From: Greg Kroah-Hartman Date: Mon, 20 Jul 2020 12:51:40 +0000 (+0200) Subject: 5.7-stable patches X-Git-Tag: v4.4.231~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3eef646a8247da77641fbc0af88fe0951b4295a0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.7-stable patches added patches: arm-dts-imx6qdl-gw551x-fix-audio-ssi.patch arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch arm64-dts-agilex-add-status-to-qspi-dts-node.patch arm64-dts-stratix10-add-status-to-qspi-dts-node.patch arm64-dts-stratix10-increase-qspi-reg-address-in-nand-dts-file.patch arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch coresight-etmv4-fix-cpu-power-management-setup-in-probe-function.patch dmabuf-use-spinlock-to-access-dmabuf-name.patch dmaengine-fsl-edma-common-correct-dsize_32byte.patch dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch dmaengine-mcf-edma-fix-null-pointer-exception-in-mcf_edma_tx_handler.patch drm-amd-display-handle-failed-allocation-during-stream-construction.patch drm-amd-display-oled-panel-backlight-adjust-not-work-with-external-display-connected.patch drm-amdgpu-display-create-fake-mst-encoders-ahead-of-time-v4.patch drm-amdgpu-powerplay-modify-smc-message-name-for-setting-power-profile-mode.patch drm-amdgpu-sdma5-fix-wptr-overwritten-in-get_wptr.patch drm-i915-gt-ignore-irq-enabling-on-the-virtual-engines.patch drm-i915-gt-only-swap-to-a-random-sibling-once-upon-creation.patch drm-i915-move-cec_notifier-to-intel_hdmi_connector_unregister-v2.patch drm-vmwgfx-fix-update-of-display-surface-when-resolution-changes.patch fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch fuse-ignore-data-argument-of-mount-...-ms_remount.patch fuse-use-reconfigure-instead-of-remount_fs.patch genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch hwmon-drivetemp-avoid-sct-usage-on-toshiba-dt01aca-family-drives.patch hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch input-elan_i2c-add-more-hardware-id-for-lenovo-laptops.patch input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch intel_th-pci-add-emmitsburg-pch-support.patch intel_th-pci-add-jasper-lake-cpu-support.patch intel_th-pci-add-tiger-lake-pch-h-support.patch mei-bus-don-t-clean-driver-pointer.patch misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch opp-increase-parsed_static_opps-in-_of_add_opp_table_v1.patch ovl-fix-unneeded-call-to-ovl_change_flags.patch ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch powerpc-pseries-svm-fix-incorrect-check-for-shared_lppaca_size.patch revert-input-elants_i2c-report-resolution-information-for-touch-major.patch revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch riscv-use-16kb-kernel-stack-on-64-bit.patch sched-fair-handle-case-of-task_h_load-returning-0.patch sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch scsi-megaraid_sas-remove-undefined-enable_irq_poll-macro.patch thermal-int3403_thermal-downgrade-error-message.patch timer-fix-wheel-index-calculation-on-last-level.patch timer-prevent-base-clk-from-moving-backward.patch uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch uio_pdrv_genirq-remove-warning-when-irq-is-not-specified.patch x86-ioperm-fix-io-bitmap-invalidation-on-xen-pv.patch --- diff --git a/queue-5.7/arm-dts-imx6qdl-gw551x-fix-audio-ssi.patch b/queue-5.7/arm-dts-imx6qdl-gw551x-fix-audio-ssi.patch new file mode 100644 index 00000000000..a8ce98be0ec --- /dev/null +++ b/queue-5.7/arm-dts-imx6qdl-gw551x-fix-audio-ssi.patch @@ -0,0 +1,33 @@ +From 4237c625304b212a3f30adf787901082082511ec Mon Sep 17 00:00:00 2001 +From: Tim Harvey +Date: Tue, 23 Jun 2020 12:06:54 -0700 +Subject: ARM: dts: imx6qdl-gw551x: fix audio SSI + +From: Tim Harvey + +commit 4237c625304b212a3f30adf787901082082511ec upstream. + +The audio codec on the GW551x routes to ssi1. It fixes audio capture on +the device. + +Cc: stable@vger.kernel.org +Fixes: 3117e851cef1 ("ARM: dts: imx: Add TDA19971 HDMI Receiver to GW551x") +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6qdl-gw551x.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx6qdl-gw551x.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-gw551x.dtsi +@@ -110,7 +110,7 @@ + simple-audio-card,frame-master = <&sound_codec>; + + sound_cpu: simple-audio-card,cpu { +- sound-dai = <&ssi2>; ++ sound-dai = <&ssi1>; + }; + + sound_codec: simple-audio-card,codec { diff --git a/queue-5.7/arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch b/queue-5.7/arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch new file mode 100644 index 00000000000..83f61c648ed --- /dev/null +++ b/queue-5.7/arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch @@ -0,0 +1,70 @@ +From 15956689a0e60aa0c795174f3c310b60d8794235 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 3 Jul 2020 12:08:42 +0100 +Subject: arm64: compat: Ensure upper 32 bits of x0 are zero on syscall return + +From: Will Deacon + +commit 15956689a0e60aa0c795174f3c310b60d8794235 upstream. + +Although we zero the upper bits of x0 on entry to the kernel from an +AArch32 task, we do not clear them on the exception return path and can +therefore expose 64-bit sign extended syscall return values to userspace +via interfaces such as the 'perf_regs' ABI, which deal exclusively with +64-bit registers. + +Explicitly clear the upper 32 bits of x0 on return from a compat system +call. + +Cc: +Cc: Mark Rutland +Cc: Keno Fischer +Cc: Luis Machado +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/syscall.h | 12 +++++++++++- + arch/arm64/kernel/syscall.c | 3 +++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/syscall.h ++++ b/arch/arm64/include/asm/syscall.h +@@ -34,6 +34,10 @@ static inline long syscall_get_error(str + struct pt_regs *regs) + { + unsigned long error = regs->regs[0]; ++ ++ if (is_compat_thread(task_thread_info(task))) ++ error = sign_extend64(error, 31); ++ + return IS_ERR_VALUE(error) ? error : 0; + } + +@@ -47,7 +51,13 @@ static inline void syscall_set_return_va + struct pt_regs *regs, + int error, long val) + { +- regs->regs[0] = (long) error ? error : val; ++ if (error) ++ val = error; ++ ++ if (is_compat_thread(task_thread_info(task))) ++ val = lower_32_bits(val); ++ ++ regs->regs[0] = val; + } + + #define SYSCALL_MAX_ARGS 6 +--- a/arch/arm64/kernel/syscall.c ++++ b/arch/arm64/kernel/syscall.c +@@ -50,6 +50,9 @@ static void invoke_syscall(struct pt_reg + ret = do_ni_syscall(regs, scno); + } + ++ if (is_compat_task()) ++ ret = lower_32_bits(ret); ++ + regs->regs[0] = ret; + } + diff --git a/queue-5.7/arm64-dts-agilex-add-status-to-qspi-dts-node.patch b/queue-5.7/arm64-dts-agilex-add-status-to-qspi-dts-node.patch new file mode 100644 index 00000000000..60c28de8a3b --- /dev/null +++ b/queue-5.7/arm64-dts-agilex-add-status-to-qspi-dts-node.patch @@ -0,0 +1,30 @@ +From 60176e6be0bb6f629b15aea7dcab5a95ecb158e9 Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Mon, 29 Jun 2020 11:19:21 -0500 +Subject: arm64: dts: agilex: add status to qspi dts node + +From: Dinh Nguyen + +commit 60176e6be0bb6f629b15aea7dcab5a95ecb158e9 upstream. + +Add status = "okay" to QSPI node. + +Fixes: c4c8757b2d895 ("arm64: dts: agilex: add QSPI support for Intel Agilex") +Cc: linux-stable # >= v5.5 +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/intel/socfpga_agilex_socdk.dts | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/intel/socfpga_agilex_socdk.dts ++++ b/arch/arm64/boot/dts/intel/socfpga_agilex_socdk.dts +@@ -98,6 +98,7 @@ + }; + + &qspi { ++ status = "okay"; + flash@0 { + #address-cells = <1>; + #size-cells = <1>; diff --git a/queue-5.7/arm64-dts-stratix10-add-status-to-qspi-dts-node.patch b/queue-5.7/arm64-dts-stratix10-add-status-to-qspi-dts-node.patch new file mode 100644 index 00000000000..3d0ceefa428 --- /dev/null +++ b/queue-5.7/arm64-dts-stratix10-add-status-to-qspi-dts-node.patch @@ -0,0 +1,41 @@ +From 263a0269a59c0b4145829462a107fe7f7327105f Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Mon, 29 Jun 2020 11:25:43 -0500 +Subject: arm64: dts: stratix10: add status to qspi dts node + +From: Dinh Nguyen + +commit 263a0269a59c0b4145829462a107fe7f7327105f upstream. + +Add status = "okay" to QSPI node. + +Fixes: 0cb140d07fc75 ("arm64: dts: stratix10: Add QSPI support for Stratix10") +Cc: linux-stable # >= v5.6 +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts | 1 + + arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts ++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts +@@ -155,6 +155,7 @@ + }; + + &qspi { ++ status = "okay"; + flash@0 { + #address-cells = <1>; + #size-cells = <1>; +--- a/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts ++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts +@@ -188,6 +188,7 @@ + }; + + &qspi { ++ status = "okay"; + flash@0 { + #address-cells = <1>; + #size-cells = <1>; diff --git a/queue-5.7/arm64-dts-stratix10-increase-qspi-reg-address-in-nand-dts-file.patch b/queue-5.7/arm64-dts-stratix10-increase-qspi-reg-address-in-nand-dts-file.patch new file mode 100644 index 00000000000..e5288c27a67 --- /dev/null +++ b/queue-5.7/arm64-dts-stratix10-increase-qspi-reg-address-in-nand-dts-file.patch @@ -0,0 +1,38 @@ +From 3bf9b8ffc8980c1090bdd3a5570cf42420620838 Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Mon, 29 Jun 2020 12:47:35 -0500 +Subject: arm64: dts: stratix10: increase QSPI reg address in nand dts file + +From: Dinh Nguyen + +commit 3bf9b8ffc8980c1090bdd3a5570cf42420620838 upstream. + +Match the QSPI reg address in the socfpga_stratix10_socdk.dts file. + +Fixes: 80f132d73709 ("arm64: dts: increase the QSPI reg address for Stratix10 and Agilex") +Cc: linux-stable # >= v5.6 +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts ++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts +@@ -212,12 +212,12 @@ + + qspi_boot: partition@0 { + label = "Boot and fpga data"; +- reg = <0x0 0x034B0000>; ++ reg = <0x0 0x03FE0000>; + }; + +- qspi_rootfs: partition@4000000 { ++ qspi_rootfs: partition@3FE0000 { + label = "Root Filesystem - JFFS2"; +- reg = <0x034B0000 0x0EB50000>; ++ reg = <0x03FE0000 0x0C020000>; + }; + }; + }; diff --git a/queue-5.7/arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch b/queue-5.7/arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch new file mode 100644 index 00000000000..a46e92888b8 --- /dev/null +++ b/queue-5.7/arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch @@ -0,0 +1,139 @@ +From ac2081cdc4d99c57f219c1a6171526e0fa0a6fff Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 2 Jul 2020 21:16:20 +0100 +Subject: arm64: ptrace: Consistently use pseudo-singlestep exceptions + +From: Will Deacon + +commit ac2081cdc4d99c57f219c1a6171526e0fa0a6fff upstream. + +Although the arm64 single-step state machine can be fast-forwarded in +cases where we wish to generate a SIGTRAP without actually executing an +instruction, this has two major limitations outside of simply skipping +an instruction due to emulation. + +1. Stepping out of a ptrace signal stop into a signal handler where + SIGTRAP is blocked. Fast-forwarding the stepping state machine in + this case will result in a forced SIGTRAP, with the handler reset to + SIG_DFL. + +2. The hardware implicitly fast-forwards the state machine when executing + an SVC instruction for issuing a system call. This can interact badly + with subsequent ptrace stops signalled during the execution of the + system call (e.g. SYSCALL_EXIT or seccomp traps), as they may corrupt + the stepping state by updating the PSTATE for the tracee. + +Resolve both of these issues by injecting a pseudo-singlestep exception +on entry to a signal handler and also on return to userspace following a +system call. + +Cc: +Cc: Mark Rutland +Tested-by: Luis Machado +Reported-by: Keno Fischer +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/thread_info.h | 1 + + arch/arm64/kernel/ptrace.c | 27 ++++++++++++++++++++------- + arch/arm64/kernel/signal.c | 11 ++--------- + arch/arm64/kernel/syscall.c | 2 +- + 4 files changed, 24 insertions(+), 17 deletions(-) + +--- a/arch/arm64/include/asm/thread_info.h ++++ b/arch/arm64/include/asm/thread_info.h +@@ -89,6 +89,7 @@ void arch_release_task_struct(struct tas + #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU) + #define _TIF_UPROBE (1 << TIF_UPROBE) + #define _TIF_FSCHECK (1 << TIF_FSCHECK) ++#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) + #define _TIF_32BIT (1 << TIF_32BIT) + #define _TIF_SVE (1 << TIF_SVE) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1819,12 +1819,23 @@ static void tracehook_report_syscall(str + saved_reg = regs->regs[regno]; + regs->regs[regno] = dir; + +- if (dir == PTRACE_SYSCALL_EXIT) ++ if (dir == PTRACE_SYSCALL_ENTER) { ++ if (tracehook_report_syscall_entry(regs)) ++ forget_syscall(regs); ++ regs->regs[regno] = saved_reg; ++ } else if (!test_thread_flag(TIF_SINGLESTEP)) { + tracehook_report_syscall_exit(regs, 0); +- else if (tracehook_report_syscall_entry(regs)) +- forget_syscall(regs); +- +- regs->regs[regno] = saved_reg; ++ regs->regs[regno] = saved_reg; ++ } else { ++ regs->regs[regno] = saved_reg; ++ ++ /* ++ * Signal a pseudo-step exception since we are stepping but ++ * tracer modifications to the registers may have rewound the ++ * state machine. ++ */ ++ tracehook_report_syscall_exit(regs, 1); ++ } + } + + int syscall_trace_enter(struct pt_regs *regs) +@@ -1852,12 +1863,14 @@ int syscall_trace_enter(struct pt_regs * + + void syscall_trace_exit(struct pt_regs *regs) + { ++ unsigned long flags = READ_ONCE(current_thread_info()->flags); ++ + audit_syscall_exit(regs); + +- if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) ++ if (flags & _TIF_SYSCALL_TRACEPOINT) + trace_sys_exit(regs, regs_return_value(regs)); + +- if (test_thread_flag(TIF_SYSCALL_TRACE)) ++ if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP)) + tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT); + + rseq_syscall(regs); +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -784,7 +784,6 @@ static void setup_restart_syscall(struct + */ + static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) + { +- struct task_struct *tsk = current; + sigset_t *oldset = sigmask_to_save(); + int usig = ksig->sig; + int ret; +@@ -808,14 +807,8 @@ static void handle_signal(struct ksignal + */ + ret |= !valid_user_regs(®s->user_regs, current); + +- /* +- * Fast forward the stepping logic so we step into the signal +- * handler. +- */ +- if (!ret) +- user_fastforward_single_step(tsk); +- +- signal_setup_done(ret, ksig, 0); ++ /* Step into the signal handler if we are stepping */ ++ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); + } + + /* +--- a/arch/arm64/kernel/syscall.c ++++ b/arch/arm64/kernel/syscall.c +@@ -121,7 +121,7 @@ static void el0_svc_common(struct pt_reg + if (!has_syscall_work(flags) && !IS_ENABLED(CONFIG_DEBUG_RSEQ)) { + local_daif_mask(); + flags = current_thread_info()->flags; +- if (!has_syscall_work(flags)) { ++ if (!has_syscall_work(flags) && !(flags & _TIF_SINGLESTEP)) { + /* + * We're off to userspace, where interrupts are + * always enabled after we restore the flags from diff --git a/queue-5.7/arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch b/queue-5.7/arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch new file mode 100644 index 00000000000..633f6b2305b --- /dev/null +++ b/queue-5.7/arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch @@ -0,0 +1,110 @@ +From 3a5a4366cecc25daa300b9a9174f7fdd352b9068 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 13 Feb 2020 12:06:26 +0000 +Subject: arm64: ptrace: Override SPSR.SS when single-stepping is enabled + +From: Will Deacon + +commit 3a5a4366cecc25daa300b9a9174f7fdd352b9068 upstream. + +Luis reports that, when reverse debugging with GDB, single-step does not +function as expected on arm64: + + | I've noticed, under very specific conditions, that a PTRACE_SINGLESTEP + | request by GDB won't execute the underlying instruction. As a consequence, + | the PC doesn't move, but we return a SIGTRAP just like we would for a + | regular successful PTRACE_SINGLESTEP request. + +The underlying problem is that when the CPU register state is restored +as part of a reverse step, the SPSR.SS bit is cleared and so the hardware +single-step state can transition to the "active-pending" state, causing +an unexpected step exception to be taken immediately if a step operation +is attempted. + +In hindsight, we probably shouldn't have exposed SPSR.SS in the pstate +accessible by the GPR regset, but it's a bit late for that now. Instead, +simply prevent userspace from configuring the bit to a value which is +inconsistent with the TIF_SINGLESTEP state for the task being traced. + +Cc: +Cc: Mark Rutland +Cc: Keno Fischer +Link: https://lore.kernel.org/r/1eed6d69-d53d-9657-1fc9-c089be07f98c@linaro.org +Reported-by: Luis Machado +Tested-by: Luis Machado +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/debug-monitors.h | 2 ++ + arch/arm64/kernel/debug-monitors.c | 20 ++++++++++++++++---- + arch/arm64/kernel/ptrace.c | 4 ++-- + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/arch/arm64/include/asm/debug-monitors.h ++++ b/arch/arm64/include/asm/debug-monitors.h +@@ -109,6 +109,8 @@ void disable_debug_monitors(enum dbg_act + + void user_rewind_single_step(struct task_struct *task); + void user_fastforward_single_step(struct task_struct *task); ++void user_regs_reset_single_step(struct user_pt_regs *regs, ++ struct task_struct *task); + + void kernel_enable_single_step(struct pt_regs *regs); + void kernel_disable_single_step(void); +--- a/arch/arm64/kernel/debug-monitors.c ++++ b/arch/arm64/kernel/debug-monitors.c +@@ -141,17 +141,20 @@ postcore_initcall(debug_monitors_init); + /* + * Single step API and exception handling. + */ +-static void set_regs_spsr_ss(struct pt_regs *regs) ++static void set_user_regs_spsr_ss(struct user_pt_regs *regs) + { + regs->pstate |= DBG_SPSR_SS; + } +-NOKPROBE_SYMBOL(set_regs_spsr_ss); ++NOKPROBE_SYMBOL(set_user_regs_spsr_ss); + +-static void clear_regs_spsr_ss(struct pt_regs *regs) ++static void clear_user_regs_spsr_ss(struct user_pt_regs *regs) + { + regs->pstate &= ~DBG_SPSR_SS; + } +-NOKPROBE_SYMBOL(clear_regs_spsr_ss); ++NOKPROBE_SYMBOL(clear_user_regs_spsr_ss); ++ ++#define set_regs_spsr_ss(r) set_user_regs_spsr_ss(&(r)->user_regs) ++#define clear_regs_spsr_ss(r) clear_user_regs_spsr_ss(&(r)->user_regs) + + static DEFINE_SPINLOCK(debug_hook_lock); + static LIST_HEAD(user_step_hook); +@@ -404,6 +407,15 @@ void user_fastforward_single_step(struct + clear_regs_spsr_ss(task_pt_regs(task)); + } + ++void user_regs_reset_single_step(struct user_pt_regs *regs, ++ struct task_struct *task) ++{ ++ if (test_tsk_thread_flag(task, TIF_SINGLESTEP)) ++ set_user_regs_spsr_ss(regs); ++ else ++ clear_user_regs_spsr_ss(regs); ++} ++ + /* Kernel API */ + void kernel_enable_single_step(struct pt_regs *regs) + { +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1935,8 +1935,8 @@ static int valid_native_regs(struct user + */ + int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task) + { +- if (!test_tsk_thread_flag(task, TIF_SINGLESTEP)) +- regs->pstate &= ~DBG_SPSR_SS; ++ /* https://lore.kernel.org/lkml/20191118131525.GA4180@willie-the-truck */ ++ user_regs_reset_single_step(regs, task); + + if (is_compat_thread(task_thread_info(task))) + return valid_compat_regs(regs); diff --git a/queue-5.7/coresight-etmv4-fix-cpu-power-management-setup-in-probe-function.patch b/queue-5.7/coresight-etmv4-fix-cpu-power-management-setup-in-probe-function.patch new file mode 100644 index 00000000000..d639b6b0902 --- /dev/null +++ b/queue-5.7/coresight-etmv4-fix-cpu-power-management-setup-in-probe-function.patch @@ -0,0 +1,153 @@ +From 9b6a3f3633a5cc928b78627764793b60cb62e0f6 Mon Sep 17 00:00:00 2001 +From: Mike Leach +Date: Wed, 1 Jul 2020 10:08:52 -0600 +Subject: coresight: etmv4: Fix CPU power management setup in probe() function + +From: Mike Leach + +commit 9b6a3f3633a5cc928b78627764793b60cb62e0f6 upstream. + +The current probe() function calls a pair of cpuhp_xxx API functions to +setup CPU hotplug handling. The hotplug lock is held for the duration of +the two calls and other CPU related code using cpus_read_lock() / +cpus_read_unlock() calls. + +The problem is that on error states, goto: statements bypass the +cpus_read_unlock() call. This code has increased in complexity as the +driver has developed. + +This patch introduces a pair of helper functions etm4_pm_setup_cpuslocked() +and etm4_pm_clear() which correct the issues above and group the PM code a +little better. + +The two functions etm4_cpu_pm_register() and etm4_cpu_pm_unregister() are +dropped as these call cpu_pm_register_notifier() / ..unregister_notifier() +dependent on CONFIG_CPU_PM - but this define is used to nop these functions +out in the pm headers - so the wrapper functions are superfluous. + +Fixes: f188b5e76aae ("coresight: etm4x: Save/restore state across CPU low power states") +Fixes: e9f5d63f84fe ("hwtracing/coresight-etm4x: Use cpuhp_setup_state_nocalls_cpuslocked()") +Fixes: 58eb457be028 ("hwtracing/coresight-etm4x: Convert to hotplug state machine") +Signed-off-by: Mike Leach +Cc: stable +Reviewed-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200701160852.2782823-3-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 82 ++++++++++++++++---------- + 1 file changed, 53 insertions(+), 29 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -1399,18 +1399,57 @@ static struct notifier_block etm4_cpu_pm + .notifier_call = etm4_cpu_pm_notify, + }; + +-static int etm4_cpu_pm_register(void) ++/* Setup PM. Called with cpus locked. Deals with error conditions and counts */ ++static int etm4_pm_setup_cpuslocked(void) + { +- if (IS_ENABLED(CONFIG_CPU_PM)) +- return cpu_pm_register_notifier(&etm4_cpu_pm_nb); ++ int ret; + +- return 0; ++ if (etm4_count++) ++ return 0; ++ ++ ret = cpu_pm_register_notifier(&etm4_cpu_pm_nb); ++ if (ret) ++ goto reduce_count; ++ ++ ret = cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ARM_CORESIGHT_STARTING, ++ "arm/coresight4:starting", ++ etm4_starting_cpu, etm4_dying_cpu); ++ ++ if (ret) ++ goto unregister_notifier; ++ ++ ret = cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ONLINE_DYN, ++ "arm/coresight4:online", ++ etm4_online_cpu, NULL); ++ ++ /* HP dyn state ID returned in ret on success */ ++ if (ret > 0) { ++ hp_online = ret; ++ return 0; ++ } ++ ++ /* failed dyn state - remove others */ ++ cpuhp_remove_state_nocalls_cpuslocked(CPUHP_AP_ARM_CORESIGHT_STARTING); ++ ++unregister_notifier: ++ cpu_pm_unregister_notifier(&etm4_cpu_pm_nb); ++ ++reduce_count: ++ --etm4_count; ++ return ret; + } + +-static void etm4_cpu_pm_unregister(void) ++static void etm4_pm_clear(void) + { +- if (IS_ENABLED(CONFIG_CPU_PM)) +- cpu_pm_unregister_notifier(&etm4_cpu_pm_nb); ++ if (--etm4_count != 0) ++ return; ++ ++ cpu_pm_unregister_notifier(&etm4_cpu_pm_nb); ++ cpuhp_remove_state_nocalls(CPUHP_AP_ARM_CORESIGHT_STARTING); ++ if (hp_online) { ++ cpuhp_remove_state_nocalls(hp_online); ++ hp_online = 0; ++ } + } + + static int etm4_probe(struct amba_device *adev, const struct amba_id *id) +@@ -1464,24 +1503,15 @@ static int etm4_probe(struct amba_device + etm4_init_arch_data, drvdata, 1)) + dev_err(dev, "ETM arch init failed\n"); + +- if (!etm4_count++) { +- cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ARM_CORESIGHT_STARTING, +- "arm/coresight4:starting", +- etm4_starting_cpu, etm4_dying_cpu); +- ret = cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ONLINE_DYN, +- "arm/coresight4:online", +- etm4_online_cpu, NULL); +- if (ret < 0) +- goto err_arch_supported; +- hp_online = ret; ++ ret = etm4_pm_setup_cpuslocked(); ++ cpus_read_unlock(); + +- ret = etm4_cpu_pm_register(); +- if (ret) +- goto err_arch_supported; ++ /* etm4_pm_setup_cpuslocked() does its own cleanup - exit on error */ ++ if (ret) { ++ etmdrvdata[drvdata->cpu] = NULL; ++ return ret; + } + +- cpus_read_unlock(); +- + if (etm4_arch_supported(drvdata->arch) == false) { + ret = -EINVAL; + goto err_arch_supported; +@@ -1528,13 +1558,7 @@ static int etm4_probe(struct amba_device + + err_arch_supported: + etmdrvdata[drvdata->cpu] = NULL; +- if (--etm4_count == 0) { +- etm4_cpu_pm_unregister(); +- +- cpuhp_remove_state_nocalls(CPUHP_AP_ARM_CORESIGHT_STARTING); +- if (hp_online) +- cpuhp_remove_state_nocalls(hp_online); +- } ++ etm4_pm_clear(); + return ret; + } + diff --git a/queue-5.7/dmabuf-use-spinlock-to-access-dmabuf-name.patch b/queue-5.7/dmabuf-use-spinlock-to-access-dmabuf-name.patch new file mode 100644 index 00000000000..842cd12929b --- /dev/null +++ b/queue-5.7/dmabuf-use-spinlock-to-access-dmabuf-name.patch @@ -0,0 +1,131 @@ +From 6348dd291e3653534a9e28e6917569bc9967b35b Mon Sep 17 00:00:00 2001 +From: Charan Teja Kalla +Date: Fri, 19 Jun 2020 17:27:19 +0530 +Subject: dmabuf: use spinlock to access dmabuf->name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Charan Teja Kalla + +commit 6348dd291e3653534a9e28e6917569bc9967b35b upstream. + +There exists a sleep-while-atomic bug while accessing the dmabuf->name +under mutex in the dmabuffs_dname(). This is caused from the SELinux +permissions checks on a process where it tries to validate the inherited +files from fork() by traversing them through iterate_fd() (which +traverse files under spin_lock) and call +match_file(security/selinux/hooks.c) where the permission checks happen. +This audit information is logged using dump_common_audit_data() where it +calls d_path() to get the file path name. If the file check happen on +the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to +access dmabuf->name. The flow will be like below: +flush_unauthorized_files() + iterate_fd() + spin_lock() --> Start of the atomic section. + match_file() + file_has_perm() + avc_has_perm() + avc_audit() + slow_avc_audit() + common_lsm_audit() + dump_common_audit_data() + audit_log_d_path() + d_path() + dmabuffs_dname() + mutex_lock()--> Sleep while atomic. + +Call trace captured (on 4.19 kernels) is below: +___might_sleep+0x204/0x208 +__might_sleep+0x50/0x88 +__mutex_lock_common+0x5c/0x1068 +__mutex_lock_common+0x5c/0x1068 +mutex_lock_nested+0x40/0x50 +dmabuffs_dname+0xa0/0x170 +d_path+0x84/0x290 +audit_log_d_path+0x74/0x130 +common_lsm_audit+0x334/0x6e8 +slow_avc_audit+0xb8/0xf8 +avc_has_perm+0x154/0x218 +file_has_perm+0x70/0x180 +match_file+0x60/0x78 +iterate_fd+0x128/0x168 +selinux_bprm_committing_creds+0x178/0x248 +security_bprm_committing_creds+0x30/0x48 +install_exec_creds+0x1c/0x68 +load_elf_binary+0x3a4/0x14e0 +search_binary_handler+0xb0/0x1e0 + +So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. + +Cc: [5.3+] +Signed-off-by: Charan Teja Kalla +Reviewed-by: Michael J. Ruhl +Acked-by: Christian König + [sumits: added comment to spinlock_t definition to avoid warning] +Signed-off-by: Sumit Semwal +Link: https://patchwork.freedesktop.org/patch/msgid/a83e7f0d-4e54-9848-4b58-e1acdbe06735@codeaurora.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma-buf/dma-buf.c | 11 +++++++---- + include/linux/dma-buf.h | 1 + + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/dma-buf/dma-buf.c ++++ b/drivers/dma-buf/dma-buf.c +@@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentr + size_t ret = 0; + + dmabuf = dentry->d_fsdata; +- dma_resv_lock(dmabuf->resv, NULL); ++ spin_lock(&dmabuf->name_lock); + if (dmabuf->name) + ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); +- dma_resv_unlock(dmabuf->resv); ++ spin_unlock(&dmabuf->name_lock); + + return dynamic_dname(dentry, buffer, buflen, "/%s:%s", + dentry->d_name.name, ret > 0 ? name : ""); +@@ -338,8 +338,10 @@ static long dma_buf_set_name(struct dma_ + kfree(name); + goto out_unlock; + } ++ spin_lock(&dmabuf->name_lock); + kfree(dmabuf->name); + dmabuf->name = name; ++ spin_unlock(&dmabuf->name_lock); + + out_unlock: + dma_resv_unlock(dmabuf->resv); +@@ -402,10 +404,10 @@ static void dma_buf_show_fdinfo(struct s + /* Don't count the temporary reference taken inside procfs seq_show */ + seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); + seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); +- dma_resv_lock(dmabuf->resv, NULL); ++ spin_lock(&dmabuf->name_lock); + if (dmabuf->name) + seq_printf(m, "name:\t%s\n", dmabuf->name); +- dma_resv_unlock(dmabuf->resv); ++ spin_unlock(&dmabuf->name_lock); + } + + static const struct file_operations dma_buf_fops = { +@@ -542,6 +544,7 @@ struct dma_buf *dma_buf_export(const str + dmabuf->size = exp_info->size; + dmabuf->exp_name = exp_info->exp_name; + dmabuf->owner = exp_info->owner; ++ spin_lock_init(&dmabuf->name_lock); + init_waitqueue_head(&dmabuf->poll); + dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; + dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; +--- a/include/linux/dma-buf.h ++++ b/include/linux/dma-buf.h +@@ -311,6 +311,7 @@ struct dma_buf { + void *vmap_ptr; + const char *exp_name; + const char *name; ++ spinlock_t name_lock; /* spinlock to protect name access */ + struct module *owner; + struct list_head list_node; + void *priv; diff --git a/queue-5.7/dmaengine-fsl-edma-common-correct-dsize_32byte.patch b/queue-5.7/dmaengine-fsl-edma-common-correct-dsize_32byte.patch new file mode 100644 index 00000000000..5d139a35340 --- /dev/null +++ b/queue-5.7/dmaengine-fsl-edma-common-correct-dsize_32byte.patch @@ -0,0 +1,35 @@ +From e142087b15960a4e1e5932942e5abae1f49d2318 Mon Sep 17 00:00:00 2001 +From: Robin Gong +Date: Tue, 30 Jun 2020 00:59:58 +0800 +Subject: dmaengine: fsl-edma-common: correct DSIZE_32BYTE + +From: Robin Gong + +commit e142087b15960a4e1e5932942e5abae1f49d2318 upstream. + +Correct EDMA_TCD_ATTR_DSIZE_32BYTE define since it's broken by the below: +'0x0005 --> BIT(3) | BIT(0))' + +Fixes: 4d6d3a90e4ac ("dmaengine: fsl-edma: fix macros") +Signed-off-by: Robin Gong +Tested-by: Angelo Dureghello +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1593449998-32091-1-git-send-email-yibin.gong@nxp.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/fsl-edma-common.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/fsl-edma-common.h ++++ b/drivers/dma/fsl-edma-common.h +@@ -33,7 +33,7 @@ + #define EDMA_TCD_ATTR_DSIZE_16BIT BIT(0) + #define EDMA_TCD_ATTR_DSIZE_32BIT BIT(1) + #define EDMA_TCD_ATTR_DSIZE_64BIT (BIT(0) | BIT(1)) +-#define EDMA_TCD_ATTR_DSIZE_32BYTE (BIT(3) | BIT(0)) ++#define EDMA_TCD_ATTR_DSIZE_32BYTE (BIT(2) | BIT(0)) + #define EDMA_TCD_ATTR_SSIZE_8BIT 0 + #define EDMA_TCD_ATTR_SSIZE_16BIT (EDMA_TCD_ATTR_DSIZE_16BIT << 8) + #define EDMA_TCD_ATTR_SSIZE_32BIT (EDMA_TCD_ATTR_DSIZE_32BIT << 8) diff --git a/queue-5.7/dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch b/queue-5.7/dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch new file mode 100644 index 00000000000..aeed67d63f8 --- /dev/null +++ b/queue-5.7/dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch @@ -0,0 +1,77 @@ +From f5e5677c420346b4e9788051c2e4d750996c428c Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 11 Jun 2020 14:17:41 +0200 +Subject: dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler + +From: Krzysztof Kozlowski + +commit f5e5677c420346b4e9788051c2e4d750996c428c upstream. + +NULL pointer exception happens occasionally on serial output initiated +by login timeout. This was reproduced only if kernel was built with +significant debugging options and EDMA driver is used with serial +console. + + col-vf50 login: root + Password: + Login timed out after 60 seconds. + Unable to handle kernel NULL pointer dereference at virtual address 00000044 + Internal error: Oops: 5 [#1] ARM + CPU: 0 PID: 157 Comm: login Not tainted 5.7.0-next-20200610-dirty #4 + Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree) + (fsl_edma_tx_handler) from [<8016eb10>] (__handle_irq_event_percpu+0x64/0x304) + (__handle_irq_event_percpu) from [<8016eddc>] (handle_irq_event_percpu+0x2c/0x7c) + (handle_irq_event_percpu) from [<8016ee64>] (handle_irq_event+0x38/0x5c) + (handle_irq_event) from [<801729e4>] (handle_fasteoi_irq+0xa4/0x160) + (handle_fasteoi_irq) from [<8016ddcc>] (generic_handle_irq+0x34/0x44) + (generic_handle_irq) from [<8016e40c>] (__handle_domain_irq+0x54/0xa8) + (__handle_domain_irq) from [<80508bc8>] (gic_handle_irq+0x4c/0x80) + (gic_handle_irq) from [<80100af0>] (__irq_svc+0x70/0x98) + Exception stack(0x8459fe80 to 0x8459fec8) + fe80: 72286b00 e3359f64 00000001 0000412d a0070013 85c98840 85c98840 a0070013 + fea0: 8054e0d4 00000000 00000002 00000000 00000002 8459fed0 8081fbe8 8081fbec + fec0: 60070013 ffffffff + (__irq_svc) from [<8081fbec>] (_raw_spin_unlock_irqrestore+0x30/0x58) + (_raw_spin_unlock_irqrestore) from [<8056cb48>] (uart_flush_buffer+0x88/0xf8) + (uart_flush_buffer) from [<80554e60>] (tty_ldisc_hangup+0x38/0x1ac) + (tty_ldisc_hangup) from [<8054c7f4>] (__tty_hangup+0x158/0x2bc) + (__tty_hangup) from [<80557b90>] (disassociate_ctty.part.1+0x30/0x23c) + (disassociate_ctty.part.1) from [<8011fc18>] (do_exit+0x580/0xba0) + (do_exit) from [<801214f8>] (do_group_exit+0x3c/0xb4) + (do_group_exit) from [<80121580>] (__wake_up_parent+0x0/0x14) + +Issue looks like race condition between interrupt handler fsl_edma_tx_handler() +(called as result of fsl_edma_xfer_desc()) and terminating the transfer with +fsl_edma_terminate_all(). + +The fsl_edma_tx_handler() handles interrupt for a transfer with already freed +edesc and idle==true. + +Fixes: d6be34fbd39b ("dma: Add Freescale eDMA engine driver support") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Robin Gong +Cc: +Link: https://lore.kernel.org/r/1591877861-28156-2-git-send-email-krzk@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/fsl-edma.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/dma/fsl-edma.c ++++ b/drivers/dma/fsl-edma.c +@@ -45,6 +45,13 @@ static irqreturn_t fsl_edma_tx_handler(i + fsl_chan = &fsl_edma->chans[ch]; + + spin_lock(&fsl_chan->vchan.lock); ++ ++ if (!fsl_chan->edesc) { ++ /* terminate_all called before */ ++ spin_unlock(&fsl_chan->vchan.lock); ++ continue; ++ } ++ + if (!fsl_chan->edesc->iscyclic) { + list_del(&fsl_chan->edesc->vdesc.node); + vchan_cookie_complete(&fsl_chan->edesc->vdesc); diff --git a/queue-5.7/dmaengine-mcf-edma-fix-null-pointer-exception-in-mcf_edma_tx_handler.patch b/queue-5.7/dmaengine-mcf-edma-fix-null-pointer-exception-in-mcf_edma_tx_handler.patch new file mode 100644 index 00000000000..0cc74441b83 --- /dev/null +++ b/queue-5.7/dmaengine-mcf-edma-fix-null-pointer-exception-in-mcf_edma_tx_handler.patch @@ -0,0 +1,55 @@ +From 8995aa3d164ddd9200e6abcf25c449cf5298c858 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 11 Jun 2020 15:21:05 +0200 +Subject: dmaengine: mcf-edma: Fix NULL pointer exception in mcf_edma_tx_handler + +From: Krzysztof Kozlowski + +commit 8995aa3d164ddd9200e6abcf25c449cf5298c858 upstream. + +On Toradex Colibri VF50 (Vybrid VF5xx) with fsl-edma driver NULL pointer +exception happens occasionally on serial output initiated by login +timeout. + +This was reproduced only if kernel was built with significant debugging +options and EDMA driver is used with serial console. + +Issue looks like a race condition between interrupt handler +fsl_edma_tx_handler() (called as a result of fsl_edma_xfer_desc()) and +terminating the transfer with fsl_edma_terminate_all(). + +The fsl_edma_tx_handler() handles interrupt for a transfer with already +freed edesc and idle==true. + +The mcf-edma driver shares design and lot of code with fsl-edma. It +looks like being affected by same problem. Fix this pattern the same +way as fix for fsl-edma driver. + +Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Robin Gong +Link: https://lore.kernel.org/r/1591881665-25592-1-git-send-email-krzk@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/mcf-edma.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/dma/mcf-edma.c ++++ b/drivers/dma/mcf-edma.c +@@ -35,6 +35,13 @@ static irqreturn_t mcf_edma_tx_handler(i + mcf_chan = &mcf_edma->chans[ch]; + + spin_lock(&mcf_chan->vchan.lock); ++ ++ if (!mcf_chan->edesc) { ++ /* terminate_all called before */ ++ spin_unlock(&mcf_chan->vchan.lock); ++ continue; ++ } ++ + if (!mcf_chan->edesc->iscyclic) { + list_del(&mcf_chan->edesc->vdesc.node); + vchan_cookie_complete(&mcf_chan->edesc->vdesc); diff --git a/queue-5.7/drm-amd-display-handle-failed-allocation-during-stream-construction.patch b/queue-5.7/drm-amd-display-handle-failed-allocation-during-stream-construction.patch new file mode 100644 index 00000000000..eae50fcda63 --- /dev/null +++ b/queue-5.7/drm-amd-display-handle-failed-allocation-during-stream-construction.patch @@ -0,0 +1,79 @@ +From be73e608ae2711dc8a1ab8b9549d9e348061b2ee Mon Sep 17 00:00:00 2001 +From: Josip Pavic +Date: Mon, 6 Jul 2020 15:43:39 -0400 +Subject: drm/amd/display: handle failed allocation during stream construction + +From: Josip Pavic + +commit be73e608ae2711dc8a1ab8b9549d9e348061b2ee upstream. + +[Why] +Failing to allocate a transfer function during stream construction leads +to a null pointer dereference + +[How] +Handle the failed allocation by failing the stream construction + +Cc: stable@vger.kernel.org +Signed-off-by: Josip Pavic +Reviewed-by: Aric Cyr +Acked-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c +@@ -56,7 +56,7 @@ void update_stream_signal(struct dc_stre + } + } + +-static void dc_stream_construct(struct dc_stream_state *stream, ++static bool dc_stream_construct(struct dc_stream_state *stream, + struct dc_sink *dc_sink_data) + { + uint32_t i = 0; +@@ -118,11 +118,17 @@ static void dc_stream_construct(struct d + update_stream_signal(stream, dc_sink_data); + + stream->out_transfer_func = dc_create_transfer_func(); ++ if (stream->out_transfer_func == NULL) { ++ dc_sink_release(dc_sink_data); ++ return false; ++ } + stream->out_transfer_func->type = TF_TYPE_BYPASS; + stream->out_transfer_func->ctx = stream->ctx; + + stream->stream_id = stream->ctx->dc_stream_id_count; + stream->ctx->dc_stream_id_count++; ++ ++ return true; + } + + static void dc_stream_destruct(struct dc_stream_state *stream) +@@ -164,13 +170,20 @@ struct dc_stream_state *dc_create_stream + + stream = kzalloc(sizeof(struct dc_stream_state), GFP_KERNEL); + if (stream == NULL) +- return NULL; ++ goto alloc_fail; + +- dc_stream_construct(stream, sink); ++ if (dc_stream_construct(stream, sink) == false) ++ goto construct_fail; + + kref_init(&stream->refcount); + + return stream; ++ ++construct_fail: ++ kfree(stream); ++ ++alloc_fail: ++ return NULL; + } + + struct dc_stream_state *dc_copy_stream(const struct dc_stream_state *stream) diff --git a/queue-5.7/drm-amd-display-oled-panel-backlight-adjust-not-work-with-external-display-connected.patch b/queue-5.7/drm-amd-display-oled-panel-backlight-adjust-not-work-with-external-display-connected.patch new file mode 100644 index 00000000000..935f08f1a7c --- /dev/null +++ b/queue-5.7/drm-amd-display-oled-panel-backlight-adjust-not-work-with-external-display-connected.patch @@ -0,0 +1,52 @@ +From b448d30b0c303d5454ea572b772d1ffae96bc6e7 Mon Sep 17 00:00:00 2001 +From: hersen wu +Date: Mon, 22 Jun 2020 13:29:16 -0400 +Subject: drm/amd/display: OLED panel backlight adjust not work with external display connected + +From: hersen wu + +commit b448d30b0c303d5454ea572b772d1ffae96bc6e7 upstream. + +[Why] +amdgpu_dm->backlight_caps is for single eDP only. the caps are upddated +for very connector. Real eDP caps will be overwritten by other external +display. For OLED panel, caps->aux_support is set to 1 for OLED pnael. +after external connected, caps+.aux_support is set to 0. This causes +OLED backlight adjustment not work. + +[How] +within update_conector_ext_caps, backlight caps will be updated only for +eDP connector. + +Cc: stable@vger.kernel.org +Signed-off-by: hersen wu +Reviewed-by: Nicholas Kazlauskas +Acked-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1804,6 +1804,7 @@ static void update_connector_ext_caps(st + struct amdgpu_display_manager *dm; + struct drm_connector *conn_base; + struct amdgpu_device *adev; ++ struct dc_link *link = NULL; + static const u8 pre_computed_values[] = { + 50, 51, 52, 53, 55, 56, 57, 58, 59, 61, 62, 63, 65, 66, 68, 69, + 71, 72, 74, 75, 77, 79, 81, 82, 84, 86, 88, 90, 92, 94, 96, 98}; +@@ -1811,6 +1812,10 @@ static void update_connector_ext_caps(st + if (!aconnector || !aconnector->dc_link) + return; + ++ link = aconnector->dc_link; ++ if (link->connector_signal != SIGNAL_TYPE_EDP) ++ return; ++ + conn_base = &aconnector->base; + adev = conn_base->dev->dev_private; + dm = &adev->dm; diff --git a/queue-5.7/drm-amdgpu-display-create-fake-mst-encoders-ahead-of-time-v4.patch b/queue-5.7/drm-amdgpu-display-create-fake-mst-encoders-ahead-of-time-v4.patch new file mode 100644 index 00000000000..cdf6b0c4c79 --- /dev/null +++ b/queue-5.7/drm-amdgpu-display-create-fake-mst-encoders-ahead-of-time-v4.patch @@ -0,0 +1,205 @@ +From 3168470142e0a82b5732c04ed4c031a9322ae170 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 10 Jul 2020 17:50:00 -0400 +Subject: drm/amdgpu/display: create fake mst encoders ahead of time (v4) + +From: Alex Deucher + +commit 3168470142e0a82b5732c04ed4c031a9322ae170 upstream. + +Prevents a warning in the MST create connector case. + +v2: create global fake encoders rather per connector fake encoders +to avoid running out of encoder indices. + +v3: use the actual number of crtcs on the asic rather than the max +to conserve encoders. + +v4: v3 plus missing hunk I forgot to git add. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1108 +Fixes: c6385e503aeaf9 ("drm/amdgpu: drop legacy drm load and unload callbacks") +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 5.7.x +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 + + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 11 ++ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 57 +++++------- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h | 3 + 4 files changed, 50 insertions(+), 30 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -956,6 +956,9 @@ static int amdgpu_dm_init(struct amdgpu_ + /* Update the actual used number of crtc */ + adev->mode_info.num_crtc = adev->dm.display_indexes_num; + ++ /* create fake encoders for MST */ ++ dm_dp_create_fake_mst_encoders(adev); ++ + /* TODO: Add_display_info? */ + + /* TODO use dynamic cursor width */ +@@ -979,6 +982,12 @@ error: + + static void amdgpu_dm_fini(struct amdgpu_device *adev) + { ++ int i; ++ ++ for (i = 0; i < adev->dm.display_indexes_num; i++) { ++ drm_encoder_cleanup(&adev->dm.mst_encoders[i].base); ++ } ++ + amdgpu_dm_audio_fini(adev); + + amdgpu_dm_destroy_drm_device(&adev->dm); +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h +@@ -43,6 +43,9 @@ + */ + + #define AMDGPU_DM_MAX_DISPLAY_INDEX 31 ++ ++#define AMDGPU_DM_MAX_CRTC 6 ++ + /* + #include "include/amdgpu_dal_power_if.h" + #include "amdgpu_dm_irq.h" +@@ -327,6 +330,13 @@ struct amdgpu_display_manager { + * available in FW + */ + const struct gpu_info_soc_bounding_box_v1_0 *soc_bounding_box; ++ ++ /** ++ * @mst_encoders: ++ * ++ * fake encoders used for DP MST. ++ */ ++ struct amdgpu_encoder mst_encoders[AMDGPU_DM_MAX_CRTC]; + }; + + struct amdgpu_dm_connector { +@@ -355,7 +365,6 @@ struct amdgpu_dm_connector { + struct amdgpu_dm_dp_aux dm_dp_aux; + struct drm_dp_mst_port *port; + struct amdgpu_dm_connector *mst_port; +- struct amdgpu_encoder *mst_encoder; + struct drm_dp_aux *dsc_aux; + + /* TODO see if we can merge with ddc_bus or make a dm_connector */ +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +@@ -137,13 +137,10 @@ static void + dm_dp_mst_connector_destroy(struct drm_connector *connector) + { + struct amdgpu_dm_connector *amdgpu_dm_connector = to_amdgpu_dm_connector(connector); +- struct amdgpu_encoder *amdgpu_encoder = amdgpu_dm_connector->mst_encoder; + + kfree(amdgpu_dm_connector->edid); + amdgpu_dm_connector->edid = NULL; + +- drm_encoder_cleanup(&amdgpu_encoder->base); +- kfree(amdgpu_encoder); + drm_connector_cleanup(connector); + drm_dp_mst_put_port_malloc(amdgpu_dm_connector->port); + kfree(amdgpu_dm_connector); +@@ -280,7 +277,11 @@ static struct drm_encoder * + dm_mst_atomic_best_encoder(struct drm_connector *connector, + struct drm_connector_state *connector_state) + { +- return &to_amdgpu_dm_connector(connector)->mst_encoder->base; ++ struct drm_device *dev = connector->dev; ++ struct amdgpu_device *adev = dev->dev_private; ++ struct amdgpu_crtc *acrtc = to_amdgpu_crtc(connector_state->crtc); ++ ++ return &adev->dm.mst_encoders[acrtc->crtc_id].base; + } + + static int +@@ -343,31 +344,27 @@ static const struct drm_encoder_funcs am + .destroy = amdgpu_dm_encoder_destroy, + }; + +-static struct amdgpu_encoder * +-dm_dp_create_fake_mst_encoder(struct amdgpu_dm_connector *connector) ++void ++dm_dp_create_fake_mst_encoders(struct amdgpu_device *adev) + { +- struct drm_device *dev = connector->base.dev; +- struct amdgpu_device *adev = dev->dev_private; +- struct amdgpu_encoder *amdgpu_encoder; +- struct drm_encoder *encoder; +- +- amdgpu_encoder = kzalloc(sizeof(*amdgpu_encoder), GFP_KERNEL); +- if (!amdgpu_encoder) +- return NULL; ++ struct drm_device *dev = adev->ddev; ++ int i; + +- encoder = &amdgpu_encoder->base; +- encoder->possible_crtcs = amdgpu_dm_get_encoder_crtc_mask(adev); ++ for (i = 0; i < adev->dm.display_indexes_num; i++) { ++ struct amdgpu_encoder *amdgpu_encoder = &adev->dm.mst_encoders[i]; ++ struct drm_encoder *encoder = &amdgpu_encoder->base; ++ ++ encoder->possible_crtcs = amdgpu_dm_get_encoder_crtc_mask(adev); ++ ++ drm_encoder_init( ++ dev, ++ &amdgpu_encoder->base, ++ &amdgpu_dm_encoder_funcs, ++ DRM_MODE_ENCODER_DPMST, ++ NULL); + +- drm_encoder_init( +- dev, +- &amdgpu_encoder->base, +- &amdgpu_dm_encoder_funcs, +- DRM_MODE_ENCODER_DPMST, +- NULL); +- +- drm_encoder_helper_add(encoder, &amdgpu_dm_encoder_helper_funcs); +- +- return amdgpu_encoder; ++ drm_encoder_helper_add(encoder, &amdgpu_dm_encoder_helper_funcs); ++ } + } + + static struct drm_connector * +@@ -380,6 +377,7 @@ dm_dp_add_mst_connector(struct drm_dp_ms + struct amdgpu_device *adev = dev->dev_private; + struct amdgpu_dm_connector *aconnector; + struct drm_connector *connector; ++ int i; + + aconnector = kzalloc(sizeof(*aconnector), GFP_KERNEL); + if (!aconnector) +@@ -406,9 +404,10 @@ dm_dp_add_mst_connector(struct drm_dp_ms + master->dc_link, + master->connector_id); + +- aconnector->mst_encoder = dm_dp_create_fake_mst_encoder(master); +- drm_connector_attach_encoder(&aconnector->base, +- &aconnector->mst_encoder->base); ++ for (i = 0; i < adev->dm.display_indexes_num; i++) { ++ drm_connector_attach_encoder(&aconnector->base, ++ &adev->dm.mst_encoders[i].base); ++ } + + connector->max_bpc_property = master->base.max_bpc_property; + if (connector->max_bpc_property) +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h +@@ -35,6 +35,9 @@ void amdgpu_dm_initialize_dp_connector(s + struct amdgpu_dm_connector *aconnector, + int link_index); + ++void ++dm_dp_create_fake_mst_encoders(struct amdgpu_device *adev); ++ + #if defined(CONFIG_DRM_AMD_DC_DCN) + bool compute_mst_dsc_configs_for_state(struct drm_atomic_state *state, + struct dc_state *dc_state); diff --git a/queue-5.7/drm-amdgpu-powerplay-modify-smc-message-name-for-setting-power-profile-mode.patch b/queue-5.7/drm-amdgpu-powerplay-modify-smc-message-name-for-setting-power-profile-mode.patch new file mode 100644 index 00000000000..171d2236248 --- /dev/null +++ b/queue-5.7/drm-amdgpu-powerplay-modify-smc-message-name-for-setting-power-profile-mode.patch @@ -0,0 +1,37 @@ +From 98a34cf931e848f8489d3fb15a8f5fc03802ad65 Mon Sep 17 00:00:00 2001 +From: chen gong +Date: Mon, 13 Jul 2020 16:11:24 +0800 +Subject: drm/amdgpu/powerplay: Modify SMC message name for setting power profile mode + +From: chen gong + +commit 98a34cf931e848f8489d3fb15a8f5fc03802ad65 upstream. + +I consulted Cai Land(Chuntian.Cai@amd.com), he told me corresponding smc +message name to fSMC_MSG_SetWorkloadMask() is +"PPSMC_MSG_ActiveProcessNotify" in firmware code of Renoir. + +Strange though it may seem, but it's a fact. + +Signed-off-by: chen gong +Reviewed-by: Evan Quan +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/renoir_ppt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/powerplay/renoir_ppt.c ++++ b/drivers/gpu/drm/amd/powerplay/renoir_ppt.c +@@ -687,7 +687,7 @@ static int renoir_set_power_profile_mode + return -EINVAL; + } + +- ret = smu_send_smc_msg_with_param(smu, SMU_MSG_SetWorkloadMask, ++ ret = smu_send_smc_msg_with_param(smu, SMU_MSG_ActiveProcessNotify, + 1 << workload_type, + NULL); + if (ret) { diff --git a/queue-5.7/drm-amdgpu-sdma5-fix-wptr-overwritten-in-get_wptr.patch b/queue-5.7/drm-amdgpu-sdma5-fix-wptr-overwritten-in-get_wptr.patch new file mode 100644 index 00000000000..038f2569163 --- /dev/null +++ b/queue-5.7/drm-amdgpu-sdma5-fix-wptr-overwritten-in-get_wptr.patch @@ -0,0 +1,76 @@ +From 05051496b2622e4d12e2036b35165969aa502f89 Mon Sep 17 00:00:00 2001 +From: Xiaojie Yuan +Date: Tue, 14 Jul 2020 15:47:31 +0800 +Subject: drm/amdgpu/sdma5: fix wptr overwritten in ->get_wptr() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xiaojie Yuan + +commit 05051496b2622e4d12e2036b35165969aa502f89 upstream. + +"u64 *wptr" points to the the wptr value in write back buffer and +"*wptr = (*wptr) >> 2;" results in the value being overwritten each time +when ->get_wptr() is called. + +umr uses /sys/kernel/debug/dri/0/amdgpu_ring_sdma0 to get rptr/wptr and +decode ring content and it is affected by this issue. + +fix and simplify the logic similar as sdma_v4_0_ring_get_wptr(). + +v2: fix for sdma5.2 as well +v3: drop sdma 5.2 changes for 5.8 and stable + +Suggested-by: Le Ma +Signed-off-by: Xiaojie Yuan +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c | 26 ++++++++------------------ + 1 file changed, 8 insertions(+), 18 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c +@@ -286,30 +286,20 @@ static uint64_t sdma_v5_0_ring_get_rptr( + static uint64_t sdma_v5_0_ring_get_wptr(struct amdgpu_ring *ring) + { + struct amdgpu_device *adev = ring->adev; +- u64 *wptr = NULL; +- uint64_t local_wptr = 0; ++ u64 wptr; + + if (ring->use_doorbell) { + /* XXX check if swapping is necessary on BE */ +- wptr = ((u64 *)&adev->wb.wb[ring->wptr_offs]); +- DRM_DEBUG("wptr/doorbell before shift == 0x%016llx\n", *wptr); +- *wptr = (*wptr) >> 2; +- DRM_DEBUG("wptr/doorbell after shift == 0x%016llx\n", *wptr); ++ wptr = READ_ONCE(*((u64 *)&adev->wb.wb[ring->wptr_offs])); ++ DRM_DEBUG("wptr/doorbell before shift == 0x%016llx\n", wptr); + } else { +- u32 lowbit, highbit; +- +- wptr = &local_wptr; +- lowbit = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR)) >> 2; +- highbit = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI)) >> 2; +- +- DRM_DEBUG("wptr [%i]high== 0x%08x low==0x%08x\n", +- ring->me, highbit, lowbit); +- *wptr = highbit; +- *wptr = (*wptr) << 32; +- *wptr |= lowbit; ++ wptr = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI)); ++ wptr = wptr << 32; ++ wptr |= RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR)); ++ DRM_DEBUG("wptr before shift [%i] wptr == 0x%016llx\n", ring->me, wptr); + } + +- return *wptr; ++ return wptr >> 2; + } + + /** diff --git a/queue-5.7/drm-i915-gt-ignore-irq-enabling-on-the-virtual-engines.patch b/queue-5.7/drm-i915-gt-ignore-irq-enabling-on-the-virtual-engines.patch new file mode 100644 index 00000000000..b29ecf4eee2 --- /dev/null +++ b/queue-5.7/drm-i915-gt-ignore-irq-enabling-on-the-virtual-engines.patch @@ -0,0 +1,42 @@ +From 858f1299fd6f7518ddef19ddd304c8398ac79fa5 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Sat, 11 Jul 2020 21:32:36 +0100 +Subject: drm/i915/gt: Ignore irq enabling on the virtual engines + +From: Chris Wilson + +commit 858f1299fd6f7518ddef19ddd304c8398ac79fa5 upstream. + +We do not use the virtual engines for interrupts (they have physical +components), but we do use them to decouple the fence signaling during +submission. Currently, when we submit a completed request, we try to +enable the interrupt handler for the virtual engine, but we never disarm +it. A quick fix is then to mark the irq as enabled, and it will then +remain enabled -- and this prevents us from waking the device and never +letting it sleep again. + +Fixes: f8db4d051b5e ("drm/i915: Initialise breadcrumb lists on the virtual engine") +Signed-off-by: Chris Wilson +Cc: Mika Kuoppala +Cc: Tvrtko Ursulin +Cc: # v5.5+ +Reviewed-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/20200711203236.12330-1-chris@chris-wilson.co.uk +(cherry picked from commit 4fe6abb8f51355224808ab02a9febf65d184c40b) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gt/intel_lrc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/gt/intel_lrc.c ++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c +@@ -5188,6 +5188,7 @@ intel_execlists_create_virtual(struct in + intel_engine_init_active(&ve->base, ENGINE_VIRTUAL); + intel_engine_init_breadcrumbs(&ve->base); + intel_engine_init_execlists(&ve->base); ++ ve->base.breadcrumbs.irq_armed = true; /* fake HW, used for irq_work */ + + ve->base.cops = &virtual_context_ops; + ve->base.request_alloc = execlists_request_alloc; diff --git a/queue-5.7/drm-i915-gt-only-swap-to-a-random-sibling-once-upon-creation.patch b/queue-5.7/drm-i915-gt-only-swap-to-a-random-sibling-once-upon-creation.patch new file mode 100644 index 00000000000..1be04e2307e --- /dev/null +++ b/queue-5.7/drm-i915-gt-only-swap-to-a-random-sibling-once-upon-creation.patch @@ -0,0 +1,72 @@ +From 110f9efa858f584c6bed177cd48d0c0f526940e1 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Mon, 13 Jul 2020 17:05:49 +0100 +Subject: drm/i915/gt: Only swap to a random sibling once upon creation + +From: Chris Wilson + +commit 110f9efa858f584c6bed177cd48d0c0f526940e1 upstream. + +The danger in switching at random upon intel_context_pin is that the +context may still actually be inflight, as it will not be scheduled out +until a context switch after it is complete -- that may be a long time +after we do a final intel_context_unpin. + +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2118 +Fixes: 6d06779e8672 ("drm/i915: Load balancing across a virtual engine") +Signed-off-by: Chris Wilson +Cc: Tvrtko Ursulin +Cc: # v5.3+ +Reviewed-by: Tvrtko Ursulin +Link: https://patchwork.freedesktop.org/patch/msgid/20200713160549.17344-1-chris@chris-wilson.co.uk +(cherry picked from commit 90a987205c6cf74116a102ed446d22d92cdaf915) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gt/intel_lrc.c | 18 ++++-------------- + 1 file changed, 4 insertions(+), 14 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/intel_lrc.c ++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c +@@ -4897,13 +4897,8 @@ static void virtual_engine_initial_hint( + * typically be the first we inspect for submission. + */ + swp = prandom_u32_max(ve->num_siblings); +- if (!swp) +- return; +- +- swap(ve->siblings[swp], ve->siblings[0]); +- if (!intel_engine_has_relative_mmio(ve->siblings[0])) +- virtual_update_register_offsets(ve->context.lrc_reg_state, +- ve->siblings[0]); ++ if (swp) ++ swap(ve->siblings[swp], ve->siblings[0]); + } + + static int virtual_context_alloc(struct intel_context *ce) +@@ -4916,15 +4911,9 @@ static int virtual_context_alloc(struct + static int virtual_context_pin(struct intel_context *ce) + { + struct virtual_engine *ve = container_of(ce, typeof(*ve), context); +- int err; + + /* Note: we must use a real engine class for setting up reg state */ +- err = __execlists_context_pin(ce, ve->siblings[0]); +- if (err) +- return err; +- +- virtual_engine_initial_hint(ve); +- return 0; ++ return __execlists_context_pin(ce, ve->siblings[0]); + } + + static void virtual_context_enter(struct intel_context *ce) +@@ -5270,6 +5259,7 @@ intel_execlists_create_virtual(struct in + + ve->base.flags |= I915_ENGINE_IS_VIRTUAL; + ++ virtual_engine_initial_hint(ve); + return &ve->context; + + err_put: diff --git a/queue-5.7/drm-i915-move-cec_notifier-to-intel_hdmi_connector_unregister-v2.patch b/queue-5.7/drm-i915-move-cec_notifier-to-intel_hdmi_connector_unregister-v2.patch new file mode 100644 index 00000000000..97def0430db --- /dev/null +++ b/queue-5.7/drm-i915-move-cec_notifier-to-intel_hdmi_connector_unregister-v2.patch @@ -0,0 +1,146 @@ +From 6647e6cdba753e71170be7da2acfead7154f56d8 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Wed, 12 Feb 2020 14:54:45 +0100 +Subject: drm/i915: Move cec_notifier to intel_hdmi_connector_unregister, v2. + +From: Maarten Lankhorst + +commit 6647e6cdba753e71170be7da2acfead7154f56d8 upstream. + +This fixes the following KASAN splash on module reload: +[ 145.136327] ================================================================== +[ 145.136502] BUG: KASAN: use-after-free in intel_hdmi_destroy+0x74/0x80 [i915] +[ 145.136514] Read of size 8 at addr ffff888216641830 by task kworker/1:1/134 + +[ 145.136535] CPU: 1 PID: 134 Comm: kworker/1:1 Tainted: G U T 5.5.0-rc7-valkyria+ #5783 +[ 145.136539] Hardware name: GIGABYTE GB-BKi3A-7100/MFLP3AP-00, BIOS F1 07/27/2016 +[ 145.136546] Workqueue: events drm_connector_free_work_fn +[ 145.136551] Call Trace: +[ 145.136560] dump_stack+0xa1/0xe0 +[ 145.136571] print_address_description.constprop.0+0x1e/0x210 +[ 145.136639] ? intel_hdmi_destroy+0x74/0x80 [i915] +[ 145.136703] ? intel_hdmi_destroy+0x74/0x80 [i915] +[ 145.136710] __kasan_report.cold+0x1b/0x37 +[ 145.136790] ? intel_hdmi_destroy+0x74/0x80 [i915] +[ 145.136863] ? intel_hdmi_destroy+0x74/0x80 [i915] +[ 145.136870] kasan_report+0x27/0x30 +[ 145.136881] __asan_report_load8_noabort+0x1c/0x20 +[ 145.136946] intel_hdmi_destroy+0x74/0x80 [i915] +[ 145.136954] drm_connector_free_work_fn+0xd1/0x100 +[ 145.136967] process_one_work+0x86e/0x1610 +[ 145.136987] ? pwq_dec_nr_in_flight+0x2f0/0x2f0 +[ 145.137004] ? move_linked_works+0x128/0x2c0 +[ 145.137021] worker_thread+0x63e/0xc90 +[ 145.137048] kthread+0x2f6/0x3f0 +[ 145.137054] ? calculate_sigpending+0x81/0xa0 +[ 145.137059] ? process_one_work+0x1610/0x1610 +[ 145.137064] ? kthread_bind+0x40/0x40 +[ 145.137075] ret_from_fork+0x24/0x30 + +[ 145.137111] Allocated by task 0: +[ 145.137119] (stack is not available) + +[ 145.137137] Freed by task 5053: +[ 145.137147] save_stack+0x28/0x90 +[ 145.137152] __kasan_slab_free+0x136/0x180 +[ 145.137157] kasan_slab_free+0x26/0x30 +[ 145.137161] kfree+0xe6/0x350 +[ 145.137242] intel_ddi_encoder_destroy+0x60/0x80 [i915] +[ 145.137252] drm_mode_config_cleanup+0x11d/0x8f0 +[ 145.137329] intel_modeset_driver_remove+0x1f5/0x350 [i915] +[ 145.137403] i915_driver_remove+0xc4/0x130 [i915] +[ 145.137482] i915_pci_remove+0x3e/0x90 [i915] +[ 145.137489] pci_device_remove+0x108/0x2d0 +[ 145.137494] device_release_driver_internal+0x1e6/0x4a0 +[ 145.137499] driver_detach+0xcb/0x198 +[ 145.137503] bus_remove_driver+0xde/0x204 +[ 145.137508] driver_unregister+0x6d/0xa0 +[ 145.137513] pci_unregister_driver+0x2e/0x230 +[ 145.137576] i915_exit+0x1f/0x26 [i915] +[ 145.137157] kasan_slab_free+0x26/0x30 +[ 145.137161] kfree+0xe6/0x350 +[ 145.137242] intel_ddi_encoder_destroy+0x60/0x80 [i915] +[ 145.137252] drm_mode_config_cleanup+0x11d/0x8f0 +[ 145.137329] intel_modeset_driver_remove+0x1f5/0x350 [i915] +[ 145.137403] i915_driver_remove+0xc4/0x130 [i915] +[ 145.137482] i915_pci_remove+0x3e/0x90 [i915] +[ 145.137489] pci_device_remove+0x108/0x2d0 +[ 145.137494] device_release_driver_internal+0x1e6/0x4a0 +[ 145.137499] driver_detach+0xcb/0x198 +[ 145.137503] bus_remove_driver+0xde/0x204 +[ 145.137508] driver_unregister+0x6d/0xa0 +[ 145.137513] pci_unregister_driver+0x2e/0x230 +[ 145.137576] i915_exit+0x1f/0x26 [i915] +[ 145.137581] __x64_sys_delete_module+0x35b/0x470 +[ 145.137586] do_syscall_64+0x99/0x4e0 +[ 145.137591] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +[ 145.137606] The buggy address belongs to the object at ffff888216640000 + which belongs to the cache kmalloc-8k of size 8192 +[ 145.137618] The buggy address is located 6192 bytes inside of + 8192-byte region [ffff888216640000, ffff888216642000) +[ 145.137630] The buggy address belongs to the page: +[ 145.137640] page:ffffea0008599000 refcount:1 mapcount:0 mapping:ffff888107c02a80 index:0xffff888216644000 compound_mapcount: 0 +[ 145.137647] raw: 0200000000010200 0000000000000000 0000000100000001 ffff888107c02a80 +[ 145.137652] raw: ffff888216644000 0000000080020001 00000001ffffffff 0000000000000000 +[ 145.137656] page dumped because: kasan: bad access detected + +[ 145.137668] Memory state around the buggy address: +[ 145.137678] ffff888216641700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 145.137687] ffff888216641780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 145.137697] >ffff888216641800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 145.137706] ^ +[ 145.137715] ffff888216641880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 145.137724] ffff888216641900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 145.137733] ================================================================== +[ 145.137742] Disabling lock debugging due to kernel taint + +Changes since v1: +- Add fixes tags. +- Use early unregister. + +Signed-off-by: Maarten Lankhorst +Fixes: 9c229127aee2 ("drm/i915: hdmi: add CEC notifier to intel_hdmi") +Cc: # v4.19+ +Reviewed-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200212135445.1469133-1-maarten.lankhorst@linux.intel.com +(cherry picked from commit a581483b1e5466d28fc50ff623fba31cea2cccb6) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/display/intel_hdmi.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_hdmi.c ++++ b/drivers/gpu/drm/i915/display/intel_hdmi.c +@@ -2821,19 +2821,13 @@ intel_hdmi_connector_register(struct drm + return ret; + } + +-static void intel_hdmi_destroy(struct drm_connector *connector) ++static void intel_hdmi_connector_unregister(struct drm_connector *connector) + { + struct cec_notifier *n = intel_attached_hdmi(to_intel_connector(connector))->cec_notifier; + + cec_notifier_conn_unregister(n); + +- intel_connector_destroy(connector); +-} +- +-static void intel_hdmi_connector_unregister(struct drm_connector *connector) +-{ + intel_hdmi_remove_i2c_symlink(connector); +- + intel_connector_unregister(connector); + } + +@@ -2845,7 +2839,7 @@ static const struct drm_connector_funcs + .atomic_set_property = intel_digital_connector_atomic_set_property, + .late_register = intel_hdmi_connector_register, + .early_unregister = intel_hdmi_connector_unregister, +- .destroy = intel_hdmi_destroy, ++ .destroy = intel_connector_destroy, + .atomic_destroy_state = drm_atomic_helper_connector_destroy_state, + .atomic_duplicate_state = intel_digital_connector_duplicate_state, + }; diff --git a/queue-5.7/drm-vmwgfx-fix-update-of-display-surface-when-resolution-changes.patch b/queue-5.7/drm-vmwgfx-fix-update-of-display-surface-when-resolution-changes.patch new file mode 100644 index 00000000000..8c1442fd2a7 --- /dev/null +++ b/queue-5.7/drm-vmwgfx-fix-update-of-display-surface-when-resolution-changes.patch @@ -0,0 +1,49 @@ +From 1f054fd26e29784d373c3d29c348ee48f1c41fb2 Mon Sep 17 00:00:00 2001 +From: Roland Scheidegger +Date: Thu, 9 Jul 2020 18:54:14 +0200 +Subject: drm/vmwgfx: fix update of display surface when resolution changes + +From: Roland Scheidegger + +commit 1f054fd26e29784d373c3d29c348ee48f1c41fb2 upstream. + +The assignment of metadata overwrote the new display resolution values, +hence we'd miss the size actually changed and wouldn't redefine the +surface. This would then lead to command buffer error when trying to +update the screen target (due to the size mismatch), and result in a +VM with black screen. + +Fixes: 504901dbb0b5 ("drm/vmwgfx: Refactor surface_define to use vmw_surface_metadata") +Reviewed-by: Charmaine Lee +Signed-off-by: Roland Scheidegger +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c +@@ -1069,10 +1069,6 @@ vmw_stdu_primary_plane_prepare_fb(struct + if (new_content_type != SAME_AS_DISPLAY) { + struct vmw_surface_metadata metadata = {0}; + +- metadata.base_size.width = hdisplay; +- metadata.base_size.height = vdisplay; +- metadata.base_size.depth = 1; +- + /* + * If content buffer is a buffer object, then we have to + * construct surface info +@@ -1104,6 +1100,10 @@ vmw_stdu_primary_plane_prepare_fb(struct + metadata = new_vfbs->surface->metadata; + } + ++ metadata.base_size.width = hdisplay; ++ metadata.base_size.height = vdisplay; ++ metadata.base_size.depth = 1; ++ + if (vps->surf) { + struct drm_vmw_size cur_base_size = + vps->surf->metadata.base_size; diff --git a/queue-5.7/fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch b/queue-5.7/fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch new file mode 100644 index 00000000000..fe5b7af1ec1 --- /dev/null +++ b/queue-5.7/fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch @@ -0,0 +1,65 @@ +From 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 Mon Sep 17 00:00:00 2001 +From: Chirantan Ekbote +Date: Tue, 14 Jul 2020 19:26:39 +0900 +Subject: fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS + +From: Chirantan Ekbote + +commit 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 upstream. + +The ioctl encoding for this parameter is a long but the documentation says +it should be an int and the kernel drivers expect it to be an int. If the +fuse driver treats this as a long it might end up scribbling over the stack +of a userspace process that only allocated enough space for an int. + +This was previously discussed in [1] and a patch for fuse was proposed in +[2]. From what I can tell the patch in [2] was nacked in favor of adding +new, "fixed" ioctls and using those from userspace. However there is still +no "fixed" version of these ioctls and the fact is that it's sometimes +infeasible to change all userspace to use the new one. + +Handling the ioctls specially in the fuse driver seems like the most +pragmatic way for fuse servers to support them without causing crashes in +userspace applications that call them. + +[1]: https://lore.kernel.org/linux-fsdevel/20131126200559.GH20559@hall.aurel32.net/T/ +[2]: https://sourceforge.net/p/fuse/mailman/message/31771759/ + +Signed-off-by: Chirantan Ekbote +Fixes: 59efec7b9039 ("fuse: implement ioctl support") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + static struct page **fuse_pages_alloc(unsigned int npages, gfp_t flags, + struct fuse_page_desc **desc) +@@ -2758,7 +2759,16 @@ long fuse_do_ioctl(struct file *file, un + struct iovec *iov = iov_page; + + iov->iov_base = (void __user *)arg; +- iov->iov_len = _IOC_SIZE(cmd); ++ ++ switch (cmd) { ++ case FS_IOC_GETFLAGS: ++ case FS_IOC_SETFLAGS: ++ iov->iov_len = sizeof(int); ++ break; ++ default: ++ iov->iov_len = _IOC_SIZE(cmd); ++ break; ++ } + + if (_IOC_DIR(cmd) & _IOC_WRITE) { + in_iov = iov; diff --git a/queue-5.7/fuse-ignore-data-argument-of-mount-...-ms_remount.patch b/queue-5.7/fuse-ignore-data-argument-of-mount-...-ms_remount.patch new file mode 100644 index 00000000000..2274feec75d --- /dev/null +++ b/queue-5.7/fuse-ignore-data-argument-of-mount-...-ms_remount.patch @@ -0,0 +1,50 @@ +From e8b20a474cf2c42698d1942f939ff2128819f151 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 14 Jul 2020 14:45:41 +0200 +Subject: fuse: ignore 'data' argument of mount(..., MS_REMOUNT) + +From: Miklos Szeredi + +commit e8b20a474cf2c42698d1942f939ff2128819f151 upstream. + +The command + + mount -o remount -o unknownoption /mnt/fuse + +succeeds on kernel versions prior to v5.4 and fails on kernel version at or +after. This is because fuse_parse_param() rejects any unrecognised options +in case of FS_CONTEXT_FOR_RECONFIGURE, just as for FS_CONTEXT_FOR_MOUNT. + +This causes a regression in case the fuse filesystem is in fstab, since +remount sends all options found there to the kernel; even ones that are +meant for the initial mount and are consumed by the userspace fuse server. + +Fix this by ignoring mount options, just as fuse_remount_fs() did prior to +the conversion to the new API. + +Reported-by: Stefan Priebe +Fixes: c30da2e981a7 ("fuse: convert to use the new mount API") +Cc: # v5.4 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -468,6 +468,13 @@ static int fuse_parse_param(struct fs_co + struct fuse_fs_context *ctx = fc->fs_private; + int opt; + ++ /* ++ * Ignore options coming from mount(MS_REMOUNT) for backward ++ * compatibility. ++ */ ++ if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE) ++ return 0; ++ + opt = fs_parse(fc, fuse_fs_parameters, param, &result); + if (opt < 0) + return opt; diff --git a/queue-5.7/fuse-use-reconfigure-instead-of-remount_fs.patch b/queue-5.7/fuse-use-reconfigure-instead-of-remount_fs.patch new file mode 100644 index 00000000000..2ae0b87c08e --- /dev/null +++ b/queue-5.7/fuse-use-reconfigure-instead-of-remount_fs.patch @@ -0,0 +1,57 @@ +From 0189a2d367f49729622fdafaef5da73161591859 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Tue, 14 Jul 2020 14:45:41 +0200 +Subject: fuse: use ->reconfigure() instead of ->remount_fs() + +From: Miklos Szeredi + +commit 0189a2d367f49729622fdafaef5da73161591859 upstream. + +s_op->remount_fs() is only called from legacy_reconfigure(), which is not +used after being converted to the new API. + +Convert to using ->reconfigure(). This restores the previous behavior of +syncing the filesystem and rejecting MS_MANDLOCK on remount. + +Fixes: c30da2e981a7 ("fuse: convert to use the new mount API") +Cc: # v5.4 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/inode.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -121,10 +121,12 @@ static void fuse_evict_inode(struct inod + } + } + +-static int fuse_remount_fs(struct super_block *sb, int *flags, char *data) ++static int fuse_reconfigure(struct fs_context *fc) + { ++ struct super_block *sb = fc->root->d_sb; ++ + sync_filesystem(sb); +- if (*flags & SB_MANDLOCK) ++ if (fc->sb_flags & SB_MANDLOCK) + return -EINVAL; + + return 0; +@@ -817,7 +819,6 @@ static const struct super_operations fus + .evict_inode = fuse_evict_inode, + .write_inode = fuse_write_inode, + .drop_inode = generic_delete_inode, +- .remount_fs = fuse_remount_fs, + .put_super = fuse_put_super, + .umount_begin = fuse_umount_begin, + .statfs = fuse_statfs, +@@ -1291,6 +1292,7 @@ static int fuse_get_tree(struct fs_conte + static const struct fs_context_operations fuse_context_ops = { + .free = fuse_free_fc, + .parse_param = fuse_parse_param, ++ .reconfigure = fuse_reconfigure, + .get_tree = fuse_get_tree, + }; + diff --git a/queue-5.7/genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch b/queue-5.7/genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch new file mode 100644 index 00000000000..a91f93763ce --- /dev/null +++ b/queue-5.7/genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch @@ -0,0 +1,164 @@ +From baedb87d1b53532f81b4bd0387f83b05d4f7eb9a Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 17 Jul 2020 18:00:02 +0200 +Subject: genirq/affinity: Handle affinity setting on inactive interrupts correctly + +From: Thomas Gleixner + +commit baedb87d1b53532f81b4bd0387f83b05d4f7eb9a upstream. + +Setting interrupt affinity on inactive interrupts is inconsistent when +hierarchical irq domains are enabled. The core code should just store the +affinity and not call into the irq chip driver for inactive interrupts +because the chip drivers may not be in a state to handle such requests. + +X86 has a hacky workaround for that but all other irq chips have not which +causes problems e.g. on GIC V3 ITS. + +Instead of adding more ugly hacks all over the place, solve the problem in +the core code. If the affinity is set on an inactive interrupt then: + + - Store it in the irq descriptors affinity mask + - Update the effective affinity to reflect that so user space has + a consistent view + - Don't call into the irq chip driver + +This is the core equivalent of the X86 workaround and works correctly +because the affinity setting is established in the irq chip when the +interrupt is activated later on. + +Note, that this is only effective when hierarchical irq domains are enabled +by the architecture. Doing it unconditionally would break legacy irq chip +implementations. + +For hierarchial irq domains this works correctly as none of the drivers can +have a dependency on affinity setting in inactive state by design. + +Remove the X86 workaround as it is not longer required. + +Fixes: 02edee152d6e ("x86/apic/vector: Ignore set_affinity call for inactive interrupts") +Reported-by: Ali Saidi +Signed-off-by: Thomas Gleixner +Tested-by: Ali Saidi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200529015501.15771-1-alisaidi@amazon.com +Link: https://lkml.kernel.org/r/877dv2rv25.fsf@nanos.tec.linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/vector.c | 22 +++++----------------- + kernel/irq/manage.c | 37 +++++++++++++++++++++++++++++++++++-- + 2 files changed, 40 insertions(+), 19 deletions(-) + +--- a/arch/x86/kernel/apic/vector.c ++++ b/arch/x86/kernel/apic/vector.c +@@ -446,12 +446,10 @@ static int x86_vector_activate(struct ir + trace_vector_activate(irqd->irq, apicd->is_managed, + apicd->can_reserve, reserve); + +- /* Nothing to do for fixed assigned vectors */ +- if (!apicd->can_reserve && !apicd->is_managed) +- return 0; +- + raw_spin_lock_irqsave(&vector_lock, flags); +- if (reserve || irqd_is_managed_and_shutdown(irqd)) ++ if (!apicd->can_reserve && !apicd->is_managed) ++ assign_irq_vector_any_locked(irqd); ++ else if (reserve || irqd_is_managed_and_shutdown(irqd)) + vector_assign_managed_shutdown(irqd); + else if (apicd->is_managed) + ret = activate_managed(irqd); +@@ -775,20 +773,10 @@ void lapic_offline(void) + static int apic_set_affinity(struct irq_data *irqd, + const struct cpumask *dest, bool force) + { +- struct apic_chip_data *apicd = apic_chip_data(irqd); + int err; + +- /* +- * Core code can call here for inactive interrupts. For inactive +- * interrupts which use managed or reservation mode there is no +- * point in going through the vector assignment right now as the +- * activation will assign a vector which fits the destination +- * cpumask. Let the core code store the destination mask and be +- * done with it. +- */ +- if (!irqd_is_activated(irqd) && +- (apicd->is_managed || apicd->can_reserve)) +- return IRQ_SET_MASK_OK; ++ if (WARN_ON_ONCE(!irqd_is_activated(irqd))) ++ return -EIO; + + raw_spin_lock(&vector_lock); + cpumask_and(vector_searchmask, dest, cpu_online_mask); +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -195,9 +195,9 @@ void irq_set_thread_affinity(struct irq_ + set_bit(IRQTF_AFFINITY, &action->thread_flags); + } + ++#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK + static void irq_validate_effective_affinity(struct irq_data *data) + { +-#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK + const struct cpumask *m = irq_data_get_effective_affinity_mask(data); + struct irq_chip *chip = irq_data_get_irq_chip(data); + +@@ -205,9 +205,19 @@ static void irq_validate_effective_affin + return; + pr_warn_once("irq_chip %s did not update eff. affinity mask of irq %u\n", + chip->name, data->irq); +-#endif + } + ++static inline void irq_init_effective_affinity(struct irq_data *data, ++ const struct cpumask *mask) ++{ ++ cpumask_copy(irq_data_get_effective_affinity_mask(data), mask); ++} ++#else ++static inline void irq_validate_effective_affinity(struct irq_data *data) { } ++static inline void irq_init_effective_affinity(struct irq_data *data, ++ const struct cpumask *mask) { } ++#endif ++ + int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask, + bool force) + { +@@ -304,6 +314,26 @@ static int irq_try_set_affinity(struct i + return ret; + } + ++static bool irq_set_affinity_deactivated(struct irq_data *data, ++ const struct cpumask *mask, bool force) ++{ ++ struct irq_desc *desc = irq_data_to_desc(data); ++ ++ /* ++ * If the interrupt is not yet activated, just store the affinity ++ * mask and do not call the chip driver at all. On activation the ++ * driver has to make sure anyway that the interrupt is in a ++ * useable state so startup works. ++ */ ++ if (!IS_ENABLED(CONFIG_IRQ_DOMAIN_HIERARCHY) || irqd_is_activated(data)) ++ return false; ++ ++ cpumask_copy(desc->irq_common_data.affinity, mask); ++ irq_init_effective_affinity(data, mask); ++ irqd_set(data, IRQD_AFFINITY_SET); ++ return true; ++} ++ + int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask, + bool force) + { +@@ -314,6 +344,9 @@ int irq_set_affinity_locked(struct irq_d + if (!chip || !chip->irq_set_affinity) + return -EINVAL; + ++ if (irq_set_affinity_deactivated(data, mask, force)) ++ return 0; ++ + if (irq_can_move_pcntxt(data) && !irqd_is_setaffinity_pending(data)) { + ret = irq_try_set_affinity(data, mask, force); + } else { diff --git a/queue-5.7/hwmon-drivetemp-avoid-sct-usage-on-toshiba-dt01aca-family-drives.patch b/queue-5.7/hwmon-drivetemp-avoid-sct-usage-on-toshiba-dt01aca-family-drives.patch new file mode 100644 index 00000000000..e755916d667 --- /dev/null +++ b/queue-5.7/hwmon-drivetemp-avoid-sct-usage-on-toshiba-dt01aca-family-drives.patch @@ -0,0 +1,90 @@ +From c66ef39eb27fe123ee05082b90eb2985c33c7715 Mon Sep 17 00:00:00 2001 +From: "Maciej S. Szmigiero" +Date: Sat, 18 Jul 2020 14:32:10 +0200 +Subject: hwmon: (drivetemp) Avoid SCT usage on Toshiba DT01ACA family drives + +From: Maciej S. Szmigiero + +commit c66ef39eb27fe123ee05082b90eb2985c33c7715 upstream. + +It has been observed that Toshiba DT01ACA family drives have +WRITE FPDMA QUEUED command timeouts and sometimes just freeze until +power-cycled under heavy write loads when their temperature is getting +polled in SCT mode. The SMART mode seems to be fine, though. + +Let's make sure we don't use SCT mode for these drives then. + +While only the 3 TB model was actually caught exhibiting the problem let's +play safe here to avoid data corruption and extend the ban to the whole +family. + +Fixes: 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors") +Cc: stable@vger.kernel.org +Signed-off-by: Maciej S. Szmigiero +Link: https://lore.kernel.org/r/0cb2e7022b66c6d21d3f189a12a97878d0e7511b.1595075458.git.mail@maciej.szmigiero.name +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/drivetemp.c | 43 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +--- a/drivers/hwmon/drivetemp.c ++++ b/drivers/hwmon/drivetemp.c +@@ -285,6 +285,42 @@ static int drivetemp_get_scttemp(struct + return err; + } + ++static const char * const sct_avoid_models[] = { ++/* ++ * These drives will have WRITE FPDMA QUEUED command timeouts and sometimes just ++ * freeze until power-cycled under heavy write loads when their temperature is ++ * getting polled in SCT mode. The SMART mode seems to be fine, though. ++ * ++ * While only the 3 TB model (DT01ACA3) was actually caught exhibiting the ++ * problem let's play safe here to avoid data corruption and ban the whole ++ * DT01ACAx family. ++ ++ * The models from this array are prefix-matched. ++ */ ++ "TOSHIBA DT01ACA", ++}; ++ ++static bool drivetemp_sct_avoid(struct drivetemp_data *st) ++{ ++ struct scsi_device *sdev = st->sdev; ++ unsigned int ctr; ++ ++ if (!sdev->model) ++ return false; ++ ++ /* ++ * The "model" field contains just the raw SCSI INQUIRY response ++ * "product identification" field, which has a width of 16 bytes. ++ * This field is space-filled, but is NOT NULL-terminated. ++ */ ++ for (ctr = 0; ctr < ARRAY_SIZE(sct_avoid_models); ctr++) ++ if (!strncmp(sdev->model, sct_avoid_models[ctr], ++ strlen(sct_avoid_models[ctr]))) ++ return true; ++ ++ return false; ++} ++ + static int drivetemp_identify_sata(struct drivetemp_data *st) + { + struct scsi_device *sdev = st->sdev; +@@ -326,6 +362,13 @@ static int drivetemp_identify_sata(struc + /* bail out if this is not a SATA device */ + if (!is_ata || !is_sata) + return -ENODEV; ++ ++ if (have_sct && drivetemp_sct_avoid(st)) { ++ dev_notice(&sdev->sdev_gendev, ++ "will avoid using SCT for temperature monitoring\n"); ++ have_sct = false; ++ } ++ + if (!have_sct) + goto skip_sct; + diff --git a/queue-5.7/hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch b/queue-5.7/hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch new file mode 100644 index 00000000000..fe4b70a0f3d --- /dev/null +++ b/queue-5.7/hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch @@ -0,0 +1,40 @@ +From 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc Mon Sep 17 00:00:00 2001 +From: Vishwas M +Date: Tue, 7 Jul 2020 19:57:47 +0530 +Subject: hwmon: (emc2103) fix unable to change fan pwm1_enable attribute + +From: Vishwas M + +commit 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc upstream. + +This patch fixes a bug which does not let FAN mode to be changed from +sysfs(pwm1_enable). i.e pwm1_enable can not be set to 3, it will always +remain at 0. + +This is caused because the device driver handles the result of +"read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg)" incorrectly. The +driver thinks an error has occurred if the (result != 0). This has been +fixed by changing the condition to (result < 0). + +Signed-off-by: Vishwas M +Link: https://lore.kernel.org/r/20200707142747.118414-1-vishwas.reddy.vr@gmail.com +Fixes: 9df7305b5a86 ("hwmon: Add driver for SMSC EMC2103 temperature monitor and fan controller") +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/emc2103.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/emc2103.c ++++ b/drivers/hwmon/emc2103.c +@@ -443,7 +443,7 @@ static ssize_t pwm1_enable_store(struct + } + + result = read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg); +- if (result) { ++ if (result < 0) { + count = result; + goto err; + } diff --git a/queue-5.7/input-elan_i2c-add-more-hardware-id-for-lenovo-laptops.patch b/queue-5.7/input-elan_i2c-add-more-hardware-id-for-lenovo-laptops.patch new file mode 100644 index 00000000000..2112c910956 --- /dev/null +++ b/queue-5.7/input-elan_i2c-add-more-hardware-id-for-lenovo-laptops.patch @@ -0,0 +1,40 @@ +From a50ca29523b18baea548bdf5df9b4b923c2bb4f6 Mon Sep 17 00:00:00 2001 +From: Dave Wang +Date: Wed, 8 Jul 2020 22:25:03 -0700 +Subject: Input: elan_i2c - add more hardware ID for Lenovo laptops + +From: Dave Wang + +commit a50ca29523b18baea548bdf5df9b4b923c2bb4f6 upstream. + +This adds more hardware IDs for Elan touchpads found in various Lenovo +laptops. + +Signed-off-by: Dave Wang +Link: https://lore.kernel.org/r/000201d5a8bd$9fead3f0$dfc07bd0$@emc.com.tw +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/input/elan-i2c-ids.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/include/linux/input/elan-i2c-ids.h ++++ b/include/linux/input/elan-i2c-ids.h +@@ -67,8 +67,15 @@ static const struct acpi_device_id elan_ + { "ELAN062B", 0 }, + { "ELAN062C", 0 }, + { "ELAN062D", 0 }, ++ { "ELAN062E", 0 }, /* Lenovo V340 Whiskey Lake U */ ++ { "ELAN062F", 0 }, /* Lenovo V340 Comet Lake U */ + { "ELAN0631", 0 }, + { "ELAN0632", 0 }, ++ { "ELAN0633", 0 }, /* Lenovo S145 */ ++ { "ELAN0634", 0 }, /* Lenovo V340 Ice lake */ ++ { "ELAN0635", 0 }, /* Lenovo V1415-IIL */ ++ { "ELAN0636", 0 }, /* Lenovo V1415-Dali */ ++ { "ELAN0637", 0 }, /* Lenovo V1415-IGLR */ + { "ELAN1000", 0 }, + { } + }; diff --git a/queue-5.7/input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch b/queue-5.7/input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch new file mode 100644 index 00000000000..bc07aaf86dc --- /dev/null +++ b/queue-5.7/input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch @@ -0,0 +1,39 @@ +From 17d51429da722cd8fc77a365a112f008abf4f8b3 Mon Sep 17 00:00:00 2001 +From: David Pedersen +Date: Mon, 6 Jul 2020 18:48:51 -0700 +Subject: Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list + +From: David Pedersen + +commit 17d51429da722cd8fc77a365a112f008abf4f8b3 upstream. + +This fixes two finger trackpad scroll on the Lenovo XiaoXin Air 12. +Without nomux, the trackpad behaves as if only one finger is present and +moves the cursor when trying to scroll. + +Signed-off-by: David Pedersen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200625133754.291325-1-limero1337@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -426,6 +426,13 @@ static const struct dmi_system_id __init + }, + }, + { ++ /* Lenovo XiaoXin Air 12 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "80UN"), ++ }, ++ }, ++ { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Acer"), + DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 1360"), diff --git a/queue-5.7/intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch b/queue-5.7/intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch new file mode 100644 index 00000000000..9039f14acad --- /dev/null +++ b/queue-5.7/intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch @@ -0,0 +1,91 @@ +From e78e1fdb282726beaf88aa75943682217e6ded0e Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 6 Jul 2020 19:13:39 +0300 +Subject: intel_th: Fix a NULL dereference when hub driver is not loaded + +From: Alexander Shishkin + +commit e78e1fdb282726beaf88aa75943682217e6ded0e upstream. + +Connecting master to an output port when GTH driver module is not loaded +triggers a NULL dereference: + +> RIP: 0010:intel_th_set_output+0x35/0x70 [intel_th] +> Call Trace: +> ? sth_stm_link+0x12/0x20 [intel_th_sth] +> stm_source_link_store+0x164/0x270 [stm_core] +> dev_attr_store+0x17/0x30 +> sysfs_kf_write+0x3e/0x50 +> kernfs_fop_write+0xda/0x1b0 +> __vfs_write+0x1b/0x40 +> vfs_write+0xb9/0x1a0 +> ksys_write+0x67/0xe0 +> __x64_sys_write+0x1a/0x20 +> do_syscall_64+0x57/0x1d0 +> entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Make sure the module in question is loaded and return an error if not. + +Signed-off-by: Alexander Shishkin +Fixes: 39f4034693b7c ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") +Reviewed-by: Andy Shevchenko +Reported-by: Ammy Yi +Tested-by: Ammy Yi +Cc: stable@vger.kernel.org # v4.4 +Link: https://lore.kernel.org/r/20200706161339.55468-5-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/core.c | 21 ++++++++++++++++++--- + drivers/hwtracing/intel_th/sth.c | 4 +--- + 2 files changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -1021,15 +1021,30 @@ int intel_th_set_output(struct intel_th_ + { + struct intel_th_device *hub = to_intel_th_hub(thdev); + struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver); ++ int ret; + + /* In host mode, this is up to the external debugger, do nothing. */ + if (hub->host_mode) + return 0; + +- if (!hubdrv->set_output) +- return -ENOTSUPP; ++ /* ++ * hub is instantiated together with the source device that ++ * calls here, so guaranteed to be present. ++ */ ++ hubdrv = to_intel_th_driver(hub->dev.driver); ++ if (!hubdrv || !try_module_get(hubdrv->driver.owner)) ++ return -EINVAL; + +- return hubdrv->set_output(hub, master); ++ if (!hubdrv->set_output) { ++ ret = -ENOTSUPP; ++ goto out; ++ } ++ ++ ret = hubdrv->set_output(hub, master); ++ ++out: ++ module_put(hubdrv->driver.owner); ++ return ret; + } + EXPORT_SYMBOL_GPL(intel_th_set_output); + +--- a/drivers/hwtracing/intel_th/sth.c ++++ b/drivers/hwtracing/intel_th/sth.c +@@ -161,9 +161,7 @@ static int sth_stm_link(struct stm_data + { + struct sth_device *sth = container_of(stm_data, struct sth_device, stm); + +- intel_th_set_output(to_intel_th_device(sth->dev), master); +- +- return 0; ++ return intel_th_set_output(to_intel_th_device(sth->dev), master); + } + + static int intel_th_sw_init(struct sth_device *sth) diff --git a/queue-5.7/intel_th-pci-add-emmitsburg-pch-support.patch b/queue-5.7/intel_th-pci-add-emmitsburg-pch-support.patch new file mode 100644 index 00000000000..05a91e45ab1 --- /dev/null +++ b/queue-5.7/intel_th-pci-add-emmitsburg-pch-support.patch @@ -0,0 +1,35 @@ +From fd73d74a32bfaaf259441322cc5a1c83caaa94f2 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 6 Jul 2020 19:13:38 +0300 +Subject: intel_th: pci: Add Emmitsburg PCH support + +From: Alexander Shishkin + +commit fd73d74a32bfaaf259441322cc5a1c83caaa94f2 upstream. + +This adds support for the Trace Hub in Emmitsburg PCH. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20200706161339.55468-4-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -258,6 +258,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4b26), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, ++ { ++ /* Emmitsburg PCH */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1bcc), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, + { 0 }, + }; + diff --git a/queue-5.7/intel_th-pci-add-jasper-lake-cpu-support.patch b/queue-5.7/intel_th-pci-add-jasper-lake-cpu-support.patch new file mode 100644 index 00000000000..2c3a0d0ee9d --- /dev/null +++ b/queue-5.7/intel_th-pci-add-jasper-lake-cpu-support.patch @@ -0,0 +1,35 @@ +From 203c1f615052921901b7a8fbe2005d8ea6add076 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 6 Jul 2020 19:13:36 +0300 +Subject: intel_th: pci: Add Jasper Lake CPU support + +From: Alexander Shishkin + +commit 203c1f615052921901b7a8fbe2005d8ea6add076 upstream. + +This adds support for the Trace Hub in Jasper Lake CPU. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20200706161339.55468-2-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -239,6 +239,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Jasper Lake CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4e29), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Elkhart Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4529), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-5.7/intel_th-pci-add-tiger-lake-pch-h-support.patch b/queue-5.7/intel_th-pci-add-tiger-lake-pch-h-support.patch new file mode 100644 index 00000000000..9c08e3f52ac --- /dev/null +++ b/queue-5.7/intel_th-pci-add-tiger-lake-pch-h-support.patch @@ -0,0 +1,35 @@ +From 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 6 Jul 2020 19:13:37 +0300 +Subject: intel_th: pci: Add Tiger Lake PCH-H support + +From: Alexander Shishkin + +commit 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 upstream. + +This adds support for the Trace Hub in Tiger Lake PCH-H. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20200706161339.55468-3-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -234,6 +234,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Tiger Lake PCH-H */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x43a6), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Jasper Lake PCH */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4da6), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-5.7/mei-bus-don-t-clean-driver-pointer.patch b/queue-5.7/mei-bus-don-t-clean-driver-pointer.patch new file mode 100644 index 00000000000..c56a901bc8d --- /dev/null +++ b/queue-5.7/mei-bus-don-t-clean-driver-pointer.patch @@ -0,0 +1,50 @@ +From e852c2c251ed9c23ae6e3efebc5ec49adb504207 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Mon, 29 Jun 2020 01:53:59 +0300 +Subject: mei: bus: don't clean driver pointer + +From: Alexander Usyskin + +commit e852c2c251ed9c23ae6e3efebc5ec49adb504207 upstream. + +It's not needed to set driver to NULL in mei_cl_device_remove() +which is bus_type remove() handler as this is done anyway +in __device_release_driver(). + +Actually this is causing an endless loop in driver_detach() +on ubuntu patched kernel, while removing (rmmod) the mei_hdcp module. +The reason list_empty(&drv->p->klist_devices.k_list) is always not-empty. +as the check is always true in __device_release_driver() + if (dev->driver != drv) + return; + +The non upstream patch is causing this behavior, titled: +'vfio -- release device lock before userspace requests' + +Nevertheless the fix is correct also for the upstream. + +Link: https://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20180912085046.3401-2-apw@canonical.com/ +Cc: +Cc: Andy Whitcroft +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20200628225359.2185929-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/bus.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/misc/mei/bus.c ++++ b/drivers/misc/mei/bus.c +@@ -745,9 +745,8 @@ static int mei_cl_device_remove(struct d + + mei_cl_bus_module_put(cldev); + module_put(THIS_MODULE); +- dev->driver = NULL; +- return ret; + ++ return ret; + } + + static ssize_t name_show(struct device *dev, struct device_attribute *a, diff --git a/queue-5.7/misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch b/queue-5.7/misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch new file mode 100644 index 00000000000..86b72b1c0c7 --- /dev/null +++ b/queue-5.7/misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch @@ -0,0 +1,118 @@ +From b037d60a3b1d1227609fd858fa34321f41829911 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Wed, 24 Jun 2020 13:35:41 +0200 +Subject: misc: atmel-ssc: lock with mutex instead of spinlock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +commit b037d60a3b1d1227609fd858fa34321f41829911 upstream. + +Uninterruptible context is not needed in the driver and causes lockdep +warning because of mutex taken in of_alias_get_id(). Convert the lock to +mutex to avoid the issue. + +Cc: stable@vger.kernel.org +Fixes: 099343c64e16 ("ARM: at91: atmel-ssc: add device tree support") +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/50f0d7fa107f318296afb49477c3571e4d6978c5.1592998403.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/atmel-ssc.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/misc/atmel-ssc.c ++++ b/drivers/misc/atmel-ssc.c +@@ -10,7 +10,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -20,7 +20,7 @@ + #include "../../sound/soc/atmel/atmel_ssc_dai.h" + + /* Serialize access to ssc_list and user count */ +-static DEFINE_SPINLOCK(user_lock); ++static DEFINE_MUTEX(user_lock); + static LIST_HEAD(ssc_list); + + struct ssc_device *ssc_request(unsigned int ssc_num) +@@ -28,7 +28,7 @@ struct ssc_device *ssc_request(unsigned + int ssc_valid = 0; + struct ssc_device *ssc; + +- spin_lock(&user_lock); ++ mutex_lock(&user_lock); + list_for_each_entry(ssc, &ssc_list, list) { + if (ssc->pdev->dev.of_node) { + if (of_alias_get_id(ssc->pdev->dev.of_node, "ssc") +@@ -44,18 +44,18 @@ struct ssc_device *ssc_request(unsigned + } + + if (!ssc_valid) { +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + pr_err("ssc: ssc%d platform device is missing\n", ssc_num); + return ERR_PTR(-ENODEV); + } + + if (ssc->user) { +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + dev_dbg(&ssc->pdev->dev, "module busy\n"); + return ERR_PTR(-EBUSY); + } + ssc->user++; +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + + clk_prepare(ssc->clk); + +@@ -67,14 +67,14 @@ void ssc_free(struct ssc_device *ssc) + { + bool disable_clk = true; + +- spin_lock(&user_lock); ++ mutex_lock(&user_lock); + if (ssc->user) + ssc->user--; + else { + disable_clk = false; + dev_dbg(&ssc->pdev->dev, "device already free\n"); + } +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + + if (disable_clk) + clk_unprepare(ssc->clk); +@@ -237,9 +237,9 @@ static int ssc_probe(struct platform_dev + return -ENXIO; + } + +- spin_lock(&user_lock); ++ mutex_lock(&user_lock); + list_add_tail(&ssc->list, &ssc_list); +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + + platform_set_drvdata(pdev, ssc); + +@@ -258,9 +258,9 @@ static int ssc_remove(struct platform_de + + ssc_sound_dai_remove(ssc); + +- spin_lock(&user_lock); ++ mutex_lock(&user_lock); + list_del(&ssc->list); +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + + return 0; + } diff --git a/queue-5.7/opp-increase-parsed_static_opps-in-_of_add_opp_table_v1.patch b/queue-5.7/opp-increase-parsed_static_opps-in-_of_add_opp_table_v1.patch new file mode 100644 index 00000000000..d0237013286 --- /dev/null +++ b/queue-5.7/opp-increase-parsed_static_opps-in-_of_add_opp_table_v1.patch @@ -0,0 +1,43 @@ +From 6544abc520f0fff701e9da382110dc29676c683a Mon Sep 17 00:00:00 2001 +From: Walter Lozano +Date: Wed, 15 Jul 2020 23:54:52 -0300 +Subject: opp: Increase parsed_static_opps in _of_add_opp_table_v1() + +From: Walter Lozano + +commit 6544abc520f0fff701e9da382110dc29676c683a upstream. + +Currently, when using _of_add_opp_table_v2 parsed_static_opps is +increased and this value is used in _opp_remove_all_static() to +check if there are static opp entries that need to be freed. +Unfortunately this does not happen when using _of_add_opp_table_v1(), +which leads to warnings. + +This patch increases parsed_static_opps in _of_add_opp_table_v1() in a +similar way as in _of_add_opp_table_v2(). + +Fixes: 03758d60265c ("opp: Replace list_kref with a local counter") +Cc: v5.6+ # v5.6+ +Signed-off-by: Walter Lozano +[ Viresh: Do the operation with lock held and set the value to 1 instead + of incrementing it ] +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/opp/of.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/opp/of.c ++++ b/drivers/opp/of.c +@@ -733,6 +733,10 @@ static int _of_add_opp_table_v1(struct d + return -EINVAL; + } + ++ mutex_lock(&opp_table->lock); ++ opp_table->parsed_static_opps = 1; ++ mutex_unlock(&opp_table->lock); ++ + val = prop->value; + while (nr) { + unsigned long freq = be32_to_cpup(val++) * 1000; diff --git a/queue-5.7/ovl-fix-unneeded-call-to-ovl_change_flags.patch b/queue-5.7/ovl-fix-unneeded-call-to-ovl_change_flags.patch new file mode 100644 index 00000000000..a6867487cf3 --- /dev/null +++ b/queue-5.7/ovl-fix-unneeded-call-to-ovl_change_flags.patch @@ -0,0 +1,61 @@ +From 81a33c1ee941c3bb9ffc6bac8f676be13351344e Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 18 Jun 2020 18:43:53 +0300 +Subject: ovl: fix unneeded call to ovl_change_flags() + +From: Amir Goldstein + +commit 81a33c1ee941c3bb9ffc6bac8f676be13351344e upstream. + +The check if user has changed the overlay file was wrong, causing unneeded +call to ovl_change_flags() including taking f_lock on every file access. + +Fixes: d989903058a8 ("ovl: do not generate duplicate fsnotify events for "fake" path") +Cc: # v4.19+ +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/file.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/overlayfs/file.c ++++ b/fs/overlayfs/file.c +@@ -32,13 +32,16 @@ static char ovl_whatisit(struct inode *i + return 'm'; + } + ++/* No atime modificaton nor notify on underlying */ ++#define OVL_OPEN_FLAGS (O_NOATIME | FMODE_NONOTIFY) ++ + static struct file *ovl_open_realfile(const struct file *file, + struct inode *realinode) + { + struct inode *inode = file_inode(file); + struct file *realfile; + const struct cred *old_cred; +- int flags = file->f_flags | O_NOATIME | FMODE_NONOTIFY; ++ int flags = file->f_flags | OVL_OPEN_FLAGS; + + old_cred = ovl_override_creds(inode->i_sb); + realfile = open_with_fake_path(&file->f_path, flags, realinode, +@@ -59,8 +62,7 @@ static int ovl_change_flags(struct file + struct inode *inode = file_inode(file); + int err; + +- /* No atime modificaton on underlying */ +- flags |= O_NOATIME | FMODE_NONOTIFY; ++ flags |= OVL_OPEN_FLAGS; + + /* If some flag changed that cannot be changed then something's amiss */ + if (WARN_ON((file->f_flags ^ flags) & ~OVL_SETFL_MASK)) +@@ -113,7 +115,7 @@ static int ovl_real_fdget_meta(const str + } + + /* Did the flags change since open? */ +- if (unlikely((file->f_flags ^ real->file->f_flags) & ~O_NOATIME)) ++ if (unlikely((file->f_flags ^ real->file->f_flags) & ~OVL_OPEN_FLAGS)) + return ovl_change_flags(real->file, file->f_flags); + + return 0; diff --git a/queue-5.7/ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch b/queue-5.7/ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch new file mode 100644 index 00000000000..ec63d2aa70e --- /dev/null +++ b/queue-5.7/ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch @@ -0,0 +1,50 @@ +From 24f14009b8f1754ec2ae4c168940c01259b0f88a Mon Sep 17 00:00:00 2001 +From: youngjun +Date: Tue, 16 Jun 2020 17:30:43 +0900 +Subject: ovl: inode reference leak in ovl_is_inuse true case. + +From: youngjun + +commit 24f14009b8f1754ec2ae4c168940c01259b0f88a upstream. + +When "ovl_is_inuse" true case, trap inode reference not put. plus adding +the comment explaining sequence of ovl_is_inuse after ovl_setup_trap. + +Fixes: 0be0bfd2de9d ("ovl: fix regression caused by overlapping layers detection") +Cc: # v4.19+ +Reviewed-by: Amir Goldstein +Signed-off-by: youngjun +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/super.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -1450,14 +1450,23 @@ static int ovl_get_layers(struct super_b + if (err < 0) + goto out; + ++ /* ++ * Check if lower root conflicts with this overlay layers before ++ * checking if it is in-use as upperdir/workdir of "another" ++ * mount, because we do not bother to check in ovl_is_inuse() if ++ * the upperdir/workdir is in fact in-use by our ++ * upperdir/workdir. ++ */ + err = ovl_setup_trap(sb, stack[i].dentry, &trap, "lowerdir"); + if (err) + goto out; + + if (ovl_is_inuse(stack[i].dentry)) { + err = ovl_report_in_use(ofs, "lowerdir"); +- if (err) ++ if (err) { ++ iput(trap); + goto out; ++ } + } + + mnt = clone_private_mount(&stack[i]); diff --git a/queue-5.7/ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch b/queue-5.7/ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch new file mode 100644 index 00000000000..1ea4420ecf5 --- /dev/null +++ b/queue-5.7/ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch @@ -0,0 +1,65 @@ +From 124c2de2c0aee96271e4ddab190083d8aa7aa71a Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Wed, 17 Jun 2020 09:57:11 +0300 +Subject: ovl: relax WARN_ON() when decoding lower directory file handle + +From: Amir Goldstein + +commit 124c2de2c0aee96271e4ddab190083d8aa7aa71a upstream. + +Decoding a lower directory file handle to overlay path with cold +inode/dentry cache may go as follows: + +1. Decode real lower file handle to lower dir path +2. Check if lower dir is indexed (was copied up) +3. If indexed, get the upper dir path from index +4. Lookup upper dir path in overlay +5. If overlay path found, verify that overlay lower is the lower dir + from step 1 + +On failure to verify step 5 above, user will get an ESTALE error and a +WARN_ON will be printed. + +A mismatch in step 5 could be a result of lower directory that was renamed +while overlay was offline, after that lower directory has been copied up +and indexed. + +This is a scripted reproducer based on xfstest overlay/052: + + # Create lower subdir + create_dirs + create_test_files $lower/lowertestdir/subdir + mount_dirs + # Copy up lower dir and encode lower subdir file handle + touch $SCRATCH_MNT/lowertestdir + test_file_handles $SCRATCH_MNT/lowertestdir/subdir -p -o $tmp.fhandle + # Rename lower dir offline + unmount_dirs + mv $lower/lowertestdir $lower/lowertestdir.new/ + mount_dirs + # Attempt to decode lower subdir file handle + test_file_handles $SCRATCH_MNT -p -i $tmp.fhandle + +Since this WARN_ON() can be triggered by user we need to relax it. + +Fixes: 4b91c30a5a19 ("ovl: lookup connected ancestor of dir in inode cache") +Cc: # v4.16+ +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/overlayfs/export.c ++++ b/fs/overlayfs/export.c +@@ -478,7 +478,7 @@ static struct dentry *ovl_lookup_real_in + if (IS_ERR_OR_NULL(this)) + return this; + +- if (WARN_ON(ovl_dentry_real_at(this, layer->idx) != real)) { ++ if (ovl_dentry_real_at(this, layer->idx) != real) { + dput(this); + this = ERR_PTR(-EIO); + } diff --git a/queue-5.7/powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch b/queue-5.7/powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch new file mode 100644 index 00000000000..22bf83eba4f --- /dev/null +++ b/queue-5.7/powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch @@ -0,0 +1,155 @@ +From 192b6a780598976feb7321ff007754f8511a4129 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Sun, 12 Jul 2020 18:50:47 +0530 +Subject: powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey + +From: Aneesh Kumar K.V + +commit 192b6a780598976feb7321ff007754f8511a4129 upstream. + +Even if the IAMR value denies execute access, the current code returns +true from pkey_access_permitted() for an execute permission check, if +the AMR read pkey bit is cleared. + +This results in repeated page fault loop with a test like below: + + #define _GNU_SOURCE + #include + #include + #include + #include + #include + + #include + #include + #include + #include + #include + + #ifdef SYS_pkey_mprotect + #undef SYS_pkey_mprotect + #endif + + #ifdef SYS_pkey_alloc + #undef SYS_pkey_alloc + #endif + + #ifdef SYS_pkey_free + #undef SYS_pkey_free + #endif + + #undef PKEY_DISABLE_EXECUTE + #define PKEY_DISABLE_EXECUTE 0x4 + + #define SYS_pkey_mprotect 386 + #define SYS_pkey_alloc 384 + #define SYS_pkey_free 385 + + #define PPC_INST_NOP 0x60000000 + #define PPC_INST_BLR 0x4e800020 + #define PROT_RWX (PROT_READ | PROT_WRITE | PROT_EXEC) + + static int sys_pkey_mprotect(void *addr, size_t len, int prot, int pkey) + { + return syscall(SYS_pkey_mprotect, addr, len, prot, pkey); + } + + static int sys_pkey_alloc(unsigned long flags, unsigned long access_rights) + { + return syscall(SYS_pkey_alloc, flags, access_rights); + } + + static int sys_pkey_free(int pkey) + { + return syscall(SYS_pkey_free, pkey); + } + + static void do_execute(void *region) + { + /* jump to region */ + asm volatile( + "mtctr %0;" + "bctrl" + : : "r"(region) : "ctr", "lr"); + } + + static void do_protect(void *region) + { + size_t pgsize; + int i, pkey; + + pgsize = getpagesize(); + + pkey = sys_pkey_alloc(0, PKEY_DISABLE_EXECUTE); + assert (pkey > 0); + + /* perform mprotect */ + assert(!sys_pkey_mprotect(region, pgsize, PROT_RWX, pkey)); + do_execute(region); + + /* free pkey */ + assert(!sys_pkey_free(pkey)); + + } + + int main(int argc, char **argv) + { + size_t pgsize, numinsns; + unsigned int *region; + int i; + + /* allocate memory region to protect */ + pgsize = getpagesize(); + region = memalign(pgsize, pgsize); + assert(region != NULL); + assert(!mprotect(region, pgsize, PROT_RWX)); + + /* fill page with NOPs with a BLR at the end */ + numinsns = pgsize / sizeof(region[0]); + for (i = 0; i < numinsns - 1; i++) + region[i] = PPC_INST_NOP; + region[i] = PPC_INST_BLR; + + do_protect(region); + + return EXIT_SUCCESS; + } + +The fix is to only check the IAMR for an execute check, the AMR value +is not relevant. + +Fixes: f2407ef3ba22 ("powerpc: helper to validate key-access permissions of a pte") +Cc: stable@vger.kernel.org # v4.16+ +Reported-by: Sandipan Das +Signed-off-by: Aneesh Kumar K.V +[mpe: Add detail to change log, tweak wording & formatting] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200712132047.1038594-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/book3s64/pkeys.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/mm/book3s64/pkeys.c ++++ b/arch/powerpc/mm/book3s64/pkeys.c +@@ -357,12 +357,14 @@ static bool pkey_access_permitted(int pk + return true; + + pkey_shift = pkeyshift(pkey); +- if (execute && !(read_iamr() & (IAMR_EX_BIT << pkey_shift))) +- return true; ++ if (execute) ++ return !(read_iamr() & (IAMR_EX_BIT << pkey_shift)); ++ ++ amr = read_amr(); ++ if (write) ++ return !(amr & (AMR_WR_BIT << pkey_shift)); + +- amr = read_amr(); /* Delay reading amr until absolutely needed */ +- return ((!write && !(amr & (AMR_RD_BIT << pkey_shift))) || +- (write && !(amr & (AMR_WR_BIT << pkey_shift)))); ++ return !(amr & (AMR_RD_BIT << pkey_shift)); + } + + bool arch_pte_access_permitted(u64 pte, bool write, bool execute) diff --git a/queue-5.7/powerpc-pseries-svm-fix-incorrect-check-for-shared_lppaca_size.patch b/queue-5.7/powerpc-pseries-svm-fix-incorrect-check-for-shared_lppaca_size.patch new file mode 100644 index 00000000000..6b79491217b --- /dev/null +++ b/queue-5.7/powerpc-pseries-svm-fix-incorrect-check-for-shared_lppaca_size.patch @@ -0,0 +1,49 @@ +From b710d27bf72068b15b2f0305d825988183e2ff28 Mon Sep 17 00:00:00 2001 +From: Satheesh Rajendran +Date: Fri, 19 Jun 2020 12:31:13 +0530 +Subject: powerpc/pseries/svm: Fix incorrect check for shared_lppaca_size + +From: Satheesh Rajendran + +commit b710d27bf72068b15b2f0305d825988183e2ff28 upstream. + +Early secure guest boot hits the below crash while booting with +vcpus numbers aligned with page boundary for PAGE size of 64k +and LPPACA size of 1k i.e 64, 128 etc. + + Partition configured for 64 cpus. + CPU maps initialized for 1 thread per core + ------------[ cut here ]------------ + kernel BUG at arch/powerpc/kernel/paca.c:89! + Oops: Exception in kernel mode, sig: 5 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries + +This is due to the BUG_ON() for shared_lppaca_total_size equal to +shared_lppaca_size. Instead the code should only BUG_ON() if we have +exceeded the total_size, which indicates we've overflowed the array. + +Fixes: bd104e6db6f0 ("powerpc/pseries/svm: Use shared memory for LPPACA structures") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Satheesh Rajendran +Reviewed-by: Laurent Dufour +Reviewed-by: Thiago Jung Bauermann +[mpe: Reword change log to clarify we're fixing not removing the check] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200619070113.16696-1-sathnaga@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/paca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/paca.c ++++ b/arch/powerpc/kernel/paca.c +@@ -86,7 +86,7 @@ static void *__init alloc_shared_lppaca( + * This is very early in boot, so no harm done if the kernel crashes at + * this point. + */ +- BUG_ON(shared_lppaca_size >= shared_lppaca_total_size); ++ BUG_ON(shared_lppaca_size > shared_lppaca_total_size); + + return ptr; + } diff --git a/queue-5.7/revert-input-elants_i2c-report-resolution-information-for-touch-major.patch b/queue-5.7/revert-input-elants_i2c-report-resolution-information-for-touch-major.patch new file mode 100644 index 00000000000..057e1100931 --- /dev/null +++ b/queue-5.7/revert-input-elants_i2c-report-resolution-information-for-touch-major.patch @@ -0,0 +1,33 @@ +From 93b9de223c0135db495c25334e66cb669bef13e2 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 6 Jul 2020 17:47:35 -0700 +Subject: Revert "Input: elants_i2c - report resolution information for touch major" + +From: Dmitry Torokhov + +commit 93b9de223c0135db495c25334e66cb669bef13e2 upstream. + +This reverts commit 061706716384f1633d3d5090b22a99f33f1fcf2f - it turns +out that the resolution of 1 unit per mm was not correct for a number of +touch screens, causing touch sizes to be reported as way too large. +See https://crbug.com/1085648 + +Reported-by: Harry Cutts +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/elants_i2c.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/input/touchscreen/elants_i2c.c ++++ b/drivers/input/touchscreen/elants_i2c.c +@@ -1318,7 +1318,6 @@ static int elants_i2c_probe(struct i2c_c + 0, MT_TOOL_PALM, 0, 0); + input_abs_set_res(ts->input, ABS_MT_POSITION_X, ts->x_res); + input_abs_set_res(ts->input, ABS_MT_POSITION_Y, ts->y_res); +- input_abs_set_res(ts->input, ABS_MT_TOUCH_MAJOR, 1); + + error = input_register_device(ts->input); + if (error) { diff --git a/queue-5.7/revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch b/queue-5.7/revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch new file mode 100644 index 00000000000..be135f2d159 --- /dev/null +++ b/queue-5.7/revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch @@ -0,0 +1,39 @@ +From 853eab68afc80f59f36bbdeb715e5c88c501e680 Mon Sep 17 00:00:00 2001 +From: Wade Mealing +Date: Wed, 17 Jun 2020 13:49:47 +0200 +Subject: Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()" + +From: Wade Mealing + +commit 853eab68afc80f59f36bbdeb715e5c88c501e680 upstream. + +Turns out that the permissions for 0400 really are what we want here, +otherwise any user can read from this file. + +[fixed formatting, added changelog, and made attribute static - gregkh] + +Reported-by: Wade Mealing +Cc: stable +Fixes: f40609d1591f ("zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()") +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1847832 +Reviewed-by: Steffen Maier +Acked-by: Minchan Kim +Link: https://lore.kernel.org/r/20200617114946.GA2131650@kroah.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/zram/zram_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -2025,7 +2025,8 @@ static ssize_t hot_add_show(struct class + return ret; + return scnprintf(buf, PAGE_SIZE, "%d\n", ret); + } +-static CLASS_ATTR_RO(hot_add); ++static struct class_attribute class_attr_hot_add = ++ __ATTR(hot_add, 0400, hot_add_show, NULL); + + static ssize_t hot_remove_store(struct class *class, + struct class_attribute *attr, diff --git a/queue-5.7/riscv-use-16kb-kernel-stack-on-64-bit.patch b/queue-5.7/riscv-use-16kb-kernel-stack-on-64-bit.patch new file mode 100644 index 00000000000..8826e14b842 --- /dev/null +++ b/queue-5.7/riscv-use-16kb-kernel-stack-on-64-bit.patch @@ -0,0 +1,39 @@ +From 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Mon, 6 Jul 2020 14:32:26 +0200 +Subject: riscv: use 16KB kernel stack on 64-bit + +From: Andreas Schwab + +commit 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed upstream. + +With the current 8KB stack size there are frequent overflows in a 64-bit +configuration. We may split IRQ stacks off in the future, but this fixes a +number of issues right now. + +Signed-off-by: Andreas Schwab +Reviewed-by: Anup Patel +[Palmer: mention irqstack in the commit text] +Fixes: 7db91e57a0ac ("RISC-V: Task implementation") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/riscv/include/asm/thread_info.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/riscv/include/asm/thread_info.h ++++ b/arch/riscv/include/asm/thread_info.h +@@ -12,7 +12,11 @@ + #include + + /* thread information allocation */ ++#ifdef CONFIG_64BIT ++#define THREAD_SIZE_ORDER (2) ++#else + #define THREAD_SIZE_ORDER (1) ++#endif + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + + #ifndef __ASSEMBLY__ diff --git a/queue-5.7/sched-fair-handle-case-of-task_h_load-returning-0.patch b/queue-5.7/sched-fair-handle-case-of-task_h_load-returning-0.patch new file mode 100644 index 00000000000..af643ac689c --- /dev/null +++ b/queue-5.7/sched-fair-handle-case-of-task_h_load-returning-0.patch @@ -0,0 +1,68 @@ +From 01cfcde9c26d8555f0e6e9aea9d6049f87683998 Mon Sep 17 00:00:00 2001 +From: Vincent Guittot +Date: Fri, 10 Jul 2020 17:24:26 +0200 +Subject: sched/fair: handle case of task_h_load() returning 0 + +From: Vincent Guittot + +commit 01cfcde9c26d8555f0e6e9aea9d6049f87683998 upstream. + +task_h_load() can return 0 in some situations like running stress-ng +mmapfork, which forks thousands of threads, in a sched group on a 224 cores +system. The load balance doesn't handle this correctly because +env->imbalance never decreases and it will stop pulling tasks only after +reaching loop_max, which can be equal to the number of running tasks of +the cfs. Make sure that imbalance will be decreased by at least 1. + +misfit task is the other feature that doesn't handle correctly such +situation although it's probably more difficult to face the problem +because of the smaller number of CPUs and running tasks on heterogenous +system. + +We can't simply ensure that task_h_load() returns at least one because it +would imply to handle underflow in other places. + +Signed-off-by: Vincent Guittot +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Reviewed-by: Dietmar Eggemann +Tested-by: Dietmar Eggemann +Cc: # v4.4+ +Link: https://lkml.kernel.org/r/20200710152426.16981-1-vincent.guittot@linaro.org +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/fair.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -4033,7 +4033,11 @@ static inline void update_misfit_status( + return; + } + +- rq->misfit_task_load = task_h_load(p); ++ /* ++ * Make sure that misfit_task_load will not be null even if ++ * task_h_load() returns 0. ++ */ ++ rq->misfit_task_load = max_t(unsigned long, task_h_load(p), 1); + } + + #else /* CONFIG_SMP */ +@@ -7633,7 +7637,14 @@ static int detach_tasks(struct lb_env *e + + switch (env->migration_type) { + case migrate_load: +- load = task_h_load(p); ++ /* ++ * Depending of the number of CPUs and tasks and the ++ * cgroup hierarchy, task_h_load() can return a null ++ * value. Make sure that env->imbalance decreases ++ * otherwise detach_tasks() will stop only after ++ * detaching up to loop_max tasks. ++ */ ++ load = max_t(unsigned long, task_h_load(p), 1); + + if (sched_feat(LB_MIN) && + load < 16 && !env->sd->nr_balance_failed) diff --git a/queue-5.7/sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch b/queue-5.7/sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch new file mode 100644 index 00000000000..e827406c9b2 --- /dev/null +++ b/queue-5.7/sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch @@ -0,0 +1,81 @@ +From ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Mon, 6 Jul 2020 16:49:10 -0400 +Subject: sched: Fix unreliable rseq cpu_id for new tasks + +From: Mathieu Desnoyers + +commit ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db upstream. + +While integrating rseq into glibc and replacing glibc's sched_getcpu +implementation with rseq, glibc's tests discovered an issue with +incorrect __rseq_abi.cpu_id field value right after the first time +a newly created process issues sched_setaffinity. + +For the records, it triggers after building glibc and running tests, and +then issuing: + + for x in {1..2000} ; do posix/tst-affinity-static & done + +and shows up as: + +error: Unexpected CPU 2, expected 0 +error: Unexpected CPU 2, expected 0 +error: Unexpected CPU 2, expected 0 +error: Unexpected CPU 2, expected 0 +error: Unexpected CPU 138, expected 0 +error: Unexpected CPU 138, expected 0 +error: Unexpected CPU 138, expected 0 +error: Unexpected CPU 138, expected 0 + +This is caused by the scheduler invoking __set_task_cpu() directly from +sched_fork() and wake_up_new_task(), thus bypassing rseq_migrate() which +is done by set_task_cpu(). + +Add the missing rseq_migrate() to both functions. The only other direct +use of __set_task_cpu() is done by init_idle(), which does not involve a +user-space task. + +Based on my testing with the glibc test-case, just adding rseq_migrate() +to wake_up_new_task() is sufficient to fix the observed issue. Also add +it to sched_fork() to keep things consistent. + +The reason why this never triggered so far with the rseq/basic_test +selftest is unclear. + +The current use of sched_getcpu(3) does not typically require it to be +always accurate. However, use of the __rseq_abi.cpu_id field within rseq +critical sections requires it to be accurate. If it is not accurate, it +can cause corruption in the per-cpu data targeted by rseq critical +sections in user-space. + +Reported-By: Florian Weimer +Signed-off-by: Mathieu Desnoyers +Signed-off-by: Peter Zijlstra (Intel) +Tested-By: Florian Weimer +Cc: stable@vger.kernel.org # v4.18+ +Link: https://lkml.kernel.org/r/20200707201505.2632-1-mathieu.desnoyers@efficios.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -2876,6 +2876,7 @@ int sched_fork(unsigned long clone_flags + * Silence PROVE_RCU. + */ + raw_spin_lock_irqsave(&p->pi_lock, flags); ++ rseq_migrate(p); + /* + * We're setting the CPU for the first time, we don't migrate, + * so use __set_task_cpu(). +@@ -2940,6 +2941,7 @@ void wake_up_new_task(struct task_struct + * as we're not fully set-up yet. + */ + p->recent_used_cpu = task_cpu(p); ++ rseq_migrate(p); + __set_task_cpu(p, select_task_rq(p, task_cpu(p), SD_BALANCE_FORK, 0)); + #endif + rq = __task_rq_lock(p, &rf); diff --git a/queue-5.7/scsi-megaraid_sas-remove-undefined-enable_irq_poll-macro.patch b/queue-5.7/scsi-megaraid_sas-remove-undefined-enable_irq_poll-macro.patch new file mode 100644 index 00000000000..721755f0a25 --- /dev/null +++ b/queue-5.7/scsi-megaraid_sas-remove-undefined-enable_irq_poll-macro.patch @@ -0,0 +1,40 @@ +From 07d3f04550023395bbf34b99ec7e00fc50d9859f Mon Sep 17 00:00:00 2001 +From: Chandrakanth Patil +Date: Wed, 15 Jul 2020 17:31:53 +0530 +Subject: scsi: megaraid_sas: Remove undefined ENABLE_IRQ_POLL macro + +From: Chandrakanth Patil + +commit 07d3f04550023395bbf34b99ec7e00fc50d9859f upstream. + +As the ENABLE_IRQ_POLL macro is undefined, the check for ENABLE_IRQ_POLL +macro in ISR will always be false. This leads to irq polling being +non-functional. + +Remove ENABLE_IRQ_POLL check from ISR. + +Link: https://lore.kernel.org/r/20200715120153.20512-1-chandrakanth.patil@broadcom.com +Fixes: a6ffd5bf6819 ("scsi: megaraid_sas: Call disable_irq from process IRQ") +Cc: # v5.3+ +Signed-off-by: Chandrakanth Patil +Signed-off-by: Kashyap Desai +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -3797,10 +3797,8 @@ static irqreturn_t megasas_isr_fusion(in + if (instance->mask_interrupts) + return IRQ_NONE; + +-#if defined(ENABLE_IRQ_POLL) + if (irq_context->irq_poll_scheduled) + return IRQ_HANDLED; +-#endif + + if (!instance->msix_vectors) { + mfiStatus = instance->instancet->clear_intr(instance); diff --git a/queue-5.7/series b/queue-5.7/series index 55d2cb1def8..682729fa27a 100644 --- a/queue-5.7/series +++ b/queue-5.7/series @@ -176,3 +176,56 @@ serial-mxs-auart-add-missed-iounmap-in-probe-failure-and-remove.patch revert-serial-core-refactor-uart_unlock_and_check_sysrq.patch serial-core-fix-sysrq-overhead-regression.patch ovl-fix-regression-with-re-formatted-lower-squashfs.patch +ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch +ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch +ovl-fix-unneeded-call-to-ovl_change_flags.patch +fuse-ignore-data-argument-of-mount-...-ms_remount.patch +fuse-use-reconfigure-instead-of-remount_fs.patch +fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch +revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch +mei-bus-don-t-clean-driver-pointer.patch +revert-input-elants_i2c-report-resolution-information-for-touch-major.patch +input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch +input-elan_i2c-add-more-hardware-id-for-lenovo-laptops.patch +coresight-etmv4-fix-cpu-power-management-setup-in-probe-function.patch +uio_pdrv_genirq-remove-warning-when-irq-is-not-specified.patch +uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch +scsi-megaraid_sas-remove-undefined-enable_irq_poll-macro.patch +timer-prevent-base-clk-from-moving-backward.patch +timer-fix-wheel-index-calculation-on-last-level.patch +riscv-use-16kb-kernel-stack-on-64-bit.patch +hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch +hwmon-drivetemp-avoid-sct-usage-on-toshiba-dt01aca-family-drives.patch +powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch +powerpc-pseries-svm-fix-incorrect-check-for-shared_lppaca_size.patch +intel_th-pci-add-jasper-lake-cpu-support.patch +intel_th-pci-add-tiger-lake-pch-h-support.patch +intel_th-pci-add-emmitsburg-pch-support.patch +intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch +opp-increase-parsed_static_opps-in-_of_add_opp_table_v1.patch +dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch +dmaengine-mcf-edma-fix-null-pointer-exception-in-mcf_edma_tx_handler.patch +dmaengine-fsl-edma-common-correct-dsize_32byte.patch +misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch +dmabuf-use-spinlock-to-access-dmabuf-name.patch +thermal-int3403_thermal-downgrade-error-message.patch +arm-dts-imx6qdl-gw551x-fix-audio-ssi.patch +arm64-dts-agilex-add-status-to-qspi-dts-node.patch +arm64-dts-stratix10-add-status-to-qspi-dts-node.patch +arm64-dts-stratix10-increase-qspi-reg-address-in-nand-dts-file.patch +arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch +arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch +arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch +sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch +sched-fair-handle-case-of-task_h_load-returning-0.patch +x86-ioperm-fix-io-bitmap-invalidation-on-xen-pv.patch +genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch +drm-vmwgfx-fix-update-of-display-surface-when-resolution-changes.patch +drm-amdgpu-powerplay-modify-smc-message-name-for-setting-power-profile-mode.patch +drm-amdgpu-sdma5-fix-wptr-overwritten-in-get_wptr.patch +drm-amd-display-handle-failed-allocation-during-stream-construction.patch +drm-amd-display-oled-panel-backlight-adjust-not-work-with-external-display-connected.patch +drm-amdgpu-display-create-fake-mst-encoders-ahead-of-time-v4.patch +drm-i915-move-cec_notifier-to-intel_hdmi_connector_unregister-v2.patch +drm-i915-gt-ignore-irq-enabling-on-the-virtual-engines.patch +drm-i915-gt-only-swap-to-a-random-sibling-once-upon-creation.patch diff --git a/queue-5.7/thermal-int3403_thermal-downgrade-error-message.patch b/queue-5.7/thermal-int3403_thermal-downgrade-error-message.patch new file mode 100644 index 00000000000..5d78d232537 --- /dev/null +++ b/queue-5.7/thermal-int3403_thermal-downgrade-error-message.patch @@ -0,0 +1,35 @@ +From f3d7fb38976b1b0a8462ba1c7cbd404ddfaad086 Mon Sep 17 00:00:00 2001 +From: Alex Hung +Date: Mon, 15 Jun 2020 16:39:57 -0600 +Subject: thermal: int3403_thermal: Downgrade error message + +From: Alex Hung + +commit f3d7fb38976b1b0a8462ba1c7cbd404ddfaad086 upstream. + +Downgrade "Unsupported event" message from dev_err to dev_dbg to avoid +flooding with this message on some platforms. + +Cc: stable@vger.kernel.org # v5.4+ +Suggested-by: Zhang Rui +Signed-off-by: Alex Hung +[ rzhang: fix typo in changelog ] +Signed-off-by: Zhang Rui +Link: https://lore.kernel.org/r/20200615223957.183153-1-alex.hung@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thermal/intel/int340x_thermal/int3403_thermal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thermal/intel/int340x_thermal/int3403_thermal.c ++++ b/drivers/thermal/intel/int340x_thermal/int3403_thermal.c +@@ -74,7 +74,7 @@ static void int3403_notify(acpi_handle h + THERMAL_TRIP_CHANGED); + break; + default: +- dev_err(&priv->pdev->dev, "Unsupported event [0x%x]\n", event); ++ dev_dbg(&priv->pdev->dev, "Unsupported event [0x%x]\n", event); + break; + } + } diff --git a/queue-5.7/timer-fix-wheel-index-calculation-on-last-level.patch b/queue-5.7/timer-fix-wheel-index-calculation-on-last-level.patch new file mode 100644 index 00000000000..b5d3c3fcda2 --- /dev/null +++ b/queue-5.7/timer-fix-wheel-index-calculation-on-last-level.patch @@ -0,0 +1,44 @@ +From e2a71bdea81690b6ef11f4368261ec6f5b6891aa Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Fri, 17 Jul 2020 16:05:40 +0200 +Subject: timer: Fix wheel index calculation on last level + +From: Frederic Weisbecker + +commit e2a71bdea81690b6ef11f4368261ec6f5b6891aa upstream. + +When an expiration delta falls into the last level of the wheel, that delta +has be compared against the maximum possible delay and reduced to fit in if +necessary. + +However instead of comparing the delta against the maximum, the code +compares the actual expiry against the maximum. Then instead of fixing the +delta to fit in, it sets the maximum delta as the expiry value. + +This can result in various undesired outcomes, the worst possible one +being a timer expiring 15 days ahead to fire immediately. + +Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") +Signed-off-by: Frederic Weisbecker +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20200717140551.29076-2-frederic@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -522,8 +522,8 @@ static int calc_wheel_index(unsigned lon + * Force expire obscene large timeouts to expire at the + * capacity limit of the wheel. + */ +- if (expires >= WHEEL_TIMEOUT_CUTOFF) +- expires = WHEEL_TIMEOUT_MAX; ++ if (delta >= WHEEL_TIMEOUT_CUTOFF) ++ expires = clk + WHEEL_TIMEOUT_MAX; + + idx = calc_index(expires, LVL_DEPTH - 1); + } diff --git a/queue-5.7/timer-prevent-base-clk-from-moving-backward.patch b/queue-5.7/timer-prevent-base-clk-from-moving-backward.patch new file mode 100644 index 00000000000..be80927fba9 --- /dev/null +++ b/queue-5.7/timer-prevent-base-clk-from-moving-backward.patch @@ -0,0 +1,74 @@ +From 30c66fc30ee7a98c4f3adf5fb7e213b61884474f Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Fri, 3 Jul 2020 03:06:57 +0200 +Subject: timer: Prevent base->clk from moving backward + +From: Frederic Weisbecker + +commit 30c66fc30ee7a98c4f3adf5fb7e213b61884474f upstream. + +When a timer is enqueued with a negative delta (ie: expiry is below +base->clk), it gets added to the wheel as expiring now (base->clk). + +Yet the value that gets stored in base->next_expiry, while calling +trigger_dyntick_cpu(), is the initial timer->expires value. The +resulting state becomes: + + base->next_expiry < base->clk + +On the next timer enqueue, forward_timer_base() may accidentally +rewind base->clk. As a possible outcome, timers may expire way too +early, the worst case being that the highest wheel levels get spuriously +processed again. + +To prevent from that, make sure that base->next_expiry doesn't get below +base->clk. + +Fixes: a683f390b93f ("timers: Forward the wheel clock whenever possible") +Signed-off-by: Frederic Weisbecker +Signed-off-by: Thomas Gleixner +Reviewed-by: Anna-Maria Behnsen +Tested-by: Juri Lelli +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20200703010657.2302-1-frederic@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timer.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -585,7 +585,15 @@ trigger_dyntick_cpu(struct timer_base *b + * Set the next expiry time and kick the CPU so it can reevaluate the + * wheel: + */ +- base->next_expiry = timer->expires; ++ if (time_before(timer->expires, base->clk)) { ++ /* ++ * Prevent from forward_timer_base() moving the base->clk ++ * backward ++ */ ++ base->next_expiry = base->clk; ++ } else { ++ base->next_expiry = timer->expires; ++ } + wake_up_nohz_cpu(base->cpu); + } + +@@ -897,10 +905,13 @@ static inline void forward_timer_base(st + * If the next expiry value is > jiffies, then we fast forward to + * jiffies otherwise we forward to the next expiry value. + */ +- if (time_after(base->next_expiry, jnow)) ++ if (time_after(base->next_expiry, jnow)) { + base->clk = jnow; +- else ++ } else { ++ if (WARN_ON_ONCE(time_before(base->next_expiry, base->clk))) ++ return; + base->clk = base->next_expiry; ++ } + #endif + } + diff --git a/queue-5.7/uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch b/queue-5.7/uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch new file mode 100644 index 00000000000..b506f5dff74 --- /dev/null +++ b/queue-5.7/uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch @@ -0,0 +1,42 @@ +From bf12fdf0ab728ca8e5933aac46dd972c0dd0421e Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Wed, 1 Jul 2020 16:56:58 +0200 +Subject: uio_pdrv_genirq: fix use without device tree and no interrupt + +From: Esben Haabendal + +commit bf12fdf0ab728ca8e5933aac46dd972c0dd0421e upstream. + +While e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no +interrupt") added support for using uio_pdrv_genirq for devices without +interrupt for device tree platforms, the removal of uio_pdrv in +26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead") +broke the support for non device tree platforms. + +This change fixes this, so that uio_pdrv_genirq can be used without +interrupt on all platforms. + +This still leaves the support that uio_pdrv had for custom interrupt +handler lacking, as uio_pdrv_genirq does not handle it (yet). + +Fixes: 26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead") +Signed-off-by: Esben Haabendal +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200701145659.3978-3-esben@geanix.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uio/uio_pdrv_genirq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/uio/uio_pdrv_genirq.c ++++ b/drivers/uio/uio_pdrv_genirq.c +@@ -161,7 +161,7 @@ static int uio_pdrv_genirq_probe(struct + if (!uioinfo->irq) { + ret = platform_get_irq_optional(pdev, 0); + uioinfo->irq = ret; +- if (ret == -ENXIO && pdev->dev.of_node) ++ if (ret == -ENXIO) + uioinfo->irq = UIO_IRQ_NONE; + else if (ret == -EPROBE_DEFER) + return ret; diff --git a/queue-5.7/uio_pdrv_genirq-remove-warning-when-irq-is-not-specified.patch b/queue-5.7/uio_pdrv_genirq-remove-warning-when-irq-is-not-specified.patch new file mode 100644 index 00000000000..6b4a1dc238f --- /dev/null +++ b/queue-5.7/uio_pdrv_genirq-remove-warning-when-irq-is-not-specified.patch @@ -0,0 +1,35 @@ +From 324ac45f25e634eca6346953ae531e8da3e0c73d Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Wed, 1 Jul 2020 16:56:57 +0200 +Subject: uio_pdrv_genirq: Remove warning when irq is not specified + +From: Esben Haabendal + +commit 324ac45f25e634eca6346953ae531e8da3e0c73d upstream. + +Since e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no +interrupt"), the uio_pdrv_genirq has supported use without interrupt, +so the change in 7723f4c5ecdb ("driver core: platform: Add an error +message to") added false warnings for those cases. + +Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()") +Signed-off-by: Esben Haabendal +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200701145659.3978-2-esben@geanix.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uio/uio_pdrv_genirq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/uio/uio_pdrv_genirq.c ++++ b/drivers/uio/uio_pdrv_genirq.c +@@ -159,7 +159,7 @@ static int uio_pdrv_genirq_probe(struct + priv->pdev = pdev; + + if (!uioinfo->irq) { +- ret = platform_get_irq(pdev, 0); ++ ret = platform_get_irq_optional(pdev, 0); + uioinfo->irq = ret; + if (ret == -ENXIO && pdev->dev.of_node) + uioinfo->irq = UIO_IRQ_NONE; diff --git a/queue-5.7/x86-ioperm-fix-io-bitmap-invalidation-on-xen-pv.patch b/queue-5.7/x86-ioperm-fix-io-bitmap-invalidation-on-xen-pv.patch new file mode 100644 index 00000000000..9341c3845dc --- /dev/null +++ b/queue-5.7/x86-ioperm-fix-io-bitmap-invalidation-on-xen-pv.patch @@ -0,0 +1,171 @@ +From cadfad870154e14f745ec845708bc17d166065f2 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Fri, 17 Jul 2020 16:53:55 -0700 +Subject: x86/ioperm: Fix io bitmap invalidation on Xen PV + +From: Andy Lutomirski + +commit cadfad870154e14f745ec845708bc17d166065f2 upstream. + +tss_invalidate_io_bitmap() wasn't wired up properly through the pvop +machinery, so the TSS and Xen's io bitmap would get out of sync +whenever disabling a valid io bitmap. + +Add a new pvop for tss_invalidate_io_bitmap() to fix it. + +This is XSA-329. + +Fixes: 22fe5b0439dd ("x86/ioperm: Move TSS bitmap update to exit to user work") +Signed-off-by: Andy Lutomirski +Signed-off-by: Thomas Gleixner +Reviewed-by: Juergen Gross +Reviewed-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/d53075590e1f91c19f8af705059d3ff99424c020.1595030016.git.luto@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/io_bitmap.h | 16 ++++++++++++++++ + arch/x86/include/asm/paravirt.h | 5 +++++ + arch/x86/include/asm/paravirt_types.h | 1 + + arch/x86/kernel/paravirt.c | 3 ++- + arch/x86/kernel/process.c | 18 ++---------------- + arch/x86/xen/enlighten_pv.c | 12 ++++++++++++ + 6 files changed, 38 insertions(+), 17 deletions(-) + +--- a/arch/x86/include/asm/io_bitmap.h ++++ b/arch/x86/include/asm/io_bitmap.h +@@ -19,12 +19,28 @@ struct task_struct; + void io_bitmap_share(struct task_struct *tsk); + void io_bitmap_exit(struct task_struct *tsk); + ++static inline void native_tss_invalidate_io_bitmap(void) ++{ ++ /* ++ * Invalidate the I/O bitmap by moving io_bitmap_base outside the ++ * TSS limit so any subsequent I/O access from user space will ++ * trigger a #GP. ++ * ++ * This is correct even when VMEXIT rewrites the TSS limit ++ * to 0x67 as the only requirement is that the base points ++ * outside the limit. ++ */ ++ this_cpu_write(cpu_tss_rw.x86_tss.io_bitmap_base, ++ IO_BITMAP_OFFSET_INVALID); ++} ++ + void native_tss_update_io_bitmap(void); + + #ifdef CONFIG_PARAVIRT_XXL + #include + #else + #define tss_update_io_bitmap native_tss_update_io_bitmap ++#define tss_invalidate_io_bitmap native_tss_invalidate_io_bitmap + #endif + + #else +--- a/arch/x86/include/asm/paravirt.h ++++ b/arch/x86/include/asm/paravirt.h +@@ -296,6 +296,11 @@ static inline void write_idt_entry(gate_ + } + + #ifdef CONFIG_X86_IOPL_IOPERM ++static inline void tss_invalidate_io_bitmap(void) ++{ ++ PVOP_VCALL0(cpu.invalidate_io_bitmap); ++} ++ + static inline void tss_update_io_bitmap(void) + { + PVOP_VCALL0(cpu.update_io_bitmap); +--- a/arch/x86/include/asm/paravirt_types.h ++++ b/arch/x86/include/asm/paravirt_types.h +@@ -141,6 +141,7 @@ struct pv_cpu_ops { + void (*load_sp0)(unsigned long sp0); + + #ifdef CONFIG_X86_IOPL_IOPERM ++ void (*invalidate_io_bitmap)(void); + void (*update_io_bitmap)(void); + #endif + +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -343,7 +343,8 @@ struct paravirt_patch_template pv_ops = + .cpu.swapgs = native_swapgs, + + #ifdef CONFIG_X86_IOPL_IOPERM +- .cpu.update_io_bitmap = native_tss_update_io_bitmap, ++ .cpu.invalidate_io_bitmap = native_tss_invalidate_io_bitmap, ++ .cpu.update_io_bitmap = native_tss_update_io_bitmap, + #endif + + .cpu.start_context_switch = paravirt_nop, +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -322,20 +322,6 @@ void arch_setup_new_exec(void) + } + + #ifdef CONFIG_X86_IOPL_IOPERM +-static inline void tss_invalidate_io_bitmap(struct tss_struct *tss) +-{ +- /* +- * Invalidate the I/O bitmap by moving io_bitmap_base outside the +- * TSS limit so any subsequent I/O access from user space will +- * trigger a #GP. +- * +- * This is correct even when VMEXIT rewrites the TSS limit +- * to 0x67 as the only requirement is that the base points +- * outside the limit. +- */ +- tss->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET_INVALID; +-} +- + static inline void switch_to_bitmap(unsigned long tifp) + { + /* +@@ -346,7 +332,7 @@ static inline void switch_to_bitmap(unsi + * user mode. + */ + if (tifp & _TIF_IO_BITMAP) +- tss_invalidate_io_bitmap(this_cpu_ptr(&cpu_tss_rw)); ++ tss_invalidate_io_bitmap(); + } + + static void tss_copy_io_bitmap(struct tss_struct *tss, struct io_bitmap *iobm) +@@ -380,7 +366,7 @@ void native_tss_update_io_bitmap(void) + u16 *base = &tss->x86_tss.io_bitmap_base; + + if (!test_thread_flag(TIF_IO_BITMAP)) { +- tss_invalidate_io_bitmap(tss); ++ native_tss_invalidate_io_bitmap(); + return; + } + +--- a/arch/x86/xen/enlighten_pv.c ++++ b/arch/x86/xen/enlighten_pv.c +@@ -841,6 +841,17 @@ static void xen_load_sp0(unsigned long s + } + + #ifdef CONFIG_X86_IOPL_IOPERM ++static void xen_invalidate_io_bitmap(void) ++{ ++ struct physdev_set_iobitmap iobitmap = { ++ .bitmap = 0, ++ .nr_ports = 0, ++ }; ++ ++ native_tss_invalidate_io_bitmap(); ++ HYPERVISOR_physdev_op(PHYSDEVOP_set_iobitmap, &iobitmap); ++} ++ + static void xen_update_io_bitmap(void) + { + struct physdev_set_iobitmap iobitmap; +@@ -1070,6 +1081,7 @@ static const struct pv_cpu_ops xen_cpu_o + .load_sp0 = xen_load_sp0, + + #ifdef CONFIG_X86_IOPL_IOPERM ++ .invalidate_io_bitmap = xen_invalidate_io_bitmap, + .update_io_bitmap = xen_update_io_bitmap, + #endif + .io_delay = xen_io_delay,