRL0_SW_PWDN); +@@ -2055,6 +2027,40 @@ static int ov5640_set_power_mipi(struct ov5640_dev *sensor, bool on) + return 0; + } + ++static int ov5640_set_power_dvp(struct ov5640_dev *sensor, bool on) ++{ ++ int ret; ++ ++ if (!on) { ++ /* Reset settings to their default values. */ ++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE01, 0x00); ++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, 0x00); ++ return 0; ++ } ++ ++ /* ++ * enable VSYNC/HREF/PCLK DVP control lines ++ * & D[9:6] DVP data lines ++ * ++ * PAD OUTPUT ENABLE 01 ++ * - 6: VSYNC output enable ++ * - 5: HREF output enable ++ * - 4: PCLK output enable ++ * - [3:0]: D[9:6] output enable ++ */ ++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE01, 0x7f); ++ if (ret) ++ return ret; ++ ++ /* ++ * enable D[5:0] DVP data lines ++ * ++ * PAD OUTPUT ENABLE 02 ++ * - [7:2]: D[5:0] output enable ++ */ ++ return ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, 0xfc); ++} ++ + static int ov5640_set_power(struct ov5640_dev *sensor, bool on) + { + int ret = 0; +@@ -2069,11 +2075,12 @@ static int ov5640_set_power(struct ov5640_dev *sensor, bool on) + goto power_off; + } + +- if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) { ++ if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) + ret = ov5640_set_power_mipi(sensor, on); +- if (ret) +- goto power_off; +- } ++ else ++ ret = ov5640_set_power_dvp(sensor, on); ++ if (ret) ++ goto power_off; + + if (!on) + ov5640_set_power_off(sensor); +-- +2.25.1 + diff --git a/queue-5.4/media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch b/queue-5.4/media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch new file mode 100644 index 00000000000..2f3a392ea4a --- /dev/null +++ b/queue-5.4/media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch @@ -0,0 +1,70 @@ +From 35209651ee8b191a07c43fc748bdc9f6edfcf5c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 22:18:30 +0200 +Subject: media: i2c: ov5640: Remain in power down for DVP mode unless + streaming + +From: Lad Prabhakar + +[ Upstream commit 3b987d70e903962eb8c5961ba166c345a49d1a0b ] + +Keep the sensor in software power down mode and wake up only in +ov5640_set_stream_dvp() callback. + +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Tested-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index b21ddbd514465..065f9706db7e5 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -34,6 +34,8 @@ + #define OV5640_REG_SYS_RESET02 0x3002 + #define OV5640_REG_SYS_CLOCK_ENABLE02 0x3006 + #define OV5640_REG_SYS_CTRL0 0x3008 ++#define OV5640_REG_SYS_CTRL0_SW_PWDN 0x42 ++#define OV5640_REG_SYS_CTRL0_SW_PWUP 0x02 + #define OV5640_REG_CHIP_ID 0x300a + #define OV5640_REG_IO_MIPI_CTRL00 0x300e + #define OV5640_REG_PAD_OUTPUT_ENABLE01 0x3017 +@@ -1109,6 +1111,12 @@ static int ov5640_load_regs(struct ov5640_dev *sensor, + val = regs->val; + mask = regs->mask; + ++ /* remain in power down mode for DVP */ ++ if (regs->reg_addr == OV5640_REG_SYS_CTRL0 && ++ val == OV5640_REG_SYS_CTRL0_SW_PWUP && ++ sensor->ep.bus_type != V4L2_MBUS_CSI2_DPHY) ++ continue; ++ + if (mask) + ret = ov5640_mod_reg(sensor, reg_addr, mask, val); + else +@@ -1286,9 +1294,14 @@ static int ov5640_set_stream_dvp(struct ov5640_dev *sensor, bool on) + * PAD OUTPUT ENABLE 02 + * - [7:2]: D[5:0] output enable + */ +- return ov5640_write_reg(sensor, +- OV5640_REG_PAD_OUTPUT_ENABLE02, +- on ? 0xfc : 0); ++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, ++ on ? 0xfc : 0); ++ if (ret) ++ return ret; ++ ++ return ov5640_write_reg(sensor, OV5640_REG_SYS_CTRL0, on ? ++ OV5640_REG_SYS_CTRL0_SW_PWUP : ++ OV5640_REG_SYS_CTRL0_SW_PWDN); + } + + static int ov5640_set_stream_mipi(struct ov5640_dev *sensor, bool on) +-- +2.25.1 + diff --git a/queue-5.4/media-i2c-ov5640-separate-out-mipi-configuration-fro.patch b/queue-5.4/media-i2c-ov5640-separate-out-mipi-configuration-fro.patch new file mode 100644 index 00000000000..6aa4a00d2ba --- /dev/null +++ b/queue-5.4/media-i2c-ov5640-separate-out-mipi-configuration-fro.patch @@ -0,0 +1,164 @@ +From ba2f0a533aa167dafb723fb1278ea972a9da748e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 22:18:31 +0200 +Subject: media: i2c: ov5640: Separate out mipi configuration from s_power + +From: Lad Prabhakar + +[ Upstream commit b1751ae652fb95919c08df5bdd739ccf9886158a ] + +In preparation for adding DVP configuration in s_power callback +move mipi configuration into separate function + +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Tested-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 116 +++++++++++++++++++------------------ + 1 file changed, 60 insertions(+), 56 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index 065f9706db7e5..3c6ad2dd9c0e1 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -2000,6 +2000,61 @@ static void ov5640_set_power_off(struct ov5640_dev *sensor) + clk_disable_unprepare(sensor->xclk); + } + ++static int ov5640_set_power_mipi(struct ov5640_dev *sensor, bool on) ++{ ++ int ret; ++ ++ if (!on) { ++ /* Reset MIPI bus settings to their default values. */ ++ ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x58); ++ ov5640_write_reg(sensor, OV5640_REG_MIPI_CTRL00, 0x04); ++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT00, 0x00); ++ return 0; ++ } ++ ++ /* ++ * Power up MIPI HS Tx and LS Rx; 2 data lanes mode ++ * ++ * 0x300e = 0x40 ++ * [7:5] = 010 : 2 data lanes mode (see FIXME note in ++ * "ov5640_set_stream_mipi()") ++ * [4] = 0 : Power up MIPI HS Tx ++ * [3] = 0 : Power up MIPI LS Rx ++ * [2] = 0 : MIPI interface disabled ++ */ ++ ret = ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x40); ++ if (ret) ++ return ret; ++ ++ /* ++ * Gate clock and set LP11 in 'no packets mode' (idle) ++ * ++ * 0x4800 = 0x24 ++ * [5] = 1 : Gate clock when 'no packets' ++ * [2] = 1 : MIPI bus in LP11 when 'no packets' ++ */ ++ ret = ov5640_write_reg(sensor, OV5640_REG_MIPI_CTRL00, 0x24); ++ if (ret) ++ return ret; ++ ++ /* ++ * Set data lanes and clock in LP11 when 'sleeping' ++ * ++ * 0x3019 = 0x70 ++ * [6] = 1 : MIPI data lane 2 in LP11 when 'sleeping' ++ * [5] = 1 : MIPI data lane 1 in LP11 when 'sleeping' ++ * [4] = 1 : MIPI clock lane in LP11 when 'sleeping' ++ */ ++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT00, 0x70); ++ if (ret) ++ return ret; ++ ++ /* Give lanes some time to coax into LP11 state. */ ++ usleep_range(500, 1000); ++ ++ return 0; ++} ++ + static int ov5640_set_power(struct ov5640_dev *sensor, bool on) + { + int ret = 0; +@@ -2012,67 +2067,16 @@ static int ov5640_set_power(struct ov5640_dev *sensor, bool on) + ret = ov5640_restore_mode(sensor); + if (ret) + goto power_off; ++ } + +- /* We're done here for DVP bus, while CSI-2 needs setup. */ +- if (sensor->ep.bus_type != V4L2_MBUS_CSI2_DPHY) +- return 0; +- +- /* +- * Power up MIPI HS Tx and LS Rx; 2 data lanes mode +- * +- * 0x300e = 0x40 +- * [7:5] = 010 : 2 data lanes mode (see FIXME note in +- * "ov5640_set_stream_mipi()") +- * [4] = 0 : Power up MIPI HS Tx +- * [3] = 0 : Power up MIPI LS Rx +- * [2] = 0 : MIPI interface disabled +- */ +- ret = ov5640_write_reg(sensor, +- OV5640_REG_IO_MIPI_CTRL00, 0x40); +- if (ret) +- goto power_off; +- +- /* +- * Gate clock and set LP11 in 'no packets mode' (idle) +- * +- * 0x4800 = 0x24 +- * [5] = 1 : Gate clock when 'no packets' +- * [2] = 1 : MIPI bus in LP11 when 'no packets' +- */ +- ret = ov5640_write_reg(sensor, +- OV5640_REG_MIPI_CTRL00, 0x24); +- if (ret) +- goto power_off; +- +- /* +- * Set data lanes and clock in LP11 when 'sleeping' +- * +- * 0x3019 = 0x70 +- * [6] = 1 : MIPI data lane 2 in LP11 when 'sleeping' +- * [5] = 1 : MIPI data lane 1 in LP11 when 'sleeping' +- * [4] = 1 : MIPI clock lane in LP11 when 'sleeping' +- */ +- ret = ov5640_write_reg(sensor, +- OV5640_REG_PAD_OUTPUT00, 0x70); ++ if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) { ++ ret = ov5640_set_power_mipi(sensor, on); + if (ret) + goto power_off; ++ } + +- /* Give lanes some time to coax into LP11 state. */ +- usleep_range(500, 1000); +- +- } else { +- if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) { +- /* Reset MIPI bus settings to their default values. */ +- ov5640_write_reg(sensor, +- OV5640_REG_IO_MIPI_CTRL00, 0x58); +- ov5640_write_reg(sensor, +- OV5640_REG_MIPI_CTRL00, 0x04); +- ov5640_write_reg(sensor, +- OV5640_REG_PAD_OUTPUT00, 0x00); +- } +- ++ if (!on) + ov5640_set_power_off(sensor); +- } + + return 0; + +-- +2.25.1 + diff --git a/queue-5.4/media-m5mols-check-function-pointer-in-m5mols_sensor.patch b/queue-5.4/media-m5mols-check-function-pointer-in-m5mols_sensor.patch new file mode 100644 index 00000000000..8cc06124c48 --- /dev/null +++ b/queue-5.4/media-m5mols-check-function-pointer-in-m5mols_sensor.patch @@ -0,0 +1,45 @@ +From 3e9752346476389e7f74b5bad7ca792eece25859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 17:34:47 +0200 +Subject: media: m5mols: Check function pointer in m5mols_sensor_power + +From: Tom Rix + +[ Upstream commit 52438c4463ac904d14bf3496765e67750766f3a6 ] + +clang static analysis reports this error + +m5mols_core.c:767:4: warning: Called function pointer + is null (null dereference) [core.CallAndMessage] + info->set_power(&client->dev, 0); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In other places, the set_power ptr is checked. +So add a check. + +Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP") +Signed-off-by: Tom Rix +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/m5mols/m5mols_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c +index de295114ca482..21666d705e372 100644 +--- a/drivers/media/i2c/m5mols/m5mols_core.c ++++ b/drivers/media/i2c/m5mols/m5mols_core.c +@@ -764,7 +764,8 @@ static int m5mols_sensor_power(struct m5mols_info *info, bool enable) + + ret = regulator_bulk_enable(ARRAY_SIZE(supplies), supplies); + if (ret) { +- info->set_power(&client->dev, 0); ++ if (info->set_power) ++ info->set_power(&client->dev, 0); + return ret; + } + +-- +2.25.1 + diff --git a/queue-5.4/media-media-pci-prevent-memory-leak-in-bttv_probe.patch b/queue-5.4/media-media-pci-prevent-memory-leak-in-bttv_probe.patch new file mode 100644 index 00000000000..22523423752 --- /dev/null +++ b/queue-5.4/media-media-pci-prevent-memory-leak-in-bttv_probe.patch @@ -0,0 +1,65 @@ +From e61dd6caa7ef53b6cdc5af139b64108abcc1603c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 11:52:30 +0200 +Subject: media: media/pci: prevent memory leak in bttv_probe + +From: Xiaolong Huang + +[ Upstream commit 7b817585b730665126b45df5508dd69526448bc8 ] + +In bttv_probe if some functions such as pci_enable_device, +pci_set_dma_mask and request_mem_region fails the allocated + memory for btv should be released. + +Signed-off-by: Xiaolong Huang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/bt8xx/bttv-driver.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c +index a359da7773a90..ff2962cea6164 100644 +--- a/drivers/media/pci/bt8xx/bttv-driver.c ++++ b/drivers/media/pci/bt8xx/bttv-driver.c +@@ -4013,11 +4013,13 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + btv->id = dev->device; + if (pci_enable_device(dev)) { + pr_warn("%d: Can't enable device\n", btv->c.nr); +- return -EIO; ++ result = -EIO; ++ goto free_mem; + } + if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) { + pr_warn("%d: No suitable DMA available\n", btv->c.nr); +- return -EIO; ++ result = -EIO; ++ goto free_mem; + } + if (!request_mem_region(pci_resource_start(dev,0), + pci_resource_len(dev,0), +@@ -4025,7 +4027,8 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + pr_warn("%d: can't request iomem (0x%llx)\n", + btv->c.nr, + (unsigned long long)pci_resource_start(dev, 0)); +- return -EBUSY; ++ result = -EBUSY; ++ goto free_mem; + } + pci_set_master(dev); + pci_set_command(dev); +@@ -4211,6 +4214,10 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + release_mem_region(pci_resource_start(btv->c.pci,0), + pci_resource_len(btv->c.pci,0)); + pci_disable_device(btv->c.pci); ++ ++free_mem: ++ bttvs[btv->c.nr] = NULL; ++ kfree(btv); + return result; + } + +-- +2.25.1 + diff --git a/queue-5.4/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch b/queue-5.4/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch new file mode 100644 index 00000000000..738a3a96ef6 --- /dev/null +++ b/queue-5.4/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch @@ -0,0 +1,44 @@ +From 87dcb617f177b5aea251208600083426501ef37d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 11:26:04 +0200 +Subject: media: mx2_emmaprp: Fix memleak in emmaprp_probe + +From: Dinghao Liu + +[ Upstream commit 21d387b8d372f859d9e87fdcc7c3b4a432737f4d ] + +When platform_get_irq() fails, we should release +vfd and unregister pcdev->v4l2_dev just like the +subsequent error paths. + +Fixes: d4e192cc44914 ("media: mx2_emmaprp: Check for platform_get_irq() error") +Signed-off-by: Dinghao Liu +Reviewed-by: Fabio Estevam +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mx2_emmaprp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c +index 27779b75df543..ac112cf06ab31 100644 +--- a/drivers/media/platform/mx2_emmaprp.c ++++ b/drivers/media/platform/mx2_emmaprp.c +@@ -852,8 +852,11 @@ static int emmaprp_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, pcdev); + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) +- return irq; ++ if (irq < 0) { ++ ret = irq; ++ goto rel_vdev; ++ } ++ + ret = devm_request_irq(&pdev->dev, irq, emmaprp_irq, 0, + dev_name(&pdev->dev), pcdev); + if (ret) +-- +2.25.1 + diff --git a/queue-5.4/media-omap3isp-fix-memleak-in-isp_probe.patch b/queue-5.4/media-omap3isp-fix-memleak-in-isp_probe.patch new file mode 100644 index 00000000000..7375c36bf5c --- /dev/null +++ b/queue-5.4/media-omap3isp-fix-memleak-in-isp_probe.patch @@ -0,0 +1,41 @@ +From 4debf249981920e77f207074aa09ea01bc221ee1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 08:53:52 +0200 +Subject: media: omap3isp: Fix memleak in isp_probe + +From: Dinghao Liu + +[ Upstream commit d8fc21c17099635e8ebd986d042be65a6c6b5bd0 ] + +When devm_ioremap_resource() fails, isp should be +freed just like other error paths in isp_probe. + +Fixes: 8644cdf972dd6 ("[media] omap3isp: Replace many MMIO regions by two") +Signed-off-by: Dinghao Liu +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c +index 327c5716922ac..dce6b3685e135 100644 +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2330,8 +2330,10 @@ static int isp_probe(struct platform_device *pdev) + mem = platform_get_resource(pdev, IORESOURCE_MEM, i); + isp->mmio_base[map_idx] = + devm_ioremap_resource(isp->dev, mem); +- if (IS_ERR(isp->mmio_base[map_idx])) +- return PTR_ERR(isp->mmio_base[map_idx]); ++ if (IS_ERR(isp->mmio_base[map_idx])) { ++ ret = PTR_ERR(isp->mmio_base[map_idx]); ++ goto error; ++ } + } + + ret = isp_get_clocks(isp); +-- +2.25.1 + diff --git a/queue-5.4/media-ov5640-correct-bit-div-register-in-clock-tree-.patch b/queue-5.4/media-ov5640-correct-bit-div-register-in-clock-tree-.patch new file mode 100644 index 00000000000..fb971802a06 --- /dev/null +++ b/queue-5.4/media-ov5640-correct-bit-div-register-in-clock-tree-.patch @@ -0,0 +1,39 @@ +From 273a22aea3d2e08cfc459f5b8d5d7a65f521f417 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 11:06:58 +0200 +Subject: media: ov5640: Correct Bit Div register in clock tree diagram + +From: Paul Kocialkowski + +[ Upstream commit 4c85f628f6639e3e3e0a7788416154f28dfcae4f ] + +Although the code is correct and doing the right thing, the clock diagram +showed the wrong register for the bit divider, which had me doubting the +understanding of the tree. Fix this to avoid doubts in the future. + +Signed-off-by: Paul Kocialkowski +Fixes: aa2882481cada ("media: ov5640: Adjust the clock based on the expected rate") +Acked-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index 266e947572c1e..b21ddbd514465 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -740,7 +740,7 @@ static int ov5640_mod_reg(struct ov5640_dev *sensor, u16 reg, + * +->| PLL Root Div | - reg 0x3037, bit 4 + * +-+------------+ + * | +---------+ +- * +->| Bit Div | - reg 0x3035, bits 0-3 ++ * +->| Bit Div | - reg 0x3034, bits 0-3 + * +-+-------+ + * | +-------------+ + * +->| SCLK Div | - reg 0x3108, bits 0-1 +-- +2.25.1 + diff --git a/queue-5.4/media-platform-fcp-fix-a-reference-count-leak.patch b/queue-5.4/media-platform-fcp-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..4520e22b1ca --- /dev/null +++ b/queue-5.4/media-platform-fcp-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From b47754de148a1d0674fcbdcbfa1b68981d88c73d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:19:44 +0200 +Subject: media: platform: fcp: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit 63e36a381d92a9cded97e90d481ee22566557dd1 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Fixes: 6eaafbdb668b ("[media] v4l: rcar-fcp: Keep the coding style consistent") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-fcp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-fcp.c b/drivers/media/platform/rcar-fcp.c +index 5c6b00737fe75..05c712e00a2a7 100644 +--- a/drivers/media/platform/rcar-fcp.c ++++ b/drivers/media/platform/rcar-fcp.c +@@ -103,8 +103,10 @@ int rcar_fcp_enable(struct rcar_fcp_device *fcp) + return 0; + + ret = pm_runtime_get_sync(fcp->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(fcp->dev); + return ret; ++ } + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.4/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch b/queue-5.4/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch new file mode 100644 index 00000000000..23f0e6daa97 --- /dev/null +++ b/queue-5.4/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch @@ -0,0 +1,53 @@ +From 4d3826029a9a06de7a203d11db30a22309791bd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 15:29:33 +0200 +Subject: media: platform: s3c-camif: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit dafa3605fe60d5a61239d670919b2a36e712481e ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Also, call pm_runtime_disable() when pm_runtime_get_sync() returns +an error code. + +Signed-off-by: Dinghao Liu +Reviewed-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s3c-camif/camif-core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/s3c-camif/camif-core.c b/drivers/media/platform/s3c-camif/camif-core.c +index c6fbcd7036d6d..ee624804862e2 100644 +--- a/drivers/media/platform/s3c-camif/camif-core.c ++++ b/drivers/media/platform/s3c-camif/camif-core.c +@@ -464,7 +464,7 @@ static int s3c_camif_probe(struct platform_device *pdev) + + ret = camif_media_dev_init(camif); + if (ret < 0) +- goto err_alloc; ++ goto err_pm; + + ret = camif_register_sensor(camif); + if (ret < 0) +@@ -498,10 +498,9 @@ static int s3c_camif_probe(struct platform_device *pdev) + media_device_unregister(&camif->media_dev); + media_device_cleanup(&camif->media_dev); + camif_unregister_media_entities(camif); +-err_alloc: ++err_pm: + pm_runtime_put(dev); + pm_runtime_disable(dev); +-err_pm: + camif_clk_put(camif); + err_clk: + s3c_camif_unregister_subdev(camif); +-- +2.25.1 + diff --git a/queue-5.4/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch b/queue-5.4/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch new file mode 100644 index 00000000000..93ed40b8615 --- /dev/null +++ b/queue-5.4/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch @@ -0,0 +1,37 @@ +From d30d6b96b2eb8fc25dd22fefd1623cade4496561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 12:05:02 +0200 +Subject: media: platform: sti: hva: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit d912a1d9e9afe69c6066c1ceb6bfc09063074075 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/hva/hva-hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c +index bb13348be0832..43f279e2a6a38 100644 +--- a/drivers/media/platform/sti/hva/hva-hw.c ++++ b/drivers/media/platform/sti/hva/hva-hw.c +@@ -389,7 +389,7 @@ int hva_hw_probe(struct platform_device *pdev, struct hva_dev *hva) + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "%s failed to set PM\n", HVA_PREFIX); +- goto err_clk; ++ goto err_pm; + } + + /* check IP hardware version */ +-- +2.25.1 + diff --git a/queue-5.4/media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch b/queue-5.4/media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch new file mode 100644 index 00000000000..3ed0c183125 --- /dev/null +++ b/queue-5.4/media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch @@ -0,0 +1,84 @@ +From d557f84535be9249d8d78d46d9db41d1c0d541e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 22:59:38 +0200 +Subject: media: rcar-csi2: Allocate v4l2_async_subdev dynamically + +From: Laurent Pinchart + +[ Upstream commit 2cac7cbfb4099980e78244359ab9c6f056d6a7ec ] + +v4l2_async_notifier_add_subdev() requires the asd to be allocated +dynamically, but the rcar-csi2 driver embeds it in the rcar_csi2 +structure. This causes memory corruption when the notifier is destroyed +at remove time with v4l2_async_notifier_cleanup(). + +Fix this issue by registering the asd with +v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically +internally. + +Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-csi2.c | 24 +++++++++------------ + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c +index c14af1b929dff..d27eccfa57cae 100644 +--- a/drivers/media/platform/rcar-vin/rcar-csi2.c ++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c +@@ -361,7 +361,6 @@ struct rcar_csi2 { + struct media_pad pads[NR_OF_RCAR_CSI2_PAD]; + + struct v4l2_async_notifier notifier; +- struct v4l2_async_subdev asd; + struct v4l2_subdev *remote; + + struct v4l2_mbus_framefmt mf; +@@ -810,6 +809,8 @@ static int rcsi2_parse_v4l2(struct rcar_csi2 *priv, + + static int rcsi2_parse_dt(struct rcar_csi2 *priv) + { ++ struct v4l2_async_subdev *asd; ++ struct fwnode_handle *fwnode; + struct device_node *ep; + struct v4l2_fwnode_endpoint v4l2_ep = { .bus_type = 0 }; + int ret; +@@ -833,24 +834,19 @@ static int rcsi2_parse_dt(struct rcar_csi2 *priv) + return ret; + } + +- priv->asd.match.fwnode = +- fwnode_graph_get_remote_endpoint(of_fwnode_handle(ep)); +- priv->asd.match_type = V4L2_ASYNC_MATCH_FWNODE; +- ++ fwnode = fwnode_graph_get_remote_endpoint(of_fwnode_handle(ep)); + of_node_put(ep); + +- v4l2_async_notifier_init(&priv->notifier); +- +- ret = v4l2_async_notifier_add_subdev(&priv->notifier, &priv->asd); +- if (ret) { +- fwnode_handle_put(priv->asd.match.fwnode); +- return ret; +- } ++ dev_dbg(priv->dev, "Found '%pOF'\n", to_of_node(fwnode)); + ++ v4l2_async_notifier_init(&priv->notifier); + priv->notifier.ops = &rcar_csi2_notify_ops; + +- dev_dbg(priv->dev, "Found '%pOF'\n", +- to_of_node(priv->asd.match.fwnode)); ++ asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, fwnode, ++ sizeof(*asd)); ++ fwnode_handle_put(fwnode); ++ if (IS_ERR(asd)) ++ return PTR_ERR(asd); + + ret = v4l2_async_subdev_notifier_register(&priv->subdev, + &priv->notifier); +-- +2.25.1 + diff --git a/queue-5.4/media-rcar-vin-fix-a-reference-count-leak.patch b/queue-5.4/media-rcar-vin-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..e6a502c5930 --- /dev/null +++ b/queue-5.4/media-rcar-vin-fix-a-reference-count-leak.patch @@ -0,0 +1,41 @@ +From 5980a14bf724a2be4746ad415a33a91820cd1de4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 00:30:08 +0200 +Subject: media: rcar-vin: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit aaffa0126a111d65f4028c503c76192d4cc93277 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus call pm_runtime_put_noidle() +if pm_runtime_get_sync() fails. + +Fixes: 90dedce9bc54 ("media: rcar-vin: add function to manipulate Gen3 chsel value") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-dma.c b/drivers/media/platform/rcar-vin/rcar-dma.c +index 3cb29b2e0b2b1..e5f6360801082 100644 +--- a/drivers/media/platform/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/rcar-vin/rcar-dma.c +@@ -1334,8 +1334,10 @@ int rvin_set_channel_routing(struct rvin_dev *vin, u8 chsel) + int ret; + + ret = pm_runtime_get_sync(vin->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(vin->dev); + return ret; ++ } + + /* Make register writes take effect immediately. */ + vnmc = rvin_read(vin, VNMC_REG); +-- +2.25.1 + diff --git a/queue-5.4/media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch b/queue-5.4/media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch new file mode 100644 index 00000000000..479b2fc67ed --- /dev/null +++ b/queue-5.4/media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch @@ -0,0 +1,82 @@ +From d6f5cc2dff01d06f2efb0bf6a6345a21110fe6dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 22:59:37 +0200 +Subject: media: rcar_drif: Allocate v4l2_async_subdev dynamically + +From: Laurent Pinchart + +[ Upstream commit 468e986dac0e94194334ca6d0abf3af8c250792e ] + +v4l2_async_notifier_add_subdev() requires the asd to be allocated +dynamically, but the rcar-drif driver embeds it in the +rcar_drif_graph_ep structure. This causes memory corruption when the +notifier is destroyed at remove time with v4l2_async_notifier_cleanup(). + +Fix this issue by registering the asd with +v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically +internally. + +Fixes: d079f94c9046 ("media: platform: Switch to v4l2_async_notifier_add_subdev") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar_drif.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c +index 208ff260b0c10..af3c8d405509e 100644 +--- a/drivers/media/platform/rcar_drif.c ++++ b/drivers/media/platform/rcar_drif.c +@@ -185,7 +185,6 @@ struct rcar_drif_frame_buf { + /* OF graph endpoint's V4L2 async data */ + struct rcar_drif_graph_ep { + struct v4l2_subdev *subdev; /* Async matched subdev */ +- struct v4l2_async_subdev asd; /* Async sub-device descriptor */ + }; + + /* DMA buffer */ +@@ -1105,12 +1104,6 @@ static int rcar_drif_notify_bound(struct v4l2_async_notifier *notifier, + struct rcar_drif_sdr *sdr = + container_of(notifier, struct rcar_drif_sdr, notifier); + +- if (sdr->ep.asd.match.fwnode != +- of_fwnode_handle(subdev->dev->of_node)) { +- rdrif_err(sdr, "subdev %s cannot bind\n", subdev->name); +- return -EINVAL; +- } +- + v4l2_set_subdev_hostdata(subdev, sdr); + sdr->ep.subdev = subdev; + rdrif_dbg(sdr, "bound asd %s\n", subdev->name); +@@ -1214,7 +1207,7 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr) + { + struct v4l2_async_notifier *notifier = &sdr->notifier; + struct fwnode_handle *fwnode, *ep; +- int ret; ++ struct v4l2_async_subdev *asd; + + v4l2_async_notifier_init(notifier); + +@@ -1233,12 +1226,13 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr) + return -EINVAL; + } + +- sdr->ep.asd.match.fwnode = fwnode; +- sdr->ep.asd.match_type = V4L2_ASYNC_MATCH_FWNODE; +- ret = v4l2_async_notifier_add_subdev(notifier, &sdr->ep.asd); ++ asd = v4l2_async_notifier_add_fwnode_subdev(notifier, fwnode, ++ sizeof(*asd)); + fwnode_handle_put(fwnode); ++ if (IS_ERR(asd)) ++ return PTR_ERR(asd); + +- return ret; ++ return 0; + } + + /* Check if the given device is the primary bond */ +-- +2.25.1 + diff --git a/queue-5.4/media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch b/queue-5.4/media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch new file mode 100644 index 00000000000..4b2c67b2e03 --- /dev/null +++ b/queue-5.4/media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch @@ -0,0 +1,63 @@ +From d22095d2bee51f3ea2421230ff3706164f804ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 22:59:36 +0200 +Subject: media: rcar_drif: Fix fwnode reference leak when parsing DT + +From: Laurent Pinchart + +[ Upstream commit cdd4f7824994c9254acc6e415750529ea2d2cfe0 ] + +The fwnode reference corresponding to the endpoint is leaked in an error +path of the rcar_drif_parse_subdevs() function. Fix it, and reorganize +fwnode reference handling in the function to release references early, +simplifying error paths. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar_drif.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c +index 0f267a237b424..208ff260b0c10 100644 +--- a/drivers/media/platform/rcar_drif.c ++++ b/drivers/media/platform/rcar_drif.c +@@ -1223,28 +1223,22 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr) + if (!ep) + return 0; + ++ /* Get the endpoint properties */ ++ rcar_drif_get_ep_properties(sdr, ep); ++ + fwnode = fwnode_graph_get_remote_port_parent(ep); ++ fwnode_handle_put(ep); + if (!fwnode) { + dev_warn(sdr->dev, "bad remote port parent\n"); +- fwnode_handle_put(ep); + return -EINVAL; + } + + sdr->ep.asd.match.fwnode = fwnode; + sdr->ep.asd.match_type = V4L2_ASYNC_MATCH_FWNODE; + ret = v4l2_async_notifier_add_subdev(notifier, &sdr->ep.asd); +- if (ret) { +- fwnode_handle_put(fwnode); +- return ret; +- } +- +- /* Get the endpoint properties */ +- rcar_drif_get_ep_properties(sdr, ep); +- + fwnode_handle_put(fwnode); +- fwnode_handle_put(ep); + +- return 0; ++ return ret; + } + + /* Check if the given device is the primary bond */ +-- +2.25.1 + diff --git a/queue-5.4/media-revert-media-exynos4-is-add-missed-check-for-p.patch b/queue-5.4/media-revert-media-exynos4-is-add-missed-check-for-p.patch new file mode 100644 index 00000000000..d03ed38f7d3 --- /dev/null +++ b/queue-5.4/media-revert-media-exynos4-is-add-missed-check-for-p.patch @@ -0,0 +1,47 @@ +From 7e4db62060f8329dcba3d237ad371895dc28cfbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 17:32:39 +0200 +Subject: media: Revert "media: exynos4-is: Add missed check for + pinctrl_lookup_state()" + +From: Sylwester Nawrocki + +[ Upstream commit 00d21f325d58567d81d9172096692d0a9ea7f725 ] + +The "idle" pinctrl state is optional as documented in the DT binding. +The change introduced by the commit being reverted makes that pinctrl state +mandatory and breaks initialization of the whole media driver, since the +"idle" state is not specified in any mainline dts. + +This reverts commit 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") +to fix the regression. + +Fixes: 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 9c31d950cddf7..2f90607c3797d 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1268,11 +1268,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + if (IS_ERR(pctl->state_default)) + return PTR_ERR(pctl->state_default); + ++ /* PINCTRL_STATE_IDLE is optional */ + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); +- if (IS_ERR(pctl->state_idle)) +- return PTR_ERR(pctl->state_idle); +- + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.4/media-rockchip-rga-fix-a-reference-count-leak.patch b/queue-5.4/media-rockchip-rga-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..f4278ab6bc3 --- /dev/null +++ b/queue-5.4/media-rockchip-rga-fix-a-reference-count-leak.patch @@ -0,0 +1,38 @@ +From 2ff57265991ae2921ad23e26bce6eb4e8aa0970d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:13:49 +0200 +Subject: media: rockchip/rga: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit 884d638e0853c4b5f01eb6d048fc3b6239012404 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus call pm_runtime_put_noidle() +if pm_runtime_get_sync() fails. + +Fixes: f7e7b48e6d79 ("[media] rockchip/rga: v4l2 m2m support") +Signed-off-by: Qiushi Wu +Reviewed-by: Heiko Stuebner +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rga/rga-buf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/rockchip/rga/rga-buf.c b/drivers/media/platform/rockchip/rga/rga-buf.c +index 36b821ccc1dba..bf9a75b75083b 100644 +--- a/drivers/media/platform/rockchip/rga/rga-buf.c ++++ b/drivers/media/platform/rockchip/rga/rga-buf.c +@@ -81,6 +81,7 @@ static int rga_buf_start_streaming(struct vb2_queue *q, unsigned int count) + + ret = pm_runtime_get_sync(rga->dev); + if (ret < 0) { ++ pm_runtime_put_noidle(rga->dev); + rga_buf_return_buffers(q, VB2_BUF_STATE_QUEUED); + return ret; + } +-- +2.25.1 + diff --git a/queue-5.4/media-s5p-mfc-fix-a-reference-count-leak.patch b/queue-5.4/media-s5p-mfc-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..94809ac8b21 --- /dev/null +++ b/queue-5.4/media-s5p-mfc-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From 4ffbd8d2a4dc5c718038acdee2535c636e7185aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:31:22 +0200 +Subject: media: s5p-mfc: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 78741ce98c2e36188e2343434406b0e0bc50b0e7 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Fixes: c5086f130a77 ("[media] s5p-mfc: Use clock gating only on MFC v5 hardware") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +index 7d52431c2c837..62d2320a72186 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +@@ -79,8 +79,10 @@ int s5p_mfc_power_on(void) + int i, ret = 0; + + ret = pm_runtime_get_sync(pm->device); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(pm->device); + return ret; ++ } + + /* clock control */ + for (i = 0; i < pm->num_clocks; i++) { +-- +2.25.1 + diff --git a/queue-5.4/media-saa7134-avoid-a-shift-overflow.patch b/queue-5.4/media-saa7134-avoid-a-shift-overflow.patch new file mode 100644 index 00000000000..41c5ed5ab83 --- /dev/null +++ b/queue-5.4/media-saa7134-avoid-a-shift-overflow.patch @@ -0,0 +1,39 @@ +From 198cbd378dc5e5894b9e485602dede4a39f36167 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 08:37:12 +0200 +Subject: media: saa7134: avoid a shift overflow + +From: Mauro Carvalho Chehab + +[ Upstream commit 15a36aae1ec1c1f17149b6113b92631791830740 ] + +As reported by smatch: + drivers/media/pci/saa7134//saa7134-tvaudio.c:686 saa_dsp_writel() warn: should 'reg << 2' be a 64 bit type? + +On a 64-bits Kernel, the shift might be bigger than 32 bits. + +In real, this should never happen, but let's shut up the warning. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7134/saa7134-tvaudio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7134/saa7134-tvaudio.c b/drivers/media/pci/saa7134/saa7134-tvaudio.c +index 79e1afb710758..5cc4ef21f9d37 100644 +--- a/drivers/media/pci/saa7134/saa7134-tvaudio.c ++++ b/drivers/media/pci/saa7134/saa7134-tvaudio.c +@@ -683,7 +683,8 @@ int saa_dsp_writel(struct saa7134_dev *dev, int reg, u32 value) + { + int err; + +- audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", reg << 2, value); ++ audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", ++ (reg << 2) & 0xffffffff, value); + err = saa_dsp_wait_bit(dev,SAA7135_DSP_RWSTATE_WRR); + if (err < 0) + return err; +-- +2.25.1 + diff --git a/queue-5.4/media-st-delta-fix-reference-count-leak-in-delta_run.patch b/queue-5.4/media-st-delta-fix-reference-count-leak-in-delta_run.patch new file mode 100644 index 00000000000..f6a43cfe4c3 --- /dev/null +++ b/queue-5.4/media-st-delta-fix-reference-count-leak-in-delta_run.patch @@ -0,0 +1,40 @@ +From 7fda546662519cc3d5a267b31671595d35afeb9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:58:41 +0200 +Subject: media: st-delta: Fix reference count leak in delta_run_work + +From: Aditya Pakki + +[ Upstream commit 57cc666d36adc7b45e37ba4cd7bc4e44ec4c43d7 ] + +delta_run_work() calls delta_get_sync() that increments +the reference counter. In case of failure, decrement the reference +count by calling delta_put_autosuspend(). + +Signed-off-by: Aditya Pakki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/delta/delta-v4l2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sti/delta/delta-v4l2.c b/drivers/media/platform/sti/delta/delta-v4l2.c +index 91369fb3ffaa4..2791107e641bc 100644 +--- a/drivers/media/platform/sti/delta/delta-v4l2.c ++++ b/drivers/media/platform/sti/delta/delta-v4l2.c +@@ -954,8 +954,10 @@ static void delta_run_work(struct work_struct *work) + /* enable the hardware */ + if (!dec->pm) { + ret = delta_get_sync(ctx); +- if (ret) ++ if (ret) { ++ delta_put_autosuspend(ctx); + goto err; ++ } + } + + /* decode this access unit */ +-- +2.25.1 + diff --git a/queue-5.4/media-staging-intel-ipu3-css-correctly-reset-some-me.patch b/queue-5.4/media-staging-intel-ipu3-css-correctly-reset-some-me.patch new file mode 100644 index 00000000000..b49daef4c0b --- /dev/null +++ b/queue-5.4/media-staging-intel-ipu3-css-correctly-reset-some-me.patch @@ -0,0 +1,38 @@ +From 463d86496235dcea63882d3839184153b508c5df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 15:11:24 +0200 +Subject: media: staging/intel-ipu3: css: Correctly reset some memory + +From: Christophe JAILLET + +[ Upstream commit 08913a8e458e03f886a1a1154a6501fcb9344c39 ] + +The intent here is to reset the whole 'scaler_coeffs_luma' array, not just +the first element. + +Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program ccs") +Signed-off-by: Christophe JAILLET +Reviewed-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/ipu3/ipu3-css-params.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging/media/ipu3/ipu3-css-params.c +index 4533dacad4beb..ef3b5d07137a1 100644 +--- a/drivers/staging/media/ipu3/ipu3-css-params.c ++++ b/drivers/staging/media/ipu3/ipu3-css-params.c +@@ -161,7 +161,7 @@ imgu_css_scaler_calc(u32 input_width, u32 input_height, u32 target_width, + + memset(&cfg->scaler_coeffs_chroma, 0, + sizeof(cfg->scaler_coeffs_chroma)); +- memset(&cfg->scaler_coeffs_luma, 0, sizeof(*cfg->scaler_coeffs_luma)); ++ memset(&cfg->scaler_coeffs_luma, 0, sizeof(cfg->scaler_coeffs_luma)); + do { + phase_step_correction++; + +-- +2.25.1 + diff --git a/queue-5.4/media-sti-fix-reference-count-leaks.patch b/queue-5.4/media-sti-fix-reference-count-leaks.patch new file mode 100644 index 00000000000..4a60de71c24 --- /dev/null +++ b/queue-5.4/media-sti-fix-reference-count-leaks.patch @@ -0,0 +1,45 @@ +From 2355819dd910a137e2427d9698d75b8970db1b08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:31:06 +0200 +Subject: media: sti: Fix reference count leaks + +From: Qiushi Wu + +[ Upstream commit 6f4432bae9f2d12fc1815b5e26cc07e69bcad0df ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/hva/hva-hw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c +index 401aaafa17109..bb13348be0832 100644 +--- a/drivers/media/platform/sti/hva/hva-hw.c ++++ b/drivers/media/platform/sti/hva/hva-hw.c +@@ -272,6 +272,7 @@ static unsigned long int hva_hw_get_ip_version(struct hva_dev *hva) + + if (pm_runtime_get_sync(dev) < 0) { + dev_err(dev, "%s failed to get pm_runtime\n", HVA_PREFIX); ++ pm_runtime_put_noidle(dev); + mutex_unlock(&hva->protect_mutex); + return -EFAULT; + } +@@ -553,6 +554,7 @@ void hva_hw_dump_regs(struct hva_dev *hva, struct seq_file *s) + + if (pm_runtime_get_sync(dev) < 0) { + seq_puts(s, "Cannot wake up IP\n"); ++ pm_runtime_put_noidle(dev); + mutex_unlock(&hva->protect_mutex); + return; + } +-- +2.25.1 + diff --git a/queue-5.4/media-stm32-dcmi-fix-a-reference-count-leak.patch b/queue-5.4/media-stm32-dcmi-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..0d336dd5bba --- /dev/null +++ b/queue-5.4/media-stm32-dcmi-fix-a-reference-count-leak.patch @@ -0,0 +1,48 @@ +From 5c717c93cc5d60b1269a5dbe2eeb52fc9aa1fa34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:36:59 +0200 +Subject: media: stm32-dcmi: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 88f50a05f907d96a27a9ce3cc9e8cbb91a6f0f22 ] + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count if pm_runtime_put is not +called in error handling paths. Thus replace the jump target +"err_release_buffers" by "err_pm_putw". + +Fixes: 152e0bf60219 ("media: stm32-dcmi: add power saving support") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/stm32/stm32-dcmi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c +index 9392e3409fba0..d41475f56ab54 100644 +--- a/drivers/media/platform/stm32/stm32-dcmi.c ++++ b/drivers/media/platform/stm32/stm32-dcmi.c +@@ -733,7 +733,7 @@ static int dcmi_start_streaming(struct vb2_queue *vq, unsigned int count) + if (ret < 0) { + dev_err(dcmi->dev, "%s: Failed to start streaming, cannot get sync (%d)\n", + __func__, ret); +- goto err_release_buffers; ++ goto err_pm_put; + } + + ret = media_pipeline_start(&dcmi->vdev->entity, &dcmi->pipeline); +@@ -837,8 +837,6 @@ static int dcmi_start_streaming(struct vb2_queue *vq, unsigned int count) + + err_pm_put: + pm_runtime_put(dcmi->dev); +- +-err_release_buffers: + spin_lock_irq(&dcmi->irqlock); + /* + * Return all buffers to vb2 in QUEUED state. +-- +2.25.1 + diff --git a/queue-5.4/media-tc358743-cleanup-tc358743_cec_isr.patch b/queue-5.4/media-tc358743-cleanup-tc358743_cec_isr.patch new file mode 100644 index 00000000000..6c8cac52b02 --- /dev/null +++ b/queue-5.4/media-tc358743-cleanup-tc358743_cec_isr.patch @@ -0,0 +1,72 @@ +From a6c9dc1d64535eb9be93fb857665fdb12fb2131f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 20:32:12 +0200 +Subject: media: tc358743: cleanup tc358743_cec_isr + +From: Tom Rix + +[ Upstream commit 877cb8a444dad2304e891294afb0915fe3c278d6 ] + +tc358743_cec_isr is misnammed, it is not the main isr. +So rename it to be consistent with its siblings, +tc358743_cec_handler. + +It also does not check if its input parameter 'handled' is +is non NULL like its siblings, so add a check. + +Fixes: a0ec8d1dc42e ("media: tc358743: add CEC support") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 211caade9f998..cff99cf61ed4d 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -919,8 +919,8 @@ static const struct cec_adap_ops tc358743_cec_adap_ops = { + .adap_monitor_all_enable = tc358743_cec_adap_monitor_all_enable, + }; + +-static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, +- bool *handled) ++static void tc358743_cec_handler(struct v4l2_subdev *sd, u16 intstatus, ++ bool *handled) + { + struct tc358743_state *state = to_state(sd); + unsigned int cec_rxint, cec_txint; +@@ -953,7 +953,8 @@ static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, + cec_transmit_attempt_done(state->cec_adap, + CEC_TX_STATUS_ERROR); + } +- *handled = true; ++ if (handled) ++ *handled = true; + } + if ((intstatus & MASK_CEC_RINT) && + (cec_rxint & MASK_CECRIEND)) { +@@ -968,7 +969,8 @@ static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, + msg.msg[i] = v & 0xff; + } + cec_received_msg(state->cec_adap, &msg); +- *handled = true; ++ if (handled) ++ *handled = true; + } + i2c_wr16(sd, INTSTATUS, + intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)); +@@ -1432,7 +1434,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled) + + #ifdef CONFIG_VIDEO_TC358743_CEC + if (intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)) { +- tc358743_cec_isr(sd, intstatus, handled); ++ tc358743_cec_handler(sd, intstatus, handled); + i2c_wr16(sd, INTSTATUS, + intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)); + intstatus &= ~(MASK_CEC_RINT | MASK_CEC_TINT); +-- +2.25.1 + diff --git a/queue-5.4/media-tc358743-initialize-variable.patch b/queue-5.4/media-tc358743-initialize-variable.patch new file mode 100644 index 00000000000..1c3227c918c --- /dev/null +++ b/queue-5.4/media-tc358743-initialize-variable.patch @@ -0,0 +1,42 @@ +From bb900de15b3abc2d4d3b37cba6a9b103492761a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Aug 2020 18:30:43 +0200 +Subject: media: tc358743: initialize variable + +From: Tom Rix + +[ Upstream commit 274cf92d5dff5c2fec1a518078542ffe70d07646 ] + +clang static analysis flags this error + +tc358743.c:1468:9: warning: Branch condition evaluates + to a garbage value + return handled ? IRQ_HANDLED : IRQ_NONE; + ^~~~~~~ +handled should be initialized to false. + +Fixes: d747b806abf4 ("[media] tc358743: add direct interrupt handling") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index dbbab75f135ec..211caade9f998 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1461,7 +1461,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled) + static irqreturn_t tc358743_irq_handler(int irq, void *dev_id) + { + struct tc358743_state *state = dev_id; +- bool handled; ++ bool handled = false; + + tc358743_isr(&state->sd, 0, &handled); + +-- +2.25.1 + diff --git a/queue-5.4/media-ti-vpe-fix-a-missing-check-and-reference-count.patch b/queue-5.4/media-ti-vpe-fix-a-missing-check-and-reference-count.patch new file mode 100644 index 00000000000..9c36c9cdf11 --- /dev/null +++ b/queue-5.4/media-ti-vpe-fix-a-missing-check-and-reference-count.patch @@ -0,0 +1,42 @@ +From 7ae11afbc10792f63512588c81037a1cfe787381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:56:05 +0200 +Subject: media: ti-vpe: Fix a missing check and reference count leak + +From: Qiushi Wu + +[ Upstream commit 7dae2aaaf432767ca7aa11fa84643a7c2600dbdd ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +And also, when the call of function vpe_runtime_get() failed, +we won't call vpe_runtime_put(). +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails +inside vpe_runtime_get(). + +Fixes: 4571912743ac ("[media] v4l: ti-vpe: Add VPE mem to mem driver") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index 8b14ba4a3d9ea..817bd13370eff 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -2435,6 +2435,8 @@ static int vpe_runtime_get(struct platform_device *pdev) + + r = pm_runtime_get_sync(&pdev->dev); + WARN_ON(r < 0); ++ if (r) ++ pm_runtime_put_noidle(&pdev->dev); + return r < 0 ? r : 0; + } + +-- +2.25.1 + diff --git a/queue-5.4/media-tuner-simple-fix-regression-in-simple_set_radi.patch b/queue-5.4/media-tuner-simple-fix-regression-in-simple_set_radi.patch new file mode 100644 index 00000000000..03867c59d7d --- /dev/null +++ b/queue-5.4/media-tuner-simple-fix-regression-in-simple_set_radi.patch @@ -0,0 +1,66 @@ +From f69f138ed9b408699a05725dfcb143a1c02da44c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 23:15:47 +0200 +Subject: media: tuner-simple: fix regression in simple_set_radio_freq + +From: Tom Rix + +[ Upstream commit 505bfc2a142f12ce7bc7a878b44abc3496f2e747 ] + +clang static analysis reports this problem + +tuner-simple.c:714:13: warning: Assigned value is + garbage or undefined + buffer[1] = buffer[3]; + ^ ~~~~~~~~~ +In simple_set_radio_freq buffer[3] used to be done +in-function with a switch of tuner type, now done +by a call to simple_radio_bandswitch which has this case + + case TUNER_TENA_9533_DI: + case TUNER_YMEC_TVF_5533MF: + tuner_dbg("This tuner doesn't ... + return 0; + +which does not set buffer[3]. In the old logic, this case +would have returned 0 from simple_set_radio_freq. + +Recover this old behavior by returning an error for this +codition. Since the old simple_set_radio_freq behavior +returned a 0, do the same. + +Fixes: c7a9f3aa1e1b ("V4L/DVB (7129): tuner-simple: move device-specific code into three separate functions") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/tuner-simple.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/tuners/tuner-simple.c b/drivers/media/tuners/tuner-simple.c +index b6e70fada3fb2..8fb186b25d6af 100644 +--- a/drivers/media/tuners/tuner-simple.c ++++ b/drivers/media/tuners/tuner-simple.c +@@ -500,7 +500,7 @@ static int simple_radio_bandswitch(struct dvb_frontend *fe, u8 *buffer) + case TUNER_TENA_9533_DI: + case TUNER_YMEC_TVF_5533MF: + tuner_dbg("This tuner doesn't have FM. Most cards have a TEA5767 for FM\n"); +- return 0; ++ return -EINVAL; + case TUNER_PHILIPS_FM1216ME_MK3: + case TUNER_PHILIPS_FM1236_MK3: + case TUNER_PHILIPS_FMD1216ME_MK3: +@@ -702,7 +702,8 @@ static int simple_set_radio_freq(struct dvb_frontend *fe, + TUNER_RATIO_SELECT_50; /* 50 kHz step */ + + /* Bandswitch byte */ +- simple_radio_bandswitch(fe, &buffer[0]); ++ if (simple_radio_bandswitch(fe, &buffer[0])) ++ return 0; + + /* Convert from 1/16 kHz V4L steps to 1/20 MHz (=50 kHz) PLL steps + freq * (1 Mhz / 16000 V4L steps) * (20 PLL steps / 1 MHz) = +-- +2.25.1 + diff --git a/queue-5.4/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch b/queue-5.4/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch new file mode 100644 index 00000000000..39099258586 --- /dev/null +++ b/queue-5.4/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch @@ -0,0 +1,84 @@ +From 23b542ddcba971bc801a61345f58727ae042a840 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 03:21:33 +0200 +Subject: media: uvcvideo: Ensure all probed info is returned to v4l2 + +From: Adam Goode + +[ Upstream commit 8a652a17e3c005dcdae31b6c8fdf14382a29cbbe ] + +bFrameIndex and bFormatIndex can be negotiated by the camera during +probing, resulting in the camera choosing a different format than +expected. v4l2 can already accommodate such changes, but the code was +not updating the proper fields. + +Without such a change, v4l2 would potentially interpret the payload +incorrectly, causing corrupted output. This was happening on the +Elgato HD60 S+, which currently always renegotiates to format 1. + +As an aside, the Elgato firmware is buggy and should not be renegotating, +but it is still a valid thing for the camera to do. Both macOS and Windows +will properly probe and read uncorrupted images from this camera. + +With this change, both qv4l2 and chromium can now read uncorrupted video +from the Elgato HD60 S+. + +[Add blank lines, remove periods at the of messages] + +Signed-off-by: Adam Goode +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 0335e69b70abe..5e6f3153b5ff8 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -247,11 +247,41 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + if (ret < 0) + goto done; + ++ /* After the probe, update fmt with the values returned from ++ * negotiation with the device. ++ */ ++ for (i = 0; i < stream->nformats; ++i) { ++ if (probe->bFormatIndex == stream->format[i].index) { ++ format = &stream->format[i]; ++ break; ++ } ++ } ++ ++ if (i == stream->nformats) { ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n", ++ probe->bFormatIndex); ++ return -EINVAL; ++ } ++ ++ for (i = 0; i < format->nframes; ++i) { ++ if (probe->bFrameIndex == format->frame[i].bFrameIndex) { ++ frame = &format->frame[i]; ++ break; ++ } ++ } ++ ++ if (i == format->nframes) { ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n", ++ probe->bFrameIndex); ++ return -EINVAL; ++ } ++ + fmt->fmt.pix.width = frame->wWidth; + fmt->fmt.pix.height = frame->wHeight; + fmt->fmt.pix.field = V4L2_FIELD_NONE; + fmt->fmt.pix.bytesperline = uvc_v4l2_get_bytesperline(format, frame); + fmt->fmt.pix.sizeimage = probe->dwMaxVideoFrameSize; ++ fmt->fmt.pix.pixelformat = format->fcc; + fmt->fmt.pix.colorspace = format->colorspace; + + if (uvc_format != NULL) +-- +2.25.1 + diff --git a/queue-5.4/media-uvcvideo-set-media-controller-entity-functions.patch b/queue-5.4/media-uvcvideo-set-media-controller-entity-functions.patch new file mode 100644 index 00000000000..c7ff1528682 --- /dev/null +++ b/queue-5.4/media-uvcvideo-set-media-controller-entity-functions.patch @@ -0,0 +1,78 @@ +From 7374b0431b875c7fb9359a048fde768a7f4d0dc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Jun 2020 04:05:49 +0200 +Subject: media: uvcvideo: Set media controller entity functions + +From: Laurent Pinchart + +[ Upstream commit d6834b4b58d110814aaf3469e7fd87d34ae5ae81 ] + +The media controller core prints a warning when an entity is registered +without a function being set. This affects the uvcvideo driver, as the +warning was added without first addressing the issue in existing +drivers. The problem is harmless, but unnecessarily worries users. Fix +it by mapping UVC entity types to MC entity functions as accurately as +possible using the existing functions. + +Fixes: b50bde4e476d ("[media] v4l2-subdev: use MEDIA_ENT_T_UNKNOWN for new subdevs") +Signed-off-by: Laurent Pinchart +Reviewed-by: Kieran Bingham +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_entity.c | 35 ++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_entity.c b/drivers/media/usb/uvc/uvc_entity.c +index b4499cddeffe5..ca3a9c2eec271 100644 +--- a/drivers/media/usb/uvc/uvc_entity.c ++++ b/drivers/media/usb/uvc/uvc_entity.c +@@ -73,10 +73,45 @@ static int uvc_mc_init_entity(struct uvc_video_chain *chain, + int ret; + + if (UVC_ENTITY_TYPE(entity) != UVC_TT_STREAMING) { ++ u32 function; ++ + v4l2_subdev_init(&entity->subdev, &uvc_subdev_ops); + strscpy(entity->subdev.name, entity->name, + sizeof(entity->subdev.name)); + ++ switch (UVC_ENTITY_TYPE(entity)) { ++ case UVC_VC_SELECTOR_UNIT: ++ function = MEDIA_ENT_F_VID_MUX; ++ break; ++ case UVC_VC_PROCESSING_UNIT: ++ case UVC_VC_EXTENSION_UNIT: ++ /* For lack of a better option. */ ++ function = MEDIA_ENT_F_PROC_VIDEO_PIXEL_FORMATTER; ++ break; ++ case UVC_COMPOSITE_CONNECTOR: ++ case UVC_COMPONENT_CONNECTOR: ++ function = MEDIA_ENT_F_CONN_COMPOSITE; ++ break; ++ case UVC_SVIDEO_CONNECTOR: ++ function = MEDIA_ENT_F_CONN_SVIDEO; ++ break; ++ case UVC_ITT_CAMERA: ++ function = MEDIA_ENT_F_CAM_SENSOR; ++ break; ++ case UVC_TT_VENDOR_SPECIFIC: ++ case UVC_ITT_VENDOR_SPECIFIC: ++ case UVC_ITT_MEDIA_TRANSPORT_INPUT: ++ case UVC_OTT_VENDOR_SPECIFIC: ++ case UVC_OTT_DISPLAY: ++ case UVC_OTT_MEDIA_TRANSPORT_OUTPUT: ++ case UVC_EXTERNAL_VENDOR_SPECIFIC: ++ default: ++ function = MEDIA_ENT_F_V4L2_SUBDEV_UNKNOWN; ++ break; ++ } ++ ++ entity->subdev.entity.function = function; ++ + ret = media_entity_pads_init(&entity->subdev.entity, + entity->num_pads, entity->pads); + +-- +2.25.1 + diff --git a/queue-5.4/media-uvcvideo-silence-shift-out-of-bounds-warning.patch b/queue-5.4/media-uvcvideo-silence-shift-out-of-bounds-warning.patch new file mode 100644 index 00000000000..6247e137c75 --- /dev/null +++ b/queue-5.4/media-uvcvideo-silence-shift-out-of-bounds-warning.patch @@ -0,0 +1,54 @@ +From a7e427b1fc0d6d6af62588d111095ad306b9c62e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 01:56:49 +0200 +Subject: media: uvcvideo: Silence shift-out-of-bounds warning + +From: Laurent Pinchart + +[ Upstream commit 171994e498a0426cbe17f874c5c6af3c0af45200 ] + +UBSAN reports a shift-out-of-bounds warning in uvc_get_le_value(). The +report is correct, but the issue should be harmless as the computed +value isn't used when the shift is negative. This may however cause +incorrect behaviour if a negative shift could generate adverse side +effects (such as a trap on some architectures for instance). + +Regardless of whether that may happen or not, silence the warning as a +full WARN backtrace isn't nice. + +Reported-by: Bart Van Assche +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Signed-off-by: Laurent Pinchart +Reviewed-by: Bart Van Assche +Tested-by: Bart Van Assche +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_ctrl.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c +index e399b9fad7574..a30a8a731eda8 100644 +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -773,12 +773,16 @@ static s32 uvc_get_le_value(struct uvc_control_mapping *mapping, + offset &= 7; + mask = ((1LL << bits) - 1) << offset; + +- for (; bits > 0; data++) { ++ while (1) { + u8 byte = *data & mask; + value |= offset > 0 ? (byte >> offset) : (byte << (-offset)); + bits -= 8 - (offset > 0 ? offset : 0); ++ if (bits <= 0) ++ break; ++ + offset -= 8; + mask = (1 << bits) - 1; ++ data++; + } + + /* Sign-extend the value if needed. */ +-- +2.25.1 + diff --git a/queue-5.4/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch b/queue-5.4/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch new file mode 100644 index 00000000000..9f8a880efb6 --- /dev/null +++ b/queue-5.4/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch @@ -0,0 +1,53 @@ +From 4ad47f46917cc7834a3191fa0c210ca3a7e8fb64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jun 2020 07:55:23 +0200 +Subject: media: venus: core: Fix runtime PM imbalance in venus_probe + +From: Dinghao Liu + +[ Upstream commit bbe516e976fce538db96bd2b7287df942faa14a3 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. For other error +paths after this call, things are the same. + +Fix this by adding pm_runtime_put_noidle() after 'err_runtime_disable' +label. But in this case, the error path after pm_runtime_put_sync() +will decrease PM usage counter twice. Thus add an extra +pm_runtime_get_noresume() in this path to balance PM counter. + +Signed-off-by: Dinghao Liu +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index 84e982f259a06..bbc430a003443 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -316,8 +316,10 @@ static int venus_probe(struct platform_device *pdev) + goto err_core_deinit; + + ret = pm_runtime_put_sync(dev); +- if (ret) ++ if (ret) { ++ pm_runtime_get_noresume(dev); + goto err_dev_unregister; ++ } + + return 0; + +@@ -328,6 +330,7 @@ static int venus_probe(struct platform_device *pdev) + err_venus_shutdown: + venus_shutdown(core); + err_runtime_disable: ++ pm_runtime_put_noidle(dev); + pm_runtime_set_suspended(dev); + pm_runtime_disable(dev); + hfi_destroy(core); +-- +2.25.1 + diff --git a/queue-5.4/media-venus-fixes-for-list-corruption.patch b/queue-5.4/media-venus-fixes-for-list-corruption.patch new file mode 100644 index 00000000000..93787c34d0e --- /dev/null +++ b/queue-5.4/media-venus-fixes-for-list-corruption.patch @@ -0,0 +1,79 @@ +From 9ec5213f8f76e158a402345d7e733ec5b552a6a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 13:48:45 +0200 +Subject: media: venus: fixes for list corruption + +From: Vikash Garodia + +[ Upstream commit e1c69c4eef61ffe295b747992c6fd849e6cd747d ] + +There are few list handling issues while adding and deleting +node in the registered buf list in the driver. +1. list addition - buffer added into the list during buf_init +while not deleted during cleanup. +2. list deletion - In capture streamoff, the list was reinitialized. +As a result, if any node was present in the list, it would +lead to issue while cleaning up that node during buf_cleanup. + +Corresponding call traces below: +[ 165.751014] Call trace: +[ 165.753541] __list_add_valid+0x58/0x88 +[ 165.757532] venus_helper_vb2_buf_init+0x74/0xa8 [venus_core] +[ 165.763450] vdec_buf_init+0x34/0xb4 [venus_dec] +[ 165.768271] __buf_prepare+0x598/0x8a0 [videobuf2_common] +[ 165.773820] vb2_core_qbuf+0xb4/0x334 [videobuf2_common] +[ 165.779298] vb2_qbuf+0x78/0xb8 [videobuf2_v4l2] +[ 165.784053] v4l2_m2m_qbuf+0x80/0xf8 [v4l2_mem2mem] +[ 165.789067] v4l2_m2m_ioctl_qbuf+0x2c/0x38 [v4l2_mem2mem] +[ 165.794624] v4l_qbuf+0x48/0x58 + +[ 1797.556001] Call trace: +[ 1797.558516] __list_del_entry_valid+0x88/0x9c +[ 1797.562989] vdec_buf_cleanup+0x54/0x228 [venus_dec] +[ 1797.568088] __buf_prepare+0x270/0x8a0 [videobuf2_common] +[ 1797.573625] vb2_core_qbuf+0xb4/0x338 [videobuf2_common] +[ 1797.579082] vb2_qbuf+0x78/0xb8 [videobuf2_v4l2] +[ 1797.583830] v4l2_m2m_qbuf+0x80/0xf8 [v4l2_mem2mem] +[ 1797.588843] v4l2_m2m_ioctl_qbuf+0x2c/0x38 [v4l2_mem2mem] +[ 1797.594389] v4l_qbuf+0x48/0x58 + +Signed-off-by: Vikash Garodia +Reviewed-by: Fritz Koenig +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/vdec.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c +index 05b80a66e80ed..658825b4c4e8d 100644 +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -993,8 +993,6 @@ static int vdec_stop_capture(struct venus_inst *inst) + break; + } + +- INIT_LIST_HEAD(&inst->registeredbufs); +- + return ret; + } + +@@ -1091,6 +1089,14 @@ static int vdec_buf_init(struct vb2_buffer *vb) + static void vdec_buf_cleanup(struct vb2_buffer *vb) + { + struct venus_inst *inst = vb2_get_drv_priv(vb->vb2_queue); ++ struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); ++ struct venus_buffer *buf = to_venus_buffer(vbuf); ++ ++ mutex_lock(&inst->lock); ++ if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) ++ if (!list_empty(&inst->registeredbufs)) ++ list_del_init(&buf->reg_list); ++ mutex_unlock(&inst->lock); + + inst->buf_count--; + if (!inst->buf_count) +-- +2.25.1 + diff --git a/queue-5.4/media-vsp1-fix-runtime-pm-imbalance-on-error.patch b/queue-5.4/media-vsp1-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..7e0da577f2d --- /dev/null +++ b/queue-5.4/media-vsp1-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,59 @@ +From a8f9c42a39abe8a6c29210d8682865028aaeaf11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 07:29:19 +0200 +Subject: media: vsp1: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit 98fae901c8883640202802174a4bd70a1b9118bd ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Reviewed-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vsp1/vsp1_drv.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/vsp1/vsp1_drv.c b/drivers/media/platform/vsp1/vsp1_drv.c +index c650e45bb0ad1..dc62533cf32ce 100644 +--- a/drivers/media/platform/vsp1/vsp1_drv.c ++++ b/drivers/media/platform/vsp1/vsp1_drv.c +@@ -562,7 +562,12 @@ int vsp1_device_get(struct vsp1_device *vsp1) + int ret; + + ret = pm_runtime_get_sync(vsp1->dev); +- return ret < 0 ? ret : 0; ++ if (ret < 0) { ++ pm_runtime_put_noidle(vsp1->dev); ++ return ret; ++ } ++ ++ return 0; + } + + /* +@@ -845,12 +850,12 @@ static int vsp1_probe(struct platform_device *pdev) + /* Configure device parameters based on the version register. */ + pm_runtime_enable(&pdev->dev); + +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = vsp1_device_get(vsp1); + if (ret < 0) + goto done; + + vsp1->version = vsp1_read(vsp1, VI6_IP_VERSION); +- pm_runtime_put_sync(&pdev->dev); ++ vsp1_device_put(vsp1); + + for (i = 0; i < ARRAY_SIZE(vsp1_device_infos); ++i) { + if ((vsp1->version & VI6_IP_VERSION_MODEL_MASK) == +-- +2.25.1 + diff --git a/queue-5.4/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch b/queue-5.4/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch new file mode 100644 index 00000000000..0ef32f61f06 --- /dev/null +++ b/queue-5.4/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch @@ -0,0 +1,40 @@ +From f1938a2eb49a50da26e2e04f27fe60b1f874cd4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:33:15 +0200 +Subject: memory: fsl-corenet-cf: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit dd85345abca60a8916617e8d75c0f9ce334336dd ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: 54afbec0d57f ("memory: Freescale CoreNet Coherency Fabric error reporting driver") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200827073315.29351-1-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/memory/fsl-corenet-cf.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/memory/fsl-corenet-cf.c b/drivers/memory/fsl-corenet-cf.c +index 0b0ed72016da8..0309bd5a18008 100644 +--- a/drivers/memory/fsl-corenet-cf.c ++++ b/drivers/memory/fsl-corenet-cf.c +@@ -211,10 +211,8 @@ static int ccf_probe(struct platform_device *pdev) + dev_set_drvdata(&pdev->dev, ccf); + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "%s: no irq\n", __func__); +- return -ENXIO; +- } ++ if (irq < 0) ++ return irq; + + ret = devm_request_irq(&pdev->dev, irq, ccf_irq, 0, pdev->name, ccf); + if (ret) { +-- +2.25.1 + diff --git a/queue-5.4/memory-omap-gpmc-fix-a-couple-off-by-ones.patch b/queue-5.4/memory-omap-gpmc-fix-a-couple-off-by-ones.patch new file mode 100644 index 00000000000..b721923cb34 --- /dev/null +++ b/queue-5.4/memory-omap-gpmc-fix-a-couple-off-by-ones.patch @@ -0,0 +1,48 @@ +From 89b32e46f44ccc74e44a13550cb31c37e295a8e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 13:47:07 +0300 +Subject: memory: omap-gpmc: Fix a couple off by ones + +From: Dan Carpenter + +[ Upstream commit 4c54228ac8fd55044195825873c50a524131fa53 ] + +These comparisons should be >= instead of > to prevent reading one +element beyond the end of the gpmc_cs[] array. + +Fixes: cdd6928c589a ("ARM: OMAP2+: Add device-tree support for NOR flash") +Fixes: f37e4580c409 ("ARM: OMAP2: Dynamic allocator for GPMC memory space") +Signed-off-by: Dan Carpenter +Acked-by: Roger Quadros +Link: https://lore.kernel.org/r/20200825104707.GB278587@mwanda +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index eff26c1b13940..b5055577843a2 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -949,7 +949,7 @@ static int gpmc_cs_remap(int cs, u32 base) + int ret; + u32 old_base, size; + +- if (cs > gpmc_cs_num) { ++ if (cs >= gpmc_cs_num) { + pr_err("%s: requested chip-select is disabled\n", __func__); + return -ENODEV; + } +@@ -984,7 +984,7 @@ int gpmc_cs_request(int cs, unsigned long size, unsigned long *base) + struct resource *res = &gpmc->mem; + int r = -1; + +- if (cs > gpmc_cs_num) { ++ if (cs >= gpmc_cs_num) { + pr_err("%s: requested chip-select is disabled\n", __func__); + return -ENODEV; + } +-- +2.25.1 + diff --git a/queue-5.4/memory-omap-gpmc-fix-build-error-without-config_of.patch b/queue-5.4/memory-omap-gpmc-fix-build-error-without-config_of.patch new file mode 100644 index 00000000000..53e0a749a1d --- /dev/null +++ b/queue-5.4/memory-omap-gpmc-fix-build-error-without-config_of.patch @@ -0,0 +1,45 @@ +From 1c64a0be8890edfebf57d0562536efad21b2cbf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 20:53:16 +0800 +Subject: memory: omap-gpmc: Fix build error without CONFIG_OF + +From: YueHaibing + +[ Upstream commit 13d029ee51da365aa9c859db0c7395129252bde8 ] + +If CONFIG_OF is n, gcc fails: + +drivers/memory/omap-gpmc.o: In function `gpmc_omap_onenand_set_timings': + omap-gpmc.c:(.text+0x2a88): undefined reference to `gpmc_read_settings_dt' + +Add gpmc_read_settings_dt() helper function, which zero the gpmc_settings +so the caller doesn't proceed with random/invalid settings. + +Fixes: a758f50f10cf ("mtd: onenand: omap2: Configure driver from DT") +Signed-off-by: YueHaibing +Acked-by: Roger Quadros +Link: https://lore.kernel.org/r/20200827125316.20780-1-yuehaibing@huawei.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index b5055577843a2..27bc417029e11 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -2274,6 +2274,10 @@ static void gpmc_probe_dt_children(struct platform_device *pdev) + } + } + #else ++void gpmc_read_settings_dt(struct device_node *np, struct gpmc_settings *p) ++{ ++ memset(p, 0, sizeof(*p)); ++} + static int gpmc_probe_dt(struct platform_device *pdev) + { + return 0; +-- +2.25.1 + diff --git a/queue-5.4/mfd-sm501-fix-leaks-in-probe.patch b/queue-5.4/mfd-sm501-fix-leaks-in-probe.patch new file mode 100644 index 00000000000..bb0b03605d4 --- /dev/null +++ b/queue-5.4/mfd-sm501-fix-leaks-in-probe.patch @@ -0,0 +1,42 @@ +From f04d9401a6c5d6f72969241e5c7489a9b2e9d64c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 14:33:26 +0300 +Subject: mfd: sm501: Fix leaks in probe() + +From: Dan Carpenter + +[ Upstream commit 8ce24f8967df2836b4557a23e74dc4bb098249f1 ] + +This code should clean up if sm501_init_dev() fails. + +Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index 154270f8d8d78..bbcde58e2a11e 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -1424,8 +1424,14 @@ static int sm501_plat_probe(struct platform_device *dev) + goto err_claim; + } + +- return sm501_init_dev(sm); ++ ret = sm501_init_dev(sm); ++ if (ret) ++ goto err_unmap; ++ ++ return 0; + ++ err_unmap: ++ iounmap(sm->regs); + err_claim: + release_resource(sm->regs_claim); + kfree(sm->regs_claim); +-- +2.25.1 + diff --git a/queue-5.4/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch b/queue-5.4/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch new file mode 100644 index 00000000000..38828923caf --- /dev/null +++ b/queue-5.4/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch @@ -0,0 +1,63 @@ +From 759288d57010141e68c69d0b7c7ef5ef8d2e8b48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 17:11:06 +0800 +Subject: mic: vop: copy data to kernel space then write to io memory + +From: Sherry Sun + +[ Upstream commit 675f0ad4046946e80412896436164d172cd92238 ] + +Read and write io memory should address align on ARCH ARM. Change to use +memcpy_toio to avoid kernel panic caused by the address un-align issue. + +Signed-off-by: Sherry Sun +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20200929091106.24624-5-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/vop/vop_vringh.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c +index 30eac172f0170..d069947b09345 100644 +--- a/drivers/misc/mic/vop/vop_vringh.c ++++ b/drivers/misc/mic/vop/vop_vringh.c +@@ -602,6 +602,7 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf, + size_t partlen; + bool dma = VOP_USE_DMA && vi->dma_ch; + int err = 0; ++ size_t offset = 0; + + if (dma) { + dma_alignment = 1 << vi->dma_ch->device->copy_align; +@@ -655,13 +656,20 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf, + * We are copying to IO below and should ideally use something + * like copy_from_user_toio(..) if it existed. + */ +- if (copy_from_user((void __force *)dbuf, ubuf, len)) { +- err = -EFAULT; +- dev_err(vop_dev(vdev), "%s %d err %d\n", +- __func__, __LINE__, err); +- goto err; ++ while (len) { ++ partlen = min_t(size_t, len, VOP_INT_DMA_BUF_SIZE); ++ ++ if (copy_from_user(vvr->buf, ubuf + offset, partlen)) { ++ err = -EFAULT; ++ dev_err(vop_dev(vdev), "%s %d err %d\n", ++ __func__, __LINE__, err); ++ goto err; ++ } ++ memcpy_toio(dbuf + offset, vvr->buf, partlen); ++ offset += partlen; ++ vdev->out_bytes += partlen; ++ len -= partlen; + } +- vdev->out_bytes += len; + err = 0; + err: + vpdev->hw_ops->unmap(vpdev, dbuf); +-- +2.25.1 + diff --git a/queue-5.4/misc-mic-scif-fix-error-handling-path.patch b/queue-5.4/misc-mic-scif-fix-error-handling-path.patch new file mode 100644 index 00000000000..039916c872a --- /dev/null +++ b/queue-5.4/misc-mic-scif-fix-error-handling-path.patch @@ -0,0 +1,65 @@ +From fe2b63b6585b8e61743f6c53bbebd7750374bace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 08:21:35 +0530 +Subject: misc: mic: scif: Fix error handling path + +From: Souptick Joarder + +[ Upstream commit a81072a9c0ae734b7889929b0bc070fe3f353f0e ] + +Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it +will call pin_user_pages_fast() to map nr_pages. However, +pin_user_pages_fast() might fail with a return value -ERRNO. + +The return value is stored in pinned_pages->nr_pages. which in +turn is passed to unpin_user_pages(), which expects +pinned_pages->nr_pages >=0, else disaster. + +Fix this by assigning pinned_pages->nr_pages to 0 if +pin_user_pages_fast() returns -ERRNO. + +Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and unregistration") +Cc: John Hubbard +Cc: Ira Weiny +Cc: Dan Carpenter +Reviewed-by: John Hubbard +Signed-off-by: Souptick Joarder +Link: https://lore.kernel.org/r/1600570295-29546-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/scif/scif_rma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c +index 01e27682ea303..a486c6c7f4077 100644 +--- a/drivers/misc/mic/scif/scif_rma.c ++++ b/drivers/misc/mic/scif/scif_rma.c +@@ -1381,6 +1381,8 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + (prot & SCIF_PROT_WRITE) ? FOLL_WRITE : 0, + pinned_pages->pages); + if (nr_pages != pinned_pages->nr_pages) { ++ if (pinned_pages->nr_pages < 0) ++ pinned_pages->nr_pages = 0; + if (try_upgrade) { + if (ulimit) + __scif_dec_pinned_vm_lock(mm, nr_pages); +@@ -1400,7 +1402,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + + if (pinned_pages->nr_pages < nr_pages) { + err = -EFAULT; +- pinned_pages->nr_pages = nr_pages; + goto dec_pinned; + } + +@@ -1413,7 +1414,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + __scif_dec_pinned_vm_lock(mm, nr_pages); + /* Something went wrong! Rollback */ + error_unmap: +- pinned_pages->nr_pages = nr_pages; + scif_destroy_pinned_pages(pinned_pages); + *pages = NULL; + dev_dbg(scif_info.mdev.this_device, +-- +2.25.1 + diff --git a/queue-5.4/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch b/queue-5.4/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch new file mode 100644 index 00000000000..e9370a08e28 --- /dev/null +++ b/queue-5.4/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch @@ -0,0 +1,46 @@ +From f8383a2d1d1d0bc474921f2cc6190ff5cb72f795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 07:18:51 +0000 +Subject: misc: rtsx: Fix memory leak in rtsx_pci_probe + +From: Keita Suzuki + +[ Upstream commit bc28369c6189009b66d9619dd9f09bd8c684bb98 ] + +When mfd_add_devices() fail, pcr->slots should also be freed. However, +the current implementation does not free the member, leading to a memory +leak. + +Fix this by adding a new goto label that frees pcr->slots. + +Signed-off-by: Keita Suzuki +Link: https://lore.kernel.org/r/20200909071853.4053-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cardreader/rtsx_pcr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/cardreader/rtsx_pcr.c b/drivers/misc/cardreader/rtsx_pcr.c +index 1958833b3b74e..4fd57052ddd3d 100644 +--- a/drivers/misc/cardreader/rtsx_pcr.c ++++ b/drivers/misc/cardreader/rtsx_pcr.c +@@ -1534,12 +1534,14 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, + ret = mfd_add_devices(&pcidev->dev, pcr->id, rtsx_pcr_cells, + ARRAY_SIZE(rtsx_pcr_cells), NULL, 0, NULL); + if (ret < 0) +- goto disable_irq; ++ goto free_slots; + + schedule_delayed_work(&pcr->idle_work, msecs_to_jiffies(200)); + + return 0; + ++free_slots: ++ kfree(pcr->slots); + disable_irq: + free_irq(pcr->irq, (void *)pcr); + disable_msi: +-- +2.25.1 + diff --git a/queue-5.4/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch b/queue-5.4/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch new file mode 100644 index 00000000000..afd0f506e73 --- /dev/null +++ b/queue-5.4/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch @@ -0,0 +1,91 @@ +From 8005215b5f3fd4992b607129746fe8ddeac50ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 17:11:05 +0800 +Subject: misc: vop: add round_up(x,4) for vring_size to avoid kernel panic + +From: Sherry Sun + +[ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ] + +Since struct _mic_vring_info and vring are allocated together and follow +vring, if the vring_size() is not four bytes aligned, which will cause +the start address of struct _mic_vring_info is not four byte aligned. +For example, when vring entries is 128, the vring_size() will be 5126 +bytes. The _mic_vring_info struct layout in ddr looks like: +0x90002400: 00000000 00390000 EE010000 0000C0FF +Here 0x39 is the avail_idx member, and 0xC0FFEE01 is the magic member. + +When EP use ioread32(magic) to reads the magic in RC's share memory, it +will cause kernel panic on ARM64 platform due to the cross-byte io read. +Here read magic in user space use le32toh(vr0->info->magic) will meet +the same issue. +So add round_up(x,4) for vring_size, then the struct _mic_vring_info +will store in this way: +0x90002400: 00000000 00000000 00000039 C0FFEE01 +Which will avoid kernel panic when read magic in struct _mic_vring_info. + +Signed-off-by: Sherry Sun +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20200929091106.24624-4-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/vop/vop_main.c | 2 +- + drivers/misc/mic/vop/vop_vringh.c | 4 ++-- + samples/mic/mpssd/mpssd.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/misc/mic/vop/vop_main.c b/drivers/misc/mic/vop/vop_main.c +index 85942f6717c57..8aadc6055df17 100644 +--- a/drivers/misc/mic/vop/vop_main.c ++++ b/drivers/misc/mic/vop/vop_main.c +@@ -320,7 +320,7 @@ static struct virtqueue *vop_find_vq(struct virtio_device *dev, + /* First assign the vring's allocated in host memory */ + vqconfig = _vop_vq_config(vdev->desc) + index; + memcpy_fromio(&config, vqconfig, sizeof(config)); +- _vr_size = vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN); ++ _vr_size = round_up(vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN), 4); + vr_size = PAGE_ALIGN(_vr_size + sizeof(struct _mic_vring_info)); + va = vpdev->hw_ops->remap(vpdev, le64_to_cpu(config.address), vr_size); + if (!va) +diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c +index d069947b09345..7014ffe88632e 100644 +--- a/drivers/misc/mic/vop/vop_vringh.c ++++ b/drivers/misc/mic/vop/vop_vringh.c +@@ -296,7 +296,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev, + + num = le16_to_cpu(vqconfig[i].num); + mutex_init(&vvr->vr_mutex); +- vr_size = PAGE_ALIGN(vring_size(num, MIC_VIRTIO_RING_ALIGN) + ++ vr_size = PAGE_ALIGN(round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4) + + sizeof(struct _mic_vring_info)); + vr->va = (void *) + __get_free_pages(GFP_KERNEL | __GFP_ZERO, +@@ -308,7 +308,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev, + goto err; + } + vr->len = vr_size; +- vr->info = vr->va + vring_size(num, MIC_VIRTIO_RING_ALIGN); ++ vr->info = vr->va + round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4); + vr->info->magic = cpu_to_le32(MIC_MAGIC + vdev->virtio_id + i); + vr_addr = dma_map_single(&vpdev->dev, vr->va, vr_size, + DMA_BIDIRECTIONAL); +diff --git a/samples/mic/mpssd/mpssd.c b/samples/mic/mpssd/mpssd.c +index a11bf6c5b53b4..cd3f16a6f5caf 100644 +--- a/samples/mic/mpssd/mpssd.c ++++ b/samples/mic/mpssd/mpssd.c +@@ -403,9 +403,9 @@ mic_virtio_copy(struct mic_info *mic, int fd, + + static inline unsigned _vring_size(unsigned int num, unsigned long align) + { +- return ((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num) ++ return _ALIGN_UP(((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num) + + align - 1) & ~(align - 1)) +- + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num; ++ + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num, 4); + } + + /* +-- +2.25.1 + diff --git a/queue-5.4/mm-error_inject-fix-allow_error_inject-function-sign.patch b/queue-5.4/mm-error_inject-fix-allow_error_inject-function-sign.patch new file mode 100644 index 00000000000..4f8199749db --- /dev/null +++ b/queue-5.4/mm-error_inject-fix-allow_error_inject-function-sign.patch @@ -0,0 +1,67 @@ +From e7dd9074f3ff0dd3207a4787047c3d42637091fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 15:01:10 -0700 +Subject: mm/error_inject: Fix allow_error_inject function signatures. + +From: Alexei Starovoitov + +[ Upstream commit 76cd61739fd107a7f7ec4c24a045e98d8ee150f0 ] + +'static' and 'static noinline' function attributes make no guarantees that +gcc/clang won't optimize them. The compiler may decide to inline 'static' +function and in such case ALLOW_ERROR_INJECT becomes meaningless. The compiler +could have inlined __add_to_page_cache_locked() in one callsite and didn't +inline in another. In such case injecting errors into it would cause +unpredictable behavior. It's worse with 'static noinline' which won't be +inlined, but it still can be optimized. Like the compiler may decide to remove +one argument or constant propagate the value depending on the callsite. + +To avoid such issues make sure that these functions are global noinline. + +Fixes: af3b854492f3 ("mm/page_alloc.c: allow error injection") +Fixes: cfcbfb1382db ("mm/filemap.c: enable error injection at add_to_page_cache()") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/bpf/20200827220114.69225-2-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + mm/filemap.c | 8 ++++---- + mm/page_alloc.c | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/mm/filemap.c b/mm/filemap.c +index 51b2cb5aa5030..db542b4948838 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -847,10 +847,10 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask) + } + EXPORT_SYMBOL_GPL(replace_page_cache_page); + +-static int __add_to_page_cache_locked(struct page *page, +- struct address_space *mapping, +- pgoff_t offset, gfp_t gfp_mask, +- void **shadowp) ++noinline int __add_to_page_cache_locked(struct page *page, ++ struct address_space *mapping, ++ pgoff_t offset, gfp_t gfp_mask, ++ void **shadowp) + { + XA_STATE(xas, &mapping->i_pages, offset); + int huge = PageHuge(page); +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index aff0bb4629bdf..2640f67410044 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3385,7 +3385,7 @@ static inline bool __should_fail_alloc_page(gfp_t gfp_mask, unsigned int order) + + #endif /* CONFIG_FAIL_PAGE_ALLOC */ + +-static noinline bool should_fail_alloc_page(gfp_t gfp_mask, unsigned int order) ++noinline bool should_fail_alloc_page(gfp_t gfp_mask, unsigned int order) + { + return __should_fail_alloc_page(gfp_mask, order); + } +-- +2.25.1 + diff --git a/queue-5.4/mm-memcg-fix-device-private-memcg-accounting.patch b/queue-5.4/mm-memcg-fix-device-private-memcg-accounting.patch new file mode 100644 index 00000000000..72bcea1dc4a --- /dev/null +++ b/queue-5.4/mm-memcg-fix-device-private-memcg-accounting.patch @@ -0,0 +1,61 @@ +From cc8037f8ef73f4b4050a57c473bc72caafc8fab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:53:13 -0700 +Subject: mm/memcg: fix device private memcg accounting + +From: Ralph Campbell + +[ Upstream commit 9a137153fc8798a89d8fce895cd0a06ea5b8e37c ] + +The code in mc_handle_swap_pte() checks for non_swap_entry() and returns +NULL before checking is_device_private_entry() so device private pages are +never handled. Fix this by checking for non_swap_entry() after handling +device private swap PTEs. + +I assume the memory cgroup accounting would be off somehow when moving +a process to another memory cgroup. Currently, the device private page +is charged like a normal anonymous page when allocated and is uncharged +when the page is freed so I think that path is OK. + +Signed-off-by: Ralph Campbell +Signed-off-by: Andrew Morton +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: Vladimir Davydov +Cc: Jerome Glisse +Cc: Balbir Singh +Cc: Ira Weiny +Link: https://lkml.kernel.org/r/20201009215952.2726-1-rcampbell@nvidia.com +xFixes: c733a82874a7 ("mm/memcontrol: support MEMORY_DEVICE_PRIVATE") +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index ca1632850fb76..edf98f8588eeb 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5398,7 +5398,7 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma, + struct page *page = NULL; + swp_entry_t ent = pte_to_swp_entry(ptent); + +- if (!(mc.flags & MOVE_ANON) || non_swap_entry(ent)) ++ if (!(mc.flags & MOVE_ANON)) + return NULL; + + /* +@@ -5417,6 +5417,9 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma, + return page; + } + ++ if (non_swap_entry(ent)) ++ return NULL; ++ + /* + * Because lookup_swap_cache() updates some statistics counter, + * we call find_get_page() with swapper_space directly. +-- +2.25.1 + diff --git a/queue-5.4/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch b/queue-5.4/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch new file mode 100644 index 00000000000..cf38a8a387e --- /dev/null +++ b/queue-5.4/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch @@ -0,0 +1,187 @@ +From 9ac80e2beb22cc1c655667338a4e33b883c8e164 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:58:35 -0700 +Subject: mm, oom_adj: don't loop through tasks in __set_oom_adj when not + necessary + +From: Suren Baghdasaryan + +[ Upstream commit 67197a4f28d28d0b073ab0427b03cb2ee5382578 ] + +Currently __set_oom_adj loops through all processes in the system to keep +oom_score_adj and oom_score_adj_min in sync between processes sharing +their mm. This is done for any task with more that one mm_users, which +includes processes with multiple threads (sharing mm and signals). +However for such processes the loop is unnecessary because their signal +structure is shared as well. + +Android updates oom_score_adj whenever a tasks changes its role +(background/foreground/...) or binds to/unbinds from a service, making it +more/less important. Such operation can happen frequently. We noticed +that updates to oom_score_adj became more expensive and after further +investigation found out that the patch mentioned in "Fixes" introduced a +regression. Using Pixel 4 with a typical Android workload, write time to +oom_score_adj increased from ~3.57us to ~362us. Moreover this regression +linearly depends on the number of multi-threaded processes running on the +system. + +Mark the mm with a new MMF_MULTIPROCESS flag bit when task is created with +(CLONE_VM && !CLONE_THREAD && !CLONE_VFORK). Change __set_oom_adj to use +MMF_MULTIPROCESS instead of mm_users to decide whether oom_score_adj +update should be synchronized between multiple processes. To prevent +races between clone() and __set_oom_adj(), when oom_score_adj of the +process being cloned might be modified from userspace, we use +oom_adj_mutex. Its scope is changed to global. + +The combination of (CLONE_VM && !CLONE_THREAD) is rarely used except for +the case of vfork(). To prevent performance regressions of vfork(), we +skip taking oom_adj_mutex and setting MMF_MULTIPROCESS when CLONE_VFORK is +specified. Clearing the MMF_MULTIPROCESS flag (when the last process +sharing the mm exits) is left out of this patch to keep it simple and +because it is believed that this threading model is rare. Should there +ever be a need for optimizing that case as well, it can be done by hooking +into the exit path, likely following the mm_update_next_owner pattern. + +With the combination of (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK) being +quite rare, the regression is gone after the change is applied. + +[surenb@google.com: v3] + Link: https://lkml.kernel.org/r/20200902012558.2335613-1-surenb@google.com + +Fixes: 44a70adec910 ("mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj") +Reported-by: Tim Murray +Suggested-by: Michal Hocko +Signed-off-by: Suren Baghdasaryan +Signed-off-by: Andrew Morton +Acked-by: Christian Brauner +Acked-by: Michal Hocko +Acked-by: Oleg Nesterov +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Eugene Syromiatnikov +Cc: Christian Kellner +Cc: Adrian Reber +Cc: Shakeel Butt +Cc: Aleksa Sarai +Cc: Alexey Dobriyan +Cc: "Eric W. Biederman" +Cc: Alexey Gladkov +Cc: Michel Lespinasse +Cc: Daniel Jordan +Cc: Andrei Vagin +Cc: Bernd Edlinger +Cc: John Johansen +Cc: Yafang Shao +Link: https://lkml.kernel.org/r/20200824153036.3201505-1-surenb@google.com +Debugged-by: Minchan Kim +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 3 +-- + include/linux/oom.h | 1 + + include/linux/sched/coredump.h | 1 + + kernel/fork.c | 21 +++++++++++++++++++++ + mm/oom_kill.c | 2 ++ + 5 files changed, 26 insertions(+), 2 deletions(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 529d0c6ec6f9c..b690074e65ffa 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -1036,7 +1036,6 @@ static ssize_t oom_adj_read(struct file *file, char __user *buf, size_t count, + + static int __set_oom_adj(struct file *file, int oom_adj, bool legacy) + { +- static DEFINE_MUTEX(oom_adj_mutex); + struct mm_struct *mm = NULL; + struct task_struct *task; + int err = 0; +@@ -1076,7 +1075,7 @@ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy) + struct task_struct *p = find_lock_task_mm(task); + + if (p) { +- if (atomic_read(&p->mm->mm_users) > 1) { ++ if (test_bit(MMF_MULTIPROCESS, &p->mm->flags)) { + mm = p->mm; + mmgrab(mm); + } +diff --git a/include/linux/oom.h b/include/linux/oom.h +index c696c265f0193..b9df34326772c 100644 +--- a/include/linux/oom.h ++++ b/include/linux/oom.h +@@ -55,6 +55,7 @@ struct oom_control { + }; + + extern struct mutex oom_lock; ++extern struct mutex oom_adj_mutex; + + static inline void set_current_oom_origin(void) + { +diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h +index ecdc6542070f1..dfd82eab29025 100644 +--- a/include/linux/sched/coredump.h ++++ b/include/linux/sched/coredump.h +@@ -72,6 +72,7 @@ static inline int get_dumpable(struct mm_struct *mm) + #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */ + #define MMF_OOM_VICTIM 25 /* mm is the oom victim */ + #define MMF_OOM_REAP_QUEUED 26 /* mm was queued for oom_reaper */ ++#define MMF_MULTIPROCESS 27 /* mm is shared between processes */ + #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP) + + #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\ +diff --git a/kernel/fork.c b/kernel/fork.c +index 594272569a80f..e3d5963d8c6f5 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1750,6 +1750,25 @@ static __always_inline void delayed_free_task(struct task_struct *tsk) + free_task(tsk); + } + ++static void copy_oom_score_adj(u64 clone_flags, struct task_struct *tsk) ++{ ++ /* Skip if kernel thread */ ++ if (!tsk->mm) ++ return; ++ ++ /* Skip if spawning a thread or using vfork */ ++ if ((clone_flags & (CLONE_VM | CLONE_THREAD | CLONE_VFORK)) != CLONE_VM) ++ return; ++ ++ /* We need to synchronize with __set_oom_adj */ ++ mutex_lock(&oom_adj_mutex); ++ set_bit(MMF_MULTIPROCESS, &tsk->mm->flags); ++ /* Update the values in case they were changed after copy_signal */ ++ tsk->signal->oom_score_adj = current->signal->oom_score_adj; ++ tsk->signal->oom_score_adj_min = current->signal->oom_score_adj_min; ++ mutex_unlock(&oom_adj_mutex); ++} ++ + /* + * This creates a new process as a copy of the old one, + * but does not actually start it yet. +@@ -2222,6 +2241,8 @@ static __latent_entropy struct task_struct *copy_process( + trace_task_newtask(p, clone_flags); + uprobe_copy_process(p, clone_flags); + ++ copy_oom_score_adj(clone_flags, p); ++ + return p; + + bad_fork_cancel_cgroup: +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index d58c481b3df83..212e718743018 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -63,6 +63,8 @@ int sysctl_oom_dump_tasks = 1; + * and mark_oom_victim + */ + DEFINE_MUTEX(oom_lock); ++/* Serializes oom_score_adj and oom_score_adj_min updates */ ++DEFINE_MUTEX(oom_adj_mutex); + + static inline bool is_memcg_oom(struct oom_control *oc) + { +-- +2.25.1 + diff --git a/queue-5.4/mm-page_owner-change-split_page_owner-to-take-a-coun.patch b/queue-5.4/mm-page_owner-change-split_page_owner-to-take-a-coun.patch new file mode 100644 index 00000000000..7c64b39649f --- /dev/null +++ b/queue-5.4/mm-page_owner-change-split_page_owner-to-take-a-coun.patch @@ -0,0 +1,106 @@ +From fa46d44ff16b7446c0cb7a53a145b36a7364c3f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:05:29 -0700 +Subject: mm/page_owner: change split_page_owner to take a count + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 8fb156c9ee2db94f7127c930c89917634a1a9f56 ] + +The implementation of split_page_owner() prefers a count rather than the +old order of the page. When we support a variable size THP, we won't +have the order at this point, but we will have the number of pages. +So change the interface to what the caller and callee would prefer. + +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Reviewed-by: SeongJae Park +Acked-by: Kirill A. Shutemov +Cc: Huang Ying +Link: https://lkml.kernel.org/r/20200908195539.25896-4-willy@infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/page_owner.h | 6 +++--- + mm/huge_memory.c | 2 +- + mm/page_alloc.c | 2 +- + mm/page_owner.c | 4 ++-- + 4 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/include/linux/page_owner.h b/include/linux/page_owner.h +index 8679ccd722e89..3468794f83d23 100644 +--- a/include/linux/page_owner.h ++++ b/include/linux/page_owner.h +@@ -11,7 +11,7 @@ extern struct page_ext_operations page_owner_ops; + extern void __reset_page_owner(struct page *page, unsigned int order); + extern void __set_page_owner(struct page *page, + unsigned int order, gfp_t gfp_mask); +-extern void __split_page_owner(struct page *page, unsigned int order); ++extern void __split_page_owner(struct page *page, unsigned int nr); + extern void __copy_page_owner(struct page *oldpage, struct page *newpage); + extern void __set_page_owner_migrate_reason(struct page *page, int reason); + extern void __dump_page_owner(struct page *page); +@@ -31,10 +31,10 @@ static inline void set_page_owner(struct page *page, + __set_page_owner(page, order, gfp_mask); + } + +-static inline void split_page_owner(struct page *page, unsigned int order) ++static inline void split_page_owner(struct page *page, unsigned int nr) + { + if (static_branch_unlikely(&page_owner_inited)) +- __split_page_owner(page, order); ++ __split_page_owner(page, nr); + } + static inline void copy_page_owner(struct page *oldpage, struct page *newpage) + { +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 873de55d93fb2..9295d9d70681e 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2569,7 +2569,7 @@ static void __split_huge_page(struct page *page, struct list_head *list, + + ClearPageCompound(head); + +- split_page_owner(head, HPAGE_PMD_ORDER); ++ split_page_owner(head, HPAGE_PMD_NR); + + /* See comment in __split_huge_page_tail() */ + if (PageAnon(head)) { +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 2640f67410044..c20e664866c33 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3130,7 +3130,7 @@ void split_page(struct page *page, unsigned int order) + + for (i = 1; i < (1 << order); i++) + set_page_refcounted(page + i); +- split_page_owner(page, order); ++ split_page_owner(page, 1 << order); + } + EXPORT_SYMBOL_GPL(split_page); + +diff --git a/mm/page_owner.c b/mm/page_owner.c +index 18ecde9f45b24..83d08943bcdee 100644 +--- a/mm/page_owner.c ++++ b/mm/page_owner.c +@@ -204,7 +204,7 @@ void __set_page_owner_migrate_reason(struct page *page, int reason) + page_owner->last_migrate_reason = reason; + } + +-void __split_page_owner(struct page *page, unsigned int order) ++void __split_page_owner(struct page *page, unsigned int nr) + { + int i; + struct page_ext *page_ext = lookup_page_ext(page); +@@ -213,7 +213,7 @@ void __split_page_owner(struct page *page, unsigned int order) + if (unlikely(!page_ext)) + return; + +- for (i = 0; i < (1 << order); i++) { ++ for (i = 0; i < nr; i++) { + page_owner = get_page_owner(page_ext); + page_owner->order = 0; + page_ext = page_ext_next(page_ext); +-- +2.25.1 + diff --git a/queue-5.4/mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch b/queue-5.4/mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch new file mode 100644 index 00000000000..c44d184cc81 --- /dev/null +++ b/queue-5.4/mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch @@ -0,0 +1,48 @@ +From d768dda2af5b5fb16c312eaa0419df3957fd6395 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:52:30 -0700 +Subject: mm/swapfile.c: fix potential memory leak in sys_swapon + +From: Miaohe Lin + +[ Upstream commit 822bca52ee7eb279acfba261a423ed7ac47d6f73 ] + +If we failed to drain inode, we would forget to free the swap address +space allocated by init_swap_address_space() above. + +Fixes: dc617f29dbe5 ("vfs: don't allow writes to swap files") +Signed-off-by: Miaohe Lin +Signed-off-by: Andrew Morton +Reviewed-by: Darrick J. Wong +Link: https://lkml.kernel.org/r/20200930101803.53884-1-linmiaohe@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/swapfile.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/swapfile.c b/mm/swapfile.c +index cf62bdb7b3045..ff83ffe7a9108 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -3284,7 +3284,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) + error = inode_drain_writes(inode); + if (error) { + inode->i_flags &= ~S_SWAPFILE; +- goto bad_swap_unlock_inode; ++ goto free_swap_address_space; + } + + mutex_lock(&swapon_mutex); +@@ -3309,6 +3309,8 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) + + error = 0; + goto out; ++free_swap_address_space: ++ exit_swap_address_space(p->type); + bad_swap_unlock_inode: + inode_unlock(inode); + bad_swap: +-- +2.25.1 + diff --git a/queue-5.4/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch b/queue-5.4/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch new file mode 100644 index 00000000000..b58de874e9d --- /dev/null +++ b/queue-5.4/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch @@ -0,0 +1,40 @@ +From 2fb14d2e2974bb5a6b715559e6d531037d8b6c00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 15:38:34 +0200 +Subject: mmc: sdio: Check for CISTPL_VERS_1 buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ] + +Before parsing CISTPL_VERS_1 structure check that its size is at least two +bytes to prevent buffer overflow. + +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20200727133837.19086-2-pali@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/sdio_cis.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c +index e0655278c5c32..3efaa9534a777 100644 +--- a/drivers/mmc/core/sdio_cis.c ++++ b/drivers/mmc/core/sdio_cis.c +@@ -26,6 +26,9 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func, + unsigned i, nr_strings; + char **buffer, *string; + ++ if (size < 2) ++ return 0; ++ + /* Find all null-terminated (including zero length) strings in + the TPLLV1_INFO field. Trailing garbage is ignored. */ + buf += 2; +-- +2.25.1 + diff --git a/queue-5.4/module-statically-initialize-init-section-freeing-da.patch b/queue-5.4/module-statically-initialize-init-section-freeing-da.patch new file mode 100644 index 00000000000..e94d13e666b --- /dev/null +++ b/queue-5.4/module-statically-initialize-init-section-freeing-da.patch @@ -0,0 +1,89 @@ +From e6feb90c23eb19344785ad8b428d0b8ebf8ea523 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 13:32:20 -0400 +Subject: module: statically initialize init section freeing data + +From: Daniel Jordan + +[ Upstream commit fdf09ab887829cd1b671e45d9549f8ec1ffda0fa ] + +Corentin hit the following workqueue warning when running with +CRYPTO_MANAGER_EXTRA_TESTS: + + WARNING: CPU: 2 PID: 147 at kernel/workqueue.c:1473 __queue_work+0x3b8/0x3d0 + Modules linked in: ghash_generic + CPU: 2 PID: 147 Comm: modprobe Not tainted + 5.6.0-rc1-next-20200214-00068-g166c9264f0b1-dirty #545 + Hardware name: Pine H64 model A (DT) + pc : __queue_work+0x3b8/0x3d0 + Call trace: + __queue_work+0x3b8/0x3d0 + queue_work_on+0x6c/0x90 + do_init_module+0x188/0x1f0 + load_module+0x1d00/0x22b0 + +I wasn't able to reproduce on x86 or rpi 3b+. + +This is + + WARN_ON(!list_empty(&work->entry)) + +from __queue_work(), and it happens because the init_free_wq work item +isn't initialized in time for a crypto test that requests the gcm +module. Some crypto tests were recently moved earlier in boot as +explained in commit c4741b230597 ("crypto: run initcalls for generic +implementations earlier"), which went into mainline less than two weeks +before the Fixes commit. + +Avoid the warning by statically initializing init_free_wq and the +corresponding llist. + +Link: https://lore.kernel.org/lkml/20200217204803.GA13479@Red/ +Fixes: 1a7b7d922081 ("modules: Use vmalloc special flag") +Reported-by: Corentin Labbe +Tested-by: Corentin Labbe +Tested-on: sun50i-h6-pine-h64 +Tested-on: imx8mn-ddr4-evk +Tested-on: sun50i-a64-bananapi-m64 +Reviewed-by: Eric Biggers +Signed-off-by: Daniel Jordan +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +--- + kernel/module.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/kernel/module.c b/kernel/module.c +index 819c5d3b4c295..45513909b01d5 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -88,8 +88,9 @@ EXPORT_SYMBOL_GPL(module_mutex); + static LIST_HEAD(modules); + + /* Work queue for freeing init sections in success case */ +-static struct work_struct init_free_wq; +-static struct llist_head init_free_list; ++static void do_free_init(struct work_struct *w); ++static DECLARE_WORK(init_free_wq, do_free_init); ++static LLIST_HEAD(init_free_list); + + #ifdef CONFIG_MODULES_TREE_LOOKUP + +@@ -3563,14 +3564,6 @@ static void do_free_init(struct work_struct *w) + } + } + +-static int __init modules_wq_init(void) +-{ +- INIT_WORK(&init_free_wq, do_free_init); +- init_llist_head(&init_free_list); +- return 0; +-} +-module_init(modules_wq_init); +- + /* + * This is where the real work happens. + * +-- +2.25.1 + diff --git a/queue-5.4/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch b/queue-5.4/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch new file mode 100644 index 00000000000..3d68c99852b --- /dev/null +++ b/queue-5.4/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch @@ -0,0 +1,96 @@ +From 2d807f39a3953b8197bc86cf2e2e697ff5feb275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 16:01:16 +0200 +Subject: mtd: lpddr: fix excessive stack usage with clang + +From: Arnd Bergmann + +[ Upstream commit 3e1b6469f8324bee5927b063e2aca30d3e56b907 ] + +Building lpddr2_nvm with clang can result in a giant stack usage +in one function: + +drivers/mtd/lpddr/lpddr2_nvm.c:399:12: error: stack frame size of 1144 bytes in function 'lpddr2_nvm_probe' [-Werror,-Wframe-larger-than=] + +The problem is that clang decides to build a copy of the mtd_info +structure on the stack and then do a memcpy() into the actual version. It +shouldn't really do it that way, but it's not strictly a bug either. + +As a workaround, use a static const version of the structure to assign +most of the members upfront and then only set the few members that +require runtime knowledge at probe time. + +Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Acked-by: Miquel Raynal +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200505140136.263461-1-arnd@arndb.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/lpddr/lpddr2_nvm.c | 35 ++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c +index 0f1547f09d08b..72f5c7b300790 100644 +--- a/drivers/mtd/lpddr/lpddr2_nvm.c ++++ b/drivers/mtd/lpddr/lpddr2_nvm.c +@@ -393,6 +393,17 @@ static int lpddr2_nvm_lock(struct mtd_info *mtd, loff_t start_add, + return lpddr2_nvm_do_block_op(mtd, start_add, len, LPDDR2_NVM_LOCK); + } + ++static const struct mtd_info lpddr2_nvm_mtd_info = { ++ .type = MTD_RAM, ++ .writesize = 1, ++ .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK), ++ ._read = lpddr2_nvm_read, ++ ._write = lpddr2_nvm_write, ++ ._erase = lpddr2_nvm_erase, ++ ._unlock = lpddr2_nvm_unlock, ++ ._lock = lpddr2_nvm_lock, ++}; ++ + /* + * lpddr2_nvm driver probe method + */ +@@ -433,6 +444,7 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + .pfow_base = OW_BASE_ADDRESS, + .fldrv_priv = pcm_data, + }; ++ + if (IS_ERR(map->virt)) + return PTR_ERR(map->virt); + +@@ -444,22 +456,13 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + return PTR_ERR(pcm_data->ctl_regs); + + /* Populate mtd_info data structure */ +- *mtd = (struct mtd_info) { +- .dev = { .parent = &pdev->dev }, +- .name = pdev->dev.init_name, +- .type = MTD_RAM, +- .priv = map, +- .size = resource_size(add_range), +- .erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width, +- .writesize = 1, +- .writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width, +- .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK), +- ._read = lpddr2_nvm_read, +- ._write = lpddr2_nvm_write, +- ._erase = lpddr2_nvm_erase, +- ._unlock = lpddr2_nvm_unlock, +- ._lock = lpddr2_nvm_lock, +- }; ++ *mtd = lpddr2_nvm_mtd_info; ++ mtd->dev.parent = &pdev->dev; ++ mtd->name = pdev->dev.init_name; ++ mtd->priv = map; ++ mtd->size = resource_size(add_range); ++ mtd->erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width; ++ mtd->writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width; + + /* Verify the presence of the device looking for PFOW string */ + if (!lpddr2_nvm_pfow_present(map)) { +-- +2.25.1 + diff --git a/queue-5.4/mtd-mtdoops-don-t-write-panic-data-twice.patch b/queue-5.4/mtd-mtdoops-don-t-write-panic-data-twice.patch new file mode 100644 index 00000000000..81150a0f929 --- /dev/null +++ b/queue-5.4/mtd-mtdoops-don-t-write-panic-data-twice.patch @@ -0,0 +1,49 @@ +From 84b259d45f556c1fc2d8ef673b9f7aee7bfa53b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 15:42:17 +1200 +Subject: mtd: mtdoops: Don't write panic data twice + +From: Mark Tomlinson + +[ Upstream commit c1cf1d57d1492235309111ea6a900940213a9166 ] + +If calling mtdoops_write, don't also schedule work to be done later. + +Although this appears to not be causing an issue, possibly because the +scheduled work will never get done, it is confusing. + +Fixes: 016c1291ce70 ("mtd: mtdoops: do not use mtd->panic_write directly") +Signed-off-by: Mark Tomlinson +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200903034217.23079-1-mark.tomlinson@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdoops.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c +index 4ced68be7ed7e..774970bfcf859 100644 +--- a/drivers/mtd/mtdoops.c ++++ b/drivers/mtd/mtdoops.c +@@ -279,12 +279,13 @@ static void mtdoops_do_dump(struct kmsg_dumper *dumper, + kmsg_dump_get_buffer(dumper, true, cxt->oops_buf + MTDOOPS_HEADER_SIZE, + record_size - MTDOOPS_HEADER_SIZE, NULL); + +- /* Panics must be written immediately */ +- if (reason != KMSG_DUMP_OOPS) ++ if (reason != KMSG_DUMP_OOPS) { ++ /* Panics must be written immediately */ + mtdoops_write(cxt, 1); +- +- /* For other cases, schedule work to write it "nicely" */ +- schedule_work(&cxt->work_write); ++ } else { ++ /* For other cases, schedule work to write it "nicely" */ ++ schedule_work(&cxt->work_write); ++ } + } + + static void mtdoops_notify_add(struct mtd_info *mtd) +-- +2.25.1 + diff --git a/queue-5.4/mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch b/queue-5.4/mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch new file mode 100644 index 00000000000..99cf24ce726 --- /dev/null +++ b/queue-5.4/mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch @@ -0,0 +1,43 @@ +From 6f75e139147a653a60a0bb9ee74d0823d2cfcbb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 10:26:34 +0300 +Subject: mtd: rawnand: vf610: disable clk on error handling path in probe + +From: Evgeny Novikov + +[ Upstream commit cb7dc3178a9862614b1e7567d77f4679f027a074 ] + +vf610_nfc_probe() does not invoke clk_disable_unprepare() on one error +handling path. The patch fixes that. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 6f0ce4dfc5a3 ("mtd: rawnand: vf610: Avoid a potential NULL pointer dereference") +Signed-off-by: Evgeny Novikov +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200806072634.23528-1-novikov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/vf610_nfc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/vf610_nfc.c b/drivers/mtd/nand/raw/vf610_nfc.c +index 6b399a75f9aec..b6f114da57143 100644 +--- a/drivers/mtd/nand/raw/vf610_nfc.c ++++ b/drivers/mtd/nand/raw/vf610_nfc.c +@@ -850,8 +850,10 @@ static int vf610_nfc_probe(struct platform_device *pdev) + } + + of_id = of_match_device(vf610_nfc_dt_ids, &pdev->dev); +- if (!of_id) +- return -ENODEV; ++ if (!of_id) { ++ err = -ENODEV; ++ goto err_disable_clk; ++ } + + nfc->variant = (enum vf610_nfc_variant)of_id->data; + +-- +2.25.1 + diff --git a/queue-5.4/mtd-spinand-gigadevice-add-qe-bit.patch b/queue-5.4/mtd-spinand-gigadevice-add-qe-bit.patch new file mode 100644 index 00000000000..e359f559734 --- /dev/null +++ b/queue-5.4/mtd-spinand-gigadevice-add-qe-bit.patch @@ -0,0 +1,80 @@ +From f2058ff2310971f98d4fe823f1bce1ce719cf37c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:51:20 +0200 +Subject: mtd: spinand: gigadevice: Add QE Bit + +From: Hauke Mehrtens + +[ Upstream commit aea7687e77bebce5b67fab9d03347bd8df7933c7 ] + +The following GigaDevice chips have the QE BIT in the feature flags, I +checked the datasheets, but did not try this. +* GD5F1GQ4xExxG +* GD5F1GQ4xFxxG +* GD5F1GQ4UAYIG +* GD5F4GQ4UAYIG + +The Quad operations like 0xEB mention that the QE bit has to be set. + +Fixes: c93c613214ac ("mtd: spinand: add support for GigaDevice GD5FxGQ4xA") +Signed-off-by: Hauke Mehrtens +Tested-by: Chuanhong Guo +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200820165121.3192-3-hauke@hauke-m.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/spi/gigadevice.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/mtd/nand/spi/gigadevice.c b/drivers/mtd/nand/spi/gigadevice.c +index 45f4c1f4a3d1c..b13b39763a405 100644 +--- a/drivers/mtd/nand/spi/gigadevice.c ++++ b/drivers/mtd/nand/spi/gigadevice.c +@@ -201,7 +201,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout, + gd5fxgq4xa_ecc_get_status)), + SPINAND_INFO("GD5F2GQ4xA", 0xF2, +@@ -210,7 +210,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout, + gd5fxgq4xa_ecc_get_status)), + SPINAND_INFO("GD5F4GQ4xA", 0xF4, +@@ -219,7 +219,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout, + gd5fxgq4xa_ecc_get_status)), + SPINAND_INFO("GD5F1GQ4UExxG", 0xd1, +@@ -228,7 +228,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4_variant2_ooblayout, + gd5fxgq4uexxg_ecc_get_status)), + SPINAND_INFO("GD5F1GQ4UFxxG", 0xb148, +@@ -237,7 +237,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants_f, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4_variant2_ooblayout, + gd5fxgq4ufxxg_ecc_get_status)), + }; +-- +2.25.1 + diff --git a/queue-5.4/mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch b/queue-5.4/mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch new file mode 100644 index 00000000000..53e4fe06a96 --- /dev/null +++ b/queue-5.4/mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch @@ -0,0 +1,51 @@ +From f3432197baaf47c16bc01fe26d9ce9c8a77ec448 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:51:19 +0200 +Subject: mtd: spinand: gigadevice: Only one dummy byte in QUADIO + +From: Hauke Mehrtens + +[ Upstream commit 6387ad9caf8f09747a8569e5876086b72ee9382c ] + +The datasheet only lists one dummy byte in the 0xEH operation for the +following chips: +* GD5F1GQ4xExxG +* GD5F1GQ4xFxxG +* GD5F1GQ4UAYIG +* GD5F4GQ4UAYIG + +Fixes: c93c613214ac ("mtd: spinand: add support for GigaDevice GD5FxGQ4xA") +Signed-off-by: Hauke Mehrtens +Tested-by: Chuanhong Guo +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200820165121.3192-2-hauke@hauke-m.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/spi/gigadevice.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/spi/gigadevice.c b/drivers/mtd/nand/spi/gigadevice.c +index e99d425aa93f5..45f4c1f4a3d1c 100644 +--- a/drivers/mtd/nand/spi/gigadevice.c ++++ b/drivers/mtd/nand/spi/gigadevice.c +@@ -21,7 +21,7 @@ + #define GD5FXGQ4UXFXXG_STATUS_ECC_UNCOR_ERROR (7 << 4) + + static SPINAND_OP_VARIANTS(read_cache_variants, +- SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 2, NULL, 0), ++ SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_X4_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_DUALIO_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_X2_OP(0, 1, NULL, 0), +@@ -29,7 +29,7 @@ static SPINAND_OP_VARIANTS(read_cache_variants, + SPINAND_PAGE_READ_FROM_CACHE_OP(false, 0, 1, NULL, 0)); + + static SPINAND_OP_VARIANTS(read_cache_variants_f, +- SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 2, NULL, 0), ++ SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_X4_OP_3A(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_DUALIO_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_X2_OP_3A(0, 1, NULL, 0), +-- +2.25.1 + diff --git a/queue-5.4/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch b/queue-5.4/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch new file mode 100644 index 00000000000..ccbcf7b8152 --- /dev/null +++ b/queue-5.4/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch @@ -0,0 +1,51 @@ +From 3b70ca167d6e5a3e98baaf245559b04f85cd18cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 11:29:06 +0200 +Subject: mwifiex: Do not use GFP_KERNEL in atomic context + +From: Christophe JAILLET + +[ Upstream commit d2ab7f00f4321370a8ee14e5630d4349fdacc42e ] + +A possible call chain is as follow: + mwifiex_sdio_interrupt (sdio.c) + --> mwifiex_main_process (main.c) + --> mwifiex_process_cmdresp (cmdevt.c) + --> mwifiex_process_sta_cmdresp (sta_cmdresp.c) + --> mwifiex_ret_802_11_scan (scan.c) + --> mwifiex_parse_single_response_buf (scan.c) + +'mwifiex_sdio_interrupt()' is an interrupt function. + +Also note that 'mwifiex_ret_802_11_scan()' already uses GFP_ATOMIC. + +So use GFP_ATOMIC instead of GFP_KERNEL when memory is allocated in +'mwifiex_parse_single_response_buf()'. + +Fixes: 7c6fa2a843c5 ("mwifiex: use cfg80211 dynamic scan table and cfg80211_get_bss API") +or +Fixes: 601216e12c65e ("mwifiex: process RX packets in SDIO IRQ thread directly") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200809092906.744621-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 59f0651d148bb..629af26675cf1 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -1891,7 +1891,7 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info, + chan, CFG80211_BSS_FTYPE_UNKNOWN, + bssid, timestamp, + cap_info_bitmap, beacon_period, +- ie_buf, ie_len, rssi, GFP_KERNEL); ++ ie_buf, ie_len, rssi, GFP_ATOMIC); + if (bss) { + bss_priv = (struct mwifiex_bss_priv *)bss->priv; + bss_priv->band = band; +-- +2.25.1 + diff --git a/queue-5.4/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch b/queue-5.4/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch new file mode 100644 index 00000000000..edde507c9ad --- /dev/null +++ b/queue-5.4/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch @@ -0,0 +1,54 @@ +From bac32c1da444913dafe8a19fadc7141478740f5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 17:27:19 +0900 +Subject: mwifiex: don't call del_timer_sync() on uninitialized timer + +From: Tetsuo Handa + +[ Upstream commit 621a3a8b1c0ecf16e1e5667ea5756a76a082b738 ] + +syzbot is reporting that del_timer_sync() is called from +mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without +checking timer_setup() from mwifiex_usb_tx_init() was called [1]. + +Ganapathi Bhat proposed a possibly cleaner fix, but it seems that +that fix was forgotten [2]. + +"grep -FrB1 'del_timer' drivers/ | grep -FA1 '.function)'" says that +currently there are 28 locations which call del_timer[_sync]() only if +that timer's function field was initialized (because timer_setup() sets +that timer's function field). Therefore, let's use same approach here. + +[1] https://syzkaller.appspot.com/bug?id=26525f643f454dd7be0078423e3cdb0d57744959 +[2] https://lkml.kernel.org/r/CA+ASDXMHt2gq9Hy+iP_BYkWXsSreWdp3_bAfMkNcuqJ3K+-jbQ@mail.gmail.com + +Reported-by: syzbot +Cc: Ganapathi Bhat +Cc: Brian Norris +Signed-off-by: Tetsuo Handa +Reviewed-by: Brian Norris +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200821082720.7716-1-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c +index c2365eeb70168..528107d70c1cb 100644 +--- a/drivers/net/wireless/marvell/mwifiex/usb.c ++++ b/drivers/net/wireless/marvell/mwifiex/usb.c +@@ -1353,7 +1353,8 @@ static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter) + skb_dequeue(&port->tx_aggr.aggr_list))) + mwifiex_write_data_complete(adapter, skb_tmp, + 0, -1); +- del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); ++ if (port->tx_aggr.timer_cnxt.hold_timer.function) ++ del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); + port->tx_aggr.timer_cnxt.is_hold_timer_set = false; + port->tx_aggr.timer_cnxt.hold_tmo_msecs = 0; + } +-- +2.25.1 + diff --git a/queue-5.4/mwifiex-fix-double-free.patch b/queue-5.4/mwifiex-fix-double-free.patch new file mode 100644 index 00000000000..f045784a3d6 --- /dev/null +++ b/queue-5.4/mwifiex-fix-double-free.patch @@ -0,0 +1,50 @@ +From 20f4dba681ac452cf1707c1447dc8417f93b1cf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 06:19:31 -0700 +Subject: mwifiex: fix double free + +From: Tom Rix + +[ Upstream commit 53708f4fd9cfe389beab5c8daa763bcd0e0b4aef ] + +clang static analysis reports this problem: + +sdio.c:2403:3: warning: Attempt to free released memory + kfree(card->mpa_rx.buf); + ^~~~~~~~~~~~~~~~~~~~~~~ + +When mwifiex_init_sdio() fails in its first call to +mwifiex_alloc_sdio_mpa_buffer, it falls back to calling it +again. If the second alloc of mpa_tx.buf fails, the error +handler will try to free the old, previously freed mpa_rx.buf. +Reviewing the code, it looks like a second double free would +happen with mwifiex_cleanup_sdio(). + +So set both pointers to NULL when they are freed. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Tom Rix +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201004131931.29782-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c +index fec38b6e86ffd..b322c2755e9a4 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sdio.c ++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c +@@ -1996,6 +1996,8 @@ static int mwifiex_alloc_sdio_mpa_buffers(struct mwifiex_adapter *adapter, + kfree(card->mpa_rx.buf); + card->mpa_tx.buf_size = 0; + card->mpa_rx.buf_size = 0; ++ card->mpa_tx.buf = NULL; ++ card->mpa_rx.buf = NULL; + } + + return ret; +-- +2.25.1 + diff --git a/queue-5.4/net-dsa-rtl8366-check-validity-of-passed-vlans.patch b/queue-5.4/net-dsa-rtl8366-check-validity-of-passed-vlans.patch new file mode 100644 index 00000000000..6bc356d6216 --- /dev/null +++ b/queue-5.4/net-dsa-rtl8366-check-validity-of-passed-vlans.patch @@ -0,0 +1,49 @@ +From 2d256c3cd03056079d284f674fac6a93322ba4db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 00:09:34 +0200 +Subject: net: dsa: rtl8366: Check validity of passed VLANs + +From: Linus Walleij + +[ Upstream commit 6641a2c42b0a307b7638d10e5d4b90debc61389d ] + +The rtl8366_set_vlan() and rtl8366_set_pvid() get invalid +VLANs tossed at it, especially VLAN0, something the hardware +and driver cannot handle. Check validity and bail out like +we do in the other callbacks. + +Reviewed-by: Florian Fainelli +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index 99cdb2f18fa2f..a62d76a048dfa 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -43,6 +43,9 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + int ret; + int i; + ++ if (!smi->ops->is_vlan_valid(smi, vid)) ++ return -EINVAL; ++ + dev_dbg(smi->dev, + "setting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n", + vid, member, untag); +@@ -118,6 +121,9 @@ int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + int ret; + int i; + ++ if (!smi->ops->is_vlan_valid(smi, vid)) ++ return -EINVAL; ++ + /* Try to find an existing MC entry for this VID */ + for (i = 0; i < smi->num_vlan_mc; i++) { + ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +-- +2.25.1 + diff --git a/queue-5.4/net-dsa-rtl8366-refactor-vlan-pvid-init.patch b/queue-5.4/net-dsa-rtl8366-refactor-vlan-pvid-init.patch new file mode 100644 index 00000000000..19210759e3e --- /dev/null +++ b/queue-5.4/net-dsa-rtl8366-refactor-vlan-pvid-init.patch @@ -0,0 +1,398 @@ +From 85d8612ffacdaa6ac119da3cb580fa85f6e5b1ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 00:09:35 +0200 +Subject: net: dsa: rtl8366: Refactor VLAN/PVID init + +From: Linus Walleij + +[ Upstream commit 7e1301ed1881447d2a25f9c6423738c33cbca133 ] + +The VLANs and PVIDs on the RTL8366 utilizes a "member +configuration" (MC) which is largely unexplained in the +code. + +This set-up requires a special ordering: rtl8366_set_pvid() +must be called first, followed by rtl8366_set_vlan(), +else the MC will not be properly allocated. Relax this +by factoring out the code obtaining an MC and reuse +the helper in both rtl8366_set_pvid() and +rtl8366_set_vlan() so we remove this strict ordering +requirement. + +In the process, add some better comments and debug prints +so people who read the code understand what is going on. + +Reviewed-by: Florian Fainelli +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek-smi-core.h | 4 +- + drivers/net/dsa/rtl8366.c | 273 +++++++++++++++-------------- + 2 files changed, 146 insertions(+), 131 deletions(-) + +diff --git a/drivers/net/dsa/realtek-smi-core.h b/drivers/net/dsa/realtek-smi-core.h +index 9a63b51e1d82f..6f2dab7e33d65 100644 +--- a/drivers/net/dsa/realtek-smi-core.h ++++ b/drivers/net/dsa/realtek-smi-core.h +@@ -25,6 +25,9 @@ struct rtl8366_mib_counter { + const char *name; + }; + ++/** ++ * struct rtl8366_vlan_mc - Virtual LAN member configuration ++ */ + struct rtl8366_vlan_mc { + u16 vid; + u16 untag; +@@ -119,7 +122,6 @@ int realtek_smi_setup_mdio(struct realtek_smi *smi); + int rtl8366_mc_is_used(struct realtek_smi *smi, int mc_index, int *used); + int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + u32 untag, u32 fid); +-int rtl8366_get_pvid(struct realtek_smi *smi, int port, int *val); + int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + unsigned int vid); + int rtl8366_enable_vlan4k(struct realtek_smi *smi, bool enable); +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index a62d76a048dfa..b941d45edd641 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -36,12 +36,110 @@ int rtl8366_mc_is_used(struct realtek_smi *smi, int mc_index, int *used) + } + EXPORT_SYMBOL_GPL(rtl8366_mc_is_used); + ++/** ++ * rtl8366_obtain_mc() - retrieve or allocate a VLAN member configuration ++ * @smi: the Realtek SMI device instance ++ * @vid: the VLAN ID to look up or allocate ++ * @vlanmc: the pointer will be assigned to a pointer to a valid member config ++ * if successful ++ * @return: index of a new member config or negative error number ++ */ ++static int rtl8366_obtain_mc(struct realtek_smi *smi, int vid, ++ struct rtl8366_vlan_mc *vlanmc) ++{ ++ struct rtl8366_vlan_4k vlan4k; ++ int ret; ++ int i; ++ ++ /* Try to find an existing member config entry for this VID */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ ret = smi->ops->get_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "error searching for VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ if (vid == vlanmc->vid) ++ return i; ++ } ++ ++ /* We have no MC entry for this VID, try to find an empty one */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ ret = smi->ops->get_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "error searching for VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ if (vlanmc->vid == 0 && vlanmc->member == 0) { ++ /* Update the entry from the 4K table */ ++ ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); ++ if (ret) { ++ dev_err(smi->dev, "error looking for 4K VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ vlanmc->vid = vid; ++ vlanmc->member = vlan4k.member; ++ vlanmc->untag = vlan4k.untag; ++ vlanmc->fid = vlan4k.fid; ++ ret = smi->ops->set_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "unable to set/update VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ dev_dbg(smi->dev, "created new MC at index %d for VID %d\n", ++ i, vid); ++ return i; ++ } ++ } ++ ++ /* MC table is full, try to find an unused entry and replace it */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ int used; ++ ++ ret = rtl8366_mc_is_used(smi, i, &used); ++ if (ret) ++ return ret; ++ ++ if (!used) { ++ /* Update the entry from the 4K table */ ++ ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); ++ if (ret) ++ return ret; ++ ++ vlanmc->vid = vid; ++ vlanmc->member = vlan4k.member; ++ vlanmc->untag = vlan4k.untag; ++ vlanmc->fid = vlan4k.fid; ++ ret = smi->ops->set_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "unable to set/update VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ dev_dbg(smi->dev, "recycled MC at index %i for VID %d\n", ++ i, vid); ++ return i; ++ } ++ } ++ ++ dev_err(smi->dev, "all VLAN member configurations are in use\n"); ++ return -ENOSPC; ++} ++ + int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + u32 untag, u32 fid) + { ++ struct rtl8366_vlan_mc vlanmc; + struct rtl8366_vlan_4k vlan4k; ++ int mc; + int ret; +- int i; + + if (!smi->ops->is_vlan_valid(smi, vid)) + return -EINVAL; +@@ -66,136 +164,58 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + "resulting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n", + vid, vlan4k.member, vlan4k.untag); + +- /* Try to find an existing MC entry for this VID */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- struct rtl8366_vlan_mc vlanmc; +- +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vid == vlanmc.vid) { +- /* update the MC entry */ +- vlanmc.member |= member; +- vlanmc.untag |= untag; +- vlanmc.fid = fid; +- +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); ++ /* Find or allocate a member config for this VID */ ++ ret = rtl8366_obtain_mc(smi, vid, &vlanmc); ++ if (ret < 0) ++ return ret; ++ mc = ret; + +- dev_dbg(smi->dev, +- "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n", +- vid, vlanmc.member, vlanmc.untag); ++ /* Update the MC entry */ ++ vlanmc.member |= member; ++ vlanmc.untag |= untag; ++ vlanmc.fid = fid; + +- break; +- } +- } ++ /* Commit updates to the MC entry */ ++ ret = smi->ops->set_vlan_mc(smi, mc, &vlanmc); ++ if (ret) ++ dev_err(smi->dev, "failed to commit changes to VLAN MC index %d for VID %d\n", ++ mc, vid); ++ else ++ dev_dbg(smi->dev, ++ "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n", ++ vid, vlanmc.member, vlanmc.untag); + + return ret; + } + EXPORT_SYMBOL_GPL(rtl8366_set_vlan); + +-int rtl8366_get_pvid(struct realtek_smi *smi, int port, int *val) +-{ +- struct rtl8366_vlan_mc vlanmc; +- int ret; +- int index; +- +- ret = smi->ops->get_mc_index(smi, port, &index); +- if (ret) +- return ret; +- +- ret = smi->ops->get_vlan_mc(smi, index, &vlanmc); +- if (ret) +- return ret; +- +- *val = vlanmc.vid; +- return 0; +-} +-EXPORT_SYMBOL_GPL(rtl8366_get_pvid); +- + int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + unsigned int vid) + { + struct rtl8366_vlan_mc vlanmc; +- struct rtl8366_vlan_4k vlan4k; ++ int mc; + int ret; +- int i; + + if (!smi->ops->is_vlan_valid(smi, vid)) + return -EINVAL; + +- /* Try to find an existing MC entry for this VID */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vid == vlanmc.vid) { +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } +- } +- +- /* We have no MC entry for this VID, try to find an empty one */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vlanmc.vid == 0 && vlanmc.member == 0) { +- /* Update the entry from the 4K table */ +- ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); +- if (ret) +- return ret; +- +- vlanmc.vid = vid; +- vlanmc.member = vlan4k.member; +- vlanmc.untag = vlan4k.untag; +- vlanmc.fid = vlan4k.fid; +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } +- } +- +- /* MC table is full, try to find an unused entry and replace it */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- int used; +- +- ret = rtl8366_mc_is_used(smi, i, &used); +- if (ret) +- return ret; +- +- if (!used) { +- /* Update the entry from the 4K table */ +- ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); +- if (ret) +- return ret; +- +- vlanmc.vid = vid; +- vlanmc.member = vlan4k.member; +- vlanmc.untag = vlan4k.untag; +- vlanmc.fid = vlan4k.fid; +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; ++ /* Find or allocate a member config for this VID */ ++ ret = rtl8366_obtain_mc(smi, vid, &vlanmc); ++ if (ret < 0) ++ return ret; ++ mc = ret; + +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } ++ ret = smi->ops->set_mc_index(smi, port, mc); ++ if (ret) { ++ dev_err(smi->dev, "set PVID: failed to set MC index %d for port %d\n", ++ mc, port); ++ return ret; + } + +- dev_err(smi->dev, +- "all VLAN member configurations are in use\n"); ++ dev_dbg(smi->dev, "set PVID: the PVID for port %d set to %d using existing MC index %d\n", ++ port, vid, mc); + +- return -ENOSPC; ++ return 0; + } + EXPORT_SYMBOL_GPL(rtl8366_set_pvid); + +@@ -395,7 +415,8 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + if (!smi->ops->is_vlan_valid(smi, vid)) + return; + +- dev_info(smi->dev, "add VLAN on port %d, %s, %s\n", ++ dev_info(smi->dev, "add VLAN %d on port %d, %s, %s\n", ++ vlan->vid_begin, + port, + untagged ? "untagged" : "tagged", + pvid ? " PVID" : "no PVID"); +@@ -404,34 +425,26 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + dev_err(smi->dev, "port is DSA or CPU port\n"); + + for (vid = vlan->vid_begin; vid <= vlan->vid_end; vid++) { +- int pvid_val = 0; +- +- dev_info(smi->dev, "add VLAN %04x\n", vid); + member |= BIT(port); + + if (untagged) + untag |= BIT(port); + +- /* To ensure that we have a valid MC entry for this VLAN, +- * initialize the port VLAN ID here. +- */ +- ret = rtl8366_get_pvid(smi, port, &pvid_val); +- if (ret < 0) { +- dev_err(smi->dev, "could not lookup PVID for port %d\n", +- port); +- return; +- } +- if (pvid_val == 0) { +- ret = rtl8366_set_pvid(smi, port, vid); +- if (ret < 0) +- return; +- } +- + ret = rtl8366_set_vlan(smi, vid, member, untag, 0); + if (ret) + dev_err(smi->dev, + "failed to set up VLAN %04x", + vid); ++ ++ ret = rtl8366_set_pvid(smi, port, vid); ++ if (ret) ++ dev_err(smi->dev, ++ "failed to set PVID on port %d to VLAN %04x", ++ port, vid); ++ ++ if (!ret) ++ dev_dbg(smi->dev, "VLAN add: added VLAN %d with PVID on port %d\n", ++ vid, port); + } + } + EXPORT_SYMBOL_GPL(rtl8366_vlan_add); +-- +2.25.1 + diff --git a/queue-5.4/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch b/queue-5.4/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch new file mode 100644 index 00000000000..76334246a3b --- /dev/null +++ b/queue-5.4/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch @@ -0,0 +1,38 @@ +From 50a7b8d9dc25b19c0cfdb5599c08f903a4580d30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 00:29:54 +0200 +Subject: net: dsa: rtl8366: Skip PVID setting if not requested + +From: Linus Walleij + +[ Upstream commit 3dfe8dde093a07e82fa472c0f8c29a7f6a2006a5 ] + +We go to lengths to determine whether the PVID should be set +for this port or not, and then fail to take it into account. +Fix this oversight. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index b941d45edd641..49c626a336803 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -436,6 +436,9 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + "failed to set up VLAN %04x", + vid); + ++ if (!pvid) ++ continue; ++ + ret = rtl8366_set_pvid(smi, port, vid); + if (ret) + dev_err(smi->dev, +-- +2.25.1 + diff --git a/queue-5.4/net-dsa-rtl8366rb-support-all-4096-vlans.patch b/queue-5.4/net-dsa-rtl8366rb-support-all-4096-vlans.patch new file mode 100644 index 00000000000..61e29be5ba6 --- /dev/null +++ b/queue-5.4/net-dsa-rtl8366rb-support-all-4096-vlans.patch @@ -0,0 +1,38 @@ +From 990e96862e0917723bc67c4b6754c6f30c0d74e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 22:37:33 +0200 +Subject: net: dsa: rtl8366rb: Support all 4096 VLANs + +From: Linus Walleij + +[ Upstream commit a7920efdd86d8a0d74402dbc80ead03b023294ba ] + +There is an off-by-one error in rtl8366rb_is_vlan_valid() +making VLANs 0..4094 valid while it should be 1..4095. +Fix it. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366rb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/rtl8366rb.c b/drivers/net/dsa/rtl8366rb.c +index f5cc8b0a7c74c..7f731bf369980 100644 +--- a/drivers/net/dsa/rtl8366rb.c ++++ b/drivers/net/dsa/rtl8366rb.c +@@ -1269,7 +1269,7 @@ static bool rtl8366rb_is_vlan_valid(struct realtek_smi *smi, unsigned int vlan) + if (smi->vlan4k_enabled) + max = RTL8366RB_NUM_VIDS - 1; + +- if (vlan == 0 || vlan >= max) ++ if (vlan == 0 || vlan > max) + return false; + + return true; +-- +2.25.1 + diff --git a/queue-5.4/net-enic-cure-the-enic-api-locking-trainwreck.patch b/queue-5.4/net-enic-cure-the-enic-api-locking-trainwreck.patch new file mode 100644 index 00000000000..36b372e1737 --- /dev/null +++ b/queue-5.4/net-enic-cure-the-enic-api-locking-trainwreck.patch @@ -0,0 +1,157 @@ +From fcc06f90bb80f97f754385376d5f860aae3ed0f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 22:25:10 +0200 +Subject: net: enic: Cure the enic api locking trainwreck + +From: Thomas Gleixner + +[ Upstream commit a53b59ece86c86d16d12ccdaa1ad0c78250a9d96 ] + +enic_dev_wait() has a BUG_ON(in_interrupt()). + +Chasing the callers of enic_dev_wait() revealed the gems of enic_reset() +and enic_tx_hang_reset() which are both invoked through work queues in +order to be able to call rtnl_lock(). So far so good. + +After locking rtnl both functions acquire enic::enic_api_lock which +serializes against the (ab)use from infiniband. This is where the +trainwreck starts. + +enic::enic_api_lock is a spin_lock() which implicitly disables preemption, +but both functions invoke a ton of functions under that lock which can +sleep. The BUG_ON(in_interrupt()) does not trigger in that case because it +can't detect the preempt disabled condition. + +This clearly has never been tested with any of the mandatory debug options +for 7+ years, which would have caught that for sure. + +Cure it by adding a enic_api_busy member to struct enic, which is modified +and evaluated with enic::enic_api_lock held. + +If enic_api_devcmd_proxy_by_index() observes enic::enic_api_busy as true, +it drops enic::enic_api_lock and busy waits for enic::enic_api_busy to +become false. + +It would be smarter to wait for a completion of that busy period, but +enic_api_devcmd_proxy_by_index() is called with other spin locks held which +obviously can't sleep. + +Remove the BUG_ON(in_interrupt()) check as well because it's incomplete and +with proper debugging enabled the problem would have been caught from the +debug checks in schedule_timeout(). + +Fixes: 0b038566c0ea ("drivers/net: enic: Add an interface for USNIC to interact with firmware") +Signed-off-by: Thomas Gleixner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic.h | 1 + + drivers/net/ethernet/cisco/enic/enic_api.c | 6 +++++ + drivers/net/ethernet/cisco/enic/enic_main.c | 27 ++++++++++++++++----- + 3 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h +index 0dd64acd2a3fb..08cac1bfacafb 100644 +--- a/drivers/net/ethernet/cisco/enic/enic.h ++++ b/drivers/net/ethernet/cisco/enic/enic.h +@@ -171,6 +171,7 @@ struct enic { + u16 num_vfs; + #endif + spinlock_t enic_api_lock; ++ bool enic_api_busy; + struct enic_port_profile *pp; + + /* work queue cache line section */ +diff --git a/drivers/net/ethernet/cisco/enic/enic_api.c b/drivers/net/ethernet/cisco/enic/enic_api.c +index b161f24522b87..b028ea2dec2b9 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_api.c ++++ b/drivers/net/ethernet/cisco/enic/enic_api.c +@@ -34,6 +34,12 @@ int enic_api_devcmd_proxy_by_index(struct net_device *netdev, int vf, + struct vnic_dev *vdev = enic->vdev; + + spin_lock(&enic->enic_api_lock); ++ while (enic->enic_api_busy) { ++ spin_unlock(&enic->enic_api_lock); ++ cpu_relax(); ++ spin_lock(&enic->enic_api_lock); ++ } ++ + spin_lock_bh(&enic->devcmd_lock); + + vnic_dev_cmd_proxy_by_index_start(vdev, vf); +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 6e2ab10ad2e6f..8314102002b0f 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2142,8 +2142,6 @@ static int enic_dev_wait(struct vnic_dev *vdev, + int done; + int err; + +- BUG_ON(in_interrupt()); +- + err = start(vdev, arg); + if (err) + return err; +@@ -2331,6 +2329,13 @@ static int enic_set_rss_nic_cfg(struct enic *enic) + rss_hash_bits, rss_base_cpu, rss_enable); + } + ++static void enic_set_api_busy(struct enic *enic, bool busy) ++{ ++ spin_lock(&enic->enic_api_lock); ++ enic->enic_api_busy = busy; ++ spin_unlock(&enic->enic_api_lock); ++} ++ + static void enic_reset(struct work_struct *work) + { + struct enic *enic = container_of(work, struct enic, reset); +@@ -2340,7 +2345,9 @@ static void enic_reset(struct work_struct *work) + + rtnl_lock(); + +- spin_lock(&enic->enic_api_lock); ++ /* Stop any activity from infiniband */ ++ enic_set_api_busy(enic, true); ++ + enic_stop(enic->netdev); + enic_dev_soft_reset(enic); + enic_reset_addr_lists(enic); +@@ -2348,7 +2355,10 @@ static void enic_reset(struct work_struct *work) + enic_set_rss_nic_cfg(enic); + enic_dev_set_ig_vlan_rewrite_mode(enic); + enic_open(enic->netdev); +- spin_unlock(&enic->enic_api_lock); ++ ++ /* Allow infiniband to fiddle with the device again */ ++ enic_set_api_busy(enic, false); ++ + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev); + + rtnl_unlock(); +@@ -2360,7 +2370,9 @@ static void enic_tx_hang_reset(struct work_struct *work) + + rtnl_lock(); + +- spin_lock(&enic->enic_api_lock); ++ /* Stop any activity from infiniband */ ++ enic_set_api_busy(enic, true); ++ + enic_dev_hang_notify(enic); + enic_stop(enic->netdev); + enic_dev_hang_reset(enic); +@@ -2369,7 +2381,10 @@ static void enic_tx_hang_reset(struct work_struct *work) + enic_set_rss_nic_cfg(enic); + enic_dev_set_ig_vlan_rewrite_mode(enic); + enic_open(enic->netdev); +- spin_unlock(&enic->enic_api_lock); ++ ++ /* Allow infiniband to fiddle with the device again */ ++ enic_set_api_busy(enic, false); ++ + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev); + + rtnl_unlock(); +-- +2.25.1 + diff --git a/queue-5.4/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch b/queue-5.4/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch new file mode 100644 index 00000000000..d7d42eef58b --- /dev/null +++ b/queue-5.4/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch @@ -0,0 +1,49 @@ +From 39a069b84e5ec13f34b35579ad4230777773f82b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 15:52:53 +0200 +Subject: net: fec: Fix PHY init after phy_reset_after_clk_enable() + +From: Marek Vasut + +[ Upstream commit 0da1ccbbefb662915228bc17e1c7d4ad28b3ddab ] + +The phy_reset_after_clk_enable() does a PHY reset, which means the PHY +loses its register settings. The fec_enet_mii_probe() starts the PHY +and does the necessary calls to configure the PHY via PHY framework, +and loads the correct register settings into the PHY. Therefore, +fec_enet_mii_probe() should be called only after the PHY has been +reset, not before as it is now. + +Fixes: 1b0a83ac04e3 ("net: fec: add phy_reset_after_clk_enable() support") +Reviewed-by: Andrew Lunn +Tested-by: Richard Leitner +Signed-off-by: Marek Vasut +Cc: Christoph Niedermaier +Cc: David S. Miller +Cc: NXP Linux Team +Cc: Shawn Guo +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index fd7fc6f20c9da..7831fc07c9a6f 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3014,6 +3014,11 @@ fec_enet_open(struct net_device *ndev) + if (ret) + goto err_enet_mii_probe; + ++ /* Probe and connect to PHY when open the interface */ ++ ret = fec_enet_mii_probe(ndev); ++ if (ret) ++ goto err_enet_mii_probe; ++ + if (fep->quirks & FEC_QUIRK_ERR006687) + imx6q_cpuidle_fec_irqs_used(); + +-- +2.25.1 + diff --git a/queue-5.4/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch b/queue-5.4/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch new file mode 100644 index 00000000000..fb1c4af24e2 --- /dev/null +++ b/queue-5.4/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch @@ -0,0 +1,46 @@ +From 344d619cc7e1b630c1587d3e160ec8523ccf2465 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 00:03:29 +0200 +Subject: net: korina: fix kfree of rx/tx descriptor array + +From: Valentin Vidic + +[ Upstream commit 3af5f0f5c74ecbaf757ef06c3f80d56751277637 ] + +kmalloc returns KSEG0 addresses so convert back from KSEG1 +in kfree. Also make sure array is freed when the driver is +unloaded from the kernel. + +Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC") +Signed-off-by: Valentin Vidic +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/korina.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index ae195f8adff58..5bdff77c0ad10 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -1113,7 +1113,7 @@ static int korina_probe(struct platform_device *pdev) + return rc; + + probe_err_register: +- kfree(lp->td_ring); ++ kfree(KSEG0ADDR(lp->td_ring)); + probe_err_td_ring: + iounmap(lp->tx_dma_regs); + probe_err_dma_tx: +@@ -1133,6 +1133,7 @@ static int korina_remove(struct platform_device *pdev) + iounmap(lp->eth_regs); + iounmap(lp->rx_dma_regs); + iounmap(lp->tx_dma_regs); ++ kfree(KSEG0ADDR(lp->td_ring)); + + unregister_netdev(bif->dev); + free_netdev(bif->dev); +-- +2.25.1 + diff --git a/queue-5.4/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch b/queue-5.4/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch new file mode 100644 index 00000000000..73dbed96801 --- /dev/null +++ b/queue-5.4/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch @@ -0,0 +1,38 @@ +From ec387c1bd47e027bfb0cdee15085356554a4dcd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 12:07:10 +0300 +Subject: net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow + +From: Eran Ben Elisha + +[ Upstream commit 0d2ffdc8d4002a62de31ff7aa3bef28c843c3cbe ] + +Before calling timecounter_cyc2time(), clock->lock must be taken. +Use mlx5_timecounter_cyc2time instead which guarantees a safe access. + +Fixes: afc98a0b46d8 ("net/mlx5: Update ptp_clock_event foreach PPS event") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +index 75fc283cacc36..492ff2ef9a404 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +@@ -498,8 +498,9 @@ static int mlx5_pps_event(struct notifier_block *nb, + switch (clock->ptp_info.pin_config[pin].func) { + case PTP_PF_EXTTS: + ptp_event.index = pin; +- ptp_event.timestamp = timecounter_cyc2time(&clock->tc, +- be64_to_cpu(eqe->data.pps.time_stamp)); ++ ptp_event.timestamp = ++ mlx5_timecounter_cyc2time(clock, ++ be64_to_cpu(eqe->data.pps.time_stamp)); + if (clock->pps_info.enabled) { + ptp_event.type = PTP_CLOCK_PPSUSR; + ptp_event.pps_times.ts_real = +-- +2.25.1 + diff --git a/queue-5.4/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch b/queue-5.4/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch new file mode 100644 index 00000000000..cf5ec1a7979 --- /dev/null +++ b/queue-5.4/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch @@ -0,0 +1,101 @@ +From 04298b55781ae326923b6cc502248462d55f8abe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:28:40 +0800 +Subject: net: stmmac: use netif_tx_start|stop_all_queues() function + +From: Ong Boon Leong + +[ Upstream commit 9f19306d166688a73356aa636c62e698bf2063cc ] + +The current implementation of stmmac_stop_all_queues() and +stmmac_start_all_queues() will not work correctly when the value of +tx_queues_to_use is changed through ethtool -L DEVNAME rx N tx M command. + +Also, netif_tx_start|stop_all_queues() are only needed in driver open() +and close() only. + +Fixes: c22a3f48 net: stmmac: adding multiple napi mechanism + +Signed-off-by: Ong Boon Leong +Signed-off-by: Voon Weifeng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 33 +------------------ + 1 file changed, 1 insertion(+), 32 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 982be75fde833..189cdb7633671 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -175,32 +175,6 @@ static void stmmac_enable_all_queues(struct stmmac_priv *priv) + } + } + +-/** +- * stmmac_stop_all_queues - Stop all queues +- * @priv: driver private structure +- */ +-static void stmmac_stop_all_queues(struct stmmac_priv *priv) +-{ +- u32 tx_queues_cnt = priv->plat->tx_queues_to_use; +- u32 queue; +- +- for (queue = 0; queue < tx_queues_cnt; queue++) +- netif_tx_stop_queue(netdev_get_tx_queue(priv->dev, queue)); +-} +- +-/** +- * stmmac_start_all_queues - Start all queues +- * @priv: driver private structure +- */ +-static void stmmac_start_all_queues(struct stmmac_priv *priv) +-{ +- u32 tx_queues_cnt = priv->plat->tx_queues_to_use; +- u32 queue; +- +- for (queue = 0; queue < tx_queues_cnt; queue++) +- netif_tx_start_queue(netdev_get_tx_queue(priv->dev, queue)); +-} +- + static void stmmac_service_event_schedule(struct stmmac_priv *priv) + { + if (!test_bit(STMMAC_DOWN, &priv->state) && +@@ -2737,7 +2711,7 @@ static int stmmac_open(struct net_device *dev) + } + + stmmac_enable_all_queues(priv); +- stmmac_start_all_queues(priv); ++ netif_tx_start_all_queues(priv->dev); + + return 0; + +@@ -2778,8 +2752,6 @@ static int stmmac_release(struct net_device *dev) + phylink_stop(priv->phylink); + phylink_disconnect_phy(priv->phylink); + +- stmmac_stop_all_queues(priv); +- + stmmac_disable_all_queues(priv); + + for (chan = 0; chan < priv->plat->tx_queues_to_use; chan++) +@@ -4770,7 +4742,6 @@ int stmmac_suspend(struct device *dev) + mutex_lock(&priv->lock); + + netif_device_detach(ndev); +- stmmac_stop_all_queues(priv); + + stmmac_disable_all_queues(priv); + +@@ -4883,8 +4854,6 @@ int stmmac_resume(struct device *dev) + + stmmac_enable_all_queues(priv); + +- stmmac_start_all_queues(priv); +- + mutex_unlock(&priv->lock); + + if (!device_may_wakeup(priv->device)) { +-- +2.25.1 + diff --git a/queue-5.4/net-wilc1000-clean-up-resource-in-error-path-of-init.patch b/queue-5.4/net-wilc1000-clean-up-resource-in-error-path-of-init.patch new file mode 100644 index 00000000000..286ecc52111 --- /dev/null +++ b/queue-5.4/net-wilc1000-clean-up-resource-in-error-path-of-init.patch @@ -0,0 +1,44 @@ +From b76f2c1560070318e62a1fa1410cf3172c1cd22f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 08:30:19 -0400 +Subject: net: wilc1000: clean up resource in error path of init mon interface + +From: Huang Guobin + +[ Upstream commit 55bd149978679742374c800e56e8f6bc74378bbe ] + +The wilc_wfi_init_mon_int() forgets to clean up resource when +register_netdevice() failed. Add the missed call to fix it. +And the return value of netdev_priv can't be NULL, so remove +the unnecessary error handling. + +Fixes: 588713006ea4 ("staging: wilc1000: avoid the use of 'wilc_wfi_mon' static variable") +Reported-by: Hulk Robot +Signed-off-by: Huang Guobin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200917123019.206382-1-huangguobin4@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/staging/wilc1000/wilc_mon.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/staging/wilc1000/wilc_mon.c b/drivers/staging/wilc1000/wilc_mon.c +index d6f14f69ad64e..017e8e91334f1 100644 +--- a/drivers/staging/wilc1000/wilc_mon.c ++++ b/drivers/staging/wilc1000/wilc_mon.c +@@ -236,11 +236,10 @@ struct net_device *wilc_wfi_init_mon_interface(struct wilc *wl, + + if (register_netdevice(wl->monitor_dev)) { + netdev_err(real_dev, "register_netdevice failed\n"); ++ free_netdev(wl->monitor_dev); + return NULL; + } + priv = netdev_priv(wl->monitor_dev); +- if (!priv) +- return NULL; + + priv->real_ndev = real_dev; + +-- +2.25.1 + diff --git a/queue-5.4/netfilter-conntrack-connection-timeout-after-re-regi.patch b/queue-5.4/netfilter-conntrack-connection-timeout-after-re-regi.patch new file mode 100644 index 00000000000..06c79a7d17b --- /dev/null +++ b/queue-5.4/netfilter-conntrack-connection-timeout-after-re-regi.patch @@ -0,0 +1,64 @@ +From 7d85fdabe2829470596fb41409385c61126aee2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 12:32:52 -0700 +Subject: netfilter: conntrack: connection timeout after re-register + +From: Francesco Ruggeri + +[ Upstream commit 4f25434bccc28cf8a07876ef5142a2869a674353 ] + +If the first packet conntrack sees after a re-register is an outgoing +keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to +SND.NXT-1. +When the peer correctly acknowledges SND.NXT, tcp_in_window fails +check III (Upper bound for valid (s)ack: sack <= receiver.td_end) and +returns false, which cascades into nf_conntrack_in setting +skb->_nfct = 0 and in later conntrack iptables rules not matching. +In cases where iptables are dropping packets that do not match +conntrack rules this can result in idle tcp connections to time out. + +v2: adjust td_end when getting the reply rather than when sending out + the keepalive packet. + +Fixes: f94e63801ab2 ("netfilter: conntrack: reset tcp maxwin on re-register") +Signed-off-by: Francesco Ruggeri +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_tcp.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index 1926fd56df56a..848b137151c26 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -541,13 +541,20 @@ static bool tcp_in_window(const struct nf_conn *ct, + swin = win << sender->td_scale; + sender->td_maxwin = (swin == 0 ? 1 : swin); + sender->td_maxend = end + sender->td_maxwin; +- /* +- * We haven't seen traffic in the other direction yet +- * but we have to tweak window tracking to pass III +- * and IV until that happens. +- */ +- if (receiver->td_maxwin == 0) ++ if (receiver->td_maxwin == 0) { ++ /* We haven't seen traffic in the other ++ * direction yet but we have to tweak window ++ * tracking to pass III and IV until that ++ * happens. ++ */ + receiver->td_end = receiver->td_maxend = sack; ++ } else if (sack == receiver->td_end + 1) { ++ /* Likely a reply to a keepalive. ++ * Needed for III. ++ */ ++ receiver->td_end++; ++ } ++ + } + } else if (((state->state == TCP_CONNTRACK_SYN_SENT + && dir == IP_CT_DIR_ORIGINAL) +-- +2.25.1 + diff --git a/queue-5.4/netfilter-ebtables-fixes-dropping-of-small-packets-i.patch b/queue-5.4/netfilter-ebtables-fixes-dropping-of-small-packets-i.patch new file mode 100644 index 00000000000..b518c1ede48 --- /dev/null +++ b/queue-5.4/netfilter-ebtables-fixes-dropping-of-small-packets-i.patch @@ -0,0 +1,70 @@ +From 399aab17023bb83776b53d6f70adbbac9de651ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 12:36:15 +0000 +Subject: netfilter: ebtables: Fixes dropping of small packets in bridge nat +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timothée COCAULT + +[ Upstream commit 63137bc5882a1882c553d389fdeeeace86ee1741 ] + +Fixes an error causing small packets to get dropped. skb_ensure_writable +expects the second parameter to be a length in the ethernet payload.=20 +If we want to write the ethernet header (src, dst), we should pass 0. +Otherwise, packets with small payloads (< ETH_ALEN) will get dropped. + +Fixes: c1a831167901 ("netfilter: bridge: convert skb_make_writable to skb_ensure_writable") +Signed-off-by: Timothée COCAULT +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebt_dnat.c | 2 +- + net/bridge/netfilter/ebt_redirect.c | 2 +- + net/bridge/netfilter/ebt_snat.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c +index 12a4f4d936810..3fda71a8579d1 100644 +--- a/net/bridge/netfilter/ebt_dnat.c ++++ b/net/bridge/netfilter/ebt_dnat.c +@@ -21,7 +21,7 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par) + { + const struct ebt_nat_info *info = par->targinfo; + +- if (skb_ensure_writable(skb, ETH_ALEN)) ++ if (skb_ensure_writable(skb, 0)) + return EBT_DROP; + + ether_addr_copy(eth_hdr(skb)->h_dest, info->mac); +diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c +index 0cad62a4052b9..307790562b492 100644 +--- a/net/bridge/netfilter/ebt_redirect.c ++++ b/net/bridge/netfilter/ebt_redirect.c +@@ -21,7 +21,7 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par) + { + const struct ebt_redirect_info *info = par->targinfo; + +- if (skb_ensure_writable(skb, ETH_ALEN)) ++ if (skb_ensure_writable(skb, 0)) + return EBT_DROP; + + if (xt_hooknum(par) != NF_BR_BROUTING) +diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c +index 27443bf229a3b..7dfbcdfc30e5d 100644 +--- a/net/bridge/netfilter/ebt_snat.c ++++ b/net/bridge/netfilter/ebt_snat.c +@@ -22,7 +22,7 @@ ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par) + { + const struct ebt_nat_info *info = par->targinfo; + +- if (skb_ensure_writable(skb, ETH_ALEN * 2)) ++ if (skb_ensure_writable(skb, 0)) + return EBT_DROP; + + ether_addr_copy(eth_hdr(skb)->h_source, info->mac); +-- +2.25.1 + diff --git a/queue-5.4/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch b/queue-5.4/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch new file mode 100644 index 00000000000..a7e131a3f25 --- /dev/null +++ b/queue-5.4/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch @@ -0,0 +1,49 @@ +From ed07639a2b4c1bef9ea0d147fc19dc1564f2a863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 12:55:52 +0200 +Subject: netfilter: nf_fwd_netdev: clear timestamp in forwarding path + +From: Pablo Neira Ayuso + +[ Upstream commit c77761c8a59405cb7aa44188b30fffe13fbdd02d ] + +Similar to 7980d2eabde8 ("ipvs: clear skb->tstamp in forwarding path"). +fq qdisc requires tstamp to be cleared in forwarding path. + +Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths") +Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC") +Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_dup_netdev.c | 1 + + net/netfilter/nft_fwd_netdev.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c +index f108a76925dd8..ec6e7d6860163 100644 +--- a/net/netfilter/nf_dup_netdev.c ++++ b/net/netfilter/nf_dup_netdev.c +@@ -19,6 +19,7 @@ static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev) + skb_push(skb, skb->mac_len); + + skb->dev = dev; ++ skb->tstamp = 0; + dev_queue_xmit(skb); + } + +diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c +index 3087e23297dbf..b77985986b24e 100644 +--- a/net/netfilter/nft_fwd_netdev.c ++++ b/net/netfilter/nft_fwd_netdev.c +@@ -138,6 +138,7 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr, + return; + + skb->dev = dev; ++ skb->tstamp = 0; + neigh_xmit(neigh_table, dev, addr, skb); + out: + regs->verdict.code = verdict; +-- +2.25.1 + diff --git a/queue-5.4/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch b/queue-5.4/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch new file mode 100644 index 00000000000..aed677cdadf --- /dev/null +++ b/queue-5.4/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch @@ -0,0 +1,139 @@ +From af6a380dab03a61af3863672176255ac0b989a02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 17:06:06 +0200 +Subject: netfilter: nf_log: missing vlan offload tag and proto + +From: Pablo Neira Ayuso + +[ Upstream commit 0d9826bc18ce356e8909919ad681ad65d0a6061e ] + +Dump vlan tag and proto for the usual vlan offload case if the +NF_LOG_MACDECODE flag is set on. Without this information the logging is +misleading as there is no reference to the VLAN header. + +[12716.993704] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0800 SRC=192.168.10.2 DST=172.217.168.163 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2548 DF PROTO=TCP SPT=55848 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0 +[12721.157643] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0806 ARP HTYPE=1 PTYPE=0x0800 OPCODE=2 MACSRC=86:6c:92:ea:d6:73 IPSRC=192.168.10.2 MACDST=0e:3b:eb:86:73:76 IPDST=192.168.10.1 + +Fixes: 83e96d443b37 ("netfilter: log: split family specific code to nf_log_{ip,ip6,common}.c files") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_log.h | 1 + + net/ipv4/netfilter/nf_log_arp.c | 19 +++++++++++++++++-- + net/ipv4/netfilter/nf_log_ipv4.c | 6 ++++-- + net/ipv6/netfilter/nf_log_ipv6.c | 8 +++++--- + net/netfilter/nf_log_common.c | 12 ++++++++++++ + 5 files changed, 39 insertions(+), 7 deletions(-) + +diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h +index 0d3920896d502..716db4a0fed89 100644 +--- a/include/net/netfilter/nf_log.h ++++ b/include/net/netfilter/nf_log.h +@@ -108,6 +108,7 @@ int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, + unsigned int logflags); + void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, + struct sock *sk); ++void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb); + void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, + unsigned int hooknum, const struct sk_buff *skb, + const struct net_device *in, +diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c +index 7a83f881efa9e..136030ad2e546 100644 +--- a/net/ipv4/netfilter/nf_log_arp.c ++++ b/net/ipv4/netfilter/nf_log_arp.c +@@ -43,16 +43,31 @@ static void dump_arp_packet(struct nf_log_buf *m, + const struct nf_loginfo *info, + const struct sk_buff *skb, unsigned int nhoff) + { +- const struct arphdr *ah; +- struct arphdr _arph; + const struct arppayload *ap; + struct arppayload _arpp; ++ const struct arphdr *ah; ++ unsigned int logflags; ++ struct arphdr _arph; + + ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); + if (ah == NULL) { + nf_log_buf_add(m, "TRUNCATED"); + return; + } ++ ++ if (info->type == NF_LOG_TYPE_LOG) ++ logflags = info->u.log.logflags; ++ else ++ logflags = NF_LOG_DEFAULT_MASK; ++ ++ if (logflags & NF_LOG_MACDECODE) { ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", ++ ntohs(eth_hdr(skb)->h_proto)); ++ } ++ + nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", + ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); + +diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c +index 4b2d49cc9f1a1..cb288ffbcfde2 100644 +--- a/net/ipv4/netfilter/nf_log_ipv4.c ++++ b/net/ipv4/netfilter/nf_log_ipv4.c +@@ -284,8 +284,10 @@ static void dump_ipv4_mac_header(struct nf_log_buf *m, + + switch (dev->type) { + case ARPHRD_ETHER: +- nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", +- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", + ntohs(eth_hdr(skb)->h_proto)); + return; + default: +diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c +index 22b80db6d8826..5b40258d3a5e9 100644 +--- a/net/ipv6/netfilter/nf_log_ipv6.c ++++ b/net/ipv6/netfilter/nf_log_ipv6.c +@@ -297,9 +297,11 @@ static void dump_ipv6_mac_header(struct nf_log_buf *m, + + switch (dev->type) { + case ARPHRD_ETHER: +- nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", +- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, +- ntohs(eth_hdr(skb)->h_proto)); ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", ++ ntohs(eth_hdr(skb)->h_proto)); + return; + default: + break; +diff --git a/net/netfilter/nf_log_common.c b/net/netfilter/nf_log_common.c +index ae5628ddbe6d7..fd7c5f0f5c25b 100644 +--- a/net/netfilter/nf_log_common.c ++++ b/net/netfilter/nf_log_common.c +@@ -171,6 +171,18 @@ nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, + } + EXPORT_SYMBOL_GPL(nf_log_dump_packet_common); + ++void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) ++{ ++ u16 vid; ++ ++ if (!skb_vlan_tag_present(skb)) ++ return; ++ ++ vid = skb_vlan_tag_get(skb); ++ nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); ++} ++EXPORT_SYMBOL_GPL(nf_log_dump_vlan); ++ + /* bridge and netdev logging families share this code. */ + void nf_log_l2packet(struct net *net, u_int8_t pf, + __be16 protocol, +-- +2.25.1 + diff --git a/queue-5.4/nl80211-fix-non-split-wiphy-information.patch b/queue-5.4/nl80211-fix-non-split-wiphy-information.patch new file mode 100644 index 00000000000..156ed120603 --- /dev/null +++ b/queue-5.4/nl80211-fix-non-split-wiphy-information.patch @@ -0,0 +1,49 @@ +From cf4809a955cbb259de9645d3177a2c690550c940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 13:07:18 +0200 +Subject: nl80211: fix non-split wiphy information + +From: Johannes Berg + +[ Upstream commit ab10c22bc3b2024f0c9eafa463899a071eac8d97 ] + +When dumping wiphy information, we try to split the data into +many submessages, but for old userspace we still support the +old mode where this doesn't happen. + +However, in this case we were not resetting our state correctly +and dumping multiple messages for each wiphy, which would have +broken such older userspace. + +This was broken pretty much immediately afterwards because it +only worked in the original commit where non-split dumps didn't +have any more data than split dumps... + +Fixes: fe1abafd942f ("nl80211: re-add channel width and extended capa advertising") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20200928130717.3e6d9c6bada2.Ie0f151a8d0d00a8e1e18f6a8c9244dd02496af67@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 3faad3b147376..672b70730e898 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -2227,7 +2227,10 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev, + * case we'll continue with more data in the next round, + * but break unconditionally so unsplit data stops here. + */ +- state->split_start++; ++ if (state->split) ++ state->split_start++; ++ else ++ state->split_start = 0; + break; + case 9: + if (rdev->wiphy.extended_capabilities && +-- +2.25.1 + diff --git a/queue-5.4/nl80211-fix-obss-pd-min-and-max-offset-validation.patch b/queue-5.4/nl80211-fix-obss-pd-min-and-max-offset-validation.patch new file mode 100644 index 00000000000..4254d58e54e --- /dev/null +++ b/queue-5.4/nl80211-fix-obss-pd-min-and-max-offset-validation.patch @@ -0,0 +1,59 @@ +From 826fa3ecd49d44113d2b3a899f3f32e7cbe45863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 00:28:10 -0700 +Subject: nl80211: fix OBSS PD min and max offset validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rajkumar Manoharan + +[ Upstream commit 6c8b6e4a5f745ec49286ac0a3f1d591a34818f82 ] + +The SRG min and max offset won't present when SRG Information Present of +SR control field of Spatial Reuse Parameter Set element set to 0. Per +spec. IEEE802.11ax D7.0, SRG OBSS PD Min Offset ≤ SRG OBSS PD Max +Offset. Hence fix the constrain check to allow same values in both +offset and also call appropriate nla_get function to read the values. + +Fixes: 796e90f42b7e ("cfg80211: add support for parsing OBBS_PD attributes") +Signed-off-by: Rajkumar Manoharan +Link: https://lore.kernel.org/r/1601278091-20313-1-git-send-email-rmanohar@codeaurora.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 7bc4f37655237..3faad3b147376 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4496,16 +4496,14 @@ static int nl80211_parse_he_obss_pd(struct nlattr *attrs, + if (err) + return err; + +- if (!tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] || +- !tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]) +- return -EINVAL; +- +- he_obss_pd->min_offset = +- nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]); +- he_obss_pd->max_offset = +- nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]); +- +- if (he_obss_pd->min_offset >= he_obss_pd->max_offset) ++ if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]) ++ he_obss_pd->min_offset = ++ nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]); ++ if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]) ++ he_obss_pd->max_offset = ++ nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]); ++ ++ if (he_obss_pd->min_offset > he_obss_pd->max_offset) + return -EINVAL; + + he_obss_pd->enable = true; +-- +2.25.1 + diff --git a/queue-5.4/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch b/queue-5.4/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch new file mode 100644 index 00000000000..0b4a802f695 --- /dev/null +++ b/queue-5.4/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch @@ -0,0 +1,36 @@ +From 9ab0713e844ee16b8f4758ac96edd6d3c0cac95d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 09:59:57 +0800 +Subject: NTB: hw: amd: fix an issue about leak system resources + +From: Kaige Li + +[ Upstream commit 44a0a3c17919db1498cebb02ecf3cf4abc1ade7b ] + +The related system resources were not released when pci_set_dma_mask(), +pci_set_consistent_dma_mask(), or pci_iomap() return error in the +amd_ntb_init_pci() function. Add pci_release_regions() to fix it. + +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Kaige Li +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index 156c2a18a2394..abb37659de343 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1036,6 +1036,7 @@ static int amd_ntb_init_pci(struct amd_ntb_dev *ndev, + + err_dma_mask: + pci_clear_master(pdev); ++ pci_release_regions(pdev); + err_pci_regions: + pci_disable_device(pdev); + err_pci_enable: +-- +2.25.1 + diff --git a/queue-5.4/ntfs-add-check-for-mft-record-size-in-superblock.patch b/queue-5.4/ntfs-add-check-for-mft-record-size-in-superblock.patch new file mode 100644 index 00000000000..cbb4826afba --- /dev/null +++ b/queue-5.4/ntfs-add-check-for-mft-record-size-in-superblock.patch @@ -0,0 +1,46 @@ +From df4ac570ecd5523891c958555716170203efa8e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:48:17 -0700 +Subject: ntfs: add check for mft record size in superblock + +From: Rustam Kovhaev + +[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ] + +Number of bytes allocated for mft record should be equal to the mft record +size stored in ntfs superblock as reported by syzbot, userspace might +trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find() + +Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com +Signed-off-by: Rustam Kovhaev +Signed-off-by: Andrew Morton +Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com +Acked-by: Anton Altaparmakov +Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e +Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ntfs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c +index d4359a1df3d5e..84933a0af49b6 100644 +--- a/fs/ntfs/inode.c ++++ b/fs/ntfs/inode.c +@@ -1809,6 +1809,12 @@ int ntfs_read_inode_mount(struct inode *vi) + brelse(bh); + } + ++ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) { ++ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.", ++ le32_to_cpu(m->bytes_allocated), vol->mft_record_size); ++ goto err_out; ++ } ++ + /* Apply the mst fixups. */ + if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) { + /* FIXME: Try to use the $MFTMirr now. */ +-- +2.25.1 + diff --git a/queue-5.4/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch b/queue-5.4/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch new file mode 100644 index 00000000000..f844bc1e2fd --- /dev/null +++ b/queue-5.4/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch @@ -0,0 +1,115 @@ +From d85868b5fbb71c0256d3f0467e396ffbc6ea4655 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 23:44:56 +0300 +Subject: nvmem: core: fix possibly memleak when use + nvmem_cell_info_to_nvmem_cell() + +From: Vadym Kochan + +[ Upstream commit fc9eec4d643597cf4cb2fef17d48110e677610da ] + +Fix missing 'kfree_const(cell->name)' when call to +nvmem_cell_info_to_nvmem_cell() in several places: + + * after nvmem_cell_info_to_nvmem_cell() failed during + nvmem_add_cells() + + * during nvmem_device_cell_{read,write} when cell->name is + kstrdup'ed() without calling kfree_const() at the end, but + really there is no reason to do that 'dup, because the cell + instance is allocated on the stack for some short period to be + read/write without exposing it to the caller. + +So the new nvmem_cell_info_to_nvmem_cell_nodup() helper is introduced +which is used to convert cell_info -> cell without name duplication as +a lighweight version of nvmem_cell_info_to_nvmem_cell(). + +Fixes: e2a5402ec7c6 ("nvmem: Add nvmem_device based consumer apis.") +Reviewed-by: Srinivas Kandagatla +Acked-by: Srinivas Kandagatla +Signed-off-by: Vadym Kochan +Link: https://lore.kernel.org/r/20200923204456.14032-1-vadym.kochan@plvision.eu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/nvmem/core.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c +index 960542dea5adb..84f4078216a36 100644 +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -130,16 +130,14 @@ static void nvmem_cell_add(struct nvmem_cell *cell) + blocking_notifier_call_chain(&nvmem_notifier, NVMEM_CELL_ADD, cell); + } + +-static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, +- const struct nvmem_cell_info *info, +- struct nvmem_cell *cell) ++static int nvmem_cell_info_to_nvmem_cell_nodup(struct nvmem_device *nvmem, ++ const struct nvmem_cell_info *info, ++ struct nvmem_cell *cell) + { + cell->nvmem = nvmem; + cell->offset = info->offset; + cell->bytes = info->bytes; +- cell->name = kstrdup_const(info->name, GFP_KERNEL); +- if (!cell->name) +- return -ENOMEM; ++ cell->name = info->name; + + cell->bit_offset = info->bit_offset; + cell->nbits = info->nbits; +@@ -151,13 +149,30 @@ static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, + if (!IS_ALIGNED(cell->offset, nvmem->stride)) { + dev_err(&nvmem->dev, + "cell %s unaligned to nvmem stride %d\n", +- cell->name, nvmem->stride); ++ cell->name ?: "", nvmem->stride); + return -EINVAL; + } + + return 0; + } + ++static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, ++ const struct nvmem_cell_info *info, ++ struct nvmem_cell *cell) ++{ ++ int err; ++ ++ err = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, cell); ++ if (err) ++ return err; ++ ++ cell->name = kstrdup_const(info->name, GFP_KERNEL); ++ if (!cell->name) ++ return -ENOMEM; ++ ++ return 0; ++} ++ + /** + * nvmem_add_cells() - Add cell information to an nvmem device + * +@@ -1174,7 +1189,7 @@ ssize_t nvmem_device_cell_read(struct nvmem_device *nvmem, + if (!nvmem) + return -EINVAL; + +- rc = nvmem_cell_info_to_nvmem_cell(nvmem, info, &cell); ++ rc = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, &cell); + if (rc) + return rc; + +@@ -1204,7 +1219,7 @@ int nvmem_device_cell_write(struct nvmem_device *nvmem, + if (!nvmem) + return -EINVAL; + +- rc = nvmem_cell_info_to_nvmem_cell(nvmem, info, &cell); ++ rc = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, &cell); + if (rc) + return rc; + +-- +2.25.1 + diff --git a/queue-5.4/nvmet-fix-uninitialized-work-for-zero-kato.patch b/queue-5.4/nvmet-fix-uninitialized-work-for-zero-kato.patch new file mode 100644 index 00000000000..f66d0f89449 --- /dev/null +++ b/queue-5.4/nvmet-fix-uninitialized-work-for-zero-kato.patch @@ -0,0 +1,55 @@ +From c56f02d87a10f05cfca89e92e5576f0016379c07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 09:51:40 +0800 +Subject: nvmet: fix uninitialized work for zero kato + +From: zhenwei pi + +[ Upstream commit 85bd23f3dc09a2ae9e56885420e52c54bf983713 ] + +When connecting a controller with a zero kato value using the following +command line + + nvme connect -t tcp -n NQN -a ADDR -s PORT --keep-alive-tmo=0 + +the warning below can be reproduced: + +WARNING: CPU: 1 PID: 241 at kernel/workqueue.c:1627 __queue_delayed_work+0x6d/0x90 +with trace: + mod_delayed_work_on+0x59/0x90 + nvmet_update_cc+0xee/0x100 [nvmet] + nvmet_execute_prop_set+0x72/0x80 [nvmet] + nvmet_tcp_try_recv_pdu+0x2f7/0x770 [nvmet_tcp] + nvmet_tcp_io_work+0x63f/0xb2d [nvmet_tcp] + ... + +This is caused by queuing up an uninitialized work. Althrough the +keep-alive timer is disabled during allocating the controller (fixed in +0d3b6a8d213a), ka_work still has a chance to run (called by +nvmet_start_ctrl). + +Fixes: 0d3b6a8d213a ("nvmet: Disable keep-alive timer when kato is cleared to 0h") +Signed-off-by: zhenwei pi +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 7d7176369edf7..6b2f1e290fa73 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -1048,7 +1048,8 @@ static void nvmet_start_ctrl(struct nvmet_ctrl *ctrl) + * in case a host died before it enabled the controller. Hence, simply + * reset the keep alive timer when the controller is enabled. + */ +- mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ); ++ if (ctrl->kato) ++ mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ); + } + + static void nvmet_clear_ctrl(struct nvmet_ctrl *ctrl) +-- +2.25.1 + diff --git a/queue-5.4/opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch b/queue-5.4/opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch new file mode 100644 index 00000000000..388758714aa --- /dev/null +++ b/queue-5.4/opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch @@ -0,0 +1,55 @@ +From 6d5a51bbef175b4b5cef9ebf3d1f03332cb8fc01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 11:22:37 +0530 +Subject: opp: Prevent memory leak in dev_pm_opp_attach_genpd() + +From: Viresh Kumar + +[ Upstream commit cb60e9602cce1593eb1e9cdc8ee562815078a354 ] + +If dev_pm_opp_attach_genpd() is called multiple times (once for each CPU +sharing the table), then it would result in unwanted behavior like +memory leak, attaching the domain multiple times, etc. + +Handle that by checking and returning earlier if the domains are already +attached. Now that dev_pm_opp_detach_genpd() can get called multiple +times as well, we need to protect that too. + +Note that the virtual device pointers aren't returned in this case, as +they may become unavailable to some callers during the middle of the +operation. + +Reported-by: Stephan Gerhold +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/opp/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/opp/core.c b/drivers/opp/core.c +index 29dfaa591f8b0..8867bab72e171 100644 +--- a/drivers/opp/core.c ++++ b/drivers/opp/core.c +@@ -1796,6 +1796,9 @@ static void _opp_detach_genpd(struct opp_table *opp_table) + { + int index; + ++ if (!opp_table->genpd_virt_devs) ++ return; ++ + for (index = 0; index < opp_table->required_opp_count; index++) { + if (!opp_table->genpd_virt_devs[index]) + continue; +@@ -1842,6 +1845,9 @@ struct opp_table *dev_pm_opp_attach_genpd(struct device *dev, + if (!opp_table) + return ERR_PTR(-ENOMEM); + ++ if (opp_table->genpd_virt_devs) ++ return opp_table; ++ + /* + * If the genpd's OPP table isn't already initialized, parsing of the + * required-opps fail for dev. We should retry this after genpd's OPP +-- +2.25.1 + diff --git a/queue-5.4/overflow-include-header-file-with-size_max-declarati.patch b/queue-5.4/overflow-include-header-file-with-size_max-declarati.patch new file mode 100644 index 00000000000..dd637426b0d --- /dev/null +++ b/queue-5.4/overflow-include-header-file-with-size_max-declarati.patch @@ -0,0 +1,42 @@ +From d1aae1da2d54a01ed290748ddc06dab464b7f887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Sep 2020 13:29:28 +0300 +Subject: overflow: Include header file with SIZE_MAX declaration + +From: Leon Romanovsky + +[ Upstream commit a4947e84f23474803b62a2759b5808147e4e15f9 ] + +The various array_size functions use SIZE_MAX define, but missed limits.h +causes to failure to compile code that needs overflow.h. + + In file included from drivers/infiniband/core/uverbs_std_types_device.c:6: + ./include/linux/overflow.h: In function 'array_size': + ./include/linux/overflow.h:258:10: error: 'SIZE_MAX' undeclared (first use in this function) + 258 | return SIZE_MAX; + | ^~~~~~~~ + +Fixes: 610b15c50e86 ("overflow.h: Add allocation size calculation helpers") +Link: https://lore.kernel.org/r/20200913102928.134985-1-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/linux/overflow.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/overflow.h b/include/linux/overflow.h +index 659045046468f..50c93ca0c3d6f 100644 +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -3,6 +3,7 @@ + #define __LINUX_OVERFLOW_H + + #include ++#include + + /* + * In the fallback code below, we need to compute the minimum and +-- +2.25.1 + diff --git a/queue-5.4/pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch b/queue-5.4/pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch new file mode 100644 index 00000000000..8e366a72bf0 --- /dev/null +++ b/queue-5.4/pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch @@ -0,0 +1,63 @@ +From 5aea523422aaa495f48f21991c2706daf8a26f25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 13:10:35 +0200 +Subject: PCI: aardvark: Check for errors from pci_bridge_emul_init() call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 7862a6134456c8b4f8c39e8c94aa97e5c2f7f2b7 ] + +Function pci_bridge_emul_init() may fail so correctly check for errors. + +Link: https://lore.kernel.org/r/20200907111038.5811-3-pali@kernel.org +Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Marek Behún +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-aardvark.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c +index f2481e80e2723..d0e60441dc8f2 100644 +--- a/drivers/pci/controller/pci-aardvark.c ++++ b/drivers/pci/controller/pci-aardvark.c +@@ -503,7 +503,7 @@ static struct pci_bridge_emul_ops advk_pci_bridge_emul_ops = { + * Initialize the configuration space of the PCI-to-PCI bridge + * associated with the given PCIe interface. + */ +-static void advk_sw_pci_bridge_init(struct advk_pcie *pcie) ++static int advk_sw_pci_bridge_init(struct advk_pcie *pcie) + { + struct pci_bridge_emul *bridge = &pcie->bridge; + +@@ -527,8 +527,7 @@ static void advk_sw_pci_bridge_init(struct advk_pcie *pcie) + bridge->data = pcie; + bridge->ops = &advk_pci_bridge_emul_ops; + +- pci_bridge_emul_init(bridge, 0); +- ++ return pci_bridge_emul_init(bridge, 0); + } + + static bool advk_pcie_valid_device(struct advk_pcie *pcie, struct pci_bus *bus, +@@ -1027,7 +1026,11 @@ static int advk_pcie_probe(struct platform_device *pdev) + + advk_pcie_setup_hw(pcie); + +- advk_sw_pci_bridge_init(pcie); ++ ret = advk_sw_pci_bridge_init(pcie); ++ if (ret) { ++ dev_err(dev, "Failed to register emulated root PCI bridge\n"); ++ return ret; ++ } + + ret = advk_pcie_init_irq_domain(pcie); + if (ret) { +-- +2.25.1 + diff --git a/queue-5.4/pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch b/queue-5.4/pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch new file mode 100644 index 00000000000..a182a2ec1d8 --- /dev/null +++ b/queue-5.4/pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch @@ -0,0 +1,53 @@ +From 461babcb70fdb70b1ade9fd737bc554128cc3a5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 10:59:55 -0400 +Subject: PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY + +From: Matthew Rosato + +[ Upstream commit 12856e7acde4702b7c3238c15fcba86ff6aa507f ] + +For VFs, the Memory Space Enable bit in the Command Register is +hard-wired to 0. + +Add a new bit to signify devices where the Command Register Memory +Space Enable bit does not control the device's response to MMIO +accesses. + +Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory") +Signed-off-by: Matthew Rosato +Acked-by: Bjorn Helgaas +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/pci/iov.c | 1 + + include/linux/pci.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c +index 9c116cbaa95d8..e15220385666f 100644 +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -158,6 +158,7 @@ int pci_iov_add_virtfn(struct pci_dev *dev, int id) + virtfn->device = iov->vf_device; + virtfn->is_virtfn = 1; + virtfn->physfn = pci_dev_get(dev); ++ virtfn->no_command_memory = 1; + + if (id == 0) + pci_read_vf_config_common(virtfn); +diff --git a/include/linux/pci.h b/include/linux/pci.h +index e92bd9b32f369..6a6a819c5b49b 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -423,6 +423,7 @@ struct pci_dev { + unsigned int is_probed:1; /* Device probing in progress */ + unsigned int link_active_reporting:1;/* Device capable of reporting link active */ + unsigned int no_vf_scan:1; /* Don't scan for VFs after IOV enablement */ ++ unsigned int no_command_memory:1; /* No PCI_COMMAND_MEMORY */ + pci_dev_flags_t dev_flags; + atomic_t enable_cnt; /* pci_enable_device has been called */ + +-- +2.25.1 + diff --git a/queue-5.4/pci-iproc-set-affinity-mask-on-msi-interrupts.patch b/queue-5.4/pci-iproc-set-affinity-mask-on-msi-interrupts.patch new file mode 100644 index 00000000000..f8a551ed8e2 --- /dev/null +++ b/queue-5.4/pci-iproc-set-affinity-mask-on-msi-interrupts.patch @@ -0,0 +1,55 @@ +From d5488c060bced83e195b68ed72d6391a2f208a9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 15:52:40 +1200 +Subject: PCI: iproc: Set affinity mask on MSI interrupts + +From: Mark Tomlinson + +[ Upstream commit eb7eacaa5b9e4f665bd08d416c8f88e63d2f123c ] + +The core interrupt code expects the irq_set_affinity call to update the +effective affinity for the interrupt. This was not being done, so update +iproc_msi_irq_set_affinity() to do so. + +Link: https://lore.kernel.org/r/20200803035241.7737-1-mark.tomlinson@alliedtelesis.co.nz +Fixes: 3bc2b2348835 ("PCI: iproc: Add iProc PCIe MSI support") +Signed-off-by: Mark Tomlinson +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Ray Jui +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-iproc-msi.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pcie-iproc-msi.c b/drivers/pci/controller/pcie-iproc-msi.c +index 0a3f61be5625b..a1298f6784ac9 100644 +--- a/drivers/pci/controller/pcie-iproc-msi.c ++++ b/drivers/pci/controller/pcie-iproc-msi.c +@@ -209,15 +209,20 @@ static int iproc_msi_irq_set_affinity(struct irq_data *data, + struct iproc_msi *msi = irq_data_get_irq_chip_data(data); + int target_cpu = cpumask_first(mask); + int curr_cpu; ++ int ret; + + curr_cpu = hwirq_to_cpu(msi, data->hwirq); + if (curr_cpu == target_cpu) +- return IRQ_SET_MASK_OK_DONE; ++ ret = IRQ_SET_MASK_OK_DONE; ++ else { ++ /* steer MSI to the target CPU */ ++ data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu; ++ ret = IRQ_SET_MASK_OK; ++ } + +- /* steer MSI to the target CPU */ +- data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu; ++ irq_data_update_effective_affinity(data, cpumask_of(target_cpu)); + +- return IRQ_SET_MASK_OK; ++ return ret; + } + + static void iproc_msi_irq_compose_msi_msg(struct irq_data *data, +-- +2.25.1 + diff --git a/queue-5.4/perf-correct-snoopx-field-offset.patch b/queue-5.4/perf-correct-snoopx-field-offset.patch new file mode 100644 index 00000000000..ef37a68b3d7 --- /dev/null +++ b/queue-5.4/perf-correct-snoopx-field-offset.patch @@ -0,0 +1,40 @@ +From 328dbae0d669b757e2dc7ea67a1387cc59d43e45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 21:46:37 +0100 +Subject: perf: correct SNOOPX field offset + +From: Al Grant + +[ Upstream commit f3d301c1f2f5676465cdf3259737ea19cc82731f ] + +perf_event.h has macros that define the field offsets in the +data_src bitmask in perf records. The SNOOPX and REMOTE offsets +were both 37. These are distinct fields, and the bitfield layout +in perf_mem_data_src confirms that SNOOPX should be at offset 38. + +Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings") +Signed-off-by: Al Grant +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Andi Kleen +Link: https://lkml.kernel.org/r/4ac9f5cc-4388-b34a-9999-418a4099415d@foss.arm.com +Signed-off-by: Sasha Levin +--- + include/uapi/linux/perf_event.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/perf_event.h b/include/uapi/linux/perf_event.h +index bb7b271397a66..ceccd980ffcfe 100644 +--- a/include/uapi/linux/perf_event.h ++++ b/include/uapi/linux/perf_event.h +@@ -1131,7 +1131,7 @@ union perf_mem_data_src { + + #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */ + /* 1 free */ +-#define PERF_MEM_SNOOPX_SHIFT 37 ++#define PERF_MEM_SNOOPX_SHIFT 38 + + /* locked instruction */ + #define PERF_MEM_LOCK_NA 0x01 /* not available */ +-- +2.25.1 + diff --git a/queue-5.4/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch b/queue-5.4/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch new file mode 100644 index 00000000000..a4baddc6391 --- /dev/null +++ b/queue-5.4/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch @@ -0,0 +1,152 @@ +From 43a0f588151acc11583bb1d2c385466567bd0caa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 11:49:23 +0300 +Subject: perf intel-pt: Fix "context_switch event has no tid" error + +From: Adrian Hunter + +[ Upstream commit 7d537a8d2e76bc4fc71e34545ceaa463ac2cd928 ] + +A context_switch event can have no tid because pids can be detached from +a task while the task is still running (in do_exit()). Note this won't +happen with per-task contexts because then tracing stops at +perf_event_exit_task() + +If a task with no tid gets preempted, or a dying task gets preempted and +its parent releases it, when it subsequently gets switched back in, +Intel PT will not be able to determine what task is running and prints +an error "context_switch event has no tid". However, it is not really an +error because the task is in kernel space and the decoder can continue +to decode successfully. Fix by changing the error to be only a logged +message, and make allowance for tid == -1. + +Example: + + Using 5.9-rc4 with Preemptible Kernel (Low-Latency Desktop) e.g. + $ uname -r + 5.9.0-rc4 + $ grep PREEMPT .config + # CONFIG_PREEMPT_NONE is not set + # CONFIG_PREEMPT_VOLUNTARY is not set + CONFIG_PREEMPT=y + CONFIG_PREEMPT_COUNT=y + CONFIG_PREEMPTION=y + CONFIG_PREEMPT_RCU=y + CONFIG_PREEMPT_NOTIFIERS=y + CONFIG_DRM_I915_PREEMPT_TIMEOUT=640 + CONFIG_DEBUG_PREEMPT=y + # CONFIG_PREEMPT_TRACER is not set + # CONFIG_PREEMPTIRQ_DELAY_TEST is not set + +Before: + + $ cat forkit.c + + #include + #include + #include + + int main() + { + pid_t child; + int status = 0; + + child = fork(); + if (child == 0) + return 123; + wait(&status); + return 0; + } + + $ gcc -o forkit forkit.c + $ sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k & + [1] 11016 + $ taskset 2 ./forkit + $ sudo pkill perf + $ [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 17.262 MB perf.data ] + + [1]+ Terminated sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k + $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit + context_switch event has no tid + taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) + taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 + forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) + forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 + forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) + forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) + forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 + forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 + forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) + forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) + +After: + + $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit + taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) + taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 + forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) + forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 + forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) + forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) + forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 + forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 + forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) + forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) + forkit 11019 [001] 66663.271688752: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: -1/-1 + :-1 -1 [001] 66663.271692086: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + :-1 -1 [001] 66663.271707466: 1 instructions:k: ffffffffb18eb096 update_load_avg+0x306 ([kernel.kallsyms]) + +Fixes: 86c2786994bd7c ("perf intel-pt: Add support for PERF_RECORD_SWITCH") +Signed-off-by: Adrian Hunter +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Yu-cheng Yu +Link: http://lore.kernel.org/lkml/20200909084923.9096-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index c5cce3a60476b..8aeaeba48a41f 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -974,6 +974,8 @@ static void intel_pt_set_pid_tid_cpu(struct intel_pt *pt, + + if (queue->tid == -1 || pt->have_sched_switch) { + ptq->tid = machine__get_current_tid(pt->machine, ptq->cpu); ++ if (ptq->tid == -1) ++ ptq->pid = -1; + thread__zput(ptq->thread); + } + +@@ -2488,10 +2490,8 @@ static int intel_pt_context_switch(struct intel_pt *pt, union perf_event *event, + tid = sample->tid; + } + +- if (tid == -1) { +- pr_err("context_switch event has no tid\n"); +- return -EINVAL; +- } ++ if (tid == -1) ++ intel_pt_log("context_switch event has no tid\n"); + + intel_pt_log("context_switch: cpu %d pid %d tid %d time %"PRIu64" tsc %#"PRIx64"\n", + cpu, pid, tid, sample->time, perf_time_to_tsc(sample->time, +-- +2.25.1 + diff --git a/queue-5.4/perf-stat-skip-duration_time-in-setup_system_wide.patch b/queue-5.4/perf-stat-skip-duration_time-in-setup_system_wide.patch new file mode 100644 index 00000000000..4c29580a7cf --- /dev/null +++ b/queue-5.4/perf-stat-skip-duration_time-in-setup_system_wide.patch @@ -0,0 +1,75 @@ +From 01a42027133e240630819952113e74c3c329ff1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 09:50:04 +0800 +Subject: perf stat: Skip duration_time in setup_system_wide + +From: Jin Yao + +[ Upstream commit 002a3d690f95804bdef6b70b26154103518e13d9 ] + +Some metrics (such as DRAM_BW_Use) consists of uncore events and +duration_time. For uncore events, counter->core.system_wide is true. But +for duration_time, counter->core.system_wide is false so +target.system_wide is set to false. + +Then 'enable_on_exec' is set in perf_event_attr of uncore event. Kernel +will return error when trying to open the uncore event. + +This patch skips the duration_time in setup_system_wide then +target.system_wide will be set to true for the evlist of uncore events + +duration_time. + +Before (tested on skylake desktop): + + # perf stat -M DRAM_BW_Use -- sleep 1 + Error: + The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (arb/event=0x84,umask=0x1/). + /bin/dmesg | grep -i perf may provide additional information. + +After: + + # perf stat -M DRAM_BW_Use -- sleep 1 + + Performance counter stats for 'system wide': + + 169 arb/event=0x84,umask=0x1/ # 0.00 DRAM_BW_Use + 40,427 arb/event=0x81,umask=0x1/ + 1,000,902,197 ns duration_time + + 1.000902197 seconds time elapsed + +Fixes: e3ba76deef23064f ("perf tools: Force uncore events to system wide monitoring") +Signed-off-by: Jin Yao +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20200922015004.30114-1-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-stat.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c +index ac2feddc75fdd..ea183922c4ef1 100644 +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -1671,8 +1671,10 @@ static void setup_system_wide(int forks) + struct evsel *counter; + + evlist__for_each_entry(evsel_list, counter) { +- if (!counter->core.system_wide) ++ if (!counter->core.system_wide && ++ strcmp(counter->name, "duration_time")) { + return; ++ } + } + + if (evsel_list->core.nr_entries) +-- +2.25.1 + diff --git a/queue-5.4/perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch b/queue-5.4/perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch new file mode 100644 index 00000000000..0ed9bf0c0d8 --- /dev/null +++ b/queue-5.4/perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch @@ -0,0 +1,161 @@ +From b29ebe8e5e1888bc7b85470ed4608ff712192090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:06:49 -0700 +Subject: perf/x86/intel/ds: Fix x86_pmu_stop warning for large PEBS + +From: Kan Liang + +[ Upstream commit 35d1ce6bec133679ff16325d335217f108b84871 ] + +A warning as below may be triggered when sampling with large PEBS. + +[ 410.411250] perf: interrupt took too long (72145 > 71975), lowering +kernel.perf_event_max_sample_rate to 2000 +[ 410.724923] ------------[ cut here ]------------ +[ 410.729822] WARNING: CPU: 0 PID: 16397 at arch/x86/events/core.c:1422 +x86_pmu_stop+0x95/0xa0 +[ 410.933811] x86_pmu_del+0x50/0x150 +[ 410.937304] event_sched_out.isra.0+0xbc/0x210 +[ 410.941751] group_sched_out.part.0+0x53/0xd0 +[ 410.946111] ctx_sched_out+0x193/0x270 +[ 410.949862] __perf_event_task_sched_out+0x32c/0x890 +[ 410.954827] ? set_next_entity+0x98/0x2d0 +[ 410.958841] __schedule+0x592/0x9c0 +[ 410.962332] schedule+0x5f/0xd0 +[ 410.965477] exit_to_usermode_loop+0x73/0x120 +[ 410.969837] prepare_exit_to_usermode+0xcd/0xf0 +[ 410.974369] ret_from_intr+0x2a/0x3a +[ 410.977946] RIP: 0033:0x40123c +[ 411.079661] ---[ end trace bc83adaea7bb664a ]--- + +In the non-overflow context, e.g., context switch, with large PEBS, perf +may stop an event twice. An example is below. + + //max_samples_per_tick is adjusted to 2 + //NMI is triggered + intel_pmu_handle_irq() + handle_pmi_common() + drain_pebs() + __intel_pmu_pebs_event() + perf_event_overflow() + __perf_event_account_interrupt() + hwc->interrupts = 1 + return 0 + //A context switch happens right after the NMI. + //In the same tick, the perf_throttled_seq is not changed. + perf_event_task_sched_out() + perf_pmu_sched_task() + intel_pmu_drain_pebs_buffer() + __intel_pmu_pebs_event() + perf_event_overflow() + __perf_event_account_interrupt() + ++hwc->interrupts >= max_samples_per_tick + return 1 + x86_pmu_stop(); # First stop + perf_event_context_sched_out() + task_ctx_sched_out() + ctx_sched_out() + event_sched_out() + x86_pmu_del() + x86_pmu_stop(); # Second stop and trigger the warning + +Perf should only invoke the perf_event_overflow() in the overflow +context. + +Current drain_pebs() is called from: +- handle_pmi_common() -- overflow context +- intel_pmu_pebs_sched_task() -- non-overflow context +- intel_pmu_pebs_disable() -- non-overflow context +- intel_pmu_auto_reload_read() -- possible overflow context + With PERF_SAMPLE_READ + PERF_FORMAT_GROUP, the function may be + invoked in the NMI handler. But, before calling the function, the + PEBS buffer has already been drained. The __intel_pmu_pebs_event() + will not be called in the possible overflow context. + +To fix the issue, an indicator is required to distinguish between the +overflow context aka handle_pmi_common() and other cases. +The dummy regs pointer can be used as the indicator. + +In the non-overflow context, perf should treat the last record the same +as other PEBS records, and doesn't invoke the generic overflow handler. + +Fixes: 21509084f999 ("perf/x86/intel: Handle multiple records in the PEBS buffer") +Reported-by: Like Xu +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Like Xu +Link: https://lkml.kernel.org/r/20200902210649.2743-1-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/ds.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index e5ad97a823426..1aaba2c8a9ba6 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -669,9 +669,7 @@ int intel_pmu_drain_bts_buffer(void) + + static inline void intel_pmu_drain_pebs_buffer(void) + { +- struct pt_regs regs; +- +- x86_pmu.drain_pebs(®s); ++ x86_pmu.drain_pebs(NULL); + } + + /* +@@ -1736,6 +1734,7 @@ static void __intel_pmu_pebs_event(struct perf_event *event, + struct x86_perf_regs perf_regs; + struct pt_regs *regs = &perf_regs.regs; + void *at = get_next_pebs_record_by_bit(base, top, bit); ++ struct pt_regs dummy_iregs; + + if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) { + /* +@@ -1748,6 +1747,9 @@ static void __intel_pmu_pebs_event(struct perf_event *event, + } else if (!intel_pmu_save_and_restart(event)) + return; + ++ if (!iregs) ++ iregs = &dummy_iregs; ++ + while (count > 1) { + setup_sample(event, iregs, at, &data, regs); + perf_event_output(event, &data, regs); +@@ -1757,16 +1759,22 @@ static void __intel_pmu_pebs_event(struct perf_event *event, + } + + setup_sample(event, iregs, at, &data, regs); +- +- /* +- * All but the last records are processed. +- * The last one is left to be able to call the overflow handler. +- */ +- if (perf_event_overflow(event, &data, regs)) { +- x86_pmu_stop(event, 0); +- return; ++ if (iregs == &dummy_iregs) { ++ /* ++ * The PEBS records may be drained in the non-overflow context, ++ * e.g., large PEBS + context switch. Perf should treat the ++ * last record the same as other PEBS records, and doesn't ++ * invoke the generic overflow handler. ++ */ ++ perf_event_output(event, &data, regs); ++ } else { ++ /* ++ * All but the last records are processed. ++ * The last one is left to be able to call the overflow handler. ++ */ ++ if (perf_event_overflow(event, &data, regs)) ++ x86_pmu_stop(event, 0); + } +- + } + + static void intel_pmu_drain_pebs_core(struct pt_regs *iregs) +-- +2.25.1 + diff --git a/queue-5.4/perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch b/queue-5.4/perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch new file mode 100644 index 00000000000..c67e2916cd6 --- /dev/null +++ b/queue-5.4/perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch @@ -0,0 +1,47 @@ +From a6c0dac9498f8b2a44e9b95212448df474a39066 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 06:49:05 -0700 +Subject: perf/x86/intel/uncore: Reduce the number of CBOX counters + +From: Kan Liang + +[ Upstream commit ee139385432e919f4d1f59b80edbc073cdae1391 ] + +An oops is triggered by the fuzzy test. + +[ 327.853081] unchecked MSR access error: RDMSR from 0x70c at rIP: +0xffffffffc082c820 (uncore_msr_read_counter+0x10/0x50 [intel_uncore]) +[ 327.853083] Call Trace: +[ 327.853085] +[ 327.853089] uncore_pmu_event_start+0x85/0x170 [intel_uncore] +[ 327.853093] uncore_pmu_event_add+0x1a4/0x410 [intel_uncore] +[ 327.853097] ? event_sched_in.isra.118+0xca/0x240 + +There are 2 GP counters for each CBOX, but the current code claims 4 +counters. Accessing the invalid registers triggers the oops. + +Fixes: 6e394376ee89 ("perf/x86/intel/uncore: Add Intel Icelake uncore support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200925134905.8839-3-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c +index ad9798bd89cf6..aec6e63c6a04a 100644 +--- a/arch/x86/events/intel/uncore_snb.c ++++ b/arch/x86/events/intel/uncore_snb.c +@@ -309,7 +309,7 @@ static struct intel_uncore_ops icl_uncore_msr_ops = { + + static struct intel_uncore_type icl_uncore_cbox = { + .name = "cbox", +- .num_counters = 4, ++ .num_counters = 2, + .perf_ctr_bits = 44, + .perf_ctr = ICL_UNC_CBO_0_PER_CTR0, + .event_ctl = SNB_UNC_CBO_0_PERFEVTSEL0, +-- +2.25.1 + diff --git a/queue-5.4/perf-x86-intel-uncore-update-ice-lake-uncore-units.patch b/queue-5.4/perf-x86-intel-uncore-update-ice-lake-uncore-units.patch new file mode 100644 index 00000000000..a63d7a42b60 --- /dev/null +++ b/queue-5.4/perf-x86-intel-uncore-update-ice-lake-uncore-units.patch @@ -0,0 +1,118 @@ +From e8fc727d2aa5b6da37f6287bcfeae778967b3add Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 06:49:04 -0700 +Subject: perf/x86/intel/uncore: Update Ice Lake uncore units + +From: Kan Liang + +[ Upstream commit 8f5d41f3a0f495435c88ebba8fc150c931c10fef ] + +There are some updates for the Icelake model specific uncore performance +monitors. (The update can be found at 10th generation intel core +processors families specification update Revision 004, ICL068) + +1) Counter 0 of ARB uncore unit is not available for software use +2) The global 'enable bit' (bit 29) and 'freeze bit' (bit 31) of + MSR_UNC_PERF_GLOBAL_CTRL cannot be used to control counter behavior. + Needs to use local enable in event select MSR. + +Accessing the modified bit/registers will be ignored by HW. Users may +observe inaccurate results with the current code. + +The changes of the MSR_UNC_PERF_GLOBAL_CTRL imply that groups cannot be +read atomically anymore. Although the error of the result for a group +becomes a bit bigger, it still far lower than not using a group. The +group support is still kept. Only Remove the *_box() related +implementation. + +Since the counter 0 of ARB uncore unit is not available, update the MSR +address for the ARB uncore unit. + +There is no change for IMC uncore unit, which only include free-running +counters. + +Fixes: 6e394376ee89 ("perf/x86/intel/uncore: Add Intel Icelake uncore support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200925134905.8839-2-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snb.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c +index c37cb12d0ef68..ad9798bd89cf6 100644 +--- a/arch/x86/events/intel/uncore_snb.c ++++ b/arch/x86/events/intel/uncore_snb.c +@@ -110,6 +110,10 @@ + #define ICL_UNC_CBO_0_PER_CTR0 0x702 + #define ICL_UNC_CBO_MSR_OFFSET 0x8 + ++/* ICL ARB register */ ++#define ICL_UNC_ARB_PER_CTR 0x3b1 ++#define ICL_UNC_ARB_PERFEVTSEL 0x3b3 ++ + DEFINE_UNCORE_FORMAT_ATTR(event, event, "config:0-7"); + DEFINE_UNCORE_FORMAT_ATTR(umask, umask, "config:8-15"); + DEFINE_UNCORE_FORMAT_ATTR(edge, edge, "config:18"); +@@ -297,6 +301,12 @@ void skl_uncore_cpu_init(void) + snb_uncore_arb.ops = &skl_uncore_msr_ops; + } + ++static struct intel_uncore_ops icl_uncore_msr_ops = { ++ .disable_event = snb_uncore_msr_disable_event, ++ .enable_event = snb_uncore_msr_enable_event, ++ .read_counter = uncore_msr_read_counter, ++}; ++ + static struct intel_uncore_type icl_uncore_cbox = { + .name = "cbox", + .num_counters = 4, +@@ -305,7 +315,7 @@ static struct intel_uncore_type icl_uncore_cbox = { + .event_ctl = SNB_UNC_CBO_0_PERFEVTSEL0, + .event_mask = SNB_UNC_RAW_EVENT_MASK, + .msr_offset = ICL_UNC_CBO_MSR_OFFSET, +- .ops = &skl_uncore_msr_ops, ++ .ops = &icl_uncore_msr_ops, + .format_group = &snb_uncore_format_group, + }; + +@@ -334,13 +344,25 @@ static struct intel_uncore_type icl_uncore_clockbox = { + .single_fixed = 1, + .event_mask = SNB_UNC_CTL_EV_SEL_MASK, + .format_group = &icl_uncore_clock_format_group, +- .ops = &skl_uncore_msr_ops, ++ .ops = &icl_uncore_msr_ops, + .event_descs = icl_uncore_events, + }; + ++static struct intel_uncore_type icl_uncore_arb = { ++ .name = "arb", ++ .num_counters = 1, ++ .num_boxes = 1, ++ .perf_ctr_bits = 44, ++ .perf_ctr = ICL_UNC_ARB_PER_CTR, ++ .event_ctl = ICL_UNC_ARB_PERFEVTSEL, ++ .event_mask = SNB_UNC_RAW_EVENT_MASK, ++ .ops = &icl_uncore_msr_ops, ++ .format_group = &snb_uncore_format_group, ++}; ++ + static struct intel_uncore_type *icl_msr_uncores[] = { + &icl_uncore_cbox, +- &snb_uncore_arb, ++ &icl_uncore_arb, + &icl_uncore_clockbox, + NULL, + }; +@@ -358,7 +380,6 @@ void icl_uncore_cpu_init(void) + { + uncore_msr_uncores = icl_msr_uncores; + icl_uncore_cbox.num_boxes = icl_get_cbox_num(); +- snb_uncore_arb.ops = &skl_uncore_msr_ops; + } + + enum { +-- +2.25.1 + diff --git a/queue-5.4/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch b/queue-5.4/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch new file mode 100644 index 00000000000..6c6ca22a0e4 --- /dev/null +++ b/queue-5.4/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch @@ -0,0 +1,47 @@ +From 9140ca8f4d4d945316e2e432950d00c23140d8c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 17:40:26 +0300 +Subject: pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB + +From: Necip Fazil Yildiran + +[ Upstream commit 513034d8b089b9a49dab57845aee70e830fe7334 ] + +When PINCTRL_BCM2835 is enabled and GPIOLIB is disabled, it results in the +following Kbuild warning: + +WARNING: unmet direct dependencies detected for GPIOLIB_IRQCHIP + Depends on [n]: GPIOLIB [=n] + Selected by [y]: + - PINCTRL_BCM2835 [=y] && PINCTRL [=y] && OF [=y] && (ARCH_BCM2835 [=n] || ARCH_BRCMSTB [=n] || COMPILE_TEST [=y]) + +The reason is that PINCTRL_BCM2835 selects GPIOLIB_IRQCHIP without +depending on or selecting GPIOLIB while GPIOLIB_IRQCHIP is subordinate to +GPIOLIB. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: 85ae9e512f43 ("pinctrl: bcm2835: switch to GPIOLIB_IRQCHIP") +Signed-off-by: Necip Fazil Yildiran +Link: https://lore.kernel.org/r/20200914144025.371370-1-fazilyildiran@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/bcm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/bcm/Kconfig b/drivers/pinctrl/bcm/Kconfig +index dcf7df797af75..0ed14de0134cf 100644 +--- a/drivers/pinctrl/bcm/Kconfig ++++ b/drivers/pinctrl/bcm/Kconfig +@@ -23,6 +23,7 @@ config PINCTRL_BCM2835 + select PINMUX + select PINCONF + select GENERIC_PINCONF ++ select GPIOLIB + select GPIOLIB_IRQCHIP + default ARCH_BCM2835 || ARCH_BRCMSTB + help +-- +2.25.1 + diff --git a/queue-5.4/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch b/queue-5.4/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch new file mode 100644 index 00000000000..e4cfada96be --- /dev/null +++ b/queue-5.4/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch @@ -0,0 +1,42 @@ +From dbb52b51b5f645106c060a0f737721734d3c2e96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 22:32:26 +0100 +Subject: pinctrl: mcp23s08: Fix mcp23x17 precious range + +From: Thomas Preston + +[ Upstream commit b9b7fb29433b906635231d0a111224efa009198c ] + +On page 23 of the datasheet [0] it says "The register remains unchanged +until the interrupt is cleared via a read of INTCAP or GPIO." Include +INTCAPA and INTCAPB registers in precious range, so that they aren't +accidentally cleared when we read via debugfs. + +[0] https://ww1.microchip.com/downloads/en/DeviceDoc/20001952C.pdf + +Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") +Signed-off-by: Thomas Preston +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200828213226.1734264-3-thomas.preston@codethink.co.uk +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index 676ff9a4459e3..d8bcbefcba890 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -144,7 +144,7 @@ static const struct regmap_access_table mcp23x17_volatile_table = { + }; + + static const struct regmap_range mcp23x17_precious_range = { +- .range_min = MCP_GPIO << 1, ++ .range_min = MCP_INTCAP << 1, + .range_max = MCP_GPIO << 1, + }; + +-- +2.25.1 + diff --git a/queue-5.4/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch b/queue-5.4/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch new file mode 100644 index 00000000000..6fa08d08d1d --- /dev/null +++ b/queue-5.4/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch @@ -0,0 +1,84 @@ +From 1cd3d9ca8386cc3cbaa31955d879d7cb9b9b0b22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 22:32:25 +0100 +Subject: pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser + +From: Thomas Preston + +[ Upstream commit b445f6237744df5e8d4f56f8733b2108c611220a ] + +The mcp23x17_regmap is initialised with structs named "mcp23x16". +However, the mcp23s08 driver doesn't support the MCP23016 device yet, so +this appears to be a typo. + +Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") +Signed-off-by: Thomas Preston +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200828213226.1734264-2-thomas.preston@codethink.co.uk +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index 3a235487e38d7..676ff9a4459e3 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -122,7 +122,7 @@ static const struct regmap_config mcp23x08_regmap = { + .max_register = MCP_OLAT, + }; + +-static const struct reg_default mcp23x16_defaults[] = { ++static const struct reg_default mcp23x17_defaults[] = { + {.reg = MCP_IODIR << 1, .def = 0xffff}, + {.reg = MCP_IPOL << 1, .def = 0x0000}, + {.reg = MCP_GPINTEN << 1, .def = 0x0000}, +@@ -133,23 +133,23 @@ static const struct reg_default mcp23x16_defaults[] = { + {.reg = MCP_OLAT << 1, .def = 0x0000}, + }; + +-static const struct regmap_range mcp23x16_volatile_range = { ++static const struct regmap_range mcp23x17_volatile_range = { + .range_min = MCP_INTF << 1, + .range_max = MCP_GPIO << 1, + }; + +-static const struct regmap_access_table mcp23x16_volatile_table = { +- .yes_ranges = &mcp23x16_volatile_range, ++static const struct regmap_access_table mcp23x17_volatile_table = { ++ .yes_ranges = &mcp23x17_volatile_range, + .n_yes_ranges = 1, + }; + +-static const struct regmap_range mcp23x16_precious_range = { ++static const struct regmap_range mcp23x17_precious_range = { + .range_min = MCP_GPIO << 1, + .range_max = MCP_GPIO << 1, + }; + +-static const struct regmap_access_table mcp23x16_precious_table = { +- .yes_ranges = &mcp23x16_precious_range, ++static const struct regmap_access_table mcp23x17_precious_table = { ++ .yes_ranges = &mcp23x17_precious_range, + .n_yes_ranges = 1, + }; + +@@ -159,10 +159,10 @@ static const struct regmap_config mcp23x17_regmap = { + + .reg_stride = 2, + .max_register = MCP_OLAT << 1, +- .volatile_table = &mcp23x16_volatile_table, +- .precious_table = &mcp23x16_precious_table, +- .reg_defaults = mcp23x16_defaults, +- .num_reg_defaults = ARRAY_SIZE(mcp23x16_defaults), ++ .volatile_table = &mcp23x17_volatile_table, ++ .precious_table = &mcp23x17_precious_table, ++ .reg_defaults = mcp23x17_defaults, ++ .num_reg_defaults = ARRAY_SIZE(mcp23x17_defaults), + .cache_type = REGCACHE_FLAT, + .val_format_endian = REGMAP_ENDIAN_LITTLE, + }; +-- +2.25.1 + diff --git a/queue-5.4/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch b/queue-5.4/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch new file mode 100644 index 00000000000..1a7e89b3a24 --- /dev/null +++ b/queue-5.4/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch @@ -0,0 +1,71 @@ +From e1219fd1a053df00f4a4fd1edea37c78dfa7e185 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 20:20:49 +0300 +Subject: platform/x86: mlx-platform: Remove PSU EEPROM configuration + +From: Vadim Pasternak + +[ Upstream commit c071afcea6ecf24a3c119f25ce9f71ffd55b5dc2 ] + +Remove PSU EEPROM configuration for systems class equipped with +Mellanox chip Spectrume-2. Till now all the systems from this class +used few types of power units, all equipped with EEPROM device with +address space two bytes. Thus, all these devices have been handled by +EEPROM driver "24c32". +There is a new requirement is to support power unit replacement by "off +the shelf" device, matching electrical required parameters. Such device +could be equipped with different EEPROM type, which could be one byte +address space addressing or even could be not equipped with EEPROM. +In such case "24c32" will not work. + +Fixes: 1bd42d94ccab ("platform/x86: mlx-platform: Add support for new 200G IB and Ethernet systems") +Signed-off-by: Vadim Pasternak +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20200923172053.26296-2-vadimp@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/mlx-platform.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/drivers/platform/x86/mlx-platform.c b/drivers/platform/x86/mlx-platform.c +index 8fe51e43f1bc1..59b5b7eebb05a 100644 +--- a/drivers/platform/x86/mlx-platform.c ++++ b/drivers/platform/x86/mlx-platform.c +@@ -243,15 +243,6 @@ static struct i2c_board_info mlxplat_mlxcpld_psu[] = { + }, + }; + +-static struct i2c_board_info mlxplat_mlxcpld_ng_psu[] = { +- { +- I2C_BOARD_INFO("24c32", 0x51), +- }, +- { +- I2C_BOARD_INFO("24c32", 0x50), +- }, +-}; +- + static struct i2c_board_info mlxplat_mlxcpld_pwr[] = { + { + I2C_BOARD_INFO("dps460", 0x59), +@@ -611,15 +602,13 @@ static struct mlxreg_core_data mlxplat_mlxcpld_default_ng_psu_items_data[] = { + .label = "psu1", + .reg = MLXPLAT_CPLD_LPC_REG_PSU_OFFSET, + .mask = BIT(0), +- .hpdev.brdinfo = &mlxplat_mlxcpld_ng_psu[0], +- .hpdev.nr = MLXPLAT_CPLD_PSU_MSNXXXX_NR, ++ .hpdev.nr = MLXPLAT_CPLD_NR_NONE, + }, + { + .label = "psu2", + .reg = MLXPLAT_CPLD_LPC_REG_PSU_OFFSET, + .mask = BIT(1), +- .hpdev.brdinfo = &mlxplat_mlxcpld_ng_psu[1], +- .hpdev.nr = MLXPLAT_CPLD_PSU_MSNXXXX_NR, ++ .hpdev.nr = MLXPLAT_CPLD_NR_NONE, + }, + }; + +-- +2.25.1 + diff --git a/queue-5.4/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch b/queue-5.4/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch new file mode 100644 index 00000000000..1eb4a96cdf9 --- /dev/null +++ b/queue-5.4/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch @@ -0,0 +1,49 @@ +From 1556ee657e3d83395a49cf1cbb4013bf18bd5211 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 18:14:47 +0200 +Subject: PM: hibernate: remove the bogus call to get_gendisk() in + software_resume() + +From: Christoph Hellwig + +[ Upstream commit 428805c0c5e76ef643b1fbc893edfb636b3d8aef ] + +get_gendisk grabs a reference on the disk and file operation, so this +code will leak both of them while having absolutely no use for the +gendisk itself. + +This effectively reverts commit 2df83fa4bce421f ("PM / Hibernate: Use +get_gendisk to verify partition if resume_file is integer format") + +Signed-off-by: Christoph Hellwig +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/hibernate.c | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index b6c5895ced36b..69c4cd472def3 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -839,17 +839,6 @@ static int software_resume(void) + + /* Check if the device is there */ + swsusp_resume_device = name_to_dev_t(resume_file); +- +- /* +- * name_to_dev_t is ineffective to verify parition if resume_file is in +- * integer format. (e.g. major:minor) +- */ +- if (isdigit(resume_file[0]) && resume_wait) { +- int partno; +- while (!get_gendisk(swsusp_resume_device, &partno)) +- msleep(10); +- } +- + if (!swsusp_resume_device) { + /* + * Some device discovery might still be in progress; we need +-- +2.25.1 + diff --git a/queue-5.4/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch b/queue-5.4/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch new file mode 100644 index 00000000000..fd2eaeaa75c --- /dev/null +++ b/queue-5.4/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch @@ -0,0 +1,116 @@ +From 1930f7ff98bac2c0fb05b788451c2469b7f46df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:19 +1000 +Subject: powerpc/64s/radix: Fix mm_cpumask trimming race vs kthread_use_mm + +From: Nicholas Piggin + +[ Upstream commit a665eec0a22e11cdde708c1c256a465ebe768047 ] + +Commit 0cef77c7798a7 ("powerpc/64s/radix: flush remote CPUs out of +single-threaded mm_cpumask") added a mechanism to trim the mm_cpumask of +a process under certain conditions. One of the assumptions is that +mm_users would not be incremented via a reference outside the process +context with mmget_not_zero() then go on to kthread_use_mm() via that +reference. + +That invariant was broken by io_uring code (see previous sparc64 fix), +but I'll point Fixes: to the original powerpc commit because we are +changing that assumption going forward, so this will make backports +match up. + +Fix this by no longer relying on that assumption, but by having each CPU +check the mm is not being used, and clearing their own bit from the mask +only if it hasn't been switched-to by the time the IPI is processed. + +This relies on commit 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB +invalidate") and ARCH_WANT_IRQS_OFF_ACTIVATE_MM to disable irqs over mm +switch sequences. + +Fixes: 0cef77c7798a7 ("powerpc/64s/radix: flush remote CPUs out of single-threaded mm_cpumask") +Signed-off-by: Nicholas Piggin +Reviewed-by: Michael Ellerman +Depends-on: 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB invalidate") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-5-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/tlb.h | 13 ------------- + arch/powerpc/mm/book3s64/radix_tlb.c | 23 ++++++++++++++++------- + 2 files changed, 16 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/include/asm/tlb.h b/arch/powerpc/include/asm/tlb.h +index 7f3a8b9023254..02a1c18cdba3d 100644 +--- a/arch/powerpc/include/asm/tlb.h ++++ b/arch/powerpc/include/asm/tlb.h +@@ -67,19 +67,6 @@ static inline int mm_is_thread_local(struct mm_struct *mm) + return false; + return cpumask_test_cpu(smp_processor_id(), mm_cpumask(mm)); + } +-static inline void mm_reset_thread_local(struct mm_struct *mm) +-{ +- WARN_ON(atomic_read(&mm->context.copros) > 0); +- /* +- * It's possible for mm_access to take a reference on mm_users to +- * access the remote mm from another thread, but it's not allowed +- * to set mm_cpumask, so mm_users may be > 1 here. +- */ +- WARN_ON(current->mm != mm); +- atomic_set(&mm->context.active_cpus, 1); +- cpumask_clear(mm_cpumask(mm)); +- cpumask_set_cpu(smp_processor_id(), mm_cpumask(mm)); +-} + #else /* CONFIG_PPC_BOOK3S_64 */ + static inline int mm_is_thread_local(struct mm_struct *mm) + { +diff --git a/arch/powerpc/mm/book3s64/radix_tlb.c b/arch/powerpc/mm/book3s64/radix_tlb.c +index 67af871190c6d..b0f240afffa22 100644 +--- a/arch/powerpc/mm/book3s64/radix_tlb.c ++++ b/arch/powerpc/mm/book3s64/radix_tlb.c +@@ -639,19 +639,29 @@ static void do_exit_flush_lazy_tlb(void *arg) + struct mm_struct *mm = arg; + unsigned long pid = mm->context.id; + ++ /* ++ * A kthread could have done a mmget_not_zero() after the flushing CPU ++ * checked mm_is_singlethreaded, and be in the process of ++ * kthread_use_mm when interrupted here. In that case, current->mm will ++ * be set to mm, because kthread_use_mm() setting ->mm and switching to ++ * the mm is done with interrupts off. ++ */ + if (current->mm == mm) +- return; /* Local CPU */ ++ goto out_flush; + + if (current->active_mm == mm) { +- /* +- * Must be a kernel thread because sender is single-threaded. +- */ +- BUG_ON(current->mm); ++ WARN_ON_ONCE(current->mm != NULL); ++ /* Is a kernel thread and is using mm as the lazy tlb */ + mmgrab(&init_mm); +- switch_mm(mm, &init_mm, current); + current->active_mm = &init_mm; ++ switch_mm_irqs_off(mm, &init_mm, current); + mmdrop(mm); + } ++ ++ atomic_dec(&mm->context.active_cpus); ++ cpumask_clear_cpu(smp_processor_id(), mm_cpumask(mm)); ++ ++out_flush: + _tlbiel_pid(pid, RIC_FLUSH_ALL); + } + +@@ -666,7 +676,6 @@ static void exit_flush_lazy_tlbs(struct mm_struct *mm) + */ + smp_call_function_many(mm_cpumask(mm), do_exit_flush_lazy_tlb, + (void *)mm, 1); +- mm_reset_thread_local(mm); + } + + void radix__flush_tlb_mm(struct mm_struct *mm) +-- +2.25.1 + diff --git a/queue-5.4/powerpc-book3s64-hash-4k-support-large-linear-mappin.patch b/queue-5.4/powerpc-book3s64-hash-4k-support-large-linear-mappin.patch new file mode 100644 index 00000000000..4462d7290d6 --- /dev/null +++ b/queue-5.4/powerpc-book3s64-hash-4k-support-large-linear-mappin.patch @@ -0,0 +1,74 @@ +From 469f1f23653cff7bfe63d44c758e607e7f43b297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 12:39:03 +0530 +Subject: powerpc/book3s64/hash/4k: Support large linear mapping range with 4K + +From: Aneesh Kumar K.V + +[ Upstream commit 7746406baa3bc9e23fdd7b7da2f04d86e25ab837 ] + +With commit: 0034d395f89d ("powerpc/mm/hash64: Map all the kernel +regions in the same 0xc range"), we now split the 64TB address range +into 4 contexts each of 16TB. That implies we can do only 16TB linear +mapping. + +On some systems, eg. Power9, memory attached to nodes > 0 will appear +above 16TB in the linear mapping. This resulted in kernel crash when +we boot such systems in hash translation mode with 4K PAGE_SIZE. + +This patch updates the kernel mapping such that we now start supporting upto +61TB of memory with 4K. The kernel mapping now looks like below 4K PAGE_SIZE +and hash translation. + + vmalloc start = 0xc0003d0000000000 + IO start = 0xc0003e0000000000 + vmemmap start = 0xc0003f0000000000 + +Our MAX_PHYSMEM_BITS for 4K is still 64TB even though we can only map 61TB. +We prevent bolt mapping anything outside 61TB range by checking against +H_VMALLOC_START. + +Fixes: 0034d395f89d ("powerpc/mm/hash64: Map all the kernel regions in the same 0xc range") +Reported-by: Cameron Berkenpas +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200608070904.387440-3-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/64/hash-4k.h | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h +index 3f9ae3585ab98..80c9534148821 100644 +--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h ++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h +@@ -13,20 +13,19 @@ + */ + #define MAX_EA_BITS_PER_CONTEXT 46 + +-#define REGION_SHIFT (MAX_EA_BITS_PER_CONTEXT - 2) + + /* +- * Our page table limit us to 64TB. Hence for the kernel mapping, +- * each MAP area is limited to 16 TB. +- * The four map areas are: linear mapping, vmap, IO and vmemmap ++ * Our page table limit us to 64TB. For 64TB physical memory, we only need 64GB ++ * of vmemmap space. To better support sparse memory layout, we use 61TB ++ * linear map range, 1TB of vmalloc, 1TB of I/O and 1TB of vmememmap. + */ ++#define REGION_SHIFT (40) + #define H_KERN_MAP_SIZE (ASM_CONST(1) << REGION_SHIFT) + + /* +- * Define the address range of the kernel non-linear virtual area +- * 16TB ++ * Define the address range of the kernel non-linear virtual area (61TB) + */ +-#define H_KERN_VIRT_START ASM_CONST(0xc000100000000000) ++#define H_KERN_VIRT_START ASM_CONST(0xc0003d0000000000) + + #ifndef __ASSEMBLY__ + #define H_PTE_TABLE_SIZE (sizeof(pte_t) << H_PTE_INDEX_SIZE) +-- +2.25.1 + diff --git a/queue-5.4/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch b/queue-5.4/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch new file mode 100644 index 00000000000..4d724e770e6 --- /dev/null +++ b/queue-5.4/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch @@ -0,0 +1,37 @@ +From f70fe0826c5dddffcd95e1fe62fef99cd5465130 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jul 2018 10:03:27 +0200 +Subject: powerpc/icp-hv: Fix missing of_node_put() in success path + +From: Nicholas Mc Guire + +[ Upstream commit d3e669f31ec35856f5e85df9224ede5bdbf1bc7b ] + +Both of_find_compatible_node() and of_find_node_by_type() will return +a refcounted node on success - thus for the success path the node must +be explicitly released with a of_node_put(). + +Fixes: 0b05ac6e2480 ("powerpc/xics: Rewrite XICS driver") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1530691407-3991-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xics/icp-hv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/sysdev/xics/icp-hv.c b/arch/powerpc/sysdev/xics/icp-hv.c +index ad8117148ea3b..21b9d1bf39ff6 100644 +--- a/arch/powerpc/sysdev/xics/icp-hv.c ++++ b/arch/powerpc/sysdev/xics/icp-hv.c +@@ -174,6 +174,7 @@ int icp_hv_init(void) + + icp_ops = &icp_hv_ops; + ++ of_node_put(np); + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.4/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch b/queue-5.4/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch new file mode 100644 index 00000000000..b4240be0ae5 --- /dev/null +++ b/queue-5.4/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch @@ -0,0 +1,61 @@ +From a891f78d295d75a246068957d482f4660c210dbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 03:10:04 -0400 +Subject: powerpc/perf: Exclude pmc5/6 from the irrelevant PMU group + constraints + +From: Athira Rajeev + +[ Upstream commit 3b6c3adbb2fa42749c3d38cfc4d4d0b7e096bb7b ] + +PMU counter support functions enforces event constraints for group of +events to check if all events in a group can be monitored. Incase of +event codes using PMC5 and PMC6 ( 500fa and 600f4 respectively ), not +all constraints are applicable, say the threshold or sample bits. But +current code includes pmc5 and pmc6 in some group constraints (like +IC_DC Qualifier bits) which is actually not applicable and hence +results in those events not getting counted when scheduled along with +group of other events. Patch fixes this by excluding PMC5/6 from +constraints which are not relevant for it. + +Fixes: 7ffd948 ("powerpc/perf: factor out power8 pmu functions") +Signed-off-by: Athira Rajeev +Reviewed-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1600672204-1610-1-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/isa207-common.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c +index 4c86da5eb28ab..0b5c8f4fbdbfd 100644 +--- a/arch/powerpc/perf/isa207-common.c ++++ b/arch/powerpc/perf/isa207-common.c +@@ -269,6 +269,15 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp) + + mask |= CNST_PMC_MASK(pmc); + value |= CNST_PMC_VAL(pmc); ++ ++ /* ++ * PMC5 and PMC6 are used to count cycles and instructions and ++ * they do not support most of the constraint bits. Add a check ++ * to exclude PMC5/6 from most of the constraints except for ++ * EBB/BHRB. ++ */ ++ if (pmc >= 5) ++ goto ebb_bhrb; + } + + if (pmc <= 4) { +@@ -335,6 +344,7 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp) + } + } + ++ebb_bhrb: + if (!pmc && ebb) + /* EBB events must specify the PMC */ + return -1; +-- +2.25.1 + diff --git a/queue-5.4/powerpc-perf-hv-gpci-fix-starting-index-value.patch b/queue-5.4/powerpc-perf-hv-gpci-fix-starting-index-value.patch new file mode 100644 index 00000000000..0b1f209856d --- /dev/null +++ b/queue-5.4/powerpc-perf-hv-gpci-fix-starting-index-value.patch @@ -0,0 +1,76 @@ +From 231b6d3162eb0602c6f56ec6f43872d2be0c5bf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Oct 2020 13:19:39 +0530 +Subject: powerpc/perf/hv-gpci: Fix starting index value + +From: Kajol Jain + +[ Upstream commit 0f9866f7e85765bbda86666df56c92f377c3bc10 ] + +Commit 9e9f60108423f ("powerpc/perf/{hv-gpci, hv-common}: generate +requests with counters annotated") adds a framework for defining +gpci counters. +In this patch, they adds starting_index value as '0xffffffffffffffff'. +which is wrong as starting_index is of size 32 bits. + +Because of this, incase we try to run hv-gpci event we get error. + +In power9 machine: + +command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + -C 0 -I 1000 +event syntax error: '..bie_count_and_time_tlbie_instructions_issued/' + \___ value too big for format, maximum is 4294967295 + +This patch fix this issue and changes starting_index value to '0xffffffff' + +After this patch: + +command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ -C 0 -I 1000 + 1.000085786 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + 2.000287818 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + 2.439113909 17,408 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + +Fixes: 9e9f60108423 ("powerpc/perf/{hv-gpci, hv-common}: generate requests with counters annotated") +Signed-off-by: Kajol Jain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201003074943.338618-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-gpci-requests.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h +index e608f9db12ddc..8965b4463d433 100644 +--- a/arch/powerpc/perf/hv-gpci-requests.h ++++ b/arch/powerpc/perf/hv-gpci-requests.h +@@ -95,7 +95,7 @@ REQUEST(__field(0, 8, partition_id) + + #define REQUEST_NAME system_performance_capabilities + #define REQUEST_NUM 0x40 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__field(0, 1, perf_collect_privileged) + __field(0x1, 1, capability_mask) +@@ -223,7 +223,7 @@ REQUEST(__field(0, 2, partition_id) + + #define REQUEST_NAME system_hypervisor_times + #define REQUEST_NUM 0xF0 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors) + __count(0x8, 8, time_spent_processing_virtual_processor_timers) +@@ -234,7 +234,7 @@ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors) + + #define REQUEST_NAME system_tlbie_count_and_time + #define REQUEST_NUM 0xF4 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__count(0, 8, tlbie_instructions_issued) + /* +-- +2.25.1 + diff --git a/queue-5.4/powerpc-powernv-dump-fix-race-while-processing-opal-.patch b/queue-5.4/powerpc-powernv-dump-fix-race-while-processing-opal-.patch new file mode 100644 index 00000000000..30c638aa010 --- /dev/null +++ b/queue-5.4/powerpc-powernv-dump-fix-race-while-processing-opal-.patch @@ -0,0 +1,117 @@ +From 89e9bbe045769400eedaae2fc5253a6f7f816fd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Oct 2020 22:12:10 +0530 +Subject: powerpc/powernv/dump: Fix race while processing OPAL dump + +From: Vasant Hegde + +[ Upstream commit 0a43ae3e2beb77e3481d812834d33abe270768ab ] + +Every dump reported by OPAL is exported to userspace through a sysfs +interface and notified using kobject_uevent(). The userspace daemon +(opal_errd) then reads the dump and acknowledges that the dump is +saved safely to disk. Once acknowledged the kernel removes the +respective sysfs file entry causing respective resources to be +released including kobject. + +However it's possible the userspace daemon may already be scanning +dump entries when a new sysfs dump entry is created by the kernel. +User daemon may read this new entry and ack it even before kernel can +notify userspace about it through kobject_uevent() call. If that +happens then we have a potential race between +dump_ack_store->kobject_put() and kobject_uevent which can lead to +use-after-free of a kernfs object resulting in a kernel crash. + +This patch fixes this race by protecting the sysfs file +creation/notification by holding a reference count on kobject until we +safely send kobject_uevent(). + +The function create_dump_obj() returns the dump object which if used +by caller function will end up in use-after-free problem again. +However, the return value of create_dump_obj() function isn't being +used today and there is no need as well. Hence change it to return +void to make this fix complete. + +Fixes: c7e64b9ce04a ("powerpc/powernv Platform dump interface") +Signed-off-by: Vasant Hegde +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201017164210.264619-1-hegdevasant@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-dump.c | 41 +++++++++++++++------- + 1 file changed, 29 insertions(+), 12 deletions(-) + +diff --git a/arch/powerpc/platforms/powernv/opal-dump.c b/arch/powerpc/platforms/powernv/opal-dump.c +index 543c816fa99ef..0e6693bacb7e7 100644 +--- a/arch/powerpc/platforms/powernv/opal-dump.c ++++ b/arch/powerpc/platforms/powernv/opal-dump.c +@@ -318,15 +318,14 @@ static ssize_t dump_attr_read(struct file *filep, struct kobject *kobj, + return count; + } + +-static struct dump_obj *create_dump_obj(uint32_t id, size_t size, +- uint32_t type) ++static void create_dump_obj(uint32_t id, size_t size, uint32_t type) + { + struct dump_obj *dump; + int rc; + + dump = kzalloc(sizeof(*dump), GFP_KERNEL); + if (!dump) +- return NULL; ++ return; + + dump->kobj.kset = dump_kset; + +@@ -346,21 +345,39 @@ static struct dump_obj *create_dump_obj(uint32_t id, size_t size, + rc = kobject_add(&dump->kobj, NULL, "0x%x-0x%x", type, id); + if (rc) { + kobject_put(&dump->kobj); +- return NULL; ++ return; + } + ++ /* ++ * As soon as the sysfs file for this dump is created/activated there is ++ * a chance the opal_errd daemon (or any userspace) might read and ++ * acknowledge the dump before kobject_uevent() is called. If that ++ * happens then there is a potential race between ++ * dump_ack_store->kobject_put() and kobject_uevent() which leads to a ++ * use-after-free of a kernfs object resulting in a kernel crash. ++ * ++ * To avoid that, we need to take a reference on behalf of the bin file, ++ * so that our reference remains valid while we call kobject_uevent(). ++ * We then drop our reference before exiting the function, leaving the ++ * bin file to drop the last reference (if it hasn't already). ++ */ ++ ++ /* Take a reference for the bin file */ ++ kobject_get(&dump->kobj); + rc = sysfs_create_bin_file(&dump->kobj, &dump->dump_attr); +- if (rc) { ++ if (rc == 0) { ++ kobject_uevent(&dump->kobj, KOBJ_ADD); ++ ++ pr_info("%s: New platform dump. ID = 0x%x Size %u\n", ++ __func__, dump->id, dump->size); ++ } else { ++ /* Drop reference count taken for bin file */ + kobject_put(&dump->kobj); +- return NULL; + } + +- pr_info("%s: New platform dump. ID = 0x%x Size %u\n", +- __func__, dump->id, dump->size); +- +- kobject_uevent(&dump->kobj, KOBJ_ADD); +- +- return dump; ++ /* Drop our reference */ ++ kobject_put(&dump->kobj); ++ return; + } + + static irqreturn_t process_dump(int irq, void *data) +-- +2.25.1 + diff --git a/queue-5.4/powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch b/queue-5.4/powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch new file mode 100644 index 00000000000..d2ffd3d5dcd --- /dev/null +++ b/queue-5.4/powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch @@ -0,0 +1,219 @@ +From 7b1bc27c26c13644c53d52382640dabb0a20d0ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 12:09:46 +0530 +Subject: powerpc/pseries: Avoid using addr_to_pfn in real mode + +From: Ganesh Goudar + +[ Upstream commit 4ff753feab021242144818b9a3ba011238218145 ] + +When an UE or memory error exception is encountered the MCE handler +tries to find the pfn using addr_to_pfn() which takes effective +address as an argument, later pfn is used to poison the page where +memory error occurred, recent rework in this area made addr_to_pfn +to run in real mode, which can be fatal as it may try to access +memory outside RMO region. + +Have two helper functions to separate things to be done in real mode +and virtual mode without changing any functionality. This also fixes +the following error as the use of addr_to_pfn is now moved to virtual +mode. + +Without this change following kernel crash is seen on hitting UE. + +[ 485.128036] Oops: Kernel access of bad area, sig: 11 [#1] +[ 485.128040] LE SMP NR_CPUS=2048 NUMA pSeries +[ 485.128047] Modules linked in: +[ 485.128067] CPU: 15 PID: 6536 Comm: insmod Kdump: loaded Tainted: G OE 5.7.0 #22 +[ 485.128074] NIP: c00000000009b24c LR: c0000000000398d8 CTR: c000000000cd57c0 +[ 485.128078] REGS: c000000003f1f970 TRAP: 0300 Tainted: G OE (5.7.0) +[ 485.128082] MSR: 8000000000001003 CR: 28008284 XER: 00000001 +[ 485.128088] CFAR: c00000000009b190 DAR: c0000001fab00000 DSISR: 40000000 IRQMASK: 1 +[ 485.128088] GPR00: 0000000000000001 c000000003f1fbf0 c000000001634300 0000b0fa01000000 +[ 485.128088] GPR04: d000000002220000 0000000000000000 00000000fab00000 0000000000000022 +[ 485.128088] GPR08: c0000001fab00000 0000000000000000 c0000001fab00000 c000000003f1fc14 +[ 485.128088] GPR12: 0000000000000008 c000000003ff5880 d000000002100008 0000000000000000 +[ 485.128088] GPR16: 000000000000ff20 000000000000fff1 000000000000fff2 d0000000021a1100 +[ 485.128088] GPR20: d000000002200000 c00000015c893c50 c000000000d49b28 c00000015c893c50 +[ 485.128088] GPR24: d0000000021a0d08 c0000000014e5da8 d0000000021a0818 000000000000000a +[ 485.128088] GPR28: 0000000000000008 000000000000000a c0000000017e2970 000000000000000a +[ 485.128125] NIP [c00000000009b24c] __find_linux_pte+0x11c/0x310 +[ 485.128130] LR [c0000000000398d8] addr_to_pfn+0x138/0x170 +[ 485.128133] Call Trace: +[ 485.128135] Instruction dump: +[ 485.128138] 3929ffff 7d4a3378 7c883c36 7d2907b4 794a1564 7d294038 794af082 3900ffff +[ 485.128144] 79291f24 790af00e 78e70020 7d095214 <7c69502a> 2fa30000 419e011c 70690040 +[ 485.128152] ---[ end trace d34b27e29ae0e340 ]--- + +Fixes: 9ca766f9891d ("powerpc/64s/pseries: machine check convert to use common event code") +Signed-off-by: Ganesh Goudar +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200724063946.21378-1-ganeshgr@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/ras.c | 118 ++++++++++++++++----------- + 1 file changed, 69 insertions(+), 49 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c +index b3c4848869e52..b658fa627a34b 100644 +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -494,18 +494,55 @@ int pSeries_system_reset_exception(struct pt_regs *regs) + return 0; /* need to perform reset */ + } + ++static int mce_handle_err_realmode(int disposition, u8 error_type) ++{ ++#ifdef CONFIG_PPC_BOOK3S_64 ++ if (disposition == RTAS_DISP_NOT_RECOVERED) { ++ switch (error_type) { ++ case MC_ERROR_TYPE_SLB: ++ case MC_ERROR_TYPE_ERAT: ++ /* ++ * Store the old slb content in paca before flushing. ++ * Print this when we go to virtual mode. ++ * There are chances that we may hit MCE again if there ++ * is a parity error on the SLB entry we trying to read ++ * for saving. Hence limit the slb saving to single ++ * level of recursion. ++ */ ++ if (local_paca->in_mce == 1) ++ slb_save_contents(local_paca->mce_faulty_slbs); ++ flush_and_reload_slb(); ++ disposition = RTAS_DISP_FULLY_RECOVERED; ++ break; ++ default: ++ break; ++ } ++ } else if (disposition == RTAS_DISP_LIMITED_RECOVERY) { ++ /* Platform corrected itself but could be degraded */ ++ pr_err("MCE: limited recovery, system may be degraded\n"); ++ disposition = RTAS_DISP_FULLY_RECOVERED; ++ } ++#endif ++ return disposition; ++} + +-static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) ++static int mce_handle_err_virtmode(struct pt_regs *regs, ++ struct rtas_error_log *errp, ++ struct pseries_mc_errorlog *mce_log, ++ int disposition) + { + struct mce_error_info mce_err = { 0 }; +- unsigned long eaddr = 0, paddr = 0; +- struct pseries_errorlog *pseries_log; +- struct pseries_mc_errorlog *mce_log; +- int disposition = rtas_error_disposition(errp); + int initiator = rtas_error_initiator(errp); + int severity = rtas_error_severity(errp); ++ unsigned long eaddr = 0, paddr = 0; + u8 error_type, err_sub_type; + ++ if (!mce_log) ++ goto out; ++ ++ error_type = mce_log->error_type; ++ err_sub_type = rtas_mc_error_sub_type(mce_log); ++ + if (initiator == RTAS_INITIATOR_UNKNOWN) + mce_err.initiator = MCE_INITIATOR_UNKNOWN; + else if (initiator == RTAS_INITIATOR_CPU) +@@ -544,18 +581,7 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) + mce_err.error_type = MCE_ERROR_TYPE_UNKNOWN; + mce_err.error_class = MCE_ECLASS_UNKNOWN; + +- if (!rtas_error_extended(errp)) +- goto out; +- +- pseries_log = get_pseries_errorlog(errp, PSERIES_ELOG_SECT_ID_MCE); +- if (pseries_log == NULL) +- goto out; +- +- mce_log = (struct pseries_mc_errorlog *)pseries_log->data; +- error_type = mce_log->error_type; +- err_sub_type = rtas_mc_error_sub_type(mce_log); +- +- switch (mce_log->error_type) { ++ switch (error_type) { + case MC_ERROR_TYPE_UE: + mce_err.error_type = MCE_ERROR_TYPE_UE; + switch (err_sub_type) { +@@ -652,37 +678,31 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) + mce_err.error_type = MCE_ERROR_TYPE_UNKNOWN; + break; + } ++out: ++ save_mce_event(regs, disposition == RTAS_DISP_FULLY_RECOVERED, ++ &mce_err, regs->nip, eaddr, paddr); ++ return disposition; ++} + +-#ifdef CONFIG_PPC_BOOK3S_64 +- if (disposition == RTAS_DISP_NOT_RECOVERED) { +- switch (error_type) { +- case MC_ERROR_TYPE_SLB: +- case MC_ERROR_TYPE_ERAT: +- /* +- * Store the old slb content in paca before flushing. +- * Print this when we go to virtual mode. +- * There are chances that we may hit MCE again if there +- * is a parity error on the SLB entry we trying to read +- * for saving. Hence limit the slb saving to single +- * level of recursion. +- */ +- if (local_paca->in_mce == 1) +- slb_save_contents(local_paca->mce_faulty_slbs); +- flush_and_reload_slb(); +- disposition = RTAS_DISP_FULLY_RECOVERED; +- break; +- default: +- break; +- } +- } else if (disposition == RTAS_DISP_LIMITED_RECOVERY) { +- /* Platform corrected itself but could be degraded */ +- printk(KERN_ERR "MCE: limited recovery, system may " +- "be degraded\n"); +- disposition = RTAS_DISP_FULLY_RECOVERED; +- } +-#endif ++static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) ++{ ++ struct pseries_errorlog *pseries_log; ++ struct pseries_mc_errorlog *mce_log = NULL; ++ int disposition = rtas_error_disposition(errp); ++ u8 error_type; ++ ++ if (!rtas_error_extended(errp)) ++ goto out; ++ ++ pseries_log = get_pseries_errorlog(errp, PSERIES_ELOG_SECT_ID_MCE); ++ if (!pseries_log) ++ goto out; ++ ++ mce_log = (struct pseries_mc_errorlog *)pseries_log->data; ++ error_type = mce_log->error_type; ++ ++ disposition = mce_handle_err_realmode(disposition, error_type); + +-out: + /* + * Enable translation as we will be accessing per-cpu variables + * in save_mce_event() which may fall outside RMO region, also +@@ -693,10 +713,10 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) + * Note: All the realmode handling like flushing SLB entries for + * SLB multihit is done by now. + */ ++out: + mtmsr(mfmsr() | MSR_IR | MSR_DR); +- save_mce_event(regs, disposition == RTAS_DISP_FULLY_RECOVERED, +- &mce_err, regs->nip, eaddr, paddr); +- ++ disposition = mce_handle_err_virtmode(regs, errp, mce_log, ++ disposition); + return disposition; + } + +-- +2.25.1 + diff --git a/queue-5.4/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch b/queue-5.4/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch new file mode 100644 index 00000000000..9dbd3f8c417 --- /dev/null +++ b/queue-5.4/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch @@ -0,0 +1,76 @@ +From d592f4eb98122ad5c37e8a039ada2aa98d080d70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 10:11:31 -0500 +Subject: powerpc/pseries: explicitly reschedule during drmem_lmb list + traversal + +From: Nathan Lynch + +[ Upstream commit 9d6792ffe140240ae54c881cc4183f9acc24b4df ] + +The drmem lmb list can have hundreds of thousands of entries, and +unfortunately lookups take the form of linear searches. As long as +this is the case, traversals have the potential to monopolize the CPU +and provoke lockup reports, workqueue stalls, and the like unless +they explicitly yield. + +Rather than placing cond_resched() calls within various +for_each_drmem_lmb() loop blocks in the code, put it in the iteration +expression of the loop macro itself so users can't omit it. + +Introduce a drmem_lmb_next() iteration helper function which calls +cond_resched() at a regular interval during array traversal. Each +iteration of the loop in DLPAR code paths can involve around ten RTAS +calls which can each take up to 250us, so this ensures the check is +performed at worst every few milliseconds. + +Fixes: 6c6ea53725b3 ("powerpc/mm: Separate ibm, dynamic-memory data from DT format") +Signed-off-by: Nathan Lynch +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200813151131.2070161-1-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/drmem.h | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/drmem.h b/arch/powerpc/include/asm/drmem.h +index 28c3d936fdf32..dcd6ac098a6e4 100644 +--- a/arch/powerpc/include/asm/drmem.h ++++ b/arch/powerpc/include/asm/drmem.h +@@ -8,6 +8,8 @@ + #ifndef _ASM_POWERPC_LMB_H + #define _ASM_POWERPC_LMB_H + ++#include ++ + struct drmem_lmb { + u64 base_addr; + u32 drc_index; +@@ -26,8 +28,22 @@ struct drmem_lmb_info { + + extern struct drmem_lmb_info *drmem_info; + ++static inline struct drmem_lmb *drmem_lmb_next(struct drmem_lmb *lmb, ++ const struct drmem_lmb *start) ++{ ++ /* ++ * DLPAR code paths can take several milliseconds per element ++ * when interacting with firmware. Ensure that we don't ++ * unfairly monopolize the CPU. ++ */ ++ if (((++lmb - start) % 16) == 0) ++ cond_resched(); ++ ++ return lmb; ++} ++ + #define for_each_drmem_lmb_in_range(lmb, start, end) \ +- for ((lmb) = (start); (lmb) < (end); (lmb)++) ++ for ((lmb) = (start); (lmb) < (end); lmb = drmem_lmb_next(lmb, start)) + + #define for_each_drmem_lmb(lmb) \ + for_each_drmem_lmb_in_range((lmb), \ +-- +2.25.1 + diff --git a/queue-5.4/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch b/queue-5.4/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch new file mode 100644 index 00000000000..6a46bb0275d --- /dev/null +++ b/queue-5.4/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch @@ -0,0 +1,37 @@ +From bd29023d16d0723cec8ab5feb02cae919f7fc966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jul 2018 11:08:16 +0200 +Subject: powerpc/pseries: Fix missing of_node_put() in rng_init() + +From: Nicholas Mc Guire + +[ Upstream commit 67c3e59443f5fc77be39e2ce0db75fbfa78c7965 ] + +The call to of_find_compatible_node() returns a node pointer with +refcount incremented thus it must be explicitly decremented here +before returning. + +Fixes: a489043f4626 ("powerpc/pseries: Implement arch_get_random_long() based on H_RANDOM") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1530522496-14816-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/rng.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/pseries/rng.c b/arch/powerpc/platforms/pseries/rng.c +index bbb97169bf63e..6268545947b83 100644 +--- a/arch/powerpc/platforms/pseries/rng.c ++++ b/arch/powerpc/platforms/pseries/rng.c +@@ -36,6 +36,7 @@ static __init int rng_init(void) + + ppc_md.get_random_seed = pseries_get_random_long; + ++ of_node_put(dn); + return 0; + } + machine_subsys_initcall(pseries, rng_init); +-- +2.25.1 + diff --git a/queue-5.4/powerpc-tau-check-processor-type-before-enabling-tau.patch b/queue-5.4/powerpc-tau-check-processor-type-before-enabling-tau.patch new file mode 100644 index 00000000000..448e29373ac --- /dev/null +++ b/queue-5.4/powerpc-tau-check-processor-type-before-enabling-tau.patch @@ -0,0 +1,116 @@ +From 97fe1f031a630ecedd0913c6fe1e0cd98a79a38b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Check processor type before enabling TAU interrupt + +From: Finn Thain + +[ Upstream commit 5e3119e15fed5b9a9a7e528665ff098a4a8dbdbc ] + +According to Freescale's documentation, MPC74XX processors have an +erratum that prevents the TAU interrupt from working, so don't try to +use it when running on those processors. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/c281611544768e758bd58fe812cf702a5bd2d042.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 33 ++++++++++++++------------------- + arch/powerpc/platforms/Kconfig | 5 ++--- + 2 files changed, 16 insertions(+), 22 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index b8d7e7d498e0a..614b5b272d9c6 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -40,6 +40,8 @@ static struct tau_temp + unsigned char grew; + } tau[NR_CPUS]; + ++static bool tau_int_enable; ++ + #undef DEBUG + + /* TODO: put these in a /proc interface, with some sanity checks, and maybe +@@ -54,22 +56,13 @@ static struct tau_temp + + static void set_thresholds(unsigned long cpu) + { +-#ifdef CONFIG_TAU_INT +- /* +- * setup THRM1, +- * threshold, valid bit, enable interrupts, interrupt when below threshold +- */ +- mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | THRM1_TIE | THRM1_TID); ++ u32 maybe_tie = tau_int_enable ? THRM1_TIE : 0; + +- /* setup THRM2, +- * threshold, valid bit, enable interrupts, interrupt when above threshold +- */ +- mtspr (SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V | THRM1_TIE); +-#else +- /* same thing but don't enable interrupts */ +- mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | THRM1_TID); +- mtspr(SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V); +-#endif ++ /* setup THRM1, threshold, valid bit, interrupt when below threshold */ ++ mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | maybe_tie | THRM1_TID); ++ ++ /* setup THRM2, threshold, valid bit, interrupt when above threshold */ ++ mtspr(SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V | maybe_tie); + } + + static void TAUupdate(int cpu) +@@ -142,9 +135,8 @@ static void tau_timeout(void * info) + local_irq_save(flags); + cpu = smp_processor_id(); + +-#ifndef CONFIG_TAU_INT +- TAUupdate(cpu); +-#endif ++ if (!tau_int_enable) ++ TAUupdate(cpu); + + size = tau[cpu].high - tau[cpu].low; + if (size > min_window && ! tau[cpu].grew) { +@@ -225,6 +217,9 @@ static int __init TAU_init(void) + return 1; + } + ++ tau_int_enable = IS_ENABLED(CONFIG_TAU_INT) && ++ !strcmp(cur_cpu_spec->platform, "ppc750"); ++ + tau_workq = alloc_workqueue("tau", WQ_UNBOUND, 1, 0); + if (!tau_workq) + return -ENOMEM; +@@ -234,7 +229,7 @@ static int __init TAU_init(void) + queue_work(tau_workq, &tau_work); + + pr_info("Thermal assist unit using %s, shrink_timer: %d ms\n", +- IS_ENABLED(CONFIG_TAU_INT) ? "interrupts" : "workqueue", shrink_timer); ++ tau_int_enable ? "interrupts" : "workqueue", shrink_timer); + tau_initialized = 1; + + return 0; +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig +index d82e3664ffdf8..92d7f2a7936e7 100644 +--- a/arch/powerpc/platforms/Kconfig ++++ b/arch/powerpc/platforms/Kconfig +@@ -219,9 +219,8 @@ config TAU + temperature within 2-4 degrees Celsius. This option shows the current + on-die temperature in /proc/cpuinfo if the cpu supports it. + +- Unfortunately, on some chip revisions, this sensor is very inaccurate +- and in many cases, does not work at all, so don't assume the cpu +- temp is actually what /proc/cpuinfo says it is. ++ Unfortunately, this sensor is very inaccurate when uncalibrated, so ++ don't assume the cpu temp is actually what /proc/cpuinfo says it is. + + config TAU_INT + bool "Interrupt driven TAU driver (DANGEROUS)" +-- +2.25.1 + diff --git a/queue-5.4/powerpc-tau-convert-from-timer-to-workqueue.patch b/queue-5.4/powerpc-tau-convert-from-timer-to-workqueue.patch new file mode 100644 index 00000000000..6bb169d096a --- /dev/null +++ b/queue-5.4/powerpc-tau-convert-from-timer-to-workqueue.patch @@ -0,0 +1,153 @@ +From 3b19a6fb3286614403f619927c3c3c326a9c59b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Convert from timer to workqueue + +From: Finn Thain + +[ Upstream commit b1c6a0a10bfaf36ec82fde6f621da72407fa60a1 ] + +Since commit 19dbdcb8039cf ("smp: Warn on function calls from softirq +context") the Thermal Assist Unit driver causes a warning like the +following when CONFIG_SMP is enabled. + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at kernel/smp.c:428 smp_call_function_many_cond+0xf4/0x38c + Modules linked in: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac #3 + NIP: c00b37a8 LR: c00b3abc CTR: c001218c + REGS: c0799c60 TRAP: 0700 Not tainted (5.7.0-pmac) + MSR: 00029032 CR: 42000224 XER: 00000000 + GPR00: c00b3abc c0799d18 c076e300 c079ef5c c0011fec 00000000 00000000 00000000 + GPR08: 00000100 00000100 00008000 ffffffff 42000224 00000000 c079d040 c079d044 + GPR16: 00000001 00000000 00000004 c0799da0 c079f054 c07a0000 c07a0000 00000000 + GPR24: c0011fec 00000000 c079ef5c c079ef5c 00000000 00000000 00000000 00000000 + NIP [c00b37a8] smp_call_function_many_cond+0xf4/0x38c + LR [c00b3abc] on_each_cpu+0x38/0x68 + Call Trace: + [c0799d18] [ffffffff] 0xffffffff (unreliable) + [c0799d68] [c00b3abc] on_each_cpu+0x38/0x68 + [c0799d88] [c0096704] call_timer_fn.isra.26+0x20/0x7c + [c0799d98] [c0096b40] run_timer_softirq+0x1d4/0x3fc + [c0799df8] [c05b4368] __do_softirq+0x118/0x240 + [c0799e58] [c0039c44] irq_exit+0xc4/0xcc + [c0799e68] [c000ade8] timer_interrupt+0x1b0/0x230 + [c0799ea8] [c0013520] ret_from_except+0x0/0x14 + --- interrupt: 901 at arch_cpu_idle+0x24/0x6c + LR = arch_cpu_idle+0x24/0x6c + [c0799f70] [00000001] 0x1 (unreliable) + [c0799f80] [c0060990] do_idle+0xd8/0x17c + [c0799fa0] [c0060ba8] cpu_startup_entry+0x24/0x28 + [c0799fb0] [c072d220] start_kernel+0x434/0x44c + [c0799ff0] [00003860] 0x3860 + Instruction dump: + 8129f204 2f890000 40beff98 3d20c07a 8929eec4 2f890000 40beff88 0fe00000 + 81220000 552805de 550802ef 4182ff84 <0fe00000> 3860ffff 7f65db78 7f44d378 + ---[ end trace 34a886e47819c2eb ]--- + +Don't call on_each_cpu() from a timer callback, call it from a worker +thread instead. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/bb61650bea4f4c91fb8e24b9a6f130a1438651a7.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 38 +++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 976d5bc1b5176..268205cc347da 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -13,13 +13,14 @@ + */ + + #include +-#include + #include + #include + #include + #include + #include + #include ++#include ++#include + + #include + #include +@@ -39,8 +40,6 @@ static struct tau_temp + unsigned char grew; + } tau[NR_CPUS]; + +-struct timer_list tau_timer; +- + #undef DEBUG + + /* TODO: put these in a /proc interface, with some sanity checks, and maybe +@@ -50,7 +49,7 @@ struct timer_list tau_timer; + #define step_size 2 /* step size when temp goes out of range */ + #define window_expand 1 /* expand the window by this much */ + /* configurable values for shrinking the window */ +-#define shrink_timer 2*HZ /* period between shrinking the window */ ++#define shrink_timer 2000 /* period between shrinking the window */ + #define min_window 2 /* minimum window size, degrees C */ + + static void set_thresholds(unsigned long cpu) +@@ -187,14 +186,18 @@ static void tau_timeout(void * info) + local_irq_restore(flags); + } + +-static void tau_timeout_smp(struct timer_list *unused) +-{ ++static struct workqueue_struct *tau_workq; + +- /* schedule ourselves to be run again */ +- mod_timer(&tau_timer, jiffies + shrink_timer) ; ++static void tau_work_func(struct work_struct *work) ++{ ++ msleep(shrink_timer); + on_each_cpu(tau_timeout, NULL, 0); ++ /* schedule ourselves to be run again */ ++ queue_work(tau_workq, work); + } + ++DECLARE_WORK(tau_work, tau_work_func); ++ + /* + * setup the TAU + * +@@ -227,21 +230,16 @@ static int __init TAU_init(void) + return 1; + } + +- +- /* first, set up the window shrinking timer */ +- timer_setup(&tau_timer, tau_timeout_smp, 0); +- tau_timer.expires = jiffies + shrink_timer; +- add_timer(&tau_timer); ++ tau_workq = alloc_workqueue("tau", WQ_UNBOUND, 1, 0); ++ if (!tau_workq) ++ return -ENOMEM; + + on_each_cpu(TAU_init_smp, NULL, 0); + +- printk("Thermal assist unit "); +-#ifdef CONFIG_TAU_INT +- printk("using interrupts, "); +-#else +- printk("using timers, "); +-#endif +- printk("shrink_timer: %d jiffies\n", shrink_timer); ++ queue_work(tau_workq, &tau_work); ++ ++ pr_info("Thermal assist unit using %s, shrink_timer: %d ms\n", ++ IS_ENABLED(CONFIG_TAU_INT) ? "interrupts" : "workqueue", shrink_timer); + tau_initialized = 1; + + return 0; +-- +2.25.1 + diff --git a/queue-5.4/powerpc-tau-disable-tau-between-measurements.patch b/queue-5.4/powerpc-tau-disable-tau-between-measurements.patch new file mode 100644 index 00000000000..77656b000f3 --- /dev/null +++ b/queue-5.4/powerpc-tau-disable-tau-between-measurements.patch @@ -0,0 +1,199 @@ +From 4ca6542c6e5fc0fddda5e8f5cc867650eaa98f39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Disable TAU between measurements + +From: Finn Thain + +[ Upstream commit e63d6fb5637e92725cf143559672a34b706bca4f ] + +Enabling CONFIG_TAU_INT causes random crashes: + +Unrecoverable exception 1700 at c0009414 (msr=1000) +Oops: Unrecoverable exception, sig: 6 [#1] +BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac-00043-gd5f545e1a8593 #5 +NIP: c0009414 LR: c0009414 CTR: c00116fc +REGS: c0799eb8 TRAP: 1700 Not tainted (5.7.0-pmac-00043-gd5f545e1a8593) +MSR: 00001000 CR: 22000228 XER: 00000100 + +GPR00: 00000000 c0799f70 c076e300 00800000 0291c0ac 00e00000 c076e300 00049032 +GPR08: 00000001 c00116fc 00000000 dfbd3200 ffffffff 007f80a8 00000000 00000000 +GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c075ce04 +GPR24: c075ce04 dfff8880 c07b0000 c075ce04 00080000 00000001 c079ef98 c079ef5c +NIP [c0009414] arch_cpu_idle+0x24/0x6c +LR [c0009414] arch_cpu_idle+0x24/0x6c +Call Trace: +[c0799f70] [00000001] 0x1 (unreliable) +[c0799f80] [c0060990] do_idle+0xd8/0x17c +[c0799fa0] [c0060ba4] cpu_startup_entry+0x20/0x28 +[c0799fb0] [c072d220] start_kernel+0x434/0x44c +[c0799ff0] [00003860] 0x3860 +Instruction dump: +XXXXXXXX XXXXXXXX XXXXXXXX 3d20c07b XXXXXXXX XXXXXXXX XXXXXXXX 7c0802a6 +XXXXXXXX XXXXXXXX XXXXXXXX 4e800421 XXXXXXXX XXXXXXXX XXXXXXXX 7d2000a6 +---[ end trace 3a0c9b5cb216db6b ]--- + +Resolve this problem by disabling each THRMn comparator when handling +the associated THRMn interrupt and by disabling the TAU entirely when +updating THRMn thresholds. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/5a0ba3dc5612c7aac596727331284a3676c08472.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 65 +++++++++++++--------------------- + arch/powerpc/platforms/Kconfig | 9 ++--- + 2 files changed, 26 insertions(+), 48 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 614b5b272d9c6..0b4694b8d2482 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -42,8 +42,6 @@ static struct tau_temp + + static bool tau_int_enable; + +-#undef DEBUG +- + /* TODO: put these in a /proc interface, with some sanity checks, and maybe + * dynamic adjustment to minimize # of interrupts */ + /* configurable values for step size and how much to expand the window when +@@ -67,42 +65,33 @@ static void set_thresholds(unsigned long cpu) + + static void TAUupdate(int cpu) + { +- unsigned thrm; +- +-#ifdef DEBUG +- printk("TAUupdate "); +-#endif ++ u32 thrm; ++ u32 bits = THRM1_TIV | THRM1_TIN | THRM1_V; + + /* if both thresholds are crossed, the step_sizes cancel out + * and the window winds up getting expanded twice. */ +- if((thrm = mfspr(SPRN_THRM1)) & THRM1_TIV){ /* is valid? */ +- if(thrm & THRM1_TIN){ /* crossed low threshold */ +- if (tau[cpu].low >= step_size){ +- tau[cpu].low -= step_size; +- tau[cpu].high -= (step_size - window_expand); +- } +- tau[cpu].grew = 1; +-#ifdef DEBUG +- printk("low threshold crossed "); +-#endif ++ thrm = mfspr(SPRN_THRM1); ++ if ((thrm & bits) == bits) { ++ mtspr(SPRN_THRM1, 0); ++ ++ if (tau[cpu].low >= step_size) { ++ tau[cpu].low -= step_size; ++ tau[cpu].high -= (step_size - window_expand); + } ++ tau[cpu].grew = 1; ++ pr_debug("%s: low threshold crossed\n", __func__); + } +- if((thrm = mfspr(SPRN_THRM2)) & THRM1_TIV){ /* is valid? */ +- if(thrm & THRM1_TIN){ /* crossed high threshold */ +- if (tau[cpu].high <= 127-step_size){ +- tau[cpu].low += (step_size - window_expand); +- tau[cpu].high += step_size; +- } +- tau[cpu].grew = 1; +-#ifdef DEBUG +- printk("high threshold crossed "); +-#endif ++ thrm = mfspr(SPRN_THRM2); ++ if ((thrm & bits) == bits) { ++ mtspr(SPRN_THRM2, 0); ++ ++ if (tau[cpu].high <= 127 - step_size) { ++ tau[cpu].low += (step_size - window_expand); ++ tau[cpu].high += step_size; + } ++ tau[cpu].grew = 1; ++ pr_debug("%s: high threshold crossed\n", __func__); + } +- +-#ifdef DEBUG +- printk("grew = %d\n", tau[cpu].grew); +-#endif + } + + #ifdef CONFIG_TAU_INT +@@ -127,17 +116,17 @@ void TAUException(struct pt_regs * regs) + static void tau_timeout(void * info) + { + int cpu; +- unsigned long flags; + int size; + int shrink; + +- /* disabling interrupts *should* be okay */ +- local_irq_save(flags); + cpu = smp_processor_id(); + + if (!tau_int_enable) + TAUupdate(cpu); + ++ /* Stop thermal sensor comparisons and interrupts */ ++ mtspr(SPRN_THRM3, 0); ++ + size = tau[cpu].high - tau[cpu].low; + if (size > min_window && ! tau[cpu].grew) { + /* do an exponential shrink of half the amount currently over size */ +@@ -159,18 +148,12 @@ static void tau_timeout(void * info) + + set_thresholds(cpu); + +- /* +- * Do the enable every time, since otherwise a bunch of (relatively) +- * complex sleep code needs to be added. One mtspr every time +- * tau_timeout is called is probably not a big deal. +- * ++ /* Restart thermal sensor comparisons and interrupts. + * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet" + * recommends that "the maximum value be set in THRM3 under all + * conditions." + */ + mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E); +- +- local_irq_restore(flags); + } + + static struct workqueue_struct *tau_workq; +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig +index 92d7f2a7936e7..18792a5b003a0 100644 +--- a/arch/powerpc/platforms/Kconfig ++++ b/arch/powerpc/platforms/Kconfig +@@ -223,7 +223,7 @@ config TAU + don't assume the cpu temp is actually what /proc/cpuinfo says it is. + + config TAU_INT +- bool "Interrupt driven TAU driver (DANGEROUS)" ++ bool "Interrupt driven TAU driver (EXPERIMENTAL)" + depends on TAU + ---help--- + The TAU supports an interrupt driven mode which causes an interrupt +@@ -231,12 +231,7 @@ config TAU_INT + to get notified the temp has exceeded a range. With this option off, + a timer is used to re-check the temperature periodically. + +- However, on some cpus it appears that the TAU interrupt hardware +- is buggy and can cause a situation which would lead unexplained hard +- lockups. +- +- Unless you are extending the TAU driver, or enjoy kernel/hardware +- debugging, leave this option off. ++ If in doubt, say N here. + + config TAU_AVERAGE + bool "Average high and low temp" +-- +2.25.1 + diff --git a/queue-5.4/powerpc-tau-remove-duplicated-set_thresholds-call.patch b/queue-5.4/powerpc-tau-remove-duplicated-set_thresholds-call.patch new file mode 100644 index 00000000000..893c7211270 --- /dev/null +++ b/queue-5.4/powerpc-tau-remove-duplicated-set_thresholds-call.patch @@ -0,0 +1,44 @@ +From 93d752018bcd630ab92d8db6539824a304c01af1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Remove duplicated set_thresholds() call + +From: Finn Thain + +[ Upstream commit 420ab2bc7544d978a5d0762ee736412fe9c796ab ] + +The commentary at the call site seems to disagree with the code. The +conditional prevents calling set_thresholds() via the exception handler, +which appears to crash. Perhaps that's because it immediately triggers +another TAU exception. Anyway, calling set_thresholds() from TAUupdate() +is redundant because tau_timeout() does so. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/d7c7ee33232cf72a6a6bbb6ef05838b2e2b113c0.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 268205cc347da..b8d7e7d498e0a 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -110,11 +110,6 @@ static void TAUupdate(int cpu) + #ifdef DEBUG + printk("grew = %d\n", tau[cpu].grew); + #endif +- +-#ifndef CONFIG_TAU_INT /* tau_timeout will do this if not using interrupts */ +- set_thresholds(cpu); +-#endif +- + } + + #ifdef CONFIG_TAU_INT +-- +2.25.1 + diff --git a/queue-5.4/powerpc-tau-use-appropriate-temperature-sample-inter.patch b/queue-5.4/powerpc-tau-use-appropriate-temperature-sample-inter.patch new file mode 100644 index 00000000000..f975a7eb4f4 --- /dev/null +++ b/queue-5.4/powerpc-tau-use-appropriate-temperature-sample-inter.patch @@ -0,0 +1,68 @@ +From 2d3ba5ee0b190dbb8a6a6755c95fa64ebe9739b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Use appropriate temperature sample interval + +From: Finn Thain + +[ Upstream commit 66943005cc41f48e4d05614e8f76c0ca1812f0fd ] + +According to the MPC750 Users Manual, the SITV value in Thermal +Management Register 3 is 13 bits long. The present code calculates the +SITV value as 60 * 500 cycles. This would overflow to give 10 us on +a 500 MHz CPU rather than the intended 60 us. (But according to the +Microprocessor Datasheet, there is also a factor of 266 that has to be +applied to this value on certain parts i.e. speed sort above 266 MHz.) +Always use the maximum cycle count, as recommended by the Datasheet. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/896f542e5f0f1d6cf8218524c2b67d79f3d69b3c.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/reg.h | 2 +- + arch/powerpc/kernel/tau_6xx.c | 12 ++++-------- + 2 files changed, 5 insertions(+), 9 deletions(-) + +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h +index b3cbb1136bce0..34d08ff21b988 100644 +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -796,7 +796,7 @@ + #define THRM1_TIN (1 << 31) + #define THRM1_TIV (1 << 30) + #define THRM1_THRES(x) ((x&0x7f)<<23) +-#define THRM3_SITV(x) ((x&0x3fff)<<1) ++#define THRM3_SITV(x) ((x & 0x1fff) << 1) + #define THRM1_TID (1<<2) + #define THRM1_TIE (1<<1) + #define THRM1_V (1<<0) +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index e2ab8a111b693..976d5bc1b5176 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -178,15 +178,11 @@ static void tau_timeout(void * info) + * complex sleep code needs to be added. One mtspr every time + * tau_timeout is called is probably not a big deal. + * +- * Enable thermal sensor and set up sample interval timer +- * need 20 us to do the compare.. until a nice 'cpu_speed' function +- * call is implemented, just assume a 500 mhz clock. It doesn't really +- * matter if we take too long for a compare since it's all interrupt +- * driven anyway. +- * +- * use a extra long time.. (60 us @ 500 mhz) ++ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet" ++ * recommends that "the maximum value be set in THRM3 under all ++ * conditions." + */ +- mtspr(SPRN_THRM3, THRM3_SITV(500*60) | THRM3_E); ++ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E); + + local_irq_restore(flags); + } +-- +2.25.1 + diff --git a/queue-5.4/pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch b/queue-5.4/pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch new file mode 100644 index 00000000000..0ec847a90f4 --- /dev/null +++ b/queue-5.4/pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch @@ -0,0 +1,210 @@ +From cf56d5b1f30d61c2c2ec995e31bf70c4d27bfa03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 20:51:15 -0500 +Subject: pseries/drmem: don't cache node id in drmem_lmb struct + +From: Scott Cheloha + +[ Upstream commit e5e179aa3a39c818db8fbc2dce8d2cd24adaf657 ] + +At memory hot-remove time we can retrieve an LMB's nid from its +corresponding memory_block. There is no need to store the nid +in multiple locations. + +Note that lmb_to_memblock() uses find_memory_block() to get the +corresponding memory_block. As find_memory_block() runs in sub-linear +time this approach is negligibly slower than what we do at present. + +In exchange for this lookup at hot-remove time we no longer need to +call memory_add_physaddr_to_nid() during drmem_init() for each LMB. +On powerpc, memory_add_physaddr_to_nid() is a linear search, so this +spares us an O(n^2) initialization during boot. + +On systems with many LMBs that initialization overhead is palpable and +disruptive. For example, on a box with 249854 LMBs we're seeing +drmem_init() take upwards of 30 seconds to complete: + +[ 53.721639] drmem: initializing drmem v2 +[ 80.604346] watchdog: BUG: soft lockup - CPU#65 stuck for 23s! [swapper/0:1] +[ 80.604377] Modules linked in: +[ 80.604389] CPU: 65 PID: 1 Comm: swapper/0 Not tainted 5.6.0-rc2+ #4 +[ 80.604397] NIP: c0000000000a4980 LR: c0000000000a4940 CTR: 0000000000000000 +[ 80.604407] REGS: c0002dbff8493830 TRAP: 0901 Not tainted (5.6.0-rc2+) +[ 80.604412] MSR: 8000000002009033 CR: 44000248 XER: 0000000d +[ 80.604431] CFAR: c0000000000a4a38 IRQMASK: 0 +[ 80.604431] GPR00: c0000000000a4940 c0002dbff8493ac0 c000000001904400 c0003cfffffede30 +[ 80.604431] GPR04: 0000000000000000 c000000000f4095a 000000000000002f 0000000010000000 +[ 80.604431] GPR08: c0000bf7ecdb7fb8 c0000bf7ecc2d3c8 0000000000000008 c00c0002fdfb2001 +[ 80.604431] GPR12: 0000000000000000 c00000001e8ec200 +[ 80.604477] NIP [c0000000000a4980] hot_add_scn_to_nid+0xa0/0x3e0 +[ 80.604486] LR [c0000000000a4940] hot_add_scn_to_nid+0x60/0x3e0 +[ 80.604492] Call Trace: +[ 80.604498] [c0002dbff8493ac0] [c0000000000a4940] hot_add_scn_to_nid+0x60/0x3e0 (unreliable) +[ 80.604509] [c0002dbff8493b20] [c000000000087c10] memory_add_physaddr_to_nid+0x20/0x60 +[ 80.604521] [c0002dbff8493b40] [c0000000010d4880] drmem_init+0x25c/0x2f0 +[ 80.604530] [c0002dbff8493c10] [c000000000010154] do_one_initcall+0x64/0x2c0 +[ 80.604540] [c0002dbff8493ce0] [c0000000010c4aa0] kernel_init_freeable+0x2d8/0x3a0 +[ 80.604550] [c0002dbff8493db0] [c000000000010824] kernel_init+0x2c/0x148 +[ 80.604560] [c0002dbff8493e20] [c00000000000b648] ret_from_kernel_thread+0x5c/0x74 +[ 80.604567] Instruction dump: +[ 80.604574] 392918e8 e9490000 e90a000a e92a0000 80ea000c 1d080018 3908ffe8 7d094214 +[ 80.604586] 7fa94040 419d00dc e9490010 714a0088 <2faa0008> 409e00ac e9490000 7fbe5040 +[ 89.047390] drmem: 249854 LMB(s) + +With a patched kernel on the same machine we're no longer seeing the +soft lockup. drmem_init() now completes in negligible time, even when +the LMB count is large. + +Fixes: b2d3b5ee66f2 ("powerpc/pseries: Track LMB nid instead of using device tree") +Signed-off-by: Scott Cheloha +Reviewed-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200811015115.63677-1-cheloha@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/drmem.h | 21 ---------------- + arch/powerpc/mm/drmem.c | 6 +---- + .../platforms/pseries/hotplug-memory.c | 24 ++++++++++++------- + 3 files changed, 17 insertions(+), 34 deletions(-) + +diff --git a/arch/powerpc/include/asm/drmem.h b/arch/powerpc/include/asm/drmem.h +index dcd6ac098a6e4..bea7a2405ba5d 100644 +--- a/arch/powerpc/include/asm/drmem.h ++++ b/arch/powerpc/include/asm/drmem.h +@@ -15,9 +15,6 @@ struct drmem_lmb { + u32 drc_index; + u32 aa_index; + u32 flags; +-#ifdef CONFIG_MEMORY_HOTPLUG +- int nid; +-#endif + }; + + struct drmem_lmb_info { +@@ -119,22 +116,4 @@ static inline void invalidate_lmb_associativity_index(struct drmem_lmb *lmb) + lmb->aa_index = 0xffffffff; + } + +-#ifdef CONFIG_MEMORY_HOTPLUG +-static inline void lmb_set_nid(struct drmem_lmb *lmb) +-{ +- lmb->nid = memory_add_physaddr_to_nid(lmb->base_addr); +-} +-static inline void lmb_clear_nid(struct drmem_lmb *lmb) +-{ +- lmb->nid = -1; +-} +-#else +-static inline void lmb_set_nid(struct drmem_lmb *lmb) +-{ +-} +-static inline void lmb_clear_nid(struct drmem_lmb *lmb) +-{ +-} +-#endif +- + #endif /* _ASM_POWERPC_LMB_H */ +diff --git a/arch/powerpc/mm/drmem.c b/arch/powerpc/mm/drmem.c +index 59327cefbc6a6..873fcfc7b8756 100644 +--- a/arch/powerpc/mm/drmem.c ++++ b/arch/powerpc/mm/drmem.c +@@ -362,10 +362,8 @@ static void __init init_drmem_v1_lmbs(const __be32 *prop) + if (!drmem_info->lmbs) + return; + +- for_each_drmem_lmb(lmb) { ++ for_each_drmem_lmb(lmb) + read_drconf_v1_cell(lmb, &prop); +- lmb_set_nid(lmb); +- } + } + + static void __init init_drmem_v2_lmbs(const __be32 *prop) +@@ -410,8 +408,6 @@ static void __init init_drmem_v2_lmbs(const __be32 *prop) + + lmb->aa_index = dr_cell.aa_index; + lmb->flags = dr_cell.flags; +- +- lmb_set_nid(lmb); + } + } + } +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index e7d23a933a0d3..66b32f46702de 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -376,25 +376,32 @@ static int dlpar_add_lmb(struct drmem_lmb *); + + static int dlpar_remove_lmb(struct drmem_lmb *lmb) + { ++ struct memory_block *mem_block; + unsigned long block_sz; + int rc; + + if (!lmb_is_removable(lmb)) + return -EINVAL; + ++ mem_block = lmb_to_memblock(lmb); ++ if (mem_block == NULL) ++ return -EINVAL; ++ + rc = dlpar_offline_lmb(lmb); +- if (rc) ++ if (rc) { ++ put_device(&mem_block->dev); + return rc; ++ } + + block_sz = pseries_memory_block_size(); + +- __remove_memory(lmb->nid, lmb->base_addr, block_sz); ++ __remove_memory(mem_block->nid, lmb->base_addr, block_sz); ++ put_device(&mem_block->dev); + + /* Update memory regions for memory remove */ + memblock_remove(lmb->base_addr, block_sz); + + invalidate_lmb_associativity_index(lmb); +- lmb_clear_nid(lmb); + lmb->flags &= ~DRCONF_MEM_ASSIGNED; + + return 0; +@@ -651,7 +658,7 @@ static int dlpar_memory_remove_by_ic(u32 lmbs_to_remove, u32 drc_index) + static int dlpar_add_lmb(struct drmem_lmb *lmb) + { + unsigned long block_sz; +- int rc; ++ int nid, rc; + + if (lmb->flags & DRCONF_MEM_ASSIGNED) + return -EINVAL; +@@ -662,11 +669,13 @@ static int dlpar_add_lmb(struct drmem_lmb *lmb) + return rc; + } + +- lmb_set_nid(lmb); + block_sz = memory_block_size_bytes(); + ++ /* Find the node id for this address. */ ++ nid = memory_add_physaddr_to_nid(lmb->base_addr); ++ + /* Add the memory */ +- rc = __add_memory(lmb->nid, lmb->base_addr, block_sz); ++ rc = __add_memory(nid, lmb->base_addr, block_sz); + if (rc) { + invalidate_lmb_associativity_index(lmb); + return rc; +@@ -674,9 +683,8 @@ static int dlpar_add_lmb(struct drmem_lmb *lmb) + + rc = dlpar_online_lmb(lmb); + if (rc) { +- __remove_memory(lmb->nid, lmb->base_addr, block_sz); ++ __remove_memory(nid, lmb->base_addr, block_sz); + invalidate_lmb_associativity_index(lmb); +- lmb_clear_nid(lmb); + } else { + lmb->flags |= DRCONF_MEM_ASSIGNED; + } +-- +2.25.1 + diff --git a/queue-5.4/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch b/queue-5.4/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch new file mode 100644 index 00000000000..543eb9e45c5 --- /dev/null +++ b/queue-5.4/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch @@ -0,0 +1,140 @@ +From 6adff8244b8ac706bdea56354b88064a88b8ef4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:00:45 +0200 +Subject: pty: do tty_flip_buffer_push without port->lock in pty_write + +From: Artem Savkov + +[ Upstream commit 71a174b39f10b4b93223d374722aa894b5d8a82e ] + +b6da31b2c07c "tty: Fix data race in tty_insert_flip_string_fixed_flag" +puts tty_flip_buffer_push under port->lock introducing the following +possible circular locking dependency: + +[30129.876566] ====================================================== +[30129.876566] WARNING: possible circular locking dependency detected +[30129.876567] 5.9.0-rc2+ #3 Tainted: G S W +[30129.876568] ------------------------------------------------------ +[30129.876568] sysrq.sh/1222 is trying to acquire lock: +[30129.876569] ffffffff92c39480 (console_owner){....}-{0:0}, at: console_unlock+0x3fe/0xa90 + +[30129.876572] but task is already holding lock: +[30129.876572] ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca + +[30129.876576] which lock already depends on the new lock. + +[30129.876577] the existing dependency chain (in reverse order) is: + +[30129.876578] -> #3 (&pool->lock/1){-.-.}-{2:2}: +[30129.876581] _raw_spin_lock+0x30/0x70 +[30129.876581] __queue_work+0x1a3/0x10f0 +[30129.876582] queue_work_on+0x78/0x80 +[30129.876582] pty_write+0x165/0x1e0 +[30129.876583] n_tty_write+0x47f/0xf00 +[30129.876583] tty_write+0x3d6/0x8d0 +[30129.876584] vfs_write+0x1a8/0x650 + +[30129.876588] -> #2 (&port->lock#2){-.-.}-{2:2}: +[30129.876590] _raw_spin_lock_irqsave+0x3b/0x80 +[30129.876591] tty_port_tty_get+0x1d/0xb0 +[30129.876592] tty_port_default_wakeup+0xb/0x30 +[30129.876592] serial8250_tx_chars+0x3d6/0x970 +[30129.876593] serial8250_handle_irq.part.12+0x216/0x380 +[30129.876593] serial8250_default_handle_irq+0x82/0xe0 +[30129.876594] serial8250_interrupt+0xdd/0x1b0 +[30129.876595] __handle_irq_event_percpu+0xfc/0x850 + +[30129.876602] -> #1 (&port->lock){-.-.}-{2:2}: +[30129.876605] _raw_spin_lock_irqsave+0x3b/0x80 +[30129.876605] serial8250_console_write+0x12d/0x900 +[30129.876606] console_unlock+0x679/0xa90 +[30129.876606] register_console+0x371/0x6e0 +[30129.876607] univ8250_console_init+0x24/0x27 +[30129.876607] console_init+0x2f9/0x45e + +[30129.876609] -> #0 (console_owner){....}-{0:0}: +[30129.876611] __lock_acquire+0x2f70/0x4e90 +[30129.876612] lock_acquire+0x1ac/0xad0 +[30129.876612] console_unlock+0x460/0xa90 +[30129.876613] vprintk_emit+0x130/0x420 +[30129.876613] printk+0x9f/0xc5 +[30129.876614] show_pwq+0x154/0x618 +[30129.876615] show_workqueue_state.cold.55+0x193/0x6ca +[30129.876615] __handle_sysrq+0x244/0x460 +[30129.876616] write_sysrq_trigger+0x48/0x4a +[30129.876616] proc_reg_write+0x1a6/0x240 +[30129.876617] vfs_write+0x1a8/0x650 + +[30129.876619] other info that might help us debug this: + +[30129.876620] Chain exists of: +[30129.876621] console_owner --> &port->lock#2 --> &pool->lock/1 + +[30129.876625] Possible unsafe locking scenario: + +[30129.876626] CPU0 CPU1 +[30129.876626] ---- ---- +[30129.876627] lock(&pool->lock/1); +[30129.876628] lock(&port->lock#2); +[30129.876630] lock(&pool->lock/1); +[30129.876631] lock(console_owner); + +[30129.876633] *** DEADLOCK *** + +[30129.876634] 5 locks held by sysrq.sh/1222: +[30129.876634] #0: ffff8881d3ce0470 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x359/0x650 +[30129.876637] #1: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: __handle_sysrq+0x4d/0x460 +[30129.876640] #2: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: show_workqueue_state+0x5/0xf0 +[30129.876642] #3: ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca +[30129.876645] #4: ffffffff92c39980 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x123/0x420 + +[30129.876648] stack backtrace: +[30129.876649] CPU: 3 PID: 1222 Comm: sysrq.sh Tainted: G S W 5.9.0-rc2+ #3 +[30129.876649] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012 +[30129.876650] Call Trace: +[30129.876650] dump_stack+0x9d/0xe0 +[30129.876651] check_noncircular+0x34f/0x410 +[30129.876653] __lock_acquire+0x2f70/0x4e90 +[30129.876656] lock_acquire+0x1ac/0xad0 +[30129.876658] console_unlock+0x460/0xa90 +[30129.876660] vprintk_emit+0x130/0x420 +[30129.876660] printk+0x9f/0xc5 +[30129.876661] show_pwq+0x154/0x618 +[30129.876662] show_workqueue_state.cold.55+0x193/0x6ca +[30129.876664] __handle_sysrq+0x244/0x460 +[30129.876665] write_sysrq_trigger+0x48/0x4a +[30129.876665] proc_reg_write+0x1a6/0x240 +[30129.876666] vfs_write+0x1a8/0x650 + +It looks like the commit was aimed to protect tty_insert_flip_string and +there is no need for tty_flip_buffer_push to be under this lock. + +Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag") +Signed-off-by: Artem Savkov +Acked-by: Jiri Slaby +Link: https://lore.kernel.org/r/20200902120045.3693075-1-asavkov@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/pty.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index 00099a8439d21..c6a1d8c4e6894 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -120,10 +120,10 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) + spin_lock_irqsave(&to->port->lock, flags); + /* Stuff the data into the input queue of the other end */ + c = tty_insert_flip_string(to->port, buf, c); ++ spin_unlock_irqrestore(&to->port->lock, flags); + /* And shovel */ + if (c) + tty_flip_buffer_push(to->port); +- spin_unlock_irqrestore(&to->port->lock, flags); + } + return c; + } +-- +2.25.1 + diff --git a/queue-5.4/pwm-img-fix-null-pointer-access-in-probe.patch b/queue-5.4/pwm-img-fix-null-pointer-access-in-probe.patch new file mode 100644 index 00000000000..4bd460d3ab8 --- /dev/null +++ b/queue-5.4/pwm-img-fix-null-pointer-access-in-probe.patch @@ -0,0 +1,53 @@ +From b261b53539d8070d58dce7597a01d2067d5327ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 19:14:25 +0200 +Subject: pwm: img: Fix null pointer access in probe + +From: Hauke Mehrtens + +[ Upstream commit b39c0615d0667b3a6f2f5c4bf99ffadf3b518bb1 ] + +dev_get_drvdata() is called in img_pwm_runtime_resume() before the +driver data is set. +When pm_runtime_enabled() returns false in img_pwm_probe() it calls +img_pwm_runtime_resume() which results in a null pointer access. + +This patch fixes the problem by setting the driver data earlier in the +img_pwm_probe() function. + +This crash was seen when booting the Imagination Technologies Creator +Ci40 (Marduk) with kernel 5.4 in OpenWrt. + +Fixes: e690ae526216 ("pwm: img: Add runtime PM") +Signed-off-by: Hauke Mehrtens +Acked-by: Lee Jones +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-img.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-img.c b/drivers/pwm/pwm-img.c +index 599a0f66a3845..a34d95ed70b20 100644 +--- a/drivers/pwm/pwm-img.c ++++ b/drivers/pwm/pwm-img.c +@@ -277,6 +277,8 @@ static int img_pwm_probe(struct platform_device *pdev) + return PTR_ERR(pwm->pwm_clk); + } + ++ platform_set_drvdata(pdev, pwm); ++ + pm_runtime_set_autosuspend_delay(&pdev->dev, IMG_PWM_PM_TIMEOUT); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_enable(&pdev->dev); +@@ -313,7 +315,6 @@ static int img_pwm_probe(struct platform_device *pdev) + goto err_suspend; + } + +- platform_set_drvdata(pdev, pwm); + return 0; + + err_suspend: +-- +2.25.1 + diff --git a/queue-5.4/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch b/queue-5.4/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch new file mode 100644 index 00000000000..166e3ff8d0a --- /dev/null +++ b/queue-5.4/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch @@ -0,0 +1,68 @@ +From 59b34eac5b50006e0bb7bef5bdc4f9fe1e430962 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 13:23:24 +0200 +Subject: pwm: lpss: Add range limit check for the base_unit register value + +From: Hans de Goede + +[ Upstream commit ef9f60daab309558c8bb3e086a9a11ee40bd6061 ] + +When the user requests a high enough period ns value, then the +calculations in pwm_lpss_prepare() might result in a base_unit value of 0. + +But according to the data-sheet the way the PWM controller works is that +each input clock-cycle the base_unit gets added to a N bit counter and +that counter overflowing determines the PWM output frequency. Adding 0 +to the counter is a no-op. The data-sheet even explicitly states that +writing 0 to the base_unit bits will result in the PWM outputting a +continuous 0 signal. + +When the user requestes a low enough period ns value, then the +calculations in pwm_lpss_prepare() might result in a base_unit value +which is bigger then base_unit_range - 1. Currently the codes for this +deals with this by applying a mask: + + base_unit &= (base_unit_range - 1); + +But this means that we let the value overflow the range, we throw away the +higher bits and store whatever value is left in the lower bits into the +register leading to a random output frequency, rather then clamping the +output frequency to the highest frequency which the hardware can do. + +This commit fixes both issues by clamping the base_unit value to be +between 1 and (base_unit_range - 1). + +Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit") +Reviewed-by: Andy Shevchenko +Acked-by: Thierry Reding +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-5-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpss.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c +index 16f32576b320c..d77cec2769b76 100644 +--- a/drivers/pwm/pwm-lpss.c ++++ b/drivers/pwm/pwm-lpss.c +@@ -97,6 +97,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + freq *= base_unit_range; + + base_unit = DIV_ROUND_CLOSEST_ULL(freq, c); ++ /* base_unit must not be 0 and we also want to avoid overflowing it */ ++ base_unit = clamp_val(base_unit, 1, base_unit_range - 1); + + on_time_div = 255ULL * duty_ns; + do_div(on_time_div, period_ns); +@@ -105,7 +107,6 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + orig_ctrl = ctrl = pwm_lpss_read(pwm); + ctrl &= ~PWM_ON_TIME_DIV_MASK; + ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT); +- base_unit &= (base_unit_range - 1); + ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT; + ctrl |= on_time_div; + +-- +2.25.1 + diff --git a/queue-5.4/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch b/queue-5.4/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch new file mode 100644 index 00000000000..88a5d0a54db --- /dev/null +++ b/queue-5.4/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch @@ -0,0 +1,68 @@ +From 9cf5c9b70a6cbe1af424abee0c45e78c07aee7d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 13:23:23 +0200 +Subject: pwm: lpss: Fix off by one error in base_unit math in + pwm_lpss_prepare() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit 181f4d2f44463fe09fe4df02e03095cb87151c29 ] + +According to the data-sheet the way the PWM controller works is that +each input clock-cycle the base_unit gets added to a N bit counter and +that counter overflowing determines the PWM output frequency. + +So assuming e.g. a 16 bit counter this means that if base_unit is set to 1, +after 65535 input clock-cycles the counter has been increased from 0 to +65535 and it will overflow on the next cycle, so it will overflow after +every 65536 clock cycles and thus the calculations done in +pwm_lpss_prepare() should use 65536 and not 65535. + +This commit fixes this. Note this also aligns the calculations in +pwm_lpss_prepare() with those in pwm_lpss_get_state(). + +Note this effectively reverts commit 684309e5043e ("pwm: lpss: Avoid +potential overflow of base_unit"). The next patch in this series really +fixes the potential overflow of the base_unit value. + +Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit") +Reviewed-by: Andy Shevchenko +Acked-by: Uwe Kleine-König +Acked-by: Thierry Reding +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-4-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpss.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c +index 75bbfe5f3bc29..16f32576b320c 100644 +--- a/drivers/pwm/pwm-lpss.c ++++ b/drivers/pwm/pwm-lpss.c +@@ -93,7 +93,7 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + * The equation is: + * base_unit = round(base_unit_range * freq / c) + */ +- base_unit_range = BIT(lpwm->info->base_unit_bits) - 1; ++ base_unit_range = BIT(lpwm->info->base_unit_bits); + freq *= base_unit_range; + + base_unit = DIV_ROUND_CLOSEST_ULL(freq, c); +@@ -104,8 +104,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + + orig_ctrl = ctrl = pwm_lpss_read(pwm); + ctrl &= ~PWM_ON_TIME_DIV_MASK; +- ctrl &= ~(base_unit_range << PWM_BASE_UNIT_SHIFT); +- base_unit &= base_unit_range; ++ ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT); ++ base_unit &= (base_unit_range - 1); + ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT; + ctrl |= on_time_div; + +-- +2.25.1 + diff --git a/queue-5.4/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch b/queue-5.4/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch new file mode 100644 index 00000000000..e06d1a1d679 --- /dev/null +++ b/queue-5.4/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch @@ -0,0 +1,46 @@ +From fe4fc84ca95f1e7250b12adeb344df4fe70b4bd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:22:24 +0100 +Subject: qtnfmac: fix resource leaks on unsupported iftype error return path + +From: Colin Ian King + +[ Upstream commit 63f6982075d890d7563e2469643f05a37d193f01 ] + +Currently if an unsupported iftype is detected the error return path +does not free the cmd_skb leading to a resource leak. Fix this by +free'ing cmd_skb. + +Addresses-Coverity: ("Resource leak") +Fixes: 805b28c05c8e ("qtnfmac: prepare for AP_VLAN interface type support") +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200925132224.21638-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/quantenna/qtnfmac/commands.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c +index c0c32805fb8de..106f1a846f499 100644 +--- a/drivers/net/wireless/quantenna/qtnfmac/commands.c ++++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c +@@ -834,6 +834,7 @@ int qtnf_cmd_send_del_intf(struct qtnf_vif *vif) + default: + pr_warn("VIF%u.%u: unsupported iftype %d\n", vif->mac->macid, + vif->vifid, vif->wdev.iftype); ++ dev_kfree_skb(cmd_skb); + ret = -EINVAL; + goto out; + } +@@ -1996,6 +1997,7 @@ int qtnf_cmd_send_change_sta(struct qtnf_vif *vif, const u8 *mac, + break; + default: + pr_err("unsupported iftype %d\n", vif->wdev.iftype); ++ dev_kfree_skb(cmd_skb); + ret = -EINVAL; + goto out; + } +-- +2.25.1 + diff --git a/queue-5.4/quota-clear-padding-in-v2r1_mem2diskdqb.patch b/queue-5.4/quota-clear-padding-in-v2r1_mem2diskdqb.patch new file mode 100644 index 00000000000..5abe76a507f --- /dev/null +++ b/queue-5.4/quota-clear-padding-in-v2r1_mem2diskdqb.patch @@ -0,0 +1,114 @@ +From ada0f5d7359b35714383b46fedf43b7f6f2735da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 11:36:19 -0700 +Subject: quota: clear padding in v2r1_mem2diskdqb() + +From: Eric Dumazet + +[ Upstream commit 3d3dc274ce736227e3197868ff749cff2f175f63 ] + +Freshly allocated memory contains garbage, better make sure +to init all struct v2r1_disk_dqblk fields to avoid KMSAN report: + +BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 +CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219 + qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 + v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285 + qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394 + v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 + dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 + ext4_write_dquot fs/ext4/super.c:5934 [inline] + ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 + mark_dquot_dirty fs/quota/dquot.c:347 [inline] + mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] + dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 + __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 + ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 + vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 + do_tmpfile fs/namei.c:3316 [inline] + path_openat+0x4035/0x6a90 fs/namei.c:3359 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c +RIP: 0023:0xf7ff4549 +Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127 +RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000 +RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80 + slab_alloc_node mm/slub.c:2907 [inline] + slab_alloc mm/slub.c:2916 [inline] + __kmalloc+0x2bb/0x4b0 mm/slub.c:3982 + kmalloc include/linux/slab.h:559 [inline] + getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52 + qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378 + v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 + dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 + ext4_write_dquot fs/ext4/super.c:5934 [inline] + ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 + mark_dquot_dirty fs/quota/dquot.c:347 [inline] + mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] + dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 + __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 + ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 + vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 + do_tmpfile fs/namei.c:3316 [inline] + path_openat+0x4035/0x6a90 fs/namei.c:3359 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits") +Link: https://lore.kernel.org/r/20200924183619.4176790-1-edumazet@google.com +Signed-off-by: Eric Dumazet +Cc: Jan Kara +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/quota_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c +index 53429c29c7842..276c27fb99280 100644 +--- a/fs/quota/quota_v2.c ++++ b/fs/quota/quota_v2.c +@@ -284,6 +284,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot) + d->dqb_curspace = cpu_to_le64(m->dqb_curspace); + d->dqb_btime = cpu_to_le64(m->dqb_btime); + d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id)); ++ d->dqb_pad = 0; + if (qtree_entry_unused(info, dp)) + d->dqb_itime = cpu_to_le64(1); + } +-- +2.25.1 + diff --git a/queue-5.4/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch b/queue-5.4/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch new file mode 100644 index 00000000000..714a1ddae73 --- /dev/null +++ b/queue-5.4/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch @@ -0,0 +1,42 @@ +From 64a9365e3ac6f68aea032fbcba8407ec432eb411 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:04 -0700 +Subject: ramfs: fix nommu mmap with gaps in the page cache + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 50b7d85680086126d7bd91dae81d57d4cb1ab6b7 ] + +ramfs needs to check that pages are both physically contiguous and +contiguous in the file. If the page cache happens to have, eg, page A for +index 0 of the file, no page for index 1, and page A+1 for index 2, then +an mmap of the first two pages of the file will succeed when it should +fail. + +Fixes: 642fb4d1f1dd ("[PATCH] NOMMU: Provide shared-writable mmap support on ramfs") +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Cc: David Howells +Link: https://lkml.kernel.org/r/20200914122239.GO6583@casper.infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ramfs/file-nommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ramfs/file-nommu.c b/fs/ramfs/file-nommu.c +index 4146954549560..355523f4a4bf3 100644 +--- a/fs/ramfs/file-nommu.c ++++ b/fs/ramfs/file-nommu.c +@@ -224,7 +224,7 @@ static unsigned long ramfs_nommu_get_unmapped_area(struct file *file, + if (!pages) + goto out_free; + +- nr = find_get_pages(inode->i_mapping, &pgoff, lpages, pages); ++ nr = find_get_pages_contig(inode->i_mapping, pgoff, lpages, pages); + if (nr != lpages) + goto out_free_pages; /* leave if some pages were missing */ + +-- +2.25.1 + diff --git a/queue-5.4/rapidio-fix-error-handling-path.patch b/queue-5.4/rapidio-fix-error-handling-path.patch new file mode 100644 index 00000000000..867e46b7bf2 --- /dev/null +++ b/queue-5.4/rapidio-fix-error-handling-path.patch @@ -0,0 +1,71 @@ +From 8f729c0209e5a3c43f80c2edf96e1aeafd4c307f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:15 -0700 +Subject: rapidio: fix error handling path + +From: Souptick Joarder + +[ Upstream commit fa63f083b3492b5ed5332b8d7c90b03b5ef24a1d ] + +rio_dma_transfer() attempts to clamp the return value of +pin_user_pages_fast() to be >= 0. However, the attempt fails because +nr_pages is overridden a few lines later, and restored to the undesirable +-ERRNO value. + +The return value is ultimately stored in nr_pages, which in turn is passed +to unpin_user_pages(), which expects nr_pages >= 0, else, disaster. + +Fix this by fixing the nesting of the assignment to nr_pages: nr_pages +should be clamped to zero if pin_user_pages_fast() returns -ERRNO, or set +to the return value of pin_user_pages_fast(), otherwise. + +[jhubbard@nvidia.com: new changelog] + +Fixes: e8de370188d09 ("rapidio: add mport char device driver") +Signed-off-by: Souptick Joarder +Signed-off-by: Andrew Morton +Reviewed-by: Ira Weiny +Reviewed-by: John Hubbard +Cc: Matthew Wilcox +Cc: Matt Porter +Cc: Alexandre Bounine +Cc: Gustavo A. R. Silva +Cc: Madhuparna Bhowmik +Cc: Dan Carpenter +Link: https://lkml.kernel.org/r/1600227737-20785-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index 0b85a80ae7ef6..1222522b4ae76 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -873,15 +873,16 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode, + rmcd_error("get_user_pages_unlocked err=%ld", + pinned); + nr_pages = 0; +- } else ++ } else { + rmcd_error("pinned %ld out of %ld pages", + pinned, nr_pages); ++ /* ++ * Set nr_pages up to mean "how many pages to unpin, in ++ * the error handler: ++ */ ++ nr_pages = pinned; ++ } + ret = -EFAULT; +- /* +- * Set nr_pages up to mean "how many pages to unpin, in +- * the error handler: +- */ +- nr_pages = pinned; + goto err_pg; + } + +-- +2.25.1 + diff --git a/queue-5.4/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch b/queue-5.4/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch new file mode 100644 index 00000000000..7e3f0951cc7 --- /dev/null +++ b/queue-5.4/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch @@ -0,0 +1,56 @@ +From 1d7e77ad8938276756b9f8bff1048a7db82aebc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:18 -0700 +Subject: rapidio: fix the missed put_device() for rio_mport_add_riodev + +From: Jing Xiangfeng + +[ Upstream commit 85094c05eeb47d195a74a25366a2db066f1c9d47 ] + +rio_mport_add_riodev() misses to call put_device() when the device already +exists. Add the missed function call to fix it. + +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Andrew Morton +Reviewed-by: Dan Carpenter +Cc: Matt Porter +Cc: Alexandre Bounine +Cc: Gustavo A. R. Silva +Cc: John Hubbard +Cc: Kees Cook +Cc: Madhuparna Bhowmik +Link: https://lkml.kernel.org/r/20200922072525.42330-1-jingxiangfeng@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index 1222522b4ae76..2b08fdeb87c18 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1683,6 +1683,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + struct rio_dev *rdev; + struct rio_switch *rswitch = NULL; + struct rio_mport *mport; ++ struct device *dev; + size_t size; + u32 rval; + u32 swpinfo = 0; +@@ -1697,8 +1698,10 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name, + dev_info.comptag, dev_info.destid, dev_info.hopcount); + +- if (bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name)) { ++ dev = bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name); ++ if (dev) { + rmcd_debug(RDEV, "device %s already exists", dev_info.name); ++ put_device(dev); + return -EEXIST; + } + +-- +2.25.1 + diff --git a/queue-5.4/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch b/queue-5.4/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch new file mode 100644 index 00000000000..7b302d1190e --- /dev/null +++ b/queue-5.4/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch @@ -0,0 +1,116 @@ +From dd77768ad1a1ce3c3fd0908bcd72071b04e6a151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:11:21 +0300 +Subject: RDMA/cma: Consolidate the destruction of a cma_multicast in one place + +From: Jason Gunthorpe + +[ Upstream commit 3788d2997bc0150ea911a964d5b5a2e11808a936 ] + +Two places were open coding this sequence, and also pull in +cma_leave_roce_mc_group() which was called only once. + +Link: https://lore.kernel.org/r/20200902081122.745412-8-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 63 +++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 32 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 10525c91cac6c..98d2d74b96f78 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1803,19 +1803,30 @@ static void cma_release_port(struct rdma_id_private *id_priv) + mutex_unlock(&lock); + } + +-static void cma_leave_roce_mc_group(struct rdma_id_private *id_priv, +- struct cma_multicast *mc) ++static void destroy_mc(struct rdma_id_private *id_priv, ++ struct cma_multicast *mc) + { +- struct rdma_dev_addr *dev_addr = &id_priv->id.route.addr.dev_addr; +- struct net_device *ndev = NULL; ++ if (rdma_cap_ib_mcast(id_priv->id.device, id_priv->id.port_num)) { ++ ib_sa_free_multicast(mc->multicast.ib); ++ kfree(mc); ++ return; ++ } + +- if (dev_addr->bound_dev_if) +- ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if); +- if (ndev) { +- cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false); +- dev_put(ndev); ++ if (rdma_protocol_roce(id_priv->id.device, ++ id_priv->id.port_num)) { ++ struct rdma_dev_addr *dev_addr = ++ &id_priv->id.route.addr.dev_addr; ++ struct net_device *ndev = NULL; ++ ++ if (dev_addr->bound_dev_if) ++ ndev = dev_get_by_index(dev_addr->net, ++ dev_addr->bound_dev_if); ++ if (ndev) { ++ cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false); ++ dev_put(ndev); ++ } ++ kref_put(&mc->mcref, release_mc); + } +- kref_put(&mc->mcref, release_mc); + } + + static void cma_leave_mc_groups(struct rdma_id_private *id_priv) +@@ -1823,16 +1834,10 @@ static void cma_leave_mc_groups(struct rdma_id_private *id_priv) + struct cma_multicast *mc; + + while (!list_empty(&id_priv->mc_list)) { +- mc = container_of(id_priv->mc_list.next, +- struct cma_multicast, list); ++ mc = list_first_entry(&id_priv->mc_list, struct cma_multicast, ++ list); + list_del(&mc->list); +- if (rdma_cap_ib_mcast(id_priv->cma_dev->device, +- id_priv->id.port_num)) { +- ib_sa_free_multicast(mc->multicast.ib); +- kfree(mc); +- } else { +- cma_leave_roce_mc_group(id_priv, mc); +- } ++ destroy_mc(id_priv, mc); + } + } + +@@ -4490,20 +4495,14 @@ void rdma_leave_multicast(struct rdma_cm_id *id, struct sockaddr *addr) + id_priv = container_of(id, struct rdma_id_private, id); + spin_lock_irq(&id_priv->lock); + list_for_each_entry(mc, &id_priv->mc_list, list) { +- if (!memcmp(&mc->addr, addr, rdma_addr_size(addr))) { +- list_del(&mc->list); +- spin_unlock_irq(&id_priv->lock); +- +- BUG_ON(id_priv->cma_dev->device != id->device); ++ if (memcmp(&mc->addr, addr, rdma_addr_size(addr)) != 0) ++ continue; ++ list_del(&mc->list); ++ spin_unlock_irq(&id_priv->lock); + +- if (rdma_cap_ib_mcast(id->device, id->port_num)) { +- ib_sa_free_multicast(mc->multicast.ib); +- kfree(mc); +- } else if (rdma_protocol_roce(id->device, id->port_num)) { +- cma_leave_roce_mc_group(id_priv, mc); +- } +- return; +- } ++ WARN_ON(id_priv->cma_dev->device != id->device); ++ destroy_mc(id_priv, mc); ++ return; + } + spin_unlock_irq(&id_priv->lock); + } +-- +2.25.1 + diff --git a/queue-5.4/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch b/queue-5.4/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch new file mode 100644 index 00000000000..8fe1318502a --- /dev/null +++ b/queue-5.4/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch @@ -0,0 +1,69 @@ +From 256baf2bf04f5ae11ca89b6b97954ff5ca2f3920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:11:20 +0300 +Subject: RDMA/cma: Remove dead code for kernel rdmacm multicast + +From: Jason Gunthorpe + +[ Upstream commit 1bb5091def706732c749df9aae45fbca003696f2 ] + +There is no kernel user of RDMA CM multicast so this code managing the +multicast subscription of the kernel-only internal QP is dead. Remove it. + +This makes the bug fixes in the next patches much simpler. + +Link: https://lore.kernel.org/r/20200902081122.745412-7-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index e3cd9d2b0dd2b..10525c91cac6c 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -4182,16 +4182,6 @@ static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast) + else + pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n", + status); +- mutex_lock(&id_priv->qp_mutex); +- if (!status && id_priv->id.qp) { +- status = ib_attach_mcast(id_priv->id.qp, &multicast->rec.mgid, +- be16_to_cpu(multicast->rec.mlid)); +- if (status) +- pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to attach QP. status %d\n", +- status); +- } +- mutex_unlock(&id_priv->qp_mutex); +- + event.status = status; + event.param.ud.private_data = mc->context; + if (!status) { +@@ -4446,6 +4436,10 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr, + struct cma_multicast *mc; + int ret; + ++ /* Not supported for kernel QPs */ ++ if (WARN_ON(id->qp)) ++ return -EINVAL; ++ + if (!id->device) + return -EINVAL; + +@@ -4500,11 +4494,6 @@ void rdma_leave_multicast(struct rdma_cm_id *id, struct sockaddr *addr) + list_del(&mc->list); + spin_unlock_irq(&id_priv->lock); + +- if (id->qp) +- ib_detach_mcast(id->qp, +- &mc->multicast.ib->rec.mgid, +- be16_to_cpu(mc->multicast.ib->rec.mlid)); +- + BUG_ON(id_priv->cma_dev->device != id->device); + + if (rdma_cap_ib_mcast(id->device, id->port_num)) { +-- +2.25.1 + diff --git a/queue-5.4/rdma-efa-use-ib_umem_num_dma_pages.patch b/queue-5.4/rdma-efa-use-ib_umem_num_dma_pages.patch new file mode 100644 index 00000000000..b0c01375b60 --- /dev/null +++ b/queue-5.4/rdma-efa-use-ib_umem_num_dma_pages.patch @@ -0,0 +1,50 @@ +From 39a52745de943c72c9ce7488cef9e3cafe962d31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 19:41:48 -0300 +Subject: RDMA/efa: Use ib_umem_num_dma_pages() + +From: Jason Gunthorpe + +[ Upstream commit 1f9b6827c85f9d9786f31a1434a16c917aae23b2 ] + +If ib_umem_find_best_pgsz() returns > PAGE_SIZE then the equation here is +not correct. 'start' should be 'virt'. Change it to use the core code for +page_num and the canonical calculation of page_shift. + +Fixes: 40ddb3f02083 ("RDMA/efa: Use API to get contiguous memory blocks aligned to device supported page size") +Link: https://lore.kernel.org/r/7-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com +Tested-by: Gal Pressman +Acked-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 4edae89e8e3ca..4a8830d3a9599 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -4,6 +4,7 @@ + */ + + #include ++#include + + #include + #include +@@ -1446,9 +1447,8 @@ struct ib_mr *efa_reg_mr(struct ib_pd *ibpd, u64 start, u64 length, + goto err_unmap; + } + +- params.page_shift = __ffs(pg_sz); +- params.page_num = DIV_ROUND_UP(length + (start & (pg_sz - 1)), +- pg_sz); ++ params.page_shift = order_base_2(pg_sz); ++ params.page_num = ib_umem_num_dma_blocks(mr->umem, pg_sz); + + ibdev_dbg(&dev->ibdev, + "start %#llx length %#llx params.page_shift %u params.page_num %u\n", +-- +2.25.1 + diff --git a/queue-5.4/rdma-hns-add-a-check-for-current-state-before-modify.patch b/queue-5.4/rdma-hns-add-a-check-for-current-state-before-modify.patch new file mode 100644 index 00000000000..7352d73c313 --- /dev/null +++ b/queue-5.4/rdma-hns-add-a-check-for-current-state-before-modify.patch @@ -0,0 +1,45 @@ +From 7e9b9f02dbf326d38a1bf505d2f6cba53b52e357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 19:07:54 +0800 +Subject: RDMA/hns: Add a check for current state before modifying QP + +From: Lang Cheng + +[ Upstream commit e0ef0f68c4c0d85b1eb63f38d5d10324361280e8 ] + +It should be considered an illegal operation if the ULP attempts to modify +a QP from another state to the current hardware state. Otherwise, the ULP +can modify some fields of QPC at any time. For example, for a QP in state +of RTS, modify it from RTR to RTS can change the PSN, which is always not +as expected. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Link: https://lore.kernel.org/r/1598353674-24270-1-git-send-email-liweihang@huawei.com +Signed-off-by: Lang Cheng +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_qp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index 8dd2d666f6875..730e50c87a760 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -1181,8 +1181,10 @@ int hns_roce_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + + mutex_lock(&hr_qp->mutex); + +- cur_state = attr_mask & IB_QP_CUR_STATE ? +- attr->cur_qp_state : (enum ib_qp_state)hr_qp->state; ++ if (attr_mask & IB_QP_CUR_STATE && attr->cur_qp_state != hr_qp->state) ++ goto out; ++ ++ cur_state = hr_qp->state; + new_state = attr_mask & IB_QP_STATE ? attr->qp_state : cur_state; + + if (ibqp->uobject && +-- +2.25.1 + diff --git a/queue-5.4/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch b/queue-5.4/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch new file mode 100644 index 00000000000..fb8761bab7e --- /dev/null +++ b/queue-5.4/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch @@ -0,0 +1,36 @@ +From 3aabce0535fcc94cdbe869162fc0899daf85ed7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 18:03:22 +0800 +Subject: RDMA/hns: Fix missing sq_sig_type when querying QP + +From: Weihang Li + +[ Upstream commit 05df49279f8926178ecb3ce88e61b63104cd6293 ] + +The sq_sig_type field should be filled when querying QP, or the users may +get a wrong value. + +Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") +Link: https://lore.kernel.org/r/1600509802-44382-9-git-send-email-liweihang@huawei.com +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index def266626223a..bb75328193957 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4634,6 +4634,7 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + } + + qp_init_attr->cap = qp_attr->cap; ++ qp_init_attr->sq_sig_type = hr_qp->sq_signal_bits; + + out: + mutex_unlock(&hr_qp->mutex); +-- +2.25.1 + diff --git a/queue-5.4/rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch b/queue-5.4/rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch new file mode 100644 index 00000000000..510e914a1d8 --- /dev/null +++ b/queue-5.4/rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch @@ -0,0 +1,40 @@ +From 5874cec461d147a4137c597f94880c5a337e2798 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 18:03:20 +0800 +Subject: RDMA/hns: Fix the wrong value of rnr_retry when querying qp + +From: Wenpeng Liang + +[ Upstream commit 99fcf82521d91468ee6115a3c253aa032dc63cbc ] + +The rnr_retry returned to the user is not correct, it should be got from +another fields in QPC. + +Fixes: bfe860351e31 ("RDMA/hns: Fix cast from or to restricted __le32 for driver") +Link: https://lore.kernel.org/r/1600509802-44382-7-git-send-email-liweihang@huawei.com +Signed-off-by: Wenpeng Liang +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 0502c90c83edd..def266626223a 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4616,7 +4616,9 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + qp_attr->retry_cnt = roce_get_field(context.byte_212_lsn, + V2_QPC_BYTE_212_RETRY_CNT_M, + V2_QPC_BYTE_212_RETRY_CNT_S); +- qp_attr->rnr_retry = le32_to_cpu(context.rq_rnr_timer); ++ qp_attr->rnr_retry = roce_get_field(context.byte_244_rnr_rxack, ++ V2_QPC_BYTE_244_RNR_CNT_M, ++ V2_QPC_BYTE_244_RNR_CNT_S); + + done: + qp_attr->cur_qp_state = qp_attr->qp_state; +-- +2.25.1 + diff --git a/queue-5.4/rdma-hns-set-the-unsupported-wr-opcode.patch b/queue-5.4/rdma-hns-set-the-unsupported-wr-opcode.patch new file mode 100644 index 00000000000..51d7a3563c7 --- /dev/null +++ b/queue-5.4/rdma-hns-set-the-unsupported-wr-opcode.patch @@ -0,0 +1,37 @@ +From c409516f0e5b22f413a2c7ca76c18af1af2591ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 21:50:15 +0800 +Subject: RDMA/hns: Set the unsupported wr opcode + +From: Lijun Ou + +[ Upstream commit 22d3e1ed2cc837af87f76c3c8a4ccf4455e225c5 ] + +hip06 does not support IB_WR_LOCAL_INV, so the ps_opcode should be set to +an invalid value instead of being left uninitialized. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Fixes: a2f3d4479fe9 ("RDMA/hns: Avoid unncessary initialization") +Link: https://lore.kernel.org/r/1600350615-115217-1-git-send-email-oulijun@huawei.com +Signed-off-by: Lijun Ou +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +index a79fa67df8715..a405c64d2a82b 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +@@ -271,7 +271,6 @@ static int hns_roce_v1_post_send(struct ib_qp *ibqp, + ps_opcode = HNS_ROCE_WQE_OPCODE_SEND; + break; + case IB_WR_LOCAL_INV: +- break; + case IB_WR_ATOMIC_CMP_AND_SWP: + case IB_WR_ATOMIC_FETCH_AND_ADD: + case IB_WR_LSO: +-- +2.25.1 + diff --git a/queue-5.4/rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch b/queue-5.4/rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch new file mode 100644 index 00000000000..b4a86a6a4dc --- /dev/null +++ b/queue-5.4/rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch @@ -0,0 +1,84 @@ +From 581677fc633e10c0ebec1febf5c0cbb3ddb8109b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 16:29:48 +0300 +Subject: RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces + +From: Kamal Heib + +[ Upstream commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 ] + +Report the "ipoib pkey", "mode" and "umcast" netlink attributes for every +IPoiB interface type, not just children created with 'ip link add'. + +After setting the rtnl_link_ops for the parent interface, implement the +dellink() callback to block users from trying to remove it. + +Fixes: 862096a8bbf8 ("IB/ipoib: Add more rtnl_link_ops callbacks") +Link: https://lore.kernel.org/r/20201004132948.26669-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 ++ + drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 11 +++++++++++ + drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 2 ++ + 3 files changed, 15 insertions(+) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index 044bcacad6e48..69ecf37053a81 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -2463,6 +2463,8 @@ static struct net_device *ipoib_add_port(const char *format, + /* call event handler to ensure pkey in sync */ + queue_work(ipoib_workqueue, &priv->flush_heavy); + ++ ndev->rtnl_link_ops = ipoib_get_link_ops(); ++ + result = register_netdev(ndev); + if (result) { + pr_warn("%s: couldn't register ipoib port %d; error %d\n", +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c +index 38c984d16996d..d5a90a66b45cf 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c +@@ -144,6 +144,16 @@ static int ipoib_new_child_link(struct net *src_net, struct net_device *dev, + return 0; + } + ++static void ipoib_del_child_link(struct net_device *dev, struct list_head *head) ++{ ++ struct ipoib_dev_priv *priv = ipoib_priv(dev); ++ ++ if (!priv->parent) ++ return; ++ ++ unregister_netdevice_queue(dev, head); ++} ++ + static size_t ipoib_get_size(const struct net_device *dev) + { + return nla_total_size(2) + /* IFLA_IPOIB_PKEY */ +@@ -158,6 +168,7 @@ static struct rtnl_link_ops ipoib_link_ops __read_mostly = { + .priv_size = sizeof(struct ipoib_dev_priv), + .setup = ipoib_setup_common, + .newlink = ipoib_new_child_link, ++ .dellink = ipoib_del_child_link, + .changelink = ipoib_changelink, + .get_size = ipoib_get_size, + .fill_info = ipoib_fill_info, +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +index 8ac8e18fbe0c3..58ca5e9c6079c 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +@@ -192,6 +192,8 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) + } + priv = ipoib_priv(ndev); + ++ ndev->rtnl_link_ops = ipoib_get_link_ops(); ++ + result = __ipoib_vlan_add(ppriv, priv, pkey, IPOIB_LEGACY_CHILD); + + if (result && ndev->reg_state == NETREG_UNINITIALIZED) +-- +2.25.1 + diff --git a/queue-5.4/rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch b/queue-5.4/rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch new file mode 100644 index 00000000000..6b8073d3317 --- /dev/null +++ b/queue-5.4/rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch @@ -0,0 +1,42 @@ +From 2d9779e77b2821d1a0dce99e8dcdd86a8dac11e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:26:52 +0300 +Subject: RDMA/mlx5: Disable IB_DEVICE_MEM_MGT_EXTENSIONS if IB_WR_REG_MR can't + work + +From: Jason Gunthorpe + +[ Upstream commit 0ec52f0194638e2d284ad55eba5a7aff753de1b9 ] + +set_reg_wr() always fails if !umr_modify_entity_size_disabled because +mlx5_ib_can_use_umr() always fails. Without set_reg_wr() IB_WR_REG_MR +doesn't work and that means the device should not advertise +IB_DEVICE_MEM_MGT_EXTENSIONS. + +Fixes: 841b07f99a47 ("IB/mlx5: Block MR WR if UMR is not possible") +Link: https://lore.kernel.org/r/20200914112653.345244-5-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index b781ad74e6de4..40c1a05c2445d 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -888,7 +888,9 @@ static int mlx5_ib_query_device(struct ib_device *ibdev, + /* We support 'Gappy' memory registration too */ + props->device_cap_flags |= IB_DEVICE_SG_GAPS_REG; + } +- props->device_cap_flags |= IB_DEVICE_MEM_MGT_EXTENSIONS; ++ /* IB_WR_REG_MR always requires changing the entity size with UMR */ ++ if (!MLX5_CAP_GEN(dev->mdev, umr_modify_entity_size_disabled)) ++ props->device_cap_flags |= IB_DEVICE_MEM_MGT_EXTENSIONS; + if (MLX5_CAP_GEN(mdev, sho)) { + props->device_cap_flags |= IB_DEVICE_INTEGRITY_HANDOVER; + /* At this stage no support for signature handover */ +-- +2.25.1 + diff --git a/queue-5.4/rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch b/queue-5.4/rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch new file mode 100644 index 00000000000..1f8c8b3a13e --- /dev/null +++ b/queue-5.4/rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch @@ -0,0 +1,47 @@ +From 510c422f48ae8a4fc506ff208d29b13857e4388a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Aug 2020 11:40:04 +0300 +Subject: RDMA/mlx5: Fix potential race between destroy and CQE poll + +From: Leon Romanovsky + +[ Upstream commit 4b916ed9f9e85f705213ca8d69771d3c1cd6ee5a ] + +The SRQ can be destroyed right before mlx5_cmd_get_srq is called. +In such case the latter will return NULL instead of expected SRQ. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Link: https://lore.kernel.org/r/20200830084010.102381-5-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/cq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index ff664355de550..73d5b8dc74d86 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -167,7 +167,7 @@ static void handle_responder(struct ib_wc *wc, struct mlx5_cqe64 *cqe, + { + enum rdma_link_layer ll = rdma_port_get_link_layer(qp->ibqp.device, 1); + struct mlx5_ib_dev *dev = to_mdev(qp->ibqp.device); +- struct mlx5_ib_srq *srq; ++ struct mlx5_ib_srq *srq = NULL; + struct mlx5_ib_wq *wq; + u16 wqe_ctr; + u8 roce_packet_type; +@@ -179,7 +179,8 @@ static void handle_responder(struct ib_wc *wc, struct mlx5_cqe64 *cqe, + + if (qp->ibqp.xrcd) { + msrq = mlx5_cmd_get_srq(dev, be32_to_cpu(cqe->srqn)); +- srq = to_mibsrq(msrq); ++ if (msrq) ++ srq = to_mibsrq(msrq); + } else { + srq = to_msrq(qp->ibqp.srq); + } +-- +2.25.1 + diff --git a/queue-5.4/rdma-qedr-fix-inline-size-returned-for-iwarp.patch b/queue-5.4/rdma-qedr-fix-inline-size-returned-for-iwarp.patch new file mode 100644 index 00000000000..9c4cf7fe4df --- /dev/null +++ b/queue-5.4/rdma-qedr-fix-inline-size-returned-for-iwarp.patch @@ -0,0 +1,40 @@ +From 53229cf0071f90359c0a75e6e2381adec5db943c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:40 +0300 +Subject: RDMA/qedr: Fix inline size returned for iWARP + +From: Michal Kalderon + +[ Upstream commit fbf58026b2256e9cd5f241a4801d79d3b2b7b89d ] + +commit 59e8970b3798 ("RDMA/qedr: Return max inline data in QP query +result") changed query_qp max_inline size to return the max roce inline +size. When iwarp was introduced, this should have been modified to return +the max inline size based on protocol. This size is cached in the device +attributes + +Fixes: 69ad0e7fe845 ("RDMA/qedr: Add support for iWARP in user space") +Link: https://lore.kernel.org/r/20200902165741.8355-8-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 682329789d00d..4408d33646647 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2405,7 +2405,7 @@ int qedr_query_qp(struct ib_qp *ibqp, + qp_attr->cap.max_recv_wr = qp->rq.max_wr; + qp_attr->cap.max_send_sge = qp->sq.max_sges; + qp_attr->cap.max_recv_sge = qp->rq.max_sges; +- qp_attr->cap.max_inline_data = ROCE_REQ_MAX_INLINE_DATA_SIZE; ++ qp_attr->cap.max_inline_data = dev->attr.max_inline; + qp_init_attr->cap = qp_attr->cap; + + qp_attr->ah_attr.type = RDMA_AH_ATTR_TYPE_ROCE; +-- +2.25.1 + diff --git a/queue-5.4/rdma-qedr-fix-qp-structure-memory-leak.patch b/queue-5.4/rdma-qedr-fix-qp-structure-memory-leak.patch new file mode 100644 index 00000000000..df3ce2dd5bc --- /dev/null +++ b/queue-5.4/rdma-qedr-fix-qp-structure-memory-leak.patch @@ -0,0 +1,52 @@ +From 438d8a19a5adbeff8d3afd0224b70fcf8ec50840 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:34 +0300 +Subject: RDMA/qedr: Fix qp structure memory leak + +From: Michal Kalderon + +[ Upstream commit 098e345a1a8faaad6e4e54d138773466cecc45d4 ] + +The qedr_qp structure wasn't freed when the protocol was RoCE. kmemleak +output when running basic RoCE scenario. + +unreferenced object 0xffff927ad7e22c00 (size 1024): + comm "ib_send_bw", pid 7082, jiffies 4384133693 (age 274.698s) + hex dump (first 32 bytes): + 00 b0 cd a2 79 92 ff ff 00 3f a1 a2 79 92 ff ff ....y....?..y... + 00 ee 5c dd 80 92 ff ff 00 f6 5c dd 80 92 ff ff ..\.......\..... + backtrace: + [<00000000b2ba0f35>] qedr_create_qp+0xb3/0x6c0 [qedr] + [<00000000e85a43dd>] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x555/0xad0 [ib_uverbs] + [<00000000fee4d029>] ib_uverbs_cmd_verbs+0xa5a/0xb80 [ib_uverbs] + [<000000005d622660>] ib_uverbs_ioctl+0xa4/0x110 [ib_uverbs] + [<00000000eb4cdc71>] ksys_ioctl+0x87/0xc0 + [<00000000abe6b23a>] __x64_sys_ioctl+0x16/0x20 + [<0000000046e7cef4>] do_syscall_64+0x4d/0x90 + [<00000000c6948f76>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1212767e23bb ("qedr: Add wrapping generic structure for qpidr and adjust idr routines.") +Link: https://lore.kernel.org/r/20200902165741.8355-2-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 16a994fd7d0a7..682329789d00d 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2518,6 +2518,8 @@ int qedr_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + + if (rdma_protocol_iwarp(&dev->ibdev, 1)) + qedr_iw_qp_rem_ref(&qp->ibqp); ++ else ++ kfree(qp); + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.4/rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch b/queue-5.4/rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch new file mode 100644 index 00000000000..9e9195f604e --- /dev/null +++ b/queue-5.4/rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch @@ -0,0 +1,49 @@ +From 40eb19e26ef6d4140622d33293e5685452ea949a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:37 +0300 +Subject: RDMA/qedr: Fix return code if accept is called on a destroyed qp + +From: Michal Kalderon + +[ Upstream commit 8a5a10a1a74465065c75d9de1aa6685e1f1aa117 ] + +In iWARP, accept could be called after a QP is already destroyed. In this +case an error should be returned and not success. + +Fixes: 82af6d19d8d9 ("RDMA/qedr: Fix synchronization methods and memory leaks in qedr") +Link: https://lore.kernel.org/r/20200902165741.8355-5-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/qedr_iw_cm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +index 6dea49e11f5f0..e521f3c3dbbf1 100644 +--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c ++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +@@ -736,7 +736,7 @@ int qedr_iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + struct qedr_dev *dev = ep->dev; + struct qedr_qp *qp; + struct qed_iwarp_accept_in params; +- int rc = 0; ++ int rc; + + DP_DEBUG(dev, QEDR_MSG_IWARP, "Accept on qpid=%d\n", conn_param->qpn); + +@@ -759,8 +759,10 @@ int qedr_iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + params.ord = conn_param->ord; + + if (test_and_set_bit(QEDR_IWARP_CM_WAIT_FOR_CONNECT, +- &qp->iwarp_cm_flags)) ++ &qp->iwarp_cm_flags)) { ++ rc = -EINVAL; + goto err; /* QP already destroyed */ ++ } + + rc = dev->ops->iwarp_accept(dev->rdma_ctx, ¶ms); + if (rc) { +-- +2.25.1 + diff --git a/queue-5.4/rdma-qedr-fix-use-of-uninitialized-field.patch b/queue-5.4/rdma-qedr-fix-use-of-uninitialized-field.patch new file mode 100644 index 00000000000..217e6245a00 --- /dev/null +++ b/queue-5.4/rdma-qedr-fix-use-of-uninitialized-field.patch @@ -0,0 +1,37 @@ +From c6aa3c380c943389f6a4f2af418fb2d1dc23aa47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:36 +0300 +Subject: RDMA/qedr: Fix use of uninitialized field + +From: Michal Kalderon + +[ Upstream commit a379ad54e55a12618cae7f6333fd1b3071de9606 ] + +dev->attr.page_size_caps was used uninitialized when setting device +attributes + +Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init") +Link: https://lore.kernel.org/r/20200902165741.8355-4-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/main.c b/drivers/infiniband/hw/qedr/main.c +index 4494dab8c3d83..93040c994e2e3 100644 +--- a/drivers/infiniband/hw/qedr/main.c ++++ b/drivers/infiniband/hw/qedr/main.c +@@ -601,7 +601,7 @@ static int qedr_set_device_attr(struct qedr_dev *dev) + qed_attr = dev->ops->rdma_query_device(dev->rdma_ctx); + + /* Part 2 - check capabilities */ +- page_size = ~dev->attr.page_size_caps + 1; ++ page_size = ~qed_attr->page_size_caps + 1; + if (page_size > PAGE_SIZE) { + DP_ERR(dev, + "Kernel PAGE_SIZE is %ld which is smaller than minimum page size (%d) required by qedr\n", +-- +2.25.1 + diff --git a/queue-5.4/rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch b/queue-5.4/rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch new file mode 100644 index 00000000000..e95f99df19b --- /dev/null +++ b/queue-5.4/rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch @@ -0,0 +1,79 @@ +From a5fa90b8b6f42f2f689e2a0e0015e5920ef11a98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 15:36:52 -0500 +Subject: RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt() + +From: Bob Pearson + +[ Upstream commit e7ec96fc7932f48a6d6cdd05bf82004a1a04285b ] + +The changes referenced below replaced sbk_clone)_ by taking additional +references, passing the skb along and then freeing the skb. This +deleted the packets before they could be processed and additionally +passed bad data in each packet. Since pkt is stored in skb->cb +changing pkt->qp changed it for all the packets. + +Replace skb_get() by sbk_clone() in rxe_rcv_mcast_pkt() for cases where +multiple QPs are receiving multicast packets on the same address. + +Delete kfree_skb() because the packets need to live until they have been +processed by each QP. They are freed later. + +Fixes: 86af61764151 ("IB/rxe: remove unnecessary skb_clone") +Fixes: fe896ceb5772 ("IB/rxe: replace refcount_inc with skb_get") +Link: https://lore.kernel.org/r/20201008203651.256958-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index 46e111c218fd4..be6416a982c70 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -281,6 +281,8 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + struct rxe_mc_elem *mce; + struct rxe_qp *qp; + union ib_gid dgid; ++ struct sk_buff *per_qp_skb; ++ struct rxe_pkt_info *per_qp_pkt; + int err; + + if (skb->protocol == htons(ETH_P_IP)) +@@ -309,21 +311,26 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + if (err) + continue; + +- /* if *not* the last qp in the list +- * increase the users of the skb then post to the next qp ++ /* for all but the last qp create a new clone of the ++ * skb and pass to the qp. + */ + if (mce->qp_list.next != &mcg->qp_list) +- skb_get(skb); ++ per_qp_skb = skb_clone(skb, GFP_ATOMIC); ++ else ++ per_qp_skb = skb; + +- pkt->qp = qp; ++ per_qp_pkt = SKB_TO_PKT(per_qp_skb); ++ per_qp_pkt->qp = qp; + rxe_add_ref(qp); +- rxe_rcv_pkt(pkt, skb); ++ rxe_rcv_pkt(per_qp_pkt, per_qp_skb); + } + + spin_unlock_bh(&mcg->mcg_lock); + + rxe_drop_ref(mcg); /* drop ref from rxe_pool_get_key. */ + ++ return; ++ + err1: + kfree_skb(skb); + } +-- +2.25.1 + diff --git a/queue-5.4/rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch b/queue-5.4/rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch new file mode 100644 index 00000000000..eac9ba716ff --- /dev/null +++ b/queue-5.4/rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch @@ -0,0 +1,43 @@ +From 864015e1fe3c6191442c59a9883783507ea9e069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 13:42:37 -0500 +Subject: RDMA/rxe: Handle skb_clone() failure in rxe_recv.c + +From: Bob Pearson + +[ Upstream commit 71abf20b28ff87fee6951ec2218d5ce7969c4e87 ] + +If skb_clone() is unable to allocate memory for a new sk_buff this is not +detected by the current code. + +Check for a NULL return and continue. This is similar to other errors in +this loop over QPs attached to the multicast address and consistent with +the unreliable UD transport. + +Fixes: e7ec96fc7932f ("RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt()") +Addresses-Coverity-ID: 1497804: Null pointer dereferences (NULL_RETURNS) +Link: https://lore.kernel.org/r/20201013184236.5231-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index be6416a982c70..9bfb98056fc2a 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -319,6 +319,9 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + else + per_qp_skb = skb; + ++ if (unlikely(!per_qp_skb)) ++ continue; ++ + per_qp_pkt = SKB_TO_PKT(per_qp_skb); + per_qp_pkt->qp = qp; + rxe_add_ref(qp); +-- +2.25.1 + diff --git a/queue-5.4/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch b/queue-5.4/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch new file mode 100644 index 00000000000..2103af7b19a --- /dev/null +++ b/queue-5.4/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch @@ -0,0 +1,38 @@ +From 0b706f5adaadd777d5db0ee5f829faf9f53b8f93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:05:22 +0300 +Subject: RDMA/ucma: Add missing locking around rdma_leave_multicast() + +From: Jason Gunthorpe + +[ Upstream commit 38e03d092699891c3237b5aee9e8029d4ede0956 ] + +All entry points to the rdma_cm from a ULP must be single threaded, +even this error unwinds. Add the missing locking. + +Fixes: 7c11910783a1 ("RDMA/ucma: Put a lock around every call to the rdma_cm layer") +Link: https://lore.kernel.org/r/20200818120526.702120-11-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index d7c74f095805a..ef4be14af3bb9 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1473,7 +1473,9 @@ static ssize_t ucma_process_join(struct ucma_file *file, + return 0; + + err3: ++ mutex_lock(&ctx->mutex); + rdma_leave_multicast(ctx->cm_id, (struct sockaddr *) &mc->addr); ++ mutex_unlock(&ctx->mutex); + ucma_cleanup_mc_events(mc); + err2: + xa_erase(&multicast_table, mc->id); +-- +2.25.1 + diff --git a/queue-5.4/rdma-ucma-fix-locking-for-ctx-events_reported.patch b/queue-5.4/rdma-ucma-fix-locking-for-ctx-events_reported.patch new file mode 100644 index 00000000000..e987454e2f1 --- /dev/null +++ b/queue-5.4/rdma-ucma-fix-locking-for-ctx-events_reported.patch @@ -0,0 +1,58 @@ +From e7a68fc79cae0f997a3653f3a7744def2130c609 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:05:21 +0300 +Subject: RDMA/ucma: Fix locking for ctx->events_reported + +From: Jason Gunthorpe + +[ Upstream commit 98837c6c3d7285f6eca86480b6f7fac6880e27a8 ] + +This value is locked under the file->mut, ensure it is held whenever +touching it. + +The case in ucma_migrate_id() is a race, while in ucma_free_uctx() it is +already not possible for the write side to run, the movement is just for +clarity. + +Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()") +Link: https://lore.kernel.org/r/20200818120526.702120-10-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index f4f79f1292b91..d7c74f095805a 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -581,6 +581,7 @@ static int ucma_free_ctx(struct ucma_context *ctx) + list_move_tail(&uevent->list, &list); + } + list_del(&ctx->list); ++ events_reported = ctx->events_reported; + mutex_unlock(&ctx->file->mut); + + list_for_each_entry_safe(uevent, tmp, &list, list) { +@@ -590,7 +591,6 @@ static int ucma_free_ctx(struct ucma_context *ctx) + kfree(uevent); + } + +- events_reported = ctx->events_reported; + mutex_destroy(&ctx->mutex); + kfree(ctx); + return events_reported; +@@ -1639,7 +1639,9 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file, + + cur_file = ctx->file; + if (cur_file == new_file) { ++ mutex_lock(&cur_file->mut); + resp.events_reported = ctx->events_reported; ++ mutex_unlock(&cur_file->mut); + goto response; + } + +-- +2.25.1 + diff --git a/queue-5.4/rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch b/queue-5.4/rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch new file mode 100644 index 00000000000..67d952c9297 --- /dev/null +++ b/queue-5.4/rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch @@ -0,0 +1,60 @@ +From 519d26c11b4f2c6bf77a4c92f511a1ebac8fbb03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 19:41:42 -0300 +Subject: RDMA/umem: Fix ib_umem_find_best_pgsz() for mappings that cross a + page boundary + +From: Jason Gunthorpe + +[ Upstream commit a40c20dabdf9045270767c75918feb67f0727c89 ] + +It is possible for a single SGL to span an aligned boundary, eg if the SGL +is + + 61440 -> 90112 + +Then the length is 28672, which currently limits the block size to +32k. With a 32k page size the two covering blocks will be: + + 32768->65536 and 65536->98304 + +However, the correct answer is a 128K block size which will span the whole +28672 bytes in a single block. + +Instead of limiting based on length figure out which high IOVA bits don't +change between the start and end addresses. That is the highest useful +page size. + +Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR") +Link: https://lore.kernel.org/r/1-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com +Reviewed-by: Leon Romanovsky +Reviewed-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/umem.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index 0d42ba8c0b696..9be8f6c622db0 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -156,8 +156,13 @@ unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem, + return 0; + + va = virt; +- /* max page size not to exceed MR length */ +- mask = roundup_pow_of_two(umem->length); ++ /* The best result is the smallest page size that results in the minimum ++ * number of required pages. Compute the largest page size that could ++ * work based on VA address bits that don't change. ++ */ ++ mask = pgsz_bitmap & ++ GENMASK(BITS_PER_LONG - 1, ++ bits_per((umem->length - 1 + virt) ^ virt)); + /* offset into first SGL */ + pgoff = umem->address & ~PAGE_MASK; + +-- +2.25.1 + diff --git a/queue-5.4/rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch b/queue-5.4/rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch new file mode 100644 index 00000000000..1138c1e2dbf --- /dev/null +++ b/queue-5.4/rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch @@ -0,0 +1,44 @@ +From a0c6e13a7c4b36a67f641be9b10c5808a46825ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 15:17:08 -0300 +Subject: RDMA/umem: Fix signature of stub ib_umem_find_best_pgsz() + +From: Jason Gunthorpe + +[ Upstream commit 61690d01db32eb1f94adc9ac2b8bb741d34e4671 ] + +The original function returns unsigned long and 0 on failure. + +Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR") +Link: https://lore.kernel.org/r/0-v1-982a13cc5c6d+501ae-fix_best_pgsz_stub_jgg@nvidia.com +Reviewed-by: Gal Pressman +Acked-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/rdma/ib_umem.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/include/rdma/ib_umem.h b/include/rdma/ib_umem.h +index a91b2af64ec47..8e94279af47df 100644 +--- a/include/rdma/ib_umem.h ++++ b/include/rdma/ib_umem.h +@@ -95,10 +95,11 @@ static inline int ib_umem_copy_from(void *dst, struct ib_umem *umem, size_t offs + size_t length) { + return -EINVAL; + } +-static inline int ib_umem_find_best_pgsz(struct ib_umem *umem, +- unsigned long pgsz_bitmap, +- unsigned long virt) { +- return -EINVAL; ++static inline unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem, ++ unsigned long pgsz_bitmap, ++ unsigned long virt) ++{ ++ return 0; + } + + #endif /* CONFIG_INFINIBAND_USER_MEM */ +-- +2.25.1 + diff --git a/queue-5.4/rdma-umem-prevent-small-pages-from-being-returned-by.patch b/queue-5.4/rdma-umem-prevent-small-pages-from-being-returned-by.patch new file mode 100644 index 00000000000..f09f399484e --- /dev/null +++ b/queue-5.4/rdma-umem-prevent-small-pages-from-being-returned-by.patch @@ -0,0 +1,53 @@ +From b5dbaaadac9789c8bf9d1856400892ca0b15d90b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 19:41:43 -0300 +Subject: RDMA/umem: Prevent small pages from being returned by + ib_umem_find_best_pgsz() + +From: Jason Gunthorpe + +[ Upstream commit 10c75ccb54e4fe548cb16d7ed426d7d709e6ae76 ] + +rdma_for_each_block() makes assumptions about how the SGL is constructed +that don't work if the block size is below the page size used to to build +the SGL. + +The rules for umem SGL construction require that the SG's all be PAGE_SIZE +aligned and we don't encode the actual byte offset of the VA range inside +the SGL using offset and length. So rdma_for_each_block() has no idea +where the actual starting/ending point is to compute the first/last block +boundary if the starting address should be within a SGL. + +Fixing the SGL construction turns out to be really hard, and will be the +subject of other patches. For now block smaller pages. + +Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR") +Link: https://lore.kernel.org/r/2-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com +Reviewed-by: Leon Romanovsky +Reviewed-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/umem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index 9be8f6c622db0..650f71dd4ab93 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -151,6 +151,12 @@ unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem, + dma_addr_t mask; + int i; + ++ /* rdma_for_each_block() has a bug if the page size is smaller than the ++ * page size used to build the umem. For now prevent smaller page sizes ++ * from being returned. ++ */ ++ pgsz_bitmap &= GENMASK(BITS_PER_LONG - 1, PAGE_SHIFT); ++ + /* At minimum, drivers must support PAGE_SIZE or smaller */ + if (WARN_ON(!(pgsz_bitmap & GENMASK(PAGE_SHIFT, 0)))) + return 0; +-- +2.25.1 + diff --git a/queue-5.4/regulator-resolve-supply-after-creating-regulator.patch b/queue-5.4/regulator-resolve-supply-after-creating-regulator.patch new file mode 100644 index 00000000000..16d6e4ed166 --- /dev/null +++ b/queue-5.4/regulator-resolve-supply-after-creating-regulator.patch @@ -0,0 +1,67 @@ +From 8d48db6979283bdd3d72dbf1aab639e3696a032a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 23:32:41 +0200 +Subject: regulator: resolve supply after creating regulator +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +[ Upstream commit aea6cb99703e17019e025aa71643b4d3e0a24413 ] + +When creating a new regulator its supply cannot create the sysfs link +because the device is not yet published. Remove early supply resolving +since it will be done later anyway. This makes the following error +disappear and the symlinks get created instead. + + DCDC_REG1: supplied by VSYS + VSYS: could not add device link regulator.3 err -2 + +Note: It doesn't fix the problem for bypassed regulators, though. + +Fixes: 45389c47526d ("regulator: core: Add early supply resolution for regulators") +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/ba09e0a8617ffeeb25cb4affffe6f3149319cef8.1601155770.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 55fc80de5ef16..ee850cffe1542 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -5158,15 +5158,20 @@ regulator_register(const struct regulator_desc *regulator_desc, + else if (regulator_desc->supply_name) + rdev->supply_name = regulator_desc->supply_name; + +- /* +- * Attempt to resolve the regulator supply, if specified, +- * but don't return an error if we fail because we will try +- * to resolve it again later as more regulators are added. +- */ +- if (regulator_resolve_supply(rdev)) +- rdev_dbg(rdev, "unable to resolve supply\n"); +- + ret = set_machine_constraints(rdev, constraints); ++ if (ret == -EPROBE_DEFER) { ++ /* Regulator might be in bypass mode and so needs its supply ++ * to set the constraints */ ++ /* FIXME: this currently triggers a chicken-and-egg problem ++ * when creating -SUPPLY symlink in sysfs to a regulator ++ * that is just being created */ ++ ret = regulator_resolve_supply(rdev); ++ if (!ret) ++ ret = set_machine_constraints(rdev, constraints); ++ else ++ rdev_dbg(rdev, "unable to resolve supply early: %pe\n", ++ ERR_PTR(ret)); ++ } + if (ret < 0) + goto wash; + +-- +2.25.1 + diff --git a/queue-5.4/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch b/queue-5.4/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch new file mode 100644 index 00000000000..2949c605553 --- /dev/null +++ b/queue-5.4/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch @@ -0,0 +1,49 @@ +From f6c38da8139e042f58aa64a255a091f07e57fbf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2020 14:01:44 +0100 +Subject: reiserfs: Fix memory leak in reiserfs_parse_options() + +From: Jan Kara + +[ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ] + +When a usrjquota or grpjquota mount option is used multiple times, we +will leak memory allocated for the file name. Make sure the last setting +is used and all the previous ones are properly freed. + +Reported-by: syzbot+c9e294bbe0333a6b7640@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index a6bce5b1fb1dc..1b9c7a387dc71 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -1258,6 +1258,10 @@ static int reiserfs_parse_options(struct super_block *s, + "turned on."); + return 0; + } ++ if (qf_names[qtype] != ++ REISERFS_SB(s)->s_qf_names[qtype]) ++ kfree(qf_names[qtype]); ++ qf_names[qtype] = NULL; + if (*arg) { /* Some filename specified? */ + if (REISERFS_SB(s)->s_qf_names[qtype] + && strcmp(REISERFS_SB(s)->s_qf_names[qtype], +@@ -1287,10 +1291,6 @@ static int reiserfs_parse_options(struct super_block *s, + else + *mount_options |= 1 << REISERFS_GRPQUOTA; + } else { +- if (qf_names[qtype] != +- REISERFS_SB(s)->s_qf_names[qtype]) +- kfree(qf_names[qtype]); +- qf_names[qtype] = NULL; + if (qtype == USRQUOTA) + *mount_options &= ~(1 << REISERFS_USRQUOTA); + else +-- +2.25.1 + diff --git a/queue-5.4/reiserfs-only-call-unlock_new_inode-if-i_new.patch b/queue-5.4/reiserfs-only-call-unlock_new_inode-if-i_new.patch new file mode 100644 index 00000000000..e113d639f1a --- /dev/null +++ b/queue-5.4/reiserfs-only-call-unlock_new_inode-if-i_new.patch @@ -0,0 +1,44 @@ +From 2c0903a9a23d2acf3e4120aecdad7bea5de163de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jun 2020 00:00:57 -0700 +Subject: reiserfs: only call unlock_new_inode() if I_NEW + +From: Eric Biggers + +[ Upstream commit 8859bf2b1278d064a139e3031451524a49a56bd0 ] + +unlock_new_inode() is only meant to be called after a new inode has +already been inserted into the hash table. But reiserfs_new_inode() can +call it even before it has inserted the inode, triggering the WARNING in +unlock_new_inode(). Fix this by only calling unlock_new_inode() if the +inode has the I_NEW flag set, indicating that it's in the table. + +This addresses the syzbot report "WARNING in unlock_new_inode" +(https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7). + +Link: https://lore.kernel.org/r/20200628070057.820213-1-ebiggers@kernel.org +Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c +index 70387650436cf..ac35ddf0dd603 100644 +--- a/fs/reiserfs/inode.c ++++ b/fs/reiserfs/inode.c +@@ -2161,7 +2161,8 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th, + out_inserted_sd: + clear_nlink(inode); + th->t_trans_id = 0; /* so the caller can't use this handle later */ +- unlock_new_inode(inode); /* OK to do even if we hadn't locked it */ ++ if (inode->i_state & I_NEW) ++ unlock_new_inode(inode); + iput(inode); + return err; + } +-- +2.25.1 + diff --git a/queue-5.4/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch b/queue-5.4/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch new file mode 100644 index 00000000000..490621bae7b --- /dev/null +++ b/queue-5.4/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch @@ -0,0 +1,111 @@ +From 32f7543ecd5b0f7b2fc66260431c8faf36ac29b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 10:18:41 +0300 +Subject: rpmsg: smd: Fix a kobj leak in in qcom_smd_parse_edge() + +From: Dan Carpenter + +[ Upstream commit e69ee0cf655e8e0c4a80f4319e36019b74f17639 ] + +We need to call of_node_put(node) on the error paths for this function. + +Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200908071841.GA294938@mwanda +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index 4abbeea782fa4..19903de6268db 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -1338,7 +1338,7 @@ static int qcom_smd_parse_edge(struct device *dev, + ret = of_property_read_u32(node, key, &edge->edge_id); + if (ret) { + dev_err(dev, "edge missing %s property\n", key); +- return -EINVAL; ++ goto put_node; + } + + edge->remote_pid = QCOM_SMEM_HOST_ANY; +@@ -1349,32 +1349,37 @@ static int qcom_smd_parse_edge(struct device *dev, + edge->mbox_client.knows_txdone = true; + edge->mbox_chan = mbox_request_channel(&edge->mbox_client, 0); + if (IS_ERR(edge->mbox_chan)) { +- if (PTR_ERR(edge->mbox_chan) != -ENODEV) +- return PTR_ERR(edge->mbox_chan); ++ if (PTR_ERR(edge->mbox_chan) != -ENODEV) { ++ ret = PTR_ERR(edge->mbox_chan); ++ goto put_node; ++ } + + edge->mbox_chan = NULL; + + syscon_np = of_parse_phandle(node, "qcom,ipc", 0); + if (!syscon_np) { + dev_err(dev, "no qcom,ipc node\n"); +- return -ENODEV; ++ ret = -ENODEV; ++ goto put_node; + } + + edge->ipc_regmap = syscon_node_to_regmap(syscon_np); +- if (IS_ERR(edge->ipc_regmap)) +- return PTR_ERR(edge->ipc_regmap); ++ if (IS_ERR(edge->ipc_regmap)) { ++ ret = PTR_ERR(edge->ipc_regmap); ++ goto put_node; ++ } + + key = "qcom,ipc"; + ret = of_property_read_u32_index(node, key, 1, &edge->ipc_offset); + if (ret < 0) { + dev_err(dev, "no offset in %s\n", key); +- return -EINVAL; ++ goto put_node; + } + + ret = of_property_read_u32_index(node, key, 2, &edge->ipc_bit); + if (ret < 0) { + dev_err(dev, "no bit in %s\n", key); +- return -EINVAL; ++ goto put_node; + } + } + +@@ -1385,7 +1390,8 @@ static int qcom_smd_parse_edge(struct device *dev, + irq = irq_of_parse_and_map(node, 0); + if (irq < 0) { + dev_err(dev, "required smd interrupt missing\n"); +- return -EINVAL; ++ ret = irq; ++ goto put_node; + } + + ret = devm_request_irq(dev, irq, +@@ -1393,12 +1399,18 @@ static int qcom_smd_parse_edge(struct device *dev, + node->name, edge); + if (ret) { + dev_err(dev, "failed to request smd irq\n"); +- return ret; ++ goto put_node; + } + + edge->irq = irq; + + return 0; ++ ++put_node: ++ of_node_put(node); ++ edge->of_node = NULL; ++ ++ return ret; + } + + /* +-- +2.25.1 + diff --git a/queue-5.4/rtl8xxxu-prevent-potential-memory-leak.patch b/queue-5.4/rtl8xxxu-prevent-potential-memory-leak.patch new file mode 100644 index 00000000000..2c347b1cdb5 --- /dev/null +++ b/queue-5.4/rtl8xxxu-prevent-potential-memory-leak.patch @@ -0,0 +1,65 @@ +From 11e553b2d2939020c638250750dc09f547395159 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 12:04:24 +0800 +Subject: rtl8xxxu: prevent potential memory leak + +From: Chris Chiu + +[ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ] + +Free the skb if usb_submit_urb fails on rx_urb. And free the urb +no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb. + +Signed-off-by: Chris Chiu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200906040424.22022-1-chiu@endlessm.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 3499b211dad51..048984ca81fdb 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5447,7 +5447,6 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw) + ret = usb_submit_urb(urb, GFP_KERNEL); + if (ret) { + usb_unanchor_urb(urb); +- usb_free_urb(urb); + goto error; + } + +@@ -5456,6 +5455,7 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw) + rtl8xxxu_write32(priv, REG_USB_HIMR, val32); + + error: ++ usb_free_urb(urb); + return ret; + } + +@@ -5781,6 +5781,7 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw) + struct rtl8xxxu_priv *priv = hw->priv; + struct rtl8xxxu_rx_urb *rx_urb; + struct rtl8xxxu_tx_urb *tx_urb; ++ struct sk_buff *skb; + unsigned long flags; + int ret, i; + +@@ -5831,6 +5832,13 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw) + rx_urb->hw = hw; + + ret = rtl8xxxu_submit_rx_urb(priv, rx_urb); ++ if (ret) { ++ if (ret != -ENOMEM) { ++ skb = (struct sk_buff *)rx_urb->urb.context; ++ dev_kfree_skb(skb); ++ } ++ rtl8xxxu_queue_rx_urb(priv, rx_urb); ++ } + } + exit: + /* +-- +2.25.1 + diff --git a/queue-5.4/rtw88-increse-the-size-of-rx-buffer-size.patch b/queue-5.4/rtw88-increse-the-size-of-rx-buffer-size.patch new file mode 100644 index 00000000000..7c9385589df --- /dev/null +++ b/queue-5.4/rtw88-increse-the-size-of-rx-buffer-size.patch @@ -0,0 +1,39 @@ +From 02e76eb60bf3ff9151a3fd4fbf4077d21615e80b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:12:15 +0800 +Subject: rtw88: increse the size of rx buffer size + +From: Tzu-En Huang + +[ Upstream commit ee755732b7a16af018daa77d9562d2493fb7092f ] + +The vht capability of MAX_MPDU_LENGTH is 11454 in rtw88; however, the rx +buffer size for each packet is 8192. When receiving packets that are +larger than rx buffer size, it will leads to rx buffer ring overflow. + +Signed-off-by: Tzu-En Huang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200925061219.23754-2-tehuang@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/pci.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/pci.h b/drivers/net/wireless/realtek/rtw88/pci.h +index 87824a4caba98..a47d871ae506a 100644 +--- a/drivers/net/wireless/realtek/rtw88/pci.h ++++ b/drivers/net/wireless/realtek/rtw88/pci.h +@@ -13,8 +13,8 @@ + #define RTK_BEQ_TX_DESC_NUM 256 + + #define RTK_MAX_RX_DESC_NUM 512 +-/* 8K + rx desc size */ +-#define RTK_PCI_RX_BUF_SIZE (8192 + 24) ++/* 11K + rx desc size */ ++#define RTK_PCI_RX_BUF_SIZE (11454 + 24) + + #define RTK_PCI_CTRL 0x300 + #define BIT_RST_TRXDMA_INTF BIT(20) +-- +2.25.1 + diff --git a/queue-5.4/sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch b/queue-5.4/sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch new file mode 100644 index 00000000000..c6345defb15 --- /dev/null +++ b/queue-5.4/sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch @@ -0,0 +1,80 @@ +From e1c0fdf39d0e0ec4f281dbb57a1b1cdd95a838a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 14:48:47 +0800 +Subject: sched/fair: Fix wrong cpu selecting from isolated domain + +From: Xunlei Pang + +[ Upstream commit df3cb4ea1fb63ff326488efd671ba3c39034255e ] + +We've met problems that occasionally tasks with full cpumask +(e.g. by putting it into a cpuset or setting to full affinity) +were migrated to our isolated cpus in production environment. + +After some analysis, we found that it is due to the current +select_idle_smt() not considering the sched_domain mask. + +Steps to reproduce on my 31-CPU hyperthreads machine: +1. with boot parameter: "isolcpus=domain,2-31" + (thread lists: 0,16 and 1,17) +2. cgcreate -g cpu:test; cgexec -g cpu:test "test_threads" +3. some threads will be migrated to the isolated cpu16~17. + +Fix it by checking the valid domain mask in select_idle_smt(). + +Fixes: 10e2f1acd010 ("sched/core: Rewrite and improve select_idle_siblings()) +Reported-by: Wetp Zhang +Signed-off-by: Xunlei Pang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Jiang Biao +Reviewed-by: Vincent Guittot +Link: https://lkml.kernel.org/r/1600930127-76857-1-git-send-email-xlpang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index b02a83ff40687..dddaf61378f62 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -5936,7 +5936,7 @@ static int select_idle_core(struct task_struct *p, struct sched_domain *sd, int + /* + * Scan the local SMT mask for idle CPUs. + */ +-static int select_idle_smt(struct task_struct *p, int target) ++static int select_idle_smt(struct task_struct *p, struct sched_domain *sd, int target) + { + int cpu, si_cpu = -1; + +@@ -5944,7 +5944,8 @@ static int select_idle_smt(struct task_struct *p, int target) + return -1; + + for_each_cpu(cpu, cpu_smt_mask(target)) { +- if (!cpumask_test_cpu(cpu, p->cpus_ptr)) ++ if (!cpumask_test_cpu(cpu, p->cpus_ptr) || ++ !cpumask_test_cpu(cpu, sched_domain_span(sd))) + continue; + if (available_idle_cpu(cpu)) + return cpu; +@@ -5962,7 +5963,7 @@ static inline int select_idle_core(struct task_struct *p, struct sched_domain *s + return -1; + } + +-static inline int select_idle_smt(struct task_struct *p, int target) ++static inline int select_idle_smt(struct task_struct *p, struct sched_domain *sd, int target) + { + return -1; + } +@@ -6072,7 +6073,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target) + if ((unsigned)i < nr_cpumask_bits) + return i; + +- i = select_idle_smt(p, target); ++ i = select_idle_smt(p, sd, target); + if ((unsigned)i < nr_cpumask_bits) + return i; + +-- +2.25.1 + diff --git a/queue-5.4/sched-features-fix-config_jump_label-case.patch b/queue-5.4/sched-features-fix-config_jump_label-case.patch new file mode 100644 index 00000000000..5e683904df1 --- /dev/null +++ b/queue-5.4/sched-features-fix-config_jump_label-case.patch @@ -0,0 +1,99 @@ +From 1f32deefcfd13d4dd1e6979b238d4e8311948af8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 07:31:14 +0200 +Subject: sched/features: Fix !CONFIG_JUMP_LABEL case + +From: Juri Lelli + +[ Upstream commit a73f863af4ce9730795eab7097fb2102e6854365 ] + +Commit: + + 765cc3a4b224e ("sched/core: Optimize sched_feat() for !CONFIG_SCHED_DEBUG builds") + +made sched features static for !CONFIG_SCHED_DEBUG configurations, but +overlooked the CONFIG_SCHED_DEBUG=y and !CONFIG_JUMP_LABEL cases. + +For the latter echoing changes to /sys/kernel/debug/sched_features has +the nasty effect of effectively changing what sched_features reports, +but without actually changing the scheduler behaviour (since different +translation units get different sysctl_sched_features). + +Fix CONFIG_SCHED_DEBUG=y and !CONFIG_JUMP_LABEL configurations by properly +restructuring ifdefs. + +Fixes: 765cc3a4b224e ("sched/core: Optimize sched_feat() for !CONFIG_SCHED_DEBUG builds") +Co-developed-by: Daniel Bristot de Oliveira +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Juri Lelli +Signed-off-by: Ingo Molnar +Acked-by: Patrick Bellasi +Reviewed-by: Valentin Schneider +Link: https://lore.kernel.org/r/20201013053114.160628-1-juri.lelli@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 +- + kernel/sched/sched.h | 13 ++++++++++--- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 79ce22de44095..4511532b08b84 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -36,7 +36,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(sched_overutilized_tp); + + DEFINE_PER_CPU_SHARED_ALIGNED(struct rq, runqueues); + +-#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL) ++#ifdef CONFIG_SCHED_DEBUG + /* + * Debugging: various feature bits + * +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 9f2a9e34a78d5..3e7590813844f 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1568,7 +1568,7 @@ enum { + + #undef SCHED_FEAT + +-#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL) ++#ifdef CONFIG_SCHED_DEBUG + + /* + * To support run-time toggling of sched features, all the translation units +@@ -1576,6 +1576,7 @@ enum { + */ + extern const_debug unsigned int sysctl_sched_features; + ++#ifdef CONFIG_JUMP_LABEL + #define SCHED_FEAT(name, enabled) \ + static __always_inline bool static_branch_##name(struct static_key *key) \ + { \ +@@ -1588,7 +1589,13 @@ static __always_inline bool static_branch_##name(struct static_key *key) \ + extern struct static_key sched_feat_keys[__SCHED_FEAT_NR]; + #define sched_feat(x) (static_branch_##x(&sched_feat_keys[__SCHED_FEAT_##x])) + +-#else /* !(SCHED_DEBUG && CONFIG_JUMP_LABEL) */ ++#else /* !CONFIG_JUMP_LABEL */ ++ ++#define sched_feat(x) (sysctl_sched_features & (1UL << __SCHED_FEAT_##x)) ++ ++#endif /* CONFIG_JUMP_LABEL */ ++ ++#else /* !SCHED_DEBUG */ + + /* + * Each translation unit has its own copy of sysctl_sched_features to allow +@@ -1604,7 +1611,7 @@ static const_debug __maybe_unused unsigned int sysctl_sched_features = + + #define sched_feat(x) !!(sysctl_sched_features & (1UL << __SCHED_FEAT_##x)) + +-#endif /* SCHED_DEBUG && CONFIG_JUMP_LABEL */ ++#endif /* SCHED_DEBUG */ + + extern struct static_key_false sched_numa_balancing; + extern struct static_key_false sched_schedstats; +-- +2.25.1 + diff --git a/queue-5.4/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch b/queue-5.4/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch new file mode 100644 index 00000000000..86b4c6f9782 --- /dev/null +++ b/queue-5.4/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch @@ -0,0 +1,62 @@ +From 58337e944fa677a6cb0da1f7caffdfbef62cb183 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 12:13:00 +0300 +Subject: scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() + +From: Dan Carpenter + +[ Upstream commit 38b2db564d9ab7797192ef15d7aade30633ceeae ] + +The be_fill_queue() function can only fail when "eq_vaddress" is NULL and +since it's non-NULL here that means the function call can't fail. But +imagine if it could, then in that situation we would want to store the +"paddr" so that dma memory can be released. + +Link: https://lore.kernel.org/r/20200928091300.GD377727@mwanda +Fixes: bfead3b2cb46 ("[SCSI] be2iscsi: Adding msix and mcc_rings V3") +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/be2iscsi/be_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c +index 0760d0bd8a10b..0fa455357594e 100644 +--- a/drivers/scsi/be2iscsi/be_main.c ++++ b/drivers/scsi/be2iscsi/be_main.c +@@ -3020,6 +3020,7 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba, + goto create_eq_error; + } + ++ mem->dma = paddr; + mem->va = eq_vaddress; + ret = be_fill_queue(eq, phba->params.num_eq_entries, + sizeof(struct be_eq_entry), eq_vaddress); +@@ -3029,7 +3030,6 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba, + goto create_eq_error; + } + +- mem->dma = paddr; + ret = beiscsi_cmd_eq_create(&phba->ctrl, eq, + BEISCSI_EQ_DELAY_DEF); + if (ret) { +@@ -3086,6 +3086,7 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba, + goto create_cq_error; + } + ++ mem->dma = paddr; + ret = be_fill_queue(cq, phba->params.num_cq_entries, + sizeof(struct sol_cqe), cq_vaddress); + if (ret) { +@@ -3095,7 +3096,6 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba, + goto create_cq_error; + } + +- mem->dma = paddr; + ret = beiscsi_cmd_cq_create(&phba->ctrl, cq, eq, false, + false, 0); + if (ret) { +-- +2.25.1 + diff --git a/queue-5.4/scsi-bfa-fix-error-return-in-bfad_pci_init.patch b/queue-5.4/scsi-bfa-fix-error-return-in-bfad_pci_init.patch new file mode 100644 index 00000000000..113eccfffc7 --- /dev/null +++ b/queue-5.4/scsi-bfa-fix-error-return-in-bfad_pci_init.patch @@ -0,0 +1,35 @@ +From 9ba7cdd37961f067c755477648928776687fec13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:24:23 +0800 +Subject: scsi: bfa: Fix error return in bfad_pci_init() + +From: Jing Xiangfeng + +[ Upstream commit f0f6c3a4fcb80fcbcce4ff6739996dd98c228afd ] + +Fix to return error code -ENODEV from the error handling case instead of 0. + +Link: https://lore.kernel.org/r/20200925062423.161504-1-jingxiangfeng@huawei.com +Fixes: 11ea3824140c ("scsi: bfa: fix calls to dma_set_mask_and_coherent()") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/bfa/bfad.c b/drivers/scsi/bfa/bfad.c +index 2f9213b257a4a..93e4011809919 100644 +--- a/drivers/scsi/bfa/bfad.c ++++ b/drivers/scsi/bfa/bfad.c +@@ -749,6 +749,7 @@ bfad_pci_init(struct pci_dev *pdev, struct bfad_s *bfad) + + if (bfad->pci_bar0_kva == NULL) { + printk(KERN_ERR "Fail to map bar0\n"); ++ rc = -ENODEV; + goto out_release_region; + } + +-- +2.25.1 + diff --git a/queue-5.4/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch b/queue-5.4/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch new file mode 100644 index 00000000000..d40eafd9c0f --- /dev/null +++ b/queue-5.4/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch @@ -0,0 +1,38 @@ +From 7e5b325836ffab0708d5aec0938a9a6e8b5ddd59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:31 +0800 +Subject: scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() + +From: Tianjia Zhang + +[ Upstream commit 44f4daf8678ae5f08c93bbe70792f90cd88e4649 ] + +On an error exit path, a negative error code should be returned instead of +a positive return value. + +Link: https://lore.kernel.org/r/20200802111531.5065-1-tianjia.zhang@linux.alibaba.com +Fixes: f40e74ffa3de ("csiostor:firmware upgrade fix") +Cc: Praveen Madhavan +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c +index e519238864758..1b6f9351b43f9 100644 +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -2384,7 +2384,7 @@ static int csio_hw_prep_fw(struct csio_hw *hw, struct fw_info *fw_info, + FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c), + FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k), + FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k)); +- ret = EINVAL; ++ ret = -EINVAL; + goto bye; + } + +-- +2.25.1 + diff --git a/queue-5.4/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch b/queue-5.4/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch new file mode 100644 index 00000000000..44558b5729b --- /dev/null +++ b/queue-5.4/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch @@ -0,0 +1,36 @@ +From fb775891efbee64b155cbfb95ca6b36e3e7474bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 16:39:49 +0800 +Subject: scsi: ibmvfc: Fix error return in ibmvfc_probe() + +From: Jing Xiangfeng + +[ Upstream commit 5e48a084f4e824e1b624d3fd7ddcf53d2ba69e53 ] + +Fix to return error code PTR_ERR() from the error handling case instead of +0. + +Link: https://lore.kernel.org/r/20200907083949.154251-1-jingxiangfeng@huawei.com +Acked-by: Tyrel Datwyler +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index df897df5cafee..8a76284b59b08 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -4788,6 +4788,7 @@ static int ibmvfc_probe(struct vio_dev *vdev, const struct vio_device_id *id) + if (IS_ERR(vhost->work_thread)) { + dev_err(dev, "Couldn't create kernel thread: %ld\n", + PTR_ERR(vhost->work_thread)); ++ rc = PTR_ERR(vhost->work_thread); + goto free_host_mem; + } + +-- +2.25.1 + diff --git a/queue-5.4/scsi-mpt3sas-fix-sync-irqs.patch b/queue-5.4/scsi-mpt3sas-fix-sync-irqs.patch new file mode 100644 index 00000000000..cd2f8bafe89 --- /dev/null +++ b/queue-5.4/scsi-mpt3sas-fix-sync-irqs.patch @@ -0,0 +1,60 @@ +From 92574abd450a53c449789e0e8895db66c036aff6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 16:21:26 +0200 +Subject: scsi: mpt3sas: Fix sync irqs + +From: Tomas Henzl + +[ Upstream commit 45181eab8ba79ed7a41b549f00500c0093828521 ] + +_base_process_reply_queue() called from _base_interrupt() may schedule a +new irq poll. Fix this by calling synchronize_irq() first. + +Also ensure that enable_irq() is called only when necessary to avoid +"Unbalanced enable for IRQ..." errors. + +Link: https://lore.kernel.org/r/20200910142126.8147-1-thenzl@redhat.com +Fixes: 320e77acb327 ("scsi: mpt3sas: Irq poll to avoid CPU hard lockups") +Acked-by: Sreekanth Reddy +Signed-off-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index b7e44634d0dc2..3d58d24de6b61 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -1708,18 +1708,22 @@ mpt3sas_base_sync_reply_irqs(struct MPT3SAS_ADAPTER *ioc) + /* TMs are on msix_index == 0 */ + if (reply_q->msix_index == 0) + continue; ++ synchronize_irq(pci_irq_vector(ioc->pdev, reply_q->msix_index)); + if (reply_q->irq_poll_scheduled) { + /* Calling irq_poll_disable will wait for any pending + * callbacks to have completed. + */ + irq_poll_disable(&reply_q->irqpoll); + irq_poll_enable(&reply_q->irqpoll); +- reply_q->irq_poll_scheduled = false; +- reply_q->irq_line_enable = true; +- enable_irq(reply_q->os_irq); +- continue; ++ /* check how the scheduled poll has ended, ++ * clean up only if necessary ++ */ ++ if (reply_q->irq_poll_scheduled) { ++ reply_q->irq_poll_scheduled = false; ++ reply_q->irq_line_enable = true; ++ enable_irq(reply_q->os_irq); ++ } + } +- synchronize_irq(pci_irq_vector(ioc->pdev, reply_q->msix_index)); + } + } + +-- +2.25.1 + diff --git a/queue-5.4/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch b/queue-5.4/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch new file mode 100644 index 00000000000..4ec122c4af7 --- /dev/null +++ b/queue-5.4/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch @@ -0,0 +1,34 @@ +From e2b9308d11c44e7e1db0125ce003a8957cdb4132 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 20:38:48 +0800 +Subject: scsi: mvumi: Fix error return in mvumi_io_attach() + +From: Jing Xiangfeng + +[ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ] + +Return PTR_ERR() from the error handling case instead of 0. + +Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangfeng@huawei.com +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mvumi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c +index 8906aceda4c43..0354898d7cac1 100644 +--- a/drivers/scsi/mvumi.c ++++ b/drivers/scsi/mvumi.c +@@ -2425,6 +2425,7 @@ static int mvumi_io_attach(struct mvumi_hba *mhba) + if (IS_ERR(mhba->dm_thread)) { + dev_err(&mhba->pdev->dev, + "failed to create device scan thread\n"); ++ ret = PTR_ERR(mhba->dm_thread); + mutex_unlock(&mhba->sas_discovery_mutex); + goto fail_create_thread; + } +-- +2.25.1 + diff --git a/queue-5.4/scsi-qedf-return-success-if-stale-rport-is-encounter.patch b/queue-5.4/scsi-qedf-return-success-if-stale-rport-is-encounter.patch new file mode 100644 index 00000000000..b319fd7f8f3 --- /dev/null +++ b/queue-5.4/scsi-qedf-return-success-if-stale-rport-is-encounter.patch @@ -0,0 +1,37 @@ +From 0480bcc01ba0ae1068868344ca7a234789fc2f55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 05:14:40 -0700 +Subject: scsi: qedf: Return SUCCESS if stale rport is encountered + +From: Saurav Kashyap + +[ Upstream commit 10aff62fab263ad7661780816551420cea956ebb ] + +If SUCCESS is not returned, error handling will escalate. Return SUCCESS +similar to other conditions in this function. + +Link: https://lore.kernel.org/r/20200907121443.5150-6-jhasan@marvell.com +Signed-off-by: Saurav Kashyap +Signed-off-by: Javed Hasan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index 3d0e345947c1f..9c0955c334e3e 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -668,7 +668,7 @@ static int qedf_eh_abort(struct scsi_cmnd *sc_cmd) + rdata = fcport->rdata; + if (!rdata || !kref_get_unless_zero(&rdata->kref)) { + QEDF_ERR(&qedf->dbg_ctx, "stale rport, sc_cmd=%p\n", sc_cmd); +- rc = 1; ++ rc = SUCCESS; + goto out; + } + +-- +2.25.1 + diff --git a/queue-5.4/scsi-qedi-fix-list_del-corruption-while-removing-act.patch b/queue-5.4/scsi-qedi-fix-list_del-corruption-while-removing-act.patch new file mode 100644 index 00000000000..365c27b4d3e --- /dev/null +++ b/queue-5.4/scsi-qedi-fix-list_del-corruption-while-removing-act.patch @@ -0,0 +1,71 @@ +From dc00df248fbac40648c9412ebc8c399d82a1648c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 02:56:52 -0700 +Subject: scsi: qedi: Fix list_del corruption while removing active I/O + +From: Nilesh Javali + +[ Upstream commit 28b35d17f9f8573d4646dd8df08917a4076a6b63 ] + +While aborting the I/O, the firmware cleanup task timed out and driver +deleted the I/O from active command list. Some time later the firmware +sent the cleanup task response and driver again deleted the I/O from +active command list causing firmware to send completion for non-existent +I/O and list_del corruption of active command list. + +Add fix to check if I/O is present before deleting it from the active +command list to ensure firmware sends valid I/O completion and protect +against list_del corruption. + +Link: https://lore.kernel.org/r/20200908095657.26821-4-mrangankar@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_fw.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c +index 32586800620bd..90aa64604ad78 100644 +--- a/drivers/scsi/qedi/qedi_fw.c ++++ b/drivers/scsi/qedi/qedi_fw.c +@@ -825,8 +825,11 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi, + qedi_clear_task_idx(qedi_conn->qedi, rtid); + + spin_lock(&qedi_conn->list_lock); +- list_del_init(&dbg_cmd->io_cmd); +- qedi_conn->active_cmd_count--; ++ if (likely(dbg_cmd->io_cmd_in_list)) { ++ dbg_cmd->io_cmd_in_list = false; ++ list_del_init(&dbg_cmd->io_cmd); ++ qedi_conn->active_cmd_count--; ++ } + spin_unlock(&qedi_conn->list_lock); + qedi_cmd->state = CLEANUP_RECV; + wake_up_interruptible(&qedi_conn->wait_queue); +@@ -1244,6 +1247,7 @@ int qedi_cleanup_all_io(struct qedi_ctx *qedi, struct qedi_conn *qedi_conn, + qedi_conn->cmd_cleanup_req++; + qedi_iscsi_cleanup_task(ctask, true); + ++ cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + QEDI_WARN(&qedi->dbg_ctx, +@@ -1455,8 +1459,11 @@ static void qedi_tmf_work(struct work_struct *work) + spin_unlock_bh(&qedi_conn->tmf_work_lock); + + spin_lock(&qedi_conn->list_lock); +- list_del_init(&cmd->io_cmd); +- qedi_conn->active_cmd_count--; ++ if (likely(cmd->io_cmd_in_list)) { ++ cmd->io_cmd_in_list = false; ++ list_del_init(&cmd->io_cmd); ++ qedi_conn->active_cmd_count--; ++ } + spin_unlock(&qedi_conn->list_lock); + + clear_bit(QEDI_CONN_FW_CLEANUP, &qedi_conn->flags); +-- +2.25.1 + diff --git a/queue-5.4/scsi-qedi-protect-active-command-list-to-avoid-list-.patch b/queue-5.4/scsi-qedi-protect-active-command-list-to-avoid-list-.patch new file mode 100644 index 00000000000..82984854220 --- /dev/null +++ b/queue-5.4/scsi-qedi-protect-active-command-list-to-avoid-list-.patch @@ -0,0 +1,108 @@ +From 53baa10689a8e978fdaaf70ed2ce21adeb0d20e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 02:56:53 -0700 +Subject: scsi: qedi: Protect active command list to avoid list corruption + +From: Nilesh Javali + +[ Upstream commit c0650e28448d606c84f76c34333dba30f61de993 ] + +Protect active command list for non-I/O commands like login response, +logout response, text response, and recovery cleanup of active list to +avoid list corruption. + +Link: https://lore.kernel.org/r/20200908095657.26821-5-mrangankar@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_fw.c | 8 ++++++++ + drivers/scsi/qedi/qedi_iscsi.c | 2 ++ + 2 files changed, 10 insertions(+) + +diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c +index 946cebc4c9322..32586800620bd 100644 +--- a/drivers/scsi/qedi/qedi_fw.c ++++ b/drivers/scsi/qedi/qedi_fw.c +@@ -59,6 +59,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi, + "Freeing tid=0x%x for cid=0x%x\n", + cmd->task_id, qedi_conn->iscsi_conn_id); + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); +@@ -69,6 +70,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi, + cmd->task_id, qedi_conn->iscsi_conn_id, + &cmd->io_cmd); + } ++ spin_unlock(&qedi_conn->list_lock); + + cmd->state = RESPONSE_RECEIVED; + qedi_clear_task_idx(qedi, cmd->task_id); +@@ -122,6 +124,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi, + "Freeing tid=0x%x for cid=0x%x\n", + cmd->task_id, qedi_conn->iscsi_conn_id); + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); +@@ -132,6 +135,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi, + cmd->task_id, qedi_conn->iscsi_conn_id, + &cmd->io_cmd); + } ++ spin_unlock(&qedi_conn->list_lock); + + cmd->state = RESPONSE_RECEIVED; + qedi_clear_task_idx(qedi, cmd->task_id); +@@ -222,11 +226,13 @@ static void qedi_process_tmf_resp(struct qedi_ctx *qedi, + + tmf_hdr = (struct iscsi_tm *)qedi_cmd->task->hdr; + ++ spin_lock(&qedi_conn->list_lock); + if (likely(qedi_cmd->io_cmd_in_list)) { + qedi_cmd->io_cmd_in_list = false; + list_del_init(&qedi_cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + + if (((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) == + ISCSI_TM_FUNC_LOGICAL_UNIT_RESET) || +@@ -288,11 +294,13 @@ static void qedi_process_login_resp(struct qedi_ctx *qedi, + ISCSI_LOGIN_RESPONSE_HDR_DATA_SEG_LEN_MASK; + qedi_conn->gen_pdu.resp_wr_ptr = qedi_conn->gen_pdu.resp_buf + pld_len; + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + + memset(task_ctx, '\0', sizeof(*task_ctx)); + +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index 0f2622a48311c..755f66b1ff9c7 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -972,11 +972,13 @@ static void qedi_cleanup_active_cmd_list(struct qedi_conn *qedi_conn) + { + struct qedi_cmd *cmd, *cmd_tmp; + ++ spin_lock(&qedi_conn->list_lock); + list_for_each_entry_safe(cmd, cmd_tmp, &qedi_conn->active_cmd_list, + io_cmd) { + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + } + + static void qedi_ep_disconnect(struct iscsi_endpoint *ep) +-- +2.25.1 + diff --git a/queue-5.4/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch b/queue-5.4/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch new file mode 100644 index 00000000000..b87ac2f934b --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch @@ -0,0 +1,38 @@ +From 20c76a913950758dc193d78114360ce5b5d552d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:30 +0800 +Subject: scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() + +From: Tianjia Zhang + +[ Upstream commit ca4fb89a3d714a770e9c73c649da830f3f4a5326 ] + +On an error exit path, a negative error code should be returned instead of +a positive return value. + +Link: https://lore.kernel.org/r/20200802111530.5020-1-tianjia.zhang@linux.alibaba.com +Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine") +Cc: Quinn Tran +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_nvme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c +index f4815a4084d8c..11656e864fca9 100644 +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -682,7 +682,7 @@ int qla_nvme_register_hba(struct scsi_qla_host *vha) + struct nvme_fc_port_template *tmpl; + struct qla_hw_data *ha; + struct nvme_fc_port_info pinfo; +- int ret = EINVAL; ++ int ret = -EINVAL; + + if (!IS_ENABLED(CONFIG_NVME_FC)) + return ret; +-- +2.25.1 + diff --git a/queue-5.4/scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch b/queue-5.4/scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch new file mode 100644 index 00000000000..4fbf6b76343 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch @@ -0,0 +1,41 @@ +From fd6c6773935997f82d92c23eecd1403eae86a504 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:28 +0800 +Subject: scsi: qla2xxx: Fix wrong return value in qlt_chk_unresolv_exchg() + +From: Tianjia Zhang + +[ Upstream commit bbf2d06a9d767718bfe6028d6288c03edb98554a ] + +In the case of a failed retry, a positive value EIO is returned here. I +think this is a typo error. It is necessary to return an error value. + +[mkp: caller checks != 0 but the rest of the file uses -Exxx so fix this up +to be consistent] + +Link: https://lore.kernel.org/r/20200802111528.4974-1-tianjia.zhang@linux.alibaba.com +Fixes: 0691094ff3f2 ("scsi: qla2xxx: Add logic to detect ABTS hang and response completion") +Cc: Quinn Tran +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index a7acc266cec06..d84d95cac2a13 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -5677,7 +5677,7 @@ static int qlt_chk_unresolv_exchg(struct scsi_qla_host *vha, + /* found existing exchange */ + qpair->retry_term_cnt++; + if (qpair->retry_term_cnt >= 5) { +- rc = EIO; ++ rc = -EIO; + qpair->retry_term_cnt = 0; + ql_log(ql_log_warn, vha, 0xffff, + "Unable to send ABTS Respond. Dumping firmware.\n"); +-- +2.25.1 + diff --git a/queue-5.4/scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch b/queue-5.4/scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch new file mode 100644 index 00000000000..f1a4aaf53c9 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch @@ -0,0 +1,76 @@ +From fc75702aa7ccf922451c8b4e920fe5533de960b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 10:15:13 +0200 +Subject: scsi: qla2xxx: Warn if done() or free() are called on an already + freed srb + +From: Daniel Wagner + +[ Upstream commit c0014f94218ea3a312f6235febea0d626c5f2154 ] + +Emit a warning when ->done or ->free are called on an already freed +srb. There is a hidden use-after-free bug in the driver which corrupts +the srb memory pool which originates from the cleanup callbacks. + +An extensive search didn't bring any lights on the real problem. The +initial fix was to set both pointers to NULL and try to catch invalid +accesses. But instead the memory corruption was gone and the driver +didn't crash. Since not all calling places check for NULL pointer, add +explicitly default handlers. With this we workaround the memory +corruption and add a debug help. + +Link: https://lore.kernel.org/r/20200908081516.8561-2-dwagner@suse.de +Reviewed-by: Martin Wilck +Reviewed-by: Arun Easi +Signed-off-by: Daniel Wagner +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 10 ++++++++++ + drivers/scsi/qla2xxx/qla_inline.h | 5 +++++ + 2 files changed, 15 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 62d2ee825c97a..b300e11095828 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -71,6 +71,16 @@ void qla2x00_sp_free(srb_t *sp) + qla2x00_rel_sp(sp); + } + ++void qla2xxx_rel_done_warning(srb_t *sp, int res) ++{ ++ WARN_ONCE(1, "Calling done() of an already freed srb %p object\n", sp); ++} ++ ++void qla2xxx_rel_free_warning(srb_t *sp) ++{ ++ WARN_ONCE(1, "Calling free() of an already freed srb %p object\n", sp); ++} ++ + /* Asynchronous Login/Logout Routines -------------------------------------- */ + + unsigned long +diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h +index 0c3d907af7692..6dfde42d799b5 100644 +--- a/drivers/scsi/qla2xxx/qla_inline.h ++++ b/drivers/scsi/qla2xxx/qla_inline.h +@@ -183,10 +183,15 @@ qla2xxx_get_qpair_sp(scsi_qla_host_t *vha, struct qla_qpair *qpair, + return sp; + } + ++void qla2xxx_rel_done_warning(srb_t *sp, int res); ++void qla2xxx_rel_free_warning(srb_t *sp); ++ + static inline void + qla2xxx_rel_qpair_sp(struct qla_qpair *qpair, srb_t *sp) + { + sp->qpair = NULL; ++ sp->done = qla2xxx_rel_done_warning; ++ sp->free = qla2xxx_rel_free_warning; + mempool_free(sp, qpair->srb_mempool); + QLA_QPAIR_MARK_NOT_BUSY(qpair); + } +-- +2.25.1 + diff --git a/queue-5.4/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch b/queue-5.4/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch new file mode 100644 index 00000000000..c77f4e397f6 --- /dev/null +++ b/queue-5.4/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch @@ -0,0 +1,38 @@ +From 0012998fb42fc4e2573ddb4f2fb6f2553cdcafe5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 12:15:27 +0200 +Subject: scsi: qla4xxx: Fix an error handling path in + 'qla4xxx_get_host_stats()' + +From: Christophe JAILLET + +[ Upstream commit 574918e69720fe62ab3eb42ec3750230c8d16b06 ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()'. + +Link: https://lore.kernel.org/r/20200802101527.676054-1-christophe.jaillet@wanadoo.fr +Fixes: 4161cee52df8 ("[SCSI] qla4xxx: Add host statistics support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 5504ab11decc7..df43cf6405a8e 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -1220,7 +1220,7 @@ static int qla4xxx_get_host_stats(struct Scsi_Host *shost, char *buf, int len) + le64_to_cpu(ql_iscsi_stats->iscsi_sequence_error); + exit_host_stats: + if (ql_iscsi_stats) +- dma_free_coherent(&ha->pdev->dev, host_stats_size, ++ dma_free_coherent(&ha->pdev->dev, stats_size, + ql_iscsi_stats, iscsi_stats_dma); + + ql4_printk(KERN_INFO, ha, "%s: Get host stats done\n", +-- +2.25.1 + diff --git a/queue-5.4/scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch b/queue-5.4/scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch new file mode 100644 index 00000000000..d9cdc5529c5 --- /dev/null +++ b/queue-5.4/scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch @@ -0,0 +1,247 @@ +From 62d48b9320e53cf3fb99ef8a6e07e6cd6e6ff5c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 16:01:33 -0500 +Subject: scsi: smartpqi: Avoid crashing kernel for controller issues + +From: Kevin Barnett + +[ Upstream commit 9e68cccc8ef7206f0bccd590378d0dca8f9b4f57 ] + +Eliminate kernel panics when getting invalid responses from controller. +Take controller offline instead of causing kernel panics. + +Link: https://lore.kernel.org/r/159622929306.30579.16523318707596752828.stgit@brunhilda +Reviewed-by: Scott Teel +Reviewed-by: Scott Benesh +Reviewed-by: Prasad Munirathnam +Reviewed-by: Martin Wilck +Signed-off-by: Kevin Barnett +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi.h | 2 +- + drivers/scsi/smartpqi/smartpqi_init.c | 101 +++++++++++++++++--------- + 2 files changed, 68 insertions(+), 35 deletions(-) + +diff --git a/drivers/scsi/smartpqi/smartpqi.h b/drivers/scsi/smartpqi/smartpqi.h +index 7a3a942b40df0..dd2175e9bfa17 100644 +--- a/drivers/scsi/smartpqi/smartpqi.h ++++ b/drivers/scsi/smartpqi/smartpqi.h +@@ -357,7 +357,7 @@ struct pqi_event_response { + struct pqi_iu_header header; + u8 event_type; + u8 reserved2 : 7; +- u8 request_acknowlege : 1; ++ u8 request_acknowledge : 1; + __le16 event_id; + __le32 additional_event_id; + union { +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 5ae074505386a..093ed5d1eef20 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -527,8 +527,7 @@ static int pqi_build_raid_path_request(struct pqi_ctrl_info *ctrl_info, + put_unaligned_be16(cdb_length, &cdb[7]); + break; + default: +- dev_err(&ctrl_info->pci_dev->dev, "unknown command 0x%c\n", +- cmd); ++ dev_err(&ctrl_info->pci_dev->dev, "unknown command 0x%c\n", cmd); + break; + } + +@@ -2450,7 +2449,6 @@ static int pqi_raid_bypass_submit_scsi_cmd(struct pqi_ctrl_info *ctrl_info, + offload_to_mirror = + (offload_to_mirror >= layout_map_count - 1) ? + 0 : offload_to_mirror + 1; +- WARN_ON(offload_to_mirror >= layout_map_count); + device->offload_to_mirror = offload_to_mirror; + /* + * Avoid direct use of device->offload_to_mirror within this +@@ -2903,10 +2901,14 @@ static int pqi_interpret_task_management_response( + return rc; + } + +-static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, +- struct pqi_queue_group *queue_group) ++static inline void pqi_invalid_response(struct pqi_ctrl_info *ctrl_info) ++{ ++ pqi_take_ctrl_offline(ctrl_info); ++} ++ ++static int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, struct pqi_queue_group *queue_group) + { +- unsigned int num_responses; ++ int num_responses; + pqi_index_t oq_pi; + pqi_index_t oq_ci; + struct pqi_io_request *io_request; +@@ -2918,6 +2920,13 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, + + while (1) { + oq_pi = readl(queue_group->oq_pi); ++ if (oq_pi >= ctrl_info->num_elements_per_oq) { ++ pqi_invalid_response(ctrl_info); ++ dev_err(&ctrl_info->pci_dev->dev, ++ "I/O interrupt: producer index (%u) out of range (0-%u): consumer index: %u\n", ++ oq_pi, ctrl_info->num_elements_per_oq - 1, oq_ci); ++ return -1; ++ } + if (oq_pi == oq_ci) + break; + +@@ -2926,10 +2935,22 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, + (oq_ci * PQI_OPERATIONAL_OQ_ELEMENT_LENGTH); + + request_id = get_unaligned_le16(&response->request_id); +- WARN_ON(request_id >= ctrl_info->max_io_slots); ++ if (request_id >= ctrl_info->max_io_slots) { ++ pqi_invalid_response(ctrl_info); ++ dev_err(&ctrl_info->pci_dev->dev, ++ "request ID in response (%u) out of range (0-%u): producer index: %u consumer index: %u\n", ++ request_id, ctrl_info->max_io_slots - 1, oq_pi, oq_ci); ++ return -1; ++ } + + io_request = &ctrl_info->io_request_pool[request_id]; +- WARN_ON(atomic_read(&io_request->refcount) == 0); ++ if (atomic_read(&io_request->refcount) == 0) { ++ pqi_invalid_response(ctrl_info); ++ dev_err(&ctrl_info->pci_dev->dev, ++ "request ID in response (%u) does not match an outstanding I/O request: producer index: %u consumer index: %u\n", ++ request_id, oq_pi, oq_ci); ++ return -1; ++ } + + switch (response->header.iu_type) { + case PQI_RESPONSE_IU_RAID_PATH_IO_SUCCESS: +@@ -2959,24 +2980,22 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, + io_request->error_info = ctrl_info->error_buffer + + (get_unaligned_le16(&response->error_index) * + PQI_ERROR_BUFFER_ELEMENT_LENGTH); +- pqi_process_io_error(response->header.iu_type, +- io_request); ++ pqi_process_io_error(response->header.iu_type, io_request); + break; + default: ++ pqi_invalid_response(ctrl_info); + dev_err(&ctrl_info->pci_dev->dev, +- "unexpected IU type: 0x%x\n", +- response->header.iu_type); +- break; ++ "unexpected IU type: 0x%x: producer index: %u consumer index: %u\n", ++ response->header.iu_type, oq_pi, oq_ci); ++ return -1; + } + +- io_request->io_complete_callback(io_request, +- io_request->context); ++ io_request->io_complete_callback(io_request, io_request->context); + + /* + * Note that the I/O request structure CANNOT BE TOUCHED after + * returning from the I/O completion callback! + */ +- + oq_ci = (oq_ci + 1) % ctrl_info->num_elements_per_oq; + } + +@@ -3289,9 +3308,9 @@ static void pqi_ofa_capture_event_payload(struct pqi_event *event, + } + } + +-static unsigned int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info) ++static int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info) + { +- unsigned int num_events; ++ int num_events; + pqi_index_t oq_pi; + pqi_index_t oq_ci; + struct pqi_event_queue *event_queue; +@@ -3305,26 +3324,31 @@ static unsigned int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info) + + while (1) { + oq_pi = readl(event_queue->oq_pi); ++ if (oq_pi >= PQI_NUM_EVENT_QUEUE_ELEMENTS) { ++ pqi_invalid_response(ctrl_info); ++ dev_err(&ctrl_info->pci_dev->dev, ++ "event interrupt: producer index (%u) out of range (0-%u): consumer index: %u\n", ++ oq_pi, PQI_NUM_EVENT_QUEUE_ELEMENTS - 1, oq_ci); ++ return -1; ++ } ++ + if (oq_pi == oq_ci) + break; + + num_events++; +- response = event_queue->oq_element_array + +- (oq_ci * PQI_EVENT_OQ_ELEMENT_LENGTH); ++ response = event_queue->oq_element_array + (oq_ci * PQI_EVENT_OQ_ELEMENT_LENGTH); + + event_index = + pqi_event_type_to_event_index(response->event_type); + +- if (event_index >= 0) { +- if (response->request_acknowlege) { +- event = &ctrl_info->events[event_index]; +- event->pending = true; +- event->event_type = response->event_type; +- event->event_id = response->event_id; +- event->additional_event_id = +- response->additional_event_id; ++ if (event_index >= 0 && response->request_acknowledge) { ++ event = &ctrl_info->events[event_index]; ++ event->pending = true; ++ event->event_type = response->event_type; ++ event->event_id = response->event_id; ++ event->additional_event_id = response->additional_event_id; ++ if (event->event_type == PQI_EVENT_TYPE_OFA) + pqi_ofa_capture_event_payload(event, response); +- } + } + + oq_ci = (oq_ci + 1) % PQI_NUM_EVENT_QUEUE_ELEMENTS; +@@ -3439,7 +3463,8 @@ static irqreturn_t pqi_irq_handler(int irq, void *data) + { + struct pqi_ctrl_info *ctrl_info; + struct pqi_queue_group *queue_group; +- unsigned int num_responses_handled; ++ int num_io_responses_handled; ++ int num_events_handled; + + queue_group = data; + ctrl_info = queue_group->ctrl_info; +@@ -3447,17 +3472,25 @@ static irqreturn_t pqi_irq_handler(int irq, void *data) + if (!pqi_is_valid_irq(ctrl_info)) + return IRQ_NONE; + +- num_responses_handled = pqi_process_io_intr(ctrl_info, queue_group); ++ num_io_responses_handled = pqi_process_io_intr(ctrl_info, queue_group); ++ if (num_io_responses_handled < 0) ++ goto out; + +- if (irq == ctrl_info->event_irq) +- num_responses_handled += pqi_process_event_intr(ctrl_info); ++ if (irq == ctrl_info->event_irq) { ++ num_events_handled = pqi_process_event_intr(ctrl_info); ++ if (num_events_handled < 0) ++ goto out; ++ } else { ++ num_events_handled = 0; ++ } + +- if (num_responses_handled) ++ if (num_io_responses_handled + num_events_handled > 0) + atomic_inc(&ctrl_info->num_interrupts); + + pqi_start_io(ctrl_info, queue_group, RAID_PATH, NULL); + pqi_start_io(ctrl_info, queue_group, AIO_PATH, NULL); + ++out: + return IRQ_HANDLED; + } + +-- +2.25.1 + diff --git a/queue-5.4/scsi-target-core-add-control-field-for-trace-events.patch b/queue-5.4/scsi-target-core-add-control-field-for-trace-events.patch new file mode 100644 index 00000000000..4a182d123ab --- /dev/null +++ b/queue-5.4/scsi-target-core-add-control-field-for-trace-events.patch @@ -0,0 +1,113 @@ +From b47397e6ac725a0163077c56cc8ac16dd2742743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 15:59:57 +0300 +Subject: scsi: target: core: Add CONTROL field for trace events + +From: Roman Bolshakov + +[ Upstream commit 7010645ba7256992818b518163f46bd4cdf8002a ] + +trace-cmd report doesn't show events from target subsystem because +scsi_command_size() leaks through event format string: + + [target:target_sequencer_start] function scsi_command_size not defined + [target:target_cmd_complete] function scsi_command_size not defined + +Addition of scsi_command_size() to plugin_scsi.c in trace-cmd doesn't +help because an expression is used inside TP_printk(). trace-cmd event +parser doesn't understand minus sign inside [ ]: + + Error: expected ']' but read '-' + +Rather than duplicating kernel code in plugin_scsi.c, provide a dedicated +field for CONTROL byte. + +Link: https://lore.kernel.org/r/20200929125957.83069-1-r.bolshakov@yadro.com +Reviewed-by: Mike Christie +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + include/scsi/scsi_common.h | 7 +++++++ + include/trace/events/target.h | 12 ++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/scsi/scsi_common.h b/include/scsi/scsi_common.h +index 731ac09ed2313..5b567b43e1b16 100644 +--- a/include/scsi/scsi_common.h ++++ b/include/scsi/scsi_common.h +@@ -25,6 +25,13 @@ scsi_command_size(const unsigned char *cmnd) + scsi_varlen_cdb_length(cmnd) : COMMAND_SIZE(cmnd[0]); + } + ++static inline unsigned char ++scsi_command_control(const unsigned char *cmnd) ++{ ++ return (cmnd[0] == VARIABLE_LENGTH_CMD) ? ++ cmnd[1] : cmnd[COMMAND_SIZE(cmnd[0]) - 1]; ++} ++ + /* Returns a human-readable name for the device */ + extern const char *scsi_device_type(unsigned type); + +diff --git a/include/trace/events/target.h b/include/trace/events/target.h +index 914a872dd3435..e87a3716b0ac9 100644 +--- a/include/trace/events/target.h ++++ b/include/trace/events/target.h +@@ -140,6 +140,7 @@ TRACE_EVENT(target_sequencer_start, + __field( unsigned int, opcode ) + __field( unsigned int, data_length ) + __field( unsigned int, task_attribute ) ++ __field( unsigned char, control ) + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE ) + __string( initiator, cmd->se_sess->se_node_acl->initiatorname ) + ), +@@ -149,6 +150,7 @@ TRACE_EVENT(target_sequencer_start, + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; ++ __entry->control = scsi_command_control(cmd->t_task_cdb); + memcpy(__entry->cdb, cmd->t_task_cdb, TCM_MAX_COMMAND_SIZE); + __assign_str(initiator, cmd->se_sess->se_node_acl->initiatorname); + ), +@@ -158,9 +160,7 @@ TRACE_EVENT(target_sequencer_start, + show_opcode_name(__entry->opcode), + __entry->data_length, __print_hex(__entry->cdb, 16), + show_task_attribute_name(__entry->task_attribute), +- scsi_command_size(__entry->cdb) <= 16 ? +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] : +- __entry->cdb[1] ++ __entry->control + ) + ); + +@@ -175,6 +175,7 @@ TRACE_EVENT(target_cmd_complete, + __field( unsigned int, opcode ) + __field( unsigned int, data_length ) + __field( unsigned int, task_attribute ) ++ __field( unsigned char, control ) + __field( unsigned char, scsi_status ) + __field( unsigned char, sense_length ) + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE ) +@@ -187,6 +188,7 @@ TRACE_EVENT(target_cmd_complete, + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; ++ __entry->control = scsi_command_control(cmd->t_task_cdb); + __entry->scsi_status = cmd->scsi_status; + __entry->sense_length = cmd->scsi_status == SAM_STAT_CHECK_CONDITION ? + min(18, ((u8 *) cmd->sense_buffer)[SPC_ADD_SENSE_LEN_OFFSET] + 8) : 0; +@@ -203,9 +205,7 @@ TRACE_EVENT(target_cmd_complete, + show_opcode_name(__entry->opcode), + __entry->data_length, __print_hex(__entry->cdb, 16), + show_task_attribute_name(__entry->task_attribute), +- scsi_command_size(__entry->cdb) <= 16 ? +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] : +- __entry->cdb[1] ++ __entry->control + ) + ); + +-- +2.25.1 + diff --git a/queue-5.4/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch b/queue-5.4/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch new file mode 100644 index 00000000000..a41038955f6 --- /dev/null +++ b/queue-5.4/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch @@ -0,0 +1,39 @@ +From 5f5910bbe4484b4db0b87c03873ba6d6fbe7f0cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 17:19:20 -0700 +Subject: scsi: target: tcmu: Fix warning: 'page' may be used uninitialized + +From: John Donnelly + +[ Upstream commit 61741d8699e1fc764a309ebd20211bb1cb193110 ] + +Corrects drivers/target/target_core_user.c:688:6: warning: 'page' may be +used uninitialized. + +Link: https://lore.kernel.org/r/20200924001920.43594-1-john.p.donnelly@oracle.com +Fixes: 3c58f737231e ("scsi: target: tcmu: Optimize use of flush_dcache_page") +Cc: Mike Christie +Acked-by: Mike Christie +Signed-off-by: John Donnelly +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index ea925b102b322..d6634baebb474 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -669,7 +669,7 @@ static void scatter_data_area(struct tcmu_dev *udev, + void *from, *to = NULL; + size_t copy_bytes, to_offset, offset; + struct scatterlist *sg; +- struct page *page; ++ struct page *page = NULL; + + for_each_sg(data_sg, sg, data_nents, i) { + int sg_remaining = sg->length; +-- +2.25.1 + diff --git a/queue-5.4/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch b/queue-5.4/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch new file mode 100644 index 00000000000..07a6e328cf5 --- /dev/null +++ b/queue-5.4/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch @@ -0,0 +1,53 @@ +From 3d74887a96b5545f65d281106259b96335f59233 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 05:15:48 -0700 +Subject: scsi: ufs: ufs-qcom: Fix race conditions caused by + ufs_qcom_testbus_config() + +From: Can Guo + +[ Upstream commit 89dd87acd40a44de8ff3358138aedf8f73f4efc6 ] + +If ufs_qcom_dump_dbg_regs() calls ufs_qcom_testbus_config() from +ufshcd_suspend/resume and/or clk gate/ungate context, pm_runtime_get_sync() +and ufshcd_hold() will cause a race condition. Fix this by removing the +unnecessary calls of pm_runtime_get_sync() and ufshcd_hold(). + +Link: https://lore.kernel.org/r/1596975355-39813-3-git-send-email-cang@codeaurora.org +Reviewed-by: Hongwu Su +Reviewed-by: Avri Altman +Reviewed-by: Bean Huo +Reviewed-by: Asutosh Das +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-qcom.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c +index c49e9f6c46f87..4f066e3b19af1 100644 +--- a/drivers/scsi/ufs/ufs-qcom.c ++++ b/drivers/scsi/ufs/ufs-qcom.c +@@ -1492,9 +1492,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host) + */ + } + mask <<= offset; +- +- pm_runtime_get_sync(host->hba->dev); +- ufshcd_hold(host->hba, false); + ufshcd_rmwl(host->hba, TEST_BUS_SEL, + (u32)host->testbus.select_major << 19, + REG_UFS_CFG1); +@@ -1507,8 +1504,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host) + * committed before returning. + */ + mb(); +- ufshcd_release(host->hba); +- pm_runtime_put_sync(host->hba->dev); + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.4/selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch b/queue-5.4/selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch new file mode 100644 index 00000000000..894afd5bae1 --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch @@ -0,0 +1,129 @@ +From 8964a64847a8a3efdcaa04b220f64a1214544ff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 10:15:42 -0700 +Subject: selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change + +From: Yonghong Song + +[ Upstream commit 7fb5eefd76394cfefb380724a87ca40b47d44405 ] + +Andrii reported that with latest clang, when building selftests, we have +error likes: + error: progs/test_sysctl_loop1.c:23:16: in function sysctl_tcp_mem i32 (%struct.bpf_sysctl*): + Looks like the BPF stack limit of 512 bytes is exceeded. + Please move large on stack variables into BPF per-cpu array map. + +The error is triggered by the following LLVM patch: + https://reviews.llvm.org/D87134 + +For example, the following code is from test_sysctl_loop1.c: + static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx) + { + volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string"; + ... + } +Without the above LLVM patch, the compiler did optimization to load the string +(59 bytes long) with 7 64bit loads, 1 8bit load and 1 16bit load, +occupying 64 byte stack size. + +With the above LLVM patch, the compiler only uses 8bit loads, but subregister is 32bit. +So stack requirements become 4 * 59 = 236 bytes. Together with other stuff on +the stack, total stack size exceeds 512 bytes, hence compiler complains and quits. + +To fix the issue, removing "volatile" key word or changing "volatile" to +"const"/"static const" does not work, the string is put in .rodata.str1.1 section, +which libbpf did not process it and errors out with + libbpf: elf: skipping unrecognized data section(6) .rodata.str1.1 + libbpf: prog 'sysctl_tcp_mem': bad map relo against '.L__const.is_tcp_mem.tcp_mem_name' + in section '.rodata.str1.1' + +Defining the string const as global variable can fix the issue as it puts the string constant +in '.rodata' section which is recognized by libbpf. In the future, when libbpf can process +'.rodata.str*.*' properly, the global definition can be changed back to local definition. + +Defining tcp_mem_name as a global, however, triggered a verifier failure. + ./test_progs -n 7/21 + libbpf: load bpf program failed: Permission denied + libbpf: -- BEGIN DUMP LOG --- + libbpf: + invalid stack off=0 size=1 + verification time 6975 usec + stack depth 160+64 + processed 889 insns (limit 1000000) max_states_per_insn 4 total_states + 14 peak_states 14 mark_read 10 + + libbpf: -- END LOG -- + libbpf: failed to load program 'sysctl_tcp_mem' + libbpf: failed to load object 'test_sysctl_loop2.o' + test_bpf_verif_scale:FAIL:114 + #7/21 test_sysctl_loop2.o:FAIL +This actually exposed a bpf program bug. In test_sysctl_loop{1,2}, we have code +like + const char tcp_mem_name[] = "<...long string...>"; + ... + char name[64]; + ... + for (i = 0; i < sizeof(tcp_mem_name); ++i) + if (name[i] != tcp_mem_name[i]) + return 0; +In the above code, if sizeof(tcp_mem_name) > 64, name[i] access may be +out of bound. The sizeof(tcp_mem_name) is 59 for test_sysctl_loop1.c and +79 for test_sysctl_loop2.c. + +Without promotion-to-global change, old compiler generates code where +the overflowed stack access is actually filled with valid value, so hiding +the bpf program bug. With promotion-to-global change, the code is different, +more specifically, the previous loading constants to stack is gone, and +"name" occupies stack[-64:0] and overflow access triggers a verifier error. +To fix the issue, adjust "name" buffer size properly. + +Reported-by: Andrii Nakryiko +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20200909171542.3673449-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/test_sysctl_loop1.c | 4 ++-- + tools/testing/selftests/bpf/progs/test_sysctl_loop2.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c b/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c +index d22e438198cf7..9af8822ece477 100644 +--- a/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c ++++ b/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c +@@ -18,11 +18,11 @@ + #define MAX_ULONG_STR_LEN 7 + #define MAX_VALUE_STR_LEN (TCP_MEM_LOOPS * MAX_ULONG_STR_LEN) + ++const char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string"; + static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx) + { +- volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string"; + unsigned char i; +- char name[64]; ++ char name[sizeof(tcp_mem_name)]; + int ret; + + memset(name, 0, sizeof(name)); +diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c b/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c +index cb201cbe11e77..55251046c9b73 100644 +--- a/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c ++++ b/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c +@@ -18,11 +18,11 @@ + #define MAX_ULONG_STR_LEN 7 + #define MAX_VALUE_STR_LEN (TCP_MEM_LOOPS * MAX_ULONG_STR_LEN) + ++const char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string_to_stress_byte_loop"; + static __attribute__((noinline)) int is_tcp_mem(struct bpf_sysctl *ctx) + { +- volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string_to_stress_byte_loop"; + unsigned char i; +- char name[64]; ++ char name[sizeof(tcp_mem_name)]; + int ret; + + memset(name, 0, sizeof(name)); +-- +2.25.1 + diff --git a/queue-5.4/selftests-ftrace-change-synthetic-event-name-for-int.patch b/queue-5.4/selftests-ftrace-change-synthetic-event-name-for-int.patch new file mode 100644 index 00000000000..8ba37197596 --- /dev/null +++ b/queue-5.4/selftests-ftrace-change-synthetic-event-name-for-int.patch @@ -0,0 +1,52 @@ +From ef1648721732675af1d7385855af2d39a6b7cb4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 09:17:56 -0500 +Subject: selftests/ftrace: Change synthetic event name for + inter-event-combined test + +From: Tom Zanussi + +[ Upstream commit 96378b2088faea68f1fb05ea6b9a566fc569a44c ] + +This test uses waking+wakeup_latency as an event name, which doesn't +make sense since it includes an operator. Illegal names are now +detected by the synthetic event command parsing, which causes this +test to fail. Change the name to 'waking_plus_wakeup_latency' to +prevent this. + +Link: https://lkml.kernel.org/r/a1ee2f76ff28ef7166fb788ca8be968887808920.1602598160.git.zanussi@kernel.org + +Fixes: f06eec4d0f2c (selftests: ftrace: Add inter-event hist triggers testcases) +Acked-by: Masami Hiramatsu +Tested-by: Masami Hiramatsu +Signed-off-by: Tom Zanussi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + .../inter-event/trigger-inter-event-combined-hist.tc | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc +index f3eb8aacec0e7..a2b0e4eb1fe4c 100644 +--- a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc ++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc +@@ -34,12 +34,12 @@ echo 'wakeup_latency u64 lat pid_t pid' >> synthetic_events + echo 'hist:keys=pid:ts1=common_timestamp.usecs if comm=="ping"' >> events/sched/sched_wakeup/trigger + echo 'hist:keys=next_pid:wakeup_lat=common_timestamp.usecs-$ts1:onmatch(sched.sched_wakeup).wakeup_latency($wakeup_lat,next_pid) if next_comm=="ping"' > events/sched/sched_switch/trigger + +-echo 'waking+wakeup_latency u64 lat; pid_t pid' >> synthetic_events +-echo 'hist:keys=pid,lat:sort=pid,lat:ww_lat=$waking_lat+$wakeup_lat:onmatch(synthetic.wakeup_latency).waking+wakeup_latency($ww_lat,pid)' >> events/synthetic/wakeup_latency/trigger +-echo 'hist:keys=pid,lat:sort=pid,lat' >> events/synthetic/waking+wakeup_latency/trigger ++echo 'waking_plus_wakeup_latency u64 lat; pid_t pid' >> synthetic_events ++echo 'hist:keys=pid,lat:sort=pid,lat:ww_lat=$waking_lat+$wakeup_lat:onmatch(synthetic.wakeup_latency).waking_plus_wakeup_latency($ww_lat,pid)' >> events/synthetic/wakeup_latency/trigger ++echo 'hist:keys=pid,lat:sort=pid,lat' >> events/synthetic/waking_plus_wakeup_latency/trigger + + ping $LOCALHOST -c 3 +-if ! grep -q "pid:" events/synthetic/waking+wakeup_latency/hist; then ++if ! grep -q "pid:" events/synthetic/waking_plus_wakeup_latency/hist; then + fail "Failed to create combined histogram" + fi + +-- +2.25.1 + diff --git a/queue-5.4/selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch b/queue-5.4/selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch new file mode 100644 index 00000000000..1b3b28cfbd2 --- /dev/null +++ b/queue-5.4/selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch @@ -0,0 +1,63 @@ +From a22b09221f0dcb6745b94b9ba17792c5ef8f3df3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 13:47:11 +1100 +Subject: selftests/powerpc: Fix eeh-basic.sh exit codes + +From: Oliver O'Halloran + +[ Upstream commit 996f9e0f93f16211945c8d5f18f296a88cb32f91 ] + +The kselftests test running infrastructure expects tests to finish with an +exit code of 4 if the test decided it should be skipped. Currently +eeh-basic.sh exits with the number of devices that failed to recover, so if +four devices didn't recover we'll report a skip instead of a fail. + +Fix this by checking if the return code is non-zero and report success +and failure by returning 0 or 1 respectively. For the cases where should +actually skip return 4. + +Fixes: 85d86c8aa52e ("selftests/powerpc: Add basic EEH selftest") +Signed-off-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201014024711.1138386-1-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/eeh/eeh-basic.sh | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/eeh/eeh-basic.sh b/tools/testing/selftests/powerpc/eeh/eeh-basic.sh +index f988d2f42e8f2..cf001a2c69420 100755 +--- a/tools/testing/selftests/powerpc/eeh/eeh-basic.sh ++++ b/tools/testing/selftests/powerpc/eeh/eeh-basic.sh +@@ -1,17 +1,19 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0-only + ++KSELFTESTS_SKIP=4 ++ + . ./eeh-functions.sh + + if ! eeh_supported ; then + echo "EEH not supported on this system, skipping" +- exit 0; ++ exit $KSELFTESTS_SKIP; + fi + + if [ ! -e "/sys/kernel/debug/powerpc/eeh_dev_check" ] && \ + [ ! -e "/sys/kernel/debug/powerpc/eeh_dev_break" ] ; then + echo "debugfs EEH testing files are missing. Is debugfs mounted?" +- exit 1; ++ exit $KSELFTESTS_SKIP; + fi + + pre_lspci=`mktemp` +@@ -79,4 +81,5 @@ echo "$failed devices failed to recover ($dev_count tested)" + lspci | diff -u $pre_lspci - + rm -f $pre_lspci + +-exit $failed ++test "$failed" == 0 ++exit $? +-- +2.25.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 007436d3c5b..cf7a3fd9071 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -52,3 +52,351 @@ kvm-svm-initialize-prev_ga_tag-before-use.patch ima-don-t-ignore-errors-from-crypto_shash_update.patch crypto-algif_aead-do-not-set-may_backlog-on-the-async-path.patch crypto-caam-qi-add-fallback-for-xts-with-more-than-8b-iv.patch +edac-i5100-fix-error-handling-order-in-i5100_init_on.patch +edac-aspeed-fix-handling-of-platform_get_irq-error.patch +edac-ti-fix-handling-of-platform_get_irq-error.patch +perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch +x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch +drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch +drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch +sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch +perf-x86-intel-uncore-update-ice-lake-uncore-units.patch +perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch +x86-nmi-fix-nmi_handle-duration-miscalculation.patch +x86-events-amd-iommu-fix-sizeof-mismatch.patch +crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch +crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch +crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch +crypto-picoxcell-fix-potential-race-condition-bug.patch +media-tuner-simple-fix-regression-in-simple_set_radi.patch +media-revert-media-exynos4-is-add-missed-check-for-p.patch +media-ov5640-correct-bit-div-register-in-clock-tree-.patch +media-m5mols-check-function-pointer-in-m5mols_sensor.patch +media-uvcvideo-set-media-controller-entity-functions.patch +media-uvcvideo-silence-shift-out-of-bounds-warning.patch +media-staging-intel-ipu3-css-correctly-reset-some-me.patch +media-omap3isp-fix-memleak-in-isp_probe.patch +media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch +media-i2c-ov5640-separate-out-mipi-configuration-fro.patch +media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch +media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch +media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch +media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch +crypto-omap-sham-fix-digcnt-register-handling-with-e.patch +hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch +cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch +media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch +media-tc358743-initialize-variable.patch +media-tc358743-cleanup-tc358743_cec_isr.patch +media-rcar-vin-fix-a-reference-count-leak.patch +media-rockchip-rga-fix-a-reference-count-leak.patch +media-platform-fcp-fix-a-reference-count-leak.patch +media-camss-fix-a-reference-count-leak.patch +media-s5p-mfc-fix-a-reference-count-leak.patch +media-stm32-dcmi-fix-a-reference-count-leak.patch +media-ti-vpe-fix-a-missing-check-and-reference-count.patch +regulator-resolve-supply-after-creating-regulator.patch +pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch +spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch +spi-spi-s3c64xx-check-return-values.patch +blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch +ath10k-provide-survey-info-as-accumulated-data.patch +drm-vkms-fix-xrgb-on-compute-crc.patch +bluetooth-hci_uart-cancel-init-work-before-unregiste.patch +drm-amd-display-fix-wrong-return-value-in-dm_update_.patch +drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch +ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch +ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch +ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch +wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch +asoc-qcom-lpass-platform-fix-memory-leak.patch +asoc-qcom-lpass-cpu-fix-concurrency-issue.patch +brcmfmac-check-ndev-pointer.patch +mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch +staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch +drm-gma500-fix-error-check.patch +scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch +scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch +scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch +scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch +drm-radeon-prefer-lower-feedback-dividers.patch +backlight-sky81452-backlight-fix-refcount-imbalance-.patch +staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch +vmci-check-return-value-of-get_user_pages_fast-for-e.patch +mm-error_inject-fix-allow_error_inject-function-sign.patch +drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch +drm-crc-debugfs-fix-memleak-in-crc_control_write.patch +binder-remove-bogus-warning-on-failed-same-process-t.patch +tty-serial-earlycon-dependency.patch +tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch +pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch +pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch +pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch +drivers-virt-fsl_hypervisor-fix-error-handling-path.patch +video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch +video-fbdev-sis-fix-null-ptr-dereference.patch +video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch +asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch +hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch +drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch +drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch +iomap-clear-page-error-before-beginning-a-write.patch +pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch +pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch +net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch +scsi-mpt3sas-fix-sync-irqs.patch +net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch +cpufreq-armada-37xx-add-missing-module_device_table.patch +drm-mxsfb-check-framebuffer-pitch.patch +coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch +xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch +net-dsa-rtl8366-check-validity-of-passed-vlans.patch +net-dsa-rtl8366-refactor-vlan-pvid-init.patch +net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch +net-wilc1000-clean-up-resource-in-error-path-of-init.patch +asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch +net-dsa-rtl8366rb-support-all-4096-vlans.patch +spi-omap2-mcspi-improve-performance-waiting-for-chst.patch +ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch +dmaengine-dmatest-check-list-for-emptiness-before-ac.patch +misc-mic-scif-fix-error-handling-path.patch +alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch +usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch +quota-clear-padding-in-v2r1_mem2diskdqb.patch +slimbus-core-check-get_addr-before-removing-laddr-id.patch +slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch +slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch +asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch +hid-hid-input-fix-stylus-battery-reporting.patch +nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch +nl80211-fix-obss-pd-min-and-max-offset-validation.patch +coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch +ibmvnic-set-up-200gbps-speed.patch +qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch +iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch +net-enic-cure-the-enic-api-locking-trainwreck.patch +mfd-sm501-fix-leaks-in-probe.patch +iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch +usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch +usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch +nl80211-fix-non-split-wiphy-information.patch +usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch +scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch +scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch +ipmi_si-fix-wrong-return-value-in-try_smi_init.patch +platform-x86-mlx-platform-remove-psu-eeprom-configur.patch +mwifiex-fix-double-free.patch +net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch +ipvs-clear-skb-tstamp-in-forwarding-path.patch +net-korina-fix-kfree-of-rx-tx-descriptor-array.patch +netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch +mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch +mm-memcg-fix-device-private-memcg-accounting.patch +mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch +fs-fix-null-dereference-due-to-data-race-in-prepend_.patch +selftests-ftrace-change-synthetic-event-name-for-int.patch +i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch +ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch +ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch +powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch +powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch +rdma-ucma-fix-locking-for-ctx-events_reported.patch +rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch +mtd-lpddr-fix-excessive-stack-usage-with-clang.patch +rdma-hns-add-a-check-for-current-state-before-modify.patch +rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch +powerpc-pseries-explicitly-reschedule-during-drmem_l.patch +pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch +rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch +mtd-mtdoops-don-t-write-panic-data-twice.patch +arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch +arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch +ida-free-allocated-bitmap-in-error-path.patch +xfs-limit-entries-returned-when-counting-fsmap-recor.patch +xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch +xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch +rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch +rdma-umem-prevent-small-pages-from-being-returned-by.patch +rdma-efa-use-ib_umem_num_dma_pages.patch +rdma-qedr-fix-qp-structure-memory-leak.patch +rdma-qedr-fix-use-of-uninitialized-field.patch +rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch +rdma-qedr-fix-inline-size-returned-for-iwarp.patch +powerpc-book3s64-hash-4k-support-large-linear-mappin.patch +powerpc-tau-use-appropriate-temperature-sample-inter.patch +powerpc-tau-convert-from-timer-to-workqueue.patch +powerpc-tau-remove-duplicated-set_thresholds-call.patch +powerpc-tau-check-processor-type-before-enabling-tau.patch +powerpc-tau-disable-tau-between-measurements.patch +powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch +rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch +rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch +perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch +rdma-hns-set-the-unsupported-wr-opcode.patch +rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch +i40iw-add-support-to-make-destroy-qp-synchronous.patch +perf-stat-skip-duration_time-in-setup_system_wide.patch +rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch +rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch +mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch +mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch +mtd-spinand-gigadevice-add-qe-bit.patch +kdb-fix-pager-search-for-multi-line-strings.patch +overflow-include-header-file-with-size_max-declarati.patch +rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch +powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch +powerpc-perf-hv-gpci-fix-starting-index-value.patch +i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch +cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch +ib-rdmavt-fix-sizeof-mismatch.patch +rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch +maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch +selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch +f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch +rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch +mm-page_owner-change-split_page_owner-to-take-a-coun.patch +lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch +ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch +rapidio-fix-error-handling-path.patch +rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch +mailbox-avoid-timer-start-from-callback.patch +i2c-rcar-auto-select-reset_controller.patch +clk-meson-g12a-mark-fclk_div2-as-critical.patch +pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch +pci-iproc-set-affinity-mask-on-msi-interrupts.patch +rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch +pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch +vfio-pci-decouple-pci_command_memory-bit-checks-from.patch +clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch +clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch +pwm-img-fix-null-pointer-access-in-probe.patch +clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch +clk-mediatek-add-uart0-clock-support.patch +module-statically-initialize-init-section-freeing-da.patch +clk-at91-clk-main-update-key-before-writing-at91_ckg.patch +clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch +watchdog-fix-memleak-in-watchdog_cdev_register.patch +watchdog-use-put_device-on-error.patch +watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch +svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch +ext4-limit-entries-returned-when-counting-fsmap-reco.patch +vfio-pci-clear-token-on-bypass-registration-failure.patch +vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch +clk-imx8mq-fix-usdhc-parents-order.patch +sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch +input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch +input-stmfts-fix-a-vs-typo.patch +input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch +input-omap4-keypad-fix-handling-of-platform_get_irq-.patch +input-twl4030_keypad-fix-handling-of-platform_get_ir.patch +input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch +kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch +scsi-bfa-fix-error-return-in-bfad_pci_init.patch +netfilter-conntrack-connection-timeout-after-re-regi.patch +netfilter-ebtables-fixes-dropping-of-small-packets-i.patch +netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch +arm64-dts-meson-vim3-correct-led-polarity.patch +arm-dts-imx6sl-fix-rng-node.patch +arm-at91-pm-of_node_put-after-its-usage.patch +arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch +arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch +arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch +memory-omap-gpmc-fix-a-couple-off-by-ones.patch +memory-omap-gpmc-fix-build-error-without-config_of.patch +memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch +arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch +arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch +arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch +arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch +arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch +arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch +arm64-dts-actions-limit-address-range-for-pinctrl-no.patch +arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch +soc-fsl-qbman-fix-return-value-on-success.patch +arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch +arm64-dts-zynqmp-remove-additional-compatible-string.patch +arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch +lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch +powerpc-powernv-dump-fix-race-while-processing-opal-.patch +powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch +nvmet-fix-uninitialized-work-for-zero-kato.patch +ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch +sched-features-fix-config_jump_label-case.patch +perf-correct-snoopx-field-offset.patch +i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch +md-bitmap-fix-memory-leak-of-temporary-bitmap.patch +block-ratelimit-handle_bad_sector-message.patch +crypto-ccp-fix-error-handling.patch +x86-asm-replace-__force_order-with-a-memory-clobber.patch +x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch +media-firewire-fix-memory-leak.patch +media-ati_remote-sanity-check-for-both-endpoints.patch +media-st-delta-fix-reference-count-leak-in-delta_run.patch +media-sti-fix-reference-count-leaks.patch +media-exynos4-is-fix-several-reference-count-leaks-d.patch +media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch +media-exynos4-is-fix-a-reference-count-leak.patch +media-vsp1-fix-runtime-pm-imbalance-on-error.patch +media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch +media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch +media-bdisp-fix-runtime-pm-imbalance-on-error.patch +media-media-pci-prevent-memory-leak-in-bttv_probe.patch +x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch +media-uvcvideo-ensure-all-probed-info-is-returned-to.patch +mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch +media-saa7134-avoid-a-shift-overflow.patch +media-venus-fixes-for-list-corruption.patch +fs-dlm-fix-configfs-memory-leak.patch +media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch +ntfs-add-check-for-mft-record-size-in-superblock.patch +ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch +mac80211-handle-lack-of-sband-bitrates-in-rates.patch +pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch +scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch +scsi-target-core-add-control-field-for-trace-events.patch +mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch +misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch +usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch +usb-gadget-function-printer-fix-use-after-free-in-__.patch +udf-limit-sparing-table-size.patch +udf-avoid-accessing-uninitialized-data-on-failed-ino.patch +rtw88-increse-the-size-of-rx-buffer-size.patch +usb-cdc-acm-handle-broken-union-descriptors.patch +usb-dwc3-simple-add-support-for-hikey-970.patch +can-flexcan-flexcan_chip_stop-add-error-handling-and.patch +ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch +drm-panfrost-add-amlogic-reset-quirk-callback.patch +bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch +misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch +reiserfs-only-call-unlock_new_inode-if-i_new.patch +opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch +xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch +usb-ohci-default-to-per-port-over-current-protection.patch +bluetooth-only-mark-socket-zapped-after-unlocking.patch +drm-msm-a6xx-fix-a-potential-overflow-issue.patch +iomap-fix-warn_on_once-from-unprivileged-users.patch +scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch +scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch +selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch +brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch +rtl8xxxu-prevent-potential-memory-leak.patch +fix-use-after-free-in-get_capset_info-callback.patch +hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch +scsi-qedf-return-success-if-stale-rport-is-encounter.patch +scsi-qedi-protect-active-command-list-to-avoid-list-.patch +scsi-qedi-fix-list_del-corruption-while-removing-act.patch +fbmem-add-margin-check-to-fb_check_caps.patch +tty-ipwireless-fix-error-handling.patch +bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch +ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch +reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch +mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch +alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch +alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch +scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch +brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch +usb-core-solve-race-condition-in-anchor-cleanup-func.patch +scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch +dmaengine-dw-add-dma-channels-mask-cell-support.patch +dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch +ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch diff --git a/queue-5.4/slimbus-core-check-get_addr-before-removing-laddr-id.patch b/queue-5.4/slimbus-core-check-get_addr-before-removing-laddr-id.patch new file mode 100644 index 00000000000..b53f9cfc696 --- /dev/null +++ b/queue-5.4/slimbus-core-check-get_addr-before-removing-laddr-id.patch @@ -0,0 +1,42 @@ +From db62c00597595c558ca3434da213a66be650e3f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:18 +0100 +Subject: slimbus: core: check get_addr before removing laddr ida + +From: Srinivas Kandagatla + +[ Upstream commit f97769fde678e111a1b7b165b380d8a3dfe54f4e ] + +logical address can be either assigned by the SLIMBus controller or the core. +Core uses IDA in cases where get_addr callback is not provided by the +controller. +Core already has this check while allocating IDR, however during absence +reporting this is not checked. This patch fixes this issue. + +Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-2-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c +index 63ee96eb58c68..42a233fc5dc6c 100644 +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -327,8 +327,8 @@ void slim_report_absent(struct slim_device *sbdev) + mutex_lock(&ctrl->lock); + sbdev->is_laddr_valid = false; + mutex_unlock(&ctrl->lock); +- +- ida_simple_remove(&ctrl->laddr_ida, sbdev->laddr); ++ if (!ctrl->get_laddr) ++ ida_simple_remove(&ctrl->laddr_ida, sbdev->laddr); + slim_device_update_status(sbdev, SLIM_DEVICE_STATUS_DOWN); + } + EXPORT_SYMBOL_GPL(slim_report_absent); +-- +2.25.1 + diff --git a/queue-5.4/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch b/queue-5.4/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch new file mode 100644 index 00000000000..9016259d7e4 --- /dev/null +++ b/queue-5.4/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch @@ -0,0 +1,38 @@ +From 21a3057725ad1b34aa5abbb2f861547d2ea5d454 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:19 +0100 +Subject: slimbus: core: do not enter to clock pause mode in core + +From: Srinivas Kandagatla + +[ Upstream commit df2c471c4ae07e18a0396db670dca2ef867c5153 ] + +Let the controller logic decide when to enter into clock pause mode! +Entering in to pause mode during unregistration does not really make +sense as the controller is totally going down at that point in time. + +Fixes: 4b14e62ad3c9e ("slimbus: Add support for 'clock-pause' feature") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-3-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/core.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c +index 42a233fc5dc6c..130c798921b5d 100644 +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -302,8 +302,6 @@ int slim_unregister_controller(struct slim_controller *ctrl) + { + /* Remove all clients */ + device_for_each_child(ctrl->dev, NULL, slim_ctrl_remove_device); +- /* Enter Clock Pause */ +- slim_ctrl_clk_pause(ctrl, false, 0); + ida_simple_remove(&ctrl_ida, ctrl->id); + + return 0; +-- +2.25.1 + diff --git a/queue-5.4/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch b/queue-5.4/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch new file mode 100644 index 00000000000..f900845ae8a --- /dev/null +++ b/queue-5.4/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch @@ -0,0 +1,45 @@ +From 6fa4e9d0c2cc763d5e85af25490b94eea10344da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:20 +0100 +Subject: slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback + +From: Srinivas Kandagatla + +[ Upstream commit 709ec3f7fc5773ac4aa6fb22c3f0ac8103c674db ] + +In QMI new server notification we enable the NGD however during +delete server notification we do not disable the NGD. + +This can lead to multiple instances of NGD being enabled, so make +sure that we disable NGD in delete server callback to fix this issue! + +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-4-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/qcom-ngd-ctrl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c +index 01a17d84b6064..ce265bf7de868 100644 +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1273,9 +1273,13 @@ static void qcom_slim_ngd_qmi_del_server(struct qmi_handle *hdl, + { + struct qcom_slim_ngd_qmi *qmi = + container_of(hdl, struct qcom_slim_ngd_qmi, svc_event_hdl); ++ struct qcom_slim_ngd_ctrl *ctrl = ++ container_of(qmi, struct qcom_slim_ngd_ctrl, qmi); + + qmi->svc_info.sq_node = 0; + qmi->svc_info.sq_port = 0; ++ ++ qcom_slim_ngd_enable(ctrl, false); + } + + static struct qmi_ops qcom_slim_ngd_qmi_svc_event_ops = { +-- +2.25.1 + diff --git a/queue-5.4/soc-fsl-qbman-fix-return-value-on-success.patch b/queue-5.4/soc-fsl-qbman-fix-return-value-on-success.patch new file mode 100644 index 00000000000..487047ffe8e --- /dev/null +++ b/queue-5.4/soc-fsl-qbman-fix-return-value-on-success.patch @@ -0,0 +1,38 @@ +From 726a2e353814e4917286f9b969f35d6fd5f74019 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 22:26:25 +0200 +Subject: soc: fsl: qbman: Fix return value on success + +From: Krzysztof Kozlowski + +[ Upstream commit 750cf40c0f7088f36a8a5d102e0488b1ac47faf5 ] + +On error the function was meant to return -ERRNO. This also fixes +compile warning: + + drivers/soc/fsl/qbman/bman.c:640:6: warning: variable 'err' set but not used [-Wunused-but-set-variable] + +Fixes: 0505d00c8dba ("soc/fsl/qbman: Cleanup buffer pools if BMan was initialized prior to bootup") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/bman.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/fsl/qbman/bman.c b/drivers/soc/fsl/qbman/bman.c +index f4fb527d83018..c5dd026fe889f 100644 +--- a/drivers/soc/fsl/qbman/bman.c ++++ b/drivers/soc/fsl/qbman/bman.c +@@ -660,7 +660,7 @@ int bm_shutdown_pool(u32 bpid) + } + done: + put_affine_portal(); +- return 0; ++ return err; + } + + struct gen_pool *bm_bpalloc; +-- +2.25.1 + diff --git a/queue-5.4/spi-omap2-mcspi-improve-performance-waiting-for-chst.patch b/queue-5.4/spi-omap2-mcspi-improve-performance-waiting-for-chst.patch new file mode 100644 index 00000000000..70c9b1fcb71 --- /dev/null +++ b/queue-5.4/spi-omap2-mcspi-improve-performance-waiting-for-chst.patch @@ -0,0 +1,74 @@ +From 113fc336211185e7a7a8cc64872f64572ebd3b0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 17:56:24 +0530 +Subject: spi: omap2-mcspi: Improve performance waiting for CHSTAT + +From: Aswath Govindraju + +[ Upstream commit 7b1d96813317358312440d0d07abbfbeb0ef8d22 ] + +This reverts commit 13d515c796 (spi: omap2-mcspi: Switch to +readl_poll_timeout()). + +The amount of time spent polling for the MCSPI_CHSTAT bits to be set on +AM335x-icev2 platform is less than 1us (about 0.6us) in most cases, with +or without using DMA. So, in most cases the function need not sleep. +Also, setting the sleep_usecs to zero would not be optimal here because +ktime_add_us() used in readl_poll_timeout() is slower compared to the +direct addition used after the revert. So, it is sub-optimal to use +readl_poll_timeout in this case. + +When DMA is not enabled, this revert results in an increase of about 27% +in throughput and decrease of about 20% in CPU usage. However, the CPU +usage and throughput are almost the same when used with DMA. + +Therefore, fix this by reverting the commit which switched to using +readl_poll_timeout(). + +Fixes: 13d515c796ad ("spi: omap2-mcspi: Switch to readl_poll_timeout()") +Signed-off-by: Aswath Govindraju +Link: https://lore.kernel.org/r/20200910122624.8769-1-a-govindraju@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap2-mcspi.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c +index 4433cb4de564e..7646b4b56bed9 100644 +--- a/drivers/spi/spi-omap2-mcspi.c ++++ b/drivers/spi/spi-omap2-mcspi.c +@@ -24,7 +24,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -348,9 +347,19 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi, + + static int mcspi_wait_for_reg_bit(void __iomem *reg, unsigned long bit) + { +- u32 val; +- +- return readl_poll_timeout(reg, val, val & bit, 1, MSEC_PER_SEC); ++ unsigned long timeout; ++ ++ timeout = jiffies + msecs_to_jiffies(1000); ++ while (!(readl_relaxed(reg) & bit)) { ++ if (time_after(jiffies, timeout)) { ++ if (!(readl_relaxed(reg) & bit)) ++ return -ETIMEDOUT; ++ else ++ return 0; ++ } ++ cpu_relax(); ++ } ++ return 0; + } + + static int mcspi_wait_for_completion(struct omap2_mcspi *mcspi, +-- +2.25.1 + diff --git a/queue-5.4/spi-spi-s3c64xx-check-return-values.patch b/queue-5.4/spi-spi-s3c64xx-check-return-values.patch new file mode 100644 index 00000000000..c8f00bd0e36 --- /dev/null +++ b/queue-5.4/spi-spi-s3c64xx-check-return-values.patch @@ -0,0 +1,183 @@ +From 0a14aed7b36b34a76af1bdfb00610742c72922e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:22:37 +0200 +Subject: spi: spi-s3c64xx: Check return values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Stelmach + +[ Upstream commit 2f4db6f705c5cba85d23836c19b44d9687dc1334 ] + +Check return values in prepare_dma() and s3c64xx_spi_config() and +propagate errors upwards. + +Fixes: 788437273fa8 ("spi: s3c64xx: move to generic dmaengine API") +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Łukasz Stelmach +Link: https://lore.kernel.org/r/20201002122243.26849-4-l.stelmach@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 50 ++++++++++++++++++++++++++++++++------- + 1 file changed, 41 insertions(+), 9 deletions(-) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 322f75f89c713..1d948fee1a039 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -122,6 +122,7 @@ + + struct s3c64xx_spi_dma_data { + struct dma_chan *ch; ++ dma_cookie_t cookie; + enum dma_transfer_direction direction; + }; + +@@ -264,12 +265,13 @@ static void s3c64xx_spi_dmacb(void *data) + spin_unlock_irqrestore(&sdd->lock, flags); + } + +-static void prepare_dma(struct s3c64xx_spi_dma_data *dma, ++static int prepare_dma(struct s3c64xx_spi_dma_data *dma, + struct sg_table *sgt) + { + struct s3c64xx_spi_driver_data *sdd; + struct dma_slave_config config; + struct dma_async_tx_descriptor *desc; ++ int ret; + + memset(&config, 0, sizeof(config)); + +@@ -293,12 +295,24 @@ static void prepare_dma(struct s3c64xx_spi_dma_data *dma, + + desc = dmaengine_prep_slave_sg(dma->ch, sgt->sgl, sgt->nents, + dma->direction, DMA_PREP_INTERRUPT); ++ if (!desc) { ++ dev_err(&sdd->pdev->dev, "unable to prepare %s scatterlist", ++ dma->direction == DMA_DEV_TO_MEM ? "rx" : "tx"); ++ return -ENOMEM; ++ } + + desc->callback = s3c64xx_spi_dmacb; + desc->callback_param = dma; + +- dmaengine_submit(desc); ++ dma->cookie = dmaengine_submit(desc); ++ ret = dma_submit_error(dma->cookie); ++ if (ret) { ++ dev_err(&sdd->pdev->dev, "DMA submission failed"); ++ return -EIO; ++ } ++ + dma_async_issue_pending(dma->ch); ++ return 0; + } + + static void s3c64xx_spi_set_cs(struct spi_device *spi, bool enable) +@@ -348,11 +362,12 @@ static bool s3c64xx_spi_can_dma(struct spi_master *master, + return xfer->len > (FIFO_LVL_MASK(sdd) >> 1) + 1; + } + +-static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, ++static int s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + struct spi_transfer *xfer, int dma_mode) + { + void __iomem *regs = sdd->regs; + u32 modecfg, chcfg; ++ int ret = 0; + + modecfg = readl(regs + S3C64XX_SPI_MODE_CFG); + modecfg &= ~(S3C64XX_SPI_MODE_TXDMA_ON | S3C64XX_SPI_MODE_RXDMA_ON); +@@ -378,7 +393,7 @@ static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + chcfg |= S3C64XX_SPI_CH_TXCH_ON; + if (dma_mode) { + modecfg |= S3C64XX_SPI_MODE_TXDMA_ON; +- prepare_dma(&sdd->tx_dma, &xfer->tx_sg); ++ ret = prepare_dma(&sdd->tx_dma, &xfer->tx_sg); + } else { + switch (sdd->cur_bpw) { + case 32: +@@ -410,12 +425,17 @@ static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + writel(((xfer->len * 8 / sdd->cur_bpw) & 0xffff) + | S3C64XX_SPI_PACKET_CNT_EN, + regs + S3C64XX_SPI_PACKET_CNT); +- prepare_dma(&sdd->rx_dma, &xfer->rx_sg); ++ ret = prepare_dma(&sdd->rx_dma, &xfer->rx_sg); + } + } + ++ if (ret) ++ return ret; ++ + writel(modecfg, regs + S3C64XX_SPI_MODE_CFG); + writel(chcfg, regs + S3C64XX_SPI_CH_CFG); ++ ++ return 0; + } + + static u32 s3c64xx_spi_wait_for_timeout(struct s3c64xx_spi_driver_data *sdd, +@@ -548,9 +568,10 @@ static int s3c64xx_wait_for_pio(struct s3c64xx_spi_driver_data *sdd, + return 0; + } + +-static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) ++static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + { + void __iomem *regs = sdd->regs; ++ int ret; + u32 val; + + /* Disable Clock */ +@@ -598,7 +619,9 @@ static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + + if (sdd->port_conf->clk_from_cmu) { + /* The src_clk clock is divided internally by 2 */ +- clk_set_rate(sdd->src_clk, sdd->cur_speed * 2); ++ ret = clk_set_rate(sdd->src_clk, sdd->cur_speed * 2); ++ if (ret) ++ return ret; + } else { + /* Configure Clock */ + val = readl(regs + S3C64XX_SPI_CLK_CFG); +@@ -612,6 +635,8 @@ static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + val |= S3C64XX_SPI_ENCLK_ENABLE; + writel(val, regs + S3C64XX_SPI_CLK_CFG); + } ++ ++ return 0; + } + + #define XFER_DMAADDR_INVALID DMA_BIT_MASK(32) +@@ -654,7 +679,9 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + sdd->cur_bpw = bpw; + sdd->cur_speed = speed; + sdd->cur_mode = spi->mode; +- s3c64xx_spi_config(sdd); ++ status = s3c64xx_spi_config(sdd); ++ if (status) ++ return status; + } + + if (!is_polling(sdd) && (xfer->len > fifo_len) && +@@ -681,10 +708,15 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + /* Start the signals */ + s3c64xx_spi_set_cs(spi, true); + +- s3c64xx_enable_datapath(sdd, xfer, use_dma); ++ status = s3c64xx_enable_datapath(sdd, xfer, use_dma); + + spin_unlock_irqrestore(&sdd->lock, flags); + ++ if (status) { ++ dev_err(&spi->dev, "failed to enable data path for transfer: %d\n", status); ++ break; ++ } ++ + if (use_dma) + status = s3c64xx_wait_for_dma(sdd, xfer); + else +-- +2.25.1 + diff --git a/queue-5.4/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch b/queue-5.4/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch new file mode 100644 index 00000000000..3f036d995fa --- /dev/null +++ b/queue-5.4/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch @@ -0,0 +1,47 @@ +From f1b492083a8502f7a75c39ef03708562622f1c67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:22:35 +0200 +Subject: spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and + s3c64xx_enable_datapath() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Stelmach + +[ Upstream commit 581e2b41977dfc2d4c26c8e976f89c43bb92f9bf ] + +Fix issues with DMA transfers bigger than 512 bytes on Exynos3250. Without +the patches such transfers fail to complete. This solution to the problem +is found in the vendor kernel for ARTIK5 boards based on Exynos3250. + +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Łukasz Stelmach +Link: https://lore.kernel.org/r/20201002122243.26849-2-l.stelmach@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 7b7151ec14c8a..322f75f89c713 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -678,11 +678,11 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + sdd->state &= ~RXBUSY; + sdd->state &= ~TXBUSY; + +- s3c64xx_enable_datapath(sdd, xfer, use_dma); +- + /* Start the signals */ + s3c64xx_spi_set_cs(spi, true); + ++ s3c64xx_enable_datapath(sdd, xfer, use_dma); ++ + spin_unlock_irqrestore(&sdd->lock, flags); + + if (use_dma) +-- +2.25.1 + diff --git a/queue-5.4/staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch b/queue-5.4/staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch new file mode 100644 index 00000000000..d3694a9ca27 --- /dev/null +++ b/queue-5.4/staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch @@ -0,0 +1,51 @@ +From 8e96598466fa239244e984475b8c62021a9ec129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 10:19:28 +0100 +Subject: staging: emxx_udc: Fix passing of NULL to dma_alloc_coherent() + +From: Alex Dewar + +[ Upstream commit cc34073c6248e9cec801bf690d1455f264d12357 ] + +In nbu2ss_eq_queue() memory is allocated with dma_alloc_coherent(), +though, strangely, NULL is passed as the struct device* argument. Pass +the UDC's device instead. Fix up the corresponding call to +dma_free_coherent() in the same way. + +Build-tested on x86 only. + +Fixes: 33aa8d45a4fe ("staging: emxx_udc: Add Emma Mobile USB Gadget driver") +Reported-by: Dan Carpenter +Signed-off-by: Alex Dewar +Link: https://lore.kernel.org/r/20200825091928.55794-1-alex.dewar90@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/emxx_udc/emxx_udc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/emxx_udc/emxx_udc.c b/drivers/staging/emxx_udc/emxx_udc.c +index 147481bf680c3..a6c893ddbf280 100644 +--- a/drivers/staging/emxx_udc/emxx_udc.c ++++ b/drivers/staging/emxx_udc/emxx_udc.c +@@ -2594,7 +2594,7 @@ static int nbu2ss_ep_queue(struct usb_ep *_ep, + + if (req->unaligned) { + if (!ep->virt_buf) +- ep->virt_buf = dma_alloc_coherent(NULL, PAGE_SIZE, ++ ep->virt_buf = dma_alloc_coherent(udc->dev, PAGE_SIZE, + &ep->phys_buf, + GFP_ATOMIC | GFP_DMA); + if (ep->epnum > 0) { +@@ -3153,7 +3153,7 @@ static int nbu2ss_drv_remove(struct platform_device *pdev) + for (i = 0; i < NUM_ENDPOINTS; i++) { + ep = &udc->ep[i]; + if (ep->virt_buf) +- dma_free_coherent(NULL, PAGE_SIZE, (void *)ep->virt_buf, ++ dma_free_coherent(udc->dev, PAGE_SIZE, (void *)ep->virt_buf, + ep->phys_buf); + } + +-- +2.25.1 + diff --git a/queue-5.4/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch b/queue-5.4/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch new file mode 100644 index 00000000000..23957da0fd5 --- /dev/null +++ b/queue-5.4/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch @@ -0,0 +1,47 @@ +From 04ca5c137198230cff6aae433536b90fb406cacc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 19:34:58 +0200 +Subject: staging: rtl8192u: Do not use GFP_KERNEL in atomic context + +From: Christophe JAILLET + +[ Upstream commit acac75bb451fd39344eb54fad6602dfc9482e970 ] + +'rtl8192_irq_rx_tasklet()' is a tasklet initialized in +'rtl8192_init_priv_task()'. +>From this function it is possible to allocate some memory with the +GFP_KERNEL flag, which is not allowed in the atomic context of a tasklet. + +Use GFP_ATOMIC instead. + +The call chain is: + rtl8192_irq_rx_tasklet (in r8192U_core.c) + --> rtl8192_rx_nomal (in r8192U_core.c) + --> ieee80211_rx (in ieee80211/ieee80211_rx.c) + --> RxReorderIndicatePacket (in ieee80211/ieee80211_rx.c) + +Fixes: 79a5ccd97209 ("staging: rtl8192u: fix large frame size compiler warning") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20200813173458.758284-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +index 5c33bcb0db2ee..00e34c392a388 100644 +--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c ++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +@@ -585,7 +585,7 @@ static void RxReorderIndicatePacket(struct ieee80211_device *ieee, + + prxbIndicateArray = kmalloc_array(REORDER_WIN_SIZE, + sizeof(struct ieee80211_rxb *), +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!prxbIndicateArray) + return; + +-- +2.25.1 + diff --git a/queue-5.4/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch b/queue-5.4/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch new file mode 100644 index 00000000000..1f16962415c --- /dev/null +++ b/queue-5.4/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch @@ -0,0 +1,84 @@ +From 8b45b960531d92f83b4b18537ca8b4d3cfd2e266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 13:42:27 +0200 +Subject: SUNRPC: fix copying of multiple pages in gss_read_proxy_verf() + +From: Martijn de Gouw + +[ Upstream commit d48c8124749c9a5081fe68680f83605e272c984b ] + +When the passed token is longer than 4032 bytes, the remaining part +of the token must be copied from the rqstp->rq_arg.pages. But the +copy must make sure it happens in a consecutive way. + +With the existing code, the first memcpy copies 'length' bytes from +argv->iobase, but since the header is in front, this never fills the +whole first page of in_token->pages. + +The mecpy in the loop copies the following bytes, but starts writing at +the next page of in_token->pages. This leaves the last bytes of page 0 +unwritten. + +Symptoms were that users with many groups were not able to access NFS +exports, when using Active Directory as the KDC. + +Signed-off-by: Martijn de Gouw +Fixes: 5866efa8cbfb "SUNRPC: Fix svcauth_gss_proxy_init()" +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/svcauth_gss.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 3645cd241d3ea..cf4d6d7e72822 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1095,9 +1095,9 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, + struct gssp_in_token *in_token) + { + struct kvec *argv = &rqstp->rq_arg.head[0]; +- unsigned int page_base, length; +- int pages, i, res; +- size_t inlen; ++ unsigned int length, pgto_offs, pgfrom_offs; ++ int pages, i, res, pgto, pgfrom; ++ size_t inlen, to_offs, from_offs; + + res = gss_read_common_verf(gc, argv, authp, in_handle); + if (res) +@@ -1125,17 +1125,24 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, + memcpy(page_address(in_token->pages[0]), argv->iov_base, length); + inlen -= length; + +- i = 1; +- page_base = rqstp->rq_arg.page_base; ++ to_offs = length; ++ from_offs = rqstp->rq_arg.page_base; + while (inlen) { +- length = min_t(unsigned int, inlen, PAGE_SIZE); +- memcpy(page_address(in_token->pages[i]), +- page_address(rqstp->rq_arg.pages[i]) + page_base, ++ pgto = to_offs >> PAGE_SHIFT; ++ pgfrom = from_offs >> PAGE_SHIFT; ++ pgto_offs = to_offs & ~PAGE_MASK; ++ pgfrom_offs = from_offs & ~PAGE_MASK; ++ ++ length = min_t(unsigned int, inlen, ++ min_t(unsigned int, PAGE_SIZE - pgto_offs, ++ PAGE_SIZE - pgfrom_offs)); ++ memcpy(page_address(in_token->pages[pgto]) + pgto_offs, ++ page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs, + length); + ++ to_offs += length; ++ from_offs += length; + inlen -= length; +- page_base = 0; +- i++; + } + return 0; + } +-- +2.25.1 + diff --git a/queue-5.4/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch b/queue-5.4/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch new file mode 100644 index 00000000000..e8cadc64812 --- /dev/null +++ b/queue-5.4/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch @@ -0,0 +1,40 @@ +From 8666121918174c8bbabe6e9f49a6e3eacefc18c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 22:33:43 +0300 +Subject: svcrdma: fix bounce buffers for unaligned offsets and multiple pages + +From: Dan Aloni + +[ Upstream commit c327a310ec4d6ecbea13185ed56c11def441d9ab ] + +This was discovered using O_DIRECT at the client side, with small +unaligned file offsets or IOs that span multiple file pages. + +Fixes: e248aa7be86 ("svcrdma: Remove max_sge check at connect time") +Signed-off-by: Dan Aloni +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +index 217106c66a13c..25e8922c10b28 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +@@ -609,10 +609,11 @@ static int svc_rdma_pull_up_reply_msg(struct svcxprt_rdma *rdma, + while (remaining) { + len = min_t(u32, PAGE_SIZE - pageoff, remaining); + +- memcpy(dst, page_address(*ppages), len); ++ memcpy(dst, page_address(*ppages) + pageoff, len); + remaining -= len; + dst += len; + pageoff = 0; ++ ppages++; + } + } + +-- +2.25.1 + diff --git a/queue-5.4/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch b/queue-5.4/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch new file mode 100644 index 00000000000..2fe3575545d --- /dev/null +++ b/queue-5.4/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch @@ -0,0 +1,66 @@ +From de3cf1b0ccb50e1f648150837bf758ebd3bd979d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:46:38 -0500 +Subject: tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup() + +From: Tyrel Datwyler + +[ Upstream commit 63ffcbdad738e3d1c857027789a2273df3337624 ] + +The code currently NULLs tty->driver_data in hvcs_close() with the +intent of informing the next call to hvcs_open() that device needs to be +reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from +tty->driver_data which was previoulsy NULLed by hvcs_close() and our +call to tty_port_put(&hvcsd->port) doesn't actually do anything since +&hvcsd->port ends up translating to NULL by chance. This has the side +effect that when hvcs_remove() is called we have one too many port +references preventing hvcs_destuct_port() from ever being called. This +also prevents us from reusing the /dev/hvcsX node in a future +hvcs_probe() and we can eventually run out of /dev/hvcsX devices. + +Fix this by waiting to NULL tty->driver_data in hvcs_cleanup(). + +Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install") +Signed-off-by: Tyrel Datwyler +Link: https://lore.kernel.org/r/20200820234643.70412-1-tyreld@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/hvc/hvcs.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index ee0604cd9c6b2..0c498b20d8cb5 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -1218,13 +1218,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp) + + tty_wait_until_sent(tty, HVCS_CLOSE_WAIT); + +- /* +- * This line is important because it tells hvcs_open that this +- * device needs to be re-configured the next time hvcs_open is +- * called. +- */ +- tty->driver_data = NULL; +- + free_irq(irq, hvcsd); + return; + } else if (hvcsd->port.count < 0) { +@@ -1239,6 +1232,13 @@ static void hvcs_cleanup(struct tty_struct * tty) + { + struct hvcs_struct *hvcsd = tty->driver_data; + ++ /* ++ * This line is important because it tells hvcs_open that this ++ * device needs to be re-configured the next time hvcs_open is ++ * called. ++ */ ++ tty->driver_data = NULL; ++ + tty_port_put(&hvcsd->port); + } + +-- +2.25.1 + diff --git a/queue-5.4/tty-ipwireless-fix-error-handling.patch b/queue-5.4/tty-ipwireless-fix-error-handling.patch new file mode 100644 index 00000000000..921c9e2fa48 --- /dev/null +++ b/queue-5.4/tty-ipwireless-fix-error-handling.patch @@ -0,0 +1,60 @@ +From 4a87becaf27a98cbdc423eb4eaaa4b040b1b8dac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 12:19:40 -0400 +Subject: tty: ipwireless: fix error handling + +From: Tong Zhang + +[ Upstream commit db332356222d9429731ab9395c89cca403828460 ] + +ipwireless_send_packet() can only return 0 on success and -ENOMEM on +error, the caller should check non zero for error condition + +Signed-off-by: Tong Zhang +Acked-by: David Sterba +Link: https://lore.kernel.org/r/20200821161942.36589-1-ztong0001@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/ipwireless/network.c | 4 ++-- + drivers/tty/ipwireless/tty.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/ipwireless/network.c b/drivers/tty/ipwireless/network.c +index cf20616340a1a..fe569f6294a24 100644 +--- a/drivers/tty/ipwireless/network.c ++++ b/drivers/tty/ipwireless/network.c +@@ -117,7 +117,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel, + skb->len, + notify_packet_sent, + network); +- if (ret == -1) { ++ if (ret < 0) { + skb_pull(skb, 2); + return 0; + } +@@ -134,7 +134,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel, + notify_packet_sent, + network); + kfree(buf); +- if (ret == -1) ++ if (ret < 0) + return 0; + } + kfree_skb(skb); +diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c +index fad3401e604d9..23584769fc292 100644 +--- a/drivers/tty/ipwireless/tty.c ++++ b/drivers/tty/ipwireless/tty.c +@@ -218,7 +218,7 @@ static int ipw_write(struct tty_struct *linux_tty, + ret = ipwireless_send_packet(tty->hardware, IPW_CHANNEL_RAS, + buf, count, + ipw_write_packet_sent_callback, tty); +- if (ret == -1) { ++ if (ret < 0) { + mutex_unlock(&tty->ipw_tty_mutex); + return 0; + } +-- +2.25.1 + diff --git a/queue-5.4/tty-serial-earlycon-dependency.patch b/queue-5.4/tty-serial-earlycon-dependency.patch new file mode 100644 index 00000000000..61f0bacb0d5 --- /dev/null +++ b/queue-5.4/tty-serial-earlycon-dependency.patch @@ -0,0 +1,38 @@ +From 12e1696e03f925c503fa727550d6ba4ace086978 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 08:39:50 -0400 +Subject: tty: serial: earlycon dependency + +From: Tong Zhang + +[ Upstream commit 0fb9342d06b0f667b915ba58bfefc030e534a218 ] + +parse_options() in drivers/tty/serial/earlycon.c calls uart_parse_earlycon +in drivers/tty/serial/serial_core.c therefore selecting SERIAL_EARLYCON +should automatically select SERIAL_CORE, otherwise will result in symbol +not found error during linking if SERIAL_CORE is not configured as builtin + +Fixes: 9aac5887595b ("tty/serial: add generic serial earlycon") +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20200828123949.2642-1-ztong0001@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig +index 67a9eb3f94cec..a9751a83d5dbb 100644 +--- a/drivers/tty/serial/Kconfig ++++ b/drivers/tty/serial/Kconfig +@@ -10,6 +10,7 @@ menu "Serial drivers" + + config SERIAL_EARLYCON + bool ++ depends on SERIAL_CORE + help + Support for early consoles with the earlycon parameter. This enables + the console before standard serial driver is probed. The console is +-- +2.25.1 + diff --git a/queue-5.4/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch b/queue-5.4/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch new file mode 100644 index 00000000000..ed98f88178f --- /dev/null +++ b/queue-5.4/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch @@ -0,0 +1,62 @@ +From 7f45a20061f30871ca2cbf04b52bf9fb58caca6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 12:14:03 +0200 +Subject: udf: Avoid accessing uninitialized data on failed inode read + +From: Jan Kara + +[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ] + +When we fail to read inode, some data accessed in udf_evict_inode() may +be uninitialized. Move the accesses to !is_bad_inode() branch. + +Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/inode.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index ea80036d7897b..97a192eb9949c 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -139,21 +139,24 @@ void udf_evict_inode(struct inode *inode) + struct udf_inode_info *iinfo = UDF_I(inode); + int want_delete = 0; + +- if (!inode->i_nlink && !is_bad_inode(inode)) { +- want_delete = 1; +- udf_setsize(inode, 0); +- udf_update_inode(inode, IS_SYNC(inode)); ++ if (!is_bad_inode(inode)) { ++ if (!inode->i_nlink) { ++ want_delete = 1; ++ udf_setsize(inode, 0); ++ udf_update_inode(inode, IS_SYNC(inode)); ++ } ++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB && ++ inode->i_size != iinfo->i_lenExtents) { ++ udf_warn(inode->i_sb, ++ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n", ++ inode->i_ino, inode->i_mode, ++ (unsigned long long)inode->i_size, ++ (unsigned long long)iinfo->i_lenExtents); ++ } + } + truncate_inode_pages_final(&inode->i_data); + invalidate_inode_buffers(inode); + clear_inode(inode); +- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB && +- inode->i_size != iinfo->i_lenExtents) { +- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n", +- inode->i_ino, inode->i_mode, +- (unsigned long long)inode->i_size, +- (unsigned long long)iinfo->i_lenExtents); +- } + kfree(iinfo->i_ext.i_data); + iinfo->i_ext.i_data = NULL; + udf_clear_extent_cache(inode); +-- +2.25.1 + diff --git a/queue-5.4/udf-limit-sparing-table-size.patch b/queue-5.4/udf-limit-sparing-table-size.patch new file mode 100644 index 00000000000..dd78268949e --- /dev/null +++ b/queue-5.4/udf-limit-sparing-table-size.patch @@ -0,0 +1,40 @@ +From 545d1f61f90483ef10eb96fa7d7b01bcedd518c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:53:08 +0200 +Subject: udf: Limit sparing table size + +From: Jan Kara + +[ Upstream commit 44ac6b829c4e173fdf6df18e6dd86aecf9a3dc99 ] + +Although UDF standard allows it, we don't support sparing table larger +than a single block. Check it during mount so that we don't try to +access memory beyond end of buffer. + +Reported-by: syzbot+9991561e714f597095da@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 4baa1ca91e9be..a0cd766b41cdb 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1352,6 +1352,12 @@ static int udf_load_sparable_map(struct super_block *sb, + (int)spm->numSparingTables); + return -EIO; + } ++ if (le32_to_cpu(spm->sizeSparingTable) > sb->s_blocksize) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too big sparing table size (%u)\n", ++ le32_to_cpu(spm->sizeSparingTable)); ++ return -EIO; ++ } + + for (i = 0; i < spm->numSparingTables; i++) { + loc = le32_to_cpu(spm->locSparingTable[i]); +-- +2.25.1 + diff --git a/queue-5.4/usb-cdc-acm-handle-broken-union-descriptors.patch b/queue-5.4/usb-cdc-acm-handle-broken-union-descriptors.patch new file mode 100644 index 00000000000..d72066265d4 --- /dev/null +++ b/queue-5.4/usb-cdc-acm-handle-broken-union-descriptors.patch @@ -0,0 +1,61 @@ +From b51e99b032053cae5d8d53f8e4eadae6b4fed365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 15:59:49 +0200 +Subject: USB: cdc-acm: handle broken union descriptors + +From: Johan Hovold + +[ Upstream commit 960c7339de27c6d6fec13b54880501c3576bb08d ] + +Handle broken union functional descriptors where the master-interface +doesn't exist or where its class is of neither Communication or Data +type (as required by the specification) by falling back to +"combined-interface" probing. + +Note that this still allows for handling union descriptors with switched +interfaces. + +This specifically makes the Whistler radio scanners TRX series devices +work with the driver without adding further quirks to the device-id +table. + +Reported-by: Daniel Caujolle-Bert +Tested-by: Daniel Caujolle-Bert +Acked-by: Oliver Neukum +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20200921135951.24045-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/class/cdc-acm.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 7499ba118665a..c02488d469185 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1243,9 +1243,21 @@ static int acm_probe(struct usb_interface *intf, + } + } + } else { ++ int class = -1; ++ + data_intf_num = union_header->bSlaveInterface0; + control_interface = usb_ifnum_to_if(usb_dev, union_header->bMasterInterface0); + data_interface = usb_ifnum_to_if(usb_dev, data_intf_num); ++ ++ if (control_interface) ++ class = control_interface->cur_altsetting->desc.bInterfaceClass; ++ ++ if (class != USB_CLASS_COMM && class != USB_CLASS_CDC_DATA) { ++ dev_dbg(&intf->dev, "Broken union descriptor, assuming single interface\n"); ++ combined_interfaces = 1; ++ control_interface = data_interface = intf; ++ goto look_for_collapsed_interface; ++ } + } + + if (!control_interface || !data_interface) { +-- +2.25.1 + diff --git a/queue-5.4/usb-core-solve-race-condition-in-anchor-cleanup-func.patch b/queue-5.4/usb-core-solve-race-condition-in-anchor-cleanup-func.patch new file mode 100644 index 00000000000..9d50acf3a75 --- /dev/null +++ b/queue-5.4/usb-core-solve-race-condition-in-anchor-cleanup-func.patch @@ -0,0 +1,202 @@ +From 7c6be3c1717a23abc8c8950e826fe733d934e552 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 08:46:50 +0300 +Subject: usb: core: Solve race condition in anchor cleanup functions + +From: Eli Billauer + +[ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ] + +usb_kill_anchored_urbs() is commonly used to cancel all URBs on an +anchor just before releasing resources which the URBs rely on. By doing +so, users of this function rely on that no completer callbacks will take +place from any URB on the anchor after it returns. + +However if this function is called in parallel with __usb_hcd_giveback_urb +processing a URB on the anchor, the latter may call the completer +callback after usb_kill_anchored_urbs() returns. This can lead to a +kernel panic due to use after release of memory in interrupt context. + +The race condition is that __usb_hcd_giveback_urb() first unanchors the URB +and then makes the completer callback. Such URB is hence invisible to +usb_kill_anchored_urbs(), allowing it to return before the completer has +been called, since the anchor's urb_list is empty. + +Even worse, if the racing completer callback resubmits the URB, it may +remain in the system long after usb_kill_anchored_urbs() returns. + +Hence list_empty(&anchor->urb_list), which is used in the existing +while-loop, doesn't reliably ensure that all URBs of the anchor are gone. + +A similar problem exists with usb_poison_anchored_urbs() and +usb_scuttle_anchored_urbs(). + +This patch adds an external do-while loop, which ensures that all URBs +are indeed handled before these three functions return. This change has +no effect at all unless the race condition occurs, in which case the +loop will busy-wait until the racing completer callback has finished. +This is a rare condition, so the CPU waste of this spinning is +negligible. + +The additional do-while loop relies on usb_anchor_check_wakeup(), which +returns true iff the anchor list is empty, and there is no +__usb_hcd_giveback_urb() in the system that is in the middle of the +unanchor-before-complete phase. The @suspend_wakeups member of +struct usb_anchor is used for this purpose, which was introduced to solve +another problem which the same race condition causes, in commit +6ec4147e7bdb ("usb-anchor: Delay usb_wait_anchor_empty_timeout wake up +till completion is done"). + +The surely_empty variable is necessary, because usb_anchor_check_wakeup() +must be called with the lock held to prevent races. However the spinlock +must be released and reacquired if the outer loop spins with an empty +URB list while waiting for the unanchor-before-complete passage to finish: +The completer callback may very well attempt to take the very same lock. + +To summarize, using usb_anchor_check_wakeup() means that the patched +functions can return only when the anchor's list is empty, and there is +no invisible URB being processed. Since the inner while loop finishes on +the empty list condition, the new do-while loop will terminate as well, +except for when the said race condition occurs. + +Signed-off-by: Eli Billauer +Acked-by: Oliver Neukum +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20200731054650.30644-1-eli.billauer@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/urb.c | 89 +++++++++++++++++++++++++----------------- + 1 file changed, 54 insertions(+), 35 deletions(-) + +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index da923ec176122..31ca5abb4c12a 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -772,11 +772,12 @@ void usb_block_urb(struct urb *urb) + EXPORT_SYMBOL_GPL(usb_block_urb); + + /** +- * usb_kill_anchored_urbs - cancel transfer requests en masse ++ * usb_kill_anchored_urbs - kill all URBs associated with an anchor + * @anchor: anchor the requests are bound to + * +- * this allows all outstanding URBs to be killed starting +- * from the back of the queue ++ * This kills all outstanding URBs starting from the back of the queue, ++ * with guarantee that no completer callbacks will take place from the ++ * anchor after this function returns. + * + * This routine should not be called by a driver after its disconnect + * method has returned. +@@ -784,20 +785,26 @@ EXPORT_SYMBOL_GPL(usb_block_urb); + void usb_kill_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; ++ int surely_empty; + +- spin_lock_irq(&anchor->lock); +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- /* we must make sure the URB isn't freed before we kill it*/ +- usb_get_urb(victim); +- spin_unlock_irq(&anchor->lock); +- /* this will unanchor the URB */ +- usb_kill_urb(victim); +- usb_put_urb(victim); ++ do { + spin_lock_irq(&anchor->lock); +- } +- spin_unlock_irq(&anchor->lock); ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ /* make sure the URB isn't freed before we kill it */ ++ usb_get_urb(victim); ++ spin_unlock_irq(&anchor->lock); ++ /* this will unanchor the URB */ ++ usb_kill_urb(victim); ++ usb_put_urb(victim); ++ spin_lock_irq(&anchor->lock); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); ++ ++ spin_unlock_irq(&anchor->lock); ++ cpu_relax(); ++ } while (!surely_empty); + } + EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); + +@@ -816,21 +823,27 @@ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); + void usb_poison_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; ++ int surely_empty; + +- spin_lock_irq(&anchor->lock); +- anchor->poisoned = 1; +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- /* we must make sure the URB isn't freed before we kill it*/ +- usb_get_urb(victim); +- spin_unlock_irq(&anchor->lock); +- /* this will unanchor the URB */ +- usb_poison_urb(victim); +- usb_put_urb(victim); ++ do { + spin_lock_irq(&anchor->lock); +- } +- spin_unlock_irq(&anchor->lock); ++ anchor->poisoned = 1; ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ /* make sure the URB isn't freed before we kill it */ ++ usb_get_urb(victim); ++ spin_unlock_irq(&anchor->lock); ++ /* this will unanchor the URB */ ++ usb_poison_urb(victim); ++ usb_put_urb(victim); ++ spin_lock_irq(&anchor->lock); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); ++ ++ spin_unlock_irq(&anchor->lock); ++ cpu_relax(); ++ } while (!surely_empty); + } + EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs); + +@@ -970,14 +983,20 @@ void usb_scuttle_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; + unsigned long flags; ++ int surely_empty; ++ ++ do { ++ spin_lock_irqsave(&anchor->lock, flags); ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ __usb_unanchor_urb(victim, anchor); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); + +- spin_lock_irqsave(&anchor->lock, flags); +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- __usb_unanchor_urb(victim, anchor); +- } +- spin_unlock_irqrestore(&anchor->lock, flags); ++ spin_unlock_irqrestore(&anchor->lock, flags); ++ cpu_relax(); ++ } while (!surely_empty); + } + + EXPORT_SYMBOL_GPL(usb_scuttle_anchored_urbs); +-- +2.25.1 + diff --git a/queue-5.4/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch b/queue-5.4/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch new file mode 100644 index 00000000000..5054b2da08e --- /dev/null +++ b/queue-5.4/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch @@ -0,0 +1,143 @@ +From 64b725bbd7ff6f5ce2ce6b1b2a38c0ab644f2b07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 18:08:39 +0400 +Subject: usb: dwc2: Fix INTR OUT transfers in DDMA mode. + +From: Minas Harutyunyan + +[ Upstream commit b2c586eb07efab982419f32b7c3bd96829bc8bcd ] + +In DDMA mode if INTR OUT transfers mps not multiple of 4 then single packet +corresponds to single descriptor. + +Descriptor limit set to mps and desc chain limit set to mps * +MAX_DMA_DESC_NUM_GENERIC. On that descriptors complete, to calculate +transfer size should be considered correction value for each descriptor. + +In start request function, if "continue" is true then dma buffer address +should be incremmented by offset for all type of transfers, not only for +Control DATA_OUT transfers. + +Fixes: cf77b5fb9b394 ("usb: dwc2: gadget: Transfer length limit checking for DDMA") +Fixes: e02f9aa6119e0 ("usb: dwc2: gadget: EP 0 specific DDMA programming") +Fixes: aa3e8bc81311e ("usb: dwc2: gadget: DDMA transfer start and complete") + +Signed-off-by: Minas Harutyunyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/gadget.c | 40 ++++++++++++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index f7528f732b2aa..70ac47a341ac2 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -712,8 +712,11 @@ static u32 dwc2_hsotg_read_frameno(struct dwc2_hsotg *hsotg) + */ + static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + int is_isoc = hs_ep->isochronous; + unsigned int maxsize; ++ u32 mps = hs_ep->ep.maxpacket; ++ int dir_in = hs_ep->dir_in; + + if (is_isoc) + maxsize = (hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT : +@@ -722,6 +725,11 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + else + maxsize = DEV_DMA_NBYTES_LIMIT * MAX_DMA_DESC_NUM_GENERIC; + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) ++ maxsize = mps * MAX_DMA_DESC_NUM_GENERIC; ++ + return maxsize; + } + +@@ -737,11 +745,14 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + * Isochronous - descriptor rx/tx bytes bitfield limit, + * Control In/Bulk/Interrupt - multiple of mps. This will allow to not + * have concatenations from various descriptors within one packet. ++ * Interrupt OUT - if mps not multiple of 4 then a single packet corresponds ++ * to a single descriptor. + * + * Selects corresponding mask for RX/TX bytes as well. + */ + static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + u32 mps = hs_ep->ep.maxpacket; + int dir_in = hs_ep->dir_in; + u32 desc_size = 0; +@@ -765,6 +776,13 @@ static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask) + desc_size -= desc_size % mps; + } + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) { ++ desc_size = mps; ++ *mask = DEV_DMA_NBYTES_MASK; ++ } ++ + return desc_size; + } + +@@ -1123,13 +1141,7 @@ static void dwc2_hsotg_start_req(struct dwc2_hsotg *hsotg, + length += (mps - (length % mps)); + } + +- /* +- * If more data to send, adjust DMA for EP0 out data stage. +- * ureq->dma stays unchanged, hence increment it by already +- * passed passed data count before starting new transaction. +- */ +- if (!index && hsotg->ep0_state == DWC2_EP0_DATA_OUT && +- continuing) ++ if (continuing) + offset = ureq->actual; + + /* Fill DDMA chain entries */ +@@ -2319,22 +2331,36 @@ static void dwc2_hsotg_change_ep_iso_parity(struct dwc2_hsotg *hsotg, + */ + static unsigned int dwc2_gadget_get_xfersize_ddma(struct dwc2_hsotg_ep *hs_ep) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + struct dwc2_hsotg *hsotg = hs_ep->parent; + unsigned int bytes_rem = 0; ++ unsigned int bytes_rem_correction = 0; + struct dwc2_dma_desc *desc = hs_ep->desc_list; + int i; + u32 status; ++ u32 mps = hs_ep->ep.maxpacket; ++ int dir_in = hs_ep->dir_in; + + if (!desc) + return -EINVAL; + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) ++ bytes_rem_correction = 4 - (mps % 4); ++ + for (i = 0; i < hs_ep->desc_count; ++i) { + status = desc->status; + bytes_rem += status & DEV_DMA_NBYTES_MASK; ++ bytes_rem -= bytes_rem_correction; + + if (status & DEV_DMA_STS_MASK) + dev_err(hsotg->dev, "descriptor %d closed with %x\n", + i, status & DEV_DMA_STS_MASK); ++ ++ if (status & DEV_DMA_L) ++ break; ++ + desc++; + } + +-- +2.25.1 + diff --git a/queue-5.4/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch b/queue-5.4/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch new file mode 100644 index 00000000000..e1f2f18fc8b --- /dev/null +++ b/queue-5.4/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch @@ -0,0 +1,88 @@ +From acfc91cb45aed1e8ee09c1bc12ebb9dd65cf61d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 23:03:54 -0700 +Subject: usb: dwc2: Fix parameter type in function pointer prototype + +From: Nathan Chancellor + +[ Upstream commit 362b9398c962c9ec563653444e15ef9032ef3a90 ] + +When booting up on a Raspberry Pi 4 with Control Flow Integrity checking +enabled, the following warning/panic happens: + +[ 1.626435] CFI failure (target: dwc2_set_bcm_params+0x0/0x4): +[ 1.632408] WARNING: CPU: 0 PID: 32 at kernel/cfi.c:30 __cfi_check_fail+0x54/0x5c +[ 1.640021] Modules linked in: +[ 1.643137] CPU: 0 PID: 32 Comm: kworker/0:1 Not tainted 5.8.0-rc6-next-20200724-00051-g89ba619726de #1 +[ 1.652693] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT) +[ 1.658637] Workqueue: events deferred_probe_work_func +[ 1.663870] pstate: 60000005 (nZCv daif -PAN -UAO BTYPE=--) +[ 1.669542] pc : __cfi_check_fail+0x54/0x5c +[ 1.673798] lr : __cfi_check_fail+0x54/0x5c +[ 1.678050] sp : ffff8000102bbaa0 +[ 1.681419] x29: ffff8000102bbaa0 x28: ffffab09e21c7000 +[ 1.686829] x27: 0000000000000402 x26: ffff0000f6e7c228 +[ 1.692238] x25: 00000000fb7cdb0d x24: 0000000000000005 +[ 1.697647] x23: ffffab09e2515000 x22: ffffab09e069a000 +[ 1.703055] x21: 4c550309df1cf4c1 x20: ffffab09e2433c60 +[ 1.708462] x19: ffffab09e160dc50 x18: ffff0000f6e8cc78 +[ 1.713870] x17: 0000000000000041 x16: ffffab09e0bce6f8 +[ 1.719278] x15: ffffab09e1c819b7 x14: 0000000000000003 +[ 1.724686] x13: 00000000ffffefff x12: 0000000000000000 +[ 1.730094] x11: 0000000000000000 x10: 00000000ffffffff +[ 1.735501] x9 : c932f7abfc4bc600 x8 : c932f7abfc4bc600 +[ 1.740910] x7 : 077207610770075f x6 : ffff0000f6c38f00 +[ 1.746317] x5 : 0000000000000000 x4 : 0000000000000000 +[ 1.751723] x3 : 0000000000000000 x2 : 0000000000000000 +[ 1.757129] x1 : ffff8000102bb7d8 x0 : 0000000000000032 +[ 1.762539] Call trace: +[ 1.765030] __cfi_check_fail+0x54/0x5c +[ 1.768938] __cfi_check+0x5fa6c/0x66afc +[ 1.772932] dwc2_init_params+0xd74/0xd78 +[ 1.777012] dwc2_driver_probe+0x484/0x6ec +[ 1.781180] platform_drv_probe+0xb4/0x100 +[ 1.785350] really_probe+0x228/0x63c +[ 1.789076] driver_probe_device+0x80/0xc0 +[ 1.793247] __device_attach_driver+0x114/0x160 +[ 1.797857] bus_for_each_drv+0xa8/0x128 +[ 1.801851] __device_attach.llvm.14901095709067289134+0xc0/0x170 +[ 1.808050] bus_probe_device+0x44/0x100 +[ 1.812044] deferred_probe_work_func+0x78/0xb8 +[ 1.816656] process_one_work+0x204/0x3c4 +[ 1.820736] worker_thread+0x2f0/0x4c4 +[ 1.824552] kthread+0x174/0x184 +[ 1.827837] ret_from_fork+0x10/0x18 + +CFI validates that all indirect calls go to a function with the same +exact function pointer prototype. In this case, dwc2_set_bcm_params +is the target, which has a parameter of type 'struct dwc2_hsotg *', +but it is being implicitly cast to have a parameter of type 'void *' +because that is the set_params function pointer prototype. Make the +function pointer protoype match the definitions so that there is no +more violation. + +Fixes: 7de1debcd2de ("usb: dwc2: Remove platform static params") +Link: https://github.com/ClangBuiltLinux/linux/issues/1107 +Signed-off-by: Nathan Chancellor +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/params.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c +index 31e090ac9f1ec..6d3812678b8c6 100644 +--- a/drivers/usb/dwc2/params.c ++++ b/drivers/usb/dwc2/params.c +@@ -846,7 +846,7 @@ int dwc2_get_hwparams(struct dwc2_hsotg *hsotg) + int dwc2_init_params(struct dwc2_hsotg *hsotg) + { + const struct of_device_id *match; +- void (*set_params)(void *data); ++ void (*set_params)(struct dwc2_hsotg *data); + + dwc2_set_default_params(hsotg); + dwc2_get_device_properties(hsotg); +-- +2.25.1 + diff --git a/queue-5.4/usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch b/queue-5.4/usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch new file mode 100644 index 00000000000..086df1cfe07 --- /dev/null +++ b/queue-5.4/usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch @@ -0,0 +1,126 @@ +From 025d0fc6c500a911f3ed61be4e38e1ac316eb0bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 09:20:56 +0200 +Subject: usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc + +From: Yu Chen + +[ Upstream commit f580170f135af14e287560d94045624d4242d712 ] + +SPLIT_BOUNDARY_DISABLE should be set for DesignWare USB3 DRD Core +of Hisilicon Kirin Soc when dwc3 core act as host. + +[mchehab: dropped a dev_dbg() as only traces are now allowwed on this driver] + +Signed-off-by: Yu Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 25 +++++++++++++++++++++++++ + drivers/usb/dwc3/core.h | 7 +++++++ + 2 files changed, 32 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 526c275ad0bc5..4cbf295390062 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -117,6 +117,7 @@ static void __dwc3_set_mode(struct work_struct *work) + struct dwc3 *dwc = work_to_dwc(work); + unsigned long flags; + int ret; ++ u32 reg; + + if (dwc->dr_mode != USB_DR_MODE_OTG) + return; +@@ -168,6 +169,11 @@ static void __dwc3_set_mode(struct work_struct *work) + otg_set_vbus(dwc->usb2_phy->otg, true); + phy_set_mode(dwc->usb2_generic_phy, PHY_MODE_USB_HOST); + phy_set_mode(dwc->usb3_generic_phy, PHY_MODE_USB_HOST); ++ if (dwc->dis_split_quirk) { ++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL3); ++ reg |= DWC3_GUCTL3_SPLITDISABLE; ++ dwc3_writel(dwc->regs, DWC3_GUCTL3, reg); ++ } + } + break; + case DWC3_GCTL_PRTCAP_DEVICE: +@@ -1323,6 +1329,9 @@ static void dwc3_get_properties(struct dwc3 *dwc) + dwc->dis_metastability_quirk = device_property_read_bool(dev, + "snps,dis_metastability_quirk"); + ++ dwc->dis_split_quirk = device_property_read_bool(dev, ++ "snps,dis-split-quirk"); ++ + dwc->lpm_nyet_threshold = lpm_nyet_threshold; + dwc->tx_de_emphasis = tx_de_emphasis; + +@@ -1835,10 +1844,26 @@ static int dwc3_resume(struct device *dev) + + return 0; + } ++ ++static void dwc3_complete(struct device *dev) ++{ ++ struct dwc3 *dwc = dev_get_drvdata(dev); ++ u32 reg; ++ ++ if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST && ++ dwc->dis_split_quirk) { ++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL3); ++ reg |= DWC3_GUCTL3_SPLITDISABLE; ++ dwc3_writel(dwc->regs, DWC3_GUCTL3, reg); ++ } ++} ++#else ++#define dwc3_complete NULL + #endif /* CONFIG_PM_SLEEP */ + + static const struct dev_pm_ops dwc3_dev_pm_ops = { + SET_SYSTEM_SLEEP_PM_OPS(dwc3_suspend, dwc3_resume) ++ .complete = dwc3_complete, + SET_RUNTIME_PM_OPS(dwc3_runtime_suspend, dwc3_runtime_resume, + dwc3_runtime_idle) + }; +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index ce4acbf7fef90..4dfbffa944de1 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -136,6 +136,7 @@ + #define DWC3_GEVNTCOUNT(n) (0xc40c + ((n) * 0x10)) + + #define DWC3_GHWPARAMS8 0xc600 ++#define DWC3_GUCTL3 0xc60c + #define DWC3_GFLADJ 0xc630 + + /* Device Registers */ +@@ -375,6 +376,9 @@ + /* Global User Control Register 2 */ + #define DWC3_GUCTL2_RST_ACTBITLATER BIT(14) + ++/* Global User Control Register 3 */ ++#define DWC3_GUCTL3_SPLITDISABLE BIT(14) ++ + /* Device Configuration Register */ + #define DWC3_DCFG_DEVADDR(addr) ((addr) << 3) + #define DWC3_DCFG_DEVADDR_MASK DWC3_DCFG_DEVADDR(0x7f) +@@ -1038,6 +1042,7 @@ struct dwc3_scratchpad_array { + * 2 - No de-emphasis + * 3 - Reserved + * @dis_metastability_quirk: set to disable metastability quirk. ++ * @dis_split_quirk: set to disable split boundary. + * @imod_interval: set the interrupt moderation interval in 250ns + * increments or 0 to disable. + */ +@@ -1229,6 +1234,8 @@ struct dwc3 { + + unsigned dis_metastability_quirk:1; + ++ unsigned dis_split_quirk:1; ++ + u16 imod_interval; + }; + +-- +2.25.1 + diff --git a/queue-5.4/usb-dwc3-simple-add-support-for-hikey-970.patch b/queue-5.4/usb-dwc3-simple-add-support-for-hikey-970.patch new file mode 100644 index 00000000000..053ba452855 --- /dev/null +++ b/queue-5.4/usb-dwc3-simple-add-support-for-hikey-970.patch @@ -0,0 +1,95 @@ +From bfb6ea509d2dbf913b2187dead6e85a32c5b683e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 11:58:23 +0200 +Subject: usb: dwc3: simple: add support for Hikey 970 + +From: Mauro Carvalho Chehab + +[ Upstream commit b68d9251561f33661e53dd618f1cafe7ec9ec3c2 ] + +This binding driver is needed for Hikey 970 to work, +as otherwise a Serror is produced: + + [ 1.837458] SError Interrupt on CPU0, code 0xbf000002 -- SError + [ 1.837462] CPU: 0 PID: 74 Comm: kworker/0:1 Not tainted 5.8.0+ #205 + [ 1.837463] Hardware name: HiKey970 (DT) + [ 1.837465] Workqueue: events deferred_probe_work_func + [ 1.837467] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--) + [ 1.837468] pc : _raw_spin_unlock_irqrestore+0x18/0x50 + [ 1.837469] lr : regmap_unlock_spinlock+0x14/0x20 + [ 1.837470] sp : ffff8000124dba60 + [ 1.837471] x29: ffff8000124dba60 x28: 0000000000000000 + [ 1.837474] x27: ffff0001b7e854c8 x26: ffff80001204ea18 + [ 1.837476] x25: 0000000000000005 x24: ffff800011f918f8 + [ 1.837479] x23: ffff800011fbb588 x22: ffff0001b7e40e00 + [ 1.837481] x21: 0000000000000100 x20: 0000000000000000 + [ 1.837483] x19: ffff0001b767ec00 x18: 00000000ff10c000 + [ 1.837485] x17: 0000000000000002 x16: 0000b0740fdb9950 + [ 1.837488] x15: ffff8000116c1198 x14: ffffffffffffffff + [ 1.837490] x13: 0000000000000030 x12: 0101010101010101 + [ 1.837493] x11: 0000000000000020 x10: ffff0001bf17d130 + [ 1.837495] x9 : 0000000000000000 x8 : ffff0001b6938080 + [ 1.837497] x7 : 0000000000000000 x6 : 000000000000003f + [ 1.837500] x5 : 0000000000000000 x4 : 0000000000000000 + [ 1.837502] x3 : ffff80001096a880 x2 : 0000000000000000 + [ 1.837505] x1 : ffff0001b7e40e00 x0 : 0000000100000001 + [ 1.837507] Kernel panic - not syncing: Asynchronous SError Interrupt + [ 1.837509] CPU: 0 PID: 74 Comm: kworker/0:1 Not tainted 5.8.0+ #205 + [ 1.837510] Hardware name: HiKey970 (DT) + [ 1.837511] Workqueue: events deferred_probe_work_func + [ 1.837513] Call trace: + [ 1.837514] dump_backtrace+0x0/0x1e0 + [ 1.837515] show_stack+0x18/0x24 + [ 1.837516] dump_stack+0xc0/0x11c + [ 1.837517] panic+0x15c/0x324 + [ 1.837518] nmi_panic+0x8c/0x90 + [ 1.837519] arm64_serror_panic+0x78/0x84 + [ 1.837520] do_serror+0x158/0x15c + [ 1.837521] el1_error+0x84/0x100 + [ 1.837522] _raw_spin_unlock_irqrestore+0x18/0x50 + [ 1.837523] regmap_write+0x58/0x80 + [ 1.837524] hi3660_reset_deassert+0x28/0x34 + [ 1.837526] reset_control_deassert+0x50/0x260 + [ 1.837527] reset_control_deassert+0xf4/0x260 + [ 1.837528] dwc3_probe+0x5dc/0xe6c + [ 1.837529] platform_drv_probe+0x54/0xb0 + [ 1.837530] really_probe+0xe0/0x490 + [ 1.837531] driver_probe_device+0xf4/0x160 + [ 1.837532] __device_attach_driver+0x8c/0x114 + [ 1.837533] bus_for_each_drv+0x78/0xcc + [ 1.837534] __device_attach+0x108/0x1a0 + [ 1.837535] device_initial_probe+0x14/0x20 + [ 1.837537] bus_probe_device+0x98/0xa0 + [ 1.837538] deferred_probe_work_func+0x88/0xe0 + [ 1.837539] process_one_work+0x1cc/0x350 + [ 1.837540] worker_thread+0x2c0/0x470 + [ 1.837541] kthread+0x154/0x160 + [ 1.837542] ret_from_fork+0x10/0x30 + [ 1.837569] SMP: stopping secondary CPUs + [ 1.837570] Kernel Offset: 0x1d0000 from 0xffff800010000000 + [ 1.837571] PHYS_OFFSET: 0x0 + [ 1.837572] CPU features: 0x240002,20882004 + [ 1.837573] Memory Limit: none + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-of-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/dwc3/dwc3-of-simple.c b/drivers/usb/dwc3/dwc3-of-simple.c +index bdac3e7d7b184..d055e00f81808 100644 +--- a/drivers/usb/dwc3/dwc3-of-simple.c ++++ b/drivers/usb/dwc3/dwc3-of-simple.c +@@ -183,6 +183,7 @@ static const struct of_device_id of_dwc3_simple_match[] = { + { .compatible = "amlogic,meson-axg-dwc3" }, + { .compatible = "amlogic,meson-gxl-dwc3" }, + { .compatible = "allwinner,sun50i-h6-dwc3" }, ++ { .compatible = "hisilicon,hi3670-dwc3" }, + { /* Sentinel */ } + }; + MODULE_DEVICE_TABLE(of, of_dwc3_simple_match); +-- +2.25.1 + diff --git a/queue-5.4/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch b/queue-5.4/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch new file mode 100644 index 00000000000..09a15e2c66c --- /dev/null +++ b/queue-5.4/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch @@ -0,0 +1,70 @@ +From e93a5c57171ebf1644631bf7256d9d80328c3367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 14:55:03 +0900 +Subject: usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Colitti + +[ Upstream commit 986499b1569af980a819817f17238015b27793f6 ] + +Currently, SuperSpeed NCM gadgets report a speed of 851 Mbps +in USB_CDC_NOTIFY_SPEED_CHANGE. But the calculation appears to +assume 16 packets per microframe, and USB 3 and above no longer +use microframes. + +Maximum speed is actually much higher. On a direct connection, +theoretical throughput is at most 3.86 Gbps for gen1x1 and +9.36 Gbps for gen2x1, and I have seen gadget->host iperf +throughput of >2 Gbps for gen1x1 and >4 Gbps for gen2x1. + +Unfortunately the ConnectionSpeedChange defined in the CDC spec +only uses 32-bit values, so we can't report accurate numbers for +10Gbps and above. So, report 3.75Gbps for SuperSpeed (which is +roughly maximum theoretical performance) and 4.25Gbps for +SuperSpeed Plus (which is close to the maximum that we can report +in a 32-bit unsigned integer). + +This results in: + +[50879.191272] cdc_ncm 2-2:1.0 enx228b127e050c: renamed from usb0 +[50879.234778] cdc_ncm 2-2:1.0 enx228b127e050c: 3750 mbit/s downlink 3750 mbit/s uplink + +on SuperSpeed and: + +[50798.434527] cdc_ncm 8-2:1.0 enx228b127e050c: renamed from usb0 +[50798.524278] cdc_ncm 8-2:1.0 enx228b127e050c: 4250 mbit/s downlink 4250 mbit/s uplink + +on SuperSpeed Plus. + +Fixes: 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors for CDC NCM") +Reviewed-by: Maciej Å»enczykowski +Signed-off-by: Lorenzo Colitti +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_ncm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c +index 1f638759a9533..7672fa25085b0 100644 +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -85,8 +85,10 @@ static inline struct f_ncm *func_to_ncm(struct usb_function *f) + /* peak (theoretical) bulk transfer rate in bits-per-second */ + static inline unsigned ncm_bitrate(struct usb_gadget *g) + { +- if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER) +- return 13 * 1024 * 8 * 1000 * 8; ++ if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS) ++ return 4250000000U; ++ else if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER) ++ return 3750000000U; + else if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH) + return 13 * 512 * 8 * 1000 * 8; + else +-- +2.25.1 + diff --git a/queue-5.4/usb-gadget-function-printer-fix-use-after-free-in-__.patch b/queue-5.4/usb-gadget-function-printer-fix-use-after-free-in-__.patch new file mode 100644 index 00000000000..b7f89c90357 --- /dev/null +++ b/queue-5.4/usb-gadget-function-printer-fix-use-after-free-in-__.patch @@ -0,0 +1,181 @@ +From 6c997ed371bb5dc495a25074115863e21d0893f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 11:05:33 +0800 +Subject: usb: gadget: function: printer: fix use-after-free in __lock_acquire + +From: Zqiang + +[ Upstream commit e8d5f92b8d30bb4ade76494490c3c065e12411b1 ] + +Fix this by increase object reference count. + +BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180 +kernel/locking/lockdep.c:3831 +Read of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377 + +CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xce/0x128 lib/dump_stack.c:118 + print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 + __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831 + lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 + printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723 + vfs_ioctl fs/ioctl.c:47 [inline] + ksys_ioctl+0xfb/0x130 fs/ioctl.c:763 + __do_sys_ioctl fs/ioctl.c:772 [inline] + __se_sys_ioctl fs/ioctl.c:770 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4531a9 +Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9 +RDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003 +RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61 +R13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff + +Allocated by task 2393: + save_stack+0x21/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416 + usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61 + config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444 + configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202 + vfs_symlink+0x33d/0x5b0 fs/namei.c:4201 + do_symlinkat+0x11b/0x1d0 fs/namei.c:4228 + __do_sys_symlinkat fs/namei.c:4242 [inline] + __se_sys_symlinkat fs/namei.c:4239 [inline] + __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 3368: + save_stack+0x21/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + slab_free_hook mm/slub.c:1444 [inline] + slab_free_freelist_hook mm/slub.c:1477 [inline] + slab_free mm/slub.c:3034 [inline] + kfree+0xf7/0x410 mm/slub.c:3995 + gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353 + usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87 + config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485 + configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250 + vfs_unlink+0x287/0x570 fs/namei.c:4073 + do_unlinkat+0x4f9/0x620 fs/namei.c:4137 + __do_sys_unlink fs/namei.c:4184 [inline] + __se_sys_unlink fs/namei.c:4182 [inline] + __x64_sys_unlink+0x42/0x50 fs/namei.c:4182 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8880683b0000 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 24 bytes inside of + 1024-byte region [ffff8880683b0000, ffff8880683b0400) +The buggy address belongs to the page: +page:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300 +index:0xffff8880683b1800 compound_mapcount: 0 +flags: 0x100000000010200(slab|head) +raw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300 +raw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Reported-by: Kyungtae Kim +Signed-off-by: Zqiang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_printer.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c +index 9c7ed2539ff77..8ed1295d7e350 100644 +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -64,7 +65,7 @@ struct printer_dev { + struct usb_gadget *gadget; + s8 interface; + struct usb_ep *in_ep, *out_ep; +- ++ struct kref kref; + struct list_head rx_reqs; /* List of free RX structs */ + struct list_head rx_reqs_active; /* List of Active RX xfers */ + struct list_head rx_buffers; /* List of completed xfers */ +@@ -218,6 +219,13 @@ static inline struct usb_endpoint_descriptor *ep_desc(struct usb_gadget *gadget, + + /*-------------------------------------------------------------------------*/ + ++static void printer_dev_free(struct kref *kref) ++{ ++ struct printer_dev *dev = container_of(kref, struct printer_dev, kref); ++ ++ kfree(dev); ++} ++ + static struct usb_request * + printer_req_alloc(struct usb_ep *ep, unsigned len, gfp_t gfp_flags) + { +@@ -348,6 +356,7 @@ printer_open(struct inode *inode, struct file *fd) + + spin_unlock_irqrestore(&dev->lock, flags); + ++ kref_get(&dev->kref); + DBG(dev, "printer_open returned %x\n", ret); + return ret; + } +@@ -365,6 +374,7 @@ printer_close(struct inode *inode, struct file *fd) + dev->printer_status &= ~PRINTER_SELECTED; + spin_unlock_irqrestore(&dev->lock, flags); + ++ kref_put(&dev->kref, printer_dev_free); + DBG(dev, "printer_close\n"); + + return 0; +@@ -1350,7 +1360,8 @@ static void gprinter_free(struct usb_function *f) + struct f_printer_opts *opts; + + opts = container_of(f->fi, struct f_printer_opts, func_inst); +- kfree(dev); ++ ++ kref_put(&dev->kref, printer_dev_free); + mutex_lock(&opts->lock); + --opts->refcnt; + mutex_unlock(&opts->lock); +@@ -1419,6 +1430,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) + return ERR_PTR(-ENOMEM); + } + ++ kref_init(&dev->kref); + ++opts->refcnt; + dev->minor = opts->minor; + dev->pnp_string = opts->pnp_string; +-- +2.25.1 + diff --git a/queue-5.4/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch b/queue-5.4/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch new file mode 100644 index 00000000000..4db6da2893f --- /dev/null +++ b/queue-5.4/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch @@ -0,0 +1,56 @@ +From 31e2324c58b6e3d798d22ed0664bc77dfc6f69fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 01:19:49 +0900 +Subject: usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Colitti + +[ Upstream commit 4eea21dc67b0c6ba15ae41b1defa113a680a858e ] + +The u_ether driver has a qmult setting that multiplies the +transmit queue length (which by default is 2). + +The intent is that it should be enabled at high/super speed, but +because the code does not explicitly check for USB_SUPER_PLUS, +it is disabled at that speed. + +Fix this by ensuring that the queue multiplier is enabled for any +wired link at high speed or above. Using >= for USB_SPEED_* +constants seems correct because it is what the gadget_is_xxxspeed +functions do. + +The queue multiplier substantially helps performance at higher +speeds. On a direct SuperSpeed Plus link to a Linux laptop, +iperf3 single TCP stream: + +Before (qmult=1): 1.3 Gbps +After (qmult=5): 3.2 Gbps + +Fixes: 04617db7aa68 ("usb: gadget: add SS descriptors to Ethernet gadget") +Reviewed-by: Maciej Å»enczykowski +Signed-off-by: Lorenzo Colitti +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_ether.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c +index fbe96ef1ac7a4..891e9f7f40d59 100644 +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -93,7 +93,7 @@ struct eth_dev { + static inline int qlen(struct usb_gadget *gadget, unsigned qmult) + { + if (gadget_is_dualspeed(gadget) && (gadget->speed == USB_SPEED_HIGH || +- gadget->speed == USB_SPEED_SUPER)) ++ gadget->speed >= USB_SPEED_SUPER)) + return qmult * DEFAULT_QLEN; + else + return DEFAULT_QLEN; +-- +2.25.1 + diff --git a/queue-5.4/usb-ohci-default-to-per-port-over-current-protection.patch b/queue-5.4/usb-ohci-default-to-per-port-over-current-protection.patch new file mode 100644 index 00000000000..8dcda98c819 --- /dev/null +++ b/queue-5.4/usb-ohci-default-to-per-port-over-current-protection.patch @@ -0,0 +1,78 @@ +From 8480a55d72150b2e3f2ff418d4551827e3718d1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 09:25:11 +1200 +Subject: usb: ohci: Default to per-port over-current protection + +From: Hamish Martin + +[ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ] + +Some integrated OHCI controller hubs do not expose all ports of the hub +to pins on the SoC. In some cases the unconnected ports generate +spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC +contains a nominally 3 port hub but only the first port is wired. + +Default behaviour for ohci-platform driver is to use global over-current +protection mode (AKA "ganged"). This leads to the spurious over-current +events affecting all ports in the hub. + +We now alter the default to use per-port over-current protection. + +This patch results in the following configuration changes depending +on quirks: +- For quirk OHCI_QUIRK_SUPERIO no changes. These systems remain set up + for ganged power switching and no over-current protection. +- For quirk OHCI_QUIRK_AMD756 or OHCI_QUIRK_HUB_POWER power switching + remains at none, while over-current protection is now guaranteed to be + set to per-port rather than the previous behaviour where it was either + none or global over-current protection depending on the value at + function entry. + +Suggested-by: Alan Stern +Acked-by: Alan Stern +Signed-off-by: Hamish Martin +Link: https://lore.kernel.org/r/20200910212512.16670-1-hamish.martin@alliedtelesis.co.nz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-hcd.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c +index 4de91653a2c7b..5eb62240c7f87 100644 +--- a/drivers/usb/host/ohci-hcd.c ++++ b/drivers/usb/host/ohci-hcd.c +@@ -673,20 +673,24 @@ static int ohci_run (struct ohci_hcd *ohci) + + /* handle root hub init quirks ... */ + val = roothub_a (ohci); +- val &= ~(RH_A_PSM | RH_A_OCPM); ++ /* Configure for per-port over-current protection by default */ ++ val &= ~RH_A_NOCP; ++ val |= RH_A_OCPM; + if (ohci->flags & OHCI_QUIRK_SUPERIO) { +- /* NSC 87560 and maybe others */ ++ /* NSC 87560 and maybe others. ++ * Ganged power switching, no over-current protection. ++ */ + val |= RH_A_NOCP; +- val &= ~(RH_A_POTPGT | RH_A_NPS); +- ohci_writel (ohci, val, &ohci->regs->roothub.a); ++ val &= ~(RH_A_POTPGT | RH_A_NPS | RH_A_PSM | RH_A_OCPM); + } else if ((ohci->flags & OHCI_QUIRK_AMD756) || + (ohci->flags & OHCI_QUIRK_HUB_POWER)) { + /* hub power always on; required for AMD-756 and some +- * Mac platforms. ganged overcurrent reporting, if any. ++ * Mac platforms. + */ + val |= RH_A_NPS; +- ohci_writel (ohci, val, &ohci->regs->roothub.a); + } ++ ohci_writel(ohci, val, &ohci->regs->roothub.a); ++ + ohci_writel (ohci, RH_HS_LPSC, &ohci->regs->roothub.status); + ohci_writel (ohci, (val & RH_A_NPS) ? 0 : RH_B_PPCM, + &ohci->regs->roothub.b); +-- +2.25.1 + diff --git a/queue-5.4/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch b/queue-5.4/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch new file mode 100644 index 00000000000..c00c19dfce5 --- /dev/null +++ b/queue-5.4/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch @@ -0,0 +1,39 @@ +From c3518e8586eb85b6555ad319e1471ae2251bd052 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 17:35:58 +0800 +Subject: vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages + +From: Xiaoyang Xu + +[ Upstream commit 2e6cfd496f5b57034cf2aec738799571b5a52124 ] + +pfn is not added to pfn_list when vfio_add_to_pfn_list fails. +vfio_unpin_page_external will exit directly without calling +vfio_iova_put_vfio_pfn. This will lead to a memory leak. + +Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") +Signed-off-by: Xiaoyang Xu +[aw: simplified logic, add Fixes] +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index c6220f57fdf3e..3b31e83a92155 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -631,7 +631,8 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data, + + ret = vfio_add_to_pfn_list(dma, iova, phys_pfn[i]); + if (ret) { +- vfio_unpin_page_external(dma, iova, do_accounting); ++ if (put_pfn(phys_pfn[i], dma->prot) && do_accounting) ++ vfio_lock_acct(dma, -1, true); + goto pin_unwind; + } + } +-- +2.25.1 + diff --git a/queue-5.4/vfio-pci-clear-token-on-bypass-registration-failure.patch b/queue-5.4/vfio-pci-clear-token-on-bypass-registration-failure.patch new file mode 100644 index 00000000000..5166903a985 --- /dev/null +++ b/queue-5.4/vfio-pci-clear-token-on-bypass-registration-failure.patch @@ -0,0 +1,47 @@ +From eee6f797c066cc43852bc2312fc573ee0af37290 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 07:13:55 -0600 +Subject: vfio/pci: Clear token on bypass registration failure + +From: Alex Williamson + +[ Upstream commit 852b1beecb6ff9326f7ca4bc0fe69ae860ebdb9e ] + +The eventfd context is used as our irqbypass token, therefore if an +eventfd is re-used, our token is the same. The irqbypass code will +return an -EBUSY in this case, but we'll still attempt to unregister +the producer, where if that duplicate token still exists, results in +removing the wrong object. Clear the token of failed producers so +that they harmlessly fall out when unregistered. + +Fixes: 6d7425f109d2 ("vfio: Register/unregister irq_bypass_producer") +Reported-by: guomin chen +Tested-by: guomin chen +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_intrs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c +index 1d9fb25929459..869dce5f134dd 100644 +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -352,11 +352,13 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + vdev->ctx[vector].producer.token = trigger; + vdev->ctx[vector].producer.irq = irq; + ret = irq_bypass_register_producer(&vdev->ctx[vector].producer); +- if (unlikely(ret)) ++ if (unlikely(ret)) { + dev_info(&pdev->dev, + "irq bypass producer (token %p) registration fails: %d\n", + vdev->ctx[vector].producer.token, ret); + ++ vdev->ctx[vector].producer.token = NULL; ++ } + vdev->ctx[vector].trigger = trigger; + + return 0; +-- +2.25.1 + diff --git a/queue-5.4/vfio-pci-decouple-pci_command_memory-bit-checks-from.patch b/queue-5.4/vfio-pci-decouple-pci_command_memory-bit-checks-from.patch new file mode 100644 index 00000000000..7c3fd9117c6 --- /dev/null +++ b/queue-5.4/vfio-pci-decouple-pci_command_memory-bit-checks-from.patch @@ -0,0 +1,88 @@ +From aaf9c50f2de7b926d3ab34a0812b6aaf6bebc28a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 10:59:57 -0400 +Subject: vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn + +From: Matthew Rosato + +[ Upstream commit 515ecd5368f1510152fa4f9b9ce55b66ac56c334 ] + +While it is true that devices with is_virtfn=1 will have a Memory Space +Enable bit that is hard-wired to 0, this is not the only case where we +see this behavior -- For example some bare-metal hypervisors lack +Memory Space Enable bit emulation for devices not setting is_virtfn +(s390). Fix this by instead checking for the newly-added +no_command_memory bit which directly denotes the need for +PCI_COMMAND_MEMORY emulation in vfio. + +Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory") +Signed-off-by: Matthew Rosato +Reviewed-by: Niklas Schnelle +Reviewed-by: Pierre Morel +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_config.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index 927b608461c82..bf32997c557ff 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -406,7 +406,7 @@ bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev) + * PF SR-IOV capability, there's therefore no need to trigger + * faults based on the virtual value. + */ +- return pdev->is_virtfn || (cmd & PCI_COMMAND_MEMORY); ++ return pdev->no_command_memory || (cmd & PCI_COMMAND_MEMORY); + } + + /* +@@ -518,8 +518,8 @@ static int vfio_basic_config_read(struct vfio_pci_device *vdev, int pos, + + count = vfio_default_config_read(vdev, pos, count, perm, offset, val); + +- /* Mask in virtual memory enable for SR-IOV devices */ +- if (offset == PCI_COMMAND && vdev->pdev->is_virtfn) { ++ /* Mask in virtual memory enable */ ++ if (offset == PCI_COMMAND && vdev->pdev->no_command_memory) { + u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]); + u32 tmp_val = le32_to_cpu(*val); + +@@ -587,9 +587,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + * shows it disabled (phys_mem/io, then the device has + * undergone some kind of backdoor reset and needs to be + * restored before we allow it to enable the bars. +- * SR-IOV devices will trigger this, but we catch them later ++ * SR-IOV devices will trigger this - for mem enable let's ++ * catch this now and for io enable it will be caught later + */ +- if ((new_mem && virt_mem && !phys_mem) || ++ if ((new_mem && virt_mem && !phys_mem && ++ !pdev->no_command_memory) || + (new_io && virt_io && !phys_io) || + vfio_need_bar_restore(vdev)) + vfio_bar_restore(vdev); +@@ -1732,12 +1734,14 @@ int vfio_config_init(struct vfio_pci_device *vdev) + vconfig[PCI_INTERRUPT_PIN]); + + vconfig[PCI_INTERRUPT_PIN] = 0; /* Gratuitous for good VFs */ +- ++ } ++ if (pdev->no_command_memory) { + /* +- * VFs do no implement the memory enable bit of the COMMAND +- * register therefore we'll not have it set in our initial +- * copy of config space after pci_enable_device(). For +- * consistency with PFs, set the virtual enable bit here. ++ * VFs and devices that set pdev->no_command_memory do not ++ * implement the memory enable bit of the COMMAND register ++ * therefore we'll not have it set in our initial copy of ++ * config space after pci_enable_device(). For consistency ++ * with PFs, set the virtual enable bit here. + */ + *(__le16 *)&vconfig[PCI_COMMAND] |= + cpu_to_le16(PCI_COMMAND_MEMORY); +-- +2.25.1 + diff --git a/queue-5.4/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch b/queue-5.4/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch new file mode 100644 index 00000000000..00d632acbcf --- /dev/null +++ b/queue-5.4/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch @@ -0,0 +1,40 @@ +From b46a93d36a58f184fa261abe5f2eb0d82dffed13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 14:29:00 +0800 +Subject: video: fbdev: radeon: Fix memleak in radeonfb_pci_register + +From: Dinghao Liu + +[ Upstream commit fe6c6a4af2be8c15bac77f7ea160f947c04840d1 ] + +When radeon_kick_out_firmware_fb() fails, info should be +freed just like the subsequent error paths. + +Fixes: 069ee21a82344 ("fbdev: Fix loading of module radeonfb on PowerMac") +Signed-off-by: Dinghao Liu +Reviewed-by: Mathieu Malaterre +Cc: Kangjie Lu +Cc: Benjamin Herrenschmidt +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200825062900.11210-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/aty/radeon_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/aty/radeon_base.c b/drivers/video/fbdev/aty/radeon_base.c +index 4ca07866f2f66..5dda824d0da3f 100644 +--- a/drivers/video/fbdev/aty/radeon_base.c ++++ b/drivers/video/fbdev/aty/radeon_base.c +@@ -2323,7 +2323,7 @@ static int radeonfb_pci_register(struct pci_dev *pdev, + + ret = radeon_kick_out_firmware_fb(pdev); + if (ret) +- return ret; ++ goto err_release_fb; + + /* request the mem regions */ + ret = pci_request_region(pdev, 0, "radeonfb framebuffer"); +-- +2.25.1 + diff --git a/queue-5.4/video-fbdev-sis-fix-null-ptr-dereference.patch b/queue-5.4/video-fbdev-sis-fix-null-ptr-dereference.patch new file mode 100644 index 00000000000..54b08218649 --- /dev/null +++ b/queue-5.4/video-fbdev-sis-fix-null-ptr-dereference.patch @@ -0,0 +1,78 @@ +From 6fcae34066a9ec28db79abe0947f2ed5a1b251df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 07:52:08 -0700 +Subject: video: fbdev: sis: fix null ptr dereference + +From: Tom Rix + +[ Upstream commit ad6f93e9cd56f0b10e9b22e3e137d17a1a035242 ] + +Clang static analysis reports this representative error + +init.c:2501:18: warning: Array access (from variable 'queuedata') results + in a null pointer dereference + templ |= ((queuedata[i] & 0xc0) << 3); + +This is the problem block of code + + if(ModeNo > 0x13) { + ... + if(SiS_Pr->ChipType == SIS_730) { + queuedata = &FQBQData730[0]; + } else { + queuedata = &FQBQData[0]; + } + } else { + + } + +queuedata is not set in the else block + +Reviewing the old code, the arrays FQBQData730 and FQBQData were +used directly. + +So hoist the setting of queuedata out of the if-else block. + +Fixes: 544393fe584d ("[PATCH] sisfb update") +Signed-off-by: Tom Rix +Cc: Thomas Winischhofer +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200805145208.17727-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/init.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c +index dfe3eb769638b..fde27feae5d0c 100644 +--- a/drivers/video/fbdev/sis/init.c ++++ b/drivers/video/fbdev/sis/init.c +@@ -2428,6 +2428,11 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo, + + i = 0; + ++ if (SiS_Pr->ChipType == SIS_730) ++ queuedata = &FQBQData730[0]; ++ else ++ queuedata = &FQBQData[0]; ++ + if(ModeNo > 0x13) { + + /* Get VCLK */ +@@ -2445,12 +2450,6 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo, + /* Get half colordepth */ + colorth = colortharray[(SiS_Pr->SiS_ModeType - ModeEGA)]; + +- if(SiS_Pr->ChipType == SIS_730) { +- queuedata = &FQBQData730[0]; +- } else { +- queuedata = &FQBQData[0]; +- } +- + do { + templ = SiS_CalcDelay2(SiS_Pr, queuedata[i]) * VCLK * colorth; + +-- +2.25.1 + diff --git a/queue-5.4/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch b/queue-5.4/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch new file mode 100644 index 00000000000..3ce0bd69df1 --- /dev/null +++ b/queue-5.4/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch @@ -0,0 +1,87 @@ +From 96e6970275651af69c297b390da5e944a8fb132c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:02:27 +0100 +Subject: video: fbdev: vga16fb: fix setting of pixclock because a + pass-by-value error + +From: Colin Ian King + +[ Upstream commit c72fab81ceaa54408b827a2f0486d9a0f4be34cf ] + +The pixclock is being set locally because it is being passed as a +pass-by-value argument rather than pass-by-reference, so the computed +pixclock is never being set in var->pixclock. Fix this by passing +by reference. + +[This dates back to 2002, I found the offending commit from the git +history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git ] + +Addresses-Coverity: ("Unused value") +Signed-off-by: Colin Ian King +Cc: Daniel Vetter +Cc: Jani Nikula +[b.zolnierkie: minor patch summary fixup] +[b.zolnierkie: removed "Fixes:" tag (not in upstream tree)] +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200723170227.996229-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/vga16fb.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c +index 4b83109202b1c..3c4d20618de4c 100644 +--- a/drivers/video/fbdev/vga16fb.c ++++ b/drivers/video/fbdev/vga16fb.c +@@ -243,7 +243,7 @@ static void vga16fb_update_fix(struct fb_info *info) + } + + static void vga16fb_clock_chip(struct vga16fb_par *par, +- unsigned int pixclock, ++ unsigned int *pixclock, + const struct fb_info *info, + int mul, int div) + { +@@ -259,14 +259,14 @@ static void vga16fb_clock_chip(struct vga16fb_par *par, + { 0 /* bad */, 0x00, 0x00}}; + int err; + +- pixclock = (pixclock * mul) / div; ++ *pixclock = (*pixclock * mul) / div; + best = vgaclocks; +- err = pixclock - best->pixclock; ++ err = *pixclock - best->pixclock; + if (err < 0) err = -err; + for (ptr = vgaclocks + 1; ptr->pixclock; ptr++) { + int tmp; + +- tmp = pixclock - ptr->pixclock; ++ tmp = *pixclock - ptr->pixclock; + if (tmp < 0) tmp = -tmp; + if (tmp < err) { + err = tmp; +@@ -275,7 +275,7 @@ static void vga16fb_clock_chip(struct vga16fb_par *par, + } + par->misc |= best->misc; + par->clkdiv = best->seq_clock_mode; +- pixclock = (best->pixclock * div) / mul; ++ *pixclock = (best->pixclock * div) / mul; + } + + #define FAIL(X) return -EINVAL +@@ -497,10 +497,10 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var, + + if (mode & MODE_8BPP) + /* pixel clock == vga clock / 2 */ +- vga16fb_clock_chip(par, var->pixclock, info, 1, 2); ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 2); + else + /* pixel clock == vga clock */ +- vga16fb_clock_chip(par, var->pixclock, info, 1, 1); ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 1); + + var->red.offset = var->green.offset = var->blue.offset = + var->transp.offset = 0; +-- +2.25.1 + diff --git a/queue-5.4/vmci-check-return-value-of-get_user_pages_fast-for-e.patch b/queue-5.4/vmci-check-return-value-of-get_user_pages_fast-for-e.patch new file mode 100644 index 00000000000..4020cdeb96d --- /dev/null +++ b/queue-5.4/vmci-check-return-value-of-get_user_pages_fast-for-e.patch @@ -0,0 +1,57 @@ +From 571b365b43adec8bb0e210841ef6461e9718334e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 17:45:18 +0100 +Subject: VMCI: check return value of get_user_pages_fast() for errors + +From: Alex Dewar + +[ Upstream commit 90ca6333fd65f318c47bff425e1ea36c0a5539f6 ] + +In a couple of places in qp_host_get_user_memory(), +get_user_pages_fast() is called without properly checking for errors. If +e.g. -EFAULT is returned, this negative value will then be passed on to +qp_release_pages(), which expects a u64 as input. + +Fix this by only calling qp_release_pages() when we have a positive +number returned. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Signed-off-by: Alex Dewar +Link: https://lore.kernel.org/r/20200825164522.412392-1-alex.dewar90@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c +index 8531ae7811956..c49065887e8f5 100644 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -657,8 +657,9 @@ static int qp_host_get_user_memory(u64 produce_uva, + if (retval < (int)produce_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(produce) failed (retval=%d)", + retval); +- qp_release_pages(produce_q->kernel_if->u.h.header_page, +- retval, false); ++ if (retval > 0) ++ qp_release_pages(produce_q->kernel_if->u.h.header_page, ++ retval, false); + err = VMCI_ERROR_NO_MEM; + goto out; + } +@@ -670,8 +671,9 @@ static int qp_host_get_user_memory(u64 produce_uva, + if (retval < (int)consume_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(consume) failed (retval=%d)", + retval); +- qp_release_pages(consume_q->kernel_if->u.h.header_page, +- retval, false); ++ if (retval > 0) ++ qp_release_pages(consume_q->kernel_if->u.h.header_page, ++ retval, false); + qp_release_pages(produce_q->kernel_if->u.h.header_page, + produce_q->kernel_if->num_pages, false); + err = VMCI_ERROR_NO_MEM; +-- +2.25.1 + diff --git a/queue-5.4/watchdog-fix-memleak-in-watchdog_cdev_register.patch b/queue-5.4/watchdog-fix-memleak-in-watchdog_cdev_register.patch new file mode 100644 index 00000000000..d3271b16250 --- /dev/null +++ b/queue-5.4/watchdog-fix-memleak-in-watchdog_cdev_register.patch @@ -0,0 +1,42 @@ +From c5b298e357f0aac5f8ea77704c3dbb91dcfec82e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 10:40:01 +0800 +Subject: watchdog: Fix memleak in watchdog_cdev_register + +From: Dinghao Liu + +[ Upstream commit 5afb6d203d0293512aa2c6ae098274a2a4f6ed02 ] + +When watchdog_kworker is NULL, we should free wd_data +before the function returns to prevent memleak. + +Fixes: 664a39236e718 ("watchdog: Introduce hardware maximum heartbeat in watchdog core") +Signed-off-by: Dinghao Liu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200824024001.25474-1-dinghao.liu@zju.edu.cn +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index 3729f99fd8eca..694357f2816b3 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -971,8 +971,10 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + wd_data->wdd = wdd; + wdd->wd_data = wd_data; + +- if (IS_ERR_OR_NULL(watchdog_kworker)) ++ if (IS_ERR_OR_NULL(watchdog_kworker)) { ++ kfree(wd_data); + return -ENODEV; ++ } + + device_initialize(&wd_data->dev); + wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id); +-- +2.25.1 + diff --git a/queue-5.4/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch b/queue-5.4/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch new file mode 100644 index 00000000000..6540795deae --- /dev/null +++ b/queue-5.4/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch @@ -0,0 +1,39 @@ +From b67978acde52b366e4606433b3d19cca23ff0907 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 09:31:08 -0700 +Subject: watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 + +From: Guenter Roeck + +[ Upstream commit 08c619b4923056b5dd2d5045757468c76ad0e3fe ] + +EFCH_PM_DECODEEN3 is supposed to access DECODEEN register bits 24..31, +in other words the register at byte offset 3. + +Cc: Jan Kiszka +Fixes: 887d2ec51e34b ("watchdog: sp5100_tco: Add support for recent FCH versions") +Tested-by: Jan Kiszka +Link: https://lore.kernel.org/r/20200910163109.235136-1-linux@roeck-us.net +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/sp5100_tco.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/sp5100_tco.h b/drivers/watchdog/sp5100_tco.h +index 87eaf357ae01f..adf015aa4126f 100644 +--- a/drivers/watchdog/sp5100_tco.h ++++ b/drivers/watchdog/sp5100_tco.h +@@ -70,7 +70,7 @@ + #define EFCH_PM_DECODEEN_WDT_TMREN BIT(7) + + +-#define EFCH_PM_DECODEEN3 0x00 ++#define EFCH_PM_DECODEEN3 0x03 + #define EFCH_PM_DECODEEN_SECOND_RES GENMASK(1, 0) + #define EFCH_PM_WATCHDOG_DISABLE ((u8)GENMASK(3, 2)) + +-- +2.25.1 + diff --git a/queue-5.4/watchdog-use-put_device-on-error.patch b/queue-5.4/watchdog-use-put_device-on-error.patch new file mode 100644 index 00000000000..c70feb0ea0d --- /dev/null +++ b/queue-5.4/watchdog-use-put_device-on-error.patch @@ -0,0 +1,39 @@ +From 1d5a4ef5f53b988d84cc8e205f9630706f8bc51d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 11:12:30 +0800 +Subject: watchdog: Use put_device on error + +From: Dinghao Liu + +[ Upstream commit 937425d4cd3ae4e2882b41e332bbbab616bcf0ad ] + +We should use put_device() instead of freeing device +directly after device_initialize(). + +Fixes: cb36e29bb0e4b ("watchdog: initialize device before misc_register") +Signed-off-by: Dinghao Liu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200824031230.31050-1-dinghao.liu@zju.edu.cn +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index 694357f2816b3..8494846ccdc5f 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -1000,7 +1000,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + pr_err("%s: a legacy watchdog module is probably present.\n", + wdd->info->identity); + old_wd_data = NULL; +- kfree(wd_data); ++ put_device(&wd_data->dev); + return err; + } + } +-- +2.25.1 + diff --git a/queue-5.4/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch b/queue-5.4/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch new file mode 100644 index 00000000000..c5e8d87b966 --- /dev/null +++ b/queue-5.4/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch @@ -0,0 +1,41 @@ +From 7d52a94f4dad8d4c5060bbdc5815c4fbf97df73c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 01:48:24 +0100 +Subject: wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 + +From: Bryan O'Donoghue + +[ Upstream commit 3b9fb6791e7113679b1eb472e6ce1659e80f5797 ] + +Qualcomm's document "80-WL007-1 Rev. J" states that the highest rx rate for +the WCN3660 and WCN3680 on MCS 7 is 150 Mbps not the 72 Mbps stated here. + +This patch fixes the data-rate declared in the 5GHz table. + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 +hardware") + +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802004824.1307124-1-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index ad051f34e65b2..46ae4ec4ad47d 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -163,7 +163,7 @@ static struct ieee80211_supported_band wcn_band_5ghz = { + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16, + .mcs = { + .rx_mask = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, }, +- .rx_highest = cpu_to_le16(72), ++ .rx_highest = cpu_to_le16(150), + .tx_params = IEEE80211_HT_MCS_TX_DEFINED, + } + } +-- +2.25.1 + diff --git a/queue-5.4/x86-asm-replace-__force_order-with-a-memory-clobber.patch b/queue-5.4/x86-asm-replace-__force_order-with-a-memory-clobber.patch new file mode 100644 index 00000000000..4d295132ae2 --- /dev/null +++ b/queue-5.4/x86-asm-replace-__force_order-with-a-memory-clobber.patch @@ -0,0 +1,177 @@ +From 61bf9ed1739f9774e2d9ded482d4196a44d49447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:21:52 -0400 +Subject: x86/asm: Replace __force_order with a memory clobber + +From: Arvind Sankar + +[ Upstream commit aa5cacdc29d76a005cbbee018a47faa6e724dd2d ] + +The CRn accessor functions use __force_order as a dummy operand to +prevent the compiler from reordering CRn reads/writes with respect to +each other. + +The fact that the asm is volatile should be enough to prevent this: +volatile asm statements should be executed in program order. However GCC +4.9.x and 5.x have a bug that might result in reordering. This was fixed +in 8.1, 7.3 and 6.5. Versions prior to these, including 5.x and 4.9.x, +may reorder volatile asm statements with respect to each other. + +There are some issues with __force_order as implemented: +- It is used only as an input operand for the write functions, and hence + doesn't do anything additional to prevent reordering writes. +- It allows memory accesses to be cached/reordered across write + functions, but CRn writes affect the semantics of memory accesses, so + this could be dangerous. +- __force_order is not actually defined in the kernel proper, but the + LLVM toolchain can in some cases require a definition: LLVM (as well + as GCC 4.9) requires it for PIE code, which is why the compressed + kernel has a definition, but also the clang integrated assembler may + consider the address of __force_order to be significant, resulting in + a reference that requires a definition. + +Fix this by: +- Using a memory clobber for the write functions to additionally prevent + caching/reordering memory accesses across CRn writes. +- Using a dummy input operand with an arbitrary constant address for the + read functions, instead of a global variable. This will prevent reads + from being reordered across writes, while allowing memory loads to be + cached/reordered across CRn reads, which should be safe. + +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Reviewed-by: Kees Cook +Reviewed-by: Miguel Ojeda +Tested-by: Nathan Chancellor +Tested-by: Sedat Dilek +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82602 +Link: https://lore.kernel.org/lkml/20200527135329.1172644-1-arnd@arndb.de/ +Link: https://lkml.kernel.org/r/20200902232152.3709896-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/pgtable_64.c | 9 --------- + arch/x86/include/asm/special_insns.h | 28 ++++++++++++++------------- + arch/x86/kernel/cpu/common.c | 4 ++-- + 3 files changed, 17 insertions(+), 24 deletions(-) + +diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c +index c8862696a47b9..7d0394f4ebf97 100644 +--- a/arch/x86/boot/compressed/pgtable_64.c ++++ b/arch/x86/boot/compressed/pgtable_64.c +@@ -5,15 +5,6 @@ + #include "pgtable.h" + #include "../string.h" + +-/* +- * __force_order is used by special_insns.h asm code to force instruction +- * serialization. +- * +- * It is not referenced from the code, but GCC < 5 with -fPIE would fail +- * due to an undefined symbol. Define it to make these ancient GCCs work. +- */ +-unsigned long __force_order; +- + #define BIOS_START_MIN 0x20000U /* 128K, less than this is insane */ + #define BIOS_START_MAX 0x9f000U /* 640K, absolute maximum */ + +diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h +index 6d37b8fcfc778..2e0cdc64cb50d 100644 +--- a/arch/x86/include/asm/special_insns.h ++++ b/arch/x86/include/asm/special_insns.h +@@ -10,45 +10,47 @@ + #include + + /* +- * Volatile isn't enough to prevent the compiler from reordering the +- * read/write functions for the control registers and messing everything up. +- * A memory clobber would solve the problem, but would prevent reordering of +- * all loads stores around it, which can hurt performance. Solution is to +- * use a variable and mimic reads and writes to it to enforce serialization ++ * The compiler should not reorder volatile asm statements with respect to each ++ * other: they should execute in program order. However GCC 4.9.x and 5.x have ++ * a bug (which was fixed in 8.1, 7.3 and 6.5) where they might reorder ++ * volatile asm. The write functions are not affected since they have memory ++ * clobbers preventing reordering. To prevent reads from being reordered with ++ * respect to writes, use a dummy memory operand. + */ +-extern unsigned long __force_order; ++ ++#define __FORCE_ORDER "m"(*(unsigned int *)0x1000UL) + + void native_write_cr0(unsigned long val); + + static inline unsigned long native_read_cr0(void) + { + unsigned long val; +- asm volatile("mov %%cr0,%0\n\t" : "=r" (val), "=m" (__force_order)); ++ asm volatile("mov %%cr0,%0\n\t" : "=r" (val) : __FORCE_ORDER); + return val; + } + + static inline unsigned long native_read_cr2(void) + { + unsigned long val; +- asm volatile("mov %%cr2,%0\n\t" : "=r" (val), "=m" (__force_order)); ++ asm volatile("mov %%cr2,%0\n\t" : "=r" (val) : __FORCE_ORDER); + return val; + } + + static inline void native_write_cr2(unsigned long val) + { +- asm volatile("mov %0,%%cr2": : "r" (val), "m" (__force_order)); ++ asm volatile("mov %0,%%cr2": : "r" (val) : "memory"); + } + + static inline unsigned long __native_read_cr3(void) + { + unsigned long val; +- asm volatile("mov %%cr3,%0\n\t" : "=r" (val), "=m" (__force_order)); ++ asm volatile("mov %%cr3,%0\n\t" : "=r" (val) : __FORCE_ORDER); + return val; + } + + static inline void native_write_cr3(unsigned long val) + { +- asm volatile("mov %0,%%cr3": : "r" (val), "m" (__force_order)); ++ asm volatile("mov %0,%%cr3": : "r" (val) : "memory"); + } + + static inline unsigned long native_read_cr4(void) +@@ -63,10 +65,10 @@ static inline unsigned long native_read_cr4(void) + asm volatile("1: mov %%cr4, %0\n" + "2:\n" + _ASM_EXTABLE(1b, 2b) +- : "=r" (val), "=m" (__force_order) : "0" (0)); ++ : "=r" (val) : "0" (0), __FORCE_ORDER); + #else + /* CR4 always exists on x86_64. */ +- asm volatile("mov %%cr4,%0\n\t" : "=r" (val), "=m" (__force_order)); ++ asm volatile("mov %%cr4,%0\n\t" : "=r" (val) : __FORCE_ORDER); + #endif + return val; + } +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 9b3f25e146087..8a85c2e144a6f 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -377,7 +377,7 @@ void native_write_cr0(unsigned long val) + unsigned long bits_missing = 0; + + set_register: +- asm volatile("mov %0,%%cr0": "+r" (val), "+m" (__force_order)); ++ asm volatile("mov %0,%%cr0": "+r" (val) : : "memory"); + + if (static_branch_likely(&cr_pinning)) { + if (unlikely((val & X86_CR0_WP) != X86_CR0_WP)) { +@@ -396,7 +396,7 @@ void native_write_cr4(unsigned long val) + unsigned long bits_changed = 0; + + set_register: +- asm volatile("mov %0,%%cr4": "+r" (val), "+m" (cr4_pinned_bits)); ++ asm volatile("mov %0,%%cr4": "+r" (val) : : "memory"); + + if (static_branch_likely(&cr_pinning)) { + if (unlikely((val & cr4_pinned_mask) != cr4_pinned_bits)) { +-- +2.25.1 + diff --git a/queue-5.4/x86-events-amd-iommu-fix-sizeof-mismatch.patch b/queue-5.4/x86-events-amd-iommu-fix-sizeof-mismatch.patch new file mode 100644 index 00000000000..5492939b3bf --- /dev/null +++ b/queue-5.4/x86-events-amd-iommu-fix-sizeof-mismatch.patch @@ -0,0 +1,40 @@ +From 16432f693895d9b560e5845c5a77db342673da16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 12:39:00 +0100 +Subject: x86/events/amd/iommu: Fix sizeof mismatch + +From: Colin Ian King + +[ Upstream commit 59d5396a4666195f89a67e118e9e627ddd6f53a1 ] + +An incorrect sizeof is being used, struct attribute ** is not correct, +it should be struct attribute *. Note that since ** is the same size as +* this is not causing any issues. Improve this fix by using sizeof(*attrs) +as this allows us to not even reference the type of the pointer. + +Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") +Fixes: 51686546304f ("x86/events/amd/iommu: Fix sysfs perf attribute groups") +Signed-off-by: Colin Ian King +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20201001113900.58889-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/amd/iommu.c b/arch/x86/events/amd/iommu.c +index fb616203ce427..be50ef8572cce 100644 +--- a/arch/x86/events/amd/iommu.c ++++ b/arch/x86/events/amd/iommu.c +@@ -379,7 +379,7 @@ static __init int _init_events_attrs(void) + while (amd_iommu_v2_event_descs[i].attr.attr.name) + i++; + +- attrs = kcalloc(i + 1, sizeof(struct attribute **), GFP_KERNEL); ++ attrs = kcalloc(i + 1, sizeof(*attrs), GFP_KERNEL); + if (!attrs) + return -ENOMEM; + +-- +2.25.1 + diff --git a/queue-5.4/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch b/queue-5.4/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch new file mode 100644 index 00000000000..3b097c71f2f --- /dev/null +++ b/queue-5.4/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch @@ -0,0 +1,102 @@ +From ffa20b99eacac8c248d1ea4082d96b01b6be701b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 17:39:19 -0400 +Subject: x86/fpu: Allow multiple bits in clearcpuid= parameter + +From: Arvind Sankar + +[ Upstream commit 0a4bb5e5507a585532cc413125b921c8546fc39f ] + +Commit + + 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument") + +changed clearcpuid parsing from __setup() to cmdline_find_option(). +While the __setup() function would have been called for each clearcpuid= +parameter on the command line, cmdline_find_option() will only return +the last one, so the change effectively made it impossible to disable +more than one bit. + +Allow a comma-separated list of bit numbers as the argument for +clearcpuid to allow multiple bits to be disabled again. Log the bits +being disabled for informational purposes. + +Also fix the check on the return value of cmdline_find_option(). It +returns -1 when the option is not found, so testing as a boolean is +incorrect. + +Fixes: 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument") +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200907213919.2423441-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 2 +- + arch/x86/kernel/fpu/init.c | 30 ++++++++++++++----- + 2 files changed, 23 insertions(+), 9 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index 13984b6cc3225..988a0d2535b25 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -567,7 +567,7 @@ + loops can be debugged more effectively on production + systems. + +- clearcpuid=BITNUM [X86] ++ clearcpuid=BITNUM[,BITNUM...] [X86] + Disable CPUID feature X for the kernel. See + arch/x86/include/asm/cpufeatures.h for the valid bit + numbers. Note the Linux specific bits are not necessarily +diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c +index 6ce7e0a23268f..b271da0fa2193 100644 +--- a/arch/x86/kernel/fpu/init.c ++++ b/arch/x86/kernel/fpu/init.c +@@ -242,9 +242,9 @@ static void __init fpu__init_system_ctx_switch(void) + */ + static void __init fpu__init_parse_early_param(void) + { +- char arg[32]; ++ char arg[128]; + char *argptr = arg; +- int bit; ++ int arglen, res, bit; + + #ifdef CONFIG_X86_32 + if (cmdline_find_option_bool(boot_command_line, "no387")) +@@ -267,12 +267,26 @@ static void __init fpu__init_parse_early_param(void) + if (cmdline_find_option_bool(boot_command_line, "noxsaves")) + setup_clear_cpu_cap(X86_FEATURE_XSAVES); + +- if (cmdline_find_option(boot_command_line, "clearcpuid", arg, +- sizeof(arg)) && +- get_option(&argptr, &bit) && +- bit >= 0 && +- bit < NCAPINTS * 32) +- setup_clear_cpu_cap(bit); ++ arglen = cmdline_find_option(boot_command_line, "clearcpuid", arg, sizeof(arg)); ++ if (arglen <= 0) ++ return; ++ ++ pr_info("Clearing CPUID bits:"); ++ do { ++ res = get_option(&argptr, &bit); ++ if (res == 0 || res == 3) ++ break; ++ ++ /* If the argument was too long, the last bit may be cut off */ ++ if (res == 1 && arglen >= sizeof(arg)) ++ break; ++ ++ if (bit >= 0 && bit < NCAPINTS * 32) { ++ pr_cont(" " X86_CAP_FMT, x86_cap_flag(bit)); ++ setup_clear_cpu_cap(bit); ++ } ++ } while (res == 2); ++ pr_cont("\n"); + } + + /* +-- +2.25.1 + diff --git a/queue-5.4/x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch b/queue-5.4/x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch new file mode 100644 index 00000000000..7479de532ca --- /dev/null +++ b/queue-5.4/x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch @@ -0,0 +1,108 @@ +From 9bb7a592a1d5e5cc89d0a702d4c0e8b024ff8921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 19:13:12 -0700 +Subject: x86/mce: Add Skylake quirk for patrol scrub reported errors + +From: Borislav Petkov + +[ Upstream commit fd258dc4442c5c1c069c6b5b42bfe7d10cddda95 ] + +The patrol scrubber in Skylake and Cascade Lake systems can be configured +to report uncorrected errors using a special signature in the machine +check bank and to signal using CMCI instead of machine check. + +Update the severity calculation mechanism to allow specifying the model, +minimum stepping and range of machine check bank numbers. + +Add a new rule to detect the special signature (on model 0x55, stepping +>=4 in any of the memory controller banks). + + [ bp: Rewrite it. + aegl: Productize it. ] + +Suggested-by: Youquan Song +Signed-off-by: Borislav Petkov +Co-developed-by: Tony Luck +Signed-off-by: Tony Luck +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200930021313.31810-2-tony.luck@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/severity.c | 28 ++++++++++++++++++++++++++-- + 1 file changed, 26 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c +index 87bcdc6dc2f0c..0d09eb13743b4 100644 +--- a/arch/x86/kernel/cpu/mce/severity.c ++++ b/arch/x86/kernel/cpu/mce/severity.c +@@ -9,9 +9,11 @@ + #include + #include + #include +-#include + #include + ++#include ++#include ++ + #include "internal.h" + + /* +@@ -40,9 +42,14 @@ static struct severity { + unsigned char context; + unsigned char excp; + unsigned char covered; ++ unsigned char cpu_model; ++ unsigned char cpu_minstepping; ++ unsigned char bank_lo, bank_hi; + char *msg; + } severities[] = { + #define MCESEV(s, m, c...) { .sev = MCE_ ## s ## _SEVERITY, .msg = m, ## c } ++#define BANK_RANGE(l, h) .bank_lo = l, .bank_hi = h ++#define MODEL_STEPPING(m, s) .cpu_model = m, .cpu_minstepping = s + #define KERNEL .context = IN_KERNEL + #define USER .context = IN_USER + #define KERNEL_RECOV .context = IN_KERNEL_RECOV +@@ -97,7 +104,6 @@ static struct severity { + KEEP, "Corrected error", + NOSER, BITCLR(MCI_STATUS_UC) + ), +- + /* + * known AO MCACODs reported via MCE or CMC: + * +@@ -113,6 +119,18 @@ static struct severity { + AO, "Action optional: last level cache writeback error", + SER, MASK(MCI_UC_AR|MCACOD, MCI_STATUS_UC|MCACOD_L3WB) + ), ++ /* ++ * Quirk for Skylake/Cascade Lake. Patrol scrubber may be configured ++ * to report uncorrected errors using CMCI with a special signature. ++ * UC=0, MSCOD=0x0010, MCACOD=binary(000X 0000 1100 XXXX) reported ++ * in one of the memory controller banks. ++ * Set severity to "AO" for same action as normal patrol scrub error. ++ */ ++ MCESEV( ++ AO, "Uncorrected Patrol Scrub Error", ++ SER, MASK(MCI_STATUS_UC|MCI_ADDR|0xffffeff0, MCI_ADDR|0x001000c0), ++ MODEL_STEPPING(INTEL_FAM6_SKYLAKE_X, 4), BANK_RANGE(13, 18) ++ ), + + /* ignore OVER for UCNA */ + MCESEV( +@@ -320,6 +338,12 @@ static int mce_severity_intel(struct mce *m, int tolerant, char **msg, bool is_e + continue; + if (s->excp && excp != s->excp) + continue; ++ if (s->cpu_model && boot_cpu_data.x86_model != s->cpu_model) ++ continue; ++ if (s->cpu_minstepping && boot_cpu_data.x86_stepping < s->cpu_minstepping) ++ continue; ++ if (s->bank_lo && (m->bank < s->bank_lo || m->bank > s->bank_hi)) ++ continue; + if (msg) + *msg = s->msg; + s->covered = 1; +-- +2.25.1 + diff --git a/queue-5.4/x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch b/queue-5.4/x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch new file mode 100644 index 00000000000..b76db613749 --- /dev/null +++ b/queue-5.4/x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch @@ -0,0 +1,178 @@ +From 600f1137dcb7d8288e88ca003b9c04a838e879e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 23:02:52 +0200 +Subject: x86/mce: Make mce_rdmsrl() panic on an inaccessible MSR + +From: Borislav Petkov + +[ Upstream commit e2def7d49d0812ea40a224161b2001b2e815dce2 ] + +If an exception needs to be handled while reading an MSR - which is in +most of the cases caused by a #GP on a non-existent MSR - then this +is most likely the incarnation of a BIOS or a hardware bug. Such bug +violates the architectural guarantee that MCA banks are present with all +MSRs belonging to them. + +The proper fix belongs in the hardware/firmware - not in the kernel. + +Handling an #MC exception which is raised while an NMI is being handled +would cause the nasty NMI nesting issue because of the shortcoming of +IRET of reenabling NMIs when executed. And the machine is in an #MC +context already so be at its side. + +Tracing MSR accesses while in #MC is another no-no due to tracing being +inherently a bad idea in atomic context: + + vmlinux.o: warning: objtool: do_machine_check()+0x4a: call to mce_rdmsrl() leaves .noinstr.text section + +so remove all that "additional" functionality from mce_rdmsrl() and +provide it with a special exception handler which panics the machine +when that MSR is not accessible. + +The exception handler prints a human-readable message explaining what +the panic reason is but, what is more, it panics while in the #GP +handler and latter won't have executed an IRET, thus opening the NMI +nesting issue in the case when the #MC has happened while handling +an NMI. (#MC itself won't be reenabled until MCG_STATUS hasn't been +cleared). + +Suggested-by: Andy Lutomirski +Suggested-by: Peter Zijlstra +[ Add missing prototypes for ex_handler_* ] +Reported-by: kernel test robot +Signed-off-by: Borislav Petkov +Reviewed-by: Tony Luck +Link: https://lkml.kernel.org/r/20200906212130.GA28456@zn.tnic +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 72 +++++++++++++++++++++++++----- + arch/x86/kernel/cpu/mce/internal.h | 10 +++++ + 2 files changed, 70 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index fd76e3733dd3d..92331de16d70e 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -388,10 +388,28 @@ static int msr_to_offset(u32 msr) + return -1; + } + ++__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, ++ struct pt_regs *regs, int trapnr, ++ unsigned long error_code, ++ unsigned long fault_addr) ++{ ++ pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n", ++ (unsigned int)regs->cx, regs->ip, (void *)regs->ip); ++ ++ show_stack_regs(regs); ++ ++ panic("MCA architectural violation!\n"); ++ ++ while (true) ++ cpu_relax(); ++ ++ return true; ++} ++ + /* MSR access wrappers used for error injection */ + static u64 mce_rdmsrl(u32 msr) + { +- u64 v; ++ DECLARE_ARGS(val, low, high); + + if (__this_cpu_read(injectm.finished)) { + int offset = msr_to_offset(msr); +@@ -401,21 +419,43 @@ static u64 mce_rdmsrl(u32 msr) + return *(u64 *)((char *)this_cpu_ptr(&injectm) + offset); + } + +- if (rdmsrl_safe(msr, &v)) { +- WARN_ONCE(1, "mce: Unable to read MSR 0x%x!\n", msr); +- /* +- * Return zero in case the access faulted. This should +- * not happen normally but can happen if the CPU does +- * something weird, or if the code is buggy. +- */ +- v = 0; +- } ++ /* ++ * RDMSR on MCA MSRs should not fault. If they do, this is very much an ++ * architectural violation and needs to be reported to hw vendor. Panic ++ * the box to not allow any further progress. ++ */ ++ asm volatile("1: rdmsr\n" ++ "2:\n" ++ _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_rdmsr_fault) ++ : EAX_EDX_RET(val, low, high) : "c" (msr)); + +- return v; ++ ++ return EAX_EDX_VAL(val, low, high); ++} ++ ++__visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup, ++ struct pt_regs *regs, int trapnr, ++ unsigned long error_code, ++ unsigned long fault_addr) ++{ ++ pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n", ++ (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax, ++ regs->ip, (void *)regs->ip); ++ ++ show_stack_regs(regs); ++ ++ panic("MCA architectural violation!\n"); ++ ++ while (true) ++ cpu_relax(); ++ ++ return true; + } + + static void mce_wrmsrl(u32 msr, u64 v) + { ++ u32 low, high; ++ + if (__this_cpu_read(injectm.finished)) { + int offset = msr_to_offset(msr); + +@@ -423,7 +463,15 @@ static void mce_wrmsrl(u32 msr, u64 v) + *(u64 *)((char *)this_cpu_ptr(&injectm) + offset) = v; + return; + } +- wrmsrl(msr, v); ++ ++ low = (u32)v; ++ high = (u32)(v >> 32); ++ ++ /* See comment in mce_rdmsrl() */ ++ asm volatile("1: wrmsr\n" ++ "2:\n" ++ _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_wrmsr_fault) ++ : : "c" (msr), "a"(low), "d" (high) : "memory"); + } + + /* +diff --git a/arch/x86/kernel/cpu/mce/internal.h b/arch/x86/kernel/cpu/mce/internal.h +index 43031db429d24..231954fe5b4e6 100644 +--- a/arch/x86/kernel/cpu/mce/internal.h ++++ b/arch/x86/kernel/cpu/mce/internal.h +@@ -172,4 +172,14 @@ extern bool amd_filter_mce(struct mce *m); + static inline bool amd_filter_mce(struct mce *m) { return false; }; + #endif + ++__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, ++ struct pt_regs *regs, int trapnr, ++ unsigned long error_code, ++ unsigned long fault_addr); ++ ++__visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup, ++ struct pt_regs *regs, int trapnr, ++ unsigned long error_code, ++ unsigned long fault_addr); ++ + #endif /* __X86_MCE_INTERNAL_H__ */ +-- +2.25.1 + diff --git a/queue-5.4/x86-nmi-fix-nmi_handle-duration-miscalculation.patch b/queue-5.4/x86-nmi-fix-nmi_handle-duration-miscalculation.patch new file mode 100644 index 00000000000..3320b3f4d77 --- /dev/null +++ b/queue-5.4/x86-nmi-fix-nmi_handle-duration-miscalculation.patch @@ -0,0 +1,57 @@ +From f3b4636e3c87bdc33868cfa28d3bc7d77844658f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 10:56:41 +0800 +Subject: x86/nmi: Fix nmi_handle() duration miscalculation + +From: Libing Zhou + +[ Upstream commit f94c91f7ba3ba7de2bc8aa31be28e1abb22f849e ] + +When nmi_check_duration() is checking the time an NMI handler took to +execute, the whole_msecs value used should be read from the @duration +argument, not from the ->max_duration, the latter being used to store +the current maximal duration. + + [ bp: Rewrite commit message. ] + +Fixes: 248ed51048c4 ("x86/nmi: Remove irq_work from the long duration NMI handler") +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Libing Zhou +Signed-off-by: Borislav Petkov +Cc: Changbin Du +Link: https://lkml.kernel.org/r/20200820025641.44075-1-libing.zhou@nokia-sbell.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/nmi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c +index 54c21d6abd5ac..5bb001c0c771a 100644 +--- a/arch/x86/kernel/nmi.c ++++ b/arch/x86/kernel/nmi.c +@@ -106,7 +106,6 @@ fs_initcall(nmi_warning_debugfs); + + static void nmi_check_duration(struct nmiaction *action, u64 duration) + { +- u64 whole_msecs = READ_ONCE(action->max_duration); + int remainder_ns, decimal_msecs; + + if (duration < nmi_longest_ns || duration < action->max_duration) +@@ -114,12 +113,12 @@ static void nmi_check_duration(struct nmiaction *action, u64 duration) + + action->max_duration = duration; + +- remainder_ns = do_div(whole_msecs, (1000 * 1000)); ++ remainder_ns = do_div(duration, (1000 * 1000)); + decimal_msecs = remainder_ns / 1000; + + printk_ratelimited(KERN_INFO + "INFO: NMI handler (%ps) took too long to run: %lld.%03d msecs\n", +- action->handler, whole_msecs, decimal_msecs); ++ action->handler, duration, decimal_msecs); + } + + static int nmi_handle(unsigned int type, struct pt_regs *regs) +-- +2.25.1 + diff --git a/queue-5.4/xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch b/queue-5.4/xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch new file mode 100644 index 00000000000..4eaf7747c5f --- /dev/null +++ b/queue-5.4/xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch @@ -0,0 +1,341 @@ +From 7929943db0f0ee5d8b5e81d4ea944ed9147baa68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 10:56:07 -0700 +Subject: xfs: fix deadlock and streamline xfs_getfsmap performance + +From: Darrick J. Wong + +[ Upstream commit 8ffa90e1145c70c7ac47f14b59583b2296d89e72 ] + +Refactor xfs_getfsmap to improve its performance: instead of indirectly +calling a function that copies one record to userspace at a time, create +a shadow buffer in the kernel and copy the whole array once at the end. +On the author's computer, this reduces the runtime on his /home by ~20%. + +This also eliminates a deadlock when running GETFSMAP against the +realtime device. The current code locks the rtbitmap to create +fsmappings and copies them into userspace, having not released the +rtbitmap lock. If the userspace buffer is an mmap of a sparse file that +itself resides on the realtime device, the write page fault will recurse +into the fs for allocation, which will deadlock on the rtbitmap lock. + +Fixes: 4c934c7dd60c ("xfs: report realtime space information via the rtbitmap") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_fsmap.c | 45 +++++++------- + fs/xfs/xfs_fsmap.h | 6 +- + fs/xfs/xfs_ioctl.c | 144 ++++++++++++++++++++++++++++++--------------- + 3 files changed, 124 insertions(+), 71 deletions(-) + +diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c +index 5b864985bc648..01c0933a4d10d 100644 +--- a/fs/xfs/xfs_fsmap.c ++++ b/fs/xfs/xfs_fsmap.c +@@ -26,7 +26,7 @@ + #include "xfs_rtalloc.h" + + /* Convert an xfs_fsmap to an fsmap. */ +-void ++static void + xfs_fsmap_from_internal( + struct fsmap *dest, + struct xfs_fsmap *src) +@@ -154,8 +154,7 @@ xfs_fsmap_owner_from_rmap( + /* getfsmap query state */ + struct xfs_getfsmap_info { + struct xfs_fsmap_head *head; +- xfs_fsmap_format_t formatter; /* formatting fn */ +- void *format_arg; /* format buffer */ ++ struct fsmap *fsmap_recs; /* mapping records */ + struct xfs_buf *agf_bp; /* AGF, for refcount queries */ + xfs_daddr_t next_daddr; /* next daddr we expect */ + u64 missing_owner; /* owner of holes */ +@@ -223,6 +222,20 @@ xfs_getfsmap_is_shared( + return 0; + } + ++static inline void ++xfs_getfsmap_format( ++ struct xfs_mount *mp, ++ struct xfs_fsmap *xfm, ++ struct xfs_getfsmap_info *info) ++{ ++ struct fsmap *rec; ++ ++ trace_xfs_getfsmap_mapping(mp, xfm); ++ ++ rec = &info->fsmap_recs[info->head->fmh_entries++]; ++ xfs_fsmap_from_internal(rec, xfm); ++} ++ + /* + * Format a reverse mapping for getfsmap, having translated rm_startblock + * into the appropriate daddr units. +@@ -287,10 +300,7 @@ xfs_getfsmap_helper( + fmr.fmr_offset = 0; + fmr.fmr_length = rec_daddr - info->next_daddr; + fmr.fmr_flags = FMR_OF_SPECIAL_OWNER; +- error = info->formatter(&fmr, info->format_arg); +- if (error) +- return error; +- info->head->fmh_entries++; ++ xfs_getfsmap_format(mp, &fmr, info); + } + + if (info->last) +@@ -322,11 +332,8 @@ xfs_getfsmap_helper( + if (shared) + fmr.fmr_flags |= FMR_OF_SHARED; + } +- error = info->formatter(&fmr, info->format_arg); +- if (error) +- return error; +- info->head->fmh_entries++; + ++ xfs_getfsmap_format(mp, &fmr, info); + out: + rec_daddr += XFS_FSB_TO_BB(mp, rec->rm_blockcount); + if (info->next_daddr < rec_daddr) +@@ -794,11 +801,11 @@ xfs_getfsmap_check_keys( + #endif /* CONFIG_XFS_RT */ + + /* +- * Get filesystem's extents as described in head, and format for +- * output. Calls formatter to fill the user's buffer until all +- * extents are mapped, until the passed-in head->fmh_count slots have +- * been filled, or until the formatter short-circuits the loop, if it +- * is tracking filled-in extents on its own. ++ * Get filesystem's extents as described in head, and format for output. Fills ++ * in the supplied records array until there are no more reverse mappings to ++ * return or head.fmh_entries == head.fmh_count. In the second case, this ++ * function returns -ECANCELED to indicate that more records would have been ++ * returned. + * + * Key to Confusion + * ---------------- +@@ -818,8 +825,7 @@ int + xfs_getfsmap( + struct xfs_mount *mp, + struct xfs_fsmap_head *head, +- xfs_fsmap_format_t formatter, +- void *arg) ++ struct fsmap *fsmap_recs) + { + struct xfs_trans *tp = NULL; + struct xfs_fsmap dkeys[2]; /* per-dev keys */ +@@ -894,8 +900,7 @@ xfs_getfsmap( + + info.next_daddr = head->fmh_keys[0].fmr_physical + + head->fmh_keys[0].fmr_length; +- info.formatter = formatter; +- info.format_arg = arg; ++ info.fsmap_recs = fsmap_recs; + info.head = head; + + /* +diff --git a/fs/xfs/xfs_fsmap.h b/fs/xfs/xfs_fsmap.h +index c6c57739b8626..a0775788e7b13 100644 +--- a/fs/xfs/xfs_fsmap.h ++++ b/fs/xfs/xfs_fsmap.h +@@ -27,13 +27,9 @@ struct xfs_fsmap_head { + struct xfs_fsmap fmh_keys[2]; /* low and high keys */ + }; + +-void xfs_fsmap_from_internal(struct fsmap *dest, struct xfs_fsmap *src); + void xfs_fsmap_to_internal(struct xfs_fsmap *dest, struct fsmap *src); + +-/* fsmap to userspace formatter - copy to user & advance pointer */ +-typedef int (*xfs_fsmap_format_t)(struct xfs_fsmap *, void *); +- + int xfs_getfsmap(struct xfs_mount *mp, struct xfs_fsmap_head *head, +- xfs_fsmap_format_t formatter, void *arg); ++ struct fsmap *out_recs); + + #endif /* __XFS_FSMAP_H__ */ +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index 60c4526312771..bf0435dbec436 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -1832,39 +1832,17 @@ xfs_ioc_getbmap( + return error; + } + +-struct getfsmap_info { +- struct xfs_mount *mp; +- struct fsmap_head __user *data; +- unsigned int idx; +- __u32 last_flags; +-}; +- +-STATIC int +-xfs_getfsmap_format(struct xfs_fsmap *xfm, void *priv) +-{ +- struct getfsmap_info *info = priv; +- struct fsmap fm; +- +- trace_xfs_getfsmap_mapping(info->mp, xfm); +- +- info->last_flags = xfm->fmr_flags; +- xfs_fsmap_from_internal(&fm, xfm); +- if (copy_to_user(&info->data->fmh_recs[info->idx++], &fm, +- sizeof(struct fsmap))) +- return -EFAULT; +- +- return 0; +-} +- + STATIC int + xfs_ioc_getfsmap( + struct xfs_inode *ip, + struct fsmap_head __user *arg) + { +- struct getfsmap_info info = { NULL }; + struct xfs_fsmap_head xhead = {0}; + struct fsmap_head head; +- bool aborted = false; ++ struct fsmap *recs; ++ unsigned int count; ++ __u32 last_flags = 0; ++ bool done = false; + int error; + + if (copy_from_user(&head, arg, sizeof(struct fsmap_head))) +@@ -1876,38 +1854,112 @@ xfs_ioc_getfsmap( + sizeof(head.fmh_keys[1].fmr_reserved))) + return -EINVAL; + ++ /* ++ * Use an internal memory buffer so that we don't have to copy fsmap ++ * data to userspace while holding locks. Start by trying to allocate ++ * up to 128k for the buffer, but fall back to a single page if needed. ++ */ ++ count = min_t(unsigned int, head.fmh_count, ++ 131072 / sizeof(struct fsmap)); ++ recs = kvzalloc(count * sizeof(struct fsmap), GFP_KERNEL); ++ if (!recs) { ++ count = min_t(unsigned int, head.fmh_count, ++ PAGE_SIZE / sizeof(struct fsmap)); ++ recs = kvzalloc(count * sizeof(struct fsmap), GFP_KERNEL); ++ if (!recs) ++ return -ENOMEM; ++ } ++ + xhead.fmh_iflags = head.fmh_iflags; +- xhead.fmh_count = head.fmh_count; + xfs_fsmap_to_internal(&xhead.fmh_keys[0], &head.fmh_keys[0]); + xfs_fsmap_to_internal(&xhead.fmh_keys[1], &head.fmh_keys[1]); + + trace_xfs_getfsmap_low_key(ip->i_mount, &xhead.fmh_keys[0]); + trace_xfs_getfsmap_high_key(ip->i_mount, &xhead.fmh_keys[1]); + +- info.mp = ip->i_mount; +- info.data = arg; +- error = xfs_getfsmap(ip->i_mount, &xhead, xfs_getfsmap_format, &info); +- if (error == -ECANCELED) { +- error = 0; +- aborted = true; +- } else if (error) +- return error; ++ head.fmh_entries = 0; ++ do { ++ struct fsmap __user *user_recs; ++ struct fsmap *last_rec; ++ ++ user_recs = &arg->fmh_recs[head.fmh_entries]; ++ xhead.fmh_entries = 0; ++ xhead.fmh_count = min_t(unsigned int, count, ++ head.fmh_count - head.fmh_entries); ++ ++ /* Run query, record how many entries we got. */ ++ error = xfs_getfsmap(ip->i_mount, &xhead, recs); ++ switch (error) { ++ case 0: ++ /* ++ * There are no more records in the result set. Copy ++ * whatever we got to userspace and break out. ++ */ ++ done = true; ++ break; ++ case -ECANCELED: ++ /* ++ * The internal memory buffer is full. Copy whatever ++ * records we got to userspace and go again if we have ++ * not yet filled the userspace buffer. ++ */ ++ error = 0; ++ break; ++ default: ++ goto out_free; ++ } ++ head.fmh_entries += xhead.fmh_entries; ++ head.fmh_oflags = xhead.fmh_oflags; + +- /* If we didn't abort, set the "last" flag in the last fmx */ +- if (!aborted && info.idx) { +- info.last_flags |= FMR_OF_LAST; +- if (copy_to_user(&info.data->fmh_recs[info.idx - 1].fmr_flags, +- &info.last_flags, sizeof(info.last_flags))) +- return -EFAULT; ++ /* ++ * If the caller wanted a record count or there aren't any ++ * new records to return, we're done. ++ */ ++ if (head.fmh_count == 0 || xhead.fmh_entries == 0) ++ break; ++ ++ /* Copy all the records we got out to userspace. */ ++ if (copy_to_user(user_recs, recs, ++ xhead.fmh_entries * sizeof(struct fsmap))) { ++ error = -EFAULT; ++ goto out_free; ++ } ++ ++ /* Remember the last record flags we copied to userspace. */ ++ last_rec = &recs[xhead.fmh_entries - 1]; ++ last_flags = last_rec->fmr_flags; ++ ++ /* Set up the low key for the next iteration. */ ++ xfs_fsmap_to_internal(&xhead.fmh_keys[0], last_rec); ++ trace_xfs_getfsmap_low_key(ip->i_mount, &xhead.fmh_keys[0]); ++ } while (!done && head.fmh_entries < head.fmh_count); ++ ++ /* ++ * If there are no more records in the query result set and we're not ++ * in counting mode, mark the last record returned with the LAST flag. ++ */ ++ if (done && head.fmh_count > 0 && head.fmh_entries > 0) { ++ struct fsmap __user *user_rec; ++ ++ last_flags |= FMR_OF_LAST; ++ user_rec = &arg->fmh_recs[head.fmh_entries - 1]; ++ ++ if (copy_to_user(&user_rec->fmr_flags, &last_flags, ++ sizeof(last_flags))) { ++ error = -EFAULT; ++ goto out_free; ++ } + } + + /* copy back header */ +- head.fmh_entries = xhead.fmh_entries; +- head.fmh_oflags = xhead.fmh_oflags; +- if (copy_to_user(arg, &head, sizeof(struct fsmap_head))) +- return -EFAULT; ++ if (copy_to_user(arg, &head, sizeof(struct fsmap_head))) { ++ error = -EFAULT; ++ goto out_free; ++ } + +- return 0; ++out_free: ++ kmem_free(recs); ++ return error; + } + + STATIC int +-- +2.25.1 + diff --git a/queue-5.4/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch b/queue-5.4/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch new file mode 100644 index 00000000000..81d1f92e848 --- /dev/null +++ b/queue-5.4/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch @@ -0,0 +1,100 @@ +From cff648f8ce7389fda85a285a12e434d5e1e3e752 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 08:46:27 -0700 +Subject: xfs: fix high key handling in the rt allocator's query_range function + +From: Darrick J. Wong + +[ Upstream commit d88850bd5516a77c6f727e8b6cefb64e0cc929c7 ] + +Fix some off-by-one errors in xfs_rtalloc_query_range. The highest key +in the realtime bitmap is always one less than the number of rt extents, +which means that the key clamp at the start of the function is wrong. +The 4th argument to xfs_rtfind_forw is the highest rt extent that we +want to probe, which means that passing 1 less than the high key is +wrong. Finally, drop the rem variable that controls the loop because we +can compare the iteration point (rtstart) against the high key directly. + +The sordid history of this function is that the original commit (fb3c3) +incorrectly passed (high_rec->ar_startblock - 1) as the 'limit' parameter +to xfs_rtfind_forw. This was wrong because the "high key" is supposed +to be the largest key for which the caller wants result rows, not the +key for the first row that could possibly be outside the range that the +caller wants to see. + +A subsequent attempt (8ad56) to strengthen the parameter checking added +incorrect clamping of the parameters to the number of rt blocks in the +system (despite the bitmap functions all taking units of rt extents) to +avoid querying ranges past the end of rt bitmap file but failed to fix +the incorrect _rtfind_forw parameter. The original _rtfind_forw +parameter error then survived the conversion of the startblock and +blockcount fields to rt extents (a0e5c), and the most recent off-by-one +fix (a3a37) thought it was patching a problem when the end of the rt +volume is not in use, but none of these fixes actually solved the +original problem that the author was confused about the "limit" argument +to xfs_rtfind_forw. + +Sadly, all four of these patches were written by this author and even +his own usage of this function and rt testing were inadequate to get +this fixed quickly. + +Original-problem: fb3c3de2f65c ("xfs: add a couple of queries to iterate free extents in the rtbitmap") +Not-fixed-by: 8ad560d2565e ("xfs: strengthen rtalloc query range checks") +Not-fixed-by: a0e5c435babd ("xfs: fix xfs_rtalloc_rec units") +Fixes: a3a374bf1889 ("xfs: fix off-by-one error in xfs_rtalloc_query_range") +Signed-off-by: Darrick J. Wong +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_rtbitmap.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/fs/xfs/libxfs/xfs_rtbitmap.c b/fs/xfs/libxfs/xfs_rtbitmap.c +index 8ea1efc97b41d..42085e70c01ac 100644 +--- a/fs/xfs/libxfs/xfs_rtbitmap.c ++++ b/fs/xfs/libxfs/xfs_rtbitmap.c +@@ -1018,7 +1018,6 @@ xfs_rtalloc_query_range( + struct xfs_mount *mp = tp->t_mountp; + xfs_rtblock_t rtstart; + xfs_rtblock_t rtend; +- xfs_rtblock_t rem; + int is_free; + int error = 0; + +@@ -1027,13 +1026,12 @@ xfs_rtalloc_query_range( + if (low_rec->ar_startext >= mp->m_sb.sb_rextents || + low_rec->ar_startext == high_rec->ar_startext) + return 0; +- if (high_rec->ar_startext > mp->m_sb.sb_rextents) +- high_rec->ar_startext = mp->m_sb.sb_rextents; ++ high_rec->ar_startext = min(high_rec->ar_startext, ++ mp->m_sb.sb_rextents - 1); + + /* Iterate the bitmap, looking for discrepancies. */ + rtstart = low_rec->ar_startext; +- rem = high_rec->ar_startext - rtstart; +- while (rem) { ++ while (rtstart <= high_rec->ar_startext) { + /* Is the first block free? */ + error = xfs_rtcheck_range(mp, tp, rtstart, 1, 1, &rtend, + &is_free); +@@ -1042,7 +1040,7 @@ xfs_rtalloc_query_range( + + /* How long does the extent go for? */ + error = xfs_rtfind_forw(mp, tp, rtstart, +- high_rec->ar_startext - 1, &rtend); ++ high_rec->ar_startext, &rtend); + if (error) + break; + +@@ -1055,7 +1053,6 @@ xfs_rtalloc_query_range( + break; + } + +- rem -= rtend - rtstart + 1; + rtstart = rtend + 1; + } + +-- +2.25.1 + diff --git a/queue-5.4/xfs-limit-entries-returned-when-counting-fsmap-recor.patch b/queue-5.4/xfs-limit-entries-returned-when-counting-fsmap-recor.patch new file mode 100644 index 00000000000..be623922c0e --- /dev/null +++ b/queue-5.4/xfs-limit-entries-returned-when-counting-fsmap-recor.patch @@ -0,0 +1,40 @@ +From c53150ed001828504edf58257d019aed5bfedaed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 10:56:07 -0700 +Subject: xfs: limit entries returned when counting fsmap records + +From: Darrick J. Wong + +[ Upstream commit acd1ac3aa22fd58803a12d26b1ab7f70232f8d8d ] + +If userspace asked fsmap to count the number of entries, we cannot +return more than UINT_MAX entries because fmh_entries is u32. +Therefore, stop counting if we hit this limit or else we will waste time +to return truncated results. + +Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_fsmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c +index c13754e119be1..5b864985bc648 100644 +--- a/fs/xfs/xfs_fsmap.c ++++ b/fs/xfs/xfs_fsmap.c +@@ -255,6 +255,9 @@ xfs_getfsmap_helper( + + /* Are we just counting mappings? */ + if (info->head->fmh_count == 0) { ++ if (info->head->fmh_entries == UINT_MAX) ++ return -ECANCELED; ++ + if (rec_daddr > info->next_daddr) + info->head->fmh_entries++; + +-- +2.25.1 + diff --git a/queue-5.4/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch b/queue-5.4/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch new file mode 100644 index 00000000000..9bccba9108d --- /dev/null +++ b/queue-5.4/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch @@ -0,0 +1,58 @@ +From f4477e692641e7a37eb35a49bdb7868a553b8cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 14:21:06 -0700 +Subject: xfs: make sure the rt allocator doesn't run off the end + +From: Darrick J. Wong + +[ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ] + +There's an overflow bug in the realtime allocator. If the rt volume is +large enough to handle a single allocation request that is larger than +the maximum bmap extent length and the rt bitmap ends exactly on a +bitmap block boundary, it's possible that the near allocator will try to +check the freeness of a range that extends past the end of the bitmap. +This fails with a corruption error and shuts down the fs. + +Therefore, constrain maxlen so that the range scan cannot run off the +end of the rt bitmap. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_rtalloc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c +index 4a48a8c75b4f7..b583669370825 100644 +--- a/fs/xfs/xfs_rtalloc.c ++++ b/fs/xfs/xfs_rtalloc.c +@@ -247,6 +247,9 @@ xfs_rtallocate_extent_block( + end = XFS_BLOCKTOBIT(mp, bbno + 1) - 1; + i <= end; + i++) { ++ /* Make sure we don't scan off the end of the rt volume. */ ++ maxlen = min(mp->m_sb.sb_rextents, i + maxlen) - i; ++ + /* + * See if there's a free extent of maxlen starting at i. + * If it's not so then next will contain the first non-free. +@@ -442,6 +445,14 @@ xfs_rtallocate_extent_near( + */ + if (bno >= mp->m_sb.sb_rextents) + bno = mp->m_sb.sb_rextents - 1; ++ ++ /* Make sure we don't run off the end of the rt volume. */ ++ maxlen = min(mp->m_sb.sb_rextents, bno + maxlen) - bno; ++ if (maxlen < minlen) { ++ *rtblock = NULLRTBLOCK; ++ return 0; ++ } ++ + /* + * Try the exact allocation first. + */ +-- +2.25.1 + diff --git a/queue-5.4/xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch b/queue-5.4/xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch new file mode 100644 index 00000000000..23d8f950bca --- /dev/null +++ b/queue-5.4/xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch @@ -0,0 +1,51 @@ +From 150fbbd379b836cfdafd832d939f3a528cb3d6c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 16:17:51 +0300 +Subject: xhci: don't create endpoint debugfs entry before ring buffer is set. + +From: Mathias Nyman + +[ Upstream commit 167657a1bb5fcde53ac304ce6c564bd90a2f9185 ] + +Make sure xHC completes the configure endpoint command and xhci driver +sets the ring pointers correctly before we create the user readable +debugfs file. + +In theory there was a small gap where a user could have read the +debugfs file and cause a NULL pointer dereference error as ring +pointer was not yet set, in practise we want this change to simplify +the upcoming streams debugfs support. + +Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20200918131752.16488-10-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index bad154f446f8d..0d10ede581cbd 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1915,8 +1915,6 @@ static int xhci_add_endpoint(struct usb_hcd *hcd, struct usb_device *udev, + ep_ctx = xhci_get_ep_ctx(xhci, virt_dev->in_ctx, ep_index); + trace_xhci_add_endpoint(ep_ctx); + +- xhci_debugfs_create_endpoint(xhci, virt_dev, ep_index); +- + xhci_dbg(xhci, "add ep 0x%x, slot id %d, new drop flags = %#x, new add flags = %#x\n", + (unsigned int) ep->desc.bEndpointAddress, + udev->slot_id, +@@ -2949,6 +2947,7 @@ static int xhci_check_bandwidth(struct usb_hcd *hcd, struct usb_device *udev) + xhci_check_bw_drop_ep_streams(xhci, virt_dev, i); + virt_dev->eps[i].ring = virt_dev->eps[i].new_ring; + virt_dev->eps[i].new_ring = NULL; ++ xhci_debugfs_create_endpoint(xhci, virt_dev, i); + } + command_cleanup: + kfree(command->completion); +-- +2.25.1 +