From: Sasha Levin Date: Mon, 26 Oct 2020 04:58:11 +0000 (-0400) Subject: Fixes for 5.9 X-Git-Tag: v4.4.241~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4474fe98f1d5dd5a0b0d98968e45415003823813;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.9 Signed-off-by: Sasha Levin --- diff --git a/queue-5.9/afs-fix-cell-purging-with-aliases.patch b/queue-5.9/afs-fix-cell-purging-with-aliases.patch new file mode 100644 index 00000000000..a1bebe744d1 --- /dev/null +++ b/queue-5.9/afs-fix-cell-purging-with-aliases.patch @@ -0,0 +1,61 @@ +From 04c22add29beec98db950e4cdb455aa61f53184f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 11:05:01 +0100 +Subject: afs: Fix cell purging with aliases + +From: David Howells + +[ Upstream commit 286377f6bdf71568a4cf07104fe44006ae0dba6d ] + +When the afs module is removed, one of the things that has to be done is to +purge the cell database. afs_cell_purge() cancels the management timer and +then starts the cell manager work item to do the purging. This does a +single run through and then assumes that all cells are now purged - but +this is no longer the case. + +With the introduction of alias detection, a later cell in the database can +now be holding an active count on an earlier cell (cell->alias_of). The +purge scan passes by the earlier cell first, but this can't be got rid of +until it has discarded the alias. Ordinarily, afs_unuse_cell() would +handle this by setting the management timer to trigger another pass - but +afs_set_cell_timer() doesn't do anything if the namespace is being removed +(net->live == false). rmmod then hangs in the wait on cells_outstanding in +afs_cell_purge(). + +Fix this by making afs_set_cell_timer() directly queue the cell manager if +net->live is false. This causes additional management passes. + +Queueing the cell manager increments cells_outstanding to make sure the +wait won't complete until all cells are destroyed. + +Fixes: 8a070a964877 ("afs: Detect cell aliases 1 - Cells with root volumes") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index c906000b0ff84..1944be78e9b0d 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -19,6 +19,7 @@ static unsigned __read_mostly afs_cell_gc_delay = 10; + static unsigned __read_mostly afs_cell_min_ttl = 10 * 60; + static unsigned __read_mostly afs_cell_max_ttl = 24 * 60 * 60; + ++static void afs_queue_cell_manager(struct afs_net *); + static void afs_manage_cell_work(struct work_struct *); + + static void afs_dec_cells_outstanding(struct afs_net *net) +@@ -37,6 +38,8 @@ static void afs_set_cell_timer(struct afs_net *net, time64_t delay) + atomic_inc(&net->cells_outstanding); + if (timer_reduce(&net->cells_timer, jiffies + delay * HZ)) + afs_dec_cells_outstanding(net); ++ } else { ++ afs_queue_cell_manager(net); + } + } + +-- +2.25.1 + diff --git a/queue-5.9/afs-fix-cell-refcounting-by-splitting-the-usage-coun.patch b/queue-5.9/afs-fix-cell-refcounting-by-splitting-the-usage-coun.patch new file mode 100644 index 00000000000..063f2f66d44 --- /dev/null +++ b/queue-5.9/afs-fix-cell-refcounting-by-splitting-the-usage-coun.patch @@ -0,0 +1,665 @@ +From 064d6c22f2ce72b050958334e0f820a2d7ed3ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2019 11:24:59 +0100 +Subject: afs: Fix cell refcounting by splitting the usage counter + +From: David Howells + +[ Upstream commit 88c853c3f5c0a07c5db61b494ee25152535cfeee ] + +Management of the lifetime of afs_cell struct has some problems due to the +usage counter being used to determine whether objects of that type are in +use in addition to whether anyone might be interested in the structure. + +This is made trickier by cell objects being cached for a period of time in +case they're quickly reused as they hold the result of a setup process that +may be slow (DNS lookups, AFS RPC ops). + +Problems include the cached root volume from alias resolution pinning its +parent cell record, rmmod occasionally hanging and occasionally producing +assertion failures. + +Fix this by splitting the count of active users from the struct reference +count. Things then work as follows: + + (1) The cell cache keeps +1 on the cell's activity count and this has to + be dropped before the cell can be removed. afs_manage_cell() tries to + exchange the 1 to a 0 with the cells_lock write-locked, and if + successful, the record is removed from the net->cells. + + (2) One struct ref is 'owned' by the activity count. That is put when the + active count is reduced to 0 (final_destruction label). + + (3) A ref can be held on a cell whilst it is queued for management on a + work queue without confusing the active count. afs_queue_cell() is + added to wrap this. + + (4) The queue's ref is dropped at the end of the management. This is + split out into a separate function, afs_manage_cell_work(). + + (5) The root volume record is put after a cell is removed (at the + final_destruction label) rather then in the RCU destruction routine. + + (6) Volumes hold struct refs, but aren't active users. + + (7) Both counts are displayed in /proc/net/afs/cells. + +There are some management function changes: + + (*) afs_put_cell() now just decrements the refcount and triggers the RCU + destruction if it becomes 0. It no longer sets a timer to have the + manager do this. + + (*) afs_use_cell() and afs_unuse_cell() are added to increase and decrease + the active count. afs_unuse_cell() sets the management timer. + + (*) afs_queue_cell() is added to queue a cell with approprate refs. + +There are also some other fixes: + + (*) Don't let /proc/net/afs/cells access a cell's vllist if it's NULL. + + (*) Make sure that candidate cells in lookups are properly destroyed + rather than being simply kfree'd. This ensures the bits it points to + are destroyed also. + + (*) afs_dec_cells_outstanding() is now called in cell destruction rather + than at "final_destruction". This ensures that cell->net is still + valid to the end of the destructor. + + (*) As a consequence of the previous two changes, move the increment of + net->cells_outstanding that was at the point of insertion into the + tree to the allocation routine to correctly balance things. + +Fixes: 989782dcdc91 ("afs: Overhaul cell database management") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 149 +++++++++++++++++++++++++++++++-------------- + fs/afs/dynroot.c | 2 +- + fs/afs/internal.h | 8 ++- + fs/afs/mntpt.c | 4 +- + fs/afs/proc.c | 23 ++++--- + fs/afs/super.c | 12 ++-- + fs/afs/vl_alias.c | 8 +-- + fs/afs/vl_rotate.c | 2 +- + fs/afs/volume.c | 4 +- + 9 files changed, 136 insertions(+), 76 deletions(-) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index 5da83e84952a2..c906000b0ff84 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -19,7 +19,7 @@ static unsigned __read_mostly afs_cell_gc_delay = 10; + static unsigned __read_mostly afs_cell_min_ttl = 10 * 60; + static unsigned __read_mostly afs_cell_max_ttl = 24 * 60 * 60; + +-static void afs_manage_cell(struct work_struct *); ++static void afs_manage_cell_work(struct work_struct *); + + static void afs_dec_cells_outstanding(struct afs_net *net) + { +@@ -62,8 +62,7 @@ static struct afs_cell *afs_find_cell_locked(struct afs_net *net, + cell = net->ws_cell; + if (!cell) + return ERR_PTR(-EDESTADDRREQ); +- afs_get_cell(cell); +- return cell; ++ goto found; + } + + p = net->cells.rb_node; +@@ -85,12 +84,12 @@ static struct afs_cell *afs_find_cell_locked(struct afs_net *net, + return ERR_PTR(-ENOENT); + + found: +- if (!atomic_inc_not_zero(&cell->usage)) +- return ERR_PTR(-ENOENT); +- +- return cell; ++ return afs_use_cell(cell); + } + ++/* ++ * Look up and get an activation reference on a cell record. ++ */ + struct afs_cell *afs_find_cell(struct afs_net *net, + const char *name, unsigned int namesz) + { +@@ -153,8 +152,9 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net, + cell->name[i] = tolower(name[i]); + cell->name[i] = 0; + +- atomic_set(&cell->usage, 2); +- INIT_WORK(&cell->manager, afs_manage_cell); ++ atomic_set(&cell->ref, 1); ++ atomic_set(&cell->active, 0); ++ INIT_WORK(&cell->manager, afs_manage_cell_work); + cell->volumes = RB_ROOT; + INIT_HLIST_HEAD(&cell->proc_volumes); + seqlock_init(&cell->volume_lock); +@@ -193,6 +193,7 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net, + cell->dns_source = vllist->source; + cell->dns_status = vllist->status; + smp_store_release(&cell->dns_lookup_count, 1); /* vs source/status */ ++ atomic_inc(&net->cells_outstanding); + + _leave(" = %p", cell); + return cell; +@@ -275,12 +276,12 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + + cell = candidate; + candidate = NULL; ++ atomic_set(&cell->active, 2); + rb_link_node_rcu(&cell->net_node, parent, pp); + rb_insert_color(&cell->net_node, &net->cells); +- atomic_inc(&net->cells_outstanding); + up_write(&net->cells_lock); + +- queue_work(afs_wq, &cell->manager); ++ afs_queue_cell(cell); + + wait_for_cell: + _debug("wait_for_cell"); +@@ -305,16 +306,17 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + if (excl) { + ret = -EEXIST; + } else { +- afs_get_cell(cursor); ++ afs_use_cell(cursor); + ret = 0; + } + up_write(&net->cells_lock); +- kfree(candidate); ++ if (candidate) ++ afs_put_cell(candidate); + if (ret == 0) + goto wait_for_cell; + goto error_noput; + error: +- afs_put_cell(net, cell); ++ afs_unuse_cell(net, cell); + error_noput: + _leave(" = %d [error]", ret); + return ERR_PTR(ret); +@@ -359,7 +361,7 @@ int afs_cell_init(struct afs_net *net, const char *rootcell) + } + + if (!test_and_set_bit(AFS_CELL_FL_NO_GC, &new_root->flags)) +- afs_get_cell(new_root); ++ afs_use_cell(new_root); + + /* install the new cell */ + down_write(&net->cells_lock); +@@ -367,7 +369,7 @@ int afs_cell_init(struct afs_net *net, const char *rootcell) + net->ws_cell = new_root; + up_write(&net->cells_lock); + +- afs_put_cell(net, old_root); ++ afs_unuse_cell(net, old_root); + _leave(" = 0"); + return 0; + } +@@ -473,18 +475,21 @@ static int afs_update_cell(struct afs_cell *cell) + static void afs_cell_destroy(struct rcu_head *rcu) + { + struct afs_cell *cell = container_of(rcu, struct afs_cell, rcu); ++ struct afs_net *net = cell->net; ++ int u; + + _enter("%p{%s}", cell, cell->name); + +- ASSERTCMP(atomic_read(&cell->usage), ==, 0); ++ u = atomic_read(&cell->ref); ++ ASSERTCMP(u, ==, 0); + +- afs_put_volume(cell->net, cell->root_volume, afs_volume_trace_put_cell_root); +- afs_put_vlserverlist(cell->net, rcu_access_pointer(cell->vl_servers)); +- afs_put_cell(cell->net, cell->alias_of); ++ afs_put_vlserverlist(net, rcu_access_pointer(cell->vl_servers)); ++ afs_unuse_cell(net, cell->alias_of); + key_put(cell->anonymous_key); + kfree(cell->name); + kfree(cell); + ++ afs_dec_cells_outstanding(net); + _leave(" [destroyed]"); + } + +@@ -519,16 +524,50 @@ void afs_cells_timer(struct timer_list *timer) + */ + struct afs_cell *afs_get_cell(struct afs_cell *cell) + { +- atomic_inc(&cell->usage); ++ if (atomic_read(&cell->ref) <= 0) ++ BUG(); ++ ++ atomic_inc(&cell->ref); + return cell; + } + + /* + * Drop a reference on a cell record. + */ +-void afs_put_cell(struct afs_net *net, struct afs_cell *cell) ++void afs_put_cell(struct afs_cell *cell) ++{ ++ if (cell) { ++ unsigned int u, a; ++ ++ u = atomic_dec_return(&cell->ref); ++ if (u == 0) { ++ a = atomic_read(&cell->active); ++ WARN(a != 0, "Cell active count %u > 0\n", a); ++ call_rcu(&cell->rcu, afs_cell_destroy); ++ } ++ } ++} ++ ++/* ++ * Note a cell becoming more active. ++ */ ++struct afs_cell *afs_use_cell(struct afs_cell *cell) ++{ ++ if (atomic_read(&cell->ref) <= 0) ++ BUG(); ++ ++ atomic_inc(&cell->active); ++ return cell; ++} ++ ++/* ++ * Record a cell becoming less active. When the active counter reaches 1, it ++ * is scheduled for destruction, but may get reactivated. ++ */ ++void afs_unuse_cell(struct afs_net *net, struct afs_cell *cell) + { + time64_t now, expire_delay; ++ int a; + + if (!cell) + return; +@@ -541,11 +580,21 @@ void afs_put_cell(struct afs_net *net, struct afs_cell *cell) + if (cell->vl_servers->nr_servers) + expire_delay = afs_cell_gc_delay; + +- if (atomic_dec_return(&cell->usage) > 1) +- return; ++ a = atomic_dec_return(&cell->active); ++ WARN_ON(a == 0); ++ if (a == 1) ++ /* 'cell' may now be garbage collected. */ ++ afs_set_cell_timer(net, expire_delay); ++} + +- /* 'cell' may now be garbage collected. */ +- afs_set_cell_timer(net, expire_delay); ++/* ++ * Queue a cell for management, giving the workqueue a ref to hold. ++ */ ++void afs_queue_cell(struct afs_cell *cell) ++{ ++ afs_get_cell(cell); ++ if (!queue_work(afs_wq, &cell->manager)) ++ afs_put_cell(cell); + } + + /* +@@ -645,12 +694,11 @@ static void afs_deactivate_cell(struct afs_net *net, struct afs_cell *cell) + * Manage a cell record, initialising and destroying it, maintaining its DNS + * records. + */ +-static void afs_manage_cell(struct work_struct *work) ++static void afs_manage_cell(struct afs_cell *cell) + { +- struct afs_cell *cell = container_of(work, struct afs_cell, manager); + struct afs_net *net = cell->net; + bool deleted; +- int ret, usage; ++ int ret, active; + + _enter("%s", cell->name); + +@@ -660,10 +708,11 @@ static void afs_manage_cell(struct work_struct *work) + case AFS_CELL_INACTIVE: + case AFS_CELL_FAILED: + down_write(&net->cells_lock); +- usage = 1; +- deleted = atomic_try_cmpxchg_relaxed(&cell->usage, &usage, 0); +- if (deleted) ++ active = 1; ++ deleted = atomic_try_cmpxchg_relaxed(&cell->active, &active, 0); ++ if (deleted) { + rb_erase(&cell->net_node, &net->cells); ++ } + up_write(&net->cells_lock); + if (deleted) + goto final_destruction; +@@ -688,7 +737,7 @@ static void afs_manage_cell(struct work_struct *work) + goto again; + + case AFS_CELL_ACTIVE: +- if (atomic_read(&cell->usage) > 1) { ++ if (atomic_read(&cell->active) > 1) { + if (test_and_clear_bit(AFS_CELL_FL_DO_LOOKUP, &cell->flags)) { + ret = afs_update_cell(cell); + if (ret < 0) +@@ -701,7 +750,7 @@ static void afs_manage_cell(struct work_struct *work) + goto again; + + case AFS_CELL_DEACTIVATING: +- if (atomic_read(&cell->usage) > 1) ++ if (atomic_read(&cell->active) > 1) + goto reverse_deactivation; + afs_deactivate_cell(net, cell); + smp_store_release(&cell->state, AFS_CELL_INACTIVE); +@@ -733,9 +782,18 @@ static void afs_manage_cell(struct work_struct *work) + return; + + final_destruction: +- call_rcu(&cell->rcu, afs_cell_destroy); +- afs_dec_cells_outstanding(net); +- _leave(" [destruct %d]", atomic_read(&net->cells_outstanding)); ++ /* The root volume is pinning the cell */ ++ afs_put_volume(cell->net, cell->root_volume, afs_volume_trace_put_cell_root); ++ cell->root_volume = NULL; ++ afs_put_cell(cell); ++} ++ ++static void afs_manage_cell_work(struct work_struct *work) ++{ ++ struct afs_cell *cell = container_of(work, struct afs_cell, manager); ++ ++ afs_manage_cell(cell); ++ afs_put_cell(cell); + } + + /* +@@ -769,21 +827,20 @@ void afs_manage_cells(struct work_struct *work) + for (cursor = rb_first(&net->cells); cursor; cursor = rb_next(cursor)) { + struct afs_cell *cell = + rb_entry(cursor, struct afs_cell, net_node); +- unsigned usage; ++ unsigned active; + bool sched_cell = false; + +- usage = atomic_read(&cell->usage); +- _debug("manage %s %u", cell->name, usage); ++ active = atomic_read(&cell->active); ++ _debug("manage %s %u %u", cell->name, atomic_read(&cell->ref), active); + +- ASSERTCMP(usage, >=, 1); ++ ASSERTCMP(active, >=, 1); + + if (purging) { + if (test_and_clear_bit(AFS_CELL_FL_NO_GC, &cell->flags)) +- usage = atomic_dec_return(&cell->usage); +- ASSERTCMP(usage, ==, 1); ++ atomic_dec(&cell->active); + } + +- if (usage == 1) { ++ if (active == 1) { + struct afs_vlserver_list *vllist; + time64_t expire_at = cell->last_inactive; + +@@ -806,7 +863,7 @@ void afs_manage_cells(struct work_struct *work) + } + + if (sched_cell) +- queue_work(afs_wq, &cell->manager); ++ afs_queue_cell(cell); + } + + up_read(&net->cells_lock); +@@ -843,7 +900,7 @@ void afs_cell_purge(struct afs_net *net) + ws = net->ws_cell; + net->ws_cell = NULL; + up_write(&net->cells_lock); +- afs_put_cell(net, ws); ++ afs_unuse_cell(net, ws); + + _debug("del timer"); + if (del_timer_sync(&net->cells_timer)) +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 5b8de4fee6cda..da32797dd4257 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -125,7 +125,7 @@ static int afs_probe_cell_name(struct dentry *dentry) + + cell = afs_find_cell(net, name, len); + if (!IS_ERR(cell)) { +- afs_put_cell(net, cell); ++ afs_unuse_cell(net, cell); + return 0; + } + +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 257c0f07742fb..0363511290c8d 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -363,7 +363,8 @@ struct afs_cell { + #endif + time64_t dns_expiry; /* Time AFSDB/SRV record expires */ + time64_t last_inactive; /* Time of last drop of usage count */ +- atomic_t usage; ++ atomic_t ref; /* Struct refcount */ ++ atomic_t active; /* Active usage counter */ + unsigned long flags; + #define AFS_CELL_FL_NO_GC 0 /* The cell was added manually, don't auto-gc */ + #define AFS_CELL_FL_DO_LOOKUP 1 /* DNS lookup requested */ +@@ -920,8 +921,11 @@ extern int afs_cell_init(struct afs_net *, const char *); + extern struct afs_cell *afs_find_cell(struct afs_net *, const char *, unsigned); + extern struct afs_cell *afs_lookup_cell(struct afs_net *, const char *, unsigned, + const char *, bool); ++extern struct afs_cell *afs_use_cell(struct afs_cell *); ++extern void afs_unuse_cell(struct afs_net *, struct afs_cell *); + extern struct afs_cell *afs_get_cell(struct afs_cell *); +-extern void afs_put_cell(struct afs_net *, struct afs_cell *); ++extern void afs_put_cell(struct afs_cell *); ++extern void afs_queue_cell(struct afs_cell *); + extern void afs_manage_cells(struct work_struct *); + extern void afs_cells_timer(struct timer_list *); + extern void __net_exit afs_cell_purge(struct afs_net *); +diff --git a/fs/afs/mntpt.c b/fs/afs/mntpt.c +index 79bc5f1338edf..c69a0282960cc 100644 +--- a/fs/afs/mntpt.c ++++ b/fs/afs/mntpt.c +@@ -88,7 +88,7 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt) + ctx->force = true; + } + if (ctx->cell) { +- afs_put_cell(ctx->net, ctx->cell); ++ afs_unuse_cell(ctx->net, ctx->cell); + ctx->cell = NULL; + } + if (test_bit(AFS_VNODE_PSEUDODIR, &vnode->flags)) { +@@ -124,7 +124,7 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt) + char *buf; + + if (src_as->cell) +- ctx->cell = afs_get_cell(src_as->cell); ++ ctx->cell = afs_use_cell(src_as->cell); + + if (size < 2 || size > PAGE_SIZE - 1) + return -EINVAL; +diff --git a/fs/afs/proc.c b/fs/afs/proc.c +index e8babb62ed442..76fbe0560cfb7 100644 +--- a/fs/afs/proc.c ++++ b/fs/afs/proc.c +@@ -38,7 +38,7 @@ static int afs_proc_cells_show(struct seq_file *m, void *v) + + if (v == SEQ_START_TOKEN) { + /* display header on line 1 */ +- seq_puts(m, "USE TTL SV ST NAME\n"); ++ seq_puts(m, "USE ACT TTL SV ST NAME\n"); + return 0; + } + +@@ -46,10 +46,11 @@ static int afs_proc_cells_show(struct seq_file *m, void *v) + vllist = rcu_dereference(cell->vl_servers); + + /* display one cell per line on subsequent lines */ +- seq_printf(m, "%3u %6lld %2u %2u %s\n", +- atomic_read(&cell->usage), ++ seq_printf(m, "%3u %3u %6lld %2u %2u %s\n", ++ atomic_read(&cell->ref), ++ atomic_read(&cell->active), + cell->dns_expiry - ktime_get_real_seconds(), +- vllist->nr_servers, ++ vllist ? vllist->nr_servers : 0, + cell->state, + cell->name); + return 0; +@@ -128,7 +129,7 @@ static int afs_proc_cells_write(struct file *file, char *buf, size_t size) + } + + if (test_and_set_bit(AFS_CELL_FL_NO_GC, &cell->flags)) +- afs_put_cell(net, cell); ++ afs_unuse_cell(net, cell); + } else { + goto inval; + } +@@ -154,13 +155,11 @@ static int afs_proc_rootcell_show(struct seq_file *m, void *v) + struct afs_net *net; + + net = afs_seq2net_single(m); +- if (rcu_access_pointer(net->ws_cell)) { +- rcu_read_lock(); +- cell = rcu_dereference(net->ws_cell); +- if (cell) +- seq_printf(m, "%s\n", cell->name); +- rcu_read_unlock(); +- } ++ down_read(&net->cells_lock); ++ cell = net->ws_cell; ++ if (cell) ++ seq_printf(m, "%s\n", cell->name); ++ up_read(&net->cells_lock); + return 0; + } + +diff --git a/fs/afs/super.c b/fs/afs/super.c +index 0be99016ecfb9..e72c223f831d2 100644 +--- a/fs/afs/super.c ++++ b/fs/afs/super.c +@@ -294,7 +294,7 @@ static int afs_parse_source(struct fs_context *fc, struct fs_parameter *param) + cellnamesz, cellnamesz, cellname ?: ""); + return PTR_ERR(cell); + } +- afs_put_cell(ctx->net, ctx->cell); ++ afs_unuse_cell(ctx->net, ctx->cell); + ctx->cell = cell; + } + +@@ -389,8 +389,8 @@ static int afs_validate_fc(struct fs_context *fc) + _debug("switch to alias"); + key_put(ctx->key); + ctx->key = NULL; +- cell = afs_get_cell(ctx->cell->alias_of); +- afs_put_cell(ctx->net, ctx->cell); ++ cell = afs_use_cell(ctx->cell->alias_of); ++ afs_unuse_cell(ctx->net, ctx->cell); + ctx->cell = cell; + goto reget_key; + } +@@ -508,7 +508,7 @@ static struct afs_super_info *afs_alloc_sbi(struct fs_context *fc) + if (ctx->dyn_root) { + as->dyn_root = true; + } else { +- as->cell = afs_get_cell(ctx->cell); ++ as->cell = afs_use_cell(ctx->cell); + as->volume = afs_get_volume(ctx->volume, + afs_volume_trace_get_alloc_sbi); + } +@@ -521,7 +521,7 @@ static void afs_destroy_sbi(struct afs_super_info *as) + if (as) { + struct afs_net *net = afs_net(as->net_ns); + afs_put_volume(net, as->volume, afs_volume_trace_put_destroy_sbi); +- afs_put_cell(net, as->cell); ++ afs_unuse_cell(net, as->cell); + put_net(as->net_ns); + kfree(as); + } +@@ -607,7 +607,7 @@ static void afs_free_fc(struct fs_context *fc) + + afs_destroy_sbi(fc->s_fs_info); + afs_put_volume(ctx->net, ctx->volume, afs_volume_trace_put_free_fc); +- afs_put_cell(ctx->net, ctx->cell); ++ afs_unuse_cell(ctx->net, ctx->cell); + key_put(ctx->key); + kfree(ctx); + } +diff --git a/fs/afs/vl_alias.c b/fs/afs/vl_alias.c +index 5082ef04e99c5..ddb4cb67d0fd9 100644 +--- a/fs/afs/vl_alias.c ++++ b/fs/afs/vl_alias.c +@@ -177,7 +177,7 @@ static int afs_compare_cell_roots(struct afs_cell *cell) + + is_alias: + rcu_read_unlock(); +- cell->alias_of = afs_get_cell(p); ++ cell->alias_of = afs_use_cell(p); + return 1; + } + +@@ -247,18 +247,18 @@ static int afs_query_for_alias(struct afs_cell *cell, struct key *key) + continue; + if (p->root_volume) + continue; /* Ignore cells that have a root.cell volume. */ +- afs_get_cell(p); ++ afs_use_cell(p); + mutex_unlock(&cell->net->proc_cells_lock); + + if (afs_query_for_alias_one(cell, key, p) != 0) + goto is_alias; + + if (mutex_lock_interruptible(&cell->net->proc_cells_lock) < 0) { +- afs_put_cell(cell->net, p); ++ afs_unuse_cell(cell->net, p); + return -ERESTARTSYS; + } + +- afs_put_cell(cell->net, p); ++ afs_unuse_cell(cell->net, p); + } + + mutex_unlock(&cell->net->proc_cells_lock); +diff --git a/fs/afs/vl_rotate.c b/fs/afs/vl_rotate.c +index c0458c903b310..da3b072d4d638 100644 +--- a/fs/afs/vl_rotate.c ++++ b/fs/afs/vl_rotate.c +@@ -45,7 +45,7 @@ static bool afs_start_vl_iteration(struct afs_vl_cursor *vc) + cell->dns_expiry <= ktime_get_real_seconds()) { + dns_lookup_count = smp_load_acquire(&cell->dns_lookup_count); + set_bit(AFS_CELL_FL_DO_LOOKUP, &cell->flags); +- queue_work(afs_wq, &cell->manager); ++ afs_queue_cell(cell); + + if (cell->dns_source == DNS_RECORD_UNAVAILABLE) { + if (wait_var_event_interruptible( +diff --git a/fs/afs/volume.c b/fs/afs/volume.c +index 9bc0509e3634c..a838030e95634 100644 +--- a/fs/afs/volume.c ++++ b/fs/afs/volume.c +@@ -106,7 +106,7 @@ static struct afs_volume *afs_alloc_volume(struct afs_fs_context *params, + return volume; + + error_1: +- afs_put_cell(params->net, volume->cell); ++ afs_put_cell(volume->cell); + kfree(volume); + error_0: + return ERR_PTR(ret); +@@ -228,7 +228,7 @@ static void afs_destroy_volume(struct afs_net *net, struct afs_volume *volume) + + afs_remove_volume_from_cell(volume); + afs_put_serverlist(net, rcu_access_pointer(volume->servers)); +- afs_put_cell(net, volume->cell); ++ afs_put_cell(volume->cell); + trace_afs_volume(volume->vid, atomic_read(&volume->usage), + afs_volume_trace_free); + kfree_rcu(volume, rcu); +-- +2.25.1 + diff --git a/queue-5.9/afs-fix-cell-removal.patch b/queue-5.9/afs-fix-cell-removal.patch new file mode 100644 index 00000000000..f2f32cc2c6b --- /dev/null +++ b/queue-5.9/afs-fix-cell-removal.patch @@ -0,0 +1,104 @@ +From 1e31695102c14ff273d52b35b910a77e8ac70af6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 13:21:14 +0100 +Subject: afs: Fix cell removal + +From: David Howells + +[ Upstream commit 1d0e850a49a5b56f8f3cb51e74a11e2fedb96be6 ] + +Fix cell removal by inserting a more final state than AFS_CELL_FAILED that +indicates that the cell has been unpublished in case the manager is already +requeued and will go through again. The new AFS_CELL_REMOVED state will +just immediately leave the manager function. + +Going through a second time in the AFS_CELL_FAILED state will cause it to +try to remove the cell again, potentially leading to the proc list being +removed. + +Fixes: 989782dcdc91 ("afs: Overhaul cell database management") +Reported-by: syzbot+b994ecf2b023f14832c1@syzkaller.appspotmail.com +Reported-by: syzbot+0e0db88e1eb44a91ae8d@syzkaller.appspotmail.com +Reported-by: syzbot+2d0585e5efcd43d113c2@syzkaller.appspotmail.com +Reported-by: syzbot+1ecc2f9d3387f1d79d42@syzkaller.appspotmail.com +Reported-by: syzbot+18d51774588492bf3f69@syzkaller.appspotmail.com +Reported-by: syzbot+a5e4946b04d6ca8fa5f3@syzkaller.appspotmail.com +Suggested-by: Hillf Danton +Signed-off-by: David Howells +cc: Hillf Danton +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 16 ++++++++++------ + fs/afs/internal.h | 1 + + 2 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index 1944be78e9b0d..bc7ed46aaca9f 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -291,11 +291,11 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + wait_var_event(&cell->state, + ({ + state = smp_load_acquire(&cell->state); /* vs error */ +- state == AFS_CELL_ACTIVE || state == AFS_CELL_FAILED; ++ state == AFS_CELL_ACTIVE || state == AFS_CELL_REMOVED; + })); + + /* Check the state obtained from the wait check. */ +- if (state == AFS_CELL_FAILED) { ++ if (state == AFS_CELL_REMOVED) { + ret = cell->error; + goto error; + } +@@ -700,7 +700,6 @@ static void afs_deactivate_cell(struct afs_net *net, struct afs_cell *cell) + static void afs_manage_cell(struct afs_cell *cell) + { + struct afs_net *net = cell->net; +- bool deleted; + int ret, active; + + _enter("%s", cell->name); +@@ -712,13 +711,15 @@ static void afs_manage_cell(struct afs_cell *cell) + case AFS_CELL_FAILED: + down_write(&net->cells_lock); + active = 1; +- deleted = atomic_try_cmpxchg_relaxed(&cell->active, &active, 0); +- if (deleted) { ++ if (atomic_try_cmpxchg_relaxed(&cell->active, &active, 0)) { + rb_erase(&cell->net_node, &net->cells); ++ smp_store_release(&cell->state, AFS_CELL_REMOVED); + } + up_write(&net->cells_lock); +- if (deleted) ++ if (cell->state == AFS_CELL_REMOVED) { ++ wake_up_var(&cell->state); + goto final_destruction; ++ } + if (cell->state == AFS_CELL_FAILED) + goto done; + smp_store_release(&cell->state, AFS_CELL_UNSET); +@@ -760,6 +761,9 @@ static void afs_manage_cell(struct afs_cell *cell) + wake_up_var(&cell->state); + goto again; + ++ case AFS_CELL_REMOVED: ++ goto done; ++ + default: + break; + } +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 0363511290c8d..06e617ee4cd1e 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -326,6 +326,7 @@ enum afs_cell_state { + AFS_CELL_DEACTIVATING, + AFS_CELL_INACTIVE, + AFS_CELL_FAILED, ++ AFS_CELL_REMOVED, + }; + + /* +-- +2.25.1 + diff --git a/queue-5.9/afs-fix-rapid-cell-addition-removal-by-not-using-rcu.patch b/queue-5.9/afs-fix-rapid-cell-addition-removal-by-not-using-rcu.patch new file mode 100644 index 00000000000..4a7d119c7eb --- /dev/null +++ b/queue-5.9/afs-fix-rapid-cell-addition-removal-by-not-using-rcu.patch @@ -0,0 +1,394 @@ +From 7835564e4becb6231db76def45869ef6946e0b23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 14:11:58 +0100 +Subject: afs: Fix rapid cell addition/removal by not using RCU on cells tree + +From: David Howells + +[ Upstream commit 92e3cc91d8f51ce64a8b7c696377180953dd316e ] + +There are a number of problems that are being seen by the rapidly mounting +and unmounting an afs dynamic root with an explicit cell and volume +specified (which should probably be rejected, but that's a separate issue): + +What the tests are doing is to look up/create a cell record for the name +given and then tear it down again without actually using it to try to talk +to a server. This is repeated endlessly, very fast, and the new cell +collides with the old one if it's not quick enough to reuse it. + +It appears (as suggested by Hillf Danton) that the search through the RB +tree under a read_seqbegin_or_lock() under RCU conditions isn't safe and +that it's not blocking the write_seqlock(), despite taking two passes at +it. He suggested that the code should take a ref on the cell it's +attempting to look at - but this shouldn't be necessary until we've +compared the cell names. It's possible that I'm missing a barrier +somewhere. + +However, using an RCU search for this is overkill, really - we only need to +access the cell name in a few places, and they're places where we're may +end up sleeping anyway. + +Fix this by switching to an R/W semaphore instead. + +Additionally, draw the down_read() call inside the function (renamed to +afs_find_cell()) since all the callers were taking the RCU read lock (or +should've been[*]). + +[*] afs_probe_cell_name() should have been, but that doesn't appear to be +involved in the bug reports. + +The symptoms of this look like: + + general protection fault, probably for non-canonical address 0xf27d208691691fdb: 0000 [#1] PREEMPT SMP KASAN + KASAN: maybe wild-memory-access in range [0x93e924348b48fed8-0x93e924348b48fedf] + ... + RIP: 0010:strncasecmp lib/string.c:52 [inline] + RIP: 0010:strncasecmp+0x5f/0x240 lib/string.c:43 + afs_lookup_cell_rcu+0x313/0x720 fs/afs/cell.c:88 + afs_lookup_cell+0x2ee/0x1440 fs/afs/cell.c:249 + afs_parse_source fs/afs/super.c:290 [inline] + ... + +Fixes: 989782dcdc91 ("afs: Overhaul cell database management") +Reported-by: syzbot+459a5dce0b4cb70fd076@syzkaller.appspotmail.com +Signed-off-by: David Howells +cc: Hillf Danton +cc: syzkaller-bugs@googlegroups.com +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 131 ++++++++++++++++++++-------------------------- + fs/afs/dynroot.c | 21 +++----- + fs/afs/internal.h | 6 +-- + fs/afs/main.c | 2 +- + fs/afs/super.c | 4 +- + 5 files changed, 71 insertions(+), 93 deletions(-) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index 5b79cdceefa0f..5da83e84952a2 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -41,15 +41,15 @@ static void afs_set_cell_timer(struct afs_net *net, time64_t delay) + } + + /* +- * Look up and get an activation reference on a cell record under RCU +- * conditions. The caller must hold the RCU read lock. ++ * Look up and get an activation reference on a cell record. The caller must ++ * hold net->cells_lock at least read-locked. + */ +-struct afs_cell *afs_lookup_cell_rcu(struct afs_net *net, +- const char *name, unsigned int namesz) ++static struct afs_cell *afs_find_cell_locked(struct afs_net *net, ++ const char *name, unsigned int namesz) + { + struct afs_cell *cell = NULL; + struct rb_node *p; +- int n, seq = 0, ret = 0; ++ int n; + + _enter("%*.*s", namesz, namesz, name); + +@@ -58,61 +58,48 @@ struct afs_cell *afs_lookup_cell_rcu(struct afs_net *net, + if (namesz > AFS_MAXCELLNAME) + return ERR_PTR(-ENAMETOOLONG); + +- do { +- /* Unfortunately, rbtree walking doesn't give reliable results +- * under just the RCU read lock, so we have to check for +- * changes. +- */ +- if (cell) +- afs_put_cell(net, cell); +- cell = NULL; +- ret = -ENOENT; +- +- read_seqbegin_or_lock(&net->cells_lock, &seq); +- +- if (!name) { +- cell = rcu_dereference_raw(net->ws_cell); +- if (cell) { +- afs_get_cell(cell); +- ret = 0; +- break; +- } +- ret = -EDESTADDRREQ; +- continue; +- } ++ if (!name) { ++ cell = net->ws_cell; ++ if (!cell) ++ return ERR_PTR(-EDESTADDRREQ); ++ afs_get_cell(cell); ++ return cell; ++ } + +- p = rcu_dereference_raw(net->cells.rb_node); +- while (p) { +- cell = rb_entry(p, struct afs_cell, net_node); +- +- n = strncasecmp(cell->name, name, +- min_t(size_t, cell->name_len, namesz)); +- if (n == 0) +- n = cell->name_len - namesz; +- if (n < 0) { +- p = rcu_dereference_raw(p->rb_left); +- } else if (n > 0) { +- p = rcu_dereference_raw(p->rb_right); +- } else { +- if (atomic_inc_not_zero(&cell->usage)) { +- ret = 0; +- break; +- } +- /* We want to repeat the search, this time with +- * the lock properly locked. +- */ +- } +- cell = NULL; +- } ++ p = net->cells.rb_node; ++ while (p) { ++ cell = rb_entry(p, struct afs_cell, net_node); + +- } while (need_seqretry(&net->cells_lock, seq)); ++ n = strncasecmp(cell->name, name, ++ min_t(size_t, cell->name_len, namesz)); ++ if (n == 0) ++ n = cell->name_len - namesz; ++ if (n < 0) ++ p = p->rb_left; ++ else if (n > 0) ++ p = p->rb_right; ++ else ++ goto found; ++ } ++ ++ return ERR_PTR(-ENOENT); + +- done_seqretry(&net->cells_lock, seq); ++found: ++ if (!atomic_inc_not_zero(&cell->usage)) ++ return ERR_PTR(-ENOENT); + +- if (ret != 0 && cell) +- afs_put_cell(net, cell); ++ return cell; ++} + +- return ret == 0 ? cell : ERR_PTR(ret); ++struct afs_cell *afs_find_cell(struct afs_net *net, ++ const char *name, unsigned int namesz) ++{ ++ struct afs_cell *cell; ++ ++ down_read(&net->cells_lock); ++ cell = afs_find_cell_locked(net, name, namesz); ++ up_read(&net->cells_lock); ++ return cell; + } + + /* +@@ -245,9 +232,7 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + _enter("%s,%s", name, vllist); + + if (!excl) { +- rcu_read_lock(); +- cell = afs_lookup_cell_rcu(net, name, namesz); +- rcu_read_unlock(); ++ cell = afs_find_cell(net, name, namesz); + if (!IS_ERR(cell)) + goto wait_for_cell; + } +@@ -268,7 +253,7 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + /* Find the insertion point and check to see if someone else added a + * cell whilst we were allocating. + */ +- write_seqlock(&net->cells_lock); ++ down_write(&net->cells_lock); + + pp = &net->cells.rb_node; + parent = NULL; +@@ -293,7 +278,7 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + rb_link_node_rcu(&cell->net_node, parent, pp); + rb_insert_color(&cell->net_node, &net->cells); + atomic_inc(&net->cells_outstanding); +- write_sequnlock(&net->cells_lock); ++ up_write(&net->cells_lock); + + queue_work(afs_wq, &cell->manager); + +@@ -323,7 +308,7 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + afs_get_cell(cursor); + ret = 0; + } +- write_sequnlock(&net->cells_lock); ++ up_write(&net->cells_lock); + kfree(candidate); + if (ret == 0) + goto wait_for_cell; +@@ -377,10 +362,10 @@ int afs_cell_init(struct afs_net *net, const char *rootcell) + afs_get_cell(new_root); + + /* install the new cell */ +- write_seqlock(&net->cells_lock); +- old_root = rcu_access_pointer(net->ws_cell); +- rcu_assign_pointer(net->ws_cell, new_root); +- write_sequnlock(&net->cells_lock); ++ down_write(&net->cells_lock); ++ old_root = net->ws_cell; ++ net->ws_cell = new_root; ++ up_write(&net->cells_lock); + + afs_put_cell(net, old_root); + _leave(" = 0"); +@@ -674,12 +659,12 @@ static void afs_manage_cell(struct work_struct *work) + switch (cell->state) { + case AFS_CELL_INACTIVE: + case AFS_CELL_FAILED: +- write_seqlock(&net->cells_lock); ++ down_write(&net->cells_lock); + usage = 1; + deleted = atomic_try_cmpxchg_relaxed(&cell->usage, &usage, 0); + if (deleted) + rb_erase(&cell->net_node, &net->cells); +- write_sequnlock(&net->cells_lock); ++ up_write(&net->cells_lock); + if (deleted) + goto final_destruction; + if (cell->state == AFS_CELL_FAILED) +@@ -779,7 +764,7 @@ void afs_manage_cells(struct work_struct *work) + * lack of use and cells whose DNS results have expired and dispatch + * their managers. + */ +- read_seqlock_excl(&net->cells_lock); ++ down_read(&net->cells_lock); + + for (cursor = rb_first(&net->cells); cursor; cursor = rb_next(cursor)) { + struct afs_cell *cell = +@@ -824,7 +809,7 @@ void afs_manage_cells(struct work_struct *work) + queue_work(afs_wq, &cell->manager); + } + +- read_sequnlock_excl(&net->cells_lock); ++ up_read(&net->cells_lock); + + /* Update the timer on the way out. We have to pass an increment on + * cells_outstanding in the namespace that we are in to the timer or +@@ -854,10 +839,10 @@ void afs_cell_purge(struct afs_net *net) + + _enter(""); + +- write_seqlock(&net->cells_lock); +- ws = rcu_access_pointer(net->ws_cell); +- RCU_INIT_POINTER(net->ws_cell, NULL); +- write_sequnlock(&net->cells_lock); ++ down_write(&net->cells_lock); ++ ws = net->ws_cell; ++ net->ws_cell = NULL; ++ up_write(&net->cells_lock); + afs_put_cell(net, ws); + + _debug("del timer"); +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 7b784af604fd9..5b8de4fee6cda 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -123,7 +123,7 @@ static int afs_probe_cell_name(struct dentry *dentry) + len--; + } + +- cell = afs_lookup_cell_rcu(net, name, len); ++ cell = afs_find_cell(net, name, len); + if (!IS_ERR(cell)) { + afs_put_cell(net, cell); + return 0; +@@ -179,7 +179,6 @@ static struct dentry *afs_lookup_atcell(struct dentry *dentry) + struct afs_cell *cell; + struct afs_net *net = afs_d2net(dentry); + struct dentry *ret; +- unsigned int seq = 0; + char *name; + int len; + +@@ -191,17 +190,13 @@ static struct dentry *afs_lookup_atcell(struct dentry *dentry) + if (!name) + goto out_p; + +- rcu_read_lock(); +- do { +- read_seqbegin_or_lock(&net->cells_lock, &seq); +- cell = rcu_dereference_raw(net->ws_cell); +- if (cell) { +- len = cell->name_len; +- memcpy(name, cell->name, len + 1); +- } +- } while (need_seqretry(&net->cells_lock, seq)); +- done_seqretry(&net->cells_lock, seq); +- rcu_read_unlock(); ++ down_read(&net->cells_lock); ++ cell = net->ws_cell; ++ if (cell) { ++ len = cell->name_len; ++ memcpy(name, cell->name, len + 1); ++ } ++ up_read(&net->cells_lock); + + ret = ERR_PTR(-ENOENT); + if (!cell) +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index e5f0446f27e5f..257c0f07742fb 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -263,11 +263,11 @@ struct afs_net { + + /* Cell database */ + struct rb_root cells; +- struct afs_cell __rcu *ws_cell; ++ struct afs_cell *ws_cell; + struct work_struct cells_manager; + struct timer_list cells_timer; + atomic_t cells_outstanding; +- seqlock_t cells_lock; ++ struct rw_semaphore cells_lock; + struct mutex cells_alias_lock; + + struct mutex proc_cells_lock; +@@ -917,7 +917,7 @@ static inline bool afs_cb_is_broken(unsigned int cb_break, + * cell.c + */ + extern int afs_cell_init(struct afs_net *, const char *); +-extern struct afs_cell *afs_lookup_cell_rcu(struct afs_net *, const char *, unsigned); ++extern struct afs_cell *afs_find_cell(struct afs_net *, const char *, unsigned); + extern struct afs_cell *afs_lookup_cell(struct afs_net *, const char *, unsigned, + const char *, bool); + extern struct afs_cell *afs_get_cell(struct afs_cell *); +diff --git a/fs/afs/main.c b/fs/afs/main.c +index 31b472f7c734c..accdd8970e7c0 100644 +--- a/fs/afs/main.c ++++ b/fs/afs/main.c +@@ -78,7 +78,7 @@ static int __net_init afs_net_init(struct net *net_ns) + mutex_init(&net->socket_mutex); + + net->cells = RB_ROOT; +- seqlock_init(&net->cells_lock); ++ init_rwsem(&net->cells_lock); + INIT_WORK(&net->cells_manager, afs_manage_cells); + timer_setup(&net->cells_timer, afs_cells_timer, 0); + +diff --git a/fs/afs/super.c b/fs/afs/super.c +index b552357b1d137..0be99016ecfb9 100644 +--- a/fs/afs/super.c ++++ b/fs/afs/super.c +@@ -634,9 +634,7 @@ static int afs_init_fs_context(struct fs_context *fc) + ctx->net = afs_net(fc->net_ns); + + /* Default to the workstation cell. */ +- rcu_read_lock(); +- cell = afs_lookup_cell_rcu(ctx->net, NULL, 0); +- rcu_read_unlock(); ++ cell = afs_find_cell(ctx->net, NULL, 0); + if (IS_ERR(cell)) + cell = NULL; + ctx->cell = cell; +-- +2.25.1 + diff --git a/queue-5.9/alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch b/queue-5.9/alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch new file mode 100644 index 00000000000..fc281be57e0 --- /dev/null +++ b/queue-5.9/alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch @@ -0,0 +1,70 @@ +From 961afecf16f4260443da33b83f840c532a6b9cd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 16:10:37 -0400 +Subject: ALSA: hda/ca0132 - Add AE-7 microphone selection commands. + +From: Connor McAdams + +[ Upstream commit ed93f9750c6c2ed371347d0aac3dcd31cb9cf256 ] + +Add AE-7 quirk data for setting of microphone. The AE-7 has no front +panel connector, so only rear-mic/line-in have new commands. + +Signed-off-by: Connor McAdams +Link: https://lore.kernel.org/r/20200825201040.30339-19-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index b7dbf2e7f77af..c68669911de0a 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4675,6 +4675,15 @@ static int ca0132_alt_select_in(struct hda_codec *codec) + ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00); + tmp = FLOAT_THREE; + break; ++ case QUIRK_AE7: ++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00); ++ tmp = FLOAT_THREE; ++ chipio_set_conn_rate(codec, MEM_CONNID_MICIN2, ++ SR_96_000); ++ chipio_set_conn_rate(codec, MEM_CONNID_MICOUT2, ++ SR_96_000); ++ dspio_set_uint_param(codec, 0x80, 0x01, FLOAT_ZERO); ++ break; + default: + tmp = FLOAT_ONE; + break; +@@ -4720,6 +4729,14 @@ static int ca0132_alt_select_in(struct hda_codec *codec) + case QUIRK_AE5: + ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00); + break; ++ case QUIRK_AE7: ++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x3f); ++ chipio_set_conn_rate(codec, MEM_CONNID_MICIN2, ++ SR_96_000); ++ chipio_set_conn_rate(codec, MEM_CONNID_MICOUT2, ++ SR_96_000); ++ dspio_set_uint_param(codec, 0x80, 0x01, FLOAT_ZERO); ++ break; + default: + break; + } +@@ -4729,7 +4746,10 @@ static int ca0132_alt_select_in(struct hda_codec *codec) + if (ca0132_quirk(spec) == QUIRK_R3DI) + chipio_set_conn_rate(codec, 0x0F, SR_96_000); + +- tmp = FLOAT_ZERO; ++ if (ca0132_quirk(spec) == QUIRK_AE7) ++ tmp = FLOAT_THREE; ++ else ++ tmp = FLOAT_ZERO; + dspio_set_uint_param(codec, 0x80, 0x00, tmp); + + switch (ca0132_quirk(spec)) { +-- +2.25.1 + diff --git a/queue-5.9/alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch b/queue-5.9/alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch new file mode 100644 index 00000000000..f7e0a90c279 --- /dev/null +++ b/queue-5.9/alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch @@ -0,0 +1,42 @@ +From a7f3cb5cd4703d83fad7e81ffd1af357cdfe6429 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 16:10:29 -0400 +Subject: ALSA: hda/ca0132 - Add new quirk ID for SoundBlaster AE-7. + +From: Connor McAdams + +[ Upstream commit 620f08eea6d6961b789af3fa3ea86725c8c93ece ] + +Add a new PCI subsystem ID for the SoundBlaster AE-7 card. + +Signed-off-by: Connor McAdams +Link: https://lore.kernel.org/r/20200825201040.30339-11-conmanx360@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index c68669911de0a..a3eecdf9185e8 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1065,6 +1065,7 @@ enum { + QUIRK_R3DI, + QUIRK_R3D, + QUIRK_AE5, ++ QUIRK_AE7, + }; + + #ifdef CONFIG_PCI +@@ -1184,6 +1185,7 @@ static const struct snd_pci_quirk ca0132_quirks[] = { + SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D), + SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D), + SND_PCI_QUIRK(0x1102, 0x0051, "Sound Blaster AE-5", QUIRK_AE5), ++ SND_PCI_QUIRK(0x1102, 0x0081, "Sound Blaster AE-7", QUIRK_AE7), + {} + }; + +-- +2.25.1 + diff --git a/queue-5.9/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch b/queue-5.9/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch new file mode 100644 index 00000000000..edaa20b9a50 --- /dev/null +++ b/queue-5.9/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch @@ -0,0 +1,51 @@ +From 31c08ea19a5ebb28d7b7173bc494d3850dfcdceb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 10:38:56 +0200 +Subject: ALSA: seq: oss: Avoid mutex lock for a long-time ioctl + +From: Takashi Iwai + +[ Upstream commit 2759caad2600d503c3b0ed800e7e03d2cd7a4c05 ] + +Recently we applied a fix to cover the whole OSS sequencer ioctls with +the mutex for dealing with the possible races. This works fine in +general, but in theory, this may lead to unexpectedly long stall if an +ioctl like SNDCTL_SEQ_SYNC is issued and an event with the far future +timestamp was queued. + +For fixing such a potential stall, this patch changes the mutex lock +applied conditionally excluding such an ioctl command. Also, change +the mutex_lock() with the interruptible version for user to allow +escaping from the big-hammer mutex. + +Fixes: 80982c7e834e ("ALSA: seq: oss: Serialize ioctls") +Suggested-by: Pavel Machek +Link: https://lore.kernel.org/r/20200922083856.28572-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/oss/seq_oss.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c +index c8b9c0b315d8f..250a92b187265 100644 +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -174,9 +174,12 @@ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + if (snd_BUG_ON(!dp)) + return -ENXIO; + +- mutex_lock(®ister_mutex); ++ if (cmd != SNDCTL_SEQ_SYNC && ++ mutex_lock_interruptible(®ister_mutex)) ++ return -ERESTARTSYS; + rc = snd_seq_oss_ioctl(dp, cmd, arg); +- mutex_unlock(®ister_mutex); ++ if (cmd != SNDCTL_SEQ_SYNC) ++ mutex_unlock(®ister_mutex); + return rc; + } + +-- +2.25.1 + diff --git a/queue-5.9/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch b/queue-5.9/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch new file mode 100644 index 00000000000..5f32b078ca7 --- /dev/null +++ b/queue-5.9/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch @@ -0,0 +1,45 @@ +From 5d6867525bd22d1ed120c4efb502a88945433f00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:46:52 +0300 +Subject: arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER + +From: Necip Fazil Yildiran + +[ Upstream commit 63bcf87cb1c57956e1179f1a78dde625c7e3cba7 ] + +When ARC_SOC_HSDK is enabled and RESET_CONTROLLER is disabled, it results +in the following Kbuild warning: + +WARNING: unmet direct dependencies detected for RESET_HSDK + Depends on [n]: RESET_CONTROLLER [=n] && HAS_IOMEM [=y] && (ARC_SOC_HSDK [=y] || COMPILE_TEST [=n]) + Selected by [y]: + - ARC_SOC_HSDK [=y] && ISA_ARCV2 [=y] + +The reason is that ARC_SOC_HSDK selects RESET_HSDK without depending on or +selecting RESET_CONTROLLER while RESET_HSDK is subordinate to +RESET_CONTROLLER. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: a528629dfd3b ("ARC: [plat-hsdk] select CONFIG_RESET_HSDK from Kconfig") +Signed-off-by: Necip Fazil Yildiran +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/plat-hsdk/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arc/plat-hsdk/Kconfig b/arch/arc/plat-hsdk/Kconfig +index ce81018345184..6b5c54576f54d 100644 +--- a/arch/arc/plat-hsdk/Kconfig ++++ b/arch/arc/plat-hsdk/Kconfig +@@ -8,5 +8,6 @@ menuconfig ARC_SOC_HSDK + select ARC_HAS_ACCL_REGS + select ARC_IRQ_NO_AUTOSAVE + select CLK_HSDK ++ select RESET_CONTROLLER + select RESET_HSDK + select HAVE_PCI +-- +2.25.1 + diff --git a/queue-5.9/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch b/queue-5.9/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch new file mode 100644 index 00000000000..1c6092125c7 --- /dev/null +++ b/queue-5.9/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch @@ -0,0 +1,68 @@ +From 3298f9314f2e12af45703d58050d9f766f2a4381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 16:58:06 +0100 +Subject: ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT + values + +From: Guillaume Tucker + +[ Upstream commit 8e007b367a59bcdf484c81f6df9bd5a4cc179ca6 ] + +The L310_PREFETCH_CTRL register bits 28 and 29 to enable data and +instruction prefetch respectively can also be accessed via the +L2X0_AUX_CTRL register. They appear to be actually wired together in +hardware between the registers. Changing them in the prefetch +register only will get undone when restoring the aux control register +later on. For this reason, set these bits in both registers during +initialisation according to the devicetree property values. + +Link: https://lore.kernel.org/lkml/76f2f3ad5e77e356e0a5b99ceee1e774a2842c25.1597061474.git.guillaume.tucker@collabora.com/ + +Fixes: ec3bd0e68a67 ("ARM: 8391/1: l2c: add options to overwrite prefetching behavior") +Signed-off-by: Guillaume Tucker +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/cache-l2x0.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c +index 12c26eb88afbc..43d91bfd23600 100644 +--- a/arch/arm/mm/cache-l2x0.c ++++ b/arch/arm/mm/cache-l2x0.c +@@ -1249,20 +1249,28 @@ static void __init l2c310_of_parse(const struct device_node *np, + + ret = of_property_read_u32(np, "prefetch-data", &val); + if (ret == 0) { +- if (val) ++ if (val) { + prefetch |= L310_PREFETCH_CTRL_DATA_PREFETCH; +- else ++ *aux_val |= L310_PREFETCH_CTRL_DATA_PREFETCH; ++ } else { + prefetch &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; ++ *aux_val &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; ++ } ++ *aux_mask &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; + } else if (ret != -EINVAL) { + pr_err("L2C-310 OF prefetch-data property value is missing\n"); + } + + ret = of_property_read_u32(np, "prefetch-instr", &val); + if (ret == 0) { +- if (val) ++ if (val) { + prefetch |= L310_PREFETCH_CTRL_INSTR_PREFETCH; +- else ++ *aux_val |= L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ } else { + prefetch &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ *aux_val &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ } ++ *aux_mask &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; + } else if (ret != -EINVAL) { + pr_err("L2C-310 OF prefetch-instr property value is missing\n"); + } +-- +2.25.1 + diff --git a/queue-5.9/arm-at91-pm-of_node_put-after-its-usage.patch b/queue-5.9/arm-at91-pm-of_node_put-after-its-usage.patch new file mode 100644 index 00000000000..6e38c3df43c --- /dev/null +++ b/queue-5.9/arm-at91-pm-of_node_put-after-its-usage.patch @@ -0,0 +1,35 @@ +From 70d9ac6381862810b32cf50704a2bb36c29ca61a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:36:50 +0300 +Subject: ARM: at91: pm: of_node_put() after its usage + +From: Claudiu Beznea + +[ Upstream commit e222f943519564978e082c152b4140a47e93392c ] + +Put node after it has been used. + +Fixes: 13f16017d3e3f ("ARM: at91: pm: Tie the USB clock mask to the pmc") +Signed-off-by: Claudiu Beznea +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/1596616610-15460-4-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/mach-at91/pm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c +index 2aab043441e8f..eae8aaaadc3bf 100644 +--- a/arch/arm/mach-at91/pm.c ++++ b/arch/arm/mach-at91/pm.c +@@ -800,6 +800,7 @@ static void __init at91_pm_init(void (*pm_idle)(void)) + + pmc_np = of_find_matching_node_and_match(NULL, atmel_pmc_ids, &of_id); + soc_pm.data.pmc = of_iomap(pmc_np, 0); ++ of_node_put(pmc_np); + if (!soc_pm.data.pmc) { + pr_err("AT91: PM not supported, PMC not found\n"); + return; +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-imx6sl-fix-rng-node.patch b/queue-5.9/arm-dts-imx6sl-fix-rng-node.patch new file mode 100644 index 00000000000..b4d140a2ab1 --- /dev/null +++ b/queue-5.9/arm-dts-imx6sl-fix-rng-node.patch @@ -0,0 +1,45 @@ +From 0dfe2852385edccc7c8cc549f26a40b9a502f73d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jul 2020 18:26:01 +0300 +Subject: ARM: dts: imx6sl: fix rng node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +[ Upstream commit 82ffb35c2ce63ef8e0325f75eb48022abcf8edbe ] + +rng DT node was added without a compatible string. + +i.MX driver for RNGC (drivers/char/hw_random/imx-rngc.c) also claims +support for RNGB, and is currently used for i.MX25. + +Let's use this driver also for RNGB block in i.MX6SL. + +Fixes: e29fe21cff96 ("ARM: dts: add device tree source for imx6sl SoC") +Signed-off-by: Horia Geantă +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sl.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi +index 1c7180f285393..91a8c54d5e113 100644 +--- a/arch/arm/boot/dts/imx6sl.dtsi ++++ b/arch/arm/boot/dts/imx6sl.dtsi +@@ -939,8 +939,10 @@ memory-controller@21b0000 { + }; + + rngb: rngb@21b4000 { ++ compatible = "fsl,imx6sl-rngb", "fsl,imx25-rngb"; + reg = <0x021b4000 0x4000>; + interrupts = <0 5 IRQ_TYPE_LEVEL_HIGH>; ++ clocks = <&clks IMX6SL_CLK_DUMMY>; + }; + + weim: weim@21b8000 { +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-iwg20d-q7-common-fix-touch-controller-probe-.patch b/queue-5.9/arm-dts-iwg20d-q7-common-fix-touch-controller-probe-.patch new file mode 100644 index 00000000000..7e9ba6128d7 --- /dev/null +++ b/queue-5.9/arm-dts-iwg20d-q7-common-fix-touch-controller-probe-.patch @@ -0,0 +1,75 @@ +From 8e756bb782079009082ec7b05c8c8473d6b6485b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 09:05:35 +0100 +Subject: ARM: dts: iwg20d-q7-common: Fix touch controller probe failure + +From: Biju Das + +[ Upstream commit 08d7a73fffb6769b1cf2278bf697e692daba3abf ] + +As per the iWave RZ/G1M schematic, the signal LVDS_PPEN controls the +supply voltage for the touch panel, LVDS receiver and RGB LCD panel. Add +a regulator for these device nodes and remove the powerdown-gpios +property from the lvds-receiver node as it results in a touch controller +driver probe failure. + +Fixes: 6f89dd9e9325 ("ARM: dts: iwg20d-q7-common: Add LCD support") +Signed-off-by: Biju Das +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20200924080535.3641-1-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/iwg20d-q7-common.dtsi | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/iwg20d-q7-common.dtsi b/arch/arm/boot/dts/iwg20d-q7-common.dtsi +index ebbe1518ef8a6..63cafd220dba1 100644 +--- a/arch/arm/boot/dts/iwg20d-q7-common.dtsi ++++ b/arch/arm/boot/dts/iwg20d-q7-common.dtsi +@@ -57,7 +57,7 @@ lcd_backlight: backlight { + + lvds-receiver { + compatible = "ti,ds90cf384a", "lvds-decoder"; +- powerdown-gpios = <&gpio7 25 GPIO_ACTIVE_LOW>; ++ power-supply = <&vcc_3v3_tft1>; + + ports { + #address-cells = <1>; +@@ -81,6 +81,7 @@ lvds_receiver_out: endpoint { + panel { + compatible = "edt,etm0700g0dh6"; + backlight = <&lcd_backlight>; ++ power-supply = <&vcc_3v3_tft1>; + + port { + panel_in: endpoint { +@@ -113,6 +114,17 @@ sndcodec: simple-audio-card,codec { + }; + }; + ++ vcc_3v3_tft1: regulator-panel { ++ compatible = "regulator-fixed"; ++ ++ regulator-name = "vcc-3v3-tft1"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ enable-active-high; ++ startup-delay-us = <500>; ++ gpio = <&gpio7 25 GPIO_ACTIVE_HIGH>; ++ }; ++ + vcc_sdhi1: regulator-vcc-sdhi1 { + compatible = "regulator-fixed"; + +@@ -207,6 +219,7 @@ touch: touchpanel@38 { + reg = <0x38>; + interrupt-parent = <&gpio2>; + interrupts = <12 IRQ_TYPE_EDGE_FALLING>; ++ vcc-supply = <&vcc_3v3_tft1>; + }; + }; + +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch b/queue-5.9/arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch new file mode 100644 index 00000000000..1375cca34f4 --- /dev/null +++ b/queue-5.9/arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch @@ -0,0 +1,71 @@ +From 7c2a2c4d0c94242372afc6aadeb753945cdaa39c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Aug 2020 20:19:57 +0200 +Subject: ARM: dts: meson8: remove two invalid interrupt lines from the GPU + node + +From: Martin Blumenstingl + +[ Upstream commit 737e7610b545cc901a9696083c1824a7104b8d1b ] + +The 3.10 vendor kernel defines the following GPU 20 interrupt lines: + #define INT_MALI_GP AM_IRQ(160) + #define INT_MALI_GP_MMU AM_IRQ(161) + #define INT_MALI_PP AM_IRQ(162) + #define INT_MALI_PMU AM_IRQ(163) + #define INT_MALI_PP0 AM_IRQ(164) + #define INT_MALI_PP0_MMU AM_IRQ(165) + #define INT_MALI_PP1 AM_IRQ(166) + #define INT_MALI_PP1_MMU AM_IRQ(167) + #define INT_MALI_PP2 AM_IRQ(168) + #define INT_MALI_PP2_MMU AM_IRQ(169) + #define INT_MALI_PP3 AM_IRQ(170) + #define INT_MALI_PP3_MMU AM_IRQ(171) + #define INT_MALI_PP4 AM_IRQ(172) + #define INT_MALI_PP4_MMU AM_IRQ(173) + #define INT_MALI_PP5 AM_IRQ(174) + #define INT_MALI_PP5_MMU AM_IRQ(175) + #define INT_MALI_PP6 AM_IRQ(176) + #define INT_MALI_PP6_MMU AM_IRQ(177) + #define INT_MALI_PP7 AM_IRQ(178) + #define INT_MALI_PP7_MMU AM_IRQ(179) + +However, the driver from the 3.10 vendor kernel does not use the +following four interrupt lines: +- INT_MALI_PP3 +- INT_MALI_PP3_MMU +- INT_MALI_PP7 +- INT_MALI_PP7_MMU + +Drop the "pp3" and "ppmmu3" interrupt lines. This is also important +because there is no matching entry in interrupt-names for it (meaning +the "pp2" interrupt is actually assigned to the "pp3" interrupt line). + +Fixes: 7d3f6b536e72c9 ("ARM: dts: meson8: add the Mali-450 MP6 GPU") +Reported-by: Thomas Graichen +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Tested-by: thomas graichen +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20200815181957.408649-1-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/meson8.dtsi | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/arm/boot/dts/meson8.dtsi b/arch/arm/boot/dts/meson8.dtsi +index 277c0bb104534..04688e8abce2c 100644 +--- a/arch/arm/boot/dts/meson8.dtsi ++++ b/arch/arm/boot/dts/meson8.dtsi +@@ -240,8 +240,6 @@ mali: gpu@c0000 { + , + , + , +- , +- , + , + , + , +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch b/queue-5.9/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch new file mode 100644 index 00000000000..3fd6925f014 --- /dev/null +++ b/queue-5.9/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch @@ -0,0 +1,53 @@ +From bce6e16c9e519cfc65013a182f860f869d2a9b6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 16:53:17 +0300 +Subject: ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers + +From: Cristian Ciocaltea + +[ Upstream commit 55f6c9931f7c32f19cf221211f099dfd8dab3af9 ] + +The PPI interrupts for cortex-a9 were incorrectly specified, fix them. + +Fixes: fdfe7f4f9d85 ("ARM: dts: Add Actions Semi S500 and LeMaker Guitar") +Signed-off-by: Cristian Ciocaltea +Reviewed-by: Peter Korsgaard +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/owl-s500.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/owl-s500.dtsi b/arch/arm/boot/dts/owl-s500.dtsi +index 5ceb6cc4451d2..1dbe4e8b38ac7 100644 +--- a/arch/arm/boot/dts/owl-s500.dtsi ++++ b/arch/arm/boot/dts/owl-s500.dtsi +@@ -84,21 +84,21 @@ scu: scu@b0020000 { + global_timer: timer@b0020200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0xb0020200 0x100>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + + twd_timer: timer@b0020600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xb0020600 0x20>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + + twd_wdt: wdt@b0020620 { + compatible = "arm,cortex-a9-twd-wdt"; + reg = <0xb0020620 0xe0>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-stm32-fix-dh-pdk2-display-pwm-channel.patch b/queue-5.9/arm-dts-stm32-fix-dh-pdk2-display-pwm-channel.patch new file mode 100644 index 00000000000..541fcf8ed09 --- /dev/null +++ b/queue-5.9/arm-dts-stm32-fix-dh-pdk2-display-pwm-channel.patch @@ -0,0 +1,41 @@ +From 6d2bebe9357ee447d78388ce9e2ea564f9fa140a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 22:32:55 +0200 +Subject: ARM: dts: stm32: Fix DH PDK2 display PWM channel + +From: Marek Vasut + +[ Upstream commit 57592d2a98dbc3bde3ddc062e91a8486bdcb211e ] + +The display PWM channel is number 3 (PWM2 CH4), make it so. + +Fixes: 34e0c7847dcf ("ARM: dts: stm32: Add DH Electronics DHCOM STM32MP1 SoM and PDK2 board") +Signed-off-by: Marek Vasut +Cc: Alexandre Torgue +Cc: Maxime Coquelin +Cc: Patrice Chotard +Cc: Patrick Delaunay +Cc: linux-stm32@st-md-mailman.stormreply.com +To: linux-arm-kernel@lists.infradead.org +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi +index 9cf6d90fbf69f..e4e3c92eb30d3 100644 +--- a/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi ++++ b/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi +@@ -25,7 +25,7 @@ clk_ext_audio_codec: clock-codec { + + display_bl: display-bl { + compatible = "pwm-backlight"; +- pwms = <&pwm2 0 500000 PWM_POLARITY_INVERTED>; ++ pwms = <&pwm2 3 500000 PWM_POLARITY_INVERTED>; + brightness-levels = <0 16 22 30 40 55 75 102 138 188 255>; + default-brightness-level = <8>; + enable-gpios = <&gpioi 0 GPIO_ACTIVE_HIGH>; +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-stm32-fix-sdmmc2-pins-on-av96.patch b/queue-5.9/arm-dts-stm32-fix-sdmmc2-pins-on-av96.patch new file mode 100644 index 00000000000..af3d613bcc1 --- /dev/null +++ b/queue-5.9/arm-dts-stm32-fix-sdmmc2-pins-on-av96.patch @@ -0,0 +1,49 @@ +From 12f7b1434a9baae30b53555d92c89f4b963da73b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 01:27:57 +0200 +Subject: ARM: dts: stm32: Fix sdmmc2 pins on AV96 + +From: Marek Vasut + +[ Upstream commit 1ad6e36ec266cedb0d274aa13253ff1fb2eed4ba ] + +The AV96 uses sdmmc2_d47_pins_c and sdmmc2_d47_sleep_pins_c, which +differ from sdmmc2_d47_pins_b and sdmmc2_d47_sleep_pins_b in one +pin, SDMMC2_D5, which is PA15 in the former and PA9 in the later. +The PA15 is correct on AV96, so fix this. This error is likely a +result of rebasing across the stm32mp1 DT pinctrl rework. + +Fixes: 611325f68102 ("ARM: dts: stm32: Add eMMC attached to SDMMC2 on AV96") +Signed-off-by: Marek Vasut +Cc: Alexandre Torgue +Cc: Maxime Coquelin +Cc: Patrice Chotard +Cc: Patrick Delaunay +Cc: linux-stm32@st-md-mailman.stormreply.com +To: linux-arm-kernel@lists.infradead.org +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi +index 930202742a3f6..905cd7bb98cf0 100644 +--- a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi ++++ b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi +@@ -295,9 +295,9 @@ &sdmmc1 { + + &sdmmc2 { + pinctrl-names = "default", "opendrain", "sleep"; +- pinctrl-0 = <&sdmmc2_b4_pins_a &sdmmc2_d47_pins_b>; +- pinctrl-1 = <&sdmmc2_b4_od_pins_a &sdmmc2_d47_pins_b>; +- pinctrl-2 = <&sdmmc2_b4_sleep_pins_a &sdmmc2_d47_sleep_pins_b>; ++ pinctrl-0 = <&sdmmc2_b4_pins_a &sdmmc2_d47_pins_c>; ++ pinctrl-1 = <&sdmmc2_b4_od_pins_a &sdmmc2_d47_pins_c>; ++ pinctrl-2 = <&sdmmc2_b4_sleep_pins_a &sdmmc2_d47_sleep_pins_c>; + bus-width = <8>; + mmc-ddr-1_8v; + no-sd; +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-stm32-lxa-mc1-fix-kernel-warning-about-phy-d.patch b/queue-5.9/arm-dts-stm32-lxa-mc1-fix-kernel-warning-about-phy-d.patch new file mode 100644 index 00000000000..e3bcbb38e64 --- /dev/null +++ b/queue-5.9/arm-dts-stm32-lxa-mc1-fix-kernel-warning-about-phy-d.patch @@ -0,0 +1,49 @@ +From 714f02c46477c4108bc59ec7c44b6f05e4ab1e38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 17:03:56 +0200 +Subject: ARM: dts: stm32: lxa-mc1: Fix kernel warning about PHY delays + +From: Holger Assmann + +[ Upstream commit 42a31ac6698681363363d48335559d212a26a7ca ] + +The KSZ9031 PHY skew timings for rxc/txc, originally set to achieve +the desired phase shift between clock- and data-signal, now trigger a +kernel warning when used in rgmii-id mode: + + *-skew-ps values should be used only with phy-mode = "rgmii" + +This is because commit bcf3440c6dd7 ("net: phy: micrel: add phy-mode +support for the KSZ9031 PHY") now configures own timings when +phy-mode = "rgmii-id". Device trees wanting to set their own delays +should use phy-mode "rgmii" instead as the warning prescribes. + +The "standard" timings now used with "rgmii-id" work fine on this +board, so drop the explicit timings in the device tree and thereby +silence the warning. + +Fixes: 666b5ca85cd3 ("ARM: dts: stm32: add STM32MP1-based Linux Automation MC-1 board") +Signed-off-by: Holger Assmann +Acked-by: Ahmad Fatoum +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp157c-lxa-mc1.dts | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/arm/boot/dts/stm32mp157c-lxa-mc1.dts b/arch/arm/boot/dts/stm32mp157c-lxa-mc1.dts +index 5700e6b700d36..b85025d009437 100644 +--- a/arch/arm/boot/dts/stm32mp157c-lxa-mc1.dts ++++ b/arch/arm/boot/dts/stm32mp157c-lxa-mc1.dts +@@ -121,8 +121,6 @@ ethphy: ethernet-phy@3 { /* KSZ9031RN */ + reset-gpios = <&gpiog 0 GPIO_ACTIVE_LOW>; /* ETH_RST# */ + interrupt-parent = <&gpioa>; + interrupts = <6 IRQ_TYPE_EDGE_FALLING>; /* ETH_MDINT# */ +- rxc-skew-ps = <1860>; +- txc-skew-ps = <1860>; + reset-assert-us = <10000>; + reset-deassert-us = <300>; + micrel,force-master; +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-stm32-move-ethernet-phy-into-dh-som-dt.patch b/queue-5.9/arm-dts-stm32-move-ethernet-phy-into-dh-som-dt.patch new file mode 100644 index 00000000000..3fc982b5016 --- /dev/null +++ b/queue-5.9/arm-dts-stm32-move-ethernet-phy-into-dh-som-dt.patch @@ -0,0 +1,148 @@ +From 204c6540cd96148f7e8adc9ec9c3642851b094f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 18:51:40 +0200 +Subject: ARM: dts: stm32: Move ethernet PHY into DH SoM DT + +From: Marek Vasut + +[ Upstream commit b0a07f609600b6fa4c30f783db50c38456804485 ] + +The PHY and the VIO regulator is populated on the SoM, move it +into the SoM DT. + +Signed-off-by: Marek Vasut +Cc: Alexandre Torgue +Cc: Maxime Coquelin +Cc: Patrice Chotard +Cc: Patrick Delaunay +Cc: linux-stm32@st-md-mailman.stormreply.com +To: linux-arm-kernel@lists.infradead.org +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi | 33 ----------------- + arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi | 36 +++++++++++++++++++ + 2 files changed, 36 insertions(+), 33 deletions(-) + +diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi +index 7c4bd615b3115..9cf6d90fbf69f 100644 +--- a/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi ++++ b/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi +@@ -11,7 +11,6 @@ aliases { + serial0 = &uart4; + serial1 = &usart3; + serial2 = &uart8; +- ethernet0 = ðernet0; + }; + + chosen { +@@ -33,16 +32,6 @@ display_bl: display-bl { + status = "okay"; + }; + +- ethernet_vio: vioregulator { +- compatible = "regulator-fixed"; +- regulator-name = "vio"; +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; +- gpio = <&gpiog 3 GPIO_ACTIVE_LOW>; +- regulator-always-on; +- regulator-boot-on; +- }; +- + gpio-keys-polled { + compatible = "gpio-keys-polled"; + #size-cells = <0>; +@@ -141,28 +130,6 @@ &cec { + status = "okay"; + }; + +-ðernet0 { +- status = "okay"; +- pinctrl-0 = <ðernet0_rmii_pins_a>; +- pinctrl-1 = <ðernet0_rmii_sleep_pins_a>; +- pinctrl-names = "default", "sleep"; +- phy-mode = "rmii"; +- max-speed = <100>; +- phy-handle = <&phy0>; +- st,eth-ref-clk-sel; +- phy-reset-gpios = <&gpioh 15 GPIO_ACTIVE_LOW>; +- +- mdio0 { +- #address-cells = <1>; +- #size-cells = <0>; +- compatible = "snps,dwmac-mdio"; +- +- phy0: ethernet-phy@1 { +- reg = <1>; +- }; +- }; +-}; +- + &i2c2 { /* Header X22 */ + pinctrl-names = "default"; + pinctrl-0 = <&i2c2_pins_a>; +diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi +index ba905196fb549..d30a3c60da9b0 100644 +--- a/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi ++++ b/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi +@@ -9,6 +9,10 @@ + #include + + / { ++ aliases { ++ ethernet0 = ðernet0; ++ }; ++ + memory@c0000000 { + device_type = "memory"; + reg = <0xC0000000 0x40000000>; +@@ -55,6 +59,16 @@ retram: retram@38000000 { + no-map; + }; + }; ++ ++ ethernet_vio: vioregulator { ++ compatible = "regulator-fixed"; ++ regulator-name = "vio"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ gpio = <&gpiog 3 GPIO_ACTIVE_LOW>; ++ regulator-always-on; ++ regulator-boot-on; ++ }; + }; + + &adc { +@@ -94,6 +108,28 @@ &dts { + status = "okay"; + }; + ++ðernet0 { ++ status = "okay"; ++ pinctrl-0 = <ðernet0_rmii_pins_a>; ++ pinctrl-1 = <ðernet0_rmii_sleep_pins_a>; ++ pinctrl-names = "default", "sleep"; ++ phy-mode = "rmii"; ++ max-speed = <100>; ++ phy-handle = <&phy0>; ++ st,eth-ref-clk-sel; ++ phy-reset-gpios = <&gpioh 15 GPIO_ACTIVE_LOW>; ++ ++ mdio0 { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ compatible = "snps,dwmac-mdio"; ++ ++ phy0: ethernet-phy@1 { ++ reg = <1>; ++ }; ++ }; ++}; ++ + &i2c4 { + pinctrl-names = "default"; + pinctrl-0 = <&i2c4_pins_a>; +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-stm32-swap-phy-reset-gpio-and-tsc2004-irq-on.patch b/queue-5.9/arm-dts-stm32-swap-phy-reset-gpio-and-tsc2004-irq-on.patch new file mode 100644 index 00000000000..9c11bcfd881 --- /dev/null +++ b/queue-5.9/arm-dts-stm32-swap-phy-reset-gpio-and-tsc2004-irq-on.patch @@ -0,0 +1,52 @@ +From 0903ced998b01ed7ba9fc88f48fe1b0db490d974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 14:14:12 +0200 +Subject: ARM: dts: stm32: Swap PHY reset GPIO and TSC2004 IRQ on DHCOM SOM + +From: Marek Vasut + +[ Upstream commit 9ad98319e95263469d8ca2cb543c37c5a2f40980 ] + +On the production revision of the SoM, 587-200, the PHY reset GPIO and +touchscreen IRQs are swapped to prevent collision between EXTi IRQs, +reflect that in DT. + +Fixes: 34e0c7847dcf ("ARM: dts: stm32: Add DH Electronics DHCOM STM32MP1 SoM and PDK2 board") +Signed-off-by: Marek Vasut +Cc: Alexandre Torgue +Cc: Maxime Coquelin +Cc: Patrice Chotard +Cc: Patrick Delaunay +Cc: linux-stm32@st-md-mailman.stormreply.com +To: linux-arm-kernel@lists.infradead.org +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi +index d30a3c60da9b0..a87ebc4843963 100644 +--- a/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi ++++ b/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi +@@ -117,7 +117,7 @@ ðernet0 { + max-speed = <100>; + phy-handle = <&phy0>; + st,eth-ref-clk-sel; +- phy-reset-gpios = <&gpioh 15 GPIO_ACTIVE_LOW>; ++ phy-reset-gpios = <&gpioh 3 GPIO_ACTIVE_LOW>; + + mdio0 { + #address-cells = <1>; +@@ -285,7 +285,7 @@ touchscreen@49 { + compatible = "ti,tsc2004"; + reg = <0x49>; + vio-supply = <&v3v3>; +- interrupts-extended = <&gpioh 3 IRQ_TYPE_EDGE_FALLING>; ++ interrupts-extended = <&gpioh 15 IRQ_TYPE_EDGE_FALLING>; + }; + + eeprom@50 { +-- +2.25.1 + diff --git a/queue-5.9/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch b/queue-5.9/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch new file mode 100644 index 00000000000..88d4f0288c0 --- /dev/null +++ b/queue-5.9/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch @@ -0,0 +1,54 @@ +From 8095e1788e86081d22666da3c35a2e0a081980d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 21:36:49 +0200 +Subject: ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix dcdc1 regulator + +From: Jernej Skrabec + +[ Upstream commit 3658a2b7f3e16c7053eb8d70657b94bb62c5a0f4 ] + +DCDC1 regulator powers many different subsystems. While some of them can +work at 3.0 V, some of them can not. For example, VCC-HDMI can only work +between 3.24 V and 3.36 V. According to OS images provided by the board +manufacturer this regulator should be set to 3.3 V. + +Set DCDC1 and DCDC1SW to 3.3 V in order to fix this. + +Fixes: da7ac948fa93 ("ARM: dts: sun8i: Add board dts file for Banana Pi M2 Ultra") +Signed-off-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20200824193649.978197-1-jernej.skrabec@siol.net +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts b/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts +index 42d62d1ba1dc7..ea15073f0c79c 100644 +--- a/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts ++++ b/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts +@@ -223,16 +223,16 @@ ®_aldo3 { + }; + + ®_dc1sw { +- regulator-min-microvolt = <3000000>; +- regulator-max-microvolt = <3000000>; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; + regulator-name = "vcc-gmac-phy"; + }; + + ®_dcdc1 { + regulator-always-on; +- regulator-min-microvolt = <3000000>; +- regulator-max-microvolt = <3000000>; +- regulator-name = "vcc-3v0"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-3v3"; + }; + + ®_dcdc2 { +-- +2.25.1 + diff --git a/queue-5.9/arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch b/queue-5.9/arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch new file mode 100644 index 00000000000..97f727f5dad --- /dev/null +++ b/queue-5.9/arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch @@ -0,0 +1,42 @@ +From 83348db2dd3165aae10b314dfe8f1a77be7a4089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 09:16:22 +0300 +Subject: ARM: OMAP2+: Restore MPU power domain if cpu_cluster_pm_enter() fails + +From: Tony Lindgren + +[ Upstream commit 8f04aea048d56f3e39a7e543939450246542a6fc ] + +If cpu_cluster_pm_enter() fails, we need to set MPU power domain back +to enabled to prevent the next WFI from potentially triggering an +undesired MPU power domain state change. + +We already do this for omap_enter_idle_smp() but are missing it for +omap_enter_idle_coupled(). + +Fixes: 55be2f50336f ("ARM: OMAP2+: Handle errors for cpu_pm") +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/cpuidle44xx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c +index 6f5f89711f256..a92d277f81a08 100644 +--- a/arch/arm/mach-omap2/cpuidle44xx.c ++++ b/arch/arm/mach-omap2/cpuidle44xx.c +@@ -174,8 +174,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + */ + if (mpuss_can_lose_context) { + error = cpu_cluster_pm_enter(); +- if (error) ++ if (error) { ++ omap_set_pwrdm_state(mpu_pd, PWRDM_POWER_ON); + goto cpu_cluster_pm_out; ++ } + } + } + +-- +2.25.1 + diff --git a/queue-5.9/arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch b/queue-5.9/arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch new file mode 100644 index 00000000000..418cdc48008 --- /dev/null +++ b/queue-5.9/arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch @@ -0,0 +1,107 @@ +From 04342a59be2b0f787287f9608cd444e87378e4e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 20:20:20 +0200 +Subject: ARM: s3c24xx: fix mmc gpio lookup tables + +From: Arnd Bergmann + +[ Upstream commit 3af4e8774b6d03683932b0961998e01355bccd74 ] + +The gpio controller names differ between s3c24xx and s3c64xx, +and it seems that these all got the wrong names, using GPx instead +of GPIOx. + +Fixes: d2951dfa070d ("mmc: s3cmci: Use the slot GPIO descriptor") +Signed-off-by: Arnd Bergmann +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20200806182059.2431-3-krzk@kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/mach-s3c24xx/mach-at2440evb.c | 2 +- + arch/arm/mach-s3c24xx/mach-h1940.c | 4 ++-- + arch/arm/mach-s3c24xx/mach-mini2440.c | 4 ++-- + arch/arm/mach-s3c24xx/mach-n30.c | 4 ++-- + arch/arm/mach-s3c24xx/mach-rx1950.c | 4 ++-- + 5 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/mach-s3c24xx/mach-at2440evb.c b/arch/arm/mach-s3c24xx/mach-at2440evb.c +index 58c5ef3cf1d7e..2d370f7f75fa2 100644 +--- a/arch/arm/mach-s3c24xx/mach-at2440evb.c ++++ b/arch/arm/mach-s3c24xx/mach-at2440evb.c +@@ -143,7 +143,7 @@ static struct gpiod_lookup_table at2440evb_mci_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPG(10) */ +- GPIO_LOOKUP("GPG", 10, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOG", 10, "cd", GPIO_ACTIVE_LOW), + { }, + }, + }; +diff --git a/arch/arm/mach-s3c24xx/mach-h1940.c b/arch/arm/mach-s3c24xx/mach-h1940.c +index f4710052843ac..3601c7abe69dc 100644 +--- a/arch/arm/mach-s3c24xx/mach-h1940.c ++++ b/arch/arm/mach-s3c24xx/mach-h1940.c +@@ -468,9 +468,9 @@ static struct gpiod_lookup_table h1940_mmc_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPF(5) */ +- GPIO_LOOKUP("GPF", 5, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOF", 5, "cd", GPIO_ACTIVE_LOW), + /* Write protect S3C2410_GPH(8) */ +- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_LOW), + { }, + }, + }; +diff --git a/arch/arm/mach-s3c24xx/mach-mini2440.c b/arch/arm/mach-s3c24xx/mach-mini2440.c +index 2357494483118..5729bf07a6232 100644 +--- a/arch/arm/mach-s3c24xx/mach-mini2440.c ++++ b/arch/arm/mach-s3c24xx/mach-mini2440.c +@@ -244,9 +244,9 @@ static struct gpiod_lookup_table mini2440_mmc_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPG(8) */ +- GPIO_LOOKUP("GPG", 8, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOG", 8, "cd", GPIO_ACTIVE_LOW), + /* Write protect S3C2410_GPH(8) */ +- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_HIGH), ++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_HIGH), + { }, + }, + }; +diff --git a/arch/arm/mach-s3c24xx/mach-n30.c b/arch/arm/mach-s3c24xx/mach-n30.c +index 998ccff3c174b..ed993bc666351 100644 +--- a/arch/arm/mach-s3c24xx/mach-n30.c ++++ b/arch/arm/mach-s3c24xx/mach-n30.c +@@ -389,9 +389,9 @@ static struct gpiod_lookup_table n30_mci_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPF(1) */ +- GPIO_LOOKUP("GPF", 1, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOF", 1, "cd", GPIO_ACTIVE_LOW), + /* Write protect S3C2410_GPG(10) */ +- GPIO_LOOKUP("GPG", 10, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOG", 10, "wp", GPIO_ACTIVE_LOW), + { }, + }, + }; +diff --git a/arch/arm/mach-s3c24xx/mach-rx1950.c b/arch/arm/mach-s3c24xx/mach-rx1950.c +index fde98b175c752..c0a06f123cfea 100644 +--- a/arch/arm/mach-s3c24xx/mach-rx1950.c ++++ b/arch/arm/mach-s3c24xx/mach-rx1950.c +@@ -571,9 +571,9 @@ static struct gpiod_lookup_table rx1950_mmc_gpio_table = { + .dev_id = "s3c2410-sdi", + .table = { + /* Card detect S3C2410_GPF(5) */ +- GPIO_LOOKUP("GPF", 5, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOF", 5, "cd", GPIO_ACTIVE_LOW), + /* Write protect S3C2410_GPH(8) */ +- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_LOW), + { }, + }, + }; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-actions-limit-address-range-for-pinctrl-no.patch b/queue-5.9/arm64-dts-actions-limit-address-range-for-pinctrl-no.patch new file mode 100644 index 00000000000..00d1fab5dbf --- /dev/null +++ b/queue-5.9/arm64-dts-actions-limit-address-range-for-pinctrl-no.patch @@ -0,0 +1,54 @@ +From 3a53392a683b4eda555a5b5bdaad8054d9f17a48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 23:12:02 +0530 +Subject: arm64: dts: actions: limit address range for pinctrl node + +From: Amit Singh Tomar + +[ Upstream commit 4bb1eb3cd4bd6241d5e5f99bbfd801ea5a007b6c ] + +After commit 7cdf8446ed1d ("arm64: dts: actions: Add pinctrl node for +Actions Semi S700") following error has been observed while booting +Linux on Cubieboard7-lite(based on S700 SoC). + +[ 0.257415] pinctrl-s700 e01b0000.pinctrl: can't request region for +resource [mem 0xe01b0000-0xe01b0fff] +[ 0.266902] pinctrl-s700: probe of e01b0000.pinctrl failed with error -16 + +This is due to the fact that memory range for "sps" power domain controller +clashes with pinctrl. + +One way to fix it, is to limit pinctrl address range which is safe +to do as current pinctrl driver uses address range only up to 0x100. + +This commit limits the pinctrl address range to 0x100 so that it doesn't +conflict with sps range. + +Fixes: 7cdf8446ed1d ("arm64: dts: actions: Add pinctrl node for Actions +Semi S700") + +Reviewed-by: Manivannan Sadhasivam +Suggested-by: Andre Przywara +Signed-off-by: Amit Singh Tomar +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/actions/s700.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/actions/s700.dtsi b/arch/arm64/boot/dts/actions/s700.dtsi +index 2006ad5424fa6..f8eb72bb41254 100644 +--- a/arch/arm64/boot/dts/actions/s700.dtsi ++++ b/arch/arm64/boot/dts/actions/s700.dtsi +@@ -231,7 +231,7 @@ timer: timer@e024c000 { + + pinctrl: pinctrl@e01b0000 { + compatible = "actions,s700-pinctrl"; +- reg = <0x0 0xe01b0000 0x0 0x1000>; ++ reg = <0x0 0xe01b0000 0x0 0x100>; + clocks = <&cmu CLK_GPIO>; + gpio-controller; + gpio-ranges = <&pinctrl 0 0 136>; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch b/queue-5.9/arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch new file mode 100644 index 00000000000..76ba2ba8e1f --- /dev/null +++ b/queue-5.9/arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch @@ -0,0 +1,52 @@ +From aa0cc2d56b2a40974ad8a77587a5f58073071dc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 14:27:55 +0800 +Subject: arm64: dts: allwinner: h5: remove Mali GPU PMU module + +From: Qiang Yu + +[ Upstream commit 2933bf3528007f834fb7f5eab033f9c5b0683f91 ] + +H5's Mali GPU PMU is not present or working corretly although +H5 datasheet record its interrupt vector. + +Adding this module will miss lead lima driver try to shutdown +it and get waiting timeout. This problem is not exposed before +lima runtime PM support is added. + +Fixes: bb39ed07e55b ("arm64: dts: allwinner: h5: Add device node for Mali-450 GPU") +Signed-off-by: Qiang Yu +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20200822062755.534761-1-yuq825@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi +index 6735e316a39c3..6c6053a18413d 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi ++++ b/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi +@@ -139,8 +139,7 @@ mali: gpu@1e80000 { + , + , + , +- , +- ; ++ ; + interrupt-names = "gp", + "gpmmu", + "pp", +@@ -151,8 +150,7 @@ mali: gpu@1e80000 { + "pp2", + "ppmmu2", + "pp3", +- "ppmmu3", +- "pmu"; ++ "ppmmu3"; + clocks = <&ccu CLK_BUS_GPU>, <&ccu CLK_GPU>; + clock-names = "bus", "core"; + resets = <&ccu RST_BUS_GPU>; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch b/queue-5.9/arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch new file mode 100644 index 00000000000..61471129d79 --- /dev/null +++ b/queue-5.9/arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch @@ -0,0 +1,41 @@ +From c43cb6c18fd7a3f39052e654f56a14695dd2c4c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 16:53:09 +0200 +Subject: arm64: dts: imx8mq: Add missing interrupts to GPC + +From: Krzysztof Kozlowski + +[ Upstream commit 791619f66843a213784efb2f171be98933bad991 ] + +The i.MX General Power Controller v2 device node was missing interrupts +property necessary to route its interrupt to GIC. This also fixes the +dbts_check warnings like: + + arch/arm64/boot/dts/freescale/imx8mq-evk.dt.yaml: gpc@303a0000: + {'compatible': ... '$nodename': ['gpc@303a0000']} is not valid under any of the given schemas + arch/arm64/boot/dts/freescale/imx8mq-evk.dt.yaml: gpc@303a0000: 'interrupts' is a required property + +Fixes: fdbcc04da246 ("arm64: dts: imx8mq: add GPC power domains") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Lucas Stach +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index 561fa792fe5a9..58c08398d4ba7 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -617,6 +617,7 @@ src: reset-controller@30390000 { + gpc: gpc@303a0000 { + compatible = "fsl,imx8mq-gpc"; + reg = <0x303a0000 0x10000>; ++ interrupts = ; + interrupt-parent = <&gic>; + interrupt-controller; + #interrupt-cells = <3>; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-meson-vim3-correct-led-polarity.patch b/queue-5.9/arm64-dts-meson-vim3-correct-led-polarity.patch new file mode 100644 index 00000000000..a3b897986bb --- /dev/null +++ b/queue-5.9/arm64-dts-meson-vim3-correct-led-polarity.patch @@ -0,0 +1,43 @@ +From 7cca584e3a5792c964b0149f7293aafcac5e5df7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 16:18:50 +0200 +Subject: arm64: dts: meson: vim3: correct led polarity + +From: Jerome Brunet + +[ Upstream commit 1f9d87d08e4a2299e86f8a1600aedf87ecd3b636 ] + +The LEDs on the vim3 are active when the gpio is high, not low. + +Fixes: c6d29c66e582 ("arm64: dts: meson-g12b-khadas-vim3: add initial device-tree") +Signed-off-by: Jerome Brunet +Signed-off-by: Kevin Hilman +Link: https://lore.kernel.org/r/20200803141850.172704-1-jbrunet@baylibre.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi b/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi +index 94f75b4465044..73783692e30ee 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi +@@ -41,13 +41,13 @@ leds { + + led-white { + label = "vim3:white:sys"; +- gpios = <&gpio_ao GPIOAO_4 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio_ao GPIOAO_4 GPIO_ACTIVE_HIGH>; + linux,default-trigger = "heartbeat"; + }; + + led-red { + label = "vim3:red"; +- gpios = <&gpio_expander 5 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio_expander 5 GPIO_ACTIVE_HIGH>; + }; + }; + +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-mt8173-elm-fix-nor_flash-node-property.patch b/queue-5.9/arm64-dts-mt8173-elm-fix-nor_flash-node-property.patch new file mode 100644 index 00000000000..4e7e9a1094d --- /dev/null +++ b/queue-5.9/arm64-dts-mt8173-elm-fix-nor_flash-node-property.patch @@ -0,0 +1,45 @@ +From c6c2bc12533b407af244a216e71332ff119bf6c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 15:41:24 +0800 +Subject: arm64: dts: mt8173: elm: Fix nor_flash node property + +From: Hsin-Yi Wang + +[ Upstream commit 1276be23fd53e1c4e752966d0eab42aa54a343da ] + +bus-width and non-removable is not used by the driver. +max-frequency should be spi-max-frequency for flash node. + +Fixes: 689b937bedde ("arm64: dts: mediatek: add mt8173 elm and hana board") +Reported-by: Nicolas Boichat +Signed-off-by: Hsin-Yi Wang +Reviewed-by: Enric Balletbo i Serra +Link: https://lore.kernel.org/r/20200727074124.3779237-1-hsinyi@chromium.org +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi +index bdec719a6b62f..44a0346133cde 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi +@@ -433,12 +433,11 @@ &nor_flash { + status = "okay"; + pinctrl-names = "default"; + pinctrl-0 = <&nor_gpio1_pins>; +- bus-width = <8>; +- max-frequency = <50000000>; +- non-removable; ++ + flash@0 { + compatible = "jedec,spi-nor"; + reg = <0>; ++ spi-max-frequency = <50000000>; + }; + }; + +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-mt8173-elm-fix-supported-values-for-regula.patch b/queue-5.9/arm64-dts-mt8173-elm-fix-supported-values-for-regula.patch new file mode 100644 index 00000000000..ebf864a3b95 --- /dev/null +++ b/queue-5.9/arm64-dts-mt8173-elm-fix-supported-values-for-regula.patch @@ -0,0 +1,51 @@ +From b2c1394e9b2b4e2d8f7a1c7a0f415827e6240f32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 16:28:19 +0200 +Subject: arm64: dts: mt8173-elm: fix supported values for + regulator-allowed-modes of da9211 + +From: Dafna Hirschfeld + +[ Upstream commit 9d955478a89b4a1ff4e7442216f2822dee8fde73 ] + +According to the datasheet the allowed modes for the da9211 +regulator are sync and auto mode. This should be changed in the +devicetree. This also fix an error message +'BUCKA: invalid regulator-allowed-modes element 0' +since value 0 is invalid. + +Fixes: 689b937beddeb ("arm64: dts: mediatek: add mt8173 elm and hana board") +Signed-off-by: Dafna Hirschfeld +Tested-by: Enric Balletbo i Serra +Link: https://lore.kernel.org/r/20200903142819.24487-1-dafna.hirschfeld@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi +index a5a12b2599a4a..bdec719a6b62f 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi +@@ -5,6 +5,7 @@ + + #include + #include ++#include + #include + #include "mt8173.dtsi" + +@@ -294,7 +295,8 @@ da9211_vcpu_reg: BUCKA { + regulator-max-microamp = <4400000>; + regulator-ramp-delay = <10000>; + regulator-always-on; +- regulator-allowed-modes = <0 1>; ++ regulator-allowed-modes = ; + }; + + da9211_vgpu_reg: BUCKB { +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch b/queue-5.9/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch new file mode 100644 index 00000000000..5fbba464c0d --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch @@ -0,0 +1,54 @@ +From 37550b47371e600fd5ca0241c54473e7955d6747 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:12:11 +0200 +Subject: arm64: dts: qcom: msm8916: Fix MDP/DSI interrupts + +From: Stephan Gerhold + +[ Upstream commit 027cca9eb5b450c3f6bb916ba999144c2ec23cb7 ] + +The mdss node sets #interrupt-cells = <1>, so its interrupts +should be referenced using a single cell (in this case: only the +interrupt number). + +However, right now the mdp/dsi node both have two interrupt cells +set, e.g. interrupts = <4 0>. The 0 is probably meant to say +IRQ_TYPE_NONE (= 0), but with #interrupt-cells = <1> this is +actually interpreted as a second interrupt line. + +Remove the IRQ flags from both interrupts to fix this. + +Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200915071221.72895-5-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index c2fb9f7291c5e..75687442d5827 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -1052,7 +1052,7 @@ mdp: mdp@1a01000 { + reg-names = "mdp_phys"; + + interrupt-parent = <&mdss>; +- interrupts = <0 0>; ++ interrupts = <0>; + + clocks = <&gcc GCC_MDSS_AHB_CLK>, + <&gcc GCC_MDSS_AXI_CLK>, +@@ -1084,7 +1084,7 @@ dsi0: dsi@1a98000 { + reg-names = "dsi_ctrl"; + + interrupt-parent = <&mdss>; +- interrupts = <4 0>; ++ interrupts = <4>; + + assigned-clocks = <&gcc BYTE0_CLK_SRC>, + <&gcc PCLK0_CLK_SRC>; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch b/queue-5.9/arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch new file mode 100644 index 00000000000..e69b2f22cec --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch @@ -0,0 +1,71 @@ +From a549cf5ee09fa96010b725d711e53ead5034f77c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:12:09 +0200 +Subject: arm64: dts: qcom: msm8916: Remove one more thermal trip point unit + name + +From: Stephan Gerhold + +[ Upstream commit e6859ae8603c5946b8f3ecbd9b4f02b72955b9d0 ] + +Commit fe2aff0c574d2 ("arm64: dts: qcom: msm8916: remove unit name for thermal trip points") +removed the unit names for most of the thermal trip points defined +in msm8916.dtsi, but missed to update the one for cpu0_1-thermal. + +So why wasn't this spotted by "make dtbs_check"? Apparently, the name +of the thermal zone is already invalid: thermal-zones.yaml specifies +a regex of ^[a-zA-Z][a-zA-Z0-9\\-]{1,12}-thermal$, so it is not allowed +to contain underscores. Therefore the thermal zone was never verified +using the DTB schema. + +After replacing the underscore in the thermal zone name, the warning +shows up: + + apq8016-sbc.dt.yaml: thermal-zones: cpu0-1-thermal:trips: 'trip-point@0' + does not match any of the regexes: '^[a-zA-Z][a-zA-Z0-9\\-_]{0,63}$', 'pinctrl-[0-9]+' + +Fix up the thermal zone names and remove the unit name for the trip point. + +Cc: Amit Kucheria +Fixes: fe2aff0c574d2 ("arm64: dts: qcom: msm8916: remove unit name for thermal trip points") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200915071221.72895-3-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 67cae5f9e47e6..c2fb9f7291c5e 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -229,14 +229,14 @@ pmu { + }; + + thermal-zones { +- cpu0_1-thermal { ++ cpu0-1-thermal { + polling-delay-passive = <250>; + polling-delay = <1000>; + + thermal-sensors = <&tsens 5>; + + trips { +- cpu0_1_alert0: trip-point@0 { ++ cpu0_1_alert0: trip-point0 { + temperature = <75000>; + hysteresis = <2000>; + type = "passive"; +@@ -259,7 +259,7 @@ map0 { + }; + }; + +- cpu2_3-thermal { ++ cpu2-3-thermal { + polling-delay-passive = <250>; + polling-delay = <1000>; + +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-msm8992-fix-uart-interrupt-property.patch b/queue-5.9/arm64-dts-qcom-msm8992-fix-uart-interrupt-property.patch new file mode 100644 index 00000000000..4914cfc3d2f --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-msm8992-fix-uart-interrupt-property.patch @@ -0,0 +1,36 @@ +From be34f7159988fe4d43b9fad50d8775af224327ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 13:12:09 +0200 +Subject: arm64: dts: qcom: msm8992: Fix UART interrupt property + +From: Krzysztof Kozlowski + +[ Upstream commit aa551bd7a04159cf2ca8806abe5da8012b59d058 ] + +"interrupt" is not a valid property. + +Fixes: 7f8bcc0c4cfe ("arm64: dts: qcom: msm8992: Add BLSP2_UART2 and I2C nodes") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200829111209.32685-1-krzk@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8992.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8992.dtsi b/arch/arm64/boot/dts/qcom/msm8992.dtsi +index 188fff2095f11..8626b3a50eda7 100644 +--- a/arch/arm64/boot/dts/qcom/msm8992.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8992.dtsi +@@ -335,7 +335,7 @@ blsp_i2c6: i2c@f9928000 { + blsp2_uart2: serial@f995e000 { + compatible = "qcom,msm-uartdm-v1.4", "qcom,msm-uartdm"; + reg = <0xf995e000 0x1000>; +- interrupt = ; ++ interrupts = ; + clock-names = "core", "iface"; + clocks = <&gcc GCC_BLSP2_UART2_APPS_CLK>, + <&gcc GCC_BLSP2_AHB_CLK>; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch b/queue-5.9/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch new file mode 100644 index 00000000000..d19da2c6bd8 --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch @@ -0,0 +1,48 @@ +From 6896ff1130f094ae29ffac6d3bcf82cfc1d11455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:12:10 +0200 +Subject: arm64: dts: qcom: pm8916: Remove invalid reg size from wcd_codec + +From: Stephan Gerhold + +[ Upstream commit c2f0cbb57dbac6da3d38b47b5b96de0fe4e23884 ] + +Tha parent node of "wcd_codec" specifies #address-cells = <1> +and #size-cells = <0>, which means that each resource should be +described by one cell for the address and size omitted. + +However, wcd_codec currently lists 0x200 as second cell (probably +the size of the resource). When parsing this would be treated like +another memory resource - which is entirely wrong. + +To quote the device tree specification [1]: + "If the parent node specifies a value of 0 for #size-cells, + the length field in the value of reg shall be omitted." + +[1]: https://www.devicetree.org/specifications/ + +Fixes: 5582fcb3829f ("arm64: dts: apq8016-sbc: add analog audio support with multicodec") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200915071221.72895-4-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pm8916.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/pm8916.dtsi b/arch/arm64/boot/dts/qcom/pm8916.dtsi +index 0bcdf04711079..adf9a5988cdc2 100644 +--- a/arch/arm64/boot/dts/qcom/pm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/pm8916.dtsi +@@ -119,7 +119,7 @@ pm8916_vib: vibrator@c000 { + + wcd_codec: codec@f000 { + compatible = "qcom,pm8916-wcd-analog-codec"; +- reg = <0xf000 0x200>; ++ reg = <0xf000>; + reg-names = "pmic-codec-core"; + clocks = <&gcc GCC_CODEC_DIGCODEC_CLK>; + clock-names = "mclk"; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-sc7180-drop-flags-on-mdss-irqs.patch b/queue-5.9/arm64-dts-qcom-sc7180-drop-flags-on-mdss-irqs.patch new file mode 100644 index 00000000000..e3d08f7510e --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-sc7180-drop-flags-on-mdss-irqs.patch @@ -0,0 +1,50 @@ +From ae058bd3a0d9bcba09d738139c9fb2d234e72948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 12:25:03 -0700 +Subject: arm64: dts: qcom: sc7180: Drop flags on mdss irqs + +From: Stephen Boyd + +[ Upstream commit 51e9874d382e089f664b3ce12773bbbaece5f369 ] + +The number of interrupt cells for the mdss interrupt controller is 1, +meaning there should only be one cell for the interrupt number, not two +where the second cell is the irq flags. Drop the second cell to match +the binding. + +Cc: Kalyan Thota +Cc: Harigovindan P +Link: https://lore.kernel.org/r/20200811192503.1811462-1-swboyd@chromium.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7180.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7180.dtsi b/arch/arm64/boot/dts/qcom/sc7180.dtsi +index e875f6c3b6639..a6be72d8f6fde 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi +@@ -2785,7 +2785,7 @@ mdp: mdp@ae01000 { + power-domains = <&rpmhpd SC7180_CX>; + + interrupt-parent = <&mdss>; +- interrupts = <0 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts = <0>; + + status = "disabled"; + +@@ -2833,7 +2833,7 @@ dsi0: dsi@ae94000 { + reg-names = "dsi_ctrl"; + + interrupt-parent = <&mdss>; +- interrupts = <4 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts = <4>; + + clocks = <&dispcc DISP_CC_MDSS_BYTE0_CLK>, + <&dispcc DISP_CC_MDSS_BYTE0_INTF_CLK>, +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-sc7180-fix-the-llcc-base-register-siz.patch b/queue-5.9/arm64-dts-qcom-sc7180-fix-the-llcc-base-register-siz.patch new file mode 100644 index 00000000000..316af6e27b9 --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-sc7180-fix-the-llcc-base-register-siz.patch @@ -0,0 +1,40 @@ +From be4af3d84fb54fdbee87e0eb230e3c8d679b69a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 20:25:14 +0530 +Subject: arm64: dts: qcom: sc7180: Fix the LLCC base register size + +From: Sai Prakash Ranjan + +[ Upstream commit efe788361f72914017515223414d3f20abe4b403 ] + +There is one LLCC logical bank(LLCC0) on SC7180 SoC and the +size of the LLCC0 base is 0x50000(320KB) not 2MB, so correct +the size and fix copy paste mistake carried over from SDM845. + +Reviewed-by: Douglas Anderson +Fixes: 7cee5c742899 ("arm64: dts: qcom: sc7180: Fix node order") +Fixes: c831fa299996 ("arm64: dts: qcom: sc7180: Add Last level cache controller node") +Signed-off-by: Sai Prakash Ranjan +Link: https://lore.kernel.org/r/20200818145514.16262-1-saiprakash.ranjan@codeaurora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7180.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7180.dtsi b/arch/arm64/boot/dts/qcom/sc7180.dtsi +index d46b3833e52fd..e875f6c3b6639 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi +@@ -2618,7 +2618,7 @@ dc_noc: interconnect@9160000 { + + system-cache-controller@9200000 { + compatible = "qcom,sc7180-llcc"; +- reg = <0 0x09200000 0 0x200000>, <0 0x09600000 0 0x50000>; ++ reg = <0 0x09200000 0 0x50000>, <0 0x09600000 0 0x50000>; + reg-names = "llcc_base", "llcc_broadcast_base"; + interrupts = ; + }; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-sdm845-db845c-fix-hdmi-nodes.patch b/queue-5.9/arm64-dts-qcom-sdm845-db845c-fix-hdmi-nodes.patch new file mode 100644 index 00000000000..ee5cc6800fc --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-sdm845-db845c-fix-hdmi-nodes.patch @@ -0,0 +1,52 @@ +From 5a84b098695053d977ea569f282f28039adf889f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 13:13:47 +0530 +Subject: arm64: dts: qcom: sdm845-db845c: Fix hdmi nodes + +From: Vinod Koul + +[ Upstream commit bca4339bda0989e49189c164795b120eb261970c ] + +As per binding documentation, we should have dsi as node 0 and hdmi +audio as node 1, so fix it + +Reported-by: Dmitry Baryshkov +Fixes: aef9a119dfb9 ("arm64: dts: qcom: sdm845-db845c: Add hdmi bridge nodes") +Signed-off-by: Vinod Koul +Link: https://lore.kernel.org/r/20200828074347.3788518-1-vkoul@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts +index a2a98680ccf53..99d33955270ec 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts +@@ -451,16 +451,16 @@ ports { + port@0 { + reg = <0>; + +- lt9611_out: endpoint { +- remote-endpoint = <&hdmi_con>; ++ lt9611_a: endpoint { ++ remote-endpoint = <&dsi0_out>; + }; + }; + +- port@1 { +- reg = <1>; ++ port@2 { ++ reg = <2>; + +- lt9611_a: endpoint { +- remote-endpoint = <&dsi0_out>; ++ lt9611_out: endpoint { ++ remote-endpoint = <&hdmi_con>; + }; + }; + }; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-sm8150-fix-up-primary-usb-nodes.patch b/queue-5.9/arm64-dts-qcom-sm8150-fix-up-primary-usb-nodes.patch new file mode 100644 index 00000000000..121ea2510d0 --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-sm8150-fix-up-primary-usb-nodes.patch @@ -0,0 +1,47 @@ +From 547386966e93e05910337c7faeb9a1d8ba765fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 12:04:43 -0400 +Subject: arm64: dts: qcom: sm8150: fix up primary USB nodes + +From: Jonathan Marek + +[ Upstream commit 79493db5bb573017767b4f48b0fc69bfd01b82d2 ] + +The compatible for hsphy has out of place indentation, and the assigned +clock rate for GCC_USB30_PRIM_MASTER_CLK is incorrect, the clock doesn't +support a rate of 150000000. Use a rate of 200000000 to match downstream. + +Fixes: b33d2868e8d3 ("arm64: dts: qcom: sm8150: Add USB and PHY device nodes") +Signed-off-by: Jonathan Marek +Link: https://lore.kernel.org/r/20200818160445.14008-1-jonathan@marek.ca +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8150.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8150.dtsi b/arch/arm64/boot/dts/qcom/sm8150.dtsi +index b86a7ead30067..ab8680c6672e4 100644 +--- a/arch/arm64/boot/dts/qcom/sm8150.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8150.dtsi +@@ -767,7 +767,7 @@ glink-edge { + + usb_1_hsphy: phy@88e2000 { + compatible = "qcom,sm8150-usb-hs-phy", +- "qcom,usb-snps-hs-7nm-phy"; ++ "qcom,usb-snps-hs-7nm-phy"; + reg = <0 0x088e2000 0 0x400>; + status = "disabled"; + #phy-cells = <0>; +@@ -833,7 +833,7 @@ usb_1: usb@a6f8800 { + + assigned-clocks = <&gcc GCC_USB30_PRIM_MOCK_UTMI_CLK>, + <&gcc GCC_USB30_PRIM_MASTER_CLK>; +- assigned-clock-rates = <19200000>, <150000000>; ++ assigned-clock-rates = <19200000>, <200000000>; + + interrupts = , + , +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-qcom-sm8250-rename-uart2-node-to-uart12.patch b/queue-5.9/arm64-dts-qcom-sm8250-rename-uart2-node-to-uart12.patch new file mode 100644 index 00000000000..4b399a9efea --- /dev/null +++ b/queue-5.9/arm64-dts-qcom-sm8250-rename-uart2-node-to-uart12.patch @@ -0,0 +1,81 @@ +From 2b81fbf32f64858b182f9f08bc736443bff441f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 12:06:33 +0530 +Subject: arm64: dts: qcom: sm8250: Rename UART2 node to UART12 + +From: Manivannan Sadhasivam + +[ Upstream commit bb1dfb4da1d031380cd631dd0d6884d4e79a8d51 ] + +The UART12 node has been mistakenly mentioned as UART2. Let's fix that +for both SM8250 SoC and MTP board and also add pinctrl definition for +it. + +Fixes: 60378f1a171e ("arm64: dts: qcom: sm8250: Add sm8250 dts file") +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20200904063637.28632-3-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8250-mtp.dts | 4 ++-- + arch/arm64/boot/dts/qcom/sm8250.dtsi | 11 ++++++++++- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250-mtp.dts b/arch/arm64/boot/dts/qcom/sm8250-mtp.dts +index 6894f8490dae7..6e2f7ae1d6211 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250-mtp.dts ++++ b/arch/arm64/boot/dts/qcom/sm8250-mtp.dts +@@ -17,7 +17,7 @@ / { + compatible = "qcom,sm8250-mtp"; + + aliases { +- serial0 = &uart2; ++ serial0 = &uart12; + }; + + chosen { +@@ -371,7 +371,7 @@ &tlmm { + gpio-reserved-ranges = <28 4>, <40 4>; + }; + +-&uart2 { ++&uart12 { + status = "okay"; + }; + +diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi +index 377172e8967b7..e7d139e1a6cec 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi +@@ -935,11 +935,13 @@ spi12: spi@a90000 { + status = "disabled"; + }; + +- uart2: serial@a90000 { ++ uart12: serial@a90000 { + compatible = "qcom,geni-debug-uart"; + reg = <0x0 0x00a90000 0x0 0x4000>; + clock-names = "se"; + clocks = <&gcc GCC_QUPV3_WRAP1_S4_CLK>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&qup_uart12_default>; + interrupts = ; + status = "disabled"; + }; +@@ -1880,6 +1882,13 @@ config { + bias-disable; + }; + }; ++ ++ qup_uart12_default: qup-uart12-default { ++ mux { ++ pins = "gpio34", "gpio35"; ++ function = "qup12"; ++ }; ++ }; + }; + + adsp: remoteproc@17300000 { +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch b/queue-5.9/arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch new file mode 100644 index 00000000000..956ad5f08f5 --- /dev/null +++ b/queue-5.9/arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch @@ -0,0 +1,39 @@ +From 507aea6bb67f3a358c0a00db5dce9eb829a2a815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 15:21:17 +0200 +Subject: arm64: dts: renesas: r8a774c0: Fix MSIOF1 DMA channels + +From: Geert Uytterhoeven + +[ Upstream commit c91dfc9818df5f43c10c727f1cecaebdb5e2fa92 ] + +According to Technical Update TN-RCT-S0352A/E, MSIOF1 DMA can only be +used with SYS-DMAC0 on R-Car E3. + +Fixes: 62c0056f1c3eb15d ("arm64: dts: renesas: r8a774c0: Add MSIOF nodes") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20200917132117.8515-3-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r8a774c0.dtsi | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r8a774c0.dtsi b/arch/arm64/boot/dts/renesas/r8a774c0.dtsi +index 42171190cce46..065e8fe3a071c 100644 +--- a/arch/arm64/boot/dts/renesas/r8a774c0.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a774c0.dtsi +@@ -1214,9 +1214,8 @@ msiof1: spi@e6ea0000 { + reg = <0 0xe6ea0000 0 0x0064>; + interrupts = ; + clocks = <&cpg CPG_MOD 210>; +- dmas = <&dmac1 0x43>, <&dmac1 0x42>, +- <&dmac2 0x43>, <&dmac2 0x42>; +- dma-names = "tx", "rx", "tx", "rx"; ++ dmas = <&dmac0 0x43>, <&dmac0 0x42>; ++ dma-names = "tx", "rx"; + power-domains = <&sysc R8A774C0_PD_ALWAYS_ON>; + resets = <&cpg 210>; + #address-cells = <1>; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch b/queue-5.9/arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch new file mode 100644 index 00000000000..efa89e284b3 --- /dev/null +++ b/queue-5.9/arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch @@ -0,0 +1,39 @@ +From ae8d19646a7ddadcab98c7ca660ce62f536e2c80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 15:21:16 +0200 +Subject: arm64: dts: renesas: r8a77990: Fix MSIOF1 DMA channels + +From: Geert Uytterhoeven + +[ Upstream commit 453802c463abd003a7c38ffbc90b67ba162335b6 ] + +According to Technical Update TN-RCT-S0352A/E, MSIOF1 DMA can only be +used with SYS-DMAC0 on R-Car E3. + +Fixes: 8517042060b55a37 ("arm64: dts: renesas: r8a77990: Add DMA properties to MSIOF nodes") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20200917132117.8515-2-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r8a77990.dtsi | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r8a77990.dtsi b/arch/arm64/boot/dts/renesas/r8a77990.dtsi +index 1991bdc36792f..27f74df8efbde 100644 +--- a/arch/arm64/boot/dts/renesas/r8a77990.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a77990.dtsi +@@ -1192,9 +1192,8 @@ msiof1: spi@e6ea0000 { + reg = <0 0xe6ea0000 0 0x0064>; + interrupts = ; + clocks = <&cpg CPG_MOD 210>; +- dmas = <&dmac1 0x43>, <&dmac1 0x42>, +- <&dmac2 0x43>, <&dmac2 0x42>; +- dma-names = "tx", "rx", "tx", "rx"; ++ dmas = <&dmac0 0x43>, <&dmac0 0x42>; ++ dma-names = "tx", "rx"; + power-domains = <&sysc R8A77990_PD_ALWAYS_ON>; + resets = <&cpg 210>; + #address-cells = <1>; +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-sdm845-fixup-opp-table-for-all-qup-devices.patch b/queue-5.9/arm64-dts-sdm845-fixup-opp-table-for-all-qup-devices.patch new file mode 100644 index 00000000000..77f28b7e186 --- /dev/null +++ b/queue-5.9/arm64-dts-sdm845-fixup-opp-table-for-all-qup-devices.patch @@ -0,0 +1,60 @@ +From eaf60195fccdb4e204394ae327a78ed935676ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 15:52:10 +0530 +Subject: arm64: dts: sdm845: Fixup OPP table for all qup devices + +From: Rajendra Nayak + +[ Upstream commit e0b760a5f6c9e54db8bd22b1d6b19223e6b92264 ] + +This OPP table was based on the clock VDD-FMAX tables seen in +downstream code, however it turns out the downstream clock +driver does update these tables based on later/production +rev of the chip and whats seen in the tables belongs to an +early engineering rev of the SoC. +Fix up the OPP tables such that it now matches with the +production rev of sdm845 SoC. + +Tested-by: Amit Pundir +Tested-by: John Stultz +Tested-by: Steev Klimaszewski +Fixes: 13cadb34e593 ("arm64: dts: sdm845: Add OPP table for all qup devices") +Reported-by: John Stultz +Signed-off-by: Rajendra Nayak +Link: https://lore.kernel.org/r/1597227730-16477-1-git-send-email-rnayak@codeaurora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi +index 2884577dcb777..eca81cffd2c19 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -1093,8 +1093,8 @@ rng: rng@793000 { + qup_opp_table: qup-opp-table { + compatible = "operating-points-v2"; + +- opp-19200000 { +- opp-hz = /bits/ 64 <19200000>; ++ opp-50000000 { ++ opp-hz = /bits/ 64 <50000000>; + required-opps = <&rpmhpd_opp_min_svs>; + }; + +@@ -1107,6 +1107,11 @@ opp-100000000 { + opp-hz = /bits/ 64 <100000000>; + required-opps = <&rpmhpd_opp_svs>; + }; ++ ++ opp-128000000 { ++ opp-hz = /bits/ 64 <128000000>; ++ required-opps = <&rpmhpd_opp_nom>; ++ }; + }; + + qupv3_id_0: geniqup@8c0000 { +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-ti-k3-j721e-rename-mux-header-and-update-m.patch b/queue-5.9/arm64-dts-ti-k3-j721e-rename-mux-header-and-update-m.patch new file mode 100644 index 00000000000..8974201b556 --- /dev/null +++ b/queue-5.9/arm64-dts-ti-k3-j721e-rename-mux-header-and-update-m.patch @@ -0,0 +1,224 @@ +From 383d6a786b98bba00386ad351a19545f9e75c1ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 19:59:30 +0300 +Subject: arm64: dts: ti: k3-j721e: Rename mux header and update macro names + +From: Roger Quadros + +[ Upstream commit c65176fd49f45bd5a5ffaa1790109745d1fa462c ] + +We intend to use one header file for SERDES MUX for all +TI SoCs so rename the header file. + +The exsting macros are too generic. Prefix them with SoC name. + +While at that, add the missing configurations for completeness. + +Fixes: b766e3b0d5f6 ("arm64: dts: ti: k3-j721e-main: Add system controller node and SERDES lane mux") +Reported-by: Peter Rosin +Signed-off-by: Roger Quadros +Signed-off-by: Nishanth Menon +Acked-by: Peter Rosin +Link: https://lore.kernel.org/r/20200918165930.2031-1-rogerq@ti.com +Signed-off-by: Sasha Levin +--- + .../dts/ti/k3-j721e-common-proc-board.dts | 11 +-- + arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 13 ++-- + include/dt-bindings/mux/mux-j721e-wiz.h | 53 -------------- + include/dt-bindings/mux/ti-serdes.h | 71 +++++++++++++++++++ + 4 files changed, 84 insertions(+), 64 deletions(-) + delete mode 100644 include/dt-bindings/mux/mux-j721e-wiz.h + create mode 100644 include/dt-bindings/mux/ti-serdes.h + +diff --git a/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts b/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts +index e8fc01d97adad..6f7490efc438b 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts ++++ b/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts +@@ -404,11 +404,12 @@ &usb_serdes_mux { + }; + + &serdes_ln_ctrl { +- idle-states = , , +- , , +- , , +- , , +- , , , ; ++ idle-states = , , ++ , , ++ , , ++ , , ++ , , ++ , ; + }; + + &serdes_wiz3 { +diff --git a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi +index 12ceea9b3c9ae..63d221aee9bc0 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi +@@ -6,7 +6,7 @@ + */ + #include + #include +-#include ++#include + + &cbass_main { + msmc_ram: sram@70000000 { +@@ -38,11 +38,12 @@ serdes_ln_ctrl: serdes-ln-ctrl@4080 { + <0x40b0 0x3>, <0x40b4 0x3>, /* SERDES3 lane0/1 select */ + <0x40c0 0x3>, <0x40c4 0x3>, <0x40c8 0x3>, <0x40cc 0x3>; + /* SERDES4 lane0/1/2/3 select */ +- idle-states = , , +- , , +- , , +- , , +- , , , ; ++ idle-states = , , ++ , , ++ , , ++ , , ++ , , ++ , ; + }; + + usb_serdes_mux: mux-controller@4000 { +diff --git a/include/dt-bindings/mux/mux-j721e-wiz.h b/include/dt-bindings/mux/mux-j721e-wiz.h +deleted file mode 100644 +index fd1c4ea9fc7f0..0000000000000 +--- a/include/dt-bindings/mux/mux-j721e-wiz.h ++++ /dev/null +@@ -1,53 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ +-/* +- * This header provides constants for J721E WIZ. +- */ +- +-#ifndef _DT_BINDINGS_J721E_WIZ +-#define _DT_BINDINGS_J721E_WIZ +- +-#define SERDES0_LANE0_QSGMII_LANE1 0x0 +-#define SERDES0_LANE0_PCIE0_LANE0 0x1 +-#define SERDES0_LANE0_USB3_0_SWAP 0x2 +- +-#define SERDES0_LANE1_QSGMII_LANE2 0x0 +-#define SERDES0_LANE1_PCIE0_LANE1 0x1 +-#define SERDES0_LANE1_USB3_0 0x2 +- +-#define SERDES1_LANE0_QSGMII_LANE3 0x0 +-#define SERDES1_LANE0_PCIE1_LANE0 0x1 +-#define SERDES1_LANE0_USB3_1_SWAP 0x2 +-#define SERDES1_LANE0_SGMII_LANE0 0x3 +- +-#define SERDES1_LANE1_QSGMII_LANE4 0x0 +-#define SERDES1_LANE1_PCIE1_LANE1 0x1 +-#define SERDES1_LANE1_USB3_1 0x2 +-#define SERDES1_LANE1_SGMII_LANE1 0x3 +- +-#define SERDES2_LANE0_PCIE2_LANE0 0x1 +-#define SERDES2_LANE0_SGMII_LANE0 0x3 +-#define SERDES2_LANE0_USB3_1_SWAP 0x2 +- +-#define SERDES2_LANE1_PCIE2_LANE1 0x1 +-#define SERDES2_LANE1_USB3_1 0x2 +-#define SERDES2_LANE1_SGMII_LANE1 0x3 +- +-#define SERDES3_LANE0_PCIE3_LANE0 0x1 +-#define SERDES3_LANE0_USB3_0_SWAP 0x2 +- +-#define SERDES3_LANE1_PCIE3_LANE1 0x1 +-#define SERDES3_LANE1_USB3_0 0x2 +- +-#define SERDES4_LANE0_EDP_LANE0 0x0 +-#define SERDES4_LANE0_QSGMII_LANE5 0x2 +- +-#define SERDES4_LANE1_EDP_LANE1 0x0 +-#define SERDES4_LANE1_QSGMII_LANE6 0x2 +- +-#define SERDES4_LANE2_EDP_LANE2 0x0 +-#define SERDES4_LANE2_QSGMII_LANE7 0x2 +- +-#define SERDES4_LANE3_EDP_LANE3 0x0 +-#define SERDES4_LANE3_QSGMII_LANE8 0x2 +- +-#endif /* _DT_BINDINGS_J721E_WIZ */ +diff --git a/include/dt-bindings/mux/ti-serdes.h b/include/dt-bindings/mux/ti-serdes.h +new file mode 100644 +index 0000000000000..146d0685a9251 +--- /dev/null ++++ b/include/dt-bindings/mux/ti-serdes.h +@@ -0,0 +1,71 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * This header provides constants for SERDES MUX for TI SoCs ++ */ ++ ++#ifndef _DT_BINDINGS_MUX_TI_SERDES ++#define _DT_BINDINGS_MUX_TI_SERDES ++ ++/* J721E */ ++ ++#define J721E_SERDES0_LANE0_QSGMII_LANE1 0x0 ++#define J721E_SERDES0_LANE0_PCIE0_LANE0 0x1 ++#define J721E_SERDES0_LANE0_USB3_0_SWAP 0x2 ++#define J721E_SERDES0_LANE0_IP4_UNUSED 0x3 ++ ++#define J721E_SERDES0_LANE1_QSGMII_LANE2 0x0 ++#define J721E_SERDES0_LANE1_PCIE0_LANE1 0x1 ++#define J721E_SERDES0_LANE1_USB3_0 0x2 ++#define J721E_SERDES0_LANE1_IP4_UNUSED 0x3 ++ ++#define J721E_SERDES1_LANE0_QSGMII_LANE3 0x0 ++#define J721E_SERDES1_LANE0_PCIE1_LANE0 0x1 ++#define J721E_SERDES1_LANE0_USB3_1_SWAP 0x2 ++#define J721E_SERDES1_LANE0_SGMII_LANE0 0x3 ++ ++#define J721E_SERDES1_LANE1_QSGMII_LANE4 0x0 ++#define J721E_SERDES1_LANE1_PCIE1_LANE1 0x1 ++#define J721E_SERDES1_LANE1_USB3_1 0x2 ++#define J721E_SERDES1_LANE1_SGMII_LANE1 0x3 ++ ++#define J721E_SERDES2_LANE0_IP1_UNUSED 0x0 ++#define J721E_SERDES2_LANE0_PCIE2_LANE0 0x1 ++#define J721E_SERDES2_LANE0_USB3_1_SWAP 0x2 ++#define J721E_SERDES2_LANE0_SGMII_LANE0 0x3 ++ ++#define J721E_SERDES2_LANE1_IP1_UNUSED 0x0 ++#define J721E_SERDES2_LANE1_PCIE2_LANE1 0x1 ++#define J721E_SERDES2_LANE1_USB3_1 0x2 ++#define J721E_SERDES2_LANE1_SGMII_LANE1 0x3 ++ ++#define J721E_SERDES3_LANE0_IP1_UNUSED 0x0 ++#define J721E_SERDES3_LANE0_PCIE3_LANE0 0x1 ++#define J721E_SERDES3_LANE0_USB3_0_SWAP 0x2 ++#define J721E_SERDES3_LANE0_IP4_UNUSED 0x3 ++ ++#define J721E_SERDES3_LANE1_IP1_UNUSED 0x0 ++#define J721E_SERDES3_LANE1_PCIE3_LANE1 0x1 ++#define J721E_SERDES3_LANE1_USB3_0 0x2 ++#define J721E_SERDES3_LANE1_IP4_UNUSED 0x3 ++ ++#define J721E_SERDES4_LANE0_EDP_LANE0 0x0 ++#define J721E_SERDES4_LANE0_IP2_UNUSED 0x1 ++#define J721E_SERDES4_LANE0_QSGMII_LANE5 0x2 ++#define J721E_SERDES4_LANE0_IP4_UNUSED 0x3 ++ ++#define J721E_SERDES4_LANE1_EDP_LANE1 0x0 ++#define J721E_SERDES4_LANE1_IP2_UNUSED 0x1 ++#define J721E_SERDES4_LANE1_QSGMII_LANE6 0x2 ++#define J721E_SERDES4_LANE1_IP4_UNUSED 0x3 ++ ++#define J721E_SERDES4_LANE2_EDP_LANE2 0x0 ++#define J721E_SERDES4_LANE2_IP2_UNUSED 0x1 ++#define J721E_SERDES4_LANE2_QSGMII_LANE7 0x2 ++#define J721E_SERDES4_LANE2_IP4_UNUSED 0x3 ++ ++#define J721E_SERDES4_LANE3_EDP_LANE3 0x0 ++#define J721E_SERDES4_LANE3_IP2_UNUSED 0x1 ++#define J721E_SERDES4_LANE3_QSGMII_LANE8 0x2 ++#define J721E_SERDES4_LANE3_IP4_UNUSED 0x3 ++ ++#endif /* _DT_BINDINGS_MUX_TI_SERDES */ +-- +2.25.1 + diff --git a/queue-5.9/arm64-dts-zynqmp-remove-additional-compatible-string.patch b/queue-5.9/arm64-dts-zynqmp-remove-additional-compatible-string.patch new file mode 100644 index 00000000000..193d35704db --- /dev/null +++ b/queue-5.9/arm64-dts-zynqmp-remove-additional-compatible-string.patch @@ -0,0 +1,60 @@ +From 0f072f9322b5ae70ceac756be410575d5cf36467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 10:59:14 +0200 +Subject: arm64: dts: zynqmp: Remove additional compatible string for i2c IPs + +From: Michal Simek + +[ Upstream commit 35292518cb0a626fcdcabf739aed75060a018ab5 ] + +DT binding permits only one compatible string which was decribed in past by +commit 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq +Ultrascale+ MPSoC"). +The commit aea37006e183 ("dt-bindings: i2c: cadence: Migrate i2c-cadence +documentation to YAML") has converted binding to yaml and the following +issues is reported: +...: i2c@ff030000: compatible: Additional items are not allowed +('cdns,i2c-r1p10' was unexpected) + From schema: +.../Documentation/devicetree/bindings/i2c/cdns,i2c-r1p10.yaml fds +...: i2c@ff030000: compatible: ['cdns,i2c-r1p14', 'cdns,i2c-r1p10'] is too +long + +The commit c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") +has added the second compatible string but without removing origin one. +The patch is only keeping one compatible string "cdns,i2c-r1p14". + +Fixes: c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") +Signed-off-by: Michal Simek +Link: https://lore.kernel.org/r/cc294ae1a79ef845af6809ddb4049f0c0f5bb87a.1598259551.git.michal.simek@xilinx.com +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi +index 3ec99f13c259e..a6d869727a92e 100644 +--- a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi ++++ b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi +@@ -501,7 +501,7 @@ gpio: gpio@ff0a0000 { + }; + + i2c0: i2c@ff020000 { +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10"; ++ compatible = "cdns,i2c-r1p14"; + status = "disabled"; + interrupt-parent = <&gic>; + interrupts = <0 17 4>; +@@ -512,7 +512,7 @@ i2c0: i2c@ff020000 { + }; + + i2c1: i2c@ff030000 { +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10"; ++ compatible = "cdns,i2c-r1p14"; + status = "disabled"; + interrupt-parent = <&gic>; + interrupts = <0 18 4>; +-- +2.25.1 + diff --git a/queue-5.9/arm64-kprobe-add-checks-for-armv8.3-pauth-combined-i.patch b/queue-5.9/arm64-kprobe-add-checks-for-armv8.3-pauth-combined-i.patch new file mode 100644 index 00000000000..56cf3967645 --- /dev/null +++ b/queue-5.9/arm64-kprobe-add-checks-for-armv8.3-pauth-combined-i.patch @@ -0,0 +1,125 @@ +From c48e1b088a6426a9e73db57e4684fabcc393283f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:06:51 +0530 +Subject: arm64: kprobe: add checks for ARMv8.3-PAuth combined instructions + +From: Amit Daniel Kachhap + +[ Upstream commit 93396936ed0ce2c6f44140bd14728611d0bb065e ] + +Currently the ARMv8.3-PAuth combined branch instructions (braa, retaa +etc.) are not simulated for out-of-line execution with a handler. Hence the +uprobe of such instructions leads to kernel warnings in a loop as they are +not explicitly checked and fall into INSN_GOOD categories. Other combined +instructions like LDRAA and LDRBB can be probed. + +The issue of the combined branch instructions is fixed by adding +group definitions of all such instructions and rejecting their probes. +The instruction groups added are br_auth(braa, brab, braaz and brabz), +blr_auth(blraa, blrab, blraaz and blrabz), ret_auth(retaa and retab) and +eret_auth(eretaa and eretab). + +Warning log: + WARNING: CPU: 0 PID: 156 at arch/arm64/kernel/probes/uprobes.c:182 uprobe_single_step_handler+0x34/0x50 + Modules linked in: + CPU: 0 PID: 156 Comm: func Not tainted 5.9.0-rc3 #188 + Hardware name: Foundation-v8A (DT) + pstate: 804003c9 (Nzcv DAIF +PAN -UAO BTYPE=--) + pc : uprobe_single_step_handler+0x34/0x50 + lr : single_step_handler+0x70/0xf8 + sp : ffff800012af3e30 + x29: ffff800012af3e30 x28: ffff000878723b00 + x27: 0000000000000000 x26: 0000000000000000 + x25: 0000000000000000 x24: 0000000000000000 + x23: 0000000060001000 x22: 00000000cb000022 + x21: ffff800012065ce8 x20: ffff800012af3ec0 + x19: ffff800012068d50 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 + x15: 0000000000000000 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000000 + x9 : ffff800010085c90 x8 : 0000000000000000 + x7 : 0000000000000000 x6 : ffff80001205a9c8 + x5 : ffff80001205a000 x4 : ffff80001233db80 + x3 : ffff8000100a7a60 x2 : 0020000000000003 + x1 : 0000fffffffff008 x0 : ffff800012af3ec0 + Call trace: + uprobe_single_step_handler+0x34/0x50 + single_step_handler+0x70/0xf8 + do_debug_exception+0xb8/0x130 + el0_sync_handler+0x138/0x1b8 + el0_sync+0x158/0x180 + +Fixes: 74afda4016a7 ("arm64: compile the kernel with ptrauth return address signing") +Fixes: 04ca3204fa09 ("arm64: enable pointer authentication") +Signed-off-by: Amit Daniel Kachhap +Reviewed-by: Dave Martin +Link: https://lore.kernel.org/r/20200914083656.21428-2-amit.kachhap@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/insn.h | 4 ++++ + arch/arm64/kernel/insn.c | 5 ++++- + arch/arm64/kernel/probes/decode-insn.c | 3 ++- + 3 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/insn.h b/arch/arm64/include/asm/insn.h +index 0bc46149e4917..4b39293d0f72d 100644 +--- a/arch/arm64/include/asm/insn.h ++++ b/arch/arm64/include/asm/insn.h +@@ -359,9 +359,13 @@ __AARCH64_INSN_FUNCS(brk, 0xFFE0001F, 0xD4200000) + __AARCH64_INSN_FUNCS(exception, 0xFF000000, 0xD4000000) + __AARCH64_INSN_FUNCS(hint, 0xFFFFF01F, 0xD503201F) + __AARCH64_INSN_FUNCS(br, 0xFFFFFC1F, 0xD61F0000) ++__AARCH64_INSN_FUNCS(br_auth, 0xFEFFF800, 0xD61F0800) + __AARCH64_INSN_FUNCS(blr, 0xFFFFFC1F, 0xD63F0000) ++__AARCH64_INSN_FUNCS(blr_auth, 0xFEFFF800, 0xD63F0800) + __AARCH64_INSN_FUNCS(ret, 0xFFFFFC1F, 0xD65F0000) ++__AARCH64_INSN_FUNCS(ret_auth, 0xFFFFFBFF, 0xD65F0BFF) + __AARCH64_INSN_FUNCS(eret, 0xFFFFFFFF, 0xD69F03E0) ++__AARCH64_INSN_FUNCS(eret_auth, 0xFFFFFBFF, 0xD69F0BFF) + __AARCH64_INSN_FUNCS(mrs, 0xFFF00000, 0xD5300000) + __AARCH64_INSN_FUNCS(msr_imm, 0xFFF8F01F, 0xD500401F) + __AARCH64_INSN_FUNCS(msr_reg, 0xFFF00000, 0xD5100000) +diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c +index a107375005bc9..ccc8c9e22b258 100644 +--- a/arch/arm64/kernel/insn.c ++++ b/arch/arm64/kernel/insn.c +@@ -176,7 +176,7 @@ bool __kprobes aarch64_insn_uses_literal(u32 insn) + + bool __kprobes aarch64_insn_is_branch(u32 insn) + { +- /* b, bl, cb*, tb*, b.cond, br, blr */ ++ /* b, bl, cb*, tb*, ret*, b.cond, br*, blr* */ + + return aarch64_insn_is_b(insn) || + aarch64_insn_is_bl(insn) || +@@ -185,8 +185,11 @@ bool __kprobes aarch64_insn_is_branch(u32 insn) + aarch64_insn_is_tbz(insn) || + aarch64_insn_is_tbnz(insn) || + aarch64_insn_is_ret(insn) || ++ aarch64_insn_is_ret_auth(insn) || + aarch64_insn_is_br(insn) || ++ aarch64_insn_is_br_auth(insn) || + aarch64_insn_is_blr(insn) || ++ aarch64_insn_is_blr_auth(insn) || + aarch64_insn_is_bcond(insn); + } + +diff --git a/arch/arm64/kernel/probes/decode-insn.c b/arch/arm64/kernel/probes/decode-insn.c +index 263d5fba4c8a3..c541fb48886e3 100644 +--- a/arch/arm64/kernel/probes/decode-insn.c ++++ b/arch/arm64/kernel/probes/decode-insn.c +@@ -29,7 +29,8 @@ static bool __kprobes aarch64_insn_is_steppable(u32 insn) + aarch64_insn_is_msr_imm(insn) || + aarch64_insn_is_msr_reg(insn) || + aarch64_insn_is_exception(insn) || +- aarch64_insn_is_eret(insn)) ++ aarch64_insn_is_eret(insn) || ++ aarch64_insn_is_eret_auth(insn)) + return false; + + /* +-- +2.25.1 + diff --git a/queue-5.9/arm64-mm-use-single-quantity-to-represent-the-pa-to-.patch b/queue-5.9/arm64-mm-use-single-quantity-to-represent-the-pa-to-.patch new file mode 100644 index 00000000000..27b1b215f15 --- /dev/null +++ b/queue-5.9/arm64-mm-use-single-quantity-to-represent-the-pa-to-.patch @@ -0,0 +1,153 @@ +From 46d4f33931add03028b82247afbd24dae091aa89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 17:35:59 +0200 +Subject: arm64: mm: use single quantity to represent the PA to VA translation + +From: Ard Biesheuvel + +[ Upstream commit 7bc1a0f9e1765830e945669c99c59c35cf9bca82 ] + +On arm64, the global variable memstart_addr represents the physical +address of PAGE_OFFSET, and so physical to virtual translations or +vice versa used to come down to simple additions or subtractions +involving the values of PAGE_OFFSET and memstart_addr. + +When support for 52-bit virtual addressing was introduced, we had to +deal with PAGE_OFFSET potentially being outside of the region that +can be covered by the virtual range (as the 52-bit VA capable build +needs to be able to run on systems that are only 48-bit VA capable), +and for this reason, another translation was introduced, and recorded +in the global variable physvirt_offset. + +However, if we go back to the original definition of memstart_addr, +i.e., the physical address of PAGE_OFFSET, it turns out that there is +no need for two separate translations: instead, we can simply subtract +the size of the unaddressable VA space from memstart_addr to make the +available physical memory appear in the 48-bit addressable VA region. + +This simplifies things, but also fixes a bug on KASLR builds, which +may update memstart_addr later on in arm64_memblock_init(), but fails +to update vmemmap and physvirt_offset accordingly. + +Fixes: 5383cc6efed1 ("arm64: mm: Introduce vabits_actual") +Signed-off-by: Ard Biesheuvel +Reviewed-by: Steve Capper +Link: https://lore.kernel.org/r/20201008153602.9467-2-ardb@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/memory.h | 5 ++--- + arch/arm64/include/asm/pgtable.h | 4 ++-- + arch/arm64/mm/init.c | 30 ++++++++++-------------------- + 3 files changed, 14 insertions(+), 25 deletions(-) + +diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h +index afa722504bfde..1ded73189874d 100644 +--- a/arch/arm64/include/asm/memory.h ++++ b/arch/arm64/include/asm/memory.h +@@ -164,7 +164,6 @@ + extern u64 vabits_actual; + #define PAGE_END (_PAGE_END(vabits_actual)) + +-extern s64 physvirt_offset; + extern s64 memstart_addr; + /* PHYS_OFFSET - the physical address of the start of memory. */ + #define PHYS_OFFSET ({ VM_BUG_ON(memstart_addr & 1); memstart_addr; }) +@@ -240,7 +239,7 @@ static inline const void *__tag_set(const void *addr, u8 tag) + */ + #define __is_lm_address(addr) (!(((u64)addr) & BIT(vabits_actual - 1))) + +-#define __lm_to_phys(addr) (((addr) + physvirt_offset)) ++#define __lm_to_phys(addr) (((addr) & ~PAGE_OFFSET) + PHYS_OFFSET) + #define __kimg_to_phys(addr) ((addr) - kimage_voffset) + + #define __virt_to_phys_nodebug(x) ({ \ +@@ -258,7 +257,7 @@ extern phys_addr_t __phys_addr_symbol(unsigned long x); + #define __phys_addr_symbol(x) __pa_symbol_nodebug(x) + #endif /* CONFIG_DEBUG_VIRTUAL */ + +-#define __phys_to_virt(x) ((unsigned long)((x) - physvirt_offset)) ++#define __phys_to_virt(x) ((unsigned long)((x) - PHYS_OFFSET) | PAGE_OFFSET) + #define __phys_to_kimg(x) ((unsigned long)((x) + kimage_voffset)) + + /* +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index d5d3fbe739534..88233d42d9c29 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -23,6 +23,8 @@ + #define VMALLOC_START (MODULES_END) + #define VMALLOC_END (- PUD_SIZE - VMEMMAP_SIZE - SZ_64K) + ++#define vmemmap ((struct page *)VMEMMAP_START - (memstart_addr >> PAGE_SHIFT)) ++ + #define FIRST_USER_ADDRESS 0UL + + #ifndef __ASSEMBLY__ +@@ -33,8 +35,6 @@ + #include + #include + +-extern struct page *vmemmap; +- + extern void __pte_error(const char *file, int line, unsigned long val); + extern void __pmd_error(const char *file, int line, unsigned long val); + extern void __pud_error(const char *file, int line, unsigned long val); +diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c +index 481d22c32a2e7..324f0e0894f6e 100644 +--- a/arch/arm64/mm/init.c ++++ b/arch/arm64/mm/init.c +@@ -54,12 +54,6 @@ + s64 memstart_addr __ro_after_init = -1; + EXPORT_SYMBOL(memstart_addr); + +-s64 physvirt_offset __ro_after_init; +-EXPORT_SYMBOL(physvirt_offset); +- +-struct page *vmemmap __ro_after_init; +-EXPORT_SYMBOL(vmemmap); +- + /* + * We create both ZONE_DMA and ZONE_DMA32. ZONE_DMA covers the first 1G of + * memory as some devices, namely the Raspberry Pi 4, have peripherals with +@@ -290,20 +284,6 @@ void __init arm64_memblock_init(void) + memstart_addr = round_down(memblock_start_of_DRAM(), + ARM64_MEMSTART_ALIGN); + +- physvirt_offset = PHYS_OFFSET - PAGE_OFFSET; +- +- vmemmap = ((struct page *)VMEMMAP_START - (memstart_addr >> PAGE_SHIFT)); +- +- /* +- * If we are running with a 52-bit kernel VA config on a system that +- * does not support it, we have to offset our vmemmap and physvirt_offset +- * s.t. we avoid the 52-bit portion of the direct linear map +- */ +- if (IS_ENABLED(CONFIG_ARM64_VA_BITS_52) && (vabits_actual != 52)) { +- vmemmap += (_PAGE_OFFSET(48) - _PAGE_OFFSET(52)) >> PAGE_SHIFT; +- physvirt_offset = PHYS_OFFSET - _PAGE_OFFSET(48); +- } +- + /* + * Remove the memory that we will not be able to cover with the + * linear mapping. Take care not to clip the kernel which may be +@@ -318,6 +298,16 @@ void __init arm64_memblock_init(void) + memblock_remove(0, memstart_addr); + } + ++ /* ++ * If we are running with a 52-bit kernel VA config on a system that ++ * does not support it, we have to place the available physical ++ * memory in the 48-bit addressable part of the linear region, i.e., ++ * we have to move it upward. Since memstart_addr represents the ++ * physical address of PAGE_OFFSET, we have to *subtract* from it. ++ */ ++ if (IS_ENABLED(CONFIG_ARM64_VA_BITS_52) && (vabits_actual != 52)) ++ memstart_addr -= _PAGE_OFFSET(48) - _PAGE_OFFSET(52); ++ + /* + * Apply the memory limit if it was set. Since the kernel may be loaded + * high up in memory, add back the kernel region that must be accessible +-- +2.25.1 + diff --git a/queue-5.9/arm64-perf-add-missing-isb-in-armv8pmu_enable_counte.patch b/queue-5.9/arm64-perf-add-missing-isb-in-armv8pmu_enable_counte.patch new file mode 100644 index 00000000000..7eec81f20d4 --- /dev/null +++ b/queue-5.9/arm64-perf-add-missing-isb-in-armv8pmu_enable_counte.patch @@ -0,0 +1,62 @@ +From fb027c3c400ab4ad008d9a4bbafee4d1acbedefb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 12:07:00 +0100 +Subject: arm64: perf: Add missing ISB in armv8pmu_enable_counter() + +From: Alexandru Elisei + +[ Upstream commit 490d7b7c0845eacf5593db333fd2ae7715416e16 ] + +Writes to the PMXEVTYPER_EL0 register are not self-synchronising. In +armv8pmu_enable_event(), the PE can reorder configuring the event type +after we have enabled the counter and the interrupt. This can lead to an +interrupt being asserted because of the previous event type that we were +counting using the same counter, not the one that we've just configured. + +The same rationale applies to writes to the PMINTENSET_EL1 register. The PE +can reorder enabling the interrupt at any point in the future after we have +enabled the event. + +Prevent both situations from happening by adding an ISB just before we +enable the event counter. + +Fixes: 030896885ade ("arm64: Performance counters support") +Reported-by: Julien Thierry +Signed-off-by: Alexandru Elisei +Tested-by: Sumit Garg (Developerbox) +Cc: Julien Thierry +Cc: Will Deacon +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Catalin Marinas +Link: https://lore.kernel.org/r/20200924110706.254996-2-alexandru.elisei@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/perf_event.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c +index 462f9a9cc44be..481d48e3872b8 100644 +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -532,6 +532,11 @@ static u32 armv8pmu_event_cnten_mask(struct perf_event *event) + + static inline void armv8pmu_enable_counter(u32 mask) + { ++ /* ++ * Make sure event configuration register writes are visible before we ++ * enable the counter. ++ * */ ++ isb(); + write_sysreg(mask, pmcntenset_el0); + } + +-- +2.25.1 + diff --git a/queue-5.9/asoc-cros_ec_codec-fix-kconfig-dependency-warning-fo.patch b/queue-5.9/asoc-cros_ec_codec-fix-kconfig-dependency-warning-fo.patch new file mode 100644 index 00000000000..4a353e5eba3 --- /dev/null +++ b/queue-5.9/asoc-cros_ec_codec-fix-kconfig-dependency-warning-fo.patch @@ -0,0 +1,48 @@ +From affc7a604339ed58491e791ef985adfb444f5340 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 17:18:04 +0300 +Subject: ASoC: cros_ec_codec: fix kconfig dependency warning for + SND_SOC_CROS_EC_CODEC + +From: Necip Fazil Yildiran + +[ Upstream commit 50b18e4a2608e3897f3787eaa7dfa869b40d9923 ] + +When SND_SOC_CROS_EC_CODEC is enabled and CRYPTO is disabled, it results +in the following Kbuild warning: + +WARNING: unmet direct dependencies detected for CRYPTO_LIB_SHA256 + Depends on [n]: CRYPTO [=n] + Selected by [y]: + - SND_SOC_CROS_EC_CODEC [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && CROS_EC [=y] + +The reason is that SND_SOC_CROS_EC_CODEC selects CRYPTO_LIB_SHA256 without +depending on or selecting CRYPTO while CRYPTO_LIB_SHA256 is subordinate to +CRYPTO. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: 93fa0af4790a ("ASoC: cros_ec_codec: switch to library API for SHA-256") +Signed-off-by: Necip Fazil Yildiran +Link: https://lore.kernel.org/r/20200917141803.92889-1-fazilyildiran@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/Kconfig b/sound/soc/codecs/Kconfig +index 946a70210f492..601ea45d3ea66 100644 +--- a/sound/soc/codecs/Kconfig ++++ b/sound/soc/codecs/Kconfig +@@ -540,6 +540,7 @@ config SND_SOC_CQ0093VC + config SND_SOC_CROS_EC_CODEC + tristate "codec driver for ChromeOS EC" + depends on CROS_EC ++ select CRYPTO + select CRYPTO_LIB_SHA256 + help + If you say yes here you will get support for the +-- +2.25.1 + diff --git a/queue-5.9/asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch b/queue-5.9/asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch new file mode 100644 index 00000000000..a5ace130494 --- /dev/null +++ b/queue-5.9/asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch @@ -0,0 +1,75 @@ +From a68a74f02ad7dc79142548a3777d57be6d917152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 21:02:24 +0800 +Subject: ASoC: fsl: imx-es8328: add missing put_device() call in + imx_es8328_probe() + +From: Yu Kuai + +[ Upstream commit e525db7e4b44c5b2b5aac0dad24e23cb58c54d22 ] + +if of_find_device_by_node() succeed, imx_es8328_probe() doesn't have +a corresponding put_device(). Thus add a jump target to fix the exception +handling for this function implementation. + +Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20200825130224.1488694-1-yukuai3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-es8328.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/fsl/imx-es8328.c b/sound/soc/fsl/imx-es8328.c +index 15a27a2cd0cae..fad1eb6253d53 100644 +--- a/sound/soc/fsl/imx-es8328.c ++++ b/sound/soc/fsl/imx-es8328.c +@@ -145,13 +145,13 @@ static int imx_es8328_probe(struct platform_device *pdev) + data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL); + if (!data) { + ret = -ENOMEM; +- goto fail; ++ goto put_device; + } + + comp = devm_kzalloc(dev, 3 * sizeof(*comp), GFP_KERNEL); + if (!comp) { + ret = -ENOMEM; +- goto fail; ++ goto put_device; + } + + data->dev = dev; +@@ -182,12 +182,12 @@ static int imx_es8328_probe(struct platform_device *pdev) + ret = snd_soc_of_parse_card_name(&data->card, "model"); + if (ret) { + dev_err(dev, "Unable to parse card name\n"); +- goto fail; ++ goto put_device; + } + ret = snd_soc_of_parse_audio_routing(&data->card, "audio-routing"); + if (ret) { + dev_err(dev, "Unable to parse routing: %d\n", ret); +- goto fail; ++ goto put_device; + } + data->card.num_links = 1; + data->card.owner = THIS_MODULE; +@@ -196,10 +196,12 @@ static int imx_es8328_probe(struct platform_device *pdev) + ret = snd_soc_register_card(&data->card); + if (ret) { + dev_err(dev, "Unable to register: %d\n", ret); +- goto fail; ++ goto put_device; + } + + platform_set_drvdata(pdev, data); ++put_device: ++ put_device(&ssi_pdev->dev); + fail: + of_node_put(ssi_np); + of_node_put(codec_np); +-- +2.25.1 + diff --git a/queue-5.9/asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch b/queue-5.9/asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch new file mode 100644 index 00000000000..90388a58a59 --- /dev/null +++ b/queue-5.9/asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch @@ -0,0 +1,92 @@ +From 1a0a1157b5bc48362c5cb36db9acb74b7fd1ceea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 18:26:00 +0800 +Subject: ASoC: fsl_sai: Instantiate snd_soc_dai_driver + +From: Shengjiu Wang + +[ Upstream commit 22a16145af824f91014d07f8664114859900b9e6 ] + +Instantiate snd_soc_dai_driver for independent symmetric control. +Otherwise the symmetric setting may be overwritten by other +instance. + +Fixes: 08fdf65e37d5 ("ASoC: fsl_sai: Add asynchronous mode support") +Signed-off-by: Shengjiu Wang +Link: https://lore.kernel.org/r/1600424760-32071-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_sai.c | 19 +++++++++++-------- + sound/soc/fsl/fsl_sai.h | 1 + + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index cdff739924e2e..2ea354dd5434f 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -694,7 +694,7 @@ static int fsl_sai_dai_probe(struct snd_soc_dai *cpu_dai) + return 0; + } + +-static struct snd_soc_dai_driver fsl_sai_dai = { ++static struct snd_soc_dai_driver fsl_sai_dai_template = { + .probe = fsl_sai_dai_probe, + .playback = { + .stream_name = "CPU-Playback", +@@ -966,12 +966,15 @@ static int fsl_sai_probe(struct platform_device *pdev) + return ret; + } + ++ memcpy(&sai->cpu_dai_drv, &fsl_sai_dai_template, ++ sizeof(fsl_sai_dai_template)); ++ + /* Sync Tx with Rx as default by following old DT binding */ + sai->synchronous[RX] = true; + sai->synchronous[TX] = false; +- fsl_sai_dai.symmetric_rates = 1; +- fsl_sai_dai.symmetric_channels = 1; +- fsl_sai_dai.symmetric_samplebits = 1; ++ sai->cpu_dai_drv.symmetric_rates = 1; ++ sai->cpu_dai_drv.symmetric_channels = 1; ++ sai->cpu_dai_drv.symmetric_samplebits = 1; + + if (of_find_property(np, "fsl,sai-synchronous-rx", NULL) && + of_find_property(np, "fsl,sai-asynchronous", NULL)) { +@@ -988,9 +991,9 @@ static int fsl_sai_probe(struct platform_device *pdev) + /* Discard all settings for asynchronous mode */ + sai->synchronous[RX] = false; + sai->synchronous[TX] = false; +- fsl_sai_dai.symmetric_rates = 0; +- fsl_sai_dai.symmetric_channels = 0; +- fsl_sai_dai.symmetric_samplebits = 0; ++ sai->cpu_dai_drv.symmetric_rates = 0; ++ sai->cpu_dai_drv.symmetric_channels = 0; ++ sai->cpu_dai_drv.symmetric_samplebits = 0; + } + + if (of_find_property(np, "fsl,sai-mclk-direction-output", NULL) && +@@ -1020,7 +1023,7 @@ static int fsl_sai_probe(struct platform_device *pdev) + regcache_cache_only(sai->regmap, true); + + ret = devm_snd_soc_register_component(&pdev->dev, &fsl_component, +- &fsl_sai_dai, 1); ++ &sai->cpu_dai_drv, 1); + if (ret) + goto err_pm_disable; + +diff --git a/sound/soc/fsl/fsl_sai.h b/sound/soc/fsl/fsl_sai.h +index 6aba7d28f5f34..677ecfc1ec68f 100644 +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -180,6 +180,7 @@ struct fsl_sai { + unsigned int bclk_ratio; + + const struct fsl_sai_soc_data *soc_data; ++ struct snd_soc_dai_driver cpu_dai_drv; + struct snd_dmaengine_dai_dma_data dma_params_rx; + struct snd_dmaengine_dai_dma_data dma_params_tx; + }; +-- +2.25.1 + diff --git a/queue-5.9/asoc-intel-sof_rt5682-override-quirk-data-for-tgl_ma.patch b/queue-5.9/asoc-intel-sof_rt5682-override-quirk-data-for-tgl_ma.patch new file mode 100644 index 00000000000..caf15efbffa --- /dev/null +++ b/queue-5.9/asoc-intel-sof_rt5682-override-quirk-data-for-tgl_ma.patch @@ -0,0 +1,51 @@ +From 78a344af69a25ce33703ed33303ede403f2328de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 14:55:59 -0500 +Subject: ASoC: Intel: sof_rt5682: override quirk data for tgl_max98373_rt5682 + +From: Sathyanarayana Nujella + +[ Upstream commit 3e1734b64ce786c54dc98adcfe67941e6011d735 ] + +A Chrome System based on tgl_max98373_rt5682 has different SSP interface +configurations. Using DMI data of this variant DUT, override quirk +data. + +Reviewed-by: Guennadi Liakhovetski +Signed-off-by: Sathyanarayana Nujella +Signed-off-by: Mac Chiang +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20200821195603.215535-13-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_rt5682.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/sound/soc/intel/boards/sof_rt5682.c b/sound/soc/intel/boards/sof_rt5682.c +index 0129d23694ed5..9a6f10ede427e 100644 +--- a/sound/soc/intel/boards/sof_rt5682.c ++++ b/sound/soc/intel/boards/sof_rt5682.c +@@ -119,6 +119,19 @@ static const struct dmi_system_id sof_rt5682_quirk_table[] = { + .driver_data = (void *)(SOF_RT5682_MCLK_EN | + SOF_RT5682_SSP_CODEC(0)), + }, ++ { ++ .callback = sof_rt5682_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_FAMILY, "Google_Volteer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Terrador"), ++ }, ++ .driver_data = (void *)(SOF_RT5682_MCLK_EN | ++ SOF_RT5682_SSP_CODEC(0) | ++ SOF_SPEAKER_AMP_PRESENT | ++ SOF_MAX98373_SPEAKER_AMP_PRESENT | ++ SOF_RT5682_SSP_AMP(2) | ++ SOF_RT5682_NUM_HDMIDEV(4)), ++ }, + {} + }; + +-- +2.25.1 + diff --git a/queue-5.9/asoc-mediatek-mt8183-da7219-fix-wrong-ops-for-i2s3.patch b/queue-5.9/asoc-mediatek-mt8183-da7219-fix-wrong-ops-for-i2s3.patch new file mode 100644 index 00000000000..da56ed0fa7a --- /dev/null +++ b/queue-5.9/asoc-mediatek-mt8183-da7219-fix-wrong-ops-for-i2s3.patch @@ -0,0 +1,46 @@ +From 0f29c3c68abc3b2c2e3d21811f1976b60f886b01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 18:12:52 +0800 +Subject: ASoC: mediatek: mt8183-da7219: fix wrong ops for I2S3 + +From: Tzung-Bi Shih + +[ Upstream commit ebb11d1d9fe2d6b4a47755f7f09b2b631046e308 ] + +DA7219 uses I2S2 and I2S3 for input and output respectively. Commit +9e30251fb22e ("ASoC: mediatek: mt8183-da7219: support machine driver +with rt1015") introduces a bug that: +- If using I2S2 solely, MCLK to DA7219 is 256FS. +- If using I2S3 solely, MCLK to DA7219 is 128FS. +- If using I2S3 first and then I2S2, the MCLK changes from 128FS to + 256FS. As a result, no sound output to the headset. Also no sound + input from the headset microphone. + +Both I2S2 and I2S3 should set MCLK to 256FS. Fixes the wrong ops for +I2S3. + +Fixes: 9e30251fb22e ("ASoC: mediatek: mt8183-da7219: support machine driver with rt1015") +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20201006101252.1890385-1-tzungbi@google.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c +index 06d0a4f80fc17..a6c690c5308d3 100644 +--- a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c ++++ b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c +@@ -673,7 +673,7 @@ static int mt8183_da7219_max98357_dev_probe(struct platform_device *pdev) + if (card == &mt8183_da7219_max98357_card) { + dai_link->be_hw_params_fixup = + mt8183_i2s_hw_params_fixup; +- dai_link->ops = &mt8183_mt6358_i2s_ops; ++ dai_link->ops = &mt8183_da7219_i2s_ops; + dai_link->cpus = i2s3_max98357a_cpus; + dai_link->num_cpus = + ARRAY_SIZE(i2s3_max98357a_cpus); +-- +2.25.1 + diff --git a/queue-5.9/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch b/queue-5.9/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch new file mode 100644 index 00000000000..4a26d09dfbf --- /dev/null +++ b/queue-5.9/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch @@ -0,0 +1,62 @@ +From fe3c016fe9157e6bbb2dc4532043b55f460bcfc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 16:23:02 +0530 +Subject: ASoC: qcom: lpass-cpu: fix concurrency issue + +From: Rohit kumar + +[ Upstream commit 753a6e17942f6f425ca622e1610625998312ad89 ] + +i2sctl register value is set to 0 during hw_free(). This +impacts any ongoing concurrent session on the same i2s +port. As trigger() stop already resets enable bit to 0, +there is no need of explicit hw_free. Removing it to +fix the issue. + +Fixes: 80beab8e1d86 ("ASoC: qcom: Add LPASS CPU DAI driver") +Signed-off-by: Rohit kumar +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/1597402388-14112-7-git-send-email-rohitkr@codeaurora.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/lpass-cpu.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/sound/soc/qcom/lpass-cpu.c b/sound/soc/qcom/lpass-cpu.c +index e00a4af29c13f..f25da84f175ac 100644 +--- a/sound/soc/qcom/lpass-cpu.c ++++ b/sound/soc/qcom/lpass-cpu.c +@@ -209,21 +209,6 @@ static int lpass_cpu_daiops_hw_params(struct snd_pcm_substream *substream, + return 0; + } + +-static int lpass_cpu_daiops_hw_free(struct snd_pcm_substream *substream, +- struct snd_soc_dai *dai) +-{ +- struct lpass_data *drvdata = snd_soc_dai_get_drvdata(dai); +- int ret; +- +- ret = regmap_write(drvdata->lpaif_map, +- LPAIF_I2SCTL_REG(drvdata->variant, dai->driver->id), +- 0); +- if (ret) +- dev_err(dai->dev, "error writing to i2sctl reg: %d\n", ret); +- +- return ret; +-} +- + static int lpass_cpu_daiops_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { +@@ -304,7 +289,6 @@ const struct snd_soc_dai_ops asoc_qcom_lpass_cpu_dai_ops = { + .startup = lpass_cpu_daiops_startup, + .shutdown = lpass_cpu_daiops_shutdown, + .hw_params = lpass_cpu_daiops_hw_params, +- .hw_free = lpass_cpu_daiops_hw_free, + .prepare = lpass_cpu_daiops_prepare, + .trigger = lpass_cpu_daiops_trigger, + }; +-- +2.25.1 + diff --git a/queue-5.9/asoc-qcom-lpass-platform-fix-memory-leak.patch b/queue-5.9/asoc-qcom-lpass-platform-fix-memory-leak.patch new file mode 100644 index 00000000000..03e9c42385e --- /dev/null +++ b/queue-5.9/asoc-qcom-lpass-platform-fix-memory-leak.patch @@ -0,0 +1,46 @@ +From 12040da35c4dac301006cf68c46e16084fc7f374 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 16:23:00 +0530 +Subject: ASoC: qcom: lpass-platform: fix memory leak + +From: Rohit kumar + +[ Upstream commit 5fd188215d4eb52703600d8986b22311099a5940 ] + +lpass_pcm_data is never freed. Free it in close +ops to avoid memory leak. + +Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage") +Signed-off-by: Rohit kumar +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/1597402388-14112-5-git-send-email-rohitkr@codeaurora.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/lpass-platform.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/qcom/lpass-platform.c b/sound/soc/qcom/lpass-platform.c +index 01179bc0e5e57..e62ac7e650785 100644 +--- a/sound/soc/qcom/lpass-platform.c ++++ b/sound/soc/qcom/lpass-platform.c +@@ -61,7 +61,7 @@ static int lpass_platform_pcmops_open(struct snd_soc_component *component, + int ret, dma_ch, dir = substream->stream; + struct lpass_pcm_data *data; + +- data = devm_kzalloc(soc_runtime->dev, sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -118,6 +118,7 @@ static int lpass_platform_pcmops_close(struct snd_soc_component *component, + if (v->free_dma_channel) + v->free_dma_channel(drvdata, data->dma_ch); + ++ kfree(data); + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/asoc-sof-add-topology-filename-override-based-on-dmi.patch b/queue-5.9/asoc-sof-add-topology-filename-override-based-on-dmi.patch new file mode 100644 index 00000000000..72b0aa2d56a --- /dev/null +++ b/queue-5.9/asoc-sof-add-topology-filename-override-based-on-dmi.patch @@ -0,0 +1,94 @@ +From 24ad1ee8e557280240d0aafc52a56f5522f13003 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 14:56:00 -0500 +Subject: ASoC: SOF: Add topology filename override based on dmi data match + +From: Sathyanarayana Nujella + +[ Upstream commit 5253a73d567dcd75e62834ff5f502ea9470e5722 ] + +Add topology filename override based on system DMI data matching, +typically to account for a different hardware layout. + +In ACPI based systems, the tplg_filename is pre-defined in an ACPI +machine table. When a DMI quirk is detected, the +sof_pdata->tplg_filename is not set with the hard-coded ACPI value, +and instead is set with the DMI-specific filename. + +Reviewed-by: Guennadi Liakhovetski +Signed-off-by: Sathyanarayana Nujella +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20200821195603.215535-14-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda.c | 8 +++++++- + sound/soc/sof/sof-pci-dev.c | 24 ++++++++++++++++++++++++ + 2 files changed, 31 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c +index 63ca920c8e6e0..7152e6d1cf673 100644 +--- a/sound/soc/sof/intel/hda.c ++++ b/sound/soc/sof/intel/hda.c +@@ -1179,7 +1179,13 @@ void hda_machine_select(struct snd_sof_dev *sdev) + + mach = snd_soc_acpi_find_machine(desc->machines); + if (mach) { +- sof_pdata->tplg_filename = mach->sof_tplg_filename; ++ /* ++ * If tplg file name is overridden, use it instead of ++ * the one set in mach table ++ */ ++ if (!sof_pdata->tplg_filename) ++ sof_pdata->tplg_filename = mach->sof_tplg_filename; ++ + sof_pdata->machine = mach; + + if (mach->link_mask) { +diff --git a/sound/soc/sof/sof-pci-dev.c b/sound/soc/sof/sof-pci-dev.c +index aa3532ba14349..f3a8140773db5 100644 +--- a/sound/soc/sof/sof-pci-dev.c ++++ b/sound/soc/sof/sof-pci-dev.c +@@ -35,8 +35,28 @@ static int sof_pci_debug; + module_param_named(sof_pci_debug, sof_pci_debug, int, 0444); + MODULE_PARM_DESC(sof_pci_debug, "SOF PCI debug options (0x0 all off)"); + ++static const char *sof_override_tplg_name; ++ + #define SOF_PCI_DISABLE_PM_RUNTIME BIT(0) + ++static int sof_tplg_cb(const struct dmi_system_id *id) ++{ ++ sof_override_tplg_name = id->driver_data; ++ return 1; ++} ++ ++static const struct dmi_system_id sof_tplg_table[] = { ++ { ++ .callback = sof_tplg_cb, ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_FAMILY, "Google_Volteer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Terrador"), ++ }, ++ .driver_data = "sof-tgl-rt5682-ssp0-max98373-ssp2.tplg", ++ }, ++ {} ++}; ++ + static const struct dmi_system_id community_key_platforms[] = { + { + .ident = "Up Squared", +@@ -347,6 +367,10 @@ static int sof_pci_probe(struct pci_dev *pci, + sof_pdata->tplg_filename_prefix = + sof_pdata->desc->default_tplg_path; + ++ dmi_check_system(sof_tplg_table); ++ if (sof_override_tplg_name) ++ sof_pdata->tplg_filename = sof_override_tplg_name; ++ + #if IS_ENABLED(CONFIG_SND_SOC_SOF_PROBE_WORK_QUEUE) + /* set callback to enable runtime_pm */ + sof_pdata->sof_probe_complete = sof_pci_probe_complete; +-- +2.25.1 + diff --git a/queue-5.9/asoc-sof-control-add-size-checks-for-ext_bytes-contr.patch b/queue-5.9/asoc-sof-control-add-size-checks-for-ext_bytes-contr.patch new file mode 100644 index 00000000000..e15f531890b --- /dev/null +++ b/queue-5.9/asoc-sof-control-add-size-checks-for-ext_bytes-contr.patch @@ -0,0 +1,56 @@ +From 5d693d36e4ed4fdac349bc181e910acbc5033163 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 14:08:12 +0300 +Subject: ASoC: SOF: control: add size checks for ext_bytes control .put() + +From: Pierre-Louis Bossart + +[ Upstream commit 2ca210112ad91880d2d5a3f85fecc838600afbce ] + +Make sure the TLV header and size are consistent before copying from +userspace. + +Fixes: c3078f5397046 ('ASoC: SOF: Add Sound Open Firmware KControl support') +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Guennadi Liakhovetski +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20200921110814.2910477-4-kai.vehmanen@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/control.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/sound/soc/sof/control.c b/sound/soc/sof/control.c +index 186eea105bb15..009938d45ddd9 100644 +--- a/sound/soc/sof/control.c ++++ b/sound/soc/sof/control.c +@@ -298,6 +298,10 @@ int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol, + const struct snd_ctl_tlv __user *tlvd = + (const struct snd_ctl_tlv __user *)binary_data; + ++ /* make sure we have at least a header */ ++ if (size < sizeof(struct snd_ctl_tlv)) ++ return -EINVAL; ++ + /* + * The beginning of bytes data contains a header from where + * the length (as bytes) is needed to know the correct copy +@@ -306,6 +310,13 @@ int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol, + if (copy_from_user(&header, tlvd, sizeof(const struct snd_ctl_tlv))) + return -EFAULT; + ++ /* make sure TLV info is consistent */ ++ if (header.length + sizeof(struct snd_ctl_tlv) > size) { ++ dev_err_ratelimited(scomp->dev, "error: inconsistent TLV, data %d + header %zu > %d\n", ++ header.length, sizeof(struct snd_ctl_tlv), size); ++ return -EINVAL; ++ } ++ + /* be->max is coming from topology */ + if (header.length > be->max) { + dev_err_ratelimited(scomp->dev, "error: Bytes data size %d exceeds max %d.\n", +-- +2.25.1 + diff --git a/queue-5.9/asoc-tas2770-add-missing-bias-level-power-states.patch b/queue-5.9/asoc-tas2770-add-missing-bias-level-power-states.patch new file mode 100644 index 00000000000..d22a95ae462 --- /dev/null +++ b/queue-5.9/asoc-tas2770-add-missing-bias-level-power-states.patch @@ -0,0 +1,43 @@ +From 250e42d2ec92309a58eb23c8b61a290a0dac01a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 14:05:41 -0500 +Subject: ASoC: tas2770: Add missing bias level power states + +From: Dan Murphy + +[ Upstream commit 4272caf34aa4699eca8e6e7f4a8e5ea2bde275c9 ] + +Add the BIAS_STANDBY and BIAS_PREPARE to the set_bias_level or else the +driver will return -EINVAL which is not correct as they are valid +states. + +Fixes: 1a476abc723e6 ("tas2770: add tas2770 smart PA kernel driver") +Signed-off-by: Dan Murphy +Link: https://lore.kernel.org/r/20200918190548.12598-2-dmurphy@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2770.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c +index 03d7ad1885b81..7c6f61946ab39 100644 +--- a/sound/soc/codecs/tas2770.c ++++ b/sound/soc/codecs/tas2770.c +@@ -57,7 +57,12 @@ static int tas2770_set_bias_level(struct snd_soc_component *component, + TAS2770_PWR_CTRL_MASK, + TAS2770_PWR_CTRL_ACTIVE); + break; +- ++ case SND_SOC_BIAS_STANDBY: ++ case SND_SOC_BIAS_PREPARE: ++ snd_soc_component_update_bits(component, ++ TAS2770_PWR_CTRL, ++ TAS2770_PWR_CTRL_MASK, TAS2770_PWR_CTRL_MUTE); ++ break; + case SND_SOC_BIAS_OFF: + snd_soc_component_update_bits(component, + TAS2770_PWR_CTRL, +-- +2.25.1 + diff --git a/queue-5.9/asoc-tas2770-fix-calling-reset-in-probe.patch b/queue-5.9/asoc-tas2770-fix-calling-reset-in-probe.patch new file mode 100644 index 00000000000..40360022242 --- /dev/null +++ b/queue-5.9/asoc-tas2770-fix-calling-reset-in-probe.patch @@ -0,0 +1,48 @@ +From 263b016beb4aafd8abb9708b87a8d821b0e0e3e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 14:05:40 -0500 +Subject: ASoC: tas2770: Fix calling reset in probe + +From: Dan Murphy + +[ Upstream commit b0bcbe615756d5923eec4e95996e4041627e5741 ] + +tas2770_reset is called during i2c probe. The reset calls the +snd_soc_component_write which depends on the tas2770->component being +available. The component pointer is not set until codec_probe so move +the reset to the codec_probe after the pointer is set. + +Fixes: 1a476abc723e6 ("tas2770: add tas2770 smart PA kernel driver") +Signed-off-by: Dan Murphy +Link: https://lore.kernel.org/r/20200918190548.12598-1-dmurphy@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2770.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c +index c098518343959..03d7ad1885b81 100644 +--- a/sound/soc/codecs/tas2770.c ++++ b/sound/soc/codecs/tas2770.c +@@ -575,6 +575,8 @@ static int tas2770_codec_probe(struct snd_soc_component *component) + + tas2770->component = component; + ++ tas2770_reset(tas2770); ++ + return 0; + } + +@@ -771,8 +773,6 @@ static int tas2770_i2c_probe(struct i2c_client *client, + tas2770->channel_size = 0; + tas2770->slot_width = 0; + +- tas2770_reset(tas2770); +- + result = tas2770_register_codec(tas2770); + if (result) + dev_err(tas2770->dev, "Register codec failed.\n"); +-- +2.25.1 + diff --git a/queue-5.9/asoc-tas2770-fix-error-handling-with-update_bits.patch b/queue-5.9/asoc-tas2770-fix-error-handling-with-update_bits.patch new file mode 100644 index 00000000000..be8098ef1b7 --- /dev/null +++ b/queue-5.9/asoc-tas2770-fix-error-handling-with-update_bits.patch @@ -0,0 +1,180 @@ +From 1633bf11d523c677622c7036df045d7c2ebbfe07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 14:05:46 -0500 +Subject: ASoC: tas2770: Fix error handling with update_bits + +From: Dan Murphy + +[ Upstream commit cadab0aefcbadf488b16caf2770430e69f4d7839 ] + +snd_soc_update_bits returns a 1 when the bit was successfully updated, +returns a 0 is no update was needed and a negative if the call failed. +The code is currently failing the case of a successful update by just +checking for a non-zero number. Modify these checks and return the error +code only if there is a negative. + +Fixes: 1a476abc723e6 ("tas2770: add tas2770 smart PA kernel driver") +Signed-off-by: Dan Murphy +Link: https://lore.kernel.org/r/20200918190548.12598-7-dmurphy@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2770.c | 52 ++++++++++++++++++-------------------- + 1 file changed, 24 insertions(+), 28 deletions(-) + +diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c +index bdfdad5f4f644..15cdd8b11a67a 100644 +--- a/sound/soc/codecs/tas2770.c ++++ b/sound/soc/codecs/tas2770.c +@@ -140,23 +140,18 @@ static int tas2770_dac_event(struct snd_soc_dapm_widget *w, + TAS2770_PWR_CTRL, + TAS2770_PWR_CTRL_MASK, + TAS2770_PWR_CTRL_MUTE); +- if (ret) +- goto end; + break; + case SND_SOC_DAPM_PRE_PMD: + ret = snd_soc_component_update_bits(component, + TAS2770_PWR_CTRL, + TAS2770_PWR_CTRL_MASK, + TAS2770_PWR_CTRL_SHUTDOWN); +- if (ret) +- goto end; + break; + default: + dev_err(tas2770->dev, "Not supported evevt\n"); + return -EINVAL; + } + +-end: + if (ret < 0) + return ret; + +@@ -248,6 +243,9 @@ static int tas2770_set_bitwidth(struct tas2770_priv *tas2770, int bitwidth) + return -EINVAL; + } + ++ if (ret < 0) ++ return ret; ++ + tas2770->channel_size = bitwidth; + + ret = snd_soc_component_update_bits(component, +@@ -256,16 +254,15 @@ static int tas2770_set_bitwidth(struct tas2770_priv *tas2770, int bitwidth) + TAS2770_TDM_CFG_REG5_50_MASK, + TAS2770_TDM_CFG_REG5_VSNS_ENABLE | + tas2770->v_sense_slot); +- if (ret) +- goto end; ++ if (ret < 0) ++ return ret; ++ + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG6, + TAS2770_TDM_CFG_REG6_ISNS_MASK | + TAS2770_TDM_CFG_REG6_50_MASK, + TAS2770_TDM_CFG_REG6_ISNS_ENABLE | + tas2770->i_sense_slot); +- +-end: + if (ret < 0) + return ret; + +@@ -283,36 +280,35 @@ static int tas2770_set_samplerate(struct tas2770_priv *tas2770, int samplerate) + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_SMP_MASK, + TAS2770_TDM_CFG_REG0_SMP_48KHZ); +- if (ret) +- goto end; ++ if (ret < 0) ++ return ret; ++ + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_31_MASK, + TAS2770_TDM_CFG_REG0_31_44_1_48KHZ); +- if (ret) +- goto end; + break; + case 44100: + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_SMP_MASK, + TAS2770_TDM_CFG_REG0_SMP_44_1KHZ); +- if (ret) +- goto end; ++ if (ret < 0) ++ return ret; ++ + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_31_MASK, + TAS2770_TDM_CFG_REG0_31_44_1_48KHZ); +- if (ret) +- goto end; + break; + case 96000: + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_SMP_MASK, + TAS2770_TDM_CFG_REG0_SMP_48KHZ); +- if (ret) +- goto end; ++ if (ret < 0) ++ return ret; ++ + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_31_MASK, +@@ -323,8 +319,9 @@ static int tas2770_set_samplerate(struct tas2770_priv *tas2770, int samplerate) + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_SMP_MASK, + TAS2770_TDM_CFG_REG0_SMP_44_1KHZ); +- if (ret) +- goto end; ++ if (ret < 0) ++ return ret; ++ + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_31_MASK, +@@ -335,22 +332,22 @@ static int tas2770_set_samplerate(struct tas2770_priv *tas2770, int samplerate) + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_SMP_MASK, + TAS2770_TDM_CFG_REG0_SMP_48KHZ); +- if (ret) +- goto end; ++ if (ret < 0) ++ return ret; ++ + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_31_MASK, + TAS2770_TDM_CFG_REG0_31_176_4_192KHZ); +- if (ret) +- goto end; + break; + case 17640: + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_SMP_MASK, + TAS2770_TDM_CFG_REG0_SMP_44_1KHZ); +- if (ret) +- goto end; ++ if (ret < 0) ++ return ret; ++ + ret = snd_soc_component_update_bits(component, + TAS2770_TDM_CFG_REG0, + TAS2770_TDM_CFG_REG0_31_MASK, +@@ -360,7 +357,6 @@ static int tas2770_set_samplerate(struct tas2770_priv *tas2770, int samplerate) + ret = -EINVAL; + } + +-end: + if (ret < 0) + return ret; + +-- +2.25.1 + diff --git a/queue-5.9/asoc-tas2770-fix-required-dt-properties-in-the-code.patch b/queue-5.9/asoc-tas2770-fix-required-dt-properties-in-the-code.patch new file mode 100644 index 00000000000..d57580480a3 --- /dev/null +++ b/queue-5.9/asoc-tas2770-fix-required-dt-properties-in-the-code.patch @@ -0,0 +1,71 @@ +From 80830f8c9ad8ecb8a819b00aa967110e9aeedf03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 14:05:43 -0500 +Subject: ASoC: tas2770: Fix required DT properties in the code + +From: Dan Murphy + +[ Upstream commit 4b8ab8a7761fe2ba1c4e741703a848cb8f390f79 ] + +The devicetree binding indicates that the ti,asi-format, ti,imon-slot-no +and ti,vmon-slot-no are not required but the driver requires them or it +fails to probe. Honor the binding and allow these entries to be optional +and set the corresponding values to the default values for each as defined +in the data sheet. + +Fixes: 1a476abc723e6 ("tas2770: add tas2770 smart PA kernel driver") +Signed-off-by: Dan Murphy +Link: https://lore.kernel.org/r/20200918190548.12598-4-dmurphy@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2770.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c +index 7c6f61946ab39..bdfdad5f4f644 100644 +--- a/sound/soc/codecs/tas2770.c ++++ b/sound/soc/codecs/tas2770.c +@@ -708,29 +708,28 @@ static int tas2770_parse_dt(struct device *dev, struct tas2770_priv *tas2770) + rc = fwnode_property_read_u32(dev->fwnode, "ti,asi-format", + &tas2770->asi_format); + if (rc) { +- dev_err(tas2770->dev, "Looking up %s property failed %d\n", +- "ti,asi-format", rc); +- goto end; ++ dev_info(tas2770->dev, "Property %s is missing setting default slot\n", ++ "ti,asi-format"); ++ tas2770->asi_format = 0; + } + + rc = fwnode_property_read_u32(dev->fwnode, "ti,imon-slot-no", + &tas2770->i_sense_slot); + if (rc) { +- dev_err(tas2770->dev, "Looking up %s property failed %d\n", +- "ti,imon-slot-no", rc); +- goto end; ++ dev_info(tas2770->dev, "Property %s is missing setting default slot\n", ++ "ti,imon-slot-no"); ++ tas2770->i_sense_slot = 0; + } + + rc = fwnode_property_read_u32(dev->fwnode, "ti,vmon-slot-no", + &tas2770->v_sense_slot); + if (rc) { +- dev_err(tas2770->dev, "Looking up %s property failed %d\n", +- "ti,vmon-slot-no", rc); +- goto end; ++ dev_info(tas2770->dev, "Property %s is missing setting default slot\n", ++ "ti,vmon-slot-no"); ++ tas2770->v_sense_slot = 2; + } + +-end: +- return rc; ++ return 0; + } + + static int tas2770_i2c_probe(struct i2c_client *client, +-- +2.25.1 + diff --git a/queue-5.9/asoc-tas2770-fix-unbalanced-calls-to-pm_runtime.patch b/queue-5.9/asoc-tas2770-fix-unbalanced-calls-to-pm_runtime.patch new file mode 100644 index 00000000000..be9851611f9 --- /dev/null +++ b/queue-5.9/asoc-tas2770-fix-unbalanced-calls-to-pm_runtime.patch @@ -0,0 +1,59 @@ +From 2e11d0fe0b6c52932d73fda2dc87af486b525729 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 14:05:44 -0500 +Subject: ASoC: tas2770: Fix unbalanced calls to pm_runtime + +From: Dan Murphy + +[ Upstream commit d3d71c99b541040da198f43da3bbd85d8e9598cb ] + +Fix the unbalanced call to the pm_runtime_disable when removing the +module. pm_runtime_enable is not called nor is the pm_runtime setup in +the code. Remove the i2c_remove function and the pm_runtime_disable. + +Fixes: 1a476abc723e6 ("tas2770: add tas2770 smart PA kernel driver") +Signed-off-by: Dan Murphy +Link: https://lore.kernel.org/r/20200918190548.12598-5-dmurphy@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2770.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c +index 15cdd8b11a67a..3226c6d4493eb 100644 +--- a/sound/soc/codecs/tas2770.c ++++ b/sound/soc/codecs/tas2770.c +@@ -16,7 +16,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -781,13 +780,6 @@ static int tas2770_i2c_probe(struct i2c_client *client, + return result; + } + +-static int tas2770_i2c_remove(struct i2c_client *client) +-{ +- pm_runtime_disable(&client->dev); +- return 0; +-} +- +- + static const struct i2c_device_id tas2770_i2c_id[] = { + { "tas2770", 0}, + { } +@@ -808,7 +800,6 @@ static struct i2c_driver tas2770_i2c_driver = { + .of_match_table = of_match_ptr(tas2770_of_match), + }, + .probe = tas2770_i2c_probe, +- .remove = tas2770_i2c_remove, + .id_table = tas2770_i2c_id, + }; + +-- +2.25.1 + diff --git a/queue-5.9/asoc-tlv320adcx140-fix-digital-gain-range.patch b/queue-5.9/asoc-tlv320adcx140-fix-digital-gain-range.patch new file mode 100644 index 00000000000..faa961ba5b2 --- /dev/null +++ b/queue-5.9/asoc-tlv320adcx140-fix-digital-gain-range.patch @@ -0,0 +1,39 @@ +From bd57a13fa65af2d9bae741123a0c20bef1fd4390 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 11:04:17 +0200 +Subject: ASoC: tlv320adcx140: Fix digital gain range + +From: Camel Guo + +[ Upstream commit 73154aca4a03a2ab4833fd36683feb884af06d4b ] + +According to its datasheet, the digital gain should be -100 dB when +CHx_DVOL is 1 and 27 dB when CHx_DVOL is 255. But with the current +dig_vol_tlv, "Digital CHx Out Volume" shows 27.5 dB if CHx_DVOL is 255 +and -95.5 dB if CHx_DVOL is 1. This commit fixes this bug. + +Fixes: 689c7655b50c ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family") +Signed-off-by: Camel Guo +Link: https://lore.kernel.org/r/20200908090417.16695-1-camel.guo@axis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index 8efe20605f9be..c7c782d279d0d 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -161,7 +161,7 @@ static const struct regmap_config adcx140_i2c_regmap = { + }; + + /* Digital Volume control. From -100 to 27 dB in 0.5 dB steps */ +-static DECLARE_TLV_DB_SCALE(dig_vol_tlv, -10000, 50, 0); ++static DECLARE_TLV_DB_SCALE(dig_vol_tlv, -10050, 50, 0); + + /* ADC gain. From 0 to 42 dB in 1 dB steps */ + static DECLARE_TLV_DB_SCALE(adc_tlv, 0, 100, 0); +-- +2.25.1 + diff --git a/queue-5.9/asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch b/queue-5.9/asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch new file mode 100644 index 00000000000..861cf1da96d --- /dev/null +++ b/queue-5.9/asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch @@ -0,0 +1,60 @@ +From 36a0bdb1850e6afbb1737d9f5601ff811be69dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 19:31:39 +0200 +Subject: ASoC: tlv320aic32x4: Fix bdiv clock rate derivation + +From: Miquel Raynal + +[ Upstream commit 40b37136287ba6b34aa2f1f6123f3d6d205dc2f0 ] + +Current code expects a single channel to be always used. Fix this +situation by forwarding the number of channels used. Then fix the +derivation of the bdiv clock rate. + +Fixes: 96c3bb00239d ("ASoC: tlv320aic32x4: Dynamically Determine Clocking") +Suggested-by: Alexandre Belloni +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20200911173140.29984-3-miquel.raynal@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320aic32x4.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/tlv320aic32x4.c b/sound/soc/codecs/tlv320aic32x4.c +index 467802875c133..2e2d8e463655a 100644 +--- a/sound/soc/codecs/tlv320aic32x4.c ++++ b/sound/soc/codecs/tlv320aic32x4.c +@@ -665,7 +665,7 @@ static int aic32x4_set_processing_blocks(struct snd_soc_component *component, + } + + static int aic32x4_setup_clocks(struct snd_soc_component *component, +- unsigned int sample_rate) ++ unsigned int sample_rate, unsigned int channels) + { + u8 aosr; + u16 dosr; +@@ -753,7 +753,9 @@ static int aic32x4_setup_clocks(struct snd_soc_component *component, + dosr); + + clk_set_rate(clocks[5].clk, +- sample_rate * 32); ++ sample_rate * 32 * ++ channels); ++ + return 0; + } + } +@@ -775,7 +777,8 @@ static int aic32x4_hw_params(struct snd_pcm_substream *substream, + u8 iface1_reg = 0; + u8 dacsetup_reg = 0; + +- aic32x4_setup_clocks(component, params_rate(params)); ++ aic32x4_setup_clocks(component, params_rate(params), ++ params_channels(params)); + + switch (params_width(params)) { + case 16: +-- +2.25.1 + diff --git a/queue-5.9/asoc-topology-disable-size-checks-for-bytes_ext-cont.patch b/queue-5.9/asoc-topology-disable-size-checks-for-bytes_ext-cont.patch new file mode 100644 index 00000000000..95d00aa7d3a --- /dev/null +++ b/queue-5.9/asoc-topology-disable-size-checks-for-bytes_ext-cont.patch @@ -0,0 +1,70 @@ +From db5032d7a16124dd87f4396a285490da2ffd6f5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 13:39:12 +0300 +Subject: ASoC: topology: disable size checks for bytes_ext controls if needed + +From: Pierre-Louis Bossart + +[ Upstream commit 6788fc1a66a0c1d1cec7a0f84f94b517eae8611c ] + +When CONFIG_SND_CTL_VALIDATION is set, accesses to extended bytes +control generate spurious error messages when the size exceeds 512 +bytes, such as + +[ 11.224223] sof_sdw sof_sdw: control 2:0:0:EQIIR5.0 eqiir_coef_5:0: +invalid count 1024 + +In addition the error check returns -EINVAL which has the nasty side +effect of preventing applications accessing controls from working, +e.g. + +root@plb:~# alsamixer +cannot load mixer controls: Invalid argument + +It's agreed that the control interface has been abused since 2014, but +forcing a check should not prevent existing solutions from working. + +This patch skips the checks conditionally if CONFIG_SND_CTL_VALIDATION +is set and the byte array provided by topology is > 512. This +preserves the checks for all other cases. + +Fixes: 1a3232d2f61d2 ('ASoC: topology: Add support for TLV bytes controls') +BugLink: https://github.com/thesofproject/linux/issues/2430 +Reported-by: Takashi Iwai +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Reviewed-by: Jaska Uimonen +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20200917103912.2565907-1-kai.vehmanen@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-topology.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c +index 5b60379237bff..d1e7dbb9fea36 100644 +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -592,6 +592,17 @@ static int soc_tplg_kcontrol_bind_io(struct snd_soc_tplg_ctl_hdr *hdr, + k->info = snd_soc_bytes_info_ext; + k->tlv.c = snd_soc_bytes_tlv_callback; + ++ /* ++ * When a topology-based implementation abuses the ++ * control interface and uses bytes_ext controls of ++ * more than 512 bytes, we need to disable the size ++ * checks, otherwise accesses to such controls will ++ * return an -EINVAL error and prevent the card from ++ * being configured. ++ */ ++ if (IS_ENABLED(CONFIG_SND_CTL_VALIDATION) && sbe->max > 512) ++ k->access |= SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK; ++ + ext_ops = tplg->bytes_ext_ops; + num_ops = tplg->bytes_ext_ops_count; + for (i = 0; i < num_ops; i++) { +-- +2.25.1 + diff --git a/queue-5.9/asoc-wm_adsp-pass-full-name-to-snd_ctl_notify.patch b/queue-5.9/asoc-wm_adsp-pass-full-name-to-snd_ctl_notify.patch new file mode 100644 index 00000000000..9dffdf46a7d --- /dev/null +++ b/queue-5.9/asoc-wm_adsp-pass-full-name-to-snd_ctl_notify.patch @@ -0,0 +1,70 @@ +From 303f96227c389f8a6a1943019617621c28877bc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 16:24:25 +0100 +Subject: ASoC: wm_adsp: Pass full name to snd_ctl_notify + +From: Adam Brickman + +[ Upstream commit 20441614d89867142060d3bcd79cc111d8ba7a8e ] + +A call to wm_adsp_write_ctl() could cause a kernel crash if it +does not retrieve a valid kcontrol from snd_soc_card_get_kcontrol(). +This can happen due to a missing control name prefix. Then, +snd_ctl_notify() crashes when it tries to use the id field. + +Modified wm_adsp_write_ctl() to incorporate the name_prefix (if applicable) +such that it is able to retrieve a valid id field from the kcontrol +once the platform has booted. + +Fixes: eb65ccdb0836 ("ASoC: wm_adsp: Expose mixer control API") +Signed-off-by: Adam Brickman +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20201001152425.8590-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm_adsp.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index 410cca57da52d..344bd2c33bea1 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -2049,6 +2049,7 @@ int wm_adsp_write_ctl(struct wm_adsp *dsp, const char *name, int type, + { + struct wm_coeff_ctl *ctl; + struct snd_kcontrol *kcontrol; ++ char ctl_name[SNDRV_CTL_ELEM_ID_NAME_MAXLEN]; + int ret; + + ctl = wm_adsp_get_ctl(dsp, name, type, alg); +@@ -2059,8 +2060,25 @@ int wm_adsp_write_ctl(struct wm_adsp *dsp, const char *name, int type, + return -EINVAL; + + ret = wm_coeff_write_ctrl(ctl, buf, len); ++ if (ret) ++ return ret; ++ ++ if (ctl->flags & WMFW_CTL_FLAG_SYS) ++ return 0; ++ ++ if (dsp->component->name_prefix) ++ snprintf(ctl_name, SNDRV_CTL_ELEM_ID_NAME_MAXLEN, "%s %s", ++ dsp->component->name_prefix, ctl->name); ++ else ++ snprintf(ctl_name, SNDRV_CTL_ELEM_ID_NAME_MAXLEN, "%s", ++ ctl->name); ++ ++ kcontrol = snd_soc_card_get_kcontrol(dsp->component->card, ctl_name); ++ if (!kcontrol) { ++ adsp_err(dsp, "Can't find kcontrol %s\n", ctl_name); ++ return -EINVAL; ++ } + +- kcontrol = snd_soc_card_get_kcontrol(dsp->component->card, ctl->name); + snd_ctl_notify(dsp->component->card->snd_card, + SNDRV_CTL_EVENT_MASK_VALUE, &kcontrol->id); + +-- +2.25.1 + diff --git a/queue-5.9/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch b/queue-5.9/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch new file mode 100644 index 00000000000..ab3339d192e --- /dev/null +++ b/queue-5.9/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch @@ -0,0 +1,68 @@ +From 0948ac22322e6119ea329a2f6d319005392ef259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 18:11:05 -0400 +Subject: ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() + +From: Zekun Shen + +[ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ] + +The idx in __ath10k_htt_rx_ring_fill_n function lives in +consistent dma region writable by the device. Malfunctional +or malicious device could manipulate such idx to have a OOB +write. Either by + htt->rx_ring.netbufs_ring[idx] = skb; +or by + ath10k_htt_set_paddrs_ring(htt, paddr, idx); + +The idx can also be negative as it's signed, giving a large +memory space to write to. + +It's possibly exploitable by corruptting a legit pointer with +a skb pointer. And then fill skb with payload as rougue object. + +Part of the log here. Sometimes it appears as UAF when writing +to a freed memory by chance. + + [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0 + [ 15.595483] #PF: supervisor write access in kernel mode + [ 15.596250] #PF: error_code(0x0002) - not-present page + [ 15.597013] PGD 0 P4D 0 + [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI + [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69 + [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core] + [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n + (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core + +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index d787cbead56ab..215ade6faf328 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -142,6 +142,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num) + BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2); + + idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr); ++ ++ if (idx < 0 || idx >= htt->rx_ring.size) { ++ ath10k_err(htt->ar, "rx ring index is not valid, firmware malfunctioning?\n"); ++ idx &= htt->rx_ring.size_mask; ++ ret = -ENOMEM; ++ goto fail; ++ } ++ + while (num > 0) { + skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN); + if (!skb) { +-- +2.25.1 + diff --git a/queue-5.9/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch b/queue-5.9/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch new file mode 100644 index 00000000000..f968aff9696 --- /dev/null +++ b/queue-5.9/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch @@ -0,0 +1,39 @@ +From ec1aa2de45387c4a4854cd69c534e650994e5c13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 14:22:27 +0200 +Subject: ath10k: Fix the size used in a 'dma_free_coherent()' call in an error + handling path + +From: Christophe JAILLET + +[ Upstream commit 454530a9950b5a26d4998908249564cedfc4babc ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()'. + +Fixes: 1863008369ae ("ath10k: fix shadow register implementation for WCN3990") +Signed-off-by: Christophe JAILLET +Reviewed-by: Rakesh Pillai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802122227.678637-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/ce.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c +index 294fbc1e89ab8..e6e0284e47837 100644 +--- a/drivers/net/wireless/ath/ath10k/ce.c ++++ b/drivers/net/wireless/ath/ath10k/ce.c +@@ -1555,7 +1555,7 @@ ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id, + ret = ath10k_ce_alloc_shadow_base(ar, src_ring, nentries); + if (ret) { + dma_free_coherent(ar->dev, +- (nentries * sizeof(struct ce_desc_64) + ++ (nentries * sizeof(struct ce_desc) + + CE_DESC_RING_ALIGN), + src_ring->base_addr_owner_space_unaligned, + base_addr); +-- +2.25.1 + diff --git a/queue-5.9/ath10k-provide-survey-info-as-accumulated-data.patch b/queue-5.9/ath10k-provide-survey-info-as-accumulated-data.patch new file mode 100644 index 00000000000..21ca6f814e0 --- /dev/null +++ b/queue-5.9/ath10k-provide-survey-info-as-accumulated-data.patch @@ -0,0 +1,73 @@ +From a976f5d3e7bd7ec1e8289e7daa79a68eae135c43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 20:29:03 +0300 +Subject: ath10k: provide survey info as accumulated data + +From: Venkateswara Naralasetty + +[ Upstream commit 720e5c03e5cb26d33d97f55192b791bb48478aa5 ] + +It is expected that the returned counters by .get_survey are monotonic +increasing. But the data from ath10k gets reset to zero regularly. Channel +active/busy time are then showing incorrect values (less than previous or +sometimes zero) for the currently active channel during successive survey +dump commands. + +example: + + $ iw dev wlan0 survey dump + Survey data from wlan0 + frequency: 5180 MHz [in use] + channel active time: 54995 ms + channel busy time: 432 ms + channel receive time: 0 ms + channel transmit time: 59 ms + ... + + $ iw dev wlan0 survey dump + Survey data from wlan0 + frequency: 5180 MHz [in use] + channel active time: 32592 ms + channel busy time: 254 ms + channel receive time: 0 ms + channel transmit time: 0 ms + ... + +The correct way to handle this is to use the non-clearing +WMI_BSS_SURVEY_REQ_TYPE_READ wmi_bss_survey_req_type. The firmware will +then accumulate the survey data and handle wrap arounds. + +Tested-on: QCA9984 hw1.0 10.4-3.5.3-00057 +Tested-on: QCA988X hw2.0 10.2.4-1.0-00047 +Tested-on: QCA9888 hw2.0 10.4-3.9.0.2-00024 +Tested-on: QCA4019 hw1.0 10.4-3.6-00140 + +Fixes: fa7937e3d5c2 ("ath10k: update bss channel survey information") +Signed-off-by: Venkateswara Naralasetty +Tested-by: Markus Theil +Tested-by: John Deere <24601deerej@gmail.com> +[sven@narfation.org: adjust commit message] +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1592232686-28712-1-git-send-email-kvalo@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 3c0c33a9f30cb..2177e9d92bdff 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -7278,7 +7278,7 @@ ath10k_mac_update_bss_chan_survey(struct ath10k *ar, + struct ieee80211_channel *channel) + { + int ret; +- enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ_CLEAR; ++ enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ; + + lockdep_assert_held(&ar->conf_mutex); + +-- +2.25.1 + diff --git a/queue-5.9/ath11k-add-checked-value-for-ath11k_ahb_remove.patch b/queue-5.9/ath11k-add-checked-value-for-ath11k_ahb_remove.patch new file mode 100644 index 00000000000..b512ba96d6b --- /dev/null +++ b/queue-5.9/ath11k-add-checked-value-for-ath11k_ahb_remove.patch @@ -0,0 +1,49 @@ +From 19c246cf78450ed0aeccacd12d6ed67f6d151eae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 16:21:22 +0300 +Subject: ath11k: Add checked value for ath11k_ahb_remove + +From: Bo YU + +[ Upstream commit 80b892fc8a90e91498babf0f6817139e5ec64b5c ] + +Return value form wait_for_completion_timeout should to be checked. + +This is detected by Coverity: #CID:1464479 (CHECKED_RETURN) + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Bo YU +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200621095136.7xdbzkthoxuw2qow@debian.debian-2 +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/ahb.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c +index 30092841ac464..a0314c1c84653 100644 +--- a/drivers/net/wireless/ath/ath11k/ahb.c ++++ b/drivers/net/wireless/ath/ath11k/ahb.c +@@ -981,12 +981,16 @@ static int ath11k_ahb_probe(struct platform_device *pdev) + static int ath11k_ahb_remove(struct platform_device *pdev) + { + struct ath11k_base *ab = platform_get_drvdata(pdev); ++ unsigned long left; + + reinit_completion(&ab->driver_recovery); + +- if (test_bit(ATH11K_FLAG_RECOVERY, &ab->dev_flags)) +- wait_for_completion_timeout(&ab->driver_recovery, +- ATH11K_AHB_RECOVERY_TIMEOUT); ++ if (test_bit(ATH11K_FLAG_RECOVERY, &ab->dev_flags)) { ++ left = wait_for_completion_timeout(&ab->driver_recovery, ++ ATH11K_AHB_RECOVERY_TIMEOUT); ++ if (!left) ++ ath11k_warn(ab, "failed to receive recovery response completion\n"); ++ } + + set_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags); + cancel_work_sync(&ab->restart_work); +-- +2.25.1 + diff --git a/queue-5.9/ath11k-fix-a-double-free-and-a-memory-leak.patch b/queue-5.9/ath11k-fix-a-double-free-and-a-memory-leak.patch new file mode 100644 index 00000000000..93a2d26a838 --- /dev/null +++ b/queue-5.9/ath11k-fix-a-double-free-and-a-memory-leak.patch @@ -0,0 +1,58 @@ +From 2e686a797f5777c095982dee9259a9d304eac47b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 14:26:25 -0700 +Subject: ath11k: fix a double free and a memory leak + +From: Tom Rix + +[ Upstream commit 7e8453e35e406981d7c529ff8f804285bc894ba3 ] + +clang static analyzer reports this problem + +mac.c:6204:2: warning: Attempt to free released memory + kfree(ar->mac.sbands[NL80211_BAND_2GHZ].channels); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The channels pointer is allocated in ath11k_mac_setup_channels_rates() +When it fails midway, it cleans up the memory it has already allocated. +So the error handling needs to skip freeing the memory. + +There is a second problem. +ath11k_mac_setup_channels_rates(), allocates 3 channels. err_free +misses releasing ar->mac.sbands[NL80211_BAND_6GHZ].channels + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Tom Rix +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200906212625.17059-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 94ae2b9ea6635..4674f0aca8e9b 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -6006,7 +6006,7 @@ static int __ath11k_mac_register(struct ath11k *ar) + ret = ath11k_mac_setup_channels_rates(ar, + cap->supported_bands); + if (ret) +- goto err_free; ++ goto err; + + ath11k_mac_setup_ht_vht_cap(ar, cap, &ht_cap); + ath11k_mac_setup_he_cap(ar, cap); +@@ -6120,7 +6120,9 @@ static int __ath11k_mac_register(struct ath11k *ar) + err_free: + kfree(ar->mac.sbands[NL80211_BAND_2GHZ].channels); + kfree(ar->mac.sbands[NL80211_BAND_5GHZ].channels); ++ kfree(ar->mac.sbands[NL80211_BAND_6GHZ].channels); + ++err: + SET_IEEE80211_DEV(ar->hw, NULL); + return ret; + } +-- +2.25.1 + diff --git a/queue-5.9/ath11k-fix-possible-memleak-in-ath11k_qmi_init_servi.patch b/queue-5.9/ath11k-fix-possible-memleak-in-ath11k_qmi_init_servi.patch new file mode 100644 index 00000000000..37fd65458b6 --- /dev/null +++ b/queue-5.9/ath11k-fix-possible-memleak-in-ath11k_qmi_init_servi.patch @@ -0,0 +1,36 @@ +From e10a8dff0e094d8913fd1816595c203caac9b56b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 17:36:44 +0800 +Subject: ath11k: Fix possible memleak in ath11k_qmi_init_service + +From: Wang Yufen + +[ Upstream commit 28f1632118818d9dccabf4c0fccfe49686742317 ] + +When qmi_add_lookup fail, we should destroy the workqueue + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Reported-by: Hulk Robot +Signed-off-by: Wang Yufen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1595237804-66297-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/qmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c +index c00a99ad8dbc1..497cff7e64cc5 100644 +--- a/drivers/net/wireless/ath/ath11k/qmi.c ++++ b/drivers/net/wireless/ath/ath11k/qmi.c +@@ -2419,6 +2419,7 @@ int ath11k_qmi_init_service(struct ath11k_base *ab) + ATH11K_QMI_WLFW_SERVICE_INS_ID_V01); + if (ret < 0) { + ath11k_warn(ab, "failed to add qmi lookup\n"); ++ destroy_workqueue(ab->qmi.event_wq); + return ret; + } + +-- +2.25.1 + diff --git a/queue-5.9/ath11k-fix-uninitialized-return-in-ath11k_spectral_p.patch b/queue-5.9/ath11k-fix-uninitialized-return-in-ath11k_spectral_p.patch new file mode 100644 index 00000000000..30073a4032e --- /dev/null +++ b/queue-5.9/ath11k-fix-uninitialized-return-in-ath11k_spectral_p.patch @@ -0,0 +1,37 @@ +From 6583e1736250270a503202d58661dbefc7da985c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 09:22:03 +0300 +Subject: ath11k: fix uninitialized return in ath11k_spectral_process_data() + +From: Dan Carpenter + +[ Upstream commit c7187acc3cd08a17e7b506b2b5277f42d1504d29 ] + +There is a success path where "ret" isn't initialized where we never +have a ATH11K_SPECTRAL_TAG_SCAN_SEARCH and then ret isn't initialized. + +Fixes: 9d11b7bff950 ("ath11k: add support for spectral scan") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200619142922.GA267142@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/spectral.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/spectral.c b/drivers/net/wireless/ath/ath11k/spectral.c +index 1c5d65bb411f7..6d6a7e34645f2 100644 +--- a/drivers/net/wireless/ath/ath11k/spectral.c ++++ b/drivers/net/wireless/ath/ath11k/spectral.c +@@ -773,6 +773,8 @@ static int ath11k_spectral_process_data(struct ath11k *ar, + i += sizeof(*tlv) + tlv_len; + } + ++ ret = 0; ++ + err: + kfree(fft_sample); + unlock: +-- +2.25.1 + diff --git a/queue-5.9/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch b/queue-5.9/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch new file mode 100644 index 00000000000..5d8dc932219 --- /dev/null +++ b/queue-5.9/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch @@ -0,0 +1,39 @@ +From 3f33a35a6141347fcf33dd220a636cc146a14dcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:13:15 +0300 +Subject: ath6kl: prevent potential array overflow in ath6kl_add_new_sta() + +From: Dan Carpenter + +[ Upstream commit 54f9ab7b870934b70e5a21786d951fbcf663970f ] + +The value for "aid" comes from skb->data so Smatch marks it as +untrusted. If it's invalid then it can result in an out of bounds array +access in ath6kl_add_new_sta(). + +Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200813141315.GB457408@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c +index 5e7ea838a9218..814131a0680a4 100644 +--- a/drivers/net/wireless/ath/ath6kl/main.c ++++ b/drivers/net/wireless/ath/ath6kl/main.c +@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr, + + ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid); + ++ if (aid < 1 || aid > AP_MAX_NUM_STA) ++ return; ++ + if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) { + struct ieee80211_mgmt *mgmt = + (struct ieee80211_mgmt *) assoc_info; +-- +2.25.1 + diff --git a/queue-5.9/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch b/queue-5.9/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch new file mode 100644 index 00000000000..ecd1356d82a --- /dev/null +++ b/queue-5.9/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch @@ -0,0 +1,43 @@ +From e19307092201de4e719e084d0d1d1dd4f7f92e2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 17:27:32 +0300 +Subject: ath6kl: wmi: prevent a shift wrapping bug in + ath6kl_wmi_delete_pstream_cmd() + +From: Dan Carpenter + +[ Upstream commit 6a950755cec1a90ddaaff3e4acb5333617441c32 ] + +The "tsid" is a user controlled u8 which comes from debugfs. Values +more than 15 are invalid because "active_tsids" is a 16 bit variable. +If the value of "tsid" is more than 31 then that leads to a shift +wrapping bug. + +Fixes: 8fffd9e5ec9e ("ath6kl: Implement support for QOS-enable and QOS-disable from userspace") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200918142732.GA909725@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/wmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c +index 6885d2ded53a8..3d5db84d64650 100644 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c +@@ -2645,6 +2645,11 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class, + return -EINVAL; + } + ++ if (tsid >= 16) { ++ ath6kl_err("invalid tsid: %d\n", tsid); ++ return -EINVAL; ++ } ++ + skb = ath6kl_wmi_get_new_buf(sizeof(*cmd)); + if (!skb) + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-5.9/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch b/queue-5.9/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch new file mode 100644 index 00000000000..f4bd014dfc2 --- /dev/null +++ b/queue-5.9/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch @@ -0,0 +1,42 @@ +From f93d04a5b201253e4a33fe0841c9520501935248 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:12:53 +0300 +Subject: ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() + +From: Dan Carpenter + +[ Upstream commit 2705cd7558e718a7240c64eb0afb2edad5f8c190 ] + +The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks +it as untrusted so we have to check it before using it as an array +offset. + +This is similar to a bug that syzkaller found in commit e4ff08a4d727 +("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is +probably a real issue. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200813141253.GA457408@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index d2e062eaf5614..510e61e97dbcb 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -339,6 +339,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle, + + if (skb) { + htc_hdr = (struct htc_frame_hdr *) skb->data; ++ if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint)) ++ goto ret; + endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id]; + skb_pull(skb, sizeof(struct htc_frame_hdr)); + +-- +2.25.1 + diff --git a/queue-5.9/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch b/queue-5.9/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch new file mode 100644 index 00000000000..23caba6bc2a --- /dev/null +++ b/queue-5.9/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch @@ -0,0 +1,92 @@ +From 25d84864400279b5dc291dace125a85a900202a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 03:14:27 -0400 +Subject: ath9k: hif_usb: fix race condition between usb_get_urb() and + usb_kill_anchored_urbs() + +From: Brooke Basile + +[ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ] + +Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor +systems create a race condition in which usb_kill_anchored_urbs() deallocates +the URB before the completer callback is called in usb_kill_urb(), resulting +in a use-after-free. +To fix this, add proper lock protection to usb_kill_urb() calls that can +possibly run concurrently with usb_kill_anchored_urbs(). + +Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf +Signed-off-by: Brooke Basile +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 3f563e02d17da..2ed98aaed6fb5 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -449,10 +449,19 @@ static void hif_usb_stop(void *hif_handle) + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + /* The pending URBs have to be canceled. */ ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_pending, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); ++ list_del(&tx_buf->list); ++ usb_free_urb(tx_buf->urb); ++ kfree(tx_buf->buf); ++ kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); + } +@@ -762,27 +771,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) + struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; + unsigned long flags; + ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_buf, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + hif_dev->tx.flags |= HIF_USB_TX_FLUSH; + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_pending, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); + } +-- +2.25.1 + diff --git a/queue-5.9/backlight-sky81452-backlight-fix-refcount-imbalance-.patch b/queue-5.9/backlight-sky81452-backlight-fix-refcount-imbalance-.patch new file mode 100644 index 00000000000..96dc4e06d5c --- /dev/null +++ b/queue-5.9/backlight-sky81452-backlight-fix-refcount-imbalance-.patch @@ -0,0 +1,37 @@ +From 4469e3beaefc680323497ddf7088cdf59bb10321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:38:17 +0800 +Subject: backlight: sky81452-backlight: Fix refcount imbalance on error + +From: dinghao.liu@zju.edu.cn + +[ Upstream commit b7a4f80bc316a56d6ec8750e93e66f42431ed960 ] + +When of_property_read_u32_array() returns an error code, a +pairing refcount decrement is needed to keep np's refcount +balanced. + +Fixes: f705806c9f355 ("backlight: Add support Skyworks SKY81452 backlight driver") +Signed-off-by: Dinghao Liu +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/sky81452-backlight.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c +index 0ce1815850080..8268ac43d54f7 100644 +--- a/drivers/video/backlight/sky81452-backlight.c ++++ b/drivers/video/backlight/sky81452-backlight.c +@@ -217,6 +217,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( + num_entry); + if (ret < 0) { + dev_err(dev, "led-sources node is invalid.\n"); ++ of_node_put(np); + return ERR_PTR(-EINVAL); + } + +-- +2.25.1 + diff --git a/queue-5.9/binder-remove-bogus-warning-on-failed-same-process-t.patch b/queue-5.9/binder-remove-bogus-warning-on-failed-same-process-t.patch new file mode 100644 index 00000000000..1a325f0f013 --- /dev/null +++ b/queue-5.9/binder-remove-bogus-warning-on-failed-same-process-t.patch @@ -0,0 +1,47 @@ +From b69bdd71320e0a610300e6250828f0c48589c6ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 18:53:59 +0200 +Subject: binder: Remove bogus warning on failed same-process transaction + +From: Jann Horn + +[ Upstream commit e8b8ae7ce32e17a5c29f0289e9e2a39c7dcaa1b8 ] + +While binder transactions with the same binder_proc as sender and recipient +are forbidden, transactions with the same task_struct as sender and +recipient are possible (even though currently there is a weird check in +binder_transaction() that rejects them in the target==0 case). +Therefore, task_struct identities can't be used to distinguish whether +the caller is running in the context of the sender or the recipient. + +Since I see no easy way to make this WARN_ON() useful and correct, let's +just remove it. + +Fixes: 44d8047f1d87 ("binder: use standard functions to allocate fds") +Reported-by: syzbot+e113a0b970b7b3f394ba@syzkaller.appspotmail.com +Acked-by: Christian Brauner +Acked-by: Todd Kjos +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20200806165359.2381483-1-jannh@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/android/binder.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/android/binder.c b/drivers/android/binder.c +index e8a1db4a86ed8..b27b6bf0c1186 100644 +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2323,8 +2323,6 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, + * file is done when the transaction is torn + * down. + */ +- WARN_ON(failed_at && +- proc->tsk == current->group_leader); + } break; + case BINDER_TYPE_PTR: + /* +-- +2.25.1 + diff --git a/queue-5.9/blk-mq-always-allow-reserved-allocation-in-hctx_may_.patch b/queue-5.9/blk-mq-always-allow-reserved-allocation-in-hctx_may_.patch new file mode 100644 index 00000000000..0ad10e0d26f --- /dev/null +++ b/queue-5.9/blk-mq-always-allow-reserved-allocation-in-hctx_may_.patch @@ -0,0 +1,71 @@ +From bcc9e12168bd4e08081b8514157e2de7534e20b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 18:41:14 +0800 +Subject: blk-mq: always allow reserved allocation in hctx_may_queue + +From: Ming Lei + +[ Upstream commit 285008501c65a3fcee05d2c2c26cbf629ceff2f0 ] + +NVMe shares tagset between fabric queue and admin queue or between +connect_q and NS queue, so hctx_may_queue() can be called to allocate +request for these queues. + +Tags can be reserved in these tagset. Before error recovery, there is +often lots of in-flight requests which can't be completed, and new +reserved request may be needed in error recovery path. However, +hctx_may_queue() can always return false because there is too many +in-flight requests which can't be completed during error handling. +Finally, nothing can proceed. + +Fix this issue by always allowing reserved tag allocation in +hctx_may_queue(). This is reasonable because reserved tags are supposed +to always be available. + +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Cc: David Milburn +Cc: Ewan D. Milne +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-tag.c | 3 ++- + block/blk-mq.c | 5 +++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c +index 32d82e23b0953..a1c1e7c611f7b 100644 +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -59,7 +59,8 @@ void __blk_mq_tag_idle(struct blk_mq_hw_ctx *hctx) + static int __blk_mq_get_tag(struct blk_mq_alloc_data *data, + struct sbitmap_queue *bt) + { +- if (!data->q->elevator && !hctx_may_queue(data->hctx, bt)) ++ if (!data->q->elevator && !(data->flags & BLK_MQ_REQ_RESERVED) && ++ !hctx_may_queue(data->hctx, bt)) + return BLK_MQ_NO_TAG; + + if (data->shallow_depth) +diff --git a/block/blk-mq.c b/block/blk-mq.c +index c27a61029cdd0..94a53d779c12b 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1105,10 +1105,11 @@ static bool __blk_mq_get_driver_tag(struct request *rq) + if (blk_mq_tag_is_reserved(rq->mq_hctx->sched_tags, rq->internal_tag)) { + bt = &rq->mq_hctx->tags->breserved_tags; + tag_offset = 0; ++ } else { ++ if (!hctx_may_queue(rq->mq_hctx, bt)) ++ return false; + } + +- if (!hctx_may_queue(rq->mq_hctx, bt)) +- return false; + tag = __sbitmap_queue_get(bt); + if (tag == BLK_MQ_NO_TAG) + return false; +-- +2.25.1 + diff --git a/queue-5.9/blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch b/queue-5.9/blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch new file mode 100644 index 00000000000..528228dd44f --- /dev/null +++ b/queue-5.9/blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch @@ -0,0 +1,61 @@ +From 9d6f2049eb0525e5a66d36ad22f8961d2367955f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 01:00:14 -0700 +Subject: blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue + +From: Yang Yang + +[ Upstream commit 47ce030b7ac5a5259a9a5919f230b52497afc31a ] + +blk_exit_queue will free elevator_data, while blk_mq_run_work_fn +will access it. Move cancel of hctx->run_work to the front of +blk_exit_queue to avoid use-after-free. + +Fixes: 1b97871b501f ("blk-mq: move cancel of hctx->run_work into blk_mq_hw_sysfs_release") +Signed-off-by: Yang Yang +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-sysfs.c | 2 -- + block/blk-sysfs.c | 9 ++++++++- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c +index 062229395a507..7b52e7657b2d1 100644 +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -36,8 +36,6 @@ static void blk_mq_hw_sysfs_release(struct kobject *kobj) + struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx, + kobj); + +- cancel_delayed_work_sync(&hctx->run_work); +- + if (hctx->flags & BLK_MQ_F_BLOCKING) + cleanup_srcu_struct(hctx->srcu); + blk_free_flush_queue(hctx->fq); +diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c +index 7dda709f3ccb6..8c6bafc801dd9 100644 +--- a/block/blk-sysfs.c ++++ b/block/blk-sysfs.c +@@ -934,9 +934,16 @@ static void blk_release_queue(struct kobject *kobj) + + blk_free_queue_stats(q->stats); + +- if (queue_is_mq(q)) ++ if (queue_is_mq(q)) { ++ struct blk_mq_hw_ctx *hctx; ++ int i; ++ + cancel_delayed_work_sync(&q->requeue_work); + ++ queue_for_each_hw_ctx(q, hctx, i) ++ cancel_delayed_work_sync(&hctx->run_work); ++ } ++ + blk_exit_queue(q); + + blk_queue_free_zone_bitmaps(q); +-- +2.25.1 + diff --git a/queue-5.9/block-ratelimit-handle_bad_sector-message.patch b/queue-5.9/block-ratelimit-handle_bad_sector-message.patch new file mode 100644 index 00000000000..bb331f63911 --- /dev/null +++ b/queue-5.9/block-ratelimit-handle_bad_sector-message.patch @@ -0,0 +1,47 @@ +From 50ff68c6c620ae6a85160611f51b2dc1314e3d68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 22:37:23 +0900 +Subject: block: ratelimit handle_bad_sector() message + +From: Tetsuo Handa + +[ Upstream commit f4ac712e4fe009635344b9af5d890fe25fcc8c0d ] + +syzbot is reporting unkillable task [1], for the caller is failing to +handle a corrupted filesystem image which attempts to access beyond +the end of the device. While we need to fix the caller, flooding the +console with handle_bad_sector() message is unlikely useful. + +[1] https://syzkaller.appspot.com/bug?id=f1f49fb971d7a3e01bd8ab8cff2ff4572ccf3092 + +Signed-off-by: Tetsuo Handa +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 10c08ac506978..0014e7caae3d2 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -803,11 +803,10 @@ static void handle_bad_sector(struct bio *bio, sector_t maxsector) + { + char b[BDEVNAME_SIZE]; + +- printk(KERN_INFO "attempt to access beyond end of device\n"); +- printk(KERN_INFO "%s: rw=%d, want=%Lu, limit=%Lu\n", +- bio_devname(bio, b), bio->bi_opf, +- (unsigned long long)bio_end_sector(bio), +- (long long)maxsector); ++ pr_info_ratelimited("attempt to access beyond end of device\n" ++ "%s: rw=%d, want=%llu, limit=%llu\n", ++ bio_devname(bio, b), bio->bi_opf, ++ bio_end_sector(bio), maxsector); + } + + #ifdef CONFIG_FAIL_MAKE_REQUEST +-- +2.25.1 + diff --git a/queue-5.9/bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch b/queue-5.9/bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch new file mode 100644 index 00000000000..01e58d00e02 --- /dev/null +++ b/queue-5.9/bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch @@ -0,0 +1,34 @@ +From bf10d9811c217440f63d44c0b6710d417ae9a2de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 15:44:21 +0800 +Subject: Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb + +From: Dinghao Liu + +[ Upstream commit d33fe77bdf75806d785dabf90d21d962122e5296 ] + +When kmalloc() on buf fails, urb should be freed just like +when kmalloc() on dr fails. + +Signed-off-by: Dinghao Liu +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 8d2608ddfd087..f88968bcdd6a8 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2896,6 +2896,7 @@ static int btusb_mtk_submit_wmt_recv_urb(struct hci_dev *hdev) + buf = kmalloc(size, GFP_KERNEL); + if (!buf) { + kfree(dr); ++ usb_free_urb(urb); + return -ENOMEM; + } + +-- +2.25.1 + diff --git a/queue-5.9/bluetooth-clear-suspend-tasks-on-unregister.patch b/queue-5.9/bluetooth-clear-suspend-tasks-on-unregister.patch new file mode 100644 index 00000000000..fbcc31e9522 --- /dev/null +++ b/queue-5.9/bluetooth-clear-suspend-tasks-on-unregister.patch @@ -0,0 +1,53 @@ +From d288f7e7a1ca163e058c5c13047bdee46b38fa8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 09:51:27 -0700 +Subject: Bluetooth: Clear suspend tasks on unregister + +From: Abhishek Pandit-Subedi + +[ Upstream commit 0e9952804ec9c8ba60f131225eab80634339f042 ] + +While unregistering, make sure to clear the suspend tasks before +cancelling the work. If the unregister is called during resume from +suspend, this will unnecessarily add 2s to the resume time otherwise. + +Fixes: 4e8c36c3b0d73d (Bluetooth: Fix suspend notifier race) +Signed-off-by: Abhishek Pandit-Subedi +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 68bfe57b66250..efc0fe2b47dac 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3442,6 +3442,16 @@ void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr, + } + } + ++static void hci_suspend_clear_tasks(struct hci_dev *hdev) ++{ ++ int i; ++ ++ for (i = 0; i < __SUSPEND_NUM_TASKS; i++) ++ clear_bit(i, hdev->suspend_tasks); ++ ++ wake_up(&hdev->suspend_wait_q); ++} ++ + static int hci_suspend_wait_event(struct hci_dev *hdev) + { + #define WAKE_COND \ +@@ -3785,6 +3795,7 @@ void hci_unregister_dev(struct hci_dev *hdev) + cancel_work_sync(&hdev->power_on); + + unregister_pm_notifier(&hdev->suspend_notifier); ++ hci_suspend_clear_tasks(hdev); + cancel_work_sync(&hdev->suspend_prepare); + + hci_dev_do_close(hdev); +-- +2.25.1 + diff --git a/queue-5.9/bluetooth-fix-auto-creation-of-hci_conn-at-conn-comp.patch b/queue-5.9/bluetooth-fix-auto-creation-of-hci_conn-at-conn-comp.patch new file mode 100644 index 00000000000..1f15326f867 --- /dev/null +++ b/queue-5.9/bluetooth-fix-auto-creation-of-hci_conn-at-conn-comp.patch @@ -0,0 +1,67 @@ +From b001e212be419d5246fc720fabd8a67062bcf1a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 12:09:09 -0700 +Subject: Bluetooth: Fix auto-creation of hci_conn at Conn Complete event + +From: Sonny Sasaka + +[ Upstream commit a46b7ed4d52d09bd6c7ab53b2217d04fc2f02c65 ] + +Currently the code auto-creates hci_conn only if the remote address has +been discovered before. This may not be the case. For example, the +remote device may trigger connection after reboot at already-paired +state so there is no inquiry result found, but it is still correct to +create the hci_conn when Connection Complete event is received. + +A better guard is to check against bredr allowlist. Devices in the +allowlist have been given permission to auto-connect. + +Fixes: 4f40afc6c764 ("Bluetooth: Handle BR/EDR devices during suspend") +Signed-off-by: Sonny Sasaka +Reviewed-by: Abhishek Pandit-Subedi +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 4b7fc430793cf..7cf42b9d3dfc8 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2569,7 +2569,6 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) + static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) + { + struct hci_ev_conn_complete *ev = (void *) skb->data; +- struct inquiry_entry *ie; + struct hci_conn *conn; + + BT_DBG("%s", hdev->name); +@@ -2578,13 +2577,19 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) + + conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); + if (!conn) { +- /* Connection may not exist if auto-connected. Check the inquiry +- * cache to see if we've already discovered this bdaddr before. +- * If found and link is an ACL type, create a connection class ++ /* Connection may not exist if auto-connected. Check the bredr ++ * allowlist to see if this device is allowed to auto connect. ++ * If link is an ACL type, create a connection class + * automatically. ++ * ++ * Auto-connect will only occur if the event filter is ++ * programmed with a given address. Right now, event filter is ++ * only used during suspend. + */ +- ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); +- if (ie && ev->link_type == ACL_LINK) { ++ if (ev->link_type == ACL_LINK && ++ hci_bdaddr_list_lookup_with_flags(&hdev->whitelist, ++ &ev->bdaddr, ++ BDADDR_BREDR)) { + conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, + HCI_ROLE_SLAVE); + if (!conn) { +-- +2.25.1 + diff --git a/queue-5.9/bluetooth-fix-memory-leak-in-read_adv_mon_features.patch b/queue-5.9/bluetooth-fix-memory-leak-in-read_adv_mon_features.patch new file mode 100644 index 00000000000..ba316a13cf4 --- /dev/null +++ b/queue-5.9/bluetooth-fix-memory-leak-in-read_adv_mon_features.patch @@ -0,0 +1,54 @@ +From e1ca94c7bf42577925791a019a398086d43fbcbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 03:25:51 -0400 +Subject: Bluetooth: Fix memory leak in read_adv_mon_features() + +From: Peilin Ye + +[ Upstream commit cafd472a10ff3bccd8afd25a69f20a491cd8d7b8 ] + +read_adv_mon_features() is leaking memory. Free `rp` before returning. + +Fixes: e5e1e7fd470c ("Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES") +Reported-and-tested-by: syzbot+f7f6e564f4202d8601c6@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=f7f6e564f4202d8601c6 +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 5758ccb524ef7..12a7cc9840b4d 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -4162,7 +4162,7 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev, + { + struct adv_monitor *monitor = NULL; + struct mgmt_rp_read_adv_monitor_features *rp = NULL; +- int handle; ++ int handle, err; + size_t rp_size = 0; + __u32 supported = 0; + __u16 num_handles = 0; +@@ -4197,9 +4197,13 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev, + if (num_handles) + memcpy(&rp->handles, &handles, (num_handles * sizeof(u16))); + +- return mgmt_cmd_complete(sk, hdev->id, +- MGMT_OP_READ_ADV_MONITOR_FEATURES, +- MGMT_STATUS_SUCCESS, rp, rp_size); ++ err = mgmt_cmd_complete(sk, hdev->id, ++ MGMT_OP_READ_ADV_MONITOR_FEATURES, ++ MGMT_STATUS_SUCCESS, rp, rp_size); ++ ++ kfree(rp); ++ ++ return err; + } + + static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, +-- +2.25.1 + diff --git a/queue-5.9/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch b/queue-5.9/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch new file mode 100644 index 00000000000..4fbe1cf84ea --- /dev/null +++ b/queue-5.9/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch @@ -0,0 +1,51 @@ +From a5c2765202d7e1ed0e5454a0d32654adab780cac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Aug 2020 11:29:56 -0500 +Subject: Bluetooth: hci_uart: Cancel init work before unregistering + +From: Samuel Holland + +[ Upstream commit 3b799254cf6f481460719023d7a18f46651e5e7f ] + +If hci_uart_tty_close() or hci_uart_unregister_device() is called while +hu->init_ready is scheduled, hci_register_dev() could be called after +the hci_uart is torn down. Avoid this by ensuring the work is complete +or canceled before checking the HCI_UART_REGISTERED flag. + +Fixes: 9f2aee848fe6 ("Bluetooth: Add delayed init sequence support for UART controllers") +Signed-off-by: Samuel Holland +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_ldisc.c | 1 + + drivers/bluetooth/hci_serdev.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index 85a30fb9177bb..f83d67eafc9f0 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -538,6 +538,7 @@ static void hci_uart_tty_close(struct tty_struct *tty) + clear_bit(HCI_UART_PROTO_READY, &hu->flags); + percpu_up_write(&hu->proto_lock); + ++ cancel_work_sync(&hu->init_ready); + cancel_work_sync(&hu->write_work); + + if (hdev) { +diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c +index 7b233312e723f..3977bba485c22 100644 +--- a/drivers/bluetooth/hci_serdev.c ++++ b/drivers/bluetooth/hci_serdev.c +@@ -355,6 +355,8 @@ void hci_uart_unregister_device(struct hci_uart *hu) + struct hci_dev *hdev = hu->hdev; + + clear_bit(HCI_UART_PROTO_READY, &hu->flags); ++ ++ cancel_work_sync(&hu->init_ready); + if (test_bit(HCI_UART_REGISTERED, &hu->flags)) + hci_unregister_dev(hdev); + hci_free_dev(hdev); +-- +2.25.1 + diff --git a/queue-5.9/bluetooth-only-mark-socket-zapped-after-unlocking.patch b/queue-5.9/bluetooth-only-mark-socket-zapped-after-unlocking.patch new file mode 100644 index 00000000000..b5249f76227 --- /dev/null +++ b/queue-5.9/bluetooth-only-mark-socket-zapped-after-unlocking.patch @@ -0,0 +1,73 @@ +From 911cfa57d44d1993664175b3f22aeb38f30de80c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 15:33:18 -0700 +Subject: Bluetooth: Only mark socket zapped after unlocking + +From: Abhishek Pandit-Subedi + +[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ] + +Since l2cap_sock_teardown_cb doesn't acquire the channel lock before +setting the socket as zapped, it could potentially race with +l2cap_sock_release which frees the socket. Thus, wait until the cleanup +is complete before marking the socket as zapped. + +This race was reproduced on a JBL GO speaker after the remote device +rejected L2CAP connection due to resource unavailability. + +Here is a dmesg log with debug logs from a repro of this bug: +[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002 +[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0 +[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2 +[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001 +[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952 +[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c +[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00 +[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4 +[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT +[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT +[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3 +[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6 +[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159 +[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053 +[ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 +[ 3465.430332] Causing a watchdog bite! + +Signed-off-by: Abhishek Pandit-Subedi +Reported-by: Balakrishna Godavarthi +Reviewed-by: Manish Mandlik +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 79b4c01c515b9..f1b1edd0b6974 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1521,8 +1521,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + + parent = bt_sk(sk)->parent; + +- sock_set_flag(sk, SOCK_ZAPPED); +- + switch (chan->state) { + case BT_OPEN: + case BT_BOUND: +@@ -1549,8 +1547,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + + break; + } +- + release_sock(sk); ++ ++ /* Only zap after cleanup to avoid use after free race */ ++ sock_set_flag(sk, SOCK_ZAPPED); ++ + } + + static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, +-- +2.25.1 + diff --git a/queue-5.9/bluetooth-re-order-clearing-suspend-tasks.patch b/queue-5.9/bluetooth-re-order-clearing-suspend-tasks.patch new file mode 100644 index 00000000000..eb8595cc330 --- /dev/null +++ b/queue-5.9/bluetooth-re-order-clearing-suspend-tasks.patch @@ -0,0 +1,38 @@ +From f2aa9f814147b92e3e66e0611b5b469d9f02109e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 16:53:59 -0700 +Subject: Bluetooth: Re-order clearing suspend tasks + +From: Abhishek Pandit-Subedi + +[ Upstream commit 3eec158d5eca7dd455118d9e00568aad2371219f ] + +Unregister_pm_notifier is a blocking call so suspend tasks should be +cleared beforehand. Otherwise, the notifier will wait for completion +before returning (and we encounter a 2s timeout on resume). + +Fixes: 0e9952804ec9c8 (Bluetooth: Clear suspend tasks on unregister) +Signed-off-by: Abhishek Pandit-Subedi +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index efc0fe2b47dac..be9cdf5dabe5d 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3794,8 +3794,8 @@ void hci_unregister_dev(struct hci_dev *hdev) + + cancel_work_sync(&hdev->power_on); + +- unregister_pm_notifier(&hdev->suspend_notifier); + hci_suspend_clear_tasks(hdev); ++ unregister_pm_notifier(&hdev->suspend_notifier); + cancel_work_sync(&hdev->suspend_prepare); + + hci_dev_do_close(hdev); +-- +2.25.1 + diff --git a/queue-5.9/bpf-disallow-attaching-modify_return-tracing-functio.patch b/queue-5.9/bpf-disallow-attaching-modify_return-tracing-functio.patch new file mode 100644 index 00000000000..7be3a062f0d --- /dev/null +++ b/queue-5.9/bpf-disallow-attaching-modify_return-tracing-functio.patch @@ -0,0 +1,52 @@ +From 98ce5b6c0d3acccd77aab211e2025090078ee16b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 23:25:00 +0200 +Subject: bpf: disallow attaching modify_return tracing functions to other BPF + programs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 1af9270e908cd50a4f5d815c9b6f794c7d57ed07 ] + +From the checks and commit messages for modify_return, it seems it was +never the intention that it should be possible to attach a tracing program +with expected_attach_type == BPF_MODIFY_RETURN to another BPF program. +However, check_attach_modify_return() will only look at the function name, +so if the target function starts with "security_", the attach will be +allowed even for bpf2bpf attachment. + +Fix this oversight by also blocking the modification if a target program is +supplied. + +Fixes: 18644cec714a ("bpf: Fix use-after-free in fmod_ret check") +Fixes: 6ba43b761c41 ("bpf: Attachment verification for BPF_MODIFY_RETURN") +Acked-by: Andrii Nakryiko +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index fba52d9ec8fc4..5b9d2cf06fc6b 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -11046,6 +11046,11 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) + } + + if (prog->expected_attach_type == BPF_MODIFY_RETURN) { ++ if (tgt_prog) { ++ verbose(env, "can't modify return codes of BPF programs\n"); ++ ret = -EINVAL; ++ goto out; ++ } + ret = check_attach_modify_return(prog, addr); + if (ret) + verbose(env, "%s() is not modifiable\n", +-- +2.25.1 + diff --git a/queue-5.9/bpf-enforce-id-generation-for-all-may-be-null-regist.patch b/queue-5.9/bpf-enforce-id-generation-for-all-may-be-null-regist.patch new file mode 100644 index 00000000000..d555b636e33 --- /dev/null +++ b/queue-5.9/bpf-enforce-id-generation-for-all-may-be-null-regist.patch @@ -0,0 +1,103 @@ +From 5bd1ec95f53d43d7c818249dcf0511ee8b113668 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 12:42:12 -0700 +Subject: bpf: Enforce id generation for all may-be-null register type + +From: Martin KaFai Lau + +[ Upstream commit 93c230e3f5bd6e1d2b2759d582fdfe9c2731473b ] + +The commit af7ec1383361 ("bpf: Add bpf_skc_to_tcp6_sock() helper") +introduces RET_PTR_TO_BTF_ID_OR_NULL and +the commit eaa6bcb71ef6 ("bpf: Introduce bpf_per_cpu_ptr()") +introduces RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL. +Note that for RET_PTR_TO_MEM_OR_BTF_ID_OR_NULL, the reg0->type +could become PTR_TO_MEM_OR_NULL which is not covered by +BPF_PROBE_MEM. + +The BPF_REG_0 will then hold a _OR_NULL pointer type. This _OR_NULL +pointer type requires the bpf program to explicitly do a NULL check first. +After NULL check, the verifier will mark all registers having +the same reg->id as safe to use. However, the reg->id +is not set for those new _OR_NULL return types. One of the ways +that may be wrong is, checking NULL for one btf_id typed pointer will +end up validating all other btf_id typed pointers because +all of them have id == 0. The later tests will exercise +this path. + +To fix it and also avoid similar issue in the future, this patch +moves the id generation logic out of each individual RET type +test in check_helper_call(). Instead, it does one +reg_type_may_be_null() test and then do the id generation +if needed. + +This patch also adds a WARN_ON_ONCE in mark_ptr_or_null_reg() +to catch future breakage. + +The _OR_NULL pointer usage in the bpf_iter_reg.ctx_arg_info is +fine because it just happens that the existing id generation after +check_ctx_access() has covered it. It is also using the +reg_type_may_be_null() to decide if id generation is needed or not. + +Fixes: af7ec1383361 ("bpf: Add bpf_skc_to_tcp6_sock() helper") +Fixes: eaa6bcb71ef6 ("bpf: Introduce bpf_per_cpu_ptr()") +Signed-off-by: Martin KaFai Lau +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20201019194212.1050855-1-kafai@fb.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 5b9d2cf06fc6b..c38ebc9af9468 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4885,24 +4885,19 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn + regs[BPF_REG_0].id = ++env->id_gen; + } else { + regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; +- regs[BPF_REG_0].id = ++env->id_gen; + } + } else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) { + mark_reg_known_zero(env, regs, BPF_REG_0); + regs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL; +- regs[BPF_REG_0].id = ++env->id_gen; + } else if (fn->ret_type == RET_PTR_TO_SOCK_COMMON_OR_NULL) { + mark_reg_known_zero(env, regs, BPF_REG_0); + regs[BPF_REG_0].type = PTR_TO_SOCK_COMMON_OR_NULL; +- regs[BPF_REG_0].id = ++env->id_gen; + } else if (fn->ret_type == RET_PTR_TO_TCP_SOCK_OR_NULL) { + mark_reg_known_zero(env, regs, BPF_REG_0); + regs[BPF_REG_0].type = PTR_TO_TCP_SOCK_OR_NULL; +- regs[BPF_REG_0].id = ++env->id_gen; + } else if (fn->ret_type == RET_PTR_TO_ALLOC_MEM_OR_NULL) { + mark_reg_known_zero(env, regs, BPF_REG_0); + regs[BPF_REG_0].type = PTR_TO_MEM_OR_NULL; +- regs[BPF_REG_0].id = ++env->id_gen; + regs[BPF_REG_0].mem_size = meta.mem_size; + } else if (fn->ret_type == RET_PTR_TO_BTF_ID_OR_NULL) { + int ret_btf_id; +@@ -4922,6 +4917,9 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn + return -EINVAL; + } + ++ if (reg_type_may_be_null(regs[BPF_REG_0].type)) ++ regs[BPF_REG_0].id = ++env->id_gen; ++ + if (is_ptr_cast_function(func_id)) { + /* For release_reference() */ + regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id; +@@ -6847,7 +6845,8 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state, + struct bpf_reg_state *reg, u32 id, + bool is_null) + { +- if (reg_type_may_be_null(reg->type) && reg->id == id) { ++ if (reg_type_may_be_null(reg->type) && reg->id == id && ++ !WARN_ON_ONCE(!reg->id)) { + /* Old offset (both fixed and variable parts) should + * have been known-zero, because we don't allow pointer + * arithmetic on pointers that might be NULL. +-- +2.25.1 + diff --git a/queue-5.9/bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch b/queue-5.9/bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch new file mode 100644 index 00000000000..e584b1236c0 --- /dev/null +++ b/queue-5.9/bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch @@ -0,0 +1,85 @@ +From 53ae8b02a39c493acf1f7715b8dfd2f5aab09dca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 23:10:07 +0200 +Subject: bpf: Limit caller's stack depth 256 for subprogs with tailcalls + +From: Maciej Fijalkowski + +[ Upstream commit 7f6e4312e15a5c370e84eaa685879b6bdcc717e4 ] + +Protect against potential stack overflow that might happen when bpf2bpf +calls get combined with tailcalls. Limit the caller's stack depth for +such case down to 256 so that the worst case scenario would result in 8k +stack size (32 which is tailcall limit * 256 = 8k). + +Suggested-by: Alexei Starovoitov +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 1 + + kernel/bpf/verifier.c | 29 +++++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index 53c7bd568c5d4..5026b75db9725 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -358,6 +358,7 @@ struct bpf_subprog_info { + u32 start; /* insn idx of function entry point */ + u32 linfo_idx; /* The idx to the main_prog->aux->linfo */ + u16 stack_depth; /* max. stack depth used by this function */ ++ bool has_tail_call; + }; + + /* single container for all structs +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index c38ebc9af9468..43cd175c66a55 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1489,6 +1489,10 @@ static int check_subprogs(struct bpf_verifier_env *env) + for (i = 0; i < insn_cnt; i++) { + u8 code = insn[i].code; + ++ if (code == (BPF_JMP | BPF_CALL) && ++ insn[i].imm == BPF_FUNC_tail_call && ++ insn[i].src_reg != BPF_PSEUDO_CALL) ++ subprog[cur_subprog].has_tail_call = true; + if (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32) + goto next; + if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL) +@@ -2974,6 +2978,31 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + int ret_prog[MAX_CALL_FRAMES]; + + process_func: ++ /* protect against potential stack overflow that might happen when ++ * bpf2bpf calls get combined with tailcalls. Limit the caller's stack ++ * depth for such case down to 256 so that the worst case scenario ++ * would result in 8k stack size (32 which is tailcall limit * 256 = ++ * 8k). ++ * ++ * To get the idea what might happen, see an example: ++ * func1 -> sub rsp, 128 ++ * subfunc1 -> sub rsp, 256 ++ * tailcall1 -> add rsp, 256 ++ * func2 -> sub rsp, 192 (total stack size = 128 + 192 = 320) ++ * subfunc2 -> sub rsp, 64 ++ * subfunc22 -> sub rsp, 128 ++ * tailcall2 -> add rsp, 128 ++ * func3 -> sub rsp, 32 (total stack size 128 + 192 + 64 + 32 = 416) ++ * ++ * tailcall will unwind the current stack frame but it will not get rid ++ * of caller's stack as shown on the example above. ++ */ ++ if (idx && subprog[idx].has_tail_call && depth >= 256) { ++ verbose(env, ++ "tail_calls are not allowed when call stack of previous frames is %d bytes. Too large\n", ++ depth); ++ return -EACCES; ++ } + /* round up to 32-bytes, since this is granularity + * of interpreter stack size + */ +-- +2.25.1 + diff --git a/queue-5.9/bpf-sockmap-remove-skb_orphan-and-let-normal-skb_kfr.patch b/queue-5.9/bpf-sockmap-remove-skb_orphan-and-let-normal-skb_kfr.patch new file mode 100644 index 00000000000..a94e581a325 --- /dev/null +++ b/queue-5.9/bpf-sockmap-remove-skb_orphan-and-let-normal-skb_kfr.patch @@ -0,0 +1,66 @@ +From 533b5c4a02666ed75080cf9e520d243c5fa9a7d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 11:37:35 -0700 +Subject: bpf, sockmap: Remove skb_orphan and let normal skb_kfree do cleanup + +From: John Fastabend + +[ Upstream commit 10d58d006356a075a7b056e0f6502db416d1a261 ] + +Calling skb_orphan() is unnecessary in the strp rcv handler because the skb +is from a skb_clone() in __strp_recv. So it never has a destructor or a +sk assigned. Plus its confusing to read because it might hint to the reader +that the skb could have an sk assigned which is not true. Even if we did +have an sk assigned it would be cleaner to simply wait for the upcoming +kfree_skb(). + +Additionally, move the comment about strparser clone up so its closer to +the logic it is describing and add to it so that it is more complete. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/160226865548.5692.9098315689984599579.stgit@john-Precision-5820-Tower +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 649583158983a..30ddca6db6c6b 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -662,15 +662,16 @@ static int sk_psock_bpf_run(struct sk_psock *psock, struct bpf_prog *prog, + { + int ret; + ++ /* strparser clones the skb before handing it to a upper layer, ++ * meaning we have the same data, but sk is NULL. We do want an ++ * sk pointer though when we run the BPF program. So we set it ++ * here and then NULL it to ensure we don't trigger a BUG_ON() ++ * in skb/sk operations later if kfree_skb is called with a ++ * valid skb->sk pointer and no destructor assigned. ++ */ + skb->sk = psock->sk; + bpf_compute_data_end_sk_skb(skb); + ret = bpf_prog_run_pin_on_cpu(prog, skb); +- /* strparser clones the skb before handing it to a upper layer, +- * meaning skb_orphan has been called. We NULL sk on the way out +- * to ensure we don't trigger a BUG_ON() in skb/sk operations +- * later and because we are not charging the memory of this skb +- * to any socket yet. +- */ + skb->sk = NULL; + return ret; + } +@@ -794,7 +795,6 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb) + } + prog = READ_ONCE(psock->progs.skb_verdict); + if (likely(prog)) { +- skb_orphan(skb); + tcp_skb_bpf_redirect_clear(skb); + ret = sk_psock_bpf_run(psock, prog, skb); + ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb)); +-- +2.25.1 + diff --git a/queue-5.9/bpf-use-raw_spin_trylock-for-pcpu_freelist_push-pop-.patch b/queue-5.9/bpf-use-raw_spin_trylock-for-pcpu_freelist_push-pop-.patch new file mode 100644 index 00000000000..4f3edd8d424 --- /dev/null +++ b/queue-5.9/bpf-use-raw_spin_trylock-for-pcpu_freelist_push-pop-.patch @@ -0,0 +1,252 @@ +From c1a652c315ec505dbe95860e9cbc3e420d90bc05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 09:58:38 -0700 +Subject: bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI + +From: Song Liu + +[ Upstream commit 39d8f0d1026a990604770a658708f5845f7dbec0 ] + +Recent improvements in LOCKDEP highlighted a potential A-A deadlock with +pcpu_freelist in NMI: + +./tools/testing/selftests/bpf/test_progs -t stacktrace_build_id_nmi + +[ 18.984807] ================================ +[ 18.984807] WARNING: inconsistent lock state +[ 18.984808] 5.9.0-rc6-01771-g1466de1330e1 #2967 Not tainted +[ 18.984809] -------------------------------- +[ 18.984809] inconsistent {INITIAL USE} -> {IN-NMI} usage. +[ 18.984810] test_progs/1990 [HC2[2]:SC0[0]:HE0:SE1] takes: +[ 18.984810] ffffe8ffffc219c0 (&head->lock){....}-{2:2}, at: __pcpu_freelist_pop+0xe3/0x180 +[ 18.984813] {INITIAL USE} state was registered at: +[ 18.984814] lock_acquire+0x175/0x7c0 +[ 18.984814] _raw_spin_lock+0x2c/0x40 +[ 18.984815] __pcpu_freelist_pop+0xe3/0x180 +[ 18.984815] pcpu_freelist_pop+0x31/0x40 +[ 18.984816] htab_map_alloc+0xbbf/0xf40 +[ 18.984816] __do_sys_bpf+0x5aa/0x3ed0 +[ 18.984817] do_syscall_64+0x2d/0x40 +[ 18.984818] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 18.984818] irq event stamp: 12 +[...] +[ 18.984822] other info that might help us debug this: +[ 18.984823] Possible unsafe locking scenario: +[ 18.984823] +[ 18.984824] CPU0 +[ 18.984824] ---- +[ 18.984824] lock(&head->lock); +[ 18.984826] +[ 18.984826] lock(&head->lock); +[ 18.984827] +[ 18.984828] *** DEADLOCK *** +[ 18.984828] +[ 18.984829] 2 locks held by test_progs/1990: +[...] +[ 18.984838] +[ 18.984838] dump_stack+0x9a/0xd0 +[ 18.984839] lock_acquire+0x5c9/0x7c0 +[ 18.984839] ? lock_release+0x6f0/0x6f0 +[ 18.984840] ? __pcpu_freelist_pop+0xe3/0x180 +[ 18.984840] _raw_spin_lock+0x2c/0x40 +[ 18.984841] ? __pcpu_freelist_pop+0xe3/0x180 +[ 18.984841] __pcpu_freelist_pop+0xe3/0x180 +[ 18.984842] pcpu_freelist_pop+0x17/0x40 +[ 18.984842] ? lock_release+0x6f0/0x6f0 +[ 18.984843] __bpf_get_stackid+0x534/0xaf0 +[ 18.984843] bpf_prog_1fd9e30e1438d3c5_oncpu+0x73/0x350 +[ 18.984844] bpf_overflow_handler+0x12f/0x3f0 + +This is because pcpu_freelist_head.lock is accessed in both NMI and +non-NMI context. Fix this issue by using raw_spin_trylock() in NMI. + +Since NMI interrupts non-NMI context, when NMI context tries to lock the +raw_spinlock, non-NMI context of the same CPU may already have locked a +lock and is blocked from unlocking the lock. For a system with N CPUs, +there could be N NMIs at the same time, and they may block N non-NMI +raw_spinlocks. This is tricky for pcpu_freelist_push(), where unlike +_pop(), failing _push() means leaking memory. This issue is more likely to +trigger in non-SMP system. + +Fix this issue with an extra list, pcpu_freelist.extralist. The extralist +is primarily used to take _push() when raw_spin_trylock() failed on all +the per CPU lists. It should be empty most of the time. The following +table summarizes the behavior of pcpu_freelist in NMI and non-NMI: + +non-NMI pop(): use _lock(); check per CPU lists first; + if all per CPU lists are empty, check extralist; + if extralist is empty, return NULL. + +non-NMI push(): use _lock(); only push to per CPU lists. + +NMI pop(): use _trylock(); check per CPU lists first; + if all per CPU lists are locked or empty, check extralist; + if extralist is locked or empty, return NULL. + +NMI push(): use _trylock(); check per CPU lists first; + if all per CPU lists are locked; try push to extralist; + if extralist is also locked, keep trying on per CPU lists. + +Reported-by: Alexei Starovoitov +Signed-off-by: Song Liu +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20201005165838.3735218-1-songliubraving@fb.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/percpu_freelist.c | 101 +++++++++++++++++++++++++++++++++-- + kernel/bpf/percpu_freelist.h | 1 + + 2 files changed, 97 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/percpu_freelist.c b/kernel/bpf/percpu_freelist.c +index b367430e611c7..3d897de890612 100644 +--- a/kernel/bpf/percpu_freelist.c ++++ b/kernel/bpf/percpu_freelist.c +@@ -17,6 +17,8 @@ int pcpu_freelist_init(struct pcpu_freelist *s) + raw_spin_lock_init(&head->lock); + head->first = NULL; + } ++ raw_spin_lock_init(&s->extralist.lock); ++ s->extralist.first = NULL; + return 0; + } + +@@ -40,12 +42,50 @@ static inline void ___pcpu_freelist_push(struct pcpu_freelist_head *head, + raw_spin_unlock(&head->lock); + } + ++static inline bool pcpu_freelist_try_push_extra(struct pcpu_freelist *s, ++ struct pcpu_freelist_node *node) ++{ ++ if (!raw_spin_trylock(&s->extralist.lock)) ++ return false; ++ ++ pcpu_freelist_push_node(&s->extralist, node); ++ raw_spin_unlock(&s->extralist.lock); ++ return true; ++} ++ ++static inline void ___pcpu_freelist_push_nmi(struct pcpu_freelist *s, ++ struct pcpu_freelist_node *node) ++{ ++ int cpu, orig_cpu; ++ ++ orig_cpu = cpu = raw_smp_processor_id(); ++ while (1) { ++ struct pcpu_freelist_head *head; ++ ++ head = per_cpu_ptr(s->freelist, cpu); ++ if (raw_spin_trylock(&head->lock)) { ++ pcpu_freelist_push_node(head, node); ++ raw_spin_unlock(&head->lock); ++ return; ++ } ++ cpu = cpumask_next(cpu, cpu_possible_mask); ++ if (cpu >= nr_cpu_ids) ++ cpu = 0; ++ ++ /* cannot lock any per cpu lock, try extralist */ ++ if (cpu == orig_cpu && ++ pcpu_freelist_try_push_extra(s, node)) ++ return; ++ } ++} ++ + void __pcpu_freelist_push(struct pcpu_freelist *s, + struct pcpu_freelist_node *node) + { +- struct pcpu_freelist_head *head = this_cpu_ptr(s->freelist); +- +- ___pcpu_freelist_push(head, node); ++ if (in_nmi()) ++ ___pcpu_freelist_push_nmi(s, node); ++ else ++ ___pcpu_freelist_push(this_cpu_ptr(s->freelist), node); + } + + void pcpu_freelist_push(struct pcpu_freelist *s, +@@ -81,7 +121,7 @@ void pcpu_freelist_populate(struct pcpu_freelist *s, void *buf, u32 elem_size, + } + } + +-struct pcpu_freelist_node *__pcpu_freelist_pop(struct pcpu_freelist *s) ++static struct pcpu_freelist_node *___pcpu_freelist_pop(struct pcpu_freelist *s) + { + struct pcpu_freelist_head *head; + struct pcpu_freelist_node *node; +@@ -102,8 +142,59 @@ struct pcpu_freelist_node *__pcpu_freelist_pop(struct pcpu_freelist *s) + if (cpu >= nr_cpu_ids) + cpu = 0; + if (cpu == orig_cpu) +- return NULL; ++ break; ++ } ++ ++ /* per cpu lists are all empty, try extralist */ ++ raw_spin_lock(&s->extralist.lock); ++ node = s->extralist.first; ++ if (node) ++ s->extralist.first = node->next; ++ raw_spin_unlock(&s->extralist.lock); ++ return node; ++} ++ ++static struct pcpu_freelist_node * ++___pcpu_freelist_pop_nmi(struct pcpu_freelist *s) ++{ ++ struct pcpu_freelist_head *head; ++ struct pcpu_freelist_node *node; ++ int orig_cpu, cpu; ++ ++ orig_cpu = cpu = raw_smp_processor_id(); ++ while (1) { ++ head = per_cpu_ptr(s->freelist, cpu); ++ if (raw_spin_trylock(&head->lock)) { ++ node = head->first; ++ if (node) { ++ head->first = node->next; ++ raw_spin_unlock(&head->lock); ++ return node; ++ } ++ raw_spin_unlock(&head->lock); ++ } ++ cpu = cpumask_next(cpu, cpu_possible_mask); ++ if (cpu >= nr_cpu_ids) ++ cpu = 0; ++ if (cpu == orig_cpu) ++ break; + } ++ ++ /* cannot pop from per cpu lists, try extralist */ ++ if (!raw_spin_trylock(&s->extralist.lock)) ++ return NULL; ++ node = s->extralist.first; ++ if (node) ++ s->extralist.first = node->next; ++ raw_spin_unlock(&s->extralist.lock); ++ return node; ++} ++ ++struct pcpu_freelist_node *__pcpu_freelist_pop(struct pcpu_freelist *s) ++{ ++ if (in_nmi()) ++ return ___pcpu_freelist_pop_nmi(s); ++ return ___pcpu_freelist_pop(s); + } + + struct pcpu_freelist_node *pcpu_freelist_pop(struct pcpu_freelist *s) +diff --git a/kernel/bpf/percpu_freelist.h b/kernel/bpf/percpu_freelist.h +index fbf8a8a289791..3c76553cfe571 100644 +--- a/kernel/bpf/percpu_freelist.h ++++ b/kernel/bpf/percpu_freelist.h +@@ -13,6 +13,7 @@ struct pcpu_freelist_head { + + struct pcpu_freelist { + struct pcpu_freelist_head __percpu *freelist; ++ struct pcpu_freelist_head extralist; + }; + + struct pcpu_freelist_node { +-- +2.25.1 + diff --git a/queue-5.9/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch b/queue-5.9/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch new file mode 100644 index 00000000000..0a182b18eab --- /dev/null +++ b/queue-5.9/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch @@ -0,0 +1,37 @@ +From e835e1ff154865ec8e5641512c0a7f623fbc89ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 17:36:05 +0800 +Subject: brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach + +From: Wang Yufen + +[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ] + +When brcmf_proto_msgbuf_attach fail and msgbuf->txflow_wq != NULL, +we should destroy the workqueue. + +Reported-by: Hulk Robot +Signed-off-by: Wang Yufen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1595237765-66238-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +index f1a20db8daab9..bfddb851e386e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -1620,6 +1620,8 @@ int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr) + BRCMF_TX_IOCTL_MAX_MSG_SIZE, + msgbuf->ioctbuf, + msgbuf->ioctbuf_handle); ++ if (msgbuf->txflow_wq) ++ destroy_workqueue(msgbuf->txflow_wq); + kfree(msgbuf); + } + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-5.9/brcmfmac-check-ndev-pointer.patch b/queue-5.9/brcmfmac-check-ndev-pointer.patch new file mode 100644 index 00000000000..8855dbb1a87 --- /dev/null +++ b/queue-5.9/brcmfmac-check-ndev-pointer.patch @@ -0,0 +1,54 @@ +From 076167f8d53abfd1395a3c2526ab02b51ce289b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 09:18:04 -0700 +Subject: brcmfmac: check ndev pointer + +From: Tom Rix + +[ Upstream commit 9c9f015bc9f8839831c7ba0a6d731a3853c464e2 ] + +Clang static analysis reports this error + +brcmfmac/core.c:490:4: warning: Dereference of null pointer + (*ifp)->ndev->stats.rx_errors++; + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In this block of code + + if (ret || !(*ifp) || !(*ifp)->ndev) { + if (ret != -ENODATA && *ifp) + (*ifp)->ndev->stats.rx_errors++; + brcmu_pkt_buf_free_skb(skb); + return -ENODATA; + } + +(*ifp)->ndev being NULL is caught as an error +But then it is used to report the error. + +So add a check before using it. + +Fixes: 91b632803ee4 ("brcmfmac: Use net_device_stats from struct net_device") +Signed-off-by: Tom Rix +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802161804.6126-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index f89010a81ffbe..aa9ced3c86fbd 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -486,7 +486,7 @@ static int brcmf_rx_hdrpull(struct brcmf_pub *drvr, struct sk_buff *skb, + ret = brcmf_proto_hdrpull(drvr, true, skb, ifp); + + if (ret || !(*ifp) || !(*ifp)->ndev) { +- if (ret != -ENODATA && *ifp) ++ if (ret != -ENODATA && *ifp && (*ifp)->ndev) + (*ifp)->ndev->stats.rx_errors++; + brcmu_pkt_buf_free_skb(skb); + return -ENODATA; +-- +2.25.1 + diff --git a/queue-5.9/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch b/queue-5.9/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch new file mode 100644 index 00000000000..2a4492b8251 --- /dev/null +++ b/queue-5.9/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch @@ -0,0 +1,43 @@ +From 05e9b738b68e24240b141f5dfd82b788cacdbbb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 12:17:41 +0000 +Subject: brcmsmac: fix memory leak in wlc_phy_attach_lcnphy + +From: Keita Suzuki + +[ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ] + +When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy, +the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be +freed in the caller function. + +Fix this by calling wlc_phy_detach_lcnphy in the error handler of +wlc_phy_txpwr_srom_read_lcnphy before returning. + +Signed-off-by: Keita Suzuki +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200908121743.23108-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +index 7ef36234a25dc..66797dc5e90d5 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +@@ -5065,8 +5065,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi) + pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft; + pi->pi_fptr.detach = wlc_phy_detach_lcnphy; + +- if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) ++ if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) { ++ kfree(pi->u.pi_lcnphy); + return false; ++ } + + if (LCNREV_IS(pi->pubpi.phy_rev, 1)) { + if (pi_lcn->lcnphy_tempsense_option == 3) { +-- +2.25.1 + diff --git a/queue-5.9/btrfs-add-owner-and-fs_info-to-alloc_state-io_tree.patch b/queue-5.9/btrfs-add-owner-and-fs_info-to-alloc_state-io_tree.patch new file mode 100644 index 00000000000..0879105608b --- /dev/null +++ b/queue-5.9/btrfs-add-owner-and-fs_info-to-alloc_state-io_tree.patch @@ -0,0 +1,83 @@ +From fa7647b4683e6415632fba1429dc25dda600caf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 15:42:46 +0800 +Subject: btrfs: add owner and fs_info to alloc_state io_tree + +From: Qu Wenruo + +[ Upstream commit 154f7cb86809a3a796bffbc7a5a7ce0dee585eaa ] + +Commit 1c11b63eff2a ("btrfs: replace pending/pinned chunks lists with io +tree") introduced btrfs_device::alloc_state extent io tree, but it +doesn't initialize the fs_info and owner member. + +This means the following features are not properly supported: + +- Fs owner report for insert_state() error + Without fs_info initialized, although btrfs_err() won't panic, it + won't output which fs is causing the error. + +- Wrong owner for trace events + alloc_state will get the owner as pinned extents. + +Fix this by assiging proper fs_info and owner for +btrfs_device::alloc_state. + +Fixes: 1c11b63eff2a ("btrfs: replace pending/pinned chunks lists with io tree") +Reviewed-by: Nikolay Borisov +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-io-tree.h | 1 + + fs/btrfs/volumes.c | 7 ++++--- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/extent-io-tree.h b/fs/btrfs/extent-io-tree.h +index 219a09a2b7340..250b8cbaaf97a 100644 +--- a/fs/btrfs/extent-io-tree.h ++++ b/fs/btrfs/extent-io-tree.h +@@ -48,6 +48,7 @@ enum { + IO_TREE_INODE_FILE_EXTENT, + IO_TREE_LOG_CSUM_RANGE, + IO_TREE_SELFTEST, ++ IO_TREE_DEVICE_ALLOC_STATE, + }; + + struct extent_io_tree { +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 1997a7d67f22f..e61c298ce2b42 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -406,7 +406,7 @@ void __exit btrfs_cleanup_fs_uuids(void) + * Returned struct is not linked onto any lists and must be destroyed using + * btrfs_free_device. + */ +-static struct btrfs_device *__alloc_device(void) ++static struct btrfs_device *__alloc_device(struct btrfs_fs_info *fs_info) + { + struct btrfs_device *dev; + +@@ -433,7 +433,8 @@ static struct btrfs_device *__alloc_device(void) + btrfs_device_data_ordered_init(dev); + INIT_RADIX_TREE(&dev->reada_zones, GFP_NOFS & ~__GFP_DIRECT_RECLAIM); + INIT_RADIX_TREE(&dev->reada_extents, GFP_NOFS & ~__GFP_DIRECT_RECLAIM); +- extent_io_tree_init(NULL, &dev->alloc_state, 0, NULL); ++ extent_io_tree_init(fs_info, &dev->alloc_state, ++ IO_TREE_DEVICE_ALLOC_STATE, NULL); + + return dev; + } +@@ -6529,7 +6530,7 @@ struct btrfs_device *btrfs_alloc_device(struct btrfs_fs_info *fs_info, + if (WARN_ON(!devid && !fs_info)) + return ERR_PTR(-EINVAL); + +- dev = __alloc_device(); ++ dev = __alloc_device(fs_info); + if (IS_ERR(dev)) + return dev; + +-- +2.25.1 + diff --git a/queue-5.9/bus-mhi-core-fix-the-building-of-mhi-module.patch b/queue-5.9/bus-mhi-core-fix-the-building-of-mhi-module.patch new file mode 100644 index 00000000000..976b84bcccd --- /dev/null +++ b/queue-5.9/bus-mhi-core-fix-the-building-of-mhi-module.patch @@ -0,0 +1,40 @@ +From ef06003572bbc8c21f4353e43ceb2e8ab6fdffbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 23:22:17 +0530 +Subject: bus: mhi: core: Fix the building of MHI module + +From: Manivannan Sadhasivam + +[ Upstream commit 5fc4997fd9d065c98fb312ef56ffadffccc6d61d ] + +The Kbuild rule to build MHI should use the append operator. This fixes +the below warning reported by Kbuild test bot. + +WARNING: modpost: missing MODULE_LICENSE() in +drivers/bus/mhi/core/main.o +WARNING: modpost: missing MODULE_LICENSE() in drivers/bus/mhi/core/pm.o +WARNING: modpost: missing MODULE_LICENSE() in +drivers/bus/mhi/core/boot.o + +Fixes: 0cbf260820fa ("bus: mhi: core: Add support for registering MHI controllers") +Reported-by: kernel test robot +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20200929175218.8178-19-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/bus/mhi/core/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bus/mhi/core/Makefile b/drivers/bus/mhi/core/Makefile +index 66e2700c9032a..bc1469778cf87 100644 +--- a/drivers/bus/mhi/core/Makefile ++++ b/drivers/bus/mhi/core/Makefile +@@ -1,3 +1,3 @@ +-obj-$(CONFIG_MHI_BUS) := mhi.o ++obj-$(CONFIG_MHI_BUS) += mhi.o + + mhi-y := init.o main.o pm.o boot.o +-- +2.25.1 + diff --git a/queue-5.9/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch b/queue-5.9/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch new file mode 100644 index 00000000000..0a22e03328f --- /dev/null +++ b/queue-5.9/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch @@ -0,0 +1,95 @@ +From 89bf56881ff9a80addbf69406f0fe65134dcb529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 16:44:19 +0200 +Subject: can: flexcan: flexcan_chip_stop(): add error handling and propagate + error value + +From: Joakim Zhang + +[ Upstream commit 9ad02c7f4f279504bdd38ab706fdc97d5f2b2a9c ] + +This patch implements error handling and propagates the error value of +flexcan_chip_stop(). This function will be called from flexcan_suspend() +in an upcoming patch in some SoCs which support LPSR mode. + +Add a new function flexcan_chip_stop_disable_on_error() that tries to +disable the chip even in case of errors. + +Signed-off-by: Joakim Zhang +[mkl: introduce flexcan_chip_stop_disable_on_error() and use it in flexcan_close()] +Signed-off-by: Marc Kleine-Budde +Link: https://lore.kernel.org/r/20200922144429.2613631-11-mkl@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 34 ++++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index 94d10ec954a05..2ac7a667bde35 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1260,18 +1260,23 @@ static int flexcan_chip_start(struct net_device *dev) + return err; + } + +-/* flexcan_chip_stop ++/* __flexcan_chip_stop + * +- * this functions is entered with clocks enabled ++ * this function is entered with clocks enabled + */ +-static void flexcan_chip_stop(struct net_device *dev) ++static int __flexcan_chip_stop(struct net_device *dev, bool disable_on_error) + { + struct flexcan_priv *priv = netdev_priv(dev); + struct flexcan_regs __iomem *regs = priv->regs; ++ int err; + + /* freeze + disable module */ +- flexcan_chip_freeze(priv); +- flexcan_chip_disable(priv); ++ err = flexcan_chip_freeze(priv); ++ if (err && !disable_on_error) ++ return err; ++ err = flexcan_chip_disable(priv); ++ if (err && !disable_on_error) ++ goto out_chip_unfreeze; + + /* Disable all interrupts */ + priv->write(0, ®s->imask2); +@@ -1281,6 +1286,23 @@ static void flexcan_chip_stop(struct net_device *dev) + + flexcan_transceiver_disable(priv); + priv->can.state = CAN_STATE_STOPPED; ++ ++ return 0; ++ ++ out_chip_unfreeze: ++ flexcan_chip_unfreeze(priv); ++ ++ return err; ++} ++ ++static inline int flexcan_chip_stop_disable_on_error(struct net_device *dev) ++{ ++ return __flexcan_chip_stop(dev, true); ++} ++ ++static inline int flexcan_chip_stop(struct net_device *dev) ++{ ++ return __flexcan_chip_stop(dev, false); + } + + static int flexcan_open(struct net_device *dev) +@@ -1362,7 +1384,7 @@ static int flexcan_close(struct net_device *dev) + + netif_stop_queue(dev); + can_rx_offload_disable(&priv->offload); +- flexcan_chip_stop(dev); ++ flexcan_chip_stop_disable_on_error(dev); + + can_rx_offload_del(&priv->offload); + free_irq(dev->irq, dev); +-- +2.25.1 + diff --git a/queue-5.9/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch b/queue-5.9/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch new file mode 100644 index 00000000000..18be539c9ee --- /dev/null +++ b/queue-5.9/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch @@ -0,0 +1,52 @@ +From b63a8c4b5208ecf7ea10239578cad2c0861b8788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 09:59:10 +0300 +Subject: clk: at91: clk-main: update key before writing AT91_CKGR_MOR + +From: Claudiu Beznea + +[ Upstream commit 85d071e7f19a6a9abf30476b90b3819642568756 ] + +SAMA5D2 datasheet specifies on chapter 33.22.8 (PMC Clock Generator +Main Oscillator Register) that writing any value other than +0x37 on KEY field aborts the write operation. Use the key when +selecting main clock parent. + +Fixes: 27cb1c2083373 ("clk: at91: rework main clk implementation") +Signed-off-by: Claudiu Beznea +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/1598338751-20607-3-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-main.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/at91/clk-main.c b/drivers/clk/at91/clk-main.c +index 5c83e899084ff..cfae2f59df665 100644 +--- a/drivers/clk/at91/clk-main.c ++++ b/drivers/clk/at91/clk-main.c +@@ -437,12 +437,17 @@ static int clk_sam9x5_main_set_parent(struct clk_hw *hw, u8 index) + return -EINVAL; + + regmap_read(regmap, AT91_CKGR_MOR, &tmp); +- tmp &= ~MOR_KEY_MASK; + + if (index && !(tmp & AT91_PMC_MOSCSEL)) +- regmap_write(regmap, AT91_CKGR_MOR, tmp | AT91_PMC_MOSCSEL); ++ tmp = AT91_PMC_MOSCSEL; + else if (!index && (tmp & AT91_PMC_MOSCSEL)) +- regmap_write(regmap, AT91_CKGR_MOR, tmp & ~AT91_PMC_MOSCSEL); ++ tmp = 0; ++ else ++ return 0; ++ ++ regmap_update_bits(regmap, AT91_CKGR_MOR, ++ AT91_PMC_MOSCSEL | MOR_KEY_MASK, ++ tmp | AT91_PMC_KEY); + + while (!clk_sam9x5_main_ready(regmap)) + cpu_relax(); +-- +2.25.1 + diff --git a/queue-5.9/clk-at91-sam9x60-support-only-two-programmable-clock.patch b/queue-5.9/clk-at91-sam9x60-support-only-two-programmable-clock.patch new file mode 100644 index 00000000000..783b4b6fea3 --- /dev/null +++ b/queue-5.9/clk-at91-sam9x60-support-only-two-programmable-clock.patch @@ -0,0 +1,38 @@ +From 63fedd07d41dee47a845fb8b8c8db22c83556d6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 17:34:32 +0300 +Subject: clk: at91: sam9x60: support only two programmable clocks + +From: Claudiu Beznea + +[ Upstream commit fcedb589b5a88d73d3155c4a8690d6dda91a3156 ] + +According to datasheet (Chapter 29.16.13, PMC Programmable Clock Register) +there are only two programmable clocks on SAM9X60. + +Fixes: 01e2113de9a5 ("clk: at91: add sam9x60 pmc driver") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/1602686072-28296-1-git-send-email-claudiu.beznea@microchip.com +Acked-by: Nicolas Ferre +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/sam9x60.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/at91/sam9x60.c b/drivers/clk/at91/sam9x60.c +index ab6318c0589e9..3c4c956035954 100644 +--- a/drivers/clk/at91/sam9x60.c ++++ b/drivers/clk/at91/sam9x60.c +@@ -279,7 +279,7 @@ static void __init sam9x60_pmc_setup(struct device_node *np) + parent_names[3] = "masterck"; + parent_names[4] = "pllack_divck"; + parent_names[5] = "upllck_divck"; +- for (i = 0; i < 8; i++) { ++ for (i = 0; i < 2; i++) { + char name[6]; + + snprintf(name, sizeof(name), "prog%d", i); +-- +2.25.1 + diff --git a/queue-5.9/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch b/queue-5.9/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch new file mode 100644 index 00000000000..d8cdc47cd84 --- /dev/null +++ b/queue-5.9/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch @@ -0,0 +1,41 @@ +From d0641af40f172cfbac960aa22c8d1be6ea79b86c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 18:11:58 -0500 +Subject: clk: bcm2835: add missing release if devm_clk_hw_register fails + +From: Navid Emamdoost + +[ Upstream commit f6c992ca7dd4f49042eec61f3fb426c94d901675 ] + +In the implementation of bcm2835_register_pll(), the allocated pll is +leaked if devm_clk_hw_register() fails to register hw. Release pll if +devm_clk_hw_register() fails. + +Signed-off-by: Navid Emamdoost +Link: https://lore.kernel.org/r/20200809231202.15811-1-navid.emamdoost@gmail.com +Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 3439bc65bb4e3..1ac803e14fa3e 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1338,8 +1338,10 @@ static struct clk_hw *bcm2835_register_pll(struct bcm2835_cprman *cprman, + pll->hw.init = &init; + + ret = devm_clk_hw_register(cprman->dev, &pll->hw); +- if (ret) ++ if (ret) { ++ kfree(pll); + return NULL; ++ } + return &pll->hw; + } + +-- +2.25.1 + diff --git a/queue-5.9/clk-imx8mq-fix-usdhc-parents-order.patch b/queue-5.9/clk-imx8mq-fix-usdhc-parents-order.patch new file mode 100644 index 00000000000..032931a1415 --- /dev/null +++ b/queue-5.9/clk-imx8mq-fix-usdhc-parents-order.patch @@ -0,0 +1,54 @@ +From feda8ce242ef022931d96f5d660e86c9e20cfbad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 12:25:44 +0300 +Subject: clk: imx8mq: Fix usdhc parents order + +From: Abel Vesa + +[ Upstream commit b159c63d82ff8ffddc6c6f0eb881b113b36ecad7 ] + +According to the latest RM (see Table 5-1. Clock Root Table), +both usdhc root clocks have the parent order as follows: + +000 - 25M_REF_CLK +001 - SYSTEM_PLL1_DIV2 +010 - SYSTEM_PLL1_CLK +011 - SYSTEM_PLL2_DIV2 +100 - SYSTEM_PLL3_CLK +101 - SYSTEM_PLL1_DIV3 +110 - AUDIO_PLL2_CLK +111 - SYSTEM_PLL1_DIV8 + +So the audio_pll2_out and sys3_pll_out have to be swapped. + +Fixes: b80522040cd3 ("clk: imx: Add clock driver for i.MX8MQ CCM") +Signed-off-by: Abel Vesa +Reported-by: Cosmin Stefan Stoica +Link: https://lore.kernel.org/r/1602753944-30757-1-git-send-email-abel.vesa@nxp.com +Reviewed-by: Fabio Estevam +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mq.c b/drivers/clk/imx/clk-imx8mq.c +index a64aace213c27..7762c5825e77d 100644 +--- a/drivers/clk/imx/clk-imx8mq.c ++++ b/drivers/clk/imx/clk-imx8mq.c +@@ -157,10 +157,10 @@ static const char * const imx8mq_qspi_sels[] = {"osc_25m", "sys1_pll_400m", "sys + "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", }; + + static const char * const imx8mq_usdhc1_sels[] = {"osc_25m", "sys1_pll_400m", "sys1_pll_800m", "sys2_pll_500m", +- "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", }; ++ "sys3_pll_out", "sys1_pll_266m", "audio_pll2_out", "sys1_pll_100m", }; + + static const char * const imx8mq_usdhc2_sels[] = {"osc_25m", "sys1_pll_400m", "sys1_pll_800m", "sys2_pll_500m", +- "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", }; ++ "sys3_pll_out", "sys1_pll_266m", "audio_pll2_out", "sys1_pll_100m", }; + + static const char * const imx8mq_i2c1_sels[] = {"osc_25m", "sys1_pll_160m", "sys2_pll_50m", "sys3_pll_out", "audio_pll1_out", + "video_pll1_out", "audio_pll2_out", "sys1_pll_133m", }; +-- +2.25.1 + diff --git a/queue-5.9/clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch b/queue-5.9/clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch new file mode 100644 index 00000000000..1d4e8852c76 --- /dev/null +++ b/queue-5.9/clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch @@ -0,0 +1,40 @@ +From 5c061e1b52f80fdb29c16c2c11c15bfe7204fc9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 11:57:38 +0300 +Subject: clk: keystone: sci-clk: fix parsing assigned-clock data during probe + +From: Tero Kristo + +[ Upstream commit 2f05cced7307489faab873367fb20cd212e1d890 ] + +The DT clock probe loop incorrectly terminates after processing "clocks" +only, fix this by re-starting the loop when all entries for current +DT property have been parsed. + +Fixes: 8e48b33f9def ("clk: keystone: sci-clk: probe clocks from DT instead of firmware") +Reported-by: Peter Ujfalusi +Signed-off-by: Tero Kristo +Link: https://lore.kernel.org/r/20200907085740.1083-2-t-kristo@ti.com +Acked-by: Santosh Shilimkar +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/sci-clk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/keystone/sci-clk.c b/drivers/clk/keystone/sci-clk.c +index 2ad26cb927fdb..f126b6045afa7 100644 +--- a/drivers/clk/keystone/sci-clk.c ++++ b/drivers/clk/keystone/sci-clk.c +@@ -522,7 +522,7 @@ static int ti_sci_scan_clocks_from_dt(struct sci_clk_provider *provider) + np = of_find_node_with_property(np, *clk_name); + if (!np) { + clk_name++; +- break; ++ continue; + } + + if (!of_device_is_available(np)) +-- +2.25.1 + diff --git a/queue-5.9/clk-mediatek-add-uart0-clock-support.patch b/queue-5.9/clk-mediatek-add-uart0-clock-support.patch new file mode 100644 index 00000000000..3f008e46a5b --- /dev/null +++ b/queue-5.9/clk-mediatek-add-uart0-clock-support.patch @@ -0,0 +1,37 @@ +From ec43b42614f16e814f649f47683860266a7f3306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 21:30:16 +0800 +Subject: clk: mediatek: add UART0 clock support + +From: Hanks Chen + +[ Upstream commit 804a892456b73604b7ecfb1b00a96a29f3d2aedf ] + +Add MT6779 UART0 clock support. + +Fixes: 710774e04861 ("clk: mediatek: Add MT6779 clock support") +Signed-off-by: Wendell Lin +Signed-off-by: Hanks Chen +Reviewed-by: Matthias Brugger +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt6779.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/mediatek/clk-mt6779.c b/drivers/clk/mediatek/clk-mt6779.c +index 9766cccf5844c..6e0d3a1667291 100644 +--- a/drivers/clk/mediatek/clk-mt6779.c ++++ b/drivers/clk/mediatek/clk-mt6779.c +@@ -919,6 +919,8 @@ static const struct mtk_gate infra_clks[] = { + "pwm_sel", 19), + GATE_INFRA0(CLK_INFRA_PWM, "infra_pwm", + "pwm_sel", 21), ++ GATE_INFRA0(CLK_INFRA_UART0, "infra_uart0", ++ "uart_sel", 22), + GATE_INFRA0(CLK_INFRA_UART1, "infra_uart1", + "uart_sel", 23), + GATE_INFRA0(CLK_INFRA_UART2, "infra_uart2", +-- +2.25.1 + diff --git a/queue-5.9/clk-meson-axg-audio-separate-axg-and-g12a-regmap-tab.patch b/queue-5.9/clk-meson-axg-audio-separate-axg-and-g12a-regmap-tab.patch new file mode 100644 index 00000000000..663f762d4e5 --- /dev/null +++ b/queue-5.9/clk-meson-axg-audio-separate-axg-and-g12a-regmap-tab.patch @@ -0,0 +1,177 @@ +From 8f8ac71809a3af11736fccd5a8938f347cb58590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 17:43:58 +0200 +Subject: clk: meson: axg-audio: separate axg and g12a regmap tables + +From: Jerome Brunet + +[ Upstream commit cdabb1ffc7c2349b8930f752df1edcafc1d37cc1 ] + +There are more differences than what we initially thought. +Let's keeps things clear and separate the axg and g12a regmap tables of the +audio clock controller. + +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20200729154359.1983085-3-jbrunet@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/axg-audio.c | 135 ++++++++++++++++++++++++++++++++-- + 1 file changed, 127 insertions(+), 8 deletions(-) + +diff --git a/drivers/clk/meson/axg-audio.c b/drivers/clk/meson/axg-audio.c +index 53715e36326c6..9918cb375de30 100644 +--- a/drivers/clk/meson/axg-audio.c ++++ b/drivers/clk/meson/axg-audio.c +@@ -1209,13 +1209,132 @@ static struct clk_hw_onecell_data sm1_audio_hw_onecell_data = { + }; + + +-/* Convenience table to populate regmap in .probe() +- * Note that this table is shared between both AXG and G12A, +- * with spdifout_b clocks being exclusive to G12A. Since those +- * clocks are not declared within the AXG onecell table, we do not +- * feel the need to have separate AXG/G12A regmap tables. +- */ ++/* Convenience table to populate regmap in .probe(). */ + static struct clk_regmap *const axg_clk_regmaps[] = { ++ &ddr_arb, ++ &pdm, ++ &tdmin_a, ++ &tdmin_b, ++ &tdmin_c, ++ &tdmin_lb, ++ &tdmout_a, ++ &tdmout_b, ++ &tdmout_c, ++ &frddr_a, ++ &frddr_b, ++ &frddr_c, ++ &toddr_a, ++ &toddr_b, ++ &toddr_c, ++ &loopback, ++ &spdifin, ++ &spdifout, ++ &resample, ++ &power_detect, ++ &mst_a_mclk_sel, ++ &mst_b_mclk_sel, ++ &mst_c_mclk_sel, ++ &mst_d_mclk_sel, ++ &mst_e_mclk_sel, ++ &mst_f_mclk_sel, ++ &mst_a_mclk_div, ++ &mst_b_mclk_div, ++ &mst_c_mclk_div, ++ &mst_d_mclk_div, ++ &mst_e_mclk_div, ++ &mst_f_mclk_div, ++ &mst_a_mclk, ++ &mst_b_mclk, ++ &mst_c_mclk, ++ &mst_d_mclk, ++ &mst_e_mclk, ++ &mst_f_mclk, ++ &spdifout_clk_sel, ++ &spdifout_clk_div, ++ &spdifout_clk, ++ &spdifin_clk_sel, ++ &spdifin_clk_div, ++ &spdifin_clk, ++ &pdm_dclk_sel, ++ &pdm_dclk_div, ++ &pdm_dclk, ++ &pdm_sysclk_sel, ++ &pdm_sysclk_div, ++ &pdm_sysclk, ++ &mst_a_sclk_pre_en, ++ &mst_b_sclk_pre_en, ++ &mst_c_sclk_pre_en, ++ &mst_d_sclk_pre_en, ++ &mst_e_sclk_pre_en, ++ &mst_f_sclk_pre_en, ++ &mst_a_sclk_div, ++ &mst_b_sclk_div, ++ &mst_c_sclk_div, ++ &mst_d_sclk_div, ++ &mst_e_sclk_div, ++ &mst_f_sclk_div, ++ &mst_a_sclk_post_en, ++ &mst_b_sclk_post_en, ++ &mst_c_sclk_post_en, ++ &mst_d_sclk_post_en, ++ &mst_e_sclk_post_en, ++ &mst_f_sclk_post_en, ++ &mst_a_sclk, ++ &mst_b_sclk, ++ &mst_c_sclk, ++ &mst_d_sclk, ++ &mst_e_sclk, ++ &mst_f_sclk, ++ &mst_a_lrclk_div, ++ &mst_b_lrclk_div, ++ &mst_c_lrclk_div, ++ &mst_d_lrclk_div, ++ &mst_e_lrclk_div, ++ &mst_f_lrclk_div, ++ &mst_a_lrclk, ++ &mst_b_lrclk, ++ &mst_c_lrclk, ++ &mst_d_lrclk, ++ &mst_e_lrclk, ++ &mst_f_lrclk, ++ &tdmin_a_sclk_sel, ++ &tdmin_b_sclk_sel, ++ &tdmin_c_sclk_sel, ++ &tdmin_lb_sclk_sel, ++ &tdmout_a_sclk_sel, ++ &tdmout_b_sclk_sel, ++ &tdmout_c_sclk_sel, ++ &tdmin_a_sclk_pre_en, ++ &tdmin_b_sclk_pre_en, ++ &tdmin_c_sclk_pre_en, ++ &tdmin_lb_sclk_pre_en, ++ &tdmout_a_sclk_pre_en, ++ &tdmout_b_sclk_pre_en, ++ &tdmout_c_sclk_pre_en, ++ &tdmin_a_sclk_post_en, ++ &tdmin_b_sclk_post_en, ++ &tdmin_c_sclk_post_en, ++ &tdmin_lb_sclk_post_en, ++ &tdmout_a_sclk_post_en, ++ &tdmout_b_sclk_post_en, ++ &tdmout_c_sclk_post_en, ++ &tdmin_a_sclk, ++ &tdmin_b_sclk, ++ &tdmin_c_sclk, ++ &tdmin_lb_sclk, ++ &tdmout_a_sclk, ++ &tdmout_b_sclk, ++ &tdmout_c_sclk, ++ &tdmin_a_lrclk, ++ &tdmin_b_lrclk, ++ &tdmin_c_lrclk, ++ &tdmin_lb_lrclk, ++ &tdmout_a_lrclk, ++ &tdmout_b_lrclk, ++ &tdmout_c_lrclk, ++}; ++ ++static struct clk_regmap *const g12a_clk_regmaps[] = { + &ddr_arb, + &pdm, + &tdmin_a, +@@ -1713,8 +1832,8 @@ static const struct audioclk_data axg_audioclk_data = { + }; + + static const struct audioclk_data g12a_audioclk_data = { +- .regmap_clks = axg_clk_regmaps, +- .regmap_clk_num = ARRAY_SIZE(axg_clk_regmaps), ++ .regmap_clks = g12a_clk_regmaps, ++ .regmap_clk_num = ARRAY_SIZE(g12a_clk_regmaps), + .hw_onecell_data = &g12a_audio_hw_onecell_data, + .reset_offset = AUDIO_SW_RESET, + .reset_num = 26, +-- +2.25.1 + diff --git a/queue-5.9/clk-meson-g12a-mark-fclk_div2-as-critical.patch b/queue-5.9/clk-meson-g12a-mark-fclk_div2-as-critical.patch new file mode 100644 index 00000000000..97225f4003e --- /dev/null +++ b/queue-5.9/clk-meson-g12a-mark-fclk_div2-as-critical.patch @@ -0,0 +1,55 @@ +From 05ad2a8f1aa8232430c57019e699d148111abe62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 17:52:05 +0200 +Subject: clk: meson: g12a: mark fclk_div2 as critical + +From: Stefan Agner + +[ Upstream commit 2c4e80e06790cb49ad2603855d30c5aac2209c47 ] + +On Amlogic Meson G12b platform, similar to fclk_div3, the fclk_div2 +seems to be necessary for the system to operate correctly as well. + +Typically, the clock also gets chosen by the eMMC peripheral. This +probably masked the problem so far. However, when booting from a SD +card the clock seems to get disabled which leads to a system freeze. + +Let's mark this clock as critical, fixing boot from SD card on G12b +platforms. + +Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller") +Signed-off-by: Stefan Agner +Signed-off-by: Jerome Brunet +Tested-by: Anand Moon +Cc: Marek Szyprowski +Link: https://lore.kernel.org/r/577e0129e8ee93972d92f13187ff4e4286182f67.1598629915.git.stefan@agner.ch +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/g12a.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c +index 9803d44bb1578..b814d44917a5d 100644 +--- a/drivers/clk/meson/g12a.c ++++ b/drivers/clk/meson/g12a.c +@@ -298,6 +298,17 @@ static struct clk_regmap g12a_fclk_div2 = { + &g12a_fclk_div2_div.hw + }, + .num_parents = 1, ++ /* ++ * Similar to fclk_div3, it seems that this clock is used by ++ * the resident firmware and is required by the platform to ++ * operate correctly. ++ * Until the following condition are met, we need this clock to ++ * be marked as critical: ++ * a) Mark the clock used by a firmware resource, if possible ++ * b) CCF has a clock hand-off mechanism to make the sure the ++ * clock stays on until the proper driver comes along ++ */ ++ .flags = CLK_IS_CRITICAL, + }, + }; + +-- +2.25.1 + diff --git a/queue-5.9/clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch b/queue-5.9/clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch new file mode 100644 index 00000000000..c7bcf5fc9db --- /dev/null +++ b/queue-5.9/clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch @@ -0,0 +1,37 @@ +From e3b8076edab4e76724bb54544f6335a3f5ddca4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 14:09:09 +0200 +Subject: clk: qcom: gcc-sdm660: Fix wrong parent_map + +From: Konrad Dybcio + +[ Upstream commit d46e5a39f9be9288f1ce2170c4c7f8098f4e7f68 ] + +This was likely overlooked while porting the driver upstream. + +Reported-by: Pavel Dubrova +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20200922120909.97203-1-konradybcio@gmail.com +Fixes: f2a76a2955c0 ("clk: qcom: Add Global Clock controller (GCC) driver for SDM660") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sdm660.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/gcc-sdm660.c b/drivers/clk/qcom/gcc-sdm660.c +index f0b47b7d50ca6..31258795e7b86 100644 +--- a/drivers/clk/qcom/gcc-sdm660.c ++++ b/drivers/clk/qcom/gcc-sdm660.c +@@ -666,7 +666,7 @@ static struct clk_rcg2 hmss_rbcpr_clk_src = { + .cmd_rcgr = 0x48044, + .mnd_width = 0, + .hid_width = 5, +- .parent_map = gcc_parent_map_xo_gpll0_gpll0_early_div, ++ .parent_map = gcc_parent_map_xo_gpll0, + .freq_tbl = ftbl_hmss_rbcpr_clk_src, + .clkr.hw.init = &(struct clk_init_data){ + .name = "hmss_rbcpr_clk_src", +-- +2.25.1 + diff --git a/queue-5.9/clk-qcom-gdsc-keep-retain_ff-bit-set-if-gdsc-is-alre.patch b/queue-5.9/clk-qcom-gdsc-keep-retain_ff-bit-set-if-gdsc-is-alre.patch new file mode 100644 index 00000000000..94e9b60d95a --- /dev/null +++ b/queue-5.9/clk-qcom-gdsc-keep-retain_ff-bit-set-if-gdsc-is-alre.patch @@ -0,0 +1,60 @@ +From 468a443e3f7146470f9ccd1646e9703a54353a83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 19:01:37 -0700 +Subject: clk: qcom: gdsc: Keep RETAIN_FF bit set if gdsc is already on + +From: Stephen Boyd + +[ Upstream commit fda48bf5c86d88fd7074e318f290ad636dff4eaa ] + +If the GDSC is enabled out of boot but doesn't have the retain ff bit +set we will get confusing results where the registers that are powered +by the GDSC lose their contents on the first power off of the GDSC but +thereafter they retain their contents. This is because gdsc_init() fails +to make sure the RETAIN_FF bit is set when it probes the GDSC the first +time and thus powering off the GDSC causes the register contents to be +reset. We do set the RETAIN_FF bit the next time we power on the GDSC, +see gdsc_enable(), so that subsequent GDSC power off's don't lose +register contents state. + +Forcibly set the bit at device probe time so that the kernel's assumed +view of the GDSC is consistent with the state of the hardware. This +fixes a problem where the audio PLL doesn't work on sc7180 when the +bootloader leaves the lpass_core_hm GDSC enabled at boot (e.g. to make a +noise) but critically doesn't set the RETAIN_FF bit. + +Cc: Douglas Anderson +Cc: Taniya Das +Cc: Rajendra Nayak +Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR") +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20201017020137.1251319-1-sboyd@kernel.org +Reviewed-by: Taniya Das +Reviewed-by: Douglas Anderson Tested-by: Douglas Anderson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gdsc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c +index bfc4ac02f9ea2..af26e0695b866 100644 +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -358,6 +358,14 @@ static int gdsc_init(struct gdsc *sc) + if ((sc->flags & VOTABLE) && on) + gdsc_enable(&sc->pd); + ++ /* ++ * Make sure the retain bit is set if the GDSC is already on, otherwise ++ * we end up turning off the GDSC and destroying all the register ++ * contents that we thought we were saving. ++ */ ++ if ((sc->flags & RETAIN_FF_ENABLE) && on) ++ gdsc_retain_ff_on(sc); ++ + /* If ALWAYS_ON GDSCs are not ON, turn them ON */ + if (sc->flags & ALWAYS_ON) { + if (!on) +-- +2.25.1 + diff --git a/queue-5.9/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch b/queue-5.9/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch new file mode 100644 index 00000000000..c0d14fa7cbc --- /dev/null +++ b/queue-5.9/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch @@ -0,0 +1,44 @@ +From f4215fccc90c5b3fdc0ef2e62e20a4ce07a80387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 17:41:44 -0700 +Subject: clk: rockchip: Initialize hw to error to avoid undefined behavior + +From: Stephen Boyd + +[ Upstream commit b608f11d49ec671739604cc763248d8e8fadbbeb ] + +We can get down to this return value from ERR_CAST() without +initializing hw. Set it to -ENOMEM so that we always return something +sane. + +Fixes the following smatch warning: + +drivers/clk/rockchip/clk-half-divider.c:228 rockchip_clk_register_halfdiv() error: uninitialized symbol 'hw'. +drivers/clk/rockchip/clk-half-divider.c:228 rockchip_clk_register_halfdiv() warn: passing zero to 'ERR_CAST' + +Cc: Elaine Zhang +Cc: Heiko Stuebner +Fixes: 956060a52795 ("clk: rockchip: add support for half divider") +Reviewed-by: Heiko Stuebner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-half-divider.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-half-divider.c b/drivers/clk/rockchip/clk-half-divider.c +index b333fc28c94b6..37c858d689e0d 100644 +--- a/drivers/clk/rockchip/clk-half-divider.c ++++ b/drivers/clk/rockchip/clk-half-divider.c +@@ -166,7 +166,7 @@ struct clk *rockchip_clk_register_halfdiv(const char *name, + unsigned long flags, + spinlock_t *lock) + { +- struct clk *clk; ++ struct clk *clk = ERR_PTR(-ENOMEM); + struct clk_mux *mux = NULL; + struct clk_gate *gate = NULL; + struct clk_divider *div = NULL; +-- +2.25.1 + diff --git a/queue-5.9/coresight-cti-disclaim-device-only-when-it-s-claimed.patch b/queue-5.9/coresight-cti-disclaim-device-only-when-it-s-claimed.patch new file mode 100644 index 00000000000..7b21bc39807 --- /dev/null +++ b/queue-5.9/coresight-cti-disclaim-device-only-when-it-s-claimed.patch @@ -0,0 +1,64 @@ +From 23f860a6fc6ef8490ce1354d562e4d22d7568011 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:26 -0600 +Subject: coresight: cti: disclaim device only when it's claimed + +From: Tingwei Zhang + +[ Upstream commit 0dee28268ddbe53a981d4d87faf5dc0f1700e698 ] + +Coresight_claim_device() is called in cti_starting_cpu() only +when CTI is enabled while coresight_disclaim_device() is called +uncontionally in cti_dying_cpu(). This triggered below WARNING. +Only call disclaim device when CTI device is enabled to fix it. + +[ 75.989643] WARNING: CPU: 1 PID: 14 at +kernel/drivers/hwtracing/coresight/coresight.c:209 +coresight_disclaim_device_unlocked+0x10/0x24 +[ 75.989697] CPU: 1 PID: 14 Comm: migration/1 Not tainted +5.9.0-rc1-gff1304be0a05-dirty #21 +[ 75.989709] Hardware name: Thundercomm Dragonboard 845c (DT) +[ 75.989737] pstate: 80c00085 (Nzcv daIf +PAN +UAO BTYPE=--) +[ 75.989758] pc : coresight_disclaim_device_unlocked+0x10/0x24 +[ 75.989775] lr : coresight_disclaim_device+0x24/0x38 +[ 75.989783] sp : ffff800011cd3c90 +. +[ 75.990018] Call trace: +[ 75.990041] coresight_disclaim_device_unlocked+0x10/0x24 +[ 75.990066] cti_dying_cpu+0x34/0x4c +[ 75.990101] cpuhp_invoke_callback+0x84/0x1e0 +[ 75.990121] take_cpu_down+0x90/0xe0 +[ 75.990154] multi_cpu_stop+0x134/0x160 +[ 75.990171] cpu_stopper_thread+0xb0/0x13c +[ 75.990196] smpboot_thread_fn+0x1c4/0x270 +[ 75.990222] kthread+0x128/0x154 +[ 75.990251] ret_from_fork+0x10/0x18 + +Fixes: e9b880581d55 ("coresight: cti: Add CPU Hotplug handling to CTI driver") +Reviewed-by: Mike Leach +Signed-off-by: Tingwei Zhang +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-6-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-cti.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-cti.c b/drivers/hwtracing/coresight/coresight-cti.c +index 3ccc703dc9409..d6fea6efec71f 100644 +--- a/drivers/hwtracing/coresight/coresight-cti.c ++++ b/drivers/hwtracing/coresight/coresight-cti.c +@@ -742,7 +742,8 @@ static int cti_dying_cpu(unsigned int cpu) + + spin_lock(&drvdata->spinlock); + drvdata->config.hw_powered = false; +- coresight_disclaim_device(drvdata->base); ++ if (drvdata->config.hw_enabled) ++ coresight_disclaim_device(drvdata->base); + spin_unlock(&drvdata->spinlock); + return 0; + } +-- +2.25.1 + diff --git a/queue-5.9/coresight-cti-fix-bug-clearing-sysfs-links-on-callba.patch b/queue-5.9/coresight-cti-fix-bug-clearing-sysfs-links-on-callba.patch new file mode 100644 index 00000000000..f913a5b6d84 --- /dev/null +++ b/queue-5.9/coresight-cti-fix-bug-clearing-sysfs-links-on-callba.patch @@ -0,0 +1,70 @@ +From 44d9a031f3642abc6dddb933ebeaacf3c5fe43aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 10:35:06 -0600 +Subject: coresight: cti: Fix bug clearing sysfs links on callback + +From: Mike Leach + +[ Upstream commit cab280bf3533c72f95ebdb65ce534b5cdc4729dc ] + +During module unload, a coresight driver module will call back into +the CTI driver to remove any links between the two devices. + +The current code has 2 issues:- +1) in the CTI driver the matching code is matching to the wrong device +so misses all the links. +2) The callback is called too late in the unload process resulting in a +crash. + +This fixes both the issues. + +Fixes: 177af8285b59 ("coresight: cti: Enable CTI associated with devices") +Reported-by: Tingwei Zhang +Acked-by: Suzuki K Poulose +Signed-off-by: Mike Leach +Signed-off-by: Tingwei Zhang +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200928163513.70169-19-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-cti.c | 2 +- + drivers/hwtracing/coresight/coresight.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-cti.c b/drivers/hwtracing/coresight/coresight-cti.c +index 92aa535f9e134..167fbc2e7033f 100644 +--- a/drivers/hwtracing/coresight/coresight-cti.c ++++ b/drivers/hwtracing/coresight/coresight-cti.c +@@ -592,7 +592,7 @@ void cti_remove_assoc_from_csdev(struct coresight_device *csdev) + ctidrv = csdev_to_cti_drvdata(csdev->ect_dev); + ctidev = &ctidrv->ctidev; + list_for_each_entry(tc, &ctidev->trig_cons, node) { +- if (tc->con_dev == csdev->ect_dev) { ++ if (tc->con_dev == csdev) { + cti_remove_sysfs_link(ctidrv, tc); + tc->con_dev = NULL; + break; +diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c +index e9c90f2de34ac..cdcb1917216fd 100644 +--- a/drivers/hwtracing/coresight/coresight.c ++++ b/drivers/hwtracing/coresight/coresight.c +@@ -1188,7 +1188,6 @@ static void coresight_device_release(struct device *dev) + { + struct coresight_device *csdev = to_coresight_device(dev); + +- cti_remove_assoc_from_csdev(csdev); + fwnode_handle_put(csdev->dev.fwnode); + kfree(csdev->refcnt); + kfree(csdev); +@@ -1522,6 +1521,7 @@ void coresight_unregister(struct coresight_device *csdev) + { + etm_perf_del_symlink_sink(csdev); + /* Remove references of that device in the topology */ ++ cti_remove_assoc_from_csdev(csdev); + coresight_remove_conns(csdev); + coresight_clear_default_sink(csdev); + coresight_release_platform_data(csdev, csdev->pdata); +-- +2.25.1 + diff --git a/queue-5.9/coresight-cti-fix-remove-sysfs-link-error.patch b/queue-5.9/coresight-cti-fix-remove-sysfs-link-error.patch new file mode 100644 index 00000000000..adb8b14be16 --- /dev/null +++ b/queue-5.9/coresight-cti-fix-remove-sysfs-link-error.patch @@ -0,0 +1,69 @@ +From 40f5dca2bfd38fa1aea093d5e4376f4c4a73d9b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 10:35:05 -0600 +Subject: coresight: cti: Fix remove sysfs link error + +From: Mike Leach + +[ Upstream commit 1cce921bce7dcf6fef9bdfa4dcc9406383274408 ] + +CTI code to remove sysfs link to other devices on shutdown, incorrectly +tries to remove a single ended link when these are all double ended. This +implementation leaves elements in the link info structure undefined which +results in a crash in recent tests for driver module unload. + +This patch corrects the link removal code. + +Fixes: 73274abb6557 ("coresight: cti: Add in sysfs links to other coresight devices") +Reported-by: Tingwei Zhang +Signed-off-by: Mike Leach +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200928163513.70169-18-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-cti.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-cti.c b/drivers/hwtracing/coresight/coresight-cti.c +index 47f3c9abae303..92aa535f9e134 100644 +--- a/drivers/hwtracing/coresight/coresight-cti.c ++++ b/drivers/hwtracing/coresight/coresight-cti.c +@@ -494,12 +494,15 @@ static bool cti_add_sysfs_link(struct cti_drvdata *drvdata, + return !link_err; + } + +-static void cti_remove_sysfs_link(struct cti_trig_con *tc) ++static void cti_remove_sysfs_link(struct cti_drvdata *drvdata, ++ struct cti_trig_con *tc) + { + struct coresight_sysfs_link link_info; + ++ link_info.orig = drvdata->csdev; + link_info.orig_name = tc->con_dev_name; + link_info.target = tc->con_dev; ++ link_info.target_name = dev_name(&drvdata->csdev->dev); + coresight_remove_sysfs_link(&link_info); + } + +@@ -590,7 +593,7 @@ void cti_remove_assoc_from_csdev(struct coresight_device *csdev) + ctidev = &ctidrv->ctidev; + list_for_each_entry(tc, &ctidev->trig_cons, node) { + if (tc->con_dev == csdev->ect_dev) { +- cti_remove_sysfs_link(tc); ++ cti_remove_sysfs_link(ctidrv, tc); + tc->con_dev = NULL; + break; + } +@@ -634,7 +637,7 @@ static void cti_remove_conn_xrefs(struct cti_drvdata *drvdata) + if (tc->con_dev) { + coresight_set_assoc_ectdev_mutex(tc->con_dev, + NULL); +- cti_remove_sysfs_link(tc); ++ cti_remove_sysfs_link(drvdata, tc); + tc->con_dev = NULL; + } + } +-- +2.25.1 + diff --git a/queue-5.9/coresight-cti-remove-pm_runtime_get_sync-from-cpu-ho.patch b/queue-5.9/coresight-cti-remove-pm_runtime_get_sync-from-cpu-ho.patch new file mode 100644 index 00000000000..d82fb8cee8b --- /dev/null +++ b/queue-5.9/coresight-cti-remove-pm_runtime_get_sync-from-cpu-ho.patch @@ -0,0 +1,81 @@ +From 2636d865198dca473a5ac0527efa0055743735f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:27 -0600 +Subject: coresight: cti: remove pm_runtime_get_sync() from CPU hotplug + +From: Tingwei Zhang + +[ Upstream commit 6e8836c6df5327bdb24211424f1ad1411d1ed64a ] + +Below BUG is triggered by call pm_runtime_get_sync() in +cti_cpuhp_enable_hw(). It's in CPU hotplug callback with interrupt +disabled. Pm_runtime_get_sync() calls clock driver to enable clock +which could sleep. Remove pm_runtime_get_sync() in cti_cpuhp_enable_hw() +since pm_runtime_get_sync() is called in cti_enabld and pm_runtime_put() +is called in cti_disabled. No need to increase pm count when CPU gets +online since it's not decreased when CPU is offline. + +[ 105.800279] BUG: scheduling while atomic: swapper/1/0/0x00000002 +[ 105.800290] Modules linked in: +[ 105.800327] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W +5.9.0-rc1-gff1304be0a05-dirty #21 +[ 105.800337] Hardware name: Thundercomm Dragonboard 845c (DT) +[ 105.800353] Call trace: +[ 105.800414] dump_backtrace+0x0/0x1d4 +[ 105.800439] show_stack+0x14/0x1c +[ 105.800462] dump_stack+0xc0/0x100 +[ 105.800490] __schedule_bug+0x58/0x74 +[ 105.800523] __schedule+0x590/0x65c +[ 105.800538] schedule+0x78/0x10c +[ 105.800553] schedule_timeout+0x188/0x250 +[ 105.800585] qmp_send.constprop.10+0x12c/0x1b0 +[ 105.800599] qmp_qdss_clk_prepare+0x18/0x20 +[ 105.800622] clk_core_prepare+0x48/0xd4 +[ 105.800639] clk_prepare+0x20/0x34 +[ 105.800663] amba_pm_runtime_resume+0x54/0x90 +[ 105.800695] __rpm_callback+0xdc/0x138 +[ 105.800709] rpm_callback+0x24/0x78 +[ 105.800724] rpm_resume+0x328/0x47c +[ 105.800739] __pm_runtime_resume+0x50/0x74 +[ 105.800768] cti_starting_cpu+0x40/0xa4 +[ 105.800795] cpuhp_invoke_callback+0x84/0x1e0 +[ 105.800814] notify_cpu_starting+0x9c/0xb8 +[ 105.800834] secondary_start_kernel+0xd8/0x164 +[ 105.800933] CPU1: Booted secondary processor 0x0000000100 [0x517f803c] + +Fixes: e9b880581d55 ("coresight: cti: Add CPU Hotplug handling to CTI driver") +Reviewed-by: Mike Leach +Signed-off-by: Tingwei Zhang +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-7-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-cti.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-cti.c b/drivers/hwtracing/coresight/coresight-cti.c +index d6fea6efec71f..c4e9cc7034ab7 100644 +--- a/drivers/hwtracing/coresight/coresight-cti.c ++++ b/drivers/hwtracing/coresight/coresight-cti.c +@@ -141,9 +141,7 @@ static int cti_enable_hw(struct cti_drvdata *drvdata) + static void cti_cpuhp_enable_hw(struct cti_drvdata *drvdata) + { + struct cti_config *config = &drvdata->config; +- struct device *dev = &drvdata->csdev->dev; + +- pm_runtime_get_sync(dev->parent); + spin_lock(&drvdata->spinlock); + config->hw_powered = true; + +@@ -163,7 +161,6 @@ static void cti_cpuhp_enable_hw(struct cti_drvdata *drvdata) + /* did not re-enable due to no claim / no request */ + cti_hp_not_enabled: + spin_unlock(&drvdata->spinlock); +- pm_runtime_put(dev->parent); + } + + /* disable hardware */ +-- +2.25.1 + diff --git a/queue-5.9/coresight-cti-write-regsiters-directly-in-cti_enable.patch b/queue-5.9/coresight-cti-write-regsiters-directly-in-cti_enable.patch new file mode 100644 index 00000000000..d45578f32a6 --- /dev/null +++ b/queue-5.9/coresight-cti-write-regsiters-directly-in-cti_enable.patch @@ -0,0 +1,117 @@ +From 719c4ce07ca33327c8a6d8e54edea8c4c0f39e55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:30 -0600 +Subject: coresight: cti: Write regsiters directly in cti_enable_hw() + +From: Tingwei Zhang + +[ Upstream commit 984f37efa3857dcefa649fbdf64abb94591935c3 ] + +Deadlock as below is triggered by one CPU holds drvdata->spinlock +and calls cti_enable_hw(). Smp_call_function_single() is called +in cti_enable_hw() and tries to let another CPU write CTI registers. +That CPU is trying to get drvdata->spinlock in cti_cpu_pm_notify() +and doesn't response to IPI from smp_call_function_single(). + +[ 988.335937] CPU: 6 PID: 10258 Comm: sh Tainted: G W L +5.8.0-rc6-mainline-16783-gc38daa79b26b-dirty #1 +[ 988.346364] Hardware name: Thundercomm Dragonboard 845c (DT) +[ 988.352073] pstate: 20400005 (nzCv daif +PAN -UAO BTYPE=--) +[ 988.357689] pc : smp_call_function_single+0x158/0x1b8 +[ 988.362782] lr : smp_call_function_single+0x124/0x1b8 +... +[ 988.451638] Call trace: +[ 988.454119] smp_call_function_single+0x158/0x1b8 +[ 988.458866] cti_enable+0xb4/0xf8 [coresight_cti] +[ 988.463618] coresight_control_assoc_ectdev+0x6c/0x128 [coresight] +[ 988.469855] coresight_enable+0x1f0/0x364 [coresight] +[ 988.474957] enable_source_store+0x5c/0x9c [coresight] +[ 988.480140] dev_attr_store+0x14/0x28 +[ 988.483839] sysfs_kf_write+0x38/0x4c +[ 988.487532] kernfs_fop_write+0x1c0/0x2b0 +[ 988.491585] vfs_write+0xfc/0x300 +[ 988.494931] ksys_write+0x78/0xe0 +[ 988.498283] __arm64_sys_write+0x18/0x20 +[ 988.502240] el0_svc_common+0x98/0x160 +[ 988.506024] do_el0_svc+0x78/0x80 +[ 988.509377] el0_sync_handler+0xd4/0x270 +[ 988.513337] el0_sync+0x164/0x180 + +This change write CTI registers directly in cti_enable_hw(). +Config->hw_powered has been checked to be true with spinlock holded. +CTI is powered and can be programmed until spinlock is released. + +Fixes: 6a0953ce7de9 ("coresight: cti: Add CPU idle pm notifer to CTI devices") +Signed-off-by: Tingwei Zhang +[Re-ordered variable declaration] +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-10-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-cti.c | 24 +++++---------------- + 1 file changed, 5 insertions(+), 19 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-cti.c b/drivers/hwtracing/coresight/coresight-cti.c +index c4e9cc7034ab7..47f3c9abae303 100644 +--- a/drivers/hwtracing/coresight/coresight-cti.c ++++ b/drivers/hwtracing/coresight/coresight-cti.c +@@ -86,22 +86,16 @@ void cti_write_all_hw_regs(struct cti_drvdata *drvdata) + CS_LOCK(drvdata->base); + } + +-static void cti_enable_hw_smp_call(void *info) +-{ +- struct cti_drvdata *drvdata = info; +- +- cti_write_all_hw_regs(drvdata); +-} +- + /* write regs to hardware and enable */ + static int cti_enable_hw(struct cti_drvdata *drvdata) + { + struct cti_config *config = &drvdata->config; + struct device *dev = &drvdata->csdev->dev; ++ unsigned long flags; + int rc = 0; + + pm_runtime_get_sync(dev->parent); +- spin_lock(&drvdata->spinlock); ++ spin_lock_irqsave(&drvdata->spinlock, flags); + + /* no need to do anything if enabled or unpowered*/ + if (config->hw_enabled || !config->hw_powered) +@@ -112,19 +106,11 @@ static int cti_enable_hw(struct cti_drvdata *drvdata) + if (rc) + goto cti_err_not_enabled; + +- if (drvdata->ctidev.cpu >= 0) { +- rc = smp_call_function_single(drvdata->ctidev.cpu, +- cti_enable_hw_smp_call, +- drvdata, 1); +- if (rc) +- goto cti_err_not_enabled; +- } else { +- cti_write_all_hw_regs(drvdata); +- } ++ cti_write_all_hw_regs(drvdata); + + config->hw_enabled = true; + atomic_inc(&drvdata->config.enable_req_count); +- spin_unlock(&drvdata->spinlock); ++ spin_unlock_irqrestore(&drvdata->spinlock, flags); + return rc; + + cti_state_unchanged: +@@ -132,7 +118,7 @@ static int cti_enable_hw(struct cti_drvdata *drvdata) + + /* cannot enable due to error */ + cti_err_not_enabled: +- spin_unlock(&drvdata->spinlock); ++ spin_unlock_irqrestore(&drvdata->spinlock, flags); + pm_runtime_put(dev->parent); + return rc; + } +-- +2.25.1 + diff --git a/queue-5.9/coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch b/queue-5.9/coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch new file mode 100644 index 00000000000..a433c6fab87 --- /dev/null +++ b/queue-5.9/coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch @@ -0,0 +1,47 @@ +From b858f3f07fb125401efdf5d080ff2fdc3f4f1c41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 10:34:56 -0600 +Subject: coresight: etm: perf: Fix warning caused by etm_setup_aux failure + +From: Tingwei Zhang + +[ Upstream commit 716f5652a13122364a65e694386b9b26f5e98c51 ] + +When coresight_build_path() fails on all the cpus, etm_setup_aux +calls etm_free_aux() to free allocated event_data. +WARN_ON(cpumask_empty(mask) will be triggered since cpu mask is empty. +Check event_data->snk_config is not NULL first to avoid this +warning. + +Fixes: f5200aa9831f38 ("coresight: perf: Refactor function free_event_data()") +Reviewed-by: Mike Leach +Reviewed-by: Suzuki K Poulose +Signed-off-by: Tingwei Zhang +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200928163513.70169-9-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm-perf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c +index 9d61a71da96f7..be591b557df94 100644 +--- a/drivers/hwtracing/coresight/coresight-etm-perf.c ++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c +@@ -126,10 +126,10 @@ static void free_sink_buffer(struct etm_event_data *event_data) + cpumask_t *mask = &event_data->mask; + struct coresight_device *sink; + +- if (WARN_ON(cpumask_empty(mask))) ++ if (!event_data->snk_config) + return; + +- if (!event_data->snk_config) ++ if (WARN_ON(cpumask_empty(mask))) + return; + + cpu = cpumask_first(mask); +-- +2.25.1 + diff --git a/queue-5.9/coresight-etm4x-ensure-default-perf-settings-filter-.patch b/queue-5.9/coresight-etm4x-ensure-default-perf-settings-filter-.patch new file mode 100644 index 00000000000..5576f8ba9a1 --- /dev/null +++ b/queue-5.9/coresight-etm4x-ensure-default-perf-settings-filter-.patch @@ -0,0 +1,124 @@ +From a43c74e94f460d44a1dbe2f19c56c3e44168ed1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:28 -0600 +Subject: coresight: etm4x: Ensure default perf settings filter user/kernel + +From: Mike Leach + +[ Upstream commit 096dcfb9cd6fefa7c03884b50c247593dc5f7dd3 ] + +Moving from using an address filter to trace the default "all addresses" +range to no filtering to acheive the same result, has caused the perf +filtering of kernel/user address spaces from not working unless an +explicit address filter was used. + +This is due to the original code using a side-effect of the address +filtering rather than setting the global TRCVICTLR exception level +filtering. + +The use of the mode sysfs file is also similarly affected. + +A helper function is added to fix both instances. + +Fixes: ae2041510d5d ("coresight: etmv4: Update default filter and initialisation") +Reported-by: Leo Yan +Tested-by: Leo Yan +Reviewed-by: Leo Yan +Signed-off-by: Mike Leach +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-8-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 32 +++++++++++++------ + drivers/hwtracing/coresight/coresight-etm4x.h | 3 ++ + 2 files changed, 25 insertions(+), 10 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 45d169a2512cf..2bcc8d4a82c8e 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -52,6 +52,7 @@ static struct etmv4_drvdata *etmdrvdata[NR_CPUS]; + static void etm4_set_default_config(struct etmv4_config *config); + static int etm4_set_event_filters(struct etmv4_drvdata *drvdata, + struct perf_event *event); ++static u64 etm4_get_access_type(struct etmv4_config *config); + + static enum cpuhp_state hp_online; + +@@ -783,6 +784,22 @@ static void etm4_init_arch_data(void *info) + CS_LOCK(drvdata->base); + } + ++/* Set ELx trace filter access in the TRCVICTLR register */ ++static void etm4_set_victlr_access(struct etmv4_config *config) ++{ ++ u64 access_type; ++ ++ config->vinst_ctrl &= ~(ETM_EXLEVEL_S_VICTLR_MASK | ETM_EXLEVEL_NS_VICTLR_MASK); ++ ++ /* ++ * TRCVICTLR::EXLEVEL_NS:EXLEVELS: Set kernel / user filtering ++ * bits in vinst_ctrl, same bit pattern as TRCACATRn values returned by ++ * etm4_get_access_type() but with a relative shift in this register. ++ */ ++ access_type = etm4_get_access_type(config) << ETM_EXLEVEL_LSHIFT_TRCVICTLR; ++ config->vinst_ctrl |= (u32)access_type; ++} ++ + static void etm4_set_default_config(struct etmv4_config *config) + { + /* disable all events tracing */ +@@ -800,6 +817,9 @@ static void etm4_set_default_config(struct etmv4_config *config) + + /* TRCVICTLR::EVENT = 0x01, select the always on logic */ + config->vinst_ctrl = BIT(0); ++ ++ /* TRCVICTLR::EXLEVEL_NS:EXLEVELS: Set kernel / user filtering */ ++ etm4_set_victlr_access(config); + } + + static u64 etm4_get_ns_access_type(struct etmv4_config *config) +@@ -1064,7 +1084,7 @@ static int etm4_set_event_filters(struct etmv4_drvdata *drvdata, + + void etm4_config_trace_mode(struct etmv4_config *config) + { +- u32 addr_acc, mode; ++ u32 mode; + + mode = config->mode; + mode &= (ETM_MODE_EXCL_KERN | ETM_MODE_EXCL_USER); +@@ -1076,15 +1096,7 @@ void etm4_config_trace_mode(struct etmv4_config *config) + if (!(mode & ETM_MODE_EXCL_KERN) && !(mode & ETM_MODE_EXCL_USER)) + return; + +- addr_acc = config->addr_acc[ETM_DEFAULT_ADDR_COMP]; +- /* clear default config */ +- addr_acc &= ~(ETM_EXLEVEL_NS_APP | ETM_EXLEVEL_NS_OS | +- ETM_EXLEVEL_NS_HYP); +- +- addr_acc |= etm4_get_ns_access_type(config); +- +- config->addr_acc[ETM_DEFAULT_ADDR_COMP] = addr_acc; +- config->addr_acc[ETM_DEFAULT_ADDR_COMP + 1] = addr_acc; ++ etm4_set_victlr_access(config); + } + + static int etm4_online_cpu(unsigned int cpu) +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.h b/drivers/hwtracing/coresight/coresight-etm4x.h +index b8283e1d6d88c..5259f96fd28a0 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.h ++++ b/drivers/hwtracing/coresight/coresight-etm4x.h +@@ -192,6 +192,9 @@ + #define ETM_EXLEVEL_NS_HYP BIT(14) + #define ETM_EXLEVEL_NS_NA BIT(15) + ++/* access level control in TRCVICTLR - same bits as TRCACATRn but shifted */ ++#define ETM_EXLEVEL_LSHIFT_TRCVICTLR 8 ++ + /* secure / non secure masks - TRCVICTLR, IDR3 */ + #define ETM_EXLEVEL_S_VICTLR_MASK GENMASK(19, 16) + /* NS MON (EL3) mode never implemented */ +-- +2.25.1 + diff --git a/queue-5.9/coresight-etm4x-fix-etm4_count-race-by-moving-cpuhp-.patch b/queue-5.9/coresight-etm4x-fix-etm4_count-race-by-moving-cpuhp-.patch new file mode 100644 index 00000000000..8a0264b3eaf --- /dev/null +++ b/queue-5.9/coresight-etm4x-fix-etm4_count-race-by-moving-cpuhp-.patch @@ -0,0 +1,178 @@ +From a41eb7576b44bf2a8fd648112fae5b6c7654ad6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:22 -0600 +Subject: coresight: etm4x: Fix etm4_count race by moving cpuhp callbacks to + init + +From: Sai Prakash Ranjan + +[ Upstream commit 2d1a8bfb61ec0177343e99ebd745e3e4ceb0d0d5 ] + +etm4_count keeps track of number of ETMv4 registered and on some systems, +a race is observed on etm4_count variable which can lead to multiple calls +to cpuhp_setup_state_nocalls_cpuslocked(). This function internally calls +cpuhp_store_callbacks() which prevents multiple registrations of callbacks +for a given state and due to this race, it returns -EBUSY leading to ETM +probe failures like below. + + coresight-etm4x: probe of 7040000.etm failed with error -16 + +This race can easily be triggered with async probe by setting probe type +as PROBE_PREFER_ASYNCHRONOUS and with ETM power management property +"arm,coresight-loses-context-with-cpu". + +Prevent this race by moving cpuhp callbacks to etm driver init since the +cpuhp callbacks doesn't have to depend on the etm4_count and can be once +setup during driver init. Similarly we move cpu_pm notifier registration +to driver init and completely remove etm4_count usage. Also now we can +use non cpuslocked version of cpuhp callbacks with this movement. + +Fixes: 9b6a3f3633a5 ("coresight: etmv4: Fix CPU power management setup in probe() function") +Fixes: 58eb457be028 ("hwtracing/coresight-etm4x: Convert to hotplug state machine") +Suggested-by: Suzuki K Poulose +Tested-by: Stephen Boyd +Reviewed-by: Stephen Boyd +Reviewed-by: Suzuki K Poulose +Signed-off-by: Sai Prakash Ranjan +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-2-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 65 +++++++++---------- + 1 file changed, 31 insertions(+), 34 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 96425e818fc20..45d169a2512cf 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -48,8 +48,6 @@ module_param(pm_save_enable, int, 0444); + MODULE_PARM_DESC(pm_save_enable, + "Save/restore state on power down: 1 = never, 2 = self-hosted"); + +-/* The number of ETMv4 currently registered */ +-static int etm4_count; + static struct etmv4_drvdata *etmdrvdata[NR_CPUS]; + static void etm4_set_default_config(struct etmv4_config *config); + static int etm4_set_event_filters(struct etmv4_drvdata *drvdata, +@@ -1397,28 +1395,25 @@ static struct notifier_block etm4_cpu_pm_nb = { + .notifier_call = etm4_cpu_pm_notify, + }; + +-/* Setup PM. Called with cpus locked. Deals with error conditions and counts */ +-static int etm4_pm_setup_cpuslocked(void) ++/* Setup PM. Deals with error conditions and counts */ ++static int __init etm4_pm_setup(void) + { + int ret; + +- if (etm4_count++) +- return 0; +- + ret = cpu_pm_register_notifier(&etm4_cpu_pm_nb); + if (ret) +- goto reduce_count; ++ return ret; + +- ret = cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ARM_CORESIGHT_STARTING, +- "arm/coresight4:starting", +- etm4_starting_cpu, etm4_dying_cpu); ++ ret = cpuhp_setup_state_nocalls(CPUHP_AP_ARM_CORESIGHT_STARTING, ++ "arm/coresight4:starting", ++ etm4_starting_cpu, etm4_dying_cpu); + + if (ret) + goto unregister_notifier; + +- ret = cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ONLINE_DYN, +- "arm/coresight4:online", +- etm4_online_cpu, NULL); ++ ret = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN, ++ "arm/coresight4:online", ++ etm4_online_cpu, NULL); + + /* HP dyn state ID returned in ret on success */ + if (ret > 0) { +@@ -1427,21 +1422,15 @@ static int etm4_pm_setup_cpuslocked(void) + } + + /* failed dyn state - remove others */ +- cpuhp_remove_state_nocalls_cpuslocked(CPUHP_AP_ARM_CORESIGHT_STARTING); ++ cpuhp_remove_state_nocalls(CPUHP_AP_ARM_CORESIGHT_STARTING); + + unregister_notifier: + cpu_pm_unregister_notifier(&etm4_cpu_pm_nb); +- +-reduce_count: +- --etm4_count; + return ret; + } + +-static void etm4_pm_clear(void) ++static void __init etm4_pm_clear(void) + { +- if (--etm4_count != 0) +- return; +- + cpu_pm_unregister_notifier(&etm4_cpu_pm_nb); + cpuhp_remove_state_nocalls(CPUHP_AP_ARM_CORESIGHT_STARTING); + if (hp_online) { +@@ -1497,22 +1486,12 @@ static int etm4_probe(struct amba_device *adev, const struct amba_id *id) + if (!desc.name) + return -ENOMEM; + +- cpus_read_lock(); + etmdrvdata[drvdata->cpu] = drvdata; + + if (smp_call_function_single(drvdata->cpu, + etm4_init_arch_data, drvdata, 1)) + dev_err(dev, "ETM arch init failed\n"); + +- ret = etm4_pm_setup_cpuslocked(); +- cpus_read_unlock(); +- +- /* etm4_pm_setup_cpuslocked() does its own cleanup - exit on error */ +- if (ret) { +- etmdrvdata[drvdata->cpu] = NULL; +- return ret; +- } +- + if (etm4_arch_supported(drvdata->arch) == false) { + ret = -EINVAL; + goto err_arch_supported; +@@ -1559,7 +1538,6 @@ static int etm4_probe(struct amba_device *adev, const struct amba_id *id) + + err_arch_supported: + etmdrvdata[drvdata->cpu] = NULL; +- etm4_pm_clear(); + return ret; + } + +@@ -1597,4 +1575,23 @@ static struct amba_driver etm4x_driver = { + .probe = etm4_probe, + .id_table = etm4_ids, + }; +-builtin_amba_driver(etm4x_driver); ++ ++static int __init etm4x_init(void) ++{ ++ int ret; ++ ++ ret = etm4_pm_setup(); ++ ++ /* etm4_pm_setup() does its own cleanup - exit on error */ ++ if (ret) ++ return ret; ++ ++ ret = amba_driver_register(&etm4x_driver); ++ if (ret) { ++ pr_err("Error registering etm4x driver\n"); ++ etm4_pm_clear(); ++ } ++ ++ return ret; ++} ++device_initcall(etm4x_init); +-- +2.25.1 + diff --git a/queue-5.9/coresight-etm4x-fix-issues-on-trcseqevr-access.patch b/queue-5.9/coresight-etm4x-fix-issues-on-trcseqevr-access.patch new file mode 100644 index 00000000000..e86864ae5a9 --- /dev/null +++ b/queue-5.9/coresight-etm4x-fix-issues-on-trcseqevr-access.patch @@ -0,0 +1,52 @@ +From a47c98717077ed9021970221998f41c7df0c1ce9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:32 -0600 +Subject: coresight: etm4x: Fix issues on trcseqevr access + +From: Jonathan Zhou + +[ Upstream commit 4cd83037cd957ad97756055355ab4ee63f259380 ] + +The TRCSEQEVR(3) is reserved, using '@nrseqstate - 1' instead to avoid +accessing the reserved register. + +Fixes: f188b5e76aae ("coresight: etm4x: Save/restore state across CPU low power states") +Cc: Mathieu Poirier +Cc: Suzuki K Poulose +Cc: Mike Leach +Cc: Shaokun Zhang +Signed-off-by: Jonathan Zhou +[Fixed capital letter in title] +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-12-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 2bcc8d4a82c8e..944c7a7cc1d91 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -1193,7 +1193,7 @@ static int etm4_cpu_save(struct etmv4_drvdata *drvdata) + state->trcvdsacctlr = readl(drvdata->base + TRCVDSACCTLR); + state->trcvdarcctlr = readl(drvdata->base + TRCVDARCCTLR); + +- for (i = 0; i < drvdata->nrseqstate; i++) ++ for (i = 0; i < drvdata->nrseqstate - 1; i++) + state->trcseqevr[i] = readl(drvdata->base + TRCSEQEVRn(i)); + + state->trcseqrstevr = readl(drvdata->base + TRCSEQRSTEVR); +@@ -1298,7 +1298,7 @@ static void etm4_cpu_restore(struct etmv4_drvdata *drvdata) + writel_relaxed(state->trcvdsacctlr, drvdata->base + TRCVDSACCTLR); + writel_relaxed(state->trcvdarcctlr, drvdata->base + TRCVDARCCTLR); + +- for (i = 0; i < drvdata->nrseqstate; i++) ++ for (i = 0; i < drvdata->nrseqstate - 1; i++) + writel_relaxed(state->trcseqevr[i], + drvdata->base + TRCSEQEVRn(i)); + +-- +2.25.1 + diff --git a/queue-5.9/coresight-etm4x-fix-issues-within-reset-interface-of.patch b/queue-5.9/coresight-etm4x-fix-issues-within-reset-interface-of.patch new file mode 100644 index 00000000000..e9c48550aa1 --- /dev/null +++ b/queue-5.9/coresight-etm4x-fix-issues-within-reset-interface-of.patch @@ -0,0 +1,42 @@ +From 6321f522a2b4f778587151165289556cde9cb03b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:29 -0600 +Subject: coresight: etm4x: Fix issues within reset interface of sysfs + +From: Jonathan Zhou + +[ Upstream commit 4020fc8d4658dc1dbc27c5644bcb6254caa05e5e ] + +The member @nr_addr_cmp is not a bool value, using operator '>' +instead to avoid unexpected failure. + +Fixes: a77de2637c9e ("coresight: etm4x: moving sysFS entries to a dedicated file") +Cc: Mathieu Poirier +Cc: Suzuki K Poulose +Cc: Mike Leach +Cc: Shaokun Zhang +Signed-off-by: Jonathan Zhou +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-9-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c +index b673e738bc9a8..a588cd6de01c7 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c +@@ -206,7 +206,7 @@ static ssize_t reset_store(struct device *dev, + * each trace run. + */ + config->vinst_ctrl = BIT(0); +- if (drvdata->nr_addr_cmp == true) { ++ if (drvdata->nr_addr_cmp > 0) { + config->mode |= ETM_MODE_VIEWINST_STARTSTOP; + /* SSSTATUS, bit[9] */ + config->vinst_ctrl |= BIT(9); +-- +2.25.1 + diff --git a/queue-5.9/coresight-etm4x-fix-save-and-restore-of-trcvmidcctlr.patch b/queue-5.9/coresight-etm4x-fix-save-and-restore-of-trcvmidcctlr.patch new file mode 100644 index 00000000000..bb6b5ba71ab --- /dev/null +++ b/queue-5.9/coresight-etm4x-fix-save-and-restore-of-trcvmidcctlr.patch @@ -0,0 +1,53 @@ +From 884b5ad4be38fb6b63b0107df1113ee39af226a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 10:35:13 -0600 +Subject: coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1 register + +From: Sai Prakash Ranjan + +[ Upstream commit 3477326277451000bc667dfcc4fd0774c039184c ] + +In commit f188b5e76aae ("coresight: etm4x: Save/restore state +across CPU low power states"), mistakenly TRCVMIDCCTLR1 register +value was saved in trcvmidcctlr0 state variable which is used to +store TRCVMIDCCTLR0 register value in etm4x_cpu_save() and then +same value is written back to both TRCVMIDCCTLR0 and TRCVMIDCCTLR1 +in etm4x_cpu_restore(). There is already a trcvmidcctlr1 state +variable available for TRCVMIDCCTLR1, so use it. + +Fixes: f188b5e76aae ("coresight: etm4x: Save/restore state across CPU low power states") +Reviewed-by: Suzuki K Poulose +Signed-off-by: Sai Prakash Ranjan +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200928163513.70169-26-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 944c7a7cc1d91..fd678792b755d 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -1237,7 +1237,7 @@ static int etm4_cpu_save(struct etmv4_drvdata *drvdata) + state->trccidcctlr1 = readl(drvdata->base + TRCCIDCCTLR1); + + state->trcvmidcctlr0 = readl(drvdata->base + TRCVMIDCCTLR0); +- state->trcvmidcctlr0 = readl(drvdata->base + TRCVMIDCCTLR1); ++ state->trcvmidcctlr1 = readl(drvdata->base + TRCVMIDCCTLR1); + + state->trcclaimset = readl(drvdata->base + TRCCLAIMCLR); + +@@ -1347,7 +1347,7 @@ static void etm4_cpu_restore(struct etmv4_drvdata *drvdata) + writel_relaxed(state->trccidcctlr1, drvdata->base + TRCCIDCCTLR1); + + writel_relaxed(state->trcvmidcctlr0, drvdata->base + TRCVMIDCCTLR0); +- writel_relaxed(state->trcvmidcctlr0, drvdata->base + TRCVMIDCCTLR1); ++ writel_relaxed(state->trcvmidcctlr1, drvdata->base + TRCVMIDCCTLR1); + + writel_relaxed(state->trcclaimset, drvdata->base + TRCCLAIMSET); + +-- +2.25.1 + diff --git a/queue-5.9/coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch b/queue-5.9/coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch new file mode 100644 index 00000000000..c45f3d94f27 --- /dev/null +++ b/queue-5.9/coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch @@ -0,0 +1,120 @@ +From 726110c70d5562a172857c8aff64e893992834eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:31 -0600 +Subject: coresight: etm4x: Handle unreachable sink in perf mode + +From: Suzuki K Poulose + +[ Upstream commit 859d510e58dac94f0b204b7b5cccafbc130d2291 ] + +If the specified/hinted sink is not reachable from a subset of the CPUs, +we could end up unable to trace the event on those CPUs. This +is the best effort we could do until we support 1:1 configurations. +Fail gracefully in such cases avoiding a WARN_ON, which can be easily +triggered by the user on certain platforms (Arm N1SDP), with the following +trace paths : + + CPU0 + \ + -- Funnel0 --> ETF0 --> + / \ + CPU1 \ + MainFunnel + CPU2 / + \ / + -- Funnel1 --> ETF1 --> + / + CPU1 + +$ perf record --per-thread -e cs_etm/@ETF0/u -- + +could trigger the following WARNING, when the event is scheduled +on CPU2. + +[10919.513250] ------------[ cut here ]------------ +[10919.517861] WARNING: CPU: 2 PID: 24021 at +drivers/hwtracing/coresight/coresight-etm-perf.c:316 etm_event_start+0xf8/0x100 +... + +[10919.564403] CPU: 2 PID: 24021 Comm: perf Not tainted 5.8.0+ #24 +[10919.570308] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--) +[10919.575865] pc : etm_event_start+0xf8/0x100 +[10919.580034] lr : etm_event_start+0x80/0x100 +[10919.584202] sp : fffffe001932f940 +[10919.587502] x29: fffffe001932f940 x28: fffffc834995f800 +[10919.592799] x27: 0000000000000000 x26: fffffe0011f3ced0 +[10919.598095] x25: fffffc837fce244c x24: fffffc837fce2448 +[10919.603391] x23: 0000000000000002 x22: fffffc8353529c00 +[10919.608688] x21: fffffc835bb31000 x20: 0000000000000000 +[10919.613984] x19: fffffc837fcdcc70 x18: 0000000000000000 +[10919.619281] x17: 0000000000000000 x16: 0000000000000000 +[10919.624577] x15: 0000000000000000 x14: 00000000000009f8 +[10919.629874] x13: 00000000000009f8 x12: 0000000000000018 +[10919.635170] x11: 0000000000000000 x10: 0000000000000000 +[10919.640467] x9 : fffffe00108cd168 x8 : 0000000000000000 +[10919.645763] x7 : 0000000000000020 x6 : 0000000000000001 +[10919.651059] x5 : 0000000000000002 x4 : 0000000000000001 +[10919.656356] x3 : 0000000000000000 x2 : 0000000000000000 +[10919.661652] x1 : fffffe836eb40000 x0 : 0000000000000000 +[10919.666949] Call trace: +[10919.669382] etm_event_start+0xf8/0x100 +[10919.673203] etm_event_add+0x40/0x60 +[10919.676765] event_sched_in.isra.134+0xcc/0x210 +[10919.681281] merge_sched_in+0xb0/0x2a8 +[10919.685017] visit_groups_merge.constprop.140+0x15c/0x4b8 +[10919.690400] ctx_sched_in+0x15c/0x170 +[10919.694048] perf_event_sched_in+0x6c/0xa0 +[10919.698130] ctx_resched+0x60/0xa0 +[10919.701517] perf_event_exec+0x288/0x2f0 +[10919.705425] begin_new_exec+0x4c8/0xf58 +[10919.709247] load_elf_binary+0x66c/0xf30 +[10919.713155] exec_binprm+0x15c/0x450 +[10919.716716] __do_execve_file+0x508/0x748 +[10919.720711] __arm64_sys_execve+0x40/0x50 +[10919.724707] do_el0_svc+0xf4/0x1b8 +[10919.728095] el0_sync_handler+0xf8/0x124 +[10919.732003] el0_sync+0x140/0x180 + +Even though we don't support using separate sinks for the ETMs yet (e.g, +for 1:1 configurations), we should at least honor the user's choice and +handle the limitations gracefully, by simply skipping the tracing on ETMs +which can't reach the requested sink. + +Fixes: f9d81a657bb8 ("coresight: perf: Allow tracing on hotplugged CPUs") +Cc: Mathieu Poirier +Cc: Mike Leach +Reported-by: Jeremy Linton +Tested-by: Jeremy Linton +Signed-off-by: Suzuki K Poulose +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-11-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm-perf.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c +index 1a3169e69bb19..9d61a71da96f7 100644 +--- a/drivers/hwtracing/coresight/coresight-etm-perf.c ++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c +@@ -321,6 +321,16 @@ static void etm_event_start(struct perf_event *event, int flags) + if (!event_data) + goto fail; + ++ /* ++ * Check if this ETM is allowed to trace, as decided ++ * at etm_setup_aux(). This could be due to an unreachable ++ * sink from this ETM. We can't do much in this case if ++ * the sink was specified or hinted to the driver. For ++ * now, simply don't record anything on this ETM. ++ */ ++ if (!cpumask_test_cpu(cpu, &event_data->mask)) ++ goto fail_end_stop; ++ + path = etm_event_cpu_path(event_data, cpu); + /* We need a sink, no need to continue without one */ + sink = coresight_get_sink(path); +-- +2.25.1 + diff --git a/queue-5.9/coresight-fix-offset-by-one-error-in-counting-ports.patch b/queue-5.9/coresight-fix-offset-by-one-error-in-counting-ports.patch new file mode 100644 index 00000000000..abfaf28c247 --- /dev/null +++ b/queue-5.9/coresight-fix-offset-by-one-error-in-counting-ports.patch @@ -0,0 +1,105 @@ +From 8d01f644181a4b3fdf3fc579594b09269e60550b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:24 -0600 +Subject: coresight: fix offset by one error in counting ports + +From: Mian Yousaf Kaukab + +[ Upstream commit 9554c3551ed35d79b029e5e69383ae33117d9765 ] + +Since port-numbers start from 0, add 1 to port-number to get the port +count. + +Fix following crash when Coresight is enabled on ACPI based systems: + +[ 61.061736] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 +... +[ 61.135494] pc : acpi_coresight_parse_graph+0x1c4/0x37c +[ 61.140705] lr : acpi_coresight_parse_graph+0x160/0x37c +[ 61.145915] sp : ffff800012f4ba40 +[ 61.145917] x29: ffff800012f4ba40 x28: ffff00becce62f98 +[ 61.159896] x27: 0000000000000005 x26: ffff00becd8a7c88 +[ 61.165195] x25: ffff00becd8a7d88 x24: ffff00becce62f80 +[ 61.170492] x23: ffff800011ef99c0 x22: ffff009efb8bc010 +[ 61.175790] x21: 0000000000000018 x20: 0000000000000005 +[ 61.181087] x19: ffff00becce62e80 x18: 0000000000000020 +[ 61.186385] x17: 0000000000000001 x16: 00000000000002a8 +[ 61.191682] x15: ffff000838648550 x14: ffffffffffffffff +[ 61.196980] x13: 0000000000000000 x12: ffff00becce62d87 +[ 61.202277] x11: 00000000ffffff76 x10: 000000000000002e +[ 61.207575] x9 : ffff8000107e1a68 x8 : ffff00becce63000 +[ 61.212873] x7 : 0000000000000018 x6 : 000000000000003f +[ 61.218170] x5 : 0000000000000000 x4 : 0000000000000000 +[ 61.223467] x3 : 0000000000000000 x2 : 0000000000000000 +[ 61.228764] x1 : ffff00becce62f80 x0 : 0000000000000000 +[ 61.234062] Call trace: +[ 61.236497] acpi_coresight_parse_graph+0x1c4/0x37c +[ 61.241361] coresight_get_platform_data+0xdc/0x130 +[ 61.246225] tmc_probe+0x138/0x2dc +[ 61.246227] amba_probe+0xdc/0x220 +[ 61.255779] really_probe+0xe8/0x49c +[ 61.255781] driver_probe_device+0xec/0x140 +[ 61.255782] device_driver_attach+0xc8/0xd0 +[ 61.255785] __driver_attach+0xac/0x180 +[ 61.265857] bus_for_each_dev+0x78/0xcc +[ 61.265859] driver_attach+0x2c/0x40 +[ 61.265861] bus_add_driver+0x150/0x244 +[ 61.265863] driver_register+0x80/0x13c +[ 61.273591] amba_driver_register+0x60/0x70 +[ 61.273594] tmc_driver_init+0x20/0x2c +[ 61.281582] do_one_initcall+0x50/0x230 +[ 61.281585] do_initcalls+0x104/0x144 +[ 61.291831] kernel_init_freeable+0x168/0x1dc +[ 61.291834] kernel_init+0x1c/0x120 +[ 61.299215] ret_from_fork+0x10/0x18 +[ 61.299219] Code: b9400022 f9400660 9b277c42 8b020000 (f9400404) +[ 61.307381] ---[ end trace 63c6c3d7ec6a9b7c ]--- +[ 61.315225] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + +Fixes: d375b356e687 ("coresight: Fix support for sparsely populated ports") +Reported-by: Ruediger Oertel +Tested-by: Jeremy Linton +Reviewed-by: Suzuki K Poulose +Reviewed-by: Jeremy Linton +Signed-off-by: Mian Yousaf Kaukab +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-4-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-platform.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-platform.c b/drivers/hwtracing/coresight/coresight-platform.c +index bfd44231d7ad5..227e234a24701 100644 +--- a/drivers/hwtracing/coresight/coresight-platform.c ++++ b/drivers/hwtracing/coresight/coresight-platform.c +@@ -711,11 +711,11 @@ static int acpi_coresight_parse_graph(struct acpi_device *adev, + return dir; + + if (dir == ACPI_CORESIGHT_LINK_MASTER) { +- if (ptr->outport > pdata->nr_outport) +- pdata->nr_outport = ptr->outport; ++ if (ptr->outport >= pdata->nr_outport) ++ pdata->nr_outport = ptr->outport + 1; + ptr++; + } else { +- WARN_ON(pdata->nr_inport == ptr->child_port); ++ WARN_ON(pdata->nr_inport == ptr->child_port + 1); + /* + * We do not track input port connections for a device. + * However we need the highest port number described, +@@ -723,8 +723,8 @@ static int acpi_coresight_parse_graph(struct acpi_device *adev, + * record for an output connection. Hence, do not move + * the ptr for input connections + */ +- if (ptr->child_port > pdata->nr_inport) +- pdata->nr_inport = ptr->child_port; ++ if (ptr->child_port >= pdata->nr_inport) ++ pdata->nr_inport = ptr->child_port + 1; + } + } + +-- +2.25.1 + diff --git a/queue-5.9/cpufreq-armada-37xx-add-missing-module_device_table.patch b/queue-5.9/cpufreq-armada-37xx-add-missing-module_device_table.patch new file mode 100644 index 00000000000..346e74dad71 --- /dev/null +++ b/queue-5.9/cpufreq-armada-37xx-add-missing-module_device_table.patch @@ -0,0 +1,47 @@ +From 96eebff234645719319dff63cb233f1e59c52c25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 15:27:16 +0200 +Subject: cpufreq: armada-37xx: Add missing MODULE_DEVICE_TABLE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit c942d1542f1bc5001216fabce9cb8ffbe515777e ] + +CONFIG_ARM_ARMADA_37XX_CPUFREQ is tristate option and therefore this +cpufreq driver can be compiled as a module. This patch adds missing +MODULE_DEVICE_TABLE which generates correct modalias for automatic +loading of this cpufreq driver when is compiled as an external module. + +Reviewed-by: Andrew Lunn +Signed-off-by: Pali Rohár +Fixes: 92ce45fb875d7 ("cpufreq: Add DVFS support for Armada 37xx") +[ Viresh: Added __maybe_unused ] +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/armada-37xx-cpufreq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/cpufreq/armada-37xx-cpufreq.c b/drivers/cpufreq/armada-37xx-cpufreq.c +index df1c941260d14..b4af4094309b0 100644 +--- a/drivers/cpufreq/armada-37xx-cpufreq.c ++++ b/drivers/cpufreq/armada-37xx-cpufreq.c +@@ -484,6 +484,12 @@ static int __init armada37xx_cpufreq_driver_init(void) + /* late_initcall, to guarantee the driver is loaded after A37xx clock driver */ + late_initcall(armada37xx_cpufreq_driver_init); + ++static const struct of_device_id __maybe_unused armada37xx_cpufreq_of_match[] = { ++ { .compatible = "marvell,armada-3700-nb-pm" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(of, armada37xx_cpufreq_of_match); ++ + MODULE_AUTHOR("Gregory CLEMENT "); + MODULE_DESCRIPTION("Armada 37xx cpufreq driver"); + MODULE_LICENSE("GPL"); +-- +2.25.1 + diff --git a/queue-5.9/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch b/queue-5.9/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch new file mode 100644 index 00000000000..c6eb177b7d4 --- /dev/null +++ b/queue-5.9/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch @@ -0,0 +1,52 @@ +From c1748022cb3119a037e5b7ffa79dcd328c40c5ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 13:32:54 +0530 +Subject: cpufreq: powernv: Fix frame-size-overflow in + powernv_cpufreq_reboot_notifier + +From: Srikar Dronamraju + +[ Upstream commit a2d0230b91f7e23ceb5d8fb6a9799f30517ec33a ] + +The patch avoids allocating cpufreq_policy on stack hence fixing frame +size overflow in 'powernv_cpufreq_reboot_notifier': + + drivers/cpufreq/powernv-cpufreq.c: In function powernv_cpufreq_reboot_notifier: + drivers/cpufreq/powernv-cpufreq.c:906:1: error: the frame size of 2064 bytes is larger than 2048 bytes + +Fixes: cf30af76 ("cpufreq: powernv: Set the cpus to nominal frequency during reboot/kexec") +Signed-off-by: Srikar Dronamraju +Reviewed-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200922080254.41497-1-srikar@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/powernv-cpufreq.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index a9af15e994ccf..e439b43c19ebe 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -885,12 +885,15 @@ static int powernv_cpufreq_reboot_notifier(struct notifier_block *nb, + unsigned long action, void *unused) + { + int cpu; +- struct cpufreq_policy cpu_policy; ++ struct cpufreq_policy *cpu_policy; + + rebooting = true; + for_each_online_cpu(cpu) { +- cpufreq_get_policy(&cpu_policy, cpu); +- powernv_cpufreq_target_index(&cpu_policy, get_nominal_index()); ++ cpu_policy = cpufreq_cpu_get(cpu); ++ if (!cpu_policy) ++ continue; ++ powernv_cpufreq_target_index(cpu_policy, get_nominal_index()); ++ cpufreq_cpu_put(cpu_policy); + } + + return NOTIFY_DONE; +-- +2.25.1 + diff --git a/queue-5.9/cpufreq-qcom-don-t-add-frequencies-without-an-opp.patch b/queue-5.9/cpufreq-qcom-don-t-add-frequencies-without-an-opp.patch new file mode 100644 index 00000000000..118c578e7ed --- /dev/null +++ b/queue-5.9/cpufreq-qcom-don-t-add-frequencies-without-an-opp.patch @@ -0,0 +1,67 @@ +From 5a245f1faeefcf4532a339580b3aabd83956d4f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 10:10:54 -0700 +Subject: cpufreq: qcom: Don't add frequencies without an OPP + +From: Matthias Kaehlcke + +[ Upstream commit bc9b9c5ab9d8d16157737db539929d57562926e9 ] + +The driver currently adds all frequencies from the hardware LUT to +the cpufreq table, regardless of whether the corresponding OPP +exists. This prevents devices from disabling certain OPPs through +the device tree and can result in CPU frequencies for which the +interconnect bandwidth can't be adjusted. Only add frequencies +with an OPP entry. + +Fixes: 55538fbc79e9 ("cpufreq: qcom: Read voltage LUT and populate OPP") +Signed-off-by: Matthias Kaehlcke +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/qcom-cpufreq-hw.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c +index 3fb044b907a83..47b7d394d2abb 100644 +--- a/drivers/cpufreq/qcom-cpufreq-hw.c ++++ b/drivers/cpufreq/qcom-cpufreq-hw.c +@@ -177,10 +177,15 @@ static int qcom_cpufreq_hw_read_lut(struct device *cpu_dev, + freq = cpu_hw_rate / 1000; + + if (freq != prev_freq && core_count != LUT_TURBO_IND) { +- table[i].frequency = freq; +- qcom_cpufreq_update_opp(cpu_dev, freq, volt); +- dev_dbg(cpu_dev, "index=%d freq=%d, core_count %d\n", i, ++ if (!qcom_cpufreq_update_opp(cpu_dev, freq, volt)) { ++ table[i].frequency = freq; ++ dev_dbg(cpu_dev, "index=%d freq=%d, core_count %d\n", i, + freq, core_count); ++ } else { ++ dev_warn(cpu_dev, "failed to update OPP for freq=%d\n", freq); ++ table[i].frequency = CPUFREQ_ENTRY_INVALID; ++ } ++ + } else if (core_count == LUT_TURBO_IND) { + table[i].frequency = CPUFREQ_ENTRY_INVALID; + } +@@ -197,9 +202,13 @@ static int qcom_cpufreq_hw_read_lut(struct device *cpu_dev, + * as the boost frequency + */ + if (prev->frequency == CPUFREQ_ENTRY_INVALID) { +- prev->frequency = prev_freq; +- prev->flags = CPUFREQ_BOOST_FREQ; +- qcom_cpufreq_update_opp(cpu_dev, prev_freq, volt); ++ if (!qcom_cpufreq_update_opp(cpu_dev, prev_freq, volt)) { ++ prev->frequency = prev_freq; ++ prev->flags = CPUFREQ_BOOST_FREQ; ++ } else { ++ dev_warn(cpu_dev, "failed to update OPP for freq=%d\n", ++ freq); ++ } + } + + break; +-- +2.25.1 + diff --git a/queue-5.9/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch b/queue-5.9/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch new file mode 100644 index 00000000000..208301aa697 --- /dev/null +++ b/queue-5.9/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch @@ -0,0 +1,37 @@ +From b90ed03ce5ac7d2d9a96a715b3feced35e040c51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 17:03:27 +1000 +Subject: crypto: algif_skcipher - EBUSY on aio should be an error + +From: Herbert Xu + +[ Upstream commit 2a05b029c1ee045b886ebf9efef9985ca23450de ] + +I removed the MAY_BACKLOG flag on the aio path a while ago but +the error check still incorrectly interpreted EBUSY as success. +This may cause the submitter to wait for a request that will never +complete. + +Fixes: dad419970637 ("crypto: algif_skcipher - Do not set...") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_skcipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index 478f3b8f5bd52..ee8890ee8f332 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -123,7 +123,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, + crypto_skcipher_decrypt(&areq->cra_u.skcipher_req); + + /* AIO operation in progress */ +- if (err == -EINPROGRESS || err == -EBUSY) ++ if (err == -EINPROGRESS) + return -EIOCBQUEUED; + + sock_put(sk); +-- +2.25.1 + diff --git a/queue-5.9/crypto-ccp-fix-error-handling.patch b/queue-5.9/crypto-ccp-fix-error-handling.patch new file mode 100644 index 00000000000..00dcf772b37 --- /dev/null +++ b/queue-5.9/crypto-ccp-fix-error-handling.patch @@ -0,0 +1,35 @@ +From 183b526be49d4f9aaadf4cf521ce2a55a9b42ead Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 13:34:35 +0200 +Subject: crypto: ccp - fix error handling + +From: Pavel Machek + +[ Upstream commit e356c49c6cf0db3f00e1558749170bd56e47652d ] + +Fix resource leak in error handling. + +Signed-off-by: Pavel Machek (CIP) +Acked-by: John Allen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index bd270e66185e9..40869ea1ed20f 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -1744,7 +1744,7 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + break; + default: + ret = -EINVAL; +- goto e_ctx; ++ goto e_data; + } + } else { + /* Stash the context */ +-- +2.25.1 + diff --git a/queue-5.9/crypto-ccree-fix-runtime-pm-imbalance-on-error.patch b/queue-5.9/crypto-ccree-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..7f77fd92236 --- /dev/null +++ b/queue-5.9/crypto-ccree-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,44 @@ +From 2c58011c7e09969d48bf5a7b20143181aa7e4af1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 16:15:13 +0800 +Subject: crypto: ccree - fix runtime PM imbalance on error + +From: dinghao.liu@zju.edu.cn + +[ Upstream commit b7b57a5643c2ae45afe6aa5e73363b553cacd14b ] + +pm_runtime_get_sync() increments the runtime PM usage counter +even when it returns an error code. However, users of cc_pm_get(), +a direct wrapper of pm_runtime_get_sync(), assume that PM usage +counter will not change on error. Thus a pairing decrement is needed +on the error handling path to keep the counter balanced. + +Fixes: 8c7849a30255c ("crypto: ccree - simplify Runtime PM handling") +Signed-off-by: Dinghao Liu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccree/cc_pm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccree/cc_pm.c b/drivers/crypto/ccree/cc_pm.c +index d39e1664fc7ed..3c65bf070c908 100644 +--- a/drivers/crypto/ccree/cc_pm.c ++++ b/drivers/crypto/ccree/cc_pm.c +@@ -65,8 +65,12 @@ const struct dev_pm_ops ccree_pm = { + int cc_pm_get(struct device *dev) + { + int rc = pm_runtime_get_sync(dev); ++ if (rc < 0) { ++ pm_runtime_put_noidle(dev); ++ return rc; ++ } + +- return (rc == 1 ? 0 : rc); ++ return 0; + } + + void cc_pm_put_suspend(struct device *dev) +-- +2.25.1 + diff --git a/queue-5.9/crypto-hisilicon-fixed-memory-allocation-error.patch b/queue-5.9/crypto-hisilicon-fixed-memory-allocation-error.patch new file mode 100644 index 00000000000..4904a306812 --- /dev/null +++ b/queue-5.9/crypto-hisilicon-fixed-memory-allocation-error.patch @@ -0,0 +1,72 @@ +From c74d1641ce057bb65cfbc838e65fc39018bb2761 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 19:56:43 +0800 +Subject: crypto: hisilicon - fixed memory allocation error + +From: Longfang Liu + +[ Upstream commit 24efcec2919afa7d56f848c83a605b46c8042a53 ] + +1. Fix the bug of 'mac' memory leak as allocating 'pbuf' failing. +2. Fix the bug of 'qps' leak as allocating 'qp_ctx' failing. + +Signed-off-by: Longfang Liu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/sec2/sec_crypto.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c +index 497969ae8b230..b9973d152a24a 100644 +--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c ++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c +@@ -342,11 +342,14 @@ static int sec_alg_resource_alloc(struct sec_ctx *ctx, + ret = sec_alloc_pbuf_resource(dev, res); + if (ret) { + dev_err(dev, "fail to alloc pbuf dma resource!\n"); +- goto alloc_fail; ++ goto alloc_pbuf_fail; + } + } + + return 0; ++alloc_pbuf_fail: ++ if (ctx->alg_type == SEC_AEAD) ++ sec_free_mac_resource(dev, qp_ctx->res); + alloc_fail: + sec_free_civ_resource(dev, res); + +@@ -457,8 +460,10 @@ static int sec_ctx_base_init(struct sec_ctx *ctx) + ctx->fake_req_limit = QM_Q_DEPTH >> 1; + ctx->qp_ctx = kcalloc(sec->ctx_q_num, sizeof(struct sec_qp_ctx), + GFP_KERNEL); +- if (!ctx->qp_ctx) +- return -ENOMEM; ++ if (!ctx->qp_ctx) { ++ ret = -ENOMEM; ++ goto err_destroy_qps; ++ } + + for (i = 0; i < sec->ctx_q_num; i++) { + ret = sec_create_qp_ctx(&sec->qm, ctx, i, 0); +@@ -467,12 +472,15 @@ static int sec_ctx_base_init(struct sec_ctx *ctx) + } + + return 0; ++ + err_sec_release_qp_ctx: + for (i = i - 1; i >= 0; i--) + sec_release_qp_ctx(ctx, &ctx->qp_ctx[i]); + +- sec_destroy_qps(ctx->qps, sec->ctx_q_num); + kfree(ctx->qp_ctx); ++err_destroy_qps: ++ sec_destroy_qps(ctx->qps, sec->ctx_q_num); ++ + return ret; + } + +-- +2.25.1 + diff --git a/queue-5.9/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch b/queue-5.9/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch new file mode 100644 index 00000000000..c2d0cabc2d4 --- /dev/null +++ b/queue-5.9/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch @@ -0,0 +1,36 @@ +From 10b3ee42612ac6c97a89efa5c7e08c9033c94900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 16:56:48 +0200 +Subject: crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit f7ade9aaf66bd5599690acf0597df2c0f6cd825a ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()', in 'setup_crypt_desc()'. + +Fixes: 81bef0150074 ("crypto: ixp4xx - Hardware crypto support for IXP4xx CPUs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ixp4xx_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index f478bb0a566af..276012e7c482f 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -528,7 +528,7 @@ static void release_ixp_crypto(struct device *dev) + + if (crypt_virt) { + dma_free_coherent(dev, +- NPE_QLEN_TOTAL * sizeof( struct crypt_ctl), ++ NPE_QLEN * sizeof(struct crypt_ctl), + crypt_virt, crypt_phys); + } + } +-- +2.25.1 + diff --git a/queue-5.9/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch b/queue-5.9/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch new file mode 100644 index 00000000000..6401e999b69 --- /dev/null +++ b/queue-5.9/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch @@ -0,0 +1,46 @@ +From 004f5255c334e5a901f5f258b313894dfc22ebff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:32 +0800 +Subject: crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() + +From: Tianjia Zhang + +[ Upstream commit 8cbde6c6a6d2b1599ff90f932304aab7e32fce89 ] + +In case of memory allocation failure, a negative error code should +be returned. + +Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips") +Cc: Ryder Lee +Signed-off-by: Tianjia Zhang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mediatek/mtk-platform.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c +index 7e3ad085b5bdd..ef4339e84d034 100644 +--- a/drivers/crypto/mediatek/mtk-platform.c ++++ b/drivers/crypto/mediatek/mtk-platform.c +@@ -442,7 +442,7 @@ static void mtk_desc_dma_free(struct mtk_cryp *cryp) + static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + { + struct mtk_ring **ring = cryp->ring; +- int i, err = ENOMEM; ++ int i; + + for (i = 0; i < MTK_RING_MAX; i++) { + ring[i] = kzalloc(sizeof(**ring), GFP_KERNEL); +@@ -476,7 +476,7 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + ring[i]->cmd_base, ring[i]->cmd_dma); + kfree(ring[i]); + } +- return err; ++ return -ENOMEM; + } + + static int mtk_crypto_probe(struct platform_device *pdev) +-- +2.25.1 + diff --git a/queue-5.9/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch b/queue-5.9/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch new file mode 100644 index 00000000000..f2c25209f48 --- /dev/null +++ b/queue-5.9/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch @@ -0,0 +1,39 @@ +From 878eabf34b8ed92ede8c888291c89a390752ad9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 10:56:24 +0300 +Subject: crypto: omap-sham - fix digcnt register handling with export/import + +From: Tero Kristo + +[ Upstream commit 3faf757bad75f3fc1b2736f0431e295a073a7423 ] + +Running export/import for hashes in peculiar order (mostly done by +openssl) can mess up the internal book keeping of the OMAP SHA core. +Fix by forcibly writing the correct DIGCNT back to hardware. This issue +was noticed while transitioning to openssl 1.1 support. + +Fixes: 0d373d603202 ("crypto: omap-sham - Add OMAP4/AM33XX SHAM Support") +Signed-off-by: Tero Kristo +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-sham.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index 954d703f29811..89ed055f21bf4 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -456,6 +456,9 @@ static void omap_sham_write_ctrl_omap4(struct omap_sham_dev *dd, size_t length, + struct omap_sham_reqctx *ctx = ahash_request_ctx(dd->req); + u32 val, mask; + ++ if (likely(ctx->digcnt)) ++ omap_sham_write(dd, SHA_REG_DIGCNT(dd), ctx->digcnt); ++ + /* + * Setting ALGO_CONST only for the first iteration and + * CLOSE_HASH only for the last one. Note that flags mode bits +-- +2.25.1 + diff --git a/queue-5.9/crypto-picoxcell-fix-potential-race-condition-bug.patch b/queue-5.9/crypto-picoxcell-fix-potential-race-condition-bug.patch new file mode 100644 index 00000000000..735862cd6d6 --- /dev/null +++ b/queue-5.9/crypto-picoxcell-fix-potential-race-condition-bug.patch @@ -0,0 +1,55 @@ +From a76d357fb25b699ec0d0e8616f17ffa770d3cdf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 18:00:24 +0530 +Subject: crypto: picoxcell - Fix potential race condition bug + +From: Madhuparna Bhowmik + +[ Upstream commit 64f4a62e3b17f1e473f971127c2924cae42afc82 ] + +engine->stat_irq_thresh was initialized after device_create_file() in +the probe function, the initialization may race with call to +spacc_stat_irq_thresh_store() which updates engine->stat_irq_thresh, +therefore initialize it before creating the file in probe function. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: ce92136843cb ("crypto: picoxcell - add support for the...") +Signed-off-by: Madhuparna Bhowmik +Acked-by: Jamie Iles +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/picoxcell_crypto.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/crypto/picoxcell_crypto.c b/drivers/crypto/picoxcell_crypto.c +index dac6eb37fff93..fb34bf92861d1 100644 +--- a/drivers/crypto/picoxcell_crypto.c ++++ b/drivers/crypto/picoxcell_crypto.c +@@ -1685,11 +1685,6 @@ static int spacc_probe(struct platform_device *pdev) + goto err_clk_put; + } + +- ret = device_create_file(&pdev->dev, &dev_attr_stat_irq_thresh); +- if (ret) +- goto err_clk_disable; +- +- + /* + * Use an IRQ threshold of 50% as a default. This seems to be a + * reasonable trade off of latency against throughput but can be +@@ -1697,6 +1692,10 @@ static int spacc_probe(struct platform_device *pdev) + */ + engine->stat_irq_thresh = (engine->fifo_sz / 2); + ++ ret = device_create_file(&pdev->dev, &dev_attr_stat_irq_thresh); ++ if (ret) ++ goto err_clk_disable; ++ + /* + * Configure the interrupts. We only use the STAT_CNT interrupt as we + * only submit a new packet for processing when we complete another in +-- +2.25.1 + diff --git a/queue-5.9/crypto-sa2ul-fix-compiler-warning-produced-by-clang.patch b/queue-5.9/crypto-sa2ul-fix-compiler-warning-produced-by-clang.patch new file mode 100644 index 00000000000..4a957420136 --- /dev/null +++ b/queue-5.9/crypto-sa2ul-fix-compiler-warning-produced-by-clang.patch @@ -0,0 +1,45 @@ +From d145672eff480d348062cb26b897b8b37192e049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 16:31:06 +0300 +Subject: crypto: sa2ul - fix compiler warning produced by clang + +From: Tero Kristo + +[ Upstream commit 17bce37e1b5eca95f9da783a07930b6d608c1389 ] + +Clang detects a warning for an assignment that doesn't really do +anything. Fix this by removing the offending piece of code. + +Fixes: 7694b6ca649f ("crypto: sa2ul - Add crypto driver") +Reported-by: Nathan Chancellor +Signed-off-by: Tero Kristo +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor # build +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sa2ul.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c +index 5bc099052bd20..ff8bbdb4d235d 100644 +--- a/drivers/crypto/sa2ul.c ++++ b/drivers/crypto/sa2ul.c +@@ -1148,12 +1148,10 @@ static int sa_run(struct sa_req *req) + ret = sg_split(req->dst, mapped_dst_nents, 0, 1, + &split_size, &dst, &dst_nents, + gfp_flags); +- if (ret) { +- dst_nents = dst_nents; ++ if (ret) + dst = req->dst; +- } else { ++ else + rxd->split_dst_sg = dst; +- } + } + } + +-- +2.25.1 + diff --git a/queue-5.9/crypto-sa2ul-fix-pm_runtime_get_sync-error-checking.patch b/queue-5.9/crypto-sa2ul-fix-pm_runtime_get_sync-error-checking.patch new file mode 100644 index 00000000000..cfbc1453894 --- /dev/null +++ b/queue-5.9/crypto-sa2ul-fix-pm_runtime_get_sync-error-checking.patch @@ -0,0 +1,36 @@ +From c879f67f96d3858db7ae03e4c20214123c730a8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 12:45:28 +0300 +Subject: crypto: sa2ul - Fix pm_runtime_get_sync() error checking + +From: Dan Carpenter + +[ Upstream commit 2baace5feb86c6916221911f391f11fcd8e1a259 ] + +The pm_runtime_get_sync() function returns either 0 or 1 on success but +this code treats a return of 1 as a failure. + +Fixes: 7694b6ca649f ("crypto: sa2ul - Add crypto driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sa2ul.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c +index ff8bbdb4d235d..039579b7cc818 100644 +--- a/drivers/crypto/sa2ul.c ++++ b/drivers/crypto/sa2ul.c +@@ -2331,7 +2331,7 @@ static int sa_ul_probe(struct platform_device *pdev) + + pm_runtime_enable(dev); + ret = pm_runtime_get_sync(dev); +- if (ret) { ++ if (ret < 0) { + dev_err(&pdev->dev, "%s: failed to get sync: %d\n", __func__, + ret); + return ret; +-- +2.25.1 + diff --git a/queue-5.9/crypto-sa2ul-select-crypto_authenc.patch b/queue-5.9/crypto-sa2ul-select-crypto_authenc.patch new file mode 100644 index 00000000000..e4720efdc04 --- /dev/null +++ b/queue-5.9/crypto-sa2ul-select-crypto_authenc.patch @@ -0,0 +1,37 @@ +From ca297c0e6058cd676eda75f799664fb9a66cc771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 16:22:40 +1000 +Subject: crypto: sa2ul - Select CRYPTO_AUTHENC + +From: Herbert Xu + +[ Upstream commit 61f033ba18c37e6b9ddfc4ee6dffe049d981fe7e ] + +The sa2ul driver uses crypto_authenc_extractkeys and therefore +must select CRYPTO_AUTHENC. + +Fixes: 7694b6ca649f ("crypto: sa2ul - Add crypto driver") +Reported-by: kernel test robot +Signed-off-by: Herbert Xu +Reviewed-by: Keerthy +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig +index 52a9b7cf6576f..ab941cfd27a88 100644 +--- a/drivers/crypto/Kconfig ++++ b/drivers/crypto/Kconfig +@@ -876,6 +876,7 @@ config CRYPTO_DEV_SA2UL + select CRYPTO_SHA1 + select CRYPTO_SHA256 + select CRYPTO_SHA512 ++ select CRYPTO_AUTHENC + select HW_RANDOM + select SG_SPLIT + help +-- +2.25.1 + diff --git a/queue-5.9/crypto-stm32-crc32-avoid-lock-if-hardware-is-already.patch b/queue-5.9/crypto-stm32-crc32-avoid-lock-if-hardware-is-already.patch new file mode 100644 index 00000000000..6e3eb2103e8 --- /dev/null +++ b/queue-5.9/crypto-stm32-crc32-avoid-lock-if-hardware-is-already.patch @@ -0,0 +1,87 @@ +From 9e754d3b28a291303d9c3ba591da5486e63cae31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 08:33:44 +0200 +Subject: crypto: stm32/crc32 - Avoid lock if hardware is already used + +From: Nicolas Toromanoff + +[ Upstream commit bbf2cb1ea1e1428589d7f4d652bed15b265ce92d ] + +If STM32 CRC device is already in use, calculate CRC by software. + +This will release CPU constraint for a concurrent access to the +hardware, and avoid masking irqs during the whole block processing. + +Fixes: 7795c0baf5ac ("crypto: stm32/crc32 - protect from concurrent accesses") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/Kconfig | 1 + + drivers/crypto/stm32/stm32-crc32.c | 15 ++++++++++++--- + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/stm32/Kconfig b/drivers/crypto/stm32/Kconfig +index 4ef3eb11361c2..4a4c3284ae1f3 100644 +--- a/drivers/crypto/stm32/Kconfig ++++ b/drivers/crypto/stm32/Kconfig +@@ -3,6 +3,7 @@ config CRYPTO_DEV_STM32_CRC + tristate "Support for STM32 crc accelerators" + depends on ARCH_STM32 + select CRYPTO_HASH ++ select CRC32 + help + This enables support for the CRC32 hw accelerator which can be found + on STMicroelectronics STM32 SOC. +diff --git a/drivers/crypto/stm32/stm32-crc32.c b/drivers/crypto/stm32/stm32-crc32.c +index 3ba41148c2a46..2c13f5214d2cf 100644 +--- a/drivers/crypto/stm32/stm32-crc32.c ++++ b/drivers/crypto/stm32/stm32-crc32.c +@@ -6,6 +6,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -147,7 +148,6 @@ static int burst_update(struct shash_desc *desc, const u8 *d8, + struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc); + struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm); + struct stm32_crc *crc; +- unsigned long flags; + + crc = stm32_crc_get_next_crc(); + if (!crc) +@@ -155,7 +155,15 @@ static int burst_update(struct shash_desc *desc, const u8 *d8, + + pm_runtime_get_sync(crc->dev); + +- spin_lock_irqsave(&crc->lock, flags); ++ if (!spin_trylock(&crc->lock)) { ++ /* Hardware is busy, calculate crc32 by software */ ++ if (mctx->poly == CRC32_POLY_LE) ++ ctx->partial = crc32_le(ctx->partial, d8, length); ++ else ++ ctx->partial = __crc32c_le(ctx->partial, d8, length); ++ ++ goto pm_out; ++ } + + /* + * Restore previously calculated CRC for this context as init value +@@ -195,8 +203,9 @@ static int burst_update(struct shash_desc *desc, const u8 *d8, + /* Store partial result */ + ctx->partial = readl_relaxed(crc->regs + CRC_DR); + +- spin_unlock_irqrestore(&crc->lock, flags); ++ spin_unlock(&crc->lock); + ++pm_out: + pm_runtime_mark_last_busy(crc->dev); + pm_runtime_put_autosuspend(crc->dev); + +-- +2.25.1 + diff --git a/queue-5.9/crypto-sun8i-ce-handle-endianness-of-t_common_ctl.patch b/queue-5.9/crypto-sun8i-ce-handle-endianness-of-t_common_ctl.patch new file mode 100644 index 00000000000..61bee570fc5 --- /dev/null +++ b/queue-5.9/crypto-sun8i-ce-handle-endianness-of-t_common_ctl.patch @@ -0,0 +1,40 @@ +From 37ceee9e7b8ed9f2e9e1516422092279ef22026f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 07:23:05 +0000 +Subject: crypto: sun8i-ce - handle endianness of t_common_ctl + +From: Corentin Labbe + +[ Upstream commit 87f34260f5e09a4578132ad1c05aef2d707dd4bf ] + +t_common_ctl is LE32 so we need to convert its value before using it. +This value is only used on H6 (ignored on other SoCs) and not handling +the endianness cause failure on xRNG/hashes operations on H6 when running BE. + +Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c +index 138759dc8190e..08ed1ca12baf9 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c +@@ -120,7 +120,10 @@ int sun8i_ce_run_task(struct sun8i_ce_dev *ce, int flow, const char *name) + /* Be sure all data is written before enabling the task */ + wmb(); + +- v = 1 | (ce->chanlist[flow].tl->t_common_ctl & 0x7F) << 8; ++ /* Only H6 needs to write a part of t_common_ctl along with "1", but since it is ignored ++ * on older SoCs, we have no reason to complicate things. ++ */ ++ v = 1 | ((le32_to_cpu(ce->chanlist[flow].tl->t_common_ctl) & 0x7F) << 8); + writel(v, ce->base + CE_TLR); + mutex_unlock(&ce->mlock); + +-- +2.25.1 + diff --git a/queue-5.9/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch b/queue-5.9/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch new file mode 100644 index 00000000000..7a410c4de0d --- /dev/null +++ b/queue-5.9/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch @@ -0,0 +1,46 @@ +From ecd3ad9bf39f4fc05eb3711c75f8aae8bae176e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 11:00:51 +0800 +Subject: cypto: mediatek - fix leaks in mtk_desc_ring_alloc + +From: Xiaoliang Pang + +[ Upstream commit 228d284aac61283cde508a925d666f854b57af63 ] + +In the init loop, if an error occurs in function 'dma_alloc_coherent', +then goto the err_cleanup section, after run i--, +in the array ring, the struct mtk_ring with index i will not be released, +causing memory leaks + +Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips") +Cc: Ryder Lee +Signed-off-by: Xiaoliang Pang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mediatek/mtk-platform.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c +index ef4339e84d034..efce3a83b35a8 100644 +--- a/drivers/crypto/mediatek/mtk-platform.c ++++ b/drivers/crypto/mediatek/mtk-platform.c +@@ -469,13 +469,13 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + return 0; + + err_cleanup: +- for (; i--; ) { ++ do { + dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ, + ring[i]->res_base, ring[i]->res_dma); + dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ, + ring[i]->cmd_base, ring[i]->cmd_dma); + kfree(ring[i]); +- } ++ } while (i--); + return -ENOMEM; + } + +-- +2.25.1 + diff --git a/queue-5.9/dm-fix-missing-imposition-of-queue_limits-from-dm_wq.patch b/queue-5.9/dm-fix-missing-imposition-of-queue_limits-from-dm_wq.patch new file mode 100644 index 00000000000..17e76d88bca --- /dev/null +++ b/queue-5.9/dm-fix-missing-imposition-of-queue_limits-from-dm_wq.patch @@ -0,0 +1,104 @@ +From d7c53b89109f065cfd3ccf0331535963419a0b03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 13:41:36 -0400 +Subject: dm: fix missing imposition of queue_limits from dm_wq_work() thread + +From: Mike Snitzer + +[ Upstream commit 0c2915b8c6db108b1dfb240391cc5a175f97f15b ] + +If a DM device was suspended when bios were issued to it, those bios +would be deferred using queue_io(). Once the DM device was resumed +dm_process_bio() could be called by dm_wq_work() for original bio that +still needs splitting. dm_process_bio()'s check for current->bio_list +(meaning call chain is within ->submit_bio) as a prerequisite for +calling blk_queue_split() for "abnormal IO" would result in +dm_process_bio() never imposing corresponding queue_limits +(e.g. discard_granularity, discard_max_bytes, etc). + +Fix this by always having dm_wq_work() resubmit deferred bios using +submit_bio_noacct(). + +Side-effect is blk_queue_split() is always called for "abnormal IO" from +->submit_bio, be it from application thread or dm_wq_work() workqueue, +so proper bio splitting and depth-first bio submission is performed. +For sake of clarity, remove current->bio_list check before call to +blk_queue_split(). + +Also, remove dm_wq_work()'s use of dm_{get,put}_live_table() -- no +longer needed since IO will be reissued in terms of ->submit_bio. +And rename bio variable from 'c' to 'bio'. + +Fixes: cf9c37865557 ("dm: fix comment in dm_process_bio()") +Reported-by: Jeffle Xu +Reviewed-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 34 +++++++++------------------------- + 1 file changed, 9 insertions(+), 25 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 6ed05ca65a0f8..b060a28ff1c6d 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1744,17 +1744,11 @@ static blk_qc_t dm_process_bio(struct mapped_device *md, + } + + /* +- * If in ->submit_bio we need to use blk_queue_split(), otherwise +- * queue_limits for abnormal requests (e.g. discard, writesame, etc) +- * won't be imposed. +- * If called from dm_wq_work() for deferred bio processing, bio +- * was already handled by following code with previous ->submit_bio. ++ * Use blk_queue_split() for abnormal IO (e.g. discard, writesame, etc) ++ * otherwise associated queue_limits won't be imposed. + */ +- if (current->bio_list) { +- if (is_abnormal_io(bio)) +- blk_queue_split(&bio); +- /* regular IO is split by __split_and_process_bio */ +- } ++ if (is_abnormal_io(bio)) ++ blk_queue_split(&bio); + + if (dm_get_md_type(md) == DM_TYPE_NVME_BIO_BASED) + return __process_bio(md, map, bio, ti); +@@ -2461,29 +2455,19 @@ static int dm_wait_for_completion(struct mapped_device *md, long task_state) + */ + static void dm_wq_work(struct work_struct *work) + { +- struct mapped_device *md = container_of(work, struct mapped_device, +- work); +- struct bio *c; +- int srcu_idx; +- struct dm_table *map; +- +- map = dm_get_live_table(md, &srcu_idx); ++ struct mapped_device *md = container_of(work, struct mapped_device, work); ++ struct bio *bio; + + while (!test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags)) { + spin_lock_irq(&md->deferred_lock); +- c = bio_list_pop(&md->deferred); ++ bio = bio_list_pop(&md->deferred); + spin_unlock_irq(&md->deferred_lock); + +- if (!c) ++ if (!bio) + break; + +- if (dm_request_based(md)) +- (void) submit_bio_noacct(c); +- else +- (void) dm_process_bio(md, map, c); ++ submit_bio_noacct(bio); + } +- +- dm_put_live_table(md, srcu_idx); + } + + static void dm_queue_flush(struct mapped_device *md) +-- +2.25.1 + diff --git a/queue-5.9/dm-fix-request-based-dm-to-not-bounce-through-indire.patch b/queue-5.9/dm-fix-request-based-dm-to-not-bounce-through-indire.patch new file mode 100644 index 00000000000..2c398e47202 --- /dev/null +++ b/queue-5.9/dm-fix-request-based-dm-to-not-bounce-through-indire.patch @@ -0,0 +1,103 @@ +From e150ea29bb53e8f7411f9704242c6a715f12b791 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 16:41:01 -0400 +Subject: dm: fix request-based DM to not bounce through indirect dm_submit_bio + +From: Mike Snitzer + +[ Upstream commit 681cc5e8667e8579a2da8fa4090c48a2d73fc3bb ] + +It is unnecessary to force request-based DM to call into bio-based +dm_submit_bio (via indirect disk->fops->submit_bio) only to have it then +call blk_mq_submit_bio(). + +Fix this by establishing a request-based DM block_device_operations +(dm_rq_blk_dops, which doesn't have .submit_bio) and update +dm_setup_md_queue() to set md->disk->fops to it for +DM_TYPE_REQUEST_BASED. + +Remove DM_TYPE_REQUEST_BASED conditional in dm_submit_bio and unexport +blk_mq_submit_bio. + +Fixes: c62b37d96b6eb ("block: move ->make_request_fn to struct block_device_operations") +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 1 - + drivers/md/dm.c | 25 ++++++++++++------------- + 2 files changed, 12 insertions(+), 14 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index cdced4aca2e81..c27a61029cdd0 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2264,7 +2264,6 @@ blk_qc_t blk_mq_submit_bio(struct bio *bio) + blk_queue_exit(q); + return BLK_QC_T_NONE; + } +-EXPORT_SYMBOL_GPL(blk_mq_submit_bio); /* only for request based dm */ + + void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags, + unsigned int hctx_idx) +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index b060a28ff1c6d..9b005e144014f 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1762,18 +1762,6 @@ static blk_qc_t dm_submit_bio(struct bio *bio) + int srcu_idx; + struct dm_table *map; + +- if (dm_get_md_type(md) == DM_TYPE_REQUEST_BASED) { +- /* +- * We are called with a live reference on q_usage_counter, but +- * that one will be released as soon as we return. Grab an +- * extra one as blk_mq_submit_bio expects to be able to consume +- * a reference (which lives until the request is freed in case a +- * request is allocated). +- */ +- percpu_ref_get(&bio->bi_disk->queue->q_usage_counter); +- return blk_mq_submit_bio(bio); +- } +- + map = dm_get_live_table(md, &srcu_idx); + + /* if we're suspended, we have to queue this io for later */ +@@ -1843,6 +1831,7 @@ static int next_free_minor(int *minor) + } + + static const struct block_device_operations dm_blk_dops; ++static const struct block_device_operations dm_rq_blk_dops; + static const struct dax_operations dm_dax_ops; + + static void dm_wq_work(struct work_struct *work); +@@ -2242,9 +2231,10 @@ int dm_setup_md_queue(struct mapped_device *md, struct dm_table *t) + + switch (type) { + case DM_TYPE_REQUEST_BASED: ++ md->disk->fops = &dm_rq_blk_dops; + r = dm_mq_init_request_queue(md, t); + if (r) { +- DMERR("Cannot initialize queue for request-based dm-mq mapped device"); ++ DMERR("Cannot initialize queue for request-based dm mapped device"); + return r; + } + break; +@@ -3227,6 +3217,15 @@ static const struct block_device_operations dm_blk_dops = { + .owner = THIS_MODULE + }; + ++static const struct block_device_operations dm_rq_blk_dops = { ++ .open = dm_blk_open, ++ .release = dm_blk_close, ++ .ioctl = dm_blk_ioctl, ++ .getgeo = dm_blk_getgeo, ++ .pr_ops = &dm_pr_ops, ++ .owner = THIS_MODULE ++}; ++ + static const struct dax_operations dm_dax_ops = { + .direct_access = dm_dax_direct_access, + .dax_supported = dm_dax_supported, +-- +2.25.1 + diff --git a/queue-5.9/dma-direct-fix-potential-null-pointer-dereference.patch b/queue-5.9/dma-direct-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..9a70dd8782e --- /dev/null +++ b/queue-5.9/dma-direct-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,76 @@ +From 7efdd5790597863553ff44e16630140df7b271c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 18:43:03 +0200 +Subject: dma-direct: Fix potential NULL pointer dereference + +From: Thomas Tai + +[ Upstream commit f959dcd6ddfd29235030e8026471ac1b022ad2b0 ] + +When booting the kernel v5.9-rc4 on a VM, the kernel would panic when +printing a warning message in swiotlb_map(). The dev->dma_mask must not +be a NULL pointer when calling the dma mapping layer. A NULL pointer +check can potentially avoid the panic. + +Signed-off-by: Thomas Tai +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + include/linux/dma-direct.h | 3 --- + kernel/dma/mapping.c | 11 +++++++++++ + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/include/linux/dma-direct.h b/include/linux/dma-direct.h +index 6e87225600ae3..064870844f06c 100644 +--- a/include/linux/dma-direct.h ++++ b/include/linux/dma-direct.h +@@ -62,9 +62,6 @@ static inline bool dma_capable(struct device *dev, dma_addr_t addr, size_t size, + { + dma_addr_t end = addr + size - 1; + +- if (!dev->dma_mask) +- return false; +- + if (is_ram && !IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT) && + min(addr, end) < phys_to_dma(dev, PFN_PHYS(min_low_pfn))) + return false; +diff --git a/kernel/dma/mapping.c b/kernel/dma/mapping.c +index 0d129421e75fc..7133d5c6e1a6d 100644 +--- a/kernel/dma/mapping.c ++++ b/kernel/dma/mapping.c +@@ -144,6 +144,10 @@ dma_addr_t dma_map_page_attrs(struct device *dev, struct page *page, + dma_addr_t addr; + + BUG_ON(!valid_dma_direction(dir)); ++ ++ if (WARN_ON_ONCE(!dev->dma_mask)) ++ return DMA_MAPPING_ERROR; ++ + if (dma_map_direct(dev, ops)) + addr = dma_direct_map_page(dev, page, offset, size, dir, attrs); + else +@@ -179,6 +183,10 @@ int dma_map_sg_attrs(struct device *dev, struct scatterlist *sg, int nents, + int ents; + + BUG_ON(!valid_dma_direction(dir)); ++ ++ if (WARN_ON_ONCE(!dev->dma_mask)) ++ return 0; ++ + if (dma_map_direct(dev, ops)) + ents = dma_direct_map_sg(dev, sg, nents, dir, attrs); + else +@@ -213,6 +221,9 @@ dma_addr_t dma_map_resource(struct device *dev, phys_addr_t phys_addr, + + BUG_ON(!valid_dma_direction(dir)); + ++ if (WARN_ON_ONCE(!dev->dma_mask)) ++ return DMA_MAPPING_ERROR; ++ + /* Don't allow RAM to be mapped */ + if (WARN_ON_ONCE(pfn_valid(PHYS_PFN(phys_addr)))) + return DMA_MAPPING_ERROR; +-- +2.25.1 + diff --git a/queue-5.9/dmaengine-dmatest-check-list-for-emptiness-before-ac.patch b/queue-5.9/dmaengine-dmatest-check-list-for-emptiness-before-ac.patch new file mode 100644 index 00000000000..5e18a083cba --- /dev/null +++ b/queue-5.9/dmaengine-dmatest-check-list-for-emptiness-before-ac.patch @@ -0,0 +1,58 @@ +From 49690acd40993dad68e969147337c5d6bbd42ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 14:58:46 +0300 +Subject: dmaengine: dmatest: Check list for emptiness before access its last + entry + +From: Andy Shevchenko + +[ Upstream commit b28de385b71abf31ce68ec0387638bee26ae9024 ] + +After writing a garbage to the channel we get an Oops in dmatest_chan_set() +due to access to last entry in the empty list. + +[ 212.670672] BUG: unable to handle page fault for address: fffffff000000020 +[ 212.677562] #PF: supervisor read access in kernel mode +[ 212.682702] #PF: error_code(0x0000) - not-present page +... +[ 212.710074] RIP: 0010:dmatest_chan_set+0x149/0x2d0 [dmatest] +[ 212.715739] Code: e8 cc f9 ff ff 48 8b 1d 0d 55 00 00 48 83 7b 10 00 0f 84 63 01 00 00 48 c7 c7 d0 65 4d c0 e8 ee 4a f5 e1 48 89 c6 48 8b 43 10 <48> 8b 40 20 48 8b 78 58 48 85 ff 0f 84 f5 00 00 00 e8 b1 41 f5 e1 + +Fix this by checking list for emptiness before accessing its last entry. + +Fixes: d53513d5dc28 ("dmaengine: dmatest: Add support for multi channel testing") +Cc: Vladimir Murzin +Signed-off-by: Andy Shevchenko +Tested-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20200922115847.30100-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmatest.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index a819611b8892c..146c3f39f576b 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -1249,15 +1249,14 @@ static int dmatest_chan_set(const char *val, const struct kernel_param *kp) + add_threaded_test(info); + + /* Check if channel was added successfully */ +- dtc = list_last_entry(&info->channels, struct dmatest_chan, node); +- +- if (dtc->chan) { ++ if (!list_empty(&info->channels)) { + /* + * if new channel was not successfully added, revert the + * "test_channel" string to the name of the last successfully + * added channel. exception for when users issues empty string + * to channel parameter. + */ ++ dtc = list_last_entry(&info->channels, struct dmatest_chan, node); + if ((strcmp(dma_chan_name(dtc->chan), strim(test_channel)) != 0) + && (strcmp("", strim(test_channel)) != 0)) { + ret = -EINVAL; +-- +2.25.1 + diff --git a/queue-5.9/dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch b/queue-5.9/dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch new file mode 100644 index 00000000000..568fefb3333 --- /dev/null +++ b/queue-5.9/dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch @@ -0,0 +1,65 @@ +From 142a782a878886f8d5c2040c2adcee592b1587fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 23:08:23 +0300 +Subject: dmaengine: dw: Activate FIFO-mode for memory peripherals only + +From: Serge Semin + +[ Upstream commit 6d9459d04081c796fc67c2bb771f4e4ebb5744c4 ] + +CFGx.FIFO_MODE field controls a DMA-controller "FIFO readiness" criterion. +In other words it determines when to start pushing data out of a DW +DMAC channel FIFO to a destination peripheral or from a source +peripheral to the DW DMAC channel FIFO. Currently FIFO-mode is set to one +for all DW DMAC channels. It means they are tuned to flush data out of +FIFO (to a memory peripheral or by accepting the burst transaction +requests) when FIFO is at least half-full (except at the end of the block +transfer, when FIFO-flush mode is activated) and are configured to get +data to the FIFO when it's at least half-empty. + +Such configuration is a good choice when there is no slave device involved +in the DMA transfers. In that case the number of bursts per block is less +than when CFGx.FIFO_MODE = 0 and, hence, the bus utilization will improve. +But the latency of DMA transfers may increase when CFGx.FIFO_MODE = 1, +since DW DMAC will wait for the channel FIFO contents to be either +half-full or half-empty depending on having the destination or the source +transfers. Such latencies might be dangerous in case if the DMA transfers +are expected to be performed from/to a slave device. Since normally +peripheral devices keep data in internal FIFOs, any latency at some +critical moment may cause one being overflown and consequently losing +data. This especially concerns a case when either a peripheral device is +relatively fast or the DW DMAC engine is relatively slow with respect to +the incoming data pace. + +In order to solve problems, which might be caused by the latencies +described above, let's enable the FIFO half-full/half-empty "FIFO +readiness" criterion only for DMA transfers with no slave device involved. +Thanks to the commit 99ba8b9b0d97 ("dmaengine: dw: Initialize channel +before each transfer") we can freely do that in the generic +dw_dma_initialize_chan() method. + +Signed-off-by: Serge Semin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200731200826.9292-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dw/dw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/dw/dw.c b/drivers/dma/dw/dw.c +index 7a085b3c1854c..d9810980920a1 100644 +--- a/drivers/dma/dw/dw.c ++++ b/drivers/dma/dw/dw.c +@@ -14,7 +14,7 @@ + static void dw_dma_initialize_chan(struct dw_dma_chan *dwc) + { + struct dw_dma *dw = to_dw_dma(dwc->chan.device); +- u32 cfghi = DWC_CFGH_FIFO_MODE; ++ u32 cfghi = is_slave_direction(dwc->direction) ? 0 : DWC_CFGH_FIFO_MODE; + u32 cfglo = DWC_CFGL_CH_PRIOR(dwc->priority); + bool hs_polarity = dwc->dws.hs_polarity; + +-- +2.25.1 + diff --git a/queue-5.9/dmaengine-dw-add-dma-channels-mask-cell-support.patch b/queue-5.9/dmaengine-dw-add-dma-channels-mask-cell-support.patch new file mode 100644 index 00000000000..5ad5e09f46e --- /dev/null +++ b/queue-5.9/dmaengine-dw-add-dma-channels-mask-cell-support.patch @@ -0,0 +1,114 @@ +From 661acd90ea7226cb79cc77d3a93c09cfa899241f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 23:08:26 +0300 +Subject: dmaengine: dw: Add DMA-channels mask cell support + +From: Serge Semin + +[ Upstream commit e8ee6c8cb61b676f1a2d6b942329e98224bd8ee9 ] + +DW DMA IP-core provides a way to synthesize the DMA controller with +channels having different parameters like maximum burst-length, +multi-block support, maximum data width, etc. Those parameters both +explicitly and implicitly affect the channels performance. Since DMA slave +devices might be very demanding to the DMA performance, let's provide a +functionality for the slaves to be assigned with DW DMA channels, which +performance according to the platform engineer fulfill their requirements. +After this patch is applied it can be done by passing the mask of suitable +DMA-channels either directly in the dw_dma_slave structure instance or as +a fifth cell of the DMA DT-property. If mask is zero or not provided, then +there is no limitation on the channels allocation. + +For instance Baikal-T1 SoC is equipped with a DW DMAC engine, which first +two channels are synthesized with max burst length of 16, while the rest +of the channels have been created with max-burst-len=4. It would seem that +the first two channels must be faster than the others and should be more +preferable for the time-critical DMA slave devices. In practice it turned +out that the situation is quite the opposite. The channels with +max-burst-len=4 demonstrated a better performance than the channels with +max-burst-len=16 even when they both had been initialized with the same +settings. The performance drop of the first two DMA-channels made them +unsuitable for the DW APB SSI slave device. No matter what settings they +are configured with, full-duplex SPI transfers occasionally experience the +Rx FIFO overflow. It means that the DMA-engine doesn't keep up with +incoming data pace even though the SPI-bus is enabled with speed of 25MHz +while the DW DMA controller is clocked with 50MHz signal. There is no such +problem has been noticed for the channels synthesized with +max-burst-len=4. + +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20200731200826.9292-6-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dw/core.c | 4 ++++ + drivers/dma/dw/of.c | 7 +++++-- + include/linux/platform_data/dma-dw.h | 2 ++ + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c +index 4700f2e87a627..d9333ee14527e 100644 +--- a/drivers/dma/dw/core.c ++++ b/drivers/dma/dw/core.c +@@ -772,6 +772,10 @@ bool dw_dma_filter(struct dma_chan *chan, void *param) + if (dws->dma_dev != chan->device->dev) + return false; + ++ /* permit channels in accordance with the channels mask */ ++ if (dws->channels && !(dws->channels & dwc->mask)) ++ return false; ++ + /* We have to copy data since dws can be temporary storage */ + memcpy(&dwc->dws, dws, sizeof(struct dw_dma_slave)); + +diff --git a/drivers/dma/dw/of.c b/drivers/dma/dw/of.c +index 1474b3817ef4f..c1cf7675b9d10 100644 +--- a/drivers/dma/dw/of.c ++++ b/drivers/dma/dw/of.c +@@ -22,18 +22,21 @@ static struct dma_chan *dw_dma_of_xlate(struct of_phandle_args *dma_spec, + }; + dma_cap_mask_t cap; + +- if (dma_spec->args_count != 3) ++ if (dma_spec->args_count < 3 || dma_spec->args_count > 4) + return NULL; + + slave.src_id = dma_spec->args[0]; + slave.dst_id = dma_spec->args[0]; + slave.m_master = dma_spec->args[1]; + slave.p_master = dma_spec->args[2]; ++ if (dma_spec->args_count >= 4) ++ slave.channels = dma_spec->args[3]; + + if (WARN_ON(slave.src_id >= DW_DMA_MAX_NR_REQUESTS || + slave.dst_id >= DW_DMA_MAX_NR_REQUESTS || + slave.m_master >= dw->pdata->nr_masters || +- slave.p_master >= dw->pdata->nr_masters)) ++ slave.p_master >= dw->pdata->nr_masters || ++ slave.channels >= BIT(dw->pdata->nr_channels))) + return NULL; + + dma_cap_zero(cap); +diff --git a/include/linux/platform_data/dma-dw.h b/include/linux/platform_data/dma-dw.h +index fbbeb2f6189b8..b34a094b2258d 100644 +--- a/include/linux/platform_data/dma-dw.h ++++ b/include/linux/platform_data/dma-dw.h +@@ -26,6 +26,7 @@ struct device; + * @dst_id: dst request line + * @m_master: memory master for transfers on allocated channel + * @p_master: peripheral master for transfers on allocated channel ++ * @channels: mask of the channels permitted for allocation (zero value means any) + * @hs_polarity:set active low polarity of handshake interface + */ + struct dw_dma_slave { +@@ -34,6 +35,7 @@ struct dw_dma_slave { + u8 dst_id; + u8 m_master; + u8 p_master; ++ u8 channels; + bool hs_polarity; + }; + +-- +2.25.1 + diff --git a/queue-5.9/dmaengine-ioat-allocate-correct-size-for-descriptor-.patch b/queue-5.9/dmaengine-ioat-allocate-correct-size-for-descriptor-.patch new file mode 100644 index 00000000000..135923682dc --- /dev/null +++ b/queue-5.9/dmaengine-ioat-allocate-correct-size-for-descriptor-.patch @@ -0,0 +1,49 @@ +From af96e8e3b11c43e84827b1e572a958e190813d31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 14:08:44 -0600 +Subject: dmaengine: ioat: Allocate correct size for descriptor chunk + +From: Logan Gunthorpe + +[ Upstream commit 028926e4ac8f21af343c25794117fd13c08b1712 ] + +dma_alloc_coherent() is called with a fixed SZ_2M size, but frees happen +with IOAT_CHUNK_SIZE. Recently, IOAT_CHUNK_SIZE was reduced to 512M but +the allocation did not change. To fix, change to using the +IOAT_CHUNK_SIZE define. + +This was caught with the upcoming patchset for converting Intel platforms to the +dma-iommu implementation. It has a warning when the unmapped size differs from +the mapped size. + +Fixes: a02254f8a676 ("dmaengine: ioat: Decreasing allocation chunk size 2M->512K") +Suggested-by: Robin Murphy +Signed-off-by: Logan Gunthorpe +Acked-by: Dave Jiang +Cc: Vinod Koul +Cc: Dave Jiang +Cc: Dan Williams +Link: https://lore.kernel.org/intel-gfx/776771a2-247a-d1be-d882-bee02d919ae0@deltatee.com/ +Link: https://lore.kernel.org/r/20200922200844.2982-1-logang@deltatee.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ioat/dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/ioat/dma.c b/drivers/dma/ioat/dma.c +index a814b200299bf..07296171e2bbc 100644 +--- a/drivers/dma/ioat/dma.c ++++ b/drivers/dma/ioat/dma.c +@@ -389,7 +389,7 @@ ioat_alloc_ring(struct dma_chan *c, int order, gfp_t flags) + struct ioat_descs *descs = &ioat_chan->descs[i]; + + descs->virt = dma_alloc_coherent(to_dev(ioat_chan), +- SZ_2M, &descs->hw, flags); ++ IOAT_CHUNK_SIZE, &descs->hw, flags); + if (!descs->virt) { + int idx; + +-- +2.25.1 + diff --git a/queue-5.9/dmaengine-ti-k3-udma-glue-fix-channel-enable-functio.patch b/queue-5.9/dmaengine-ti-k3-udma-glue-fix-channel-enable-functio.patch new file mode 100644 index 00000000000..e54115488dd --- /dev/null +++ b/queue-5.9/dmaengine-ti-k3-udma-glue-fix-channel-enable-functio.patch @@ -0,0 +1,78 @@ +From 7ccf4901a2468dff72d0db6f63afd08677627163 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 15:09:55 +0300 +Subject: dmaengine: ti: k3-udma-glue: fix channel enable functions + +From: Grygorii Strashko + +[ Upstream commit 52c74d3d356b60f3c53dc69e5109752347e144e8 ] + +Now the K3 UDMA glue layer enable functions perform RMW operation on UDMA +RX/TX RT_CTL registers to set EN bit and enable channel, which is +incorrect, because only EN bit has to be set in those registers to enable +channel (all other bits should be cleared 0). +More over, this causes issues when bootloader leaves UDMA channel RX/TX +RT_CTL registers in incorrect state - TDOWN bit set, for example. As +result, UDMA channel will just perform teardown right after it's enabled. + +Hence, fix it by writing correct values (EN=1) directly in UDMA channel +RX/TX RT_CTL registers in k3_udma_glue_enable_tx/rx_chn() functions. + +Fixes: d70241913413 ("dmaengine: ti: k3-udma: Add glue layer for non DMAengine users") +Signed-off-by: Grygorii Strashko +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20200916120955.7963-1-grygorii.strashko@ti.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/k3-udma-glue.c | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +diff --git a/drivers/dma/ti/k3-udma-glue.c b/drivers/dma/ti/k3-udma-glue.c +index 3a5d33ea5ebe7..42c8ad10d75eb 100644 +--- a/drivers/dma/ti/k3-udma-glue.c ++++ b/drivers/dma/ti/k3-udma-glue.c +@@ -378,17 +378,11 @@ EXPORT_SYMBOL_GPL(k3_udma_glue_pop_tx_chn); + + int k3_udma_glue_enable_tx_chn(struct k3_udma_glue_tx_channel *tx_chn) + { +- u32 txrt_ctl; +- +- txrt_ctl = UDMA_PEER_RT_EN_ENABLE; + xudma_tchanrt_write(tx_chn->udma_tchanx, UDMA_CHAN_RT_PEER_RT_EN_REG, +- txrt_ctl); ++ UDMA_PEER_RT_EN_ENABLE); + +- txrt_ctl = xudma_tchanrt_read(tx_chn->udma_tchanx, +- UDMA_CHAN_RT_CTL_REG); +- txrt_ctl |= UDMA_CHAN_RT_CTL_EN; + xudma_tchanrt_write(tx_chn->udma_tchanx, UDMA_CHAN_RT_CTL_REG, +- txrt_ctl); ++ UDMA_CHAN_RT_CTL_EN); + + k3_udma_glue_dump_tx_rt_chn(tx_chn, "txchn en"); + return 0; +@@ -1058,19 +1052,14 @@ EXPORT_SYMBOL_GPL(k3_udma_glue_rx_flow_disable); + + int k3_udma_glue_enable_rx_chn(struct k3_udma_glue_rx_channel *rx_chn) + { +- u32 rxrt_ctl; +- + if (rx_chn->remote) + return -EINVAL; + + if (rx_chn->flows_ready < rx_chn->flow_num) + return -EINVAL; + +- rxrt_ctl = xudma_rchanrt_read(rx_chn->udma_rchanx, +- UDMA_CHAN_RT_CTL_REG); +- rxrt_ctl |= UDMA_CHAN_RT_CTL_EN; + xudma_rchanrt_write(rx_chn->udma_rchanx, UDMA_CHAN_RT_CTL_REG, +- rxrt_ctl); ++ UDMA_CHAN_RT_CTL_EN); + + xudma_rchanrt_write(rx_chn->udma_rchanx, UDMA_CHAN_RT_PEER_RT_EN_REG, + UDMA_PEER_RT_EN_ENABLE); +-- +2.25.1 + diff --git a/queue-5.9/dmaengine-ti-k3-udma-glue-fix-parameters-for-rx-ring.patch b/queue-5.9/dmaengine-ti-k3-udma-glue-fix-parameters-for-rx-ring.patch new file mode 100644 index 00000000000..c97afcfc5ca --- /dev/null +++ b/queue-5.9/dmaengine-ti-k3-udma-glue-fix-parameters-for-rx-ring.patch @@ -0,0 +1,39 @@ +From b18d1c5f0686c6e8d3fc4ef322cb0c992ab176eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 21:47:39 -0700 +Subject: dmaengine: ti: k3-udma-glue: Fix parameters for rx ring pair request + +From: Peter Ujfalusi + +[ Upstream commit 6259c8441c4de3f1727a0db61465a8dc8f340c05 ] + +The original commit mixed up the forward and completion ring IDs for the +rx flow configuration. + +Acked-by: Vinod Koul +Reviewed-by: Grygorii Strashko +Fixes: 4927b1ab2047 ("dmaengine: ti: k3-udma: Switch to k3_ringacc_request_rings_pair") +Signed-off-by: Peter Ujfalusi +Signed-off-by: Santosh Shilimkar +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/k3-udma-glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/ti/k3-udma-glue.c b/drivers/dma/ti/k3-udma-glue.c +index 42c8ad10d75eb..a367584f0d7b3 100644 +--- a/drivers/dma/ti/k3-udma-glue.c ++++ b/drivers/dma/ti/k3-udma-glue.c +@@ -573,8 +573,8 @@ static int k3_udma_glue_cfg_rx_flow(struct k3_udma_glue_rx_channel *rx_chn, + + /* request and cfg rings */ + ret = k3_ringacc_request_rings_pair(rx_chn->common.ringacc, +- flow_cfg->ring_rxq_id, + flow_cfg->ring_rxfdq0_id, ++ flow_cfg->ring_rxq_id, + &flow->ringrxfdq, + &flow->ringrx); + if (ret) { +-- +2.25.1 + diff --git a/queue-5.9/drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch b/queue-5.9/drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch new file mode 100644 index 00000000000..0c0cb9de21b --- /dev/null +++ b/queue-5.9/drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch @@ -0,0 +1,59 @@ +From 488107a300c73145e78f6c12fb1ef457fa531ff4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 16:41:10 -0400 +Subject: drivers/perf: thunderx2_pmu: Fix memory resource error handling + +From: Mark Salter + +[ Upstream commit 688494a407d1419a6b158c644b262c61cde39f48 ] + +In tx2_uncore_pmu_init_dev(), a call to acpi_dev_get_resources() is used +to create a list _CRS resources which is searched for the device base +address. There is an error check following this: + + if (!rentry->res) + return NULL + +In no case, will rentry->res be NULL, so the test is useless. Even +if the test worked, it comes before the resource list memory is +freed. None of this really matters as long as the ACPI table has +the memory resource. Let's clean it up so that it makes sense and +will give a meaningful error should firmware leave out the memory +resource. + +Fixes: 69c32972d593 ("drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver") +Signed-off-by: Mark Salter +Link: https://lore.kernel.org/r/20200915204110.326138-2-msalter@redhat.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/thunderx2_pmu.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/perf/thunderx2_pmu.c b/drivers/perf/thunderx2_pmu.c +index aac9823b0c6bb..e116815fa8092 100644 +--- a/drivers/perf/thunderx2_pmu.c ++++ b/drivers/perf/thunderx2_pmu.c +@@ -805,14 +805,17 @@ static struct tx2_uncore_pmu *tx2_uncore_pmu_init_dev(struct device *dev, + list_for_each_entry(rentry, &list, node) { + if (resource_type(rentry->res) == IORESOURCE_MEM) { + res = *rentry->res; ++ rentry = NULL; + break; + } + } ++ acpi_dev_free_resource_list(&list); + +- if (!rentry->res) ++ if (rentry) { ++ dev_err(dev, "PMU type %d: Fail to find resource\n", type); + return NULL; ++ } + +- acpi_dev_free_resource_list(&list); + base = devm_ioremap_resource(dev, &res); + if (IS_ERR(base)) { + dev_err(dev, "PMU type %d: Fail to map resource\n", type); +-- +2.25.1 + diff --git a/queue-5.9/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch b/queue-5.9/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch new file mode 100644 index 00000000000..7a0e50a733c --- /dev/null +++ b/queue-5.9/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch @@ -0,0 +1,126 @@ +From e738df6056202133dd3172dbbd3f08be08087478 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 16:41:09 -0400 +Subject: drivers/perf: xgene_pmu: Fix uninitialized resource struct + +From: Mark Salter + +[ Upstream commit a76b8236edcf5b785d044b930f9e14ad02b4a484 ] + +This splat was reported on newer Fedora kernels booting on certain +X-gene based machines: + + xgene-pmu APMC0D83:00: X-Gene PMU version 3 + Unable to handle kernel read from unreadable memory at virtual \ + address 0000000000004006 + ... + Call trace: + string+0x50/0x100 + vsnprintf+0x160/0x750 + devm_kvasprintf+0x5c/0xb4 + devm_kasprintf+0x54/0x60 + __devm_ioremap_resource+0xdc/0x1a0 + devm_ioremap_resource+0x14/0x20 + acpi_get_pmu_hw_inf.isra.0+0x84/0x15c + acpi_pmu_dev_add+0xbc/0x21c + acpi_ns_walk_namespace+0x16c/0x1e4 + acpi_walk_namespace+0xb4/0xfc + xgene_pmu_probe_pmu_dev+0x7c/0xe0 + xgene_pmu_probe.part.0+0x2c0/0x310 + xgene_pmu_probe+0x54/0x64 + platform_drv_probe+0x60/0xb4 + really_probe+0xe8/0x4a0 + driver_probe_device+0xe4/0x100 + device_driver_attach+0xcc/0xd4 + __driver_attach+0xb0/0x17c + bus_for_each_dev+0x6c/0xb0 + driver_attach+0x30/0x40 + bus_add_driver+0x154/0x250 + driver_register+0x84/0x140 + __platform_driver_register+0x54/0x60 + xgene_pmu_driver_init+0x28/0x34 + do_one_initcall+0x40/0x204 + do_initcalls+0x104/0x144 + kernel_init_freeable+0x198/0x210 + kernel_init+0x20/0x12c + ret_from_fork+0x10/0x18 + Code: 91000400 110004e1 eb08009f 540000c0 (38646846) + ---[ end trace f08c10566496a703 ]--- + +This is due to use of an uninitialized local resource struct in the xgene +pmu driver. The thunderx2_pmu driver avoids this by using the resource list +constructed by acpi_dev_get_resources() rather than using a callback from +that function. The callback in the xgene driver didn't fully initialize +the resource. So get rid of the callback and search the resource list as +done by thunderx2. + +Fixes: 832c927d119b ("perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver") +Signed-off-by: Mark Salter +Link: https://lore.kernel.org/r/20200915204110.326138-1-msalter@redhat.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/xgene_pmu.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/drivers/perf/xgene_pmu.c b/drivers/perf/xgene_pmu.c +index edac28cd25ddc..633cf07ba6723 100644 +--- a/drivers/perf/xgene_pmu.c ++++ b/drivers/perf/xgene_pmu.c +@@ -1453,17 +1453,6 @@ static char *xgene_pmu_dev_name(struct device *dev, u32 type, int id) + } + + #if defined(CONFIG_ACPI) +-static int acpi_pmu_dev_add_resource(struct acpi_resource *ares, void *data) +-{ +- struct resource *res = data; +- +- if (ares->type == ACPI_RESOURCE_TYPE_FIXED_MEMORY32) +- acpi_dev_resource_memory(ares, res); +- +- /* Always tell the ACPI core to skip this resource */ +- return 1; +-} +- + static struct + xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + struct acpi_device *adev, u32 type) +@@ -1475,6 +1464,7 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + struct hw_pmu_info *inf; + void __iomem *dev_csr; + struct resource res; ++ struct resource_entry *rentry; + int enable_bit; + int rc; + +@@ -1483,11 +1473,23 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + return NULL; + + INIT_LIST_HEAD(&resource_list); +- rc = acpi_dev_get_resources(adev, &resource_list, +- acpi_pmu_dev_add_resource, &res); ++ rc = acpi_dev_get_resources(adev, &resource_list, NULL, NULL); ++ if (rc <= 0) { ++ dev_err(dev, "PMU type %d: No resources found\n", type); ++ return NULL; ++ } ++ ++ list_for_each_entry(rentry, &resource_list, node) { ++ if (resource_type(rentry->res) == IORESOURCE_MEM) { ++ res = *rentry->res; ++ rentry = NULL; ++ break; ++ } ++ } + acpi_dev_free_resource_list(&resource_list); +- if (rc < 0) { +- dev_err(dev, "PMU type %d: No resource address found\n", type); ++ ++ if (rentry) { ++ dev_err(dev, "PMU type %d: No memory resource found\n", type); + return NULL; + } + +-- +2.25.1 + diff --git a/queue-5.9/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch b/queue-5.9/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch new file mode 100644 index 00000000000..7b32bb7a130 --- /dev/null +++ b/queue-5.9/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch @@ -0,0 +1,99 @@ +From a31cac53aad68dfa9c586a82b35af94a00d61fde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 02:51:11 +0530 +Subject: drivers/virt/fsl_hypervisor: Fix error handling path + +From: Souptick Joarder + +[ Upstream commit 7f360bec37857bfd5a48cef21d86f58a09a3df63 ] + +First, when memory allocation for sg_list_unaligned failed, there +is a bug of calling put_pages() as we haven't pinned any pages. + +Second, if get_user_pages_fast() failed we should unpin num_pinned +pages. + +This will address both. + +As part of these changes, minor update in documentation. + +Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") +Signed-off-by: Souptick Joarder +Reviewed-by: Dan Carpenter +Reviewed-by: John Hubbard +Link: https://lore.kernel.org/r/1598995271-6755-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/virt/fsl_hypervisor.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c +index 1b0b11b55d2a0..46ee0a0998b6f 100644 +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -157,7 +157,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + + unsigned int i; + long ret = 0; +- int num_pinned; /* return value from get_user_pages() */ ++ int num_pinned = 0; /* return value from get_user_pages_fast() */ + phys_addr_t remote_paddr; /* The next address in the remote buffer */ + uint32_t count; /* The number of bytes left to copy */ + +@@ -174,7 +174,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + return -EINVAL; + + /* +- * The array of pages returned by get_user_pages() covers only ++ * The array of pages returned by get_user_pages_fast() covers only + * page-aligned memory. Since the user buffer is probably not + * page-aligned, we need to handle the discrepancy. + * +@@ -224,7 +224,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + + /* + * 'pages' is an array of struct page pointers that's initialized by +- * get_user_pages(). ++ * get_user_pages_fast(). + */ + pages = kcalloc(num_pages, sizeof(struct page *), GFP_KERNEL); + if (!pages) { +@@ -241,7 +241,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + if (!sg_list_unaligned) { + pr_debug("fsl-hv: could not allocate S/G list\n"); + ret = -ENOMEM; +- goto exit; ++ goto free_pages; + } + sg_list = PTR_ALIGN(sg_list_unaligned, sizeof(struct fh_sg_list)); + +@@ -250,7 +250,6 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + num_pages, param.source != -1 ? FOLL_WRITE : 0, pages); + + if (num_pinned != num_pages) { +- /* get_user_pages() failed */ + pr_debug("fsl-hv: could not lock source buffer\n"); + ret = (num_pinned < 0) ? num_pinned : -EFAULT; + goto exit; +@@ -292,13 +291,13 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + virt_to_phys(sg_list), num_pages); + + exit: +- if (pages) { +- for (i = 0; i < num_pages; i++) +- if (pages[i]) +- put_page(pages[i]); ++ if (pages && (num_pinned > 0)) { ++ for (i = 0; i < num_pinned; i++) ++ put_page(pages[i]); + } + + kfree(sg_list_unaligned); ++free_pages: + kfree(pages); + + if (!ret) +-- +2.25.1 + diff --git a/queue-5.9/drm-amd-display-disconnect-pipe-separetely-when-disa.patch b/queue-5.9/drm-amd-display-disconnect-pipe-separetely-when-disa.patch new file mode 100644 index 00000000000..9973d1e4637 --- /dev/null +++ b/queue-5.9/drm-amd-display-disconnect-pipe-separetely-when-disa.patch @@ -0,0 +1,313 @@ +From a007c4ef0075390efb898f6eefe3e3da99164874 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 23:08:59 -0400 +Subject: drm/amd/display: Disconnect pipe separetely when disable pipe split + +From: Alvin Lee + +[ Upstream commit 81b437f57e35a6caa3a4304e6fff0eba0a9f3266 ] + +[Why] +When changing pixel formats for HDR (e.g. ARGB -> FP16) +there are configurations that change from 2 pipes to 1 pipe. +In these cases, it seems that disconnecting MPCC and doing +a surface update at the same time(after unlocking) causes +some registers to be updated slightly faster than others +after unlocking (e.g. if the pixel format is updated to FP16 +before the new surface address is programmed, we get +corruption on the screen because the pixel formats aren't +matching). We separate disconnecting MPCC from the rest +of the pipe programming sequence to prevent this. + +[How] +Move MPCC disconnect into separate operation than the +rest of the pipe programming. + +Signed-off-by: Alvin Lee +Reviewed-by: Aric Cyr +Acked-by: Qingqing Zhuo +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 10 ++ + .../amd/display/dc/dcn10/dcn10_hw_sequencer.c | 146 ++++++++++++++++++ + .../amd/display/dc/dcn10/dcn10_hw_sequencer.h | 6 + + .../gpu/drm/amd/display/dc/dcn10/dcn10_init.c | 2 + + .../gpu/drm/amd/display/dc/dcn20/dcn20_init.c | 2 + + .../gpu/drm/amd/display/dc/dcn21/dcn21_init.c | 2 + + .../gpu/drm/amd/display/dc/dcn30/dcn30_init.c | 2 + + .../gpu/drm/amd/display/dc/inc/hw_sequencer.h | 4 + + 8 files changed, 174 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 22cbfda6ab338..95ec8ae5a7739 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -2295,6 +2295,7 @@ static void commit_planes_for_stream(struct dc *dc, + enum surface_update_type update_type, + struct dc_state *context) + { ++ bool mpcc_disconnected = false; + int i, j; + struct pipe_ctx *top_pipe_to_program = NULL; + +@@ -2325,6 +2326,15 @@ static void commit_planes_for_stream(struct dc *dc, + context_clock_trace(dc, context); + } + ++ if (update_type != UPDATE_TYPE_FAST && dc->hwss.interdependent_update_lock && ++ dc->hwss.disconnect_pipes && dc->hwss.wait_for_pending_cleared){ ++ dc->hwss.interdependent_update_lock(dc, context, true); ++ mpcc_disconnected = dc->hwss.disconnect_pipes(dc, context); ++ dc->hwss.interdependent_update_lock(dc, context, false); ++ if (mpcc_disconnected) ++ dc->hwss.wait_for_pending_cleared(dc, context); ++ } ++ + for (j = 0; j < dc->res_pool->pipe_count; j++) { + struct pipe_ctx *pipe_ctx = &context->res_ctx.pipe_ctx[j]; + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +index fa643ec5a8760..4bbfd8a26a606 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -2769,6 +2769,152 @@ static struct pipe_ctx *dcn10_find_top_pipe_for_stream( + return NULL; + } + ++bool dcn10_disconnect_pipes( ++ struct dc *dc, ++ struct dc_state *context) ++{ ++ bool found_stream = false; ++ int i, j; ++ struct dce_hwseq *hws = dc->hwseq; ++ struct dc_state *old_ctx = dc->current_state; ++ bool mpcc_disconnected = false; ++ struct pipe_ctx *old_pipe; ++ struct pipe_ctx *new_pipe; ++ DC_LOGGER_INIT(dc->ctx->logger); ++ ++ /* Set pipe update flags and lock pipes */ ++ for (i = 0; i < dc->res_pool->pipe_count; i++) { ++ old_pipe = &dc->current_state->res_ctx.pipe_ctx[i]; ++ new_pipe = &context->res_ctx.pipe_ctx[i]; ++ new_pipe->update_flags.raw = 0; ++ ++ if (!old_pipe->plane_state && !new_pipe->plane_state) ++ continue; ++ ++ if (old_pipe->plane_state && !new_pipe->plane_state) ++ new_pipe->update_flags.bits.disable = 1; ++ ++ /* Check for scl update */ ++ if (memcmp(&old_pipe->plane_res.scl_data, &new_pipe->plane_res.scl_data, sizeof(struct scaler_data))) ++ new_pipe->update_flags.bits.scaler = 1; ++ ++ /* Check for vp update */ ++ if (memcmp(&old_pipe->plane_res.scl_data.viewport, &new_pipe->plane_res.scl_data.viewport, sizeof(struct rect)) ++ || memcmp(&old_pipe->plane_res.scl_data.viewport_c, ++ &new_pipe->plane_res.scl_data.viewport_c, sizeof(struct rect))) ++ new_pipe->update_flags.bits.viewport = 1; ++ ++ } ++ ++ if (!IS_DIAG_DC(dc->ctx->dce_environment)) { ++ /* Disconnect mpcc here only if losing pipe split*/ ++ for (i = 0; i < dc->res_pool->pipe_count; i++) { ++ if (context->res_ctx.pipe_ctx[i].update_flags.bits.disable && ++ old_ctx->res_ctx.pipe_ctx[i].top_pipe) { ++ ++ /* Find the top pipe in the new ctx for the bottom pipe that we ++ * want to remove by comparing the streams. If both pipes are being ++ * disabled then do it in the regular pipe programming sequence ++ */ ++ for (j = 0; j < dc->res_pool->pipe_count; j++) { ++ if (old_ctx->res_ctx.pipe_ctx[i].top_pipe->stream == context->res_ctx.pipe_ctx[j].stream && ++ !context->res_ctx.pipe_ctx[j].top_pipe && ++ !context->res_ctx.pipe_ctx[j].update_flags.bits.disable) { ++ found_stream = true; ++ break; ++ } ++ } ++ ++ // Disconnect if the top pipe lost it's pipe split ++ if (found_stream && !context->res_ctx.pipe_ctx[j].bottom_pipe) { ++ hws->funcs.plane_atomic_disconnect(dc, &dc->current_state->res_ctx.pipe_ctx[i]); ++ DC_LOG_DC("Reset mpcc for pipe %d\n", dc->current_state->res_ctx.pipe_ctx[i].pipe_idx); ++ mpcc_disconnected = true; ++ } ++ } ++ found_stream = false; ++ } ++ } ++ ++ if (mpcc_disconnected) { ++ for (i = 0; i < dc->res_pool->pipe_count; i++) { ++ struct pipe_ctx *pipe_ctx = &context->res_ctx.pipe_ctx[i]; ++ struct pipe_ctx *old_pipe = &dc->current_state->res_ctx.pipe_ctx[i]; ++ struct dc_plane_state *plane_state = pipe_ctx->plane_state; ++ struct hubp *hubp = pipe_ctx->plane_res.hubp; ++ ++ if (!pipe_ctx || !plane_state || !pipe_ctx->stream) ++ continue; ++ ++ // Only update scaler and viewport here if we lose a pipe split. ++ // This is to prevent half the screen from being black when we ++ // unlock after disconnecting MPCC. ++ if (!(old_pipe && !pipe_ctx->top_pipe && ++ !pipe_ctx->bottom_pipe && old_pipe->bottom_pipe)) ++ continue; ++ ++ if (pipe_ctx->update_flags.raw || pipe_ctx->plane_state->update_flags.raw || pipe_ctx->stream->update_flags.raw) { ++ if (pipe_ctx->update_flags.bits.scaler || ++ plane_state->update_flags.bits.scaling_change || ++ plane_state->update_flags.bits.position_change || ++ plane_state->update_flags.bits.per_pixel_alpha_change || ++ pipe_ctx->stream->update_flags.bits.scaling) { ++ ++ pipe_ctx->plane_res.scl_data.lb_params.alpha_en = pipe_ctx->plane_state->per_pixel_alpha; ++ ASSERT(pipe_ctx->plane_res.scl_data.lb_params.depth == LB_PIXEL_DEPTH_30BPP); ++ /* scaler configuration */ ++ pipe_ctx->plane_res.dpp->funcs->dpp_set_scaler( ++ pipe_ctx->plane_res.dpp, &pipe_ctx->plane_res.scl_data); ++ } ++ ++ if (pipe_ctx->update_flags.bits.viewport || ++ (context == dc->current_state && plane_state->update_flags.bits.position_change) || ++ (context == dc->current_state && plane_state->update_flags.bits.scaling_change) || ++ (context == dc->current_state && pipe_ctx->stream->update_flags.bits.scaling)) { ++ ++ hubp->funcs->mem_program_viewport( ++ hubp, ++ &pipe_ctx->plane_res.scl_data.viewport, ++ &pipe_ctx->plane_res.scl_data.viewport_c); ++ } ++ } ++ } ++ } ++ return mpcc_disconnected; ++} ++ ++void dcn10_wait_for_pending_cleared(struct dc *dc, ++ struct dc_state *context) ++{ ++ struct pipe_ctx *pipe_ctx; ++ struct timing_generator *tg; ++ int i; ++ ++ for (i = 0; i < dc->res_pool->pipe_count; i++) { ++ pipe_ctx = &context->res_ctx.pipe_ctx[i]; ++ tg = pipe_ctx->stream_res.tg; ++ ++ /* ++ * Only wait for top pipe's tg penindg bit ++ * Also skip if pipe is disabled. ++ */ ++ if (pipe_ctx->top_pipe || ++ !pipe_ctx->stream || !pipe_ctx->plane_state || ++ !tg->funcs->is_tg_enabled(tg)) ++ continue; ++ ++ /* ++ * Wait for VBLANK then VACTIVE to ensure we get VUPDATE. ++ * For some reason waiting for OTG_UPDATE_PENDING cleared ++ * seems to not trigger the update right away, and if we ++ * lock again before VUPDATE then we don't get a separated ++ * operation. ++ */ ++ pipe_ctx->stream_res.tg->funcs->wait_for_state(pipe_ctx->stream_res.tg, CRTC_STATE_VBLANK); ++ pipe_ctx->stream_res.tg->funcs->wait_for_state(pipe_ctx->stream_res.tg, CRTC_STATE_VACTIVE); ++ } ++} ++ + void dcn10_apply_ctx_for_surface( + struct dc *dc, + const struct dc_stream_state *stream, +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h +index 6d891166da8a4..e5691e4990231 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h +@@ -194,6 +194,12 @@ void dcn10_get_surface_visual_confirm_color( + void dcn10_get_hdr_visual_confirm_color( + struct pipe_ctx *pipe_ctx, + struct tg_color *color); ++bool dcn10_disconnect_pipes( ++ struct dc *dc, ++ struct dc_state *context); ++ ++void dcn10_wait_for_pending_cleared(struct dc *dc, ++ struct dc_state *context); + void dcn10_set_hdr_multiplier(struct pipe_ctx *pipe_ctx); + void dcn10_verify_allow_pstate_change_high(struct dc *dc); + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c +index 5c98b71c1d47a..a1d1559bb5d73 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c +@@ -34,6 +34,8 @@ static const struct hw_sequencer_funcs dcn10_funcs = { + .apply_ctx_to_hw = dce110_apply_ctx_to_hw, + .apply_ctx_for_surface = dcn10_apply_ctx_for_surface, + .post_unlock_program_front_end = dcn10_post_unlock_program_front_end, ++ .disconnect_pipes = dcn10_disconnect_pipes, ++ .wait_for_pending_cleared = dcn10_wait_for_pending_cleared, + .update_plane_addr = dcn10_update_plane_addr, + .update_dchub = dcn10_update_dchub, + .update_pending_status = dcn10_update_pending_status, +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_init.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_init.c +index 3dde6f26de474..966e1790b9bfd 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_init.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_init.c +@@ -34,6 +34,8 @@ static const struct hw_sequencer_funcs dcn20_funcs = { + .apply_ctx_to_hw = dce110_apply_ctx_to_hw, + .apply_ctx_for_surface = NULL, + .program_front_end_for_ctx = dcn20_program_front_end_for_ctx, ++ .disconnect_pipes = dcn10_disconnect_pipes, ++ .wait_for_pending_cleared = dcn10_wait_for_pending_cleared, + .post_unlock_program_front_end = dcn20_post_unlock_program_front_end, + .update_plane_addr = dcn20_update_plane_addr, + .update_dchub = dcn10_update_dchub, +diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_init.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_init.c +index b187f71afa652..2ba880c3943c3 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_init.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_init.c +@@ -35,6 +35,8 @@ static const struct hw_sequencer_funcs dcn21_funcs = { + .apply_ctx_to_hw = dce110_apply_ctx_to_hw, + .apply_ctx_for_surface = NULL, + .program_front_end_for_ctx = dcn20_program_front_end_for_ctx, ++ .disconnect_pipes = dcn10_disconnect_pipes, ++ .wait_for_pending_cleared = dcn10_wait_for_pending_cleared, + .post_unlock_program_front_end = dcn20_post_unlock_program_front_end, + .update_plane_addr = dcn20_update_plane_addr, + .update_dchub = dcn10_update_dchub, +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_init.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_init.c +index 9afee71604902..19daa456e3bfe 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_init.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_init.c +@@ -35,6 +35,8 @@ static const struct hw_sequencer_funcs dcn30_funcs = { + .apply_ctx_to_hw = dce110_apply_ctx_to_hw, + .apply_ctx_for_surface = NULL, + .program_front_end_for_ctx = dcn20_program_front_end_for_ctx, ++ .disconnect_pipes = dcn10_disconnect_pipes, ++ .wait_for_pending_cleared = dcn10_wait_for_pending_cleared, + .post_unlock_program_front_end = dcn20_post_unlock_program_front_end, + .update_plane_addr = dcn20_update_plane_addr, + .update_dchub = dcn10_update_dchub, +diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h b/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h +index 3c986717dcd56..64c1be818b0e8 100644 +--- a/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h ++++ b/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h +@@ -67,6 +67,10 @@ struct hw_sequencer_funcs { + int num_planes, struct dc_state *context); + void (*program_front_end_for_ctx)(struct dc *dc, + struct dc_state *context); ++ bool (*disconnect_pipes)(struct dc *dc, ++ struct dc_state *context); ++ void (*wait_for_pending_cleared)(struct dc *dc, ++ struct dc_state *context); + void (*post_unlock_program_front_end)(struct dc *dc, + struct dc_state *context); + void (*update_plane_addr)(const struct dc *dc, +-- +2.25.1 + diff --git a/queue-5.9/drm-amd-display-fix-potential-integer-overflow-when-.patch b/queue-5.9/drm-amd-display-fix-potential-integer-overflow-when-.patch new file mode 100644 index 00000000000..85e14a4d57c --- /dev/null +++ b/queue-5.9/drm-amd-display-fix-potential-integer-overflow-when-.patch @@ -0,0 +1,40 @@ +From 82a7d2f600d4ca274913a87d41cd89547425a176 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 13:09:14 +0100 +Subject: drm/amd/display: fix potential integer overflow when shifting 32 bit + variable bl_pwm + +From: Colin Ian King + +[ Upstream commit 1d5503331b12a76266049289747dfd94f1643fde ] + +The 32 bit unsigned integer bl_pwm is being shifted using 32 bit arithmetic +and then being assigned to a 64 bit unsigned integer. There is a potential +for a 32 bit overflow so cast bl_pwm to enforce a 64 bit shift operation +to avoid this. + +Addresses-Coverity: ("unintentional integer overflow") +Fixes: 3ba01817365c ("drm/amd/display: Move panel_cntl specific register from abm to panel_cntl.") +Signed-off-by: Colin Ian King +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c b/drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c +index 43781e77be431..f9456ff6845b6 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_panel_cntl.c +@@ -75,7 +75,7 @@ static unsigned int calculate_16_bit_backlight_from_pwm(struct dce_panel_cntl *d + else + bl_pwm &= 0xFFFF; + +- current_backlight = bl_pwm << (1 + bl_int_count); ++ current_backlight = (uint64_t)bl_pwm << (1 + bl_int_count); + + if (bl_period == 0) + bl_period = 0xFFFF; +-- +2.25.1 + diff --git a/queue-5.9/drm-amd-display-fix-wrong-return-value-in-dm_update_.patch b/queue-5.9/drm-amd-display-fix-wrong-return-value-in-dm_update_.patch new file mode 100644 index 00000000000..56f50eb3c62 --- /dev/null +++ b/queue-5.9/drm-amd-display-fix-wrong-return-value-in-dm_update_.patch @@ -0,0 +1,38 @@ +From 001ac683fe2e8162a363ddf7187301d4e7189b74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:36 +0800 +Subject: drm/amd/display: Fix wrong return value in dm_update_plane_state() + +From: Tianjia Zhang + +[ Upstream commit c35376137e940c3389df2726a92649c01a9844b4 ] + +On an error exit path, a negative error code should be returned +instead of a positive return value. + +Fixes: 9e869063b0021 ("drm/amd/display: Move iteration out of dm_update_planes") +Cc: Leo Li +Signed-off-by: Tianjia Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index a717a4904268e..5474f7e4c75b1 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8217,8 +8217,7 @@ static int dm_update_plane_state(struct dc *dc, + dm_old_plane_state->dc_state, + dm_state->context)) { + +- ret = EINVAL; +- return ret; ++ return -EINVAL; + } + + +-- +2.25.1 + diff --git a/queue-5.9/drm-amd-display-screen-corruption-on-dual-displays-d.patch b/queue-5.9/drm-amd-display-screen-corruption-on-dual-displays-d.patch new file mode 100644 index 00000000000..1973aacba83 --- /dev/null +++ b/queue-5.9/drm-amd-display-screen-corruption-on-dual-displays-d.patch @@ -0,0 +1,76 @@ +From 59c9dccf31e1550972cc64a6adb97c928208c1c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 15:35:41 -0400 +Subject: drm/amd/display: Screen corruption on dual displays (DP+USB-C) + +From: Qingqing Zhuo + +[ Upstream commit ce271b40a91f781af3dee985c39e841ac5148766 ] + +[why] +Current pipe merge and split logic only supports cases where new +dc_state is allocated and relies on dc->current_state to gather +information from previous dc_state. + +Calls to validate_bandwidth on UPDATE_TYPE_MED would cause an issue +because there is no new dc_state allocated, and data in +dc->current_state would be overwritten during pipe merge. + +[how] +Only allow validate_bandwidth when new dc_state space is created. + +Signed-off-by: Qingqing Zhuo +Reviewed-by: Nicholas Kazlauskas +Acked-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 2 +- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 3 +++ + drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 3 +++ + 3 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 92eb1ca1634fc..22cbfda6ab338 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -2621,7 +2621,7 @@ void dc_commit_updates_for_stream(struct dc *dc, + + copy_stream_update_to_stream(dc, context, stream, stream_update); + +- if (update_type > UPDATE_TYPE_FAST) { ++ if (update_type >= UPDATE_TYPE_FULL) { + if (!dc->res_pool->funcs->validate_bandwidth(dc, context, false)) { + DC_ERROR("Mode validation failed for stream update!\n"); + dc_release_state(context); +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +index f31f48dd0da29..aaf9a99f9f045 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +@@ -3209,6 +3209,9 @@ static noinline bool dcn20_validate_bandwidth_fp(struct dc *dc, + context->bw_ctx.dml.soc.allow_dram_clock_one_display_vactive = + dc->debug.enable_dram_clock_change_one_display_vactive; + ++ /*Unsafe due to current pipe merge and split logic*/ ++ ASSERT(context != dc->current_state); ++ + if (fast_validate) { + return dcn20_validate_bandwidth_internal(dc, context, true); + } +diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c +index 88d41a385add8..a4f37d83d5cc9 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c +@@ -1184,6 +1184,9 @@ bool dcn21_validate_bandwidth(struct dc *dc, struct dc_state *context, + + BW_VAL_TRACE_COUNT(); + ++ /*Unsafe due to current pipe merge and split logic*/ ++ ASSERT(context != dc->current_state); ++ + out = dcn20_fast_validate_bw(dc, context, pipes, &pipe_cnt, pipe_split_from, &vlevel); + + if (pipe_cnt == 0) +-- +2.25.1 + diff --git a/queue-5.9/drm-amdgpu-fix-invalid-number-of-character-in-amdgpu.patch b/queue-5.9/drm-amdgpu-fix-invalid-number-of-character-in-amdgpu.patch new file mode 100644 index 00000000000..7c0fb972daa --- /dev/null +++ b/queue-5.9/drm-amdgpu-fix-invalid-number-of-character-in-amdgpu.patch @@ -0,0 +1,53 @@ +From 3e269b66376083e76b2ed108fc9eb5ba57ce7609 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 15:42:18 +0800 +Subject: drm/amdgpu: Fix invalid number of character '{' in amdgpu_acpi_init + +From: Ye Bin + +[ Upstream commit 9c27bc97aff8bbe62b5b29ebf528291dd85d9c86 ] + +Fix follow warning: +Checking drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c... +[drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:770]: (error) Invalid number +of character '{' when these macros are defined: ''. +Checking drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c: CONFIG_ACPI... +[drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:770]: (error) Invalid number +of character '{' when these macros are defined: 'CONFIG_ACPI'. +...... +Checking drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c: CONFIG_X86... +[drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:770]: (error) Invalid number +of character '{' when these macros are defined: 'CONFIG_X86'. +Checking drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c: _X86_... +[drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:770]: (error) Invalid number +of character '{' when these macros are defined: '_X86_'. +Checking drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c: __linux__... +[drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:770]: (error) Invalid number +of character '{' when these macros are defined: '__linux__'. + +Fixes: 97d798b276e9 ("drm/amdgpu: simplify ATIF backlight handling") +Reported-by: Hulk Robot +Signed-off-by: Ye Bin +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +index 913c8f0513bd3..5b7dc1d1b44c7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -806,8 +806,8 @@ int amdgpu_acpi_init(struct amdgpu_device *adev) + } + adev->atif = atif; + +- if (atif->notifications.brightness_change) { + #if defined(CONFIG_BACKLIGHT_CLASS_DEVICE) || defined(CONFIG_BACKLIGHT_CLASS_DEVICE_MODULE) ++ if (atif->notifications.brightness_change) { + if (amdgpu_device_has_dc_support(adev)) { + #if defined(CONFIG_DRM_AMD_DC) + struct amdgpu_display_manager *dm = &adev->dm; +-- +2.25.1 + diff --git a/queue-5.9/drm-amdgpu-fix-max_entries-calculation-v4.patch b/queue-5.9/drm-amdgpu-fix-max_entries-calculation-v4.patch new file mode 100644 index 00000000000..0a91b0eda8f --- /dev/null +++ b/queue-5.9/drm-amdgpu-fix-max_entries-calculation-v4.patch @@ -0,0 +1,61 @@ +From 70880d65c3abfcf5ee4777f92e44c3ff1ba8b79f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:07:14 +0200 +Subject: drm/amdgpu: fix max_entries calculation v4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +[ Upstream commit ee354ff1c7c210fb41952ebf0a820fb714eae7b1 ] + +Calculate the correct value for max_entries or we might run after the +page_address array. + +v2: Xinhui pointed out we don't need the shift +v3: use local copy of start and simplify some calculation +v4: fix the case that we map less VA range than BO size + +Signed-off-by: Christian König +Fixes: 1e691e244487 drm/amdgpu: stop allocating dummy GTT nodes +Reviewed-by: xinhui pan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index 71e005cf29522..479735c448478 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -1691,13 +1691,13 @@ static int amdgpu_vm_bo_split_mapping(struct amdgpu_device *adev, + uint64_t max_entries; + uint64_t addr, last; + ++ max_entries = mapping->last - start + 1; + if (nodes) { + addr = nodes->start << PAGE_SHIFT; +- max_entries = (nodes->size - pfn) * +- AMDGPU_GPU_PAGES_IN_CPU_PAGE; ++ max_entries = min((nodes->size - pfn) * ++ AMDGPU_GPU_PAGES_IN_CPU_PAGE, max_entries); + } else { + addr = 0; +- max_entries = S64_MAX; + } + + if (pages_addr) { +@@ -1727,7 +1727,7 @@ static int amdgpu_vm_bo_split_mapping(struct amdgpu_device *adev, + addr += pfn << PAGE_SHIFT; + } + +- last = min((uint64_t)mapping->last, start + max_entries - 1); ++ last = start + max_entries - 1; + r = amdgpu_vm_bo_update_mapping(adev, vm, false, false, resv, + start, last, flags, addr, + dma_addr, fence); +-- +2.25.1 + diff --git a/queue-5.9/drm-crc-debugfs-fix-memleak-in-crc_control_write.patch b/queue-5.9/drm-crc-debugfs-fix-memleak-in-crc_control_write.patch new file mode 100644 index 00000000000..6308d4c6c7f --- /dev/null +++ b/queue-5.9/drm-crc-debugfs-fix-memleak-in-crc_control_write.patch @@ -0,0 +1,43 @@ +From 9f0e489c2b16648542cc30f79b9365746ea70ea0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 16:22:28 +0800 +Subject: drm/crc-debugfs: Fix memleak in crc_control_write + +From: Dinghao Liu + +[ Upstream commit f7ec68b341dbd5da13d4c65ce444dcd605f1c42e ] + +When verify_crc_source() fails, source needs to be freed. +However, current code is returning directly and ends up +leaking memory. + +Fixes: d5cc15a0c66e ("drm: crc: Introduce verify_crc_source callback") +Signed-off-by: Dinghao Liu +Reviewed-by: Laurent Pinchart +[danvet: change Fixes: tag per Laurent's review] +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200819082228.26847-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_debugfs_crc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_debugfs_crc.c b/drivers/gpu/drm/drm_debugfs_crc.c +index 5d67a41f7c3a8..3dd70d813f694 100644 +--- a/drivers/gpu/drm/drm_debugfs_crc.c ++++ b/drivers/gpu/drm/drm_debugfs_crc.c +@@ -144,8 +144,10 @@ static ssize_t crc_control_write(struct file *file, const char __user *ubuf, + source[len - 1] = '\0'; + + ret = crtc->funcs->verify_crc_source(crtc, source, &values_cnt); +- if (ret) ++ if (ret) { ++ kfree(source); + return ret; ++ } + + spin_lock_irq(&crc->lock); + +-- +2.25.1 + diff --git a/queue-5.9/drm-fix-double-free-for-gbo-in-drm_gem_vram_init-and.patch b/queue-5.9/drm-fix-double-free-for-gbo-in-drm_gem_vram_init-and.patch new file mode 100644 index 00000000000..22cd5b87fb4 --- /dev/null +++ b/queue-5.9/drm-fix-double-free-for-gbo-in-drm_gem_vram_init-and.patch @@ -0,0 +1,172 @@ +From 513f6d03849b230b7fa0be72e4c965481f9e674f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 10:32:36 +0200 +Subject: drm: fix double free for gbo in drm_gem_vram_init and + drm_gem_vram_create + +From: Jia Yang + +[ Upstream commit da62cb7230f0871c30dc9789071f63229158d261 ] + +I got a use-after-free report when doing some fuzz test: + +If ttm_bo_init() fails, the "gbo" and "gbo->bo.base" will be +freed by ttm_buffer_object_destroy() in ttm_bo_init(). But +then drm_gem_vram_create() and drm_gem_vram_init() will free +"gbo" and "gbo->bo.base" again. + +BUG: KMSAN: use-after-free in drm_vma_offset_remove+0xb3/0x150 +CPU: 0 PID: 24282 Comm: syz-executor.1 Tainted: G B W 5.7.0-rc4-msan #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack + dump_stack+0x1c9/0x220 + kmsan_report+0xf7/0x1e0 + __msan_warning+0x58/0xa0 + drm_vma_offset_remove+0xb3/0x150 + drm_gem_free_mmap_offset + drm_gem_object_release+0x159/0x180 + drm_gem_vram_init + drm_gem_vram_create+0x7c5/0x990 + drm_gem_vram_fill_create_dumb + drm_gem_vram_driver_dumb_create+0x238/0x590 + drm_mode_create_dumb + drm_mode_create_dumb_ioctl+0x41d/0x450 + drm_ioctl_kernel+0x5a4/0x710 + drm_ioctl+0xc6f/0x1240 + vfs_ioctl + ksys_ioctl + __do_sys_ioctl + __se_sys_ioctl+0x2e9/0x410 + __x64_sys_ioctl+0x4a/0x70 + do_syscall_64+0xb8/0x160 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x4689b9 +Code: fd e0 fa ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb e0 fa ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f368fa4dc98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 000000000076bf00 RCX: 00000000004689b9 +RDX: 0000000020000240 RSI: 00000000c02064b2 RDI: 0000000000000003 +RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00000000004d17e0 R14: 00007f368fa4e6d4 R15: 000000000076bf0c + +Uninit was created at: + kmsan_save_stack_with_flags + kmsan_internal_poison_shadow+0x66/0xd0 + kmsan_slab_free+0x6e/0xb0 + slab_free_freelist_hook + slab_free + kfree+0x571/0x30a0 + drm_gem_vram_destroy + ttm_buffer_object_destroy+0xc8/0x130 + ttm_bo_release + kref_put + ttm_bo_put+0x117d/0x23e0 + ttm_bo_init_reserved+0x11c0/0x11d0 + ttm_bo_init+0x289/0x3f0 + drm_gem_vram_init + drm_gem_vram_create+0x775/0x990 + drm_gem_vram_fill_create_dumb + drm_gem_vram_driver_dumb_create+0x238/0x590 + drm_mode_create_dumb + drm_mode_create_dumb_ioctl+0x41d/0x450 + drm_ioctl_kernel+0x5a4/0x710 + drm_ioctl+0xc6f/0x1240 + vfs_ioctl + ksys_ioctl + __do_sys_ioctl + __se_sys_ioctl+0x2e9/0x410 + __x64_sys_ioctl+0x4a/0x70 + do_syscall_64+0xb8/0x160 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +If ttm_bo_init() fails, the "gbo" will be freed by +ttm_buffer_object_destroy() in ttm_bo_init(). But then +drm_gem_vram_create() and drm_gem_vram_init() will free +"gbo" again. + +Reported-by: Hulk Robot +Reported-by: butt3rflyh4ck +Signed-off-by: Jia Yang +Signed-off-by: Thomas Zimmermann +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20200714083238.28479-2-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_gem_vram_helper.c | 28 +++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/drm_gem_vram_helper.c b/drivers/gpu/drm/drm_gem_vram_helper.c +index 3296ed3df3580..8b65ca164bf4b 100644 +--- a/drivers/gpu/drm/drm_gem_vram_helper.c ++++ b/drivers/gpu/drm/drm_gem_vram_helper.c +@@ -167,6 +167,10 @@ static void drm_gem_vram_placement(struct drm_gem_vram_object *gbo, + } + } + ++/* ++ * Note that on error, drm_gem_vram_init will free the buffer object. ++ */ ++ + static int drm_gem_vram_init(struct drm_device *dev, + struct drm_gem_vram_object *gbo, + size_t size, unsigned long pg_align) +@@ -176,15 +180,19 @@ static int drm_gem_vram_init(struct drm_device *dev, + int ret; + size_t acc_size; + +- if (WARN_ONCE(!vmm, "VRAM MM not initialized")) ++ if (WARN_ONCE(!vmm, "VRAM MM not initialized")) { ++ kfree(gbo); + return -EINVAL; ++ } + bdev = &vmm->bdev; + + gbo->bo.base.funcs = &drm_gem_vram_object_funcs; + + ret = drm_gem_object_init(dev, &gbo->bo.base, size); +- if (ret) ++ if (ret) { ++ kfree(gbo); + return ret; ++ } + + acc_size = ttm_bo_dma_acc_size(bdev, size, sizeof(*gbo)); + +@@ -195,13 +203,13 @@ static int drm_gem_vram_init(struct drm_device *dev, + &gbo->placement, pg_align, false, acc_size, + NULL, NULL, ttm_buffer_object_destroy); + if (ret) +- goto err_drm_gem_object_release; ++ /* ++ * A failing ttm_bo_init will call ttm_buffer_object_destroy ++ * to release gbo->bo.base and kfree gbo. ++ */ ++ return ret; + + return 0; +- +-err_drm_gem_object_release: +- drm_gem_object_release(&gbo->bo.base); +- return ret; + } + + /** +@@ -235,13 +243,9 @@ struct drm_gem_vram_object *drm_gem_vram_create(struct drm_device *dev, + + ret = drm_gem_vram_init(dev, gbo, size, pg_align); + if (ret < 0) +- goto err_kfree; ++ return ERR_PTR(ret); + + return gbo; +- +-err_kfree: +- kfree(gbo); +- return ERR_PTR(ret); + } + EXPORT_SYMBOL(drm_gem_vram_create); + +-- +2.25.1 + diff --git a/queue-5.9/drm-gma500-fix-error-check.patch b/queue-5.9/drm-gma500-fix-error-check.patch new file mode 100644 index 00000000000..fa288101c90 --- /dev/null +++ b/queue-5.9/drm-gma500-fix-error-check.patch @@ -0,0 +1,54 @@ +From 4fe02acd50f4172d61703d4b4abf7244476c0db6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 13:59:11 -0700 +Subject: drm/gma500: fix error check + +From: Tom Rix + +[ Upstream commit cdd296cdae1af2d27dae3fcfbdf12c5252ab78cf ] + +Reviewing this block of code in cdv_intel_dp_init() + +ret = cdv_intel_dp_aux_native_read(gma_encoder, DP_DPCD_REV, ... + +cdv_intel_edp_panel_vdd_off(gma_encoder); +if (ret == 0) { + /* if this fails, presume the device is a ghost */ + DRM_INFO("failed to retrieve link info, disabling eDP\n"); + drm_encoder_cleanup(encoder); + cdv_intel_dp_destroy(connector); + goto err_priv; +} else { + +The (ret == 0) is not strict enough. +cdv_intel_dp_aux_native_read() returns > 0 on success +otherwise it is failure. + +So change to <= + +Fixes: d112a8163f83 ("gma500/cdv: Add eDP support") + +Signed-off-by: Tom Rix +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20200805205911.20927-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c +index f41cbb753bb46..720a767118c9c 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c +@@ -2078,7 +2078,7 @@ cdv_intel_dp_init(struct drm_device *dev, struct psb_intel_mode_device *mode_dev + intel_dp->dpcd, + sizeof(intel_dp->dpcd)); + cdv_intel_edp_panel_vdd_off(gma_encoder); +- if (ret == 0) { ++ if (ret <= 0) { + /* if this fails, presume the device is a ghost */ + DRM_INFO("failed to retrieve link info, disabling eDP\n"); + drm_encoder_cleanup(encoder); +-- +2.25.1 + diff --git a/queue-5.9/drm-hisilicon-code-refactoring-for-hibmc_drv_de.patch b/queue-5.9/drm-hisilicon-code-refactoring-for-hibmc_drv_de.patch new file mode 100644 index 00000000000..9110e056002 --- /dev/null +++ b/queue-5.9/drm-hisilicon-code-refactoring-for-hibmc_drv_de.patch @@ -0,0 +1,121 @@ +From b641fd1cfd43eaf7e3cc4f57e94fb3a159a58edf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 15:42:59 +0800 +Subject: drm/hisilicon: Code refactoring for hibmc_drv_de + +From: Tian Tao + +[ Upstream commit 13b0d4a9ae0c2d650993c48be797992eaf621332 ] + +The memory used to be allocated with devres helpers and released +automatically. In rare circumstances, the memory's release could +have happened before the DRM device got released, which would have +caused memory corruption of some kind. Now we're embedding the data +structures in struct hibmc_drm_private. The whole release problem +has been resolved, because struct hibmc_drm_private is allocated +with drmm_kzalloc and always released with the DRM device. + +Signed-off-by: Tian Tao +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/1597218179-3938-3-git-send-email-tiantao6@hisilicon.com +Signed-off-by: Sasha Levin +--- + .../gpu/drm/hisilicon/hibmc/hibmc_drm_de.c | 55 +++++-------------- + .../gpu/drm/hisilicon/hibmc/hibmc_drm_drv.h | 2 + + 2 files changed, 15 insertions(+), 42 deletions(-) + +diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c +index cc70e836522f0..8758958e16893 100644 +--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c ++++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_de.c +@@ -160,37 +160,6 @@ static const struct drm_plane_helper_funcs hibmc_plane_helper_funcs = { + .atomic_update = hibmc_plane_atomic_update, + }; + +-static struct drm_plane *hibmc_plane_init(struct hibmc_drm_private *priv) +-{ +- struct drm_device *dev = priv->dev; +- struct drm_plane *plane; +- int ret = 0; +- +- plane = devm_kzalloc(dev->dev, sizeof(*plane), GFP_KERNEL); +- if (!plane) { +- DRM_ERROR("failed to alloc memory when init plane\n"); +- return ERR_PTR(-ENOMEM); +- } +- /* +- * plane init +- * TODO: Now only support primary plane, overlay planes +- * need to do. +- */ +- ret = drm_universal_plane_init(dev, plane, 1, &hibmc_plane_funcs, +- channel_formats1, +- ARRAY_SIZE(channel_formats1), +- NULL, +- DRM_PLANE_TYPE_PRIMARY, +- NULL); +- if (ret) { +- DRM_ERROR("failed to init plane: %d\n", ret); +- return ERR_PTR(ret); +- } +- +- drm_plane_helper_add(plane, &hibmc_plane_helper_funcs); +- return plane; +-} +- + static void hibmc_crtc_dpms(struct drm_crtc *crtc, int dpms) + { + struct hibmc_drm_private *priv = crtc->dev->dev_private; +@@ -537,22 +506,24 @@ static const struct drm_crtc_helper_funcs hibmc_crtc_helper_funcs = { + int hibmc_de_init(struct hibmc_drm_private *priv) + { + struct drm_device *dev = priv->dev; +- struct drm_crtc *crtc; +- struct drm_plane *plane; ++ struct drm_crtc *crtc = &priv->crtc; ++ struct drm_plane *plane = &priv->primary_plane; + int ret; + +- plane = hibmc_plane_init(priv); +- if (IS_ERR(plane)) { +- DRM_ERROR("failed to create plane: %ld\n", PTR_ERR(plane)); +- return PTR_ERR(plane); +- } ++ ret = drm_universal_plane_init(dev, plane, 1, &hibmc_plane_funcs, ++ channel_formats1, ++ ARRAY_SIZE(channel_formats1), ++ NULL, ++ DRM_PLANE_TYPE_PRIMARY, ++ NULL); + +- crtc = devm_kzalloc(dev->dev, sizeof(*crtc), GFP_KERNEL); +- if (!crtc) { +- DRM_ERROR("failed to alloc memory when init crtc\n"); +- return -ENOMEM; ++ if (ret) { ++ DRM_ERROR("failed to init plane: %d\n", ret); ++ return ret; + } + ++ drm_plane_helper_add(plane, &hibmc_plane_helper_funcs); ++ + ret = drm_crtc_init_with_planes(dev, crtc, plane, + NULL, &hibmc_crtc_funcs, NULL); + if (ret) { +diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.h b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.h +index 609768748de65..0a74ba220cac5 100644 +--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.h ++++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.h +@@ -29,6 +29,8 @@ struct hibmc_drm_private { + + /* drm */ + struct drm_device *dev; ++ struct drm_plane primary_plane; ++ struct drm_crtc crtc; + struct drm_encoder encoder; + struct drm_connector connector; + bool mode_config_initialized; +-- +2.25.1 + diff --git a/queue-5.9/drm-malidp-use-struct-drm_gem_object_funcs.get_sg_ta.patch b/queue-5.9/drm-malidp-use-struct-drm_gem_object_funcs.get_sg_ta.patch new file mode 100644 index 00000000000..66577f82bb3 --- /dev/null +++ b/queue-5.9/drm-malidp-use-struct-drm_gem_object_funcs.get_sg_ta.patch @@ -0,0 +1,41 @@ +From 0c128755608fb48b7f8cd5324deb9e686b8a04a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 13:10:22 +0200 +Subject: drm/malidp: Use struct drm_gem_object_funcs.get_sg_table internally + +From: Thomas Zimmermann + +[ Upstream commit d3d1bbe794ab4f7cce13e8ba08a2ac978133375e ] + +The malidp driver uses GEM object functions for callbacks. Fix it to +use them internally as well. + +Signed-off-by: Thomas Zimmermann +Reviewed-by: Daniel Vetter +Fixes: ecdd6474644f ("drm/malidp: Use GEM CMA object functions") +Cc: Thomas Zimmermann +Cc: Emil Velikov +Cc: Liviu Dudau +Cc: Brian Starkey +Link: https://patchwork.freedesktop.org/patch/msgid/20200807111022.12117-1-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/arm/malidp_planes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/arm/malidp_planes.c b/drivers/gpu/drm/arm/malidp_planes.c +index ab45ac445045a..351a85088d0ec 100644 +--- a/drivers/gpu/drm/arm/malidp_planes.c ++++ b/drivers/gpu/drm/arm/malidp_planes.c +@@ -346,7 +346,7 @@ static bool malidp_check_pages_threshold(struct malidp_plane_state *ms, + if (cma_obj->sgt) + sgt = cma_obj->sgt; + else +- sgt = obj->dev->driver->gem_prime_get_sg_table(obj); ++ sgt = obj->funcs->get_sg_table(obj); + + if (!sgt) + return false; +-- +2.25.1 + diff --git a/queue-5.9/drm-mediatek-reduce-clear-event.patch b/queue-5.9/drm-mediatek-reduce-clear-event.patch new file mode 100644 index 00000000000..63f2967182b --- /dev/null +++ b/queue-5.9/drm-mediatek-reduce-clear-event.patch @@ -0,0 +1,40 @@ +From 9508fe0600d435e8296400379282751c1d5a422c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 23:45:14 +0800 +Subject: drm/mediatek: reduce clear event + +From: Dennis YC Hsieh + +[ Upstream commit bee1abc9cc021f50b90f22a589d9ddc816a80db0 ] + +No need to clear event again since event always clear before wait. +This fix depend on patch: + "soc: mediatek: cmdq: add clear option in cmdq_pkt_wfe api" + +Fixes: 2f965be7f9008 ("drm/mediatek: apply CMDQ control flow") +Signed-off-by: Dennis YC Hsieh +Reviewed-by: Bibby Hsieh +Acked-by: Chun-Kuang Hu +Link: https://lore.kernel.org/r/1594136714-11650-10-git-send-email-dennis-yc.hsieh@mediatek.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index a4977009d3076..ac038572164d3 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -481,7 +481,7 @@ static void mtk_drm_crtc_hw_config(struct mtk_drm_crtc *mtk_crtc) + mbox_flush(mtk_crtc->cmdq_client->chan, 2000); + cmdq_handle = cmdq_pkt_create(mtk_crtc->cmdq_client, PAGE_SIZE); + cmdq_pkt_clear_event(cmdq_handle, mtk_crtc->cmdq_event); +- cmdq_pkt_wfe(cmdq_handle, mtk_crtc->cmdq_event, true); ++ cmdq_pkt_wfe(cmdq_handle, mtk_crtc->cmdq_event, false); + mtk_crtc_ddp_config(crtc, cmdq_handle); + cmdq_pkt_finalize(cmdq_handle); + cmdq_pkt_flush_async(cmdq_handle, ddp_cmdq_cb, cmdq_handle); +-- +2.25.1 + diff --git a/queue-5.9/drm-msm-a6xx-fix-a-potential-overflow-issue.patch b/queue-5.9/drm-msm-a6xx-fix-a-potential-overflow-issue.patch new file mode 100644 index 00000000000..92bacb5a4cd --- /dev/null +++ b/queue-5.9/drm-msm-a6xx-fix-a-potential-overflow-issue.patch @@ -0,0 +1,37 @@ +From 9cae6794abb7e9117076fcae5e52dce3f999cb0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Sep 2020 18:25:58 +0800 +Subject: drm/msm/a6xx: fix a potential overflow issue + +From: Zhenzhong Duan + +[ Upstream commit 08d3ab4b46339bc6f97e83b54a3fb4f8bf8f4cd9 ] + +It's allocating an array of a6xx_gpu_state_obj structure rathor than +its pointers. + +This patch fix it. + +Signed-off-by: Zhenzhong Duan +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c +index b12f5b4a1bea9..e9ede19193b0e 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c +@@ -875,7 +875,7 @@ static void a6xx_get_indexed_registers(struct msm_gpu *gpu, + int i; + + a6xx_state->indexed_regs = state_kcalloc(a6xx_state, count, +- sizeof(a6xx_state->indexed_regs)); ++ sizeof(*a6xx_state->indexed_regs)); + if (!a6xx_state->indexed_regs) + return; + +-- +2.25.1 + diff --git a/queue-5.9/drm-msm-adreno-fix-probe-without-iommu.patch b/queue-5.9/drm-msm-adreno-fix-probe-without-iommu.patch new file mode 100644 index 00000000000..0ee23ee48b6 --- /dev/null +++ b/queue-5.9/drm-msm-adreno-fix-probe-without-iommu.patch @@ -0,0 +1,48 @@ +From e677d91963f362476960f92a322bdf1f713c6106 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 18:08:53 +0200 +Subject: drm/msm/adreno: fix probe without iommu + +From: Luca Weiss + +[ Upstream commit 0a48db562c6264da2ae8013491efd6e8dc780520 ] + +The function iommu_domain_alloc returns NULL on platforms without IOMMU +such as msm8974. This resulted in PTR_ERR(-ENODEV) being assigned to +gpu->aspace so the correct code path wasn't taken. + +Fixes: ccac7ce373c1 ("drm/msm: Refactor address space initialization") +Signed-off-by: Luca Weiss +Reviewed-by: Jordan Crouse +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/adreno_gpu.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +index 862dd35b27d3d..6e8bef1a9ea25 100644 +--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +@@ -189,10 +189,16 @@ struct msm_gem_address_space * + adreno_iommu_create_address_space(struct msm_gpu *gpu, + struct platform_device *pdev) + { +- struct iommu_domain *iommu = iommu_domain_alloc(&platform_bus_type); +- struct msm_mmu *mmu = msm_iommu_new(&pdev->dev, iommu); ++ struct iommu_domain *iommu; ++ struct msm_mmu *mmu; + struct msm_gem_address_space *aspace; + ++ iommu = iommu_domain_alloc(&platform_bus_type); ++ if (!iommu) ++ return NULL; ++ ++ mmu = msm_iommu_new(&pdev->dev, iommu); ++ + aspace = msm_gem_address_space_create(mmu, "gpu", SZ_16M, + 0xffffffff - SZ_16M); + +-- +2.25.1 + diff --git a/queue-5.9/drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch b/queue-5.9/drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch new file mode 100644 index 00000000000..fc2a15c97b3 --- /dev/null +++ b/queue-5.9/drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch @@ -0,0 +1,83 @@ +From 60b9576199cacb2135a39a887b8e3b4d62c874b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 14:59:41 -0700 +Subject: drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() + +From: Stephen Boyd + +[ Upstream commit 22f760941844dbcee6ee446e1896532f6dff01ef ] + +The cstate->num_mixers member is only set to a non-zero value once +dpu_encoder_virt_mode_set() is called, but the atomic check function can +be called by userspace before that. Let's avoid the div-by-zero here and +inside _dpu_crtc_setup_lm_bounds() by skipping this part of the atomic +check if dpu_encoder_virt_mode_set() hasn't been called yet. This fixes +an UBSAN warning: + + UBSAN: Undefined behaviour in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c:860:31 + division by zero + CPU: 7 PID: 409 Comm: frecon Tainted: G S 5.4.31 #128 + Hardware name: Google Trogdor (rev0) (DT) + Call trace: + dump_backtrace+0x0/0x14c + show_stack+0x20/0x2c + dump_stack+0xa0/0xd8 + __ubsan_handle_divrem_overflow+0xec/0x110 + dpu_crtc_atomic_check+0x97c/0x9d4 + drm_atomic_helper_check_planes+0x160/0x1c8 + drm_atomic_helper_check+0x54/0xbc + drm_atomic_check_only+0x6a8/0x880 + drm_atomic_commit+0x20/0x5c + drm_atomic_helper_set_config+0x98/0xa0 + drm_mode_setcrtc+0x308/0x5dc + drm_ioctl_kernel+0x9c/0x114 + drm_ioctl+0x2ac/0x4b0 + drm_compat_ioctl+0xe8/0x13c + __arm64_compat_sys_ioctl+0x184/0x324 + el0_svc_common+0xa4/0x154 + el0_svc_compat_handler+0x + +Cc: Abhinav Kumar +Cc: Jeykumar Sankaran +Cc: Jordan Crouse +Cc: Sean Paul +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Stephen Boyd +Reviewed-by: Abhinav Kumar +Tested-by: Sai Prakash Ranjan +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index c2729f71e2fa7..f9cb1e0da1a59 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -881,7 +881,7 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + struct drm_plane *plane; + struct drm_display_mode *mode; + +- int cnt = 0, rc = 0, mixer_width, i, z_pos; ++ int cnt = 0, rc = 0, mixer_width = 0, i, z_pos; + + struct dpu_multirect_plane_states multirect_plane[DPU_STAGE_MAX * 2]; + int multirect_count = 0; +@@ -914,9 +914,11 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + + memset(pipe_staged, 0, sizeof(pipe_staged)); + +- mixer_width = mode->hdisplay / cstate->num_mixers; ++ if (cstate->num_mixers) { ++ mixer_width = mode->hdisplay / cstate->num_mixers; + +- _dpu_crtc_setup_lm_bounds(crtc, state); ++ _dpu_crtc_setup_lm_bounds(crtc, state); ++ } + + crtc_rect.x2 = mode->hdisplay; + crtc_rect.y2 = mode->vdisplay; +-- +2.25.1 + diff --git a/queue-5.9/drm-msm-fix-the-a650-hw_apriv-check.patch b/queue-5.9/drm-msm-fix-the-a650-hw_apriv-check.patch new file mode 100644 index 00000000000..271c1dd4a2b --- /dev/null +++ b/queue-5.9/drm-msm-fix-the-a650-hw_apriv-check.patch @@ -0,0 +1,58 @@ +From eae518731863aa0d63b56be0f98ffadde0e35bb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 10:35:51 -0600 +Subject: drm/msm: Fix the a650 hw_apriv check + +From: Jordan Crouse + +[ Upstream commit e9ba8d550dd1e28870a0bdc7c11af026c2a94702 ] + +Commit 604234f33658 ("drm/msm: Enable expanded apriv support for a650") +was checking the result of adreno_is_a650() before the gpu revision +got probed in adreno_gpu_init() so it was always coming across as +false. Snoop into the revision ID ahead of time to correctly set the +hw_apriv flag so that it can be used by msm_gpu to properly setup +global buffers. + +Fixes: 604234f33658 ("drm/msm: Enable expanded apriv support for a650") +Reported-by: Jonathan Marek +Signed-off-by: Jordan Crouse +Tested-by: Jonathan Marek +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +index 66a95e22b7b3d..456d729c81c39 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +@@ -1048,6 +1048,8 @@ struct msm_gpu *a6xx_gpu_init(struct drm_device *dev) + { + struct msm_drm_private *priv = dev->dev_private; + struct platform_device *pdev = priv->gpu_pdev; ++ struct adreno_platform_config *config = pdev->dev.platform_data; ++ const struct adreno_info *info; + struct device_node *node; + struct a6xx_gpu *a6xx_gpu; + struct adreno_gpu *adreno_gpu; +@@ -1064,7 +1066,14 @@ struct msm_gpu *a6xx_gpu_init(struct drm_device *dev) + adreno_gpu->registers = NULL; + adreno_gpu->reg_offsets = a6xx_register_offsets; + +- if (adreno_is_a650(adreno_gpu)) ++ /* ++ * We need to know the platform type before calling into adreno_gpu_init ++ * so that the hw_apriv flag can be correctly set. Snoop into the info ++ * and grab the revision number ++ */ ++ info = adreno_info(config->rev); ++ ++ if (info && info->revn == 650) + adreno_gpu->base.hw_apriv = true; + + ret = adreno_gpu_init(dev, pdev, adreno_gpu, &funcs, 1); +-- +2.25.1 + diff --git a/queue-5.9/drm-mxsfb-check-framebuffer-pitch.patch b/queue-5.9/drm-mxsfb-check-framebuffer-pitch.patch new file mode 100644 index 00000000000..220db937b38 --- /dev/null +++ b/queue-5.9/drm-mxsfb-check-framebuffer-pitch.patch @@ -0,0 +1,71 @@ +From 3e7c51ac0dffac7b83badd04ba092d3878bd4fd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 16:16:54 +0200 +Subject: drm: mxsfb: check framebuffer pitch + +From: Stefan Agner + +[ Upstream commit d5a0c816900419105a12e7471bf074319dfa34be ] + +The lcdif IP does not support a framebuffer pitch (stride) other than +framebuffer width. Check for equality and reject the framebuffer +otherwise. + +This prevents a distorted picture when using 640x800 and running the +Mesa graphics stack. Mesa tries to use a cache aligned stride, which +leads at that particular resolution to width != stride. Currently +Mesa has no fallback behavior, but rejecting this configuration allows +userspace to handle the issue correctly. + +Fixes: 45d59d704080 ("drm: Add new driver for MXSFB controller") +Signed-off-by: Stefan Agner +Reviewed-by: Laurent Pinchart +Link: https://patchwork.freedesktop.org/patch/msgid/20200908141654.266836-1-stefan@agner.ch +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mxsfb/mxsfb_drv.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mxsfb/mxsfb_drv.c b/drivers/gpu/drm/mxsfb/mxsfb_drv.c +index 508764fccd27d..27ccfa531d31f 100644 +--- a/drivers/gpu/drm/mxsfb/mxsfb_drv.c ++++ b/drivers/gpu/drm/mxsfb/mxsfb_drv.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -92,8 +93,26 @@ void mxsfb_disable_axi_clk(struct mxsfb_drm_private *mxsfb) + clk_disable_unprepare(mxsfb->clk_axi); + } + ++static struct drm_framebuffer * ++mxsfb_fb_create(struct drm_device *dev, struct drm_file *file_priv, ++ const struct drm_mode_fb_cmd2 *mode_cmd) ++{ ++ const struct drm_format_info *info; ++ ++ info = drm_get_format_info(dev, mode_cmd); ++ if (!info) ++ return ERR_PTR(-EINVAL); ++ ++ if (mode_cmd->width * info->cpp[0] != mode_cmd->pitches[0]) { ++ dev_dbg(dev->dev, "Invalid pitch: fb width must match pitch\n"); ++ return ERR_PTR(-EINVAL); ++ } ++ ++ return drm_gem_fb_create(dev, file_priv, mode_cmd); ++} ++ + static const struct drm_mode_config_funcs mxsfb_mode_config_funcs = { +- .fb_create = drm_gem_fb_create, ++ .fb_create = mxsfb_fb_create, + .atomic_check = drm_atomic_helper_check, + .atomic_commit = drm_atomic_helper_commit, + }; +-- +2.25.1 + diff --git a/queue-5.9/drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch b/queue-5.9/drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch new file mode 100644 index 00000000000..150a159cc97 --- /dev/null +++ b/queue-5.9/drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch @@ -0,0 +1,39 @@ +From 6cb0c885816e0a80acc1304a5f839e2851b6ebeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 03:32:54 +0300 +Subject: drm: panel: Fix bpc for OrtusTech COM43H4M85ULC panel + +From: Laurent Pinchart + +[ Upstream commit 3b8095169982ff4ec2a1b4be61b7224bbef23b48 ] + +The OrtusTech COM43H4M85ULC panel is a 18-bit RGB panel. Commit +f098f168e91c ("drm: panel: Fix bus format for OrtusTech COM43H4M85ULC +panel") has fixed the bus formats, but forgot to address the bpc value. +Set it to 6. + +Fixes: f098f168e91c ("drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200824003254.21904-1-laurent.pinchart@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 7bd5ffe8c88f3..eabc9e41d92b4 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2941,7 +2941,7 @@ static const struct drm_display_mode ortustech_com43h4m85ulc_mode = { + static const struct panel_desc ortustech_com43h4m85ulc = { + .modes = &ortustech_com43h4m85ulc_mode, + .num_modes = 1, +- .bpc = 8, ++ .bpc = 6, + .size = { + .width = 56, + .height = 93, +-- +2.25.1 + diff --git a/queue-5.9/drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch b/queue-5.9/drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch new file mode 100644 index 00000000000..e7edf9e83c2 --- /dev/null +++ b/queue-5.9/drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch @@ -0,0 +1,37 @@ +From 6fcc8821aeeb8652fe24b3bbf6875870c512231a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 01:02:44 +0300 +Subject: drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel + +From: Laurent Pinchart + +[ Upstream commit f098f168e91ca915c6cf8aa316136af647792f2f ] + +The OrtusTech COM43H4M85ULC panel is a 18-bit RGB panel, set the bus +format to MEDIA_BUS_FMT_RGB666_1X18. + +Fixes: 725c9d40f3fe ("drm/panel: Add support for OrtusTech COM43H4M85ULC panel") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200812220244.24500-1-laurent.pinchart@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index cb6550d37e858..7bd5ffe8c88f3 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2946,7 +2946,7 @@ static const struct panel_desc ortustech_com43h4m85ulc = { + .width = 56, + .height = 93, + }, +- .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18, + .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE, + .connector_type = DRM_MODE_CONNECTOR_DPI, + }; +-- +2.25.1 + diff --git a/queue-5.9/drm-panfrost-add-amlogic-gpu-integration-quirks.patch b/queue-5.9/drm-panfrost-add-amlogic-gpu-integration-quirks.patch new file mode 100644 index 00000000000..e9b2069d39a --- /dev/null +++ b/queue-5.9/drm-panfrost-add-amlogic-gpu-integration-quirks.patch @@ -0,0 +1,49 @@ +From c605f5caeea9ebf89d3fadfed42e0bfa03f07698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 17:01:47 +0200 +Subject: drm/panfrost: add Amlogic GPU integration quirks + +From: Neil Armstrong + +[ Upstream commit afcd0c7d3d4c22afc8befcfc906db6ce3058d3ee ] + +This adds the required GPU quirks, including the quirk in the PWR +registers at the GPU reset time and the IOMMU quirk for shareability +issues observed on G52 in Amlogic G12B SoCs. + +Signed-off-by: Neil Armstrong +Reviewed-by: Steven Price +Reviewed-by: Alyssa Rosenzweig +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20200916150147.25753-4-narmstrong@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_drv.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c +index ada51df9a7a32..f6d5d03201fad 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_drv.c ++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c +@@ -667,7 +667,18 @@ static const struct panfrost_compatible default_data = { + .pm_domain_names = NULL, + }; + ++static const struct panfrost_compatible amlogic_data = { ++ .num_supplies = ARRAY_SIZE(default_supplies), ++ .supply_names = default_supplies, ++ .vendor_quirk = panfrost_gpu_amlogic_quirk, ++}; ++ + static const struct of_device_id dt_match[] = { ++ /* Set first to probe before the generic compatibles */ ++ { .compatible = "amlogic,meson-gxm-mali", ++ .data = &amlogic_data, }, ++ { .compatible = "amlogic,meson-g12a-mali", ++ .data = &amlogic_data, }, + { .compatible = "arm,mali-t604", .data = &default_data, }, + { .compatible = "arm,mali-t624", .data = &default_data, }, + { .compatible = "arm,mali-t628", .data = &default_data, }, +-- +2.25.1 + diff --git a/queue-5.9/drm-panfrost-add-amlogic-reset-quirk-callback.patch b/queue-5.9/drm-panfrost-add-amlogic-reset-quirk-callback.patch new file mode 100644 index 00000000000..1ca57979c0a --- /dev/null +++ b/queue-5.9/drm-panfrost-add-amlogic-reset-quirk-callback.patch @@ -0,0 +1,81 @@ +From 40d16b707d28978d4cf389d3e0db5510e63196ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 17:01:46 +0200 +Subject: drm/panfrost: add amlogic reset quirk callback + +From: Neil Armstrong + +[ Upstream commit 110003002291525bb209f47e6dbf121a63249a97 ] + +The T820, G31 & G52 GPUs integrated by Amlogic in the respective GXM, +G12A/SM1 & G12B SoCs needs a quirk in the PWR registers at the GPU reset +time. + +Since the Amlogic's integration of the GPU cores with the SoC is not +publicly documented we do not know what does these values, but they +permit having a fully functional GPU running with Panfrost. + +Signed-off-by: Neil Armstrong +[Steven: Fix typo in commit log] +Reviewed-by: Steven Price +Reviewed-by: Alyssa Rosenzweig +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20200916150147.25753-3-narmstrong@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_gpu.c | 11 +++++++++++ + drivers/gpu/drm/panfrost/panfrost_gpu.h | 2 ++ + drivers/gpu/drm/panfrost/panfrost_regs.h | 4 ++++ + 3 files changed, 17 insertions(+) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c +index dfe4c9151eaf2..a9d08a2927aa3 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c +@@ -75,6 +75,17 @@ int panfrost_gpu_soft_reset(struct panfrost_device *pfdev) + return 0; + } + ++void panfrost_gpu_amlogic_quirk(struct panfrost_device *pfdev) ++{ ++ /* ++ * The Amlogic integrated Mali-T820, Mali-G31 & Mali-G52 needs ++ * these undocumented bits in GPU_PWR_OVERRIDE1 to be set in order ++ * to operate correctly. ++ */ ++ gpu_write(pfdev, GPU_PWR_KEY, GPU_PWR_KEY_UNLOCK); ++ gpu_write(pfdev, GPU_PWR_OVERRIDE1, 0xfff | (0x20 << 16)); ++} ++ + static void panfrost_gpu_init_quirks(struct panfrost_device *pfdev) + { + u32 quirks = 0; +diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.h b/drivers/gpu/drm/panfrost/panfrost_gpu.h +index 4112412087b27..468c51e7e46db 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gpu.h ++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.h +@@ -16,4 +16,6 @@ int panfrost_gpu_soft_reset(struct panfrost_device *pfdev); + void panfrost_gpu_power_on(struct panfrost_device *pfdev); + void panfrost_gpu_power_off(struct panfrost_device *pfdev); + ++void panfrost_gpu_amlogic_quirk(struct panfrost_device *pfdev); ++ + #endif +diff --git a/drivers/gpu/drm/panfrost/panfrost_regs.h b/drivers/gpu/drm/panfrost/panfrost_regs.h +index ea38ac60581c6..eddaa62ad8b0e 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_regs.h ++++ b/drivers/gpu/drm/panfrost/panfrost_regs.h +@@ -51,6 +51,10 @@ + #define GPU_STATUS 0x34 + #define GPU_STATUS_PRFCNT_ACTIVE BIT(2) + #define GPU_LATEST_FLUSH_ID 0x38 ++#define GPU_PWR_KEY 0x50 /* (WO) Power manager key register */ ++#define GPU_PWR_KEY_UNLOCK 0x2968A819 ++#define GPU_PWR_OVERRIDE0 0x54 /* (RW) Power manager override settings */ ++#define GPU_PWR_OVERRIDE1 0x58 /* (RW) Power manager override settings */ + #define GPU_FAULT_STATUS 0x3C + #define GPU_FAULT_ADDRESS_LO 0x40 + #define GPU_FAULT_ADDRESS_HI 0x44 +-- +2.25.1 + diff --git a/queue-5.9/drm-panfrost-add-support-for-vendor-quirk.patch b/queue-5.9/drm-panfrost-add-support-for-vendor-quirk.patch new file mode 100644 index 00000000000..21a3c0edfc0 --- /dev/null +++ b/queue-5.9/drm-panfrost-add-support-for-vendor-quirk.patch @@ -0,0 +1,58 @@ +From 21a64aed44f8dbcb8b04f64f27111747f1042d1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 17:01:45 +0200 +Subject: drm/panfrost: add support for vendor quirk + +From: Neil Armstrong + +[ Upstream commit 91e89097b86f566636ea5a7329c79d5521be46d2 ] + +The T820, G31 & G52 GPUs integrated by Amlogic in the respective GXM, +G12A/SM1 & G12B SoCs needs a quirk in the PWR registers after each reset. + +This adds a callback in the device compatible struct of permit this. + +Signed-off-by: Neil Armstrong +[Steven: Fix typo in commit log] +Reviewed-by: Steven Price +Reviewed-by: Alyssa Rosenzweig +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20200916150147.25753-2-narmstrong@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_device.h | 3 +++ + drivers/gpu/drm/panfrost/panfrost_gpu.c | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_device.h b/drivers/gpu/drm/panfrost/panfrost_device.h +index c30c719a80594..3c4a85213c15f 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_device.h ++++ b/drivers/gpu/drm/panfrost/panfrost_device.h +@@ -69,6 +69,9 @@ struct panfrost_compatible { + int num_pm_domains; + /* Only required if num_pm_domains > 1. */ + const char * const *pm_domain_names; ++ ++ /* Vendor implementation quirks callback */ ++ void (*vendor_quirk)(struct panfrost_device *pfdev); + }; + + struct panfrost_device { +diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c +index a9d08a2927aa3..165403878ad9b 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c +@@ -146,6 +146,10 @@ static void panfrost_gpu_init_quirks(struct panfrost_device *pfdev) + + if (quirks) + gpu_write(pfdev, GPU_JM_CONFIG, quirks); ++ ++ /* Here goes platform specific quirks */ ++ if (pfdev->comp->vendor_quirk) ++ pfdev->comp->vendor_quirk(pfdev); + } + + #define MAX_HW_REVS 6 +-- +2.25.1 + diff --git a/queue-5.9/drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch b/queue-5.9/drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch new file mode 100644 index 00000000000..7a8500d452b --- /dev/null +++ b/queue-5.9/drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch @@ -0,0 +1,50 @@ +From dc249be19538e697f6f4ee9d31626f8a036fad7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 13:29:57 +0100 +Subject: drm/panfrost: Ensure GPU quirks are always initialised + +From: Steven Price + +[ Upstream commit 8c3c818c23a5bbce6ff180dd2ee04415241df77c ] + +The GPU 'CONFIG' registers used to work around hardware issues are +cleared on reset so need to be programmed every time the GPU is reset. +However panfrost_device_reset() failed to do this. + +To avoid this in future instead move the call to +panfrost_gpu_init_quirks() to panfrost_gpu_power_on() so that the +regsiters are always programmed just before the cores are powered. + +Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") +Signed-off-by: Steven Price +Reviewed-by: Alyssa Rosenzweig +Link: https://patchwork.freedesktop.org/patch/msgid/20200909122957.51667-1-steven.price@arm.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_gpu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c +index f2c1ddc41a9bf..689b92893e0e1 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c +@@ -304,6 +304,8 @@ void panfrost_gpu_power_on(struct panfrost_device *pfdev) + int ret; + u32 val; + ++ panfrost_gpu_init_quirks(pfdev); ++ + /* Just turn on everything for now */ + gpu_write(pfdev, L2_PWRON_LO, pfdev->features.l2_present); + ret = readl_relaxed_poll_timeout(pfdev->iomem + L2_READY_LO, +@@ -355,7 +357,6 @@ int panfrost_gpu_init(struct panfrost_device *pfdev) + return err; + } + +- panfrost_gpu_init_quirks(pfdev); + panfrost_gpu_power_on(pfdev); + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/drm-panfrost-increase-readl_relaxed_poll_timeout-val.patch b/queue-5.9/drm-panfrost-increase-readl_relaxed_poll_timeout-val.patch new file mode 100644 index 00000000000..1a503ced4a2 --- /dev/null +++ b/queue-5.9/drm-panfrost-increase-readl_relaxed_poll_timeout-val.patch @@ -0,0 +1,54 @@ +From 2c31789a81a06bd3188175342092ee4e59c76235 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 14:17:38 +0000 +Subject: drm/panfrost: increase readl_relaxed_poll_timeout values + +From: Christian Hewitt + +[ Upstream commit c2df75ad2a9f205820e4bc0db936d3d9af3da1ae ] + +Amlogic SoC devices report the following errors frequently causing excessive +dmesg log spam and early log rotataion, although the errors appear to be +harmless as everything works fine: + +[ 7.202702] panfrost ffe40000.gpu: error powering up gpu L2 +[ 7.203760] panfrost ffe40000.gpu: error powering up gpu shader + +ARM staff have advised increasing the timeout values to eliminate the errors +in most normal scenarios, and testing with several different G31/G52 devices +shows 20000 to be a reliable value. + +Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") +Suggested-by: Steven Price +Signed-off-by: Christian Hewitt +Reviewed-by: Steven Price +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20201008141738.13560-1-christianshewitt@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_gpu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c +index 689b92893e0e1..dfe4c9151eaf2 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c +@@ -309,13 +309,13 @@ void panfrost_gpu_power_on(struct panfrost_device *pfdev) + /* Just turn on everything for now */ + gpu_write(pfdev, L2_PWRON_LO, pfdev->features.l2_present); + ret = readl_relaxed_poll_timeout(pfdev->iomem + L2_READY_LO, +- val, val == pfdev->features.l2_present, 100, 1000); ++ val, val == pfdev->features.l2_present, 100, 20000); + if (ret) + dev_err(pfdev->dev, "error powering up gpu L2"); + + gpu_write(pfdev, SHADER_PWRON_LO, pfdev->features.shader_present); + ret = readl_relaxed_poll_timeout(pfdev->iomem + SHADER_READY_LO, +- val, val == pfdev->features.shader_present, 100, 1000); ++ val, val == pfdev->features.shader_present, 100, 20000); + if (ret) + dev_err(pfdev->dev, "error powering up gpu shader"); + +-- +2.25.1 + diff --git a/queue-5.9/drm-panfrost-perfcnt-fix-ref-count-leak-in-panfrost_.patch b/queue-5.9/drm-panfrost-perfcnt-fix-ref-count-leak-in-panfrost_.patch new file mode 100644 index 00000000000..03481e602fd --- /dev/null +++ b/queue-5.9/drm-panfrost-perfcnt-fix-ref-count-leak-in-panfrost_.patch @@ -0,0 +1,56 @@ +From 6bbc23e6d0f37cf6acc531ca1280a269756d35e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:36:19 -0500 +Subject: drm/panfrost: perfcnt: fix ref count leak in + panfrost_perfcnt_enable_locked + +From: Navid Emamdoost + +[ Upstream commit 9df0e0c1889677175037445d5ad1654d54176369 ] + +in panfrost_perfcnt_enable_locked, pm_runtime_get_sync is called which +increments the counter even in case of failure, leading to incorrect +ref count. In case of failure, decrement the ref count before returning. + +Acked-by: Alyssa Rosenzweig +Signed-off-by: Navid Emamdoost +Signed-off-by: Rob Herring +Link: https://patchwork.freedesktop.org/patch/msgid/20200614063619.44944-1-navid.emamdoost@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_perfcnt.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_perfcnt.c b/drivers/gpu/drm/panfrost/panfrost_perfcnt.c +index ec4695cf3caf3..fdbc8d9491356 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_perfcnt.c ++++ b/drivers/gpu/drm/panfrost/panfrost_perfcnt.c +@@ -83,11 +83,13 @@ static int panfrost_perfcnt_enable_locked(struct panfrost_device *pfdev, + + ret = pm_runtime_get_sync(pfdev->dev); + if (ret < 0) +- return ret; ++ goto err_put_pm; + + bo = drm_gem_shmem_create(pfdev->ddev, perfcnt->bosize); +- if (IS_ERR(bo)) +- return PTR_ERR(bo); ++ if (IS_ERR(bo)) { ++ ret = PTR_ERR(bo); ++ goto err_put_pm; ++ } + + /* Map the perfcnt buf in the address space attached to file_priv. */ + ret = panfrost_gem_open(&bo->base, file_priv); +@@ -168,6 +170,8 @@ static int panfrost_perfcnt_enable_locked(struct panfrost_device *pfdev, + panfrost_gem_close(&bo->base, file_priv); + err_put_bo: + drm_gem_object_put(&bo->base); ++err_put_pm: ++ pm_runtime_put(pfdev->dev); + return ret; + } + +-- +2.25.1 + diff --git a/queue-5.9/drm-radeon-prefer-lower-feedback-dividers.patch b/queue-5.9/drm-radeon-prefer-lower-feedback-dividers.patch new file mode 100644 index 00000000000..dd9a7b64165 --- /dev/null +++ b/queue-5.9/drm-radeon-prefer-lower-feedback-dividers.patch @@ -0,0 +1,48 @@ +From 3fa04dfbb55a95e7c6075d0644f64bcb6e7f4ef8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:33:48 +0800 +Subject: drm/radeon: Prefer lower feedback dividers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai-Heng Feng + +[ Upstream commit 5150dd85bdfa08143cacf1b4249121651bed3c35 ] + +Commit 2e26ccb119bd ("drm/radeon: prefer lower reference dividers") +fixed screen flicker for HP Compaq nx9420 but breaks other laptops like +Asus X50SL. + +Turns out we also need to favor lower feedback dividers. + +Users confirmed this change fixes the regression and doesn't regress the +original fix. + +Fixes: 2e26ccb119bd ("drm/radeon: prefer lower reference dividers") +BugLink: https://bugs.launchpad.net/bugs/1791312 +BugLink: https://bugs.launchpad.net/bugs/1861554 +Reviewed-by: Christian König +Signed-off-by: Kai-Heng Feng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index e0ae911ef427d..7b69d6dfe44a3 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -933,7 +933,7 @@ static void avivo_get_fb_ref_div(unsigned nom, unsigned den, unsigned post_div, + + /* get matching reference and feedback divider */ + *ref_div = min(max(den/post_div, 1u), ref_div_max); +- *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den); ++ *fb_div = max(nom * *ref_div * post_div / den, 1u); + + /* limit fb divider to its maximum */ + if (*fb_div > fb_div_max) { +-- +2.25.1 + diff --git a/queue-5.9/drm-rcar-du-put-reference-to-vsp-device.patch b/queue-5.9/drm-rcar-du-put-reference-to-vsp-device.patch new file mode 100644 index 00000000000..e8fa1388801 --- /dev/null +++ b/queue-5.9/drm-rcar-du-put-reference-to-vsp-device.patch @@ -0,0 +1,62 @@ +From e12c231e43419a7cd67bba588dd4c9c6c1e71603 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 02:23:47 +0300 +Subject: drm: rcar-du: Put reference to VSP device + +From: Laurent Pinchart + +[ Upstream commit 2a32dbdc2c7db5463483fa01fb220fd1b770c6bc ] + +The reference to the VSP device acquired with of_find_device_by_node() +in rcar_du_vsp_init() is never released. Fix it with a drmm action, +which gets run both in the probe error path and in the remove path. + +Fixes: 6d62ef3ac30b ("drm: rcar-du: Expose the VSP1 compositor through KMS planes") +Reported-by: Yu Kuai +Reviewed-by: Kieran Bingham +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rcar-du/rcar_du_vsp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c +index f1a81c9b184d4..fa09b3ae8b9d4 100644 +--- a/drivers/gpu/drm/rcar-du/rcar_du_vsp.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_vsp.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -341,6 +342,13 @@ static const struct drm_plane_funcs rcar_du_vsp_plane_funcs = { + .atomic_destroy_state = rcar_du_vsp_plane_atomic_destroy_state, + }; + ++static void rcar_du_vsp_cleanup(struct drm_device *dev, void *res) ++{ ++ struct rcar_du_vsp *vsp = res; ++ ++ put_device(vsp->vsp); ++} ++ + int rcar_du_vsp_init(struct rcar_du_vsp *vsp, struct device_node *np, + unsigned int crtcs) + { +@@ -357,6 +365,10 @@ int rcar_du_vsp_init(struct rcar_du_vsp *vsp, struct device_node *np, + + vsp->vsp = &pdev->dev; + ++ ret = drmm_add_action(rcdu->ddev, rcar_du_vsp_cleanup, vsp); ++ if (ret < 0) ++ return ret; ++ + ret = vsp1_du_init(vsp->vsp); + if (ret < 0) + return ret; +-- +2.25.1 + diff --git a/queue-5.9/drm-vc4-crtc-rework-a-bit-the-crtc-state-code.patch b/queue-5.9/drm-vc4-crtc-rework-a-bit-the-crtc-state-code.patch new file mode 100644 index 00000000000..eca0ab30c07 --- /dev/null +++ b/queue-5.9/drm-vc4-crtc-rework-a-bit-the-crtc-state-code.patch @@ -0,0 +1,57 @@ +From d1075d109352e8b31a3f0ebbdd33bafa91f9c8a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 10:40:31 +0200 +Subject: drm/vc4: crtc: Rework a bit the CRTC state code + +From: Maxime Ripard + +[ Upstream commit 427c4a0680a28f87bb9c7bbfeac26b39ef8682ad ] + +The current CRTC state reset hook in vc4 allocates a vc4_crtc_state +structure as a drm_crtc_state, and relies on the fact that vc4_crtc_state +embeds drm_crtc_state as its first member, and therefore can be safely +cast. + +However, this is pretty fragile especially since there's no check for this +in place, and we're going to need to access vc4_crtc_state member at reset +so this looks like a good occasion to make it more robust. + +Fixes: 6d6e50039187 ("drm/vc4: Allocate the right amount of space for boot-time CRTC state.") +Signed-off-by: Maxime Ripard +Tested-by: Dave Stevenson +Reviewed-by: Dave Stevenson +Link: https://patchwork.freedesktop.org/patch/msgid/20200923084032.218619-1-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_crtc.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c +index 6d8fa6118fc1a..eaad187c41f07 100644 +--- a/drivers/gpu/drm/vc4/vc4_crtc.c ++++ b/drivers/gpu/drm/vc4/vc4_crtc.c +@@ -723,11 +723,18 @@ void vc4_crtc_destroy_state(struct drm_crtc *crtc, + + void vc4_crtc_reset(struct drm_crtc *crtc) + { ++ struct vc4_crtc_state *vc4_crtc_state; ++ + if (crtc->state) + vc4_crtc_destroy_state(crtc, crtc->state); +- crtc->state = kzalloc(sizeof(struct vc4_crtc_state), GFP_KERNEL); +- if (crtc->state) +- __drm_atomic_helper_crtc_reset(crtc, crtc->state); ++ ++ vc4_crtc_state = kzalloc(sizeof(*vc4_crtc_state), GFP_KERNEL); ++ if (!vc4_crtc_state) { ++ crtc->state = NULL; ++ return; ++ } ++ ++ __drm_atomic_helper_crtc_reset(crtc, &vc4_crtc_state->base); + } + + static const struct drm_crtc_funcs vc4_crtc_funcs = { +-- +2.25.1 + diff --git a/queue-5.9/drm-vgem-add-missing-platform_device_unregister-in-v.patch b/queue-5.9/drm-vgem-add-missing-platform_device_unregister-in-v.patch new file mode 100644 index 00000000000..d31a5e44551 --- /dev/null +++ b/queue-5.9/drm-vgem-add-missing-platform_device_unregister-in-v.patch @@ -0,0 +1,38 @@ +From 3f3c4fe972f46b48a042d805048f2cb39fc521c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 20:59:42 +0800 +Subject: drm/vgem: add missing platform_device_unregister() in vgem_init() + +From: Qinglang Miao + +[ Upstream commit 57fb54082d5d14512dfd21bc39d91945d3ad1ee9 ] + +When vgem_init() get into out_put, the unregister call of +vgem_device->platform is missing. So add it before return. + +Fixes: 363de9e7d4f6 ("drm/vgem: Use drmm_add_final_kfree") +Signed-off-by: Qinglang Miao +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200810125942.186637-1-miaoqinglang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vgem/vgem_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c +index a775feda1cc73..313339bbff901 100644 +--- a/drivers/gpu/drm/vgem/vgem_drv.c ++++ b/drivers/gpu/drm/vgem/vgem_drv.c +@@ -471,8 +471,8 @@ static int __init vgem_init(void) + + out_put: + drm_dev_put(&vgem_device->drm); ++ platform_device_unregister(vgem_device->platform); + return ret; +- + out_unregister: + platform_device_unregister(vgem_device->platform); + out_free: +-- +2.25.1 + diff --git a/queue-5.9/drm-vkms-add-missing-platform_device_unregister-in-v.patch b/queue-5.9/drm-vkms-add-missing-platform_device_unregister-in-v.patch new file mode 100644 index 00000000000..0e55e2a15d1 --- /dev/null +++ b/queue-5.9/drm-vkms-add-missing-platform_device_unregister-in-v.patch @@ -0,0 +1,38 @@ +From 29d6e4c275acc265440cd4a9abf98b148fc2f27e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 21:00:11 +0800 +Subject: drm/vkms: add missing platform_device_unregister() in vkms_init() + +From: Qinglang Miao + +[ Upstream commit 7995bd13296111d672d8c5959f5e81dbbbda5286 ] + +When vkms_init() get into out_put, the unregister call of +vkms_device->platform is missing. So add it before return. + +Fixes: ac19f140bc27 ("drm/vkms: Use drmm_add_final_kfree") +Signed-off-by: Qinglang Miao +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200810130011.187691-1-miaoqinglang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c +index 57a8a397d5e84..83dd5567de8b5 100644 +--- a/drivers/gpu/drm/vkms/vkms_drv.c ++++ b/drivers/gpu/drm/vkms/vkms_drv.c +@@ -190,8 +190,8 @@ static int __init vkms_init(void) + + out_put: + drm_dev_put(&vkms_device->drm); ++ platform_device_unregister(vkms_device->platform); + return ret; +- + out_unregister: + platform_device_unregister(vkms_device->platform); + out_free: +-- +2.25.1 + diff --git a/queue-5.9/drm-vkms-fix-xrgb-on-compute-crc.patch b/queue-5.9/drm-vkms-fix-xrgb-on-compute-crc.patch new file mode 100644 index 00000000000..d3d7bd944a9 --- /dev/null +++ b/queue-5.9/drm-vkms-fix-xrgb-on-compute-crc.patch @@ -0,0 +1,39 @@ +From e7d04c1c16609f032dd869691e98fc84bb9273e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 17:25:24 -0300 +Subject: drm/vkms: fix xrgb on compute crc + +From: Melissa Wen + +[ Upstream commit 0986191186128b10b6bbfa5220fc587ed5725e49 ] + +The previous memset operation was not correctly zeroing the alpha +channel to compute the crc, and as a result, the IGT subtest +kms_cursor_crc/pipe-A-cursor-alpha-transparent fails. + +Fixes: db7f419c06d7c ("drm/vkms: Compute CRC with Cursor Plane") + +Signed-off-by: Melissa Wen +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200730202524.5upzuh4irboru7my@smtp.gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_composer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_composer.c b/drivers/gpu/drm/vkms/vkms_composer.c +index 4af2f19480f4f..b8b060354667e 100644 +--- a/drivers/gpu/drm/vkms/vkms_composer.c ++++ b/drivers/gpu/drm/vkms/vkms_composer.c +@@ -33,7 +33,7 @@ static uint32_t compute_crc(void *vaddr_out, struct vkms_composer *composer) + + (i * composer->pitch) + + (j * composer->cpp); + /* XRGB format ignores Alpha channel */ +- memset(vaddr_out + src_offset + 24, 0, 8); ++ bitmap_clear(vaddr_out + src_offset, 24, 8); + crc = crc32_le(crc, vaddr_out + src_offset, + sizeof(u32)); + } +-- +2.25.1 + diff --git a/queue-5.9/drm-xlnx-use-devm_drm_dev_alloc.patch b/queue-5.9/drm-xlnx-use-devm_drm_dev_alloc.patch new file mode 100644 index 00000000000..72e7762f7dd --- /dev/null +++ b/queue-5.9/drm-xlnx-use-devm_drm_dev_alloc.patch @@ -0,0 +1,108 @@ +From db076a255b3ef8f6d07b35abe1221b6687bedf24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 10:22:25 +0200 +Subject: drm/xlnx: Use devm_drm_dev_alloc + +From: Daniel Vetter + +[ Upstream commit 075342ea3d93044d68f821cf91c1a1a7d2fa569e ] + +Gets rid of drmm_add_final_kfree, which I want to unexport so that it +stops confusion people about this transitional state of rolling drm +managed memory out. + +This also fixes the missing drm_dev_put in the error path of the probe +code. + +v2: Drop the misplaced drm_dev_put from zynqmp_dpsub_drm_init (all +other paths leaked on error, this should have been in +zynqmp_dpsub_probe), now that subsumed by the auto-cleanup of +devm_drm_dev_alloc. + +Reviewed-by: Hyun Kwon +Signed-off-by: Daniel Vetter +Cc: Hyun Kwon +Cc: Laurent Pinchart +Cc: Michal Simek +Cc: linux-arm-kernel@lists.infradead.org +Link: https://patchwork.freedesktop.org/patch/msgid/20200907082225.150837-1-daniel.vetter@ffwll.ch +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 27 ++++++--------------------- + 1 file changed, 6 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +index 26328c76305be..8e69303aad3f7 100644 +--- a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c ++++ b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +@@ -111,7 +111,7 @@ static int zynqmp_dpsub_drm_init(struct zynqmp_dpsub *dpsub) + /* Initialize mode config, vblank and the KMS poll helper. */ + ret = drmm_mode_config_init(drm); + if (ret < 0) +- goto err_dev_put; ++ return ret; + + drm->mode_config.funcs = &zynqmp_dpsub_mode_config_funcs; + drm->mode_config.min_width = 0; +@@ -121,7 +121,7 @@ static int zynqmp_dpsub_drm_init(struct zynqmp_dpsub *dpsub) + + ret = drm_vblank_init(drm, 1); + if (ret) +- goto err_dev_put; ++ return ret; + + drm->irq_enabled = 1; + +@@ -154,8 +154,6 @@ static int zynqmp_dpsub_drm_init(struct zynqmp_dpsub *dpsub) + + err_poll_fini: + drm_kms_helper_poll_fini(drm); +-err_dev_put: +- drm_dev_put(drm); + return ret; + } + +@@ -208,27 +206,16 @@ static int zynqmp_dpsub_probe(struct platform_device *pdev) + int ret; + + /* Allocate private data. */ +- dpsub = kzalloc(sizeof(*dpsub), GFP_KERNEL); +- if (!dpsub) +- return -ENOMEM; ++ dpsub = devm_drm_dev_alloc(&pdev->dev, &zynqmp_dpsub_drm_driver, ++ struct zynqmp_dpsub, drm); ++ if (IS_ERR(dpsub)) ++ return PTR_ERR(dpsub); + + dpsub->dev = &pdev->dev; + platform_set_drvdata(pdev, dpsub); + + dma_set_mask(dpsub->dev, DMA_BIT_MASK(ZYNQMP_DISP_MAX_DMA_BIT)); + +- /* +- * Initialize the DRM device early, as the DRM core mandates usage of +- * the managed memory helpers tied to the DRM device. +- */ +- ret = drm_dev_init(&dpsub->drm, &zynqmp_dpsub_drm_driver, &pdev->dev); +- if (ret < 0) { +- kfree(dpsub); +- return ret; +- } +- +- drmm_add_final_kfree(&dpsub->drm, dpsub); +- + /* Try the reserved memory. Proceed if there's none. */ + of_reserved_mem_device_init(&pdev->dev); + +@@ -286,8 +273,6 @@ static int zynqmp_dpsub_remove(struct platform_device *pdev) + clk_disable_unprepare(dpsub->apb_clk); + of_reserved_mem_device_release(&pdev->dev); + +- drm_dev_put(drm); +- + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/dt-bindings-crypto-specify-that-allwinner-sun8i-a33-.patch b/queue-5.9/dt-bindings-crypto-specify-that-allwinner-sun8i-a33-.patch new file mode 100644 index 00000000000..9258648ecbf --- /dev/null +++ b/queue-5.9/dt-bindings-crypto-specify-that-allwinner-sun8i-a33-.patch @@ -0,0 +1,51 @@ +From a83fdab9fdcb89ef78c91f4f673e6bb6ddc38549 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 19:54:37 +0200 +Subject: dt-bindings: crypto: Specify that allwinner, sun8i-a33-crypto needs + reset + +From: Corentin Labbe + +[ Upstream commit 884d1a334ae8130fabede56f59b224619ad6bca4 ] + +When adding allwinner,sun8i-a33-crypto, I forgot to add that it needs reset. +Furthermore, there are no need to use items to list only one compatible +in compatible list. + +Fixes: f81547ba7a98 ("dt-bindings: crypto: add new compatible for A33 SS") +Signed-off-by: Corentin Labbe +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20200907175437.4464-1-clabbe.montjoie@gmail.com +Signed-off-by: Sasha Levin +--- + .../bindings/crypto/allwinner,sun4i-a10-crypto.yaml | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/Documentation/devicetree/bindings/crypto/allwinner,sun4i-a10-crypto.yaml b/Documentation/devicetree/bindings/crypto/allwinner,sun4i-a10-crypto.yaml +index fc823572bcff2..90c6d039b91b0 100644 +--- a/Documentation/devicetree/bindings/crypto/allwinner,sun4i-a10-crypto.yaml ++++ b/Documentation/devicetree/bindings/crypto/allwinner,sun4i-a10-crypto.yaml +@@ -23,8 +23,7 @@ properties: + - items: + - const: allwinner,sun7i-a20-crypto + - const: allwinner,sun4i-a10-crypto +- - items: +- - const: allwinner,sun8i-a33-crypto ++ - const: allwinner,sun8i-a33-crypto + + reg: + maxItems: 1 +@@ -59,7 +58,9 @@ if: + properties: + compatible: + contains: +- const: allwinner,sun6i-a31-crypto ++ enum: ++ - allwinner,sun6i-a31-crypto ++ - allwinner,sun8i-a33-crypto + + then: + required: +-- +2.25.1 + diff --git a/queue-5.9/edac-aspeed-fix-handling-of-platform_get_irq-error.patch b/queue-5.9/edac-aspeed-fix-handling-of-platform_get_irq-error.patch new file mode 100644 index 00000000000..ed39d42c0cb --- /dev/null +++ b/queue-5.9/edac-aspeed-fix-handling-of-platform_get_irq-error.patch @@ -0,0 +1,43 @@ +From 024a933c744dea46ec00998235d5999f833fca26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:07:42 +0200 +Subject: EDAC/aspeed: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit afce6996943be265fa39240b67025cfcb1bcdfb1 ] + +platform_get_irq() returns a negative error number on error. In such a +case, comparison to 0 would pass the check therefore check the return +value properly, whether it is negative. + + [ bp: Massage commit message. ] + +Fixes: 9b7e6242ee4e ("EDAC, aspeed: Add an Aspeed AST2500 EDAC driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Borislav Petkov +Reviewed-by: Stefan Schaeckeler +Link: https://lkml.kernel.org/r/20200827070743.26628-1-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/edac/aspeed_edac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/aspeed_edac.c b/drivers/edac/aspeed_edac.c +index b194658b8b5c9..fbec28dc661d7 100644 +--- a/drivers/edac/aspeed_edac.c ++++ b/drivers/edac/aspeed_edac.c +@@ -209,8 +209,8 @@ static int config_irq(void *ctx, struct platform_device *pdev) + /* register interrupt handler */ + irq = platform_get_irq(pdev, 0); + dev_dbg(&pdev->dev, "got irq %d\n", irq); +- if (!irq) +- return -ENODEV; ++ if (irq < 0) ++ return irq; + + rc = devm_request_irq(&pdev->dev, irq, mcr_isr, IRQF_TRIGGER_HIGH, + DRV_NAME, ctx); +-- +2.25.1 + diff --git a/queue-5.9/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch b/queue-5.9/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch new file mode 100644 index 00000000000..7219d7d8d6d --- /dev/null +++ b/queue-5.9/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch @@ -0,0 +1,69 @@ +From c94d9d34baba62af22a349f53e43f4575624e575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 20:14:37 +0800 +Subject: EDAC/i5100: Fix error handling order in i5100_init_one() + +From: Dinghao Liu + +[ Upstream commit 857a3139bd8be4f702c030c8ca06f3fd69c1741a ] + +When pci_get_device_func() fails, the driver doesn't need to execute +pci_dev_put(). mci should still be freed, though, to prevent a memory +leak. When pci_enable_device() fails, the error injection PCI device +"einj" doesn't need to be disabled either. + + [ bp: Massage commit message, rename label to "bail_mc_free". ] + +Fixes: 52608ba205461 ("i5100_edac: probe for device 19 function 0") +Signed-off-by: Dinghao Liu +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200826121437.31606-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/edac/i5100_edac.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/edac/i5100_edac.c b/drivers/edac/i5100_edac.c +index 191aa7c19ded7..324a46b8479b0 100644 +--- a/drivers/edac/i5100_edac.c ++++ b/drivers/edac/i5100_edac.c +@@ -1061,16 +1061,15 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + PCI_DEVICE_ID_INTEL_5100_19, 0); + if (!einj) { + ret = -ENODEV; +- goto bail_einj; ++ goto bail_mc_free; + } + + rc = pci_enable_device(einj); + if (rc < 0) { + ret = rc; +- goto bail_disable_einj; ++ goto bail_einj; + } + +- + mci->pdev = &pdev->dev; + + priv = mci->pvt_info; +@@ -1136,14 +1135,14 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + bail_scrub: + priv->scrub_enable = 0; + cancel_delayed_work_sync(&(priv->i5100_scrubbing)); +- edac_mc_free(mci); +- +-bail_disable_einj: + pci_disable_device(einj); + + bail_einj: + pci_dev_put(einj); + ++bail_mc_free: ++ edac_mc_free(mci); ++ + bail_disable_ch1: + pci_disable_device(ch1mm); + +-- +2.25.1 + diff --git a/queue-5.9/edac-ti-fix-handling-of-platform_get_irq-error.patch b/queue-5.9/edac-ti-fix-handling-of-platform_get_irq-error.patch new file mode 100644 index 00000000000..28a2823ea86 --- /dev/null +++ b/queue-5.9/edac-ti-fix-handling-of-platform_get_irq-error.patch @@ -0,0 +1,42 @@ +From 3ed73531ce27cba49b6efafcb4de81f9fa9ec786 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:07:43 +0200 +Subject: EDAC/ti: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 66077adb70a2a9e92540155b2ace33ec98299c90 ] + +platform_get_irq() returns a negative error number on error. In such a +case, comparison to 0 would pass the check therefore check the return +value properly, whether it is negative. + + [ bp: Massage commit message. ] + +Fixes: 86a18ee21e5e ("EDAC, ti: Add support for TI keystone and DRA7xx EDAC") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Borislav Petkov +Reviewed-by: Tero Kristo +Link: https://lkml.kernel.org/r/20200827070743.26628-2-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/edac/ti_edac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c +index 8be3e89a510e4..d7419a90a2f5b 100644 +--- a/drivers/edac/ti_edac.c ++++ b/drivers/edac/ti_edac.c +@@ -278,7 +278,8 @@ static int ti_edac_probe(struct platform_device *pdev) + + /* add EMIF ECC error handler */ + error_irq = platform_get_irq(pdev, 0); +- if (!error_irq) { ++ if (error_irq < 0) { ++ ret = error_irq; + edac_printk(KERN_ERR, EDAC_MOD_NAME, + "EMIF irq number not defined.\n"); + goto err; +-- +2.25.1 + diff --git a/queue-5.9/ext4-disallow-modifying-dax-inode-flag-if-inline_dat.patch b/queue-5.9/ext4-disallow-modifying-dax-inode-flag-if-inline_dat.patch new file mode 100644 index 00000000000..cb83d49bf3e --- /dev/null +++ b/queue-5.9/ext4-disallow-modifying-dax-inode-flag-if-inline_dat.patch @@ -0,0 +1,55 @@ +From 4bd47989493b1dd955dc018f29ddff2551786cf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 16:43:30 +0800 +Subject: ext4: disallow modifying DAX inode flag if inline_data has been set + +From: Xiao Yang + +[ Upstream commit aa2f77920b743c44e02e2dc8474bbf8bd30007a2 ] + +inline_data is mutually exclusive to DAX so enabling both of them triggers +the following issue: +------------------------------------------ +# mkfs.ext4 -F -O inline_data /dev/pmem1 +... +# mount /dev/pmem1 /mnt +# echo 'test' >/mnt/file +# lsattr -l /mnt/file +/mnt/file Inline_Data +# xfs_io -c "chattr +x" /mnt/file +# xfs_io -c "lsattr -v" /mnt/file +[dax] /mnt/file +# umount /mnt +# mount /dev/pmem1 /mnt +# cat /mnt/file +cat: /mnt/file: Numerical result out of range +------------------------------------------ + +Fixes: b383a73f2b83 ("fs/ext4: Introduce DAX inode flag") +Signed-off-by: Xiao Yang +Reviewed-by: Jan Kara +Reviewed-by: Ira Weiny +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/20200828084330.15776-1-yangx.jy@cn.fujitsu.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ext4.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 523e00d7b3924..69187b6205b2b 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -492,7 +492,7 @@ struct flex_groups { + + /* Flags which are mutually exclusive to DAX */ + #define EXT4_DAX_MUT_EXCL (EXT4_VERITY_FL | EXT4_ENCRYPT_FL |\ +- EXT4_JOURNAL_DATA_FL) ++ EXT4_JOURNAL_DATA_FL | EXT4_INLINE_DATA_FL) + + /* Mask out flags that are inappropriate for the given type of inode. */ + static inline __u32 ext4_mask_flags(umode_t mode, __u32 flags) +-- +2.25.1 + diff --git a/queue-5.9/ext4-discard-preallocations-before-releasing-group-l.patch b/queue-5.9/ext4-discard-preallocations-before-releasing-group-l.patch new file mode 100644 index 00000000000..8938d8161f2 --- /dev/null +++ b/queue-5.9/ext4-discard-preallocations-before-releasing-group-l.patch @@ -0,0 +1,99 @@ +From f7e79eebadb85deb94e6953ebabbc774a6efb708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 17:09:59 +0200 +Subject: ext4: discard preallocations before releasing group lock + +From: Jan Kara + +[ Upstream commit 5b3dc19dda6691e8ab574e8eede1aef6f02a4f1c ] + +ext4_mb_discard_group_preallocations() can be releasing group lock with +preallocations accumulated on its local list. Thus although +discard_pa_seq was incremented and concurrent allocating processes will +be retrying allocations, it can happen that premature ENOSPC error is +returned because blocks used for preallocations are not available for +reuse yet. Make sure we always free locally accumulated preallocations +before releasing group lock. + +Fixes: 07b5b8e1ac40 ("ext4: mballoc: introduce pcpu seqcnt for freeing PA to improve ENOSPC handling") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20200924150959.4335-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 33 +++++++++++++-------------------- + 1 file changed, 13 insertions(+), 20 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index ff47347012f4b..a8d99f676fb1f 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4160,7 +4160,7 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + struct ext4_buddy e4b; + int err; + int busy = 0; +- int free = 0; ++ int free, free_total = 0; + + mb_debug(sb, "discard preallocation for group %u\n", group); + if (list_empty(&grp->bb_prealloc_list)) +@@ -4188,6 +4188,7 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + + INIT_LIST_HEAD(&list); + repeat: ++ free = 0; + ext4_lock_group(sb, group); + list_for_each_entry_safe(pa, tmp, + &grp->bb_prealloc_list, pa_group_list) { +@@ -4217,22 +4218,6 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + list_add(&pa->u.pa_tmp_list, &list); + } + +- /* if we still need more blocks and some PAs were used, try again */ +- if (free < needed && busy) { +- busy = 0; +- ext4_unlock_group(sb, group); +- cond_resched(); +- goto repeat; +- } +- +- /* found anything to free? */ +- if (list_empty(&list)) { +- BUG_ON(free != 0); +- mb_debug(sb, "Someone else may have freed PA for this group %u\n", +- group); +- goto out; +- } +- + /* now free all selected PAs */ + list_for_each_entry_safe(pa, tmp, &list, u.pa_tmp_list) { + +@@ -4250,14 +4235,22 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + call_rcu(&(pa)->u.pa_rcu, ext4_mb_pa_callback); + } + +-out: ++ free_total += free; ++ ++ /* if we still need more blocks and some PAs were used, try again */ ++ if (free_total < needed && busy) { ++ ext4_unlock_group(sb, group); ++ cond_resched(); ++ busy = 0; ++ goto repeat; ++ } + ext4_unlock_group(sb, group); + ext4_mb_unload_buddy(&e4b); + put_bh(bitmap_bh); + out_dbg: + mb_debug(sb, "discarded (%d) blocks preallocated for group %u bb_free (%d)\n", +- free, group, grp->bb_free); +- return free; ++ free_total, group, grp->bb_free); ++ return free_total; + } + + /* +-- +2.25.1 + diff --git a/queue-5.9/ext4-fix-dead-loop-in-ext4_mb_new_blocks.patch b/queue-5.9/ext4-fix-dead-loop-in-ext4_mb_new_blocks.patch new file mode 100644 index 00000000000..2be5e2c5d1f --- /dev/null +++ b/queue-5.9/ext4-fix-dead-loop-in-ext4_mb_new_blocks.patch @@ -0,0 +1,73 @@ +From 6e2d9385db271ed7e66a21ee7d6e76173fca6221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 19:38:59 +0800 +Subject: ext4: fix dead loop in ext4_mb_new_blocks + +From: Ye Bin + +[ Upstream commit 70022da804f0f3f152115688885608c39182082e ] + +As we test disk offline/online with running fsstress, we find fsstress +process is keeping running state. +kworker/u32:3-262 [004] ...1 140.787471: ext4_mb_discard_preallocations: dev 8,32 needed 114 +.... +kworker/u32:3-262 [004] ...1 140.787471: ext4_mb_discard_preallocations: dev 8,32 needed 114 + +ext4_mb_new_blocks +repeat: + ext4_mb_discard_preallocations_should_retry(sb, ac, &seq) + freed = ext4_mb_discard_preallocations + ext4_mb_discard_group_preallocations + this_cpu_inc(discard_pa_seq); + ---> freed == 0 + seq_retry = ext4_get_discard_pa_seq_sum + for_each_possible_cpu(__cpu) + __seq += per_cpu(discard_pa_seq, __cpu); + if (seq_retry != *seq) { + *seq = seq_retry; + ret = true; + } + +As we see seq_retry is sum of discard_pa_seq every cpu, if +ext4_mb_discard_group_preallocations return zero discard_pa_seq in this +cpu maybe increase one, so condition "seq_retry != *seq" have always +been met. +Ritesh Harjani suggest to in ext4_mb_discard_group_preallocations function we +only increase discard_pa_seq when there is some PA to free. + +Fixes: 07b5b8e1ac40 ("ext4: mballoc: introduce pcpu seqcnt for freeing PA to improve ENOSPC handling") +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Reviewed-by: Ritesh Harjani +Link: https://lore.kernel.org/r/20200916113859.1556397-3-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 132c118d12e15..ff47347012f4b 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4189,7 +4189,6 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + INIT_LIST_HEAD(&list); + repeat: + ext4_lock_group(sb, group); +- this_cpu_inc(discard_pa_seq); + list_for_each_entry_safe(pa, tmp, + &grp->bb_prealloc_list, pa_group_list) { + spin_lock(&pa->pa_lock); +@@ -4206,6 +4205,9 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + /* seems this one can be freed ... */ + ext4_mb_mark_pa_deleted(sb, pa); + ++ if (!free) ++ this_cpu_inc(discard_pa_seq); ++ + /* we can trust pa_free ... */ + free += pa->pa_free; + +-- +2.25.1 + diff --git a/queue-5.9/ext4-limit-entries-returned-when-counting-fsmap-reco.patch b/queue-5.9/ext4-limit-entries-returned-when-counting-fsmap-reco.patch new file mode 100644 index 00000000000..2a19a80caa2 --- /dev/null +++ b/queue-5.9/ext4-limit-entries-returned-when-counting-fsmap-reco.patch @@ -0,0 +1,40 @@ +From 2ec2a6729fac8645a72060613f9826baa803f194 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 15:21:48 -0700 +Subject: ext4: limit entries returned when counting fsmap records + +From: Darrick J. Wong + +[ Upstream commit af8c53c8bc087459b1aadd4c94805d8272358d79 ] + +If userspace asked fsmap to try to count the number of entries, we cannot +return more than UINT_MAX entries because fmh_entries is u32. +Therefore, stop counting if we hit this limit or else we will waste time +to return truncated results. + +Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls") +Signed-off-by: Darrick J. Wong +Link: https://lore.kernel.org/r/20201001222148.GA49520@magnolia +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/fsmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/fsmap.c b/fs/ext4/fsmap.c +index dbccf46f17709..37347ba868b70 100644 +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -108,6 +108,9 @@ static int ext4_getfsmap_helper(struct super_block *sb, + + /* Are we just counting mappings? */ + if (info->gfi_head->fmh_count == 0) { ++ if (info->gfi_head->fmh_entries == UINT_MAX) ++ return EXT4_QUERY_RANGE_ABORT; ++ + if (rec_fsblk > info->gfi_next_fsblk) + info->gfi_head->fmh_entries++; + +-- +2.25.1 + diff --git a/queue-5.9/f2fs-reject-casefold-inode-flag-without-casefold-fea.patch b/queue-5.9/f2fs-reject-casefold-inode-flag-without-casefold-fea.patch new file mode 100644 index 00000000000..a7bfb660ff4 --- /dev/null +++ b/queue-5.9/f2fs-reject-casefold-inode-flag-without-casefold-fea.patch @@ -0,0 +1,69 @@ +From 6c9c32f17044f0e2b394dd77db11cd56d034bd08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 12:15:22 -0700 +Subject: f2fs: reject CASEFOLD inode flag without casefold feature + +From: Eric Biggers + +[ Upstream commit f6322f3f1212e005e7e6aa82ceb62be53030a64b ] + +syzbot reported: + + general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN + KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] + CPU: 0 PID: 6860 Comm: syz-executor835 Not tainted 5.9.0-rc8-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + RIP: 0010:utf8_casefold+0x43/0x1b0 fs/unicode/utf8-core.c:107 + [...] + Call Trace: + f2fs_init_casefolded_name fs/f2fs/dir.c:85 [inline] + __f2fs_setup_filename fs/f2fs/dir.c:118 [inline] + f2fs_prepare_lookup+0x3bf/0x640 fs/f2fs/dir.c:163 + f2fs_lookup+0x10d/0x920 fs/f2fs/namei.c:494 + __lookup_hash+0x115/0x240 fs/namei.c:1445 + filename_create+0x14b/0x630 fs/namei.c:3467 + user_path_create fs/namei.c:3524 [inline] + do_mkdirat+0x56/0x310 fs/namei.c:3664 + do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [...] + +The problem is that an inode has F2FS_CASEFOLD_FL set, but the +filesystem doesn't have the casefold feature flag set, and therefore +super_block::s_encoding is NULL. + +Fix this by making sanity_check_inode() reject inodes that have +F2FS_CASEFOLD_FL when the filesystem doesn't have the casefold feature. + +Reported-by: syzbot+05139c4039d0679e19ff@syzkaller.appspotmail.com +Fixes: 2c2eb7a300cd ("f2fs: Support case-insensitive file name lookups") +Signed-off-by: Eric Biggers +Reviewed-by: Gabriel Krisman Bertazi +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 66969ae852b97..5195e083fc1e6 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -287,6 +287,13 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) + return false; + } + ++ if ((fi->i_flags & F2FS_CASEFOLD_FL) && !f2fs_sb_has_casefold(sbi)) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_warn(sbi, "%s: inode (ino=%lx) has casefold flag, but casefold feature is off", ++ __func__, inode->i_ino); ++ return false; ++ } ++ + if (f2fs_has_extra_attr(inode) && f2fs_sb_has_compression(sbi) && + fi->i_flags & F2FS_COMPR_FL && + F2FS_FITS_IN_INODE(ri, fi->i_extra_isize, +-- +2.25.1 + diff --git a/queue-5.9/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch b/queue-5.9/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch new file mode 100644 index 00000000000..613c6e5ec86 --- /dev/null +++ b/queue-5.9/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch @@ -0,0 +1,78 @@ +From 27641608212f787f1c7fb7216ae103c786b9e9a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 14:09:48 +0100 +Subject: f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info + +From: Jamie Iles + +[ Upstream commit ae284d87abade58c8db7760c808f311ef1ce693c ] + +syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an +f2fs filesystem could result in the following splat: + + kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250) + kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750) + ------------[ cut here ]------------ + ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98 + WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240 + Kernel panic - not syncing: panic_on_warn set ... + CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #101 + Hardware name: linux,dummy-virt (DT) + Call trace: + dump_backtrace+0x0/0x4d8 + show_stack+0x34/0x48 + dump_stack+0x174/0x1f8 + panic+0x360/0x7a0 + __warn+0x244/0x2ec + report_bug+0x240/0x398 + bug_handler+0x50/0xc0 + call_break_hook+0x160/0x1d8 + brk_handler+0x30/0xc0 + do_debug_exception+0x184/0x340 + el1_dbg+0x48/0xb0 + el1_sync_handler+0x170/0x1c8 + el1_sync+0x80/0x100 + debug_print_object+0x180/0x240 + debug_check_no_obj_freed+0x200/0x430 + slab_free_freelist_hook+0x190/0x210 + kfree+0x13c/0x460 + f2fs_put_super+0x624/0xa58 + generic_shutdown_super+0x120/0x300 + kill_block_super+0x94/0xf8 + kill_f2fs_super+0x244/0x308 + deactivate_locked_super+0x104/0x150 + deactivate_super+0x118/0x148 + cleanup_mnt+0x27c/0x3c0 + __cleanup_mnt+0x28/0x38 + task_work_run+0x10c/0x248 + do_notify_resume+0x9d4/0x1188 + work_pending+0x8/0x34c + +Like the error handling for f2fs_register_sysfs(), we need to wait for +the kobject to be destroyed before returning to prevent a potential +use-after-free. + +Fixes: bf9e697ecd42 ("f2fs: expose features to sysfs entry") +Cc: Jaegeuk Kim +Cc: Chao Yu +Signed-off-by: Jamie Iles +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 88ed9969cc862..5fe7d8fa93801 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -968,4 +968,5 @@ void f2fs_unregister_sysfs(struct f2fs_sb_info *sbi) + } + kobject_del(&sbi->s_kobj); + kobject_put(&sbi->s_kobj); ++ wait_for_completion(&sbi->s_kobj_unregister); + } +-- +2.25.1 + diff --git a/queue-5.9/fbmem-add-margin-check-to-fb_check_caps.patch b/queue-5.9/fbmem-add-margin-check-to-fb_check_caps.patch new file mode 100644 index 00000000000..3cf3199b31b --- /dev/null +++ b/queue-5.9/fbmem-add-margin-check-to-fb_check_caps.patch @@ -0,0 +1,47 @@ +From cd03b92a7023afe3c45b63337f56b5cc96661e60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 15:26:03 -0400 +Subject: fbmem: add margin check to fb_check_caps() + +From: George Kennedy + +[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ] + +A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting +or yres setting in struct fb_var_screeninfo will result in a +KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as +the margins are being cleared. The margins are cleared in +chunks and if the xres setting or yres setting is a value of +zero upto the chunk size, the failure will occur. + +Add a margin check to validate xres and yres settings. + +Signed-off-by: George Kennedy +Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com +Reviewed-by: Dan Carpenter +Cc: Dhaval Giani +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmem.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index 6815bfb7f5724..e33bf1c386926 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1006,6 +1006,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var) + return 0; + } + ++ /* bitfill_aligned() assumes that it's at least 8x8 */ ++ if (var->xres < 8 || var->yres < 8) ++ return -EINVAL; ++ + ret = info->fbops->fb_check_var(var, info); + + if (ret) +-- +2.25.1 + diff --git a/queue-5.9/firmware-arm_scmi-fix-null-pointer-dereference-in-ma.patch b/queue-5.9/firmware-arm_scmi-fix-null-pointer-dereference-in-ma.patch new file mode 100644 index 00000000000..fc29907d430 --- /dev/null +++ b/queue-5.9/firmware-arm_scmi-fix-null-pointer-dereference-in-ma.patch @@ -0,0 +1,72 @@ +From 735d9dc71927cf15b81a28b531802959b12b9f5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 12:26:11 +0100 +Subject: firmware: arm_scmi: Fix NULL pointer dereference in mailbox_chan_free + +From: Sudeep Holla + +[ Upstream commit 6ed6c558234f0b6c22e47a3c2feddce3d02324dd ] + +scmi_mailbox is obtained from cinfo->transport_info and the first +call to mailbox_chan_free frees the channel and sets cinfo->transport_info +to NULL. Care is taken to check for non NULL smbox->chan but smbox can +itself be NULL. Fix it by checking for it without which, kernel crashes +with below NULL pointer dereference and eventually kernel panic. + + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000038 + Modules linked in: scmi_module(-) + Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno + Development Platform, BIOS EDK II Sep 2 2020 + pstate: 80000005 (Nzcv daif -PAN -UAO BTYPE=--) + pc : mailbox_chan_free+0x2c/0x70 [scmi_module] + lr : idr_for_each+0x6c/0xf8 + Call trace: + mailbox_chan_free+0x2c/0x70 [scmi_module] + idr_for_each+0x6c/0xf8 + scmi_remove+0xa8/0xf0 [scmi_module] + platform_drv_remove+0x34/0x58 + device_release_driver_internal+0x118/0x1f0 + driver_detach+0x58/0xe8 + bus_remove_driver+0x64/0xe0 + driver_unregister+0x38/0x68 + platform_driver_unregister+0x1c/0x28 + scmi_driver_exit+0x38/0x44 [scmi_module] + ---[ end trace 17bde19f50436de9 ]--- + Kernel panic - not syncing: Fatal exception + SMP: stopping secondary CPUs + Kernel Offset: 0x1d0000 from 0xffff800010000000 + PHYS_OFFSET: 0x80000000 + CPU features: 0x0240022,25806004 + Memory Limit: none + ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Link: https://lore.kernel.org/r/20200908112611.31515-1-sudeep.holla@arm.com +Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type") +Cc: Cristian Marussi +Cc: Viresh Kumar +Tested-by: Cristian Marussi +Reviewed-by: Cristian Marussi +Reviewed-by: Viresh Kumar +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/mailbox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_scmi/mailbox.c b/drivers/firmware/arm_scmi/mailbox.c +index 6998dc86b5ce8..b797a713c3313 100644 +--- a/drivers/firmware/arm_scmi/mailbox.c ++++ b/drivers/firmware/arm_scmi/mailbox.c +@@ -110,7 +110,7 @@ static int mailbox_chan_free(int id, void *p, void *data) + struct scmi_chan_info *cinfo = p; + struct scmi_mailbox *smbox = cinfo->transport_info; + +- if (!IS_ERR(smbox->chan)) { ++ if (smbox && !IS_ERR(smbox->chan)) { + mbox_free_channel(smbox->chan); + cinfo->transport_info = NULL; + smbox->chan = NULL; +-- +2.25.1 + diff --git a/queue-5.9/fix-use-after-free-in-get_capset_info-callback.patch b/queue-5.9/fix-use-after-free-in-get_capset_info-callback.patch new file mode 100644 index 00000000000..1d41b3985a1 --- /dev/null +++ b/queue-5.9/fix-use-after-free-in-get_capset_info-callback.patch @@ -0,0 +1,61 @@ +From 7a4104928dbaa33f0adbfc7b0f8908ec7d99fb6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:08:25 -0700 +Subject: Fix use after free in get_capset_info callback. + +From: Doug Horn + +[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ] + +If a response to virtio_gpu_cmd_get_capset_info takes longer than +five seconds to return, the callback will access freed kernel memory +in vg->capsets. + +Signed-off-by: Doug Horn +Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_kms.c | 2 ++ + drivers/gpu/drm/virtio/virtgpu_vq.c | 10 +++++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c +index 4d944a0dff3e9..fdd7671a7b126 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_kms.c ++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c +@@ -80,8 +80,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev, + vgdev->capsets[i].id > 0, 5 * HZ); + if (ret == 0) { + DRM_ERROR("timed out waiting for cap set %d\n", i); ++ spin_lock(&vgdev->display_info_lock); + kfree(vgdev->capsets); + vgdev->capsets = NULL; ++ spin_unlock(&vgdev->display_info_lock); + return; + } + DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n", +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 53af60d484a44..9d2abdbd865a7 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -684,9 +684,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev, + int i = le32_to_cpu(cmd->capset_index); + + spin_lock(&vgdev->display_info_lock); +- vgdev->capsets[i].id = le32_to_cpu(resp->capset_id); +- vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version); +- vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size); ++ if (vgdev->capsets) { ++ vgdev->capsets[i].id = le32_to_cpu(resp->capset_id); ++ vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version); ++ vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size); ++ } else { ++ DRM_ERROR("invalid capset memory."); ++ } + spin_unlock(&vgdev->display_info_lock); + wake_up(&vgdev->resp_wq); + } +-- +2.25.1 + diff --git a/queue-5.9/fs-dlm-fix-configfs-memory-leak.patch b/queue-5.9/fs-dlm-fix-configfs-memory-leak.patch new file mode 100644 index 00000000000..cb3f5fa4b48 --- /dev/null +++ b/queue-5.9/fs-dlm-fix-configfs-memory-leak.patch @@ -0,0 +1,70 @@ +From 1131c28b43b79685fb7c648d7a4b76c4797253d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 15:02:51 -0400 +Subject: fs: dlm: fix configfs memory leak + +From: Alexander Aring + +[ Upstream commit 3d2825c8c6105b0f36f3ff72760799fa2e71420e ] + +This patch fixes the following memory detected by kmemleak and umount +gfs2 filesystem which removed the last lockspace: + +unreferenced object 0xffff9264f482f600 (size 192): + comm "dlm_controld", pid 325, jiffies 4294690276 (age 48.136s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 6e 6f 64 65 73 00 00 00 ........nodes... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000060481d7>] make_space+0x41/0x130 + [<000000008d905d46>] configfs_mkdir+0x1a2/0x5f0 + [<00000000729502cf>] vfs_mkdir+0x155/0x210 + [<000000000369bcf1>] do_mkdirat+0x6d/0x110 + [<00000000cc478a33>] do_syscall_64+0x33/0x40 + [<00000000ce9ccf01>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The patch just remembers the "nodes" entry pointer in space as I think +it's created as subdirectory when parent "spaces" is created. In +function drop_space() we will lost the pointer reference to nds because +configfs_remove_default_groups(). However as this subdirectory is always +available when "spaces" exists it will just be freed when "spaces" will be +freed. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/config.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/dlm/config.c b/fs/dlm/config.c +index 47f0b98b707f8..f33a7e4ae917b 100644 +--- a/fs/dlm/config.c ++++ b/fs/dlm/config.c +@@ -221,6 +221,7 @@ struct dlm_space { + struct list_head members; + struct mutex members_lock; + int members_count; ++ struct dlm_nodes *nds; + }; + + struct dlm_comms { +@@ -430,6 +431,7 @@ static struct config_group *make_space(struct config_group *g, const char *name) + INIT_LIST_HEAD(&sp->members); + mutex_init(&sp->members_lock); + sp->members_count = 0; ++ sp->nds = nds; + return &sp->group; + + fail: +@@ -451,6 +453,7 @@ static void drop_space(struct config_group *g, struct config_item *i) + static void release_space(struct config_item *i) + { + struct dlm_space *sp = config_item_to_space(i); ++ kfree(sp->nds); + kfree(sp); + } + +-- +2.25.1 + diff --git a/queue-5.9/fs-fix-null-dereference-due-to-data-race-in-prepend_.patch b/queue-5.9/fs-fix-null-dereference-due-to-data-race-in-prepend_.patch new file mode 100644 index 00000000000..b839c52d2f3 --- /dev/null +++ b/queue-5.9/fs-fix-null-dereference-due-to-data-race-in-prepend_.patch @@ -0,0 +1,68 @@ +From 3320f2d2ab5b85998e8ca47fcab30fae1df20864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 13:45:28 -0700 +Subject: fs: fix NULL dereference due to data race in prepend_path() + +From: Andrii Nakryiko + +[ Upstream commit 09cad07547445bf3a41683e4d3abcd154c123ef5 ] + +Fix data race in prepend_path() with re-reading mnt->mnt_ns twice +without holding the lock. + +is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns) might +re-read the pointer again which could be NULL already, if in between +reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets +mnt->mnt_ns to NULL. + +This is seen in production with the following stack trace: + + BUG: kernel NULL pointer dereference, address: 0000000000000048 + ... + RIP: 0010:prepend_path.isra.4+0x1ce/0x2e0 + Call Trace: + d_path+0xe6/0x150 + proc_pid_readlink+0x8f/0x100 + vfs_readlink+0xf8/0x110 + do_readlinkat+0xfd/0x120 + __x64_sys_readlinkat+0x1a/0x20 + do_syscall_64+0x42/0x110 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: f2683bd8d5bd ("[PATCH] fix d_absolute_path() interplay with fsmount()") +Signed-off-by: Andrii Nakryiko +Reviewed-by: Josef Bacik +Cc: Alexander Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/d_path.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/d_path.c b/fs/d_path.c +index 0f1fc1743302f..a69e2cd36e6e3 100644 +--- a/fs/d_path.c ++++ b/fs/d_path.c +@@ -102,6 +102,8 @@ static int prepend_path(const struct path *path, + + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) { + struct mount *parent = READ_ONCE(mnt->mnt_parent); ++ struct mnt_namespace *mnt_ns; ++ + /* Escaped? */ + if (dentry != vfsmnt->mnt_root) { + bptr = *buffer; +@@ -116,7 +118,9 @@ static int prepend_path(const struct path *path, + vfsmnt = &mnt->mnt; + continue; + } +- if (is_mounted(vfsmnt) && !is_anon_ns(mnt->mnt_ns)) ++ mnt_ns = READ_ONCE(mnt->mnt_ns); ++ /* open-coded is_mounted() to use local mnt_ns */ ++ if (!IS_ERR_OR_NULL(mnt_ns) && !is_anon_ns(mnt_ns)) + error = 1; // absolute root + else + error = 2; // detached or not attached yet +-- +2.25.1 + diff --git a/queue-5.9/fscrypt-restrict-iv_ino_lblk_32-to-ino_bits-32.patch b/queue-5.9/fscrypt-restrict-iv_ino_lblk_32-to-ino_bits-32.patch new file mode 100644 index 00000000000..d961377c81c --- /dev/null +++ b/queue-5.9/fscrypt-restrict-iv_ino_lblk_32-to-ino_bits-32.patch @@ -0,0 +1,65 @@ +From 2a682a26c090d88cb730fab0714fe423c40679e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 13:38:41 -0700 +Subject: fscrypt: restrict IV_INO_LBLK_32 to ino_bits <= 32 + +From: Eric Biggers + +[ Upstream commit 5e895bd4d5233cb054447d0491d4e63c8496d419 ] + +When an encryption policy has the IV_INO_LBLK_32 flag set, the IV +generation method involves hashing the inode number. This is different +from fscrypt's other IV generation methods, where the inode number is +either not used at all or is included directly in the IVs. + +Therefore, in principle IV_INO_LBLK_32 can work with any length inode +number. However, currently fscrypt gets the inode number from +inode::i_ino, which is 'unsigned long'. So currently the implementation +limit is actually 32 bits (like IV_INO_LBLK_64), since longer inode +numbers will have been truncated by the VFS on 32-bit platforms. + +Fix fscrypt_supported_v2_policy() to enforce the correct limit. + +This doesn't actually matter currently, since only ext4 and f2fs support +IV_INO_LBLK_32, and they both only support 32-bit inode numbers. But we +might as well fix it in case it matters in the future. + +Ideally inode::i_ino would instead be made 64-bit, but for now it's not +needed. (Note, this limit does *not* prevent filesystems with 64-bit +inode numbers from adding fscrypt support, since IV_INO_LBLK_* support +is optional and is useful only on certain hardware.) + +Fixes: e3b1078bedd3 ("fscrypt: add support for IV_INO_LBLK_32 policies") +Reported-by: Jeff Layton +Link: https://lore.kernel.org/r/20200824203841.1707847-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Sasha Levin +--- + fs/crypto/policy.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c +index 2d73fd39ad96f..b92f345231780 100644 +--- a/fs/crypto/policy.c ++++ b/fs/crypto/policy.c +@@ -192,10 +192,15 @@ static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy, + 32, 32)) + return false; + ++ /* ++ * IV_INO_LBLK_32 hashes the inode number, so in principle it can ++ * support any ino_bits. However, currently the inode number is gotten ++ * from inode::i_ino which is 'unsigned long'. So for now the ++ * implementation limit is 32 bits. ++ */ + if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) && +- /* This uses hashed inode numbers, so ino_bits doesn't matter. */ + !supported_iv_ino_lblk_policy(policy, inode, "IV_INO_LBLK_32", +- INT_MAX, 32)) ++ 32, 32)) + return false; + + if (memchr_inv(policy->__reserved, 0, sizeof(policy->__reserved))) { +-- +2.25.1 + diff --git a/queue-5.9/habanalabs-cast-to-u64-before-shift-31-bits.patch b/queue-5.9/habanalabs-cast-to-u64-before-shift-31-bits.patch new file mode 100644 index 00000000000..7e5aed7ee19 --- /dev/null +++ b/queue-5.9/habanalabs-cast-to-u64-before-shift-31-bits.patch @@ -0,0 +1,91 @@ +From 15883ad203ec6d25ca5759458eaceb10728492a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 11:24:03 +0300 +Subject: habanalabs: cast to u64 before shift > 31 bits + +From: Oded Gabbay + +[ Upstream commit f763946aefe67b3ea58696b75a930ba1ed886a83 ] + +When shifting a boolean variable by more than 31 bits and putting the +result into a u64 variable, we need to cast the boolean into unsigned 64 +bits to prevent possible overflow. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/gaudi/gaudi.c | 8 +++++--- + drivers/misc/habanalabs/goya/goya.c | 8 +++++--- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/misc/habanalabs/gaudi/gaudi.c b/drivers/misc/habanalabs/gaudi/gaudi.c +index 4009b7df4cafe..2e55890ad6a61 100644 +--- a/drivers/misc/habanalabs/gaudi/gaudi.c ++++ b/drivers/misc/habanalabs/gaudi/gaudi.c +@@ -6099,7 +6099,7 @@ static bool gaudi_is_device_idle(struct hl_device *hdev, u32 *mask, + is_idle &= is_eng_idle; + + if (mask) +- *mask |= !is_eng_idle << ++ *mask |= ((u64) !is_eng_idle) << + (GAUDI_ENGINE_ID_DMA_0 + dma_id); + if (s) + seq_printf(s, fmt, dma_id, +@@ -6122,7 +6122,8 @@ static bool gaudi_is_device_idle(struct hl_device *hdev, u32 *mask, + is_idle &= is_eng_idle; + + if (mask) +- *mask |= !is_eng_idle << (GAUDI_ENGINE_ID_TPC_0 + i); ++ *mask |= ((u64) !is_eng_idle) << ++ (GAUDI_ENGINE_ID_TPC_0 + i); + if (s) + seq_printf(s, fmt, i, + is_eng_idle ? "Y" : "N", +@@ -6150,7 +6151,8 @@ static bool gaudi_is_device_idle(struct hl_device *hdev, u32 *mask, + is_idle &= is_eng_idle; + + if (mask) +- *mask |= !is_eng_idle << (GAUDI_ENGINE_ID_MME_0 + i); ++ *mask |= ((u64) !is_eng_idle) << ++ (GAUDI_ENGINE_ID_MME_0 + i); + if (s) { + if (!is_slave) + seq_printf(s, fmt, i, +diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c +index 33cd2ae653d23..c09742f440f96 100644 +--- a/drivers/misc/habanalabs/goya/goya.c ++++ b/drivers/misc/habanalabs/goya/goya.c +@@ -5166,7 +5166,8 @@ static bool goya_is_device_idle(struct hl_device *hdev, u32 *mask, + is_idle &= is_eng_idle; + + if (mask) +- *mask |= !is_eng_idle << (GOYA_ENGINE_ID_DMA_0 + i); ++ *mask |= ((u64) !is_eng_idle) << ++ (GOYA_ENGINE_ID_DMA_0 + i); + if (s) + seq_printf(s, dma_fmt, i, is_eng_idle ? "Y" : "N", + qm_glbl_sts0, dma_core_sts0); +@@ -5189,7 +5190,8 @@ static bool goya_is_device_idle(struct hl_device *hdev, u32 *mask, + is_idle &= is_eng_idle; + + if (mask) +- *mask |= !is_eng_idle << (GOYA_ENGINE_ID_TPC_0 + i); ++ *mask |= ((u64) !is_eng_idle) << ++ (GOYA_ENGINE_ID_TPC_0 + i); + if (s) + seq_printf(s, fmt, i, is_eng_idle ? "Y" : "N", + qm_glbl_sts0, cmdq_glbl_sts0, tpc_cfg_sts); +@@ -5209,7 +5211,7 @@ static bool goya_is_device_idle(struct hl_device *hdev, u32 *mask, + is_idle &= is_eng_idle; + + if (mask) +- *mask |= !is_eng_idle << GOYA_ENGINE_ID_MME_0; ++ *mask |= ((u64) !is_eng_idle) << GOYA_ENGINE_ID_MME_0; + if (s) { + seq_printf(s, fmt, 0, is_eng_idle ? "Y" : "N", qm_glbl_sts0, + cmdq_glbl_sts0, mme_arch_sts); +-- +2.25.1 + diff --git a/queue-5.9/hid-hid-input-fix-stylus-battery-reporting.patch b/queue-5.9/hid-hid-input-fix-stylus-battery-reporting.patch new file mode 100644 index 00000000000..2562ae6ce73 --- /dev/null +++ b/queue-5.9/hid-hid-input-fix-stylus-battery-reporting.patch @@ -0,0 +1,49 @@ +From 0473c98f1eef491492ebe994ca5ccf9d26c149e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 16:35:52 -0700 +Subject: HID: hid-input: fix stylus battery reporting + +From: Dmitry Torokhov + +[ Upstream commit 505f394fa239cecb76d916aa858f87ed7ea7fde4 ] + +With commit 4f3882177240 hid-input started clearing of "ignored" usages +to avoid using garbage that might have been left in them. However +"battery strength" usages should not be ignored, as we do want to +use them. + +Fixes: 4f3882177240 ("HID: hid-input: clear unmapped usages") +Reported-by: Kenneth Albanowski +Tested-by: Kenneth Albanowski +Signed-off-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 88e19996427e6..9770db624bfaf 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -797,7 +797,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x3b: /* Battery Strength */ + hidinput_setup_battery(device, HID_INPUT_REPORT, field); + usage->type = EV_PWR; +- goto ignore; ++ return; + + case 0x3c: /* Invert */ + map_key_clear(BTN_TOOL_RUBBER); +@@ -1059,7 +1059,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case HID_DC_BATTERYSTRENGTH: + hidinput_setup_battery(device, HID_INPUT_REPORT, field); + usage->type = EV_PWR; +- goto ignore; ++ return; + } + goto unknown; + +-- +2.25.1 + diff --git a/queue-5.9/hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch b/queue-5.9/hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch new file mode 100644 index 00000000000..8973c1f454c --- /dev/null +++ b/queue-5.9/hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch @@ -0,0 +1,61 @@ +From 4ff5a847debf0a07cdbd539105c3c795024fe36d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 09:56:42 +0200 +Subject: HID: ite: Add USB id match for Acer One S1003 keyboard dock + +From: Hans de Goede + +[ Upstream commit 5bf2f2f331ad812c9b7eea6e14a3ea328acbffc0 ] + +The Acer One S1003 2-in-1 keyboard dock uses a Synaptics S910xx touchpad +which is connected to an ITE 8910 USB keyboard controller chip. + +This keyboard has the same quirk for its rfkill / airplane mode hotkey as +other keyboards with ITE keyboard chips, it only sends a single release +event when pressed and released, it never sends a press event. + +This commit adds this keyboards USB id to the hid-ite id-table, fixing +the rfkill key not working on this keyboard. Note that like for the +Acer Aspire Switch 10 (SW5-012) the id-table entry matches on the +HID_GROUP_GENERIC generic group so that hid-ite only binds to the +keyboard interface and the mouse/touchpad interface is left untouched +so that hid-multitouch can bind to it. + +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-ite.c | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 6a6e2c1b60900..79495e218b7fc 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1124,6 +1124,7 @@ + #define USB_DEVICE_ID_SYNAPTICS_DELL_K12A 0x2819 + #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012 0x2968 + #define USB_DEVICE_ID_SYNAPTICS_TP_V103 0x5710 ++#define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003 0x73f5 + #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5 0x81a7 + + #define USB_VENDOR_ID_TEXAS_INSTRUMENTS 0x2047 +diff --git a/drivers/hid/hid-ite.c b/drivers/hid/hid-ite.c +index 6c55682c59740..044a93f3c1178 100644 +--- a/drivers/hid/hid-ite.c ++++ b/drivers/hid/hid-ite.c +@@ -44,6 +44,10 @@ static const struct hid_device_id ite_devices[] = { + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_SYNAPTICS, + USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) }, ++ /* ITE8910 USB kbd ctlr, with Synaptics touchpad connected to it. */ ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_SYNAPTICS, ++ USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003) }, + { } + }; + MODULE_DEVICE_TABLE(hid, ite_devices); +-- +2.25.1 + diff --git a/queue-5.9/hid-multitouch-lenovo-x1-tablet-gen3-trackpoint-and-.patch b/queue-5.9/hid-multitouch-lenovo-x1-tablet-gen3-trackpoint-and-.patch new file mode 100644 index 00000000000..d15219f2230 --- /dev/null +++ b/queue-5.9/hid-multitouch-lenovo-x1-tablet-gen3-trackpoint-and-.patch @@ -0,0 +1,57 @@ +From 7c8d549ed15740a39ad938f43a5a79edeab5a02d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 11:48:10 +0200 +Subject: HID: multitouch: Lenovo X1 Tablet Gen3 trackpoint and buttons +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mikael Wikström + +[ Upstream commit 140958da9ab53a7df9e9ccc7678ea64655279ac1 ] + +One more device that needs 40d5bb87 to resolve regression for the trackpoint +and three mouse buttons on the type cover of the Lenovo X1 Tablet Gen3. + +It is probably also needed for the Lenovo X1 Tablet Gen2 with PID 0x60a3 + +Signed-off-by: Mikael Wikström +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-multitouch.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 74fc1df6e3c27..6a6e2c1b60900 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -727,6 +727,7 @@ + #define USB_DEVICE_ID_LENOVO_TP10UBKBD 0x6062 + #define USB_DEVICE_ID_LENOVO_TPPRODOCK 0x6067 + #define USB_DEVICE_ID_LENOVO_X1_COVER 0x6085 ++#define USB_DEVICE_ID_LENOVO_X1_TAB3 0x60b5 + #define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_608D 0x608d + #define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6019 0x6019 + #define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_602E 0x602e +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index e3152155c4b85..99f041afd5c0c 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1973,6 +1973,12 @@ static const struct hid_device_id mt_devices[] = { + HID_DEVICE(BUS_I2C, HID_GROUP_GENERIC, + USB_VENDOR_ID_LG, I2C_DEVICE_ID_LG_7010) }, + ++ /* Lenovo X1 TAB Gen 3 */ ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_LENOVO, ++ USB_DEVICE_ID_LENOVO_X1_TAB3) }, ++ + /* MosArt panels */ + { .driver_data = MT_CLS_CONFIDENCE_MINUS_ONE, + MT_USB_DEVICE(USB_VENDOR_ID_ASUS, +-- +2.25.1 + diff --git a/queue-5.9/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch b/queue-5.9/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch new file mode 100644 index 00000000000..0855c81eb40 --- /dev/null +++ b/queue-5.9/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch @@ -0,0 +1,78 @@ +From 8a7386b7f17baea808490fcd3700e369481f87cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 11:57:35 +0300 +Subject: HID: roccat: add bounds checking in kone_sysfs_write_settings() + +From: Dan Carpenter + +[ Upstream commit d4f98dbfe717490e771b6e701904bfcf4b4557f0 ] + +This code doesn't check if "settings->startup_profile" is within bounds +and that could result in an out of bounds array access. What the code +does do is it checks if the settings can be written to the firmware, so +it's possible that the firmware has a bounds check? It's safer and +easier to verify when the bounds checking is done in the kernel. + +Fixes: 14bf62cde794 ("HID: add driver for Roccat Kone gaming mouse") +Signed-off-by: Dan Carpenter +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat-kone.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c +index 2ff4c8e366ff2..1ca64481145ee 100644 +--- a/drivers/hid/hid-roccat-kone.c ++++ b/drivers/hid/hid-roccat-kone.c +@@ -294,31 +294,40 @@ static ssize_t kone_sysfs_write_settings(struct file *fp, struct kobject *kobj, + struct kone_device *kone = hid_get_drvdata(dev_get_drvdata(dev)); + struct usb_device *usb_dev = interface_to_usbdev(to_usb_interface(dev)); + int retval = 0, difference, old_profile; ++ struct kone_settings *settings = (struct kone_settings *)buf; + + /* I need to get my data in one piece */ + if (off != 0 || count != sizeof(struct kone_settings)) + return -EINVAL; + + mutex_lock(&kone->kone_lock); +- difference = memcmp(buf, &kone->settings, sizeof(struct kone_settings)); ++ difference = memcmp(settings, &kone->settings, ++ sizeof(struct kone_settings)); + if (difference) { +- retval = kone_set_settings(usb_dev, +- (struct kone_settings const *)buf); +- if (retval) { +- mutex_unlock(&kone->kone_lock); +- return retval; ++ if (settings->startup_profile < 1 || ++ settings->startup_profile > 5) { ++ retval = -EINVAL; ++ goto unlock; + } + ++ retval = kone_set_settings(usb_dev, settings); ++ if (retval) ++ goto unlock; ++ + old_profile = kone->settings.startup_profile; +- memcpy(&kone->settings, buf, sizeof(struct kone_settings)); ++ memcpy(&kone->settings, settings, sizeof(struct kone_settings)); + + kone_profile_activated(kone, kone->settings.startup_profile); + + if (kone->settings.startup_profile != old_profile) + kone_profile_report(kone, kone->settings.startup_profile); + } ++unlock: + mutex_unlock(&kone->kone_lock); + ++ if (retval) ++ return retval; ++ + return sizeof(struct kone_settings); + } + static BIN_ATTR(settings, 0660, kone_sysfs_read_settings, +-- +2.25.1 + diff --git a/queue-5.9/hv-clocksource-add-notrace-attribute-to-read_hv_sche.patch b/queue-5.9/hv-clocksource-add-notrace-attribute-to-read_hv_sche.patch new file mode 100644 index 00000000000..0dec57711a9 --- /dev/null +++ b/queue-5.9/hv-clocksource-add-notrace-attribute-to-read_hv_sche.patch @@ -0,0 +1,96 @@ +From f8f0aaea94c8d673bbf89404b6d4fa52ed59dba7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 17:11:17 +0200 +Subject: hv: clocksource: Add notrace attribute to read_hv_sched_clock_*() + functions + +From: Mohammed Gamal + +[ Upstream commit 1f3aed01473c41c9f896fbf4c30d330655e8aa7c ] + +When selecting function_graph tracer with the command: + # echo function_graph > /sys/kernel/debug/tracing/current_tracer + +The kernel crashes with the following stack trace: + +[69703.122389] BUG: stack guard page was hit at 000000001056545c (stack is 00000000fa3f8fed..0000000005d39503) +[69703.122403] kernel stack overflow (double-fault): 0000 [#1] SMP PTI +[69703.122413] CPU: 0 PID: 16982 Comm: bash Kdump: loaded Not tainted 4.18.0-236.el8.x86_64 #1 +[69703.122420] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 +[69703.122433] RIP: 0010repare_ftrace_return+0xa/0x110 +[69703.122458] Code: 05 00 0f 0b 48 c7 c7 10 ca 69 ae 0f b6 f0 e8 4b 52 0c 00 31 c0 eb ca 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 41 54 <53> 48 83 ec 18 65 48 8b 04 25 28 00 00 00 48 89 45 d8 31 c0 48 85 +[69703.122467] RSP: 0018:ffffbd6d01118000 EFLAGS: 00010086 +[69703.122476] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000003 +[69703.122484] RDX: 0000000000000000 RSI: ffffbd6d011180d8 RDI: ffffffffadce7550 +[69703.122491] RBP: ffffbd6d01118018 R08: 0000000000000000 R09: ffff9d4b09266000 +[69703.122498] R10: ffff9d4b0fc04540 R11: ffff9d4b0fc20a00 R12: ffff9d4b6e42aa90 +[69703.122506] R13: ffff9d4b0fc20ab8 R14: 00000000000003e8 R15: ffffbd6d0111837c +[69703.122514] FS: 00007fd5f2588740(0000) GS:ffff9d4b6e400000(0000) knlGS:0000000000000000 +[69703.122521] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[69703.122528] CR2: ffffbd6d01117ff8 CR3: 00000000565d8001 CR4: 00000000003606f0 +[69703.122538] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[69703.122545] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[69703.122552] Call Trace: +[69703.122568] ftrace_graph_caller+0x6b/0xa0 +[69703.122589] ? read_hv_sched_clock_tsc+0x5/0x20 +[69703.122599] read_hv_sched_clock_tsc+0x5/0x20 +[69703.122611] sched_clock+0x5/0x10 +[69703.122621] sched_clock_local+0x12/0x80 +[69703.122631] sched_clock_cpu+0x8c/0xb0 +[69703.122644] trace_clock_global+0x21/0x90 +[69703.122655] ring_buffer_lock_reserve+0x100/0x3c0 +[69703.122671] trace_buffer_lock_reserve+0x16/0x50 +[69703.122683] __trace_graph_entry+0x28/0x90 +[69703.122695] trace_graph_entry+0xfd/0x1a0 +[69703.122705] ? read_hv_clock_tsc_cs+0x10/0x10 +[69703.122714] ? sched_clock+0x5/0x10 +[69703.122723] prepare_ftrace_return+0x99/0x110 +[69703.122734] ? read_hv_clock_tsc_cs+0x10/0x10 +[69703.122743] ? sched_clock+0x5/0x10 +[69703.122752] ftrace_graph_caller+0x6b/0xa0 +[69703.122768] ? read_hv_clock_tsc_cs+0x10/0x10 +[69703.122777] ? sched_clock+0x5/0x10 +[69703.122786] ? read_hv_sched_clock_tsc+0x5/0x20 +[69703.122796] ? ring_buffer_unlock_commit+0x1d/0xa0 +[69703.122805] read_hv_sched_clock_tsc+0x5/0x20 +[69703.122814] ftrace_graph_caller+0xa0/0xa0 +[ ... recursion snipped ... ] + +Setting the notrace attribute for read_hv_sched_clock_msr() and +read_hv_sched_clock_tsc() fixes it. + +Fixes: bd00cd52d5be ("clocksource/drivers/hyperv: Add Hyper-V specific sched clock function") +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Mohammed Gamal +Link: https://lore.kernel.org/r/20200924151117.767442-1-mgamal@redhat.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/clocksource/hyperv_timer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clocksource/hyperv_timer.c b/drivers/clocksource/hyperv_timer.c +index 09aa44cb8a91d..ba04cb381cd3f 100644 +--- a/drivers/clocksource/hyperv_timer.c ++++ b/drivers/clocksource/hyperv_timer.c +@@ -341,7 +341,7 @@ static u64 notrace read_hv_clock_tsc_cs(struct clocksource *arg) + return read_hv_clock_tsc(); + } + +-static u64 read_hv_sched_clock_tsc(void) ++static u64 notrace read_hv_sched_clock_tsc(void) + { + return (read_hv_clock_tsc() - hv_sched_clock_offset) * + (NSEC_PER_SEC / HV_CLOCK_HZ); +@@ -404,7 +404,7 @@ static u64 notrace read_hv_clock_msr_cs(struct clocksource *arg) + return read_hv_clock_msr(); + } + +-static u64 read_hv_sched_clock_msr(void) ++static u64 notrace read_hv_sched_clock_msr(void) + { + return (read_hv_clock_msr() - hv_sched_clock_offset) * + (NSEC_PER_SEC / HV_CLOCK_HZ); +-- +2.25.1 + diff --git a/queue-5.9/hwmon-bt1-pvt-cache-current-update-timeout.patch b/queue-5.9/hwmon-bt1-pvt-cache-current-update-timeout.patch new file mode 100644 index 00000000000..3f73ca37e8a --- /dev/null +++ b/queue-5.9/hwmon-bt1-pvt-cache-current-update-timeout.patch @@ -0,0 +1,207 @@ +From a7f2c08a8df663be15e01a66e893fe4d42153ef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 14:09:22 +0300 +Subject: hwmon: (bt1-pvt) Cache current update timeout + +From: Serge Semin + +[ Upstream commit 0015503e5f6357f286bef34d039e43359fa4efd4 ] + +Instead of converting the update timeout data to the milliseconds each +time on the read procedure let's preserve the currently set timeout in the +dedicated driver private data cache. The cached value will be then used in +the timeout read method and in the alarm-less data conversion to prevent +the caller task hanging up in case if the PVT sensor is suddenly powered +down. + +Fixes: 87976ce2825d ("hwmon: Add Baikal-T1 PVT sensor driver") +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20200920110924.19741-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/bt1-pvt.c | 85 ++++++++++++++++++++++------------------- + drivers/hwmon/bt1-pvt.h | 3 ++ + 2 files changed, 49 insertions(+), 39 deletions(-) + +diff --git a/drivers/hwmon/bt1-pvt.c b/drivers/hwmon/bt1-pvt.c +index f4b7353c078a8..2600426a3b21c 100644 +--- a/drivers/hwmon/bt1-pvt.c ++++ b/drivers/hwmon/bt1-pvt.c +@@ -655,44 +655,16 @@ static int pvt_write_trim(struct pvt_hwmon *pvt, long val) + + static int pvt_read_timeout(struct pvt_hwmon *pvt, long *val) + { +- unsigned long rate; +- ktime_t kt; +- u32 data; +- +- rate = clk_get_rate(pvt->clks[PVT_CLOCK_REF].clk); +- if (!rate) +- return -ENODEV; +- +- /* +- * Don't bother with mutex here, since we just read data from MMIO. +- * We also have to scale the ticks timeout up to compensate the +- * ms-ns-data translations. +- */ +- data = readl(pvt->regs + PVT_TTIMEOUT) + 1; ++ int ret; + +- /* +- * Calculate ref-clock based delay (Ttotal) between two consecutive +- * data samples of the same sensor. So we first must calculate the +- * delay introduced by the internal ref-clock timer (Tref * Fclk). +- * Then add the constant timeout cuased by each conversion latency +- * (Tmin). The basic formulae for each conversion is following: +- * Ttotal = Tref * Fclk + Tmin +- * Note if alarms are enabled the sensors are polled one after +- * another, so in order to have the delay being applicable for each +- * sensor the requested value must be equally redistirbuted. +- */ +-#if defined(CONFIG_SENSORS_BT1_PVT_ALARMS) +- kt = ktime_set(PVT_SENSORS_NUM * (u64)data, 0); +- kt = ktime_divns(kt, rate); +- kt = ktime_add_ns(kt, PVT_SENSORS_NUM * PVT_TOUT_MIN); +-#else +- kt = ktime_set(data, 0); +- kt = ktime_divns(kt, rate); +- kt = ktime_add_ns(kt, PVT_TOUT_MIN); +-#endif ++ ret = mutex_lock_interruptible(&pvt->iface_mtx); ++ if (ret) ++ return ret; + + /* Return the result in msec as hwmon sysfs interface requires. */ +- *val = ktime_to_ms(kt); ++ *val = ktime_to_ms(pvt->timeout); ++ ++ mutex_unlock(&pvt->iface_mtx); + + return 0; + } +@@ -700,7 +672,7 @@ static int pvt_read_timeout(struct pvt_hwmon *pvt, long *val) + static int pvt_write_timeout(struct pvt_hwmon *pvt, long val) + { + unsigned long rate; +- ktime_t kt; ++ ktime_t kt, cache; + u32 data; + int ret; + +@@ -713,7 +685,7 @@ static int pvt_write_timeout(struct pvt_hwmon *pvt, long val) + * between all available sensors to have the requested delay + * applicable to each individual sensor. + */ +- kt = ms_to_ktime(val); ++ cache = kt = ms_to_ktime(val); + #if defined(CONFIG_SENSORS_BT1_PVT_ALARMS) + kt = ktime_divns(kt, PVT_SENSORS_NUM); + #endif +@@ -742,6 +714,7 @@ static int pvt_write_timeout(struct pvt_hwmon *pvt, long val) + return ret; + + pvt_set_tout(pvt, data); ++ pvt->timeout = cache; + + mutex_unlock(&pvt->iface_mtx); + +@@ -1018,10 +991,17 @@ static int pvt_check_pwr(struct pvt_hwmon *pvt) + return ret; + } + +-static void pvt_init_iface(struct pvt_hwmon *pvt) ++static int pvt_init_iface(struct pvt_hwmon *pvt) + { ++ unsigned long rate; + u32 trim, temp; + ++ rate = clk_get_rate(pvt->clks[PVT_CLOCK_REF].clk); ++ if (!rate) { ++ dev_err(pvt->dev, "Invalid reference clock rate\n"); ++ return -ENODEV; ++ } ++ + /* + * Make sure all interrupts and controller are disabled so not to + * accidentally have ISR executed before the driver data is fully +@@ -1036,12 +1016,37 @@ static void pvt_init_iface(struct pvt_hwmon *pvt) + pvt_set_mode(pvt, pvt_info[pvt->sensor].mode); + pvt_set_tout(pvt, PVT_TOUT_DEF); + ++ /* ++ * Preserve the current ref-clock based delay (Ttotal) between the ++ * sensors data samples in the driver data so not to recalculate it ++ * each time on the data requests and timeout reads. It consists of the ++ * delay introduced by the internal ref-clock timer (N / Fclk) and the ++ * constant timeout caused by each conversion latency (Tmin): ++ * Ttotal = N / Fclk + Tmin ++ * If alarms are enabled the sensors are polled one after another and ++ * in order to get the next measurement of a particular sensor the ++ * caller will have to wait for at most until all the others are ++ * polled. In that case the formulae will look a bit different: ++ * Ttotal = 5 * (N / Fclk + Tmin) ++ */ ++#if defined(CONFIG_SENSORS_BT1_PVT_ALARMS) ++ pvt->timeout = ktime_set(PVT_SENSORS_NUM * PVT_TOUT_DEF, 0); ++ pvt->timeout = ktime_divns(pvt->timeout, rate); ++ pvt->timeout = ktime_add_ns(pvt->timeout, PVT_SENSORS_NUM * PVT_TOUT_MIN); ++#else ++ pvt->timeout = ktime_set(PVT_TOUT_DEF, 0); ++ pvt->timeout = ktime_divns(pvt->timeout, rate); ++ pvt->timeout = ktime_add_ns(pvt->timeout, PVT_TOUT_MIN); ++#endif ++ + trim = PVT_TRIM_DEF; + if (!of_property_read_u32(pvt->dev->of_node, + "baikal,pvt-temp-offset-millicelsius", &temp)) + trim = pvt_calc_trim(temp); + + pvt_set_trim(pvt, trim); ++ ++ return 0; + } + + static int pvt_request_irq(struct pvt_hwmon *pvt) +@@ -1149,7 +1154,9 @@ static int pvt_probe(struct platform_device *pdev) + if (ret) + return ret; + +- pvt_init_iface(pvt); ++ ret = pvt_init_iface(pvt); ++ if (ret) ++ return ret; + + ret = pvt_request_irq(pvt); + if (ret) +diff --git a/drivers/hwmon/bt1-pvt.h b/drivers/hwmon/bt1-pvt.h +index 5eac73e948854..93b8dd5e7c944 100644 +--- a/drivers/hwmon/bt1-pvt.h ++++ b/drivers/hwmon/bt1-pvt.h +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -201,6 +202,7 @@ struct pvt_cache { + * if alarms are disabled). + * @sensor: current PVT sensor the data conversion is being performed for. + * @cache: data cache descriptor. ++ * @timeout: conversion timeout cache. + */ + struct pvt_hwmon { + struct device *dev; +@@ -214,6 +216,7 @@ struct pvt_hwmon { + struct mutex iface_mtx; + enum pvt_sensor_type sensor; + struct pvt_cache cache[PVT_SENSORS_NUM]; ++ ktime_t timeout; + }; + + /* +-- +2.25.1 + diff --git a/queue-5.9/hwmon-bt1-pvt-test-sensor-power-supply-on-probe.patch b/queue-5.9/hwmon-bt1-pvt-test-sensor-power-supply-on-probe.patch new file mode 100644 index 00000000000..8d41b8d57f3 --- /dev/null +++ b/queue-5.9/hwmon-bt1-pvt-test-sensor-power-supply-on-probe.patch @@ -0,0 +1,95 @@ +From 1377ecf10fefb92cfeada868016a63be9a076c9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 14:09:21 +0300 +Subject: hwmon: (bt1-pvt) Test sensor power supply on probe + +From: Serge Semin + +[ Upstream commit a6db1561291fc0f2f9aa23bf38f381adc63e7b14 ] + +Baikal-T1 PVT sensor has got a dedicated power supply domain (feed up by +the external GPVT/VPVT_18 pins). In case if it isn't powered up, the +registers will be accessible, but the sensor conversion just won't happen. +Due to that an attempt to read data from any PVT sensor will cause the +task hanging up. For instance that will happen if XP11 jumper isn't +installed on the Baikal-T1-based BFK3.1 board. Let's at least test whether +the conversion work on the device probe procedure. By doing so will make +sure that the PVT sensor is powered up at least at boot time. + +Fixes: 87976ce2825d ("hwmon: Add Baikal-T1 PVT sensor driver") +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20200920110924.19741-2-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/bt1-pvt.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/drivers/hwmon/bt1-pvt.c b/drivers/hwmon/bt1-pvt.c +index 94698cae04971..f4b7353c078a8 100644 +--- a/drivers/hwmon/bt1-pvt.c ++++ b/drivers/hwmon/bt1-pvt.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -982,6 +983,41 @@ static int pvt_request_clks(struct pvt_hwmon *pvt) + return 0; + } + ++static int pvt_check_pwr(struct pvt_hwmon *pvt) ++{ ++ unsigned long tout; ++ int ret = 0; ++ u32 data; ++ ++ /* ++ * Test out the sensor conversion functionality. If it is not done on ++ * time then the domain must have been unpowered and we won't be able ++ * to use the device later in this driver. ++ * Note If the power source is lost during the normal driver work the ++ * data read procedure will either return -ETIMEDOUT (for the ++ * alarm-less driver configuration) or just stop the repeated ++ * conversion. In the later case alas we won't be able to detect the ++ * problem. ++ */ ++ pvt_update(pvt->regs + PVT_INTR_MASK, PVT_INTR_ALL, PVT_INTR_ALL); ++ pvt_update(pvt->regs + PVT_CTRL, PVT_CTRL_EN, PVT_CTRL_EN); ++ pvt_set_tout(pvt, 0); ++ readl(pvt->regs + PVT_DATA); ++ ++ tout = PVT_TOUT_MIN / NSEC_PER_USEC; ++ usleep_range(tout, 2 * tout); ++ ++ data = readl(pvt->regs + PVT_DATA); ++ if (!(data & PVT_DATA_VALID)) { ++ ret = -ENODEV; ++ dev_err(pvt->dev, "Sensor is powered down\n"); ++ } ++ ++ pvt_update(pvt->regs + PVT_CTRL, PVT_CTRL_EN, 0); ++ ++ return ret; ++} ++ + static void pvt_init_iface(struct pvt_hwmon *pvt) + { + u32 trim, temp; +@@ -1109,6 +1145,10 @@ static int pvt_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ ret = pvt_check_pwr(pvt); ++ if (ret) ++ return ret; ++ + pvt_init_iface(pvt); + + ret = pvt_request_irq(pvt); +-- +2.25.1 + diff --git a/queue-5.9/hwmon-bt1-pvt-wait-for-the-completion-with-timeout.patch b/queue-5.9/hwmon-bt1-pvt-wait-for-the-completion-with-timeout.patch new file mode 100644 index 00000000000..f3bbb28efae --- /dev/null +++ b/queue-5.9/hwmon-bt1-pvt-wait-for-the-completion-with-timeout.patch @@ -0,0 +1,66 @@ +From 63d56e541a2357052a6ec0f856711f5d0ce3a6eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 14:09:23 +0300 +Subject: hwmon: (bt1-pvt) Wait for the completion with timeout + +From: Serge Semin + +[ Upstream commit 0ffd21d5985506d164ada9e8fff6daae8ef469a1 ] + +If the PVT sensor is suddenly powered down while a caller is waiting for +the conversion completion, the request won't be finished and the task will +hang up on this procedure until the power is back up again. Let's call the +wait_for_completion_timeout() method instead to prevent that. The cached +timeout is exactly what we need to predict for how long conversion could +normally last. + +Fixes: 87976ce2825d ("hwmon: Add Baikal-T1 PVT sensor driver") +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20200920110924.19741-4-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/bt1-pvt.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/bt1-pvt.c b/drivers/hwmon/bt1-pvt.c +index 2600426a3b21c..3e1d56585b91a 100644 +--- a/drivers/hwmon/bt1-pvt.c ++++ b/drivers/hwmon/bt1-pvt.c +@@ -477,6 +477,7 @@ static int pvt_read_data(struct pvt_hwmon *pvt, enum pvt_sensor_type type, + long *val) + { + struct pvt_cache *cache = &pvt->cache[type]; ++ unsigned long timeout; + u32 data; + int ret; + +@@ -500,7 +501,14 @@ static int pvt_read_data(struct pvt_hwmon *pvt, enum pvt_sensor_type type, + pvt_update(pvt->regs + PVT_INTR_MASK, PVT_INTR_DVALID, 0); + pvt_update(pvt->regs + PVT_CTRL, PVT_CTRL_EN, PVT_CTRL_EN); + +- wait_for_completion(&cache->conversion); ++ /* ++ * Wait with timeout since in case if the sensor is suddenly powered ++ * down the request won't be completed and the caller will hang up on ++ * this procedure until the power is back up again. Multiply the ++ * timeout by the factor of two to prevent a false timeout. ++ */ ++ timeout = 2 * usecs_to_jiffies(ktime_to_us(pvt->timeout)); ++ ret = wait_for_completion_timeout(&cache->conversion, timeout); + + pvt_update(pvt->regs + PVT_CTRL, PVT_CTRL_EN, 0); + pvt_update(pvt->regs + PVT_INTR_MASK, PVT_INTR_DVALID, +@@ -510,6 +518,9 @@ static int pvt_read_data(struct pvt_hwmon *pvt, enum pvt_sensor_type type, + + mutex_unlock(&pvt->iface_mtx); + ++ if (!ret) ++ return -ETIMEDOUT; ++ + if (type == PVT_TEMP) + *val = pvt_calc_poly(&poly_N_to_temp, data); + else +-- +2.25.1 + diff --git a/queue-5.9/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch b/queue-5.9/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch new file mode 100644 index 00000000000..b755a8365f0 --- /dev/null +++ b/queue-5.9/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch @@ -0,0 +1,55 @@ +From f8e47bbb8d1848cb898286157febca9deffd96ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 14:39:29 -0700 +Subject: hwmon: (pmbus/max34440) Fix status register reads for + MAX344{51,60,61} + +From: Guenter Roeck + +[ Upstream commit 6c094b31ea2ad773824362ba0fccb88d36f8d32d ] + +Starting with MAX34451, the chips of this series support STATUS_IOUT and +STATUS_TEMPERATURE commands, and no longer report over-current and +over-temperature status with STATUS_MFR_SPECIFIC. + +Fixes: 7a001dbab4ade ("hwmon: (pmbus/max34440) Add support for MAX34451.") +Fixes: 50115ac9b6f35 ("hwmon: (pmbus/max34440) Add support for MAX34460 and MAX34461") +Reported-by: Steve Foreman +Cc: Steve Foreman +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/max34440.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/hwmon/pmbus/max34440.c b/drivers/hwmon/pmbus/max34440.c +index 18b4e071067f7..de04dff28945b 100644 +--- a/drivers/hwmon/pmbus/max34440.c ++++ b/drivers/hwmon/pmbus/max34440.c +@@ -388,7 +388,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[18] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[19] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[20] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +@@ -419,7 +418,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[15] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[16] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[17] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +@@ -455,7 +453,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[19] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[20] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[21] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +-- +2.25.1 + diff --git a/queue-5.9/hwmon-w83627ehf-fix-a-resource-leak-in-probe.patch b/queue-5.9/hwmon-w83627ehf-fix-a-resource-leak-in-probe.patch new file mode 100644 index 00000000000..75c5cbb2958 --- /dev/null +++ b/queue-5.9/hwmon-w83627ehf-fix-a-resource-leak-in-probe.patch @@ -0,0 +1,47 @@ +From 7151cb55edc0b53ea61347c49f99fb82a6dd3b69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 15:52:12 +0300 +Subject: hwmon: (w83627ehf) Fix a resource leak in probe + +From: Dan Carpenter + +[ Upstream commit 18360b33a071e5883250fd1e04bfdeff8c3887a3 ] + +Smatch has a new check for resource leaks which found a bug in probe: + + drivers/hwmon/w83627ehf.c:2417 w83627ehf_probe() + warn: 'res->start' not released on lines: 2412. + +We need to clean up if devm_hwmon_device_register_with_info() fails. + +Fixes: 266cd5835947 ("hwmon: (w83627ehf) convert to with_info interface") +Signed-off-by: Dan Carpenter +Reviewed-by: Dr. David Alan Gilbert +Link: https://lore.kernel.org/r/20200921125212.GA1128194@mwanda +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/w83627ehf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c +index 5a5120121e507..3964ceab2817c 100644 +--- a/drivers/hwmon/w83627ehf.c ++++ b/drivers/hwmon/w83627ehf.c +@@ -1951,8 +1951,12 @@ static int w83627ehf_probe(struct platform_device *pdev) + data, + &w83627ehf_chip_info, + w83627ehf_groups); ++ if (IS_ERR(hwmon_dev)) { ++ err = PTR_ERR(hwmon_dev); ++ goto exit_release; ++ } + +- return PTR_ERR_OR_ZERO(hwmon_dev); ++ return 0; + + exit_release: + release_region(res->start, IOREGION_LENGTH); +-- +2.25.1 + diff --git a/queue-5.9/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch b/queue-5.9/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch new file mode 100644 index 00000000000..6a19f3c5272 --- /dev/null +++ b/queue-5.9/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch @@ -0,0 +1,79 @@ +From 004c531d9c89d5ce54ee4c17724f95b621954fd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 16:41:58 +0200 +Subject: i2c: core: Restore acpi_walk_dep_device_list() getting called after + registering the ACPI i2c devs + +From: Hans de Goede + +[ Upstream commit 8058d69905058ec8f467a120b5ec5bb831ea67f3 ] + +Commit 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() +before i2c_acpi_register_devices()")'s intention was to only move the +acpi_install_address_space_handler() call to the point before where +the ACPI declared i2c-children of the adapter where instantiated by +i2c_acpi_register_devices(). + +But i2c_acpi_install_space_handler() had a call to +acpi_walk_dep_device_list() hidden (that is I missed it) at the end +of it, so as an unwanted side-effect now acpi_walk_dep_device_list() +was also being called before i2c_acpi_register_devices(). + +Move the acpi_walk_dep_device_list() call to the end of +i2c_acpi_register_devices(), so that it is once again called *after* +the i2c_client-s hanging of the adapter have been created. + +This fixes the Microsoft Surface Go 2 hanging at boot. + +Fixes: 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209627 +Reported-by: Rainer Finke +Reported-by: Kieran Bingham +Suggested-by: Maximilian Luz +Tested-by: Kieran Bingham +Signed-off-by: Hans de Goede +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-acpi.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index e627d7b2790f7..37c510d9347a7 100644 +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -264,6 +264,7 @@ static acpi_status i2c_acpi_add_device(acpi_handle handle, u32 level, + void i2c_acpi_register_devices(struct i2c_adapter *adap) + { + acpi_status status; ++ acpi_handle handle; + + if (!has_acpi_companion(&adap->dev)) + return; +@@ -274,6 +275,15 @@ void i2c_acpi_register_devices(struct i2c_adapter *adap) + adap, NULL); + if (ACPI_FAILURE(status)) + dev_warn(&adap->dev, "failed to enumerate I2C slaves\n"); ++ ++ if (!adap->dev.parent) ++ return; ++ ++ handle = ACPI_HANDLE(adap->dev.parent); ++ if (!handle) ++ return; ++ ++ acpi_walk_dep_device_list(handle); + } + + static const struct acpi_device_id i2c_acpi_force_400khz_device_ids[] = { +@@ -719,7 +729,6 @@ int i2c_acpi_install_space_handler(struct i2c_adapter *adapter) + return -ENOMEM; + } + +- acpi_walk_dep_device_list(handle); + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/i2c-rcar-auto-select-reset_controller.patch b/queue-5.9/i2c-rcar-auto-select-reset_controller.patch new file mode 100644 index 00000000000..73ff8e735dc --- /dev/null +++ b/queue-5.9/i2c-rcar-auto-select-reset_controller.patch @@ -0,0 +1,39 @@ +From 80ccb8d871d900b9f03f4d434a1a45a5475104b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 11:23:30 +0200 +Subject: i2c: rcar: Auto select RESET_CONTROLLER + +From: Dirk Behme + +[ Upstream commit 5b9bacf28a973a6b16510493416baeefa2c06289 ] + +The i2c-rcar driver utilizes the Generic Reset Controller kernel +feature, so select the RESET_CONTROLLER option when the I2C_RCAR +option is selected with a Gen3 SoC. + +Fixes: 2b16fd63059ab9 ("i2c: rcar: handle RXDMA HW behaviour on Gen3") +Signed-off-by: Dirk Behme +Signed-off-by: Andy Lowe +[erosca: Add "if ARCH_RCAR_GEN3" per Wolfram's request] +Signed-off-by: Eugeniu Rosca +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig +index 293e7a0760e77..7ccbfbcb02e9a 100644 +--- a/drivers/i2c/busses/Kconfig ++++ b/drivers/i2c/busses/Kconfig +@@ -1181,6 +1181,7 @@ config I2C_RCAR + tristate "Renesas R-Car I2C Controller" + depends on ARCH_RENESAS || COMPILE_TEST + select I2C_SLAVE ++ select RESET_CONTROLLER if ARCH_RCAR_GEN3 + help + If you say yes to this option, support will be included for the + R-Car I2C controller. +-- +2.25.1 + diff --git a/queue-5.9/i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch b/queue-5.9/i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch new file mode 100644 index 00000000000..b58ea0c7f9e --- /dev/null +++ b/queue-5.9/i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch @@ -0,0 +1,66 @@ +From 7badefa8208debc39224264f581091ae45896964 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 11:32:22 +0200 +Subject: i3c: master add i3c_master_attach_boardinfo to preserve boardinfo + +From: Parshuram Thombare + +[ Upstream commit 9da36a7ec42135428e1d41621e3703429bda3b2e ] + +Boardinfo was lost if I3C object for devices with boardinfo +available are not created or not added to the I3C device list +because of some failure e.g. SETDASA failed, retrieve info failed etc +This patch adds i3c_master_attach_boardinfo which scan boardinfo list +in the master object and 'attach' it to the I3C device object. + +Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") +Signed-off-by: Parshuram Thombare +Signed-off-by: Boris Brezillon +Link: https://lore.kernel.org/linux-i3c/1590053542-389-1-git-send-email-pthombar@cadence.com +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 97f2e29265da7..cc7564446ccd2 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -1782,6 +1782,21 @@ static void i3c_master_bus_cleanup(struct i3c_master_controller *master) + i3c_master_detach_free_devs(master); + } + ++static void i3c_master_attach_boardinfo(struct i3c_dev_desc *i3cdev) ++{ ++ struct i3c_master_controller *master = i3cdev->common.master; ++ struct i3c_dev_boardinfo *i3cboardinfo; ++ ++ list_for_each_entry(i3cboardinfo, &master->boardinfo.i3c, node) { ++ if (i3cdev->info.pid != i3cboardinfo->pid) ++ continue; ++ ++ i3cdev->boardinfo = i3cboardinfo; ++ i3cdev->info.static_addr = i3cboardinfo->static_addr; ++ return; ++ } ++} ++ + static struct i3c_dev_desc * + i3c_master_search_i3c_dev_duplicate(struct i3c_dev_desc *refdev) + { +@@ -1837,10 +1852,10 @@ int i3c_master_add_i3c_dev_locked(struct i3c_master_controller *master, + if (ret) + goto err_detach_dev; + ++ i3c_master_attach_boardinfo(newdev); ++ + olddev = i3c_master_search_i3c_dev_duplicate(newdev); + if (olddev) { +- newdev->boardinfo = olddev->boardinfo; +- newdev->info.static_addr = olddev->info.static_addr; + newdev->dev = olddev->dev; + if (newdev->dev) + newdev->dev->desc = newdev; +-- +2.25.1 + diff --git a/queue-5.9/i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch b/queue-5.9/i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch new file mode 100644 index 00000000000..db2748f9128 --- /dev/null +++ b/queue-5.9/i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch @@ -0,0 +1,40 @@ +From 2a67af7ad755b145e3a5829196324b9062625cae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 11:33:50 +0800 +Subject: i3c: master: Fix error return in cdns_i3c_master_probe() + +From: Jing Xiangfeng + +[ Upstream commit abea14bfdebbe9bd02f2ad24a1f3a878ed21c8f0 ] + +Fix to return negative error code -ENOMEM from the error handling +case instead of 0. + +Fixes: 603f2bee2c54 ("i3c: master: Add driver for Cadence IP") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Boris Brezillon +Link: https://lore.kernel.org/linux-i3c/20200911033350.23904-1-jingxiangfeng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/i3c-master-cdns.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c +index 3fee8bd7fe20b..3f2226928fe05 100644 +--- a/drivers/i3c/master/i3c-master-cdns.c ++++ b/drivers/i3c/master/i3c-master-cdns.c +@@ -1635,8 +1635,10 @@ static int cdns_i3c_master_probe(struct platform_device *pdev) + master->ibi.slots = devm_kcalloc(&pdev->dev, master->ibi.num_slots, + sizeof(*master->ibi.slots), + GFP_KERNEL); +- if (!master->ibi.slots) ++ if (!master->ibi.slots) { ++ ret = -ENOMEM; + goto err_disable_sysclk; ++ } + + writel(IBIR_THR(1), master->regs + CMD_IBI_THR_CTRL); + writel(MST_INT_IBIR_THR, master->regs + MST_IER); +-- +2.25.1 + diff --git a/queue-5.9/i40iw-add-support-to-make-destroy-qp-synchronous.patch b/queue-5.9/i40iw-add-support-to-make-destroy-qp-synchronous.patch new file mode 100644 index 00000000000..1a25c3f3f66 --- /dev/null +++ b/queue-5.9/i40iw-add-support-to-make-destroy-qp-synchronous.patch @@ -0,0 +1,408 @@ +From bb06f830478dc4c0c556d39ff06ba7e6f4cf3bdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 08:18:12 -0500 +Subject: i40iw: Add support to make destroy QP synchronous + +From: Sindhu, Devale + +[ Upstream commit f2334964e969762e266a616acf9377f6046470a2 ] + +Occasionally ib_write_bw crash is seen due to access of a pd object in +i40iw_sc_qp_destroy after it is freed. Destroy qp is not synchronous in +i40iw and thus the iwqp object could be referencing a pd object that is +freed by ib core as a result of successful return from i40iw_destroy_qp. + +Wait in i40iw_destroy_qp till all QP references are released and destroy +the QP and its associated resources before returning. Switch to use the +refcount API vs atomic API for lifetime management of the qp. + + RIP: 0010:i40iw_sc_qp_destroy+0x4b/0x120 [i40iw] + [...] + RSP: 0018:ffffb4a7042e3ba8 EFLAGS: 00010002 + RAX: 0000000000000000 RBX: 0000000000000001 RCX: dead000000000122 + RDX: ffffb4a7042e3bac RSI: ffff8b7ef9b1e940 RDI: ffff8b7efbf09080 + RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 + R10: 8080808080808080 R11: 0000000000000010 R12: ffff8b7efbf08050 + R13: 0000000000000001 R14: ffff8b7f15042928 R15: ffff8b7ef9b1e940 + FS: 0000000000000000(0000) GS:ffff8b7f2fa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000400 CR3: 000000020d60a006 CR4: 00000000001606e0 + Call Trace: + i40iw_exec_cqp_cmd+0x4d3/0x5c0 [i40iw] + ? try_to_wake_up+0x1ea/0x5d0 + ? __switch_to_asm+0x40/0x70 + i40iw_process_cqp_cmd+0x95/0xa0 [i40iw] + i40iw_handle_cqp_op+0x42/0x1a0 [i40iw] + ? cm_event_handler+0x13c/0x1f0 [iw_cm] + i40iw_rem_ref+0xa0/0xf0 [i40iw] + cm_work_handler+0x99c/0xd10 [iw_cm] + process_one_work+0x1a1/0x360 + worker_thread+0x30/0x380 + ? process_one_work+0x360/0x360 + kthread+0x10c/0x130 + ? kthread_park+0x80/0x80 + ret_from_fork+0x35/0x40 + +Fixes: d37498417947 ("i40iw: add files for iwarp interface") +Link: https://lore.kernel.org/r/20200916131811.2077-1-shiraz.saleem@intel.com +Reported-by: Kamal Heib +Signed-off-by: Sindhu, Devale +Signed-off-by: Shiraz, Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/i40iw/i40iw.h | 9 ++-- + drivers/infiniband/hw/i40iw/i40iw_cm.c | 10 ++-- + drivers/infiniband/hw/i40iw/i40iw_hw.c | 4 +- + drivers/infiniband/hw/i40iw/i40iw_utils.c | 59 ++++------------------- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 31 ++++++++---- + drivers/infiniband/hw/i40iw/i40iw_verbs.h | 3 +- + 6 files changed, 45 insertions(+), 71 deletions(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw.h b/drivers/infiniband/hw/i40iw/i40iw.h +index 25747b85a79c7..832b80de004fb 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw.h ++++ b/drivers/infiniband/hw/i40iw/i40iw.h +@@ -409,8 +409,8 @@ static inline struct i40iw_qp *to_iwqp(struct ib_qp *ibqp) + } + + /* i40iw.c */ +-void i40iw_add_ref(struct ib_qp *); +-void i40iw_rem_ref(struct ib_qp *); ++void i40iw_qp_add_ref(struct ib_qp *ibqp); ++void i40iw_qp_rem_ref(struct ib_qp *ibqp); + struct ib_qp *i40iw_get_qp(struct ib_device *, int); + + void i40iw_flush_wqes(struct i40iw_device *iwdev, +@@ -554,9 +554,8 @@ enum i40iw_status_code i40iw_manage_qhash(struct i40iw_device *iwdev, + bool wait); + void i40iw_receive_ilq(struct i40iw_sc_vsi *vsi, struct i40iw_puda_buf *rbuf); + void i40iw_free_sqbuf(struct i40iw_sc_vsi *vsi, void *bufp); +-void i40iw_free_qp_resources(struct i40iw_device *iwdev, +- struct i40iw_qp *iwqp, +- u32 qp_num); ++void i40iw_free_qp_resources(struct i40iw_qp *iwqp); ++ + enum i40iw_status_code i40iw_obj_aligned_mem(struct i40iw_device *iwdev, + struct i40iw_dma_mem *memptr, + u32 size, u32 mask); +diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c +index a3b95805c154e..3053c345a5a34 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -2322,7 +2322,7 @@ static void i40iw_rem_ref_cm_node(struct i40iw_cm_node *cm_node) + iwqp = cm_node->iwqp; + if (iwqp) { + iwqp->cm_node = NULL; +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + cm_node->iwqp = NULL; + } else if (cm_node->qhash_set) { + i40iw_get_addr_info(cm_node, &nfo); +@@ -3452,7 +3452,7 @@ void i40iw_cm_disconn(struct i40iw_qp *iwqp) + kfree(work); + return; + } +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + + work->iwqp = iwqp; +@@ -3623,7 +3623,7 @@ static void i40iw_disconnect_worker(struct work_struct *work) + + kfree(dwork); + i40iw_cm_disconn_true(iwqp); +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +@@ -3745,7 +3745,7 @@ int i40iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + cm_node->lsmm_size = accept.size + conn_param->private_data_len; + i40iw_cm_init_tsa_conn(iwqp, cm_node); + cm_id->add_ref(cm_id); +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + + attr.qp_state = IB_QPS_RTS; + cm_node->qhash_set = false; +@@ -3908,7 +3908,7 @@ int i40iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + iwqp->cm_node = cm_node; + cm_node->iwqp = iwqp; + iwqp->cm_id = cm_id; +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + + if (cm_node->state != I40IW_CM_STATE_OFFLOADED) { + cm_node->state = I40IW_CM_STATE_SYN_SENT; +diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c +index e1085634b8d9d..56fdc161f6f8e 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c +@@ -313,7 +313,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev) + __func__, info->qp_cq_id); + continue; + } +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + qp = &iwqp->sc_qp; + spin_lock_irqsave(&iwqp->lock, flags); +@@ -426,7 +426,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev) + break; + } + if (info->qp) +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } while (1); + + if (aeqcnt) +diff --git a/drivers/infiniband/hw/i40iw/i40iw_utils.c b/drivers/infiniband/hw/i40iw/i40iw_utils.c +index e07fb37af0865..5e196bd49a583 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_utils.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c +@@ -477,25 +477,6 @@ void i40iw_cleanup_pending_cqp_op(struct i40iw_device *iwdev) + } + } + +-/** +- * i40iw_free_qp - callback after destroy cqp completes +- * @cqp_request: cqp request for destroy qp +- * @num: not used +- */ +-static void i40iw_free_qp(struct i40iw_cqp_request *cqp_request, u32 num) +-{ +- struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)cqp_request->param; +- struct i40iw_qp *iwqp = (struct i40iw_qp *)qp->back_qp; +- struct i40iw_device *iwdev; +- u32 qp_num = iwqp->ibqp.qp_num; +- +- iwdev = iwqp->iwdev; +- +- i40iw_rem_pdusecount(iwqp->iwpd, iwdev); +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); +- i40iw_rem_devusecount(iwdev); +-} +- + /** + * i40iw_wait_event - wait for completion + * @iwdev: iwarp device +@@ -616,26 +597,23 @@ void i40iw_rem_pdusecount(struct i40iw_pd *iwpd, struct i40iw_device *iwdev) + } + + /** +- * i40iw_add_ref - add refcount for qp ++ * i40iw_qp_add_ref - add refcount for qp + * @ibqp: iqarp qp + */ +-void i40iw_add_ref(struct ib_qp *ibqp) ++void i40iw_qp_add_ref(struct ib_qp *ibqp) + { + struct i40iw_qp *iwqp = (struct i40iw_qp *)ibqp; + +- atomic_inc(&iwqp->refcount); ++ refcount_inc(&iwqp->refcount); + } + + /** +- * i40iw_rem_ref - rem refcount for qp and free if 0 ++ * i40iw_qp_rem_ref - rem refcount for qp and free if 0 + * @ibqp: iqarp qp + */ +-void i40iw_rem_ref(struct ib_qp *ibqp) ++void i40iw_qp_rem_ref(struct ib_qp *ibqp) + { + struct i40iw_qp *iwqp; +- enum i40iw_status_code status; +- struct i40iw_cqp_request *cqp_request; +- struct cqp_commands_info *cqp_info; + struct i40iw_device *iwdev; + u32 qp_num; + unsigned long flags; +@@ -643,7 +621,7 @@ void i40iw_rem_ref(struct ib_qp *ibqp) + iwqp = to_iwqp(ibqp); + iwdev = iwqp->iwdev; + spin_lock_irqsave(&iwdev->qptable_lock, flags); +- if (!atomic_dec_and_test(&iwqp->refcount)) { ++ if (!refcount_dec_and_test(&iwqp->refcount)) { + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); + return; + } +@@ -651,25 +629,8 @@ void i40iw_rem_ref(struct ib_qp *ibqp) + qp_num = iwqp->ibqp.qp_num; + iwdev->qp_table[qp_num] = NULL; + spin_unlock_irqrestore(&iwdev->qptable_lock, flags); +- cqp_request = i40iw_get_cqp_request(&iwdev->cqp, false); +- if (!cqp_request) +- return; +- +- cqp_request->callback_fcn = i40iw_free_qp; +- cqp_request->param = (void *)&iwqp->sc_qp; +- cqp_info = &cqp_request->info; +- cqp_info->cqp_cmd = OP_QP_DESTROY; +- cqp_info->post_sq = 1; +- cqp_info->in.u.qp_destroy.qp = &iwqp->sc_qp; +- cqp_info->in.u.qp_destroy.scratch = (uintptr_t)cqp_request; +- cqp_info->in.u.qp_destroy.remove_hash_idx = true; +- status = i40iw_handle_cqp_op(iwdev, cqp_request); +- if (!status) +- return; ++ complete(&iwqp->free_qp); + +- i40iw_rem_pdusecount(iwqp->iwpd, iwdev); +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); +- i40iw_rem_devusecount(iwdev); + } + + /** +@@ -936,7 +897,7 @@ static void i40iw_terminate_timeout(struct timer_list *t) + struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)&iwqp->sc_qp; + + i40iw_terminate_done(qp, 1); +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +@@ -948,7 +909,7 @@ void i40iw_terminate_start_timer(struct i40iw_sc_qp *qp) + struct i40iw_qp *iwqp; + + iwqp = (struct i40iw_qp *)qp->back_qp; +- i40iw_add_ref(&iwqp->ibqp); ++ i40iw_qp_add_ref(&iwqp->ibqp); + timer_setup(&iwqp->terminate_timer, i40iw_terminate_timeout, 0); + iwqp->terminate_timer.expires = jiffies + HZ; + add_timer(&iwqp->terminate_timer); +@@ -964,7 +925,7 @@ void i40iw_terminate_del_timer(struct i40iw_sc_qp *qp) + + iwqp = (struct i40iw_qp *)qp->back_qp; + if (del_timer(&iwqp->terminate_timer)) +- i40iw_rem_ref(&iwqp->ibqp); ++ i40iw_qp_rem_ref(&iwqp->ibqp); + } + + /** +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +index 1321e3a36491b..09caad228aa4f 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -363,11 +363,11 @@ static struct i40iw_pbl *i40iw_get_pbl(unsigned long va, + * @iwqp: qp ptr (user or kernel) + * @qp_num: qp number assigned + */ +-void i40iw_free_qp_resources(struct i40iw_device *iwdev, +- struct i40iw_qp *iwqp, +- u32 qp_num) ++void i40iw_free_qp_resources(struct i40iw_qp *iwqp) + { + struct i40iw_pbl *iwpbl = &iwqp->iwpbl; ++ struct i40iw_device *iwdev = iwqp->iwdev; ++ u32 qp_num = iwqp->ibqp.qp_num; + + i40iw_ieq_cleanup_qp(iwdev->vsi.ieq, &iwqp->sc_qp); + i40iw_dealloc_push_page(iwdev, &iwqp->sc_qp); +@@ -401,6 +401,10 @@ static void i40iw_clean_cqes(struct i40iw_qp *iwqp, struct i40iw_cq *iwcq) + static int i40iw_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + { + struct i40iw_qp *iwqp = to_iwqp(ibqp); ++ struct ib_qp_attr attr; ++ struct i40iw_device *iwdev = iwqp->iwdev; ++ ++ memset(&attr, 0, sizeof(attr)); + + iwqp->destroyed = 1; + +@@ -415,7 +419,15 @@ static int i40iw_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + } + } + +- i40iw_rem_ref(&iwqp->ibqp); ++ attr.qp_state = IB_QPS_ERR; ++ i40iw_modify_qp(&iwqp->ibqp, &attr, IB_QP_STATE, NULL); ++ i40iw_qp_rem_ref(&iwqp->ibqp); ++ wait_for_completion(&iwqp->free_qp); ++ i40iw_cqp_qp_destroy_cmd(&iwdev->sc_dev, &iwqp->sc_qp); ++ i40iw_rem_pdusecount(iwqp->iwpd, iwdev); ++ i40iw_free_qp_resources(iwqp); ++ i40iw_rem_devusecount(iwdev); ++ + return 0; + } + +@@ -576,6 +588,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + qp->back_qp = (void *)iwqp; + qp->push_idx = I40IW_INVALID_PUSH_PAGE_INDEX; + ++ iwqp->iwdev = iwdev; + iwqp->ctx_info.iwarp_info = &iwqp->iwarp_info; + + if (i40iw_allocate_dma_mem(dev->hw, +@@ -600,7 +613,6 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + goto error; + } + +- iwqp->iwdev = iwdev; + iwqp->iwpd = iwpd; + iwqp->ibqp.qp_num = qp_num; + qp = &iwqp->sc_qp; +@@ -714,7 +726,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + goto error; + } + +- i40iw_add_ref(&iwqp->ibqp); ++ refcount_set(&iwqp->refcount, 1); + spin_lock_init(&iwqp->lock); + iwqp->sig_all = (init_attr->sq_sig_type == IB_SIGNAL_ALL_WR) ? 1 : 0; + iwdev->qp_table[qp_num] = iwqp; +@@ -736,10 +748,11 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd, + } + init_completion(&iwqp->sq_drained); + init_completion(&iwqp->rq_drained); ++ init_completion(&iwqp->free_qp); + + return &iwqp->ibqp; + error: +- i40iw_free_qp_resources(iwdev, iwqp, qp_num); ++ i40iw_free_qp_resources(iwqp); + return ERR_PTR(err_code); + } + +@@ -2637,13 +2650,13 @@ static const struct ib_device_ops i40iw_dev_ops = { + .get_hw_stats = i40iw_get_hw_stats, + .get_port_immutable = i40iw_port_immutable, + .iw_accept = i40iw_accept, +- .iw_add_ref = i40iw_add_ref, ++ .iw_add_ref = i40iw_qp_add_ref, + .iw_connect = i40iw_connect, + .iw_create_listen = i40iw_create_listen, + .iw_destroy_listen = i40iw_destroy_listen, + .iw_get_qp = i40iw_get_qp, + .iw_reject = i40iw_reject, +- .iw_rem_ref = i40iw_rem_ref, ++ .iw_rem_ref = i40iw_qp_rem_ref, + .map_mr_sg = i40iw_map_mr_sg, + .mmap = i40iw_mmap, + .modify_qp = i40iw_modify_qp, +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.h b/drivers/infiniband/hw/i40iw/i40iw_verbs.h +index 331bc21cbcc73..bab71f3e56374 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.h ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.h +@@ -139,7 +139,7 @@ struct i40iw_qp { + struct i40iw_qp_host_ctx_info ctx_info; + struct i40iwarp_offload_info iwarp_info; + void *allocated_buffer; +- atomic_t refcount; ++ refcount_t refcount; + struct iw_cm_id *cm_id; + void *cm_node; + struct ib_mr *lsmm_mr; +@@ -174,5 +174,6 @@ struct i40iw_qp { + struct i40iw_dma_mem ietf_mem; + struct completion sq_drained; + struct completion rq_drained; ++ struct completion free_qp; + }; + #endif +-- +2.25.1 + diff --git a/queue-5.9/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch b/queue-5.9/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch new file mode 100644 index 00000000000..00e4a7798ec --- /dev/null +++ b/queue-5.9/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch @@ -0,0 +1,41 @@ +From 0fb9404388770ed369a71578829e7e2edcf02761 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 08:19:41 +0200 +Subject: IB/mlx4: Adjust delayed work when a dup is observed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +[ Upstream commit 785167a114855c5aa75efca97000e405c2cc85bf ] + +When scheduling delayed work to clean up the cache, if the entry already +has been scheduled for deletion, we adjust the delay. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-7-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index b591861934b3c..81d6a3460b55d 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -280,6 +280,9 @@ static void schedule_delayed(struct ib_device *ibdev, struct id_map_entry *id) + if (!sriov->is_going_down && !id->scheduled_delete) { + id->scheduled_delete = 1; + schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT); ++ } else if (id->scheduled_delete) { ++ /* Adjust timeout if already scheduled */ ++ mod_delayed_work(system_wq, &id->timeout, CM_CLEANUP_CACHE_TIMEOUT); + } + spin_unlock_irqrestore(&sriov->going_down_lock, flags); + spin_unlock(&sriov->id_map_lock); +-- +2.25.1 + diff --git a/queue-5.9/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch b/queue-5.9/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch new file mode 100644 index 00000000000..afa562c1d45 --- /dev/null +++ b/queue-5.9/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch @@ -0,0 +1,181 @@ +From be56d6ac54f6ae153e972df15e08c3a50aef5f7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 08:19:39 +0200 +Subject: IB/mlx4: Fix starvation in paravirt mux/demux +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +[ Upstream commit 7fd1507df7cee9c533f38152fcd1dd769fcac6ce ] + +The mlx4 driver will proxy MAD packets through the PF driver. A VM or an +instantiated VF will send its MAD packets to the PF driver using +loop-back. The PF driver will be informed by an interrupt, but defer the +handling and polling of CQEs to a worker thread running on an ordered +work-queue. + +Consider the following scenario: the VMs will in short proximity in time, +for example due to a network event, send many MAD packets to the PF +driver. Lets say there are K VMs, each sending N packets. + +The interrupt from the first VM will start the worker thread, which will +poll N CQEs. A common case here is where the PF driver will multiplex the +packets received from the VMs out on the wire QP. + +But before the wire QP has returned a send CQE and associated interrupt, +the other K - 1 VMs have sent their N packets as well. + +The PF driver has to multiplex K * N packets out on the wire QP. But the +send-queue on the wire QP has a finite capacity. + +So, in this scenario, if K * N is larger than the send-queue capacity of +the wire QP, we will get MAD packets dropped on the floor with this +dynamic debug message: + +mlx4_ib_multiplex_mad: failed sending GSI to wire on behalf of slave 2 (-11) + +and this despite the fact that the wire send-queue could have capacity, +but the PF driver isn't aware, because the wire send CQEs have not yet +been polled. + +We can also have a similar scenario inbound, with a wire recv-queue larger +than the tunnel QP's send-queue. If many remote peers send MAD packets to +the very same VM, the tunnel send-queue destined to the VM could allegedly +be construed to be full by the PF driver. + +This starvation is fixed by introducing separate work queues for the wire +QPs vs. the tunnel QPs. + +With this fix, using a dual ported HCA, 8 VFs instantiated, we could run +cmtime on each of the 18 interfaces towards a similar configured peer, +each cmtime instance with 800 QPs (all in all 14400 QPs) without a single +CM packet getting lost. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-5-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/mad.c | 34 +++++++++++++++++++++++++--- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 ++ + 2 files changed, 33 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index abe68708d6d6e..2cbdba4da9dfe 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1299,6 +1299,18 @@ static void mlx4_ib_tunnel_comp_handler(struct ib_cq *cq, void *arg) + spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags); + } + ++static void mlx4_ib_wire_comp_handler(struct ib_cq *cq, void *arg) ++{ ++ unsigned long flags; ++ struct mlx4_ib_demux_pv_ctx *ctx = cq->cq_context; ++ struct mlx4_ib_dev *dev = to_mdev(ctx->ib_dev); ++ ++ spin_lock_irqsave(&dev->sriov.going_down_lock, flags); ++ if (!dev->sriov.is_going_down && ctx->state == DEMUX_PV_STATE_ACTIVE) ++ queue_work(ctx->wi_wq, &ctx->work); ++ spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags); ++} ++ + static int mlx4_ib_post_pv_qp_buf(struct mlx4_ib_demux_pv_ctx *ctx, + struct mlx4_ib_demux_pv_qp *tun_qp, + int index) +@@ -2001,7 +2013,8 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port, + cq_size *= 2; + + cq_attr.cqe = cq_size; +- ctx->cq = ib_create_cq(ctx->ib_dev, mlx4_ib_tunnel_comp_handler, ++ ctx->cq = ib_create_cq(ctx->ib_dev, ++ create_tun ? mlx4_ib_tunnel_comp_handler : mlx4_ib_wire_comp_handler, + NULL, ctx, &cq_attr); + if (IS_ERR(ctx->cq)) { + ret = PTR_ERR(ctx->cq); +@@ -2038,6 +2051,7 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port, + INIT_WORK(&ctx->work, mlx4_ib_sqp_comp_worker); + + ctx->wq = to_mdev(ibdev)->sriov.demux[port - 1].wq; ++ ctx->wi_wq = to_mdev(ibdev)->sriov.demux[port - 1].wi_wq; + + ret = ib_req_notify_cq(ctx->cq, IB_CQ_NEXT_COMP); + if (ret) { +@@ -2181,7 +2195,7 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + goto err_mcg; + } + +- snprintf(name, sizeof name, "mlx4_ibt%d", port); ++ snprintf(name, sizeof(name), "mlx4_ibt%d", port); + ctx->wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); + if (!ctx->wq) { + pr_err("Failed to create tunnelling WQ for port %d\n", port); +@@ -2189,7 +2203,15 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + goto err_wq; + } + +- snprintf(name, sizeof name, "mlx4_ibud%d", port); ++ snprintf(name, sizeof(name), "mlx4_ibwi%d", port); ++ ctx->wi_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); ++ if (!ctx->wi_wq) { ++ pr_err("Failed to create wire WQ for port %d\n", port); ++ ret = -ENOMEM; ++ goto err_wiwq; ++ } ++ ++ snprintf(name, sizeof(name), "mlx4_ibud%d", port); + ctx->ud_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); + if (!ctx->ud_wq) { + pr_err("Failed to create up/down WQ for port %d\n", port); +@@ -2200,6 +2222,10 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + return 0; + + err_udwq: ++ destroy_workqueue(ctx->wi_wq); ++ ctx->wi_wq = NULL; ++ ++err_wiwq: + destroy_workqueue(ctx->wq); + ctx->wq = NULL; + +@@ -2247,12 +2273,14 @@ static void mlx4_ib_free_demux_ctx(struct mlx4_ib_demux_ctx *ctx) + ctx->tun[i]->state = DEMUX_PV_STATE_DOWNING; + } + flush_workqueue(ctx->wq); ++ flush_workqueue(ctx->wi_wq); + for (i = 0; i < dev->dev->caps.sqp_demux; i++) { + destroy_pv_resources(dev, i, ctx->port, ctx->tun[i], 0); + free_pv_object(dev, i, ctx->port); + } + kfree(ctx->tun); + destroy_workqueue(ctx->ud_wq); ++ destroy_workqueue(ctx->wi_wq); + destroy_workqueue(ctx->wq); + } + } +diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h +index 38e87a700a2a2..75af838365c93 100644 +--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h ++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h +@@ -454,6 +454,7 @@ struct mlx4_ib_demux_pv_ctx { + struct ib_pd *pd; + struct work_struct work; + struct workqueue_struct *wq; ++ struct workqueue_struct *wi_wq; + struct mlx4_ib_demux_pv_qp qp[2]; + }; + +@@ -461,6 +462,7 @@ struct mlx4_ib_demux_ctx { + struct ib_device *ib_dev; + int port; + struct workqueue_struct *wq; ++ struct workqueue_struct *wi_wq; + struct workqueue_struct *ud_wq; + spinlock_t ud_lock; + atomic64_t subnet_prefix; +-- +2.25.1 + diff --git a/queue-5.9/ib-rdmavt-fix-sizeof-mismatch.patch b/queue-5.9/ib-rdmavt-fix-sizeof-mismatch.patch new file mode 100644 index 00000000000..026c2e4055b --- /dev/null +++ b/queue-5.9/ib-rdmavt-fix-sizeof-mismatch.patch @@ -0,0 +1,46 @@ +From 1606666337b69e53928aa063db1316d7a11404a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 10:52:04 +0100 +Subject: IB/rdmavt: Fix sizeof mismatch + +From: Colin Ian King + +[ Upstream commit 8e71f694e0c819db39af2336f16eb9689f1ae53f ] + +An incorrect sizeof is being used, struct rvt_ibport ** is not correct, it +should be struct rvt_ibport *. Note that since ** is the same size as +* this is not causing any issues. Improve this fix by using +sizeof(*rdi->ports) as this allows us to not even reference the type +of the pointer. Also remove line breaks as the entire statement can +fit on one line. + +Link: https://lore.kernel.org/r/20201008095204.82683-1-colin.king@canonical.com +Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") +Fixes: ff6acd69518e ("IB/rdmavt: Add device structure allocation") +Signed-off-by: Colin Ian King +Reviewed-by: Ira Weiny +Acked-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rdmavt/vt.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c +index f904bb34477ae..2d534c450f3c8 100644 +--- a/drivers/infiniband/sw/rdmavt/vt.c ++++ b/drivers/infiniband/sw/rdmavt/vt.c +@@ -95,9 +95,7 @@ struct rvt_dev_info *rvt_alloc_device(size_t size, int nports) + if (!rdi) + return rdi; + +- rdi->ports = kcalloc(nports, +- sizeof(struct rvt_ibport **), +- GFP_KERNEL); ++ rdi->ports = kcalloc(nports, sizeof(*rdi->ports), GFP_KERNEL); + if (!rdi->ports) + ib_dealloc_device(&rdi->ibdev); + +-- +2.25.1 + diff --git a/queue-5.9/ibmvnic-set-up-200gbps-speed.patch b/queue-5.9/ibmvnic-set-up-200gbps-speed.patch new file mode 100644 index 00000000000..c7b6dbea982 --- /dev/null +++ b/queue-5.9/ibmvnic-set-up-200gbps-speed.patch @@ -0,0 +1,60 @@ +From 169730ddb95533d015fe9476cd1f0e4a8469e9c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Sep 2020 19:06:25 -0500 +Subject: ibmvnic: set up 200GBPS speed + +From: Lijun Pan + +[ Upstream commit b9cd795b0e4860f482bf3741d12e1c8f3ec1cfc9 ] + +Set up the speed according to crq->query_phys_parms.rsp.speed. +Fix IBMVNIC_10GBPS typo. + +Fixes: f8d6ae0d27ec ("ibmvnic: Report actual backing device speed and duplex values") +Signed-off-by: Lijun Pan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 5 ++++- + drivers/net/ethernet/ibm/ibmvnic.h | 2 +- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 4dd3625a4fbc8..3e0aab04d86fb 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -4610,7 +4610,7 @@ static int handle_query_phys_parms_rsp(union ibmvnic_crq *crq, + case IBMVNIC_1GBPS: + adapter->speed = SPEED_1000; + break; +- case IBMVNIC_10GBP: ++ case IBMVNIC_10GBPS: + adapter->speed = SPEED_10000; + break; + case IBMVNIC_25GBPS: +@@ -4625,6 +4625,9 @@ static int handle_query_phys_parms_rsp(union ibmvnic_crq *crq, + case IBMVNIC_100GBPS: + adapter->speed = SPEED_100000; + break; ++ case IBMVNIC_200GBPS: ++ adapter->speed = SPEED_200000; ++ break; + default: + if (netif_carrier_ok(netdev)) + netdev_warn(netdev, "Unknown speed 0x%08x\n", rspeed); +diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h +index f8416e1d4cf09..43feb96b0a68a 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.h ++++ b/drivers/net/ethernet/ibm/ibmvnic.h +@@ -373,7 +373,7 @@ struct ibmvnic_phys_parms { + #define IBMVNIC_10MBPS 0x40000000 + #define IBMVNIC_100MBPS 0x20000000 + #define IBMVNIC_1GBPS 0x10000000 +-#define IBMVNIC_10GBP 0x08000000 ++#define IBMVNIC_10GBPS 0x08000000 + #define IBMVNIC_40GBPS 0x04000000 + #define IBMVNIC_100GBPS 0x02000000 + #define IBMVNIC_25GBPS 0x01000000 +-- +2.25.1 + diff --git a/queue-5.9/ida-free-allocated-bitmap-in-error-path.patch b/queue-5.9/ida-free-allocated-bitmap-in-error-path.patch new file mode 100644 index 00000000000..4d9a39568ae --- /dev/null +++ b/queue-5.9/ida-free-allocated-bitmap-in-error-path.patch @@ -0,0 +1,88 @@ +From 3115e2da69df1e66f04c2666c82b6f18d8754dff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2020 14:26:13 -0400 +Subject: ida: Free allocated bitmap in error path + +From: Matthew Wilcox (Oracle) + +[ Upstream commit a219b856a2b993da234108307be772448f22b0ce ] + +If a bitmap needs to be allocated, and then by the time the thread +is scheduled to be run again all the indices which would satisfy the +allocation have been allocated then we would leak the allocation. Almost +impossible to hit in practice, but a trivial fix. Found by Coverity. + +Fixes: f32f004cddf8 ("ida: Convert to XArray") +Reported-by: coverity-bot +Reviewed-by: Kees Cook +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + lib/idr.c | 1 + + tools/testing/radix-tree/idr-test.c | 29 +++++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/lib/idr.c b/lib/idr.c +index c2cf2c52bbde5..4d2eef0259d2c 100644 +--- a/lib/idr.c ++++ b/lib/idr.c +@@ -470,6 +470,7 @@ int ida_alloc_range(struct ida *ida, unsigned int min, unsigned int max, + goto retry; + nospc: + xas_unlock_irqrestore(&xas, flags); ++ kfree(alloc); + return -ENOSPC; + } + EXPORT_SYMBOL(ida_alloc_range); +diff --git a/tools/testing/radix-tree/idr-test.c b/tools/testing/radix-tree/idr-test.c +index 8995092d541ec..3b796dd5e5772 100644 +--- a/tools/testing/radix-tree/idr-test.c ++++ b/tools/testing/radix-tree/idr-test.c +@@ -523,8 +523,27 @@ static void *ida_random_fn(void *arg) + return NULL; + } + ++static void *ida_leak_fn(void *arg) ++{ ++ struct ida *ida = arg; ++ time_t s = time(NULL); ++ int i, ret; ++ ++ rcu_register_thread(); ++ ++ do for (i = 0; i < 1000; i++) { ++ ret = ida_alloc_range(ida, 128, 128, GFP_KERNEL); ++ if (ret >= 0) ++ ida_free(ida, 128); ++ } while (time(NULL) < s + 2); ++ ++ rcu_unregister_thread(); ++ return NULL; ++} ++ + void ida_thread_tests(void) + { ++ DEFINE_IDA(ida); + pthread_t threads[20]; + int i; + +@@ -536,6 +555,16 @@ void ida_thread_tests(void) + + while (i--) + pthread_join(threads[i], NULL); ++ ++ for (i = 0; i < ARRAY_SIZE(threads); i++) ++ if (pthread_create(&threads[i], NULL, ida_leak_fn, &ida)) { ++ perror("creating ida thread"); ++ exit(1); ++ } ++ ++ while (i--) ++ pthread_join(threads[i], NULL); ++ assert(ida_is_empty(&ida)); + } + + void ida_tests(void) +-- +2.25.1 + diff --git a/queue-5.9/iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch b/queue-5.9/iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch new file mode 100644 index 00000000000..f29548a9104 --- /dev/null +++ b/queue-5.9/iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch @@ -0,0 +1,72 @@ +From be59a1bccf2598574e10fb06a84da272a2b27d61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 16:55:28 +0200 +Subject: iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling + +From: Fabrice Gasnier + +[ Upstream commit c537d3457542a398caa1fe58e0976c5f83cf7281 ] + +When the ADC is runtime suspended and starting a conversion, the stm32-adc +driver calls pm_runtime_get_sync() that gets cascaded to the parent +(e.g. runtime resume of stm32-adc-core driver). This also kicks the +autosuspend delay (e.g. 2s) of the parent. +Once the ADC is active, calling pm_runtime_get_sync() again (upon a new +capture) won't kick the autosuspend delay for the parent (stm32-adc-core +driver) as already active. + +Currently, this makes the stm32-adc-core driver go in suspend state +every 2s when doing slow polling. As an example, doing a capture, e.g. +cat in_voltageY_raw at a 0.2s rate, the auto suspend delay for the parent +isn't refreshed. Once it expires, the parent immediately falls into +runtime suspended state, in between two captures, as soon as the child +driver falls into runtime suspend state: +- e.g. after 2s, + child calls pm_runtime_put_autosuspend() + 100ms + autosuspend delay of the child. +- stm32-adc-core switches off regulators, clocks and so on. +- They get switched on back again 100ms later in this example (at 2.2s). + +So, use runtime_idle() callback in stm32-adc-core driver to call +pm_runtime_mark_last_busy() for the parent driver (stm32-adc-core), +to avoid this. + +Fixes: 9bdbb1139ca1 ("iio: adc: stm32-adc: add power management support") +Signed-off-by: Fabrice Gasnier +Reviewed-by: Ulf Hansson +Link: https://lore.kernel.org/r/1593615328-5180-1-git-send-email-fabrice.gasnier@st.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/stm32-adc-core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/stm32-adc-core.c b/drivers/iio/adc/stm32-adc-core.c +index 0e2068ec068b8..358636954619d 100644 +--- a/drivers/iio/adc/stm32-adc-core.c ++++ b/drivers/iio/adc/stm32-adc-core.c +@@ -794,6 +794,13 @@ static int stm32_adc_core_runtime_resume(struct device *dev) + { + return stm32_adc_core_hw_start(dev); + } ++ ++static int stm32_adc_core_runtime_idle(struct device *dev) ++{ ++ pm_runtime_mark_last_busy(dev); ++ ++ return 0; ++} + #endif + + static const struct dev_pm_ops stm32_adc_core_pm_ops = { +@@ -801,7 +808,7 @@ static const struct dev_pm_ops stm32_adc_core_pm_ops = { + pm_runtime_force_resume) + SET_RUNTIME_PM_OPS(stm32_adc_core_runtime_suspend, + stm32_adc_core_runtime_resume, +- NULL) ++ stm32_adc_core_runtime_idle) + }; + + static const struct stm32_adc_priv_cfg stm32f4_adc_priv_cfg = { +-- +2.25.1 + diff --git a/queue-5.9/ima-fail-rule-parsing-when-asymmetric-key-measuremen.patch b/queue-5.9/ima-fail-rule-parsing-when-asymmetric-key-measuremen.patch new file mode 100644 index 00000000000..023efa034ae --- /dev/null +++ b/queue-5.9/ima-fail-rule-parsing-when-asymmetric-key-measuremen.patch @@ -0,0 +1,57 @@ +From a69fe54047c5ed76deb82fda3a17ebdc89139782 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 14:26:21 -0500 +Subject: ima: Fail rule parsing when asymmetric key measurement isn't + supportable + +From: Tyler Hicks + +[ Upstream commit 48ce1ddce16b0d1e3ff948da40a0d5125a4ee1a0 ] + +Measuring keys is currently only supported for asymmetric keys. In the +future, this might change. + +For now, the "func=KEY_CHECK" and "keyrings=" options are only +appropriate when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Make +this clear at policy load so that IMA policy authors don't assume that +these policy language constructs are supported. + +Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy") +Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys") +Suggested-by: Nayna Jain +Signed-off-by: Tyler Hicks +Reviewed-by: Lakshmi Ramasubramanian +Reviewed-by: Nayna Jain +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_policy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 9354e7cf4a09f..4a7a4b6bf79b2 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -1233,7 +1233,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + entry->func = POLICY_CHECK; + else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) + entry->func = KEXEC_CMDLINE; +- else if (strcmp(args[0].from, "KEY_CHECK") == 0) ++ else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && ++ strcmp(args[0].from, "KEY_CHECK") == 0) + entry->func = KEY_CHECK; + else + result = -EINVAL; +@@ -1290,7 +1291,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + case Opt_keyrings: + ima_log_string(ab, "keyrings", args[0].from); + +- if (entry->keyrings) { ++ if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || ++ entry->keyrings) { + result = -EINVAL; + break; + } +-- +2.25.1 + diff --git a/queue-5.9/ima-fix-null-pointer-dereference-in-ima_file_hash.patch b/queue-5.9/ima-fix-null-pointer-dereference-in-ima_file_hash.patch new file mode 100644 index 00000000000..814a0c207b3 --- /dev/null +++ b/queue-5.9/ima-fix-null-pointer-dereference-in-ima_file_hash.patch @@ -0,0 +1,78 @@ +From f412a47d888ba10c7ed9c448203beddf099c9c95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 18:02:42 +0000 +Subject: ima: Fix NULL pointer dereference in ima_file_hash + +From: KP Singh + +[ Upstream commit aa662fc04f5b290b3979332588bf8d812b189962 ] + +ima_file_hash can be called when there is no iint->ima_hash available +even though the inode exists in the integrity cache. It is fairly +common for a file to not have a hash. (e.g. an mknodat, prior to the +file being closed). + +Another example where this can happen (suggested by Jann Horn): + +Process A does: + + while(1) { + unlink("/tmp/imafoo"); + fd = open("/tmp/imafoo", O_RDWR|O_CREAT|O_TRUNC, 0700); + if (fd == -1) { + perror("open"); + continue; + } + write(fd, "A", 1); + close(fd); + } + +and Process B does: + + while (1) { + int fd = open("/tmp/imafoo", O_RDONLY); + if (fd == -1) + continue; + char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_EXEC, + MAP_PRIVATE, fd, 0); + if (mapping != MAP_FAILED) + munmap(mapping, 0x1000); + close(fd); + } + +Due to the race to get the iint->mutex between ima_file_hash and +process_measurement iint->ima_hash could still be NULL. + +Fixes: 6beea7afcc72 ("ima: add the ability to query the cached hash of a given file") +Signed-off-by: KP Singh +Reviewed-by: Florent Revest +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index 8a91711ca79b2..4c86cd4eece0c 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -531,6 +531,16 @@ int ima_file_hash(struct file *file, char *buf, size_t buf_size) + return -EOPNOTSUPP; + + mutex_lock(&iint->mutex); ++ ++ /* ++ * ima_file_hash can be called when ima_collect_measurement has still ++ * not been called, we might not always have a hash. ++ */ ++ if (!iint->ima_hash) { ++ mutex_unlock(&iint->mutex); ++ return -EOPNOTSUPP; ++ } ++ + if (buf) { + size_t copied_size; + +-- +2.25.1 + diff --git a/queue-5.9/ima-pre-parse-the-list-of-keyrings-in-a-key_check-ru.patch b/queue-5.9/ima-pre-parse-the-list-of-keyrings-in-a-key_check-ru.patch new file mode 100644 index 00000000000..4327bbc2dbf --- /dev/null +++ b/queue-5.9/ima-pre-parse-the-list-of-keyrings-in-a-key_check-ru.patch @@ -0,0 +1,297 @@ +From 4753d2a86950da94bd685d81d4c556d27b84da65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 14:26:20 -0500 +Subject: ima: Pre-parse the list of keyrings in a KEY_CHECK rule + +From: Tyler Hicks + +[ Upstream commit 176377d97d6a3fae971ecb1f47d9b9cb7dab05ef ] + +The ima_keyrings buffer was used as a work buffer for strsep()-based +parsing of the "keyrings=" option of an IMA policy rule. This parsing +was re-performed each time an asymmetric key was added to a kernel +keyring for each loaded policy rule that contained a "keyrings=" option. + +An example rule specifying this option is: + + measure func=KEY_CHECK keyrings=a|b|c + +The rule says to measure asymmetric keys added to any of the kernel +keyrings named "a", "b", or "c". The size of the buffer size was +equal to the size of the largest "keyrings=" value seen in a previously +loaded rule (5 + 1 for the NUL-terminator in the previous example) and +the buffer was pre-allocated at the time of policy load. + +The pre-allocated buffer approach suffered from a couple bugs: + +1) There was no locking around the use of the buffer so concurrent key + add operations, to two different keyrings, would result in the + strsep() loop of ima_match_keyring() to modify the buffer at the same + time. This resulted in unexpected results from ima_match_keyring() + and, therefore, could cause unintended keys to be measured or keys to + not be measured when IMA policy intended for them to be measured. + +2) If the kstrdup() that initialized entry->keyrings in ima_parse_rule() + failed, the ima_keyrings buffer was freed and set to NULL even when a + valid KEY_CHECK rule was previously loaded. The next KEY_CHECK event + would trigger a call to strcpy() with a NULL destination pointer and + crash the kernel. + +Remove the need for a pre-allocated global buffer by parsing the list of +keyrings in a KEY_CHECK rule at the time of policy load. The +ima_rule_entry will contain an array of string pointers which point to +the name of each keyring specified in the rule. No string processing +needs to happen at the time of asymmetric key add so iterating through +the list and doing a string comparison is all that's required at the +time of policy check. + +In the process of changing how the "keyrings=" policy option is handled, +a couple additional bugs were fixed: + +1) The rule parser accepted rules containing invalid "keyrings=" values + such as "a|b||c", "a|b|", or simply "|". + +2) The /sys/kernel/security/ima/policy file did not display the entire + "keyrings=" value if the list of keyrings was longer than what could + fit in the fixed size tbuf buffer in ima_policy_show(). + +Fixes: 5c7bac9fb2c5 ("IMA: pre-allocate buffer to hold keyrings string") +Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy") +Signed-off-by: Tyler Hicks +Reviewed-by: Lakshmi Ramasubramanian +Reviewed-by: Nayna Jain +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_policy.c | 138 +++++++++++++++++++--------- + 1 file changed, 93 insertions(+), 45 deletions(-) + +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index b4de33074b37d..9354e7cf4a09f 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -59,6 +59,11 @@ enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; + + enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY }; + ++struct ima_rule_opt_list { ++ size_t count; ++ char *items[]; ++}; ++ + struct ima_rule_entry { + struct list_head list; + int action; +@@ -78,7 +83,7 @@ struct ima_rule_entry { + int type; /* audit type */ + } lsm[MAX_LSM_RULES]; + char *fsname; +- char *keyrings; /* Measure keys added to these keyrings */ ++ struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ + struct ima_template_desc *template; + }; + +@@ -206,10 +211,6 @@ static LIST_HEAD(ima_policy_rules); + static LIST_HEAD(ima_temp_rules); + static struct list_head *ima_rules = &ima_default_rules; + +-/* Pre-allocated buffer used for matching keyrings. */ +-static char *ima_keyrings; +-static size_t ima_keyrings_len; +- + static int ima_policy __initdata; + + static int __init default_measure_policy_setup(char *str) +@@ -253,6 +254,72 @@ static int __init default_appraise_policy_setup(char *str) + } + __setup("ima_appraise_tcb", default_appraise_policy_setup); + ++static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) ++{ ++ struct ima_rule_opt_list *opt_list; ++ size_t count = 0; ++ char *src_copy; ++ char *cur, *next; ++ size_t i; ++ ++ src_copy = match_strdup(src); ++ if (!src_copy) ++ return ERR_PTR(-ENOMEM); ++ ++ next = src_copy; ++ while ((cur = strsep(&next, "|"))) { ++ /* Don't accept an empty list item */ ++ if (!(*cur)) { ++ kfree(src_copy); ++ return ERR_PTR(-EINVAL); ++ } ++ count++; ++ } ++ ++ /* Don't accept an empty list */ ++ if (!count) { ++ kfree(src_copy); ++ return ERR_PTR(-EINVAL); ++ } ++ ++ opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL); ++ if (!opt_list) { ++ kfree(src_copy); ++ return ERR_PTR(-ENOMEM); ++ } ++ ++ /* ++ * strsep() has already replaced all instances of '|' with '\0', ++ * leaving a byte sequence of NUL-terminated strings. Reference each ++ * string with the array of items. ++ * ++ * IMPORTANT: Ownership of the allocated buffer is transferred from ++ * src_copy to the first element in the items array. To free the ++ * buffer, kfree() must only be called on the first element of the ++ * array. ++ */ ++ for (i = 0, cur = src_copy; i < count; i++) { ++ opt_list->items[i] = cur; ++ cur = strchr(cur, '\0') + 1; ++ } ++ opt_list->count = count; ++ ++ return opt_list; ++} ++ ++static void ima_free_rule_opt_list(struct ima_rule_opt_list *opt_list) ++{ ++ if (!opt_list) ++ return; ++ ++ if (opt_list->count) { ++ kfree(opt_list->items[0]); ++ opt_list->count = 0; ++ } ++ ++ kfree(opt_list); ++} ++ + static void ima_lsm_free_rule(struct ima_rule_entry *entry) + { + int i; +@@ -274,7 +341,7 @@ static void ima_free_rule(struct ima_rule_entry *entry) + * the defined_templates list and cannot be freed here + */ + kfree(entry->fsname); +- kfree(entry->keyrings); ++ ima_free_rule_opt_list(entry->keyrings); + ima_lsm_free_rule(entry); + kfree(entry); + } +@@ -394,8 +461,8 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, + static bool ima_match_keyring(struct ima_rule_entry *rule, + const char *keyring, const struct cred *cred) + { +- char *next_keyring, *keyrings_ptr; + bool matched = false; ++ size_t i; + + if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) + return false; +@@ -406,15 +473,8 @@ static bool ima_match_keyring(struct ima_rule_entry *rule, + if (!keyring) + return false; + +- strcpy(ima_keyrings, rule->keyrings); +- +- /* +- * "keyrings=" is specified in the policy in the format below: +- * keyrings=.builtin_trusted_keys|.ima|.evm +- */ +- keyrings_ptr = ima_keyrings; +- while ((next_keyring = strsep(&keyrings_ptr, "|")) != NULL) { +- if (!strcmp(next_keyring, keyring)) { ++ for (i = 0; i < rule->keyrings->count; i++) { ++ if (!strcmp(rule->keyrings->items[i], keyring)) { + matched = true; + break; + } +@@ -1065,7 +1125,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + bool uid_token; + struct ima_template_desc *template_desc; + int result = 0; +- size_t keyrings_len; + + ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, + AUDIT_INTEGRITY_POLICY_RULE); +@@ -1231,37 +1290,18 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + case Opt_keyrings: + ima_log_string(ab, "keyrings", args[0].from); + +- keyrings_len = strlen(args[0].from) + 1; +- +- if ((entry->keyrings) || +- (keyrings_len < 2)) { ++ if (entry->keyrings) { + result = -EINVAL; + break; + } + +- if (keyrings_len > ima_keyrings_len) { +- char *tmpbuf; +- +- tmpbuf = krealloc(ima_keyrings, keyrings_len, +- GFP_KERNEL); +- if (!tmpbuf) { +- result = -ENOMEM; +- break; +- } +- +- ima_keyrings = tmpbuf; +- ima_keyrings_len = keyrings_len; +- } +- +- entry->keyrings = kstrdup(args[0].from, GFP_KERNEL); +- if (!entry->keyrings) { +- kfree(ima_keyrings); +- ima_keyrings = NULL; +- ima_keyrings_len = 0; +- result = -ENOMEM; ++ entry->keyrings = ima_alloc_rule_opt_list(args); ++ if (IS_ERR(entry->keyrings)) { ++ result = PTR_ERR(entry->keyrings); ++ entry->keyrings = NULL; + break; + } +- result = 0; ++ + entry->flags |= IMA_KEYRINGS; + break; + case Opt_fsuuid: +@@ -1574,6 +1614,15 @@ static void policy_func_show(struct seq_file *m, enum ima_hooks func) + seq_printf(m, "func=%d ", func); + } + ++static void ima_show_rule_opt_list(struct seq_file *m, ++ const struct ima_rule_opt_list *opt_list) ++{ ++ size_t i; ++ ++ for (i = 0; i < opt_list->count; i++) ++ seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); ++} ++ + int ima_policy_show(struct seq_file *m, void *v) + { + struct ima_rule_entry *entry = v; +@@ -1630,9 +1679,8 @@ int ima_policy_show(struct seq_file *m, void *v) + } + + if (entry->flags & IMA_KEYRINGS) { +- if (entry->keyrings != NULL) +- snprintf(tbuf, sizeof(tbuf), "%s", entry->keyrings); +- seq_printf(m, pt(Opt_keyrings), tbuf); ++ seq_puts(m, "keyrings="); ++ ima_show_rule_opt_list(m, entry->keyrings); + seq_puts(m, " "); + } + +-- +2.25.1 + diff --git a/queue-5.9/input-elants_i2c-fix-typo-for-an-attribute-to-show-c.patch b/queue-5.9/input-elants_i2c-fix-typo-for-an-attribute-to-show-c.patch new file mode 100644 index 00000000000..81a82e0df58 --- /dev/null +++ b/queue-5.9/input-elants_i2c-fix-typo-for-an-attribute-to-show-c.patch @@ -0,0 +1,37 @@ +From 5e2e30d700e085aded05868f50e6629d0e44c2a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 10:26:57 -0700 +Subject: Input: elants_i2c - fix typo for an attribute to show calibration + count + +From: Johnny Chuang + +[ Upstream commit 93f634069707cfe562c38739f5062feccbe9a834 ] + +Fixed typo for command from 0xE0 to 0xD0. + +Fixes: cf520c643012 ("Input: elants_i2c - provide an attribute to show calibration count") +Signed-off-by: Johnny Chuang +Link: https://lore.kernel.org/r/1600238783-32303-1-git-send-email-johnny.chuang.emc@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/elants_i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c +index b0bd5bb079bec..75b39ef39b743 100644 +--- a/drivers/input/touchscreen/elants_i2c.c ++++ b/drivers/input/touchscreen/elants_i2c.c +@@ -90,7 +90,7 @@ + /* FW read command, 0x53 0x?? 0x0, 0x01 */ + #define E_ELAN_INFO_FW_VER 0x00 + #define E_ELAN_INFO_BC_VER 0x10 +-#define E_ELAN_INFO_REK 0xE0 ++#define E_ELAN_INFO_REK 0xD0 + #define E_ELAN_INFO_TEST_VER 0xE0 + #define E_ELAN_INFO_FW_ID 0xF0 + #define E_INFO_OSR 0xD6 +-- +2.25.1 + diff --git a/queue-5.9/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch b/queue-5.9/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch new file mode 100644 index 00000000000..49c7a8934ed --- /dev/null +++ b/queue-5.9/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch @@ -0,0 +1,39 @@ +From 516562b4dea9c45a9ba81bab159df397fff63828 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:51:05 -0700 +Subject: Input: ep93xx_keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 7d50f6656dacf085a00beeedbc48b19a37d17881 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: 60214f058f44 ("Input: ep93xx_keypad - update driver to new core support") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-1-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/ep93xx_keypad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/keyboard/ep93xx_keypad.c b/drivers/input/keyboard/ep93xx_keypad.c +index 7c70492d9d6b5..f831f01501d58 100644 +--- a/drivers/input/keyboard/ep93xx_keypad.c ++++ b/drivers/input/keyboard/ep93xx_keypad.c +@@ -250,8 +250,8 @@ static int ep93xx_keypad_probe(struct platform_device *pdev) + } + + keypad->irq = platform_get_irq(pdev, 0); +- if (!keypad->irq) { +- err = -ENXIO; ++ if (keypad->irq < 0) { ++ err = keypad->irq; + goto failed_free; + } + +-- +2.25.1 + diff --git a/queue-5.9/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch b/queue-5.9/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch new file mode 100644 index 00000000000..5fbe09d31b1 --- /dev/null +++ b/queue-5.9/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch @@ -0,0 +1,67 @@ +From 98a2beb96f30e0b0281f6eae123342a011088013 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 10:17:01 -0700 +Subject: Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() + +From: Dan Carpenter + +[ Upstream commit 30df23c5ecdfb8da5b0bc17ceef67eff9e1b0957 ] + +If imx6ul_tsc_init() fails then we need to clean up the clocks. + +I reversed the "if (input_dev->users) {" condition to make the code a +bit simpler. + +Fixes: 6cc527b05847 ("Input: imx6ul_tsc - propagate the errors") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200905124942.GC183976@mwanda +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/imx6ul_tsc.c | 27 +++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/input/touchscreen/imx6ul_tsc.c b/drivers/input/touchscreen/imx6ul_tsc.c +index 9ed258854349b..5e6ba5c4eca2a 100644 +--- a/drivers/input/touchscreen/imx6ul_tsc.c ++++ b/drivers/input/touchscreen/imx6ul_tsc.c +@@ -530,20 +530,25 @@ static int __maybe_unused imx6ul_tsc_resume(struct device *dev) + + mutex_lock(&input_dev->mutex); + +- if (input_dev->users) { +- retval = clk_prepare_enable(tsc->adc_clk); +- if (retval) +- goto out; +- +- retval = clk_prepare_enable(tsc->tsc_clk); +- if (retval) { +- clk_disable_unprepare(tsc->adc_clk); +- goto out; +- } ++ if (!input_dev->users) ++ goto out; + +- retval = imx6ul_tsc_init(tsc); ++ retval = clk_prepare_enable(tsc->adc_clk); ++ if (retval) ++ goto out; ++ ++ retval = clk_prepare_enable(tsc->tsc_clk); ++ if (retval) { ++ clk_disable_unprepare(tsc->adc_clk); ++ goto out; + } + ++ retval = imx6ul_tsc_init(tsc); ++ if (retval) { ++ clk_disable_unprepare(tsc->tsc_clk); ++ clk_disable_unprepare(tsc->adc_clk); ++ goto out; ++ } + out: + mutex_unlock(&input_dev->mutex); + return retval; +-- +2.25.1 + diff --git a/queue-5.9/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch b/queue-5.9/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch new file mode 100644 index 00000000000..c4a81f2ff2f --- /dev/null +++ b/queue-5.9/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch @@ -0,0 +1,41 @@ +From 18cfdbe6ee81b75a573a1a5121b6cebe549638fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:52:15 -0700 +Subject: Input: omap4-keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 4738dd1992fa13acfbbd71800c71c612f466fa44 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: f3a1ba60dbdb ("Input: omap4-keypad - use platform device helpers") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-2-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/omap4-keypad.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c +index 94c94d7f5155f..d6c924032aaa8 100644 +--- a/drivers/input/keyboard/omap4-keypad.c ++++ b/drivers/input/keyboard/omap4-keypad.c +@@ -240,10 +240,8 @@ static int omap4_keypad_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "no keyboard irq assigned\n"); +- return -EINVAL; +- } ++ if (irq < 0) ++ return irq; + + keypad_data = kzalloc(sizeof(struct omap4_keypad), GFP_KERNEL); + if (!keypad_data) { +-- +2.25.1 + diff --git a/queue-5.9/input-stmfts-fix-a-vs-typo.patch b/queue-5.9/input-stmfts-fix-a-vs-typo.patch new file mode 100644 index 00000000000..a6dec845898 --- /dev/null +++ b/queue-5.9/input-stmfts-fix-a-vs-typo.patch @@ -0,0 +1,37 @@ +From ddcefb53655067571e3cfe624d4e5be012fddff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 10:26:09 -0700 +Subject: Input: stmfts - fix a & vs && typo + +From: YueHaibing + +[ Upstream commit d04afe14b23651e7a8bc89727a759e982a8458e4 ] + +In stmfts_sysfs_hover_enable_write(), we should check value and +sdata->hover_enabled is all true. + +Fixes: 78bcac7b2ae1 ("Input: add support for the STMicroelectronics FingerTip touchscreen") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20200916141941.16684-1-yuehaibing@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/stmfts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/stmfts.c b/drivers/input/touchscreen/stmfts.c +index df946869d4cd1..9a64e1dbc04ad 100644 +--- a/drivers/input/touchscreen/stmfts.c ++++ b/drivers/input/touchscreen/stmfts.c +@@ -479,7 +479,7 @@ static ssize_t stmfts_sysfs_hover_enable_write(struct device *dev, + + mutex_lock(&sdata->mutex); + +- if (value & sdata->hover_enabled) ++ if (value && sdata->hover_enabled) + goto out; + + if (sdata->running) +-- +2.25.1 + diff --git a/queue-5.9/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch b/queue-5.9/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch new file mode 100644 index 00000000000..b04ee8fae37 --- /dev/null +++ b/queue-5.9/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch @@ -0,0 +1,55 @@ +From 90d805458953942c47370cab92ee77f6f50a0da5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:56:40 -0700 +Subject: Input: sun4i-ps2 - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit cafb3abea6136e59ea534004e5773361e196bb94 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: e443631d20f5 ("Input: serio - add support for Alwinner A10/A20 PS/2 controller") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20200828145744.3636-4-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/sun4i-ps2.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/serio/sun4i-ps2.c b/drivers/input/serio/sun4i-ps2.c +index a681a2c04e399..f15ed3dcdb9b2 100644 +--- a/drivers/input/serio/sun4i-ps2.c ++++ b/drivers/input/serio/sun4i-ps2.c +@@ -211,7 +211,6 @@ static int sun4i_ps2_probe(struct platform_device *pdev) + struct sun4i_ps2data *drvdata; + struct serio *serio; + struct device *dev = &pdev->dev; +- unsigned int irq; + int error; + + drvdata = kzalloc(sizeof(struct sun4i_ps2data), GFP_KERNEL); +@@ -264,14 +263,12 @@ static int sun4i_ps2_probe(struct platform_device *pdev) + writel(0, drvdata->reg_base + PS2_REG_GCTL); + + /* Get IRQ for the device */ +- irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(dev, "no IRQ found\n"); +- error = -ENXIO; ++ drvdata->irq = platform_get_irq(pdev, 0); ++ if (drvdata->irq < 0) { ++ error = drvdata->irq; + goto err_disable_clk; + } + +- drvdata->irq = irq; + drvdata->serio = serio; + drvdata->dev = dev; + +-- +2.25.1 + diff --git a/queue-5.9/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch b/queue-5.9/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch new file mode 100644 index 00000000000..a3f80ad4aca --- /dev/null +++ b/queue-5.9/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch @@ -0,0 +1,51 @@ +From e88eb07df10d973318f6b98b1c29f7f938ec5fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:56:19 -0700 +Subject: Input: twl4030_keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit c277e1f0dc3c7d7b5b028e20dd414df241642036 ] + +platform_get_irq() returns -ERRNO on error. In such case casting to +unsigned and comparing to 0 would pass the check. + +Fixes: 7abf38d6d13c ("Input: twl4030-keypad - add device tree support") +Reported-by: kernel test robot +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-3-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/twl4030_keypad.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/input/keyboard/twl4030_keypad.c b/drivers/input/keyboard/twl4030_keypad.c +index af3a6824f1a4d..77e0743a3cf85 100644 +--- a/drivers/input/keyboard/twl4030_keypad.c ++++ b/drivers/input/keyboard/twl4030_keypad.c +@@ -50,7 +50,7 @@ struct twl4030_keypad { + bool autorepeat; + unsigned int n_rows; + unsigned int n_cols; +- unsigned int irq; ++ int irq; + + struct device *dbg_dev; + struct input_dev *input; +@@ -376,10 +376,8 @@ static int twl4030_kp_probe(struct platform_device *pdev) + } + + kp->irq = platform_get_irq(pdev, 0); +- if (!kp->irq) { +- dev_err(&pdev->dev, "no keyboard irq assigned\n"); +- return -EINVAL; +- } ++ if (kp->irq < 0) ++ return kp->irq; + + error = matrix_keypad_build_keymap(keymap_data, NULL, + TWL4030_MAX_ROWS, +-- +2.25.1 + diff --git a/queue-5.9/iomap-clear-page-error-before-beginning-a-write.patch b/queue-5.9/iomap-clear-page-error-before-beginning-a-write.patch new file mode 100644 index 00000000000..076d323084e --- /dev/null +++ b/queue-5.9/iomap-clear-page-error-before-beginning-a-write.patch @@ -0,0 +1,51 @@ +From ae106401a0849a0496594861b7f1d7e72c0eead2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 08:26:17 -0700 +Subject: iomap: Clear page error before beginning a write + +From: Matthew Wilcox (Oracle) + +[ Upstream commit e6e7ca92623a43156100306861272e04d46385fc ] + +If we find a page in write_begin which is !Uptodate, we need +to clear any error on the page before starting to read data +into it. This matches how filemap_fault(), do_read_cache_page() +and generic_file_buffered_read() handle PageError on !Uptodate pages. +When calling iomap_set_range_uptodate() in __iomap_write_begin(), blocks +were not being marked as uptodate. + +This was found with generic/127 and a specially modified kernel which +would fail (some) readahead I/Os. The test read some bytes in a prior +page which caused readahead to extend into page 0x34. There was +a subsequent write to page 0x34, followed by a read to page 0x34. +Because the blocks were still marked as !Uptodate, the read caused all +blocks to be re-read, overwriting the write. With this change, and the +next one, the bytes which were written are marked as being Uptodate, so +even though the page is still marked as !Uptodate, the blocks containing +the written data are not re-read from storage. + +Fixes: 9dc55f1389f9 ("iomap: add support for sub-pagesize buffered I/O without buffer heads") +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/iomap/buffered-io.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index bcfc288dba3fb..c95454784df48 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -578,6 +578,7 @@ __iomap_write_begin(struct inode *inode, loff_t pos, unsigned len, int flags, + + if (PageUptodate(page)) + return 0; ++ ClearPageError(page); + + do { + iomap_adjust_read_range(inode, iop, &block_start, +-- +2.25.1 + diff --git a/queue-5.9/iomap-fix-warn_on_once-from-unprivileged-users.patch b/queue-5.9/iomap-fix-warn_on_once-from-unprivileged-users.patch new file mode 100644 index 00000000000..9bb891ee23a --- /dev/null +++ b/queue-5.9/iomap-fix-warn_on_once-from-unprivileged-users.patch @@ -0,0 +1,48 @@ +From c567df6f9b7812168fed41eac12a18f3ac29f5c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 08:26:15 -0700 +Subject: iomap: fix WARN_ON_ONCE() from unprivileged users + +From: Qian Cai + +[ Upstream commit a805c111650cdba6ee880f528abdd03c1af82089 ] + +It is trivial to trigger a WARN_ON_ONCE(1) in iomap_dio_actor() by +unprivileged users which would taint the kernel, or worse - panic if +panic_on_warn or panic_on_taint is set. Hence, just convert it to +pr_warn_ratelimited() to let users know their workloads are racing. +Thank Dave Chinner for the initial analysis of the racing reproducers. + +Signed-off-by: Qian Cai +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/iomap/direct-io.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c +index c1aafb2ab9907..9519113ebc352 100644 +--- a/fs/iomap/direct-io.c ++++ b/fs/iomap/direct-io.c +@@ -388,6 +388,16 @@ iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length, + return iomap_dio_bio_actor(inode, pos, length, dio, iomap); + case IOMAP_INLINE: + return iomap_dio_inline_actor(inode, pos, length, dio, iomap); ++ case IOMAP_DELALLOC: ++ /* ++ * DIO is not serialised against mmap() access at all, and so ++ * if the page_mkwrite occurs between the writeback and the ++ * iomap_apply() call in the DIO path, then it will see the ++ * DELALLOC block that the page-mkwrite allocated. ++ */ ++ pr_warn_ratelimited("Direct I/O collision with buffered writes! File: %pD4 Comm: %.20s\n", ++ dio->iocb->ki_filp, current->comm); ++ return -EIO; + default: + WARN_ON_ONCE(1); + return -EIO; +-- +2.25.1 + diff --git a/queue-5.9/iomap-mark-read-blocks-uptodate-in-write_begin.patch b/queue-5.9/iomap-mark-read-blocks-uptodate-in-write_begin.patch new file mode 100644 index 00000000000..55c7f464e3d --- /dev/null +++ b/queue-5.9/iomap-mark-read-blocks-uptodate-in-write_begin.patch @@ -0,0 +1,62 @@ +From 072240c3f55268439b4493d4949839fde6599bdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 08:26:18 -0700 +Subject: iomap: Mark read blocks uptodate in write_begin + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 14284fedf59f1647264f4603d64418cf1fcd3eb0 ] + +When bringing (portions of) a page uptodate, we were marking blocks that +were zeroed as being uptodate, but not blocks that were read from storage. + +Like the previous commit, this problem was found with generic/127 and +a kernel which failed readahead I/Os. This bug causes writes to be +silently lost when working with flaky storage. + +Fixes: 9dc55f1389f9 ("iomap: add support for sub-pagesize buffered I/O without buffer heads") +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/iomap/buffered-io.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index c95454784df48..897ab9a26a74c 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -574,7 +574,6 @@ __iomap_write_begin(struct inode *inode, loff_t pos, unsigned len, int flags, + loff_t block_start = pos & ~(block_size - 1); + loff_t block_end = (pos + len + block_size - 1) & ~(block_size - 1); + unsigned from = offset_in_page(pos), to = from + len, poff, plen; +- int status; + + if (PageUptodate(page)) + return 0; +@@ -595,14 +594,13 @@ __iomap_write_begin(struct inode *inode, loff_t pos, unsigned len, int flags, + if (WARN_ON_ONCE(flags & IOMAP_WRITE_F_UNSHARE)) + return -EIO; + zero_user_segments(page, poff, from, to, poff + plen); +- iomap_set_range_uptodate(page, poff, plen); +- continue; ++ } else { ++ int status = iomap_read_page_sync(block_start, page, ++ poff, plen, srcmap); ++ if (status) ++ return status; + } +- +- status = iomap_read_page_sync(block_start, page, poff, plen, +- srcmap); +- if (status) +- return status; ++ iomap_set_range_uptodate(page, poff, plen); + } while ((block_start += plen) < block_end); + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/iomap-use-kzalloc-to-allocate-iomap_page.patch b/queue-5.9/iomap-use-kzalloc-to-allocate-iomap_page.patch new file mode 100644 index 00000000000..aa92e0c5a29 --- /dev/null +++ b/queue-5.9/iomap-use-kzalloc-to-allocate-iomap_page.patch @@ -0,0 +1,49 @@ +From 74c23764afdb909d8022e5a11ddf6e5a3d953ebd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 08:58:39 -0700 +Subject: iomap: Use kzalloc to allocate iomap_page + +From: Matthew Wilcox (Oracle) + +[ Upstream commit a6901d4d148dcbad7efb3174afbdf68c995618c2 ] + +We can skip most of the initialisation, although spinlocks still +need explicit initialisation as architectures may use a non-zero +value to indicate unlocked. The comment is no longer useful as +attach_page_private() handles the refcount now. + +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Christoph Hellwig +Reviewed-by: Dave Chinner +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/iomap/buffered-io.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index 897ab9a26a74c..b115e7d47fcec 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -49,16 +49,8 @@ iomap_page_create(struct inode *inode, struct page *page) + if (iop || i_blocksize(inode) == PAGE_SIZE) + return iop; + +- iop = kmalloc(sizeof(*iop), GFP_NOFS | __GFP_NOFAIL); +- atomic_set(&iop->read_count, 0); +- atomic_set(&iop->write_count, 0); ++ iop = kzalloc(sizeof(*iop), GFP_NOFS | __GFP_NOFAIL); + spin_lock_init(&iop->uptodate_lock); +- bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE); +- +- /* +- * migrate_page_move_mapping() assumes that pages with private data have +- * their count elevated by 1. +- */ + attach_page_private(page, iop); + return iop; + } +-- +2.25.1 + diff --git a/queue-5.9/iommu-qcom-add-missing-put_device-call-in-qcom_iommu.patch b/queue-5.9/iommu-qcom-add-missing-put_device-call-in-qcom_iommu.patch new file mode 100644 index 00000000000..12ba1e6e012 --- /dev/null +++ b/queue-5.9/iommu-qcom-add-missing-put_device-call-in-qcom_iommu.patch @@ -0,0 +1,54 @@ +From 3b089d3a266bacb50a025f6d6a1c038b4e7e42ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 09:40:37 +0800 +Subject: iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate() + +From: Yu Kuai + +[ Upstream commit e2eae09939a89e0994f7965ba3c676a5eac8b4b0 ] + +if of_find_device_by_node() succeed, qcom_iommu_of_xlate() doesn't have +a corresponding put_device(). Thus add put_device() to fix the exception +handling for this function implementation. + +Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu") +Acked-by: Rob Clark +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20200929014037.2436663-1-yukuai3@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/qcom_iommu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c +index af6bec3ace007..ef3dd32aa6d97 100644 +--- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c ++++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c +@@ -584,8 +584,10 @@ static int qcom_iommu_of_xlate(struct device *dev, struct of_phandle_args *args) + * index into qcom_iommu->ctxs: + */ + if (WARN_ON(asid < 1) || +- WARN_ON(asid > qcom_iommu->num_ctxs)) ++ WARN_ON(asid > qcom_iommu->num_ctxs)) { ++ put_device(&iommu_pdev->dev); + return -EINVAL; ++ } + + if (!dev_iommu_priv_get(dev)) { + dev_iommu_priv_set(dev, qcom_iommu); +@@ -594,8 +596,10 @@ static int qcom_iommu_of_xlate(struct device *dev, struct of_phandle_args *args) + * multiple different iommu devices. Multiple context + * banks are ok, but multiple devices are not: + */ +- if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) ++ if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) { ++ put_device(&iommu_pdev->dev); + return -EINVAL; ++ } + } + + return iommu_fwspec_add_ids(dev, &asid, 1); +-- +2.25.1 + diff --git a/queue-5.9/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch b/queue-5.9/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch new file mode 100644 index 00000000000..0e924b3f3f7 --- /dev/null +++ b/queue-5.9/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch @@ -0,0 +1,90 @@ +From 0e6fe91c8795e6570fa4d9d06ca613e8a8a40f44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 16:17:21 -0700 +Subject: ip_gre: set dev->hard_header_len and dev->needed_headroom properly + +From: Cong Wang + +[ Upstream commit fdafed459998e2be0e877e6189b24cb7a0183224 ] + +GRE tunnel has its own header_ops, ipgre_header_ops, and sets it +conditionally. When it is set, it assumes the outer IP header is +already created before ipgre_xmit(). + +This is not true when we send packets through a raw packet socket, +where L2 headers are supposed to be constructed by user. Packet +socket calls dev_validate_header() to validate the header. But +GRE tunnel does not set dev->hard_header_len, so that check can +be simply bypassed, therefore uninit memory could be passed down +to ipgre_xmit(). Similar for dev->needed_headroom. + +dev->hard_header_len is supposed to be the length of the header +created by dev->header_ops->create(), so it should be used whenever +header_ops is set, and dev->needed_headroom should be used when it +is not set. + +Reported-and-tested-by: syzbot+4a2c52677a8a1aa283cb@syzkaller.appspotmail.com +Cc: William Tu +Acked-by: Willem de Bruijn +Signed-off-by: Cong Wang +Acked-by: Xie He +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 4e31f23e4117e..e70291748889b 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -625,9 +625,7 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { +- /* Need space for new headers */ +- if (skb_cow_head(skb, dev->needed_headroom - +- (tunnel->hlen + sizeof(struct iphdr)))) ++ if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; +@@ -748,7 +746,11 @@ static void ipgre_link_update(struct net_device *dev, bool set_mtu) + len = tunnel->tun_hlen - len; + tunnel->hlen = tunnel->hlen + len; + +- dev->needed_headroom = dev->needed_headroom + len; ++ if (dev->header_ops) ++ dev->hard_header_len += len; ++ else ++ dev->needed_headroom += len; ++ + if (set_mtu) + dev->mtu = max_t(int, dev->mtu - len, 68); + +@@ -944,6 +946,7 @@ static void __gre_tunnel_init(struct net_device *dev) + tunnel->parms.iph.protocol = IPPROTO_GRE; + + tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen; ++ dev->needed_headroom = tunnel->hlen + sizeof(tunnel->parms.iph); + + dev->features |= GRE_FEATURES; + dev->hw_features |= GRE_FEATURES; +@@ -987,10 +990,14 @@ static int ipgre_tunnel_init(struct net_device *dev) + return -EINVAL; + dev->flags = IFF_BROADCAST; + dev->header_ops = &ipgre_header_ops; ++ dev->hard_header_len = tunnel->hlen + sizeof(*iph); ++ dev->needed_headroom = 0; + } + #endif + } else if (!tunnel->collect_md) { + dev->header_ops = &ipgre_header_ops; ++ dev->hard_header_len = tunnel->hlen + sizeof(*iph); ++ dev->needed_headroom = 0; + } + + return ip_tunnel_init(dev); +-- +2.25.1 + diff --git a/queue-5.9/ipmi_si-fix-wrong-return-value-in-try_smi_init.patch b/queue-5.9/ipmi_si-fix-wrong-return-value-in-try_smi_init.patch new file mode 100644 index 00000000000..2e2531ce73a --- /dev/null +++ b/queue-5.9/ipmi_si-fix-wrong-return-value-in-try_smi_init.patch @@ -0,0 +1,38 @@ +From 4e161649b47a8e69f7cb4bc9adfe2696cfcc9046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 22:52:12 +0800 +Subject: ipmi_si: Fix wrong return value in try_smi_init() + +From: Tianjia Zhang + +[ Upstream commit 8fe7990ceda8597e407d06bffc4bdbe835a93ece ] + +On an error exit path, a negative error code should be returned +instead of a positive return value. + +Fixes: 90b2d4f15ff7 ("ipmi_si: Remove hacks for adding a dummy platform devices") +Cc: Corey Minyard +Signed-off-by: Tianjia Zhang +Message-Id: <20201005145212.84435-1-tianjia.zhang@linux.alibaba.com> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_si_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c +index 77b8d551ae7fe..dd559661c15b3 100644 +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -1963,7 +1963,7 @@ static int try_smi_init(struct smi_info *new_smi) + /* Do this early so it's available for logs. */ + if (!new_smi->io.dev) { + pr_err("IPMI interface added with no device\n"); +- rv = EIO; ++ rv = -EIO; + goto out_err; + } + +-- +2.25.1 + diff --git a/queue-5.9/ipvs-clear-skb-tstamp-in-forwarding-path.patch b/queue-5.9/ipvs-clear-skb-tstamp-in-forwarding-path.patch new file mode 100644 index 00000000000..19b55e4984b --- /dev/null +++ b/queue-5.9/ipvs-clear-skb-tstamp-in-forwarding-path.patch @@ -0,0 +1,59 @@ +From 3381a95ac1c69ea73282d28067581512aee27697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 21:24:25 +0300 +Subject: ipvs: clear skb->tstamp in forwarding path + +From: Julian Anastasov + +[ Upstream commit 7980d2eabde82be86c5be18aa3d07e88ec13c6a1 ] + +fq qdisc requires tstamp to be cleared in forwarding path + +Reported-by: Evgeny B +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209427 +Suggested-by: Eric Dumazet +Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths") +Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC") +Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.") +Signed-off-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_xmit.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c +index b00866d777fe0..d2e5a8f644b80 100644 +--- a/net/netfilter/ipvs/ip_vs_xmit.c ++++ b/net/netfilter/ipvs/ip_vs_xmit.c +@@ -609,6 +609,8 @@ static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff *skb, + if (ret == NF_ACCEPT) { + nf_reset_ct(skb); + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + } + return ret; + } +@@ -649,6 +651,8 @@ static inline int ip_vs_nat_send_or_cont(int pf, struct sk_buff *skb, + + if (!local) { + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb, + NULL, skb_dst(skb)->dev, dst_output); + } else +@@ -669,6 +673,8 @@ static inline int ip_vs_send_or_cont(int pf, struct sk_buff *skb, + if (!local) { + ip_vs_drop_early_demux_sk(skb); + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb, + NULL, skb_dst(skb)->dev, dst_output); + } else +-- +2.25.1 + diff --git a/queue-5.9/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch b/queue-5.9/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch new file mode 100644 index 00000000000..e641fb7661e --- /dev/null +++ b/queue-5.9/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch @@ -0,0 +1,52 @@ +From b9c99b9d702d72e49cc131fea3cc39bfe3b92477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 03:46:40 -0400 +Subject: ipvs: Fix uninit-value in do_ip_vs_set_ctl() + +From: Peilin Ye + +[ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ] + +do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is +zero. Fix it. + +Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 +Suggested-by: Julian Anastasov +Signed-off-by: Peilin Ye +Acked-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 678c5b14841c1..8dbfd84322a88 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2508,6 +2508,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, sockptr_t ptr, unsigned int len) + /* Set timeout values for (tcp tcpfin udp) */ + ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); + goto out_unlock; ++ } else if (!len) { ++ /* No more commands with len == 0 below */ ++ ret = -EINVAL; ++ goto out_unlock; + } + + usvc_compat = (struct ip_vs_service_user *)arg; +@@ -2584,9 +2588,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, sockptr_t ptr, unsigned int len) + break; + case IP_VS_SO_SET_DELDEST: + ret = ip_vs_del_dest(svc, &udest); +- break; +- default: +- ret = -EINVAL; + } + + out_unlock: +-- +2.25.1 + diff --git a/queue-5.9/irqchip-ti-sci-inta-fix-unsigned-comparison-to-zero.patch b/queue-5.9/irqchip-ti-sci-inta-fix-unsigned-comparison-to-zero.patch new file mode 100644 index 00000000000..9e0350f991b --- /dev/null +++ b/queue-5.9/irqchip-ti-sci-inta-fix-unsigned-comparison-to-zero.patch @@ -0,0 +1,40 @@ +From fde2c6cb8186a281e42e82000f585bf014e21909 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 11:54:30 +0800 +Subject: irqchip/ti-sci-inta: Fix unsigned comparison to zero + +From: YueHaibing + +[ Upstream commit 4c9b1bfaa5039fee650f4de514a8e70ae976fc2f ] + +ti_sci_inta_xlate_irq() return -ENOENT on fail, p_hwirq +should be int type. + +Fixes: 5c4b585d2910 ("irqchip/ti-sci-inta: Add support for INTA directly connecting to GIC") +Signed-off-by: YueHaibing +Signed-off-by: Marc Zyngier +Acked-by: Lokesh Vutla +Link: https://lore.kernel.org/r/20200826035430.21060-1-yuehaibing@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-ti-sci-inta.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-ti-sci-inta.c b/drivers/irqchip/irq-ti-sci-inta.c +index d4e97605456bb..05bf94b87b938 100644 +--- a/drivers/irqchip/irq-ti-sci-inta.c ++++ b/drivers/irqchip/irq-ti-sci-inta.c +@@ -175,8 +175,8 @@ static struct ti_sci_inta_vint_desc *ti_sci_inta_alloc_parent_irq(struct irq_dom + struct irq_fwspec parent_fwspec; + struct device_node *parent_node; + unsigned int parent_virq; +- u16 vint_id, p_hwirq; +- int ret; ++ int p_hwirq, ret; ++ u16 vint_id; + + vint_id = ti_sci_get_free_resource(inta->vint); + if (vint_id == TI_SCI_RESOURCE_NULL) +-- +2.25.1 + diff --git a/queue-5.9/irqchip-ti-sci-intr-fix-unsigned-comparison-to-zero.patch b/queue-5.9/irqchip-ti-sci-intr-fix-unsigned-comparison-to-zero.patch new file mode 100644 index 00000000000..f0c1507b86b --- /dev/null +++ b/queue-5.9/irqchip-ti-sci-intr-fix-unsigned-comparison-to-zero.patch @@ -0,0 +1,40 @@ +From 0cf4e99fa34d8035ed22ff165a8648c8ff25e496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 11:53:21 +0800 +Subject: irqchip/ti-sci-intr: Fix unsigned comparison to zero + +From: YueHaibing + +[ Upstream commit 8ddf1905a904ca86d71ca1c435e4b0b2a0b70df8 ] + +ti_sci_intr_xlate_irq() return -ENOENT on fail, p_hwirq +should be int type. + +Fixes: a5b659bd4bc7 ("irqchip/ti-sci-intr: Add support for INTR being a parent to INTR") +Signed-off-by: YueHaibing +Signed-off-by: Marc Zyngier +Acked-by: Lokesh Vutla +Link: https://lore.kernel.org/r/20200826035321.18620-1-yuehaibing@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-ti-sci-intr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-ti-sci-intr.c b/drivers/irqchip/irq-ti-sci-intr.c +index cbc1758228d9e..85a72b56177cf 100644 +--- a/drivers/irqchip/irq-ti-sci-intr.c ++++ b/drivers/irqchip/irq-ti-sci-intr.c +@@ -137,8 +137,8 @@ static int ti_sci_intr_alloc_parent_irq(struct irq_domain *domain, + struct ti_sci_intr_irq_domain *intr = domain->host_data; + struct device_node *parent_node; + struct irq_fwspec fwspec; +- u16 out_irq, p_hwirq; +- int err = 0; ++ int p_hwirq, err = 0; ++ u16 out_irq; + + out_irq = ti_sci_get_free_resource(intr->out_irqs); + if (out_irq == TI_SCI_RESOURCE_NULL) +-- +2.25.1 + diff --git a/queue-5.9/iwlwifi-dbg-remove-no-filter-condition.patch b/queue-5.9/iwlwifi-dbg-remove-no-filter-condition.patch new file mode 100644 index 00000000000..42f12401dd1 --- /dev/null +++ b/queue-5.9/iwlwifi-dbg-remove-no-filter-condition.patch @@ -0,0 +1,43 @@ +From d475aebec6386e275b8f026f94b3cdc5e56b98a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 16:31:19 +0300 +Subject: iwlwifi: dbg: remove no filter condition + +From: Mordechay Goodstein + +[ Upstream commit bfdb157127dab2a85d4096a68a00ad568c9eb590 ] + +Currently if group-id and command-id values are zero we +trigger and collect every RX frame, +this is not the right behavior and zero value +should be handled like any other filter. + +Signed-off-by: Mordechay Goodstein +Fixes: 3ed34fbf9d3b ("iwlwifi: dbg_ini: support FW response/notification region type") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200930161256.6a0aae2c0507.I7bd72968279d586af420472707d53106b35efc08@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c +index 9ce7207d9ec5b..e575fc09d3fa4 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c +@@ -947,9 +947,8 @@ static bool iwl_dbg_tlv_check_fw_pkt(struct iwl_fw_runtime *fwrt, + struct iwl_rx_packet *pkt = tp_data->fw_pkt; + struct iwl_cmd_header *wanted_hdr = (void *)&trig_data; + +- if (pkt && ((wanted_hdr->cmd == 0 && wanted_hdr->group_id == 0) || +- (pkt->hdr.cmd == wanted_hdr->cmd && +- pkt->hdr.group_id == wanted_hdr->group_id))) { ++ if (pkt && (pkt->hdr.cmd == wanted_hdr->cmd && ++ pkt->hdr.group_id == wanted_hdr->group_id)) { + struct iwl_rx_packet *fw_pkt = + kmemdup(pkt, + sizeof(*pkt) + iwl_rx_packet_payload_len(pkt), +-- +2.25.1 + diff --git a/queue-5.9/iwlwifi-dbg-run-init_cfg-function-once-per-driver-lo.patch b/queue-5.9/iwlwifi-dbg-run-init_cfg-function-once-per-driver-lo.patch new file mode 100644 index 00000000000..b3a0370f828 --- /dev/null +++ b/queue-5.9/iwlwifi-dbg-run-init_cfg-function-once-per-driver-lo.patch @@ -0,0 +1,40 @@ +From a60f495a75b454923ec83f1bd51c000db528c5f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 16:31:21 +0300 +Subject: iwlwifi: dbg: run init_cfg function once per driver load + +From: Mordechay Goodstein + +[ Upstream commit 42f8a2735cc218b6b372134684d4cd3c1423f123 ] + +Every time we call init_cfg driver appends the enabled triggers +to the active triggers while this should be done only once per +driver load. + +Signed-off-by: Mordechay Goodstein +Fixes: 14124b25780d ("iwlwifi: dbg_ini: implement monitor allocation flow") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200930161256.79bd622e604a.Ie0f79d2ea90ca5cdf363f56194ead81b0a2c6202@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c +index e575fc09d3fa4..83caaa3c60a95 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c +@@ -1011,6 +1011,9 @@ static void iwl_dbg_tlv_init_cfg(struct iwl_fw_runtime *fwrt) + enum iwl_fw_ini_buffer_location *ini_dest = &fwrt->trans->dbg.ini_dest; + int ret, i; + ++ if (*ini_dest != IWL_FW_INI_LOCATION_INVALID) ++ return; ++ + IWL_DEBUG_FW(fwrt, + "WRT: Generating active triggers list, domain 0x%x\n", + fwrt->trans->dbg.domains_bitmap); +-- +2.25.1 + diff --git a/queue-5.9/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch b/queue-5.9/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch new file mode 100644 index 00000000000..a4dc9e0b7f9 --- /dev/null +++ b/queue-5.9/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch @@ -0,0 +1,45 @@ +From 566127f843a3664d56bff005bdcb606246468d81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 10:31:20 +0300 +Subject: iwlwifi: mvm: split a print to avoid a WARNING in ROC + +From: Emmanuel Grumbach + +[ Upstream commit 903b3f9badf1d54f77b468b96706dab679b45b14 ] + +A print in the remain on channel code was too long and caused +a WARNING, split it. + +Signed-off-by: Emmanuel Grumbach +Fixes: dc28e12f2125 ("iwlwifi: mvm: ROC: Extend the ROC max delay duration & limit ROC duration") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200930102759.58d57c0bdc68.Ib06008665e7bf1199c360aa92691d9c74fb84990@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 9374c85c5caf9..c918c0887ed01 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -3693,9 +3693,12 @@ static int iwl_mvm_send_aux_roc_cmd(struct iwl_mvm *mvm, + tail->apply_time_max_delay = cpu_to_le32(delay); + + IWL_DEBUG_TE(mvm, +- "ROC: Requesting to remain on channel %u for %ums (requested = %ums, max_delay = %ums, dtim_interval = %ums)\n", +- channel->hw_value, req_dur, duration, delay, +- dtim_interval); ++ "ROC: Requesting to remain on channel %u for %ums\n", ++ channel->hw_value, req_dur); ++ IWL_DEBUG_TE(mvm, ++ "\t(requested = %ums, max_delay = %ums, dtim_interval = %ums)\n", ++ duration, delay, dtim_interval); ++ + /* Set the node address */ + memcpy(tail->node_addr, vif->addr, ETH_ALEN); + +-- +2.25.1 + diff --git a/queue-5.9/kbuild-deb-pkg-do-not-build-linux-headers-package-if.patch b/queue-5.9/kbuild-deb-pkg-do-not-build-linux-headers-package-if.patch new file mode 100644 index 00000000000..086ce5bf075 --- /dev/null +++ b/queue-5.9/kbuild-deb-pkg-do-not-build-linux-headers-package-if.patch @@ -0,0 +1,88 @@ +From dfd79d235871ad4cc266f4edf926b0fb5926d71c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 03:38:19 +0900 +Subject: kbuild: deb-pkg: do not build linux-headers package if + CONFIG_MODULES=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Masahiro Yamada + +[ Upstream commit bac977cbc0d6731fb8e67c2be0e4acbd959e10b3 ] + +Since commit 269a535ca931 ("modpost: generate vmlinux.symvers and +reuse it for the second modpost"), with CONFIG_MODULES disabled, +"make deb-pkg" (or "make bindeb-pkg") fails with: + + find: ‘Module.symvers’: No such file or directory + +If CONFIG_MODULES is disabled, it doesn't really make sense to build +the linux-headers package. + +Fixes: 269a535ca931 ("modpost: generate vmlinux.symvers and reuse it for the second modpost") +Reported-by: Josh Triplett +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/package/builddeb | 6 ++++-- + scripts/package/mkdebian | 19 ++++++++++++------- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/scripts/package/builddeb b/scripts/package/builddeb +index 6df3c9f8b2da6..8277144298a00 100755 +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -202,8 +202,10 @@ EOF + done + + if [ "$ARCH" != "um" ]; then +- deploy_kernel_headers debian/linux-headers +- create_package linux-headers-$version debian/linux-headers ++ if is_enabled CONFIG_MODULES; then ++ deploy_kernel_headers debian/linux-headers ++ create_package linux-headers-$version debian/linux-headers ++ fi + + deploy_libc_headers debian/linux-libc-dev + create_package linux-libc-dev debian/linux-libc-dev +diff --git a/scripts/package/mkdebian b/scripts/package/mkdebian +index 48fbd3d0284a8..ccd46aad1dff6 100755 +--- a/scripts/package/mkdebian ++++ b/scripts/package/mkdebian +@@ -183,13 +183,6 @@ Description: Linux kernel, version $version + This package contains the Linux kernel, modules and corresponding other + files, version: $version. + +-Package: $kernel_headers_packagename +-Architecture: $debarch +-Description: Linux kernel headers for $version on $debarch +- This package provides kernel header files for $version on $debarch +- . +- This is useful for people who need to build external modules +- + Package: linux-libc-dev + Section: devel + Provides: linux-kernel-headers +@@ -200,6 +193,18 @@ Description: Linux support headers for userspace development + Multi-Arch: same + EOF + ++if is_enabled CONFIG_MODULES; then ++cat <> debian/control ++ ++Package: $kernel_headers_packagename ++Architecture: $debarch ++Description: Linux kernel headers for $version on $debarch ++ This package provides kernel header files for $version on $debarch ++ . ++ This is useful for people who need to build external modules ++EOF ++fi ++ + if is_enabled CONFIG_DEBUG_INFO; then + cat <> debian/control + +-- +2.25.1 + diff --git a/queue-5.9/kdb-fix-pager-search-for-multi-line-strings.patch b/queue-5.9/kdb-fix-pager-search-for-multi-line-strings.patch new file mode 100644 index 00000000000..03a7d2408fd --- /dev/null +++ b/queue-5.9/kdb-fix-pager-search-for-multi-line-strings.patch @@ -0,0 +1,55 @@ +From 23d26e70bab25ce96c8e64749c70fec743708214 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 15:17:08 +0100 +Subject: kdb: Fix pager search for multi-line strings + +From: Daniel Thompson + +[ Upstream commit d081a6e353168f15e63eb9e9334757f20343319f ] + +Currently using forward search doesn't handle multi-line strings correctly. +The search routine replaces line breaks with \0 during the search and, for +regular searches ("help | grep Common\n"), there is code after the line +has been discarded or printed to replace the break character. + +However during a pager search ("help\n" followed by "/Common\n") when the +string is matched we will immediately return to normal output and the code +that should restore the \n becomes unreachable. Fix this by restoring the +replaced character when we disable the search mode and update the comment +accordingly. + +Fixes: fb6daa7520f9d ("kdb: Provide forward search at more prompt") +Link: https://lore.kernel.org/r/20200909141708.338273-1-daniel.thompson@linaro.org +Reviewed-by: Douglas Anderson +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_io.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c +index 9d847ab851dbe..e240c97086e20 100644 +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -706,12 +706,16 @@ int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap) + size_avail = sizeof(kdb_buffer) - len; + goto kdb_print_out; + } +- if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) ++ if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) { + /* + * This was a interactive search (using '/' at more +- * prompt) and it has completed. Clear the flag. ++ * prompt) and it has completed. Replace the \0 with ++ * its original value to ensure multi-line strings ++ * are handled properly, and return to normal mode. + */ ++ *cphold = replaced_byte; + kdb_grepping_flag = 0; ++ } + /* + * at this point the string is a full line and + * should be printed, up to the null. +-- +2.25.1 + diff --git a/queue-5.9/kvm-ioapic-break-infinite-recursion-on-lazy-eoi.patch b/queue-5.9/kvm-ioapic-break-infinite-recursion-on-lazy-eoi.patch new file mode 100644 index 00000000000..9bcf29cac4a --- /dev/null +++ b/queue-5.9/kvm-ioapic-break-infinite-recursion-on-lazy-eoi.patch @@ -0,0 +1,72 @@ +From f2b548813723bb3563317ad181073caca21dc8f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Oct 2020 04:13:24 -0400 +Subject: KVM: ioapic: break infinite recursion on lazy EOI + +From: Vitaly Kuznetsov + +[ Upstream commit 77377064c3a94911339f13ce113b3abf265e06da ] + +During shutdown the IOAPIC trigger mode is reset to edge triggered +while the vfio-pci INTx is still registered with a resampler. +This allows us to get into an infinite loop: + +ioapic_set_irq + -> ioapic_lazy_update_eoi + -> kvm_ioapic_update_eoi_one + -> kvm_notify_acked_irq + -> kvm_notify_acked_gsi + -> (via irq_acked fn ptr) irqfd_resampler_ack + -> kvm_set_irq + -> (via set fn ptr) kvm_set_ioapic_irq + -> kvm_ioapic_set_irq + -> ioapic_set_irq + +Commit 8be8f932e3db ("kvm: ioapic: Restrict lazy EOI update to +edge-triggered interrupts", 2020-05-04) acknowledges that this recursion +loop exists and tries to avoid it at the call to ioapic_lazy_update_eoi, +but at this point the scenario is already set, we have an edge interrupt +with resampler on the same gsi. + +Fortunately, the only user of irq ack notifiers (in addition to resamplefd) +is i8254 timer interrupt reinjection. These are edge-triggered, so in +principle they would need the call to kvm_ioapic_update_eoi_one from +ioapic_lazy_update_eoi, but they already disable AVIC(*), so they don't +need the lazy EOI behavior. Therefore, remove the call to +kvm_ioapic_update_eoi_one from ioapic_lazy_update_eoi. + +This fixes CVE-2020-27152. Note that this issue cannot happen with +SR-IOV assigned devices because virtual functions do not have INTx, +only MSI. + +Fixes: f458d039db7e ("kvm: ioapic: Lazy update IOAPIC EOI") +Suggested-by: Paolo Bonzini +Tested-by: Alex Williamson +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/ioapic.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index d057376bd3d33..698969e18fe35 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -197,12 +197,9 @@ static void ioapic_lazy_update_eoi(struct kvm_ioapic *ioapic, int irq) + + /* + * If no longer has pending EOI in LAPICs, update +- * EOI for this vetor. ++ * EOI for this vector. + */ + rtc_irq_eoi(ioapic, vcpu, entry->fields.vector); +- kvm_ioapic_update_eoi_one(vcpu, ioapic, +- entry->fields.trig_mode, +- irq); + break; + } + } +-- +2.25.1 + diff --git a/queue-5.9/kvm-nsvm-cr3-mbz-bits-are-only-63-52.patch b/queue-5.9/kvm-nsvm-cr3-mbz-bits-are-only-63-52.patch new file mode 100644 index 00000000000..828249bc518 --- /dev/null +++ b/queue-5.9/kvm-nsvm-cr3-mbz-bits-are-only-63-52.patch @@ -0,0 +1,51 @@ +From ffd59ebd0c8aaa56ebe4ea1ec303cf20d9176842 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 00:48:22 +0000 +Subject: KVM: nSVM: CR3 MBZ bits are only 63:52 + +From: Krish Sadhukhan + +[ Upstream commit fb0f33fdefe9f473dc5f7b71345096c8d60ab9dd ] + +Commit 761e4169346553c180bbd4a383aedd72f905bc9a created a wrong mask for the +CR3 MBZ bits. According to APM vol 2, only the upper 12 bits are MBZ. + +Fixes: 761e41693465 ("KVM: nSVM: Check that MBZ bits in CR3 and CR4 are not set on vmrun of nested guests", 2020-07-08) +Signed-off-by: Krish Sadhukhan +Message-Id: <20200829004824.4577-2-krish.sadhukhan@oracle.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm/nested.c | 2 +- + arch/x86/kvm/svm/svm.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c +index e90bc436f5849..27042c9ea40d6 100644 +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -243,7 +243,7 @@ static bool nested_vmcb_checks(struct vcpu_svm *svm, struct vmcb *vmcb) + } else { + if (!(vmcb->save.cr4 & X86_CR4_PAE) || + !(vmcb->save.cr0 & X86_CR0_PE) || +- (vmcb->save.cr3 & MSR_CR3_LONG_RESERVED_MASK)) ++ (vmcb->save.cr3 & MSR_CR3_LONG_MBZ_MASK)) + return false; + } + if (kvm_valid_cr4(&svm->vcpu, vmcb->save.cr4)) +diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h +index a798e17317094..c0d75b1e06645 100644 +--- a/arch/x86/kvm/svm/svm.h ++++ b/arch/x86/kvm/svm/svm.h +@@ -345,7 +345,7 @@ static inline bool gif_set(struct vcpu_svm *svm) + /* svm.c */ + #define MSR_CR3_LEGACY_RESERVED_MASK 0xfe7U + #define MSR_CR3_LEGACY_PAE_RESERVED_MASK 0x7U +-#define MSR_CR3_LONG_RESERVED_MASK 0xfff0000000000fe7U ++#define MSR_CR3_LONG_MBZ_MASK 0xfff0000000000000U + #define MSR_INVALID 0xffffffffU + + u32 svm_msrpm_offset(u32 msr); +-- +2.25.1 + diff --git a/queue-5.9/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch b/queue-5.9/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch new file mode 100644 index 00000000000..2c4494cceb5 --- /dev/null +++ b/queue-5.9/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch @@ -0,0 +1,39 @@ +From 67428a005dde22508783e0756569f356567bc9e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 10:23:42 +0800 +Subject: KVM: x86: emulating RDPID failure shall return #UD rather than #GP + +From: Robert Hoo + +[ Upstream commit a9e2e0ae686094571378c72d8146b5a1a92d0652 ] + +Per Intel's SDM, RDPID takes a #UD if it is unsupported, which is more or +less what KVM is emulating when MSR_TSC_AUX is not available. In fact, +there are no scenarios in which RDPID is supposed to #GP. + +Fixes: fb6d4d340e ("KVM: x86: emulate RDPID") +Signed-off-by: Robert Hoo +Message-Id: <1598581422-76264-1-git-send-email-robert.hu@linux.intel.com> +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 2f6510de6b0c0..85111cd0adcd0 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -3606,7 +3606,7 @@ static int em_rdpid(struct x86_emulate_ctxt *ctxt) + u64 tsc_aux = 0; + + if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux)) +- return emulate_gp(ctxt, 0); ++ return emulate_ud(ctxt); + ctxt->dst.val = tsc_aux; + return X86EMUL_CONTINUE; + } +-- +2.25.1 + diff --git a/queue-5.9/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch b/queue-5.9/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch new file mode 100644 index 00000000000..82637fa1bda --- /dev/null +++ b/queue-5.9/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch @@ -0,0 +1,45 @@ +From 3794b9d9f1c14250a9d3394625a897ee5e693bfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:11:38 -0700 +Subject: lib/crc32.c: fix trivial typo in preprocessor condition + +From: Tobias Jordan + +[ Upstream commit 904542dc56524f921a6bab0639ff6249c01e775f ] + +Whether crc32_be needs a lookup table is chosen based on CRC_LE_BITS. +Obviously, the _be function should be governed by the _BE_ define. + +This probably never pops up as it's hard to come up with a configuration +where CRC_BE_BITS isn't the same as CRC_LE_BITS and as nobody is using +bitwise CRC anyway. + +Fixes: 46c5801eaf86 ("crc32: bolt on crc32c") +Signed-off-by: Tobias Jordan +Signed-off-by: Andrew Morton +Cc: Krzysztof Kozlowski +Cc: Jonathan Corbet +Cc: Mauro Carvalho Chehab +Link: https://lkml.kernel.org/r/20200923182122.GA3338@agrajag.zerfleddert.de +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/crc32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/crc32.c b/lib/crc32.c +index 35a03d03f9738..2a68dfd3b96c8 100644 +--- a/lib/crc32.c ++++ b/lib/crc32.c +@@ -331,7 +331,7 @@ static inline u32 __pure crc32_be_generic(u32 crc, unsigned char const *p, + return crc; + } + +-#if CRC_LE_BITS == 1 ++#if CRC_BE_BITS == 1 + u32 __pure crc32_be(u32 crc, unsigned char const *p, size_t len) + { + return crc32_be_generic(crc, p, len, NULL, CRC32_POLY_BE); +-- +2.25.1 + diff --git a/queue-5.9/libbpf-close-map-fd-if-init-map-slots-failed.patch b/queue-5.9/libbpf-close-map-fd-if-init-map-slots-failed.patch new file mode 100644 index 00000000000..0be6088d82b --- /dev/null +++ b/queue-5.9/libbpf-close-map-fd-if-init-map-slots-failed.patch @@ -0,0 +1,102 @@ +From db1bf3b351e46faa78eb379632f8e845c16ccf65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 10:13:43 +0800 +Subject: libbpf: Close map fd if init map slots failed + +From: Hangbin Liu + +[ Upstream commit a0f2b7acb4b1d29127ff99c714233b973afd1411 ] + +Previously we forgot to close the map fd if bpf_map_update_elem() +failed during map slot init, which will leak map fd. + +Let's move map slot initialization to new function init_map_slots() to +simplify the code. And close the map fd if init slot failed. + +Reported-by: Andrii Nakryiko +Signed-off-by: Hangbin Liu +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20201006021345.3817033-2-liuhangbin@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 55 ++++++++++++++++++++++++++---------------- + 1 file changed, 34 insertions(+), 21 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 8b71a31ca4a97..edd6f7b7d9b82 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -3841,6 +3841,36 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map) + return 0; + } + ++static int init_map_slots(struct bpf_map *map) ++{ ++ const struct bpf_map *targ_map; ++ unsigned int i; ++ int fd, err; ++ ++ for (i = 0; i < map->init_slots_sz; i++) { ++ if (!map->init_slots[i]) ++ continue; ++ ++ targ_map = map->init_slots[i]; ++ fd = bpf_map__fd(targ_map); ++ err = bpf_map_update_elem(map->fd, &i, &fd, 0); ++ if (err) { ++ err = -errno; ++ pr_warn("map '%s': failed to initialize slot [%d] to map '%s' fd=%d: %d\n", ++ map->name, i, targ_map->name, ++ fd, err); ++ return err; ++ } ++ pr_debug("map '%s': slot [%d] set to map '%s' fd=%d\n", ++ map->name, i, targ_map->name, fd); ++ } ++ ++ zfree(&map->init_slots); ++ map->init_slots_sz = 0; ++ ++ return 0; ++} ++ + static int + bpf_object__create_maps(struct bpf_object *obj) + { +@@ -3883,28 +3913,11 @@ bpf_object__create_maps(struct bpf_object *obj) + } + + if (map->init_slots_sz) { +- for (j = 0; j < map->init_slots_sz; j++) { +- const struct bpf_map *targ_map; +- int fd; +- +- if (!map->init_slots[j]) +- continue; +- +- targ_map = map->init_slots[j]; +- fd = bpf_map__fd(targ_map); +- err = bpf_map_update_elem(map->fd, &j, &fd, 0); +- if (err) { +- err = -errno; +- pr_warn("map '%s': failed to initialize slot [%d] to map '%s' fd=%d: %d\n", +- map->name, j, targ_map->name, +- fd, err); +- goto err_out; +- } +- pr_debug("map '%s': slot [%d] set to map '%s' fd=%d\n", +- map->name, j, targ_map->name, fd); ++ err = init_map_slots(map); ++ if (err < 0) { ++ zclose(map->fd); ++ goto err_out; + } +- zfree(&map->init_slots); +- map->init_slots_sz = 0; + } + + if (map->pin_path && !map->pinned) { +-- +2.25.1 + diff --git a/queue-5.9/libbpf-fix-unintentional-success-return-code-in-bpf_.patch b/queue-5.9/libbpf-fix-unintentional-success-return-code-in-bpf_.patch new file mode 100644 index 00000000000..175e22d0add --- /dev/null +++ b/queue-5.9/libbpf-fix-unintentional-success-return-code-in-bpf_.patch @@ -0,0 +1,40 @@ +From 59447084a981b34fbf05a65fca3ef41f8a0c9b60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 00:55:49 -0700 +Subject: libbpf: Fix unintentional success return code in bpf_object__load + +From: Alex Gartrell + +[ Upstream commit ef05afa66c59c2031a3798916ef3ff3778232129 ] + +There are code paths where EINVAL is returned directly without setting +errno. In that case, errno could be 0, which would mask the +failure. For example, if a careless programmer set log_level to 10000 +out of laziness, they would have to spend a long time trying to figure +out why. + +Fixes: 4f33ddb4e3e2 ("libbpf: Propagate EPERM to caller on program load") +Signed-off-by: Alex Gartrell +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200826075549.1858580-1-alexgartrell@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index e493d6048143f..8b71a31ca4a97 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -5425,7 +5425,7 @@ load_program(struct bpf_program *prog, struct bpf_insn *insns, int insns_cnt, + free(log_buf); + goto retry_load; + } +- ret = -errno; ++ ret = errno ? -errno : -LIBBPF_ERRNO__LOAD; + cp = libbpf_strerror_r(errno, errmsg, sizeof(errmsg)); + pr_warn("load bpf program failed: %s\n", cp); + pr_perm_msg(ret); +-- +2.25.1 + diff --git a/queue-5.9/lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch b/queue-5.9/lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch new file mode 100644 index 00000000000..c82e25af24f --- /dev/null +++ b/queue-5.9/lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch @@ -0,0 +1,42 @@ +From 2a9763de49d29a1460088fc3250163406a4d0b42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 15:33:51 +0100 +Subject: lightnvm: fix out-of-bounds write to array devices->info[] + +From: Colin Ian King + +[ Upstream commit a48faebe65b0db55a73b9220c3d919eee849bb79 ] + +There is an off-by-one array check that can lead to a out-of-bounds +write to devices->info[i]. Fix this by checking by using >= rather +than > for the size check. Also replace hard-coded array size limit +with ARRAY_SIZE on the array. + +Addresses-Coverity: ("Out-of-bounds write") +Fixes: cd9e9808d18f ("lightnvm: Support for Open-Channel SSDs") +Signed-off-by: Colin Ian King +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/lightnvm/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c +index fe78bf0fdce54..c1bcac71008c6 100644 +--- a/drivers/lightnvm/core.c ++++ b/drivers/lightnvm/core.c +@@ -1311,8 +1311,9 @@ static long nvm_ioctl_get_devices(struct file *file, void __user *arg) + strlcpy(info->bmname, "gennvm", sizeof(info->bmname)); + i++; + +- if (i > 31) { +- pr_err("max 31 devices can be reported.\n"); ++ if (i >= ARRAY_SIZE(devices->info)) { ++ pr_err("max %zd devices can be reported.\n", ++ ARRAY_SIZE(devices->info)); + break; + } + } +-- +2.25.1 + diff --git a/queue-5.9/lockdep-fix-lockdep-recursion.patch b/queue-5.9/lockdep-fix-lockdep-recursion.patch new file mode 100644 index 00000000000..33ef6caefc9 --- /dev/null +++ b/queue-5.9/lockdep-fix-lockdep-recursion.patch @@ -0,0 +1,397 @@ +From 1ef1b251048a1634ab684bbecfddb32f0127fd83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 11:04:21 +0200 +Subject: lockdep: Fix lockdep recursion + +From: Peter Zijlstra + +[ Upstream commit 4d004099a668c41522242aa146a38cc4eb59cb1e ] + +Steve reported that lockdep_assert*irq*(), when nested inside lockdep +itself, will trigger a false-positive. + +One example is the stack-trace code, as called from inside lockdep, +triggering tracing, which in turn calls RCU, which then uses +lockdep_assert_irqs_disabled(). + +Fixes: a21ee6055c30 ("lockdep: Change hardirq{s_enabled,_context} to per-cpu variables") +Reported-by: Steven Rostedt +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + include/linux/lockdep.h | 13 ++++-- + kernel/locking/lockdep.c | 99 ++++++++++++++++++++++++---------------- + 2 files changed, 67 insertions(+), 45 deletions(-) + +diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h +index 6a584b3e5c74f..b1227be47496c 100644 +--- a/include/linux/lockdep.h ++++ b/include/linux/lockdep.h +@@ -534,6 +534,7 @@ do { \ + + DECLARE_PER_CPU(int, hardirqs_enabled); + DECLARE_PER_CPU(int, hardirq_context); ++DECLARE_PER_CPU(unsigned int, lockdep_recursion); + + /* + * The below lockdep_assert_*() macros use raw_cpu_read() to access the above +@@ -543,25 +544,27 @@ DECLARE_PER_CPU(int, hardirq_context); + * read the value from our previous CPU. + */ + ++#define __lockdep_enabled (debug_locks && !raw_cpu_read(lockdep_recursion)) ++ + #define lockdep_assert_irqs_enabled() \ + do { \ +- WARN_ON_ONCE(debug_locks && !raw_cpu_read(hardirqs_enabled)); \ ++ WARN_ON_ONCE(__lockdep_enabled && !raw_cpu_read(hardirqs_enabled)); \ + } while (0) + + #define lockdep_assert_irqs_disabled() \ + do { \ +- WARN_ON_ONCE(debug_locks && raw_cpu_read(hardirqs_enabled)); \ ++ WARN_ON_ONCE(__lockdep_enabled && raw_cpu_read(hardirqs_enabled)); \ + } while (0) + + #define lockdep_assert_in_irq() \ + do { \ +- WARN_ON_ONCE(debug_locks && !raw_cpu_read(hardirq_context)); \ ++ WARN_ON_ONCE(__lockdep_enabled && !raw_cpu_read(hardirq_context)); \ + } while (0) + + #define lockdep_assert_preemption_enabled() \ + do { \ + WARN_ON_ONCE(IS_ENABLED(CONFIG_PREEMPT_COUNT) && \ +- debug_locks && \ ++ __lockdep_enabled && \ + (preempt_count() != 0 || \ + !raw_cpu_read(hardirqs_enabled))); \ + } while (0) +@@ -569,7 +572,7 @@ do { \ + #define lockdep_assert_preemption_disabled() \ + do { \ + WARN_ON_ONCE(IS_ENABLED(CONFIG_PREEMPT_COUNT) && \ +- debug_locks && \ ++ __lockdep_enabled && \ + (preempt_count() == 0 && \ + raw_cpu_read(hardirqs_enabled))); \ + } while (0) +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index a430fbb01eb16..85d15f0362dc5 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -76,6 +76,23 @@ module_param(lock_stat, int, 0644); + #define lock_stat 0 + #endif + ++DEFINE_PER_CPU(unsigned int, lockdep_recursion); ++EXPORT_PER_CPU_SYMBOL_GPL(lockdep_recursion); ++ ++static inline bool lockdep_enabled(void) ++{ ++ if (!debug_locks) ++ return false; ++ ++ if (raw_cpu_read(lockdep_recursion)) ++ return false; ++ ++ if (current->lockdep_recursion) ++ return false; ++ ++ return true; ++} ++ + /* + * lockdep_lock: protects the lockdep graph, the hashes and the + * class/list/hash allocators. +@@ -93,7 +110,7 @@ static inline void lockdep_lock(void) + + arch_spin_lock(&__lock); + __owner = current; +- current->lockdep_recursion++; ++ __this_cpu_inc(lockdep_recursion); + } + + static inline void lockdep_unlock(void) +@@ -101,7 +118,7 @@ static inline void lockdep_unlock(void) + if (debug_locks && DEBUG_LOCKS_WARN_ON(__owner != current)) + return; + +- current->lockdep_recursion--; ++ __this_cpu_dec(lockdep_recursion); + __owner = NULL; + arch_spin_unlock(&__lock); + } +@@ -393,10 +410,15 @@ void lockdep_init_task(struct task_struct *task) + task->lockdep_recursion = 0; + } + ++static __always_inline void lockdep_recursion_inc(void) ++{ ++ __this_cpu_inc(lockdep_recursion); ++} ++ + static __always_inline void lockdep_recursion_finish(void) + { +- if (WARN_ON_ONCE((--current->lockdep_recursion) & LOCKDEP_RECURSION_MASK)) +- current->lockdep_recursion = 0; ++ if (WARN_ON_ONCE(__this_cpu_dec_return(lockdep_recursion))) ++ __this_cpu_write(lockdep_recursion, 0); + } + + void lockdep_set_selftest_task(struct task_struct *task) +@@ -3659,7 +3681,7 @@ void lockdep_hardirqs_on_prepare(unsigned long ip) + if (unlikely(in_nmi())) + return; + +- if (unlikely(current->lockdep_recursion & LOCKDEP_RECURSION_MASK)) ++ if (unlikely(__this_cpu_read(lockdep_recursion))) + return; + + if (unlikely(lockdep_hardirqs_enabled())) { +@@ -3695,7 +3717,7 @@ void lockdep_hardirqs_on_prepare(unsigned long ip) + + current->hardirq_chain_key = current->curr_chain_key; + +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + __trace_hardirqs_on_caller(); + lockdep_recursion_finish(); + } +@@ -3728,7 +3750,7 @@ void noinstr lockdep_hardirqs_on(unsigned long ip) + goto skip_checks; + } + +- if (unlikely(current->lockdep_recursion & LOCKDEP_RECURSION_MASK)) ++ if (unlikely(__this_cpu_read(lockdep_recursion))) + return; + + if (lockdep_hardirqs_enabled()) { +@@ -3781,7 +3803,7 @@ void noinstr lockdep_hardirqs_off(unsigned long ip) + if (in_nmi()) { + if (!IS_ENABLED(CONFIG_TRACE_IRQFLAGS_NMI)) + return; +- } else if (current->lockdep_recursion & LOCKDEP_RECURSION_MASK) ++ } else if (__this_cpu_read(lockdep_recursion)) + return; + + /* +@@ -3814,7 +3836,7 @@ void lockdep_softirqs_on(unsigned long ip) + { + struct irqtrace_events *trace = ¤t->irqtrace; + +- if (unlikely(!debug_locks || current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return; + + /* +@@ -3829,7 +3851,7 @@ void lockdep_softirqs_on(unsigned long ip) + return; + } + +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + /* + * We'll do an OFF -> ON transition: + */ +@@ -3852,7 +3874,7 @@ void lockdep_softirqs_on(unsigned long ip) + */ + void lockdep_softirqs_off(unsigned long ip) + { +- if (unlikely(!debug_locks || current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return; + + /* +@@ -4233,11 +4255,11 @@ void lockdep_init_map_waits(struct lockdep_map *lock, const char *name, + if (subclass) { + unsigned long flags; + +- if (DEBUG_LOCKS_WARN_ON(current->lockdep_recursion)) ++ if (DEBUG_LOCKS_WARN_ON(!lockdep_enabled())) + return; + + raw_local_irq_save(flags); +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + register_lock_class(lock, subclass, 1); + lockdep_recursion_finish(); + raw_local_irq_restore(flags); +@@ -4920,11 +4942,11 @@ void lock_set_class(struct lockdep_map *lock, const char *name, + { + unsigned long flags; + +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return; + + raw_local_irq_save(flags); +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + check_flags(flags); + if (__lock_set_class(lock, name, key, subclass, ip)) + check_chain_key(current); +@@ -4937,11 +4959,11 @@ void lock_downgrade(struct lockdep_map *lock, unsigned long ip) + { + unsigned long flags; + +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return; + + raw_local_irq_save(flags); +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + check_flags(flags); + if (__lock_downgrade(lock, ip)) + check_chain_key(current); +@@ -4979,7 +5001,7 @@ static void verify_lock_unused(struct lockdep_map *lock, struct held_lock *hlock + + static bool lockdep_nmi(void) + { +- if (current->lockdep_recursion & LOCKDEP_RECURSION_MASK) ++ if (raw_cpu_read(lockdep_recursion)) + return false; + + if (!in_nmi()) +@@ -5000,7 +5022,10 @@ void lock_acquire(struct lockdep_map *lock, unsigned int subclass, + + trace_lock_acquire(lock, subclass, trylock, read, check, nest_lock, ip); + +- if (unlikely(current->lockdep_recursion)) { ++ if (!debug_locks) ++ return; ++ ++ if (unlikely(!lockdep_enabled())) { + /* XXX allow trylock from NMI ?!? */ + if (lockdep_nmi() && !trylock) { + struct held_lock hlock; +@@ -5023,7 +5048,7 @@ void lock_acquire(struct lockdep_map *lock, unsigned int subclass, + raw_local_irq_save(flags); + check_flags(flags); + +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + __lock_acquire(lock, subclass, trylock, read, check, + irqs_disabled_flags(flags), nest_lock, ip, 0, 0); + lockdep_recursion_finish(); +@@ -5037,13 +5062,13 @@ void lock_release(struct lockdep_map *lock, unsigned long ip) + + trace_lock_release(lock, ip); + +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return; + + raw_local_irq_save(flags); + check_flags(flags); + +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + if (__lock_release(lock, ip)) + check_chain_key(current); + lockdep_recursion_finish(); +@@ -5056,13 +5081,13 @@ noinstr int lock_is_held_type(const struct lockdep_map *lock, int read) + unsigned long flags; + int ret = 0; + +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return 1; /* avoid false negative lockdep_assert_held() */ + + raw_local_irq_save(flags); + check_flags(flags); + +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + ret = __lock_is_held(lock, read); + lockdep_recursion_finish(); + raw_local_irq_restore(flags); +@@ -5077,13 +5102,13 @@ struct pin_cookie lock_pin_lock(struct lockdep_map *lock) + struct pin_cookie cookie = NIL_COOKIE; + unsigned long flags; + +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return cookie; + + raw_local_irq_save(flags); + check_flags(flags); + +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + cookie = __lock_pin_lock(lock); + lockdep_recursion_finish(); + raw_local_irq_restore(flags); +@@ -5096,13 +5121,13 @@ void lock_repin_lock(struct lockdep_map *lock, struct pin_cookie cookie) + { + unsigned long flags; + +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return; + + raw_local_irq_save(flags); + check_flags(flags); + +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + __lock_repin_lock(lock, cookie); + lockdep_recursion_finish(); + raw_local_irq_restore(flags); +@@ -5113,13 +5138,13 @@ void lock_unpin_lock(struct lockdep_map *lock, struct pin_cookie cookie) + { + unsigned long flags; + +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lockdep_enabled())) + return; + + raw_local_irq_save(flags); + check_flags(flags); + +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + __lock_unpin_lock(lock, cookie); + lockdep_recursion_finish(); + raw_local_irq_restore(flags); +@@ -5249,15 +5274,12 @@ void lock_contended(struct lockdep_map *lock, unsigned long ip) + + trace_lock_acquired(lock, ip); + +- if (unlikely(!lock_stat || !debug_locks)) +- return; +- +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lock_stat || !lockdep_enabled())) + return; + + raw_local_irq_save(flags); + check_flags(flags); +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + __lock_contended(lock, ip); + lockdep_recursion_finish(); + raw_local_irq_restore(flags); +@@ -5270,15 +5292,12 @@ void lock_acquired(struct lockdep_map *lock, unsigned long ip) + + trace_lock_contended(lock, ip); + +- if (unlikely(!lock_stat || !debug_locks)) +- return; +- +- if (unlikely(current->lockdep_recursion)) ++ if (unlikely(!lock_stat || !lockdep_enabled())) + return; + + raw_local_irq_save(flags); + check_flags(flags); +- current->lockdep_recursion++; ++ lockdep_recursion_inc(); + __lock_acquired(lock, ip); + lockdep_recursion_finish(); + raw_local_irq_restore(flags); +-- +2.25.1 + diff --git a/queue-5.9/lockdep-fix-usage_traceoverflow.patch b/queue-5.9/lockdep-fix-usage_traceoverflow.patch new file mode 100644 index 00000000000..f3836f7ecbe --- /dev/null +++ b/queue-5.9/lockdep-fix-usage_traceoverflow.patch @@ -0,0 +1,158 @@ +From c6581132f806012933992fc8a6bc457c91de2092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 11:49:37 +0200 +Subject: lockdep: Fix usage_traceoverflow + +From: Peter Zijlstra + +[ Upstream commit 2bb8945bcc1a768f2bc402a16c9610bba8d5187d ] + +Basically print_lock_class_header()'s for loop is out of sync with the +the size of of ->usage_traces[]. + +Also clean things up a bit while at it, to avoid such mishaps in the future. + +Fixes: 23870f122768 ("locking/lockdep: Fix "USED" <- "IN-NMI" inversions") +Reported-by: Qian Cai +Debugged-by: Boqun Feng +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Tested-by: Qian Cai +Link: https://lkml.kernel.org/r/20200930094937.GE2651@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + include/linux/lockdep_types.h | 8 ++++++-- + kernel/locking/lockdep.c | 32 ++++++++++++++---------------- + kernel/locking/lockdep_internals.h | 7 +++++-- + 3 files changed, 26 insertions(+), 21 deletions(-) + +diff --git a/include/linux/lockdep_types.h b/include/linux/lockdep_types.h +index bb35b449f5330..9a1fd49df17f6 100644 +--- a/include/linux/lockdep_types.h ++++ b/include/linux/lockdep_types.h +@@ -35,8 +35,12 @@ enum lockdep_wait_type { + /* + * We'd rather not expose kernel/lockdep_states.h this wide, but we do need + * the total number of states... :-( ++ * ++ * XXX_LOCK_USAGE_STATES is the number of lines in lockdep_states.h, for each ++ * of those we generates 4 states, Additionally we report on USED and USED_READ. + */ +-#define XXX_LOCK_USAGE_STATES (1+2*4) ++#define XXX_LOCK_USAGE_STATES 2 ++#define LOCK_TRACE_STATES (XXX_LOCK_USAGE_STATES*4 + 2) + + /* + * NR_LOCKDEP_CACHING_CLASSES ... Number of classes +@@ -106,7 +110,7 @@ struct lock_class { + * IRQ/softirq usage tracking bits: + */ + unsigned long usage_mask; +- const struct lock_trace *usage_traces[XXX_LOCK_USAGE_STATES]; ++ const struct lock_trace *usage_traces[LOCK_TRACE_STATES]; + + /* + * Generation counter, when doing certain classes of graph walking, +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 2facbbd146ec2..a430fbb01eb16 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -585,6 +585,8 @@ static const char *usage_str[] = + #include "lockdep_states.h" + #undef LOCKDEP_STATE + [LOCK_USED] = "INITIAL USE", ++ [LOCK_USED_READ] = "INITIAL READ USE", ++ /* abused as string storage for verify_lock_unused() */ + [LOCK_USAGE_STATES] = "IN-NMI", + }; + #endif +@@ -1939,7 +1941,7 @@ static void print_lock_class_header(struct lock_class *class, int depth) + #endif + printk(KERN_CONT " {\n"); + +- for (bit = 0; bit < LOCK_USAGE_STATES; bit++) { ++ for (bit = 0; bit < LOCK_TRACE_STATES; bit++) { + if (class->usage_mask & (1 << bit)) { + int len = depth; + +@@ -3969,7 +3971,7 @@ static int separate_irq_context(struct task_struct *curr, + static int mark_lock(struct task_struct *curr, struct held_lock *this, + enum lock_usage_bit new_bit) + { +- unsigned int old_mask, new_mask, ret = 1; ++ unsigned int new_mask, ret = 1; + + if (new_bit >= LOCK_USAGE_STATES) { + DEBUG_LOCKS_WARN_ON(1); +@@ -3996,30 +3998,26 @@ static int mark_lock(struct task_struct *curr, struct held_lock *this, + if (unlikely(hlock_class(this)->usage_mask & new_mask)) + goto unlock; + +- old_mask = hlock_class(this)->usage_mask; + hlock_class(this)->usage_mask |= new_mask; + +- /* +- * Save one usage_traces[] entry and map both LOCK_USED and +- * LOCK_USED_READ onto the same entry. +- */ +- if (new_bit == LOCK_USED || new_bit == LOCK_USED_READ) { +- if (old_mask & (LOCKF_USED | LOCKF_USED_READ)) +- goto unlock; +- new_bit = LOCK_USED; ++ if (new_bit < LOCK_TRACE_STATES) { ++ if (!(hlock_class(this)->usage_traces[new_bit] = save_trace())) ++ return 0; + } + +- if (!(hlock_class(this)->usage_traces[new_bit] = save_trace())) +- return 0; +- + switch (new_bit) { ++ case 0 ... LOCK_USED-1: ++ ret = mark_lock_irq(curr, this, new_bit); ++ if (!ret) ++ return 0; ++ break; ++ + case LOCK_USED: + debug_atomic_dec(nr_unused_locks); + break; ++ + default: +- ret = mark_lock_irq(curr, this, new_bit); +- if (!ret) +- return 0; ++ break; + } + + unlock: +diff --git a/kernel/locking/lockdep_internals.h b/kernel/locking/lockdep_internals.h +index b0be1560ed17a..de49f9e1c11ba 100644 +--- a/kernel/locking/lockdep_internals.h ++++ b/kernel/locking/lockdep_internals.h +@@ -20,9 +20,12 @@ enum lock_usage_bit { + #undef LOCKDEP_STATE + LOCK_USED, + LOCK_USED_READ, +- LOCK_USAGE_STATES ++ LOCK_USAGE_STATES, + }; + ++/* states after LOCK_USED_READ are not traced and printed */ ++static_assert(LOCK_TRACE_STATES == LOCK_USAGE_STATES); ++ + #define LOCK_USAGE_READ_MASK 1 + #define LOCK_USAGE_DIR_MASK 2 + #define LOCK_USAGE_STATE_MASK (~(LOCK_USAGE_READ_MASK | LOCK_USAGE_DIR_MASK)) +@@ -121,7 +124,7 @@ static const unsigned long LOCKF_USED_IN_IRQ_READ = + extern struct list_head all_lock_classes; + extern struct lock_chain lock_chains[]; + +-#define LOCK_USAGE_CHARS (1+LOCK_USAGE_STATES/2) ++#define LOCK_USAGE_CHARS (2*XXX_LOCK_USAGE_STATES + 1) + + extern void get_usage_chars(struct lock_class *class, + char usage[LOCK_USAGE_CHARS]); +-- +2.25.1 + diff --git a/queue-5.9/lockdep-revert-lockdep-use-raw_cpu_-for-per-cpu-vari.patch b/queue-5.9/lockdep-revert-lockdep-use-raw_cpu_-for-per-cpu-vari.patch new file mode 100644 index 00000000000..99f5cbb3450 --- /dev/null +++ b/queue-5.9/lockdep-revert-lockdep-use-raw_cpu_-for-per-cpu-vari.patch @@ -0,0 +1,118 @@ +From 792459e86f7caace60dd5f095017f5683b57e4f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 09:56:57 +0200 +Subject: lockdep: Revert "lockdep: Use raw_cpu_*() for per-cpu variables" + +From: Peter Zijlstra + +[ Upstream commit baffd723e44dc3d7f84f0b8f1fe1ece00ddd2710 ] + +The thinking in commit: + + fddf9055a60d ("lockdep: Use raw_cpu_*() for per-cpu variables") + +is flawed. While it is true that when we're migratable both CPUs will +have a 0 value, it doesn't hold that when we do get migrated in the +middle of a raw_cpu_op(), the old CPU will still have 0 by the time we +get around to reading it on the new CPU. + +Luckily, the reason for that commit (s390 using preempt_disable() +instead of preempt_disable_notrace() in their percpu code), has since +been fixed by commit: + + 1196f12a2c96 ("s390: don't trace preemption in percpu macros") + +An audit of arch/*/include/asm/percpu*.h shows there are no other +architectures affected by this particular issue. + +Fixes: fddf9055a60d ("lockdep: Use raw_cpu_*() for per-cpu variables") +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Link: https://lkml.kernel.org/r/20201005095958.GJ2651@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + include/linux/lockdep.h | 26 +++++++++----------------- + 1 file changed, 9 insertions(+), 17 deletions(-) + +diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h +index b1227be47496c..1130f271de669 100644 +--- a/include/linux/lockdep.h ++++ b/include/linux/lockdep.h +@@ -512,19 +512,19 @@ static inline void print_irqtrace_events(struct task_struct *curr) + #define lock_map_release(l) lock_release(l, _THIS_IP_) + + #ifdef CONFIG_PROVE_LOCKING +-# define might_lock(lock) \ ++# define might_lock(lock) \ + do { \ + typecheck(struct lockdep_map *, &(lock)->dep_map); \ + lock_acquire(&(lock)->dep_map, 0, 0, 0, 1, NULL, _THIS_IP_); \ + lock_release(&(lock)->dep_map, _THIS_IP_); \ + } while (0) +-# define might_lock_read(lock) \ ++# define might_lock_read(lock) \ + do { \ + typecheck(struct lockdep_map *, &(lock)->dep_map); \ + lock_acquire(&(lock)->dep_map, 0, 0, 1, 1, NULL, _THIS_IP_); \ + lock_release(&(lock)->dep_map, _THIS_IP_); \ + } while (0) +-# define might_lock_nested(lock, subclass) \ ++# define might_lock_nested(lock, subclass) \ + do { \ + typecheck(struct lockdep_map *, &(lock)->dep_map); \ + lock_acquire(&(lock)->dep_map, subclass, 0, 1, 1, NULL, \ +@@ -536,29 +536,21 @@ DECLARE_PER_CPU(int, hardirqs_enabled); + DECLARE_PER_CPU(int, hardirq_context); + DECLARE_PER_CPU(unsigned int, lockdep_recursion); + +-/* +- * The below lockdep_assert_*() macros use raw_cpu_read() to access the above +- * per-cpu variables. This is required because this_cpu_read() will potentially +- * call into preempt/irq-disable and that obviously isn't right. This is also +- * correct because when IRQs are enabled, it doesn't matter if we accidentally +- * read the value from our previous CPU. +- */ +- +-#define __lockdep_enabled (debug_locks && !raw_cpu_read(lockdep_recursion)) ++#define __lockdep_enabled (debug_locks && !this_cpu_read(lockdep_recursion)) + + #define lockdep_assert_irqs_enabled() \ + do { \ +- WARN_ON_ONCE(__lockdep_enabled && !raw_cpu_read(hardirqs_enabled)); \ ++ WARN_ON_ONCE(__lockdep_enabled && !this_cpu_read(hardirqs_enabled)); \ + } while (0) + + #define lockdep_assert_irqs_disabled() \ + do { \ +- WARN_ON_ONCE(__lockdep_enabled && raw_cpu_read(hardirqs_enabled)); \ ++ WARN_ON_ONCE(__lockdep_enabled && this_cpu_read(hardirqs_enabled)); \ + } while (0) + + #define lockdep_assert_in_irq() \ + do { \ +- WARN_ON_ONCE(__lockdep_enabled && !raw_cpu_read(hardirq_context)); \ ++ WARN_ON_ONCE(__lockdep_enabled && !this_cpu_read(hardirq_context)); \ + } while (0) + + #define lockdep_assert_preemption_enabled() \ +@@ -566,7 +558,7 @@ do { \ + WARN_ON_ONCE(IS_ENABLED(CONFIG_PREEMPT_COUNT) && \ + __lockdep_enabled && \ + (preempt_count() != 0 || \ +- !raw_cpu_read(hardirqs_enabled))); \ ++ !this_cpu_read(hardirqs_enabled))); \ + } while (0) + + #define lockdep_assert_preemption_disabled() \ +@@ -574,7 +566,7 @@ do { \ + WARN_ON_ONCE(IS_ENABLED(CONFIG_PREEMPT_COUNT) && \ + __lockdep_enabled && \ + (preempt_count() == 0 && \ +- raw_cpu_read(hardirqs_enabled))); \ ++ this_cpu_read(hardirqs_enabled))); \ + } while (0) + + #else +-- +2.25.1 + diff --git a/queue-5.9/m68knommu-include-sdhc-support-only-when-hardware-ha.patch b/queue-5.9/m68knommu-include-sdhc-support-only-when-hardware-ha.patch new file mode 100644 index 00000000000..fd6ca2bb549 --- /dev/null +++ b/queue-5.9/m68knommu-include-sdhc-support-only-when-hardware-ha.patch @@ -0,0 +1,79 @@ +From 5341a22f700b36fa788086690dce01edf64c0c29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 12:55:20 +1000 +Subject: m68knommu: include SDHC support only when hardware has it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Ungerer + +[ Upstream commit 322c512f476f07e960cecd447ef22c15bed0e5f1 ] + +The mere fact that the kernel has the MMC subsystem enabled (CONFIG_MMC +enabled) does not mean that the underlying hardware platform has the +SDHC hardware present. Within the ColdFire hardware defines that is +signified by MCFSDHC_BASE being defined with an address. + +The platform data for the ColdFire parts is including the SDHC hardware +if CONFIG_MMC is enabled, instead of MCFSDHC_BASE. This means that if +you are compiling for a ColdFire target that does not support SDHC but +enable CONFIG_MMC you will fail to compile with errors like this: + + arch/m68k/coldfire/device.c:565:12: error: ‘MCFSDHC_BASE’ undeclared here (not in a function) + .start = MCFSDHC_BASE, + ^ + arch/m68k/coldfire/device.c:566:25: error: ‘MCFSDHC_SIZE’ undeclared here (not in a function) + .end = MCFSDHC_BASE + MCFSDHC_SIZE - 1, + ^ + arch/m68k/coldfire/device.c:569:12: error: ‘MCF_IRQ_SDHC’ undeclared here (not in a function) + .start = MCF_IRQ_SDHC, + ^ + +Make the SDHC platform support depend on MCFSDHC_BASE, that is only +include it if the specific ColdFire SoC has that hardware module. + +Fixes: 991f5c4dd2422881 ("m68k: mcf5441x: add support for esdhc mmc controller") +Signed-off-by: Greg Ungerer +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Angelo Dureghello +Tested-by: Angelo Dureghello +Signed-off-by: Sasha Levin +--- + arch/m68k/coldfire/device.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/m68k/coldfire/device.c b/arch/m68k/coldfire/device.c +index 9ef4ec0aea008..59f7dfe50a4d0 100644 +--- a/arch/m68k/coldfire/device.c ++++ b/arch/m68k/coldfire/device.c +@@ -554,7 +554,7 @@ static struct platform_device mcf_edma = { + }; + #endif /* IS_ENABLED(CONFIG_MCF_EDMA) */ + +-#if IS_ENABLED(CONFIG_MMC) ++#ifdef MCFSDHC_BASE + static struct mcf_esdhc_platform_data mcf_esdhc_data = { + .max_bus_width = 4, + .cd_type = ESDHC_CD_NONE, +@@ -579,7 +579,7 @@ static struct platform_device mcf_esdhc = { + .resource = mcf_esdhc_resources, + .dev.platform_data = &mcf_esdhc_data, + }; +-#endif /* IS_ENABLED(CONFIG_MMC) */ ++#endif /* MCFSDHC_BASE */ + + static struct platform_device *mcf_devices[] __initdata = { + &mcf_uart, +@@ -613,7 +613,7 @@ static struct platform_device *mcf_devices[] __initdata = { + #if IS_ENABLED(CONFIG_MCF_EDMA) + &mcf_edma, + #endif +-#if IS_ENABLED(CONFIG_MMC) ++#ifdef MCFSDHC_BASE + &mcf_esdhc, + #endif + }; +-- +2.25.1 + diff --git a/queue-5.9/mac80211-handle-lack-of-sband-bitrates-in-rates.patch b/queue-5.9/mac80211-handle-lack-of-sband-bitrates-in-rates.patch new file mode 100644 index 00000000000..91f5bf00707 --- /dev/null +++ b/queue-5.9/mac80211-handle-lack-of-sband-bitrates-in-rates.patch @@ -0,0 +1,58 @@ +From 4745e4bd4647a95ff981e77be65d0f2ad7ece8b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 09:45:21 -0700 +Subject: mac80211: handle lack of sband->bitrates in rates + +From: Thomas Pedersen + +[ Upstream commit 8b783d104e7f40684333d2ec155fac39219beb2f ] + +Even though a driver or mac80211 shouldn't produce a +legacy bitrate if sband->bitrates doesn't exist, don't +crash if that is the case either. + +This fixes a kernel panic if station dump is run before +last_rate can be updated with a data frame when +sband->bitrates is missing (eg. in S1G bands). + +Signed-off-by: Thomas Pedersen +Link: https://lore.kernel.org/r/20201005164522.18069-1-thomas@adapt-ip.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 3 ++- + net/mac80211/sta_info.c | 4 ++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 87fddd84c621e..82d516d117385 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -709,7 +709,8 @@ void sta_set_rate_info_tx(struct sta_info *sta, + u16 brate; + + sband = ieee80211_get_sband(sta->sdata); +- if (sband) { ++ WARN_ON_ONCE(sband && !sband->bitrates); ++ if (sband && sband->bitrates) { + brate = sband->bitrates[rate->idx].bitrate; + rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift); + } +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index f2840d1d95cfb..fb4f2b9b294f0 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2122,6 +2122,10 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u32 rate, + int rate_idx = STA_STATS_GET(LEGACY_IDX, rate); + + sband = local->hw.wiphy->bands[band]; ++ ++ if (WARN_ON_ONCE(!sband->bitrates)) ++ break; ++ + brate = sband->bitrates[rate_idx].bitrate; + if (rinfo->bw == RATE_INFO_BW_5) + shift = 2; +-- +2.25.1 + diff --git a/queue-5.9/maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch b/queue-5.9/maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch new file mode 100644 index 00000000000..09cbd3fb643 --- /dev/null +++ b/queue-5.9/maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch @@ -0,0 +1,49 @@ +From f8bc803d560ebcb2bf74aa8ddd3000dacb7be3a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:31:28 +0200 +Subject: maiblox: mediatek: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 558e4c36ec9f2722af4fe8ef84dc812bcdb5c43a ] + +platform_get_irq() returns -ERRNO on error. In such case casting to u32 +and comparing to 0 would pass the check. + +Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mtk-cmdq-mailbox.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c +index 484d4438cd835..5665b6ea8119f 100644 +--- a/drivers/mailbox/mtk-cmdq-mailbox.c ++++ b/drivers/mailbox/mtk-cmdq-mailbox.c +@@ -69,7 +69,7 @@ struct cmdq_task { + struct cmdq { + struct mbox_controller mbox; + void __iomem *base; +- u32 irq; ++ int irq; + u32 thread_nr; + u32 irq_mask; + struct cmdq_thread *thread; +@@ -525,10 +525,8 @@ static int cmdq_probe(struct platform_device *pdev) + } + + cmdq->irq = platform_get_irq(pdev, 0); +- if (!cmdq->irq) { +- dev_err(dev, "failed to get irq\n"); +- return -EINVAL; +- } ++ if (cmdq->irq < 0) ++ return cmdq->irq; + + plat_data = (struct gce_plat *)of_device_get_match_data(dev); + if (!plat_data) { +-- +2.25.1 + diff --git a/queue-5.9/mailbox-avoid-timer-start-from-callback.patch b/queue-5.9/mailbox-avoid-timer-start-from-callback.patch new file mode 100644 index 00000000000..4593cf6f4b2 --- /dev/null +++ b/queue-5.9/mailbox-avoid-timer-start-from-callback.patch @@ -0,0 +1,75 @@ +From 54ad00465dc99de209df11682bc8f5cf852b6638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 12:20:56 -0500 +Subject: mailbox: avoid timer start from callback + +From: Jassi Brar + +[ Upstream commit c7dacf5b0f32957b24ef29df1207dc2cd8307743 ] + +If the txdone is done by polling, it is possible for msg_submit() to start +the timer while txdone_hrtimer() callback is running. If the timer needs +recheduling, it could already be enqueued by the time hrtimer_forward_now() +is called, leading hrtimer to loudly complain. + +WARNING: CPU: 3 PID: 74 at kernel/time/hrtimer.c:932 hrtimer_forward+0xc4/0x110 +CPU: 3 PID: 74 Comm: kworker/u8:1 Not tainted 5.9.0-rc2-00236-gd3520067d01c-dirty #5 +Hardware name: Libre Computer AML-S805X-AC (DT) +Workqueue: events_freezable_power_ thermal_zone_device_check +pstate: 20000085 (nzCv daIf -PAN -UAO BTYPE=--) +pc : hrtimer_forward+0xc4/0x110 +lr : txdone_hrtimer+0xf8/0x118 +[...] + +This can be fixed by not starting the timer from the callback path. Which +requires the timer reloading as long as any message is queued on the +channel, and not just when current tx is not done yet. + +Fixes: 0cc67945ea59 ("mailbox: switch to hrtimer for tx_complete polling") +Reported-by: Da Xue +Reviewed-by: Sudeep Holla +Tested-by: Sudeep Holla +Acked-by: Jerome Brunet +Tested-by: Jerome Brunet +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c +index 0b821a5b2db84..3e7d4b20ab34f 100644 +--- a/drivers/mailbox/mailbox.c ++++ b/drivers/mailbox/mailbox.c +@@ -82,9 +82,12 @@ static void msg_submit(struct mbox_chan *chan) + exit: + spin_unlock_irqrestore(&chan->lock, flags); + +- if (!err && (chan->txdone_method & TXDONE_BY_POLL)) +- /* kick start the timer immediately to avoid delays */ +- hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL); ++ /* kick start the timer immediately to avoid delays */ ++ if (!err && (chan->txdone_method & TXDONE_BY_POLL)) { ++ /* but only if not already active */ ++ if (!hrtimer_active(&chan->mbox->poll_hrt)) ++ hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL); ++ } + } + + static void tx_tick(struct mbox_chan *chan, int r) +@@ -122,11 +125,10 @@ static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer) + struct mbox_chan *chan = &mbox->chans[i]; + + if (chan->active_req && chan->cl) { ++ resched = true; + txdone = chan->mbox->ops->last_tx_done(chan); + if (txdone) + tx_tick(chan, 0); +- else +- resched = true; + } + } + +-- +2.25.1 + diff --git a/queue-5.9/md-bitmap-fix-memory-leak-of-temporary-bitmap.patch b/queue-5.9/md-bitmap-fix-memory-leak-of-temporary-bitmap.patch new file mode 100644 index 00000000000..2f6eba188cb --- /dev/null +++ b/queue-5.9/md-bitmap-fix-memory-leak-of-temporary-bitmap.patch @@ -0,0 +1,60 @@ +From f1feab286d1bd87772e2c2a4f330614bc43753e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Sep 2020 13:40:13 +0800 +Subject: md/bitmap: fix memory leak of temporary bitmap + +From: Zhao Heming + +[ Upstream commit 1383b347a8ae4a69c04ae3746e6cb5c8d38e2585 ] + +Callers of get_bitmap_from_slot() are responsible to free the bitmap. + +Suggested-by: Guoqing Jiang +Signed-off-by: Zhao Heming +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 3 ++- + drivers/md/md-cluster.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index b10c51988c8ee..c61ab86a28b52 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -1949,6 +1949,7 @@ int md_bitmap_load(struct mddev *mddev) + } + EXPORT_SYMBOL_GPL(md_bitmap_load); + ++/* caller need to free returned bitmap with md_bitmap_free() */ + struct bitmap *get_bitmap_from_slot(struct mddev *mddev, int slot) + { + int rv = 0; +@@ -2012,6 +2013,7 @@ int md_bitmap_copy_from_slot(struct mddev *mddev, int slot, + md_bitmap_unplug(mddev->bitmap); + *low = lo; + *high = hi; ++ md_bitmap_free(bitmap); + + return rv; + } +@@ -2615,4 +2617,3 @@ struct attribute_group md_bitmap_group = { + .name = "bitmap", + .attrs = md_bitmap_attrs, + }; +- +diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c +index d50737ec40394..afbbc552c3275 100644 +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -1166,6 +1166,7 @@ static int resize_bitmaps(struct mddev *mddev, sector_t newsize, sector_t oldsiz + * can't resize bitmap + */ + goto out; ++ md_bitmap_free(bitmap); + } + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/media-ati_remote-sanity-check-for-both-endpoints.patch b/queue-5.9/media-ati_remote-sanity-check-for-both-endpoints.patch new file mode 100644 index 00000000000..72dedefe663 --- /dev/null +++ b/queue-5.9/media-ati_remote-sanity-check-for-both-endpoints.patch @@ -0,0 +1,40 @@ +From 122ec5726b54f65bbbd30eb8bf71e66e6da9e5fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 15:50:51 +0200 +Subject: media: ati_remote: sanity check for both endpoints + +From: Oliver Neukum + +[ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ] + +If you do sanity checks, you should do them for both endpoints. +Hence introduce checking for endpoint type for the output +endpoint, too. + +Reported-by: syzbot+998261c2ae5932458f6c@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ati_remote.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c +index 9cdef17b4793f..c12dda73cdd53 100644 +--- a/drivers/media/rc/ati_remote.c ++++ b/drivers/media/rc/ati_remote.c +@@ -835,6 +835,10 @@ static int ati_remote_probe(struct usb_interface *interface, + err("%s: endpoint_in message size==0? \n", __func__); + return -ENODEV; + } ++ if (!usb_endpoint_is_int_out(endpoint_out)) { ++ err("%s: Unexpected endpoint_out\n", __func__); ++ return -ENODEV; ++ } + + ati_remote = kzalloc(sizeof (struct ati_remote), GFP_KERNEL); + rc_dev = rc_allocate_device(RC_DRIVER_SCANCODE); +-- +2.25.1 + diff --git a/queue-5.9/media-atomisp-fix-memleak-in-ia_css_stream_create.patch b/queue-5.9/media-atomisp-fix-memleak-in-ia_css_stream_create.patch new file mode 100644 index 00000000000..f54e0182f8c --- /dev/null +++ b/queue-5.9/media-atomisp-fix-memleak-in-ia_css_stream_create.patch @@ -0,0 +1,37 @@ +From d4b0f93013537746d6a16142107e3afa7edba475 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 07:49:16 +0200 +Subject: media: atomisp: fix memleak in ia_css_stream_create + +From: Dinghao Liu + +[ Upstream commit c1bca5b5ced0cbd779d56f60cdbc9f5e6f6449fe ] + +When aspect_ratio_crop_init() fails, curr_stream needs +to be freed just like what we've done in the following +error paths. However, current code is returning directly +and ends up leaking memory. + +Signed-off-by: Dinghao Liu +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/atomisp/pci/sh_css.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c +index a68cbb4995f0f..33a0f8ff82aa8 100644 +--- a/drivers/staging/media/atomisp/pci/sh_css.c ++++ b/drivers/staging/media/atomisp/pci/sh_css.c +@@ -9521,7 +9521,7 @@ ia_css_stream_create(const struct ia_css_stream_config *stream_config, + if (err) + { + IA_CSS_LEAVE_ERR(err); +- return err; ++ goto ERR; + } + #endif + for (i = 0; i < num_pipes; i++) +-- +2.25.1 + diff --git a/queue-5.9/media-bdisp-fix-runtime-pm-imbalance-on-error.patch b/queue-5.9/media-bdisp-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..f0e92cd57af --- /dev/null +++ b/queue-5.9/media-bdisp-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,46 @@ +From 949ee68de423a3cdfac0cd3f88357d4ec477099b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 12:00:21 +0200 +Subject: media: bdisp: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit dbd2f2dc025f9be8ae063e4f270099677238f620 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +index af2d5eb782cee..e1d150584bdc2 100644 +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +@@ -1371,7 +1371,7 @@ static int bdisp_probe(struct platform_device *pdev) + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "failed to set PM\n"); +- goto err_dbg; ++ goto err_pm; + } + + /* Filters */ +@@ -1399,7 +1399,6 @@ static int bdisp_probe(struct platform_device *pdev) + bdisp_hw_free_filters(bdisp->dev); + err_pm: + pm_runtime_put(dev); +-err_dbg: + bdisp_debugfs_remove(bdisp); + err_v4l2: + v4l2_device_unregister(&bdisp->v4l2_dev); +-- +2.25.1 + diff --git a/queue-5.9/media-camss-fix-a-reference-count-leak.patch b/queue-5.9/media-camss-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..ad6ba05f4fb --- /dev/null +++ b/queue-5.9/media-camss-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From 0743d1ab5125e808e7fbdcb657cf8d1be60f7329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:27:12 +0200 +Subject: media: camss: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit d0675b67b42eb4f1a840d1513b5b00f78312f833 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +PM runtime put is not called in error handling paths. +Thus call pm_runtime_put_sync() if pm_runtime_get_sync() fails. + +Fixes: 02afa816dbbf ("media: camss: Add basic runtime PM support") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss-csiphy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-csiphy.c b/drivers/media/platform/qcom/camss/camss-csiphy.c +index 03ef9c5f4774d..85b24054f35e6 100644 +--- a/drivers/media/platform/qcom/camss/camss-csiphy.c ++++ b/drivers/media/platform/qcom/camss/camss-csiphy.c +@@ -176,8 +176,10 @@ static int csiphy_set_power(struct v4l2_subdev *sd, int on) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_sync(dev); + return ret; ++ } + + ret = csiphy_set_clock_rates(csiphy); + if (ret < 0) { +-- +2.25.1 + diff --git a/queue-5.9/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch b/queue-5.9/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch new file mode 100644 index 00000000000..76e434a5b02 --- /dev/null +++ b/queue-5.9/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch @@ -0,0 +1,41 @@ +From a2aeb77bc5aa7c9af4f80da0993acafc7f00119d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:10:58 +0200 +Subject: media: exynos4-is: Fix a reference count leak due to + pm_runtime_get_sync + +From: Qiushi Wu + +[ Upstream commit c47f7c779ef0458a58583f00c9ed71b7f5a4d0a2 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 9a575233e4c1e..9034f9cf88481 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -484,8 +484,10 @@ static int fimc_md_register_sensor_entities(struct fimc_md *fmd) + return -ENXIO; + + ret = pm_runtime_get_sync(fmd->pmf); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(fmd->pmf); + return ret; ++ } + + fmd->num_sensors = 0; + +-- +2.25.1 + diff --git a/queue-5.9/media-exynos4-is-fix-a-reference-count-leak.patch b/queue-5.9/media-exynos4-is-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..4b0d7ecd2d9 --- /dev/null +++ b/queue-5.9/media-exynos4-is-fix-a-reference-count-leak.patch @@ -0,0 +1,41 @@ +From b4885aa4c089c515bb1d7cbb6f5b87011d1fa4b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:01:11 +0200 +Subject: media: exynos4-is: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 64157b2cb1940449e7df2670e85781c690266588 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/mipi-csis.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c +index 540151bbf58f2..1aac167abb175 100644 +--- a/drivers/media/platform/exynos4-is/mipi-csis.c ++++ b/drivers/media/platform/exynos4-is/mipi-csis.c +@@ -510,8 +510,10 @@ static int s5pcsis_s_stream(struct v4l2_subdev *sd, int enable) + if (enable) { + s5pcsis_clear_counters(state); + ret = pm_runtime_get_sync(&state->pdev->dev); +- if (ret && ret != 1) ++ if (ret && ret != 1) { ++ pm_runtime_put_noidle(&state->pdev->dev); + return ret; ++ } + } + + mutex_lock(&state->lock); +-- +2.25.1 + diff --git a/queue-5.9/media-exynos4-is-fix-several-reference-count-leaks-d.patch b/queue-5.9/media-exynos4-is-fix-several-reference-count-leaks-d.patch new file mode 100644 index 00000000000..b29b63d8ecd --- /dev/null +++ b/queue-5.9/media-exynos4-is-fix-several-reference-count-leaks-d.patch @@ -0,0 +1,55 @@ +From 35c86099ec9e38ed88e13deacce00d877a71b7c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:18:29 +0200 +Subject: media: exynos4-is: Fix several reference count leaks due to + pm_runtime_get_sync + +From: Qiushi Wu + +[ Upstream commit 7ef64ceea0008c17e94a8a2c60c5d6d46f481996 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-isp.c | 4 +++- + drivers/media/platform/exynos4-is/fimc-lite.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/fimc-isp.c b/drivers/media/platform/exynos4-is/fimc-isp.c +index cde0d254ec1c4..a77c49b185115 100644 +--- a/drivers/media/platform/exynos4-is/fimc-isp.c ++++ b/drivers/media/platform/exynos4-is/fimc-isp.c +@@ -305,8 +305,10 @@ static int fimc_isp_subdev_s_power(struct v4l2_subdev *sd, int on) + + if (on) { + ret = pm_runtime_get_sync(&is->pdev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(&is->pdev->dev); + return ret; ++ } + set_bit(IS_ST_PWR_ON, &is->state); + + ret = fimc_is_start_firmware(is); +diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c +index 9c666f663ab43..fdd0d369b1925 100644 +--- a/drivers/media/platform/exynos4-is/fimc-lite.c ++++ b/drivers/media/platform/exynos4-is/fimc-lite.c +@@ -471,7 +471,7 @@ static int fimc_lite_open(struct file *file) + set_bit(ST_FLITE_IN_USE, &fimc->state); + ret = pm_runtime_get_sync(&fimc->pdev->dev); + if (ret < 0) +- goto unlock; ++ goto err_pm; + + ret = v4l2_fh_open(file); + if (ret < 0) +-- +2.25.1 + diff --git a/queue-5.9/media-firewire-fix-memory-leak.patch b/queue-5.9/media-firewire-fix-memory-leak.patch new file mode 100644 index 00000000000..daa06c61a5b --- /dev/null +++ b/queue-5.9/media-firewire-fix-memory-leak.patch @@ -0,0 +1,39 @@ +From f2a90a07f0960ca6bc469cc68b81b558fedc430c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 11:01:37 +0200 +Subject: media: firewire: fix memory leak + +From: Pavel Machek + +[ Upstream commit b28e32798c78a346788d412f1958f36bb760ec03 ] + +Fix memory leak in node_probe. + +Signed-off-by: Pavel Machek (CIP) +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/firewire/firedtv-fw.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index 3f1ca40b9b987..8a8585261bb80 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -272,8 +272,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); +- if (name_len < 0) +- return name_len; ++ if (name_len < 0) { ++ err = name_len; ++ goto fail_free; ++ } + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +-- +2.25.1 + diff --git a/queue-5.9/media-hantro-h264-get-the-correct-fallback-reference.patch b/queue-5.9/media-hantro-h264-get-the-correct-fallback-reference.patch new file mode 100644 index 00000000000..34d30d00d8f --- /dev/null +++ b/queue-5.9/media-hantro-h264-get-the-correct-fallback-reference.patch @@ -0,0 +1,44 @@ +From 2cab0a0ec1bcb788f8da85a0ecf0ba279c94c9ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 19:05:37 +0200 +Subject: media: hantro: h264: Get the correct fallback reference buffer + +From: Ezequiel Garcia + +[ Upstream commit 6d9e8cd0553bb03e8ab9d4d2d7d17f3fb639bd86 ] + +If the bitstream and the application are incorrectly configuring +the reference pictures, the hardware will need to fallback +to using some other reference picture. + +When the post-processor is enabled, the fallback buffer +should be a shadow buffer (postproc.dec_q), and not a +CAPTURE queue buffer, since the latter is post-processed +and not really the output of the decoder core. + +Fixes: 8c2d66b036c77 ("media: hantro: Support color conversion via post-processing") +Signed-off-by: Ezequiel Garcia +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/hantro/hantro_h264.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/hantro/hantro_h264.c b/drivers/staging/media/hantro/hantro_h264.c +index 194d058480777..6dcd47bd9ed3f 100644 +--- a/drivers/staging/media/hantro/hantro_h264.c ++++ b/drivers/staging/media/hantro/hantro_h264.c +@@ -325,7 +325,7 @@ dma_addr_t hantro_h264_get_ref_buf(struct hantro_ctx *ctx, + */ + dst_buf = hantro_get_dst_buf(ctx); + buf = &dst_buf->vb2_buf; +- dma_addr = vb2_dma_contig_plane_dma_addr(buf, 0); ++ dma_addr = hantro_get_dec_buf_addr(ctx, buf); + } + + return dma_addr; +-- +2.25.1 + diff --git a/queue-5.9/media-hantro-postproc-fix-motion-vector-space-alloca.patch b/queue-5.9/media-hantro-postproc-fix-motion-vector-space-alloca.patch new file mode 100644 index 00000000000..408e97c62cf --- /dev/null +++ b/queue-5.9/media-hantro-postproc-fix-motion-vector-space-alloca.patch @@ -0,0 +1,47 @@ +From 9aebeff76e0a745e48775caea058021a6d6c032e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 19:05:38 +0200 +Subject: media: hantro: postproc: Fix motion vector space allocation + +From: Ezequiel Garcia + +[ Upstream commit 669ccf19ed2059b9d517664a2dbbf6bde87e1414 ] + +When the post-processor is enabled, the driver allocates +"shadow buffers" which are used for the decoder core, +and exposes the post-processed buffers to userspace. + +For this reason, extra motion vector space has to +be allocated on the shadow buffers, which the driver +wasn't doing. Fix it. + +This fix should address artifacts on high profile bitstreams. + +Fixes: 8c2d66b036c77 ("media: hantro: Support color conversion via post-processing") +Signed-off-by: Ezequiel Garcia +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/hantro/hantro_postproc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/hantro/hantro_postproc.c b/drivers/staging/media/hantro/hantro_postproc.c +index 44062ffceaea7..6d2a8f2a8f0bb 100644 +--- a/drivers/staging/media/hantro/hantro_postproc.c ++++ b/drivers/staging/media/hantro/hantro_postproc.c +@@ -118,7 +118,9 @@ int hantro_postproc_alloc(struct hantro_ctx *ctx) + unsigned int num_buffers = cap_queue->num_buffers; + unsigned int i, buf_size; + +- buf_size = ctx->dst_fmt.plane_fmt[0].sizeimage; ++ buf_size = ctx->dst_fmt.plane_fmt[0].sizeimage + ++ hantro_h264_mv_size(ctx->dst_fmt.width, ++ ctx->dst_fmt.height); + + for (i = 0; i < num_buffers; ++i) { + struct hantro_aux_buf *priv = &ctx->postproc.dec_q[i]; +-- +2.25.1 + diff --git a/queue-5.9/media-i2c-fix-error-check-on-max9286_read-call.patch b/queue-5.9/media-i2c-fix-error-check-on-max9286_read-call.patch new file mode 100644 index 00000000000..2699b6695e9 --- /dev/null +++ b/queue-5.9/media-i2c-fix-error-check-on-max9286_read-call.patch @@ -0,0 +1,46 @@ +From 2bd8f66acab4d8263d5457c8420a79b81a6a894f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 18:13:35 +0200 +Subject: media: i2c: fix error check on max9286_read call + +From: Colin Ian King + +[ Upstream commit e5b95c8febd504659b60a7601fd43c0ae8e4f3c0 ] + +Currently the error return from the call to max9286_read is masked +with 0xf0 so the following check for a negative error return is +never true. Fix this by checking for an error first, then masking +the return value for subsequent conflink_mask checking. + +Addresses-Coverity: ("Logically dead code") + +Fixes: 66d8c9d2422d ("media: i2c: Add MAX9286 driver") +Signed-off-by: Colin Ian King +Reviewed-by: Kieran Bingham +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/max9286.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c +index 47f280518fdb6..b364a3f604861 100644 +--- a/drivers/media/i2c/max9286.c ++++ b/drivers/media/i2c/max9286.c +@@ -405,10 +405,11 @@ static int max9286_check_config_link(struct max9286_priv *priv, + * to 5 milliseconds. + */ + for (i = 0; i < 10; i++) { +- ret = max9286_read(priv, 0x49) & 0xf0; ++ ret = max9286_read(priv, 0x49); + if (ret < 0) + return -EIO; + ++ ret &= 0xf0; + if (ret == conflink_mask) + break; + +-- +2.25.1 + diff --git a/queue-5.9/media-i2c-max9286-allocate-v4l2_async_subdev-dynamic.patch b/queue-5.9/media-i2c-max9286-allocate-v4l2_async_subdev-dynamic.patch new file mode 100644 index 00000000000..8826ab33399 --- /dev/null +++ b/queue-5.9/media-i2c-max9286-allocate-v4l2_async_subdev-dynamic.patch @@ -0,0 +1,117 @@ +From 84b22419c8e3ed4f9d279073ab63c7dc416f002a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 22:59:39 +0200 +Subject: media: i2c: max9286: Allocate v4l2_async_subdev dynamically + +From: Laurent Pinchart + +[ Upstream commit 86d37bf31af647760f1f17e7c1afa1bdba075198 ] + +v4l2_async_notifier_add_subdev() requires the asd to be allocated +dynamically, but the max9286 driver embeds it in the max9286_source +structure. This causes memory corruption when the notifier is destroyed +at remove time with v4l2_async_notifier_cleanup(). + +Fix this issue by registering the asd with +v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically +internally. A new max9286_asd structure is introduced, to store a +pointer to the corresonding max9286_source that needs to be accessed +from bound and unbind callbacks. There's no need to take an extra +explicit reference to the fwnode anymore as +v4l2_async_notifier_add_fwnode_subdev() does so internally. + +While at it, use %u instead of %d to print the unsigned index in the +error message from the v4l2_async_notifier_add_fwnode_subdev() error +path. + +Fixes: 66d8c9d2422d ("media: i2c: Add MAX9286 driver") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/max9286.c | 40 +++++++++++++++++++------------------ + 1 file changed, 21 insertions(+), 19 deletions(-) + +diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c +index b364a3f604861..c82c1493e099d 100644 +--- a/drivers/media/i2c/max9286.c ++++ b/drivers/media/i2c/max9286.c +@@ -135,13 +135,19 @@ + #define MAX9286_SRC_PAD 4 + + struct max9286_source { +- struct v4l2_async_subdev asd; + struct v4l2_subdev *sd; + struct fwnode_handle *fwnode; + }; + +-#define asd_to_max9286_source(_asd) \ +- container_of(_asd, struct max9286_source, asd) ++struct max9286_asd { ++ struct v4l2_async_subdev base; ++ struct max9286_source *source; ++}; ++ ++static inline struct max9286_asd *to_max9286_asd(struct v4l2_async_subdev *asd) ++{ ++ return container_of(asd, struct max9286_asd, base); ++} + + struct max9286_priv { + struct i2c_client *client; +@@ -481,7 +487,7 @@ static int max9286_notify_bound(struct v4l2_async_notifier *notifier, + struct v4l2_async_subdev *asd) + { + struct max9286_priv *priv = sd_to_max9286(notifier->sd); +- struct max9286_source *source = asd_to_max9286_source(asd); ++ struct max9286_source *source = to_max9286_asd(asd)->source; + unsigned int index = to_index(priv, source); + unsigned int src_pad; + int ret; +@@ -545,7 +551,7 @@ static void max9286_notify_unbind(struct v4l2_async_notifier *notifier, + struct v4l2_async_subdev *asd) + { + struct max9286_priv *priv = sd_to_max9286(notifier->sd); +- struct max9286_source *source = asd_to_max9286_source(asd); ++ struct max9286_source *source = to_max9286_asd(asd)->source; + unsigned int index = to_index(priv, source); + + source->sd = NULL; +@@ -570,23 +576,19 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv) + + for_each_source(priv, source) { + unsigned int i = to_index(priv, source); +- +- source->asd.match_type = V4L2_ASYNC_MATCH_FWNODE; +- source->asd.match.fwnode = source->fwnode; +- +- ret = v4l2_async_notifier_add_subdev(&priv->notifier, +- &source->asd); +- if (ret) { +- dev_err(dev, "Failed to add subdev for source %d", i); ++ struct v4l2_async_subdev *asd; ++ ++ asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, ++ source->fwnode, ++ sizeof(*asd)); ++ if (IS_ERR(asd)) { ++ dev_err(dev, "Failed to add subdev for source %u: %ld", ++ i, PTR_ERR(asd)); + v4l2_async_notifier_cleanup(&priv->notifier); +- return ret; ++ return PTR_ERR(asd); + } + +- /* +- * Balance the reference counting handled through +- * v4l2_async_notifier_cleanup() +- */ +- fwnode_handle_get(source->fwnode); ++ to_max9286_asd(asd)->source = source; + } + + priv->notifier.ops = &max9286_notify_ops; +-- +2.25.1 + diff --git a/queue-5.9/media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch b/queue-5.9/media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch new file mode 100644 index 00000000000..d0e00840892 --- /dev/null +++ b/queue-5.9/media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch @@ -0,0 +1,141 @@ +From 29318b9df82df4871289cc7c78ab90c3808ba958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 22:18:32 +0200 +Subject: media: i2c: ov5640: Enable data pins on poweron for DVP mode + +From: Lad Prabhakar + +[ Upstream commit 576f5d4ba8f672953513280510abf9a736b015cc ] + +During testing this sensor on iW-RainboW-G21D-Qseven platform in 8-bit DVP +mode with rcar-vin bridge noticed the capture worked fine for the first run +(with yavta), but for subsequent runs the bridge driver waited for the +frame to be captured. Debugging further noticed the data lines were +enabled/disabled in stream on/off callback and dumping the register +contents 0x3017/0x3018 in ov5640_set_stream_dvp() reported the correct +values, but yet frame capturing failed. + +To get around this issue data lines are enabled in s_power callback. +(Also the sensor remains in power down mode if not streaming so power +consumption shouldn't be affected) + +Fixes: f22996db44e2d ("media: ov5640: add support of DVP parallel interface") +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Tested-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 73 +++++++++++++++++++++----------------- + 1 file changed, 40 insertions(+), 33 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index 90db5443c4248..3a4268aa5f023 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -276,8 +276,7 @@ static inline struct v4l2_subdev *ctrl_to_sd(struct v4l2_ctrl *ctrl) + /* YUV422 UYVY VGA@30fps */ + static const struct reg_value ov5640_init_setting_30fps_VGA[] = { + {0x3103, 0x11, 0, 0}, {0x3008, 0x82, 0, 5}, {0x3008, 0x42, 0, 0}, +- {0x3103, 0x03, 0, 0}, {0x3017, 0x00, 0, 0}, {0x3018, 0x00, 0, 0}, +- {0x3630, 0x36, 0, 0}, ++ {0x3103, 0x03, 0, 0}, {0x3630, 0x36, 0, 0}, + {0x3631, 0x0e, 0, 0}, {0x3632, 0xe2, 0, 0}, {0x3633, 0x12, 0, 0}, + {0x3621, 0xe0, 0, 0}, {0x3704, 0xa0, 0, 0}, {0x3703, 0x5a, 0, 0}, + {0x3715, 0x78, 0, 0}, {0x3717, 0x01, 0, 0}, {0x370b, 0x60, 0, 0}, +@@ -1283,33 +1282,6 @@ static int ov5640_set_stream_dvp(struct ov5640_dev *sensor, bool on) + if (ret) + return ret; + +- /* +- * enable VSYNC/HREF/PCLK DVP control lines +- * & D[9:6] DVP data lines +- * +- * PAD OUTPUT ENABLE 01 +- * - 6: VSYNC output enable +- * - 5: HREF output enable +- * - 4: PCLK output enable +- * - [3:0]: D[9:6] output enable +- */ +- ret = ov5640_write_reg(sensor, +- OV5640_REG_PAD_OUTPUT_ENABLE01, +- on ? 0x7f : 0); +- if (ret) +- return ret; +- +- /* +- * enable D[5:0] DVP data lines +- * +- * PAD OUTPUT ENABLE 02 +- * - [7:2]: D[5:0] output enable +- */ +- ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, +- on ? 0xfc : 0); +- if (ret) +- return ret; +- + return ov5640_write_reg(sensor, OV5640_REG_SYS_CTRL0, on ? + OV5640_REG_SYS_CTRL0_SW_PWUP : + OV5640_REG_SYS_CTRL0_SW_PWDN); +@@ -2069,6 +2041,40 @@ static int ov5640_set_power_mipi(struct ov5640_dev *sensor, bool on) + return 0; + } + ++static int ov5640_set_power_dvp(struct ov5640_dev *sensor, bool on) ++{ ++ int ret; ++ ++ if (!on) { ++ /* Reset settings to their default values. */ ++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE01, 0x00); ++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, 0x00); ++ return 0; ++ } ++ ++ /* ++ * enable VSYNC/HREF/PCLK DVP control lines ++ * & D[9:6] DVP data lines ++ * ++ * PAD OUTPUT ENABLE 01 ++ * - 6: VSYNC output enable ++ * - 5: HREF output enable ++ * - 4: PCLK output enable ++ * - [3:0]: D[9:6] output enable ++ */ ++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE01, 0x7f); ++ if (ret) ++ return ret; ++ ++ /* ++ * enable D[5:0] DVP data lines ++ * ++ * PAD OUTPUT ENABLE 02 ++ * - [7:2]: D[5:0] output enable ++ */ ++ return ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, 0xfc); ++} ++ + static int ov5640_set_power(struct ov5640_dev *sensor, bool on) + { + int ret = 0; +@@ -2083,11 +2089,12 @@ static int ov5640_set_power(struct ov5640_dev *sensor, bool on) + goto power_off; + } + +- if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) { ++ if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) + ret = ov5640_set_power_mipi(sensor, on); +- if (ret) +- goto power_off; +- } ++ else ++ ret = ov5640_set_power_dvp(sensor, on); ++ if (ret) ++ goto power_off; + + if (!on) + ov5640_set_power_off(sensor); +-- +2.25.1 + diff --git a/queue-5.9/media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch b/queue-5.9/media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch new file mode 100644 index 00000000000..d01df3e6e4b --- /dev/null +++ b/queue-5.9/media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch @@ -0,0 +1,70 @@ +From 6fa0f281adfffaebf7f23ad9d4bc7f868685d1f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 22:18:30 +0200 +Subject: media: i2c: ov5640: Remain in power down for DVP mode unless + streaming + +From: Lad Prabhakar + +[ Upstream commit 3b987d70e903962eb8c5961ba166c345a49d1a0b ] + +Keep the sensor in software power down mode and wake up only in +ov5640_set_stream_dvp() callback. + +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Tested-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index ab19e04720d3a..6e558a7e2d244 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -34,6 +34,8 @@ + #define OV5640_REG_SYS_RESET02 0x3002 + #define OV5640_REG_SYS_CLOCK_ENABLE02 0x3006 + #define OV5640_REG_SYS_CTRL0 0x3008 ++#define OV5640_REG_SYS_CTRL0_SW_PWDN 0x42 ++#define OV5640_REG_SYS_CTRL0_SW_PWUP 0x02 + #define OV5640_REG_CHIP_ID 0x300a + #define OV5640_REG_IO_MIPI_CTRL00 0x300e + #define OV5640_REG_PAD_OUTPUT_ENABLE01 0x3017 +@@ -1120,6 +1122,12 @@ static int ov5640_load_regs(struct ov5640_dev *sensor, + val = regs->val; + mask = regs->mask; + ++ /* remain in power down mode for DVP */ ++ if (regs->reg_addr == OV5640_REG_SYS_CTRL0 && ++ val == OV5640_REG_SYS_CTRL0_SW_PWUP && ++ sensor->ep.bus_type != V4L2_MBUS_CSI2_DPHY) ++ continue; ++ + if (mask) + ret = ov5640_mod_reg(sensor, reg_addr, mask, val); + else +@@ -1297,9 +1305,14 @@ static int ov5640_set_stream_dvp(struct ov5640_dev *sensor, bool on) + * PAD OUTPUT ENABLE 02 + * - [7:2]: D[5:0] output enable + */ +- return ov5640_write_reg(sensor, +- OV5640_REG_PAD_OUTPUT_ENABLE02, +- on ? 0xfc : 0); ++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, ++ on ? 0xfc : 0); ++ if (ret) ++ return ret; ++ ++ return ov5640_write_reg(sensor, OV5640_REG_SYS_CTRL0, on ? ++ OV5640_REG_SYS_CTRL0_SW_PWUP : ++ OV5640_REG_SYS_CTRL0_SW_PWDN); + } + + static int ov5640_set_stream_mipi(struct ov5640_dev *sensor, bool on) +-- +2.25.1 + diff --git a/queue-5.9/media-i2c-ov5640-separate-out-mipi-configuration-fro.patch b/queue-5.9/media-i2c-ov5640-separate-out-mipi-configuration-fro.patch new file mode 100644 index 00000000000..aa8b8045ce1 --- /dev/null +++ b/queue-5.9/media-i2c-ov5640-separate-out-mipi-configuration-fro.patch @@ -0,0 +1,164 @@ +From ad00c43eec7830e9407b12f90f210731b219d8e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 22:18:31 +0200 +Subject: media: i2c: ov5640: Separate out mipi configuration from s_power + +From: Lad Prabhakar + +[ Upstream commit b1751ae652fb95919c08df5bdd739ccf9886158a ] + +In preparation for adding DVP configuration in s_power callback +move mipi configuration into separate function + +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Tested-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 116 +++++++++++++++++++------------------ + 1 file changed, 60 insertions(+), 56 deletions(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index 6e558a7e2d244..90db5443c4248 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -2014,6 +2014,61 @@ static void ov5640_set_power_off(struct ov5640_dev *sensor) + clk_disable_unprepare(sensor->xclk); + } + ++static int ov5640_set_power_mipi(struct ov5640_dev *sensor, bool on) ++{ ++ int ret; ++ ++ if (!on) { ++ /* Reset MIPI bus settings to their default values. */ ++ ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x58); ++ ov5640_write_reg(sensor, OV5640_REG_MIPI_CTRL00, 0x04); ++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT00, 0x00); ++ return 0; ++ } ++ ++ /* ++ * Power up MIPI HS Tx and LS Rx; 2 data lanes mode ++ * ++ * 0x300e = 0x40 ++ * [7:5] = 010 : 2 data lanes mode (see FIXME note in ++ * "ov5640_set_stream_mipi()") ++ * [4] = 0 : Power up MIPI HS Tx ++ * [3] = 0 : Power up MIPI LS Rx ++ * [2] = 0 : MIPI interface disabled ++ */ ++ ret = ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x40); ++ if (ret) ++ return ret; ++ ++ /* ++ * Gate clock and set LP11 in 'no packets mode' (idle) ++ * ++ * 0x4800 = 0x24 ++ * [5] = 1 : Gate clock when 'no packets' ++ * [2] = 1 : MIPI bus in LP11 when 'no packets' ++ */ ++ ret = ov5640_write_reg(sensor, OV5640_REG_MIPI_CTRL00, 0x24); ++ if (ret) ++ return ret; ++ ++ /* ++ * Set data lanes and clock in LP11 when 'sleeping' ++ * ++ * 0x3019 = 0x70 ++ * [6] = 1 : MIPI data lane 2 in LP11 when 'sleeping' ++ * [5] = 1 : MIPI data lane 1 in LP11 when 'sleeping' ++ * [4] = 1 : MIPI clock lane in LP11 when 'sleeping' ++ */ ++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT00, 0x70); ++ if (ret) ++ return ret; ++ ++ /* Give lanes some time to coax into LP11 state. */ ++ usleep_range(500, 1000); ++ ++ return 0; ++} ++ + static int ov5640_set_power(struct ov5640_dev *sensor, bool on) + { + int ret = 0; +@@ -2026,67 +2081,16 @@ static int ov5640_set_power(struct ov5640_dev *sensor, bool on) + ret = ov5640_restore_mode(sensor); + if (ret) + goto power_off; ++ } + +- /* We're done here for DVP bus, while CSI-2 needs setup. */ +- if (sensor->ep.bus_type != V4L2_MBUS_CSI2_DPHY) +- return 0; +- +- /* +- * Power up MIPI HS Tx and LS Rx; 2 data lanes mode +- * +- * 0x300e = 0x40 +- * [7:5] = 010 : 2 data lanes mode (see FIXME note in +- * "ov5640_set_stream_mipi()") +- * [4] = 0 : Power up MIPI HS Tx +- * [3] = 0 : Power up MIPI LS Rx +- * [2] = 0 : MIPI interface disabled +- */ +- ret = ov5640_write_reg(sensor, +- OV5640_REG_IO_MIPI_CTRL00, 0x40); +- if (ret) +- goto power_off; +- +- /* +- * Gate clock and set LP11 in 'no packets mode' (idle) +- * +- * 0x4800 = 0x24 +- * [5] = 1 : Gate clock when 'no packets' +- * [2] = 1 : MIPI bus in LP11 when 'no packets' +- */ +- ret = ov5640_write_reg(sensor, +- OV5640_REG_MIPI_CTRL00, 0x24); +- if (ret) +- goto power_off; +- +- /* +- * Set data lanes and clock in LP11 when 'sleeping' +- * +- * 0x3019 = 0x70 +- * [6] = 1 : MIPI data lane 2 in LP11 when 'sleeping' +- * [5] = 1 : MIPI data lane 1 in LP11 when 'sleeping' +- * [4] = 1 : MIPI clock lane in LP11 when 'sleeping' +- */ +- ret = ov5640_write_reg(sensor, +- OV5640_REG_PAD_OUTPUT00, 0x70); ++ if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) { ++ ret = ov5640_set_power_mipi(sensor, on); + if (ret) + goto power_off; ++ } + +- /* Give lanes some time to coax into LP11 state. */ +- usleep_range(500, 1000); +- +- } else { +- if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) { +- /* Reset MIPI bus settings to their default values. */ +- ov5640_write_reg(sensor, +- OV5640_REG_IO_MIPI_CTRL00, 0x58); +- ov5640_write_reg(sensor, +- OV5640_REG_MIPI_CTRL00, 0x04); +- ov5640_write_reg(sensor, +- OV5640_REG_PAD_OUTPUT00, 0x00); +- } +- ++ if (!on) + ov5640_set_power_off(sensor); +- } + + return 0; + +-- +2.25.1 + diff --git a/queue-5.9/media-m5mols-check-function-pointer-in-m5mols_sensor.patch b/queue-5.9/media-m5mols-check-function-pointer-in-m5mols_sensor.patch new file mode 100644 index 00000000000..211cbdbf55e --- /dev/null +++ b/queue-5.9/media-m5mols-check-function-pointer-in-m5mols_sensor.patch @@ -0,0 +1,45 @@ +From 8d51b194dfb901f357b3913d5b59247649403507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 17:34:47 +0200 +Subject: media: m5mols: Check function pointer in m5mols_sensor_power + +From: Tom Rix + +[ Upstream commit 52438c4463ac904d14bf3496765e67750766f3a6 ] + +clang static analysis reports this error + +m5mols_core.c:767:4: warning: Called function pointer + is null (null dereference) [core.CallAndMessage] + info->set_power(&client->dev, 0); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In other places, the set_power ptr is checked. +So add a check. + +Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP") +Signed-off-by: Tom Rix +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/m5mols/m5mols_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c +index de295114ca482..21666d705e372 100644 +--- a/drivers/media/i2c/m5mols/m5mols_core.c ++++ b/drivers/media/i2c/m5mols/m5mols_core.c +@@ -764,7 +764,8 @@ static int m5mols_sensor_power(struct m5mols_info *info, bool enable) + + ret = regulator_bulk_enable(ARRAY_SIZE(supplies), supplies); + if (ret) { +- info->set_power(&client->dev, 0); ++ if (info->set_power) ++ info->set_power(&client->dev, 0); + return ret; + } + +-- +2.25.1 + diff --git a/queue-5.9/media-media-pci-prevent-memory-leak-in-bttv_probe.patch b/queue-5.9/media-media-pci-prevent-memory-leak-in-bttv_probe.patch new file mode 100644 index 00000000000..b3816680b80 --- /dev/null +++ b/queue-5.9/media-media-pci-prevent-memory-leak-in-bttv_probe.patch @@ -0,0 +1,65 @@ +From 0eb501ee10c41cf703fe03b2b46b918c4073090e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 11:52:30 +0200 +Subject: media: media/pci: prevent memory leak in bttv_probe + +From: Xiaolong Huang + +[ Upstream commit 7b817585b730665126b45df5508dd69526448bc8 ] + +In bttv_probe if some functions such as pci_enable_device, +pci_set_dma_mask and request_mem_region fails the allocated + memory for btv should be released. + +Signed-off-by: Xiaolong Huang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/bt8xx/bttv-driver.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c +index 9144f795fb933..b721720f9845a 100644 +--- a/drivers/media/pci/bt8xx/bttv-driver.c ++++ b/drivers/media/pci/bt8xx/bttv-driver.c +@@ -4013,11 +4013,13 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + btv->id = dev->device; + if (pci_enable_device(dev)) { + pr_warn("%d: Can't enable device\n", btv->c.nr); +- return -EIO; ++ result = -EIO; ++ goto free_mem; + } + if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) { + pr_warn("%d: No suitable DMA available\n", btv->c.nr); +- return -EIO; ++ result = -EIO; ++ goto free_mem; + } + if (!request_mem_region(pci_resource_start(dev,0), + pci_resource_len(dev,0), +@@ -4025,7 +4027,8 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + pr_warn("%d: can't request iomem (0x%llx)\n", + btv->c.nr, + (unsigned long long)pci_resource_start(dev, 0)); +- return -EBUSY; ++ result = -EBUSY; ++ goto free_mem; + } + pci_set_master(dev); + pci_set_command(dev); +@@ -4211,6 +4214,10 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + release_mem_region(pci_resource_start(btv->c.pci,0), + pci_resource_len(btv->c.pci,0)); + pci_disable_device(btv->c.pci); ++ ++free_mem: ++ bttvs[btv->c.nr] = NULL; ++ kfree(btv); + return result; + } + +-- +2.25.1 + diff --git a/queue-5.9/media-mtk-mdp-fix-null-pointer-dereference-when-call.patch b/queue-5.9/media-mtk-mdp-fix-null-pointer-dereference-when-call.patch new file mode 100644 index 00000000000..4407d650a91 --- /dev/null +++ b/queue-5.9/media-mtk-mdp-fix-null-pointer-dereference-when-call.patch @@ -0,0 +1,102 @@ +From 74318b584f51c938e274f5bbb6115e5461a993e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 15:55:41 +0200 +Subject: media: mtk-mdp: Fix Null pointer dereference when calling list_add + +From: Dafna Hirschfeld + +[ Upstream commit 0ca9454740b05eec199c5ffdb23a79eb44437917 ] + +In list_add, the first variable is the new node and the second +is the list head. The function is called with a wrong order causing +NULL dereference: + +[ 15.527030] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 +[ 15.542317] Mem abort info: +[ 15.545152] ESR = 0x96000044 +[ 15.548248] EC = 0x25: DABT (current EL), IL = 32 bits +[ 15.553624] SET = 0, FnV = 0 +[ 15.556715] EA = 0, S1PTW = 0 +[ 15.559892] Data abort info: +[ 15.562799] ISV = 0, ISS = 0x00000044 +[ 15.566678] CM = 0, WnR = 1 +[ 15.569683] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001373f0000 +[ 15.576196] [0000000000000008] pgd=0000000000000000, p4d=0000000000000000 +[ 15.583101] Internal error: Oops: 96000044 [#1] PREEMPT SMP +[ 15.588747] Modules linked in: mtk_mdp(+) cfg80211 v4l2_mem2mem videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common vide +odev mt8173_rt5650 smsc95xx usbnet ecdh_generic ecc snd_soc_rt5645 mc mt8173_afe_pcm rfkill cros_ec_sensors snd_soc_mtk_common elan_i2c crct10dif_ce cros_ec_se +nsors_core snd_soc_rl6231 elants_i2c industrialio_triggered_buffer kfifo_buf mtk_vpu cros_ec_chardev cros_usbpd_charger cros_usbpd_logger sbs_battery display_c +onnector pwm_bl ip_tables x_tables ipv6 +[ 15.634295] CPU: 0 PID: 188 Comm: systemd-udevd Not tainted 5.9.0-rc2+ #69 +[ 15.641242] Hardware name: Google Elm (DT) +[ 15.645381] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--) +[ 15.651022] pc : mtk_mdp_probe+0x134/0x3a8 [mtk_mdp] +[ 15.656041] lr : mtk_mdp_probe+0x128/0x3a8 [mtk_mdp] +[ 15.661055] sp : ffff80001255b910 +[ 15.669548] x29: ffff80001255b910 x28: 0000000000000000 +[ 15.679973] x27: ffff800009089bf8 x26: ffff0000fafde800 +[ 15.690347] x25: ffff0000ff7d2768 x24: ffff800009089010 +[ 15.700670] x23: ffff0000f01a7cd8 x22: ffff0000fafde810 +[ 15.710940] x21: ffff0000f01a7c80 x20: ffff0000f0c3c180 +[ 15.721148] x19: ffff0000ff7f1618 x18: 0000000000000010 +[ 15.731289] x17: 0000000000000000 x16: 0000000000000000 +[ 15.741375] x15: 0000000000aaaaaa x14: 0000000000000020 +[ 15.751399] x13: 00000000ffffffff x12: 0000000000000020 +[ 15.761363] x11: 0000000000000028 x10: 0101010101010101 +[ 15.771279] x9 : 0000000000000004 x8 : 7f7f7f7f7f7f7f7f +[ 15.781148] x7 : 646bff6171606b2b x6 : 0000000000806d65 +[ 15.790981] x5 : ffff0000ff7f8360 x4 : 0000000000000000 +[ 15.800767] x3 : 0000000000000004 x2 : 0000000000000001 +[ 15.810501] x1 : 0000000000000005 x0 : 0000000000000000 +[ 15.820171] Call trace: +[ 15.826944] mtk_mdp_probe+0x134/0x3a8 [mtk_mdp] +[ 15.835908] platform_drv_probe+0x54/0xa8 +[ 15.844247] really_probe+0xe4/0x3b0 +[ 15.852104] driver_probe_device+0x58/0xb8 +[ 15.860457] device_driver_attach+0x74/0x80 +[ 15.868854] __driver_attach+0x58/0xe0 +[ 15.876770] bus_for_each_dev+0x70/0xc0 +[ 15.884726] driver_attach+0x24/0x30 +[ 15.892374] bus_add_driver+0x14c/0x1f0 +[ 15.900295] driver_register+0x64/0x120 +[ 15.908168] __platform_driver_register+0x48/0x58 +[ 15.916864] mtk_mdp_driver_init+0x20/0x1000 [mtk_mdp] +[ 15.925943] do_one_initcall+0x54/0x1b4 +[ 15.933662] do_init_module+0x54/0x200 +[ 15.941246] load_module+0x1cf8/0x22d0 +[ 15.948798] __do_sys_finit_module+0xd8/0xf0 +[ 15.956829] __arm64_sys_finit_module+0x20/0x30 +[ 15.965082] el0_svc_common.constprop.0+0x6c/0x168 +[ 15.973527] do_el0_svc+0x24/0x90 +[ 15.980403] el0_sync_handler+0x90/0x198 +[ 15.987867] el0_sync+0x158/0x180 +[ 15.994653] Code: 9400014b 2a0003fc 35000920 f9400280 (f9000417) +[ 16.004299] ---[ end trace 76fee0203f9898e5 ]--- + +Fixes: 86698b9505bbc ("media: mtk-mdp: convert mtk_mdp_dev.comp array to list") +Signed-off-by: Dafna Hirschfeld +Reviewed-by: Matthias Brugger +Tested-by: Enric Balletbo i Serra +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-mdp/mtk_mdp_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_core.c b/drivers/media/platform/mtk-mdp/mtk_mdp_core.c +index f96c8b3bf8618..976aa1f4829b8 100644 +--- a/drivers/media/platform/mtk-mdp/mtk_mdp_core.c ++++ b/drivers/media/platform/mtk-mdp/mtk_mdp_core.c +@@ -94,7 +94,7 @@ static void mtk_mdp_reset_handler(void *priv) + void mtk_mdp_register_component(struct mtk_mdp_dev *mdp, + struct mtk_mdp_comp *comp) + { +- list_add(&mdp->comp_list, &comp->node); ++ list_add(&comp->node, &mdp->comp_list); + } + + void mtk_mdp_unregister_component(struct mtk_mdp_dev *mdp, +-- +2.25.1 + diff --git a/queue-5.9/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch b/queue-5.9/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch new file mode 100644 index 00000000000..ae0cc2a76fa --- /dev/null +++ b/queue-5.9/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch @@ -0,0 +1,44 @@ +From 21c0825ad179e532f20bc88325e314f15b0a8328 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 11:26:04 +0200 +Subject: media: mx2_emmaprp: Fix memleak in emmaprp_probe + +From: Dinghao Liu + +[ Upstream commit 21d387b8d372f859d9e87fdcc7c3b4a432737f4d ] + +When platform_get_irq() fails, we should release +vfd and unregister pcdev->v4l2_dev just like the +subsequent error paths. + +Fixes: d4e192cc44914 ("media: mx2_emmaprp: Check for platform_get_irq() error") +Signed-off-by: Dinghao Liu +Reviewed-by: Fabio Estevam +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mx2_emmaprp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c +index df78df59da456..08a5473b56104 100644 +--- a/drivers/media/platform/mx2_emmaprp.c ++++ b/drivers/media/platform/mx2_emmaprp.c +@@ -852,8 +852,11 @@ static int emmaprp_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, pcdev); + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) +- return irq; ++ if (irq < 0) { ++ ret = irq; ++ goto rel_vdev; ++ } ++ + ret = devm_request_irq(&pdev->dev, irq, emmaprp_irq, 0, + dev_name(&pdev->dev), pcdev); + if (ret) +-- +2.25.1 + diff --git a/queue-5.9/media-omap3isp-fix-memleak-in-isp_probe.patch b/queue-5.9/media-omap3isp-fix-memleak-in-isp_probe.patch new file mode 100644 index 00000000000..183f3840eae --- /dev/null +++ b/queue-5.9/media-omap3isp-fix-memleak-in-isp_probe.patch @@ -0,0 +1,41 @@ +From 56b472fc72cbf3dbec4e49e6b30352305822a363 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 08:53:52 +0200 +Subject: media: omap3isp: Fix memleak in isp_probe + +From: Dinghao Liu + +[ Upstream commit d8fc21c17099635e8ebd986d042be65a6c6b5bd0 ] + +When devm_ioremap_resource() fails, isp should be +freed just like other error paths in isp_probe. + +Fixes: 8644cdf972dd6 ("[media] omap3isp: Replace many MMIO regions by two") +Signed-off-by: Dinghao Liu +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c +index b91e472ee764e..de066757726de 100644 +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2328,8 +2328,10 @@ static int isp_probe(struct platform_device *pdev) + mem = platform_get_resource(pdev, IORESOURCE_MEM, i); + isp->mmio_base[map_idx] = + devm_ioremap_resource(isp->dev, mem); +- if (IS_ERR(isp->mmio_base[map_idx])) +- return PTR_ERR(isp->mmio_base[map_idx]); ++ if (IS_ERR(isp->mmio_base[map_idx])) { ++ ret = PTR_ERR(isp->mmio_base[map_idx]); ++ goto error; ++ } + } + + ret = isp_get_clocks(isp); +-- +2.25.1 + diff --git a/queue-5.9/media-ov5640-correct-bit-div-register-in-clock-tree-.patch b/queue-5.9/media-ov5640-correct-bit-div-register-in-clock-tree-.patch new file mode 100644 index 00000000000..76d0a85df9e --- /dev/null +++ b/queue-5.9/media-ov5640-correct-bit-div-register-in-clock-tree-.patch @@ -0,0 +1,39 @@ +From dd64e57ed797c1e1bd30e1ba87c6badfb0f53efd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 11:06:58 +0200 +Subject: media: ov5640: Correct Bit Div register in clock tree diagram + +From: Paul Kocialkowski + +[ Upstream commit 4c85f628f6639e3e3e0a7788416154f28dfcae4f ] + +Although the code is correct and doing the right thing, the clock diagram +showed the wrong register for the bit divider, which had me doubting the +understanding of the tree. Fix this to avoid doubts in the future. + +Signed-off-by: Paul Kocialkowski +Fixes: aa2882481cada ("media: ov5640: Adjust the clock based on the expected rate") +Acked-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5640.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c +index 2fe4a7ac05929..ab19e04720d3a 100644 +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -751,7 +751,7 @@ static int ov5640_mod_reg(struct ov5640_dev *sensor, u16 reg, + * +->| PLL Root Div | - reg 0x3037, bit 4 + * +-+------------+ + * | +---------+ +- * +->| Bit Div | - reg 0x3035, bits 0-3 ++ * +->| Bit Div | - reg 0x3034, bits 0-3 + * +-+-------+ + * | +-------------+ + * +->| SCLK Div | - reg 0x3108, bits 0-1 +-- +2.25.1 + diff --git a/queue-5.9/media-platform-fcp-fix-a-reference-count-leak.patch b/queue-5.9/media-platform-fcp-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..4f268e1fc78 --- /dev/null +++ b/queue-5.9/media-platform-fcp-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From 466c127845dd008bc8ba56bf0cc04afed369d54f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:19:44 +0200 +Subject: media: platform: fcp: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit 63e36a381d92a9cded97e90d481ee22566557dd1 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Fixes: 6eaafbdb668b ("[media] v4l: rcar-fcp: Keep the coding style consistent") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-fcp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-fcp.c b/drivers/media/platform/rcar-fcp.c +index 5c6b00737fe75..05c712e00a2a7 100644 +--- a/drivers/media/platform/rcar-fcp.c ++++ b/drivers/media/platform/rcar-fcp.c +@@ -103,8 +103,10 @@ int rcar_fcp_enable(struct rcar_fcp_device *fcp) + return 0; + + ret = pm_runtime_get_sync(fcp->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(fcp->dev); + return ret; ++ } + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.9/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch b/queue-5.9/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch new file mode 100644 index 00000000000..0b9363928af --- /dev/null +++ b/queue-5.9/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch @@ -0,0 +1,53 @@ +From b0f32e7c96a07ace5135b2a57de6f4fee4ef60e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 15:29:33 +0200 +Subject: media: platform: s3c-camif: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit dafa3605fe60d5a61239d670919b2a36e712481e ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Also, call pm_runtime_disable() when pm_runtime_get_sync() returns +an error code. + +Signed-off-by: Dinghao Liu +Reviewed-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s3c-camif/camif-core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/s3c-camif/camif-core.c b/drivers/media/platform/s3c-camif/camif-core.c +index 92f43c0cbc0c0..422fd549e9c87 100644 +--- a/drivers/media/platform/s3c-camif/camif-core.c ++++ b/drivers/media/platform/s3c-camif/camif-core.c +@@ -464,7 +464,7 @@ static int s3c_camif_probe(struct platform_device *pdev) + + ret = camif_media_dev_init(camif); + if (ret < 0) +- goto err_alloc; ++ goto err_pm; + + ret = camif_register_sensor(camif); + if (ret < 0) +@@ -498,10 +498,9 @@ static int s3c_camif_probe(struct platform_device *pdev) + media_device_unregister(&camif->media_dev); + media_device_cleanup(&camif->media_dev); + camif_unregister_media_entities(camif); +-err_alloc: ++err_pm: + pm_runtime_put(dev); + pm_runtime_disable(dev); +-err_pm: + camif_clk_put(camif); + err_clk: + s3c_camif_unregister_subdev(camif); +-- +2.25.1 + diff --git a/queue-5.9/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch b/queue-5.9/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch new file mode 100644 index 00000000000..9473d142206 --- /dev/null +++ b/queue-5.9/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch @@ -0,0 +1,37 @@ +From 1c4d1402a2ac1484d1f5d3f1f187cdf5f902751a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 12:05:02 +0200 +Subject: media: platform: sti: hva: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit d912a1d9e9afe69c6066c1ceb6bfc09063074075 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/hva/hva-hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c +index bb13348be0832..43f279e2a6a38 100644 +--- a/drivers/media/platform/sti/hva/hva-hw.c ++++ b/drivers/media/platform/sti/hva/hva-hw.c +@@ -389,7 +389,7 @@ int hva_hw_probe(struct platform_device *pdev, struct hva_dev *hva) + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "%s failed to set PM\n", HVA_PREFIX); +- goto err_clk; ++ goto err_pm; + } + + /* check IP hardware version */ +-- +2.25.1 + diff --git a/queue-5.9/media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch b/queue-5.9/media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch new file mode 100644 index 00000000000..cb82c2353f1 --- /dev/null +++ b/queue-5.9/media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch @@ -0,0 +1,84 @@ +From d619300fe3cb4bdf48dd2afe367737975a25c674 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 22:59:38 +0200 +Subject: media: rcar-csi2: Allocate v4l2_async_subdev dynamically + +From: Laurent Pinchart + +[ Upstream commit 2cac7cbfb4099980e78244359ab9c6f056d6a7ec ] + +v4l2_async_notifier_add_subdev() requires the asd to be allocated +dynamically, but the rcar-csi2 driver embeds it in the rcar_csi2 +structure. This causes memory corruption when the notifier is destroyed +at remove time with v4l2_async_notifier_cleanup(). + +Fix this issue by registering the asd with +v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically +internally. + +Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-csi2.c | 24 +++++++++------------ + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c +index c6cc4f473a077..a16c492b31434 100644 +--- a/drivers/media/platform/rcar-vin/rcar-csi2.c ++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c +@@ -362,7 +362,6 @@ struct rcar_csi2 { + struct media_pad pads[NR_OF_RCAR_CSI2_PAD]; + + struct v4l2_async_notifier notifier; +- struct v4l2_async_subdev asd; + struct v4l2_subdev *remote; + + struct v4l2_mbus_framefmt mf; +@@ -811,6 +810,8 @@ static int rcsi2_parse_v4l2(struct rcar_csi2 *priv, + + static int rcsi2_parse_dt(struct rcar_csi2 *priv) + { ++ struct v4l2_async_subdev *asd; ++ struct fwnode_handle *fwnode; + struct device_node *ep; + struct v4l2_fwnode_endpoint v4l2_ep = { .bus_type = 0 }; + int ret; +@@ -834,24 +835,19 @@ static int rcsi2_parse_dt(struct rcar_csi2 *priv) + return ret; + } + +- priv->asd.match.fwnode = +- fwnode_graph_get_remote_endpoint(of_fwnode_handle(ep)); +- priv->asd.match_type = V4L2_ASYNC_MATCH_FWNODE; +- ++ fwnode = fwnode_graph_get_remote_endpoint(of_fwnode_handle(ep)); + of_node_put(ep); + +- v4l2_async_notifier_init(&priv->notifier); +- +- ret = v4l2_async_notifier_add_subdev(&priv->notifier, &priv->asd); +- if (ret) { +- fwnode_handle_put(priv->asd.match.fwnode); +- return ret; +- } ++ dev_dbg(priv->dev, "Found '%pOF'\n", to_of_node(fwnode)); + ++ v4l2_async_notifier_init(&priv->notifier); + priv->notifier.ops = &rcar_csi2_notify_ops; + +- dev_dbg(priv->dev, "Found '%pOF'\n", +- to_of_node(priv->asd.match.fwnode)); ++ asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, fwnode, ++ sizeof(*asd)); ++ fwnode_handle_put(fwnode); ++ if (IS_ERR(asd)) ++ return PTR_ERR(asd); + + ret = v4l2_async_subdev_notifier_register(&priv->subdev, + &priv->notifier); +-- +2.25.1 + diff --git a/queue-5.9/media-rcar-vin-fix-a-reference-count-leak.patch b/queue-5.9/media-rcar-vin-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..afb469e2418 --- /dev/null +++ b/queue-5.9/media-rcar-vin-fix-a-reference-count-leak.patch @@ -0,0 +1,41 @@ +From 952b35c59d87ae3e8be573a78ee6587d220dbe9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 00:30:08 +0200 +Subject: media: rcar-vin: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit aaffa0126a111d65f4028c503c76192d4cc93277 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus call pm_runtime_put_noidle() +if pm_runtime_get_sync() fails. + +Fixes: 90dedce9bc54 ("media: rcar-vin: add function to manipulate Gen3 chsel value") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-dma.c b/drivers/media/platform/rcar-vin/rcar-dma.c +index a5dbb90c5210b..260604dc5791b 100644 +--- a/drivers/media/platform/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/rcar-vin/rcar-dma.c +@@ -1409,8 +1409,10 @@ int rvin_set_channel_routing(struct rvin_dev *vin, u8 chsel) + int ret; + + ret = pm_runtime_get_sync(vin->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(vin->dev); + return ret; ++ } + + /* Make register writes take effect immediately. */ + vnmc = rvin_read(vin, VNMC_REG); +-- +2.25.1 + diff --git a/queue-5.9/media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch b/queue-5.9/media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch new file mode 100644 index 00000000000..3da7f1068ab --- /dev/null +++ b/queue-5.9/media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch @@ -0,0 +1,82 @@ +From d44106ee0c81470519075995140b9f222f2153d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 22:59:37 +0200 +Subject: media: rcar_drif: Allocate v4l2_async_subdev dynamically + +From: Laurent Pinchart + +[ Upstream commit 468e986dac0e94194334ca6d0abf3af8c250792e ] + +v4l2_async_notifier_add_subdev() requires the asd to be allocated +dynamically, but the rcar-drif driver embeds it in the +rcar_drif_graph_ep structure. This causes memory corruption when the +notifier is destroyed at remove time with v4l2_async_notifier_cleanup(). + +Fix this issue by registering the asd with +v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically +internally. + +Fixes: d079f94c9046 ("media: platform: Switch to v4l2_async_notifier_add_subdev") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar_drif.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c +index 3f1e5cb8b1976..f318cd4b8086f 100644 +--- a/drivers/media/platform/rcar_drif.c ++++ b/drivers/media/platform/rcar_drif.c +@@ -185,7 +185,6 @@ struct rcar_drif_frame_buf { + /* OF graph endpoint's V4L2 async data */ + struct rcar_drif_graph_ep { + struct v4l2_subdev *subdev; /* Async matched subdev */ +- struct v4l2_async_subdev asd; /* Async sub-device descriptor */ + }; + + /* DMA buffer */ +@@ -1109,12 +1108,6 @@ static int rcar_drif_notify_bound(struct v4l2_async_notifier *notifier, + struct rcar_drif_sdr *sdr = + container_of(notifier, struct rcar_drif_sdr, notifier); + +- if (sdr->ep.asd.match.fwnode != +- of_fwnode_handle(subdev->dev->of_node)) { +- rdrif_err(sdr, "subdev %s cannot bind\n", subdev->name); +- return -EINVAL; +- } +- + v4l2_set_subdev_hostdata(subdev, sdr); + sdr->ep.subdev = subdev; + rdrif_dbg(sdr, "bound asd %s\n", subdev->name); +@@ -1218,7 +1211,7 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr) + { + struct v4l2_async_notifier *notifier = &sdr->notifier; + struct fwnode_handle *fwnode, *ep; +- int ret; ++ struct v4l2_async_subdev *asd; + + v4l2_async_notifier_init(notifier); + +@@ -1237,12 +1230,13 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr) + return -EINVAL; + } + +- sdr->ep.asd.match.fwnode = fwnode; +- sdr->ep.asd.match_type = V4L2_ASYNC_MATCH_FWNODE; +- ret = v4l2_async_notifier_add_subdev(notifier, &sdr->ep.asd); ++ asd = v4l2_async_notifier_add_fwnode_subdev(notifier, fwnode, ++ sizeof(*asd)); + fwnode_handle_put(fwnode); ++ if (IS_ERR(asd)) ++ return PTR_ERR(asd); + +- return ret; ++ return 0; + } + + /* Check if the given device is the primary bond */ +-- +2.25.1 + diff --git a/queue-5.9/media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch b/queue-5.9/media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch new file mode 100644 index 00000000000..73c41fba4f4 --- /dev/null +++ b/queue-5.9/media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch @@ -0,0 +1,63 @@ +From f27752efe899d94e648970e81162e7c8f4d48dee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 22:59:36 +0200 +Subject: media: rcar_drif: Fix fwnode reference leak when parsing DT + +From: Laurent Pinchart + +[ Upstream commit cdd4f7824994c9254acc6e415750529ea2d2cfe0 ] + +The fwnode reference corresponding to the endpoint is leaked in an error +path of the rcar_drif_parse_subdevs() function. Fix it, and reorganize +fwnode reference handling in the function to release references early, +simplifying error paths. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar_drif.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c +index 3d2451ac347d7..3f1e5cb8b1976 100644 +--- a/drivers/media/platform/rcar_drif.c ++++ b/drivers/media/platform/rcar_drif.c +@@ -1227,28 +1227,22 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr) + if (!ep) + return 0; + ++ /* Get the endpoint properties */ ++ rcar_drif_get_ep_properties(sdr, ep); ++ + fwnode = fwnode_graph_get_remote_port_parent(ep); ++ fwnode_handle_put(ep); + if (!fwnode) { + dev_warn(sdr->dev, "bad remote port parent\n"); +- fwnode_handle_put(ep); + return -EINVAL; + } + + sdr->ep.asd.match.fwnode = fwnode; + sdr->ep.asd.match_type = V4L2_ASYNC_MATCH_FWNODE; + ret = v4l2_async_notifier_add_subdev(notifier, &sdr->ep.asd); +- if (ret) { +- fwnode_handle_put(fwnode); +- return ret; +- } +- +- /* Get the endpoint properties */ +- rcar_drif_get_ep_properties(sdr, ep); +- + fwnode_handle_put(fwnode); +- fwnode_handle_put(ep); + +- return 0; ++ return ret; + } + + /* Check if the given device is the primary bond */ +-- +2.25.1 + diff --git a/queue-5.9/media-revert-media-exynos4-is-add-missed-check-for-p.patch b/queue-5.9/media-revert-media-exynos4-is-add-missed-check-for-p.patch new file mode 100644 index 00000000000..e757b8fcafb --- /dev/null +++ b/queue-5.9/media-revert-media-exynos4-is-add-missed-check-for-p.patch @@ -0,0 +1,47 @@ +From 8cbcf1814ab969520ed231f7da61cf3e528e034d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 17:32:39 +0200 +Subject: media: Revert "media: exynos4-is: Add missed check for + pinctrl_lookup_state()" + +From: Sylwester Nawrocki + +[ Upstream commit 00d21f325d58567d81d9172096692d0a9ea7f725 ] + +The "idle" pinctrl state is optional as documented in the DT binding. +The change introduced by the commit being reverted makes that pinctrl state +mandatory and breaks initialization of the whole media driver, since the +"idle" state is not specified in any mainline dts. + +This reverts commit 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") +to fix the regression. + +Fixes: 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 16dd660137a8d..9a575233e4c1e 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1268,11 +1268,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + if (IS_ERR(pctl->state_default)) + return PTR_ERR(pctl->state_default); + ++ /* PINCTRL_STATE_IDLE is optional */ + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); +- if (IS_ERR(pctl->state_idle)) +- return PTR_ERR(pctl->state_idle); +- + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/media-rockchip-rga-fix-a-reference-count-leak.patch b/queue-5.9/media-rockchip-rga-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..24aabf8989a --- /dev/null +++ b/queue-5.9/media-rockchip-rga-fix-a-reference-count-leak.patch @@ -0,0 +1,38 @@ +From f7a95e153ff2c854922aff8463366d71b8237892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:13:49 +0200 +Subject: media: rockchip/rga: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit 884d638e0853c4b5f01eb6d048fc3b6239012404 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus call pm_runtime_put_noidle() +if pm_runtime_get_sync() fails. + +Fixes: f7e7b48e6d79 ("[media] rockchip/rga: v4l2 m2m support") +Signed-off-by: Qiushi Wu +Reviewed-by: Heiko Stuebner +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rga/rga-buf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/rockchip/rga/rga-buf.c b/drivers/media/platform/rockchip/rga/rga-buf.c +index 36b821ccc1dba..bf9a75b75083b 100644 +--- a/drivers/media/platform/rockchip/rga/rga-buf.c ++++ b/drivers/media/platform/rockchip/rga/rga-buf.c +@@ -81,6 +81,7 @@ static int rga_buf_start_streaming(struct vb2_queue *q, unsigned int count) + + ret = pm_runtime_get_sync(rga->dev); + if (ret < 0) { ++ pm_runtime_put_noidle(rga->dev); + rga_buf_return_buffers(q, VB2_BUF_STATE_QUEUED); + return ret; + } +-- +2.25.1 + diff --git a/queue-5.9/media-s5p-mfc-fix-a-reference-count-leak.patch b/queue-5.9/media-s5p-mfc-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..a2c813ccbea --- /dev/null +++ b/queue-5.9/media-s5p-mfc-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From 52da7b403cd6d010939a7754bd3f398c984177f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:31:22 +0200 +Subject: media: s5p-mfc: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 78741ce98c2e36188e2343434406b0e0bc50b0e7 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Fixes: c5086f130a77 ("[media] s5p-mfc: Use clock gating only on MFC v5 hardware") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +index 7d52431c2c837..62d2320a72186 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +@@ -79,8 +79,10 @@ int s5p_mfc_power_on(void) + int i, ret = 0; + + ret = pm_runtime_get_sync(pm->device); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(pm->device); + return ret; ++ } + + /* clock control */ + for (i = 0; i < pm->num_clocks; i++) { +-- +2.25.1 + diff --git a/queue-5.9/media-saa7134-avoid-a-shift-overflow.patch b/queue-5.9/media-saa7134-avoid-a-shift-overflow.patch new file mode 100644 index 00000000000..ce14c86cdfe --- /dev/null +++ b/queue-5.9/media-saa7134-avoid-a-shift-overflow.patch @@ -0,0 +1,39 @@ +From e16f1e921df7c031d759d523cdf6d9c395885824 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 08:37:12 +0200 +Subject: media: saa7134: avoid a shift overflow + +From: Mauro Carvalho Chehab + +[ Upstream commit 15a36aae1ec1c1f17149b6113b92631791830740 ] + +As reported by smatch: + drivers/media/pci/saa7134//saa7134-tvaudio.c:686 saa_dsp_writel() warn: should 'reg << 2' be a 64 bit type? + +On a 64-bits Kernel, the shift might be bigger than 32 bits. + +In real, this should never happen, but let's shut up the warning. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7134/saa7134-tvaudio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7134/saa7134-tvaudio.c b/drivers/media/pci/saa7134/saa7134-tvaudio.c +index 79e1afb710758..5cc4ef21f9d37 100644 +--- a/drivers/media/pci/saa7134/saa7134-tvaudio.c ++++ b/drivers/media/pci/saa7134/saa7134-tvaudio.c +@@ -683,7 +683,8 @@ int saa_dsp_writel(struct saa7134_dev *dev, int reg, u32 value) + { + int err; + +- audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", reg << 2, value); ++ audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", ++ (reg << 2) & 0xffffffff, value); + err = saa_dsp_wait_bit(dev,SAA7135_DSP_RWSTATE_WRR); + if (err < 0) + return err; +-- +2.25.1 + diff --git a/queue-5.9/media-st-delta-fix-reference-count-leak-in-delta_run.patch b/queue-5.9/media-st-delta-fix-reference-count-leak-in-delta_run.patch new file mode 100644 index 00000000000..cbb5cb59ce3 --- /dev/null +++ b/queue-5.9/media-st-delta-fix-reference-count-leak-in-delta_run.patch @@ -0,0 +1,40 @@ +From b88f9e8f0a03e0f6daf35c205ca0c4c08629ea68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:58:41 +0200 +Subject: media: st-delta: Fix reference count leak in delta_run_work + +From: Aditya Pakki + +[ Upstream commit 57cc666d36adc7b45e37ba4cd7bc4e44ec4c43d7 ] + +delta_run_work() calls delta_get_sync() that increments +the reference counter. In case of failure, decrement the reference +count by calling delta_put_autosuspend(). + +Signed-off-by: Aditya Pakki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/delta/delta-v4l2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sti/delta/delta-v4l2.c b/drivers/media/platform/sti/delta/delta-v4l2.c +index 2503224eeee51..c691b3d81549d 100644 +--- a/drivers/media/platform/sti/delta/delta-v4l2.c ++++ b/drivers/media/platform/sti/delta/delta-v4l2.c +@@ -954,8 +954,10 @@ static void delta_run_work(struct work_struct *work) + /* enable the hardware */ + if (!dec->pm) { + ret = delta_get_sync(ctx); +- if (ret) ++ if (ret) { ++ delta_put_autosuspend(ctx); + goto err; ++ } + } + + /* decode this access unit */ +-- +2.25.1 + diff --git a/queue-5.9/media-staging-intel-ipu3-css-correctly-reset-some-me.patch b/queue-5.9/media-staging-intel-ipu3-css-correctly-reset-some-me.patch new file mode 100644 index 00000000000..84713d21e75 --- /dev/null +++ b/queue-5.9/media-staging-intel-ipu3-css-correctly-reset-some-me.patch @@ -0,0 +1,38 @@ +From 7e0bb37ec531f7b6f3dcf73bca46c549ba09db05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 15:11:24 +0200 +Subject: media: staging/intel-ipu3: css: Correctly reset some memory + +From: Christophe JAILLET + +[ Upstream commit 08913a8e458e03f886a1a1154a6501fcb9344c39 ] + +The intent here is to reset the whole 'scaler_coeffs_luma' array, not just +the first element. + +Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program ccs") +Signed-off-by: Christophe JAILLET +Reviewed-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/ipu3/ipu3-css-params.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging/media/ipu3/ipu3-css-params.c +index fbd53d7c097cd..e9d6bd9e9332a 100644 +--- a/drivers/staging/media/ipu3/ipu3-css-params.c ++++ b/drivers/staging/media/ipu3/ipu3-css-params.c +@@ -159,7 +159,7 @@ imgu_css_scaler_calc(u32 input_width, u32 input_height, u32 target_width, + + memset(&cfg->scaler_coeffs_chroma, 0, + sizeof(cfg->scaler_coeffs_chroma)); +- memset(&cfg->scaler_coeffs_luma, 0, sizeof(*cfg->scaler_coeffs_luma)); ++ memset(&cfg->scaler_coeffs_luma, 0, sizeof(cfg->scaler_coeffs_luma)); + do { + phase_step_correction++; + +-- +2.25.1 + diff --git a/queue-5.9/media-sti-fix-reference-count-leaks.patch b/queue-5.9/media-sti-fix-reference-count-leaks.patch new file mode 100644 index 00000000000..0dbbbc6da5e --- /dev/null +++ b/queue-5.9/media-sti-fix-reference-count-leaks.patch @@ -0,0 +1,45 @@ +From f3e53dd88069f5ca149bb1bc34a5f3dd1d91bd3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:31:06 +0200 +Subject: media: sti: Fix reference count leaks + +From: Qiushi Wu + +[ Upstream commit 6f4432bae9f2d12fc1815b5e26cc07e69bcad0df ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/hva/hva-hw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c +index 401aaafa17109..bb13348be0832 100644 +--- a/drivers/media/platform/sti/hva/hva-hw.c ++++ b/drivers/media/platform/sti/hva/hva-hw.c +@@ -272,6 +272,7 @@ static unsigned long int hva_hw_get_ip_version(struct hva_dev *hva) + + if (pm_runtime_get_sync(dev) < 0) { + dev_err(dev, "%s failed to get pm_runtime\n", HVA_PREFIX); ++ pm_runtime_put_noidle(dev); + mutex_unlock(&hva->protect_mutex); + return -EFAULT; + } +@@ -553,6 +554,7 @@ void hva_hw_dump_regs(struct hva_dev *hva, struct seq_file *s) + + if (pm_runtime_get_sync(dev) < 0) { + seq_puts(s, "Cannot wake up IP\n"); ++ pm_runtime_put_noidle(dev); + mutex_unlock(&hva->protect_mutex); + return; + } +-- +2.25.1 + diff --git a/queue-5.9/media-stm32-dcmi-fix-a-reference-count-leak.patch b/queue-5.9/media-stm32-dcmi-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..9d0523dc986 --- /dev/null +++ b/queue-5.9/media-stm32-dcmi-fix-a-reference-count-leak.patch @@ -0,0 +1,48 @@ +From f06749dda7344d488e8d4f59328dcfc16605db01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:36:59 +0200 +Subject: media: stm32-dcmi: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 88f50a05f907d96a27a9ce3cc9e8cbb91a6f0f22 ] + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count if pm_runtime_put is not +called in error handling paths. Thus replace the jump target +"err_release_buffers" by "err_pm_putw". + +Fixes: 152e0bf60219 ("media: stm32-dcmi: add power saving support") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/stm32/stm32-dcmi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c +index b8931490b83b7..fd1c41cba52fc 100644 +--- a/drivers/media/platform/stm32/stm32-dcmi.c ++++ b/drivers/media/platform/stm32/stm32-dcmi.c +@@ -733,7 +733,7 @@ static int dcmi_start_streaming(struct vb2_queue *vq, unsigned int count) + if (ret < 0) { + dev_err(dcmi->dev, "%s: Failed to start streaming, cannot get sync (%d)\n", + __func__, ret); +- goto err_release_buffers; ++ goto err_pm_put; + } + + ret = media_pipeline_start(&dcmi->vdev->entity, &dcmi->pipeline); +@@ -837,8 +837,6 @@ static int dcmi_start_streaming(struct vb2_queue *vq, unsigned int count) + + err_pm_put: + pm_runtime_put(dcmi->dev); +- +-err_release_buffers: + spin_lock_irq(&dcmi->irqlock); + /* + * Return all buffers to vb2 in QUEUED state. +-- +2.25.1 + diff --git a/queue-5.9/media-tc358743-cleanup-tc358743_cec_isr.patch b/queue-5.9/media-tc358743-cleanup-tc358743_cec_isr.patch new file mode 100644 index 00000000000..d47684c4366 --- /dev/null +++ b/queue-5.9/media-tc358743-cleanup-tc358743_cec_isr.patch @@ -0,0 +1,72 @@ +From 60f4644c855967114728525b005c9a1a723b83f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 20:32:12 +0200 +Subject: media: tc358743: cleanup tc358743_cec_isr + +From: Tom Rix + +[ Upstream commit 877cb8a444dad2304e891294afb0915fe3c278d6 ] + +tc358743_cec_isr is misnammed, it is not the main isr. +So rename it to be consistent with its siblings, +tc358743_cec_handler. + +It also does not check if its input parameter 'handled' is +is non NULL like its siblings, so add a check. + +Fixes: a0ec8d1dc42e ("media: tc358743: add CEC support") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 211caade9f998..cff99cf61ed4d 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -919,8 +919,8 @@ static const struct cec_adap_ops tc358743_cec_adap_ops = { + .adap_monitor_all_enable = tc358743_cec_adap_monitor_all_enable, + }; + +-static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, +- bool *handled) ++static void tc358743_cec_handler(struct v4l2_subdev *sd, u16 intstatus, ++ bool *handled) + { + struct tc358743_state *state = to_state(sd); + unsigned int cec_rxint, cec_txint; +@@ -953,7 +953,8 @@ static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, + cec_transmit_attempt_done(state->cec_adap, + CEC_TX_STATUS_ERROR); + } +- *handled = true; ++ if (handled) ++ *handled = true; + } + if ((intstatus & MASK_CEC_RINT) && + (cec_rxint & MASK_CECRIEND)) { +@@ -968,7 +969,8 @@ static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, + msg.msg[i] = v & 0xff; + } + cec_received_msg(state->cec_adap, &msg); +- *handled = true; ++ if (handled) ++ *handled = true; + } + i2c_wr16(sd, INTSTATUS, + intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)); +@@ -1432,7 +1434,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled) + + #ifdef CONFIG_VIDEO_TC358743_CEC + if (intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)) { +- tc358743_cec_isr(sd, intstatus, handled); ++ tc358743_cec_handler(sd, intstatus, handled); + i2c_wr16(sd, INTSTATUS, + intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)); + intstatus &= ~(MASK_CEC_RINT | MASK_CEC_TINT); +-- +2.25.1 + diff --git a/queue-5.9/media-tc358743-initialize-variable.patch b/queue-5.9/media-tc358743-initialize-variable.patch new file mode 100644 index 00000000000..9fb668893d8 --- /dev/null +++ b/queue-5.9/media-tc358743-initialize-variable.patch @@ -0,0 +1,42 @@ +From c109594904bd864c08c04ef74f64ebed8bb6d3bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Aug 2020 18:30:43 +0200 +Subject: media: tc358743: initialize variable + +From: Tom Rix + +[ Upstream commit 274cf92d5dff5c2fec1a518078542ffe70d07646 ] + +clang static analysis flags this error + +tc358743.c:1468:9: warning: Branch condition evaluates + to a garbage value + return handled ? IRQ_HANDLED : IRQ_NONE; + ^~~~~~~ +handled should be initialized to false. + +Fixes: d747b806abf4 ("[media] tc358743: add direct interrupt handling") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index dbbab75f135ec..211caade9f998 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1461,7 +1461,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled) + static irqreturn_t tc358743_irq_handler(int irq, void *dev_id) + { + struct tc358743_state *state = dev_id; +- bool handled; ++ bool handled = false; + + tc358743_isr(&state->sd, 0, &handled); + +-- +2.25.1 + diff --git a/queue-5.9/media-ti-vpe-fix-a-missing-check-and-reference-count.patch b/queue-5.9/media-ti-vpe-fix-a-missing-check-and-reference-count.patch new file mode 100644 index 00000000000..b86dc8942b2 --- /dev/null +++ b/queue-5.9/media-ti-vpe-fix-a-missing-check-and-reference-count.patch @@ -0,0 +1,42 @@ +From a6898588f4b5d3c9e21da908717e5ebcdc3ab15b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:56:05 +0200 +Subject: media: ti-vpe: Fix a missing check and reference count leak + +From: Qiushi Wu + +[ Upstream commit 7dae2aaaf432767ca7aa11fa84643a7c2600dbdd ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +And also, when the call of function vpe_runtime_get() failed, +we won't call vpe_runtime_put(). +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails +inside vpe_runtime_get(). + +Fixes: 4571912743ac ("[media] v4l: ti-vpe: Add VPE mem to mem driver") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index 346f8212791cf..779dd74b82d01 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -2475,6 +2475,8 @@ static int vpe_runtime_get(struct platform_device *pdev) + + r = pm_runtime_get_sync(&pdev->dev); + WARN_ON(r < 0); ++ if (r) ++ pm_runtime_put_noidle(&pdev->dev); + return r < 0 ? r : 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/media-tuner-simple-fix-regression-in-simple_set_radi.patch b/queue-5.9/media-tuner-simple-fix-regression-in-simple_set_radi.patch new file mode 100644 index 00000000000..601dea407c3 --- /dev/null +++ b/queue-5.9/media-tuner-simple-fix-regression-in-simple_set_radi.patch @@ -0,0 +1,66 @@ +From 635e7bbec7b6757e0d7e68798d900b835f7dfa3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 23:15:47 +0200 +Subject: media: tuner-simple: fix regression in simple_set_radio_freq + +From: Tom Rix + +[ Upstream commit 505bfc2a142f12ce7bc7a878b44abc3496f2e747 ] + +clang static analysis reports this problem + +tuner-simple.c:714:13: warning: Assigned value is + garbage or undefined + buffer[1] = buffer[3]; + ^ ~~~~~~~~~ +In simple_set_radio_freq buffer[3] used to be done +in-function with a switch of tuner type, now done +by a call to simple_radio_bandswitch which has this case + + case TUNER_TENA_9533_DI: + case TUNER_YMEC_TVF_5533MF: + tuner_dbg("This tuner doesn't ... + return 0; + +which does not set buffer[3]. In the old logic, this case +would have returned 0 from simple_set_radio_freq. + +Recover this old behavior by returning an error for this +codition. Since the old simple_set_radio_freq behavior +returned a 0, do the same. + +Fixes: c7a9f3aa1e1b ("V4L/DVB (7129): tuner-simple: move device-specific code into three separate functions") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/tuner-simple.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/tuners/tuner-simple.c b/drivers/media/tuners/tuner-simple.c +index b6e70fada3fb2..8fb186b25d6af 100644 +--- a/drivers/media/tuners/tuner-simple.c ++++ b/drivers/media/tuners/tuner-simple.c +@@ -500,7 +500,7 @@ static int simple_radio_bandswitch(struct dvb_frontend *fe, u8 *buffer) + case TUNER_TENA_9533_DI: + case TUNER_YMEC_TVF_5533MF: + tuner_dbg("This tuner doesn't have FM. Most cards have a TEA5767 for FM\n"); +- return 0; ++ return -EINVAL; + case TUNER_PHILIPS_FM1216ME_MK3: + case TUNER_PHILIPS_FM1236_MK3: + case TUNER_PHILIPS_FMD1216ME_MK3: +@@ -702,7 +702,8 @@ static int simple_set_radio_freq(struct dvb_frontend *fe, + TUNER_RATIO_SELECT_50; /* 50 kHz step */ + + /* Bandswitch byte */ +- simple_radio_bandswitch(fe, &buffer[0]); ++ if (simple_radio_bandswitch(fe, &buffer[0])) ++ return 0; + + /* Convert from 1/16 kHz V4L steps to 1/20 MHz (=50 kHz) PLL steps + freq * (1 Mhz / 16000 V4L steps) * (20 PLL steps / 1 MHz) = +-- +2.25.1 + diff --git a/queue-5.9/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch b/queue-5.9/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch new file mode 100644 index 00000000000..22e6215f7bf --- /dev/null +++ b/queue-5.9/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch @@ -0,0 +1,84 @@ +From cfcc1ab6c7aeee8ed3a5580a4a245e7e5f6e6e45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 03:21:33 +0200 +Subject: media: uvcvideo: Ensure all probed info is returned to v4l2 + +From: Adam Goode + +[ Upstream commit 8a652a17e3c005dcdae31b6c8fdf14382a29cbbe ] + +bFrameIndex and bFormatIndex can be negotiated by the camera during +probing, resulting in the camera choosing a different format than +expected. v4l2 can already accommodate such changes, but the code was +not updating the proper fields. + +Without such a change, v4l2 would potentially interpret the payload +incorrectly, causing corrupted output. This was happening on the +Elgato HD60 S+, which currently always renegotiates to format 1. + +As an aside, the Elgato firmware is buggy and should not be renegotating, +but it is still a valid thing for the camera to do. Both macOS and Windows +will properly probe and read uncorrupted images from this camera. + +With this change, both qv4l2 and chromium can now read uncorrupted video +from the Elgato HD60 S+. + +[Add blank lines, remove periods at the of messages] + +Signed-off-by: Adam Goode +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 0335e69b70abe..5e6f3153b5ff8 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -247,11 +247,41 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + if (ret < 0) + goto done; + ++ /* After the probe, update fmt with the values returned from ++ * negotiation with the device. ++ */ ++ for (i = 0; i < stream->nformats; ++i) { ++ if (probe->bFormatIndex == stream->format[i].index) { ++ format = &stream->format[i]; ++ break; ++ } ++ } ++ ++ if (i == stream->nformats) { ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n", ++ probe->bFormatIndex); ++ return -EINVAL; ++ } ++ ++ for (i = 0; i < format->nframes; ++i) { ++ if (probe->bFrameIndex == format->frame[i].bFrameIndex) { ++ frame = &format->frame[i]; ++ break; ++ } ++ } ++ ++ if (i == format->nframes) { ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n", ++ probe->bFrameIndex); ++ return -EINVAL; ++ } ++ + fmt->fmt.pix.width = frame->wWidth; + fmt->fmt.pix.height = frame->wHeight; + fmt->fmt.pix.field = V4L2_FIELD_NONE; + fmt->fmt.pix.bytesperline = uvc_v4l2_get_bytesperline(format, frame); + fmt->fmt.pix.sizeimage = probe->dwMaxVideoFrameSize; ++ fmt->fmt.pix.pixelformat = format->fcc; + fmt->fmt.pix.colorspace = format->colorspace; + + if (uvc_format != NULL) +-- +2.25.1 + diff --git a/queue-5.9/media-uvcvideo-set-media-controller-entity-functions.patch b/queue-5.9/media-uvcvideo-set-media-controller-entity-functions.patch new file mode 100644 index 00000000000..4fecb0848df --- /dev/null +++ b/queue-5.9/media-uvcvideo-set-media-controller-entity-functions.patch @@ -0,0 +1,78 @@ +From 525dabed72ca94a14aa91eddbeefbe1e610c365b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Jun 2020 04:05:49 +0200 +Subject: media: uvcvideo: Set media controller entity functions + +From: Laurent Pinchart + +[ Upstream commit d6834b4b58d110814aaf3469e7fd87d34ae5ae81 ] + +The media controller core prints a warning when an entity is registered +without a function being set. This affects the uvcvideo driver, as the +warning was added without first addressing the issue in existing +drivers. The problem is harmless, but unnecessarily worries users. Fix +it by mapping UVC entity types to MC entity functions as accurately as +possible using the existing functions. + +Fixes: b50bde4e476d ("[media] v4l2-subdev: use MEDIA_ENT_T_UNKNOWN for new subdevs") +Signed-off-by: Laurent Pinchart +Reviewed-by: Kieran Bingham +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_entity.c | 35 ++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_entity.c b/drivers/media/usb/uvc/uvc_entity.c +index b4499cddeffe5..ca3a9c2eec271 100644 +--- a/drivers/media/usb/uvc/uvc_entity.c ++++ b/drivers/media/usb/uvc/uvc_entity.c +@@ -73,10 +73,45 @@ static int uvc_mc_init_entity(struct uvc_video_chain *chain, + int ret; + + if (UVC_ENTITY_TYPE(entity) != UVC_TT_STREAMING) { ++ u32 function; ++ + v4l2_subdev_init(&entity->subdev, &uvc_subdev_ops); + strscpy(entity->subdev.name, entity->name, + sizeof(entity->subdev.name)); + ++ switch (UVC_ENTITY_TYPE(entity)) { ++ case UVC_VC_SELECTOR_UNIT: ++ function = MEDIA_ENT_F_VID_MUX; ++ break; ++ case UVC_VC_PROCESSING_UNIT: ++ case UVC_VC_EXTENSION_UNIT: ++ /* For lack of a better option. */ ++ function = MEDIA_ENT_F_PROC_VIDEO_PIXEL_FORMATTER; ++ break; ++ case UVC_COMPOSITE_CONNECTOR: ++ case UVC_COMPONENT_CONNECTOR: ++ function = MEDIA_ENT_F_CONN_COMPOSITE; ++ break; ++ case UVC_SVIDEO_CONNECTOR: ++ function = MEDIA_ENT_F_CONN_SVIDEO; ++ break; ++ case UVC_ITT_CAMERA: ++ function = MEDIA_ENT_F_CAM_SENSOR; ++ break; ++ case UVC_TT_VENDOR_SPECIFIC: ++ case UVC_ITT_VENDOR_SPECIFIC: ++ case UVC_ITT_MEDIA_TRANSPORT_INPUT: ++ case UVC_OTT_VENDOR_SPECIFIC: ++ case UVC_OTT_DISPLAY: ++ case UVC_OTT_MEDIA_TRANSPORT_OUTPUT: ++ case UVC_EXTERNAL_VENDOR_SPECIFIC: ++ default: ++ function = MEDIA_ENT_F_V4L2_SUBDEV_UNKNOWN; ++ break; ++ } ++ ++ entity->subdev.entity.function = function; ++ + ret = media_entity_pads_init(&entity->subdev.entity, + entity->num_pads, entity->pads); + +-- +2.25.1 + diff --git a/queue-5.9/media-uvcvideo-silence-shift-out-of-bounds-warning.patch b/queue-5.9/media-uvcvideo-silence-shift-out-of-bounds-warning.patch new file mode 100644 index 00000000000..4489e3a6810 --- /dev/null +++ b/queue-5.9/media-uvcvideo-silence-shift-out-of-bounds-warning.patch @@ -0,0 +1,54 @@ +From d30ed1f6667df18b497cdaffd587b19a62514884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 01:56:49 +0200 +Subject: media: uvcvideo: Silence shift-out-of-bounds warning + +From: Laurent Pinchart + +[ Upstream commit 171994e498a0426cbe17f874c5c6af3c0af45200 ] + +UBSAN reports a shift-out-of-bounds warning in uvc_get_le_value(). The +report is correct, but the issue should be harmless as the computed +value isn't used when the shift is negative. This may however cause +incorrect behaviour if a negative shift could generate adverse side +effects (such as a trap on some architectures for instance). + +Regardless of whether that may happen or not, silence the warning as a +full WARN backtrace isn't nice. + +Reported-by: Bart Van Assche +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Signed-off-by: Laurent Pinchart +Reviewed-by: Bart Van Assche +Tested-by: Bart Van Assche +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_ctrl.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c +index e399b9fad7574..a30a8a731eda8 100644 +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -773,12 +773,16 @@ static s32 uvc_get_le_value(struct uvc_control_mapping *mapping, + offset &= 7; + mask = ((1LL << bits) - 1) << offset; + +- for (; bits > 0; data++) { ++ while (1) { + u8 byte = *data & mask; + value |= offset > 0 ? (byte >> offset) : (byte << (-offset)); + bits -= 8 - (offset > 0 ? offset : 0); ++ if (bits <= 0) ++ break; ++ + offset -= 8; + mask = (1 << bits) - 1; ++ data++; + } + + /* Sign-extend the value if needed. */ +-- +2.25.1 + diff --git a/queue-5.9/media-venus-core-fix-error-handling-in-probe.patch b/queue-5.9/media-venus-core-fix-error-handling-in-probe.patch new file mode 100644 index 00000000000..6d73d5459cc --- /dev/null +++ b/queue-5.9/media-venus-core-fix-error-handling-in-probe.patch @@ -0,0 +1,72 @@ +From 0e2108612e0580f70b88e6cea226be1b0bd93051 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 09:16:42 +0200 +Subject: media: venus: core: Fix error handling in probe + +From: Rajendra Nayak + +[ Upstream commit 98cd831088c64aa8fe7e1d2a8bb94b6faba0462b ] + +Post a successful pm_ops->core_get, an error in probe +should exit by doing a pm_ops->core_put which seems +to be missing. So fix it. + +Signed-off-by: Rajendra Nayak +Reviewed-by: Bjorn Andersson +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index 203c6538044fb..bfcaba37d60fe 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -224,13 +224,15 @@ static int venus_probe(struct platform_device *pdev) + + ret = dma_set_mask_and_coherent(dev, core->res->dma_mask); + if (ret) +- return ret; ++ goto err_core_put; + + if (!dev->dma_parms) { + dev->dma_parms = devm_kzalloc(dev, sizeof(*dev->dma_parms), + GFP_KERNEL); +- if (!dev->dma_parms) +- return -ENOMEM; ++ if (!dev->dma_parms) { ++ ret = -ENOMEM; ++ goto err_core_put; ++ } + } + dma_set_max_seg_size(dev, DMA_BIT_MASK(32)); + +@@ -242,11 +244,11 @@ static int venus_probe(struct platform_device *pdev) + IRQF_TRIGGER_HIGH | IRQF_ONESHOT, + "venus", core); + if (ret) +- return ret; ++ goto err_core_put; + + ret = hfi_create(core, &venus_core_ops); + if (ret) +- return ret; ++ goto err_core_put; + + pm_runtime_enable(dev); + +@@ -302,6 +304,9 @@ static int venus_probe(struct platform_device *pdev) + pm_runtime_set_suspended(dev); + pm_runtime_disable(dev); + hfi_destroy(core); ++err_core_put: ++ if (core->pm_ops->core_put) ++ core->pm_ops->core_put(dev); + return ret; + } + +-- +2.25.1 + diff --git a/queue-5.9/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch b/queue-5.9/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch new file mode 100644 index 00000000000..501ff461425 --- /dev/null +++ b/queue-5.9/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch @@ -0,0 +1,53 @@ +From 7b7ce314e42d257deef81ba80895c2140cf99c30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jun 2020 07:55:23 +0200 +Subject: media: venus: core: Fix runtime PM imbalance in venus_probe + +From: Dinghao Liu + +[ Upstream commit bbe516e976fce538db96bd2b7287df942faa14a3 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. For other error +paths after this call, things are the same. + +Fix this by adding pm_runtime_put_noidle() after 'err_runtime_disable' +label. But in this case, the error path after pm_runtime_put_sync() +will decrease PM usage counter twice. Thus add an extra +pm_runtime_get_noresume() in this path to balance PM counter. + +Signed-off-by: Dinghao Liu +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index bfcaba37d60fe..321ad77cb6cf4 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -289,8 +289,10 @@ static int venus_probe(struct platform_device *pdev) + goto err_core_deinit; + + ret = pm_runtime_put_sync(dev); +- if (ret) ++ if (ret) { ++ pm_runtime_get_noresume(dev); + goto err_dev_unregister; ++ } + + return 0; + +@@ -301,6 +303,7 @@ static int venus_probe(struct platform_device *pdev) + err_venus_shutdown: + venus_shutdown(core); + err_runtime_disable: ++ pm_runtime_put_noidle(dev); + pm_runtime_set_suspended(dev); + pm_runtime_disable(dev); + hfi_destroy(core); +-- +2.25.1 + diff --git a/queue-5.9/media-venus-fixes-for-list-corruption.patch b/queue-5.9/media-venus-fixes-for-list-corruption.patch new file mode 100644 index 00000000000..09fd113b185 --- /dev/null +++ b/queue-5.9/media-venus-fixes-for-list-corruption.patch @@ -0,0 +1,79 @@ +From 41ba8be99299d8b4013083036ad3a681d34de1d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 13:48:45 +0200 +Subject: media: venus: fixes for list corruption + +From: Vikash Garodia + +[ Upstream commit e1c69c4eef61ffe295b747992c6fd849e6cd747d ] + +There are few list handling issues while adding and deleting +node in the registered buf list in the driver. +1. list addition - buffer added into the list during buf_init +while not deleted during cleanup. +2. list deletion - In capture streamoff, the list was reinitialized. +As a result, if any node was present in the list, it would +lead to issue while cleaning up that node during buf_cleanup. + +Corresponding call traces below: +[ 165.751014] Call trace: +[ 165.753541] __list_add_valid+0x58/0x88 +[ 165.757532] venus_helper_vb2_buf_init+0x74/0xa8 [venus_core] +[ 165.763450] vdec_buf_init+0x34/0xb4 [venus_dec] +[ 165.768271] __buf_prepare+0x598/0x8a0 [videobuf2_common] +[ 165.773820] vb2_core_qbuf+0xb4/0x334 [videobuf2_common] +[ 165.779298] vb2_qbuf+0x78/0xb8 [videobuf2_v4l2] +[ 165.784053] v4l2_m2m_qbuf+0x80/0xf8 [v4l2_mem2mem] +[ 165.789067] v4l2_m2m_ioctl_qbuf+0x2c/0x38 [v4l2_mem2mem] +[ 165.794624] v4l_qbuf+0x48/0x58 + +[ 1797.556001] Call trace: +[ 1797.558516] __list_del_entry_valid+0x88/0x9c +[ 1797.562989] vdec_buf_cleanup+0x54/0x228 [venus_dec] +[ 1797.568088] __buf_prepare+0x270/0x8a0 [videobuf2_common] +[ 1797.573625] vb2_core_qbuf+0xb4/0x338 [videobuf2_common] +[ 1797.579082] vb2_qbuf+0x78/0xb8 [videobuf2_v4l2] +[ 1797.583830] v4l2_m2m_qbuf+0x80/0xf8 [v4l2_mem2mem] +[ 1797.588843] v4l2_m2m_ioctl_qbuf+0x2c/0x38 [v4l2_mem2mem] +[ 1797.594389] v4l_qbuf+0x48/0x58 + +Signed-off-by: Vikash Garodia +Reviewed-by: Fritz Koenig +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/vdec.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c +index 7c4c483d54389..76be14efbfb09 100644 +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -1088,8 +1088,6 @@ static int vdec_stop_capture(struct venus_inst *inst) + break; + } + +- INIT_LIST_HEAD(&inst->registeredbufs); +- + return ret; + } + +@@ -1189,6 +1187,14 @@ static int vdec_buf_init(struct vb2_buffer *vb) + static void vdec_buf_cleanup(struct vb2_buffer *vb) + { + struct venus_inst *inst = vb2_get_drv_priv(vb->vb2_queue); ++ struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); ++ struct venus_buffer *buf = to_venus_buffer(vbuf); ++ ++ mutex_lock(&inst->lock); ++ if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) ++ if (!list_empty(&inst->registeredbufs)) ++ list_del_init(&buf->reg_list); ++ mutex_unlock(&inst->lock); + + inst->buf_count--; + if (!inst->buf_count) +-- +2.25.1 + diff --git a/queue-5.9/media-vivid-fix-global-out-of-bounds-read-in-precalc.patch b/queue-5.9/media-vivid-fix-global-out-of-bounds-read-in-precalc.patch new file mode 100644 index 00000000000..0a887cdac19 --- /dev/null +++ b/queue-5.9/media-vivid-fix-global-out-of-bounds-read-in-precalc.patch @@ -0,0 +1,53 @@ +From c8df67bd3406a3649eedcbafb5603f961e7a16c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 14:46:45 +0200 +Subject: media: vivid: Fix global-out-of-bounds read in precalculate_color() + +From: Peilin Ye + +[ Upstream commit e3158a5e7e661786b3ab650c7e4d21024e8eff0f ] + +vivid_meta_out_process() is setting `brightness`, `contrast`, `saturation` +and `hue` using tpg_s_*(). This is wrong, since tpg_s_*() do not provide +range checks. Using tpg_s_*() here also makes the control framework +out-of-sync with the actual values. Use v4l2_ctrl_s_ctrl() instead. + +This issue has been reported by syzbot as an out-of-bounds read bug in +precalculate_color(). + +Reported-and-tested-by: syzbot+02d9172bf4c43104cd70@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=02d9172bf4c43104cd70 + +Fixes: 746facd39370 ("media: vivid: Add metadata output support") +Suggested-by: Hans Verkuil +Signed-off-by: Peilin Ye +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/test-drivers/vivid/vivid-meta-out.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/test-drivers/vivid/vivid-meta-out.c b/drivers/media/test-drivers/vivid/vivid-meta-out.c +index ff8a039aba72e..95835b52b58fc 100644 +--- a/drivers/media/test-drivers/vivid/vivid-meta-out.c ++++ b/drivers/media/test-drivers/vivid/vivid-meta-out.c +@@ -164,10 +164,11 @@ void vivid_meta_out_process(struct vivid_dev *dev, + { + struct vivid_meta_out_buf *meta = vb2_plane_vaddr(&buf->vb.vb2_buf, 0); + +- tpg_s_brightness(&dev->tpg, meta->brightness); +- tpg_s_contrast(&dev->tpg, meta->contrast); +- tpg_s_saturation(&dev->tpg, meta->saturation); +- tpg_s_hue(&dev->tpg, meta->hue); ++ v4l2_ctrl_s_ctrl(dev->brightness, meta->brightness); ++ v4l2_ctrl_s_ctrl(dev->contrast, meta->contrast); ++ v4l2_ctrl_s_ctrl(dev->saturation, meta->saturation); ++ v4l2_ctrl_s_ctrl(dev->hue, meta->hue); ++ + dprintk(dev, 2, " %s brightness %u contrast %u saturation %u hue %d\n", + __func__, meta->brightness, meta->contrast, + meta->saturation, meta->hue); +-- +2.25.1 + diff --git a/queue-5.9/media-vsp1-fix-runtime-pm-imbalance-on-error.patch b/queue-5.9/media-vsp1-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..297b3276a58 --- /dev/null +++ b/queue-5.9/media-vsp1-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,59 @@ +From 4d59c248f187a43420ff1e95769c4d78f7068ae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 07:29:19 +0200 +Subject: media: vsp1: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit 98fae901c8883640202802174a4bd70a1b9118bd ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Reviewed-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vsp1/vsp1_drv.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/vsp1/vsp1_drv.c b/drivers/media/platform/vsp1/vsp1_drv.c +index c650e45bb0ad1..dc62533cf32ce 100644 +--- a/drivers/media/platform/vsp1/vsp1_drv.c ++++ b/drivers/media/platform/vsp1/vsp1_drv.c +@@ -562,7 +562,12 @@ int vsp1_device_get(struct vsp1_device *vsp1) + int ret; + + ret = pm_runtime_get_sync(vsp1->dev); +- return ret < 0 ? ret : 0; ++ if (ret < 0) { ++ pm_runtime_put_noidle(vsp1->dev); ++ return ret; ++ } ++ ++ return 0; + } + + /* +@@ -845,12 +850,12 @@ static int vsp1_probe(struct platform_device *pdev) + /* Configure device parameters based on the version register. */ + pm_runtime_enable(&pdev->dev); + +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = vsp1_device_get(vsp1); + if (ret < 0) + goto done; + + vsp1->version = vsp1_read(vsp1, VI6_IP_VERSION); +- pm_runtime_put_sync(&pdev->dev); ++ vsp1_device_put(vsp1); + + for (i = 0; i < ARRAY_SIZE(vsp1_device_infos); ++i) { + if ((vsp1->version & VI6_IP_VERSION_MODEL_MASK) == +-- +2.25.1 + diff --git a/queue-5.9/memory-brcmstb_dpfe-fix-array-index-out-of-bounds.patch b/queue-5.9/memory-brcmstb_dpfe-fix-array-index-out-of-bounds.patch new file mode 100644 index 00000000000..8611d76c04f --- /dev/null +++ b/queue-5.9/memory-brcmstb_dpfe-fix-array-index-out-of-bounds.patch @@ -0,0 +1,88 @@ +From 55c89a7163661debe7806e507310263197692ea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 13:50:00 -0700 +Subject: memory: brcmstb_dpfe: fix array index out of bounds + +From: Markus Mayer + +[ Upstream commit f42ae4bbf94c15aa720afb9d176ecbfe140d792e ] + +We would overrun the error_text array if we hit a TIMEOUT condition, +because we were using the error code "ETIMEDOUT" (which is 110) as an +array index. + +We fix the problem by correcting the array index and by providing a +function to retrieve error messages rather than accessing the array +directly. The function includes a bounds check that prevents the array +from being overrun. + +Link: https://lore.kernel.org/linux-arm-kernel/38d00022-730c-948a-917c-d86382df8cb9@canonical.com/ +Link: https://lore.kernel.org/r/20200822205000.15841-1-mmayer@broadcom.com +Fixes: 2f330caff577 ("memory: brcmstb: Add driver for DPFE") +Reported-by: Colin Ian King +Signed-off-by: Markus Mayer +Acked-by: Florian Fainelli +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/brcmstb_dpfe.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c +index 60e8633b11758..ddff687c79eaa 100644 +--- a/drivers/memory/brcmstb_dpfe.c ++++ b/drivers/memory/brcmstb_dpfe.c +@@ -188,11 +188,6 @@ struct brcmstb_dpfe_priv { + struct mutex lock; + }; + +-static const char * const error_text[] = { +- "Success", "Header code incorrect", "Unknown command or argument", +- "Incorrect checksum", "Malformed command", "Timed out", +-}; +- + /* + * Forward declaration of our sysfs attribute functions, so we can declare the + * attribute data structures early. +@@ -307,6 +302,20 @@ static const struct dpfe_api dpfe_api_v3 = { + }, + }; + ++static const char *get_error_text(unsigned int i) ++{ ++ static const char * const error_text[] = { ++ "Success", "Header code incorrect", ++ "Unknown command or argument", "Incorrect checksum", ++ "Malformed command", "Timed out", "Unknown error", ++ }; ++ ++ if (unlikely(i >= ARRAY_SIZE(error_text))) ++ i = ARRAY_SIZE(error_text) - 1; ++ ++ return error_text[i]; ++} ++ + static bool is_dcpu_enabled(struct brcmstb_dpfe_priv *priv) + { + u32 val; +@@ -445,7 +454,7 @@ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd, + } + if (resp != 0) { + mutex_unlock(&priv->lock); +- return -ETIMEDOUT; ++ return -ffs(DCPU_RET_ERR_TIMEDOUT); + } + + /* Compute checksum over the message */ +@@ -691,7 +700,7 @@ static ssize_t generic_show(unsigned int command, u32 response[], + + ret = __send_command(priv, command, response); + if (ret < 0) +- return sprintf(buf, "ERROR: %s\n", error_text[-ret]); ++ return sprintf(buf, "ERROR: %s\n", get_error_text(-ret)); + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.9/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch b/queue-5.9/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch new file mode 100644 index 00000000000..17cd54b5751 --- /dev/null +++ b/queue-5.9/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch @@ -0,0 +1,40 @@ +From 3d1e966b6799316d4dab31f35cd192fae7f0e09c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:33:15 +0200 +Subject: memory: fsl-corenet-cf: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit dd85345abca60a8916617e8d75c0f9ce334336dd ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: 54afbec0d57f ("memory: Freescale CoreNet Coherency Fabric error reporting driver") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200827073315.29351-1-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/memory/fsl-corenet-cf.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/memory/fsl-corenet-cf.c b/drivers/memory/fsl-corenet-cf.c +index 0b0ed72016da8..0309bd5a18008 100644 +--- a/drivers/memory/fsl-corenet-cf.c ++++ b/drivers/memory/fsl-corenet-cf.c +@@ -211,10 +211,8 @@ static int ccf_probe(struct platform_device *pdev) + dev_set_drvdata(&pdev->dev, ccf); + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "%s: no irq\n", __func__); +- return -ENXIO; +- } ++ if (irq < 0) ++ return irq; + + ret = devm_request_irq(&pdev->dev, irq, ccf_irq, 0, pdev->name, ccf); + if (ret) { +-- +2.25.1 + diff --git a/queue-5.9/memory-omap-gpmc-fix-a-couple-off-by-ones.patch b/queue-5.9/memory-omap-gpmc-fix-a-couple-off-by-ones.patch new file mode 100644 index 00000000000..50257093de8 --- /dev/null +++ b/queue-5.9/memory-omap-gpmc-fix-a-couple-off-by-ones.patch @@ -0,0 +1,48 @@ +From 83d166c783e88384b7e880e6ba8f6c14fa440440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 13:47:07 +0300 +Subject: memory: omap-gpmc: Fix a couple off by ones + +From: Dan Carpenter + +[ Upstream commit 4c54228ac8fd55044195825873c50a524131fa53 ] + +These comparisons should be >= instead of > to prevent reading one +element beyond the end of the gpmc_cs[] array. + +Fixes: cdd6928c589a ("ARM: OMAP2+: Add device-tree support for NOR flash") +Fixes: f37e4580c409 ("ARM: OMAP2: Dynamic allocator for GPMC memory space") +Signed-off-by: Dan Carpenter +Acked-by: Roger Quadros +Link: https://lore.kernel.org/r/20200825104707.GB278587@mwanda +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index ca0097664b125..1e6d6e9434c8b 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -943,7 +943,7 @@ static int gpmc_cs_remap(int cs, u32 base) + int ret; + u32 old_base, size; + +- if (cs > gpmc_cs_num) { ++ if (cs >= gpmc_cs_num) { + pr_err("%s: requested chip-select is disabled\n", __func__); + return -ENODEV; + } +@@ -978,7 +978,7 @@ int gpmc_cs_request(int cs, unsigned long size, unsigned long *base) + struct resource *res = &gpmc->mem; + int r = -1; + +- if (cs > gpmc_cs_num) { ++ if (cs >= gpmc_cs_num) { + pr_err("%s: requested chip-select is disabled\n", __func__); + return -ENODEV; + } +-- +2.25.1 + diff --git a/queue-5.9/memory-omap-gpmc-fix-build-error-without-config_of.patch b/queue-5.9/memory-omap-gpmc-fix-build-error-without-config_of.patch new file mode 100644 index 00000000000..bdaa9077bb1 --- /dev/null +++ b/queue-5.9/memory-omap-gpmc-fix-build-error-without-config_of.patch @@ -0,0 +1,45 @@ +From ecc78fb36f2fc93e8ea921238474d72c1d3b25d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 20:53:16 +0800 +Subject: memory: omap-gpmc: Fix build error without CONFIG_OF + +From: YueHaibing + +[ Upstream commit 13d029ee51da365aa9c859db0c7395129252bde8 ] + +If CONFIG_OF is n, gcc fails: + +drivers/memory/omap-gpmc.o: In function `gpmc_omap_onenand_set_timings': + omap-gpmc.c:(.text+0x2a88): undefined reference to `gpmc_read_settings_dt' + +Add gpmc_read_settings_dt() helper function, which zero the gpmc_settings +so the caller doesn't proceed with random/invalid settings. + +Fixes: a758f50f10cf ("mtd: onenand: omap2: Configure driver from DT") +Signed-off-by: YueHaibing +Acked-by: Roger Quadros +Link: https://lore.kernel.org/r/20200827125316.20780-1-yuehaibing@huawei.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index 1e6d6e9434c8b..057666e1b6cda 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -2265,6 +2265,10 @@ static void gpmc_probe_dt_children(struct platform_device *pdev) + } + } + #else ++void gpmc_read_settings_dt(struct device_node *np, struct gpmc_settings *p) ++{ ++ memset(p, 0, sizeof(*p)); ++} + static int gpmc_probe_dt(struct platform_device *pdev) + { + return 0; +-- +2.25.1 + diff --git a/queue-5.9/mfd-sm501-fix-leaks-in-probe.patch b/queue-5.9/mfd-sm501-fix-leaks-in-probe.patch new file mode 100644 index 00000000000..81a5a290f15 --- /dev/null +++ b/queue-5.9/mfd-sm501-fix-leaks-in-probe.patch @@ -0,0 +1,42 @@ +From ddb3f45243d465045177568710295caf1882254b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 14:33:26 +0300 +Subject: mfd: sm501: Fix leaks in probe() + +From: Dan Carpenter + +[ Upstream commit 8ce24f8967df2836b4557a23e74dc4bb098249f1 ] + +This code should clean up if sm501_init_dev() fails. + +Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index ccd62b9639528..6d2f4a0a901dc 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -1415,8 +1415,14 @@ static int sm501_plat_probe(struct platform_device *dev) + goto err_claim; + } + +- return sm501_init_dev(sm); ++ ret = sm501_init_dev(sm); ++ if (ret) ++ goto err_unmap; ++ ++ return 0; + ++ err_unmap: ++ iounmap(sm->regs); + err_claim: + release_mem_region(sm->io_res->start, 0x100); + err_res: +-- +2.25.1 + diff --git a/queue-5.9/mfd-syscon-don-t-free-allocated-name-for-regmap_conf.patch b/queue-5.9/mfd-syscon-don-t-free-allocated-name-for-regmap_conf.patch new file mode 100644 index 00000000000..c67be7d3680 --- /dev/null +++ b/queue-5.9/mfd-syscon-don-t-free-allocated-name-for-regmap_conf.patch @@ -0,0 +1,49 @@ +From 165723a5be74866f65f01a3cf2354395388db967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 17:02:37 +0100 +Subject: mfd: syscon: Don't free allocated name for regmap_config + +From: Marc Zyngier + +[ Upstream commit 529a1101212a785c5df92c314b0e718287150c3b ] + +The name allocated for the regmap_config structure is freed +pretty early, right after the registration of the MMIO region. + +Unfortunately, that doesn't follow the life cycle that debugfs +expects, as it can access the name field long after the free +has occurred. + +Move the free on the error path, and keep it forever otherwise. + +Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") +Signed-off-by: Marc Zyngier +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/syscon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c +index df5cebb372a59..ca465794ea9c8 100644 +--- a/drivers/mfd/syscon.c ++++ b/drivers/mfd/syscon.c +@@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) + syscon_config.max_register = resource_size(&res) - reg_io_width; + + regmap = regmap_init_mmio(NULL, base, &syscon_config); +- kfree(syscon_config.name); + if (IS_ERR(regmap)) { + pr_err("regmap init failed\n"); + ret = PTR_ERR(regmap); +@@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) + regmap_exit(regmap); + err_regmap: + iounmap(base); ++ kfree(syscon_config.name); + err_map: + kfree(syscon); + return ERR_PTR(ret); +-- +2.25.1 + diff --git a/queue-5.9/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch b/queue-5.9/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch new file mode 100644 index 00000000000..926cfb448d1 --- /dev/null +++ b/queue-5.9/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch @@ -0,0 +1,63 @@ +From d0cc2a4af57b1c1c3b89c95c8b3bb0c977ac5ea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 17:11:06 +0800 +Subject: mic: vop: copy data to kernel space then write to io memory + +From: Sherry Sun + +[ Upstream commit 675f0ad4046946e80412896436164d172cd92238 ] + +Read and write io memory should address align on ARCH ARM. Change to use +memcpy_toio to avoid kernel panic caused by the address un-align issue. + +Signed-off-by: Sherry Sun +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20200929091106.24624-5-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/vop/vop_vringh.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c +index 30eac172f0170..d069947b09345 100644 +--- a/drivers/misc/mic/vop/vop_vringh.c ++++ b/drivers/misc/mic/vop/vop_vringh.c +@@ -602,6 +602,7 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf, + size_t partlen; + bool dma = VOP_USE_DMA && vi->dma_ch; + int err = 0; ++ size_t offset = 0; + + if (dma) { + dma_alignment = 1 << vi->dma_ch->device->copy_align; +@@ -655,13 +656,20 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf, + * We are copying to IO below and should ideally use something + * like copy_from_user_toio(..) if it existed. + */ +- if (copy_from_user((void __force *)dbuf, ubuf, len)) { +- err = -EFAULT; +- dev_err(vop_dev(vdev), "%s %d err %d\n", +- __func__, __LINE__, err); +- goto err; ++ while (len) { ++ partlen = min_t(size_t, len, VOP_INT_DMA_BUF_SIZE); ++ ++ if (copy_from_user(vvr->buf, ubuf + offset, partlen)) { ++ err = -EFAULT; ++ dev_err(vop_dev(vdev), "%s %d err %d\n", ++ __func__, __LINE__, err); ++ goto err; ++ } ++ memcpy_toio(dbuf + offset, vvr->buf, partlen); ++ offset += partlen; ++ vdev->out_bytes += partlen; ++ len -= partlen; + } +- vdev->out_bytes += len; + err = 0; + err: + vpdev->hw_ops->unmap(vpdev, dbuf); +-- +2.25.1 + diff --git a/queue-5.9/microblaze-fix-kbuild-redundant-file-warning.patch b/queue-5.9/microblaze-fix-kbuild-redundant-file-warning.patch new file mode 100644 index 00000000000..95b8da919ba --- /dev/null +++ b/queue-5.9/microblaze-fix-kbuild-redundant-file-warning.patch @@ -0,0 +1,42 @@ +From 774b5235d8b860cc5c2ea2b7aeb94000a30d7d9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 09:38:58 -0700 +Subject: microblaze: fix kbuild redundant file warning + +From: Randy Dunlap + +[ Upstream commit 4a17e8513376bb23f814d3e340a5692a12c69369 ] + +Fix build warning since this file is already listed in +include/asm-generic/Kbuild. + +../scripts/Makefile.asm-generic:25: redundant generic-y found in arch/microblaze/include/asm/Kbuild: hw_irq.h + +Fixes: 630f289b7114 ("asm-generic: make more kernel-space headers mandatory") +Signed-off-by: Randy Dunlap +Cc: Michal Simek +Cc: Michal Simek +Cc: Masahiro Yamada +Reviewed-by: Masahiro Yamada +Link: https://lore.kernel.org/r/4d992aee-8a69-1769-e622-8d6d6e316346@infradead.org +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + arch/microblaze/include/asm/Kbuild | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/microblaze/include/asm/Kbuild b/arch/microblaze/include/asm/Kbuild +index 2e87a9b6d312f..63bce836b9f10 100644 +--- a/arch/microblaze/include/asm/Kbuild ++++ b/arch/microblaze/include/asm/Kbuild +@@ -1,7 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + generated-y += syscall_table.h + generic-y += extable.h +-generic-y += hw_irq.h + generic-y += kvm_para.h + generic-y += local64.h + generic-y += mcs_spinlock.h +-- +2.25.1 + diff --git a/queue-5.9/misc-mic-scif-fix-error-handling-path.patch b/queue-5.9/misc-mic-scif-fix-error-handling-path.patch new file mode 100644 index 00000000000..d425ed09ae9 --- /dev/null +++ b/queue-5.9/misc-mic-scif-fix-error-handling-path.patch @@ -0,0 +1,65 @@ +From 0b2db552f35c6af2f6ddec1bf45aef95555c2221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 08:21:35 +0530 +Subject: misc: mic: scif: Fix error handling path + +From: Souptick Joarder + +[ Upstream commit a81072a9c0ae734b7889929b0bc070fe3f353f0e ] + +Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it +will call pin_user_pages_fast() to map nr_pages. However, +pin_user_pages_fast() might fail with a return value -ERRNO. + +The return value is stored in pinned_pages->nr_pages. which in +turn is passed to unpin_user_pages(), which expects +pinned_pages->nr_pages >=0, else disaster. + +Fix this by assigning pinned_pages->nr_pages to 0 if +pin_user_pages_fast() returns -ERRNO. + +Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and unregistration") +Cc: John Hubbard +Cc: Ira Weiny +Cc: Dan Carpenter +Reviewed-by: John Hubbard +Signed-off-by: Souptick Joarder +Link: https://lore.kernel.org/r/1600570295-29546-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/scif/scif_rma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c +index 2da3b474f4863..18fb9d8b8a4b5 100644 +--- a/drivers/misc/mic/scif/scif_rma.c ++++ b/drivers/misc/mic/scif/scif_rma.c +@@ -1392,6 +1392,8 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + (prot & SCIF_PROT_WRITE) ? FOLL_WRITE : 0, + pinned_pages->pages); + if (nr_pages != pinned_pages->nr_pages) { ++ if (pinned_pages->nr_pages < 0) ++ pinned_pages->nr_pages = 0; + if (try_upgrade) { + if (ulimit) + __scif_dec_pinned_vm_lock(mm, nr_pages); +@@ -1408,7 +1410,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + + if (pinned_pages->nr_pages < nr_pages) { + err = -EFAULT; +- pinned_pages->nr_pages = nr_pages; + goto dec_pinned; + } + +@@ -1421,7 +1422,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + __scif_dec_pinned_vm_lock(mm, nr_pages); + /* Something went wrong! Rollback */ + error_unmap: +- pinned_pages->nr_pages = nr_pages; + scif_destroy_pinned_pages(pinned_pages); + *pages = NULL; + dev_dbg(scif_info.mdev.this_device, +-- +2.25.1 + diff --git a/queue-5.9/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch b/queue-5.9/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch new file mode 100644 index 00000000000..a2a4948c58c --- /dev/null +++ b/queue-5.9/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch @@ -0,0 +1,46 @@ +From 4f98a7d397eb2f278d4269edb7dfd9e49859ab68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 07:18:51 +0000 +Subject: misc: rtsx: Fix memory leak in rtsx_pci_probe + +From: Keita Suzuki + +[ Upstream commit bc28369c6189009b66d9619dd9f09bd8c684bb98 ] + +When mfd_add_devices() fail, pcr->slots should also be freed. However, +the current implementation does not free the member, leading to a memory +leak. + +Fix this by adding a new goto label that frees pcr->slots. + +Signed-off-by: Keita Suzuki +Link: https://lore.kernel.org/r/20200909071853.4053-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cardreader/rtsx_pcr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/cardreader/rtsx_pcr.c b/drivers/misc/cardreader/rtsx_pcr.c +index 37ccc67f4914b..f2b2805942f50 100644 +--- a/drivers/misc/cardreader/rtsx_pcr.c ++++ b/drivers/misc/cardreader/rtsx_pcr.c +@@ -1562,12 +1562,14 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, + ret = mfd_add_devices(&pcidev->dev, pcr->id, rtsx_pcr_cells, + ARRAY_SIZE(rtsx_pcr_cells), NULL, 0, NULL); + if (ret < 0) +- goto disable_irq; ++ goto free_slots; + + schedule_delayed_work(&pcr->idle_work, msecs_to_jiffies(200)); + + return 0; + ++free_slots: ++ kfree(pcr->slots); + disable_irq: + free_irq(pcr->irq, (void *)pcr); + disable_msi: +-- +2.25.1 + diff --git a/queue-5.9/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch b/queue-5.9/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch new file mode 100644 index 00000000000..84b8cf756c0 --- /dev/null +++ b/queue-5.9/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch @@ -0,0 +1,91 @@ +From eb78547bf1d524617c5d12aebaa2618f39d705d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 17:11:05 +0800 +Subject: misc: vop: add round_up(x,4) for vring_size to avoid kernel panic + +From: Sherry Sun + +[ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ] + +Since struct _mic_vring_info and vring are allocated together and follow +vring, if the vring_size() is not four bytes aligned, which will cause +the start address of struct _mic_vring_info is not four byte aligned. +For example, when vring entries is 128, the vring_size() will be 5126 +bytes. The _mic_vring_info struct layout in ddr looks like: +0x90002400: 00000000 00390000 EE010000 0000C0FF +Here 0x39 is the avail_idx member, and 0xC0FFEE01 is the magic member. + +When EP use ioread32(magic) to reads the magic in RC's share memory, it +will cause kernel panic on ARM64 platform due to the cross-byte io read. +Here read magic in user space use le32toh(vr0->info->magic) will meet +the same issue. +So add round_up(x,4) for vring_size, then the struct _mic_vring_info +will store in this way: +0x90002400: 00000000 00000000 00000039 C0FFEE01 +Which will avoid kernel panic when read magic in struct _mic_vring_info. + +Signed-off-by: Sherry Sun +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20200929091106.24624-4-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/vop/vop_main.c | 2 +- + drivers/misc/mic/vop/vop_vringh.c | 4 ++-- + samples/mic/mpssd/mpssd.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/misc/mic/vop/vop_main.c b/drivers/misc/mic/vop/vop_main.c +index 55e7f21e51f44..6722c726b2590 100644 +--- a/drivers/misc/mic/vop/vop_main.c ++++ b/drivers/misc/mic/vop/vop_main.c +@@ -320,7 +320,7 @@ static struct virtqueue *vop_find_vq(struct virtio_device *dev, + /* First assign the vring's allocated in host memory */ + vqconfig = _vop_vq_config(vdev->desc) + index; + memcpy_fromio(&config, vqconfig, sizeof(config)); +- _vr_size = vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN); ++ _vr_size = round_up(vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN), 4); + vr_size = PAGE_ALIGN(_vr_size + sizeof(struct _mic_vring_info)); + va = vpdev->hw_ops->remap(vpdev, le64_to_cpu(config.address), vr_size); + if (!va) +diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c +index d069947b09345..7014ffe88632e 100644 +--- a/drivers/misc/mic/vop/vop_vringh.c ++++ b/drivers/misc/mic/vop/vop_vringh.c +@@ -296,7 +296,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev, + + num = le16_to_cpu(vqconfig[i].num); + mutex_init(&vvr->vr_mutex); +- vr_size = PAGE_ALIGN(vring_size(num, MIC_VIRTIO_RING_ALIGN) + ++ vr_size = PAGE_ALIGN(round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4) + + sizeof(struct _mic_vring_info)); + vr->va = (void *) + __get_free_pages(GFP_KERNEL | __GFP_ZERO, +@@ -308,7 +308,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev, + goto err; + } + vr->len = vr_size; +- vr->info = vr->va + vring_size(num, MIC_VIRTIO_RING_ALIGN); ++ vr->info = vr->va + round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4); + vr->info->magic = cpu_to_le32(MIC_MAGIC + vdev->virtio_id + i); + vr_addr = dma_map_single(&vpdev->dev, vr->va, vr_size, + DMA_BIDIRECTIONAL); +diff --git a/samples/mic/mpssd/mpssd.c b/samples/mic/mpssd/mpssd.c +index a11bf6c5b53b4..cd3f16a6f5caf 100644 +--- a/samples/mic/mpssd/mpssd.c ++++ b/samples/mic/mpssd/mpssd.c +@@ -403,9 +403,9 @@ mic_virtio_copy(struct mic_info *mic, int fd, + + static inline unsigned _vring_size(unsigned int num, unsigned long align) + { +- return ((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num) ++ return _ALIGN_UP(((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num) + + align - 1) & ~(align - 1)) +- + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num; ++ + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num, 4); + } + + /* +-- +2.25.1 + diff --git a/queue-5.9/mm-error_inject-fix-allow_error_inject-function-sign.patch b/queue-5.9/mm-error_inject-fix-allow_error_inject-function-sign.patch new file mode 100644 index 00000000000..3bce746e027 --- /dev/null +++ b/queue-5.9/mm-error_inject-fix-allow_error_inject-function-sign.patch @@ -0,0 +1,67 @@ +From cf4523bd9ec0e7c29de9edb71bc6307a015ac58c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 15:01:10 -0700 +Subject: mm/error_inject: Fix allow_error_inject function signatures. + +From: Alexei Starovoitov + +[ Upstream commit 76cd61739fd107a7f7ec4c24a045e98d8ee150f0 ] + +'static' and 'static noinline' function attributes make no guarantees that +gcc/clang won't optimize them. The compiler may decide to inline 'static' +function and in such case ALLOW_ERROR_INJECT becomes meaningless. The compiler +could have inlined __add_to_page_cache_locked() in one callsite and didn't +inline in another. In such case injecting errors into it would cause +unpredictable behavior. It's worse with 'static noinline' which won't be +inlined, but it still can be optimized. Like the compiler may decide to remove +one argument or constant propagate the value depending on the callsite. + +To avoid such issues make sure that these functions are global noinline. + +Fixes: af3b854492f3 ("mm/page_alloc.c: allow error injection") +Fixes: cfcbfb1382db ("mm/filemap.c: enable error injection at add_to_page_cache()") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/bpf/20200827220114.69225-2-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + mm/filemap.c | 8 ++++---- + mm/page_alloc.c | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/mm/filemap.c b/mm/filemap.c +index 99c49eeae71b8..f6d36ccc23515 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -827,10 +827,10 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask) + } + EXPORT_SYMBOL_GPL(replace_page_cache_page); + +-static int __add_to_page_cache_locked(struct page *page, +- struct address_space *mapping, +- pgoff_t offset, gfp_t gfp_mask, +- void **shadowp) ++noinline int __add_to_page_cache_locked(struct page *page, ++ struct address_space *mapping, ++ pgoff_t offset, gfp_t gfp_mask, ++ void **shadowp) + { + XA_STATE(xas, &mapping->i_pages, offset); + int huge = PageHuge(page); +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 780c8f023b282..c449d74f55842 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3496,7 +3496,7 @@ static inline bool __should_fail_alloc_page(gfp_t gfp_mask, unsigned int order) + + #endif /* CONFIG_FAIL_PAGE_ALLOC */ + +-static noinline bool should_fail_alloc_page(gfp_t gfp_mask, unsigned int order) ++noinline bool should_fail_alloc_page(gfp_t gfp_mask, unsigned int order) + { + return __should_fail_alloc_page(gfp_mask, order); + } +-- +2.25.1 + diff --git a/queue-5.9/mm-fix-a-race-during-thp-splitting.patch b/queue-5.9/mm-fix-a-race-during-thp-splitting.patch new file mode 100644 index 00000000000..82fe1dd9933 --- /dev/null +++ b/queue-5.9/mm-fix-a-race-during-thp-splitting.patch @@ -0,0 +1,124 @@ +From 78fa7fc978fce36b1e17ff66ae5009ed2c6257f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:06:07 -0700 +Subject: mm: fix a race during THP splitting + +From: Huang Ying + +[ Upstream commit c4f9c701f9b44299e6adbc58d1a4bb2c40383494 ] + +It is reported that the following bug is triggered if the HDD is used as +swap device, + +[ 5758.157556] BUG: kernel NULL pointer dereference, address: 0000000000000007 +[ 5758.165331] #PF: supervisor write access in kernel mode +[ 5758.171161] #PF: error_code(0x0002) - not-present page +[ 5758.176894] PGD 0 P4D 0 +[ 5758.179721] Oops: 0002 [#1] SMP PTI +[ 5758.183614] CPU: 10 PID: 316 Comm: kswapd1 Kdump: loaded Tainted: G S --------- --- 5.9.0-0.rc3.1.tst.el8.x86_64 #1 +[ 5758.196717] Hardware name: Intel Corporation S2600CP/S2600CP, BIOS SE5C600.86B.02.01.0002.082220131453 08/22/2013 +[ 5758.208176] RIP: 0010:split_swap_cluster+0x47/0x60 +[ 5758.213522] Code: c1 e3 06 48 c1 eb 0f 48 8d 1c d8 48 89 df e8 d0 20 6a 00 80 63 07 fb 48 85 db 74 16 48 89 df c6 07 00 66 66 66 90 31 c0 5b c3 <80> 24 25 07 00 00 00 fb 31 c0 5b c3 b8 f0 ff ff ff 5b c3 66 0f 1f +[ 5758.234478] RSP: 0018:ffffb147442d7af0 EFLAGS: 00010246 +[ 5758.240309] RAX: 0000000000000000 RBX: 000000000014b217 RCX: ffffb14779fd9000 +[ 5758.248281] RDX: 000000000014b217 RSI: ffff9c52f2ab1400 RDI: 000000000014b217 +[ 5758.256246] RBP: ffffe00c51168080 R08: ffffe00c5116fe08 R09: ffff9c52fffd3000 +[ 5758.264208] R10: ffffe00c511537c8 R11: ffff9c52fffd3c90 R12: 0000000000000000 +[ 5758.272172] R13: ffffe00c51170000 R14: ffffe00c51170000 R15: ffffe00c51168040 +[ 5758.280134] FS: 0000000000000000(0000) GS:ffff9c52f2a80000(0000) knlGS:0000000000000000 +[ 5758.289163] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5758.295575] CR2: 0000000000000007 CR3: 0000000022a0e003 CR4: 00000000000606e0 +[ 5758.303538] Call Trace: +[ 5758.306273] split_huge_page_to_list+0x88b/0x950 +[ 5758.311433] deferred_split_scan+0x1ca/0x310 +[ 5758.316202] do_shrink_slab+0x12c/0x2a0 +[ 5758.320491] shrink_slab+0x20f/0x2c0 +[ 5758.324482] shrink_node+0x240/0x6c0 +[ 5758.328469] balance_pgdat+0x2d1/0x550 +[ 5758.332652] kswapd+0x201/0x3c0 +[ 5758.336157] ? finish_wait+0x80/0x80 +[ 5758.340147] ? balance_pgdat+0x550/0x550 +[ 5758.344525] kthread+0x114/0x130 +[ 5758.348126] ? kthread_park+0x80/0x80 +[ 5758.352214] ret_from_fork+0x22/0x30 +[ 5758.356203] Modules linked in: fuse zram rfkill sunrpc intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp mgag200 iTCO_wdt crct10dif_pclmul iTCO_vendor_support drm_kms_helper crc32_pclmul ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops cec rapl joydev intel_cstate ipmi_si ipmi_devintf drm intel_uncore i2c_i801 ipmi_msghandler pcspkr lpc_ich mei_me i2c_smbus mei ioatdma ip_tables xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg igb ahci libahci i2c_algo_bit crc32c_intel libata dca wmi dm_mirror dm_region_hash dm_log dm_mod +[ 5758.412673] CR2: 0000000000000007 +[ 0.000000] Linux version 5.9.0-0.rc3.1.tst.el8.x86_64 (mockbuild@x86-vm-15.build.eng.bos.redhat.com) (gcc (GCC) 8.3.1 20191121 (Red Hat 8.3.1-5), GNU ld version 2.30-79.el8) #1 SMP Wed Sep 9 16:03:34 EDT 2020 + +After further digging it's found that the following race condition exists in the +original implementation, + +CPU1 CPU2 +---- ---- +deferred_split_scan() + split_huge_page(page) /* page isn't compound head */ + split_huge_page_to_list(page, NULL) + __split_huge_page(page, ) + ClearPageCompound(head) + /* unlock all subpages except page (not head) */ + add_to_swap(head) /* not THP */ + get_swap_page(head) + add_to_swap_cache(head, ) + SetPageSwapCache(head) + if PageSwapCache(head) + split_swap_cluster(/* swap entry of head */) + /* Deref sis->cluster_info: NULL accessing! */ + +So, in split_huge_page_to_list(), PageSwapCache() is called for the already +split and unlocked "head", which may be added to swap cache in another CPU. So +split_swap_cluster() may be called wrongly. + +To fix the race, the call to split_swap_cluster() is moved to +__split_huge_page() before all subpages are unlocked. So that the +PageSwapCache() is stable. + +Fixes: 59807685a7e77 ("mm, THP, swap: support splitting THP for THP swap out") +Reported-by: Rafael Aquini +Signed-off-by: "Huang, Ying" +Signed-off-by: Andrew Morton +Tested-by: Rafael Aquini +Acked-by: Kirill A. Shutemov +Cc: Hugh Dickins +Cc: Andrea Arcangeli +Cc: Matthew Wilcox +Link: https://lkml.kernel.org/r/20201009073647.1531083-1-ying.huang@intel.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/huge_memory.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index d37e205d3eae7..18a6f8c8b2844 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2473,6 +2473,12 @@ static void __split_huge_page(struct page *page, struct list_head *list, + + remap_page(head, nr); + ++ if (PageSwapCache(head)) { ++ swp_entry_t entry = { .val = page_private(head) }; ++ ++ split_swap_cluster(entry); ++ } ++ + for (i = 0; i < nr; i++) { + struct page *subpage = head + i; + if (subpage == page) +@@ -2707,12 +2713,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + } + + __split_huge_page(page, list, end, flags); +- if (PageSwapCache(head)) { +- swp_entry_t entry = { .val = page_private(head) }; +- +- ret = split_swap_cluster(entry); +- } else +- ret = 0; ++ ret = 0; + } else { + if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) { + pr_alert("total_mapcount: %u, page_count(): %u\n", +-- +2.25.1 + diff --git a/queue-5.9/mm-huge_memory-fix-split-assumption-of-page-size.patch b/queue-5.9/mm-huge_memory-fix-split-assumption-of-page-size.patch new file mode 100644 index 00000000000..c35c39f7be9 --- /dev/null +++ b/queue-5.9/mm-huge_memory-fix-split-assumption-of-page-size.patch @@ -0,0 +1,95 @@ +From 4790df16e80b281abf1c508a25f960ec79dd8ce7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:05:36 -0700 +Subject: mm/huge_memory: fix split assumption of page size + +From: Kirill A. Shutemov + +[ Upstream commit 8cce54756806e5777069c46011c5f54f9feac717 ] + +File THPs may now be of arbitrary size, and we can't rely on that size +after doing the split so remember the number of pages before we start the +split. + +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Reviewed-by: SeongJae Park +Cc: Huang Ying +Link: https://lkml.kernel.org/r/20200908195539.25896-6-willy@infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/huge_memory.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index dbac774103769..d37e205d3eae7 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2335,13 +2335,13 @@ static void unmap_page(struct page *page) + VM_BUG_ON_PAGE(!unmap_success, page); + } + +-static void remap_page(struct page *page) ++static void remap_page(struct page *page, unsigned int nr) + { + int i; + if (PageTransHuge(page)) { + remove_migration_ptes(page, page, true); + } else { +- for (i = 0; i < HPAGE_PMD_NR; i++) ++ for (i = 0; i < nr; i++) + remove_migration_ptes(page + i, page + i, true); + } + } +@@ -2416,6 +2416,7 @@ static void __split_huge_page(struct page *page, struct list_head *list, + struct lruvec *lruvec; + struct address_space *swap_cache = NULL; + unsigned long offset = 0; ++ unsigned int nr = thp_nr_pages(head); + int i; + + lruvec = mem_cgroup_page_lruvec(head, pgdat); +@@ -2431,7 +2432,7 @@ static void __split_huge_page(struct page *page, struct list_head *list, + xa_lock(&swap_cache->i_pages); + } + +- for (i = HPAGE_PMD_NR - 1; i >= 1; i--) { ++ for (i = nr - 1; i >= 1; i--) { + __split_huge_page_tail(head, i, lruvec, list); + /* Some pages can be beyond i_size: drop them from page cache */ + if (head[i].index >= end) { +@@ -2451,7 +2452,7 @@ static void __split_huge_page(struct page *page, struct list_head *list, + + ClearPageCompound(head); + +- split_page_owner(head, HPAGE_PMD_NR); ++ split_page_owner(head, nr); + + /* See comment in __split_huge_page_tail() */ + if (PageAnon(head)) { +@@ -2470,9 +2471,9 @@ static void __split_huge_page(struct page *page, struct list_head *list, + + spin_unlock_irqrestore(&pgdat->lru_lock, flags); + +- remap_page(head); ++ remap_page(head, nr); + +- for (i = 0; i < HPAGE_PMD_NR; i++) { ++ for (i = 0; i < nr; i++) { + struct page *subpage = head + i; + if (subpage == page) + continue; +@@ -2725,7 +2726,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) + fail: if (mapping) + xa_unlock(&mapping->i_pages); + spin_unlock_irqrestore(&pgdata->lru_lock, flags); +- remap_page(head); ++ remap_page(head, thp_nr_pages(head)); + ret = -EBUSY; + } + +-- +2.25.1 + diff --git a/queue-5.9/mm-memcg-fix-device-private-memcg-accounting.patch b/queue-5.9/mm-memcg-fix-device-private-memcg-accounting.patch new file mode 100644 index 00000000000..f9ce701092d --- /dev/null +++ b/queue-5.9/mm-memcg-fix-device-private-memcg-accounting.patch @@ -0,0 +1,61 @@ +From 6529a101551bc393a8f3bf16ef0ed619b4a88ba9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:53:13 -0700 +Subject: mm/memcg: fix device private memcg accounting + +From: Ralph Campbell + +[ Upstream commit 9a137153fc8798a89d8fce895cd0a06ea5b8e37c ] + +The code in mc_handle_swap_pte() checks for non_swap_entry() and returns +NULL before checking is_device_private_entry() so device private pages are +never handled. Fix this by checking for non_swap_entry() after handling +device private swap PTEs. + +I assume the memory cgroup accounting would be off somehow when moving +a process to another memory cgroup. Currently, the device private page +is charged like a normal anonymous page when allocated and is uncharged +when the page is freed so I think that path is OK. + +Signed-off-by: Ralph Campbell +Signed-off-by: Andrew Morton +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: Vladimir Davydov +Cc: Jerome Glisse +Cc: Balbir Singh +Cc: Ira Weiny +Link: https://lkml.kernel.org/r/20201009215952.2726-1-rcampbell@nvidia.com +xFixes: c733a82874a7 ("mm/memcontrol: support MEMORY_DEVICE_PRIVATE") +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index b9688a4b1d550..9eefdb9cc2303 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5511,7 +5511,7 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma, + struct page *page = NULL; + swp_entry_t ent = pte_to_swp_entry(ptent); + +- if (!(mc.flags & MOVE_ANON) || non_swap_entry(ent)) ++ if (!(mc.flags & MOVE_ANON)) + return NULL; + + /* +@@ -5530,6 +5530,9 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma, + return page; + } + ++ if (non_swap_entry(ent)) ++ return NULL; ++ + /* + * Because lookup_swap_cache() updates some statistics counter, + * we call find_get_page() with swapper_space directly. +-- +2.25.1 + diff --git a/queue-5.9/mm-memcg-slab-fix-racy-access-to-page-mem_cgroup-in-.patch b/queue-5.9/mm-memcg-slab-fix-racy-access-to-page-mem_cgroup-in-.patch new file mode 100644 index 00000000000..59ef53e8af9 --- /dev/null +++ b/queue-5.9/mm-memcg-slab-fix-racy-access-to-page-mem_cgroup-in-.patch @@ -0,0 +1,76 @@ +From 0d83c64287c8ff33731eae9c8e116272eadfd9ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:52:42 -0700 +Subject: mm: memcg/slab: fix racy access to page->mem_cgroup in + mem_cgroup_from_obj() + +From: Roman Gushchin + +[ Upstream commit 19b629c9795bfe67bf77be8fb611b84424b56d91 ] + +mem_cgroup_from_obj() checks the lowest bit of the page->mem_cgroup +pointer to determine if the page has an attached obj_cgroup vector instead +of a regular memcg pointer. If it's not set, it simple returns the +page->mem_cgroup value as a struct mem_cgroup pointer. + +The commit 10befea91b61 ("mm: memcg/slab: use a single set of kmem_caches +for all allocations") changed the moment when this bit is set: if +previously it was set on the allocation of the slab page, now it can be +set well after, when the first accounted object is allocated on this page. + +It opened a race: if page->mem_cgroup is set concurrently after the first +page_has_obj_cgroups(page) check, a pointer to the obj_cgroups array can +be returned as a memory cgroup pointer. + +A simple check for page->mem_cgroup pointer for NULL before the +page_has_obj_cgroups() check fixes the race. Indeed, if the pointer is +not NULL, it's either a simple mem_cgroup pointer or a pointer to +obj_cgroup vector. The pointer can be asynchronously changed from NULL to +(obj_cgroup_vec | 0x1UL), but can't be changed from a valid memcg pointer +to objcg vector or back. + +If the object passed to mem_cgroup_from_obj() is a slab object and +page->mem_cgroup is NULL, it means that the object is not accounted, so +the function must return NULL. + +I've discovered the race looking at the code, so far I haven't seen it in +the wild. + +Fixes: 10befea91b61 ("mm: memcg/slab: use a single set of kmem_caches for all allocations") +Signed-off-by: Roman Gushchin +Signed-off-by: Andrew Morton +Reviewed-by: Shakeel Butt +Cc: Johannes Weiner +Cc: Vlastimil Babka +Link: https://lkml.kernel.org/r/20200910022435.2773735-1-guro@fb.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 6877c765b8d03..b9688a4b1d550 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2887,6 +2887,17 @@ struct mem_cgroup *mem_cgroup_from_obj(void *p) + + page = virt_to_head_page(p); + ++ /* ++ * If page->mem_cgroup is set, it's either a simple mem_cgroup pointer ++ * or a pointer to obj_cgroup vector. In the latter case the lowest ++ * bit of the pointer is set. ++ * The page->mem_cgroup pointer can be asynchronously changed ++ * from NULL to (obj_cgroup_vec | 0x1UL), but can't be changed ++ * from a valid memcg pointer to objcg vector or back. ++ */ ++ if (!page->mem_cgroup) ++ return NULL; ++ + /* + * Slab objects are accounted individually, not per-page. + * Memcg membership data for each individual object is saved in +-- +2.25.1 + diff --git a/queue-5.9/mm-mmap.c-replace-do_brk-with-do_brk_flags-in-commen.patch b/queue-5.9/mm-mmap.c-replace-do_brk-with-do_brk_flags-in-commen.patch new file mode 100644 index 00000000000..51b0639b9d8 --- /dev/null +++ b/queue-5.9/mm-mmap.c-replace-do_brk-with-do_brk_flags-in-commen.patch @@ -0,0 +1,40 @@ +From f9090efc13cb0a4f4db3f5742585db5b32cacf19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:54:18 -0700 +Subject: mm/mmap.c: replace do_brk with do_brk_flags in comment of + insert_vm_struct() + +From: Liao Pingfang + +[ Upstream commit 8332326e8e47fbc35711433419c31f610153dd58 ] + +Replace do_brk with do_brk_flags in comment of insert_vm_struct(), since +do_brk was removed in following commit. + +Fixes: bb177a732c4369 ("mm: do not bug_on on incorrect length in __mm_populate()") +Signed-off-by: Liao Pingfang +Signed-off-by: Yi Wang +Signed-off-by: Andrew Morton +Link: https://lkml.kernel.org/r/1600650778-43230-1-git-send-email-wang.yi59@zte.com.cn +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/mmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index bdd19f5b994e0..7a8987aa69962 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -3227,7 +3227,7 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) + * By setting it to reflect the virtual start address of the + * vma, merges and splits can happen in a seamless way, just + * using the existing file pgoff checks and manipulations. +- * Similarly in do_mmap and in do_brk. ++ * Similarly in do_mmap and in do_brk_flags. + */ + if (vma_is_anonymous(vma)) { + BUG_ON(vma->anon_vma); +-- +2.25.1 + diff --git a/queue-5.9/mm-mmu_notifier-fix-mmget-assert-in-__mmu_interval_n.patch b/queue-5.9/mm-mmu_notifier-fix-mmget-assert-in-__mmu_interval_n.patch new file mode 100644 index 00000000000..bbc0940905f --- /dev/null +++ b/queue-5.9/mm-mmu_notifier-fix-mmget-assert-in-__mmu_interval_n.patch @@ -0,0 +1,49 @@ +From 66da55b8babcf5379e129595e69bcb13b6b268d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:07:43 -0700 +Subject: mm/mmu_notifier: fix mmget() assert in __mmu_interval_notifier_insert +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jann Horn + +[ Upstream commit c9682d10271e1025ebfbb1675c7afffbef5c6856 ] + +The comment talks about having to hold mmget() (which means mm_users), but +the actual check is on mm_count (which would be mmgrab()). + +Given that MMU notifiers are torn down in mmput() -> __mmput() -> +exit_mmap() -> mmu_notifier_release(), I believe that the comment is +correct and the check should be on mm->mm_users. Fix it up accordingly. + +Fixes: 99cb252f5e68 ("mm/mmu_notifier: add an interval tree notifier") +Signed-off-by: Jann Horn +Signed-off-by: Andrew Morton +Reviewed-by: Jason Gunthorpe +Cc: John Hubbard +Cc: Christoph Hellwig +Cc: Christian König +Signed-off-by: Sasha Levin +--- + mm/mmu_notifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c +index 4fc918163dd32..5654dd19addc0 100644 +--- a/mm/mmu_notifier.c ++++ b/mm/mmu_notifier.c +@@ -913,7 +913,7 @@ static int __mmu_interval_notifier_insert( + return -EOVERFLOW; + + /* Must call with a mmget() held */ +- if (WARN_ON(atomic_read(&mm->mm_count) <= 0)) ++ if (WARN_ON(atomic_read(&mm->mm_users) <= 0)) + return -EINVAL; + + /* pairs with mmdrop in mmu_interval_notifier_remove() */ +-- +2.25.1 + diff --git a/queue-5.9/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch b/queue-5.9/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch new file mode 100644 index 00000000000..67b28622779 --- /dev/null +++ b/queue-5.9/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch @@ -0,0 +1,187 @@ +From 5f2fe2fbf437c2d7851a32581928366274de296e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:58:35 -0700 +Subject: mm, oom_adj: don't loop through tasks in __set_oom_adj when not + necessary + +From: Suren Baghdasaryan + +[ Upstream commit 67197a4f28d28d0b073ab0427b03cb2ee5382578 ] + +Currently __set_oom_adj loops through all processes in the system to keep +oom_score_adj and oom_score_adj_min in sync between processes sharing +their mm. This is done for any task with more that one mm_users, which +includes processes with multiple threads (sharing mm and signals). +However for such processes the loop is unnecessary because their signal +structure is shared as well. + +Android updates oom_score_adj whenever a tasks changes its role +(background/foreground/...) or binds to/unbinds from a service, making it +more/less important. Such operation can happen frequently. We noticed +that updates to oom_score_adj became more expensive and after further +investigation found out that the patch mentioned in "Fixes" introduced a +regression. Using Pixel 4 with a typical Android workload, write time to +oom_score_adj increased from ~3.57us to ~362us. Moreover this regression +linearly depends on the number of multi-threaded processes running on the +system. + +Mark the mm with a new MMF_MULTIPROCESS flag bit when task is created with +(CLONE_VM && !CLONE_THREAD && !CLONE_VFORK). Change __set_oom_adj to use +MMF_MULTIPROCESS instead of mm_users to decide whether oom_score_adj +update should be synchronized between multiple processes. To prevent +races between clone() and __set_oom_adj(), when oom_score_adj of the +process being cloned might be modified from userspace, we use +oom_adj_mutex. Its scope is changed to global. + +The combination of (CLONE_VM && !CLONE_THREAD) is rarely used except for +the case of vfork(). To prevent performance regressions of vfork(), we +skip taking oom_adj_mutex and setting MMF_MULTIPROCESS when CLONE_VFORK is +specified. Clearing the MMF_MULTIPROCESS flag (when the last process +sharing the mm exits) is left out of this patch to keep it simple and +because it is believed that this threading model is rare. Should there +ever be a need for optimizing that case as well, it can be done by hooking +into the exit path, likely following the mm_update_next_owner pattern. + +With the combination of (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK) being +quite rare, the regression is gone after the change is applied. + +[surenb@google.com: v3] + Link: https://lkml.kernel.org/r/20200902012558.2335613-1-surenb@google.com + +Fixes: 44a70adec910 ("mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj") +Reported-by: Tim Murray +Suggested-by: Michal Hocko +Signed-off-by: Suren Baghdasaryan +Signed-off-by: Andrew Morton +Acked-by: Christian Brauner +Acked-by: Michal Hocko +Acked-by: Oleg Nesterov +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Eugene Syromiatnikov +Cc: Christian Kellner +Cc: Adrian Reber +Cc: Shakeel Butt +Cc: Aleksa Sarai +Cc: Alexey Dobriyan +Cc: "Eric W. Biederman" +Cc: Alexey Gladkov +Cc: Michel Lespinasse +Cc: Daniel Jordan +Cc: Andrei Vagin +Cc: Bernd Edlinger +Cc: John Johansen +Cc: Yafang Shao +Link: https://lkml.kernel.org/r/20200824153036.3201505-1-surenb@google.com +Debugged-by: Minchan Kim +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 3 +-- + include/linux/oom.h | 1 + + include/linux/sched/coredump.h | 1 + + kernel/fork.c | 21 +++++++++++++++++++++ + mm/oom_kill.c | 2 ++ + 5 files changed, 26 insertions(+), 2 deletions(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 617db4e0faa09..aa69c35d904ca 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -1055,7 +1055,6 @@ static ssize_t oom_adj_read(struct file *file, char __user *buf, size_t count, + + static int __set_oom_adj(struct file *file, int oom_adj, bool legacy) + { +- static DEFINE_MUTEX(oom_adj_mutex); + struct mm_struct *mm = NULL; + struct task_struct *task; + int err = 0; +@@ -1095,7 +1094,7 @@ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy) + struct task_struct *p = find_lock_task_mm(task); + + if (p) { +- if (atomic_read(&p->mm->mm_users) > 1) { ++ if (test_bit(MMF_MULTIPROCESS, &p->mm->flags)) { + mm = p->mm; + mmgrab(mm); + } +diff --git a/include/linux/oom.h b/include/linux/oom.h +index f022f581ac29d..2db9a14325112 100644 +--- a/include/linux/oom.h ++++ b/include/linux/oom.h +@@ -55,6 +55,7 @@ struct oom_control { + }; + + extern struct mutex oom_lock; ++extern struct mutex oom_adj_mutex; + + static inline void set_current_oom_origin(void) + { +diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h +index ecdc6542070f1..dfd82eab29025 100644 +--- a/include/linux/sched/coredump.h ++++ b/include/linux/sched/coredump.h +@@ -72,6 +72,7 @@ static inline int get_dumpable(struct mm_struct *mm) + #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */ + #define MMF_OOM_VICTIM 25 /* mm is the oom victim */ + #define MMF_OOM_REAP_QUEUED 26 /* mm was queued for oom_reaper */ ++#define MMF_MULTIPROCESS 27 /* mm is shared between processes */ + #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP) + + #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\ +diff --git a/kernel/fork.c b/kernel/fork.c +index da8d360fb0326..a9ce750578cae 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1810,6 +1810,25 @@ static __always_inline void delayed_free_task(struct task_struct *tsk) + free_task(tsk); + } + ++static void copy_oom_score_adj(u64 clone_flags, struct task_struct *tsk) ++{ ++ /* Skip if kernel thread */ ++ if (!tsk->mm) ++ return; ++ ++ /* Skip if spawning a thread or using vfork */ ++ if ((clone_flags & (CLONE_VM | CLONE_THREAD | CLONE_VFORK)) != CLONE_VM) ++ return; ++ ++ /* We need to synchronize with __set_oom_adj */ ++ mutex_lock(&oom_adj_mutex); ++ set_bit(MMF_MULTIPROCESS, &tsk->mm->flags); ++ /* Update the values in case they were changed after copy_signal */ ++ tsk->signal->oom_score_adj = current->signal->oom_score_adj; ++ tsk->signal->oom_score_adj_min = current->signal->oom_score_adj_min; ++ mutex_unlock(&oom_adj_mutex); ++} ++ + /* + * This creates a new process as a copy of the old one, + * but does not actually start it yet. +@@ -2282,6 +2301,8 @@ static __latent_entropy struct task_struct *copy_process( + trace_task_newtask(p, clone_flags); + uprobe_copy_process(p, clone_flags); + ++ copy_oom_score_adj(clone_flags, p); ++ + return p; + + bad_fork_cancel_cgroup: +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index e90f25d6385d7..8b84661a64109 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -64,6 +64,8 @@ int sysctl_oom_dump_tasks = 1; + * and mark_oom_victim + */ + DEFINE_MUTEX(oom_lock); ++/* Serializes oom_score_adj and oom_score_adj_min updates */ ++DEFINE_MUTEX(oom_adj_mutex); + + static inline bool is_memcg_oom(struct oom_control *oc) + { +-- +2.25.1 + diff --git a/queue-5.9/mm-page_alloc.c-fix-freeing-non-compound-pages.patch b/queue-5.9/mm-page_alloc.c-fix-freeing-non-compound-pages.patch new file mode 100644 index 00000000000..7d7cf3263ff --- /dev/null +++ b/queue-5.9/mm-page_alloc.c-fix-freeing-non-compound-pages.patch @@ -0,0 +1,146 @@ +From 4437ab2c19e2f1941ff53b1fc88d1e0e11667805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:56:04 -0700 +Subject: mm/page_alloc.c: fix freeing non-compound pages + +From: Matthew Wilcox (Oracle) + +[ Upstream commit e320d3012d25b1fb5f3df4edb7bd44a1c362ec10 ] + +Here is a very rare race which leaks memory: + +Page P0 is allocated to the page cache. Page P1 is free. + +Thread A Thread B Thread C +find_get_entry(): +xas_load() returns P0 + Removes P0 from page cache + P0 finds its buddy P1 + alloc_pages(GFP_KERNEL, 1) returns P0 + P0 has refcount 1 +page_cache_get_speculative(P0) +P0 has refcount 2 + __free_pages(P0) + P0 has refcount 1 +put_page(P0) +P1 is not freed + +Fix this by freeing all the pages in __free_pages() that won't be freed +by the call to put_page(). It's usually not a good idea to split a page, +but this is a very unlikely scenario. + +Fixes: e286781d5f2e ("mm: speculative page references") +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Acked-by: Mike Rapoport +Cc: Nick Piggin +Cc: Hugh Dickins +Cc: Peter Zijlstra +Link: https://lkml.kernel.org/r/20200926213919.26642-1-willy@infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/Kconfig.debug | 9 +++++++++ + lib/Makefile | 1 + + lib/test_free_pages.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + mm/page_alloc.c | 3 +++ + 4 files changed, 55 insertions(+) + create mode 100644 lib/test_free_pages.c + +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index 0c781f912f9f0..491789a793ae5 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -2367,6 +2367,15 @@ config TEST_HMM + + If unsure, say N. + ++config TEST_FREE_PAGES ++ tristate "Test freeing pages" ++ help ++ Test that a memory leak does not occur due to a race between ++ freeing a block of pages and a speculative page reference. ++ Loading this module is safe if your kernel has the bug fixed. ++ If the bug is not fixed, it will leak gigabytes of memory and ++ probably OOM your system. ++ + config TEST_FPU + tristate "Test floating point operations in kernel space" + depends on X86 && !KCOV_INSTRUMENT_ALL +diff --git a/lib/Makefile b/lib/Makefile +index a4a4c6864f518..071b687b7363f 100644 +--- a/lib/Makefile ++++ b/lib/Makefile +@@ -99,6 +99,7 @@ obj-$(CONFIG_TEST_BLACKHOLE_DEV) += test_blackhole_dev.o + obj-$(CONFIG_TEST_MEMINIT) += test_meminit.o + obj-$(CONFIG_TEST_LOCKUP) += test_lockup.o + obj-$(CONFIG_TEST_HMM) += test_hmm.o ++obj-$(CONFIG_TEST_FREE_PAGES) += test_free_pages.o + + # + # CFLAGS for compiling floating point code inside the kernel. x86/Makefile turns +diff --git a/lib/test_free_pages.c b/lib/test_free_pages.c +new file mode 100644 +index 0000000000000..074e76bd76b2b +--- /dev/null ++++ b/lib/test_free_pages.c +@@ -0,0 +1,42 @@ ++// SPDX-License-Identifier: GPL-2.0+ ++/* ++ * test_free_pages.c: Check that free_pages() doesn't leak memory ++ * Copyright (c) 2020 Oracle ++ * Author: Matthew Wilcox ++ */ ++ ++#include ++#include ++#include ++ ++static void test_free_pages(gfp_t gfp) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < 1000 * 1000; i++) { ++ unsigned long addr = __get_free_pages(gfp, 3); ++ struct page *page = virt_to_page(addr); ++ ++ /* Simulate page cache getting a speculative reference */ ++ get_page(page); ++ free_pages(addr, 3); ++ put_page(page); ++ } ++} ++ ++static int m_in(void) ++{ ++ test_free_pages(GFP_KERNEL); ++ test_free_pages(GFP_KERNEL | __GFP_COMP); ++ ++ return 0; ++} ++ ++static void m_ex(void) ++{ ++} ++ ++module_init(m_in); ++module_exit(m_ex); ++MODULE_AUTHOR("Matthew Wilcox "); ++MODULE_LICENSE("GPL"); +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index c449d74f55842..d99c2db7f254f 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -4961,6 +4961,9 @@ void __free_pages(struct page *page, unsigned int order) + { + if (put_page_testzero(page)) + free_the_page(page, order); ++ else if (!PageHead(page)) ++ while (order-- > 0) ++ free_the_page(page + (1 << order), order); + } + EXPORT_SYMBOL(__free_pages); + +-- +2.25.1 + diff --git a/queue-5.9/mm-page_owner-change-split_page_owner-to-take-a-coun.patch b/queue-5.9/mm-page_owner-change-split_page_owner-to-take-a-coun.patch new file mode 100644 index 00000000000..2ff890574fe --- /dev/null +++ b/queue-5.9/mm-page_owner-change-split_page_owner-to-take-a-coun.patch @@ -0,0 +1,106 @@ +From d1386949f34e7b4f6c258eece35951c1bf94ee1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:05:29 -0700 +Subject: mm/page_owner: change split_page_owner to take a count + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 8fb156c9ee2db94f7127c930c89917634a1a9f56 ] + +The implementation of split_page_owner() prefers a count rather than the +old order of the page. When we support a variable size THP, we won't +have the order at this point, but we will have the number of pages. +So change the interface to what the caller and callee would prefer. + +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Reviewed-by: SeongJae Park +Acked-by: Kirill A. Shutemov +Cc: Huang Ying +Link: https://lkml.kernel.org/r/20200908195539.25896-4-willy@infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/page_owner.h | 6 +++--- + mm/huge_memory.c | 2 +- + mm/page_alloc.c | 2 +- + mm/page_owner.c | 4 ++-- + 4 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/include/linux/page_owner.h b/include/linux/page_owner.h +index 8679ccd722e89..3468794f83d23 100644 +--- a/include/linux/page_owner.h ++++ b/include/linux/page_owner.h +@@ -11,7 +11,7 @@ extern struct page_ext_operations page_owner_ops; + extern void __reset_page_owner(struct page *page, unsigned int order); + extern void __set_page_owner(struct page *page, + unsigned int order, gfp_t gfp_mask); +-extern void __split_page_owner(struct page *page, unsigned int order); ++extern void __split_page_owner(struct page *page, unsigned int nr); + extern void __copy_page_owner(struct page *oldpage, struct page *newpage); + extern void __set_page_owner_migrate_reason(struct page *page, int reason); + extern void __dump_page_owner(struct page *page); +@@ -31,10 +31,10 @@ static inline void set_page_owner(struct page *page, + __set_page_owner(page, order, gfp_mask); + } + +-static inline void split_page_owner(struct page *page, unsigned int order) ++static inline void split_page_owner(struct page *page, unsigned int nr) + { + if (static_branch_unlikely(&page_owner_inited)) +- __split_page_owner(page, order); ++ __split_page_owner(page, nr); + } + static inline void copy_page_owner(struct page *oldpage, struct page *newpage) + { +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index da397779a6d43..dbac774103769 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2451,7 +2451,7 @@ static void __split_huge_page(struct page *page, struct list_head *list, + + ClearPageCompound(head); + +- split_page_owner(head, HPAGE_PMD_ORDER); ++ split_page_owner(head, HPAGE_PMD_NR); + + /* See comment in __split_huge_page_tail() */ + if (PageAnon(head)) { +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index d99c2db7f254f..3fb35fe6a9e44 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3209,7 +3209,7 @@ void split_page(struct page *page, unsigned int order) + + for (i = 1; i < (1 << order); i++) + set_page_refcounted(page + i); +- split_page_owner(page, order); ++ split_page_owner(page, 1 << order); + } + EXPORT_SYMBOL_GPL(split_page); + +diff --git a/mm/page_owner.c b/mm/page_owner.c +index 3604615094235..4ca3051a10358 100644 +--- a/mm/page_owner.c ++++ b/mm/page_owner.c +@@ -204,7 +204,7 @@ void __set_page_owner_migrate_reason(struct page *page, int reason) + page_owner->last_migrate_reason = reason; + } + +-void __split_page_owner(struct page *page, unsigned int order) ++void __split_page_owner(struct page *page, unsigned int nr) + { + int i; + struct page_ext *page_ext = lookup_page_ext(page); +@@ -213,7 +213,7 @@ void __split_page_owner(struct page *page, unsigned int order) + if (unlikely(!page_ext)) + return; + +- for (i = 0; i < (1 << order); i++) { ++ for (i = 0; i < nr; i++) { + page_owner = get_page_owner(page_ext); + page_owner->order = 0; + page_ext = page_ext_next(page_ext); +-- +2.25.1 + diff --git a/queue-5.9/mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch b/queue-5.9/mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch new file mode 100644 index 00000000000..38a36b4865e --- /dev/null +++ b/queue-5.9/mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch @@ -0,0 +1,48 @@ +From 1be09a9e317882ee74339c9797c7a236a70c67ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:52:30 -0700 +Subject: mm/swapfile.c: fix potential memory leak in sys_swapon + +From: Miaohe Lin + +[ Upstream commit 822bca52ee7eb279acfba261a423ed7ac47d6f73 ] + +If we failed to drain inode, we would forget to free the swap address +space allocated by init_swap_address_space() above. + +Fixes: dc617f29dbe5 ("vfs: don't allow writes to swap files") +Signed-off-by: Miaohe Lin +Signed-off-by: Andrew Morton +Reviewed-by: Darrick J. Wong +Link: https://lkml.kernel.org/r/20200930101803.53884-1-linmiaohe@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/swapfile.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/swapfile.c b/mm/swapfile.c +index debc94155f74d..b877c1504e00b 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -3343,7 +3343,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) + error = inode_drain_writes(inode); + if (error) { + inode->i_flags &= ~S_SWAPFILE; +- goto bad_swap_unlock_inode; ++ goto free_swap_address_space; + } + + mutex_lock(&swapon_mutex); +@@ -3368,6 +3368,8 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) + + error = 0; + goto out; ++free_swap_address_space: ++ exit_swap_address_space(p->type); + bad_swap_unlock_inode: + inode_unlock(inode); + bad_swap: +-- +2.25.1 + diff --git a/queue-5.9/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch b/queue-5.9/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch new file mode 100644 index 00000000000..792ce4cc1c2 --- /dev/null +++ b/queue-5.9/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch @@ -0,0 +1,40 @@ +From 315d7212af326b6eaa4217a48ed177d34600da56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 15:38:34 +0200 +Subject: mmc: sdio: Check for CISTPL_VERS_1 buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ] + +Before parsing CISTPL_VERS_1 structure check that its size is at least two +bytes to prevent buffer overflow. + +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20200727133837.19086-2-pali@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/sdio_cis.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c +index e0655278c5c32..3efaa9534a777 100644 +--- a/drivers/mmc/core/sdio_cis.c ++++ b/drivers/mmc/core/sdio_cis.c +@@ -26,6 +26,9 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func, + unsigned i, nr_strings; + char **buffer, *string; + ++ if (size < 2) ++ return 0; ++ + /* Find all null-terminated (including zero length) strings in + the TPLLV1_INFO field. Trailing garbage is ignored. */ + buf += 2; +-- +2.25.1 + diff --git a/queue-5.9/module-statically-initialize-init-section-freeing-da.patch b/queue-5.9/module-statically-initialize-init-section-freeing-da.patch new file mode 100644 index 00000000000..054ba505552 --- /dev/null +++ b/queue-5.9/module-statically-initialize-init-section-freeing-da.patch @@ -0,0 +1,89 @@ +From 45a6ca4b10b00f2cab69f6131376053c89bf6e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 13:32:20 -0400 +Subject: module: statically initialize init section freeing data + +From: Daniel Jordan + +[ Upstream commit fdf09ab887829cd1b671e45d9549f8ec1ffda0fa ] + +Corentin hit the following workqueue warning when running with +CRYPTO_MANAGER_EXTRA_TESTS: + + WARNING: CPU: 2 PID: 147 at kernel/workqueue.c:1473 __queue_work+0x3b8/0x3d0 + Modules linked in: ghash_generic + CPU: 2 PID: 147 Comm: modprobe Not tainted + 5.6.0-rc1-next-20200214-00068-g166c9264f0b1-dirty #545 + Hardware name: Pine H64 model A (DT) + pc : __queue_work+0x3b8/0x3d0 + Call trace: + __queue_work+0x3b8/0x3d0 + queue_work_on+0x6c/0x90 + do_init_module+0x188/0x1f0 + load_module+0x1d00/0x22b0 + +I wasn't able to reproduce on x86 or rpi 3b+. + +This is + + WARN_ON(!list_empty(&work->entry)) + +from __queue_work(), and it happens because the init_free_wq work item +isn't initialized in time for a crypto test that requests the gcm +module. Some crypto tests were recently moved earlier in boot as +explained in commit c4741b230597 ("crypto: run initcalls for generic +implementations earlier"), which went into mainline less than two weeks +before the Fixes commit. + +Avoid the warning by statically initializing init_free_wq and the +corresponding llist. + +Link: https://lore.kernel.org/lkml/20200217204803.GA13479@Red/ +Fixes: 1a7b7d922081 ("modules: Use vmalloc special flag") +Reported-by: Corentin Labbe +Tested-by: Corentin Labbe +Tested-on: sun50i-h6-pine-h64 +Tested-on: imx8mn-ddr4-evk +Tested-on: sun50i-a64-bananapi-m64 +Reviewed-by: Eric Biggers +Signed-off-by: Daniel Jordan +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +--- + kernel/module.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/kernel/module.c b/kernel/module.c +index 1c5cff34d9f28..8486123ffd7af 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -91,8 +91,9 @@ EXPORT_SYMBOL_GPL(module_mutex); + static LIST_HEAD(modules); + + /* Work queue for freeing init sections in success case */ +-static struct work_struct init_free_wq; +-static struct llist_head init_free_list; ++static void do_free_init(struct work_struct *w); ++static DECLARE_WORK(init_free_wq, do_free_init); ++static LLIST_HEAD(init_free_list); + + #ifdef CONFIG_MODULES_TREE_LOOKUP + +@@ -3579,14 +3580,6 @@ static void do_free_init(struct work_struct *w) + } + } + +-static int __init modules_wq_init(void) +-{ +- INIT_WORK(&init_free_wq, do_free_init); +- init_llist_head(&init_free_list); +- return 0; +-} +-module_init(modules_wq_init); +- + /* + * This is where the real work happens. + * +-- +2.25.1 + diff --git a/queue-5.9/mt76-fix-a-possible-null-pointer-dereference-in-mt76.patch b/queue-5.9/mt76-fix-a-possible-null-pointer-dereference-in-mt76.patch new file mode 100644 index 00000000000..dcee2b62b2c --- /dev/null +++ b/queue-5.9/mt76-fix-a-possible-null-pointer-dereference-in-mt76.patch @@ -0,0 +1,43 @@ +From fa6872117b9f6d769b1d7cd5c6abcafa58614f1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 12:52:15 +0200 +Subject: mt76: fix a possible NULL pointer dereference in mt76_testmode_dump + +From: Lorenzo Bianconi + +[ Upstream commit ce8463a726a5669b200a1c2c17f95bc1394cc6bf ] + +Fix a possible NULL pointer dereference in mt76_testmode_dump() since +nla_nest_start returns NULL in case of error + +Fixes: f0efa8621550e ("mt76: add API for testmode support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/testmode.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/testmode.c b/drivers/net/wireless/mediatek/mt76/testmode.c +index 75bb02cdfdae4..5bd6ac1ba3b5b 100644 +--- a/drivers/net/wireless/mediatek/mt76/testmode.c ++++ b/drivers/net/wireless/mediatek/mt76/testmode.c +@@ -442,9 +442,13 @@ int mt76_testmode_dump(struct ieee80211_hw *hw, struct sk_buff *msg, + mutex_lock(&dev->mutex); + + if (tb[MT76_TM_ATTR_STATS]) { ++ err = -EINVAL; ++ + a = nla_nest_start(msg, MT76_TM_ATTR_STATS); +- err = mt76_testmode_dump_stats(dev, msg); +- nla_nest_end(msg, a); ++ if (a) { ++ err = mt76_testmode_dump_stats(dev, msg); ++ nla_nest_end(msg, a); ++ } + + goto out; + } +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7615-fix-a-possible-null-pointer-dereference-.patch b/queue-5.9/mt76-mt7615-fix-a-possible-null-pointer-dereference-.patch new file mode 100644 index 00000000000..cd347108c32 --- /dev/null +++ b/queue-5.9/mt76-mt7615-fix-a-possible-null-pointer-dereference-.patch @@ -0,0 +1,43 @@ +From b58ce37d6b51ccc159548e389d86a7b71163ed09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 12:09:54 +0200 +Subject: mt76: mt7615: fix a possible NULL pointer dereference in + mt7615_pm_wake_work + +From: Lorenzo Bianconi + +[ Upstream commit a081de174d11b12db9a94eb748041c2732f14c10 ] + +Initialize wcid to global_wcid if msta is NULL in mt7615_pm_wake_work +routine since wcid will be dereferenced running mt76_tx() + +Fixes: 2b8cdfb28d340 ("mt76: mt7615: wake device before pushing frames in mt7615_tx") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +index 3dd8dd28690ed..2be127018df6a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +@@ -1853,12 +1853,13 @@ void mt7615_pm_wake_work(struct work_struct *work) + spin_lock_bh(&dev->pm.txq_lock); + for (i = 0; i < IEEE80211_NUM_ACS; i++) { + struct mt7615_sta *msta = dev->pm.tx_q[i].msta; +- struct mt76_wcid *wcid = msta ? &msta->wcid : NULL; + struct ieee80211_sta *sta = NULL; ++ struct mt76_wcid *wcid; + + if (!dev->pm.tx_q[i].skb) + continue; + ++ wcid = msta ? &msta->wcid : &dev->mt76.global_wcid; + if (msta && wcid->sta) + sta = container_of((void *)msta, struct ieee80211_sta, + drv_priv); +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7615-fix-possible-memory-leak-in-mt7615_tm_se.patch b/queue-5.9/mt76-mt7615-fix-possible-memory-leak-in-mt7615_tm_se.patch new file mode 100644 index 00000000000..17f7d9f8891 --- /dev/null +++ b/queue-5.9/mt76-mt7615-fix-possible-memory-leak-in-mt7615_tm_se.patch @@ -0,0 +1,49 @@ +From c34c3369e053a4a595c2d8f2c865097893052fa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 11:19:51 +0200 +Subject: mt76: mt7615: fix possible memory leak in mt7615_tm_set_tx_power + +From: Lorenzo Bianconi + +[ Upstream commit e862825dcf74203c5ab60335c341766808f47507 ] + +Fix a memory leak in mt7615_tm_set_tx_power routine if +mt7615_eeprom_get_target_power_index fails. +Moreover do not account req_header twice in mcu skb allocation. + +Fixes: 4f0bce1c88882 ("mt76: mt7615: implement testmode support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/testmode.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/testmode.c b/drivers/net/wireless/mediatek/mt76/mt7615/testmode.c +index 1730751133aa2..2cfa58d49832f 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/testmode.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/testmode.c +@@ -70,7 +70,7 @@ mt7615_tm_set_tx_power(struct mt7615_phy *phy) + if (dev->mt76.test.state != MT76_TM_STATE_OFF) + tx_power = dev->mt76.test.tx_power; + +- len = sizeof(req_hdr) + MT7615_EE_MAX - MT_EE_NIC_CONF_0; ++ len = MT7615_EE_MAX - MT_EE_NIC_CONF_0; + skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, sizeof(req_hdr) + len); + if (!skb) + return -ENOMEM; +@@ -83,8 +83,10 @@ mt7615_tm_set_tx_power(struct mt7615_phy *phy) + int index; + + ret = mt7615_eeprom_get_target_power_index(dev, chandef->chan, i); +- if (ret < 0) ++ if (ret < 0) { ++ dev_kfree_skb(skb); + return -EINVAL; ++ } + + index = ret - MT_EE_NIC_CONF_0; + if (tx_power && tx_power[i]) +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7615-hold-mt76-lock-queueing-wd-in-mt7615_que.patch b/queue-5.9/mt76-mt7615-hold-mt76-lock-queueing-wd-in-mt7615_que.patch new file mode 100644 index 00000000000..62941e1411f --- /dev/null +++ b/queue-5.9/mt76-mt7615-hold-mt76-lock-queueing-wd-in-mt7615_que.patch @@ -0,0 +1,39 @@ +From f3db1f618d6275d2be2a6732a4d6338bb6f82c8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 11:21:31 +0200 +Subject: mt76: mt7615: hold mt76 lock queueing wd in mt7615_queue_key_update + +From: Lorenzo Bianconi + +[ Upstream commit cddaaa56375615c256eb6960d3092ddb8a7a9154 ] + +wq queue is always updated holding mt76 spinlock. Grab mt76 lock in +mt7615_queue_key_update() before putting a new element at the end of the +queue. + +Fixes: eb99cc95c3b65 ("mt76: mt7615: introduce mt7663u support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +index 2d0b1f49fdbcf..bafe2bdeb5eb4 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +@@ -361,7 +361,10 @@ mt7615_queue_key_update(struct mt7615_dev *dev, enum set_key_cmd cmd, + wd->key.keylen = key->keylen; + wd->key.cmd = cmd; + ++ spin_lock_bh(&dev->mt76.lock); + list_add_tail(&wd->node, &dev->wd_head); ++ spin_unlock_bh(&dev->mt76.lock); ++ + queue_work(dev->mt76.wq, &dev->wtbl_work); + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7615-move-drv_own-fw_own-in-mt7615_mcu_ops.patch b/queue-5.9/mt76-mt7615-move-drv_own-fw_own-in-mt7615_mcu_ops.patch new file mode 100644 index 00000000000..1393a4ebae2 --- /dev/null +++ b/queue-5.9/mt76-mt7615-move-drv_own-fw_own-in-mt7615_mcu_ops.patch @@ -0,0 +1,312 @@ +From 7919ab6c396f81338b9acc47e3dba5735ae4401a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 17:41:19 +0200 +Subject: mt76: mt7615: move drv_own/fw_own in mt7615_mcu_ops + +From: Lorenzo Bianconi + +[ Upstream commit 186b659c0859704ef3b2fb634a659724f020889a ] + +Introduce set_drv_ctrl and set_fw_ctrl function pointers in +mt7615_mcu_ops data structure. This is a preliminary patch to enable +runtime-pm for non-pci chipsets + +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7615/mac.c | 4 +- + .../net/wireless/mediatek/mt76/mt7615/mcu.c | 158 +++++++++--------- + .../wireless/mediatek/mt76/mt7615/mt7615.h | 6 +- + .../net/wireless/mediatek/mt76/mt7615/pci.c | 4 +- + 4 files changed, 89 insertions(+), 83 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +index 2be127018df6a..019031d436de8 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +@@ -1845,7 +1845,7 @@ void mt7615_pm_wake_work(struct work_struct *work) + pm.wake_work); + mphy = dev->phy.mt76; + +- if (mt7615_driver_own(dev)) { ++ if (mt7615_mcu_set_drv_ctrl(dev)) { + dev_err(mphy->dev->dev, "failed to wake device\n"); + goto out; + } +@@ -1944,7 +1944,7 @@ void mt7615_pm_power_save_work(struct work_struct *work) + goto out; + } + +- if (!mt7615_firmware_own(dev)) ++ if (!mt7615_mcu_set_fw_ctrl(dev)) + return; + out: + queue_delayed_work(dev->mt76.wq, &dev->pm.ps_work, delta); +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +index bd316dbd9041d..82b6edd7a9f67 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +@@ -324,6 +324,79 @@ int mt7615_rf_wr(struct mt7615_dev *dev, u32 wf, u32 reg, u32 val) + sizeof(req), false); + } + ++static void mt7622_trigger_hif_int(struct mt7615_dev *dev, bool en) ++{ ++ if (!is_mt7622(&dev->mt76)) ++ return; ++ ++ regmap_update_bits(dev->infracfg, MT_INFRACFG_MISC, ++ MT_INFRACFG_MISC_AP2CONN_WAKE, ++ !en * MT_INFRACFG_MISC_AP2CONN_WAKE); ++} ++ ++static int mt7615_mcu_drv_pmctrl(struct mt7615_dev *dev) ++{ ++ struct mt76_phy *mphy = &dev->mt76.phy; ++ struct mt76_dev *mdev = &dev->mt76; ++ int i; ++ ++ if (!test_and_clear_bit(MT76_STATE_PM, &mphy->state)) ++ goto out; ++ ++ mt7622_trigger_hif_int(dev, true); ++ ++ for (i = 0; i < MT7615_DRV_OWN_RETRY_COUNT; i++) { ++ u32 addr; ++ ++ addr = is_mt7663(mdev) ? MT_PCIE_DOORBELL_PUSH : MT_CFG_LPCR_HOST; ++ mt76_wr(dev, addr, MT_CFG_LPCR_HOST_DRV_OWN); ++ ++ addr = is_mt7663(mdev) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST; ++ if (mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, 0, 50)) ++ break; ++ } ++ ++ mt7622_trigger_hif_int(dev, false); ++ ++ if (i == MT7615_DRV_OWN_RETRY_COUNT) { ++ dev_err(mdev->dev, "driver own failed\n"); ++ set_bit(MT76_STATE_PM, &mphy->state); ++ return -EIO; ++ } ++ ++out: ++ dev->pm.last_activity = jiffies; ++ ++ return 0; ++} ++ ++static int mt7615_mcu_fw_pmctrl(struct mt7615_dev *dev) ++{ ++ struct mt76_phy *mphy = &dev->mt76.phy; ++ int err = 0; ++ u32 addr; ++ ++ if (test_and_set_bit(MT76_STATE_PM, &mphy->state)) ++ return 0; ++ ++ mt7622_trigger_hif_int(dev, true); ++ ++ addr = is_mt7663(&dev->mt76) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST; ++ mt76_wr(dev, addr, MT_CFG_LPCR_HOST_FW_OWN); ++ ++ if (is_mt7622(&dev->mt76) && ++ !mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, ++ MT_CFG_LPCR_HOST_FW_OWN, 300)) { ++ dev_err(dev->mt76.dev, "Timeout for firmware own\n"); ++ clear_bit(MT76_STATE_PM, &mphy->state); ++ err = -EIO; ++ } ++ ++ mt7622_trigger_hif_int(dev, false); ++ ++ return err; ++} ++ + static void + mt7615_mcu_csa_finish(void *priv, u8 *mac, struct ieee80211_vif *vif) + { +@@ -1314,6 +1387,8 @@ static const struct mt7615_mcu_ops wtbl_update_ops = { + .add_tx_ba = mt7615_mcu_wtbl_tx_ba, + .add_rx_ba = mt7615_mcu_wtbl_rx_ba, + .sta_add = mt7615_mcu_wtbl_sta_add, ++ .set_drv_ctrl = mt7615_mcu_drv_pmctrl, ++ .set_fw_ctrl = mt7615_mcu_fw_pmctrl, + }; + + static int +@@ -1410,6 +1485,8 @@ static const struct mt7615_mcu_ops sta_update_ops = { + .add_tx_ba = mt7615_mcu_sta_tx_ba, + .add_rx_ba = mt7615_mcu_sta_rx_ba, + .sta_add = mt7615_mcu_add_sta, ++ .set_drv_ctrl = mt7615_mcu_drv_pmctrl, ++ .set_fw_ctrl = mt7615_mcu_fw_pmctrl, + }; + + static int +@@ -1823,6 +1900,8 @@ static const struct mt7615_mcu_ops uni_update_ops = { + .add_tx_ba = mt7615_mcu_uni_tx_ba, + .add_rx_ba = mt7615_mcu_uni_rx_ba, + .sta_add = mt7615_mcu_uni_add_sta, ++ .set_drv_ctrl = mt7615_mcu_drv_pmctrl, ++ .set_fw_ctrl = mt7615_mcu_fw_pmctrl, + }; + + static int mt7615_mcu_send_firmware(struct mt7615_dev *dev, const void *data, +@@ -1895,81 +1974,6 @@ static int mt7615_mcu_start_patch(struct mt7615_dev *dev) + &req, sizeof(req), true); + } + +-static void mt7622_trigger_hif_int(struct mt7615_dev *dev, bool en) +-{ +- if (!is_mt7622(&dev->mt76)) +- return; +- +- regmap_update_bits(dev->infracfg, MT_INFRACFG_MISC, +- MT_INFRACFG_MISC_AP2CONN_WAKE, +- !en * MT_INFRACFG_MISC_AP2CONN_WAKE); +-} +- +-int mt7615_driver_own(struct mt7615_dev *dev) +-{ +- struct mt76_phy *mphy = &dev->mt76.phy; +- struct mt76_dev *mdev = &dev->mt76; +- int i; +- +- if (!test_and_clear_bit(MT76_STATE_PM, &mphy->state)) +- goto out; +- +- mt7622_trigger_hif_int(dev, true); +- +- for (i = 0; i < MT7615_DRV_OWN_RETRY_COUNT; i++) { +- u32 addr; +- +- addr = is_mt7663(mdev) ? MT_PCIE_DOORBELL_PUSH : MT_CFG_LPCR_HOST; +- mt76_wr(dev, addr, MT_CFG_LPCR_HOST_DRV_OWN); +- +- addr = is_mt7663(mdev) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST; +- if (mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, 0, 50)) +- break; +- } +- +- mt7622_trigger_hif_int(dev, false); +- +- if (i == MT7615_DRV_OWN_RETRY_COUNT) { +- dev_err(mdev->dev, "driver own failed\n"); +- set_bit(MT76_STATE_PM, &mphy->state); +- return -EIO; +- } +- +-out: +- dev->pm.last_activity = jiffies; +- +- return 0; +-} +-EXPORT_SYMBOL_GPL(mt7615_driver_own); +- +-int mt7615_firmware_own(struct mt7615_dev *dev) +-{ +- struct mt76_phy *mphy = &dev->mt76.phy; +- int err = 0; +- u32 addr; +- +- if (test_and_set_bit(MT76_STATE_PM, &mphy->state)) +- return 0; +- +- mt7622_trigger_hif_int(dev, true); +- +- addr = is_mt7663(&dev->mt76) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST; +- mt76_wr(dev, addr, MT_CFG_LPCR_HOST_FW_OWN); +- +- if (is_mt7622(&dev->mt76) && +- !mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, +- MT_CFG_LPCR_HOST_FW_OWN, 300)) { +- dev_err(dev->mt76.dev, "Timeout for firmware own\n"); +- clear_bit(MT76_STATE_PM, &mphy->state); +- err = -EIO; +- } +- +- mt7622_trigger_hif_int(dev, false); +- +- return err; +-} +-EXPORT_SYMBOL_GPL(mt7615_firmware_own); +- + static int mt7615_load_patch(struct mt7615_dev *dev, u32 addr, const char *name) + { + const struct mt7615_patch_hdr *hdr; +@@ -2452,7 +2456,7 @@ int mt7615_mcu_init(struct mt7615_dev *dev) + + dev->mt76.mcu_ops = &mt7615_mcu_ops, + +- ret = mt7615_driver_own(dev); ++ ret = mt7615_mcu_drv_pmctrl(dev); + if (ret) + return ret; + +@@ -2482,7 +2486,7 @@ EXPORT_SYMBOL_GPL(mt7615_mcu_init); + void mt7615_mcu_exit(struct mt7615_dev *dev) + { + __mt76_mcu_restart(&dev->mt76); +- mt7615_firmware_own(dev); ++ mt7615_mcu_set_fw_ctrl(dev); + skb_queue_purge(&dev->mt76.mcu.res_q); + } + EXPORT_SYMBOL_GPL(mt7615_mcu_exit); +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h b/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h +index 571eadc033a3b..c2e1cfb071a82 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h +@@ -220,6 +220,8 @@ struct mt7615_phy { + #define mt7615_mcu_add_bss_info(phy, ...) (phy->dev)->mcu_ops->add_bss_info((phy), __VA_ARGS__) + #define mt7615_mcu_add_beacon(dev, ...) (dev)->mcu_ops->add_beacon_offload((dev), __VA_ARGS__) + #define mt7615_mcu_set_pm(dev, ...) (dev)->mcu_ops->set_pm_state((dev), __VA_ARGS__) ++#define mt7615_mcu_set_drv_ctrl(dev) (dev)->mcu_ops->set_drv_ctrl((dev)) ++#define mt7615_mcu_set_fw_ctrl(dev) (dev)->mcu_ops->set_fw_ctrl((dev)) + struct mt7615_mcu_ops { + int (*add_tx_ba)(struct mt7615_dev *dev, + struct ieee80211_ampdu_params *params, +@@ -238,6 +240,8 @@ struct mt7615_mcu_ops { + struct ieee80211_hw *hw, + struct ieee80211_vif *vif, bool enable); + int (*set_pm_state)(struct mt7615_dev *dev, int band, int state); ++ int (*set_drv_ctrl)(struct mt7615_dev *dev); ++ int (*set_fw_ctrl)(struct mt7615_dev *dev); + }; + + struct mt7615_dev { +@@ -638,8 +642,6 @@ int mt7615_mcu_set_p2p_oppps(struct ieee80211_hw *hw, + struct ieee80211_vif *vif); + int mt7615_mcu_set_roc(struct mt7615_phy *phy, struct ieee80211_vif *vif, + struct ieee80211_channel *chan, int duration); +-int mt7615_firmware_own(struct mt7615_dev *dev); +-int mt7615_driver_own(struct mt7615_dev *dev); + + int mt7615_init_debugfs(struct mt7615_dev *dev); + int mt7615_mcu_wait_response(struct mt7615_dev *dev, int cmd, int seq); +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/pci.c b/drivers/net/wireless/mediatek/mt76/mt7615/pci.c +index 2328d78e06a10..b9794f8a8df41 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/pci.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/pci.c +@@ -118,7 +118,7 @@ static int mt7615_pci_suspend(struct pci_dev *pdev, pm_message_t state) + if (err) + goto restore; + +- err = mt7615_firmware_own(dev); ++ err = mt7615_mcu_set_fw_ctrl(dev); + if (err) + goto restore; + +@@ -142,7 +142,7 @@ static int mt7615_pci_resume(struct pci_dev *pdev) + bool pdma_reset; + int i, err; + +- err = mt7615_driver_own(dev); ++ err = mt7615_mcu_set_drv_ctrl(dev); + if (err < 0) + return err; + +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7615-release-mutex-in-mt7615_reset_test_set.patch b/queue-5.9/mt76-mt7615-release-mutex-in-mt7615_reset_test_set.patch new file mode 100644 index 00000000000..1ddefc2e354 --- /dev/null +++ b/queue-5.9/mt76-mt7615-release-mutex-in-mt7615_reset_test_set.patch @@ -0,0 +1,50 @@ +From 11b349ab0c8ada04e35d95695e1678acc2ba9101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Aug 2020 20:25:41 +0200 +Subject: mt76: mt7615: release mutex in mt7615_reset_test_set + +From: Lorenzo Bianconi + +[ Upstream commit 346f810e22428cdf73ee5cf2e0ce1b79d5671de5 ] + +Reduce scope of mutex_acquire/mutex_release in mt7615_reset_test_set +routine in order to fix the following static checker warning: + +drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c:179 +mt7615_reset_test_set() +warn: inconsistent returns 'dev->mt76.mutex'. + +Reported-by: Dan Carpenter +Fixes: ea4906c4be49 ("mt76: mt7615: wake device before accessing regmap in debugfs") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c +index 88931658a9fbb..937cb71bed642 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c +@@ -165,15 +165,14 @@ mt7615_reset_test_set(void *data, u64 val) + if (!mt7615_wait_for_mcu_init(dev)) + return 0; + +- mt7615_mutex_acquire(dev); +- + skb = alloc_skb(1, GFP_KERNEL); + if (!skb) + return -ENOMEM; + + skb_put(skb, 1); +- mt76_tx_queue_skb_raw(dev, 0, skb, 0); + ++ mt7615_mutex_acquire(dev); ++ mt76_tx_queue_skb_raw(dev, 0, skb, 0); + mt7615_mutex_release(dev); + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7622-fix-fw-hang-on-mt7622.patch b/queue-5.9/mt76-mt7622-fix-fw-hang-on-mt7622.patch new file mode 100644 index 00000000000..e1721d01dee --- /dev/null +++ b/queue-5.9/mt76-mt7622-fix-fw-hang-on-mt7622.patch @@ -0,0 +1,113 @@ +From 0f99643b567129a5e9702a370d77e19109333da7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 13:54:03 +0200 +Subject: mt76: mt7622: fix fw hang on mt7622 + +From: Lorenzo Bianconi + +[ Upstream commit 6892555dbe71ed551d3779aa20747484dc9b6ad5 ] + +Set poll timeout to 3s for mt7622 devices in order to avoid fw hangs. +Swap mt7622_trigger_hif_int and doorbell configuration order in +mt7615_mcu_drv_pmctrl routine. +Introduce mt7615_mcu_lp_drv_pmctrl routine to take care of drv_own +configuration for runtime-pm. + +Fixes: 08523a2a1db5 ("mt76: mt7615: add mt7615_pm_wake utility routine") +Fixes: 894b7767ec2f ("mt76: mt7615: improve mt7615_driver_own reliability") +Fixes: 757b0e7fd6f4 ("mt76: mt7615: avoid polling in fw_own for mt7663") +Co-developed-by: Shayne Chen +Signed-off-by: Shayne Chen +Co-developed-by: Ryder Lee +Signed-off-by: Ryder Lee +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7615/mcu.c | 46 +++++++++++++------ + 1 file changed, 32 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +index 82b6edd7a9f67..f42a69ee5635a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +@@ -338,28 +338,46 @@ static int mt7615_mcu_drv_pmctrl(struct mt7615_dev *dev) + { + struct mt76_phy *mphy = &dev->mt76.phy; + struct mt76_dev *mdev = &dev->mt76; +- int i; ++ u32 addr; ++ int err; + +- if (!test_and_clear_bit(MT76_STATE_PM, &mphy->state)) +- goto out; ++ addr = is_mt7663(mdev) ? MT_PCIE_DOORBELL_PUSH : MT_CFG_LPCR_HOST; ++ mt76_wr(dev, addr, MT_CFG_LPCR_HOST_DRV_OWN); + + mt7622_trigger_hif_int(dev, true); + +- for (i = 0; i < MT7615_DRV_OWN_RETRY_COUNT; i++) { +- u32 addr; ++ addr = is_mt7663(mdev) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST; ++ err = !mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, 0, 3000); + +- addr = is_mt7663(mdev) ? MT_PCIE_DOORBELL_PUSH : MT_CFG_LPCR_HOST; +- mt76_wr(dev, addr, MT_CFG_LPCR_HOST_DRV_OWN); ++ mt7622_trigger_hif_int(dev, false); + +- addr = is_mt7663(mdev) ? MT_CONN_HIF_ON_LPCTL : MT_CFG_LPCR_HOST; +- if (mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, 0, 50)) +- break; ++ if (err) { ++ dev_err(mdev->dev, "driver own failed\n"); ++ return -ETIMEDOUT; + } + +- mt7622_trigger_hif_int(dev, false); ++ clear_bit(MT76_STATE_PM, &mphy->state); ++ ++ return 0; ++} ++ ++static int mt7615_mcu_lp_drv_pmctrl(struct mt7615_dev *dev) ++{ ++ struct mt76_phy *mphy = &dev->mt76.phy; ++ int i; ++ ++ if (!test_and_clear_bit(MT76_STATE_PM, &mphy->state)) ++ goto out; ++ ++ for (i = 0; i < MT7615_DRV_OWN_RETRY_COUNT; i++) { ++ mt76_wr(dev, MT_PCIE_DOORBELL_PUSH, MT_CFG_LPCR_HOST_DRV_OWN); ++ if (mt76_poll_msec(dev, MT_CONN_HIF_ON_LPCTL, ++ MT_CFG_LPCR_HOST_FW_OWN, 0, 50)) ++ break; ++ } + + if (i == MT7615_DRV_OWN_RETRY_COUNT) { +- dev_err(mdev->dev, "driver own failed\n"); ++ dev_err(dev->mt76.dev, "driver own failed\n"); + set_bit(MT76_STATE_PM, &mphy->state); + return -EIO; + } +@@ -386,7 +404,7 @@ static int mt7615_mcu_fw_pmctrl(struct mt7615_dev *dev) + + if (is_mt7622(&dev->mt76) && + !mt76_poll_msec(dev, addr, MT_CFG_LPCR_HOST_FW_OWN, +- MT_CFG_LPCR_HOST_FW_OWN, 300)) { ++ MT_CFG_LPCR_HOST_FW_OWN, 3000)) { + dev_err(dev->mt76.dev, "Timeout for firmware own\n"); + clear_bit(MT76_STATE_PM, &mphy->state); + err = -EIO; +@@ -1900,7 +1918,7 @@ static const struct mt7615_mcu_ops uni_update_ops = { + .add_tx_ba = mt7615_mcu_uni_tx_ba, + .add_rx_ba = mt7615_mcu_uni_rx_ba, + .sta_add = mt7615_mcu_uni_add_sta, +- .set_drv_ctrl = mt7615_mcu_drv_pmctrl, ++ .set_drv_ctrl = mt7615_mcu_lp_drv_pmctrl, + .set_fw_ctrl = mt7615_mcu_fw_pmctrl, + }; + +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7663s-fix-resume-failure.patch b/queue-5.9/mt76-mt7663s-fix-resume-failure.patch new file mode 100644 index 00000000000..28b84885d9d --- /dev/null +++ b/queue-5.9/mt76-mt7663s-fix-resume-failure.patch @@ -0,0 +1,41 @@ +From 29c6d2523d30ddcc994cae02930d77ec82fa0f7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 05:49:47 +0800 +Subject: mt76: mt7663s: fix resume failure + +From: Sean Wang + +[ Upstream commit 8b7c6e1cb2cb1d4e2ee94556695d80dde6ccdcc6 ] + +MT7663s have to rely on MMC_PM_KEEP_POWER in pm_flags for to avoid SDIO +power is being shut off. + +To fix sdio access failure like "mt7663s mmc1:0001:1: sdio write failed: +-22" for the first sdio command to access the bus in the resume handler. + +Fixes: a66cbdd6573d ("mt76: mt7615: introduce mt7663s support") +Co-developed-by: YN Chen +Signed-off-by: YN Chen +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/sdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7615/sdio.c +index dabce51117b0a..57d60876db544 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/sdio.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/sdio.c +@@ -426,6 +426,8 @@ static int mt7663s_suspend(struct device *dev) + return err; + } + ++ sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER); ++ + mt76s_stop_txrx(&mdev->mt76); + + return mt7663s_firmware_own(mdev); +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7663u-fix-dma-header-initialization.patch b/queue-5.9/mt76-mt7663u-fix-dma-header-initialization.patch new file mode 100644 index 00000000000..b9c0e259822 --- /dev/null +++ b/queue-5.9/mt76-mt7663u-fix-dma-header-initialization.patch @@ -0,0 +1,64 @@ +From d19b14559f9dda2aebf4a5fbcc3e504af67cc142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 20:55:12 +0200 +Subject: mt76: mt7663u: fix dma header initialization + +From: Lorenzo Bianconi + +[ Upstream commit 8da40d698111ad27b03afc40d67843e3073395e7 ] + +Fix length field corruption in usb dma header introduced adding sdio +support + +Fixes: 75b10f0cbd0b ("mt76: mt76u: add mt76_skb_adjust_pad utility routine") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/usb_mcu.c | 4 +++- + drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c | 7 +++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/usb_mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/usb_mcu.c +index 0b33df3e3bfec..adbed373798e8 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/usb_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/usb_mcu.c +@@ -19,6 +19,7 @@ mt7663u_mcu_send_message(struct mt76_dev *mdev, struct sk_buff *skb, + { + struct mt7615_dev *dev = container_of(mdev, struct mt7615_dev, mt76); + int ret, seq, ep; ++ u32 len; + + mutex_lock(&mdev->mcu.mutex); + +@@ -28,7 +29,8 @@ mt7663u_mcu_send_message(struct mt76_dev *mdev, struct sk_buff *skb, + else + ep = MT_EP_OUT_AC_BE; + +- put_unaligned_le32(skb->len, skb_push(skb, sizeof(skb->len))); ++ len = skb->len; ++ put_unaligned_le32(len, skb_push(skb, sizeof(len))); + ret = mt76_skb_adjust_pad(skb); + if (ret < 0) + goto out; +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c b/drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c +index 6dffdaaa9ad53..294276e2280d2 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c +@@ -259,8 +259,11 @@ int mt7663_usb_sdio_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr, + } + + mt7663_usb_sdio_write_txwi(dev, wcid, qid, sta, skb); +- if (mt76_is_usb(mdev)) +- put_unaligned_le32(skb->len, skb_push(skb, sizeof(skb->len))); ++ if (mt76_is_usb(mdev)) { ++ u32 len = skb->len; ++ ++ put_unaligned_le32(len, skb_push(skb, sizeof(len))); ++ } + + return mt76_skb_adjust_pad(skb); + } +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7915-do-not-do-any-work-in-napi-poll-after-ca.patch b/queue-5.9/mt76-mt7915-do-not-do-any-work-in-napi-poll-after-ca.patch new file mode 100644 index 00000000000..cd26008d572 --- /dev/null +++ b/queue-5.9/mt76-mt7915-do-not-do-any-work-in-napi-poll-after-ca.patch @@ -0,0 +1,46 @@ +From fb45dac66a5b5c77ebd3911d8763777bfc64a7e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 20:57:46 +0200 +Subject: mt76: mt7915: do not do any work in napi poll after calling + napi_complete_done() + +From: Felix Fietkau + +[ Upstream commit 38b04398c532e9bb9aa90fc07846ad0b0845fe94 ] + +Fixes a race condition where multiple tx cleanup or sta poll tasks could run +in parallel. + +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/dma.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/dma.c b/drivers/net/wireless/mediatek/mt76/mt7915/dma.c +index a8832c5e60041..8a1ae08d9572e 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/dma.c +@@ -95,16 +95,13 @@ static int mt7915_poll_tx(struct napi_struct *napi, int budget) + dev = container_of(napi, struct mt7915_dev, mt76.tx_napi); + + mt7915_tx_cleanup(dev); +- +- if (napi_complete_done(napi, 0)) +- mt7915_irq_enable(dev, MT_INT_TX_DONE_ALL); +- +- mt7915_tx_cleanup(dev); +- + mt7915_mac_sta_poll(dev); + + tasklet_schedule(&dev->mt76.tx_tasklet); + ++ if (napi_complete_done(napi, 0)) ++ mt7915_irq_enable(dev, MT_INT_TX_DONE_ALL); ++ + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/mt76-mt7915-fix-possible-memory-leak-in-mt7915_mcu_a.patch b/queue-5.9/mt76-mt7915-fix-possible-memory-leak-in-mt7915_mcu_a.patch new file mode 100644 index 00000000000..a8c394f7404 --- /dev/null +++ b/queue-5.9/mt76-mt7915-fix-possible-memory-leak-in-mt7915_mcu_a.patch @@ -0,0 +1,59 @@ +From 8b49f71e05240ab07f6f90d88db8eda3614afc31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 20:29:01 +0200 +Subject: mt76: mt7915: fix possible memory leak in mt7915_mcu_add_beacon + +From: Lorenzo Bianconi + +[ Upstream commit 071c8ce8e92a86b8bf78678e78eb4b79fdc16768 ] + +Release mcu message memory in case of failure in mt7915_mcu_add_beacon +routine + +Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7915/mcu.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index eaed5ef054016..bfd87974a5796 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -2335,14 +2335,6 @@ int mt7915_mcu_add_beacon(struct ieee80211_hw *hw, + struct bss_info_bcn *bcn; + int len = MT7915_BEACON_UPDATE_SIZE + MAX_BEACON_SIZE; + +- rskb = mt7915_mcu_alloc_sta_req(dev, mvif, NULL, len); +- if (IS_ERR(rskb)) +- return PTR_ERR(rskb); +- +- tlv = mt7915_mcu_add_tlv(rskb, BSS_INFO_OFFLOAD, sizeof(*bcn)); +- bcn = (struct bss_info_bcn *)tlv; +- bcn->enable = en; +- + skb = ieee80211_beacon_get_template(hw, vif, &offs); + if (!skb) + return -EINVAL; +@@ -2353,6 +2345,16 @@ int mt7915_mcu_add_beacon(struct ieee80211_hw *hw, + return -EINVAL; + } + ++ rskb = mt7915_mcu_alloc_sta_req(dev, mvif, NULL, len); ++ if (IS_ERR(rskb)) { ++ dev_kfree_skb(skb); ++ return PTR_ERR(rskb); ++ } ++ ++ tlv = mt7915_mcu_add_tlv(rskb, BSS_INFO_OFFLOAD, sizeof(*bcn)); ++ bcn = (struct bss_info_bcn *)tlv; ++ bcn->enable = en; ++ + if (mvif->band_idx) { + info = IEEE80211_SKB_CB(skb); + info->hw_queue |= MT_TX_HW_QUEUE_EXT_PHY; +-- +2.25.1 + diff --git a/queue-5.9/mtd-hyperbus-hbmc-am654-fix-direct-mapping-setup-fla.patch b/queue-5.9/mtd-hyperbus-hbmc-am654-fix-direct-mapping-setup-fla.patch new file mode 100644 index 00000000000..fe537106d01 --- /dev/null +++ b/queue-5.9/mtd-hyperbus-hbmc-am654-fix-direct-mapping-setup-fla.patch @@ -0,0 +1,45 @@ +From 3eda7b3e01d264fc1671c2fb31051b139fd8d5c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 13:42:12 +0530 +Subject: mtd: hyperbus: hbmc-am654: Fix direct mapping setup flash access + +From: Vignesh Raghavendra + +[ Upstream commit aca31ce96814c84d1a41aaa109c15abe61005af7 ] + +Setting up of direct mapping should be done with flash node's IO +address space and not with controller's IO region. + +Fixes: b6fe8bc67d2d3 ("mtd: hyperbus: move direct mapping setup to AM654 HBMC driver") +Signed-off-by: Vignesh Raghavendra +Link: https://lore.kernel.org/r/20200924081214.16934-3-vigneshr@ti.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/hyperbus/hbmc-am654.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/hyperbus/hbmc-am654.c b/drivers/mtd/hyperbus/hbmc-am654.c +index e0e33f6bf513b..1e70ecfffa39f 100644 +--- a/drivers/mtd/hyperbus/hbmc-am654.c ++++ b/drivers/mtd/hyperbus/hbmc-am654.c +@@ -70,7 +70,8 @@ static int am654_hbmc_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, priv); + +- ret = of_address_to_resource(np, 0, &res); ++ priv->hbdev.np = of_get_next_child(np, NULL); ++ ret = of_address_to_resource(priv->hbdev.np, 0, &res); + if (ret) + return ret; + +@@ -103,7 +104,6 @@ static int am654_hbmc_probe(struct platform_device *pdev) + priv->ctlr.dev = dev; + priv->ctlr.ops = &am654_hbmc_ops; + priv->hbdev.ctlr = &priv->ctlr; +- priv->hbdev.np = of_get_next_child(dev->of_node, NULL); + ret = hyperbus_register_device(&priv->hbdev); + if (ret) { + dev_err(dev, "failed to register controller\n"); +-- +2.25.1 + diff --git a/queue-5.9/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch b/queue-5.9/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch new file mode 100644 index 00000000000..cfd95704d52 --- /dev/null +++ b/queue-5.9/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch @@ -0,0 +1,96 @@ +From ce4ab36fd4b6ee4fc02946543711fc65bb2572b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 16:01:16 +0200 +Subject: mtd: lpddr: fix excessive stack usage with clang + +From: Arnd Bergmann + +[ Upstream commit 3e1b6469f8324bee5927b063e2aca30d3e56b907 ] + +Building lpddr2_nvm with clang can result in a giant stack usage +in one function: + +drivers/mtd/lpddr/lpddr2_nvm.c:399:12: error: stack frame size of 1144 bytes in function 'lpddr2_nvm_probe' [-Werror,-Wframe-larger-than=] + +The problem is that clang decides to build a copy of the mtd_info +structure on the stack and then do a memcpy() into the actual version. It +shouldn't really do it that way, but it's not strictly a bug either. + +As a workaround, use a static const version of the structure to assign +most of the members upfront and then only set the few members that +require runtime knowledge at probe time. + +Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Acked-by: Miquel Raynal +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200505140136.263461-1-arnd@arndb.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/lpddr/lpddr2_nvm.c | 35 ++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c +index 0f1547f09d08b..72f5c7b300790 100644 +--- a/drivers/mtd/lpddr/lpddr2_nvm.c ++++ b/drivers/mtd/lpddr/lpddr2_nvm.c +@@ -393,6 +393,17 @@ static int lpddr2_nvm_lock(struct mtd_info *mtd, loff_t start_add, + return lpddr2_nvm_do_block_op(mtd, start_add, len, LPDDR2_NVM_LOCK); + } + ++static const struct mtd_info lpddr2_nvm_mtd_info = { ++ .type = MTD_RAM, ++ .writesize = 1, ++ .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK), ++ ._read = lpddr2_nvm_read, ++ ._write = lpddr2_nvm_write, ++ ._erase = lpddr2_nvm_erase, ++ ._unlock = lpddr2_nvm_unlock, ++ ._lock = lpddr2_nvm_lock, ++}; ++ + /* + * lpddr2_nvm driver probe method + */ +@@ -433,6 +444,7 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + .pfow_base = OW_BASE_ADDRESS, + .fldrv_priv = pcm_data, + }; ++ + if (IS_ERR(map->virt)) + return PTR_ERR(map->virt); + +@@ -444,22 +456,13 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + return PTR_ERR(pcm_data->ctl_regs); + + /* Populate mtd_info data structure */ +- *mtd = (struct mtd_info) { +- .dev = { .parent = &pdev->dev }, +- .name = pdev->dev.init_name, +- .type = MTD_RAM, +- .priv = map, +- .size = resource_size(add_range), +- .erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width, +- .writesize = 1, +- .writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width, +- .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK), +- ._read = lpddr2_nvm_read, +- ._write = lpddr2_nvm_write, +- ._erase = lpddr2_nvm_erase, +- ._unlock = lpddr2_nvm_unlock, +- ._lock = lpddr2_nvm_lock, +- }; ++ *mtd = lpddr2_nvm_mtd_info; ++ mtd->dev.parent = &pdev->dev; ++ mtd->name = pdev->dev.init_name; ++ mtd->priv = map; ++ mtd->size = resource_size(add_range); ++ mtd->erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width; ++ mtd->writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width; + + /* Verify the presence of the device looking for PFOW string */ + if (!lpddr2_nvm_pfow_present(map)) { +-- +2.25.1 + diff --git a/queue-5.9/mtd-mtdoops-don-t-write-panic-data-twice.patch b/queue-5.9/mtd-mtdoops-don-t-write-panic-data-twice.patch new file mode 100644 index 00000000000..bed0d9bb15d --- /dev/null +++ b/queue-5.9/mtd-mtdoops-don-t-write-panic-data-twice.patch @@ -0,0 +1,49 @@ +From 026f79025f66af12750d3eb3d1420761c98ba348 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 15:42:17 +1200 +Subject: mtd: mtdoops: Don't write panic data twice + +From: Mark Tomlinson + +[ Upstream commit c1cf1d57d1492235309111ea6a900940213a9166 ] + +If calling mtdoops_write, don't also schedule work to be done later. + +Although this appears to not be causing an issue, possibly because the +scheduled work will never get done, it is confusing. + +Fixes: 016c1291ce70 ("mtd: mtdoops: do not use mtd->panic_write directly") +Signed-off-by: Mark Tomlinson +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200903034217.23079-1-mark.tomlinson@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdoops.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c +index 4ced68be7ed7e..774970bfcf859 100644 +--- a/drivers/mtd/mtdoops.c ++++ b/drivers/mtd/mtdoops.c +@@ -279,12 +279,13 @@ static void mtdoops_do_dump(struct kmsg_dumper *dumper, + kmsg_dump_get_buffer(dumper, true, cxt->oops_buf + MTDOOPS_HEADER_SIZE, + record_size - MTDOOPS_HEADER_SIZE, NULL); + +- /* Panics must be written immediately */ +- if (reason != KMSG_DUMP_OOPS) ++ if (reason != KMSG_DUMP_OOPS) { ++ /* Panics must be written immediately */ + mtdoops_write(cxt, 1); +- +- /* For other cases, schedule work to write it "nicely" */ +- schedule_work(&cxt->work_write); ++ } else { ++ /* For other cases, schedule work to write it "nicely" */ ++ schedule_work(&cxt->work_write); ++ } + } + + static void mtdoops_notify_add(struct mtd_info *mtd) +-- +2.25.1 + diff --git a/queue-5.9/mtd-parsers-bcm63xx-do-not-make-it-modular.patch b/queue-5.9/mtd-parsers-bcm63xx-do-not-make-it-modular.patch new file mode 100644 index 00000000000..cb7684387f0 --- /dev/null +++ b/queue-5.9/mtd-parsers-bcm63xx-do-not-make-it-modular.patch @@ -0,0 +1,43 @@ +From 3074c2b59a8942055cd6baa7c1ce007e2457248e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 10:27:21 -0700 +Subject: mtd: parsers: bcm63xx: Do not make it modular + +From: Florian Fainelli + +[ Upstream commit b597cc75f7fe76708bc6ab3f0e09bbff6f09ae4a ] + +With commit 91e81150d388 ("mtd: parsers: bcm63xx: simplify CFE +detection"), we generate a reference to fw_arg3 which is the fourth +firmware/command line argument on MIPS platforms. That symbol is not +exported and would cause a linking failure. + +The parser is typically necessary to boot a BCM63xx-based system anyway +so having it be part of the kernel image makes sense, therefore make it +'bool' instead of 'tristate'. + +Fixes: 91e81150d388 ("mtd: parsers: bcm63xx: simplify CFE detection") +Signed-off-by: Florian Fainelli +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200929172726.30469-1-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/parsers/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/parsers/Kconfig b/drivers/mtd/parsers/Kconfig +index f98363c9b3630..e72354322f628 100644 +--- a/drivers/mtd/parsers/Kconfig ++++ b/drivers/mtd/parsers/Kconfig +@@ -12,7 +12,7 @@ config MTD_BCM47XX_PARTS + boards. + + config MTD_BCM63XX_PARTS +- tristate "BCM63XX CFE partitioning parser" ++ bool "BCM63XX CFE partitioning parser" + depends on BCM63XX || BMIPS_GENERIC || COMPILE_TEST + select CRC32 + select MTD_PARSER_IMAGETAG +-- +2.25.1 + diff --git a/queue-5.9/mtd-rawnand-ams-delta-fix-non-of-build-warning.patch b/queue-5.9/mtd-rawnand-ams-delta-fix-non-of-build-warning.patch new file mode 100644 index 00000000000..79b55afa943 --- /dev/null +++ b/queue-5.9/mtd-rawnand-ams-delta-fix-non-of-build-warning.patch @@ -0,0 +1,52 @@ +From f25ce95ee1b73e9d9976302db251bef3541b4101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 10:04:03 +0200 +Subject: mtd: rawnand: ams-delta: Fix non-OF build warning + +From: Janusz Krzysztofik + +[ Upstream commit 6d11178762f7c8338a028b428198383b8978b280 ] + +Commit 7c2f66a960fc ("mtd: rawnand: ams-delta: Add module device +tables") introduced an OF module device table but wrapped a reference +to it with of_match_ptr() which resolves to NULL in non-OF configs. +That resulted in a clang compiler warning on unused variable in non-OF +builds. Fix it. + +drivers/mtd/nand/raw/ams-delta.c:373:34: warning: unused variable 'gpio_nand_of_id_table' [-Wunused-const-variable] + static const struct of_device_id gpio_nand_of_id_table[] = { + ^ + 1 warning generated. + +Fixes: 7c2f66a960fc ("mtd: rawnand: ams-delta: Add module device tables") +Reported-by: kernel test robot +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200919080403.17520-1-jmkrzyszt@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/ams-delta.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mtd/nand/raw/ams-delta.c b/drivers/mtd/nand/raw/ams-delta.c +index fdba155416d25..0bf4cfc251472 100644 +--- a/drivers/mtd/nand/raw/ams-delta.c ++++ b/drivers/mtd/nand/raw/ams-delta.c +@@ -400,12 +400,14 @@ static int gpio_nand_remove(struct platform_device *pdev) + return 0; + } + ++#ifdef CONFIG_OF + static const struct of_device_id gpio_nand_of_id_table[] = { + { + /* sentinel */ + }, + }; + MODULE_DEVICE_TABLE(of, gpio_nand_of_id_table); ++#endif + + static const struct platform_device_id gpio_nand_plat_id_table[] = { + { +-- +2.25.1 + diff --git a/queue-5.9/mtd-rawnand-stm32_fmc2-fix-a-buffer-overflow.patch b/queue-5.9/mtd-rawnand-stm32_fmc2-fix-a-buffer-overflow.patch new file mode 100644 index 00000000000..44377284b4c --- /dev/null +++ b/queue-5.9/mtd-rawnand-stm32_fmc2-fix-a-buffer-overflow.patch @@ -0,0 +1,40 @@ +From bfdd6a993fad8b72b421ab57134e96fc8c6e8171 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 11:52:07 +0200 +Subject: mtd: rawnand: stm32_fmc2: fix a buffer overflow + +From: Christophe Kerello + +[ Upstream commit ab16f54ef3cdb6bbc06a36f636a89e6db8a6cea3 ] + +This patch solves following static checker warning: +drivers/mtd/nand/raw/stm32_fmc2_nand.c:350 stm32_fmc2_nfc_select_chip() +error: buffer overflow 'nfc->data_phys_addr' 2 <= 2 + +The CS value can only be 0 or 1. + +Signed-off-by: Christophe Kerello +Fixes: 2cd457f328c1 ("mtd: rawnand: stm32_fmc2: add STM32 FMC2 NAND flash controller driver") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/1595325127-32693-1-git-send-email-christophe.kerello@st.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/stm32_fmc2_nand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/stm32_fmc2_nand.c b/drivers/mtd/nand/raw/stm32_fmc2_nand.c +index 7f4546ae91303..5792fb240cb2b 100644 +--- a/drivers/mtd/nand/raw/stm32_fmc2_nand.c ++++ b/drivers/mtd/nand/raw/stm32_fmc2_nand.c +@@ -1762,7 +1762,7 @@ static int stm32_fmc2_nfc_parse_child(struct stm32_fmc2_nfc *nfc, + return ret; + } + +- if (cs > FMC2_MAX_CE) { ++ if (cs >= FMC2_MAX_CE) { + dev_err(nfc->dev, "invalid reg value: %d\n", cs); + return -EINVAL; + } +-- +2.25.1 + diff --git a/queue-5.9/mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch b/queue-5.9/mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch new file mode 100644 index 00000000000..b5a04d670b2 --- /dev/null +++ b/queue-5.9/mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch @@ -0,0 +1,43 @@ +From 46d8ab67e2b31c9d4ff91a4c58fce1d3befecd5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 10:26:34 +0300 +Subject: mtd: rawnand: vf610: disable clk on error handling path in probe + +From: Evgeny Novikov + +[ Upstream commit cb7dc3178a9862614b1e7567d77f4679f027a074 ] + +vf610_nfc_probe() does not invoke clk_disable_unprepare() on one error +handling path. The patch fixes that. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 6f0ce4dfc5a3 ("mtd: rawnand: vf610: Avoid a potential NULL pointer dereference") +Signed-off-by: Evgeny Novikov +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200806072634.23528-1-novikov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/vf610_nfc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/vf610_nfc.c b/drivers/mtd/nand/raw/vf610_nfc.c +index 7248c59011836..fcca45e2abe20 100644 +--- a/drivers/mtd/nand/raw/vf610_nfc.c ++++ b/drivers/mtd/nand/raw/vf610_nfc.c +@@ -852,8 +852,10 @@ static int vf610_nfc_probe(struct platform_device *pdev) + } + + of_id = of_match_device(vf610_nfc_dt_ids, &pdev->dev); +- if (!of_id) +- return -ENODEV; ++ if (!of_id) { ++ err = -ENODEV; ++ goto err_disable_clk; ++ } + + nfc->variant = (enum vf610_nfc_variant)of_id->data; + +-- +2.25.1 + diff --git a/queue-5.9/mtd-spinand-gigadevice-add-qe-bit.patch b/queue-5.9/mtd-spinand-gigadevice-add-qe-bit.patch new file mode 100644 index 00000000000..b4ee4fcb1fc --- /dev/null +++ b/queue-5.9/mtd-spinand-gigadevice-add-qe-bit.patch @@ -0,0 +1,80 @@ +From 25a3e551988f3964c8da2d44dfb155631a1b312e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:51:20 +0200 +Subject: mtd: spinand: gigadevice: Add QE Bit + +From: Hauke Mehrtens + +[ Upstream commit aea7687e77bebce5b67fab9d03347bd8df7933c7 ] + +The following GigaDevice chips have the QE BIT in the feature flags, I +checked the datasheets, but did not try this. +* GD5F1GQ4xExxG +* GD5F1GQ4xFxxG +* GD5F1GQ4UAYIG +* GD5F4GQ4UAYIG + +The Quad operations like 0xEB mention that the QE bit has to be set. + +Fixes: c93c613214ac ("mtd: spinand: add support for GigaDevice GD5FxGQ4xA") +Signed-off-by: Hauke Mehrtens +Tested-by: Chuanhong Guo +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200820165121.3192-3-hauke@hauke-m.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/spi/gigadevice.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/mtd/nand/spi/gigadevice.c b/drivers/mtd/nand/spi/gigadevice.c +index 679d3c43e15aa..0b7667e60780f 100644 +--- a/drivers/mtd/nand/spi/gigadevice.c ++++ b/drivers/mtd/nand/spi/gigadevice.c +@@ -202,7 +202,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout, + gd5fxgq4xa_ecc_get_status)), + SPINAND_INFO("GD5F2GQ4xA", +@@ -212,7 +212,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout, + gd5fxgq4xa_ecc_get_status)), + SPINAND_INFO("GD5F4GQ4xA", +@@ -222,7 +222,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout, + gd5fxgq4xa_ecc_get_status)), + SPINAND_INFO("GD5F1GQ4UExxG", +@@ -232,7 +232,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4_variant2_ooblayout, + gd5fxgq4uexxg_ecc_get_status)), + SPINAND_INFO("GD5F1GQ4UFxxG", +@@ -242,7 +242,7 @@ static const struct spinand_info gigadevice_spinand_table[] = { + SPINAND_INFO_OP_VARIANTS(&read_cache_variants_f, + &write_cache_variants, + &update_cache_variants), +- 0, ++ SPINAND_HAS_QE_BIT, + SPINAND_ECCINFO(&gd5fxgq4_variant2_ooblayout, + gd5fxgq4ufxxg_ecc_get_status)), + }; +-- +2.25.1 + diff --git a/queue-5.9/mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch b/queue-5.9/mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch new file mode 100644 index 00000000000..133ec91c283 --- /dev/null +++ b/queue-5.9/mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch @@ -0,0 +1,51 @@ +From a509d702a981fbd36d08b22f05dbdae371f6884c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:51:19 +0200 +Subject: mtd: spinand: gigadevice: Only one dummy byte in QUADIO + +From: Hauke Mehrtens + +[ Upstream commit 6387ad9caf8f09747a8569e5876086b72ee9382c ] + +The datasheet only lists one dummy byte in the 0xEH operation for the +following chips: +* GD5F1GQ4xExxG +* GD5F1GQ4xFxxG +* GD5F1GQ4UAYIG +* GD5F4GQ4UAYIG + +Fixes: c93c613214ac ("mtd: spinand: add support for GigaDevice GD5FxGQ4xA") +Signed-off-by: Hauke Mehrtens +Tested-by: Chuanhong Guo +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200820165121.3192-2-hauke@hauke-m.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/spi/gigadevice.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/spi/gigadevice.c b/drivers/mtd/nand/spi/gigadevice.c +index d219c970042a2..679d3c43e15aa 100644 +--- a/drivers/mtd/nand/spi/gigadevice.c ++++ b/drivers/mtd/nand/spi/gigadevice.c +@@ -21,7 +21,7 @@ + #define GD5FXGQ4UXFXXG_STATUS_ECC_UNCOR_ERROR (7 << 4) + + static SPINAND_OP_VARIANTS(read_cache_variants, +- SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 2, NULL, 0), ++ SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_X4_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_DUALIO_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_X2_OP(0, 1, NULL, 0), +@@ -29,7 +29,7 @@ static SPINAND_OP_VARIANTS(read_cache_variants, + SPINAND_PAGE_READ_FROM_CACHE_OP(false, 0, 1, NULL, 0)); + + static SPINAND_OP_VARIANTS(read_cache_variants_f, +- SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 2, NULL, 0), ++ SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_X4_OP_3A(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_DUALIO_OP(0, 1, NULL, 0), + SPINAND_PAGE_READ_FROM_CACHE_X2_OP_3A(0, 1, NULL, 0), +-- +2.25.1 + diff --git a/queue-5.9/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch b/queue-5.9/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch new file mode 100644 index 00000000000..829b12fffc8 --- /dev/null +++ b/queue-5.9/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch @@ -0,0 +1,51 @@ +From 7bf1f5740f3d05da9ffa41967a8c0959dfcb0d27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 11:29:06 +0200 +Subject: mwifiex: Do not use GFP_KERNEL in atomic context + +From: Christophe JAILLET + +[ Upstream commit d2ab7f00f4321370a8ee14e5630d4349fdacc42e ] + +A possible call chain is as follow: + mwifiex_sdio_interrupt (sdio.c) + --> mwifiex_main_process (main.c) + --> mwifiex_process_cmdresp (cmdevt.c) + --> mwifiex_process_sta_cmdresp (sta_cmdresp.c) + --> mwifiex_ret_802_11_scan (scan.c) + --> mwifiex_parse_single_response_buf (scan.c) + +'mwifiex_sdio_interrupt()' is an interrupt function. + +Also note that 'mwifiex_ret_802_11_scan()' already uses GFP_ATOMIC. + +So use GFP_ATOMIC instead of GFP_KERNEL when memory is allocated in +'mwifiex_parse_single_response_buf()'. + +Fixes: 7c6fa2a843c5 ("mwifiex: use cfg80211 dynamic scan table and cfg80211_get_bss API") +or +Fixes: 601216e12c65e ("mwifiex: process RX packets in SDIO IRQ thread directly") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200809092906.744621-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index ff932627a46c1..2fb69a590bd8e 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -1889,7 +1889,7 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info, + chan, CFG80211_BSS_FTYPE_UNKNOWN, + bssid, timestamp, + cap_info_bitmap, beacon_period, +- ie_buf, ie_len, rssi, GFP_KERNEL); ++ ie_buf, ie_len, rssi, GFP_ATOMIC); + if (bss) { + bss_priv = (struct mwifiex_bss_priv *)bss->priv; + bss_priv->band = band; +-- +2.25.1 + diff --git a/queue-5.9/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch b/queue-5.9/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch new file mode 100644 index 00000000000..e382ea4d1bc --- /dev/null +++ b/queue-5.9/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch @@ -0,0 +1,54 @@ +From da16bbdb33b0cb29bbc0e6f881152438911c0970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 17:27:19 +0900 +Subject: mwifiex: don't call del_timer_sync() on uninitialized timer + +From: Tetsuo Handa + +[ Upstream commit 621a3a8b1c0ecf16e1e5667ea5756a76a082b738 ] + +syzbot is reporting that del_timer_sync() is called from +mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without +checking timer_setup() from mwifiex_usb_tx_init() was called [1]. + +Ganapathi Bhat proposed a possibly cleaner fix, but it seems that +that fix was forgotten [2]. + +"grep -FrB1 'del_timer' drivers/ | grep -FA1 '.function)'" says that +currently there are 28 locations which call del_timer[_sync]() only if +that timer's function field was initialized (because timer_setup() sets +that timer's function field). Therefore, let's use same approach here. + +[1] https://syzkaller.appspot.com/bug?id=26525f643f454dd7be0078423e3cdb0d57744959 +[2] https://lkml.kernel.org/r/CA+ASDXMHt2gq9Hy+iP_BYkWXsSreWdp3_bAfMkNcuqJ3K+-jbQ@mail.gmail.com + +Reported-by: syzbot +Cc: Ganapathi Bhat +Cc: Brian Norris +Signed-off-by: Tetsuo Handa +Reviewed-by: Brian Norris +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200821082720.7716-1-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c +index 6f3cfde4654cc..426e39d4ccf0f 100644 +--- a/drivers/net/wireless/marvell/mwifiex/usb.c ++++ b/drivers/net/wireless/marvell/mwifiex/usb.c +@@ -1353,7 +1353,8 @@ static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter) + skb_dequeue(&port->tx_aggr.aggr_list))) + mwifiex_write_data_complete(adapter, skb_tmp, + 0, -1); +- del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); ++ if (port->tx_aggr.timer_cnxt.hold_timer.function) ++ del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); + port->tx_aggr.timer_cnxt.is_hold_timer_set = false; + port->tx_aggr.timer_cnxt.hold_tmo_msecs = 0; + } +-- +2.25.1 + diff --git a/queue-5.9/mwifiex-fix-double-free.patch b/queue-5.9/mwifiex-fix-double-free.patch new file mode 100644 index 00000000000..6ea9313c41a --- /dev/null +++ b/queue-5.9/mwifiex-fix-double-free.patch @@ -0,0 +1,50 @@ +From 190f8f9f759f49b11b5f8984fff61cb5df851cdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 06:19:31 -0700 +Subject: mwifiex: fix double free + +From: Tom Rix + +[ Upstream commit 53708f4fd9cfe389beab5c8daa763bcd0e0b4aef ] + +clang static analysis reports this problem: + +sdio.c:2403:3: warning: Attempt to free released memory + kfree(card->mpa_rx.buf); + ^~~~~~~~~~~~~~~~~~~~~~~ + +When mwifiex_init_sdio() fails in its first call to +mwifiex_alloc_sdio_mpa_buffer, it falls back to calling it +again. If the second alloc of mpa_tx.buf fails, the error +handler will try to free the old, previously freed mpa_rx.buf. +Reviewing the code, it looks like a second double free would +happen with mwifiex_cleanup_sdio(). + +So set both pointers to NULL when they are freed. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Tom Rix +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201004131931.29782-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c +index a042965962a2d..1b6bee5465288 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sdio.c ++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c +@@ -1976,6 +1976,8 @@ static int mwifiex_alloc_sdio_mpa_buffers(struct mwifiex_adapter *adapter, + kfree(card->mpa_rx.buf); + card->mpa_tx.buf_size = 0; + card->mpa_rx.buf_size = 0; ++ card->mpa_tx.buf = NULL; ++ card->mpa_rx.buf = NULL; + } + + return ret; +-- +2.25.1 + diff --git a/queue-5.9/net-dsa-rtl8366-check-validity-of-passed-vlans.patch b/queue-5.9/net-dsa-rtl8366-check-validity-of-passed-vlans.patch new file mode 100644 index 00000000000..0c20b40e337 --- /dev/null +++ b/queue-5.9/net-dsa-rtl8366-check-validity-of-passed-vlans.patch @@ -0,0 +1,49 @@ +From 2386eb0669209a1d866aa39e21b647c87826bdba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 00:09:34 +0200 +Subject: net: dsa: rtl8366: Check validity of passed VLANs + +From: Linus Walleij + +[ Upstream commit 6641a2c42b0a307b7638d10e5d4b90debc61389d ] + +The rtl8366_set_vlan() and rtl8366_set_pvid() get invalid +VLANs tossed at it, especially VLAN0, something the hardware +and driver cannot handle. Check validity and bail out like +we do in the other callbacks. + +Reviewed-by: Florian Fainelli +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index a8c5a934c3d30..f75a660fcb620 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -43,6 +43,9 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + int ret; + int i; + ++ if (!smi->ops->is_vlan_valid(smi, vid)) ++ return -EINVAL; ++ + dev_dbg(smi->dev, + "setting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n", + vid, member, untag); +@@ -118,6 +121,9 @@ int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + int ret; + int i; + ++ if (!smi->ops->is_vlan_valid(smi, vid)) ++ return -EINVAL; ++ + /* Try to find an existing MC entry for this VID */ + for (i = 0; i < smi->num_vlan_mc; i++) { + ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +-- +2.25.1 + diff --git a/queue-5.9/net-dsa-rtl8366-refactor-vlan-pvid-init.patch b/queue-5.9/net-dsa-rtl8366-refactor-vlan-pvid-init.patch new file mode 100644 index 00000000000..c34beb511c2 --- /dev/null +++ b/queue-5.9/net-dsa-rtl8366-refactor-vlan-pvid-init.patch @@ -0,0 +1,398 @@ +From 16d895d8a443d35fe21100600293b43abb4007d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 00:09:35 +0200 +Subject: net: dsa: rtl8366: Refactor VLAN/PVID init + +From: Linus Walleij + +[ Upstream commit 7e1301ed1881447d2a25f9c6423738c33cbca133 ] + +The VLANs and PVIDs on the RTL8366 utilizes a "member +configuration" (MC) which is largely unexplained in the +code. + +This set-up requires a special ordering: rtl8366_set_pvid() +must be called first, followed by rtl8366_set_vlan(), +else the MC will not be properly allocated. Relax this +by factoring out the code obtaining an MC and reuse +the helper in both rtl8366_set_pvid() and +rtl8366_set_vlan() so we remove this strict ordering +requirement. + +In the process, add some better comments and debug prints +so people who read the code understand what is going on. + +Reviewed-by: Florian Fainelli +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek-smi-core.h | 4 +- + drivers/net/dsa/rtl8366.c | 273 +++++++++++++++-------------- + 2 files changed, 146 insertions(+), 131 deletions(-) + +diff --git a/drivers/net/dsa/realtek-smi-core.h b/drivers/net/dsa/realtek-smi-core.h +index 9a63b51e1d82f..6f2dab7e33d65 100644 +--- a/drivers/net/dsa/realtek-smi-core.h ++++ b/drivers/net/dsa/realtek-smi-core.h +@@ -25,6 +25,9 @@ struct rtl8366_mib_counter { + const char *name; + }; + ++/** ++ * struct rtl8366_vlan_mc - Virtual LAN member configuration ++ */ + struct rtl8366_vlan_mc { + u16 vid; + u16 untag; +@@ -119,7 +122,6 @@ int realtek_smi_setup_mdio(struct realtek_smi *smi); + int rtl8366_mc_is_used(struct realtek_smi *smi, int mc_index, int *used); + int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + u32 untag, u32 fid); +-int rtl8366_get_pvid(struct realtek_smi *smi, int port, int *val); + int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + unsigned int vid); + int rtl8366_enable_vlan4k(struct realtek_smi *smi, bool enable); +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index f75a660fcb620..bd3c947976ce0 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -36,12 +36,110 @@ int rtl8366_mc_is_used(struct realtek_smi *smi, int mc_index, int *used) + } + EXPORT_SYMBOL_GPL(rtl8366_mc_is_used); + ++/** ++ * rtl8366_obtain_mc() - retrieve or allocate a VLAN member configuration ++ * @smi: the Realtek SMI device instance ++ * @vid: the VLAN ID to look up or allocate ++ * @vlanmc: the pointer will be assigned to a pointer to a valid member config ++ * if successful ++ * @return: index of a new member config or negative error number ++ */ ++static int rtl8366_obtain_mc(struct realtek_smi *smi, int vid, ++ struct rtl8366_vlan_mc *vlanmc) ++{ ++ struct rtl8366_vlan_4k vlan4k; ++ int ret; ++ int i; ++ ++ /* Try to find an existing member config entry for this VID */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ ret = smi->ops->get_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "error searching for VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ if (vid == vlanmc->vid) ++ return i; ++ } ++ ++ /* We have no MC entry for this VID, try to find an empty one */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ ret = smi->ops->get_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "error searching for VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ if (vlanmc->vid == 0 && vlanmc->member == 0) { ++ /* Update the entry from the 4K table */ ++ ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); ++ if (ret) { ++ dev_err(smi->dev, "error looking for 4K VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ vlanmc->vid = vid; ++ vlanmc->member = vlan4k.member; ++ vlanmc->untag = vlan4k.untag; ++ vlanmc->fid = vlan4k.fid; ++ ret = smi->ops->set_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "unable to set/update VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ dev_dbg(smi->dev, "created new MC at index %d for VID %d\n", ++ i, vid); ++ return i; ++ } ++ } ++ ++ /* MC table is full, try to find an unused entry and replace it */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ int used; ++ ++ ret = rtl8366_mc_is_used(smi, i, &used); ++ if (ret) ++ return ret; ++ ++ if (!used) { ++ /* Update the entry from the 4K table */ ++ ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); ++ if (ret) ++ return ret; ++ ++ vlanmc->vid = vid; ++ vlanmc->member = vlan4k.member; ++ vlanmc->untag = vlan4k.untag; ++ vlanmc->fid = vlan4k.fid; ++ ret = smi->ops->set_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "unable to set/update VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ dev_dbg(smi->dev, "recycled MC at index %i for VID %d\n", ++ i, vid); ++ return i; ++ } ++ } ++ ++ dev_err(smi->dev, "all VLAN member configurations are in use\n"); ++ return -ENOSPC; ++} ++ + int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + u32 untag, u32 fid) + { ++ struct rtl8366_vlan_mc vlanmc; + struct rtl8366_vlan_4k vlan4k; ++ int mc; + int ret; +- int i; + + if (!smi->ops->is_vlan_valid(smi, vid)) + return -EINVAL; +@@ -66,136 +164,58 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + "resulting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n", + vid, vlan4k.member, vlan4k.untag); + +- /* Try to find an existing MC entry for this VID */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- struct rtl8366_vlan_mc vlanmc; +- +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vid == vlanmc.vid) { +- /* update the MC entry */ +- vlanmc.member |= member; +- vlanmc.untag |= untag; +- vlanmc.fid = fid; +- +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); ++ /* Find or allocate a member config for this VID */ ++ ret = rtl8366_obtain_mc(smi, vid, &vlanmc); ++ if (ret < 0) ++ return ret; ++ mc = ret; + +- dev_dbg(smi->dev, +- "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n", +- vid, vlanmc.member, vlanmc.untag); ++ /* Update the MC entry */ ++ vlanmc.member |= member; ++ vlanmc.untag |= untag; ++ vlanmc.fid = fid; + +- break; +- } +- } ++ /* Commit updates to the MC entry */ ++ ret = smi->ops->set_vlan_mc(smi, mc, &vlanmc); ++ if (ret) ++ dev_err(smi->dev, "failed to commit changes to VLAN MC index %d for VID %d\n", ++ mc, vid); ++ else ++ dev_dbg(smi->dev, ++ "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n", ++ vid, vlanmc.member, vlanmc.untag); + + return ret; + } + EXPORT_SYMBOL_GPL(rtl8366_set_vlan); + +-int rtl8366_get_pvid(struct realtek_smi *smi, int port, int *val) +-{ +- struct rtl8366_vlan_mc vlanmc; +- int ret; +- int index; +- +- ret = smi->ops->get_mc_index(smi, port, &index); +- if (ret) +- return ret; +- +- ret = smi->ops->get_vlan_mc(smi, index, &vlanmc); +- if (ret) +- return ret; +- +- *val = vlanmc.vid; +- return 0; +-} +-EXPORT_SYMBOL_GPL(rtl8366_get_pvid); +- + int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + unsigned int vid) + { + struct rtl8366_vlan_mc vlanmc; +- struct rtl8366_vlan_4k vlan4k; ++ int mc; + int ret; +- int i; + + if (!smi->ops->is_vlan_valid(smi, vid)) + return -EINVAL; + +- /* Try to find an existing MC entry for this VID */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vid == vlanmc.vid) { +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } +- } +- +- /* We have no MC entry for this VID, try to find an empty one */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vlanmc.vid == 0 && vlanmc.member == 0) { +- /* Update the entry from the 4K table */ +- ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); +- if (ret) +- return ret; +- +- vlanmc.vid = vid; +- vlanmc.member = vlan4k.member; +- vlanmc.untag = vlan4k.untag; +- vlanmc.fid = vlan4k.fid; +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } +- } +- +- /* MC table is full, try to find an unused entry and replace it */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- int used; +- +- ret = rtl8366_mc_is_used(smi, i, &used); +- if (ret) +- return ret; +- +- if (!used) { +- /* Update the entry from the 4K table */ +- ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); +- if (ret) +- return ret; +- +- vlanmc.vid = vid; +- vlanmc.member = vlan4k.member; +- vlanmc.untag = vlan4k.untag; +- vlanmc.fid = vlan4k.fid; +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; ++ /* Find or allocate a member config for this VID */ ++ ret = rtl8366_obtain_mc(smi, vid, &vlanmc); ++ if (ret < 0) ++ return ret; ++ mc = ret; + +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } ++ ret = smi->ops->set_mc_index(smi, port, mc); ++ if (ret) { ++ dev_err(smi->dev, "set PVID: failed to set MC index %d for port %d\n", ++ mc, port); ++ return ret; + } + +- dev_err(smi->dev, +- "all VLAN member configurations are in use\n"); ++ dev_dbg(smi->dev, "set PVID: the PVID for port %d set to %d using existing MC index %d\n", ++ port, vid, mc); + +- return -ENOSPC; ++ return 0; + } + EXPORT_SYMBOL_GPL(rtl8366_set_pvid); + +@@ -395,7 +415,8 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + if (!smi->ops->is_vlan_valid(smi, vid)) + return; + +- dev_info(smi->dev, "add VLAN on port %d, %s, %s\n", ++ dev_info(smi->dev, "add VLAN %d on port %d, %s, %s\n", ++ vlan->vid_begin, + port, + untagged ? "untagged" : "tagged", + pvid ? " PVID" : "no PVID"); +@@ -404,34 +425,26 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + dev_err(smi->dev, "port is DSA or CPU port\n"); + + for (vid = vlan->vid_begin; vid <= vlan->vid_end; vid++) { +- int pvid_val = 0; +- +- dev_info(smi->dev, "add VLAN %04x\n", vid); + member |= BIT(port); + + if (untagged) + untag |= BIT(port); + +- /* To ensure that we have a valid MC entry for this VLAN, +- * initialize the port VLAN ID here. +- */ +- ret = rtl8366_get_pvid(smi, port, &pvid_val); +- if (ret < 0) { +- dev_err(smi->dev, "could not lookup PVID for port %d\n", +- port); +- return; +- } +- if (pvid_val == 0) { +- ret = rtl8366_set_pvid(smi, port, vid); +- if (ret < 0) +- return; +- } +- + ret = rtl8366_set_vlan(smi, vid, member, untag, 0); + if (ret) + dev_err(smi->dev, + "failed to set up VLAN %04x", + vid); ++ ++ ret = rtl8366_set_pvid(smi, port, vid); ++ if (ret) ++ dev_err(smi->dev, ++ "failed to set PVID on port %d to VLAN %04x", ++ port, vid); ++ ++ if (!ret) ++ dev_dbg(smi->dev, "VLAN add: added VLAN %d with PVID on port %d\n", ++ vid, port); + } + } + EXPORT_SYMBOL_GPL(rtl8366_vlan_add); +-- +2.25.1 + diff --git a/queue-5.9/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch b/queue-5.9/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch new file mode 100644 index 00000000000..9624ddf5a47 --- /dev/null +++ b/queue-5.9/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch @@ -0,0 +1,38 @@ +From 91a95b4cee6086eb1b98f2b532c54cf8b7ad218b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 00:29:54 +0200 +Subject: net: dsa: rtl8366: Skip PVID setting if not requested + +From: Linus Walleij + +[ Upstream commit 3dfe8dde093a07e82fa472c0f8c29a7f6a2006a5 ] + +We go to lengths to determine whether the PVID should be set +for this port or not, and then fail to take it into account. +Fix this oversight. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index bd3c947976ce0..c58ca324a4b24 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -436,6 +436,9 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + "failed to set up VLAN %04x", + vid); + ++ if (!pvid) ++ continue; ++ + ret = rtl8366_set_pvid(smi, port, vid); + if (ret) + dev_err(smi->dev, +-- +2.25.1 + diff --git a/queue-5.9/net-dsa-rtl8366rb-support-all-4096-vlans.patch b/queue-5.9/net-dsa-rtl8366rb-support-all-4096-vlans.patch new file mode 100644 index 00000000000..cf3dffbd125 --- /dev/null +++ b/queue-5.9/net-dsa-rtl8366rb-support-all-4096-vlans.patch @@ -0,0 +1,38 @@ +From 087bbef6e8fe0bb766843595f92ea6bce4514360 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 22:37:33 +0200 +Subject: net: dsa: rtl8366rb: Support all 4096 VLANs + +From: Linus Walleij + +[ Upstream commit a7920efdd86d8a0d74402dbc80ead03b023294ba ] + +There is an off-by-one error in rtl8366rb_is_vlan_valid() +making VLANs 0..4094 valid while it should be 1..4095. +Fix it. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366rb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/rtl8366rb.c b/drivers/net/dsa/rtl8366rb.c +index 48f1ff7467999..5cfffa7559c7c 100644 +--- a/drivers/net/dsa/rtl8366rb.c ++++ b/drivers/net/dsa/rtl8366rb.c +@@ -1255,7 +1255,7 @@ static bool rtl8366rb_is_vlan_valid(struct realtek_smi *smi, unsigned int vlan) + if (smi->vlan4k_enabled) + max = RTL8366RB_NUM_VIDS - 1; + +- if (vlan == 0 || vlan >= max) ++ if (vlan == 0 || vlan > max) + return false; + + return true; +-- +2.25.1 + diff --git a/queue-5.9/net-dsa-seville-the-packet-buffer-is-2-megabits-not-.patch b/queue-5.9/net-dsa-seville-the-packet-buffer-is-2-megabits-not-.patch new file mode 100644 index 00000000000..0df175c0c41 --- /dev/null +++ b/queue-5.9/net-dsa-seville-the-packet-buffer-is-2-megabits-not-.patch @@ -0,0 +1,39 @@ +From 9f17700e7b6d46ce50abbed1f83043de0b4653f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 08:06:25 +0300 +Subject: net: dsa: seville: the packet buffer is 2 megabits, not megabytes + +From: Maxim Kochetkov + +[ Upstream commit a15a6afb3bf9388eb83a4b876d3453f305fba909 ] + +The VSC9953 Seville switch has 2 megabits of buffer split into 4360 +words of 60 bytes each. 2048 * 1024 is 2 megabytes instead of 2 megabits. +2 megabits is (2048 / 8) * 1024 = 256 * 1024. + +Signed-off-by: Maxim Kochetkov +Reviewed-by: Vladimir Oltean +Fixes: a63ed92d217f ("net: dsa: seville: fix buffer size of the queue system") +Link: https://lore.kernel.org/r/20201019050625.21533-1-fido_max@inbox.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/ocelot/seville_vsc9953.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/ocelot/seville_vsc9953.c b/drivers/net/dsa/ocelot/seville_vsc9953.c +index 9e9fd19e1d00c..e2cd49eec0370 100644 +--- a/drivers/net/dsa/ocelot/seville_vsc9953.c ++++ b/drivers/net/dsa/ocelot/seville_vsc9953.c +@@ -1010,7 +1010,7 @@ static const struct felix_info seville_info_vsc9953 = { + .vcap_is2_keys = vsc9953_vcap_is2_keys, + .vcap_is2_actions = vsc9953_vcap_is2_actions, + .vcap = vsc9953_vcap_props, +- .shared_queue_sz = 2048 * 1024, ++ .shared_queue_sz = 256 * 1024, + .num_mact_rows = 2048, + .num_ports = 10, + .mdio_bus_alloc = vsc9953_mdio_bus_alloc, +-- +2.25.1 + diff --git a/queue-5.9/net-enic-cure-the-enic-api-locking-trainwreck.patch b/queue-5.9/net-enic-cure-the-enic-api-locking-trainwreck.patch new file mode 100644 index 00000000000..22fac692dd7 --- /dev/null +++ b/queue-5.9/net-enic-cure-the-enic-api-locking-trainwreck.patch @@ -0,0 +1,157 @@ +From 717c4f1d1cb309ec9c36a013c947b274c8c64c90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 22:25:10 +0200 +Subject: net: enic: Cure the enic api locking trainwreck + +From: Thomas Gleixner + +[ Upstream commit a53b59ece86c86d16d12ccdaa1ad0c78250a9d96 ] + +enic_dev_wait() has a BUG_ON(in_interrupt()). + +Chasing the callers of enic_dev_wait() revealed the gems of enic_reset() +and enic_tx_hang_reset() which are both invoked through work queues in +order to be able to call rtnl_lock(). So far so good. + +After locking rtnl both functions acquire enic::enic_api_lock which +serializes against the (ab)use from infiniband. This is where the +trainwreck starts. + +enic::enic_api_lock is a spin_lock() which implicitly disables preemption, +but both functions invoke a ton of functions under that lock which can +sleep. The BUG_ON(in_interrupt()) does not trigger in that case because it +can't detect the preempt disabled condition. + +This clearly has never been tested with any of the mandatory debug options +for 7+ years, which would have caught that for sure. + +Cure it by adding a enic_api_busy member to struct enic, which is modified +and evaluated with enic::enic_api_lock held. + +If enic_api_devcmd_proxy_by_index() observes enic::enic_api_busy as true, +it drops enic::enic_api_lock and busy waits for enic::enic_api_busy to +become false. + +It would be smarter to wait for a completion of that busy period, but +enic_api_devcmd_proxy_by_index() is called with other spin locks held which +obviously can't sleep. + +Remove the BUG_ON(in_interrupt()) check as well because it's incomplete and +with proper debugging enabled the problem would have been caught from the +debug checks in schedule_timeout(). + +Fixes: 0b038566c0ea ("drivers/net: enic: Add an interface for USNIC to interact with firmware") +Signed-off-by: Thomas Gleixner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic.h | 1 + + drivers/net/ethernet/cisco/enic/enic_api.c | 6 +++++ + drivers/net/ethernet/cisco/enic/enic_main.c | 27 ++++++++++++++++----- + 3 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h +index 18f3aeb88f22a..c67a16a48d624 100644 +--- a/drivers/net/ethernet/cisco/enic/enic.h ++++ b/drivers/net/ethernet/cisco/enic/enic.h +@@ -169,6 +169,7 @@ struct enic { + u16 num_vfs; + #endif + spinlock_t enic_api_lock; ++ bool enic_api_busy; + struct enic_port_profile *pp; + + /* work queue cache line section */ +diff --git a/drivers/net/ethernet/cisco/enic/enic_api.c b/drivers/net/ethernet/cisco/enic/enic_api.c +index b161f24522b87..b028ea2dec2b9 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_api.c ++++ b/drivers/net/ethernet/cisco/enic/enic_api.c +@@ -34,6 +34,12 @@ int enic_api_devcmd_proxy_by_index(struct net_device *netdev, int vf, + struct vnic_dev *vdev = enic->vdev; + + spin_lock(&enic->enic_api_lock); ++ while (enic->enic_api_busy) { ++ spin_unlock(&enic->enic_api_lock); ++ cpu_relax(); ++ spin_lock(&enic->enic_api_lock); ++ } ++ + spin_lock_bh(&enic->devcmd_lock); + + vnic_dev_cmd_proxy_by_index_start(vdev, vf); +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 552d89fdf54a5..988c0a72e6836 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2106,8 +2106,6 @@ static int enic_dev_wait(struct vnic_dev *vdev, + int done; + int err; + +- BUG_ON(in_interrupt()); +- + err = start(vdev, arg); + if (err) + return err; +@@ -2295,6 +2293,13 @@ static int enic_set_rss_nic_cfg(struct enic *enic) + rss_hash_bits, rss_base_cpu, rss_enable); + } + ++static void enic_set_api_busy(struct enic *enic, bool busy) ++{ ++ spin_lock(&enic->enic_api_lock); ++ enic->enic_api_busy = busy; ++ spin_unlock(&enic->enic_api_lock); ++} ++ + static void enic_reset(struct work_struct *work) + { + struct enic *enic = container_of(work, struct enic, reset); +@@ -2304,7 +2309,9 @@ static void enic_reset(struct work_struct *work) + + rtnl_lock(); + +- spin_lock(&enic->enic_api_lock); ++ /* Stop any activity from infiniband */ ++ enic_set_api_busy(enic, true); ++ + enic_stop(enic->netdev); + enic_dev_soft_reset(enic); + enic_reset_addr_lists(enic); +@@ -2312,7 +2319,10 @@ static void enic_reset(struct work_struct *work) + enic_set_rss_nic_cfg(enic); + enic_dev_set_ig_vlan_rewrite_mode(enic); + enic_open(enic->netdev); +- spin_unlock(&enic->enic_api_lock); ++ ++ /* Allow infiniband to fiddle with the device again */ ++ enic_set_api_busy(enic, false); ++ + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev); + + rtnl_unlock(); +@@ -2324,7 +2334,9 @@ static void enic_tx_hang_reset(struct work_struct *work) + + rtnl_lock(); + +- spin_lock(&enic->enic_api_lock); ++ /* Stop any activity from infiniband */ ++ enic_set_api_busy(enic, true); ++ + enic_dev_hang_notify(enic); + enic_stop(enic->netdev); + enic_dev_hang_reset(enic); +@@ -2333,7 +2345,10 @@ static void enic_tx_hang_reset(struct work_struct *work) + enic_set_rss_nic_cfg(enic); + enic_dev_set_ig_vlan_rewrite_mode(enic); + enic_open(enic->netdev); +- spin_unlock(&enic->enic_api_lock); ++ ++ /* Allow infiniband to fiddle with the device again */ ++ enic_set_api_busy(enic, false); ++ + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev); + + rtnl_unlock(); +-- +2.25.1 + diff --git a/queue-5.9/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch b/queue-5.9/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch new file mode 100644 index 00000000000..bb2dc89d9a7 --- /dev/null +++ b/queue-5.9/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch @@ -0,0 +1,49 @@ +From 928f20b921761543f61c2eacc93ad3cf28cd33cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 15:52:53 +0200 +Subject: net: fec: Fix PHY init after phy_reset_after_clk_enable() + +From: Marek Vasut + +[ Upstream commit 0da1ccbbefb662915228bc17e1c7d4ad28b3ddab ] + +The phy_reset_after_clk_enable() does a PHY reset, which means the PHY +loses its register settings. The fec_enet_mii_probe() starts the PHY +and does the necessary calls to configure the PHY via PHY framework, +and loads the correct register settings into the PHY. Therefore, +fec_enet_mii_probe() should be called only after the PHY has been +reset, not before as it is now. + +Fixes: 1b0a83ac04e3 ("net: fec: add phy_reset_after_clk_enable() support") +Reviewed-by: Andrew Lunn +Tested-by: Richard Leitner +Signed-off-by: Marek Vasut +Cc: Christoph Niedermaier +Cc: David S. Miller +Cc: NXP Linux Team +Cc: Shawn Guo +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 31f60b542feb4..933f4a6822547 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3016,6 +3016,11 @@ fec_enet_open(struct net_device *ndev) + if (ret) + goto err_enet_mii_probe; + ++ /* Probe and connect to PHY when open the interface */ ++ ret = fec_enet_mii_probe(ndev); ++ if (ret) ++ goto err_enet_mii_probe; ++ + if (fep->quirks & FEC_QUIRK_ERR006687) + imx6q_cpuidle_fec_irqs_used(); + +-- +2.25.1 + diff --git a/queue-5.9/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch b/queue-5.9/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch new file mode 100644 index 00000000000..2d43a685ab2 --- /dev/null +++ b/queue-5.9/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch @@ -0,0 +1,46 @@ +From b351c8546706ff7ef35f908765741a4f7f2e554c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 00:03:29 +0200 +Subject: net: korina: fix kfree of rx/tx descriptor array + +From: Valentin Vidic + +[ Upstream commit 3af5f0f5c74ecbaf757ef06c3f80d56751277637 ] + +kmalloc returns KSEG0 addresses so convert back from KSEG1 +in kfree. Also make sure array is freed when the driver is +unloaded from the kernel. + +Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC") +Signed-off-by: Valentin Vidic +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/korina.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index 03e034918d147..af441d699a57a 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -1113,7 +1113,7 @@ static int korina_probe(struct platform_device *pdev) + return rc; + + probe_err_register: +- kfree(lp->td_ring); ++ kfree(KSEG0ADDR(lp->td_ring)); + probe_err_td_ring: + iounmap(lp->tx_dma_regs); + probe_err_dma_tx: +@@ -1133,6 +1133,7 @@ static int korina_remove(struct platform_device *pdev) + iounmap(lp->eth_regs); + iounmap(lp->rx_dma_regs); + iounmap(lp->tx_dma_regs); ++ kfree(KSEG0ADDR(lp->td_ring)); + + unregister_netdev(bif->dev); + free_netdev(bif->dev); +-- +2.25.1 + diff --git a/queue-5.9/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch b/queue-5.9/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch new file mode 100644 index 00000000000..95e78c56871 --- /dev/null +++ b/queue-5.9/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch @@ -0,0 +1,38 @@ +From b2720af31d68b0a5ef0b2eb94b91f41aacc48d99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 12:07:10 +0300 +Subject: net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow + +From: Eran Ben Elisha + +[ Upstream commit 0d2ffdc8d4002a62de31ff7aa3bef28c843c3cbe ] + +Before calling timecounter_cyc2time(), clock->lock must be taken. +Use mlx5_timecounter_cyc2time instead which guarantees a safe access. + +Fixes: afc98a0b46d8 ("net/mlx5: Update ptp_clock_event foreach PPS event") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +index 2d55b7c22c034..4e7cfa22b3d2f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +@@ -550,8 +550,9 @@ static int mlx5_pps_event(struct notifier_block *nb, + switch (clock->ptp_info.pin_config[pin].func) { + case PTP_PF_EXTTS: + ptp_event.index = pin; +- ptp_event.timestamp = timecounter_cyc2time(&clock->tc, +- be64_to_cpu(eqe->data.pps.time_stamp)); ++ ptp_event.timestamp = ++ mlx5_timecounter_cyc2time(clock, ++ be64_to_cpu(eqe->data.pps.time_stamp)); + if (clock->pps_info.enabled) { + ptp_event.type = PTP_CLOCK_PPSUSR; + ptp_event.pps_times.ts_real = +-- +2.25.1 + diff --git a/queue-5.9/net-mlx5-fix-uninitialized-variable-warning.patch b/queue-5.9/net-mlx5-fix-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..268fe6230e1 --- /dev/null +++ b/queue-5.9/net-mlx5-fix-uninitialized-variable-warning.patch @@ -0,0 +1,38 @@ +From 56077ab841c01bc53622a2b0b873231f6dc2e22a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 14:59:30 +0300 +Subject: net/mlx5: Fix uninitialized variable warning + +From: Moshe Tal + +[ Upstream commit 19f5b63bc9932d51292d72c9dc3ec95e5dfa2289 ] + +Add variable initialization to eliminate the warning +"variable may be used uninitialized". + +Fixes: 5f29458b77d5 ("net/mlx5e: Support dump callback in TX reporter") +Signed-off-by: Moshe Tal +Reviewed-by: Aya Levin +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/health.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/health.c b/drivers/net/ethernet/mellanox/mlx5/core/en/health.c +index 3dc200bcfabde..69a05da0e3e3d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/health.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/health.c +@@ -242,8 +242,8 @@ static int mlx5e_health_rsc_fmsg_binary(struct devlink_fmsg *fmsg, + + { + u32 data_size; ++ int err = 0; + u32 offset; +- int err; + + for (offset = 0; offset < value_len; offset += data_size) { + data_size = value_len - offset; +-- +2.25.1 + diff --git a/queue-5.9/net-mlx5e-ipsec-use-kvfree-for-memory-allocated-with.patch b/queue-5.9/net-mlx5e-ipsec-use-kvfree-for-memory-allocated-with.patch new file mode 100644 index 00000000000..2bb4c2807e2 --- /dev/null +++ b/queue-5.9/net-mlx5e-ipsec-use-kvfree-for-memory-allocated-with.patch @@ -0,0 +1,39 @@ +From 91afb55d2167407ee03592d056e8d5962cd60d59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 19:23:44 +0300 +Subject: net/mlx5e: IPsec: Use kvfree() for memory allocated with kvzalloc() + +From: Denis Efremov + +[ Upstream commit 22db4c24452a6681c7e99c6a06b38b5418395bec ] + +Variables flow_group_in, spec in rx_fs_create() are allocated with +kvzalloc(). It's incorrect to free them with kfree(). Use kvfree() +instead. + +Fixes: 5e466345291a ("net/mlx5e: IPsec: Add IPsec steering in local NIC RX") +Signed-off-by: Denis Efremov +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +index 429428bbc903c..b974f3cd10058 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +@@ -228,8 +228,8 @@ static int rx_fs_create(struct mlx5e_priv *priv, + fs_prot->miss_rule = miss_rule; + + out: +- kfree(flow_group_in); +- kfree(spec); ++ kvfree(flow_group_in); ++ kvfree(spec); + return err; + } + +-- +2.25.1 + diff --git a/queue-5.9/net-stmmac-fix-incorrect-location-to-set-real_num_rx.patch b/queue-5.9/net-stmmac-fix-incorrect-location-to-set-real_num_rx.patch new file mode 100644 index 00000000000..e485d0ec6e0 --- /dev/null +++ b/queue-5.9/net-stmmac-fix-incorrect-location-to-set-real_num_rx.patch @@ -0,0 +1,53 @@ +From 08668c3933aae6b33d467f382e6cd6413ced9121 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:28:39 +0800 +Subject: net: stmmac: Fix incorrect location to set real_num_rx|tx_queues + +From: Aashish Verma + +[ Upstream commit 686cff3d7022ddf35d7e38bc80191eb92de5989a ] + +netif_set_real_num_tx_queues() & netif_set_real_num_rx_queues() should be +used to inform network stack about the real Tx & Rx queue (active) number +in both stmmac_open() and stmmac_resume(), therefore, we move the code +from stmmac_dvr_probe() to stmmac_hw_setup(). + +Fixes: c02b7a914551 net: stmmac: use netif_set_real_num_{rx,tx}_queues + +Signed-off-by: Aashish Verma +Signed-off-by: Ong Boon Leong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index b56b13d64ab48..1af25da4461da 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2740,6 +2740,10 @@ static int stmmac_hw_setup(struct net_device *dev, bool init_ptp) + stmmac_enable_tbs(priv, priv->ioaddr, enable, chan); + } + ++ /* Configure real RX and TX queues */ ++ netif_set_real_num_rx_queues(dev, priv->plat->rx_queues_to_use); ++ netif_set_real_num_tx_queues(dev, priv->plat->tx_queues_to_use); ++ + /* Start the ball rolling... */ + stmmac_start_all_dma(priv); + +@@ -4827,10 +4831,6 @@ int stmmac_dvr_probe(struct device *device, + + stmmac_check_ether_addr(priv); + +- /* Configure real RX and TX queues */ +- netif_set_real_num_rx_queues(ndev, priv->plat->rx_queues_to_use); +- netif_set_real_num_tx_queues(ndev, priv->plat->tx_queues_to_use); +- + ndev->netdev_ops = &stmmac_netdev_ops; + + ndev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | +-- +2.25.1 + diff --git a/queue-5.9/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch b/queue-5.9/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch new file mode 100644 index 00000000000..b978abf0931 --- /dev/null +++ b/queue-5.9/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch @@ -0,0 +1,101 @@ +From 86f99dfd48943161fd25878b0b3d753377d0c657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:28:40 +0800 +Subject: net: stmmac: use netif_tx_start|stop_all_queues() function + +From: Ong Boon Leong + +[ Upstream commit 9f19306d166688a73356aa636c62e698bf2063cc ] + +The current implementation of stmmac_stop_all_queues() and +stmmac_start_all_queues() will not work correctly when the value of +tx_queues_to_use is changed through ethtool -L DEVNAME rx N tx M command. + +Also, netif_tx_start|stop_all_queues() are only needed in driver open() +and close() only. + +Fixes: c22a3f48 net: stmmac: adding multiple napi mechanism + +Signed-off-by: Ong Boon Leong +Signed-off-by: Voon Weifeng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 33 +------------------ + 1 file changed, 1 insertion(+), 32 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 1af25da4461da..122a0697229af 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -176,32 +176,6 @@ static void stmmac_enable_all_queues(struct stmmac_priv *priv) + } + } + +-/** +- * stmmac_stop_all_queues - Stop all queues +- * @priv: driver private structure +- */ +-static void stmmac_stop_all_queues(struct stmmac_priv *priv) +-{ +- u32 tx_queues_cnt = priv->plat->tx_queues_to_use; +- u32 queue; +- +- for (queue = 0; queue < tx_queues_cnt; queue++) +- netif_tx_stop_queue(netdev_get_tx_queue(priv->dev, queue)); +-} +- +-/** +- * stmmac_start_all_queues - Start all queues +- * @priv: driver private structure +- */ +-static void stmmac_start_all_queues(struct stmmac_priv *priv) +-{ +- u32 tx_queues_cnt = priv->plat->tx_queues_to_use; +- u32 queue; +- +- for (queue = 0; queue < tx_queues_cnt; queue++) +- netif_tx_start_queue(netdev_get_tx_queue(priv->dev, queue)); +-} +- + static void stmmac_service_event_schedule(struct stmmac_priv *priv) + { + if (!test_bit(STMMAC_DOWN, &priv->state) && +@@ -2872,7 +2846,7 @@ static int stmmac_open(struct net_device *dev) + } + + stmmac_enable_all_queues(priv); +- stmmac_start_all_queues(priv); ++ netif_tx_start_all_queues(priv->dev); + + return 0; + +@@ -2915,8 +2889,6 @@ static int stmmac_release(struct net_device *dev) + phylink_stop(priv->phylink); + phylink_disconnect_phy(priv->phylink); + +- stmmac_stop_all_queues(priv); +- + stmmac_disable_all_queues(priv); + + for (chan = 0; chan < priv->plat->tx_queues_to_use; chan++) +@@ -5086,7 +5058,6 @@ int stmmac_suspend(struct device *dev) + mutex_lock(&priv->lock); + + netif_device_detach(ndev); +- stmmac_stop_all_queues(priv); + + stmmac_disable_all_queues(priv); + +@@ -5213,8 +5184,6 @@ int stmmac_resume(struct device *dev) + + stmmac_enable_all_queues(priv); + +- stmmac_start_all_queues(priv); +- + mutex_unlock(&priv->lock); + + if (!device_may_wakeup(priv->device) || !priv->plat->pmt) { +-- +2.25.1 + diff --git a/queue-5.9/net-wilc1000-clean-up-resource-in-error-path-of-init.patch b/queue-5.9/net-wilc1000-clean-up-resource-in-error-path-of-init.patch new file mode 100644 index 00000000000..df3f98ee212 --- /dev/null +++ b/queue-5.9/net-wilc1000-clean-up-resource-in-error-path-of-init.patch @@ -0,0 +1,44 @@ +From 8a856398512ebc7c492b3fb258d1ffe403aeb347 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 08:30:19 -0400 +Subject: net: wilc1000: clean up resource in error path of init mon interface + +From: Huang Guobin + +[ Upstream commit 55bd149978679742374c800e56e8f6bc74378bbe ] + +The wilc_wfi_init_mon_int() forgets to clean up resource when +register_netdevice() failed. Add the missed call to fix it. +And the return value of netdev_priv can't be NULL, so remove +the unnecessary error handling. + +Fixes: 588713006ea4 ("staging: wilc1000: avoid the use of 'wilc_wfi_mon' static variable") +Reported-by: Hulk Robot +Signed-off-by: Huang Guobin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200917123019.206382-1-huangguobin4@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/microchip/wilc1000/mon.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/mon.c b/drivers/net/wireless/microchip/wilc1000/mon.c +index 358ac86013338..b5a1b65c087ca 100644 +--- a/drivers/net/wireless/microchip/wilc1000/mon.c ++++ b/drivers/net/wireless/microchip/wilc1000/mon.c +@@ -235,11 +235,10 @@ struct net_device *wilc_wfi_init_mon_interface(struct wilc *wl, + + if (register_netdevice(wl->monitor_dev)) { + netdev_err(real_dev, "register_netdevice failed\n"); ++ free_netdev(wl->monitor_dev); + return NULL; + } + priv = netdev_priv(wl->monitor_dev); +- if (!priv) +- return NULL; + + priv->real_ndev = real_dev; + +-- +2.25.1 + diff --git a/queue-5.9/netfilter-conntrack-connection-timeout-after-re-regi.patch b/queue-5.9/netfilter-conntrack-connection-timeout-after-re-regi.patch new file mode 100644 index 00000000000..4cf2a161cc6 --- /dev/null +++ b/queue-5.9/netfilter-conntrack-connection-timeout-after-re-regi.patch @@ -0,0 +1,64 @@ +From 51686c6aa28ce443b7c5c493f1f2a1d7ffa32e58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 12:32:52 -0700 +Subject: netfilter: conntrack: connection timeout after re-register + +From: Francesco Ruggeri + +[ Upstream commit 4f25434bccc28cf8a07876ef5142a2869a674353 ] + +If the first packet conntrack sees after a re-register is an outgoing +keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to +SND.NXT-1. +When the peer correctly acknowledges SND.NXT, tcp_in_window fails +check III (Upper bound for valid (s)ack: sack <= receiver.td_end) and +returns false, which cascades into nf_conntrack_in setting +skb->_nfct = 0 and in later conntrack iptables rules not matching. +In cases where iptables are dropping packets that do not match +conntrack rules this can result in idle tcp connections to time out. + +v2: adjust td_end when getting the reply rather than when sending out + the keepalive packet. + +Fixes: f94e63801ab2 ("netfilter: conntrack: reset tcp maxwin on re-register") +Signed-off-by: Francesco Ruggeri +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_tcp.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index e8c86ee4c1c48..c8fb2187ad4b2 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -541,13 +541,20 @@ static bool tcp_in_window(const struct nf_conn *ct, + swin = win << sender->td_scale; + sender->td_maxwin = (swin == 0 ? 1 : swin); + sender->td_maxend = end + sender->td_maxwin; +- /* +- * We haven't seen traffic in the other direction yet +- * but we have to tweak window tracking to pass III +- * and IV until that happens. +- */ +- if (receiver->td_maxwin == 0) ++ if (receiver->td_maxwin == 0) { ++ /* We haven't seen traffic in the other ++ * direction yet but we have to tweak window ++ * tracking to pass III and IV until that ++ * happens. ++ */ + receiver->td_end = receiver->td_maxend = sack; ++ } else if (sack == receiver->td_end + 1) { ++ /* Likely a reply to a keepalive. ++ * Needed for III. ++ */ ++ receiver->td_end++; ++ } ++ + } + } else if (((state->state == TCP_CONNTRACK_SYN_SENT + && dir == IP_CT_DIR_ORIGINAL) +-- +2.25.1 + diff --git a/queue-5.9/netfilter-ebtables-fixes-dropping-of-small-packets-i.patch b/queue-5.9/netfilter-ebtables-fixes-dropping-of-small-packets-i.patch new file mode 100644 index 00000000000..4c6394fdd5a --- /dev/null +++ b/queue-5.9/netfilter-ebtables-fixes-dropping-of-small-packets-i.patch @@ -0,0 +1,70 @@ +From 71b90935642274c262f11e30568fa1bc8bc2c2b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 12:36:15 +0000 +Subject: netfilter: ebtables: Fixes dropping of small packets in bridge nat +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timothée COCAULT + +[ Upstream commit 63137bc5882a1882c553d389fdeeeace86ee1741 ] + +Fixes an error causing small packets to get dropped. skb_ensure_writable +expects the second parameter to be a length in the ethernet payload.=20 +If we want to write the ethernet header (src, dst), we should pass 0. +Otherwise, packets with small payloads (< ETH_ALEN) will get dropped. + +Fixes: c1a831167901 ("netfilter: bridge: convert skb_make_writable to skb_ensure_writable") +Signed-off-by: Timothée COCAULT +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebt_dnat.c | 2 +- + net/bridge/netfilter/ebt_redirect.c | 2 +- + net/bridge/netfilter/ebt_snat.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c +index 12a4f4d936810..3fda71a8579d1 100644 +--- a/net/bridge/netfilter/ebt_dnat.c ++++ b/net/bridge/netfilter/ebt_dnat.c +@@ -21,7 +21,7 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par) + { + const struct ebt_nat_info *info = par->targinfo; + +- if (skb_ensure_writable(skb, ETH_ALEN)) ++ if (skb_ensure_writable(skb, 0)) + return EBT_DROP; + + ether_addr_copy(eth_hdr(skb)->h_dest, info->mac); +diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c +index 0cad62a4052b9..307790562b492 100644 +--- a/net/bridge/netfilter/ebt_redirect.c ++++ b/net/bridge/netfilter/ebt_redirect.c +@@ -21,7 +21,7 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par) + { + const struct ebt_redirect_info *info = par->targinfo; + +- if (skb_ensure_writable(skb, ETH_ALEN)) ++ if (skb_ensure_writable(skb, 0)) + return EBT_DROP; + + if (xt_hooknum(par) != NF_BR_BROUTING) +diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c +index 27443bf229a3b..7dfbcdfc30e5d 100644 +--- a/net/bridge/netfilter/ebt_snat.c ++++ b/net/bridge/netfilter/ebt_snat.c +@@ -22,7 +22,7 @@ ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par) + { + const struct ebt_nat_info *info = par->targinfo; + +- if (skb_ensure_writable(skb, ETH_ALEN * 2)) ++ if (skb_ensure_writable(skb, 0)) + return EBT_DROP; + + ether_addr_copy(eth_hdr(skb)->h_source, info->mac); +-- +2.25.1 + diff --git a/queue-5.9/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch b/queue-5.9/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch new file mode 100644 index 00000000000..d377f02a8c3 --- /dev/null +++ b/queue-5.9/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch @@ -0,0 +1,49 @@ +From 29e480ff7c01cb263b6e191380c5f1ff100ea355 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 12:55:52 +0200 +Subject: netfilter: nf_fwd_netdev: clear timestamp in forwarding path + +From: Pablo Neira Ayuso + +[ Upstream commit c77761c8a59405cb7aa44188b30fffe13fbdd02d ] + +Similar to 7980d2eabde8 ("ipvs: clear skb->tstamp in forwarding path"). +fq qdisc requires tstamp to be cleared in forwarding path. + +Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths") +Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC") +Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_dup_netdev.c | 1 + + net/netfilter/nft_fwd_netdev.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c +index 2b01a151eaa80..a579e59ee5c5e 100644 +--- a/net/netfilter/nf_dup_netdev.c ++++ b/net/netfilter/nf_dup_netdev.c +@@ -19,6 +19,7 @@ static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev) + skb_push(skb, skb->mac_len); + + skb->dev = dev; ++ skb->tstamp = 0; + dev_queue_xmit(skb); + } + +diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c +index 3087e23297dbf..b77985986b24e 100644 +--- a/net/netfilter/nft_fwd_netdev.c ++++ b/net/netfilter/nft_fwd_netdev.c +@@ -138,6 +138,7 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr, + return; + + skb->dev = dev; ++ skb->tstamp = 0; + neigh_xmit(neigh_table, dev, addr, skb); + out: + regs->verdict.code = verdict; +-- +2.25.1 + diff --git a/queue-5.9/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch b/queue-5.9/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch new file mode 100644 index 00000000000..3f8d62cd7a8 --- /dev/null +++ b/queue-5.9/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch @@ -0,0 +1,139 @@ +From 9e9735f65fac99b375219491760ee06c7aee99e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 17:06:06 +0200 +Subject: netfilter: nf_log: missing vlan offload tag and proto + +From: Pablo Neira Ayuso + +[ Upstream commit 0d9826bc18ce356e8909919ad681ad65d0a6061e ] + +Dump vlan tag and proto for the usual vlan offload case if the +NF_LOG_MACDECODE flag is set on. Without this information the logging is +misleading as there is no reference to the VLAN header. + +[12716.993704] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0800 SRC=192.168.10.2 DST=172.217.168.163 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2548 DF PROTO=TCP SPT=55848 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0 +[12721.157643] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0806 ARP HTYPE=1 PTYPE=0x0800 OPCODE=2 MACSRC=86:6c:92:ea:d6:73 IPSRC=192.168.10.2 MACDST=0e:3b:eb:86:73:76 IPDST=192.168.10.1 + +Fixes: 83e96d443b37 ("netfilter: log: split family specific code to nf_log_{ip,ip6,common}.c files") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_log.h | 1 + + net/ipv4/netfilter/nf_log_arp.c | 19 +++++++++++++++++-- + net/ipv4/netfilter/nf_log_ipv4.c | 6 ++++-- + net/ipv6/netfilter/nf_log_ipv6.c | 8 +++++--- + net/netfilter/nf_log_common.c | 12 ++++++++++++ + 5 files changed, 39 insertions(+), 7 deletions(-) + +diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h +index 0d3920896d502..716db4a0fed89 100644 +--- a/include/net/netfilter/nf_log.h ++++ b/include/net/netfilter/nf_log.h +@@ -108,6 +108,7 @@ int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, + unsigned int logflags); + void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, + struct sock *sk); ++void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb); + void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, + unsigned int hooknum, const struct sk_buff *skb, + const struct net_device *in, +diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c +index 7a83f881efa9e..136030ad2e546 100644 +--- a/net/ipv4/netfilter/nf_log_arp.c ++++ b/net/ipv4/netfilter/nf_log_arp.c +@@ -43,16 +43,31 @@ static void dump_arp_packet(struct nf_log_buf *m, + const struct nf_loginfo *info, + const struct sk_buff *skb, unsigned int nhoff) + { +- const struct arphdr *ah; +- struct arphdr _arph; + const struct arppayload *ap; + struct arppayload _arpp; ++ const struct arphdr *ah; ++ unsigned int logflags; ++ struct arphdr _arph; + + ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); + if (ah == NULL) { + nf_log_buf_add(m, "TRUNCATED"); + return; + } ++ ++ if (info->type == NF_LOG_TYPE_LOG) ++ logflags = info->u.log.logflags; ++ else ++ logflags = NF_LOG_DEFAULT_MASK; ++ ++ if (logflags & NF_LOG_MACDECODE) { ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", ++ ntohs(eth_hdr(skb)->h_proto)); ++ } ++ + nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", + ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); + +diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c +index 0c72156130b68..d07583fac8f8c 100644 +--- a/net/ipv4/netfilter/nf_log_ipv4.c ++++ b/net/ipv4/netfilter/nf_log_ipv4.c +@@ -284,8 +284,10 @@ static void dump_ipv4_mac_header(struct nf_log_buf *m, + + switch (dev->type) { + case ARPHRD_ETHER: +- nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", +- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", + ntohs(eth_hdr(skb)->h_proto)); + return; + default: +diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c +index da64550a57075..8210ff34ed9b7 100644 +--- a/net/ipv6/netfilter/nf_log_ipv6.c ++++ b/net/ipv6/netfilter/nf_log_ipv6.c +@@ -297,9 +297,11 @@ static void dump_ipv6_mac_header(struct nf_log_buf *m, + + switch (dev->type) { + case ARPHRD_ETHER: +- nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", +- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, +- ntohs(eth_hdr(skb)->h_proto)); ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", ++ ntohs(eth_hdr(skb)->h_proto)); + return; + default: + break; +diff --git a/net/netfilter/nf_log_common.c b/net/netfilter/nf_log_common.c +index ae5628ddbe6d7..fd7c5f0f5c25b 100644 +--- a/net/netfilter/nf_log_common.c ++++ b/net/netfilter/nf_log_common.c +@@ -171,6 +171,18 @@ nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, + } + EXPORT_SYMBOL_GPL(nf_log_dump_packet_common); + ++void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) ++{ ++ u16 vid; ++ ++ if (!skb_vlan_tag_present(skb)) ++ return; ++ ++ vid = skb_vlan_tag_get(skb); ++ nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); ++} ++EXPORT_SYMBOL_GPL(nf_log_dump_vlan); ++ + /* bridge and netdev logging families share this code. */ + void nf_log_l2packet(struct net *net, u_int8_t pf, + __be16 protocol, +-- +2.25.1 + diff --git a/queue-5.9/nfs-add-missing-posix-local_lock-constant-table-defi.patch b/queue-5.9/nfs-add-missing-posix-local_lock-constant-table-defi.patch new file mode 100644 index 00000000000..4ce3863656b --- /dev/null +++ b/queue-5.9/nfs-add-missing-posix-local_lock-constant-table-defi.patch @@ -0,0 +1,35 @@ +From b1ede9ef4293bf0c0fcffde9479bfb5fae39e420 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Oct 2020 10:03:12 -0400 +Subject: nfs: add missing "posix" local_lock constant table definition + +From: Scott Mayhew + +[ Upstream commit a2d24bcb97dc7b0be1cb891e60ae133bdf36c786 ] + +"mount -o local_lock=posix..." was broken by the mount API conversion +due to the missing constant. + +Fixes: e38bb238ed8c ("NFS: Convert mount option parsing to use functionality from fs_parser.h") +Signed-off-by: Scott Mayhew +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/fs_context.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c +index 524812984e2d4..009987e690207 100644 +--- a/fs/nfs/fs_context.c ++++ b/fs/nfs/fs_context.c +@@ -94,6 +94,7 @@ enum { + static const struct constant_table nfs_param_enums_local_lock[] = { + { "all", Opt_local_lock_all }, + { "flock", Opt_local_lock_flock }, ++ { "posix", Opt_local_lock_posix }, + { "none", Opt_local_lock_none }, + {} + }; +-- +2.25.1 + diff --git a/queue-5.9/nfsd-cache-r-rw-and-w-opens-separately.patch b/queue-5.9/nfsd-cache-r-rw-and-w-opens-separately.patch new file mode 100644 index 00000000000..75040f649a7 --- /dev/null +++ b/queue-5.9/nfsd-cache-r-rw-and-w-opens-separately.patch @@ -0,0 +1,44 @@ +From c44e2a49ba731107b9fed6306edc428e7eb55b43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 18:54:54 -0400 +Subject: nfsd: Cache R, RW, and W opens separately + +From: J. Bruce Fields + +[ Upstream commit ae3c57b5ca47665dc3416447a5534a9796096d86 ] + +The nfsd open code has always kept separate read-only, read-write, and +write-only opens as necessary to ensure that when a client closes or +downgrades, we don't retain more access than necessary. + +Also, I didn't realize the cache behaved this way when I wrote +94415b06eb8a "nfsd4: a client's own opens needn't prevent delegations". +There I assumed fi_fds[O_WRONLY] and fi_fds[O_RDWR] would always be +distinct. The violation of that assumption is triggering a +WARN_ON_ONCE() and could also cause the server to give out a delegation +when it shouldn't. + +Fixes: 94415b06eb8a ("nfsd4: a client's own opens needn't prevent delegations") +Tested-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/filecache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c +index c8b9d2667ee6f..3c6c2f7d1688b 100644 +--- a/fs/nfsd/filecache.c ++++ b/fs/nfsd/filecache.c +@@ -889,7 +889,7 @@ nfsd_file_find_locked(struct inode *inode, unsigned int may_flags, + + hlist_for_each_entry_rcu(nf, &nfsd_file_hashtbl[hashval].nfb_head, + nf_node, lockdep_is_held(&nfsd_file_hashtbl[hashval].nfb_lock)) { +- if ((need & nf->nf_may) != need) ++ if (nf->nf_may != need) + continue; + if (nf->nf_inode != inode) + continue; +-- +2.25.1 + diff --git a/queue-5.9/nfsv4.2-fix-nfs4err_stale-error-when-doing-inter-ser.patch b/queue-5.9/nfsv4.2-fix-nfs4err_stale-error-when-doing-inter-ser.patch new file mode 100644 index 00000000000..3a94c8c3ef6 --- /dev/null +++ b/queue-5.9/nfsv4.2-fix-nfs4err_stale-error-when-doing-inter-ser.patch @@ -0,0 +1,405 @@ +From 44a77fd670efa69557fcf5bb875fd9cb5f96061d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Oct 2020 23:42:49 -0400 +Subject: NFSv4.2: Fix NFS4ERR_STALE error when doing inter server copy + +From: Dai Ngo + +[ Upstream commit 0cfcd405e758ba1d277e58436fb32f06888c3e41 ] + +NFS_FS=y as dependency of CONFIG_NFSD_V4_2_INTER_SSC still have +build errors and some configs with NFSD=m to get NFS4ERR_STALE +error when doing inter server copy. + +Added ops table in nfs_common for knfsd to access NFS client modules. + +Fixes: 3ac3711adb88 ("NFSD: Fix NFS server build errors") +Signed-off-by: Dai Ngo +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 38 ++++++++++++++--- + fs/nfs/nfs4super.c | 5 +++ + fs/nfs/super.c | 17 ++++++++ + fs/nfs_common/Makefile | 1 + + fs/nfs_common/nfs_ssc.c | 94 +++++++++++++++++++++++++++++++++++++++++ + fs/nfsd/Kconfig | 2 +- + fs/nfsd/nfs4proc.c | 3 +- + include/linux/nfs_ssc.h | 67 +++++++++++++++++++++++++++++ + 8 files changed, 219 insertions(+), 8 deletions(-) + create mode 100644 fs/nfs_common/nfs_ssc.c + create mode 100644 include/linux/nfs_ssc.h + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index fdfc77486acee..984938024011b 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include "delegation.h" + #include "internal.h" + #include "iostat.h" +@@ -314,9 +315,8 @@ static loff_t nfs42_remap_file_range(struct file *src_file, loff_t src_off, + static int read_name_gen = 1; + #define SSC_READ_NAME_BODY "ssc_read_%d" + +-struct file * +-nfs42_ssc_open(struct vfsmount *ss_mnt, struct nfs_fh *src_fh, +- nfs4_stateid *stateid) ++static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt, ++ struct nfs_fh *src_fh, nfs4_stateid *stateid) + { + struct nfs_fattr fattr; + struct file *filep, *res; +@@ -398,14 +398,40 @@ nfs42_ssc_open(struct vfsmount *ss_mnt, struct nfs_fh *src_fh, + fput(filep); + goto out_free_name; + } +-EXPORT_SYMBOL_GPL(nfs42_ssc_open); +-void nfs42_ssc_close(struct file *filep) ++ ++static void __nfs42_ssc_close(struct file *filep) + { + struct nfs_open_context *ctx = nfs_file_open_context(filep); + + ctx->state->flags = 0; + } +-EXPORT_SYMBOL_GPL(nfs42_ssc_close); ++ ++static const struct nfs4_ssc_client_ops nfs4_ssc_clnt_ops_tbl = { ++ .sco_open = __nfs42_ssc_open, ++ .sco_close = __nfs42_ssc_close, ++}; ++ ++/** ++ * nfs42_ssc_register_ops - Wrapper to register NFS_V4 ops in nfs_common ++ * ++ * Return values: ++ * None ++ */ ++void nfs42_ssc_register_ops(void) ++{ ++ nfs42_ssc_register(&nfs4_ssc_clnt_ops_tbl); ++} ++ ++/** ++ * nfs42_ssc_unregister_ops - wrapper to un-register NFS_V4 ops in nfs_common ++ * ++ * Return values: ++ * None. ++ */ ++void nfs42_ssc_unregister_ops(void) ++{ ++ nfs42_ssc_unregister(&nfs4_ssc_clnt_ops_tbl); ++} + #endif /* CONFIG_NFS_V4_2 */ + + const struct file_operations nfs4_file_operations = { +diff --git a/fs/nfs/nfs4super.c b/fs/nfs/nfs4super.c +index 0c1ab846b83dd..93f5c1678ec29 100644 +--- a/fs/nfs/nfs4super.c ++++ b/fs/nfs/nfs4super.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include "delegation.h" + #include "internal.h" + #include "nfs4_fs.h" +@@ -279,6 +280,9 @@ static int __init init_nfs_v4(void) + if (err) + goto out2; + ++#ifdef CONFIG_NFS_V4_2 ++ nfs42_ssc_register_ops(); ++#endif + register_nfs_version(&nfs_v4); + return 0; + out2: +@@ -297,6 +301,7 @@ static void __exit exit_nfs_v4(void) + unregister_nfs_version(&nfs_v4); + #ifdef CONFIG_NFS_V4_2 + nfs4_xattr_cache_exit(); ++ nfs42_ssc_unregister_ops(); + #endif + nfs4_unregister_sysctl(); + nfs_idmap_quit(); +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 7a70287f21a2c..f7dad8227a5f4 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -57,6 +57,7 @@ + #include + + #include ++#include + + #include "nfs4_fs.h" + #include "callback.h" +@@ -85,6 +86,10 @@ const struct super_operations nfs_sops = { + }; + EXPORT_SYMBOL_GPL(nfs_sops); + ++static const struct nfs_ssc_client_ops nfs_ssc_clnt_ops_tbl = { ++ .sco_sb_deactive = nfs_sb_deactive, ++}; ++ + #if IS_ENABLED(CONFIG_NFS_V4) + static int __init register_nfs4_fs(void) + { +@@ -106,6 +111,16 @@ static void unregister_nfs4_fs(void) + } + #endif + ++static void nfs_ssc_register_ops(void) ++{ ++ nfs_ssc_register(&nfs_ssc_clnt_ops_tbl); ++} ++ ++static void nfs_ssc_unregister_ops(void) ++{ ++ nfs_ssc_unregister(&nfs_ssc_clnt_ops_tbl); ++} ++ + static struct shrinker acl_shrinker = { + .count_objects = nfs_access_cache_count, + .scan_objects = nfs_access_cache_scan, +@@ -133,6 +148,7 @@ int __init register_nfs_fs(void) + ret = register_shrinker(&acl_shrinker); + if (ret < 0) + goto error_3; ++ nfs_ssc_register_ops(); + return 0; + error_3: + nfs_unregister_sysctl(); +@@ -152,6 +168,7 @@ void __exit unregister_nfs_fs(void) + unregister_shrinker(&acl_shrinker); + nfs_unregister_sysctl(); + unregister_nfs4_fs(); ++ nfs_ssc_unregister_ops(); + unregister_filesystem(&nfs_fs_type); + } + +diff --git a/fs/nfs_common/Makefile b/fs/nfs_common/Makefile +index 4bebe834c0091..fa82f5aaa6d95 100644 +--- a/fs/nfs_common/Makefile ++++ b/fs/nfs_common/Makefile +@@ -7,3 +7,4 @@ obj-$(CONFIG_NFS_ACL_SUPPORT) += nfs_acl.o + nfs_acl-objs := nfsacl.o + + obj-$(CONFIG_GRACE_PERIOD) += grace.o ++obj-$(CONFIG_GRACE_PERIOD) += nfs_ssc.o +diff --git a/fs/nfs_common/nfs_ssc.c b/fs/nfs_common/nfs_ssc.c +new file mode 100644 +index 0000000000000..f43bbb3739134 +--- /dev/null ++++ b/fs/nfs_common/nfs_ssc.c +@@ -0,0 +1,94 @@ ++// SPDX-License-Identifier: GPL-2.0-only ++/* ++ * fs/nfs_common/nfs_ssc_comm.c ++ * ++ * Helper for knfsd's SSC to access ops in NFS client modules ++ * ++ * Author: Dai Ngo ++ * ++ * Copyright (c) 2020, Oracle and/or its affiliates. ++ */ ++ ++#include ++#include ++#include ++#include "../nfs/nfs4_fs.h" ++ ++MODULE_LICENSE("GPL"); ++ ++struct nfs_ssc_client_ops_tbl nfs_ssc_client_tbl; ++EXPORT_SYMBOL_GPL(nfs_ssc_client_tbl); ++ ++#ifdef CONFIG_NFS_V4_2 ++/** ++ * nfs42_ssc_register - install the NFS_V4 client ops in the nfs_ssc_client_tbl ++ * @ops: NFS_V4 ops to be installed ++ * ++ * Return values: ++ * None ++ */ ++void nfs42_ssc_register(const struct nfs4_ssc_client_ops *ops) ++{ ++ nfs_ssc_client_tbl.ssc_nfs4_ops = ops; ++} ++EXPORT_SYMBOL_GPL(nfs42_ssc_register); ++ ++/** ++ * nfs42_ssc_unregister - uninstall the NFS_V4 client ops from ++ * the nfs_ssc_client_tbl ++ * @ops: ops to be uninstalled ++ * ++ * Return values: ++ * None ++ */ ++void nfs42_ssc_unregister(const struct nfs4_ssc_client_ops *ops) ++{ ++ if (nfs_ssc_client_tbl.ssc_nfs4_ops != ops) ++ return; ++ ++ nfs_ssc_client_tbl.ssc_nfs4_ops = NULL; ++} ++EXPORT_SYMBOL_GPL(nfs42_ssc_unregister); ++#endif /* CONFIG_NFS_V4_2 */ ++ ++#ifdef CONFIG_NFS_V4_2 ++/** ++ * nfs_ssc_register - install the NFS_FS client ops in the nfs_ssc_client_tbl ++ * @ops: NFS_FS ops to be installed ++ * ++ * Return values: ++ * None ++ */ ++void nfs_ssc_register(const struct nfs_ssc_client_ops *ops) ++{ ++ nfs_ssc_client_tbl.ssc_nfs_ops = ops; ++} ++EXPORT_SYMBOL_GPL(nfs_ssc_register); ++ ++/** ++ * nfs_ssc_unregister - uninstall the NFS_FS client ops from ++ * the nfs_ssc_client_tbl ++ * @ops: ops to be uninstalled ++ * ++ * Return values: ++ * None ++ */ ++void nfs_ssc_unregister(const struct nfs_ssc_client_ops *ops) ++{ ++ if (nfs_ssc_client_tbl.ssc_nfs_ops != ops) ++ return; ++ nfs_ssc_client_tbl.ssc_nfs_ops = NULL; ++} ++EXPORT_SYMBOL_GPL(nfs_ssc_unregister); ++ ++#else ++void nfs_ssc_register(const struct nfs_ssc_client_ops *ops) ++{ ++} ++EXPORT_SYMBOL_GPL(nfs_ssc_register); ++ ++void nfs_ssc_unregister(const struct nfs_ssc_client_ops *ops) ++{ ++} ++EXPORT_SYMBOL_GPL(nfs_ssc_unregister); ++#endif /* CONFIG_NFS_V4_2 */ +diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig +index 99d2cae91bd68..f368f3215f88f 100644 +--- a/fs/nfsd/Kconfig ++++ b/fs/nfsd/Kconfig +@@ -136,7 +136,7 @@ config NFSD_FLEXFILELAYOUT + + config NFSD_V4_2_INTER_SSC + bool "NFSv4.2 inter server to server COPY" +- depends on NFSD_V4 && NFS_V4_1 && NFS_V4_2 && NFS_FS=y ++ depends on NFSD_V4 && NFS_V4_1 && NFS_V4_2 + help + This option enables support for NFSv4.2 inter server to + server copy where the destination server calls the NFSv4.2 +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index eaf50eafa9359..84e10aef14175 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + + #include "idmap.h" + #include "cache.h" +@@ -1247,7 +1248,7 @@ nfsd4_interssc_connect(struct nl4_server *nss, struct svc_rqst *rqstp, + static void + nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) + { +- nfs_sb_deactive(ss_mnt->mnt_sb); ++ nfs_do_sb_deactive(ss_mnt->mnt_sb); + mntput(ss_mnt); + } + +diff --git a/include/linux/nfs_ssc.h b/include/linux/nfs_ssc.h +new file mode 100644 +index 0000000000000..f5ba0fbff72fe +--- /dev/null ++++ b/include/linux/nfs_ssc.h +@@ -0,0 +1,67 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * include/linux/nfs_ssc.h ++ * ++ * Author: Dai Ngo ++ * ++ * Copyright (c) 2020, Oracle and/or its affiliates. ++ */ ++ ++#include ++ ++extern struct nfs_ssc_client_ops_tbl nfs_ssc_client_tbl; ++ ++/* ++ * NFS_V4 ++ */ ++struct nfs4_ssc_client_ops { ++ struct file *(*sco_open)(struct vfsmount *ss_mnt, ++ struct nfs_fh *src_fh, nfs4_stateid *stateid); ++ void (*sco_close)(struct file *filep); ++}; ++ ++/* ++ * NFS_FS ++ */ ++struct nfs_ssc_client_ops { ++ void (*sco_sb_deactive)(struct super_block *sb); ++}; ++ ++struct nfs_ssc_client_ops_tbl { ++ const struct nfs4_ssc_client_ops *ssc_nfs4_ops; ++ const struct nfs_ssc_client_ops *ssc_nfs_ops; ++}; ++ ++extern void nfs42_ssc_register_ops(void); ++extern void nfs42_ssc_unregister_ops(void); ++ ++extern void nfs42_ssc_register(const struct nfs4_ssc_client_ops *ops); ++extern void nfs42_ssc_unregister(const struct nfs4_ssc_client_ops *ops); ++ ++#ifdef CONFIG_NFSD_V4_2_INTER_SSC ++static inline struct file *nfs42_ssc_open(struct vfsmount *ss_mnt, ++ struct nfs_fh *src_fh, nfs4_stateid *stateid) ++{ ++ if (nfs_ssc_client_tbl.ssc_nfs4_ops) ++ return (*nfs_ssc_client_tbl.ssc_nfs4_ops->sco_open)(ss_mnt, src_fh, stateid); ++ return ERR_PTR(-EIO); ++} ++ ++static inline void nfs42_ssc_close(struct file *filep) ++{ ++ if (nfs_ssc_client_tbl.ssc_nfs4_ops) ++ (*nfs_ssc_client_tbl.ssc_nfs4_ops->sco_close)(filep); ++} ++#endif ++ ++/* ++ * NFS_FS ++ */ ++extern void nfs_ssc_register(const struct nfs_ssc_client_ops *ops); ++extern void nfs_ssc_unregister(const struct nfs_ssc_client_ops *ops); ++ ++static inline void nfs_do_sb_deactive(struct super_block *sb) ++{ ++ if (nfs_ssc_client_tbl.ssc_nfs_ops) ++ (*nfs_ssc_client_tbl.ssc_nfs_ops->sco_sb_deactive)(sb); ++} +-- +2.25.1 + diff --git a/queue-5.9/nl80211-fix-non-split-wiphy-information.patch b/queue-5.9/nl80211-fix-non-split-wiphy-information.patch new file mode 100644 index 00000000000..da19b70fe46 --- /dev/null +++ b/queue-5.9/nl80211-fix-non-split-wiphy-information.patch @@ -0,0 +1,49 @@ +From c284f1ae5e3b98bdbb79e5f8c4b235b243e2faa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 13:07:18 +0200 +Subject: nl80211: fix non-split wiphy information + +From: Johannes Berg + +[ Upstream commit ab10c22bc3b2024f0c9eafa463899a071eac8d97 ] + +When dumping wiphy information, we try to split the data into +many submessages, but for old userspace we still support the +old mode where this doesn't happen. + +However, in this case we were not resetting our state correctly +and dumping multiple messages for each wiphy, which would have +broken such older userspace. + +This was broken pretty much immediately afterwards because it +only worked in the original commit where non-split dumps didn't +have any more data than split dumps... + +Fixes: fe1abafd942f ("nl80211: re-add channel width and extended capa advertising") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20200928130717.3e6d9c6bada2.Ie0f151a8d0d00a8e1e18f6a8c9244dd02496af67@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 764151e89d0e9..e14307f2bddcc 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -2355,7 +2355,10 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev, + * case we'll continue with more data in the next round, + * but break unconditionally so unsplit data stops here. + */ +- state->split_start++; ++ if (state->split) ++ state->split_start++; ++ else ++ state->split_start = 0; + break; + case 9: + if (rdev->wiphy.extended_capabilities && +-- +2.25.1 + diff --git a/queue-5.9/nl80211-fix-obss-pd-min-and-max-offset-validation.patch b/queue-5.9/nl80211-fix-obss-pd-min-and-max-offset-validation.patch new file mode 100644 index 00000000000..0d293a48269 --- /dev/null +++ b/queue-5.9/nl80211-fix-obss-pd-min-and-max-offset-validation.patch @@ -0,0 +1,59 @@ +From c28c62ba4c2c78ce03793e60c29df92e5033e4bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 00:28:10 -0700 +Subject: nl80211: fix OBSS PD min and max offset validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rajkumar Manoharan + +[ Upstream commit 6c8b6e4a5f745ec49286ac0a3f1d591a34818f82 ] + +The SRG min and max offset won't present when SRG Information Present of +SR control field of Spatial Reuse Parameter Set element set to 0. Per +spec. IEEE802.11ax D7.0, SRG OBSS PD Min Offset ≤ SRG OBSS PD Max +Offset. Hence fix the constrain check to allow same values in both +offset and also call appropriate nla_get function to read the values. + +Fixes: 796e90f42b7e ("cfg80211: add support for parsing OBBS_PD attributes") +Signed-off-by: Rajkumar Manoharan +Link: https://lore.kernel.org/r/1601278091-20313-1-git-send-email-rmanohar@codeaurora.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 7fd45f6ddb058..764151e89d0e9 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4683,16 +4683,14 @@ static int nl80211_parse_he_obss_pd(struct nlattr *attrs, + if (err) + return err; + +- if (!tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] || +- !tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]) +- return -EINVAL; +- +- he_obss_pd->min_offset = +- nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]); +- he_obss_pd->max_offset = +- nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]); +- +- if (he_obss_pd->min_offset >= he_obss_pd->max_offset) ++ if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]) ++ he_obss_pd->min_offset = ++ nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]); ++ if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]) ++ he_obss_pd->max_offset = ++ nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]); ++ ++ if (he_obss_pd->min_offset > he_obss_pd->max_offset) + return -EINVAL; + + he_obss_pd->enable = true; +-- +2.25.1 + diff --git a/queue-5.9/notifier-fix-broken-error-handling-pattern.patch b/queue-5.9/notifier-fix-broken-error-handling-pattern.patch new file mode 100644 index 00000000000..233876c4808 --- /dev/null +++ b/queue-5.9/notifier-fix-broken-error-handling-pattern.patch @@ -0,0 +1,676 @@ +From 5f76dd41b813778c035c691cac8aa93e0b68c4a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:57:36 +0200 +Subject: notifier: Fix broken error handling pattern + +From: Peter Zijlstra + +[ Upstream commit 70d932985757fbe978024db313001218e9f8fe5c ] + +The current notifiers have the following error handling pattern all +over the place: + + int err, nr; + + err = __foo_notifier_call_chain(&chain, val_up, v, -1, &nr); + if (err & NOTIFIER_STOP_MASK) + __foo_notifier_call_chain(&chain, val_down, v, nr-1, NULL) + +And aside from the endless repetition thereof, it is broken. Consider +blocking notifiers; both calls take and drop the rwsem, this means +that the notifier list can change in between the two calls, making @nr +meaningless. + +Fix this by replacing all the __foo_notifier_call_chain() functions +with foo_notifier_call_chain_robust() that embeds the above pattern, +but ensures it is inside a single lock region. + +Note: I switched atomic_notifier_call_chain_robust() to use + the spinlock, since RCU cannot provide the guarantee + required for the recovery. + +Note: software_resume() error handling was broken afaict. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20200818135804.325626653@infradead.org +Signed-off-by: Sasha Levin +--- + include/linux/notifier.h | 15 ++- + kernel/cpu_pm.c | 48 ++++------ + kernel/notifier.c | 144 ++++++++++++++++++----------- + kernel/power/hibernate.c | 39 ++++---- + kernel/power/main.c | 8 +- + kernel/power/power.h | 3 +- + kernel/power/suspend.c | 14 ++- + kernel/power/user.c | 14 +-- + tools/power/pm-graph/sleepgraph.py | 2 +- + 9 files changed, 147 insertions(+), 140 deletions(-) + +diff --git a/include/linux/notifier.h b/include/linux/notifier.h +index 018947611483e..2fb373a5c1ede 100644 +--- a/include/linux/notifier.h ++++ b/include/linux/notifier.h +@@ -161,20 +161,19 @@ extern int srcu_notifier_chain_unregister(struct srcu_notifier_head *nh, + + extern int atomic_notifier_call_chain(struct atomic_notifier_head *nh, + unsigned long val, void *v); +-extern int __atomic_notifier_call_chain(struct atomic_notifier_head *nh, +- unsigned long val, void *v, int nr_to_call, int *nr_calls); + extern int blocking_notifier_call_chain(struct blocking_notifier_head *nh, + unsigned long val, void *v); +-extern int __blocking_notifier_call_chain(struct blocking_notifier_head *nh, +- unsigned long val, void *v, int nr_to_call, int *nr_calls); + extern int raw_notifier_call_chain(struct raw_notifier_head *nh, + unsigned long val, void *v); +-extern int __raw_notifier_call_chain(struct raw_notifier_head *nh, +- unsigned long val, void *v, int nr_to_call, int *nr_calls); + extern int srcu_notifier_call_chain(struct srcu_notifier_head *nh, + unsigned long val, void *v); +-extern int __srcu_notifier_call_chain(struct srcu_notifier_head *nh, +- unsigned long val, void *v, int nr_to_call, int *nr_calls); ++ ++extern int atomic_notifier_call_chain_robust(struct atomic_notifier_head *nh, ++ unsigned long val_up, unsigned long val_down, void *v); ++extern int blocking_notifier_call_chain_robust(struct blocking_notifier_head *nh, ++ unsigned long val_up, unsigned long val_down, void *v); ++extern int raw_notifier_call_chain_robust(struct raw_notifier_head *nh, ++ unsigned long val_up, unsigned long val_down, void *v); + + #define NOTIFY_DONE 0x0000 /* Don't care */ + #define NOTIFY_OK 0x0001 /* Suits me */ +diff --git a/kernel/cpu_pm.c b/kernel/cpu_pm.c +index 44a259338e33d..f7e1d0eccdbc6 100644 +--- a/kernel/cpu_pm.c ++++ b/kernel/cpu_pm.c +@@ -15,18 +15,28 @@ + + static ATOMIC_NOTIFIER_HEAD(cpu_pm_notifier_chain); + +-static int cpu_pm_notify(enum cpu_pm_event event, int nr_to_call, int *nr_calls) ++static int cpu_pm_notify(enum cpu_pm_event event) + { + int ret; + + /* +- * __atomic_notifier_call_chain has a RCU read critical section, which ++ * atomic_notifier_call_chain has a RCU read critical section, which + * could be disfunctional in cpu idle. Copy RCU_NONIDLE code to let + * RCU know this. + */ + rcu_irq_enter_irqson(); +- ret = __atomic_notifier_call_chain(&cpu_pm_notifier_chain, event, NULL, +- nr_to_call, nr_calls); ++ ret = atomic_notifier_call_chain(&cpu_pm_notifier_chain, event, NULL); ++ rcu_irq_exit_irqson(); ++ ++ return notifier_to_errno(ret); ++} ++ ++static int cpu_pm_notify_robust(enum cpu_pm_event event_up, enum cpu_pm_event event_down) ++{ ++ int ret; ++ ++ rcu_irq_enter_irqson(); ++ ret = atomic_notifier_call_chain_robust(&cpu_pm_notifier_chain, event_up, event_down, NULL); + rcu_irq_exit_irqson(); + + return notifier_to_errno(ret); +@@ -80,18 +90,7 @@ EXPORT_SYMBOL_GPL(cpu_pm_unregister_notifier); + */ + int cpu_pm_enter(void) + { +- int nr_calls = 0; +- int ret = 0; +- +- ret = cpu_pm_notify(CPU_PM_ENTER, -1, &nr_calls); +- if (ret) +- /* +- * Inform listeners (nr_calls - 1) about failure of CPU PM +- * PM entry who are notified earlier to prepare for it. +- */ +- cpu_pm_notify(CPU_PM_ENTER_FAILED, nr_calls - 1, NULL); +- +- return ret; ++ return cpu_pm_notify_robust(CPU_PM_ENTER, CPU_PM_ENTER_FAILED); + } + EXPORT_SYMBOL_GPL(cpu_pm_enter); + +@@ -109,7 +108,7 @@ EXPORT_SYMBOL_GPL(cpu_pm_enter); + */ + int cpu_pm_exit(void) + { +- return cpu_pm_notify(CPU_PM_EXIT, -1, NULL); ++ return cpu_pm_notify(CPU_PM_EXIT); + } + EXPORT_SYMBOL_GPL(cpu_pm_exit); + +@@ -131,18 +130,7 @@ EXPORT_SYMBOL_GPL(cpu_pm_exit); + */ + int cpu_cluster_pm_enter(void) + { +- int nr_calls = 0; +- int ret = 0; +- +- ret = cpu_pm_notify(CPU_CLUSTER_PM_ENTER, -1, &nr_calls); +- if (ret) +- /* +- * Inform listeners (nr_calls - 1) about failure of CPU cluster +- * PM entry who are notified earlier to prepare for it. +- */ +- cpu_pm_notify(CPU_CLUSTER_PM_ENTER_FAILED, nr_calls - 1, NULL); +- +- return ret; ++ return cpu_pm_notify_robust(CPU_CLUSTER_PM_ENTER, CPU_CLUSTER_PM_ENTER_FAILED); + } + EXPORT_SYMBOL_GPL(cpu_cluster_pm_enter); + +@@ -163,7 +151,7 @@ EXPORT_SYMBOL_GPL(cpu_cluster_pm_enter); + */ + int cpu_cluster_pm_exit(void) + { +- return cpu_pm_notify(CPU_CLUSTER_PM_EXIT, -1, NULL); ++ return cpu_pm_notify(CPU_CLUSTER_PM_EXIT); + } + EXPORT_SYMBOL_GPL(cpu_cluster_pm_exit); + +diff --git a/kernel/notifier.c b/kernel/notifier.c +index 84c987dfbe036..1b019cbca594a 100644 +--- a/kernel/notifier.c ++++ b/kernel/notifier.c +@@ -94,6 +94,34 @@ static int notifier_call_chain(struct notifier_block **nl, + } + NOKPROBE_SYMBOL(notifier_call_chain); + ++/** ++ * notifier_call_chain_robust - Inform the registered notifiers about an event ++ * and rollback on error. ++ * @nl: Pointer to head of the blocking notifier chain ++ * @val_up: Value passed unmodified to the notifier function ++ * @val_down: Value passed unmodified to the notifier function when recovering ++ * from an error on @val_up ++ * @v Pointer passed unmodified to the notifier function ++ * ++ * NOTE: It is important the @nl chain doesn't change between the two ++ * invocations of notifier_call_chain() such that we visit the ++ * exact same notifier callbacks; this rules out any RCU usage. ++ * ++ * Returns: the return value of the @val_up call. ++ */ ++static int notifier_call_chain_robust(struct notifier_block **nl, ++ unsigned long val_up, unsigned long val_down, ++ void *v) ++{ ++ int ret, nr = 0; ++ ++ ret = notifier_call_chain(nl, val_up, v, -1, &nr); ++ if (ret & NOTIFY_STOP_MASK) ++ notifier_call_chain(nl, val_down, v, nr-1, NULL); ++ ++ return ret; ++} ++ + /* + * Atomic notifier chain routines. Registration and unregistration + * use a spinlock, and call_chain is synchronized by RCU (no locks). +@@ -144,13 +172,30 @@ int atomic_notifier_chain_unregister(struct atomic_notifier_head *nh, + } + EXPORT_SYMBOL_GPL(atomic_notifier_chain_unregister); + ++int atomic_notifier_call_chain_robust(struct atomic_notifier_head *nh, ++ unsigned long val_up, unsigned long val_down, void *v) ++{ ++ unsigned long flags; ++ int ret; ++ ++ /* ++ * Musn't use RCU; because then the notifier list can ++ * change between the up and down traversal. ++ */ ++ spin_lock_irqsave(&nh->lock, flags); ++ ret = notifier_call_chain_robust(&nh->head, val_up, val_down, v); ++ spin_unlock_irqrestore(&nh->lock, flags); ++ ++ return ret; ++} ++EXPORT_SYMBOL_GPL(atomic_notifier_call_chain_robust); ++NOKPROBE_SYMBOL(atomic_notifier_call_chain_robust); ++ + /** +- * __atomic_notifier_call_chain - Call functions in an atomic notifier chain ++ * atomic_notifier_call_chain - Call functions in an atomic notifier chain + * @nh: Pointer to head of the atomic notifier chain + * @val: Value passed unmodified to notifier function + * @v: Pointer passed unmodified to notifier function +- * @nr_to_call: See the comment for notifier_call_chain. +- * @nr_calls: See the comment for notifier_call_chain. + * + * Calls each function in a notifier chain in turn. The functions + * run in an atomic context, so they must not block. +@@ -163,24 +208,16 @@ EXPORT_SYMBOL_GPL(atomic_notifier_chain_unregister); + * Otherwise the return value is the return value + * of the last notifier function called. + */ +-int __atomic_notifier_call_chain(struct atomic_notifier_head *nh, +- unsigned long val, void *v, +- int nr_to_call, int *nr_calls) ++int atomic_notifier_call_chain(struct atomic_notifier_head *nh, ++ unsigned long val, void *v) + { + int ret; + + rcu_read_lock(); +- ret = notifier_call_chain(&nh->head, val, v, nr_to_call, nr_calls); ++ ret = notifier_call_chain(&nh->head, val, v, -1, NULL); + rcu_read_unlock(); +- return ret; +-} +-EXPORT_SYMBOL_GPL(__atomic_notifier_call_chain); +-NOKPROBE_SYMBOL(__atomic_notifier_call_chain); + +-int atomic_notifier_call_chain(struct atomic_notifier_head *nh, +- unsigned long val, void *v) +-{ +- return __atomic_notifier_call_chain(nh, val, v, -1, NULL); ++ return ret; + } + EXPORT_SYMBOL_GPL(atomic_notifier_call_chain); + NOKPROBE_SYMBOL(atomic_notifier_call_chain); +@@ -250,13 +287,30 @@ int blocking_notifier_chain_unregister(struct blocking_notifier_head *nh, + } + EXPORT_SYMBOL_GPL(blocking_notifier_chain_unregister); + ++int blocking_notifier_call_chain_robust(struct blocking_notifier_head *nh, ++ unsigned long val_up, unsigned long val_down, void *v) ++{ ++ int ret = NOTIFY_DONE; ++ ++ /* ++ * We check the head outside the lock, but if this access is ++ * racy then it does not matter what the result of the test ++ * is, we re-check the list after having taken the lock anyway: ++ */ ++ if (rcu_access_pointer(nh->head)) { ++ down_read(&nh->rwsem); ++ ret = notifier_call_chain_robust(&nh->head, val_up, val_down, v); ++ up_read(&nh->rwsem); ++ } ++ return ret; ++} ++EXPORT_SYMBOL_GPL(blocking_notifier_call_chain_robust); ++ + /** +- * __blocking_notifier_call_chain - Call functions in a blocking notifier chain ++ * blocking_notifier_call_chain - Call functions in a blocking notifier chain + * @nh: Pointer to head of the blocking notifier chain + * @val: Value passed unmodified to notifier function + * @v: Pointer passed unmodified to notifier function +- * @nr_to_call: See comment for notifier_call_chain. +- * @nr_calls: See comment for notifier_call_chain. + * + * Calls each function in a notifier chain in turn. The functions + * run in a process context, so they are allowed to block. +@@ -268,9 +322,8 @@ EXPORT_SYMBOL_GPL(blocking_notifier_chain_unregister); + * Otherwise the return value is the return value + * of the last notifier function called. + */ +-int __blocking_notifier_call_chain(struct blocking_notifier_head *nh, +- unsigned long val, void *v, +- int nr_to_call, int *nr_calls) ++int blocking_notifier_call_chain(struct blocking_notifier_head *nh, ++ unsigned long val, void *v) + { + int ret = NOTIFY_DONE; + +@@ -281,19 +334,11 @@ int __blocking_notifier_call_chain(struct blocking_notifier_head *nh, + */ + if (rcu_access_pointer(nh->head)) { + down_read(&nh->rwsem); +- ret = notifier_call_chain(&nh->head, val, v, nr_to_call, +- nr_calls); ++ ret = notifier_call_chain(&nh->head, val, v, -1, NULL); + up_read(&nh->rwsem); + } + return ret; + } +-EXPORT_SYMBOL_GPL(__blocking_notifier_call_chain); +- +-int blocking_notifier_call_chain(struct blocking_notifier_head *nh, +- unsigned long val, void *v) +-{ +- return __blocking_notifier_call_chain(nh, val, v, -1, NULL); +-} + EXPORT_SYMBOL_GPL(blocking_notifier_call_chain); + + /* +@@ -335,13 +380,18 @@ int raw_notifier_chain_unregister(struct raw_notifier_head *nh, + } + EXPORT_SYMBOL_GPL(raw_notifier_chain_unregister); + ++int raw_notifier_call_chain_robust(struct raw_notifier_head *nh, ++ unsigned long val_up, unsigned long val_down, void *v) ++{ ++ return notifier_call_chain_robust(&nh->head, val_up, val_down, v); ++} ++EXPORT_SYMBOL_GPL(raw_notifier_call_chain_robust); ++ + /** +- * __raw_notifier_call_chain - Call functions in a raw notifier chain ++ * raw_notifier_call_chain - Call functions in a raw notifier chain + * @nh: Pointer to head of the raw notifier chain + * @val: Value passed unmodified to notifier function + * @v: Pointer passed unmodified to notifier function +- * @nr_to_call: See comment for notifier_call_chain. +- * @nr_calls: See comment for notifier_call_chain + * + * Calls each function in a notifier chain in turn. The functions + * run in an undefined context. +@@ -354,18 +404,10 @@ EXPORT_SYMBOL_GPL(raw_notifier_chain_unregister); + * Otherwise the return value is the return value + * of the last notifier function called. + */ +-int __raw_notifier_call_chain(struct raw_notifier_head *nh, +- unsigned long val, void *v, +- int nr_to_call, int *nr_calls) +-{ +- return notifier_call_chain(&nh->head, val, v, nr_to_call, nr_calls); +-} +-EXPORT_SYMBOL_GPL(__raw_notifier_call_chain); +- + int raw_notifier_call_chain(struct raw_notifier_head *nh, + unsigned long val, void *v) + { +- return __raw_notifier_call_chain(nh, val, v, -1, NULL); ++ return notifier_call_chain(&nh->head, val, v, -1, NULL); + } + EXPORT_SYMBOL_GPL(raw_notifier_call_chain); + +@@ -437,12 +479,10 @@ int srcu_notifier_chain_unregister(struct srcu_notifier_head *nh, + EXPORT_SYMBOL_GPL(srcu_notifier_chain_unregister); + + /** +- * __srcu_notifier_call_chain - Call functions in an SRCU notifier chain ++ * srcu_notifier_call_chain - Call functions in an SRCU notifier chain + * @nh: Pointer to head of the SRCU notifier chain + * @val: Value passed unmodified to notifier function + * @v: Pointer passed unmodified to notifier function +- * @nr_to_call: See comment for notifier_call_chain. +- * @nr_calls: See comment for notifier_call_chain + * + * Calls each function in a notifier chain in turn. The functions + * run in a process context, so they are allowed to block. +@@ -454,25 +494,17 @@ EXPORT_SYMBOL_GPL(srcu_notifier_chain_unregister); + * Otherwise the return value is the return value + * of the last notifier function called. + */ +-int __srcu_notifier_call_chain(struct srcu_notifier_head *nh, +- unsigned long val, void *v, +- int nr_to_call, int *nr_calls) ++int srcu_notifier_call_chain(struct srcu_notifier_head *nh, ++ unsigned long val, void *v) + { + int ret; + int idx; + + idx = srcu_read_lock(&nh->srcu); +- ret = notifier_call_chain(&nh->head, val, v, nr_to_call, nr_calls); ++ ret = notifier_call_chain(&nh->head, val, v, -1, NULL); + srcu_read_unlock(&nh->srcu, idx); + return ret; + } +-EXPORT_SYMBOL_GPL(__srcu_notifier_call_chain); +- +-int srcu_notifier_call_chain(struct srcu_notifier_head *nh, +- unsigned long val, void *v) +-{ +- return __srcu_notifier_call_chain(nh, val, v, -1, NULL); +-} + EXPORT_SYMBOL_GPL(srcu_notifier_call_chain); + + /** +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index e7aa57fb2fdc3..1dee70815f3cd 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -706,8 +706,8 @@ static int load_image_and_restore(void) + */ + int hibernate(void) + { +- int error, nr_calls = 0; + bool snapshot_test = false; ++ int error; + + if (!hibernation_available()) { + pm_pr_dbg("Hibernation not available.\n"); +@@ -723,11 +723,9 @@ int hibernate(void) + + pr_info("hibernation entry\n"); + pm_prepare_console(); +- error = __pm_notifier_call_chain(PM_HIBERNATION_PREPARE, -1, &nr_calls); +- if (error) { +- nr_calls--; +- goto Exit; +- } ++ error = pm_notifier_call_chain_robust(PM_HIBERNATION_PREPARE, PM_POST_HIBERNATION); ++ if (error) ++ goto Restore; + + ksys_sync_helper(); + +@@ -785,7 +783,8 @@ int hibernate(void) + /* Don't bother checking whether freezer_test_done is true */ + freezer_test_done = false; + Exit: +- __pm_notifier_call_chain(PM_POST_HIBERNATION, nr_calls, NULL); ++ pm_notifier_call_chain(PM_POST_HIBERNATION); ++ Restore: + pm_restore_console(); + hibernate_release(); + Unlock: +@@ -804,7 +803,7 @@ int hibernate(void) + */ + int hibernate_quiet_exec(int (*func)(void *data), void *data) + { +- int error, nr_calls = 0; ++ int error; + + lock_system_sleep(); + +@@ -815,11 +814,9 @@ int hibernate_quiet_exec(int (*func)(void *data), void *data) + + pm_prepare_console(); + +- error = __pm_notifier_call_chain(PM_HIBERNATION_PREPARE, -1, &nr_calls); +- if (error) { +- nr_calls--; +- goto exit; +- } ++ error = pm_notifier_call_chain_robust(PM_HIBERNATION_PREPARE, PM_POST_HIBERNATION); ++ if (error) ++ goto restore; + + error = freeze_processes(); + if (error) +@@ -880,8 +877,9 @@ int hibernate_quiet_exec(int (*func)(void *data), void *data) + thaw_processes(); + + exit: +- __pm_notifier_call_chain(PM_POST_HIBERNATION, nr_calls, NULL); ++ pm_notifier_call_chain(PM_POST_HIBERNATION); + ++restore: + pm_restore_console(); + + hibernate_release(); +@@ -910,7 +908,7 @@ EXPORT_SYMBOL_GPL(hibernate_quiet_exec); + */ + static int software_resume(void) + { +- int error, nr_calls = 0; ++ int error; + + /* + * If the user said "noresume".. bail out early. +@@ -997,11 +995,9 @@ static int software_resume(void) + + pr_info("resume from hibernation\n"); + pm_prepare_console(); +- error = __pm_notifier_call_chain(PM_RESTORE_PREPARE, -1, &nr_calls); +- if (error) { +- nr_calls--; +- goto Close_Finish; +- } ++ error = pm_notifier_call_chain_robust(PM_RESTORE_PREPARE, PM_POST_RESTORE); ++ if (error) ++ goto Restore; + + pm_pr_dbg("Preparing processes for hibernation restore.\n"); + error = freeze_processes(); +@@ -1017,7 +1013,8 @@ static int software_resume(void) + error = load_image_and_restore(); + thaw_processes(); + Finish: +- __pm_notifier_call_chain(PM_POST_RESTORE, nr_calls, NULL); ++ pm_notifier_call_chain(PM_POST_RESTORE); ++ Restore: + pm_restore_console(); + pr_info("resume failed (%d)\n", error); + hibernate_release(); +diff --git a/kernel/power/main.c b/kernel/power/main.c +index 40f86ec4ab30d..0aefd6f57e0ac 100644 +--- a/kernel/power/main.c ++++ b/kernel/power/main.c +@@ -80,18 +80,18 @@ int unregister_pm_notifier(struct notifier_block *nb) + } + EXPORT_SYMBOL_GPL(unregister_pm_notifier); + +-int __pm_notifier_call_chain(unsigned long val, int nr_to_call, int *nr_calls) ++int pm_notifier_call_chain_robust(unsigned long val_up, unsigned long val_down) + { + int ret; + +- ret = __blocking_notifier_call_chain(&pm_chain_head, val, NULL, +- nr_to_call, nr_calls); ++ ret = blocking_notifier_call_chain_robust(&pm_chain_head, val_up, val_down, NULL); + + return notifier_to_errno(ret); + } ++ + int pm_notifier_call_chain(unsigned long val) + { +- return __pm_notifier_call_chain(val, -1, NULL); ++ return blocking_notifier_call_chain(&pm_chain_head, val, NULL); + } + + /* If set, devices may be suspended and resumed asynchronously. */ +diff --git a/kernel/power/power.h b/kernel/power/power.h +index 32fc89ac96c30..24f12d534515f 100644 +--- a/kernel/power/power.h ++++ b/kernel/power/power.h +@@ -210,8 +210,7 @@ static inline void suspend_test_finish(const char *label) {} + + #ifdef CONFIG_PM_SLEEP + /* kernel/power/main.c */ +-extern int __pm_notifier_call_chain(unsigned long val, int nr_to_call, +- int *nr_calls); ++extern int pm_notifier_call_chain_robust(unsigned long val_up, unsigned long val_down); + extern int pm_notifier_call_chain(unsigned long val); + #endif + +diff --git a/kernel/power/suspend.c b/kernel/power/suspend.c +index 8b1bb5ee7e5d6..32391acc806bf 100644 +--- a/kernel/power/suspend.c ++++ b/kernel/power/suspend.c +@@ -342,18 +342,16 @@ static int suspend_test(int level) + */ + static int suspend_prepare(suspend_state_t state) + { +- int error, nr_calls = 0; ++ int error; + + if (!sleep_state_supported(state)) + return -EPERM; + + pm_prepare_console(); + +- error = __pm_notifier_call_chain(PM_SUSPEND_PREPARE, -1, &nr_calls); +- if (error) { +- nr_calls--; +- goto Finish; +- } ++ error = pm_notifier_call_chain_robust(PM_SUSPEND_PREPARE, PM_POST_SUSPEND); ++ if (error) ++ goto Restore; + + trace_suspend_resume(TPS("freeze_processes"), 0, true); + error = suspend_freeze_processes(); +@@ -363,8 +361,8 @@ static int suspend_prepare(suspend_state_t state) + + suspend_stats.failed_freeze++; + dpm_save_failed_step(SUSPEND_FREEZE); +- Finish: +- __pm_notifier_call_chain(PM_POST_SUSPEND, nr_calls, NULL); ++ pm_notifier_call_chain(PM_POST_SUSPEND); ++ Restore: + pm_restore_console(); + return error; + } +diff --git a/kernel/power/user.c b/kernel/power/user.c +index d5eedc2baa2a1..047f598f89a5c 100644 +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -46,7 +46,7 @@ int is_hibernate_resume_dev(const struct inode *bd_inode) + static int snapshot_open(struct inode *inode, struct file *filp) + { + struct snapshot_data *data; +- int error, nr_calls = 0; ++ int error; + + if (!hibernation_available()) + return -EPERM; +@@ -73,9 +73,7 @@ static int snapshot_open(struct inode *inode, struct file *filp) + swap_type_of(swsusp_resume_device, 0, NULL) : -1; + data->mode = O_RDONLY; + data->free_bitmaps = false; +- error = __pm_notifier_call_chain(PM_HIBERNATION_PREPARE, -1, &nr_calls); +- if (error) +- __pm_notifier_call_chain(PM_POST_HIBERNATION, --nr_calls, NULL); ++ error = pm_notifier_call_chain_robust(PM_HIBERNATION_PREPARE, PM_POST_HIBERNATION); + } else { + /* + * Resuming. We may need to wait for the image device to +@@ -85,15 +83,11 @@ static int snapshot_open(struct inode *inode, struct file *filp) + + data->swap = -1; + data->mode = O_WRONLY; +- error = __pm_notifier_call_chain(PM_RESTORE_PREPARE, -1, &nr_calls); ++ error = pm_notifier_call_chain_robust(PM_RESTORE_PREPARE, PM_POST_RESTORE); + if (!error) { + error = create_basic_memory_bitmaps(); + data->free_bitmaps = !error; +- } else +- nr_calls--; +- +- if (error) +- __pm_notifier_call_chain(PM_POST_RESTORE, nr_calls, NULL); ++ } + } + if (error) + hibernate_release(); +diff --git a/tools/power/pm-graph/sleepgraph.py b/tools/power/pm-graph/sleepgraph.py +index 46ff97e909c6f..1bc36a1db14f6 100755 +--- a/tools/power/pm-graph/sleepgraph.py ++++ b/tools/power/pm-graph/sleepgraph.py +@@ -171,7 +171,7 @@ class SystemValues: + tracefuncs = { + 'sys_sync': {}, + 'ksys_sync': {}, +- '__pm_notifier_call_chain': {}, ++ 'pm_notifier_call_chain_robust': {}, + 'pm_prepare_console': {}, + 'pm_notifier_call_chain': {}, + 'freeze_processes': {}, +-- +2.25.1 + diff --git a/queue-5.9/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch b/queue-5.9/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch new file mode 100644 index 00000000000..0026213de9d --- /dev/null +++ b/queue-5.9/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch @@ -0,0 +1,36 @@ +From abdc0f858e72dcceb7fee6f7982bc9ea27578479 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 09:59:57 +0800 +Subject: NTB: hw: amd: fix an issue about leak system resources + +From: Kaige Li + +[ Upstream commit 44a0a3c17919db1498cebb02ecf3cf4abc1ade7b ] + +The related system resources were not released when pci_set_dma_mask(), +pci_set_consistent_dma_mask(), or pci_iomap() return error in the +amd_ntb_init_pci() function. Add pci_release_regions() to fix it. + +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Kaige Li +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index 88e1db65be02c..71428d8cbcfc5 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1203,6 +1203,7 @@ static int amd_ntb_init_pci(struct amd_ntb_dev *ndev, + + err_dma_mask: + pci_clear_master(pdev); ++ pci_release_regions(pdev); + err_pci_regions: + pci_disable_device(pdev); + err_pci_enable: +-- +2.25.1 + diff --git a/queue-5.9/ntb-intel-fix-memleak-in-intel_ntb_pci_probe.patch b/queue-5.9/ntb-intel-fix-memleak-in-intel_ntb_pci_probe.patch new file mode 100644 index 00000000000..34c24247aa1 --- /dev/null +++ b/queue-5.9/ntb-intel-fix-memleak-in-intel_ntb_pci_probe.patch @@ -0,0 +1,37 @@ +From b7d4053350f65b992c36e2ba547bfd494dabaf49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 14:55:12 +0800 +Subject: ntb: intel: Fix memleak in intel_ntb_pci_probe + +From: Dinghao Liu + +[ Upstream commit dbb8df5c2d27610a87b0168a8acc89d73fbfde94 ] + +The default error branch of a series of pdev_is_gen calls +should free ndev just like what we've done in these calls. + +Fixes: 26bfe3d0b227 ("ntb: intel: Add Icelake (gen4) support for Intel NTB") +Signed-off-by: Dinghao Liu +Acked-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index 3185efeab487b..093dd20057b92 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -1893,7 +1893,7 @@ static int intel_ntb_pci_probe(struct pci_dev *pdev, + goto err_init_dev; + } else { + rc = -EINVAL; +- goto err_ndev; ++ goto err_init_pci; + } + + ndev_reset_unsafe_flags(ndev); +-- +2.25.1 + diff --git a/queue-5.9/ntfs-add-check-for-mft-record-size-in-superblock.patch b/queue-5.9/ntfs-add-check-for-mft-record-size-in-superblock.patch new file mode 100644 index 00000000000..947f85e05f1 --- /dev/null +++ b/queue-5.9/ntfs-add-check-for-mft-record-size-in-superblock.patch @@ -0,0 +1,46 @@ +From 6cab50e34684e428a40b3f8a1d94b9ca1e4b0b02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:48:17 -0700 +Subject: ntfs: add check for mft record size in superblock + +From: Rustam Kovhaev + +[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ] + +Number of bytes allocated for mft record should be equal to the mft record +size stored in ntfs superblock as reported by syzbot, userspace might +trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find() + +Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com +Signed-off-by: Rustam Kovhaev +Signed-off-by: Andrew Morton +Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com +Acked-by: Anton Altaparmakov +Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e +Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ntfs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c +index 9bb9f0952b186..caf563981532b 100644 +--- a/fs/ntfs/inode.c ++++ b/fs/ntfs/inode.c +@@ -1810,6 +1810,12 @@ int ntfs_read_inode_mount(struct inode *vi) + brelse(bh); + } + ++ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) { ++ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.", ++ le32_to_cpu(m->bytes_allocated), vol->mft_record_size); ++ goto err_out; ++ } ++ + /* Apply the mst fixups. */ + if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) { + /* FIXME: Try to use the $MFTMirr now. */ +-- +2.25.1 + diff --git a/queue-5.9/nvme-fix-error-handling-in-nvme_ns_report_zones.patch b/queue-5.9/nvme-fix-error-handling-in-nvme_ns_report_zones.patch new file mode 100644 index 00000000000..6cade644a6d --- /dev/null +++ b/queue-5.9/nvme-fix-error-handling-in-nvme_ns_report_zones.patch @@ -0,0 +1,97 @@ +From 42242b8581f58a36850e69b7916da5ecf0766df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Aug 2020 12:00:10 +0200 +Subject: nvme: fix error handling in nvme_ns_report_zones + +From: Christoph Hellwig + +[ Upstream commit 936fab503ff4af94f5f9c0b549f3ab4d435500ec ] + +nvme_submit_sync_cmd can return positive NVMe error codes in addition to +the negative Linux error code, which are currently ignored. Fix this +by removing __nvme_ns_report_zones and handling the errors from +nvme_submit_sync_cmd in the caller instead of multiplexing the return +value and the number of zones reported into a single return value. + +Fixes: 240e6ee272c0 ("nvme: support for zoned namespaces") +Signed-off-by: Christoph Hellwig +Reviewed-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/zns.c | 41 ++++++++++++++++------------------------- + 1 file changed, 16 insertions(+), 25 deletions(-) + +diff --git a/drivers/nvme/host/zns.c b/drivers/nvme/host/zns.c +index 57cfd78731fbb..53efecb678983 100644 +--- a/drivers/nvme/host/zns.c ++++ b/drivers/nvme/host/zns.c +@@ -133,28 +133,6 @@ static void *nvme_zns_alloc_report_buffer(struct nvme_ns *ns, + return NULL; + } + +-static int __nvme_ns_report_zones(struct nvme_ns *ns, sector_t sector, +- struct nvme_zone_report *report, +- size_t buflen) +-{ +- struct nvme_command c = { }; +- int ret; +- +- c.zmr.opcode = nvme_cmd_zone_mgmt_recv; +- c.zmr.nsid = cpu_to_le32(ns->head->ns_id); +- c.zmr.slba = cpu_to_le64(nvme_sect_to_lba(ns, sector)); +- c.zmr.numd = cpu_to_le32(nvme_bytes_to_numd(buflen)); +- c.zmr.zra = NVME_ZRA_ZONE_REPORT; +- c.zmr.zrasf = NVME_ZRASF_ZONE_REPORT_ALL; +- c.zmr.pr = NVME_REPORT_ZONE_PARTIAL; +- +- ret = nvme_submit_sync_cmd(ns->queue, &c, report, buflen); +- if (ret) +- return ret; +- +- return le64_to_cpu(report->nr_zones); +-} +- + static int nvme_zone_parse_entry(struct nvme_ns *ns, + struct nvme_zone_descriptor *entry, + unsigned int idx, report_zones_cb cb, +@@ -182,6 +160,7 @@ static int nvme_ns_report_zones(struct nvme_ns *ns, sector_t sector, + unsigned int nr_zones, report_zones_cb cb, void *data) + { + struct nvme_zone_report *report; ++ struct nvme_command c = { }; + int ret, zone_idx = 0; + unsigned int nz, i; + size_t buflen; +@@ -190,14 +169,26 @@ static int nvme_ns_report_zones(struct nvme_ns *ns, sector_t sector, + if (!report) + return -ENOMEM; + ++ c.zmr.opcode = nvme_cmd_zone_mgmt_recv; ++ c.zmr.nsid = cpu_to_le32(ns->head->ns_id); ++ c.zmr.numd = cpu_to_le32(nvme_bytes_to_numd(buflen)); ++ c.zmr.zra = NVME_ZRA_ZONE_REPORT; ++ c.zmr.zrasf = NVME_ZRASF_ZONE_REPORT_ALL; ++ c.zmr.pr = NVME_REPORT_ZONE_PARTIAL; ++ + sector &= ~(ns->zsze - 1); + while (zone_idx < nr_zones && sector < get_capacity(ns->disk)) { + memset(report, 0, buflen); +- ret = __nvme_ns_report_zones(ns, sector, report, buflen); +- if (ret < 0) ++ ++ c.zmr.slba = cpu_to_le64(nvme_sect_to_lba(ns, sector)); ++ ret = nvme_submit_sync_cmd(ns->queue, &c, report, buflen); ++ if (ret) { ++ if (ret > 0) ++ ret = -EIO; + goto out_free; ++ } + +- nz = min_t(unsigned int, ret, nr_zones); ++ nz = min((unsigned int)le64_to_cpu(report->nr_zones), nr_zones); + if (!nz) + break; + +-- +2.25.1 + diff --git a/queue-5.9/nvmem-core-fix-missing-of_node_put-in-of_nvmem_devic.patch b/queue-5.9/nvmem-core-fix-missing-of_node_put-in-of_nvmem_devic.patch new file mode 100644 index 00000000000..209ede8c26a --- /dev/null +++ b/queue-5.9/nvmem-core-fix-missing-of_node_put-in-of_nvmem_devic.patch @@ -0,0 +1,49 @@ +From 8f4f8fd41c0c5126679a37889794f508a237f9da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 14:44:37 +0100 +Subject: nvmem: core: fix missing of_node_put() in of_nvmem_device_get() + +From: Vadym Kochan + +[ Upstream commit b1c194dcdb1425fa59eec61ab927cfff33096149 ] + +of_parse_phandle() returns device_node with incremented ref count +which needs to be decremented by of_node_put() when device_node +is not used. + +Fixes: e2a5402ec7c6 ("nvmem: Add nvmem_device based consumer apis.") +Signed-off-by: Vadym Kochan +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200917134437.16637-5-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/nvmem/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c +index 6cd3edb2eaf65..204a515d8bc5d 100644 +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -835,6 +835,7 @@ struct nvmem_device *of_nvmem_device_get(struct device_node *np, const char *id) + { + + struct device_node *nvmem_np; ++ struct nvmem_device *nvmem; + int index = 0; + + if (id) +@@ -844,7 +845,9 @@ struct nvmem_device *of_nvmem_device_get(struct device_node *np, const char *id) + if (!nvmem_np) + return ERR_PTR(-ENOENT); + +- return __nvmem_device_get(nvmem_np, device_match_of_node); ++ nvmem = __nvmem_device_get(nvmem_np, device_match_of_node); ++ of_node_put(nvmem_np); ++ return nvmem; + } + EXPORT_SYMBOL_GPL(of_nvmem_device_get); + #endif +-- +2.25.1 + diff --git a/queue-5.9/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch b/queue-5.9/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch new file mode 100644 index 00000000000..8f9612ef973 --- /dev/null +++ b/queue-5.9/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch @@ -0,0 +1,115 @@ +From 85be89481db92710751a4ac04ed28259e8db547f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 23:44:56 +0300 +Subject: nvmem: core: fix possibly memleak when use + nvmem_cell_info_to_nvmem_cell() + +From: Vadym Kochan + +[ Upstream commit fc9eec4d643597cf4cb2fef17d48110e677610da ] + +Fix missing 'kfree_const(cell->name)' when call to +nvmem_cell_info_to_nvmem_cell() in several places: + + * after nvmem_cell_info_to_nvmem_cell() failed during + nvmem_add_cells() + + * during nvmem_device_cell_{read,write} when cell->name is + kstrdup'ed() without calling kfree_const() at the end, but + really there is no reason to do that 'dup, because the cell + instance is allocated on the stack for some short period to be + read/write without exposing it to the caller. + +So the new nvmem_cell_info_to_nvmem_cell_nodup() helper is introduced +which is used to convert cell_info -> cell without name duplication as +a lighweight version of nvmem_cell_info_to_nvmem_cell(). + +Fixes: e2a5402ec7c6 ("nvmem: Add nvmem_device based consumer apis.") +Reviewed-by: Srinivas Kandagatla +Acked-by: Srinivas Kandagatla +Signed-off-by: Vadym Kochan +Link: https://lore.kernel.org/r/20200923204456.14032-1-vadym.kochan@plvision.eu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/nvmem/core.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c +index 204a515d8bc5d..29a51cd795609 100644 +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -361,16 +361,14 @@ static void nvmem_cell_add(struct nvmem_cell *cell) + blocking_notifier_call_chain(&nvmem_notifier, NVMEM_CELL_ADD, cell); + } + +-static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, +- const struct nvmem_cell_info *info, +- struct nvmem_cell *cell) ++static int nvmem_cell_info_to_nvmem_cell_nodup(struct nvmem_device *nvmem, ++ const struct nvmem_cell_info *info, ++ struct nvmem_cell *cell) + { + cell->nvmem = nvmem; + cell->offset = info->offset; + cell->bytes = info->bytes; +- cell->name = kstrdup_const(info->name, GFP_KERNEL); +- if (!cell->name) +- return -ENOMEM; ++ cell->name = info->name; + + cell->bit_offset = info->bit_offset; + cell->nbits = info->nbits; +@@ -382,13 +380,30 @@ static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, + if (!IS_ALIGNED(cell->offset, nvmem->stride)) { + dev_err(&nvmem->dev, + "cell %s unaligned to nvmem stride %d\n", +- cell->name, nvmem->stride); ++ cell->name ?: "", nvmem->stride); + return -EINVAL; + } + + return 0; + } + ++static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, ++ const struct nvmem_cell_info *info, ++ struct nvmem_cell *cell) ++{ ++ int err; ++ ++ err = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, cell); ++ if (err) ++ return err; ++ ++ cell->name = kstrdup_const(info->name, GFP_KERNEL); ++ if (!cell->name) ++ return -ENOMEM; ++ ++ return 0; ++} ++ + /** + * nvmem_add_cells() - Add cell information to an nvmem device + * +@@ -1463,7 +1478,7 @@ ssize_t nvmem_device_cell_read(struct nvmem_device *nvmem, + if (!nvmem) + return -EINVAL; + +- rc = nvmem_cell_info_to_nvmem_cell(nvmem, info, &cell); ++ rc = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, &cell); + if (rc) + return rc; + +@@ -1493,7 +1508,7 @@ int nvmem_device_cell_write(struct nvmem_device *nvmem, + if (!nvmem) + return -EINVAL; + +- rc = nvmem_cell_info_to_nvmem_cell(nvmem, info, &cell); ++ rc = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, &cell); + if (rc) + return rc; + +-- +2.25.1 + diff --git a/queue-5.9/nvmet-fix-uninitialized-work-for-zero-kato.patch b/queue-5.9/nvmet-fix-uninitialized-work-for-zero-kato.patch new file mode 100644 index 00000000000..8b9495465c0 --- /dev/null +++ b/queue-5.9/nvmet-fix-uninitialized-work-for-zero-kato.patch @@ -0,0 +1,55 @@ +From c286ae9ef99648d6d8ba181e044fcd23a9a2b574 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 09:51:40 +0800 +Subject: nvmet: fix uninitialized work for zero kato + +From: zhenwei pi + +[ Upstream commit 85bd23f3dc09a2ae9e56885420e52c54bf983713 ] + +When connecting a controller with a zero kato value using the following +command line + + nvme connect -t tcp -n NQN -a ADDR -s PORT --keep-alive-tmo=0 + +the warning below can be reproduced: + +WARNING: CPU: 1 PID: 241 at kernel/workqueue.c:1627 __queue_delayed_work+0x6d/0x90 +with trace: + mod_delayed_work_on+0x59/0x90 + nvmet_update_cc+0xee/0x100 [nvmet] + nvmet_execute_prop_set+0x72/0x80 [nvmet] + nvmet_tcp_try_recv_pdu+0x2f7/0x770 [nvmet_tcp] + nvmet_tcp_io_work+0x63f/0xb2d [nvmet_tcp] + ... + +This is caused by queuing up an uninitialized work. Althrough the +keep-alive timer is disabled during allocating the controller (fixed in +0d3b6a8d213a), ka_work still has a chance to run (called by +nvmet_start_ctrl). + +Fixes: 0d3b6a8d213a ("nvmet: Disable keep-alive timer when kato is cleared to 0h") +Signed-off-by: zhenwei pi +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index b7b63330b5efd..90e0c84df2af9 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -1126,7 +1126,8 @@ static void nvmet_start_ctrl(struct nvmet_ctrl *ctrl) + * in case a host died before it enabled the controller. Hence, simply + * reset the keep alive timer when the controller is enabled. + */ +- mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ); ++ if (ctrl->kato) ++ mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ); + } + + static void nvmet_clear_ctrl(struct nvmet_ctrl *ctrl) +-- +2.25.1 + diff --git a/queue-5.9/nvmet-limit-passthru-mtds-by-bio_max_pages.patch b/queue-5.9/nvmet-limit-passthru-mtds-by-bio_max_pages.patch new file mode 100644 index 00000000000..33f943cc455 --- /dev/null +++ b/queue-5.9/nvmet-limit-passthru-mtds-by-bio_max_pages.patch @@ -0,0 +1,59 @@ +From 37af318b7d1c639385078148bb9fef99f33cd889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 16:19:04 -0600 +Subject: nvmet: limit passthru MTDS by BIO_MAX_PAGES + +From: Logan Gunthorpe + +[ Upstream commit df06047d54276f73782c9d97882b305fca745d3f ] + +nvmet_passthru_map_sg() only supports mapping a single BIO, not a chain +so the effective maximum transfer should also be limitted by +BIO_MAX_PAGES (presently this works out to 1MB). + +For PCI passthru devices the max_sectors would typically be more +limitting than BIO_MAX_PAGES, but this may not be true for all passthru +devices. + +Fixes: c1fef73f793b ("nvmet: add passthru code to process commands") +Suggested-by: Christoph Hellwig +Signed-off-by: Logan Gunthorpe +Cc: Christoph Hellwig +Cc: Sagi Grimberg +Cc: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/passthru.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c +index dacfa7435d0b2..1ab88df3310f6 100644 +--- a/drivers/nvme/target/passthru.c ++++ b/drivers/nvme/target/passthru.c +@@ -26,7 +26,7 @@ static u16 nvmet_passthru_override_id_ctrl(struct nvmet_req *req) + struct nvme_ctrl *pctrl = ctrl->subsys->passthru_ctrl; + u16 status = NVME_SC_SUCCESS; + struct nvme_id_ctrl *id; +- u32 max_hw_sectors; ++ int max_hw_sectors; + int page_shift; + + id = kzalloc(sizeof(*id), GFP_KERNEL); +@@ -48,6 +48,13 @@ static u16 nvmet_passthru_override_id_ctrl(struct nvmet_req *req) + max_hw_sectors = min_not_zero(pctrl->max_segments << (PAGE_SHIFT - 9), + pctrl->max_hw_sectors); + ++ /* ++ * nvmet_passthru_map_sg is limitted to using a single bio so limit ++ * the mdts based on BIO_MAX_PAGES as well ++ */ ++ max_hw_sectors = min_not_zero(BIO_MAX_PAGES << (PAGE_SHIFT - 9), ++ max_hw_sectors); ++ + page_shift = NVME_CAP_MPSMIN(ctrl->cap) + 12; + + id->mdts = ilog2(max_hw_sectors) + 9 - page_shift; +-- +2.25.1 + diff --git a/queue-5.9/ocxl-fix-kconfig-dependency-warning-for-ocxl.patch b/queue-5.9/ocxl-fix-kconfig-dependency-warning-for-ocxl.patch new file mode 100644 index 00000000000..0c7fe8f8f90 --- /dev/null +++ b/queue-5.9/ocxl-fix-kconfig-dependency-warning-for-ocxl.patch @@ -0,0 +1,54 @@ +From 03ee3856c7be7f491e0953bdd993bb270008e5ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 12:41:49 +0300 +Subject: ocxl: fix kconfig dependency warning for OCXL + +From: Necip Fazil Yildiran + +[ Upstream commit 4b53a3c72116118d86fab4112277e1dc4edf273c ] + +When OCXL is enabled and HOTPLUG_PCI is disabled, it results in the +following Kbuild warning: + +WARNING: unmet direct dependencies detected for HOTPLUG_PCI_POWERNV + Depends on [n]: PCI [=y] && HOTPLUG_PCI [=n] && PPC_POWERNV [=y] && EEH [=y] + Selected by [y]: + - OCXL [=y] && PPC_POWERNV [=y] && PCI [=y] && EEH [=y] + +The reason is that OCXL selects HOTPLUG_PCI_POWERNV without depending on +or selecting HOTPLUG_PCI while HOTPLUG_PCI_POWERNV is subordinate to +HOTPLUG_PCI. + +HOTPLUG_PCI_POWERNV is a visible symbol with a set of dependencies. +Selecting it will lead to overlooking its other dependencies as well. + +Let OCXL depend on HOTPLUG_PCI_POWERNV instead to avoid Kbuild issues. + +Fixes: 49ce94b8677c ("ocxl: Add PCI hotplug dependency to Kconfig") +Acked-by: Frederic Barrat +Signed-off-by: Necip Fazil Yildiran +Link: https://lore.kernel.org/r/20200918094148.20525-1-fazilyildiran@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/ocxl/Kconfig | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/misc/ocxl/Kconfig b/drivers/misc/ocxl/Kconfig +index 6551007a066ce..947294f6d7f44 100644 +--- a/drivers/misc/ocxl/Kconfig ++++ b/drivers/misc/ocxl/Kconfig +@@ -9,9 +9,8 @@ config OCXL_BASE + + config OCXL + tristate "OpenCAPI coherent accelerator support" +- depends on PPC_POWERNV && PCI && EEH ++ depends on PPC_POWERNV && PCI && EEH && HOTPLUG_PCI_POWERNV + select OCXL_BASE +- select HOTPLUG_PCI_POWERNV + default m + help + Select this option to enable the ocxl driver for Open +-- +2.25.1 + diff --git a/queue-5.9/opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch b/queue-5.9/opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch new file mode 100644 index 00000000000..fab746ab4ff --- /dev/null +++ b/queue-5.9/opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch @@ -0,0 +1,55 @@ +From a07405453b9ab3e2fcc6ec432ab7aeef28b96204 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 11:22:37 +0530 +Subject: opp: Prevent memory leak in dev_pm_opp_attach_genpd() + +From: Viresh Kumar + +[ Upstream commit cb60e9602cce1593eb1e9cdc8ee562815078a354 ] + +If dev_pm_opp_attach_genpd() is called multiple times (once for each CPU +sharing the table), then it would result in unwanted behavior like +memory leak, attaching the domain multiple times, etc. + +Handle that by checking and returning earlier if the domains are already +attached. Now that dev_pm_opp_detach_genpd() can get called multiple +times as well, we need to protect that too. + +Note that the virtual device pointers aren't returned in this case, as +they may become unavailable to some callers during the middle of the +operation. + +Reported-by: Stephan Gerhold +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/opp/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/opp/core.c b/drivers/opp/core.c +index 3ca7543142bf3..1a95ad40795be 100644 +--- a/drivers/opp/core.c ++++ b/drivers/opp/core.c +@@ -1949,6 +1949,9 @@ static void _opp_detach_genpd(struct opp_table *opp_table) + { + int index; + ++ if (!opp_table->genpd_virt_devs) ++ return; ++ + for (index = 0; index < opp_table->required_opp_count; index++) { + if (!opp_table->genpd_virt_devs[index]) + continue; +@@ -1995,6 +1998,9 @@ struct opp_table *dev_pm_opp_attach_genpd(struct device *dev, + if (!opp_table) + return ERR_PTR(-ENOMEM); + ++ if (opp_table->genpd_virt_devs) ++ return opp_table; ++ + /* + * If the genpd's OPP table isn't already initialized, parsing of the + * required-opps fail for dev. We should retry this after genpd's OPP +-- +2.25.1 + diff --git a/queue-5.9/overflow-include-header-file-with-size_max-declarati.patch b/queue-5.9/overflow-include-header-file-with-size_max-declarati.patch new file mode 100644 index 00000000000..2ef487ed2a7 --- /dev/null +++ b/queue-5.9/overflow-include-header-file-with-size_max-declarati.patch @@ -0,0 +1,42 @@ +From 3af1b4e9a45ac51c0b7d68a03643dc3401fdc8ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Sep 2020 13:29:28 +0300 +Subject: overflow: Include header file with SIZE_MAX declaration + +From: Leon Romanovsky + +[ Upstream commit a4947e84f23474803b62a2759b5808147e4e15f9 ] + +The various array_size functions use SIZE_MAX define, but missed limits.h +causes to failure to compile code that needs overflow.h. + + In file included from drivers/infiniband/core/uverbs_std_types_device.c:6: + ./include/linux/overflow.h: In function 'array_size': + ./include/linux/overflow.h:258:10: error: 'SIZE_MAX' undeclared (first use in this function) + 258 | return SIZE_MAX; + | ^~~~~~~~ + +Fixes: 610b15c50e86 ("overflow.h: Add allocation size calculation helpers") +Link: https://lore.kernel.org/r/20200913102928.134985-1-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/linux/overflow.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/overflow.h b/include/linux/overflow.h +index 93fcef105061b..ff3c48f0abc5b 100644 +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -3,6 +3,7 @@ + #define __LINUX_OVERFLOW_H + + #include ++#include + + /* + * In the fallback code below, we need to compute the minimum and +-- +2.25.1 + diff --git a/queue-5.9/pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch b/queue-5.9/pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch new file mode 100644 index 00000000000..96adc3aec72 --- /dev/null +++ b/queue-5.9/pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch @@ -0,0 +1,63 @@ +From d896f1a1167f2e550283344e828be25bf80819ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 13:10:35 +0200 +Subject: PCI: aardvark: Check for errors from pci_bridge_emul_init() call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 7862a6134456c8b4f8c39e8c94aa97e5c2f7f2b7 ] + +Function pci_bridge_emul_init() may fail so correctly check for errors. + +Link: https://lore.kernel.org/r/20200907111038.5811-3-pali@kernel.org +Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space") +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Marek Behún +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-aardvark.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c +index 1c5f2fd47c511..2e2e2a2ff51d3 100644 +--- a/drivers/pci/controller/pci-aardvark.c ++++ b/drivers/pci/controller/pci-aardvark.c +@@ -607,7 +607,7 @@ static struct pci_bridge_emul_ops advk_pci_bridge_emul_ops = { + * Initialize the configuration space of the PCI-to-PCI bridge + * associated with the given PCIe interface. + */ +-static void advk_sw_pci_bridge_init(struct advk_pcie *pcie) ++static int advk_sw_pci_bridge_init(struct advk_pcie *pcie) + { + struct pci_bridge_emul *bridge = &pcie->bridge; + +@@ -633,8 +633,7 @@ static void advk_sw_pci_bridge_init(struct advk_pcie *pcie) + bridge->data = pcie; + bridge->ops = &advk_pci_bridge_emul_ops; + +- pci_bridge_emul_init(bridge, 0); +- ++ return pci_bridge_emul_init(bridge, 0); + } + + static bool advk_pcie_valid_device(struct advk_pcie *pcie, struct pci_bus *bus, +@@ -1167,7 +1166,11 @@ static int advk_pcie_probe(struct platform_device *pdev) + + advk_pcie_setup_hw(pcie); + +- advk_sw_pci_bridge_init(pcie); ++ ret = advk_sw_pci_bridge_init(pcie); ++ if (ret) { ++ dev_err(dev, "Failed to register emulated root PCI bridge\n"); ++ return ret; ++ } + + ret = advk_pcie_init_irq_domain(pcie); + if (ret) { +-- +2.25.1 + diff --git a/queue-5.9/pci-aardvark-fix-compilation-on-s390.patch b/queue-5.9/pci-aardvark-fix-compilation-on-s390.patch new file mode 100644 index 00000000000..0ecb15d31a8 --- /dev/null +++ b/queue-5.9/pci-aardvark-fix-compilation-on-s390.patch @@ -0,0 +1,49 @@ +From d5d2597a97cdee34d2c141d2fddcbe1041ea958e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 13:10:34 +0200 +Subject: PCI: aardvark: Fix compilation on s390 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit b32c012e4b98f0126aa327be2d1f409963057643 ] + +Include linux/gpio/consumer.h instead of linux/gpio.h, as is said in the +latter file. + +This was reported by kernel test bot when compiling for s390. + + drivers/pci/controller/pci-aardvark.c:350:2: error: implicit declaration of function 'gpiod_set_value_cansleep' [-Werror,-Wimplicit-function-declaration] + drivers/pci/controller/pci-aardvark.c:1074:21: error: implicit declaration of function 'devm_gpiod_get_from_of_node' [-Werror,-Wimplicit-function-declaration] + drivers/pci/controller/pci-aardvark.c:1076:14: error: use of undeclared identifier 'GPIOD_OUT_LOW' + +Link: https://lore.kernel.org/r/202006211118.LxtENQfl%25lkp@intel.com +Link: https://lore.kernel.org/r/20200907111038.5811-2-pali@kernel.org +Fixes: 5169a9851daa ("PCI: aardvark: Issue PERST via GPIO") +Reported-by: kernel test robot +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Marek Behún +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-aardvark.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c +index 1559f79e63b6f..1c5f2fd47c511 100644 +--- a/drivers/pci/controller/pci-aardvark.c ++++ b/drivers/pci/controller/pci-aardvark.c +@@ -9,7 +9,7 @@ + */ + + #include +-#include ++#include + #include + #include + #include +-- +2.25.1 + diff --git a/queue-5.9/pci-designware-ep-fix-the-header-type-check.patch b/queue-5.9/pci-designware-ep-fix-the-header-type-check.patch new file mode 100644 index 00000000000..9daee1dc4c9 --- /dev/null +++ b/queue-5.9/pci-designware-ep-fix-the-header-type-check.patch @@ -0,0 +1,53 @@ +From b5eeead4a07090a935ad4aa8af133551b694190e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 17:27:46 +0800 +Subject: PCI: designware-ep: Fix the Header Type check + +From: Hou Zhiqiang + +[ Upstream commit 16270a92355722e387e9ca19627c5a4d7bae1354 ] + +The current check will result in the multiple function device +fails to initialize. So fix the check by masking out the +multiple function bit. + +Link: https://lore.kernel.org/r/20200818092746.24366-1-Zhiqiang.Hou@nxp.com +Fixes: 0b24134f7888 ("PCI: dwc: Add validation that PCIe core is set to correct mode") +Signed-off-by: Hou Zhiqiang +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-designware-ep.c | 3 ++- + include/uapi/linux/pci_regs.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/dwc/pcie-designware-ep.c b/drivers/pci/controller/dwc/pcie-designware-ep.c +index 305bfec2424d8..29f5c616c3bc6 100644 +--- a/drivers/pci/controller/dwc/pcie-designware-ep.c ++++ b/drivers/pci/controller/dwc/pcie-designware-ep.c +@@ -505,7 +505,8 @@ int dw_pcie_ep_init_complete(struct dw_pcie_ep *ep) + u32 reg; + int i; + +- hdr_type = dw_pcie_readb_dbi(pci, PCI_HEADER_TYPE); ++ hdr_type = dw_pcie_readb_dbi(pci, PCI_HEADER_TYPE) & ++ PCI_HEADER_TYPE_MASK; + if (hdr_type != PCI_HEADER_TYPE_NORMAL) { + dev_err(pci->dev, + "PCIe controller is not set to EP mode (hdr_type:0x%x)!\n", +diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h +index f9701410d3b52..57a222014cd20 100644 +--- a/include/uapi/linux/pci_regs.h ++++ b/include/uapi/linux/pci_regs.h +@@ -76,6 +76,7 @@ + #define PCI_CACHE_LINE_SIZE 0x0c /* 8 bits */ + #define PCI_LATENCY_TIMER 0x0d /* 8 bits */ + #define PCI_HEADER_TYPE 0x0e /* 8 bits */ ++#define PCI_HEADER_TYPE_MASK 0x7f + #define PCI_HEADER_TYPE_NORMAL 0 + #define PCI_HEADER_TYPE_BRIDGE 1 + #define PCI_HEADER_TYPE_CARDBUS 2 +-- +2.25.1 + diff --git a/queue-5.9/pci-hv-fix-hibernation-in-case-interrupts-are-not-re.patch b/queue-5.9/pci-hv-fix-hibernation-in-case-interrupts-are-not-re.patch new file mode 100644 index 00000000000..918d4ae67a5 --- /dev/null +++ b/queue-5.9/pci-hv-fix-hibernation-in-case-interrupts-are-not-re.patch @@ -0,0 +1,151 @@ +From 57ac1ff43b38bcb9ab2c0633a94e290fd97a3078 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 01:51:58 -0700 +Subject: PCI: hv: Fix hibernation in case interrupts are not re-created + +From: Dexuan Cui + +[ Upstream commit 915cff7f38c5e4d47f187f8049245afc2cb3e503 ] + +pci_restore_msi_state() directly writes the MSI/MSI-X related registers +via MMIO. On a physical machine, this works perfectly; for a Linux VM +running on a hypervisor, which typically enables IOMMU interrupt remapping, +the hypervisor usually should trap and emulate the MMIO accesses in order +to re-create the necessary interrupt remapping table entries in the IOMMU, +otherwise the interrupts can not work in the VM after hibernation. + +Hyper-V is different from other hypervisors in that it does not trap and +emulate the MMIO accesses, and instead it uses a para-virtualized method, +which requires the VM to call hv_compose_msi_msg() to notify the hypervisor +of the info that would be passed to the hypervisor in the case of the +trap-and-emulate method. This is not an issue to a lot of PCI device +drivers, which destroy and re-create the interrupts across hibernation, so +hv_compose_msi_msg() is called automatically. However, some PCI device +drivers (e.g. the in-tree GPU driver nouveau and the out-of-tree Nvidia +proprietary GPU driver) do not destroy and re-create MSI/MSI-X interrupts +across hibernation, so hv_pci_resume() has to call hv_compose_msi_msg(), +otherwise the PCI device drivers can no longer receive interrupts after +the VM resumes from hibernation. + +Hyper-V is also different in that chip->irq_unmask() may fail in a +Linux VM running on Hyper-V (on a physical machine, chip->irq_unmask() +can not fail because unmasking an MSI/MSI-X register just means an MMIO +write): during hibernation, when a CPU is offlined, the kernel tries +to move the interrupt to the remaining CPUs that haven't been offlined +yet. In this case, hv_irq_unmask() -> hv_do_hypercall() always fails +because the vmbus channel has been closed: here the early "return" in +hv_irq_unmask() means the pci_msi_unmask_irq() is not called, i.e. the +desc->masked remains "true", so later after hibernation, the MSI interrupt +always remains masked, which is incorrect. Refer to cpu_disable_common() +-> fixup_irqs() -> irq_migrate_all_off_this_cpu() -> migrate_one_irq(): + +static bool migrate_one_irq(struct irq_desc *desc) +{ +... + if (maskchip && chip->irq_mask) + chip->irq_mask(d); +... + err = irq_do_set_affinity(d, affinity, false); +... + if (maskchip && chip->irq_unmask) + chip->irq_unmask(d); + +Fix the issue by calling pci_msi_unmask_irq() unconditionally in +hv_irq_unmask(). Also suppress the error message for hibernation because +the hypercall failure during hibernation does not matter (at this time +all the devices have been frozen). Note: the correct affinity info is +still updated into the irqdata data structure in migrate_one_irq() -> +irq_do_set_affinity() -> hv_set_affinity(), so later when the VM +resumes, hv_pci_restore_msi_state() is able to correctly restore +the interrupt with the correct affinity. + +Link: https://lore.kernel.org/r/20201002085158.9168-1-decui@microsoft.com +Fixes: ac82fc832708 ("PCI: hv: Add hibernation support") +Signed-off-by: Dexuan Cui +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Jake Oshins +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 50 +++++++++++++++++++++++++++-- + 1 file changed, 47 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index fc4c3a15e5707..a9df492fbffa2 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -1276,11 +1276,25 @@ static void hv_irq_unmask(struct irq_data *data) + exit_unlock: + spin_unlock_irqrestore(&hbus->retarget_msi_interrupt_lock, flags); + +- if (res) { ++ /* ++ * During hibernation, when a CPU is offlined, the kernel tries ++ * to move the interrupt to the remaining CPUs that haven't ++ * been offlined yet. In this case, the below hv_do_hypercall() ++ * always fails since the vmbus channel has been closed: ++ * refer to cpu_disable_common() -> fixup_irqs() -> ++ * irq_migrate_all_off_this_cpu() -> migrate_one_irq(). ++ * ++ * Suppress the error message for hibernation because the failure ++ * during hibernation does not matter (at this time all the devices ++ * have been frozen). Note: the correct affinity info is still updated ++ * into the irqdata data structure in migrate_one_irq() -> ++ * irq_do_set_affinity() -> hv_set_affinity(), so later when the VM ++ * resumes, hv_pci_restore_msi_state() is able to correctly restore ++ * the interrupt with the correct affinity. ++ */ ++ if (res && hbus->state != hv_pcibus_removing) + dev_err(&hbus->hdev->device, + "%s() failed: %#llx", __func__, res); +- return; +- } + + pci_msi_unmask_irq(data); + } +@@ -3372,6 +3386,34 @@ static int hv_pci_suspend(struct hv_device *hdev) + return 0; + } + ++static int hv_pci_restore_msi_msg(struct pci_dev *pdev, void *arg) ++{ ++ struct msi_desc *entry; ++ struct irq_data *irq_data; ++ ++ for_each_pci_msi_entry(entry, pdev) { ++ irq_data = irq_get_irq_data(entry->irq); ++ if (WARN_ON_ONCE(!irq_data)) ++ return -EINVAL; ++ ++ hv_compose_msi_msg(irq_data, &entry->msg); ++ } ++ ++ return 0; ++} ++ ++/* ++ * Upon resume, pci_restore_msi_state() -> ... -> __pci_write_msi_msg() ++ * directly writes the MSI/MSI-X registers via MMIO, but since Hyper-V ++ * doesn't trap and emulate the MMIO accesses, here hv_compose_msi_msg() ++ * must be used to ask Hyper-V to re-create the IOMMU Interrupt Remapping ++ * Table entries. ++ */ ++static void hv_pci_restore_msi_state(struct hv_pcibus_device *hbus) ++{ ++ pci_walk_bus(hbus->pci_bus, hv_pci_restore_msi_msg, NULL); ++} ++ + static int hv_pci_resume(struct hv_device *hdev) + { + struct hv_pcibus_device *hbus = hv_get_drvdata(hdev); +@@ -3405,6 +3447,8 @@ static int hv_pci_resume(struct hv_device *hdev) + + prepopulate_bars(hbus); + ++ hv_pci_restore_msi_state(hbus); ++ + hbus->state = hv_pcibus_installed; + return 0; + out: +-- +2.25.1 + diff --git a/queue-5.9/pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch b/queue-5.9/pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch new file mode 100644 index 00000000000..f4a55bf398e --- /dev/null +++ b/queue-5.9/pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch @@ -0,0 +1,53 @@ +From b7475a5c0789961c8f3a5581609b43301912ea38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 10:59:55 -0400 +Subject: PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY + +From: Matthew Rosato + +[ Upstream commit 12856e7acde4702b7c3238c15fcba86ff6aa507f ] + +For VFs, the Memory Space Enable bit in the Command Register is +hard-wired to 0. + +Add a new bit to signify devices where the Command Register Memory +Space Enable bit does not control the device's response to MMIO +accesses. + +Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory") +Signed-off-by: Matthew Rosato +Acked-by: Bjorn Helgaas +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/pci/iov.c | 1 + + include/linux/pci.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c +index b37e08c4f9d1a..4afd4ee4f7f04 100644 +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -180,6 +180,7 @@ int pci_iov_add_virtfn(struct pci_dev *dev, int id) + virtfn->device = iov->vf_device; + virtfn->is_virtfn = 1; + virtfn->physfn = pci_dev_get(dev); ++ virtfn->no_command_memory = 1; + + if (id == 0) + pci_read_vf_config_common(virtfn); +diff --git a/include/linux/pci.h b/include/linux/pci.h +index 835530605c0d7..3ff723124ca7f 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -445,6 +445,7 @@ struct pci_dev { + unsigned int is_probed:1; /* Device probing in progress */ + unsigned int link_active_reporting:1;/* Device capable of reporting link active */ + unsigned int no_vf_scan:1; /* Don't scan for VFs after IOV enablement */ ++ unsigned int no_command_memory:1; /* No PCI_COMMAND_MEMORY */ + pci_dev_flags_t dev_flags; + atomic_t enable_cnt; /* pci_enable_device has been called */ + +-- +2.25.1 + diff --git a/queue-5.9/pci-iproc-set-affinity-mask-on-msi-interrupts.patch b/queue-5.9/pci-iproc-set-affinity-mask-on-msi-interrupts.patch new file mode 100644 index 00000000000..b79ac02d169 --- /dev/null +++ b/queue-5.9/pci-iproc-set-affinity-mask-on-msi-interrupts.patch @@ -0,0 +1,55 @@ +From 25f6d1c1cd36a77486ac4f3d736ba8d6906a0242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 15:52:40 +1200 +Subject: PCI: iproc: Set affinity mask on MSI interrupts + +From: Mark Tomlinson + +[ Upstream commit eb7eacaa5b9e4f665bd08d416c8f88e63d2f123c ] + +The core interrupt code expects the irq_set_affinity call to update the +effective affinity for the interrupt. This was not being done, so update +iproc_msi_irq_set_affinity() to do so. + +Link: https://lore.kernel.org/r/20200803035241.7737-1-mark.tomlinson@alliedtelesis.co.nz +Fixes: 3bc2b2348835 ("PCI: iproc: Add iProc PCIe MSI support") +Signed-off-by: Mark Tomlinson +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Ray Jui +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-iproc-msi.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pcie-iproc-msi.c b/drivers/pci/controller/pcie-iproc-msi.c +index 3176ad3ab0e52..908475d27e0e7 100644 +--- a/drivers/pci/controller/pcie-iproc-msi.c ++++ b/drivers/pci/controller/pcie-iproc-msi.c +@@ -209,15 +209,20 @@ static int iproc_msi_irq_set_affinity(struct irq_data *data, + struct iproc_msi *msi = irq_data_get_irq_chip_data(data); + int target_cpu = cpumask_first(mask); + int curr_cpu; ++ int ret; + + curr_cpu = hwirq_to_cpu(msi, data->hwirq); + if (curr_cpu == target_cpu) +- return IRQ_SET_MASK_OK_DONE; ++ ret = IRQ_SET_MASK_OK_DONE; ++ else { ++ /* steer MSI to the target CPU */ ++ data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu; ++ ret = IRQ_SET_MASK_OK; ++ } + +- /* steer MSI to the target CPU */ +- data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu; ++ irq_data_update_effective_affinity(data, cpumask_of(target_cpu)); + +- return IRQ_SET_MASK_OK; ++ return ret; + } + + static void iproc_msi_irq_compose_msi_msg(struct irq_data *data, +-- +2.25.1 + diff --git a/queue-5.9/perf-core-fix-race-in-the-perf_mmap_close-function.patch b/queue-5.9/perf-core-fix-race-in-the-perf_mmap_close-function.patch new file mode 100644 index 00000000000..ccc1b162978 --- /dev/null +++ b/queue-5.9/perf-core-fix-race-in-the-perf_mmap_close-function.patch @@ -0,0 +1,103 @@ +From c774f0ef40892f1dd40a23f1d58fad019e8af35b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:53:11 +0200 +Subject: perf/core: Fix race in the perf_mmap_close() function + +From: Jiri Olsa + +[ Upstream commit f91072ed1b7283b13ca57fcfbece5a3b92726143 ] + +There's a possible race in perf_mmap_close() when checking ring buffer's +mmap_count refcount value. The problem is that the mmap_count check is +not atomic because we call atomic_dec() and atomic_read() separately. + + perf_mmap_close: + ... + atomic_dec(&rb->mmap_count); + ... + if (atomic_read(&rb->mmap_count)) + goto out_put; + + + free_uid + +out_put: + ring_buffer_put(rb); /* could be last */ + +The race can happen when we have two (or more) events sharing same ring +buffer and they go through atomic_dec() and then they both see 0 as refcount +value later in atomic_read(). Then both will go on and execute code which +is meant to be run just once. + +The code that detaches ring buffer is probably fine to be executed more +than once, but the problem is in calling free_uid(), which will later on +demonstrate in related crashes and refcount warnings, like: + + refcount_t: addition on 0; use-after-free. + ... + RIP: 0010:refcount_warn_saturate+0x6d/0xf + ... + Call Trace: + prepare_creds+0x190/0x1e0 + copy_creds+0x35/0x172 + copy_process+0x471/0x1a80 + _do_fork+0x83/0x3a0 + __do_sys_wait4+0x83/0x90 + __do_sys_clone+0x85/0xa0 + do_syscall_64+0x5b/0x1e0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Using atomic decrease and check instead of separated calls. + +Tested-by: Michael Petlan +Signed-off-by: Jiri Olsa +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Acked-by: Namhyung Kim +Acked-by: Wade Mealing +Fixes: 9bb5d40cd93c ("perf: Fix mmap() accounting hole"); +Link: https://lore.kernel.org/r/20200916115311.GE2301783@krava +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index e8bf92202542b..6a1ae6a62d489 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5869,11 +5869,11 @@ static void perf_pmu_output_stop(struct perf_event *event); + static void perf_mmap_close(struct vm_area_struct *vma) + { + struct perf_event *event = vma->vm_file->private_data; +- + struct perf_buffer *rb = ring_buffer_get(event); + struct user_struct *mmap_user = rb->mmap_user; + int mmap_locked = rb->mmap_locked; + unsigned long size = perf_data_size(rb); ++ bool detach_rest = false; + + if (event->pmu->event_unmapped) + event->pmu->event_unmapped(event, vma->vm_mm); +@@ -5904,7 +5904,8 @@ static void perf_mmap_close(struct vm_area_struct *vma) + mutex_unlock(&event->mmap_mutex); + } + +- atomic_dec(&rb->mmap_count); ++ if (atomic_dec_and_test(&rb->mmap_count)) ++ detach_rest = true; + + if (!atomic_dec_and_mutex_lock(&event->mmap_count, &event->mmap_mutex)) + goto out_put; +@@ -5913,7 +5914,7 @@ static void perf_mmap_close(struct vm_area_struct *vma) + mutex_unlock(&event->mmap_mutex); + + /* If there's still other mmap()s of this buffer, we're done. */ +- if (atomic_read(&rb->mmap_count)) ++ if (!detach_rest) + goto out_put; + + /* +-- +2.25.1 + diff --git a/queue-5.9/perf-correct-snoopx-field-offset.patch b/queue-5.9/perf-correct-snoopx-field-offset.patch new file mode 100644 index 00000000000..d19e09786f2 --- /dev/null +++ b/queue-5.9/perf-correct-snoopx-field-offset.patch @@ -0,0 +1,40 @@ +From ffc035f256c9bd77113598165ea5b82333095e5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 21:46:37 +0100 +Subject: perf: correct SNOOPX field offset + +From: Al Grant + +[ Upstream commit f3d301c1f2f5676465cdf3259737ea19cc82731f ] + +perf_event.h has macros that define the field offsets in the +data_src bitmask in perf records. The SNOOPX and REMOTE offsets +were both 37. These are distinct fields, and the bitfield layout +in perf_mem_data_src confirms that SNOOPX should be at offset 38. + +Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings") +Signed-off-by: Al Grant +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Andi Kleen +Link: https://lkml.kernel.org/r/4ac9f5cc-4388-b34a-9999-418a4099415d@foss.arm.com +Signed-off-by: Sasha Levin +--- + include/uapi/linux/perf_event.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/perf_event.h b/include/uapi/linux/perf_event.h +index 077e7ee69e3d8..b95d3c485d27e 100644 +--- a/include/uapi/linux/perf_event.h ++++ b/include/uapi/linux/perf_event.h +@@ -1196,7 +1196,7 @@ union perf_mem_data_src { + + #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */ + /* 1 free */ +-#define PERF_MEM_SNOOPX_SHIFT 37 ++#define PERF_MEM_SNOOPX_SHIFT 38 + + /* locked instruction */ + #define PERF_MEM_LOCK_NA 0x01 /* not available */ +-- +2.25.1 + diff --git a/queue-5.9/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch b/queue-5.9/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch new file mode 100644 index 00000000000..4f250bbbc5b --- /dev/null +++ b/queue-5.9/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch @@ -0,0 +1,152 @@ +From 03adb2d8ada5c5138282c0eb5a7b63311eed0a1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 11:49:23 +0300 +Subject: perf intel-pt: Fix "context_switch event has no tid" error + +From: Adrian Hunter + +[ Upstream commit 7d537a8d2e76bc4fc71e34545ceaa463ac2cd928 ] + +A context_switch event can have no tid because pids can be detached from +a task while the task is still running (in do_exit()). Note this won't +happen with per-task contexts because then tracing stops at +perf_event_exit_task() + +If a task with no tid gets preempted, or a dying task gets preempted and +its parent releases it, when it subsequently gets switched back in, +Intel PT will not be able to determine what task is running and prints +an error "context_switch event has no tid". However, it is not really an +error because the task is in kernel space and the decoder can continue +to decode successfully. Fix by changing the error to be only a logged +message, and make allowance for tid == -1. + +Example: + + Using 5.9-rc4 with Preemptible Kernel (Low-Latency Desktop) e.g. + $ uname -r + 5.9.0-rc4 + $ grep PREEMPT .config + # CONFIG_PREEMPT_NONE is not set + # CONFIG_PREEMPT_VOLUNTARY is not set + CONFIG_PREEMPT=y + CONFIG_PREEMPT_COUNT=y + CONFIG_PREEMPTION=y + CONFIG_PREEMPT_RCU=y + CONFIG_PREEMPT_NOTIFIERS=y + CONFIG_DRM_I915_PREEMPT_TIMEOUT=640 + CONFIG_DEBUG_PREEMPT=y + # CONFIG_PREEMPT_TRACER is not set + # CONFIG_PREEMPTIRQ_DELAY_TEST is not set + +Before: + + $ cat forkit.c + + #include + #include + #include + + int main() + { + pid_t child; + int status = 0; + + child = fork(); + if (child == 0) + return 123; + wait(&status); + return 0; + } + + $ gcc -o forkit forkit.c + $ sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k & + [1] 11016 + $ taskset 2 ./forkit + $ sudo pkill perf + $ [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 17.262 MB perf.data ] + + [1]+ Terminated sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k + $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit + context_switch event has no tid + taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) + taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 + forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) + forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 + forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) + forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) + forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 + forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 + forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) + forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) + +After: + + $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit + taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) + taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 + forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) + forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 + forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) + forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) + forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 + forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 + forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) + forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) + forkit 11019 [001] 66663.271688752: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: -1/-1 + :-1 -1 [001] 66663.271692086: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + :-1 -1 [001] 66663.271707466: 1 instructions:k: ffffffffb18eb096 update_load_avg+0x306 ([kernel.kallsyms]) + +Fixes: 86c2786994bd7c ("perf intel-pt: Add support for PERF_RECORD_SWITCH") +Signed-off-by: Adrian Hunter +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Yu-cheng Yu +Link: http://lore.kernel.org/lkml/20200909084923.9096-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index 0af4e81c46e2b..3a0348caec7d6 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -1101,6 +1101,8 @@ static void intel_pt_set_pid_tid_cpu(struct intel_pt *pt, + + if (queue->tid == -1 || pt->have_sched_switch) { + ptq->tid = machine__get_current_tid(pt->machine, ptq->cpu); ++ if (ptq->tid == -1) ++ ptq->pid = -1; + thread__zput(ptq->thread); + } + +@@ -2603,10 +2605,8 @@ static int intel_pt_context_switch(struct intel_pt *pt, union perf_event *event, + tid = sample->tid; + } + +- if (tid == -1) { +- pr_err("context_switch event has no tid\n"); +- return -EINVAL; +- } ++ if (tid == -1) ++ intel_pt_log("context_switch event has no tid\n"); + + ret = intel_pt_sync_switch(pt, cpu, tid, sample->time); + if (ret <= 0) +-- +2.25.1 + diff --git a/queue-5.9/perf-metricgroup-fix-uncore-metric-expressions.patch b/queue-5.9/perf-metricgroup-fix-uncore-metric-expressions.patch new file mode 100644 index 00000000000..a57194c55c9 --- /dev/null +++ b/queue-5.9/perf-metricgroup-fix-uncore-metric-expressions.patch @@ -0,0 +1,195 @@ +From 1d4132baf0c5936499c988eb4bb80ba127f757ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 13:18:07 -0700 +Subject: perf metricgroup: Fix uncore metric expressions + +From: Ian Rogers + +[ Upstream commit dcc81be0fc4e66943041e6e19a5faf8f8704a27e ] + +A metric like DRAM_BW_Use has on SkylakeX events uncore_imc/cas_count_read/ +and uncore_imc/case_count_write/. + +These events open 6 events per socket with pmu names of +uncore_imc_[0-5]. + +The current metric setup code in find_evsel_group assumes one ID will +map to 1 event to be recorded in metric_events. + +For events with multiple matches, the first event is recorded in +metric_events (avoiding matching >1 event with the same name) and the +evlist_used updated so that duplicate events aren't removed when the +evlist has unused events removed. + +Before this change: + + $ /tmp/perf/perf stat -M DRAM_BW_Use -a -- sleep 1 + + Performance counter stats for 'system wide': + + 41.14 MiB uncore_imc/cas_count_read/ + 1,002,614,251 ns duration_time + + 1.002614251 seconds time elapsed + +After this change: + + $ /tmp/perf/perf stat -M DRAM_BW_Use -a -- sleep 1 + + Performance counter stats for 'system wide': + + 157.47 MiB uncore_imc/cas_count_read/ # 0.00 DRAM_BW_Use + 126.97 MiB uncore_imc/cas_count_write/ + 1,003,019,728 ns duration_time + +Erroneous duplication introduced in: +commit 2440689d62e9 ("perf metricgroup: Remove duped metric group events"). + +Fixes: ded80bda8bc9 ("perf expr: Migrate expr ids table to a hashmap"). +Reported-by: Jin Yao +Signed-off-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexei Starovoitov +Cc: Andi Kleen +Cc: Andrii Nakryiko +Cc: Athira Jajeev +Cc: Daniel Borkmann +Cc: Jiri Olsa +Cc: John Fastabend +Cc: KP Singh +Cc: Mark Rutland +Cc: Martin KaFai Lau +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Cc: Yonghong Song +Cc: bpf@vger.kernel.org +Cc: netdev@vger.kernel.org +Link: http://lore.kernel.org/lkml/20200917201807.4090224-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/metricgroup.c | 75 ++++++++++++++++++++++++++--------- + 1 file changed, 56 insertions(+), 19 deletions(-) + +diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c +index ab5030fcfed4e..d948a7f910cfa 100644 +--- a/tools/perf/util/metricgroup.c ++++ b/tools/perf/util/metricgroup.c +@@ -150,6 +150,18 @@ static void expr_ids__exit(struct expr_ids *ids) + free(ids->id[i].id); + } + ++static bool contains_event(struct evsel **metric_events, int num_events, ++ const char *event_name) ++{ ++ int i; ++ ++ for (i = 0; i < num_events; i++) { ++ if (!strcmp(metric_events[i]->name, event_name)) ++ return true; ++ } ++ return false; ++} ++ + /** + * Find a group of events in perf_evlist that correpond to those from a parsed + * metric expression. Note, as find_evsel_group is called in the same order as +@@ -180,7 +192,11 @@ static struct evsel *find_evsel_group(struct evlist *perf_evlist, + int i = 0, matched_events = 0, events_to_match; + const int idnum = (int)hashmap__size(&pctx->ids); + +- /* duration_time is grouped separately. */ ++ /* ++ * duration_time is always grouped separately, when events are grouped ++ * (ie has_constraint is false) then ignore it in the matching loop and ++ * add it to metric_events at the end. ++ */ + if (!has_constraint && + hashmap__find(&pctx->ids, "duration_time", (void **)&val_ptr)) + events_to_match = idnum - 1; +@@ -207,23 +223,20 @@ static struct evsel *find_evsel_group(struct evlist *perf_evlist, + sizeof(struct evsel *) * idnum); + current_leader = ev->leader; + } +- if (hashmap__find(&pctx->ids, ev->name, (void **)&val_ptr)) { +- if (has_constraint) { +- /* +- * Events aren't grouped, ensure the same event +- * isn't matched from two groups. +- */ +- for (i = 0; i < matched_events; i++) { +- if (!strcmp(ev->name, +- metric_events[i]->name)) { +- break; +- } +- } +- if (i != matched_events) +- continue; +- } ++ /* ++ * Check for duplicate events with the same name. For example, ++ * uncore_imc/cas_count_read/ will turn into 6 events per socket ++ * on skylakex. Only the first such event is placed in ++ * metric_events. If events aren't grouped then this also ++ * ensures that the same event in different sibling groups ++ * aren't both added to metric_events. ++ */ ++ if (contains_event(metric_events, matched_events, ev->name)) ++ continue; ++ /* Does this event belong to the parse context? */ ++ if (hashmap__find(&pctx->ids, ev->name, (void **)&val_ptr)) + metric_events[matched_events++] = ev; +- } ++ + if (matched_events == events_to_match) + break; + } +@@ -239,7 +252,7 @@ static struct evsel *find_evsel_group(struct evlist *perf_evlist, + } + + if (matched_events != idnum) { +- /* Not whole match */ ++ /* Not a whole match */ + return NULL; + } + +@@ -247,8 +260,32 @@ static struct evsel *find_evsel_group(struct evlist *perf_evlist, + + for (i = 0; i < idnum; i++) { + ev = metric_events[i]; +- ev->metric_leader = ev; ++ /* Don't free the used events. */ + set_bit(ev->idx, evlist_used); ++ /* ++ * The metric leader points to the identically named event in ++ * metric_events. ++ */ ++ ev->metric_leader = ev; ++ /* ++ * Mark two events with identical names in the same group (or ++ * globally) as being in use as uncore events may be duplicated ++ * for each pmu. Set the metric leader of such events to be the ++ * event that appears in metric_events. ++ */ ++ evlist__for_each_entry_continue(perf_evlist, ev) { ++ /* ++ * If events are grouped then the search can terminate ++ * when then group is left. ++ */ ++ if (!has_constraint && ++ ev->leader != metric_events[i]->leader) ++ break; ++ if (!strcmp(metric_events[i]->name, ev->name)) { ++ set_bit(ev->idx, evlist_used); ++ ev->metric_leader = metric_events[i]; ++ } ++ } + } + + return metric_events[0]; +-- +2.25.1 + diff --git a/queue-5.9/perf-stat-fix-out-of-bounds-cpu-map-access-when-hand.patch b/queue-5.9/perf-stat-fix-out-of-bounds-cpu-map-access-when-hand.patch new file mode 100644 index 00000000000..f3ece6d96a8 --- /dev/null +++ b/queue-5.9/perf-stat-fix-out-of-bounds-cpu-map-access-when-hand.patch @@ -0,0 +1,70 @@ +From 231c23904b9da4b6fa6fc4470e13c09361091208 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 17:13:11 +0900 +Subject: perf stat: Fix out of bounds CPU map access when handling armv8_pmu + events + +From: Namhyung Kim + +[ Upstream commit bef69bd7cfc363ab94b84ea29102f3e913ed3c6c ] + +It was reported that 'perf stat' crashed when using with armv8_pmu (CPU) +events with the task mode. As 'perf stat' uses an empty cpu map for +task mode but armv8_pmu has its own cpu mask, it has confused which map +it should use when accessing file descriptors and this causes segfaults: + + (gdb) bt + #0 0x0000000000603fc8 in perf_evsel__close_fd_cpu (evsel=, + cpu=) at evsel.c:122 + #1 perf_evsel__close_cpu (evsel=evsel@entry=0x716e950, cpu=7) at evsel.c:156 + #2 0x00000000004d4718 in evlist__close (evlist=0x70a7cb0) at util/evlist.c:1242 + #3 0x0000000000453404 in __run_perf_stat (argc=3, argc@entry=1, argv=0x30, + argv@entry=0xfffffaea2f90, run_idx=119, run_idx@entry=1701998435) + at builtin-stat.c:929 + #4 0x0000000000455058 in run_perf_stat (run_idx=1701998435, argv=0xfffffaea2f90, + argc=1) at builtin-stat.c:947 + #5 cmd_stat (argc=1, argv=0xfffffaea2f90) at builtin-stat.c:2357 + #6 0x00000000004bb888 in run_builtin (p=p@entry=0x9764b8 , + argc=argc@entry=4, argv=argv@entry=0xfffffaea2f90) at perf.c:312 + #7 0x00000000004bbb54 in handle_internal_command (argc=argc@entry=4, + argv=argv@entry=0xfffffaea2f90) at perf.c:364 + #8 0x0000000000435378 in run_argv (argcp=, + argv=) at perf.c:408 + #9 main (argc=4, argv=0xfffffaea2f90) at perf.c:538 + +To fix this, I simply used the given cpu map unless the evsel actually +is not a system-wide event (like uncore events). + +Fixes: 7736627b865d ("perf stat: Use affinity for closing file descriptors") +Reported-by: Wei Li +Signed-off-by: Namhyung Kim +Tested-by: Barry Song +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20201007081311.1831003-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/perf/evlist.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/lib/perf/evlist.c b/tools/lib/perf/evlist.c +index 2208444ecb448..cfcdbd7be066e 100644 +--- a/tools/lib/perf/evlist.c ++++ b/tools/lib/perf/evlist.c +@@ -45,6 +45,9 @@ static void __perf_evlist__propagate_maps(struct perf_evlist *evlist, + if (!evsel->own_cpus || evlist->has_user_cpus) { + perf_cpu_map__put(evsel->cpus); + evsel->cpus = perf_cpu_map__get(evlist->cpus); ++ } else if (!evsel->system_wide && perf_cpu_map__empty(evlist->cpus)) { ++ perf_cpu_map__put(evsel->cpus); ++ evsel->cpus = perf_cpu_map__get(evlist->cpus); + } else if (evsel->cpus != evsel->own_cpus) { + perf_cpu_map__put(evsel->cpus); + evsel->cpus = perf_cpu_map__get(evsel->own_cpus); +-- +2.25.1 + diff --git a/queue-5.9/perf-stat-skip-duration_time-in-setup_system_wide.patch b/queue-5.9/perf-stat-skip-duration_time-in-setup_system_wide.patch new file mode 100644 index 00000000000..08977553b14 --- /dev/null +++ b/queue-5.9/perf-stat-skip-duration_time-in-setup_system_wide.patch @@ -0,0 +1,75 @@ +From 507cd8cb8a60a435aa8371fc21c12156f707543e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 09:50:04 +0800 +Subject: perf stat: Skip duration_time in setup_system_wide + +From: Jin Yao + +[ Upstream commit 002a3d690f95804bdef6b70b26154103518e13d9 ] + +Some metrics (such as DRAM_BW_Use) consists of uncore events and +duration_time. For uncore events, counter->core.system_wide is true. But +for duration_time, counter->core.system_wide is false so +target.system_wide is set to false. + +Then 'enable_on_exec' is set in perf_event_attr of uncore event. Kernel +will return error when trying to open the uncore event. + +This patch skips the duration_time in setup_system_wide then +target.system_wide will be set to true for the evlist of uncore events + +duration_time. + +Before (tested on skylake desktop): + + # perf stat -M DRAM_BW_Use -- sleep 1 + Error: + The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (arb/event=0x84,umask=0x1/). + /bin/dmesg | grep -i perf may provide additional information. + +After: + + # perf stat -M DRAM_BW_Use -- sleep 1 + + Performance counter stats for 'system wide': + + 169 arb/event=0x84,umask=0x1/ # 0.00 DRAM_BW_Use + 40,427 arb/event=0x81,umask=0x1/ + 1,000,902,197 ns duration_time + + 1.000902197 seconds time elapsed + +Fixes: e3ba76deef23064f ("perf tools: Force uncore events to system wide monitoring") +Signed-off-by: Jin Yao +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20200922015004.30114-1-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-stat.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c +index fddc97cac9841..eef64b1411a4a 100644 +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -2063,8 +2063,10 @@ static void setup_system_wide(int forks) + struct evsel *counter; + + evlist__for_each_entry(evsel_list, counter) { +- if (!counter->core.system_wide) ++ if (!counter->core.system_wide && ++ strcmp(counter->name, "duration_time")) { + return; ++ } + } + + if (evsel_list->core.nr_entries) +-- +2.25.1 + diff --git a/queue-5.9/perf-tools-make-gtk2-support-opt-in.patch b/queue-5.9/perf-tools-make-gtk2-support-opt-in.patch new file mode 100644 index 00000000000..f1da697c1da --- /dev/null +++ b/queue-5.9/perf-tools-make-gtk2-support-opt-in.patch @@ -0,0 +1,169 @@ +From a052e274516d611726f8ee799e6da32e74481a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 17:11:59 -0300 +Subject: perf tools: Make GTK2 support opt-in + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 4751bddd3f983af2004ec470ca38b42d7a8a53bc ] + +This is bitrotting, nobody is stepping up to work on it, and since we +treat warnings as errors, feature detection is failing in its main, +faster test (tools/build/feature/test-all.c) because of the GTK+2 +infobar check. + +So make this opt-in, at some point ditch this if nobody volunteers to +take care of this. + +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/build/Makefile.feature | 5 ++--- + tools/build/feature/Makefile | 2 +- + tools/build/feature/test-all.c | 10 ---------- + tools/perf/Makefile.config | 4 +++- + tools/perf/Makefile.perf | 6 +++--- + tools/perf/builtin-version.c | 1 - + 6 files changed, 9 insertions(+), 19 deletions(-) + +diff --git a/tools/build/Makefile.feature b/tools/build/Makefile.feature +index c1daf4d57518c..3b218fd068b0e 100644 +--- a/tools/build/Makefile.feature ++++ b/tools/build/Makefile.feature +@@ -38,8 +38,6 @@ FEATURE_TESTS_BASIC := \ + get_current_dir_name \ + gettid \ + glibc \ +- gtk2 \ +- gtk2-infobar \ + libbfd \ + libcap \ + libelf \ +@@ -81,6 +79,8 @@ FEATURE_TESTS_EXTRA := \ + compile-32 \ + compile-x32 \ + cplus-demangle \ ++ gtk2 \ ++ gtk2-infobar \ + hello \ + libbabeltrace \ + libbfd-liberty \ +@@ -111,7 +111,6 @@ FEATURE_DISPLAY ?= \ + dwarf \ + dwarf_getlocations \ + glibc \ +- gtk2 \ + libbfd \ + libcap \ + libelf \ +diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile +index d220fe9527470..9ee2bcb8d560a 100644 +--- a/tools/build/feature/Makefile ++++ b/tools/build/feature/Makefile +@@ -90,7 +90,7 @@ __BUILDXX = $(CXX) $(CXXFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.cpp,$( + ############################### + + $(OUTPUT)test-all.bin: +- $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -I/usr/include/slang -lslang $(shell $(PKG_CONFIG) --libs --cflags gtk+-2.0 2>/dev/null) $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma ++ $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -I/usr/include/slang -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma + + $(OUTPUT)test-hello.bin: + $(BUILD) +diff --git a/tools/build/feature/test-all.c b/tools/build/feature/test-all.c +index 5479e543b1947..d2623992ccd61 100644 +--- a/tools/build/feature/test-all.c ++++ b/tools/build/feature/test-all.c +@@ -78,14 +78,6 @@ + # include "test-libslang.c" + #undef main + +-#define main main_test_gtk2 +-# include "test-gtk2.c" +-#undef main +- +-#define main main_test_gtk2_infobar +-# include "test-gtk2-infobar.c" +-#undef main +- + #define main main_test_libbfd + # include "test-libbfd.c" + #undef main +@@ -205,8 +197,6 @@ int main(int argc, char *argv[]) + main_test_libelf_getshdrstrndx(); + main_test_libunwind(); + main_test_libslang(); +- main_test_gtk2(argc, argv); +- main_test_gtk2_infobar(argc, argv); + main_test_libbfd(); + main_test_backtrace(); + main_test_libnuma(); +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index 190be4fa5c218..2d6690b308564 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -724,12 +724,14 @@ ifndef NO_SLANG + endif + endif + +-ifndef NO_GTK2 ++ifdef GTK2 + FLAGS_GTK2=$(CFLAGS) $(LDFLAGS) $(EXTLIBS) $(shell $(PKG_CONFIG) --libs --cflags gtk+-2.0 2>/dev/null) ++ $(call feature_check,gtk2) + ifneq ($(feature-gtk2), 1) + msg := $(warning GTK2 not found, disables GTK2 support. Please install gtk2-devel or libgtk2.0-dev); + NO_GTK2 := 1 + else ++ $(call feature_check,gtk2-infobar) + ifeq ($(feature-gtk2-infobar), 1) + GTK_CFLAGS := -DHAVE_GTK_INFO_BAR_SUPPORT + endif +diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf +index 6031167939ae6..515e6ed635f1a 100644 +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -48,7 +48,7 @@ include ../scripts/utilities.mak + # + # Define NO_SLANG if you do not want TUI support. + # +-# Define NO_GTK2 if you do not want GTK+ GUI support. ++# Define GTK2 if you want GTK+ GUI support. + # + # Define NO_DEMANGLE if you do not want C++ symbol demangling. + # +@@ -386,7 +386,7 @@ ifneq ($(OUTPUT),) + CFLAGS += -I$(OUTPUT) + endif + +-ifndef NO_GTK2 ++ifdef GTK2 + ALL_PROGRAMS += $(OUTPUT)libperf-gtk.so + GTK_IN := $(OUTPUT)gtk-in.o + endif +@@ -886,7 +886,7 @@ check: $(OUTPUT)common-cmds.h + + ### Installation rules + +-ifndef NO_GTK2 ++ifdef GTK2 + install-gtk: $(OUTPUT)libperf-gtk.so + $(call QUIET_INSTALL, 'GTK UI') \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(libdir_SQ)'; \ +diff --git a/tools/perf/builtin-version.c b/tools/perf/builtin-version.c +index 05cf2af9e2c27..d09ec2f030719 100644 +--- a/tools/perf/builtin-version.c ++++ b/tools/perf/builtin-version.c +@@ -60,7 +60,6 @@ static void library_status(void) + STATUS(HAVE_DWARF_SUPPORT, dwarf); + STATUS(HAVE_DWARF_GETLOCATIONS_SUPPORT, dwarf_getlocations); + STATUS(HAVE_GLIBC_SUPPORT, glibc); +- STATUS(HAVE_GTK2_SUPPORT, gtk2); + #ifndef HAVE_SYSCALL_TABLE_SUPPORT + STATUS(HAVE_LIBAUDIT_SUPPORT, libaudit); + #endif +-- +2.25.1 + diff --git a/queue-5.9/perf-trace-fix-off-by-ones-in-memset-after-realloc-i.patch b/queue-5.9/perf-trace-fix-off-by-ones-in-memset-after-realloc-i.patch new file mode 100644 index 00000000000..f751ffbb217 --- /dev/null +++ b/queue-5.9/perf-trace-fix-off-by-ones-in-memset-after-realloc-i.patch @@ -0,0 +1,70 @@ +From 3bf720bb6484772b9c042feabc518ba479134e43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 11:34:19 +0200 +Subject: perf trace: Fix off by ones in memset() after realloc() in arches + using libaudit + +From: Jiri Slaby + +[ Upstream commit f3013f7ed465479e60c1ab1921a5718fc541cc3b ] + +'perf trace ls' started crashing after commit d21cb73a9025 on +!HAVE_SYSCALL_TABLE_SUPPORT configs (armv7l here) like this: + + 0 strlen () at ../sysdeps/arm/armv6t2/strlen.S:126 + 1 0xb6800780 in __vfprintf_internal (s=0xbeff9908, s@entry=0xbeff9900, format=0xa27160 "]: %s()", ap=..., mode_flags=) at vfprintf-internal.c:1688 + ... + 5 0x0056ecdc in fprintf (__fmt=0xa27160 "]: %s()", __stream=) at /usr/include/bits/stdio2.h:100 + 6 trace__sys_exit (trace=trace@entry=0xbeffc710, evsel=evsel@entry=0xd968d0, event=, sample=sample@entry=0xbeffc3e8) at builtin-trace.c:2475 + 7 0x00566d40 in trace__handle_event (sample=0xbeffc3e8, event=, trace=0xbeffc710) at builtin-trace.c:3122 + ... + 15 main (argc=2, argv=0xbefff6e8) at perf.c:538 + +It is because memset in trace__read_syscall_info zeroes wrong memory: + +1) when initializing for the first time, it does not reset the last id. + +2) in other cases, it resets the last id of previous buffer. + +ad 1) it causes the crash above as sc->name used in the fprintf above + contains garbage. + +ad 2) it sets nonexistent from true back to false for id 11 here. Not + sure, what the consequences are. + +So fix it by introducing a special case for the initial initialization +and do the right +1 in both cases. + +Fixes: d21cb73a9025 ("perf trace: Grow the syscall table as needed when using libaudit") +Signed-off-by: Jiri Slaby +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20201001093419.15761-1-jslaby@suse.cz +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index bea461b6f937b..44a75f234db17 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1762,7 +1762,11 @@ static int trace__read_syscall_info(struct trace *trace, int id) + if (table == NULL) + return -ENOMEM; + +- memset(table + trace->sctbl->syscalls.max_id, 0, (id - trace->sctbl->syscalls.max_id) * sizeof(*sc)); ++ // Need to memset from offset 0 and +1 members if brand new ++ if (trace->syscalls.table == NULL) ++ memset(table, 0, (id + 1) * sizeof(*sc)); ++ else ++ memset(table + trace->sctbl->syscalls.max_id + 1, 0, (id - trace->sctbl->syscalls.max_id) * sizeof(*sc)); + + trace->syscalls.table = table; + trace->sctbl->syscalls.max_id = id; +-- +2.25.1 + diff --git a/queue-5.9/perf-x86-fix-n_pair-for-cancelled-txn.patch b/queue-5.9/perf-x86-fix-n_pair-for-cancelled-txn.patch new file mode 100644 index 00000000000..f0108797bb6 --- /dev/null +++ b/queue-5.9/perf-x86-fix-n_pair-for-cancelled-txn.patch @@ -0,0 +1,81 @@ +From 02a6d2f07c61e9fc7b999b18fb518c090723709e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 23:28:52 -0400 +Subject: perf/x86: Fix n_pair for cancelled txn + +[ Upstream commit 871a93b0aad65a7f44ee25f2d17932ef6d559850 ] + +Kan reported that n_metric gets corrupted for cancelled transactions; +a similar issue exists for n_pair for AMD's Large Increment thing. + +The problem was confirmed and confirmed fixed by Kim using: + + sudo perf stat -e "{cycles,cycles,cycles,cycles}:D" -a sleep 10 & + + # should succeed: + sudo perf stat -e "{fp_ret_sse_avx_ops.all}:D" -a workload + + # should fail: + sudo perf stat -e "{fp_ret_sse_avx_ops.all,fp_ret_sse_avx_ops.all,cycles}:D" -a workload + + # previously failed, now succeeds with this patch: + sudo perf stat -e "{fp_ret_sse_avx_ops.all}:D" -a workload + +Fixes: 5738891229a2 ("perf/x86/amd: Add support for Large Increment per Cycle Events") +Reported-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Kim Phillips +Link: https://lkml.kernel.org/r/20201005082516.GG2628@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/events/core.c | 6 +++++- + arch/x86/events/perf_event.h | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c +index 1cbf57dc2ac89..11bbc6590f904 100644 +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -1087,8 +1087,10 @@ static int collect_events(struct cpu_hw_events *cpuc, struct perf_event *leader, + + cpuc->event_list[n] = event; + n++; +- if (is_counter_pair(&event->hw)) ++ if (is_counter_pair(&event->hw)) { + cpuc->n_pair++; ++ cpuc->n_txn_pair++; ++ } + } + return n; + } +@@ -1962,6 +1964,7 @@ static void x86_pmu_start_txn(struct pmu *pmu, unsigned int txn_flags) + + perf_pmu_disable(pmu); + __this_cpu_write(cpu_hw_events.n_txn, 0); ++ __this_cpu_write(cpu_hw_events.n_txn_pair, 0); + } + + /* +@@ -1987,6 +1990,7 @@ static void x86_pmu_cancel_txn(struct pmu *pmu) + */ + __this_cpu_sub(cpu_hw_events.n_added, __this_cpu_read(cpu_hw_events.n_txn)); + __this_cpu_sub(cpu_hw_events.n_events, __this_cpu_read(cpu_hw_events.n_txn)); ++ __this_cpu_sub(cpu_hw_events.n_pair, __this_cpu_read(cpu_hw_events.n_txn_pair)); + perf_pmu_enable(pmu); + } + +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h +index 7b68ab5f19e76..0e74235cdac9e 100644 +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -210,6 +210,7 @@ struct cpu_hw_events { + they've never been enabled yet */ + int n_txn; /* the # last events in the below arrays; + added in the current transaction */ ++ int n_txn_pair; + int assign[X86_PMC_IDX_MAX]; /* event to counter assignment */ + u64 tags[X86_PMC_IDX_MAX]; + +-- +2.25.1 + diff --git a/queue-5.9/perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch b/queue-5.9/perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch new file mode 100644 index 00000000000..2e79c17009e --- /dev/null +++ b/queue-5.9/perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch @@ -0,0 +1,161 @@ +From cfe0959110bddac99bdbc5c9573fef41e01ef9ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:06:49 -0700 +Subject: perf/x86/intel/ds: Fix x86_pmu_stop warning for large PEBS + +From: Kan Liang + +[ Upstream commit 35d1ce6bec133679ff16325d335217f108b84871 ] + +A warning as below may be triggered when sampling with large PEBS. + +[ 410.411250] perf: interrupt took too long (72145 > 71975), lowering +kernel.perf_event_max_sample_rate to 2000 +[ 410.724923] ------------[ cut here ]------------ +[ 410.729822] WARNING: CPU: 0 PID: 16397 at arch/x86/events/core.c:1422 +x86_pmu_stop+0x95/0xa0 +[ 410.933811] x86_pmu_del+0x50/0x150 +[ 410.937304] event_sched_out.isra.0+0xbc/0x210 +[ 410.941751] group_sched_out.part.0+0x53/0xd0 +[ 410.946111] ctx_sched_out+0x193/0x270 +[ 410.949862] __perf_event_task_sched_out+0x32c/0x890 +[ 410.954827] ? set_next_entity+0x98/0x2d0 +[ 410.958841] __schedule+0x592/0x9c0 +[ 410.962332] schedule+0x5f/0xd0 +[ 410.965477] exit_to_usermode_loop+0x73/0x120 +[ 410.969837] prepare_exit_to_usermode+0xcd/0xf0 +[ 410.974369] ret_from_intr+0x2a/0x3a +[ 410.977946] RIP: 0033:0x40123c +[ 411.079661] ---[ end trace bc83adaea7bb664a ]--- + +In the non-overflow context, e.g., context switch, with large PEBS, perf +may stop an event twice. An example is below. + + //max_samples_per_tick is adjusted to 2 + //NMI is triggered + intel_pmu_handle_irq() + handle_pmi_common() + drain_pebs() + __intel_pmu_pebs_event() + perf_event_overflow() + __perf_event_account_interrupt() + hwc->interrupts = 1 + return 0 + //A context switch happens right after the NMI. + //In the same tick, the perf_throttled_seq is not changed. + perf_event_task_sched_out() + perf_pmu_sched_task() + intel_pmu_drain_pebs_buffer() + __intel_pmu_pebs_event() + perf_event_overflow() + __perf_event_account_interrupt() + ++hwc->interrupts >= max_samples_per_tick + return 1 + x86_pmu_stop(); # First stop + perf_event_context_sched_out() + task_ctx_sched_out() + ctx_sched_out() + event_sched_out() + x86_pmu_del() + x86_pmu_stop(); # Second stop and trigger the warning + +Perf should only invoke the perf_event_overflow() in the overflow +context. + +Current drain_pebs() is called from: +- handle_pmi_common() -- overflow context +- intel_pmu_pebs_sched_task() -- non-overflow context +- intel_pmu_pebs_disable() -- non-overflow context +- intel_pmu_auto_reload_read() -- possible overflow context + With PERF_SAMPLE_READ + PERF_FORMAT_GROUP, the function may be + invoked in the NMI handler. But, before calling the function, the + PEBS buffer has already been drained. The __intel_pmu_pebs_event() + will not be called in the possible overflow context. + +To fix the issue, an indicator is required to distinguish between the +overflow context aka handle_pmi_common() and other cases. +The dummy regs pointer can be used as the indicator. + +In the non-overflow context, perf should treat the last record the same +as other PEBS records, and doesn't invoke the generic overflow handler. + +Fixes: 21509084f999 ("perf/x86/intel: Handle multiple records in the PEBS buffer") +Reported-by: Like Xu +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Like Xu +Link: https://lkml.kernel.org/r/20200902210649.2743-1-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/ds.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index 86848c57b55ed..404315df1e167 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -670,9 +670,7 @@ int intel_pmu_drain_bts_buffer(void) + + static inline void intel_pmu_drain_pebs_buffer(void) + { +- struct pt_regs regs; +- +- x86_pmu.drain_pebs(®s); ++ x86_pmu.drain_pebs(NULL); + } + + /* +@@ -1737,6 +1735,7 @@ static void __intel_pmu_pebs_event(struct perf_event *event, + struct x86_perf_regs perf_regs; + struct pt_regs *regs = &perf_regs.regs; + void *at = get_next_pebs_record_by_bit(base, top, bit); ++ struct pt_regs dummy_iregs; + + if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) { + /* +@@ -1749,6 +1748,9 @@ static void __intel_pmu_pebs_event(struct perf_event *event, + } else if (!intel_pmu_save_and_restart(event)) + return; + ++ if (!iregs) ++ iregs = &dummy_iregs; ++ + while (count > 1) { + setup_sample(event, iregs, at, &data, regs); + perf_event_output(event, &data, regs); +@@ -1758,16 +1760,22 @@ static void __intel_pmu_pebs_event(struct perf_event *event, + } + + setup_sample(event, iregs, at, &data, regs); +- +- /* +- * All but the last records are processed. +- * The last one is left to be able to call the overflow handler. +- */ +- if (perf_event_overflow(event, &data, regs)) { +- x86_pmu_stop(event, 0); +- return; ++ if (iregs == &dummy_iregs) { ++ /* ++ * The PEBS records may be drained in the non-overflow context, ++ * e.g., large PEBS + context switch. Perf should treat the ++ * last record the same as other PEBS records, and doesn't ++ * invoke the generic overflow handler. ++ */ ++ perf_event_output(event, &data, regs); ++ } else { ++ /* ++ * All but the last records are processed. ++ * The last one is left to be able to call the overflow handler. ++ */ ++ if (perf_event_overflow(event, &data, regs)) ++ x86_pmu_stop(event, 0); + } +- + } + + static void intel_pmu_drain_pebs_core(struct pt_regs *iregs) +-- +2.25.1 + diff --git a/queue-5.9/perf-x86-intel-uncore-fix-for-iio-mapping-on-skylake.patch b/queue-5.9/perf-x86-intel-uncore-fix-for-iio-mapping-on-skylake.patch new file mode 100644 index 00000000000..552dd5053fd --- /dev/null +++ b/queue-5.9/perf-x86-intel-uncore-fix-for-iio-mapping-on-skylake.patch @@ -0,0 +1,61 @@ +From 9cb4538098f6f3f73ccebea179d23dd24f102cdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 13:21:33 +0300 +Subject: perf/x86/intel/uncore: Fix for iio mapping on Skylake Server + +From: Alexander Antonov + +[ Upstream commit f797f05d917ffef94249ee0aec4c14a5b50517b2 ] + +Introduced early attributes /sys/devices/uncore_iio_/die* are +initialized by skx_iio_set_mapping(), however, for example, for multiple +segment platforms skx_iio_get_topology() returns -EPERM before a list of +attributes in skx_iio_mapping_group will have been initialized. +As a result the list is being NULL. Thus the warning +"sysfs: (bin_)attrs not set by subsystem for group: uncore_iio_*/" appears +and uncore_iio pmus are not available in sysfs. Clear IIO attr_update +to properly handle the cases when topology information cannot be +retrieved. + +Fixes: bb42b3d39781 ("perf/x86/intel/uncore: Expose an Uncore unit to IIO PMON mapping") +Reported-by: Kyle Meyer +Suggested-by: Kan Liang +Signed-off-by: Alexander Antonov +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Alexei Budankov +Reviewed-by: Kan Liang +Link: https://lkml.kernel.org/r/20200928102133.61041-1-alexander.antonov@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index 62e88ad919ffc..ccfa1d6b6aa0d 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -3749,7 +3749,9 @@ static int skx_iio_set_mapping(struct intel_uncore_type *type) + + ret = skx_iio_get_topology(type); + if (ret) +- return ret; ++ goto clear_attr_update; ++ ++ ret = -ENOMEM; + + /* One more for NULL. */ + attrs = kcalloc((uncore_max_dies() + 1), sizeof(*attrs), GFP_KERNEL); +@@ -3781,8 +3783,9 @@ static int skx_iio_set_mapping(struct intel_uncore_type *type) + kfree(eas); + kfree(attrs); + kfree(type->topology); ++clear_attr_update: + type->attr_update = NULL; +- return -ENOMEM; ++ return ret; + } + + static void skx_iio_cleanup_mapping(struct intel_uncore_type *type) +-- +2.25.1 + diff --git a/queue-5.9/perf-x86-intel-uncore-fix-the-scale-of-the-imc-free-.patch b/queue-5.9/perf-x86-intel-uncore-fix-the-scale-of-the-imc-free-.patch new file mode 100644 index 00000000000..a199ab02fbc --- /dev/null +++ b/queue-5.9/perf-x86-intel-uncore-fix-the-scale-of-the-imc-free-.patch @@ -0,0 +1,72 @@ +From 58dc1b41b65a8a973ae9f0148ff2e21058f25f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 06:32:40 -0700 +Subject: perf/x86/intel/uncore: Fix the scale of the IMC free-running events + +From: Kan Liang + +[ Upstream commit 8191016a026b8dfbb14dea64efc8e723ee99fe65 ] + +The "MiB" result of the IMC free-running bandwidth events, +uncore_imc_free_running/read/ and uncore_imc_free_running/write/ are 16 +times too small. + +The "MiB" value equals the raw IMC free-running bandwidth counter value +times a "scale" which is inaccurate. + +The IMC free-running bandwidth events should be incremented per 64B +cache line, not DWs (4 bytes). The "scale" should be 6.103515625e-5. +Fix the "scale" for both Snow Ridge and Ice Lake. + +Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support") +Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200928133240.12977-1-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index ccfa1d6b6aa0d..4f5e78a4003be 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -4754,10 +4754,10 @@ static struct uncore_event_desc snr_uncore_imc_freerunning_events[] = { + INTEL_UNCORE_EVENT_DESC(dclk, "event=0xff,umask=0x10"), + + INTEL_UNCORE_EVENT_DESC(read, "event=0xff,umask=0x20"), +- INTEL_UNCORE_EVENT_DESC(read.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(read.scale, "6.103515625e-5"), + INTEL_UNCORE_EVENT_DESC(read.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(write, "event=0xff,umask=0x21"), +- INTEL_UNCORE_EVENT_DESC(write.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(write.scale, "6.103515625e-5"), + INTEL_UNCORE_EVENT_DESC(write.unit, "MiB"), + { /* end: all zeroes */ }, + }; +@@ -5215,17 +5215,17 @@ static struct uncore_event_desc icx_uncore_imc_freerunning_events[] = { + INTEL_UNCORE_EVENT_DESC(dclk, "event=0xff,umask=0x10"), + + INTEL_UNCORE_EVENT_DESC(read, "event=0xff,umask=0x20"), +- INTEL_UNCORE_EVENT_DESC(read.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(read.scale, "6.103515625e-5"), + INTEL_UNCORE_EVENT_DESC(read.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(write, "event=0xff,umask=0x21"), +- INTEL_UNCORE_EVENT_DESC(write.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(write.scale, "6.103515625e-5"), + INTEL_UNCORE_EVENT_DESC(write.unit, "MiB"), + + INTEL_UNCORE_EVENT_DESC(ddrt_read, "event=0xff,umask=0x30"), +- INTEL_UNCORE_EVENT_DESC(ddrt_read.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(ddrt_read.scale, "6.103515625e-5"), + INTEL_UNCORE_EVENT_DESC(ddrt_read.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(ddrt_write, "event=0xff,umask=0x31"), +- INTEL_UNCORE_EVENT_DESC(ddrt_write.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(ddrt_write.scale, "6.103515625e-5"), + INTEL_UNCORE_EVENT_DESC(ddrt_write.unit, "MiB"), + { /* end: all zeroes */ }, + }; +-- +2.25.1 + diff --git a/queue-5.9/perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch b/queue-5.9/perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch new file mode 100644 index 00000000000..d817a45c6ba --- /dev/null +++ b/queue-5.9/perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch @@ -0,0 +1,47 @@ +From ccd1fbb8a99365ef1ff85a4333acd3f35c091a4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 06:49:05 -0700 +Subject: perf/x86/intel/uncore: Reduce the number of CBOX counters + +From: Kan Liang + +[ Upstream commit ee139385432e919f4d1f59b80edbc073cdae1391 ] + +An oops is triggered by the fuzzy test. + +[ 327.853081] unchecked MSR access error: RDMSR from 0x70c at rIP: +0xffffffffc082c820 (uncore_msr_read_counter+0x10/0x50 [intel_uncore]) +[ 327.853083] Call Trace: +[ 327.853085] +[ 327.853089] uncore_pmu_event_start+0x85/0x170 [intel_uncore] +[ 327.853093] uncore_pmu_event_add+0x1a4/0x410 [intel_uncore] +[ 327.853097] ? event_sched_in.isra.118+0xca/0x240 + +There are 2 GP counters for each CBOX, but the current code claims 4 +counters. Accessing the invalid registers triggers the oops. + +Fixes: 6e394376ee89 ("perf/x86/intel/uncore: Add Intel Icelake uncore support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200925134905.8839-3-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c +index e2c683fe42645..4aa735694e030 100644 +--- a/arch/x86/events/intel/uncore_snb.c ++++ b/arch/x86/events/intel/uncore_snb.c +@@ -325,7 +325,7 @@ static struct intel_uncore_ops icl_uncore_msr_ops = { + + static struct intel_uncore_type icl_uncore_cbox = { + .name = "cbox", +- .num_counters = 4, ++ .num_counters = 2, + .perf_ctr_bits = 44, + .perf_ctr = ICL_UNC_CBO_0_PER_CTR0, + .event_ctl = SNB_UNC_CBO_0_PERFEVTSEL0, +-- +2.25.1 + diff --git a/queue-5.9/perf-x86-intel-uncore-update-ice-lake-uncore-units.patch b/queue-5.9/perf-x86-intel-uncore-update-ice-lake-uncore-units.patch new file mode 100644 index 00000000000..d216068b6c3 --- /dev/null +++ b/queue-5.9/perf-x86-intel-uncore-update-ice-lake-uncore-units.patch @@ -0,0 +1,118 @@ +From 71b17b88d5d501b4d743c1d82948dd88c38ec1a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 06:49:04 -0700 +Subject: perf/x86/intel/uncore: Update Ice Lake uncore units + +From: Kan Liang + +[ Upstream commit 8f5d41f3a0f495435c88ebba8fc150c931c10fef ] + +There are some updates for the Icelake model specific uncore performance +monitors. (The update can be found at 10th generation intel core +processors families specification update Revision 004, ICL068) + +1) Counter 0 of ARB uncore unit is not available for software use +2) The global 'enable bit' (bit 29) and 'freeze bit' (bit 31) of + MSR_UNC_PERF_GLOBAL_CTRL cannot be used to control counter behavior. + Needs to use local enable in event select MSR. + +Accessing the modified bit/registers will be ignored by HW. Users may +observe inaccurate results with the current code. + +The changes of the MSR_UNC_PERF_GLOBAL_CTRL imply that groups cannot be +read atomically anymore. Although the error of the result for a group +becomes a bit bigger, it still far lower than not using a group. The +group support is still kept. Only Remove the *_box() related +implementation. + +Since the counter 0 of ARB uncore unit is not available, update the MSR +address for the ARB uncore unit. + +There is no change for IMC uncore unit, which only include free-running +counters. + +Fixes: 6e394376ee89 ("perf/x86/intel/uncore: Add Intel Icelake uncore support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200925134905.8839-2-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snb.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c +index 6a4ca27b2c9e1..e2c683fe42645 100644 +--- a/arch/x86/events/intel/uncore_snb.c ++++ b/arch/x86/events/intel/uncore_snb.c +@@ -126,6 +126,10 @@ + #define ICL_UNC_CBO_0_PER_CTR0 0x702 + #define ICL_UNC_CBO_MSR_OFFSET 0x8 + ++/* ICL ARB register */ ++#define ICL_UNC_ARB_PER_CTR 0x3b1 ++#define ICL_UNC_ARB_PERFEVTSEL 0x3b3 ++ + DEFINE_UNCORE_FORMAT_ATTR(event, event, "config:0-7"); + DEFINE_UNCORE_FORMAT_ATTR(umask, umask, "config:8-15"); + DEFINE_UNCORE_FORMAT_ATTR(edge, edge, "config:18"); +@@ -313,6 +317,12 @@ void skl_uncore_cpu_init(void) + snb_uncore_arb.ops = &skl_uncore_msr_ops; + } + ++static struct intel_uncore_ops icl_uncore_msr_ops = { ++ .disable_event = snb_uncore_msr_disable_event, ++ .enable_event = snb_uncore_msr_enable_event, ++ .read_counter = uncore_msr_read_counter, ++}; ++ + static struct intel_uncore_type icl_uncore_cbox = { + .name = "cbox", + .num_counters = 4, +@@ -321,7 +331,7 @@ static struct intel_uncore_type icl_uncore_cbox = { + .event_ctl = SNB_UNC_CBO_0_PERFEVTSEL0, + .event_mask = SNB_UNC_RAW_EVENT_MASK, + .msr_offset = ICL_UNC_CBO_MSR_OFFSET, +- .ops = &skl_uncore_msr_ops, ++ .ops = &icl_uncore_msr_ops, + .format_group = &snb_uncore_format_group, + }; + +@@ -350,13 +360,25 @@ static struct intel_uncore_type icl_uncore_clockbox = { + .single_fixed = 1, + .event_mask = SNB_UNC_CTL_EV_SEL_MASK, + .format_group = &icl_uncore_clock_format_group, +- .ops = &skl_uncore_msr_ops, ++ .ops = &icl_uncore_msr_ops, + .event_descs = icl_uncore_events, + }; + ++static struct intel_uncore_type icl_uncore_arb = { ++ .name = "arb", ++ .num_counters = 1, ++ .num_boxes = 1, ++ .perf_ctr_bits = 44, ++ .perf_ctr = ICL_UNC_ARB_PER_CTR, ++ .event_ctl = ICL_UNC_ARB_PERFEVTSEL, ++ .event_mask = SNB_UNC_RAW_EVENT_MASK, ++ .ops = &icl_uncore_msr_ops, ++ .format_group = &snb_uncore_format_group, ++}; ++ + static struct intel_uncore_type *icl_msr_uncores[] = { + &icl_uncore_cbox, +- &snb_uncore_arb, ++ &icl_uncore_arb, + &icl_uncore_clockbox, + NULL, + }; +@@ -374,7 +396,6 @@ void icl_uncore_cpu_init(void) + { + uncore_msr_uncores = icl_msr_uncores; + icl_uncore_cbox.num_boxes = icl_get_cbox_num(); +- snb_uncore_arb.ops = &skl_uncore_msr_ops; + } + + enum { +-- +2.25.1 + diff --git a/queue-5.9/phy-rockchip-dphy-rx0-include-linux-delay.h.patch b/queue-5.9/phy-rockchip-dphy-rx0-include-linux-delay.h.patch new file mode 100644 index 00000000000..f7ae891a324 --- /dev/null +++ b/queue-5.9/phy-rockchip-dphy-rx0-include-linux-delay.h.patch @@ -0,0 +1,39 @@ +From 08de5840ad7427d232077692012df649a4b07dda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 22:56:18 +0000 +Subject: phy: rockchip-dphy-rx0: Include linux/delay.h + +From: Tomasz Figa + +[ Upstream commit 488e3f52a82775bf9a4826a9eb59f10336c3f012 ] + +Fix an implicit declaration of usleep_range(): + +drivers/phy/rockchip/phy-rockchip-dphy-rx0.c: In function 'rk_dphy_enable': +drivers/phy/rockchip/phy-rockchip-dphy-rx0.c:203:2: error: implicit declaration of function 'usleep_range' [-Werror=implicit-function-declaration] + +Fixes: 32abcc4491c62 ("media: staging: phy-rockchip-dphy-rx0: add Rockchip MIPI Synopsys DPHY RX0 driver") +Signed-off-by: Tomasz Figa +Reviewed-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20200921225618.52529-1-tfiga@chromium.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + .../staging/media/phy-rockchip-dphy-rx0/phy-rockchip-dphy-rx0.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/media/phy-rockchip-dphy-rx0/phy-rockchip-dphy-rx0.c b/drivers/staging/media/phy-rockchip-dphy-rx0/phy-rockchip-dphy-rx0.c +index 7c4df6d48c43d..4df9476ef2a9b 100644 +--- a/drivers/staging/media/phy-rockchip-dphy-rx0/phy-rockchip-dphy-rx0.c ++++ b/drivers/staging/media/phy-rockchip-dphy-rx0/phy-rockchip-dphy-rx0.c +@@ -16,6 +16,7 @@ + */ + + #include ++#include + #include + #include + #include +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-aspeed-use-the-right-pinconf-mask.patch b/queue-5.9/pinctrl-aspeed-use-the-right-pinconf-mask.patch new file mode 100644 index 00000000000..aef4d4de9af --- /dev/null +++ b/queue-5.9/pinctrl-aspeed-use-the-right-pinconf-mask.patch @@ -0,0 +1,47 @@ +From 8125420c0f6ad1f2f059c2b791e9d232e78c3ab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 12:26:30 +0930 +Subject: pinctrl: aspeed: Use the right pinconf mask + +From: Andrew Jeffery + +[ Upstream commit 1d6db5ae6b090d1a8edfcb36b9bf47c5f4fe27f6 ] + +The Aspeed pinconf data structures are split into 'conf' and 'map' +types, where the 'conf' struct defines which register and bitfield to +manipulate, while the 'map' struct defines what value to write to +the register and bitfield. + +Both structs have a mask member, and the wrong mask was being used to +tell the regmap which bits to update. + +A todo is to look at whether we can remove the mask from the 'map' +struct. + +Fixes: 5f52c853847f ("pinctrl: aspeed: Use masks to describe pinconf bitfields") +Signed-off-by: Andrew Jeffery +Reviewed-by: Joel Stanley +Cc: Johnny Huang +Link: https://lore.kernel.org/r/20200910025631.2996342-3-andrew@aj.id.au +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/aspeed/pinctrl-aspeed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed.c b/drivers/pinctrl/aspeed/pinctrl-aspeed.c +index 53f3f8aec6956..3e6567355d97d 100644 +--- a/drivers/pinctrl/aspeed/pinctrl-aspeed.c ++++ b/drivers/pinctrl/aspeed/pinctrl-aspeed.c +@@ -534,7 +534,7 @@ int aspeed_pin_config_set(struct pinctrl_dev *pctldev, unsigned int offset, + val = pmap->val << __ffs(pconf->mask); + + rc = regmap_update_bits(pdata->scu, pconf->reg, +- pmap->mask, val); ++ pconf->mask, val); + + if (rc < 0) + return rc; +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch b/queue-5.9/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch new file mode 100644 index 00000000000..6dd4e08797b --- /dev/null +++ b/queue-5.9/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch @@ -0,0 +1,47 @@ +From 1b63efb8c88fbb361bb2e11e2df0373766786c71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 17:40:26 +0300 +Subject: pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB + +From: Necip Fazil Yildiran + +[ Upstream commit 513034d8b089b9a49dab57845aee70e830fe7334 ] + +When PINCTRL_BCM2835 is enabled and GPIOLIB is disabled, it results in the +following Kbuild warning: + +WARNING: unmet direct dependencies detected for GPIOLIB_IRQCHIP + Depends on [n]: GPIOLIB [=n] + Selected by [y]: + - PINCTRL_BCM2835 [=y] && PINCTRL [=y] && OF [=y] && (ARCH_BCM2835 [=n] || ARCH_BRCMSTB [=n] || COMPILE_TEST [=y]) + +The reason is that PINCTRL_BCM2835 selects GPIOLIB_IRQCHIP without +depending on or selecting GPIOLIB while GPIOLIB_IRQCHIP is subordinate to +GPIOLIB. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: 85ae9e512f43 ("pinctrl: bcm2835: switch to GPIOLIB_IRQCHIP") +Signed-off-by: Necip Fazil Yildiran +Link: https://lore.kernel.org/r/20200914144025.371370-1-fazilyildiran@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/bcm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/bcm/Kconfig b/drivers/pinctrl/bcm/Kconfig +index dcf7df797af75..0ed14de0134cf 100644 +--- a/drivers/pinctrl/bcm/Kconfig ++++ b/drivers/pinctrl/bcm/Kconfig +@@ -23,6 +23,7 @@ config PINCTRL_BCM2835 + select PINMUX + select PINCONF + select GENERIC_PINCONF ++ select GPIOLIB + select GPIOLIB_IRQCHIP + default ARCH_BCM2835 || ARCH_BRCMSTB + help +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-devicetree-keep-deferring-even-on-timeout.patch b/queue-5.9/pinctrl-devicetree-keep-deferring-even-on-timeout.patch new file mode 100644 index 00000000000..f5b0f5ec294 --- /dev/null +++ b/queue-5.9/pinctrl-devicetree-keep-deferring-even-on-timeout.patch @@ -0,0 +1,51 @@ +From e2698a7277e1cc05cc676406a72103ede9e2caf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 16:33:48 +0200 +Subject: pinctrl: devicetree: Keep deferring even on timeout + +From: Thierry Reding + +[ Upstream commit 84f28fc38d2ff99e2ac623325ba37809da611b8e ] + +driver_deferred_probe_check_state() may return -ETIMEDOUT instead of +-EPROBE_DEFER after all built-in drivers have been probed. This can +cause issues for built-in drivers that depend on resources provided by +loadable modules. + +One such case happens on Tegra where I2C controllers are used during +early boot to set up the system PMIC, so the I2C driver needs to be a +built-in driver. At the same time, some instances of the I2C controller +depend on the DPAUX hardware for pinmuxing. Since the DPAUX is handled +by the display driver, which is usually not built-in, the pin control +states will not become available until after the root filesystem has +been mounted and the display driver loaded from it. + +Fixes: bec6c0ecb243 ("pinctrl: Remove use of driver_deferred_probe_check_state_continue()") +Suggested-by: John Stultz +Signed-off-by: Thierry Reding +Link: https://lore.kernel.org/r/20200825143348.1358679-1-thierry.reding@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/devicetree.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c +index 5eff8c2965528..3fb2387147189 100644 +--- a/drivers/pinctrl/devicetree.c ++++ b/drivers/pinctrl/devicetree.c +@@ -130,9 +130,8 @@ static int dt_to_map_one_config(struct pinctrl *p, + if (!np_pctldev || of_node_is_root(np_pctldev)) { + of_node_put(np_pctldev); + ret = driver_deferred_probe_check_state(p->dev); +- /* keep deferring if modules are enabled unless we've timed out */ +- if (IS_ENABLED(CONFIG_MODULES) && !allow_default && +- (ret == -ENODEV)) ++ /* keep deferring if modules are enabled */ ++ if (IS_ENABLED(CONFIG_MODULES) && !allow_default && ret < 0) + ret = -EPROBE_DEFER; + return ret; + } +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch b/queue-5.9/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch new file mode 100644 index 00000000000..93914d66629 --- /dev/null +++ b/queue-5.9/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch @@ -0,0 +1,42 @@ +From a84f81b0275c12f36bc1c332eed16a628b58fbe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 22:32:26 +0100 +Subject: pinctrl: mcp23s08: Fix mcp23x17 precious range + +From: Thomas Preston + +[ Upstream commit b9b7fb29433b906635231d0a111224efa009198c ] + +On page 23 of the datasheet [0] it says "The register remains unchanged +until the interrupt is cleared via a read of INTCAP or GPIO." Include +INTCAPA and INTCAPB registers in precious range, so that they aren't +accidentally cleared when we read via debugfs. + +[0] https://ww1.microchip.com/downloads/en/DeviceDoc/20001952C.pdf + +Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") +Signed-off-by: Thomas Preston +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200828213226.1734264-3-thomas.preston@codethink.co.uk +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index 87cde8fb08dd9..7edb067f5e76a 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -109,7 +109,7 @@ static const struct regmap_access_table mcp23x17_volatile_table = { + }; + + static const struct regmap_range mcp23x17_precious_range = { +- .range_min = MCP_GPIO << 1, ++ .range_min = MCP_INTCAP << 1, + .range_max = MCP_GPIO << 1, + }; + +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch b/queue-5.9/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch new file mode 100644 index 00000000000..eacecf6c760 --- /dev/null +++ b/queue-5.9/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch @@ -0,0 +1,84 @@ +From 30e5b7953173dfc6737772a4d0e37c5e02413ee2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 22:32:25 +0100 +Subject: pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser + +From: Thomas Preston + +[ Upstream commit b445f6237744df5e8d4f56f8733b2108c611220a ] + +The mcp23x17_regmap is initialised with structs named "mcp23x16". +However, the mcp23s08 driver doesn't support the MCP23016 device yet, so +this appears to be a typo. + +Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") +Signed-off-by: Thomas Preston +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200828213226.1734264-2-thomas.preston@codethink.co.uk +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index 42b12ea14d6be..87cde8fb08dd9 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -87,7 +87,7 @@ const struct regmap_config mcp23x08_regmap = { + }; + EXPORT_SYMBOL_GPL(mcp23x08_regmap); + +-static const struct reg_default mcp23x16_defaults[] = { ++static const struct reg_default mcp23x17_defaults[] = { + {.reg = MCP_IODIR << 1, .def = 0xffff}, + {.reg = MCP_IPOL << 1, .def = 0x0000}, + {.reg = MCP_GPINTEN << 1, .def = 0x0000}, +@@ -98,23 +98,23 @@ static const struct reg_default mcp23x16_defaults[] = { + {.reg = MCP_OLAT << 1, .def = 0x0000}, + }; + +-static const struct regmap_range mcp23x16_volatile_range = { ++static const struct regmap_range mcp23x17_volatile_range = { + .range_min = MCP_INTF << 1, + .range_max = MCP_GPIO << 1, + }; + +-static const struct regmap_access_table mcp23x16_volatile_table = { +- .yes_ranges = &mcp23x16_volatile_range, ++static const struct regmap_access_table mcp23x17_volatile_table = { ++ .yes_ranges = &mcp23x17_volatile_range, + .n_yes_ranges = 1, + }; + +-static const struct regmap_range mcp23x16_precious_range = { ++static const struct regmap_range mcp23x17_precious_range = { + .range_min = MCP_GPIO << 1, + .range_max = MCP_GPIO << 1, + }; + +-static const struct regmap_access_table mcp23x16_precious_table = { +- .yes_ranges = &mcp23x16_precious_range, ++static const struct regmap_access_table mcp23x17_precious_table = { ++ .yes_ranges = &mcp23x17_precious_range, + .n_yes_ranges = 1, + }; + +@@ -124,10 +124,10 @@ const struct regmap_config mcp23x17_regmap = { + + .reg_stride = 2, + .max_register = MCP_OLAT << 1, +- .volatile_table = &mcp23x16_volatile_table, +- .precious_table = &mcp23x16_precious_table, +- .reg_defaults = mcp23x16_defaults, +- .num_reg_defaults = ARRAY_SIZE(mcp23x16_defaults), ++ .volatile_table = &mcp23x17_volatile_table, ++ .precious_table = &mcp23x17_precious_table, ++ .reg_defaults = mcp23x17_defaults, ++ .num_reg_defaults = ARRAY_SIZE(mcp23x17_defaults), + .cache_type = REGCACHE_FLAT, + .val_format_endian = REGMAP_ENDIAN_LITTLE, + }; +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-qcom-set-irqchip_set_type_masked-and-irqchip.patch b/queue-5.9/pinctrl-qcom-set-irqchip_set_type_masked-and-irqchip.patch new file mode 100644 index 00000000000..8556d5ef93d --- /dev/null +++ b/queue-5.9/pinctrl-qcom-set-irqchip_set_type_masked-and-irqchip.patch @@ -0,0 +1,48 @@ +From 4c4317800b3ee3d049477d74322d427d031c2dad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 10:01:59 +0530 +Subject: pinctrl: qcom: Set IRQCHIP_SET_TYPE_MASKED and + IRQCHIP_MASK_ON_SUSPEND flags + +From: Maulik Shah + +[ Upstream commit c5f72aeb659eb2f809b9531d759651514d42aa3a ] + +Both IRQCHIP_SET_TYPE_MASKED and IRQCHIP_MASK_ON_SUSPEND flags are already +set for msmgpio's parent PDC irqchip but GPIO interrupts do not get masked +during suspend or during setting irq type since genirq checks irqchip flag +of msmgpio irqchip which forwards these calls to its parent PDC irqchip. + +Add irqchip specific flags for msmgpio irqchip to mask non wakeirqs during +suspend and mask before setting irq type. Masking before changing type make +sures any spurious interrupt is not detected during this operation. + +Fixes: e35a6ae0eb3a ("pinctrl/msm: Setup GPIO chip in hierarchy") +Signed-off-by: Maulik Shah +Signed-off-by: Marc Zyngier +Tested-by: Stephen Boyd +Reviewed-by: Douglas Anderson +Acked-by: Bjorn Andersson +Acked-by: Linus Walleij +Link: https://lore.kernel.org/r/1601267524-20199-2-git-send-email-mkshah@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c +index a2567e772cd57..1c23f5c88fdd4 100644 +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -1243,6 +1243,8 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl) + pctrl->irq_chip.irq_release_resources = msm_gpio_irq_relres; + pctrl->irq_chip.irq_set_affinity = msm_gpio_irq_set_affinity; + pctrl->irq_chip.irq_set_vcpu_affinity = msm_gpio_irq_set_vcpu_affinity; ++ pctrl->irq_chip.flags = IRQCHIP_MASK_ON_SUSPEND | ++ IRQCHIP_SET_TYPE_MASKED; + + np = of_parse_phandle(pctrl->dev->of_node, "wakeup-parent", 0); + if (np) { +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-qcom-use-return-value-from-irq_set_wake-call.patch b/queue-5.9/pinctrl-qcom-use-return-value-from-irq_set_wake-call.patch new file mode 100644 index 00000000000..a9a3335b9d6 --- /dev/null +++ b/queue-5.9/pinctrl-qcom-use-return-value-from-irq_set_wake-call.patch @@ -0,0 +1,58 @@ +From 0fc9ff7e0bc76fd98b2656eee66a182eaab0d37b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 10:02:00 +0530 +Subject: pinctrl: qcom: Use return value from irq_set_wake() call + +From: Maulik Shah + +[ Upstream commit f41aaca593377a4fe3984459fd4539481263b4cd ] + +msmgpio irqchip was not using return value of irq_set_irq_wake() callback +since previously GIC-v3 irqchip neither had IRQCHIP_SKIP_SET_WAKE flag nor +it implemented .irq_set_wake callback. This lead to irq_set_irq_wake() +return error -ENXIO. + +However from 'commit 4110b5cbb014 ("irqchip/gic-v3: Allow interrupt to be +configured as wake-up sources")' GIC irqchip has IRQCHIP_SKIP_SET_WAKE +flag. + +Use return value from irq_set_irq_wake() and irq_chip_set_wake_parent() +instead of always returning success. + +Fixes: e35a6ae0eb3a ("pinctrl/msm: Setup GPIO chip in hierarchy") +Signed-off-by: Maulik Shah +Signed-off-by: Marc Zyngier +Tested-by: Stephen Boyd +Reviewed-by: Douglas Anderson +Reviewed-by: Stephen Boyd +Acked-by: Bjorn Andersson +Acked-by: Linus Walleij +Link: https://lore.kernel.org/r/1601267524-20199-3-git-send-email-mkshah@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c +index 1c23f5c88fdd4..1df232266f63a 100644 +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -1077,12 +1077,10 @@ static int msm_gpio_irq_set_wake(struct irq_data *d, unsigned int on) + * when TLMM is powered on. To allow that, enable the GPIO + * summary line to be wakeup capable at GIC. + */ +- if (d->parent_data) +- irq_chip_set_wake_parent(d, on); +- +- irq_set_irq_wake(pctrl->irq, on); ++ if (d->parent_data && test_bit(d->hwirq, pctrl->skip_wake_irqs)) ++ return irq_chip_set_wake_parent(d, on); + +- return 0; ++ return irq_set_irq_wake(pctrl->irq, on); + } + + static int msm_gpio_irq_reqres(struct irq_data *d) +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-single-fix-debug-output-when-pinctrl-cells-2.patch b/queue-5.9/pinctrl-single-fix-debug-output-when-pinctrl-cells-2.patch new file mode 100644 index 00000000000..996759b80c8 --- /dev/null +++ b/queue-5.9/pinctrl-single-fix-debug-output-when-pinctrl-cells-2.patch @@ -0,0 +1,40 @@ +From dbe634a087bc5a2aa284229ef2daa6892c1c9916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 01:03:07 +0200 +Subject: pinctrl: single: fix debug output when #pinctrl-cells = 2 + +From: Drew Fustini + +[ Upstream commit f4a2b19c37caf40f3b8487ccb9032b974a84a3a7 ] + +The debug output in pcs_parse_one_pinctrl_entry() needs to be updated +to print the correct pinctrl register value when #pinctrl-cells is 2. + +Fixes: a13395418888 ("pinctrl: single: parse #pinctrl-cells = 2") +Reported-by: Trent Piepho +Signed-off-by: Drew Fustini +Acked-by: Tony Lindgren +Link: https://lore.kernel.org/linux-omap/3139716.CMS8C0sQ7x@zen.local/ +Link: https://lore.kernel.org/r/20200913230306.2061645-1-drew@beagleboard.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-single.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index 5cbf0e55087c6..f3cd7e2967126 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1033,7 +1033,7 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + } + + dev_dbg(pcs->dev, "%pOFn index: 0x%x value: 0x%x\n", +- pinctrl_spec.np, offset, pinctrl_spec.args[1]); ++ pinctrl_spec.np, offset, vals[found].val); + + pin = pcs_get_pin_by_offset(pcs, offset); + if (pin < 0) { +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-single-fix-pinctrl_spec.args_count-bounds-ch.patch b/queue-5.9/pinctrl-single-fix-pinctrl_spec.args_count-bounds-ch.patch new file mode 100644 index 00000000000..095018e6ff4 --- /dev/null +++ b/queue-5.9/pinctrl-single-fix-pinctrl_spec.args_count-bounds-ch.patch @@ -0,0 +1,45 @@ +From 4ee8eaeb1904794bb530048ec55c25b2d5b94e86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 12:48:40 -0500 +Subject: pinctrl: single: fix pinctrl_spec.args_count bounds check + +From: Drew Fustini + +[ Upstream commit 9b9448f39e83d8e6fdfed006c5db8c304a98c2cd ] + +The property #pinctrl-cells can either be 1 or 2: + +- if #pinctrl-cells = <1>, then pinctrl_spec.args_count = 2 +- if #pinctrl-cells = <2>, then pinctrl_spec.args_count = 3 + +All other values of pinctrl_spec.args_count are incorrect. This fix +checks the upper bound instead of just the lower bound. + +Fixes: a13395418888 ("pinctrl: single: parse #pinctrl-cells = 2") +Reported-by: Trent Piepho +Signed-off-by: Drew Fustini +Acked-by: Tony Lindgren +Link: https://lore.kernel.org/linux-omap/3139716.CMS8C0sQ7x@zen.local/ +Link: https://lore.kernel.org/r/20200930174839.1308344-1-drew@beagleboard.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-single.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index efe41abc5d472..5cbf0e55087c6 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1014,7 +1014,7 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + if (res) + return res; + +- if (pinctrl_spec.args_count < 2) { ++ if (pinctrl_spec.args_count < 2 || pinctrl_spec.args_count > 3) { + dev_err(pcs->dev, "invalid args_count for spec: %i\n", + pinctrl_spec.args_count); + break; +-- +2.25.1 + diff --git a/queue-5.9/pinctrl-tigerlake-fix-register-offsets-for-tgl-h-var.patch b/queue-5.9/pinctrl-tigerlake-fix-register-offsets-for-tgl-h-var.patch new file mode 100644 index 00000000000..e95eaa30742 --- /dev/null +++ b/queue-5.9/pinctrl-tigerlake-fix-register-offsets-for-tgl-h-var.patch @@ -0,0 +1,111 @@ +From aa56ba72e6b608635da9dbdb319cf26761933210 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 14:03:04 +0300 +Subject: pinctrl: tigerlake: Fix register offsets for TGL-H variant + +From: Andy Shevchenko + +[ Upstream commit cb8cc18508fb0cad74929ffd080bebafe91609e2 ] + +It appears that almost traditionally the H variants have some deviations +in the register offsets in comparison to LP ones. This is the case for +Intel Tiger Lake as well. Fix register offsets for TGL-H variant. + +Fixes: 653d96455e1e ("pinctrl: tigerlake: Add support for Tiger Lake-H") +Reported-by: Pierre-Louis Bossart +Signed-off-by: Andy Shevchenko +Acked-by: Mika Westerberg +Link: https://lore.kernel.org/r/20200929110306.40852-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-tigerlake.c | 42 ++++++++++++++--------- + 1 file changed, 25 insertions(+), 17 deletions(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-tigerlake.c b/drivers/pinctrl/intel/pinctrl-tigerlake.c +index 8c162dd5f5a10..3e354e02f4084 100644 +--- a/drivers/pinctrl/intel/pinctrl-tigerlake.c ++++ b/drivers/pinctrl/intel/pinctrl-tigerlake.c +@@ -15,11 +15,13 @@ + + #include "pinctrl-intel.h" + +-#define TGL_PAD_OWN 0x020 +-#define TGL_PADCFGLOCK 0x080 +-#define TGL_HOSTSW_OWN 0x0b0 +-#define TGL_GPI_IS 0x100 +-#define TGL_GPI_IE 0x120 ++#define TGL_PAD_OWN 0x020 ++#define TGL_LP_PADCFGLOCK 0x080 ++#define TGL_H_PADCFGLOCK 0x090 ++#define TGL_LP_HOSTSW_OWN 0x0b0 ++#define TGL_H_HOSTSW_OWN 0x0c0 ++#define TGL_GPI_IS 0x100 ++#define TGL_GPI_IE 0x120 + + #define TGL_GPP(r, s, e, g) \ + { \ +@@ -29,12 +31,12 @@ + .gpio_base = (g), \ + } + +-#define TGL_COMMUNITY(b, s, e, g) \ ++#define TGL_COMMUNITY(b, s, e, pl, ho, g) \ + { \ + .barno = (b), \ + .padown_offset = TGL_PAD_OWN, \ +- .padcfglock_offset = TGL_PADCFGLOCK, \ +- .hostown_offset = TGL_HOSTSW_OWN, \ ++ .padcfglock_offset = (pl), \ ++ .hostown_offset = (ho), \ + .is_offset = TGL_GPI_IS, \ + .ie_offset = TGL_GPI_IE, \ + .pin_base = (s), \ +@@ -43,6 +45,12 @@ + .ngpps = ARRAY_SIZE(g), \ + } + ++#define TGL_LP_COMMUNITY(b, s, e, g) \ ++ TGL_COMMUNITY(b, s, e, TGL_LP_PADCFGLOCK, TGL_LP_HOSTSW_OWN, g) ++ ++#define TGL_H_COMMUNITY(b, s, e, g) \ ++ TGL_COMMUNITY(b, s, e, TGL_H_PADCFGLOCK, TGL_H_HOSTSW_OWN, g) ++ + /* Tiger Lake-LP */ + static const struct pinctrl_pin_desc tgllp_pins[] = { + /* GPP_B */ +@@ -367,10 +375,10 @@ static const struct intel_padgroup tgllp_community5_gpps[] = { + }; + + static const struct intel_community tgllp_communities[] = { +- TGL_COMMUNITY(0, 0, 66, tgllp_community0_gpps), +- TGL_COMMUNITY(1, 67, 170, tgllp_community1_gpps), +- TGL_COMMUNITY(2, 171, 259, tgllp_community4_gpps), +- TGL_COMMUNITY(3, 260, 276, tgllp_community5_gpps), ++ TGL_LP_COMMUNITY(0, 0, 66, tgllp_community0_gpps), ++ TGL_LP_COMMUNITY(1, 67, 170, tgllp_community1_gpps), ++ TGL_LP_COMMUNITY(2, 171, 259, tgllp_community4_gpps), ++ TGL_LP_COMMUNITY(3, 260, 276, tgllp_community5_gpps), + }; + + static const struct intel_pinctrl_soc_data tgllp_soc_data = { +@@ -723,11 +731,11 @@ static const struct intel_padgroup tglh_community5_gpps[] = { + }; + + static const struct intel_community tglh_communities[] = { +- TGL_COMMUNITY(0, 0, 78, tglh_community0_gpps), +- TGL_COMMUNITY(1, 79, 180, tglh_community1_gpps), +- TGL_COMMUNITY(2, 181, 217, tglh_community3_gpps), +- TGL_COMMUNITY(3, 218, 266, tglh_community4_gpps), +- TGL_COMMUNITY(4, 267, 290, tglh_community5_gpps), ++ TGL_H_COMMUNITY(0, 0, 78, tglh_community0_gpps), ++ TGL_H_COMMUNITY(1, 79, 180, tglh_community1_gpps), ++ TGL_H_COMMUNITY(2, 181, 217, tglh_community3_gpps), ++ TGL_H_COMMUNITY(3, 218, 266, tglh_community4_gpps), ++ TGL_H_COMMUNITY(4, 267, 290, tglh_community5_gpps), + }; + + static const struct intel_pinctrl_soc_data tglh_soc_data = { +-- +2.25.1 + diff --git a/queue-5.9/platform-chrome-cros_ec_lightbar-reduce-ligthbar-get.patch b/queue-5.9/platform-chrome-cros_ec_lightbar-reduce-ligthbar-get.patch new file mode 100644 index 00000000000..66283545a74 --- /dev/null +++ b/queue-5.9/platform-chrome-cros_ec_lightbar-reduce-ligthbar-get.patch @@ -0,0 +1,47 @@ +From c487be006a458fcdeebcfdb6f548579bc31f1ad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 23:59:37 -0700 +Subject: platform/chrome: cros_ec_lightbar: Reduce ligthbar get version + command + +From: Gwendal Grignou + +[ Upstream commit 1e7913ff5f9f1b73146ad8522958bd266f22a510 ] + +By default, the lightbar commands are set to the biggest lightbar command +and response. That length is greater than 128 bytes and may not work on +all machines. But all EC are probed for lightbar by sending a get version +request. Set that request size precisely. + +Before the command would be: + + cros_ec_cmd: version: 0, command: EC_CMD_LIGHTBAR_CMD, outsize: 194, insize: 128, result: 0 + +Afer: + + cros_ec_cmd: version: 0, command: EC_CMD_LIGHTBAR_CMD, outsize: 1, insize: 8, result: 0 + +Fixes: a841178445bb7 ("mfd: cros_ec: Use a zero-length array for command data") +Signed-off-by: Gwendal Grignou +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_lightbar.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/platform/chrome/cros_ec_lightbar.c b/drivers/platform/chrome/cros_ec_lightbar.c +index b59180bff5a3e..ef61298c30bdd 100644 +--- a/drivers/platform/chrome/cros_ec_lightbar.c ++++ b/drivers/platform/chrome/cros_ec_lightbar.c +@@ -116,6 +116,8 @@ static int get_lightbar_version(struct cros_ec_dev *ec, + + param = (struct ec_params_lightbar *)msg->data; + param->cmd = LIGHTBAR_CMD_VERSION; ++ msg->outsize = sizeof(param->cmd); ++ msg->result = sizeof(resp->version); + ret = cros_ec_cmd_xfer_status(ec->ec_dev, msg); + if (ret < 0) { + ret = 0; +-- +2.25.1 + diff --git a/queue-5.9/platform-chrome-cros_ec_typec-send-enum-values-to-us.patch b/queue-5.9/platform-chrome-cros_ec_typec-send-enum-values-to-us.patch new file mode 100644 index 00000000000..ba16dc8676d --- /dev/null +++ b/queue-5.9/platform-chrome-cros_ec_typec-send-enum-values-to-us.patch @@ -0,0 +1,45 @@ +From 69192469a799fee63d2f9a541bc2fb3d7c6c4290 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 14:47:22 -0700 +Subject: platform/chrome: cros_ec_typec: Send enum values to + usb_role_switch_set_role() + +From: Azhar Shaikh + +[ Upstream commit 5381b0ed54b6af3c0e8184b43e34154e17904848 ] + +usb_role_switch_set_role() has the second argument as enum for usb_role. +Currently depending upon the data role i.e. UFP(0) or DFP(1) is sent. +This eventually translates to USB_ROLE_NONE in case of UFP and +USB_ROLE_DEVICE in case of DFP. Correct this by sending correct enum +values as USB_ROLE_DEVICE in case of UFP and USB_ROLE_HOST in case of +DFP. + +Fixes: 7e7def15fa4b ("platform/chrome: cros_ec_typec: Add USB mux control") +Signed-off-by: Azhar Shaikh +Cc: Prashant Malani +Reviewed-by: Prashant Malani +Reviewed-by: Heikki Krogerus +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_typec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c +index 3fcd27ec9ad8f..10ef1fc75c0e1 100644 +--- a/drivers/platform/chrome/cros_ec_typec.c ++++ b/drivers/platform/chrome/cros_ec_typec.c +@@ -591,7 +591,8 @@ static int cros_typec_port_update(struct cros_typec_data *typec, int port_num) + dev_warn(typec->dev, "Configure muxes failed, err = %d\n", ret); + + return usb_role_switch_set_role(typec->ports[port_num]->role_sw, +- !!(resp.role & PD_CTRL_RESP_ROLE_DATA)); ++ resp.role & PD_CTRL_RESP_ROLE_DATA ++ ? USB_ROLE_HOST : USB_ROLE_DEVICE); + } + + static int cros_typec_get_cmd_version(struct cros_typec_data *typec) +-- +2.25.1 + diff --git a/queue-5.9/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch b/queue-5.9/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch new file mode 100644 index 00000000000..683a56380ec --- /dev/null +++ b/queue-5.9/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch @@ -0,0 +1,71 @@ +From 7612da67e72e9e1201f1fa11724fbe10868df331 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 20:20:49 +0300 +Subject: platform/x86: mlx-platform: Remove PSU EEPROM configuration + +From: Vadim Pasternak + +[ Upstream commit c071afcea6ecf24a3c119f25ce9f71ffd55b5dc2 ] + +Remove PSU EEPROM configuration for systems class equipped with +Mellanox chip Spectrume-2. Till now all the systems from this class +used few types of power units, all equipped with EEPROM device with +address space two bytes. Thus, all these devices have been handled by +EEPROM driver "24c32". +There is a new requirement is to support power unit replacement by "off +the shelf" device, matching electrical required parameters. Such device +could be equipped with different EEPROM type, which could be one byte +address space addressing or even could be not equipped with EEPROM. +In such case "24c32" will not work. + +Fixes: 1bd42d94ccab ("platform/x86: mlx-platform: Add support for new 200G IB and Ethernet systems") +Signed-off-by: Vadim Pasternak +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20200923172053.26296-2-vadimp@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/mlx-platform.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/drivers/platform/x86/mlx-platform.c b/drivers/platform/x86/mlx-platform.c +index 1506ec0a47771..04a745095c379 100644 +--- a/drivers/platform/x86/mlx-platform.c ++++ b/drivers/platform/x86/mlx-platform.c +@@ -328,15 +328,6 @@ static struct i2c_board_info mlxplat_mlxcpld_psu[] = { + }, + }; + +-static struct i2c_board_info mlxplat_mlxcpld_ng_psu[] = { +- { +- I2C_BOARD_INFO("24c32", 0x51), +- }, +- { +- I2C_BOARD_INFO("24c32", 0x50), +- }, +-}; +- + static struct i2c_board_info mlxplat_mlxcpld_pwr[] = { + { + I2C_BOARD_INFO("dps460", 0x59), +@@ -770,15 +761,13 @@ static struct mlxreg_core_data mlxplat_mlxcpld_default_ng_psu_items_data[] = { + .label = "psu1", + .reg = MLXPLAT_CPLD_LPC_REG_PSU_OFFSET, + .mask = BIT(0), +- .hpdev.brdinfo = &mlxplat_mlxcpld_ng_psu[0], +- .hpdev.nr = MLXPLAT_CPLD_PSU_MSNXXXX_NR, ++ .hpdev.nr = MLXPLAT_CPLD_NR_NONE, + }, + { + .label = "psu2", + .reg = MLXPLAT_CPLD_LPC_REG_PSU_OFFSET, + .mask = BIT(1), +- .hpdev.brdinfo = &mlxplat_mlxcpld_ng_psu[1], +- .hpdev.nr = MLXPLAT_CPLD_PSU_MSNXXXX_NR, ++ .hpdev.nr = MLXPLAT_CPLD_NR_NONE, + }, + }; + +-- +2.25.1 + diff --git a/queue-5.9/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch b/queue-5.9/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch new file mode 100644 index 00000000000..313472b72e0 --- /dev/null +++ b/queue-5.9/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch @@ -0,0 +1,49 @@ +From 73f9e9fc1525269974d40f29eca76701a0958d48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 18:14:47 +0200 +Subject: PM: hibernate: remove the bogus call to get_gendisk() in + software_resume() + +From: Christoph Hellwig + +[ Upstream commit 428805c0c5e76ef643b1fbc893edfb636b3d8aef ] + +get_gendisk grabs a reference on the disk and file operation, so this +code will leak both of them while having absolutely no use for the +gendisk itself. + +This effectively reverts commit 2df83fa4bce421f ("PM / Hibernate: Use +get_gendisk to verify partition if resume_file is integer format") + +Signed-off-by: Christoph Hellwig +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/hibernate.c | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index 1dee70815f3cd..2fc7d509a34fc 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -946,17 +946,6 @@ static int software_resume(void) + + /* Check if the device is there */ + swsusp_resume_device = name_to_dev_t(resume_file); +- +- /* +- * name_to_dev_t is ineffective to verify parition if resume_file is in +- * integer format. (e.g. major:minor) +- */ +- if (isdigit(resume_file[0]) && resume_wait) { +- int partno; +- while (!get_gendisk(swsusp_resume_device, &partno)) +- msleep(10); +- } +- + if (!swsusp_resume_device) { + /* + * Some device discovery might still be in progress; we need +-- +2.25.1 + diff --git a/queue-5.9/powerpc-64-fix-irq-replay-missing-preempt.patch b/queue-5.9/powerpc-64-fix-irq-replay-missing-preempt.patch new file mode 100644 index 00000000000..307d99e18c5 --- /dev/null +++ b/queue-5.9/powerpc-64-fix-irq-replay-missing-preempt.patch @@ -0,0 +1,55 @@ +From c84b6b4739e5b37928c47d4b696cc6b3a7a1a681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 21:46:45 +1000 +Subject: powerpc/64: fix irq replay missing preempt + +From: Nicholas Piggin + +[ Upstream commit 903fd31d3212ab72d564c68f6cfb5d04db68773e ] + +Prior to commit 3282a3da25bd ("powerpc/64: Implement soft interrupt +replay in C"), replayed interrupts returned by the regular interrupt +exit code, which performs preemption in case an interrupt had set +need_resched. + +This logic was missed by the conversion. Adding preempt_disable/enable +around the interrupt replay and final irq enable will reschedule if +needed. + +Fixes: 3282a3da25bd ("powerpc/64: Implement soft interrupt replay in C") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200915114650.3980244-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/irq.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c +index bf21ebd361900..77019699606a5 100644 +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -368,6 +368,12 @@ notrace void arch_local_irq_restore(unsigned long mask) + } + } + ++ /* ++ * Disable preempt here, so that the below preempt_enable will ++ * perform resched if required (a replayed interrupt may set ++ * need_resched). ++ */ ++ preempt_disable(); + irq_soft_mask_set(IRQS_ALL_DISABLED); + trace_hardirqs_off(); + +@@ -377,6 +383,7 @@ notrace void arch_local_irq_restore(unsigned long mask) + trace_hardirqs_on(); + irq_soft_mask_set(IRQS_ENABLED); + __hard_irq_enable(); ++ preempt_enable(); + } + EXPORT_SYMBOL(arch_local_irq_restore); + +-- +2.25.1 + diff --git a/queue-5.9/powerpc-64-fix-irq-replay-pt_regs-softe-value.patch b/queue-5.9/powerpc-64-fix-irq-replay-pt_regs-softe-value.patch new file mode 100644 index 00000000000..8fed97ced7d --- /dev/null +++ b/queue-5.9/powerpc-64-fix-irq-replay-pt_regs-softe-value.patch @@ -0,0 +1,44 @@ +From 58f90c22ebc2b4abbc3834efc1b9c8a3558a3978 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 21:46:46 +1000 +Subject: powerpc/64: fix irq replay pt_regs->softe value + +From: Nicholas Piggin + +[ Upstream commit 2b48e96be2f9f7151197fd25dc41487054bc6f5b ] + +Replayed interrupts get an "artificial" struct pt_regs constructed to +pass to interrupt handler functions. This did not get the softe field +set correctly, it's as though the interrupt has hit while irqs are +disabled. It should be IRQS_ENABLED. + +This is possibly harmless, asynchronous handlers should not be testing +if irqs were disabled, but it might be possible for example some code +is shared with synchronous or NMI handlers, and it makes more sense if +debug output looks at this. + +Fixes: 3282a3da25bd ("powerpc/64: Implement soft interrupt replay in C") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200915114650.3980244-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c +index 77019699606a5..3fdad93368858 100644 +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -214,7 +214,7 @@ void replay_soft_interrupts(void) + struct pt_regs regs; + + ppc_save_regs(®s); +- regs.softe = IRQS_ALL_DISABLED; ++ regs.softe = IRQS_ENABLED; + + again: + if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG)) +-- +2.25.1 + diff --git a/queue-5.9/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch b/queue-5.9/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch new file mode 100644 index 00000000000..8bfe9ddc890 --- /dev/null +++ b/queue-5.9/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch @@ -0,0 +1,116 @@ +From 7598aade02ab3f70e2806a69808db938d7c9b22a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:19 +1000 +Subject: powerpc/64s/radix: Fix mm_cpumask trimming race vs kthread_use_mm + +From: Nicholas Piggin + +[ Upstream commit a665eec0a22e11cdde708c1c256a465ebe768047 ] + +Commit 0cef77c7798a7 ("powerpc/64s/radix: flush remote CPUs out of +single-threaded mm_cpumask") added a mechanism to trim the mm_cpumask of +a process under certain conditions. One of the assumptions is that +mm_users would not be incremented via a reference outside the process +context with mmget_not_zero() then go on to kthread_use_mm() via that +reference. + +That invariant was broken by io_uring code (see previous sparc64 fix), +but I'll point Fixes: to the original powerpc commit because we are +changing that assumption going forward, so this will make backports +match up. + +Fix this by no longer relying on that assumption, but by having each CPU +check the mm is not being used, and clearing their own bit from the mask +only if it hasn't been switched-to by the time the IPI is processed. + +This relies on commit 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB +invalidate") and ARCH_WANT_IRQS_OFF_ACTIVATE_MM to disable irqs over mm +switch sequences. + +Fixes: 0cef77c7798a7 ("powerpc/64s/radix: flush remote CPUs out of single-threaded mm_cpumask") +Signed-off-by: Nicholas Piggin +Reviewed-by: Michael Ellerman +Depends-on: 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB invalidate") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-5-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/tlb.h | 13 ------------- + arch/powerpc/mm/book3s64/radix_tlb.c | 23 ++++++++++++++++------- + 2 files changed, 16 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/include/asm/tlb.h b/arch/powerpc/include/asm/tlb.h +index fbc6f3002f236..d97f061fecac0 100644 +--- a/arch/powerpc/include/asm/tlb.h ++++ b/arch/powerpc/include/asm/tlb.h +@@ -66,19 +66,6 @@ static inline int mm_is_thread_local(struct mm_struct *mm) + return false; + return cpumask_test_cpu(smp_processor_id(), mm_cpumask(mm)); + } +-static inline void mm_reset_thread_local(struct mm_struct *mm) +-{ +- WARN_ON(atomic_read(&mm->context.copros) > 0); +- /* +- * It's possible for mm_access to take a reference on mm_users to +- * access the remote mm from another thread, but it's not allowed +- * to set mm_cpumask, so mm_users may be > 1 here. +- */ +- WARN_ON(current->mm != mm); +- atomic_set(&mm->context.active_cpus, 1); +- cpumask_clear(mm_cpumask(mm)); +- cpumask_set_cpu(smp_processor_id(), mm_cpumask(mm)); +-} + #else /* CONFIG_PPC_BOOK3S_64 */ + static inline int mm_is_thread_local(struct mm_struct *mm) + { +diff --git a/arch/powerpc/mm/book3s64/radix_tlb.c b/arch/powerpc/mm/book3s64/radix_tlb.c +index 0d233763441fd..143b4fd396f08 100644 +--- a/arch/powerpc/mm/book3s64/radix_tlb.c ++++ b/arch/powerpc/mm/book3s64/radix_tlb.c +@@ -645,19 +645,29 @@ static void do_exit_flush_lazy_tlb(void *arg) + struct mm_struct *mm = arg; + unsigned long pid = mm->context.id; + ++ /* ++ * A kthread could have done a mmget_not_zero() after the flushing CPU ++ * checked mm_is_singlethreaded, and be in the process of ++ * kthread_use_mm when interrupted here. In that case, current->mm will ++ * be set to mm, because kthread_use_mm() setting ->mm and switching to ++ * the mm is done with interrupts off. ++ */ + if (current->mm == mm) +- return; /* Local CPU */ ++ goto out_flush; + + if (current->active_mm == mm) { +- /* +- * Must be a kernel thread because sender is single-threaded. +- */ +- BUG_ON(current->mm); ++ WARN_ON_ONCE(current->mm != NULL); ++ /* Is a kernel thread and is using mm as the lazy tlb */ + mmgrab(&init_mm); +- switch_mm(mm, &init_mm, current); + current->active_mm = &init_mm; ++ switch_mm_irqs_off(mm, &init_mm, current); + mmdrop(mm); + } ++ ++ atomic_dec(&mm->context.active_cpus); ++ cpumask_clear_cpu(smp_processor_id(), mm_cpumask(mm)); ++ ++out_flush: + _tlbiel_pid(pid, RIC_FLUSH_ALL); + } + +@@ -672,7 +682,6 @@ static void exit_flush_lazy_tlbs(struct mm_struct *mm) + */ + smp_call_function_many(mm_cpumask(mm), do_exit_flush_lazy_tlb, + (void *)mm, 1); +- mm_reset_thread_local(mm); + } + + void radix__flush_tlb_mm(struct mm_struct *mm) +-- +2.25.1 + diff --git a/queue-5.9/powerpc-64s-remove-tm-from-power10-features.patch b/queue-5.9/powerpc-64s-remove-tm-from-power10-features.patch new file mode 100644 index 00000000000..088b97edf7c --- /dev/null +++ b/queue-5.9/powerpc-64s-remove-tm-from-power10-features.patch @@ -0,0 +1,64 @@ +From 6ed485b28598fc07600cbd17d5fa6e8553659077 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 13:55:29 +1000 +Subject: powerpc/64s: Remove TM from Power10 features + +From: Jordan Niethe + +[ Upstream commit ec613a57fa1d57381f890c3166175fe68cf43f12 ] + +ISA v3.1 removes transactional memory and hence it should not be present +in cpu_features or cpu_user_features2. Remove CPU_FTR_TM_COMP from +CPU_FTRS_POWER10. Remove PPC_FEATURE2_HTM_COMP and +PPC_FEATURE2_HTM_NOSC_COMP from COMMON_USER2_POWER10. + +Fixes: a3ea40d5c736 ("powerpc: Add POWER10 architected mode") +Signed-off-by: Jordan Niethe +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200827035529.900-1-jniethe5@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/cputable.h | 2 +- + arch/powerpc/kernel/cputable.c | 13 ++++++++++--- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/include/asm/cputable.h b/arch/powerpc/include/asm/cputable.h +index 32a15dc49e8ca..ade681c1d4095 100644 +--- a/arch/powerpc/include/asm/cputable.h ++++ b/arch/powerpc/include/asm/cputable.h +@@ -483,7 +483,7 @@ static inline void cpu_feature_keys_init(void) { } + CPU_FTR_STCX_CHECKS_ADDRESS | CPU_FTR_POPCNTB | CPU_FTR_POPCNTD | \ + CPU_FTR_CFAR | CPU_FTR_HVMODE | CPU_FTR_VMX_COPY | \ + CPU_FTR_DBELL | CPU_FTR_HAS_PPR | CPU_FTR_ARCH_207S | \ +- CPU_FTR_TM_COMP | CPU_FTR_ARCH_300 | CPU_FTR_ARCH_31 | \ ++ CPU_FTR_ARCH_300 | CPU_FTR_ARCH_31 | \ + CPU_FTR_DAWR | CPU_FTR_DAWR1) + #define CPU_FTRS_CELL (CPU_FTR_LWSYNC | \ + CPU_FTR_PPCAS_ARCH_V2 | CPU_FTR_CTRL | \ +diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c +index 2aa89c6b28967..0d704f1e07739 100644 +--- a/arch/powerpc/kernel/cputable.c ++++ b/arch/powerpc/kernel/cputable.c +@@ -120,9 +120,16 @@ extern void __restore_cpu_e6500(void); + PPC_FEATURE2_DARN | \ + PPC_FEATURE2_SCV) + #define COMMON_USER_POWER10 COMMON_USER_POWER9 +-#define COMMON_USER2_POWER10 (COMMON_USER2_POWER9 | \ +- PPC_FEATURE2_ARCH_3_1 | \ +- PPC_FEATURE2_MMA) ++#define COMMON_USER2_POWER10 (PPC_FEATURE2_ARCH_3_1 | \ ++ PPC_FEATURE2_MMA | \ ++ PPC_FEATURE2_ARCH_3_00 | \ ++ PPC_FEATURE2_HAS_IEEE128 | \ ++ PPC_FEATURE2_DARN | \ ++ PPC_FEATURE2_SCV | \ ++ PPC_FEATURE2_ARCH_2_07 | \ ++ PPC_FEATURE2_DSCR | \ ++ PPC_FEATURE2_ISEL | PPC_FEATURE2_TAR | \ ++ PPC_FEATURE2_VEC_CRYPTO) + + #ifdef CONFIG_PPC_BOOK3E_64 + #define COMMON_USER_BOOKE (COMMON_USER_PPC64 | PPC_FEATURE_BOOKE) +-- +2.25.1 + diff --git a/queue-5.9/powerpc-book3s64-hash-4k-support-large-linear-mappin.patch b/queue-5.9/powerpc-book3s64-hash-4k-support-large-linear-mappin.patch new file mode 100644 index 00000000000..714ef03a97e --- /dev/null +++ b/queue-5.9/powerpc-book3s64-hash-4k-support-large-linear-mappin.patch @@ -0,0 +1,74 @@ +From c285cefa3548ad22ebaabfe220ca39289f60f73b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 12:39:03 +0530 +Subject: powerpc/book3s64/hash/4k: Support large linear mapping range with 4K + +From: Aneesh Kumar K.V + +[ Upstream commit 7746406baa3bc9e23fdd7b7da2f04d86e25ab837 ] + +With commit: 0034d395f89d ("powerpc/mm/hash64: Map all the kernel +regions in the same 0xc range"), we now split the 64TB address range +into 4 contexts each of 16TB. That implies we can do only 16TB linear +mapping. + +On some systems, eg. Power9, memory attached to nodes > 0 will appear +above 16TB in the linear mapping. This resulted in kernel crash when +we boot such systems in hash translation mode with 4K PAGE_SIZE. + +This patch updates the kernel mapping such that we now start supporting upto +61TB of memory with 4K. The kernel mapping now looks like below 4K PAGE_SIZE +and hash translation. + + vmalloc start = 0xc0003d0000000000 + IO start = 0xc0003e0000000000 + vmemmap start = 0xc0003f0000000000 + +Our MAX_PHYSMEM_BITS for 4K is still 64TB even though we can only map 61TB. +We prevent bolt mapping anything outside 61TB range by checking against +H_VMALLOC_START. + +Fixes: 0034d395f89d ("powerpc/mm/hash64: Map all the kernel regions in the same 0xc range") +Reported-by: Cameron Berkenpas +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200608070904.387440-3-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/64/hash-4k.h | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h +index 082b988087011..b3ca542f871ec 100644 +--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h ++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h +@@ -13,20 +13,19 @@ + */ + #define MAX_EA_BITS_PER_CONTEXT 46 + +-#define REGION_SHIFT (MAX_EA_BITS_PER_CONTEXT - 2) + + /* +- * Our page table limit us to 64TB. Hence for the kernel mapping, +- * each MAP area is limited to 16 TB. +- * The four map areas are: linear mapping, vmap, IO and vmemmap ++ * Our page table limit us to 64TB. For 64TB physical memory, we only need 64GB ++ * of vmemmap space. To better support sparse memory layout, we use 61TB ++ * linear map range, 1TB of vmalloc, 1TB of I/O and 1TB of vmememmap. + */ ++#define REGION_SHIFT (40) + #define H_KERN_MAP_SIZE (ASM_CONST(1) << REGION_SHIFT) + + /* +- * Define the address range of the kernel non-linear virtual area +- * 16TB ++ * Define the address range of the kernel non-linear virtual area (61TB) + */ +-#define H_KERN_VIRT_START ASM_CONST(0xc000100000000000) ++#define H_KERN_VIRT_START ASM_CONST(0xc0003d0000000000) + + #ifndef __ASSEMBLY__ + #define H_PTE_TABLE_SIZE (sizeof(pte_t) << H_PTE_INDEX_SIZE) +-- +2.25.1 + diff --git a/queue-5.9/powerpc-book3s64-radix-make-radix_mem_block_size-64b.patch b/queue-5.9/powerpc-book3s64-radix-make-radix_mem_block_size-64b.patch new file mode 100644 index 00000000000..19c44f4ab96 --- /dev/null +++ b/queue-5.9/powerpc-book3s64-radix-make-radix_mem_block_size-64b.patch @@ -0,0 +1,51 @@ +From 26977caaf02e60d34f1ac4b8c9ad1c8946cb3c28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 17:18:35 +0530 +Subject: powerpc/book3s64/radix: Make radix_mem_block_size 64bit + +From: Aneesh Kumar K.V + +[ Upstream commit 950805f4d90eda14325ceab56b0f00d034baa8bc ] + +Similar to commit 89c140bbaeee ("pseries: Fix 64 bit logical memory block panic") +make sure different variables tracking lmb_size are updated to be 64 bit. + +Fixes: af9d00e93a4f ("powerpc/mm/radix: Create separate mappings for hot-plugged memory") +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201007114836.282468-4-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/64/mmu.h | 2 +- + arch/powerpc/mm/book3s64/radix_pgtable.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/64/mmu.h b/arch/powerpc/include/asm/book3s/64/mmu.h +index b392384a3b150..86173bfc39feb 100644 +--- a/arch/powerpc/include/asm/book3s/64/mmu.h ++++ b/arch/powerpc/include/asm/book3s/64/mmu.h +@@ -85,7 +85,7 @@ extern unsigned int mmu_base_pid; + /* + * memory block size used with radix translation. + */ +-extern unsigned int __ro_after_init radix_mem_block_size; ++extern unsigned long __ro_after_init radix_mem_block_size; + + #define PRTB_SIZE_SHIFT (mmu_pid_bits + 4) + #define PRTB_ENTRIES (1ul << mmu_pid_bits) +diff --git a/arch/powerpc/mm/book3s64/radix_pgtable.c b/arch/powerpc/mm/book3s64/radix_pgtable.c +index d5f0c10d752a3..aae8550379bae 100644 +--- a/arch/powerpc/mm/book3s64/radix_pgtable.c ++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c +@@ -34,7 +34,7 @@ + + unsigned int mmu_pid_bits; + unsigned int mmu_base_pid; +-unsigned int radix_mem_block_size __ro_after_init; ++unsigned long radix_mem_block_size __ro_after_init; + + static __ref void *early_alloc_pgtable(unsigned long size, int nid, + unsigned long region_start, unsigned long region_end) +-- +2.25.1 + diff --git a/queue-5.9/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch b/queue-5.9/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch new file mode 100644 index 00000000000..36b73af1072 --- /dev/null +++ b/queue-5.9/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch @@ -0,0 +1,37 @@ +From 8bf90e96e96a977f5944f4298d80a76c532e1a1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jul 2018 10:03:27 +0200 +Subject: powerpc/icp-hv: Fix missing of_node_put() in success path + +From: Nicholas Mc Guire + +[ Upstream commit d3e669f31ec35856f5e85df9224ede5bdbf1bc7b ] + +Both of_find_compatible_node() and of_find_node_by_type() will return +a refcounted node on success - thus for the success path the node must +be explicitly released with a of_node_put(). + +Fixes: 0b05ac6e2480 ("powerpc/xics: Rewrite XICS driver") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1530691407-3991-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xics/icp-hv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/sysdev/xics/icp-hv.c b/arch/powerpc/sysdev/xics/icp-hv.c +index ad8117148ea3b..21b9d1bf39ff6 100644 +--- a/arch/powerpc/sysdev/xics/icp-hv.c ++++ b/arch/powerpc/sysdev/xics/icp-hv.c +@@ -174,6 +174,7 @@ int icp_hv_init(void) + + icp_ops = &icp_hv_ops; + ++ of_node_put(np); + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/powerpc-kasan-fix-config_kasan_vmalloc-for-8xx.patch b/queue-5.9/powerpc-kasan-fix-config_kasan_vmalloc-for-8xx.patch new file mode 100644 index 00000000000..09a4842f1f7 --- /dev/null +++ b/queue-5.9/powerpc-kasan-fix-config_kasan_vmalloc-for-8xx.patch @@ -0,0 +1,81 @@ +From b8c5d7cddf02f63011d5b6f283aa26b6cfaf2267 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 05:05:38 +0000 +Subject: powerpc/kasan: Fix CONFIG_KASAN_VMALLOC for 8xx + +From: Christophe Leroy + +[ Upstream commit 4c42dc5c69a8f24c467a6c997909d2f1d4efdc7f ] + +Before the commit identified below, pages tables allocation was +performed after the allocation of final shadow area for linear memory. +But that commit switched the order, leading to page tables being +already allocated at the time 8xx kasan_init_shadow_8M() is called. +Due to this, kasan_init_shadow_8M() doesn't map the needed +shadow entries because there are already page tables. + +kasan_init_shadow_8M() installs huge PMD entries instead of page +tables. We could at that time free the page tables, but there is no +point in creating page tables that get freed before being used. + +Only book3s/32 hash needs early allocation of page tables. For other +variants, we can keep the initial order and create remaining page +tables after the allocation of final shadow memory for linear mem. + +Move back the allocation of shadow page tables for +CONFIG_KASAN_VMALLOC into kasan_init() after the loop which creates +final shadow memory for linear mem. + +Fixes: 41ea93cf7ba4 ("powerpc/kasan: Fix shadow pages allocation failure") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/8ae4554357da4882612644a74387ae05525b2aaa.1599800716.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/kasan/kasan_init_32.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/mm/kasan/kasan_init_32.c b/arch/powerpc/mm/kasan/kasan_init_32.c +index fb294046e00e4..929716ea21e9c 100644 +--- a/arch/powerpc/mm/kasan/kasan_init_32.c ++++ b/arch/powerpc/mm/kasan/kasan_init_32.c +@@ -127,8 +127,7 @@ void __init kasan_mmu_init(void) + { + int ret; + +- if (early_mmu_has_feature(MMU_FTR_HPTE_TABLE) || +- IS_ENABLED(CONFIG_KASAN_VMALLOC)) { ++ if (early_mmu_has_feature(MMU_FTR_HPTE_TABLE)) { + ret = kasan_init_shadow_page_tables(KASAN_SHADOW_START, KASAN_SHADOW_END); + + if (ret) +@@ -139,11 +138,11 @@ void __init kasan_mmu_init(void) + void __init kasan_init(void) + { + struct memblock_region *reg; ++ int ret; + + for_each_memblock(memory, reg) { + phys_addr_t base = reg->base; + phys_addr_t top = min(base + reg->size, total_lowmem); +- int ret; + + if (base >= top) + continue; +@@ -153,6 +152,13 @@ void __init kasan_init(void) + panic("kasan: kasan_init_region() failed"); + } + ++ if (IS_ENABLED(CONFIG_KASAN_VMALLOC)) { ++ ret = kasan_init_shadow_page_tables(KASAN_SHADOW_START, KASAN_SHADOW_END); ++ ++ if (ret) ++ panic("kasan: kasan_init_shadow_page_tables() failed"); ++ } ++ + kasan_remap_early_shadow_ro(); + + clear_page(kasan_early_shadow_page); +-- +2.25.1 + diff --git a/queue-5.9/powerpc-papr_scm-add-papr-command-family-to-pass-thr.patch b/queue-5.9/powerpc-papr_scm-add-papr-command-family-to-pass-thr.patch new file mode 100644 index 00000000000..6cff974eb39 --- /dev/null +++ b/queue-5.9/powerpc-papr_scm-add-papr-command-family-to-pass-thr.patch @@ -0,0 +1,46 @@ +From 1849a8ba72095fdbf609505e9bf1d917467787cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 02:49:04 +0530 +Subject: powerpc/papr_scm: Add PAPR command family to pass-through command-set + +From: Vaibhav Jain + +[ Upstream commit 13135b461cf205941308984bd3271ec7d403dc40 ] + +Add NVDIMM_FAMILY_PAPR to the list of valid 'dimm_family_mask' +acceptable by papr_scm. This is needed as since commit +92fe2aa859f5 ("libnvdimm: Validate command family indices") libnvdimm +performs a validation of 'nd_cmd_pkg.nd_family' received as part of +ND_CMD_CALL processing to ensure only known command families can use +the general ND_CMD_CALL pass-through functionality. + +Without this change the ND_CMD_CALL pass-through targeting +NVDIMM_FAMILY_PAPR error out with -EINVAL. + +Fixes: 92fe2aa859f5 ("libnvdimm: Validate command family indices") +Signed-off-by: Vaibhav Jain +Reviewed-by: Ira Weiny +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200913211904.24472-1-vaibhav@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/papr_scm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c +index 5493bc847bd08..27268370dee00 100644 +--- a/arch/powerpc/platforms/pseries/papr_scm.c ++++ b/arch/powerpc/platforms/pseries/papr_scm.c +@@ -898,6 +898,9 @@ static int papr_scm_nvdimm_init(struct papr_scm_priv *p) + p->bus_desc.of_node = p->pdev->dev.of_node; + p->bus_desc.provider_name = kstrdup(p->pdev->name, GFP_KERNEL); + ++ /* Set the dimm command family mask to accept PDSMs */ ++ set_bit(NVDIMM_FAMILY_PAPR, &p->bus_desc.dimm_family_mask); ++ + if (!p->bus_desc.provider_name) + return -ENOMEM; + +-- +2.25.1 + diff --git a/queue-5.9/powerpc-papr_scm-fix-warning-triggered-by-perf_stats.patch b/queue-5.9/powerpc-papr_scm-fix-warning-triggered-by-perf_stats.patch new file mode 100644 index 00000000000..734a6102773 --- /dev/null +++ b/queue-5.9/powerpc-papr_scm-fix-warning-triggered-by-perf_stats.patch @@ -0,0 +1,65 @@ +From 217b5b8951d743737d3468cbb15dc15be7d3ecf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Sep 2020 13:44:51 +0530 +Subject: powerpc/papr_scm: Fix warning triggered by perf_stats_show() + +From: Vaibhav Jain + +[ Upstream commit ca78ef2f08ccfa29b711d644964cdf9d7ace15e5 ] + +A warning is reported by the kernel in case perf_stats_show() returns +an error code. The warning is of the form below: + + papr_scm ibm,persistent-memory:ibm,pmemory@44100001: + Failed to query performance stats, Err:-10 + dev_attr_show: perf_stats_show+0x0/0x1c0 [papr_scm] returned bad count + fill_read_buffer: dev_attr_show+0x0/0xb0 returned bad count + +On investigation it looks like that the compiler is silently +truncating the return value of drc_pmem_query_stats() from 'long' to +'int', since the variable used to store the return code 'rc' is an +'int'. This truncated value is then returned back as a 'ssize_t' back +from perf_stats_show() to 'dev_attr_show()' which thinks of it as a +large unsigned number and triggers this warning.. + +To fix this we update the type of variable 'rc' from 'int' to +'ssize_t' that prevents the compiler from truncating the return value +of drc_pmem_query_stats() and returning correct signed value back from +perf_stats_show(). + +Fixes: 2d02bf835e57 ("powerpc/papr_scm: Fetch nvdimm performance stats from PHYP") +Signed-off-by: Vaibhav Jain +Reviewed-by: Ira Weiny +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200912081451.66225-1-vaibhav@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/papr_scm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c +index a88a707a608aa..5493bc847bd08 100644 +--- a/arch/powerpc/platforms/pseries/papr_scm.c ++++ b/arch/powerpc/platforms/pseries/papr_scm.c +@@ -785,7 +785,8 @@ static int papr_scm_ndctl(struct nvdimm_bus_descriptor *nd_desc, + static ssize_t perf_stats_show(struct device *dev, + struct device_attribute *attr, char *buf) + { +- int index, rc; ++ int index; ++ ssize_t rc; + struct seq_buf s; + struct papr_scm_perf_stat *stat; + struct papr_scm_perf_stats *stats; +@@ -820,7 +821,7 @@ static ssize_t perf_stats_show(struct device *dev, + + free_stats: + kfree(stats); +- return rc ? rc : seq_buf_used(&s); ++ return rc ? rc : (ssize_t)seq_buf_used(&s); + } + DEVICE_ATTR_ADMIN_RO(perf_stats); + +-- +2.25.1 + diff --git a/queue-5.9/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch b/queue-5.9/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch new file mode 100644 index 00000000000..1360f31dc16 --- /dev/null +++ b/queue-5.9/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch @@ -0,0 +1,61 @@ +From 069a5a6ba814d5b96a2b99afd999c9e309ff1e2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 03:10:04 -0400 +Subject: powerpc/perf: Exclude pmc5/6 from the irrelevant PMU group + constraints + +From: Athira Rajeev + +[ Upstream commit 3b6c3adbb2fa42749c3d38cfc4d4d0b7e096bb7b ] + +PMU counter support functions enforces event constraints for group of +events to check if all events in a group can be monitored. Incase of +event codes using PMC5 and PMC6 ( 500fa and 600f4 respectively ), not +all constraints are applicable, say the threshold or sample bits. But +current code includes pmc5 and pmc6 in some group constraints (like +IC_DC Qualifier bits) which is actually not applicable and hence +results in those events not getting counted when scheduled along with +group of other events. Patch fixes this by excluding PMC5/6 from +constraints which are not relevant for it. + +Fixes: 7ffd948 ("powerpc/perf: factor out power8 pmu functions") +Signed-off-by: Athira Rajeev +Reviewed-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1600672204-1610-1-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/isa207-common.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c +index 964437adec185..2848904df6383 100644 +--- a/arch/powerpc/perf/isa207-common.c ++++ b/arch/powerpc/perf/isa207-common.c +@@ -288,6 +288,15 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp) + + mask |= CNST_PMC_MASK(pmc); + value |= CNST_PMC_VAL(pmc); ++ ++ /* ++ * PMC5 and PMC6 are used to count cycles and instructions and ++ * they do not support most of the constraint bits. Add a check ++ * to exclude PMC5/6 from most of the constraints except for ++ * EBB/BHRB. ++ */ ++ if (pmc >= 5) ++ goto ebb_bhrb; + } + + if (pmc <= 4) { +@@ -357,6 +366,7 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp) + } + } + ++ebb_bhrb: + if (!pmc && ebb) + /* EBB events must specify the PMC */ + return -1; +-- +2.25.1 + diff --git a/queue-5.9/powerpc-perf-hv-gpci-fix-starting-index-value.patch b/queue-5.9/powerpc-perf-hv-gpci-fix-starting-index-value.patch new file mode 100644 index 00000000000..16e30ee6fa5 --- /dev/null +++ b/queue-5.9/powerpc-perf-hv-gpci-fix-starting-index-value.patch @@ -0,0 +1,76 @@ +From 125aa06c08eb2ced0818ed35d33499331dcf071a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Oct 2020 13:19:39 +0530 +Subject: powerpc/perf/hv-gpci: Fix starting index value + +From: Kajol Jain + +[ Upstream commit 0f9866f7e85765bbda86666df56c92f377c3bc10 ] + +Commit 9e9f60108423f ("powerpc/perf/{hv-gpci, hv-common}: generate +requests with counters annotated") adds a framework for defining +gpci counters. +In this patch, they adds starting_index value as '0xffffffffffffffff'. +which is wrong as starting_index is of size 32 bits. + +Because of this, incase we try to run hv-gpci event we get error. + +In power9 machine: + +command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + -C 0 -I 1000 +event syntax error: '..bie_count_and_time_tlbie_instructions_issued/' + \___ value too big for format, maximum is 4294967295 + +This patch fix this issue and changes starting_index value to '0xffffffff' + +After this patch: + +command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ -C 0 -I 1000 + 1.000085786 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + 2.000287818 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + 2.439113909 17,408 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + +Fixes: 9e9f60108423 ("powerpc/perf/{hv-gpci, hv-common}: generate requests with counters annotated") +Signed-off-by: Kajol Jain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201003074943.338618-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-gpci-requests.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h +index e608f9db12ddc..8965b4463d433 100644 +--- a/arch/powerpc/perf/hv-gpci-requests.h ++++ b/arch/powerpc/perf/hv-gpci-requests.h +@@ -95,7 +95,7 @@ REQUEST(__field(0, 8, partition_id) + + #define REQUEST_NAME system_performance_capabilities + #define REQUEST_NUM 0x40 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__field(0, 1, perf_collect_privileged) + __field(0x1, 1, capability_mask) +@@ -223,7 +223,7 @@ REQUEST(__field(0, 2, partition_id) + + #define REQUEST_NAME system_hypervisor_times + #define REQUEST_NUM 0xF0 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors) + __count(0x8, 8, time_spent_processing_virtual_processor_timers) +@@ -234,7 +234,7 @@ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors) + + #define REQUEST_NAME system_tlbie_count_and_time + #define REQUEST_NUM 0xF4 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__count(0, 8, tlbie_instructions_issued) + /* +-- +2.25.1 + diff --git a/queue-5.9/powerpc-powernv-dump-fix-race-while-processing-opal-.patch b/queue-5.9/powerpc-powernv-dump-fix-race-while-processing-opal-.patch new file mode 100644 index 00000000000..897a89e5983 --- /dev/null +++ b/queue-5.9/powerpc-powernv-dump-fix-race-while-processing-opal-.patch @@ -0,0 +1,117 @@ +From 66594c2318f87a0e75f7a07efd401231fa3f2ec9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Oct 2020 22:12:10 +0530 +Subject: powerpc/powernv/dump: Fix race while processing OPAL dump + +From: Vasant Hegde + +[ Upstream commit 0a43ae3e2beb77e3481d812834d33abe270768ab ] + +Every dump reported by OPAL is exported to userspace through a sysfs +interface and notified using kobject_uevent(). The userspace daemon +(opal_errd) then reads the dump and acknowledges that the dump is +saved safely to disk. Once acknowledged the kernel removes the +respective sysfs file entry causing respective resources to be +released including kobject. + +However it's possible the userspace daemon may already be scanning +dump entries when a new sysfs dump entry is created by the kernel. +User daemon may read this new entry and ack it even before kernel can +notify userspace about it through kobject_uevent() call. If that +happens then we have a potential race between +dump_ack_store->kobject_put() and kobject_uevent which can lead to +use-after-free of a kernfs object resulting in a kernel crash. + +This patch fixes this race by protecting the sysfs file +creation/notification by holding a reference count on kobject until we +safely send kobject_uevent(). + +The function create_dump_obj() returns the dump object which if used +by caller function will end up in use-after-free problem again. +However, the return value of create_dump_obj() function isn't being +used today and there is no need as well. Hence change it to return +void to make this fix complete. + +Fixes: c7e64b9ce04a ("powerpc/powernv Platform dump interface") +Signed-off-by: Vasant Hegde +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201017164210.264619-1-hegdevasant@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-dump.c | 41 +++++++++++++++------- + 1 file changed, 29 insertions(+), 12 deletions(-) + +diff --git a/arch/powerpc/platforms/powernv/opal-dump.c b/arch/powerpc/platforms/powernv/opal-dump.c +index 543c816fa99ef..0e6693bacb7e7 100644 +--- a/arch/powerpc/platforms/powernv/opal-dump.c ++++ b/arch/powerpc/platforms/powernv/opal-dump.c +@@ -318,15 +318,14 @@ static ssize_t dump_attr_read(struct file *filep, struct kobject *kobj, + return count; + } + +-static struct dump_obj *create_dump_obj(uint32_t id, size_t size, +- uint32_t type) ++static void create_dump_obj(uint32_t id, size_t size, uint32_t type) + { + struct dump_obj *dump; + int rc; + + dump = kzalloc(sizeof(*dump), GFP_KERNEL); + if (!dump) +- return NULL; ++ return; + + dump->kobj.kset = dump_kset; + +@@ -346,21 +345,39 @@ static struct dump_obj *create_dump_obj(uint32_t id, size_t size, + rc = kobject_add(&dump->kobj, NULL, "0x%x-0x%x", type, id); + if (rc) { + kobject_put(&dump->kobj); +- return NULL; ++ return; + } + ++ /* ++ * As soon as the sysfs file for this dump is created/activated there is ++ * a chance the opal_errd daemon (or any userspace) might read and ++ * acknowledge the dump before kobject_uevent() is called. If that ++ * happens then there is a potential race between ++ * dump_ack_store->kobject_put() and kobject_uevent() which leads to a ++ * use-after-free of a kernfs object resulting in a kernel crash. ++ * ++ * To avoid that, we need to take a reference on behalf of the bin file, ++ * so that our reference remains valid while we call kobject_uevent(). ++ * We then drop our reference before exiting the function, leaving the ++ * bin file to drop the last reference (if it hasn't already). ++ */ ++ ++ /* Take a reference for the bin file */ ++ kobject_get(&dump->kobj); + rc = sysfs_create_bin_file(&dump->kobj, &dump->dump_attr); +- if (rc) { ++ if (rc == 0) { ++ kobject_uevent(&dump->kobj, KOBJ_ADD); ++ ++ pr_info("%s: New platform dump. ID = 0x%x Size %u\n", ++ __func__, dump->id, dump->size); ++ } else { ++ /* Drop reference count taken for bin file */ + kobject_put(&dump->kobj); +- return NULL; + } + +- pr_info("%s: New platform dump. ID = 0x%x Size %u\n", +- __func__, dump->id, dump->size); +- +- kobject_uevent(&dump->kobj, KOBJ_ADD); +- +- return dump; ++ /* Drop our reference */ ++ kobject_put(&dump->kobj); ++ return; + } + + static irqreturn_t process_dump(int irq, void *data) +-- +2.25.1 + diff --git a/queue-5.9/powerpc-ppc_secure_boot-should-not-require-powernv.patch b/queue-5.9/powerpc-ppc_secure_boot-should-not-require-powernv.patch new file mode 100644 index 00000000000..6176fd150a7 --- /dev/null +++ b/queue-5.9/powerpc-ppc_secure_boot-should-not-require-powernv.patch @@ -0,0 +1,48 @@ +From 886e4bc119cc66f9fa6d026f3f1598d33f79ee95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 11:49:22 +1000 +Subject: powerpc: PPC_SECURE_BOOT should not require PowerNV + +From: Daniel Axtens + +[ Upstream commit 5c5e46dad939b2bf4df04293ab9ac68abd7c1f55 ] + +In commit 61f879d97ce4 ("powerpc/pseries: Detect secure and trusted +boot state of the system.") we taught the kernel how to understand the +secure-boot parameters used by a pseries guest. + +However, CONFIG_PPC_SECURE_BOOT still requires PowerNV. I didn't +catch this because pseries_le_defconfig includes support for +PowerNV and so everything still worked. Indeed, most configs will. +Nonetheless, technically PPC_SECURE_BOOT doesn't require PowerNV +any more. + +The secure variables support (PPC_SECVAR_SYSFS) doesn't do anything +on pSeries yet, but I don't think it's worth adding a new condition - +at some stage we'll want to add a backend for pSeries anyway. + +Fixes: 61f879d97ce4 ("powerpc/pseries: Detect secure and trusted boot state of the system.") +Signed-off-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200924014922.172914-1-dja@axtens.net +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 787e829b6f25c..997da0221780b 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -980,7 +980,7 @@ config PPC_MEM_KEYS + config PPC_SECURE_BOOT + prompt "Enable secure boot support" + bool +- depends on PPC_POWERNV ++ depends on PPC_POWERNV || PPC_PSERIES + depends on IMA_ARCH_POLICY + imply IMA_SECURE_AND_OR_TRUSTED_BOOT + help +-- +2.25.1 + diff --git a/queue-5.9/powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch b/queue-5.9/powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch new file mode 100644 index 00000000000..bce2dcd9c57 --- /dev/null +++ b/queue-5.9/powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch @@ -0,0 +1,219 @@ +From a049955818cfab710563941a63aae8f07c394222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 12:09:46 +0530 +Subject: powerpc/pseries: Avoid using addr_to_pfn in real mode + +From: Ganesh Goudar + +[ Upstream commit 4ff753feab021242144818b9a3ba011238218145 ] + +When an UE or memory error exception is encountered the MCE handler +tries to find the pfn using addr_to_pfn() which takes effective +address as an argument, later pfn is used to poison the page where +memory error occurred, recent rework in this area made addr_to_pfn +to run in real mode, which can be fatal as it may try to access +memory outside RMO region. + +Have two helper functions to separate things to be done in real mode +and virtual mode without changing any functionality. This also fixes +the following error as the use of addr_to_pfn is now moved to virtual +mode. + +Without this change following kernel crash is seen on hitting UE. + +[ 485.128036] Oops: Kernel access of bad area, sig: 11 [#1] +[ 485.128040] LE SMP NR_CPUS=2048 NUMA pSeries +[ 485.128047] Modules linked in: +[ 485.128067] CPU: 15 PID: 6536 Comm: insmod Kdump: loaded Tainted: G OE 5.7.0 #22 +[ 485.128074] NIP: c00000000009b24c LR: c0000000000398d8 CTR: c000000000cd57c0 +[ 485.128078] REGS: c000000003f1f970 TRAP: 0300 Tainted: G OE (5.7.0) +[ 485.128082] MSR: 8000000000001003 CR: 28008284 XER: 00000001 +[ 485.128088] CFAR: c00000000009b190 DAR: c0000001fab00000 DSISR: 40000000 IRQMASK: 1 +[ 485.128088] GPR00: 0000000000000001 c000000003f1fbf0 c000000001634300 0000b0fa01000000 +[ 485.128088] GPR04: d000000002220000 0000000000000000 00000000fab00000 0000000000000022 +[ 485.128088] GPR08: c0000001fab00000 0000000000000000 c0000001fab00000 c000000003f1fc14 +[ 485.128088] GPR12: 0000000000000008 c000000003ff5880 d000000002100008 0000000000000000 +[ 485.128088] GPR16: 000000000000ff20 000000000000fff1 000000000000fff2 d0000000021a1100 +[ 485.128088] GPR20: d000000002200000 c00000015c893c50 c000000000d49b28 c00000015c893c50 +[ 485.128088] GPR24: d0000000021a0d08 c0000000014e5da8 d0000000021a0818 000000000000000a +[ 485.128088] GPR28: 0000000000000008 000000000000000a c0000000017e2970 000000000000000a +[ 485.128125] NIP [c00000000009b24c] __find_linux_pte+0x11c/0x310 +[ 485.128130] LR [c0000000000398d8] addr_to_pfn+0x138/0x170 +[ 485.128133] Call Trace: +[ 485.128135] Instruction dump: +[ 485.128138] 3929ffff 7d4a3378 7c883c36 7d2907b4 794a1564 7d294038 794af082 3900ffff +[ 485.128144] 79291f24 790af00e 78e70020 7d095214 <7c69502a> 2fa30000 419e011c 70690040 +[ 485.128152] ---[ end trace d34b27e29ae0e340 ]--- + +Fixes: 9ca766f9891d ("powerpc/64s/pseries: machine check convert to use common event code") +Signed-off-by: Ganesh Goudar +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200724063946.21378-1-ganeshgr@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/ras.c | 118 ++++++++++++++++----------- + 1 file changed, 69 insertions(+), 49 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c +index 13c86a292c6d7..b2b245b25edba 100644 +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -521,18 +521,55 @@ int pSeries_system_reset_exception(struct pt_regs *regs) + return 0; /* need to perform reset */ + } + ++static int mce_handle_err_realmode(int disposition, u8 error_type) ++{ ++#ifdef CONFIG_PPC_BOOK3S_64 ++ if (disposition == RTAS_DISP_NOT_RECOVERED) { ++ switch (error_type) { ++ case MC_ERROR_TYPE_SLB: ++ case MC_ERROR_TYPE_ERAT: ++ /* ++ * Store the old slb content in paca before flushing. ++ * Print this when we go to virtual mode. ++ * There are chances that we may hit MCE again if there ++ * is a parity error on the SLB entry we trying to read ++ * for saving. Hence limit the slb saving to single ++ * level of recursion. ++ */ ++ if (local_paca->in_mce == 1) ++ slb_save_contents(local_paca->mce_faulty_slbs); ++ flush_and_reload_slb(); ++ disposition = RTAS_DISP_FULLY_RECOVERED; ++ break; ++ default: ++ break; ++ } ++ } else if (disposition == RTAS_DISP_LIMITED_RECOVERY) { ++ /* Platform corrected itself but could be degraded */ ++ pr_err("MCE: limited recovery, system may be degraded\n"); ++ disposition = RTAS_DISP_FULLY_RECOVERED; ++ } ++#endif ++ return disposition; ++} + +-static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) ++static int mce_handle_err_virtmode(struct pt_regs *regs, ++ struct rtas_error_log *errp, ++ struct pseries_mc_errorlog *mce_log, ++ int disposition) + { + struct mce_error_info mce_err = { 0 }; +- unsigned long eaddr = 0, paddr = 0; +- struct pseries_errorlog *pseries_log; +- struct pseries_mc_errorlog *mce_log; +- int disposition = rtas_error_disposition(errp); + int initiator = rtas_error_initiator(errp); + int severity = rtas_error_severity(errp); ++ unsigned long eaddr = 0, paddr = 0; + u8 error_type, err_sub_type; + ++ if (!mce_log) ++ goto out; ++ ++ error_type = mce_log->error_type; ++ err_sub_type = rtas_mc_error_sub_type(mce_log); ++ + if (initiator == RTAS_INITIATOR_UNKNOWN) + mce_err.initiator = MCE_INITIATOR_UNKNOWN; + else if (initiator == RTAS_INITIATOR_CPU) +@@ -571,18 +608,7 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) + mce_err.error_type = MCE_ERROR_TYPE_UNKNOWN; + mce_err.error_class = MCE_ECLASS_UNKNOWN; + +- if (!rtas_error_extended(errp)) +- goto out; +- +- pseries_log = get_pseries_errorlog(errp, PSERIES_ELOG_SECT_ID_MCE); +- if (pseries_log == NULL) +- goto out; +- +- mce_log = (struct pseries_mc_errorlog *)pseries_log->data; +- error_type = mce_log->error_type; +- err_sub_type = rtas_mc_error_sub_type(mce_log); +- +- switch (mce_log->error_type) { ++ switch (error_type) { + case MC_ERROR_TYPE_UE: + mce_err.error_type = MCE_ERROR_TYPE_UE; + mce_common_process_ue(regs, &mce_err); +@@ -682,37 +708,31 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) + mce_err.error_type = MCE_ERROR_TYPE_UNKNOWN; + break; + } ++out: ++ save_mce_event(regs, disposition == RTAS_DISP_FULLY_RECOVERED, ++ &mce_err, regs->nip, eaddr, paddr); ++ return disposition; ++} + +-#ifdef CONFIG_PPC_BOOK3S_64 +- if (disposition == RTAS_DISP_NOT_RECOVERED) { +- switch (error_type) { +- case MC_ERROR_TYPE_SLB: +- case MC_ERROR_TYPE_ERAT: +- /* +- * Store the old slb content in paca before flushing. +- * Print this when we go to virtual mode. +- * There are chances that we may hit MCE again if there +- * is a parity error on the SLB entry we trying to read +- * for saving. Hence limit the slb saving to single +- * level of recursion. +- */ +- if (local_paca->in_mce == 1) +- slb_save_contents(local_paca->mce_faulty_slbs); +- flush_and_reload_slb(); +- disposition = RTAS_DISP_FULLY_RECOVERED; +- break; +- default: +- break; +- } +- } else if (disposition == RTAS_DISP_LIMITED_RECOVERY) { +- /* Platform corrected itself but could be degraded */ +- printk(KERN_ERR "MCE: limited recovery, system may " +- "be degraded\n"); +- disposition = RTAS_DISP_FULLY_RECOVERED; +- } +-#endif ++static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) ++{ ++ struct pseries_errorlog *pseries_log; ++ struct pseries_mc_errorlog *mce_log = NULL; ++ int disposition = rtas_error_disposition(errp); ++ u8 error_type; ++ ++ if (!rtas_error_extended(errp)) ++ goto out; ++ ++ pseries_log = get_pseries_errorlog(errp, PSERIES_ELOG_SECT_ID_MCE); ++ if (!pseries_log) ++ goto out; ++ ++ mce_log = (struct pseries_mc_errorlog *)pseries_log->data; ++ error_type = mce_log->error_type; ++ ++ disposition = mce_handle_err_realmode(disposition, error_type); + +-out: + /* + * Enable translation as we will be accessing per-cpu variables + * in save_mce_event() which may fall outside RMO region, also +@@ -723,10 +743,10 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp) + * Note: All the realmode handling like flushing SLB entries for + * SLB multihit is done by now. + */ ++out: + mtmsr(mfmsr() | MSR_IR | MSR_DR); +- save_mce_event(regs, disposition == RTAS_DISP_FULLY_RECOVERED, +- &mce_err, regs->nip, eaddr, paddr); +- ++ disposition = mce_handle_err_virtmode(regs, errp, mce_log, ++ disposition); + return disposition; + } + +-- +2.25.1 + diff --git a/queue-5.9/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch b/queue-5.9/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch new file mode 100644 index 00000000000..e42f9773d0f --- /dev/null +++ b/queue-5.9/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch @@ -0,0 +1,76 @@ +From b55b086185e490af3d33a114f59f960a0f1bb5f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 10:11:31 -0500 +Subject: powerpc/pseries: explicitly reschedule during drmem_lmb list + traversal + +From: Nathan Lynch + +[ Upstream commit 9d6792ffe140240ae54c881cc4183f9acc24b4df ] + +The drmem lmb list can have hundreds of thousands of entries, and +unfortunately lookups take the form of linear searches. As long as +this is the case, traversals have the potential to monopolize the CPU +and provoke lockup reports, workqueue stalls, and the like unless +they explicitly yield. + +Rather than placing cond_resched() calls within various +for_each_drmem_lmb() loop blocks in the code, put it in the iteration +expression of the loop macro itself so users can't omit it. + +Introduce a drmem_lmb_next() iteration helper function which calls +cond_resched() at a regular interval during array traversal. Each +iteration of the loop in DLPAR code paths can involve around ten RTAS +calls which can each take up to 250us, so this ensures the check is +performed at worst every few milliseconds. + +Fixes: 6c6ea53725b3 ("powerpc/mm: Separate ibm, dynamic-memory data from DT format") +Signed-off-by: Nathan Lynch +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200813151131.2070161-1-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/drmem.h | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/drmem.h b/arch/powerpc/include/asm/drmem.h +index 17ccc6474ab6f..6fb928605ed13 100644 +--- a/arch/powerpc/include/asm/drmem.h ++++ b/arch/powerpc/include/asm/drmem.h +@@ -8,6 +8,8 @@ + #ifndef _ASM_POWERPC_LMB_H + #define _ASM_POWERPC_LMB_H + ++#include ++ + struct drmem_lmb { + u64 base_addr; + u32 drc_index; +@@ -26,8 +28,22 @@ struct drmem_lmb_info { + + extern struct drmem_lmb_info *drmem_info; + ++static inline struct drmem_lmb *drmem_lmb_next(struct drmem_lmb *lmb, ++ const struct drmem_lmb *start) ++{ ++ /* ++ * DLPAR code paths can take several milliseconds per element ++ * when interacting with firmware. Ensure that we don't ++ * unfairly monopolize the CPU. ++ */ ++ if (((++lmb - start) % 16) == 0) ++ cond_resched(); ++ ++ return lmb; ++} ++ + #define for_each_drmem_lmb_in_range(lmb, start, end) \ +- for ((lmb) = (start); (lmb) < (end); (lmb)++) ++ for ((lmb) = (start); (lmb) < (end); lmb = drmem_lmb_next(lmb, start)) + + #define for_each_drmem_lmb(lmb) \ + for_each_drmem_lmb_in_range((lmb), \ +-- +2.25.1 + diff --git a/queue-5.9/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch b/queue-5.9/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch new file mode 100644 index 00000000000..cb87777a2c1 --- /dev/null +++ b/queue-5.9/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch @@ -0,0 +1,37 @@ +From fa53bbda91b9efca70b55de4635850f8985657a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jul 2018 11:08:16 +0200 +Subject: powerpc/pseries: Fix missing of_node_put() in rng_init() + +From: Nicholas Mc Guire + +[ Upstream commit 67c3e59443f5fc77be39e2ce0db75fbfa78c7965 ] + +The call to of_find_compatible_node() returns a node pointer with +refcount incremented thus it must be explicitly decremented here +before returning. + +Fixes: a489043f4626 ("powerpc/pseries: Implement arch_get_random_long() based on H_RANDOM") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1530522496-14816-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/rng.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/pseries/rng.c b/arch/powerpc/platforms/pseries/rng.c +index bbb97169bf63e..6268545947b83 100644 +--- a/arch/powerpc/platforms/pseries/rng.c ++++ b/arch/powerpc/platforms/pseries/rng.c +@@ -36,6 +36,7 @@ static __init int rng_init(void) + + ppc_md.get_random_seed = pseries_get_random_long; + ++ of_node_put(dn); + return 0; + } + machine_subsys_initcall(pseries, rng_init); +-- +2.25.1 + diff --git a/queue-5.9/powerpc-pseries-svm-allocate-swiotlb-buffer-anywhere.patch b/queue-5.9/powerpc-pseries-svm-allocate-swiotlb-buffer-anywhere.patch new file mode 100644 index 00000000000..a0263098fa9 --- /dev/null +++ b/queue-5.9/powerpc-pseries-svm-allocate-swiotlb-buffer-anywhere.patch @@ -0,0 +1,128 @@ +From 26a09b804d4bef8c0b9a4a0485e4b3e2396f4805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 19:11:26 -0300 +Subject: powerpc/pseries/svm: Allocate SWIOTLB buffer anywhere in memory + +From: Thiago Jung Bauermann + +[ Upstream commit eae9eec476d13fad9af6da1f44a054ee02b7b161 ] + +POWER secure guests (i.e., guests which use the Protected Execution +Facility) need to use SWIOTLB to be able to do I/O with the +hypervisor, but they don't need the SWIOTLB memory to be in low +addresses since the hypervisor doesn't have any addressing limitation. + +This solves a SWIOTLB initialization problem we are seeing in secure +guests with 128 GB of RAM: they are configured with 4 GB of +crashkernel reserved memory, which leaves no space for SWIOTLB in low +addresses. + +To do this, we use mostly the same code as swiotlb_init(), but +allocate the buffer using memblock_alloc() instead of +memblock_alloc_low(). + +Fixes: 2efbc58f157a ("powerpc/pseries/svm: Force SWIOTLB for secure guests") +Signed-off-by: Thiago Jung Bauermann +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200818221126.391073-1-bauerman@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/svm.h | 4 ++++ + arch/powerpc/mm/mem.c | 6 +++++- + arch/powerpc/platforms/pseries/svm.c | 26 ++++++++++++++++++++++++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/svm.h b/arch/powerpc/include/asm/svm.h +index 85580b30aba48..7546402d796af 100644 +--- a/arch/powerpc/include/asm/svm.h ++++ b/arch/powerpc/include/asm/svm.h +@@ -15,6 +15,8 @@ static inline bool is_secure_guest(void) + return mfmsr() & MSR_S; + } + ++void __init svm_swiotlb_init(void); ++ + void dtl_cache_ctor(void *addr); + #define get_dtl_cache_ctor() (is_secure_guest() ? dtl_cache_ctor : NULL) + +@@ -25,6 +27,8 @@ static inline bool is_secure_guest(void) + return false; + } + ++static inline void svm_swiotlb_init(void) {} ++ + #define get_dtl_cache_ctor() NULL + + #endif /* CONFIG_PPC_SVM */ +diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c +index 42e25874f5a8f..ddc32cc1b6cfc 100644 +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -49,6 +49,7 @@ + #include + #include + #include ++#include + + #include + +@@ -282,7 +283,10 @@ void __init mem_init(void) + * back to to-down. + */ + memblock_set_bottom_up(true); +- swiotlb_init(0); ++ if (is_secure_guest()) ++ svm_swiotlb_init(); ++ else ++ swiotlb_init(0); + #endif + + high_memory = (void *) __va(max_low_pfn * PAGE_SIZE); +diff --git a/arch/powerpc/platforms/pseries/svm.c b/arch/powerpc/platforms/pseries/svm.c +index e6d7a344d9f22..7b739cc7a8a93 100644 +--- a/arch/powerpc/platforms/pseries/svm.c ++++ b/arch/powerpc/platforms/pseries/svm.c +@@ -7,6 +7,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -35,6 +36,31 @@ static int __init init_svm(void) + } + machine_early_initcall(pseries, init_svm); + ++/* ++ * Initialize SWIOTLB. Essentially the same as swiotlb_init(), except that it ++ * can allocate the buffer anywhere in memory. Since the hypervisor doesn't have ++ * any addressing limitation, we don't need to allocate it in low addresses. ++ */ ++void __init svm_swiotlb_init(void) ++{ ++ unsigned char *vstart; ++ unsigned long bytes, io_tlb_nslabs; ++ ++ io_tlb_nslabs = (swiotlb_size_or_default() >> IO_TLB_SHIFT); ++ io_tlb_nslabs = ALIGN(io_tlb_nslabs, IO_TLB_SEGSIZE); ++ ++ bytes = io_tlb_nslabs << IO_TLB_SHIFT; ++ ++ vstart = memblock_alloc(PAGE_ALIGN(bytes), PAGE_SIZE); ++ if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, false)) ++ return; ++ ++ if (io_tlb_start) ++ memblock_free_early(io_tlb_start, ++ PAGE_ALIGN(io_tlb_nslabs << IO_TLB_SHIFT)); ++ panic("SVM: Cannot allocate SWIOTLB buffer"); ++} ++ + int set_memory_encrypted(unsigned long addr, int numpages) + { + if (!PAGE_ALIGNED(addr)) +-- +2.25.1 + diff --git a/queue-5.9/powerpc-security-fix-link-stack-flush-instruction.patch b/queue-5.9/powerpc-security-fix-link-stack-flush-instruction.patch new file mode 100644 index 00000000000..e96a6759593 --- /dev/null +++ b/queue-5.9/powerpc-security-fix-link-stack-flush-instruction.patch @@ -0,0 +1,127 @@ +From 15ddd63d9646b11eae2fbdb1d477c6e3888ea830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 18:06:05 +1000 +Subject: powerpc/security: Fix link stack flush instruction + +From: Nicholas Piggin + +[ Upstream commit 792254a77201453d9a77479e63dc216ad90462d2 ] + +The inline execution path for the hardware assisted branch flush +instruction failed to set CTR to the correct value before bcctr, +causing a crash when the feature is enabled. + +Fixes: 4d24e21cc694 ("powerpc/security: Allow for processors that flush the link stack using the special bcctr") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201007080605.64423-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/asm-prototypes.h | 4 ++- + arch/powerpc/kernel/entry_64.S | 8 ++++-- + arch/powerpc/kernel/security.c | 34 ++++++++++++++++------- + 3 files changed, 33 insertions(+), 13 deletions(-) + +diff --git a/arch/powerpc/include/asm/asm-prototypes.h b/arch/powerpc/include/asm/asm-prototypes.h +index de14b1a34d568..9652756b0694c 100644 +--- a/arch/powerpc/include/asm/asm-prototypes.h ++++ b/arch/powerpc/include/asm/asm-prototypes.h +@@ -144,7 +144,9 @@ void _kvmppc_restore_tm_pr(struct kvm_vcpu *vcpu, u64 guest_msr); + void _kvmppc_save_tm_pr(struct kvm_vcpu *vcpu, u64 guest_msr); + + /* Patch sites */ +-extern s32 patch__call_flush_branch_caches; ++extern s32 patch__call_flush_branch_caches1; ++extern s32 patch__call_flush_branch_caches2; ++extern s32 patch__call_flush_branch_caches3; + extern s32 patch__flush_count_cache_return; + extern s32 patch__flush_link_stack_return; + extern s32 patch__call_kvm_flush_link_stack; +diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S +index 733e40eba4ebe..2f3846192ec7d 100644 +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -430,7 +430,11 @@ _ASM_NOKPROBE_SYMBOL(save_nvgprs); + + #define FLUSH_COUNT_CACHE \ + 1: nop; \ +- patch_site 1b, patch__call_flush_branch_caches ++ patch_site 1b, patch__call_flush_branch_caches1; \ ++1: nop; \ ++ patch_site 1b, patch__call_flush_branch_caches2; \ ++1: nop; \ ++ patch_site 1b, patch__call_flush_branch_caches3 + + .macro nops number + .rept \number +@@ -512,7 +516,7 @@ _GLOBAL(_switch) + + kuap_check_amr r9, r10 + +- FLUSH_COUNT_CACHE ++ FLUSH_COUNT_CACHE /* Clobbers r9, ctr */ + + /* + * On SMP kernels, care must be taken because a task may be +diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c +index c9876aab31421..e4e1a94ccf6a6 100644 +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -430,30 +430,44 @@ device_initcall(stf_barrier_debugfs_init); + + static void update_branch_cache_flush(void) + { ++ u32 *site; ++ + #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE ++ site = &patch__call_kvm_flush_link_stack; + // This controls the branch from guest_exit_cont to kvm_flush_link_stack + if (link_stack_flush_type == BRANCH_CACHE_FLUSH_NONE) { +- patch_instruction_site(&patch__call_kvm_flush_link_stack, +- ppc_inst(PPC_INST_NOP)); ++ patch_instruction_site(site, ppc_inst(PPC_INST_NOP)); + } else { + // Could use HW flush, but that could also flush count cache +- patch_branch_site(&patch__call_kvm_flush_link_stack, +- (u64)&kvm_flush_link_stack, BRANCH_SET_LINK); ++ patch_branch_site(site, (u64)&kvm_flush_link_stack, BRANCH_SET_LINK); + } + #endif + ++ // Patch out the bcctr first, then nop the rest ++ site = &patch__call_flush_branch_caches3; ++ patch_instruction_site(site, ppc_inst(PPC_INST_NOP)); ++ site = &patch__call_flush_branch_caches2; ++ patch_instruction_site(site, ppc_inst(PPC_INST_NOP)); ++ site = &patch__call_flush_branch_caches1; ++ patch_instruction_site(site, ppc_inst(PPC_INST_NOP)); ++ + // This controls the branch from _switch to flush_branch_caches + if (count_cache_flush_type == BRANCH_CACHE_FLUSH_NONE && + link_stack_flush_type == BRANCH_CACHE_FLUSH_NONE) { +- patch_instruction_site(&patch__call_flush_branch_caches, +- ppc_inst(PPC_INST_NOP)); ++ // Nothing to be done ++ + } else if (count_cache_flush_type == BRANCH_CACHE_FLUSH_HW && + link_stack_flush_type == BRANCH_CACHE_FLUSH_HW) { +- patch_instruction_site(&patch__call_flush_branch_caches, +- ppc_inst(PPC_INST_BCCTR_FLUSH)); ++ // Patch in the bcctr last ++ site = &patch__call_flush_branch_caches1; ++ patch_instruction_site(site, ppc_inst(0x39207fff)); // li r9,0x7fff ++ site = &patch__call_flush_branch_caches2; ++ patch_instruction_site(site, ppc_inst(0x7d2903a6)); // mtctr r9 ++ site = &patch__call_flush_branch_caches3; ++ patch_instruction_site(site, ppc_inst(PPC_INST_BCCTR_FLUSH)); ++ + } else { +- patch_branch_site(&patch__call_flush_branch_caches, +- (u64)&flush_branch_caches, BRANCH_SET_LINK); ++ patch_branch_site(site, (u64)&flush_branch_caches, BRANCH_SET_LINK); + + // If we just need to flush the link stack, early return + if (count_cache_flush_type == BRANCH_CACHE_FLUSH_NONE) { +-- +2.25.1 + diff --git a/queue-5.9/powerpc-tau-check-processor-type-before-enabling-tau.patch b/queue-5.9/powerpc-tau-check-processor-type-before-enabling-tau.patch new file mode 100644 index 00000000000..9c53588d4b0 --- /dev/null +++ b/queue-5.9/powerpc-tau-check-processor-type-before-enabling-tau.patch @@ -0,0 +1,116 @@ +From 6404233e8e5fd53d1577a2748ee780b86728c16a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Check processor type before enabling TAU interrupt + +From: Finn Thain + +[ Upstream commit 5e3119e15fed5b9a9a7e528665ff098a4a8dbdbc ] + +According to Freescale's documentation, MPC74XX processors have an +erratum that prevents the TAU interrupt from working, so don't try to +use it when running on those processors. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/c281611544768e758bd58fe812cf702a5bd2d042.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 33 ++++++++++++++------------------- + arch/powerpc/platforms/Kconfig | 5 ++--- + 2 files changed, 16 insertions(+), 22 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index b8d7e7d498e0a..614b5b272d9c6 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -40,6 +40,8 @@ static struct tau_temp + unsigned char grew; + } tau[NR_CPUS]; + ++static bool tau_int_enable; ++ + #undef DEBUG + + /* TODO: put these in a /proc interface, with some sanity checks, and maybe +@@ -54,22 +56,13 @@ static struct tau_temp + + static void set_thresholds(unsigned long cpu) + { +-#ifdef CONFIG_TAU_INT +- /* +- * setup THRM1, +- * threshold, valid bit, enable interrupts, interrupt when below threshold +- */ +- mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | THRM1_TIE | THRM1_TID); ++ u32 maybe_tie = tau_int_enable ? THRM1_TIE : 0; + +- /* setup THRM2, +- * threshold, valid bit, enable interrupts, interrupt when above threshold +- */ +- mtspr (SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V | THRM1_TIE); +-#else +- /* same thing but don't enable interrupts */ +- mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | THRM1_TID); +- mtspr(SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V); +-#endif ++ /* setup THRM1, threshold, valid bit, interrupt when below threshold */ ++ mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | maybe_tie | THRM1_TID); ++ ++ /* setup THRM2, threshold, valid bit, interrupt when above threshold */ ++ mtspr(SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V | maybe_tie); + } + + static void TAUupdate(int cpu) +@@ -142,9 +135,8 @@ static void tau_timeout(void * info) + local_irq_save(flags); + cpu = smp_processor_id(); + +-#ifndef CONFIG_TAU_INT +- TAUupdate(cpu); +-#endif ++ if (!tau_int_enable) ++ TAUupdate(cpu); + + size = tau[cpu].high - tau[cpu].low; + if (size > min_window && ! tau[cpu].grew) { +@@ -225,6 +217,9 @@ static int __init TAU_init(void) + return 1; + } + ++ tau_int_enable = IS_ENABLED(CONFIG_TAU_INT) && ++ !strcmp(cur_cpu_spec->platform, "ppc750"); ++ + tau_workq = alloc_workqueue("tau", WQ_UNBOUND, 1, 0); + if (!tau_workq) + return -ENOMEM; +@@ -234,7 +229,7 @@ static int __init TAU_init(void) + queue_work(tau_workq, &tau_work); + + pr_info("Thermal assist unit using %s, shrink_timer: %d ms\n", +- IS_ENABLED(CONFIG_TAU_INT) ? "interrupts" : "workqueue", shrink_timer); ++ tau_int_enable ? "interrupts" : "workqueue", shrink_timer); + tau_initialized = 1; + + return 0; +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig +index fb7515b4fa9c6..9fe36f0b54c1a 100644 +--- a/arch/powerpc/platforms/Kconfig ++++ b/arch/powerpc/platforms/Kconfig +@@ -223,9 +223,8 @@ config TAU + temperature within 2-4 degrees Celsius. This option shows the current + on-die temperature in /proc/cpuinfo if the cpu supports it. + +- Unfortunately, on some chip revisions, this sensor is very inaccurate +- and in many cases, does not work at all, so don't assume the cpu +- temp is actually what /proc/cpuinfo says it is. ++ Unfortunately, this sensor is very inaccurate when uncalibrated, so ++ don't assume the cpu temp is actually what /proc/cpuinfo says it is. + + config TAU_INT + bool "Interrupt driven TAU driver (DANGEROUS)" +-- +2.25.1 + diff --git a/queue-5.9/powerpc-tau-convert-from-timer-to-workqueue.patch b/queue-5.9/powerpc-tau-convert-from-timer-to-workqueue.patch new file mode 100644 index 00000000000..8a7a73ab99b --- /dev/null +++ b/queue-5.9/powerpc-tau-convert-from-timer-to-workqueue.patch @@ -0,0 +1,153 @@ +From 6048771f72cac688ec7b10fa7b9c3339ba4afd2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Convert from timer to workqueue + +From: Finn Thain + +[ Upstream commit b1c6a0a10bfaf36ec82fde6f621da72407fa60a1 ] + +Since commit 19dbdcb8039cf ("smp: Warn on function calls from softirq +context") the Thermal Assist Unit driver causes a warning like the +following when CONFIG_SMP is enabled. + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at kernel/smp.c:428 smp_call_function_many_cond+0xf4/0x38c + Modules linked in: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac #3 + NIP: c00b37a8 LR: c00b3abc CTR: c001218c + REGS: c0799c60 TRAP: 0700 Not tainted (5.7.0-pmac) + MSR: 00029032 CR: 42000224 XER: 00000000 + GPR00: c00b3abc c0799d18 c076e300 c079ef5c c0011fec 00000000 00000000 00000000 + GPR08: 00000100 00000100 00008000 ffffffff 42000224 00000000 c079d040 c079d044 + GPR16: 00000001 00000000 00000004 c0799da0 c079f054 c07a0000 c07a0000 00000000 + GPR24: c0011fec 00000000 c079ef5c c079ef5c 00000000 00000000 00000000 00000000 + NIP [c00b37a8] smp_call_function_many_cond+0xf4/0x38c + LR [c00b3abc] on_each_cpu+0x38/0x68 + Call Trace: + [c0799d18] [ffffffff] 0xffffffff (unreliable) + [c0799d68] [c00b3abc] on_each_cpu+0x38/0x68 + [c0799d88] [c0096704] call_timer_fn.isra.26+0x20/0x7c + [c0799d98] [c0096b40] run_timer_softirq+0x1d4/0x3fc + [c0799df8] [c05b4368] __do_softirq+0x118/0x240 + [c0799e58] [c0039c44] irq_exit+0xc4/0xcc + [c0799e68] [c000ade8] timer_interrupt+0x1b0/0x230 + [c0799ea8] [c0013520] ret_from_except+0x0/0x14 + --- interrupt: 901 at arch_cpu_idle+0x24/0x6c + LR = arch_cpu_idle+0x24/0x6c + [c0799f70] [00000001] 0x1 (unreliable) + [c0799f80] [c0060990] do_idle+0xd8/0x17c + [c0799fa0] [c0060ba8] cpu_startup_entry+0x24/0x28 + [c0799fb0] [c072d220] start_kernel+0x434/0x44c + [c0799ff0] [00003860] 0x3860 + Instruction dump: + 8129f204 2f890000 40beff98 3d20c07a 8929eec4 2f890000 40beff88 0fe00000 + 81220000 552805de 550802ef 4182ff84 <0fe00000> 3860ffff 7f65db78 7f44d378 + ---[ end trace 34a886e47819c2eb ]--- + +Don't call on_each_cpu() from a timer callback, call it from a worker +thread instead. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/bb61650bea4f4c91fb8e24b9a6f130a1438651a7.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 38 +++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 976d5bc1b5176..268205cc347da 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -13,13 +13,14 @@ + */ + + #include +-#include + #include + #include + #include + #include + #include + #include ++#include ++#include + + #include + #include +@@ -39,8 +40,6 @@ static struct tau_temp + unsigned char grew; + } tau[NR_CPUS]; + +-struct timer_list tau_timer; +- + #undef DEBUG + + /* TODO: put these in a /proc interface, with some sanity checks, and maybe +@@ -50,7 +49,7 @@ struct timer_list tau_timer; + #define step_size 2 /* step size when temp goes out of range */ + #define window_expand 1 /* expand the window by this much */ + /* configurable values for shrinking the window */ +-#define shrink_timer 2*HZ /* period between shrinking the window */ ++#define shrink_timer 2000 /* period between shrinking the window */ + #define min_window 2 /* minimum window size, degrees C */ + + static void set_thresholds(unsigned long cpu) +@@ -187,14 +186,18 @@ static void tau_timeout(void * info) + local_irq_restore(flags); + } + +-static void tau_timeout_smp(struct timer_list *unused) +-{ ++static struct workqueue_struct *tau_workq; + +- /* schedule ourselves to be run again */ +- mod_timer(&tau_timer, jiffies + shrink_timer) ; ++static void tau_work_func(struct work_struct *work) ++{ ++ msleep(shrink_timer); + on_each_cpu(tau_timeout, NULL, 0); ++ /* schedule ourselves to be run again */ ++ queue_work(tau_workq, work); + } + ++DECLARE_WORK(tau_work, tau_work_func); ++ + /* + * setup the TAU + * +@@ -227,21 +230,16 @@ static int __init TAU_init(void) + return 1; + } + +- +- /* first, set up the window shrinking timer */ +- timer_setup(&tau_timer, tau_timeout_smp, 0); +- tau_timer.expires = jiffies + shrink_timer; +- add_timer(&tau_timer); ++ tau_workq = alloc_workqueue("tau", WQ_UNBOUND, 1, 0); ++ if (!tau_workq) ++ return -ENOMEM; + + on_each_cpu(TAU_init_smp, NULL, 0); + +- printk("Thermal assist unit "); +-#ifdef CONFIG_TAU_INT +- printk("using interrupts, "); +-#else +- printk("using timers, "); +-#endif +- printk("shrink_timer: %d jiffies\n", shrink_timer); ++ queue_work(tau_workq, &tau_work); ++ ++ pr_info("Thermal assist unit using %s, shrink_timer: %d ms\n", ++ IS_ENABLED(CONFIG_TAU_INT) ? "interrupts" : "workqueue", shrink_timer); + tau_initialized = 1; + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/powerpc-tau-disable-tau-between-measurements.patch b/queue-5.9/powerpc-tau-disable-tau-between-measurements.patch new file mode 100644 index 00000000000..3a504a45a1d --- /dev/null +++ b/queue-5.9/powerpc-tau-disable-tau-between-measurements.patch @@ -0,0 +1,199 @@ +From d15af0972b7810ec077dcbc38ae5c7b2c3556b2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Disable TAU between measurements + +From: Finn Thain + +[ Upstream commit e63d6fb5637e92725cf143559672a34b706bca4f ] + +Enabling CONFIG_TAU_INT causes random crashes: + +Unrecoverable exception 1700 at c0009414 (msr=1000) +Oops: Unrecoverable exception, sig: 6 [#1] +BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac-00043-gd5f545e1a8593 #5 +NIP: c0009414 LR: c0009414 CTR: c00116fc +REGS: c0799eb8 TRAP: 1700 Not tainted (5.7.0-pmac-00043-gd5f545e1a8593) +MSR: 00001000 CR: 22000228 XER: 00000100 + +GPR00: 00000000 c0799f70 c076e300 00800000 0291c0ac 00e00000 c076e300 00049032 +GPR08: 00000001 c00116fc 00000000 dfbd3200 ffffffff 007f80a8 00000000 00000000 +GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c075ce04 +GPR24: c075ce04 dfff8880 c07b0000 c075ce04 00080000 00000001 c079ef98 c079ef5c +NIP [c0009414] arch_cpu_idle+0x24/0x6c +LR [c0009414] arch_cpu_idle+0x24/0x6c +Call Trace: +[c0799f70] [00000001] 0x1 (unreliable) +[c0799f80] [c0060990] do_idle+0xd8/0x17c +[c0799fa0] [c0060ba4] cpu_startup_entry+0x20/0x28 +[c0799fb0] [c072d220] start_kernel+0x434/0x44c +[c0799ff0] [00003860] 0x3860 +Instruction dump: +XXXXXXXX XXXXXXXX XXXXXXXX 3d20c07b XXXXXXXX XXXXXXXX XXXXXXXX 7c0802a6 +XXXXXXXX XXXXXXXX XXXXXXXX 4e800421 XXXXXXXX XXXXXXXX XXXXXXXX 7d2000a6 +---[ end trace 3a0c9b5cb216db6b ]--- + +Resolve this problem by disabling each THRMn comparator when handling +the associated THRMn interrupt and by disabling the TAU entirely when +updating THRMn thresholds. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/5a0ba3dc5612c7aac596727331284a3676c08472.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 65 +++++++++++++--------------------- + arch/powerpc/platforms/Kconfig | 9 ++--- + 2 files changed, 26 insertions(+), 48 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 614b5b272d9c6..0b4694b8d2482 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -42,8 +42,6 @@ static struct tau_temp + + static bool tau_int_enable; + +-#undef DEBUG +- + /* TODO: put these in a /proc interface, with some sanity checks, and maybe + * dynamic adjustment to minimize # of interrupts */ + /* configurable values for step size and how much to expand the window when +@@ -67,42 +65,33 @@ static void set_thresholds(unsigned long cpu) + + static void TAUupdate(int cpu) + { +- unsigned thrm; +- +-#ifdef DEBUG +- printk("TAUupdate "); +-#endif ++ u32 thrm; ++ u32 bits = THRM1_TIV | THRM1_TIN | THRM1_V; + + /* if both thresholds are crossed, the step_sizes cancel out + * and the window winds up getting expanded twice. */ +- if((thrm = mfspr(SPRN_THRM1)) & THRM1_TIV){ /* is valid? */ +- if(thrm & THRM1_TIN){ /* crossed low threshold */ +- if (tau[cpu].low >= step_size){ +- tau[cpu].low -= step_size; +- tau[cpu].high -= (step_size - window_expand); +- } +- tau[cpu].grew = 1; +-#ifdef DEBUG +- printk("low threshold crossed "); +-#endif ++ thrm = mfspr(SPRN_THRM1); ++ if ((thrm & bits) == bits) { ++ mtspr(SPRN_THRM1, 0); ++ ++ if (tau[cpu].low >= step_size) { ++ tau[cpu].low -= step_size; ++ tau[cpu].high -= (step_size - window_expand); + } ++ tau[cpu].grew = 1; ++ pr_debug("%s: low threshold crossed\n", __func__); + } +- if((thrm = mfspr(SPRN_THRM2)) & THRM1_TIV){ /* is valid? */ +- if(thrm & THRM1_TIN){ /* crossed high threshold */ +- if (tau[cpu].high <= 127-step_size){ +- tau[cpu].low += (step_size - window_expand); +- tau[cpu].high += step_size; +- } +- tau[cpu].grew = 1; +-#ifdef DEBUG +- printk("high threshold crossed "); +-#endif ++ thrm = mfspr(SPRN_THRM2); ++ if ((thrm & bits) == bits) { ++ mtspr(SPRN_THRM2, 0); ++ ++ if (tau[cpu].high <= 127 - step_size) { ++ tau[cpu].low += (step_size - window_expand); ++ tau[cpu].high += step_size; + } ++ tau[cpu].grew = 1; ++ pr_debug("%s: high threshold crossed\n", __func__); + } +- +-#ifdef DEBUG +- printk("grew = %d\n", tau[cpu].grew); +-#endif + } + + #ifdef CONFIG_TAU_INT +@@ -127,17 +116,17 @@ void TAUException(struct pt_regs * regs) + static void tau_timeout(void * info) + { + int cpu; +- unsigned long flags; + int size; + int shrink; + +- /* disabling interrupts *should* be okay */ +- local_irq_save(flags); + cpu = smp_processor_id(); + + if (!tau_int_enable) + TAUupdate(cpu); + ++ /* Stop thermal sensor comparisons and interrupts */ ++ mtspr(SPRN_THRM3, 0); ++ + size = tau[cpu].high - tau[cpu].low; + if (size > min_window && ! tau[cpu].grew) { + /* do an exponential shrink of half the amount currently over size */ +@@ -159,18 +148,12 @@ static void tau_timeout(void * info) + + set_thresholds(cpu); + +- /* +- * Do the enable every time, since otherwise a bunch of (relatively) +- * complex sleep code needs to be added. One mtspr every time +- * tau_timeout is called is probably not a big deal. +- * ++ /* Restart thermal sensor comparisons and interrupts. + * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet" + * recommends that "the maximum value be set in THRM3 under all + * conditions." + */ + mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E); +- +- local_irq_restore(flags); + } + + static struct workqueue_struct *tau_workq; +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig +index 9fe36f0b54c1a..b439b027a42f1 100644 +--- a/arch/powerpc/platforms/Kconfig ++++ b/arch/powerpc/platforms/Kconfig +@@ -227,7 +227,7 @@ config TAU + don't assume the cpu temp is actually what /proc/cpuinfo says it is. + + config TAU_INT +- bool "Interrupt driven TAU driver (DANGEROUS)" ++ bool "Interrupt driven TAU driver (EXPERIMENTAL)" + depends on TAU + help + The TAU supports an interrupt driven mode which causes an interrupt +@@ -235,12 +235,7 @@ config TAU_INT + to get notified the temp has exceeded a range. With this option off, + a timer is used to re-check the temperature periodically. + +- However, on some cpus it appears that the TAU interrupt hardware +- is buggy and can cause a situation which would lead unexplained hard +- lockups. +- +- Unless you are extending the TAU driver, or enjoy kernel/hardware +- debugging, leave this option off. ++ If in doubt, say N here. + + config TAU_AVERAGE + bool "Average high and low temp" +-- +2.25.1 + diff --git a/queue-5.9/powerpc-tau-remove-duplicated-set_thresholds-call.patch b/queue-5.9/powerpc-tau-remove-duplicated-set_thresholds-call.patch new file mode 100644 index 00000000000..d34f766a9e7 --- /dev/null +++ b/queue-5.9/powerpc-tau-remove-duplicated-set_thresholds-call.patch @@ -0,0 +1,44 @@ +From 1b7072bec568bdc46690df0c6e061cb96482d901 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Remove duplicated set_thresholds() call + +From: Finn Thain + +[ Upstream commit 420ab2bc7544d978a5d0762ee736412fe9c796ab ] + +The commentary at the call site seems to disagree with the code. The +conditional prevents calling set_thresholds() via the exception handler, +which appears to crash. Perhaps that's because it immediately triggers +another TAU exception. Anyway, calling set_thresholds() from TAUupdate() +is redundant because tau_timeout() does so. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/d7c7ee33232cf72a6a6bbb6ef05838b2e2b113c0.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 268205cc347da..b8d7e7d498e0a 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -110,11 +110,6 @@ static void TAUupdate(int cpu) + #ifdef DEBUG + printk("grew = %d\n", tau[cpu].grew); + #endif +- +-#ifndef CONFIG_TAU_INT /* tau_timeout will do this if not using interrupts */ +- set_thresholds(cpu); +-#endif +- + } + + #ifdef CONFIG_TAU_INT +-- +2.25.1 + diff --git a/queue-5.9/powerpc-tau-use-appropriate-temperature-sample-inter.patch b/queue-5.9/powerpc-tau-use-appropriate-temperature-sample-inter.patch new file mode 100644 index 00000000000..af1d9cb7b6c --- /dev/null +++ b/queue-5.9/powerpc-tau-use-appropriate-temperature-sample-inter.patch @@ -0,0 +1,68 @@ +From cb2539ea5689724c5b6be45a3c5d903f9e5a26dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Use appropriate temperature sample interval + +From: Finn Thain + +[ Upstream commit 66943005cc41f48e4d05614e8f76c0ca1812f0fd ] + +According to the MPC750 Users Manual, the SITV value in Thermal +Management Register 3 is 13 bits long. The present code calculates the +SITV value as 60 * 500 cycles. This would overflow to give 10 us on +a 500 MHz CPU rather than the intended 60 us. (But according to the +Microprocessor Datasheet, there is also a factor of 266 that has to be +applied to this value on certain parts i.e. speed sort above 266 MHz.) +Always use the maximum cycle count, as recommended by the Datasheet. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/896f542e5f0f1d6cf8218524c2b67d79f3d69b3c.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/reg.h | 2 +- + arch/powerpc/kernel/tau_6xx.c | 12 ++++-------- + 2 files changed, 5 insertions(+), 9 deletions(-) + +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h +index 88fb88491fe9f..5647006ed373e 100644 +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -817,7 +817,7 @@ + #define THRM1_TIN (1 << 31) + #define THRM1_TIV (1 << 30) + #define THRM1_THRES(x) ((x&0x7f)<<23) +-#define THRM3_SITV(x) ((x&0x3fff)<<1) ++#define THRM3_SITV(x) ((x & 0x1fff) << 1) + #define THRM1_TID (1<<2) + #define THRM1_TIE (1<<1) + #define THRM1_V (1<<0) +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index e2ab8a111b693..976d5bc1b5176 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -178,15 +178,11 @@ static void tau_timeout(void * info) + * complex sleep code needs to be added. One mtspr every time + * tau_timeout is called is probably not a big deal. + * +- * Enable thermal sensor and set up sample interval timer +- * need 20 us to do the compare.. until a nice 'cpu_speed' function +- * call is implemented, just assume a 500 mhz clock. It doesn't really +- * matter if we take too long for a compare since it's all interrupt +- * driven anyway. +- * +- * use a extra long time.. (60 us @ 500 mhz) ++ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet" ++ * recommends that "the maximum value be set in THRM3 under all ++ * conditions." + */ +- mtspr(SPRN_THRM3, THRM3_SITV(500*60) | THRM3_E); ++ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E); + + local_irq_restore(flags); + } +-- +2.25.1 + diff --git a/queue-5.9/powerpc-watchpoint-add-hw_len-wherever-missing.patch b/queue-5.9/powerpc-watchpoint-add-hw_len-wherever-missing.patch new file mode 100644 index 00000000000..73213bed9b6 --- /dev/null +++ b/queue-5.9/powerpc-watchpoint-add-hw_len-wherever-missing.patch @@ -0,0 +1,53 @@ +From 20fb1fcffb1cfba2e55a98e16dd4d958815c47af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 09:59:43 +0530 +Subject: powerpc/watchpoint: Add hw_len wherever missing + +From: Ravi Bangoria + +[ Upstream commit 58da5984d2ea6d95f3f9d9e8dd9f7e1b0dddfb3c ] + +There are couple of places where we set len but not hw_len. For +ptrace/perf watchpoints, when CONFIG_HAVE_HW_BREAKPOINT=Y, hw_len +will be calculated and set internally while parsing watchpoint. +But when CONFIG_HAVE_HW_BREAKPOINT=N, we need to manually set +'hw_len'. Similarly for xmon as well, hw_len needs to be set +directly. + +Fixes: b57aeab811db ("powerpc/watchpoint: Fix length calculation for unaligned target") +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200902042945.129369-7-ravi.bangoria@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/ptrace/ptrace-noadv.c | 1 + + arch/powerpc/xmon/xmon.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/ptrace/ptrace-noadv.c b/arch/powerpc/kernel/ptrace/ptrace-noadv.c +index 697c7e4b5877f..8bd8d8de5c40b 100644 +--- a/arch/powerpc/kernel/ptrace/ptrace-noadv.c ++++ b/arch/powerpc/kernel/ptrace/ptrace-noadv.c +@@ -219,6 +219,7 @@ long ppc_set_hwdebug(struct task_struct *child, struct ppc_hw_breakpoint *bp_inf + brk.address = ALIGN_DOWN(bp_info->addr, HW_BREAKPOINT_SIZE); + brk.type = HW_BRK_TYPE_TRANSLATE; + brk.len = DABR_MAX_LEN; ++ brk.hw_len = DABR_MAX_LEN; + if (bp_info->trigger_type & PPC_BREAKPOINT_TRIGGER_READ) + brk.type |= HW_BRK_TYPE_READ; + if (bp_info->trigger_type & PPC_BREAKPOINT_TRIGGER_WRITE) +diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c +index df7bca00f5ec9..55c43a6c91112 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -969,6 +969,7 @@ static void insert_cpu_bpts(void) + brk.address = dabr[i].address; + brk.type = (dabr[i].enabled & HW_BRK_TYPE_DABR) | HW_BRK_TYPE_PRIV_ALL; + brk.len = 8; ++ brk.hw_len = 8; + __set_breakpoint(i, &brk); + } + } +-- +2.25.1 + diff --git a/queue-5.9/powerpc-watchpoint-fix-handling-of-vector-instructio.patch b/queue-5.9/powerpc-watchpoint-fix-handling-of-vector-instructio.patch new file mode 100644 index 00000000000..c9d76b7f29b --- /dev/null +++ b/queue-5.9/powerpc-watchpoint-fix-handling-of-vector-instructio.patch @@ -0,0 +1,39 @@ +From 34c76eb3a67016198a74fd9f8fd17c56bce9205a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 09:59:39 +0530 +Subject: powerpc/watchpoint: Fix handling of vector instructions + +From: Ravi Bangoria + +[ Upstream commit 4441eb02333a9b46a0d919aa7a6d3b137b5f2562 ] + +Vector load/store instructions are special because they are always +aligned. Thus unaligned EA needs to be aligned down before comparing +it with watch ranges. Otherwise we might consider valid event as +invalid. + +Fixes: 74c6881019b7 ("powerpc/watchpoint: Prepare handler to handle more than one watchpoint") +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200902042945.129369-3-ravi.bangoria@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/hw_breakpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/hw_breakpoint.c b/arch/powerpc/kernel/hw_breakpoint.c +index 9f7df1c372330..f6b24838ca3c0 100644 +--- a/arch/powerpc/kernel/hw_breakpoint.c ++++ b/arch/powerpc/kernel/hw_breakpoint.c +@@ -644,6 +644,8 @@ static void get_instr_detail(struct pt_regs *regs, struct ppc_inst *instr, + if (*type == CACHEOP) { + *size = cache_op_size(); + *ea &= ~(*size - 1); ++ } else if (*type == LOAD_VMX || *type == STORE_VMX) { ++ *ea &= ~(*size - 1); + } + } + +-- +2.25.1 + diff --git a/queue-5.9/powerpc-watchpoint-fix-quadword-instruction-handling.patch b/queue-5.9/powerpc-watchpoint-fix-quadword-instruction-handling.patch new file mode 100644 index 00000000000..9f2e07b06f3 --- /dev/null +++ b/queue-5.9/powerpc-watchpoint-fix-quadword-instruction-handling.patch @@ -0,0 +1,67 @@ +From 21435398dd9926d961eee9b68c874237839fa6c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 09:59:38 +0530 +Subject: powerpc/watchpoint: Fix quadword instruction handling on p10 + predecessors + +From: Ravi Bangoria + +[ Upstream commit 4759c11ed20454b7b36db4ec15f7d5aa1519af4a ] + +On p10 predecessors, watchpoint with quadword access is compared at +quadword length. If the watch range is doubleword or less than that +in a first half of quadword aligned 16 bytes, and if there is any +unaligned quadword access which will access only the 2nd half, the +handler should consider it as extraneous and emulate/single-step it +before continuing. + +Fixes: 74c6881019b7 ("powerpc/watchpoint: Prepare handler to handle more than one watchpoint") +Reported-by: Pedro Miraglia Franco de Carvalho +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200902042945.129369-2-ravi.bangoria@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/hw_breakpoint.h | 1 + + arch/powerpc/kernel/hw_breakpoint.c | 12 ++++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/hw_breakpoint.h b/arch/powerpc/include/asm/hw_breakpoint.h +index db206a7f38e24..9b68eafebf439 100644 +--- a/arch/powerpc/include/asm/hw_breakpoint.h ++++ b/arch/powerpc/include/asm/hw_breakpoint.h +@@ -42,6 +42,7 @@ struct arch_hw_breakpoint { + #else + #define HW_BREAKPOINT_SIZE 0x8 + #endif ++#define HW_BREAKPOINT_SIZE_QUADWORD 0x10 + + #define DABR_MAX_LEN 8 + #define DAWR_MAX_LEN 512 +diff --git a/arch/powerpc/kernel/hw_breakpoint.c b/arch/powerpc/kernel/hw_breakpoint.c +index 1f4a1efa00744..9f7df1c372330 100644 +--- a/arch/powerpc/kernel/hw_breakpoint.c ++++ b/arch/powerpc/kernel/hw_breakpoint.c +@@ -520,9 +520,17 @@ static bool ea_hw_range_overlaps(unsigned long ea, int size, + struct arch_hw_breakpoint *info) + { + unsigned long hw_start_addr, hw_end_addr; ++ unsigned long align_size = HW_BREAKPOINT_SIZE; + +- hw_start_addr = ALIGN_DOWN(info->address, HW_BREAKPOINT_SIZE); +- hw_end_addr = ALIGN(info->address + info->len, HW_BREAKPOINT_SIZE); ++ /* ++ * On p10 predecessors, quadword is handle differently then ++ * other instructions. ++ */ ++ if (!cpu_has_feature(CPU_FTR_ARCH_31) && size == 16) ++ align_size = HW_BREAKPOINT_SIZE_QUADWORD; ++ ++ hw_start_addr = ALIGN_DOWN(info->address, align_size); ++ hw_end_addr = ALIGN(info->address + info->len, align_size); + + return ((ea < hw_end_addr) && (ea + size > hw_start_addr)); + } +-- +2.25.1 + diff --git a/queue-5.9/pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch b/queue-5.9/pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch new file mode 100644 index 00000000000..3e7825545e5 --- /dev/null +++ b/queue-5.9/pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch @@ -0,0 +1,210 @@ +From 7c5a7cfeb6bc6c901546b470918faaa1d7b95cac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 20:51:15 -0500 +Subject: pseries/drmem: don't cache node id in drmem_lmb struct + +From: Scott Cheloha + +[ Upstream commit e5e179aa3a39c818db8fbc2dce8d2cd24adaf657 ] + +At memory hot-remove time we can retrieve an LMB's nid from its +corresponding memory_block. There is no need to store the nid +in multiple locations. + +Note that lmb_to_memblock() uses find_memory_block() to get the +corresponding memory_block. As find_memory_block() runs in sub-linear +time this approach is negligibly slower than what we do at present. + +In exchange for this lookup at hot-remove time we no longer need to +call memory_add_physaddr_to_nid() during drmem_init() for each LMB. +On powerpc, memory_add_physaddr_to_nid() is a linear search, so this +spares us an O(n^2) initialization during boot. + +On systems with many LMBs that initialization overhead is palpable and +disruptive. For example, on a box with 249854 LMBs we're seeing +drmem_init() take upwards of 30 seconds to complete: + +[ 53.721639] drmem: initializing drmem v2 +[ 80.604346] watchdog: BUG: soft lockup - CPU#65 stuck for 23s! [swapper/0:1] +[ 80.604377] Modules linked in: +[ 80.604389] CPU: 65 PID: 1 Comm: swapper/0 Not tainted 5.6.0-rc2+ #4 +[ 80.604397] NIP: c0000000000a4980 LR: c0000000000a4940 CTR: 0000000000000000 +[ 80.604407] REGS: c0002dbff8493830 TRAP: 0901 Not tainted (5.6.0-rc2+) +[ 80.604412] MSR: 8000000002009033 CR: 44000248 XER: 0000000d +[ 80.604431] CFAR: c0000000000a4a38 IRQMASK: 0 +[ 80.604431] GPR00: c0000000000a4940 c0002dbff8493ac0 c000000001904400 c0003cfffffede30 +[ 80.604431] GPR04: 0000000000000000 c000000000f4095a 000000000000002f 0000000010000000 +[ 80.604431] GPR08: c0000bf7ecdb7fb8 c0000bf7ecc2d3c8 0000000000000008 c00c0002fdfb2001 +[ 80.604431] GPR12: 0000000000000000 c00000001e8ec200 +[ 80.604477] NIP [c0000000000a4980] hot_add_scn_to_nid+0xa0/0x3e0 +[ 80.604486] LR [c0000000000a4940] hot_add_scn_to_nid+0x60/0x3e0 +[ 80.604492] Call Trace: +[ 80.604498] [c0002dbff8493ac0] [c0000000000a4940] hot_add_scn_to_nid+0x60/0x3e0 (unreliable) +[ 80.604509] [c0002dbff8493b20] [c000000000087c10] memory_add_physaddr_to_nid+0x20/0x60 +[ 80.604521] [c0002dbff8493b40] [c0000000010d4880] drmem_init+0x25c/0x2f0 +[ 80.604530] [c0002dbff8493c10] [c000000000010154] do_one_initcall+0x64/0x2c0 +[ 80.604540] [c0002dbff8493ce0] [c0000000010c4aa0] kernel_init_freeable+0x2d8/0x3a0 +[ 80.604550] [c0002dbff8493db0] [c000000000010824] kernel_init+0x2c/0x148 +[ 80.604560] [c0002dbff8493e20] [c00000000000b648] ret_from_kernel_thread+0x5c/0x74 +[ 80.604567] Instruction dump: +[ 80.604574] 392918e8 e9490000 e90a000a e92a0000 80ea000c 1d080018 3908ffe8 7d094214 +[ 80.604586] 7fa94040 419d00dc e9490010 714a0088 <2faa0008> 409e00ac e9490000 7fbe5040 +[ 89.047390] drmem: 249854 LMB(s) + +With a patched kernel on the same machine we're no longer seeing the +soft lockup. drmem_init() now completes in negligible time, even when +the LMB count is large. + +Fixes: b2d3b5ee66f2 ("powerpc/pseries: Track LMB nid instead of using device tree") +Signed-off-by: Scott Cheloha +Reviewed-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200811015115.63677-1-cheloha@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/drmem.h | 21 ---------------- + arch/powerpc/mm/drmem.c | 6 +---- + .../platforms/pseries/hotplug-memory.c | 24 ++++++++++++------- + 3 files changed, 17 insertions(+), 34 deletions(-) + +diff --git a/arch/powerpc/include/asm/drmem.h b/arch/powerpc/include/asm/drmem.h +index 6fb928605ed13..030a19d922132 100644 +--- a/arch/powerpc/include/asm/drmem.h ++++ b/arch/powerpc/include/asm/drmem.h +@@ -15,9 +15,6 @@ struct drmem_lmb { + u32 drc_index; + u32 aa_index; + u32 flags; +-#ifdef CONFIG_MEMORY_HOTPLUG +- int nid; +-#endif + }; + + struct drmem_lmb_info { +@@ -121,22 +118,4 @@ static inline void invalidate_lmb_associativity_index(struct drmem_lmb *lmb) + lmb->aa_index = 0xffffffff; + } + +-#ifdef CONFIG_MEMORY_HOTPLUG +-static inline void lmb_set_nid(struct drmem_lmb *lmb) +-{ +- lmb->nid = memory_add_physaddr_to_nid(lmb->base_addr); +-} +-static inline void lmb_clear_nid(struct drmem_lmb *lmb) +-{ +- lmb->nid = -1; +-} +-#else +-static inline void lmb_set_nid(struct drmem_lmb *lmb) +-{ +-} +-static inline void lmb_clear_nid(struct drmem_lmb *lmb) +-{ +-} +-#endif +- + #endif /* _ASM_POWERPC_LMB_H */ +diff --git a/arch/powerpc/mm/drmem.c b/arch/powerpc/mm/drmem.c +index b2eeea39684ca..9af3832c9d8dc 100644 +--- a/arch/powerpc/mm/drmem.c ++++ b/arch/powerpc/mm/drmem.c +@@ -389,10 +389,8 @@ static void __init init_drmem_v1_lmbs(const __be32 *prop) + if (!drmem_info->lmbs) + return; + +- for_each_drmem_lmb(lmb) { ++ for_each_drmem_lmb(lmb) + read_drconf_v1_cell(lmb, &prop); +- lmb_set_nid(lmb); +- } + } + + static void __init init_drmem_v2_lmbs(const __be32 *prop) +@@ -437,8 +435,6 @@ static void __init init_drmem_v2_lmbs(const __be32 *prop) + + lmb->aa_index = dr_cell.aa_index; + lmb->flags = dr_cell.flags; +- +- lmb_set_nid(lmb); + } + } + } +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index 5d545b78111f9..0ea976d1cac47 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -354,25 +354,32 @@ static int dlpar_add_lmb(struct drmem_lmb *); + + static int dlpar_remove_lmb(struct drmem_lmb *lmb) + { ++ struct memory_block *mem_block; + unsigned long block_sz; + int rc; + + if (!lmb_is_removable(lmb)) + return -EINVAL; + ++ mem_block = lmb_to_memblock(lmb); ++ if (mem_block == NULL) ++ return -EINVAL; ++ + rc = dlpar_offline_lmb(lmb); +- if (rc) ++ if (rc) { ++ put_device(&mem_block->dev); + return rc; ++ } + + block_sz = pseries_memory_block_size(); + +- __remove_memory(lmb->nid, lmb->base_addr, block_sz); ++ __remove_memory(mem_block->nid, lmb->base_addr, block_sz); ++ put_device(&mem_block->dev); + + /* Update memory regions for memory remove */ + memblock_remove(lmb->base_addr, block_sz); + + invalidate_lmb_associativity_index(lmb); +- lmb_clear_nid(lmb); + lmb->flags &= ~DRCONF_MEM_ASSIGNED; + + return 0; +@@ -591,7 +598,7 @@ static int dlpar_memory_remove_by_ic(u32 lmbs_to_remove, u32 drc_index) + static int dlpar_add_lmb(struct drmem_lmb *lmb) + { + unsigned long block_sz; +- int rc; ++ int nid, rc; + + if (lmb->flags & DRCONF_MEM_ASSIGNED) + return -EINVAL; +@@ -602,11 +609,13 @@ static int dlpar_add_lmb(struct drmem_lmb *lmb) + return rc; + } + +- lmb_set_nid(lmb); + block_sz = memory_block_size_bytes(); + ++ /* Find the node id for this address. */ ++ nid = memory_add_physaddr_to_nid(lmb->base_addr); ++ + /* Add the memory */ +- rc = __add_memory(lmb->nid, lmb->base_addr, block_sz); ++ rc = __add_memory(nid, lmb->base_addr, block_sz); + if (rc) { + invalidate_lmb_associativity_index(lmb); + return rc; +@@ -614,9 +623,8 @@ static int dlpar_add_lmb(struct drmem_lmb *lmb) + + rc = dlpar_online_lmb(lmb); + if (rc) { +- __remove_memory(lmb->nid, lmb->base_addr, block_sz); ++ __remove_memory(nid, lmb->base_addr, block_sz); + invalidate_lmb_associativity_index(lmb); +- lmb_clear_nid(lmb); + } else { + lmb->flags |= DRCONF_MEM_ASSIGNED; + } +-- +2.25.1 + diff --git a/queue-5.9/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch b/queue-5.9/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch new file mode 100644 index 00000000000..8b2886354ea --- /dev/null +++ b/queue-5.9/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch @@ -0,0 +1,140 @@ +From cf1ea7d84347f78e61e872df6d0ac2eb13ba8dcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:00:45 +0200 +Subject: pty: do tty_flip_buffer_push without port->lock in pty_write + +From: Artem Savkov + +[ Upstream commit 71a174b39f10b4b93223d374722aa894b5d8a82e ] + +b6da31b2c07c "tty: Fix data race in tty_insert_flip_string_fixed_flag" +puts tty_flip_buffer_push under port->lock introducing the following +possible circular locking dependency: + +[30129.876566] ====================================================== +[30129.876566] WARNING: possible circular locking dependency detected +[30129.876567] 5.9.0-rc2+ #3 Tainted: G S W +[30129.876568] ------------------------------------------------------ +[30129.876568] sysrq.sh/1222 is trying to acquire lock: +[30129.876569] ffffffff92c39480 (console_owner){....}-{0:0}, at: console_unlock+0x3fe/0xa90 + +[30129.876572] but task is already holding lock: +[30129.876572] ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca + +[30129.876576] which lock already depends on the new lock. + +[30129.876577] the existing dependency chain (in reverse order) is: + +[30129.876578] -> #3 (&pool->lock/1){-.-.}-{2:2}: +[30129.876581] _raw_spin_lock+0x30/0x70 +[30129.876581] __queue_work+0x1a3/0x10f0 +[30129.876582] queue_work_on+0x78/0x80 +[30129.876582] pty_write+0x165/0x1e0 +[30129.876583] n_tty_write+0x47f/0xf00 +[30129.876583] tty_write+0x3d6/0x8d0 +[30129.876584] vfs_write+0x1a8/0x650 + +[30129.876588] -> #2 (&port->lock#2){-.-.}-{2:2}: +[30129.876590] _raw_spin_lock_irqsave+0x3b/0x80 +[30129.876591] tty_port_tty_get+0x1d/0xb0 +[30129.876592] tty_port_default_wakeup+0xb/0x30 +[30129.876592] serial8250_tx_chars+0x3d6/0x970 +[30129.876593] serial8250_handle_irq.part.12+0x216/0x380 +[30129.876593] serial8250_default_handle_irq+0x82/0xe0 +[30129.876594] serial8250_interrupt+0xdd/0x1b0 +[30129.876595] __handle_irq_event_percpu+0xfc/0x850 + +[30129.876602] -> #1 (&port->lock){-.-.}-{2:2}: +[30129.876605] _raw_spin_lock_irqsave+0x3b/0x80 +[30129.876605] serial8250_console_write+0x12d/0x900 +[30129.876606] console_unlock+0x679/0xa90 +[30129.876606] register_console+0x371/0x6e0 +[30129.876607] univ8250_console_init+0x24/0x27 +[30129.876607] console_init+0x2f9/0x45e + +[30129.876609] -> #0 (console_owner){....}-{0:0}: +[30129.876611] __lock_acquire+0x2f70/0x4e90 +[30129.876612] lock_acquire+0x1ac/0xad0 +[30129.876612] console_unlock+0x460/0xa90 +[30129.876613] vprintk_emit+0x130/0x420 +[30129.876613] printk+0x9f/0xc5 +[30129.876614] show_pwq+0x154/0x618 +[30129.876615] show_workqueue_state.cold.55+0x193/0x6ca +[30129.876615] __handle_sysrq+0x244/0x460 +[30129.876616] write_sysrq_trigger+0x48/0x4a +[30129.876616] proc_reg_write+0x1a6/0x240 +[30129.876617] vfs_write+0x1a8/0x650 + +[30129.876619] other info that might help us debug this: + +[30129.876620] Chain exists of: +[30129.876621] console_owner --> &port->lock#2 --> &pool->lock/1 + +[30129.876625] Possible unsafe locking scenario: + +[30129.876626] CPU0 CPU1 +[30129.876626] ---- ---- +[30129.876627] lock(&pool->lock/1); +[30129.876628] lock(&port->lock#2); +[30129.876630] lock(&pool->lock/1); +[30129.876631] lock(console_owner); + +[30129.876633] *** DEADLOCK *** + +[30129.876634] 5 locks held by sysrq.sh/1222: +[30129.876634] #0: ffff8881d3ce0470 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x359/0x650 +[30129.876637] #1: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: __handle_sysrq+0x4d/0x460 +[30129.876640] #2: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: show_workqueue_state+0x5/0xf0 +[30129.876642] #3: ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca +[30129.876645] #4: ffffffff92c39980 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x123/0x420 + +[30129.876648] stack backtrace: +[30129.876649] CPU: 3 PID: 1222 Comm: sysrq.sh Tainted: G S W 5.9.0-rc2+ #3 +[30129.876649] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012 +[30129.876650] Call Trace: +[30129.876650] dump_stack+0x9d/0xe0 +[30129.876651] check_noncircular+0x34f/0x410 +[30129.876653] __lock_acquire+0x2f70/0x4e90 +[30129.876656] lock_acquire+0x1ac/0xad0 +[30129.876658] console_unlock+0x460/0xa90 +[30129.876660] vprintk_emit+0x130/0x420 +[30129.876660] printk+0x9f/0xc5 +[30129.876661] show_pwq+0x154/0x618 +[30129.876662] show_workqueue_state.cold.55+0x193/0x6ca +[30129.876664] __handle_sysrq+0x244/0x460 +[30129.876665] write_sysrq_trigger+0x48/0x4a +[30129.876665] proc_reg_write+0x1a6/0x240 +[30129.876666] vfs_write+0x1a8/0x650 + +It looks like the commit was aimed to protect tty_insert_flip_string and +there is no need for tty_flip_buffer_push to be under this lock. + +Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag") +Signed-off-by: Artem Savkov +Acked-by: Jiri Slaby +Link: https://lore.kernel.org/r/20200902120045.3693075-1-asavkov@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/pty.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index 00099a8439d21..c6a1d8c4e6894 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -120,10 +120,10 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) + spin_lock_irqsave(&to->port->lock, flags); + /* Stuff the data into the input queue of the other end */ + c = tty_insert_flip_string(to->port, buf, c); ++ spin_unlock_irqrestore(&to->port->lock, flags); + /* And shovel */ + if (c) + tty_flip_buffer_push(to->port); +- spin_unlock_irqrestore(&to->port->lock, flags); + } + return c; + } +-- +2.25.1 + diff --git a/queue-5.9/pwm-img-fix-null-pointer-access-in-probe.patch b/queue-5.9/pwm-img-fix-null-pointer-access-in-probe.patch new file mode 100644 index 00000000000..163003056e0 --- /dev/null +++ b/queue-5.9/pwm-img-fix-null-pointer-access-in-probe.patch @@ -0,0 +1,53 @@ +From 0da11b0d13e27cb9ec4f4de8c604c5782c292f22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 19:14:25 +0200 +Subject: pwm: img: Fix null pointer access in probe + +From: Hauke Mehrtens + +[ Upstream commit b39c0615d0667b3a6f2f5c4bf99ffadf3b518bb1 ] + +dev_get_drvdata() is called in img_pwm_runtime_resume() before the +driver data is set. +When pm_runtime_enabled() returns false in img_pwm_probe() it calls +img_pwm_runtime_resume() which results in a null pointer access. + +This patch fixes the problem by setting the driver data earlier in the +img_pwm_probe() function. + +This crash was seen when booting the Imagination Technologies Creator +Ci40 (Marduk) with kernel 5.4 in OpenWrt. + +Fixes: e690ae526216 ("pwm: img: Add runtime PM") +Signed-off-by: Hauke Mehrtens +Acked-by: Lee Jones +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-img.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-img.c b/drivers/pwm/pwm-img.c +index 599a0f66a3845..a34d95ed70b20 100644 +--- a/drivers/pwm/pwm-img.c ++++ b/drivers/pwm/pwm-img.c +@@ -277,6 +277,8 @@ static int img_pwm_probe(struct platform_device *pdev) + return PTR_ERR(pwm->pwm_clk); + } + ++ platform_set_drvdata(pdev, pwm); ++ + pm_runtime_set_autosuspend_delay(&pdev->dev, IMG_PWM_PM_TIMEOUT); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_enable(&pdev->dev); +@@ -313,7 +315,6 @@ static int img_pwm_probe(struct platform_device *pdev) + goto err_suspend; + } + +- platform_set_drvdata(pdev, pwm); + return 0; + + err_suspend: +-- +2.25.1 + diff --git a/queue-5.9/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch b/queue-5.9/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch new file mode 100644 index 00000000000..30ed681e594 --- /dev/null +++ b/queue-5.9/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch @@ -0,0 +1,68 @@ +From d012e2d637f82d3f261b94aa64b39821a1668fcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 13:23:24 +0200 +Subject: pwm: lpss: Add range limit check for the base_unit register value + +From: Hans de Goede + +[ Upstream commit ef9f60daab309558c8bb3e086a9a11ee40bd6061 ] + +When the user requests a high enough period ns value, then the +calculations in pwm_lpss_prepare() might result in a base_unit value of 0. + +But according to the data-sheet the way the PWM controller works is that +each input clock-cycle the base_unit gets added to a N bit counter and +that counter overflowing determines the PWM output frequency. Adding 0 +to the counter is a no-op. The data-sheet even explicitly states that +writing 0 to the base_unit bits will result in the PWM outputting a +continuous 0 signal. + +When the user requestes a low enough period ns value, then the +calculations in pwm_lpss_prepare() might result in a base_unit value +which is bigger then base_unit_range - 1. Currently the codes for this +deals with this by applying a mask: + + base_unit &= (base_unit_range - 1); + +But this means that we let the value overflow the range, we throw away the +higher bits and store whatever value is left in the lower bits into the +register leading to a random output frequency, rather then clamping the +output frequency to the highest frequency which the hardware can do. + +This commit fixes both issues by clamping the base_unit value to be +between 1 and (base_unit_range - 1). + +Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit") +Reviewed-by: Andy Shevchenko +Acked-by: Thierry Reding +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-5-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpss.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c +index 43b1fc634af1a..da9bc3d10104a 100644 +--- a/drivers/pwm/pwm-lpss.c ++++ b/drivers/pwm/pwm-lpss.c +@@ -97,6 +97,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + freq *= base_unit_range; + + base_unit = DIV_ROUND_CLOSEST_ULL(freq, c); ++ /* base_unit must not be 0 and we also want to avoid overflowing it */ ++ base_unit = clamp_val(base_unit, 1, base_unit_range - 1); + + on_time_div = 255ULL * duty_ns; + do_div(on_time_div, period_ns); +@@ -105,7 +107,6 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + orig_ctrl = ctrl = pwm_lpss_read(pwm); + ctrl &= ~PWM_ON_TIME_DIV_MASK; + ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT); +- base_unit &= (base_unit_range - 1); + ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT; + ctrl |= on_time_div; + +-- +2.25.1 + diff --git a/queue-5.9/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch b/queue-5.9/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch new file mode 100644 index 00000000000..27fc5d0dda2 --- /dev/null +++ b/queue-5.9/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch @@ -0,0 +1,68 @@ +From 26aa648b7b9f48377f80cc5e7486e9d17f57287c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 13:23:23 +0200 +Subject: pwm: lpss: Fix off by one error in base_unit math in + pwm_lpss_prepare() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit 181f4d2f44463fe09fe4df02e03095cb87151c29 ] + +According to the data-sheet the way the PWM controller works is that +each input clock-cycle the base_unit gets added to a N bit counter and +that counter overflowing determines the PWM output frequency. + +So assuming e.g. a 16 bit counter this means that if base_unit is set to 1, +after 65535 input clock-cycles the counter has been increased from 0 to +65535 and it will overflow on the next cycle, so it will overflow after +every 65536 clock cycles and thus the calculations done in +pwm_lpss_prepare() should use 65536 and not 65535. + +This commit fixes this. Note this also aligns the calculations in +pwm_lpss_prepare() with those in pwm_lpss_get_state(). + +Note this effectively reverts commit 684309e5043e ("pwm: lpss: Avoid +potential overflow of base_unit"). The next patch in this series really +fixes the potential overflow of the base_unit value. + +Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit") +Reviewed-by: Andy Shevchenko +Acked-by: Uwe Kleine-König +Acked-by: Thierry Reding +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-4-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpss.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c +index 9d965ffe66d1e..43b1fc634af1a 100644 +--- a/drivers/pwm/pwm-lpss.c ++++ b/drivers/pwm/pwm-lpss.c +@@ -93,7 +93,7 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + * The equation is: + * base_unit = round(base_unit_range * freq / c) + */ +- base_unit_range = BIT(lpwm->info->base_unit_bits) - 1; ++ base_unit_range = BIT(lpwm->info->base_unit_bits); + freq *= base_unit_range; + + base_unit = DIV_ROUND_CLOSEST_ULL(freq, c); +@@ -104,8 +104,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + + orig_ctrl = ctrl = pwm_lpss_read(pwm); + ctrl &= ~PWM_ON_TIME_DIV_MASK; +- ctrl &= ~(base_unit_range << PWM_BASE_UNIT_SHIFT); +- base_unit &= base_unit_range; ++ ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT); ++ base_unit &= (base_unit_range - 1); + ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT; + ctrl |= on_time_div; + +-- +2.25.1 + diff --git a/queue-5.9/pwm-rockchip-keep-enabled-pwms-running-while-probing.patch b/queue-5.9/pwm-rockchip-keep-enabled-pwms-running-while-probing.patch new file mode 100644 index 00000000000..78db852b5fe --- /dev/null +++ b/queue-5.9/pwm-rockchip-keep-enabled-pwms-running-while-probing.patch @@ -0,0 +1,60 @@ +From c283ef7a0e106bc9bfb4ebd1a861f1e9ef5d213b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 15:33:06 -0400 +Subject: pwm: rockchip: Keep enabled PWMs running while probing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon South + +[ Upstream commit 457f74abbed060a0395f75ab5297f2d76cada516 ] + +Following commit cfc4c189bc70 ("pwm: Read initial hardware state at +request time") the Rockchip PWM driver can no longer assume a device's +pwm_state structure has been populated after a call to pwmchip_add(). +Consequently, the test in rockchip_pwm_probe() intended to prevent the +driver from stopping PWM devices already enabled by the bootloader no +longer functions reliably and this can lead to the kernel hanging +during startup, particularly on devices like the Pinebook Pro that use +a PWM-controlled backlight for their display. + +Avoid this by querying the device directly at probe time to determine +whether or not it is enabled. + +Fixes: cfc4c189bc70 ("pwm: Read initial hardware state at request time") +Signed-off-by: Simon South +Reviewed-by: Uwe Kleine-König +Reviewed-by: Heiko Stuebner +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-rockchip.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-rockchip.c b/drivers/pwm/pwm-rockchip.c +index eb8c9cb645a6c..098e94335cb5b 100644 +--- a/drivers/pwm/pwm-rockchip.c ++++ b/drivers/pwm/pwm-rockchip.c +@@ -288,6 +288,7 @@ static int rockchip_pwm_probe(struct platform_device *pdev) + const struct of_device_id *id; + struct rockchip_pwm_chip *pc; + struct resource *r; ++ u32 enable_conf, ctrl; + int ret, count; + + id = of_match_device(rockchip_pwm_dt_ids, &pdev->dev); +@@ -362,7 +363,9 @@ static int rockchip_pwm_probe(struct platform_device *pdev) + } + + /* Keep the PWM clk enabled if the PWM appears to be up and running. */ +- if (!pwm_is_enabled(pc->chip.pwms)) ++ enable_conf = pc->data->enable_conf; ++ ctrl = readl_relaxed(pc->base + pc->data->regs.ctrl); ++ if ((ctrl & enable_conf) != enable_conf) + clk_disable(pc->clk); + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch b/queue-5.9/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch new file mode 100644 index 00000000000..aa6a29547e4 --- /dev/null +++ b/queue-5.9/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch @@ -0,0 +1,46 @@ +From 8442808d5be09bb1dcf654937036ece4ff5617b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:22:24 +0100 +Subject: qtnfmac: fix resource leaks on unsupported iftype error return path + +From: Colin Ian King + +[ Upstream commit 63f6982075d890d7563e2469643f05a37d193f01 ] + +Currently if an unsupported iftype is detected the error return path +does not free the cmd_skb leading to a resource leak. Fix this by +free'ing cmd_skb. + +Addresses-Coverity: ("Resource leak") +Fixes: 805b28c05c8e ("qtnfmac: prepare for AP_VLAN interface type support") +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200925132224.21638-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/quantenna/qtnfmac/commands.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c +index f40d8c3c3d9e5..f3ccbd2b10847 100644 +--- a/drivers/net/wireless/quantenna/qtnfmac/commands.c ++++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c +@@ -869,6 +869,7 @@ int qtnf_cmd_send_del_intf(struct qtnf_vif *vif) + default: + pr_warn("VIF%u.%u: unsupported iftype %d\n", vif->mac->macid, + vif->vifid, vif->wdev.iftype); ++ dev_kfree_skb(cmd_skb); + ret = -EINVAL; + goto out; + } +@@ -1924,6 +1925,7 @@ int qtnf_cmd_send_change_sta(struct qtnf_vif *vif, const u8 *mac, + break; + default: + pr_err("unsupported iftype %d\n", vif->wdev.iftype); ++ dev_kfree_skb(cmd_skb); + ret = -EINVAL; + goto out; + } +-- +2.25.1 + diff --git a/queue-5.9/quota-clear-padding-in-v2r1_mem2diskdqb.patch b/queue-5.9/quota-clear-padding-in-v2r1_mem2diskdqb.patch new file mode 100644 index 00000000000..c0b311c5c44 --- /dev/null +++ b/queue-5.9/quota-clear-padding-in-v2r1_mem2diskdqb.patch @@ -0,0 +1,114 @@ +From 1bc58cebc683afe4492bdbce3de7b036a00ee94e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 11:36:19 -0700 +Subject: quota: clear padding in v2r1_mem2diskdqb() + +From: Eric Dumazet + +[ Upstream commit 3d3dc274ce736227e3197868ff749cff2f175f63 ] + +Freshly allocated memory contains garbage, better make sure +to init all struct v2r1_disk_dqblk fields to avoid KMSAN report: + +BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 +CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219 + qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 + v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285 + qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394 + v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 + dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 + ext4_write_dquot fs/ext4/super.c:5934 [inline] + ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 + mark_dquot_dirty fs/quota/dquot.c:347 [inline] + mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] + dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 + __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 + ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 + vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 + do_tmpfile fs/namei.c:3316 [inline] + path_openat+0x4035/0x6a90 fs/namei.c:3359 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c +RIP: 0023:0xf7ff4549 +Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127 +RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000 +RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80 + slab_alloc_node mm/slub.c:2907 [inline] + slab_alloc mm/slub.c:2916 [inline] + __kmalloc+0x2bb/0x4b0 mm/slub.c:3982 + kmalloc include/linux/slab.h:559 [inline] + getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52 + qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378 + v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 + dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 + ext4_write_dquot fs/ext4/super.c:5934 [inline] + ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 + mark_dquot_dirty fs/quota/dquot.c:347 [inline] + mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] + dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 + __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 + ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 + vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 + do_tmpfile fs/namei.c:3316 [inline] + path_openat+0x4035/0x6a90 fs/namei.c:3359 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits") +Link: https://lore.kernel.org/r/20200924183619.4176790-1-edumazet@google.com +Signed-off-by: Eric Dumazet +Cc: Jan Kara +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/quota_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c +index 58fc2a7c7fd19..e69a2bfdd81c0 100644 +--- a/fs/quota/quota_v2.c ++++ b/fs/quota/quota_v2.c +@@ -282,6 +282,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot) + d->dqb_curspace = cpu_to_le64(m->dqb_curspace); + d->dqb_btime = cpu_to_le64(m->dqb_btime); + d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id)); ++ d->dqb_pad = 0; + if (qtree_entry_unused(info, dp)) + d->dqb_itime = cpu_to_le64(1); + } +-- +2.25.1 + diff --git a/queue-5.9/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch b/queue-5.9/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch new file mode 100644 index 00000000000..ace612a189f --- /dev/null +++ b/queue-5.9/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch @@ -0,0 +1,42 @@ +From 26d1ddea4b6879d1534cf7cfdd938231ce764ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:04 -0700 +Subject: ramfs: fix nommu mmap with gaps in the page cache + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 50b7d85680086126d7bd91dae81d57d4cb1ab6b7 ] + +ramfs needs to check that pages are both physically contiguous and +contiguous in the file. If the page cache happens to have, eg, page A for +index 0 of the file, no page for index 1, and page A+1 for index 2, then +an mmap of the first two pages of the file will succeed when it should +fail. + +Fixes: 642fb4d1f1dd ("[PATCH] NOMMU: Provide shared-writable mmap support on ramfs") +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Cc: David Howells +Link: https://lkml.kernel.org/r/20200914122239.GO6583@casper.infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ramfs/file-nommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ramfs/file-nommu.c b/fs/ramfs/file-nommu.c +index 4146954549560..355523f4a4bf3 100644 +--- a/fs/ramfs/file-nommu.c ++++ b/fs/ramfs/file-nommu.c +@@ -224,7 +224,7 @@ static unsigned long ramfs_nommu_get_unmapped_area(struct file *file, + if (!pages) + goto out_free; + +- nr = find_get_pages(inode->i_mapping, &pgoff, lpages, pages); ++ nr = find_get_pages_contig(inode->i_mapping, pgoff, lpages, pages); + if (nr != lpages) + goto out_free_pages; /* leave if some pages were missing */ + +-- +2.25.1 + diff --git a/queue-5.9/random32-make-prandom_u32-output-unpredictable.patch b/queue-5.9/random32-make-prandom_u32-output-unpredictable.patch new file mode 100644 index 00000000000..bee785a62af --- /dev/null +++ b/queue-5.9/random32-make-prandom_u32-output-unpredictable.patch @@ -0,0 +1,661 @@ +From 3af669b15c6d2cdb475afb9a6dfc0bf96b905018 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 06:57:44 +0000 +Subject: random32: make prandom_u32() output unpredictable + +From: George Spelvin + +[ Upstream commit c51f8f88d705e06bd696d7510aff22b33eb8e638 ] + +Non-cryptographic PRNGs may have great statistical properties, but +are usually trivially predictable to someone who knows the algorithm, +given a small sample of their output. An LFSR like prandom_u32() is +particularly simple, even if the sample is widely scattered bits. + +It turns out the network stack uses prandom_u32() for some things like +random port numbers which it would prefer are *not* trivially predictable. +Predictability led to a practical DNS spoofing attack. Oops. + +This patch replaces the LFSR with a homebrew cryptographic PRNG based +on the SipHash round function, which is in turn seeded with 128 bits +of strong random key. (The authors of SipHash have *not* been consulted +about this abuse of their algorithm.) Speed is prioritized over security; +attacks are rare, while performance is always wanted. + +Replacing all callers of prandom_u32() is the quick fix. +Whether to reinstate a weaker PRNG for uses which can tolerate it +is an open question. + +Commit f227e3ec3b5c ("random32: update the net random state on interrupt +and activity") was an earlier attempt at a solution. This patch replaces +it. + +Reported-by: Amit Klein +Cc: Willy Tarreau +Cc: Eric Dumazet +Cc: "Jason A. Donenfeld" +Cc: Andy Lutomirski +Cc: Kees Cook +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Cc: Linus Torvalds +Cc: tytso@mit.edu +Cc: Florian Westphal +Cc: Marc Plumb +Fixes: f227e3ec3b5c ("random32: update the net random state on interrupt and activity") +Signed-off-by: George Spelvin +Link: https://lore.kernel.org/netdev/20200808152628.GA27941@SDF.ORG/ +[ willy: partial reversal of f227e3ec3b5c; moved SIPROUND definitions + to prandom.h for later use; merged George's prandom_seed() proposal; + inlined siprand_u32(); replaced the net_rand_state[] array with 4 + members to fix a build issue; cosmetic cleanups to make checkpatch + happy; fixed RANDOM32_SELFTEST build ] +Signed-off-by: Willy Tarreau +Signed-off-by: Sasha Levin +--- + drivers/char/random.c | 1 - + include/linux/prandom.h | 36 +++- + kernel/time/timer.c | 7 - + lib/random32.c | 464 ++++++++++++++++++++++++---------------- + 4 files changed, 318 insertions(+), 190 deletions(-) + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index d20ba1b104ca3..2a41b21623ae4 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1277,7 +1277,6 @@ void add_interrupt_randomness(int irq, int irq_flags) + + fast_mix(fast_pool); + add_interrupt_bench(cycles); +- this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]); + + if (unlikely(crng_init == 0)) { + if ((fast_pool->count >= 64) && +diff --git a/include/linux/prandom.h b/include/linux/prandom.h +index aa16e6468f91e..cc1e71334e53c 100644 +--- a/include/linux/prandom.h ++++ b/include/linux/prandom.h +@@ -16,12 +16,44 @@ void prandom_bytes(void *buf, size_t nbytes); + void prandom_seed(u32 seed); + void prandom_reseed_late(void); + ++#if BITS_PER_LONG == 64 ++/* ++ * The core SipHash round function. Each line can be executed in ++ * parallel given enough CPU resources. ++ */ ++#define PRND_SIPROUND(v0, v1, v2, v3) ( \ ++ v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \ ++ v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \ ++ v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \ ++ v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) \ ++) ++ ++#define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261) ++#define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573) ++ ++#elif BITS_PER_LONG == 32 ++/* ++ * On 32-bit machines, we use HSipHash, a reduced-width version of SipHash. ++ * This is weaker, but 32-bit machines are not used for high-traffic ++ * applications, so there is less output for an attacker to analyze. ++ */ ++#define PRND_SIPROUND(v0, v1, v2, v3) ( \ ++ v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \ ++ v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \ ++ v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \ ++ v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) \ ++) ++#define PRND_K0 0x6c796765 ++#define PRND_K1 0x74656462 ++ ++#else ++#error Unsupported BITS_PER_LONG ++#endif ++ + struct rnd_state { + __u32 s1, s2, s3, s4; + }; + +-DECLARE_PER_CPU(struct rnd_state, net_rand_state); +- + u32 prandom_u32_state(struct rnd_state *state); + void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes); + void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state); +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index a50364df10543..401fcb9d73886 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1715,13 +1715,6 @@ void update_process_times(int user_tick) + scheduler_tick(); + if (IS_ENABLED(CONFIG_POSIX_TIMERS)) + run_posix_cpu_timers(); +- +- /* The current CPU might make use of net randoms without receiving IRQs +- * to renew them often enough. Let's update the net_rand_state from a +- * non-constant value that's not affine to the number of calls to make +- * sure it's updated when there's some activity (we don't care in idle). +- */ +- this_cpu_add(net_rand_state.s1, rol32(jiffies, 24) + user_tick); + } + + /** +diff --git a/lib/random32.c b/lib/random32.c +index dfb9981ab7989..be9f242a42075 100644 +--- a/lib/random32.c ++++ b/lib/random32.c +@@ -41,16 +41,6 @@ + #include + #include + +-#ifdef CONFIG_RANDOM32_SELFTEST +-static void __init prandom_state_selftest(void); +-#else +-static inline void prandom_state_selftest(void) +-{ +-} +-#endif +- +-DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy; +- + /** + * prandom_u32_state - seeded pseudo-random number generator. + * @state: pointer to state structure holding seeded state. +@@ -70,26 +60,6 @@ u32 prandom_u32_state(struct rnd_state *state) + } + EXPORT_SYMBOL(prandom_u32_state); + +-/** +- * prandom_u32 - pseudo random number generator +- * +- * A 32 bit pseudo-random number is generated using a fast +- * algorithm suitable for simulation. This algorithm is NOT +- * considered safe for cryptographic use. +- */ +-u32 prandom_u32(void) +-{ +- struct rnd_state *state = &get_cpu_var(net_rand_state); +- u32 res; +- +- res = prandom_u32_state(state); +- trace_prandom_u32(res); +- put_cpu_var(net_rand_state); +- +- return res; +-} +-EXPORT_SYMBOL(prandom_u32); +- + /** + * prandom_bytes_state - get the requested number of pseudo-random bytes + * +@@ -121,20 +91,6 @@ void prandom_bytes_state(struct rnd_state *state, void *buf, size_t bytes) + } + EXPORT_SYMBOL(prandom_bytes_state); + +-/** +- * prandom_bytes - get the requested number of pseudo-random bytes +- * @buf: where to copy the pseudo-random bytes to +- * @bytes: the requested number of bytes +- */ +-void prandom_bytes(void *buf, size_t bytes) +-{ +- struct rnd_state *state = &get_cpu_var(net_rand_state); +- +- prandom_bytes_state(state, buf, bytes); +- put_cpu_var(net_rand_state); +-} +-EXPORT_SYMBOL(prandom_bytes); +- + static void prandom_warmup(struct rnd_state *state) + { + /* Calling RNG ten times to satisfy recurrence condition */ +@@ -150,96 +106,6 @@ static void prandom_warmup(struct rnd_state *state) + prandom_u32_state(state); + } + +-static u32 __extract_hwseed(void) +-{ +- unsigned int val = 0; +- +- (void)(arch_get_random_seed_int(&val) || +- arch_get_random_int(&val)); +- +- return val; +-} +- +-static void prandom_seed_early(struct rnd_state *state, u32 seed, +- bool mix_with_hwseed) +-{ +-#define LCG(x) ((x) * 69069U) /* super-duper LCG */ +-#define HWSEED() (mix_with_hwseed ? __extract_hwseed() : 0) +- state->s1 = __seed(HWSEED() ^ LCG(seed), 2U); +- state->s2 = __seed(HWSEED() ^ LCG(state->s1), 8U); +- state->s3 = __seed(HWSEED() ^ LCG(state->s2), 16U); +- state->s4 = __seed(HWSEED() ^ LCG(state->s3), 128U); +-} +- +-/** +- * prandom_seed - add entropy to pseudo random number generator +- * @entropy: entropy value +- * +- * Add some additional entropy to the prandom pool. +- */ +-void prandom_seed(u32 entropy) +-{ +- int i; +- /* +- * No locking on the CPUs, but then somewhat random results are, well, +- * expected. +- */ +- for_each_possible_cpu(i) { +- struct rnd_state *state = &per_cpu(net_rand_state, i); +- +- state->s1 = __seed(state->s1 ^ entropy, 2U); +- prandom_warmup(state); +- } +-} +-EXPORT_SYMBOL(prandom_seed); +- +-/* +- * Generate some initially weak seeding values to allow +- * to start the prandom_u32() engine. +- */ +-static int __init prandom_init(void) +-{ +- int i; +- +- prandom_state_selftest(); +- +- for_each_possible_cpu(i) { +- struct rnd_state *state = &per_cpu(net_rand_state, i); +- u32 weak_seed = (i + jiffies) ^ random_get_entropy(); +- +- prandom_seed_early(state, weak_seed, true); +- prandom_warmup(state); +- } +- +- return 0; +-} +-core_initcall(prandom_init); +- +-static void __prandom_timer(struct timer_list *unused); +- +-static DEFINE_TIMER(seed_timer, __prandom_timer); +- +-static void __prandom_timer(struct timer_list *unused) +-{ +- u32 entropy; +- unsigned long expires; +- +- get_random_bytes(&entropy, sizeof(entropy)); +- prandom_seed(entropy); +- +- /* reseed every ~60 seconds, in [40 .. 80) interval with slack */ +- expires = 40 + prandom_u32_max(40); +- seed_timer.expires = jiffies + msecs_to_jiffies(expires * MSEC_PER_SEC); +- +- add_timer(&seed_timer); +-} +- +-static void __init __prandom_start_seed_timer(void) +-{ +- seed_timer.expires = jiffies + msecs_to_jiffies(40 * MSEC_PER_SEC); +- add_timer(&seed_timer); +-} +- + void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state) + { + int i; +@@ -259,51 +125,6 @@ void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state) + } + EXPORT_SYMBOL(prandom_seed_full_state); + +-/* +- * Generate better values after random number generator +- * is fully initialized. +- */ +-static void __prandom_reseed(bool late) +-{ +- unsigned long flags; +- static bool latch = false; +- static DEFINE_SPINLOCK(lock); +- +- /* Asking for random bytes might result in bytes getting +- * moved into the nonblocking pool and thus marking it +- * as initialized. In this case we would double back into +- * this function and attempt to do a late reseed. +- * Ignore the pointless attempt to reseed again if we're +- * already waiting for bytes when the nonblocking pool +- * got initialized. +- */ +- +- /* only allow initial seeding (late == false) once */ +- if (!spin_trylock_irqsave(&lock, flags)) +- return; +- +- if (latch && !late) +- goto out; +- +- latch = true; +- prandom_seed_full_state(&net_rand_state); +-out: +- spin_unlock_irqrestore(&lock, flags); +-} +- +-void prandom_reseed_late(void) +-{ +- __prandom_reseed(true); +-} +- +-static int __init prandom_reseed(void) +-{ +- __prandom_reseed(false); +- __prandom_start_seed_timer(); +- return 0; +-} +-late_initcall(prandom_reseed); +- + #ifdef CONFIG_RANDOM32_SELFTEST + static struct prandom_test1 { + u32 seed; +@@ -423,7 +244,28 @@ static struct prandom_test2 { + { 407983964U, 921U, 728767059U }, + }; + +-static void __init prandom_state_selftest(void) ++static u32 __extract_hwseed(void) ++{ ++ unsigned int val = 0; ++ ++ (void)(arch_get_random_seed_int(&val) || ++ arch_get_random_int(&val)); ++ ++ return val; ++} ++ ++static void prandom_seed_early(struct rnd_state *state, u32 seed, ++ bool mix_with_hwseed) ++{ ++#define LCG(x) ((x) * 69069U) /* super-duper LCG */ ++#define HWSEED() (mix_with_hwseed ? __extract_hwseed() : 0) ++ state->s1 = __seed(HWSEED() ^ LCG(seed), 2U); ++ state->s2 = __seed(HWSEED() ^ LCG(state->s1), 8U); ++ state->s3 = __seed(HWSEED() ^ LCG(state->s2), 16U); ++ state->s4 = __seed(HWSEED() ^ LCG(state->s3), 128U); ++} ++ ++static int __init prandom_state_selftest(void) + { + int i, j, errors = 0, runs = 0; + bool error = false; +@@ -463,5 +305,267 @@ static void __init prandom_state_selftest(void) + pr_warn("prandom: %d/%d self tests failed\n", errors, runs); + else + pr_info("prandom: %d self tests passed\n", runs); ++ return 0; + } ++core_initcall(prandom_state_selftest); + #endif ++ ++/* ++ * The prandom_u32() implementation is now completely separate from the ++ * prandom_state() functions, which are retained (for now) for compatibility. ++ * ++ * Because of (ab)use in the networking code for choosing random TCP/UDP port ++ * numbers, which open DoS possibilities if guessable, we want something ++ * stronger than a standard PRNG. But the performance requirements of ++ * the network code do not allow robust crypto for this application. ++ * ++ * So this is a homebrew Junior Spaceman implementation, based on the ++ * lowest-latency trustworthy crypto primitive available, SipHash. ++ * (The authors of SipHash have not been consulted about this abuse of ++ * their work.) ++ * ++ * Standard SipHash-2-4 uses 2n+4 rounds to hash n words of input to ++ * one word of output. This abbreviated version uses 2 rounds per word ++ * of output. ++ */ ++ ++struct siprand_state { ++ unsigned long v0; ++ unsigned long v1; ++ unsigned long v2; ++ unsigned long v3; ++}; ++ ++static DEFINE_PER_CPU(struct siprand_state, net_rand_state) __latent_entropy; ++ ++/* ++ * This is the core CPRNG function. As "pseudorandom", this is not used ++ * for truly valuable things, just intended to be a PITA to guess. ++ * For maximum speed, we do just two SipHash rounds per word. This is ++ * the same rate as 4 rounds per 64 bits that SipHash normally uses, ++ * so hopefully it's reasonably secure. ++ * ++ * There are two changes from the official SipHash finalization: ++ * - We omit some constants XORed with v2 in the SipHash spec as irrelevant; ++ * they are there only to make the output rounds distinct from the input ++ * rounds, and this application has no input rounds. ++ * - Rather than returning v0^v1^v2^v3, return v1+v3. ++ * If you look at the SipHash round, the last operation on v3 is ++ * "v3 ^= v0", so "v0 ^ v3" just undoes that, a waste of time. ++ * Likewise "v1 ^= v2". (The rotate of v2 makes a difference, but ++ * it still cancels out half of the bits in v2 for no benefit.) ++ * Second, since the last combining operation was xor, continue the ++ * pattern of alternating xor/add for a tiny bit of extra non-linearity. ++ */ ++static inline u32 siprand_u32(struct siprand_state *s) ++{ ++ unsigned long v0 = s->v0, v1 = s->v1, v2 = s->v2, v3 = s->v3; ++ ++ PRND_SIPROUND(v0, v1, v2, v3); ++ PRND_SIPROUND(v0, v1, v2, v3); ++ s->v0 = v0; s->v1 = v1; s->v2 = v2; s->v3 = v3; ++ return v1 + v3; ++} ++ ++ ++/** ++ * prandom_u32 - pseudo random number generator ++ * ++ * A 32 bit pseudo-random number is generated using a fast ++ * algorithm suitable for simulation. This algorithm is NOT ++ * considered safe for cryptographic use. ++ */ ++u32 prandom_u32(void) ++{ ++ struct siprand_state *state = get_cpu_ptr(&net_rand_state); ++ u32 res = siprand_u32(state); ++ ++ trace_prandom_u32(res); ++ put_cpu_ptr(&net_rand_state); ++ return res; ++} ++EXPORT_SYMBOL(prandom_u32); ++ ++/** ++ * prandom_bytes - get the requested number of pseudo-random bytes ++ * @buf: where to copy the pseudo-random bytes to ++ * @bytes: the requested number of bytes ++ */ ++void prandom_bytes(void *buf, size_t bytes) ++{ ++ struct siprand_state *state = get_cpu_ptr(&net_rand_state); ++ u8 *ptr = buf; ++ ++ while (bytes >= sizeof(u32)) { ++ put_unaligned(siprand_u32(state), (u32 *)ptr); ++ ptr += sizeof(u32); ++ bytes -= sizeof(u32); ++ } ++ ++ if (bytes > 0) { ++ u32 rem = siprand_u32(state); ++ ++ do { ++ *ptr++ = (u8)rem; ++ rem >>= BITS_PER_BYTE; ++ } while (--bytes > 0); ++ } ++ put_cpu_ptr(&net_rand_state); ++} ++EXPORT_SYMBOL(prandom_bytes); ++ ++/** ++ * prandom_seed - add entropy to pseudo random number generator ++ * @entropy: entropy value ++ * ++ * Add some additional seed material to the prandom pool. ++ * The "entropy" is actually our IP address (the only caller is ++ * the network code), not for unpredictability, but to ensure that ++ * different machines are initialized differently. ++ */ ++void prandom_seed(u32 entropy) ++{ ++ int i; ++ ++ add_device_randomness(&entropy, sizeof(entropy)); ++ ++ for_each_possible_cpu(i) { ++ struct siprand_state *state = per_cpu_ptr(&net_rand_state, i); ++ unsigned long v0 = state->v0, v1 = state->v1; ++ unsigned long v2 = state->v2, v3 = state->v3; ++ ++ do { ++ v3 ^= entropy; ++ PRND_SIPROUND(v0, v1, v2, v3); ++ PRND_SIPROUND(v0, v1, v2, v3); ++ v0 ^= entropy; ++ } while (unlikely(!v0 || !v1 || !v2 || !v3)); ++ ++ WRITE_ONCE(state->v0, v0); ++ WRITE_ONCE(state->v1, v1); ++ WRITE_ONCE(state->v2, v2); ++ WRITE_ONCE(state->v3, v3); ++ } ++} ++EXPORT_SYMBOL(prandom_seed); ++ ++/* ++ * Generate some initially weak seeding values to allow ++ * the prandom_u32() engine to be started. ++ */ ++static int __init prandom_init_early(void) ++{ ++ int i; ++ unsigned long v0, v1, v2, v3; ++ ++ if (!arch_get_random_long(&v0)) ++ v0 = jiffies; ++ if (!arch_get_random_long(&v1)) ++ v1 = random_get_entropy(); ++ v2 = v0 ^ PRND_K0; ++ v3 = v1 ^ PRND_K1; ++ ++ for_each_possible_cpu(i) { ++ struct siprand_state *state; ++ ++ v3 ^= i; ++ PRND_SIPROUND(v0, v1, v2, v3); ++ PRND_SIPROUND(v0, v1, v2, v3); ++ v0 ^= i; ++ ++ state = per_cpu_ptr(&net_rand_state, i); ++ state->v0 = v0; state->v1 = v1; ++ state->v2 = v2; state->v3 = v3; ++ } ++ ++ return 0; ++} ++core_initcall(prandom_init_early); ++ ++ ++/* Stronger reseeding when available, and periodically thereafter. */ ++static void prandom_reseed(struct timer_list *unused); ++ ++static DEFINE_TIMER(seed_timer, prandom_reseed); ++ ++static void prandom_reseed(struct timer_list *unused) ++{ ++ unsigned long expires; ++ int i; ++ ++ /* ++ * Reinitialize each CPU's PRNG with 128 bits of key. ++ * No locking on the CPUs, but then somewhat random results are, ++ * well, expected. ++ */ ++ for_each_possible_cpu(i) { ++ struct siprand_state *state; ++ unsigned long v0 = get_random_long(), v2 = v0 ^ PRND_K0; ++ unsigned long v1 = get_random_long(), v3 = v1 ^ PRND_K1; ++#if BITS_PER_LONG == 32 ++ int j; ++ ++ /* ++ * On 32-bit machines, hash in two extra words to ++ * approximate 128-bit key length. Not that the hash ++ * has that much security, but this prevents a trivial ++ * 64-bit brute force. ++ */ ++ for (j = 0; j < 2; j++) { ++ unsigned long m = get_random_long(); ++ ++ v3 ^= m; ++ PRND_SIPROUND(v0, v1, v2, v3); ++ PRND_SIPROUND(v0, v1, v2, v3); ++ v0 ^= m; ++ } ++#endif ++ /* ++ * Probably impossible in practice, but there is a ++ * theoretical risk that a race between this reseeding ++ * and the target CPU writing its state back could ++ * create the all-zero SipHash fixed point. ++ * ++ * To ensure that never happens, ensure the state ++ * we write contains no zero words. ++ */ ++ state = per_cpu_ptr(&net_rand_state, i); ++ WRITE_ONCE(state->v0, v0 ? v0 : -1ul); ++ WRITE_ONCE(state->v1, v1 ? v1 : -1ul); ++ WRITE_ONCE(state->v2, v2 ? v2 : -1ul); ++ WRITE_ONCE(state->v3, v3 ? v3 : -1ul); ++ } ++ ++ /* reseed every ~60 seconds, in [40 .. 80) interval with slack */ ++ expires = round_jiffies(jiffies + 40 * HZ + prandom_u32_max(40 * HZ)); ++ mod_timer(&seed_timer, expires); ++} ++ ++/* ++ * The random ready callback can be called from almost any interrupt. ++ * To avoid worrying about whether it's safe to delay that interrupt ++ * long enough to seed all CPUs, just schedule an immediate timer event. ++ */ ++static void prandom_timer_start(struct random_ready_callback *unused) ++{ ++ mod_timer(&seed_timer, jiffies); ++} ++ ++/* ++ * Start periodic full reseeding as soon as strong ++ * random numbers are available. ++ */ ++static int __init prandom_init_late(void) ++{ ++ static struct random_ready_callback random_ready = { ++ .func = prandom_timer_start ++ }; ++ int ret = add_random_ready_callback(&random_ready); ++ ++ if (ret == -EALREADY) { ++ prandom_timer_start(&random_ready); ++ ret = 0; ++ } ++ return ret; ++} ++late_initcall(prandom_init_late); +-- +2.25.1 + diff --git a/queue-5.9/rapidio-fix-error-handling-path.patch b/queue-5.9/rapidio-fix-error-handling-path.patch new file mode 100644 index 00000000000..581b4823538 --- /dev/null +++ b/queue-5.9/rapidio-fix-error-handling-path.patch @@ -0,0 +1,71 @@ +From afcff3ee3aa09327113f59acc01a6412cfc11bbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:15 -0700 +Subject: rapidio: fix error handling path + +From: Souptick Joarder + +[ Upstream commit fa63f083b3492b5ed5332b8d7c90b03b5ef24a1d ] + +rio_dma_transfer() attempts to clamp the return value of +pin_user_pages_fast() to be >= 0. However, the attempt fails because +nr_pages is overridden a few lines later, and restored to the undesirable +-ERRNO value. + +The return value is ultimately stored in nr_pages, which in turn is passed +to unpin_user_pages(), which expects nr_pages >= 0, else, disaster. + +Fix this by fixing the nesting of the assignment to nr_pages: nr_pages +should be clamped to zero if pin_user_pages_fast() returns -ERRNO, or set +to the return value of pin_user_pages_fast(), otherwise. + +[jhubbard@nvidia.com: new changelog] + +Fixes: e8de370188d09 ("rapidio: add mport char device driver") +Signed-off-by: Souptick Joarder +Signed-off-by: Andrew Morton +Reviewed-by: Ira Weiny +Reviewed-by: John Hubbard +Cc: Matthew Wilcox +Cc: Matt Porter +Cc: Alexandre Bounine +Cc: Gustavo A. R. Silva +Cc: Madhuparna Bhowmik +Cc: Dan Carpenter +Link: https://lkml.kernel.org/r/1600227737-20785-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index a30342942e26f..163b6c72501d6 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -871,15 +871,16 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode, + rmcd_error("pin_user_pages_fast err=%ld", + pinned); + nr_pages = 0; +- } else ++ } else { + rmcd_error("pinned %ld out of %ld pages", + pinned, nr_pages); ++ /* ++ * Set nr_pages up to mean "how many pages to unpin, in ++ * the error handler: ++ */ ++ nr_pages = pinned; ++ } + ret = -EFAULT; +- /* +- * Set nr_pages up to mean "how many pages to unpin, in +- * the error handler: +- */ +- nr_pages = pinned; + goto err_pg; + } + +-- +2.25.1 + diff --git a/queue-5.9/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch b/queue-5.9/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch new file mode 100644 index 00000000000..b6d4287aa2f --- /dev/null +++ b/queue-5.9/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch @@ -0,0 +1,56 @@ +From da2fb6b3bd8e5120e74d4ad05ce468f297193335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:18 -0700 +Subject: rapidio: fix the missed put_device() for rio_mport_add_riodev + +From: Jing Xiangfeng + +[ Upstream commit 85094c05eeb47d195a74a25366a2db066f1c9d47 ] + +rio_mport_add_riodev() misses to call put_device() when the device already +exists. Add the missed function call to fix it. + +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Andrew Morton +Reviewed-by: Dan Carpenter +Cc: Matt Porter +Cc: Alexandre Bounine +Cc: Gustavo A. R. Silva +Cc: John Hubbard +Cc: Kees Cook +Cc: Madhuparna Bhowmik +Link: https://lkml.kernel.org/r/20200922072525.42330-1-jingxiangfeng@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index 163b6c72501d6..94331d999d273 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1680,6 +1680,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + struct rio_dev *rdev; + struct rio_switch *rswitch = NULL; + struct rio_mport *mport; ++ struct device *dev; + size_t size; + u32 rval; + u32 swpinfo = 0; +@@ -1694,8 +1695,10 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name, + dev_info.comptag, dev_info.destid, dev_info.hopcount); + +- if (bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name)) { ++ dev = bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name); ++ if (dev) { + rmcd_debug(RDEV, "device %s already exists", dev_info.name); ++ put_device(dev); + return -EEXIST; + } + +-- +2.25.1 + diff --git a/queue-5.9/ras-cec-fix-cec_init-prototype.patch b/queue-5.9/ras-cec-fix-cec_init-prototype.patch new file mode 100644 index 00000000000..61dda919d1d --- /dev/null +++ b/queue-5.9/ras-cec-fix-cec_init-prototype.patch @@ -0,0 +1,65 @@ +From fd730d774b2afc500e098c684abe5a1ac5e3d314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 11:57:08 +0200 +Subject: RAS/CEC: Fix cec_init() prototype + +From: Luca Stefani + +[ Upstream commit 85e6084e0b436cabe9c909e679937998ffbf9c9d ] + +late_initcall() expects a function that returns an integer. Update the +function signature to match. + + [ bp: Massage commit message into proper sentences. ] + +Fixes: 9554bfe403bd ("x86/mce: Convert the CEC to use the MCE notifier") +Signed-off-by: Luca Stefani +Signed-off-by: Borislav Petkov +Reviewed-by: Sami Tolvanen +Tested-by: Sami Tolvanen +Link: https://lkml.kernel.org/r/20200805095708.83939-1-luca.stefani.ge1@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/ras/cec.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/ras/cec.c b/drivers/ras/cec.c +index 569d9ad2c5942..6939aa5b3dc7f 100644 +--- a/drivers/ras/cec.c ++++ b/drivers/ras/cec.c +@@ -553,20 +553,20 @@ static struct notifier_block cec_nb = { + .priority = MCE_PRIO_CEC, + }; + +-static void __init cec_init(void) ++static int __init cec_init(void) + { + if (ce_arr.disabled) +- return; ++ return -ENODEV; + + ce_arr.array = (void *)get_zeroed_page(GFP_KERNEL); + if (!ce_arr.array) { + pr_err("Error allocating CE array page!\n"); +- return; ++ return -ENOMEM; + } + + if (create_debugfs_nodes()) { + free_page((unsigned long)ce_arr.array); +- return; ++ return -ENOMEM; + } + + INIT_DELAYED_WORK(&cec_work, cec_work_fn); +@@ -575,6 +575,7 @@ static void __init cec_init(void) + mce_register_decode_chain(&cec_nb); + + pr_info("Correctable Errors collector initialized.\n"); ++ return 0; + } + late_initcall(cec_init); + +-- +2.25.1 + diff --git a/queue-5.9/rcu-tree-force-quiescent-state-on-callback-overload.patch b/queue-5.9/rcu-tree-force-quiescent-state-on-callback-overload.patch new file mode 100644 index 00000000000..fc77bf84d85 --- /dev/null +++ b/queue-5.9/rcu-tree-force-quiescent-state-on-callback-overload.patch @@ -0,0 +1,44 @@ +From c493e686b5891a205c9c7f7b4dc8cdc1c9478255 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jun 2020 00:07:27 +0530 +Subject: rcu/tree: Force quiescent state on callback overload + +From: Neeraj Upadhyay + +[ Upstream commit 9c39245382de4d52a122641952900709d4a9950b ] + +On callback overload, it is necessary to quickly detect idle CPUs, +and rcu_gp_fqs_check_wake() checks for this condition. Unfortunately, +the code following the call to this function does not repeat this check, +which means that in reality no actual quiescent-state forcing, instead +only a couple of quick and pointless wakeups at the beginning of the +grace period. + +This commit therefore adds a check for the RCU_GP_FLAG_OVLD flag in +the post-wakeup "if" statement in rcu_gp_fqs_loop(). + +Fixes: 1fca4d12f4637 ("rcu: Expedite first two FQS scans under callback-overload conditions") +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Neeraj Upadhyay +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index f78ee759af9cb..388a2ad292bf4 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -1898,7 +1898,7 @@ static void rcu_gp_fqs_loop(void) + break; + /* If time for quiescent-state forcing, do it. */ + if (!time_after(rcu_state.jiffies_force_qs, jiffies) || +- (gf & RCU_GP_FLAG_FQS)) { ++ (gf & (RCU_GP_FLAG_FQS | RCU_GP_FLAG_OVLD))) { + trace_rcu_grace_period(rcu_state.name, rcu_state.gp_seq, + TPS("fqsstart")); + rcu_gp_fqs(first_gp_fqs); +-- +2.25.1 + diff --git a/queue-5.9/rcutorture-properly-set-rcu_fwds-for-oom-handling.patch b/queue-5.9/rcutorture-properly-set-rcu_fwds-for-oom-handling.patch new file mode 100644 index 00000000000..cd1a6941aeb --- /dev/null +++ b/queue-5.9/rcutorture-properly-set-rcu_fwds-for-oom-handling.patch @@ -0,0 +1,59 @@ +From c592156ee73f05c19615e1ea582dd7c274afb170 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 14:40:31 -0700 +Subject: rcutorture: Properly set rcu_fwds for OOM handling + +From: Paul E. McKenney + +[ Upstream commit c8fa63714763b7795a3f5fb7ed6d000763e6dccc ] + +The conversion of rcu_fwds to dynamic allocation failed to actually +allocate the required structure. This commit therefore allocates it, +frees it, and updates rcu_fwds accordingly. While in the area, it +abstracts the cleanup actions into rcu_torture_fwd_prog_cleanup(). + +Fixes: 5155be9994e5 ("rcutorture: Dynamically allocate rcu_fwds structure") +Reported-by: kernel test robot +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcutorture.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index f453bf8d2f1ef..49202099692be 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -2160,9 +2160,20 @@ static int __init rcu_torture_fwd_prog_init(void) + return -ENOMEM; + spin_lock_init(&rfp->rcu_fwd_lock); + rfp->rcu_fwd_cb_tail = &rfp->rcu_fwd_cb_head; ++ rcu_fwds = rfp; + return torture_create_kthread(rcu_torture_fwd_prog, rfp, fwd_prog_task); + } + ++static void rcu_torture_fwd_prog_cleanup(void) ++{ ++ struct rcu_fwd *rfp; ++ ++ torture_stop_kthread(rcu_torture_fwd_prog, fwd_prog_task); ++ rfp = rcu_fwds; ++ rcu_fwds = NULL; ++ kfree(rfp); ++} ++ + /* Callback function for RCU barrier testing. */ + static void rcu_torture_barrier_cbf(struct rcu_head *rcu) + { +@@ -2460,7 +2471,7 @@ rcu_torture_cleanup(void) + show_rcu_gp_kthreads(); + rcu_torture_read_exit_cleanup(); + rcu_torture_barrier_cleanup(); +- torture_stop_kthread(rcu_torture_fwd_prog, fwd_prog_task); ++ rcu_torture_fwd_prog_cleanup(); + torture_stop_kthread(rcu_torture_stall, stall_task); + torture_stop_kthread(rcu_torture_writer, writer_task); + +-- +2.25.1 + diff --git a/queue-5.9/rdma-allow-fail-of-destroy-cq.patch b/queue-5.9/rdma-allow-fail-of-destroy-cq.patch new file mode 100644 index 00000000000..b14a756cde8 --- /dev/null +++ b/queue-5.9/rdma-allow-fail-of-destroy-cq.patch @@ -0,0 +1,645 @@ +From 14f050008a172bab934095e5a524be1dc3a678df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 15:09:18 +0300 +Subject: RDMA: Allow fail of destroy CQ + +From: Leon Romanovsky + +[ Upstream commit 43d781b9fa562f0c6e50f62c870fbfeb9dc85213 ] + +Like any other verbs objects, CQ shouldn't fail during destroy, but +mlx5_ib didn't follow this contract with mixed IB verbs objects with +DEVX. Such mix causes to the situation where FW and kernel are fully +interdependent on the reference counting of each side. + +Kernel verbs and drivers that don't have DEVX flows shouldn't fail. + +Fixes: e39afe3d6dbd ("RDMA: Convert CQ allocations to be under core responsibility") +Link: https://lore.kernel.org/r/20200907120921.476363-7-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cq.c | 5 ++++- + drivers/infiniband/core/verbs.c | 9 +++++++-- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 3 ++- + drivers/infiniband/hw/bnxt_re/ib_verbs.h | 2 +- + drivers/infiniband/hw/cxgb4/cq.c | 3 ++- + drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +- + drivers/infiniband/hw/efa/efa.h | 2 +- + drivers/infiniband/hw/efa/efa_verbs.c | 3 ++- + drivers/infiniband/hw/hns/hns_roce_cq.c | 3 ++- + drivers/infiniband/hw/hns/hns_roce_device.h | 4 ++-- + drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 3 ++- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 3 ++- + drivers/infiniband/hw/mlx4/cq.c | 3 ++- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/infiniband/hw/mlx5/cq.c | 9 +++++++-- + drivers/infiniband/hw/mlx5/mlx5_ib.h | 2 +- + drivers/infiniband/hw/mthca/mthca_provider.c | 3 ++- + drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 3 ++- + drivers/infiniband/hw/ocrdma/ocrdma_verbs.h | 2 +- + drivers/infiniband/hw/qedr/verbs.c | 5 +++-- + drivers/infiniband/hw/qedr/verbs.h | 2 +- + drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 4 ++-- + drivers/infiniband/hw/usnic/usnic_ib_verbs.h | 2 +- + drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c | 3 ++- + drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h | 2 +- + drivers/infiniband/sw/rdmavt/cq.c | 3 ++- + drivers/infiniband/sw/rdmavt/cq.h | 2 +- + drivers/infiniband/sw/rxe/rxe_verbs.c | 3 ++- + drivers/infiniband/sw/siw/siw_verbs.c | 3 ++- + drivers/infiniband/sw/siw/siw_verbs.h | 2 +- + include/rdma/ib_verbs.h | 6 ++++-- + 31 files changed, 66 insertions(+), 37 deletions(-) + +diff --git a/drivers/infiniband/core/cq.c b/drivers/infiniband/core/cq.c +index 2efe825689e3e..19e36e52181be 100644 +--- a/drivers/infiniband/core/cq.c ++++ b/drivers/infiniband/core/cq.c +@@ -319,6 +319,8 @@ EXPORT_SYMBOL(__ib_alloc_cq_any); + */ + void ib_free_cq(struct ib_cq *cq) + { ++ int ret; ++ + if (WARN_ON_ONCE(atomic_read(&cq->usecnt))) + return; + if (WARN_ON_ONCE(cq->cqe_used)) +@@ -340,8 +342,9 @@ void ib_free_cq(struct ib_cq *cq) + + rdma_dim_destroy(cq); + trace_cq_free(cq); ++ ret = cq->device->ops.destroy_cq(cq, NULL); ++ WARN_ONCE(ret, "Destroy of kernel CQ shouldn't fail"); + rdma_restrack_del(&cq->res); +- cq->device->ops.destroy_cq(cq, NULL); + kfree(cq->wc); + kfree(cq); + } +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 307886737646e..c8b650f240d5f 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2011,16 +2011,21 @@ EXPORT_SYMBOL(rdma_set_cq_moderation); + + int ib_destroy_cq_user(struct ib_cq *cq, struct ib_udata *udata) + { ++ int ret; ++ + if (WARN_ON_ONCE(cq->shared)) + return -EOPNOTSUPP; + + if (atomic_read(&cq->usecnt)) + return -EBUSY; + ++ ret = cq->device->ops.destroy_cq(cq, udata); ++ if (ret) ++ return ret; ++ + rdma_restrack_del(&cq->res); +- cq->device->ops.destroy_cq(cq, udata); + kfree(cq); +- return 0; ++ return ret; + } + EXPORT_SYMBOL(ib_destroy_cq_user); + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 1d7a9ca5240c5..e0d06899ad4f4 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -2800,7 +2800,7 @@ int bnxt_re_post_recv(struct ib_qp *ib_qp, const struct ib_recv_wr *wr, + } + + /* Completion Queues */ +-void bnxt_re_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) ++int bnxt_re_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + { + struct bnxt_re_cq *cq; + struct bnxt_qplib_nq *nq; +@@ -2816,6 +2816,7 @@ void bnxt_re_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + atomic_dec(&rdev->cq_count); + nq->budget--; + kfree(cq->cql); ++ return 0; + } + + int bnxt_re_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.h b/drivers/infiniband/hw/bnxt_re/ib_verbs.h +index 1daeb30e06fda..f1d98540fede5 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.h ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.h +@@ -193,7 +193,7 @@ int bnxt_re_post_recv(struct ib_qp *qp, const struct ib_recv_wr *recv_wr, + const struct ib_recv_wr **bad_recv_wr); + int bnxt_re_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); +-void bnxt_re_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); ++int bnxt_re_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); + int bnxt_re_poll_cq(struct ib_cq *cq, int num_entries, struct ib_wc *wc); + int bnxt_re_req_notify_cq(struct ib_cq *cq, enum ib_cq_notify_flags flags); + struct ib_mr *bnxt_re_get_dma_mr(struct ib_pd *pd, int mr_access_flags); +diff --git a/drivers/infiniband/hw/cxgb4/cq.c b/drivers/infiniband/hw/cxgb4/cq.c +index 352b8af1998a5..28349ed508854 100644 +--- a/drivers/infiniband/hw/cxgb4/cq.c ++++ b/drivers/infiniband/hw/cxgb4/cq.c +@@ -967,7 +967,7 @@ int c4iw_poll_cq(struct ib_cq *ibcq, int num_entries, struct ib_wc *wc) + return !err || err == -ENODATA ? npolled : err; + } + +-void c4iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) ++int c4iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + { + struct c4iw_cq *chp; + struct c4iw_ucontext *ucontext; +@@ -985,6 +985,7 @@ void c4iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + ucontext ? &ucontext->uctx : &chp->cq.rdev->uctx, + chp->destroy_skb, chp->wr_waitp); + c4iw_put_wr_wait(chp->wr_waitp); ++ return 0; + } + + int c4iw_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, +diff --git a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h +index 2b2b009b371af..a5975119b0d4c 100644 +--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h ++++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h +@@ -992,7 +992,7 @@ struct ib_mr *c4iw_reg_user_mr(struct ib_pd *pd, u64 start, + struct ib_udata *udata); + struct ib_mr *c4iw_get_dma_mr(struct ib_pd *pd, int acc); + int c4iw_dereg_mr(struct ib_mr *ib_mr, struct ib_udata *udata); +-void c4iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata); ++int c4iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata); + int c4iw_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); + int c4iw_arm_cq(struct ib_cq *ibcq, enum ib_cq_notify_flags flags); +diff --git a/drivers/infiniband/hw/efa/efa.h b/drivers/infiniband/hw/efa/efa.h +index 1889dd172a252..05f593940e7b0 100644 +--- a/drivers/infiniband/hw/efa/efa.h ++++ b/drivers/infiniband/hw/efa/efa.h +@@ -139,7 +139,7 @@ int efa_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata); + struct ib_qp *efa_create_qp(struct ib_pd *ibpd, + struct ib_qp_init_attr *init_attr, + struct ib_udata *udata); +-void efa_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata); ++int efa_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata); + int efa_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); + struct ib_mr *efa_reg_mr(struct ib_pd *ibpd, u64 start, u64 length, +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 9e201f1692892..61520521baccd 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -843,7 +843,7 @@ static int efa_destroy_cq_idx(struct efa_dev *dev, int cq_idx) + return efa_com_destroy_cq(&dev->edev, ¶ms); + } + +-void efa_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) ++int efa_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + { + struct efa_dev *dev = to_edev(ibcq->device); + struct efa_cq *cq = to_ecq(ibcq); +@@ -856,6 +856,7 @@ void efa_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + efa_destroy_cq_idx(dev, cq->cq_idx); + efa_free_mapped(dev, cq->cpu_addr, cq->dma_addr, cq->size, + DMA_FROM_DEVICE); ++ return 0; + } + + static int cq_mmap_entries_setup(struct efa_dev *dev, struct efa_cq *cq, +diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c +index e87d616f79882..c5acf3332519b 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_cq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_cq.c +@@ -311,7 +311,7 @@ int hns_roce_create_cq(struct ib_cq *ib_cq, const struct ib_cq_init_attr *attr, + return ret; + } + +-void hns_roce_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) ++int hns_roce_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + { + struct hns_roce_dev *hr_dev = to_hr_dev(ib_cq->device); + struct hns_roce_cq *hr_cq = to_hr_cq(ib_cq); +@@ -322,6 +322,7 @@ void hns_roce_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + free_cq_buf(hr_dev, hr_cq); + free_cq_db(hr_dev, hr_cq, udata); + free_cqc(hr_dev, hr_cq); ++ return 0; + } + + void hns_roce_cq_completion(struct hns_roce_dev *hr_dev, u32 cqn) +diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h +index 6edcbdcd8f432..6dc07bfb4daad 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_device.h ++++ b/drivers/infiniband/hw/hns/hns_roce_device.h +@@ -930,7 +930,7 @@ struct hns_roce_hw { + int (*poll_cq)(struct ib_cq *ibcq, int num_entries, struct ib_wc *wc); + int (*dereg_mr)(struct hns_roce_dev *hr_dev, struct hns_roce_mr *mr, + struct ib_udata *udata); +- void (*destroy_cq)(struct ib_cq *ibcq, struct ib_udata *udata); ++ int (*destroy_cq)(struct ib_cq *ibcq, struct ib_udata *udata); + int (*modify_cq)(struct ib_cq *cq, u16 cq_count, u16 cq_period); + int (*init_eq)(struct hns_roce_dev *hr_dev); + void (*cleanup_eq)(struct hns_roce_dev *hr_dev); +@@ -1247,7 +1247,7 @@ int to_hr_qp_type(int qp_type); + int hns_roce_create_cq(struct ib_cq *ib_cq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); + +-void hns_roce_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata); ++int hns_roce_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata); + int hns_roce_db_map_user(struct hns_roce_ucontext *context, + struct ib_udata *udata, unsigned long virt, + struct hns_roce_db *db); +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +index aeb3a6fa7d472..109f42458c026 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +@@ -3572,7 +3572,7 @@ int hns_roce_v1_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + return 0; + } + +-static void hns_roce_v1_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) ++static int hns_roce_v1_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + { + struct hns_roce_dev *hr_dev = to_hr_dev(ibcq->device); + struct hns_roce_cq *hr_cq = to_hr_cq(ibcq); +@@ -3603,6 +3603,7 @@ static void hns_roce_v1_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + } + wait_time++; + } ++ return 0; + } + + static void set_eq_cons_index_v1(struct hns_roce_eq *eq, int req_not) +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +index b51339328a51e..1321e3a36491b 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -1052,7 +1052,7 @@ void i40iw_cq_wq_destroy(struct i40iw_device *iwdev, struct i40iw_sc_cq *cq) + * @ib_cq: cq pointer + * @udata: user data or NULL for kernel object + */ +-static void i40iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) ++static int i40iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + { + struct i40iw_cq *iwcq; + struct i40iw_device *iwdev; +@@ -1064,6 +1064,7 @@ static void i40iw_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + i40iw_cq_wq_destroy(iwdev, cq); + cq_free_resources(iwdev, iwcq); + i40iw_rem_devusecount(iwdev); ++ return 0; + } + + /** +diff --git a/drivers/infiniband/hw/mlx4/cq.c b/drivers/infiniband/hw/mlx4/cq.c +index 8a3436994f809..ee50dd823a8e8 100644 +--- a/drivers/infiniband/hw/mlx4/cq.c ++++ b/drivers/infiniband/hw/mlx4/cq.c +@@ -475,7 +475,7 @@ int mlx4_ib_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata) + return err; + } + +-void mlx4_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) ++int mlx4_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) + { + struct mlx4_ib_dev *dev = to_mdev(cq->device); + struct mlx4_ib_cq *mcq = to_mcq(cq); +@@ -495,6 +495,7 @@ void mlx4_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) + mlx4_db_free(dev->dev, &mcq->db); + } + ib_umem_release(mcq->umem); ++ return 0; + } + + static void dump_cqe(void *cqe) +diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h +index 75af838365c93..41d8dcd005c0b 100644 +--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h ++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h +@@ -738,7 +738,7 @@ int mlx4_ib_modify_cq(struct ib_cq *cq, u16 cq_count, u16 cq_period); + int mlx4_ib_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata); + int mlx4_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); +-void mlx4_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); ++int mlx4_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); + int mlx4_ib_poll_cq(struct ib_cq *ibcq, int num_entries, struct ib_wc *wc); + int mlx4_ib_arm_cq(struct ib_cq *cq, enum ib_cq_notify_flags flags); + void __mlx4_ib_cq_clean(struct mlx4_ib_cq *cq, u32 qpn, struct mlx4_ib_srq *srq); +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index b318bde2e565f..35e5bbb44d3d8 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -1024,16 +1024,21 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + return err; + } + +-void mlx5_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) ++int mlx5_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) + { + struct mlx5_ib_dev *dev = to_mdev(cq->device); + struct mlx5_ib_cq *mcq = to_mcq(cq); ++ int ret; ++ ++ ret = mlx5_core_destroy_cq(dev->mdev, &mcq->mcq); ++ if (ret) ++ return ret; + +- mlx5_core_destroy_cq(dev->mdev, &mcq->mcq); + if (udata) + destroy_cq_user(mcq, udata); + else + destroy_cq_kernel(dev, mcq); ++ return 0; + } + + static int is_equal_rsn(struct mlx5_cqe64 *cqe64, u32 rsn) +diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h +index 5287fc8686627..0d4b88389beb8 100644 +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h +@@ -1148,7 +1148,7 @@ int mlx5_ib_read_wqe_srq(struct mlx5_ib_srq *srq, int wqe_index, void *buffer, + size_t buflen, size_t *bc); + int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); +-void mlx5_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); ++int mlx5_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); + int mlx5_ib_poll_cq(struct ib_cq *ibcq, int num_entries, struct ib_wc *wc); + int mlx5_ib_arm_cq(struct ib_cq *ibcq, enum ib_cq_notify_flags flags); + int mlx5_ib_modify_cq(struct ib_cq *cq, u16 cq_count, u16 cq_period); +diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c +index 9fa2f9164a47b..2ad15adf304e5 100644 +--- a/drivers/infiniband/hw/mthca/mthca_provider.c ++++ b/drivers/infiniband/hw/mthca/mthca_provider.c +@@ -789,7 +789,7 @@ static int mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *uda + return ret; + } + +-static void mthca_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) ++static int mthca_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) + { + if (udata) { + struct mthca_ucontext *context = +@@ -808,6 +808,7 @@ static void mthca_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) + to_mcq(cq)->set_ci_db_index); + } + mthca_free_cq(to_mdev(cq->device), to_mcq(cq)); ++ return 0; + } + + static inline u32 convert_access(int acc) +diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +index c1751c9a0f625..4ef5298247fcf 100644 +--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +@@ -1056,7 +1056,7 @@ static void ocrdma_flush_cq(struct ocrdma_cq *cq) + spin_unlock_irqrestore(&cq->cq_lock, flags); + } + +-void ocrdma_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) ++int ocrdma_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + { + struct ocrdma_cq *cq = get_ocrdma_cq(ibcq); + struct ocrdma_eq *eq = NULL; +@@ -1081,6 +1081,7 @@ void ocrdma_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + ocrdma_get_db_addr(dev, pdid), + dev->nic_info.db_page_size); + } ++ return 0; + } + + static int ocrdma_add_qpn_map(struct ocrdma_dev *dev, struct ocrdma_qp *qp) +diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.h b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.h +index df8e3b923a440..4322b5d792608 100644 +--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.h ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.h +@@ -72,7 +72,7 @@ void ocrdma_dealloc_pd(struct ib_pd *pd, struct ib_udata *udata); + int ocrdma_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); + int ocrdma_resize_cq(struct ib_cq *, int cqe, struct ib_udata *); +-void ocrdma_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata); ++int ocrdma_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata); + + struct ib_qp *ocrdma_create_qp(struct ib_pd *, + struct ib_qp_init_attr *attrs, +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index b49bef94637e5..9141a77534c7d 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1051,7 +1051,7 @@ int qedr_resize_cq(struct ib_cq *ibcq, int new_cnt, struct ib_udata *udata) + #define QEDR_DESTROY_CQ_MAX_ITERATIONS (10) + #define QEDR_DESTROY_CQ_ITER_DURATION (10) + +-void qedr_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) ++int qedr_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + { + struct qedr_dev *dev = get_qedr_dev(ibcq->device); + struct qed_rdma_destroy_cq_out_params oparams; +@@ -1066,7 +1066,7 @@ void qedr_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + /* GSIs CQs are handled by driver, so they don't exist in the FW */ + if (cq->cq_type == QEDR_CQ_TYPE_GSI) { + qedr_db_recovery_del(dev, cq->db_addr, &cq->db.data); +- return; ++ return 0; + } + + iparams.icid = cq->icid; +@@ -1114,6 +1114,7 @@ void qedr_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + * Since the destroy CQ ramrod has also been received on the EQ we can + * be certain that there's no event handler in process. + */ ++ return 0; + } + + static inline int get_gid_info_from_table(struct ib_qp *ibqp, +diff --git a/drivers/infiniband/hw/qedr/verbs.h b/drivers/infiniband/hw/qedr/verbs.h +index 39dd6286ba395..b6d09f5376d81 100644 +--- a/drivers/infiniband/hw/qedr/verbs.h ++++ b/drivers/infiniband/hw/qedr/verbs.h +@@ -52,7 +52,7 @@ void qedr_dealloc_pd(struct ib_pd *pd, struct ib_udata *udata); + int qedr_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); + int qedr_resize_cq(struct ib_cq *, int cqe, struct ib_udata *); +-void qedr_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata); ++int qedr_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata); + int qedr_arm_cq(struct ib_cq *ibcq, enum ib_cq_notify_flags flags); + struct ib_qp *qedr_create_qp(struct ib_pd *, struct ib_qp_init_attr *attrs, + struct ib_udata *); +diff --git a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +index b8a77ce115908..586ff16be1bb3 100644 +--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c ++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +@@ -596,9 +596,9 @@ int usnic_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + return 0; + } + +-void usnic_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) ++int usnic_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) + { +- return; ++ return 0; + } + + struct ib_mr *usnic_ib_reg_mr(struct ib_pd *pd, u64 start, u64 length, +diff --git a/drivers/infiniband/hw/usnic/usnic_ib_verbs.h b/drivers/infiniband/hw/usnic/usnic_ib_verbs.h +index 2aedf78c13cf2..f13b08c59b9a3 100644 +--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.h ++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.h +@@ -60,7 +60,7 @@ int usnic_ib_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + int attr_mask, struct ib_udata *udata); + int usnic_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); +-void usnic_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); ++int usnic_ib_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); + struct ib_mr *usnic_ib_reg_mr(struct ib_pd *pd, u64 start, u64 length, + u64 virt_addr, int access_flags, + struct ib_udata *udata); +diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c +index 4f6cc0de7ef95..6d3e6389e47da 100644 +--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c ++++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_cq.c +@@ -235,7 +235,7 @@ static void pvrdma_free_cq(struct pvrdma_dev *dev, struct pvrdma_cq *cq) + * @cq: the completion queue to destroy. + * @udata: user data or null for kernel object + */ +-void pvrdma_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) ++int pvrdma_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) + { + struct pvrdma_cq *vcq = to_vcq(cq); + union pvrdma_cmd_req req; +@@ -261,6 +261,7 @@ void pvrdma_destroy_cq(struct ib_cq *cq, struct ib_udata *udata) + + pvrdma_free_cq(dev, vcq); + atomic_dec(&dev->num_cqs); ++ return 0; + } + + static inline struct pvrdma_cqe *get_cqe(struct pvrdma_cq *cq, int i) +diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h +index 699b20849a7ef..61b8425d92c5e 100644 +--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h ++++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h +@@ -411,7 +411,7 @@ int pvrdma_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, + int sg_nents, unsigned int *sg_offset); + int pvrdma_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); +-void pvrdma_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); ++int pvrdma_destroy_cq(struct ib_cq *cq, struct ib_udata *udata); + int pvrdma_poll_cq(struct ib_cq *ibcq, int num_entries, struct ib_wc *wc); + int pvrdma_req_notify_cq(struct ib_cq *cq, enum ib_cq_notify_flags flags); + int pvrdma_create_ah(struct ib_ah *ah, struct rdma_ah_init_attr *init_attr, +diff --git a/drivers/infiniband/sw/rdmavt/cq.c b/drivers/infiniband/sw/rdmavt/cq.c +index 04d2e72017fed..19248be140933 100644 +--- a/drivers/infiniband/sw/rdmavt/cq.c ++++ b/drivers/infiniband/sw/rdmavt/cq.c +@@ -315,7 +315,7 @@ int rvt_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + * + * Called by ib_destroy_cq() in the generic verbs code. + */ +-void rvt_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) ++int rvt_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + { + struct rvt_cq *cq = ibcq_to_rvtcq(ibcq); + struct rvt_dev_info *rdi = cq->rdi; +@@ -328,6 +328,7 @@ void rvt_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + kref_put(&cq->ip->ref, rvt_release_mmap_info); + else + vfree(cq->kqueue); ++ return 0; + } + + /** +diff --git a/drivers/infiniband/sw/rdmavt/cq.h b/drivers/infiniband/sw/rdmavt/cq.h +index 5e26a2eb19a4c..feb01e7ee0044 100644 +--- a/drivers/infiniband/sw/rdmavt/cq.h ++++ b/drivers/infiniband/sw/rdmavt/cq.h +@@ -53,7 +53,7 @@ + + int rvt_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); +-void rvt_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata); ++int rvt_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata); + int rvt_req_notify_cq(struct ib_cq *ibcq, enum ib_cq_notify_flags notify_flags); + int rvt_resize_cq(struct ib_cq *ibcq, int cqe, struct ib_udata *udata); + int rvt_poll_cq(struct ib_cq *ibcq, int num_entries, struct ib_wc *entry); +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c +index 8522e9a3e9140..cfe115d64cb88 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -803,13 +803,14 @@ static int rxe_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + return rxe_add_to_pool(&rxe->cq_pool, &cq->pelem); + } + +-static void rxe_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) ++static int rxe_destroy_cq(struct ib_cq *ibcq, struct ib_udata *udata) + { + struct rxe_cq *cq = to_rcq(ibcq); + + rxe_cq_disable(cq); + + rxe_drop_ref(cq); ++ return 0; + } + + static int rxe_resize_cq(struct ib_cq *ibcq, int cqe, struct ib_udata *udata) +diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c +index adafa1b8bebe3..60271c30e7de5 100644 +--- a/drivers/infiniband/sw/siw/siw_verbs.c ++++ b/drivers/infiniband/sw/siw/siw_verbs.c +@@ -1055,7 +1055,7 @@ int siw_post_receive(struct ib_qp *base_qp, const struct ib_recv_wr *wr, + return rv > 0 ? 0 : rv; + } + +-void siw_destroy_cq(struct ib_cq *base_cq, struct ib_udata *udata) ++int siw_destroy_cq(struct ib_cq *base_cq, struct ib_udata *udata) + { + struct siw_cq *cq = to_siw_cq(base_cq); + struct siw_device *sdev = to_siw_dev(base_cq->device); +@@ -1073,6 +1073,7 @@ void siw_destroy_cq(struct ib_cq *base_cq, struct ib_udata *udata) + atomic_dec(&sdev->num_cq); + + vfree(cq->queue); ++ return 0; + } + + /* +diff --git a/drivers/infiniband/sw/siw/siw_verbs.h b/drivers/infiniband/sw/siw/siw_verbs.h +index d9572275a6b69..476e9283fce25 100644 +--- a/drivers/infiniband/sw/siw/siw_verbs.h ++++ b/drivers/infiniband/sw/siw/siw_verbs.h +@@ -62,7 +62,7 @@ int siw_post_send(struct ib_qp *base_qp, const struct ib_send_wr *wr, + const struct ib_send_wr **bad_wr); + int siw_post_receive(struct ib_qp *base_qp, const struct ib_recv_wr *wr, + const struct ib_recv_wr **bad_wr); +-void siw_destroy_cq(struct ib_cq *base_cq, struct ib_udata *udata); ++int siw_destroy_cq(struct ib_cq *base_cq, struct ib_udata *udata); + int siw_poll_cq(struct ib_cq *base_cq, int num_entries, struct ib_wc *wc); + int siw_req_notify_cq(struct ib_cq *base_cq, enum ib_cq_notify_flags flags); + struct ib_mr *siw_reg_user_mr(struct ib_pd *base_pd, u64 start, u64 len, +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index 1a3ef718c30b4..f64c1d02b9350 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -2439,7 +2439,7 @@ struct ib_device_ops { + int (*create_cq)(struct ib_cq *cq, const struct ib_cq_init_attr *attr, + struct ib_udata *udata); + int (*modify_cq)(struct ib_cq *cq, u16 cq_count, u16 cq_period); +- void (*destroy_cq)(struct ib_cq *cq, struct ib_udata *udata); ++ int (*destroy_cq)(struct ib_cq *cq, struct ib_udata *udata); + int (*resize_cq)(struct ib_cq *cq, int cqe, struct ib_udata *udata); + struct ib_mr *(*get_dma_mr)(struct ib_pd *pd, int mr_access_flags); + struct ib_mr *(*reg_user_mr)(struct ib_pd *pd, u64 start, u64 length, +@@ -3905,7 +3905,9 @@ int ib_destroy_cq_user(struct ib_cq *cq, struct ib_udata *udata); + */ + static inline void ib_destroy_cq(struct ib_cq *cq) + { +- ib_destroy_cq_user(cq, NULL); ++ int ret = ib_destroy_cq_user(cq, NULL); ++ ++ WARN_ONCE(ret, "Destroy of kernel CQ shouldn't fail"); + } + + /** +-- +2.25.1 + diff --git a/queue-5.9/rdma-change-xrcd-destroy-return-value.patch b/queue-5.9/rdma-change-xrcd-destroy-return-value.patch new file mode 100644 index 00000000000..6b9a8ddedf9 --- /dev/null +++ b/queue-5.9/rdma-change-xrcd-destroy-return-value.patch @@ -0,0 +1,114 @@ +From d60dc787d2c1894a037302cd534e7078e4bbe66e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 15:09:19 +0300 +Subject: RDMA: Change XRCD destroy return value + +From: Leon Romanovsky + +[ Upstream commit d0c45c8556e57342d44c9548763609ffcc4e3866 ] + +Update XRCD destroy flow to allow command failure. + +Fixes: 28ad5f65c314 ("RDMA: Move XRCD to be under ib_core responsibility") +Link: https://lore.kernel.org/r/20200907120921.476363-8-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 8 ++++++-- + drivers/infiniband/hw/mlx4/main.c | 3 ++- + drivers/infiniband/hw/mlx5/mlx5_ib.h | 2 +- + drivers/infiniband/hw/mlx5/qp.c | 4 ++-- + include/rdma/ib_verbs.h | 2 +- + 5 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index c8b650f240d5f..b411be9321bdf 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2333,13 +2333,17 @@ EXPORT_SYMBOL(ib_alloc_xrcd_user); + */ + int ib_dealloc_xrcd_user(struct ib_xrcd *xrcd, struct ib_udata *udata) + { ++ int ret; ++ + if (atomic_read(&xrcd->usecnt)) + return -EBUSY; + + WARN_ON(!xa_empty(&xrcd->tgt_qps)); +- xrcd->device->ops.dealloc_xrcd(xrcd, udata); ++ ret = xrcd->device->ops.dealloc_xrcd(xrcd, udata); ++ if (ret) ++ return ret; + kfree(xrcd); +- return 0; ++ return ret; + } + EXPORT_SYMBOL(ib_dealloc_xrcd_user); + +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c +index bd4f975e7f9ac..d22bf9a4b53e2 100644 +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -1256,11 +1256,12 @@ static int mlx4_ib_alloc_xrcd(struct ib_xrcd *ibxrcd, struct ib_udata *udata) + return err; + } + +-static void mlx4_ib_dealloc_xrcd(struct ib_xrcd *xrcd, struct ib_udata *udata) ++static int mlx4_ib_dealloc_xrcd(struct ib_xrcd *xrcd, struct ib_udata *udata) + { + ib_destroy_cq(to_mxrcd(xrcd)->cq); + ib_dealloc_pd(to_mxrcd(xrcd)->pd); + mlx4_xrcd_free(to_mdev(xrcd->device)->dev, to_mxrcd(xrcd)->xrcdn); ++ return 0; + } + + static int add_gid_entry(struct ib_qp *ibqp, union ib_gid *gid) +diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h +index 0d4b88389beb8..2f06677adaa2a 100644 +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h +@@ -1193,7 +1193,7 @@ int mlx5_ib_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num, + const struct ib_mad *in, struct ib_mad *out, + size_t *out_mad_size, u16 *out_mad_pkey_index); + int mlx5_ib_alloc_xrcd(struct ib_xrcd *xrcd, struct ib_udata *udata); +-void mlx5_ib_dealloc_xrcd(struct ib_xrcd *xrcd, struct ib_udata *udata); ++int mlx5_ib_dealloc_xrcd(struct ib_xrcd *xrcd, struct ib_udata *udata); + int mlx5_ib_get_buf_offset(u64 addr, int page_shift, u32 *offset); + int mlx5_query_ext_port_caps(struct mlx5_ib_dev *dev, u8 port); + int mlx5_query_mad_ifc_smp_attr_node_info(struct ib_device *ibdev, +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index 5758dbe640451..cda7608b6f2d9 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -4716,12 +4716,12 @@ int mlx5_ib_alloc_xrcd(struct ib_xrcd *ibxrcd, struct ib_udata *udata) + return mlx5_cmd_xrcd_alloc(dev->mdev, &xrcd->xrcdn, 0); + } + +-void mlx5_ib_dealloc_xrcd(struct ib_xrcd *xrcd, struct ib_udata *udata) ++int mlx5_ib_dealloc_xrcd(struct ib_xrcd *xrcd, struct ib_udata *udata) + { + struct mlx5_ib_dev *dev = to_mdev(xrcd->device); + u32 xrcdn = to_mxrcd(xrcd)->xrcdn; + +- mlx5_cmd_xrcd_dealloc(dev->mdev, xrcdn, 0); ++ return mlx5_cmd_xrcd_dealloc(dev->mdev, xrcdn, 0); + } + + static void mlx5_ib_wq_event(struct mlx5_core_qp *core_qp, int type) +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index f64c1d02b9350..8cccbdef5de2a 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -2468,7 +2468,7 @@ struct ib_device_ops { + int (*attach_mcast)(struct ib_qp *qp, union ib_gid *gid, u16 lid); + int (*detach_mcast)(struct ib_qp *qp, union ib_gid *gid, u16 lid); + int (*alloc_xrcd)(struct ib_xrcd *xrcd, struct ib_udata *udata); +- void (*dealloc_xrcd)(struct ib_xrcd *xrcd, struct ib_udata *udata); ++ int (*dealloc_xrcd)(struct ib_xrcd *xrcd, struct ib_udata *udata); + struct ib_flow *(*create_flow)(struct ib_qp *qp, + struct ib_flow_attr *flow_attr, + int domain, struct ib_udata *udata); +-- +2.25.1 + diff --git a/queue-5.9/rdma-cma-combine-cma_ndev_work-with-cma_work.patch b/queue-5.9/rdma-cma-combine-cma_ndev_work-with-cma_work.patch new file mode 100644 index 00000000000..be998022c6e --- /dev/null +++ b/queue-5.9/rdma-cma-combine-cma_ndev_work-with-cma_work.patch @@ -0,0 +1,100 @@ +From 437e077f4f9a5c400db83465e848f9e8c893fbe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:11:19 +0300 +Subject: RDMA/cma: Combine cma_ndev_work with cma_work + +From: Jason Gunthorpe + +[ Upstream commit 7e85bcda8bfe883f4244672ed79f81b7762a1a7e ] + +These are the same thing, except that cma_ndev_work doesn't have a state +transition. Signal no state transition by setting old_state and new_state +== 0. + +In all cases the handler function should not be called once +rdma_destroy_id() has progressed passed setting the state. + +Link: https://lore.kernel.org/r/20200902081122.745412-6-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 38 +++++++---------------------------- + 1 file changed, 7 insertions(+), 31 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 5888311b21198..9c3cb8549ac72 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -363,12 +363,6 @@ struct cma_work { + struct rdma_cm_event event; + }; + +-struct cma_ndev_work { +- struct work_struct work; +- struct rdma_id_private *id; +- struct rdma_cm_event event; +-}; +- + struct iboe_mcast_work { + struct work_struct work; + struct rdma_id_private *id; +@@ -2647,32 +2641,14 @@ static void cma_work_handler(struct work_struct *_work) + struct rdma_id_private *id_priv = work->id; + + mutex_lock(&id_priv->handler_mutex); +- if (!cma_comp_exch(id_priv, work->old_state, work->new_state)) ++ if (READ_ONCE(id_priv->state) == RDMA_CM_DESTROYING || ++ READ_ONCE(id_priv->state) == RDMA_CM_DEVICE_REMOVAL) + goto out_unlock; +- +- if (cma_cm_event_handler(id_priv, &work->event)) { +- cma_id_put(id_priv); +- destroy_id_handler_unlock(id_priv); +- goto out_free; ++ if (work->old_state != 0 || work->new_state != 0) { ++ if (!cma_comp_exch(id_priv, work->old_state, work->new_state)) ++ goto out_unlock; + } + +-out_unlock: +- mutex_unlock(&id_priv->handler_mutex); +- cma_id_put(id_priv); +-out_free: +- kfree(work); +-} +- +-static void cma_ndev_work_handler(struct work_struct *_work) +-{ +- struct cma_ndev_work *work = container_of(_work, struct cma_ndev_work, work); +- struct rdma_id_private *id_priv = work->id; +- +- mutex_lock(&id_priv->handler_mutex); +- if (id_priv->state == RDMA_CM_DESTROYING || +- id_priv->state == RDMA_CM_DEVICE_REMOVAL) +- goto out_unlock; +- + if (cma_cm_event_handler(id_priv, &work->event)) { + cma_id_put(id_priv); + destroy_id_handler_unlock(id_priv); +@@ -4656,7 +4632,7 @@ EXPORT_SYMBOL(rdma_leave_multicast); + static int cma_netdev_change(struct net_device *ndev, struct rdma_id_private *id_priv) + { + struct rdma_dev_addr *dev_addr; +- struct cma_ndev_work *work; ++ struct cma_work *work; + + dev_addr = &id_priv->id.route.addr.dev_addr; + +@@ -4669,7 +4645,7 @@ static int cma_netdev_change(struct net_device *ndev, struct rdma_id_private *id + if (!work) + return -ENOMEM; + +- INIT_WORK(&work->work, cma_ndev_work_handler); ++ INIT_WORK(&work->work, cma_work_handler); + work->id = id_priv; + work->event.event = RDMA_CM_EVENT_ADDR_CHANGE; + cma_id_get(id_priv); +-- +2.25.1 + diff --git a/queue-5.9/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch b/queue-5.9/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch new file mode 100644 index 00000000000..780234ea1f7 --- /dev/null +++ b/queue-5.9/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch @@ -0,0 +1,116 @@ +From 4ec466661483dcce7cf4188662053f0c80770386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:11:21 +0300 +Subject: RDMA/cma: Consolidate the destruction of a cma_multicast in one place + +From: Jason Gunthorpe + +[ Upstream commit 3788d2997bc0150ea911a964d5b5a2e11808a936 ] + +Two places were open coding this sequence, and also pull in +cma_leave_roce_mc_group() which was called only once. + +Link: https://lore.kernel.org/r/20200902081122.745412-8-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 63 +++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 32 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index f737f347ae1fc..da2c06850b303 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1777,19 +1777,30 @@ static void cma_release_port(struct rdma_id_private *id_priv) + mutex_unlock(&lock); + } + +-static void cma_leave_roce_mc_group(struct rdma_id_private *id_priv, +- struct cma_multicast *mc) ++static void destroy_mc(struct rdma_id_private *id_priv, ++ struct cma_multicast *mc) + { +- struct rdma_dev_addr *dev_addr = &id_priv->id.route.addr.dev_addr; +- struct net_device *ndev = NULL; ++ if (rdma_cap_ib_mcast(id_priv->id.device, id_priv->id.port_num)) { ++ ib_sa_free_multicast(mc->multicast.ib); ++ kfree(mc); ++ return; ++ } + +- if (dev_addr->bound_dev_if) +- ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if); +- if (ndev) { +- cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false); +- dev_put(ndev); ++ if (rdma_protocol_roce(id_priv->id.device, ++ id_priv->id.port_num)) { ++ struct rdma_dev_addr *dev_addr = ++ &id_priv->id.route.addr.dev_addr; ++ struct net_device *ndev = NULL; ++ ++ if (dev_addr->bound_dev_if) ++ ndev = dev_get_by_index(dev_addr->net, ++ dev_addr->bound_dev_if); ++ if (ndev) { ++ cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false); ++ dev_put(ndev); ++ } ++ kref_put(&mc->mcref, release_mc); + } +- kref_put(&mc->mcref, release_mc); + } + + static void cma_leave_mc_groups(struct rdma_id_private *id_priv) +@@ -1797,16 +1808,10 @@ static void cma_leave_mc_groups(struct rdma_id_private *id_priv) + struct cma_multicast *mc; + + while (!list_empty(&id_priv->mc_list)) { +- mc = container_of(id_priv->mc_list.next, +- struct cma_multicast, list); ++ mc = list_first_entry(&id_priv->mc_list, struct cma_multicast, ++ list); + list_del(&mc->list); +- if (rdma_cap_ib_mcast(id_priv->cma_dev->device, +- id_priv->id.port_num)) { +- ib_sa_free_multicast(mc->multicast.ib); +- kfree(mc); +- } else { +- cma_leave_roce_mc_group(id_priv, mc); +- } ++ destroy_mc(id_priv, mc); + } + } + +@@ -4599,20 +4604,14 @@ void rdma_leave_multicast(struct rdma_cm_id *id, struct sockaddr *addr) + id_priv = container_of(id, struct rdma_id_private, id); + spin_lock_irq(&id_priv->lock); + list_for_each_entry(mc, &id_priv->mc_list, list) { +- if (!memcmp(&mc->addr, addr, rdma_addr_size(addr))) { +- list_del(&mc->list); +- spin_unlock_irq(&id_priv->lock); +- +- BUG_ON(id_priv->cma_dev->device != id->device); ++ if (memcmp(&mc->addr, addr, rdma_addr_size(addr)) != 0) ++ continue; ++ list_del(&mc->list); ++ spin_unlock_irq(&id_priv->lock); + +- if (rdma_cap_ib_mcast(id->device, id->port_num)) { +- ib_sa_free_multicast(mc->multicast.ib); +- kfree(mc); +- } else if (rdma_protocol_roce(id->device, id->port_num)) { +- cma_leave_roce_mc_group(id_priv, mc); +- } +- return; +- } ++ WARN_ON(id_priv->cma_dev->device != id->device); ++ destroy_mc(id_priv, mc); ++ return; + } + spin_unlock_irq(&id_priv->lock); + } +-- +2.25.1 + diff --git a/queue-5.9/rdma-cma-fix-use-after-free-race-in-roce-multicast-j.patch b/queue-5.9/rdma-cma-fix-use-after-free-race-in-roce-multicast-j.patch new file mode 100644 index 00000000000..d064921cd73 --- /dev/null +++ b/queue-5.9/rdma-cma-fix-use-after-free-race-in-roce-multicast-j.patch @@ -0,0 +1,393 @@ +From 507ecba4ff5050156cfbcaf00e0d07e8626133b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:11:22 +0300 +Subject: RDMA/cma: Fix use after free race in roce multicast join + +From: Jason Gunthorpe + +[ Upstream commit b5de0c60cc30c2a3513c7188c73f3f29acc29234 ] + +The roce path triggers a work queue that continues to touch the id_priv +but doesn't hold any reference on it. Futher, unlike in the IB case, the +work queue is not fenced during rdma_destroy_id(). + +This can trigger a use after free if a destroy is triggered in the +incredibly narrow window after the queue_work and the work starting and +obtaining the handler_mutex. + +The only purpose of this work queue is to run the ULP event callback from +the standard context, so switch the design to use the existing +cma_work_handler() scheme. This simplifies quite a lot of the flow: + +- Use the cma_work_handler() callback to launch the work for roce. This + requires generating the event synchronously inside the + rdma_join_multicast(), which in turn means the dummy struct + ib_sa_multicast can become a simple stack variable. + +- cm_work_handler() used the id_priv kref, so we can entirely eliminate + the kref inside struct cma_multicast. Since the cma_multicast never + leaks into an unprotected work queue the kfree can be done at the same + time as for IB. + +- Eliminating the general multicast.ib requires using cma_set_mgid() in a + few places to recompute the mgid. + +Fixes: 3c86aa70bf67 ("RDMA/cm: Add RDMA CM support for IBoE devices") +Link: https://lore.kernel.org/r/20200902081122.745412-9-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 196 +++++++++++++++------------------- + 1 file changed, 88 insertions(+), 108 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index da2c06850b303..baf0b6ae7a8bb 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -68,6 +68,9 @@ static const char * const cma_events[] = { + [RDMA_CM_EVENT_TIMEWAIT_EXIT] = "timewait exit", + }; + ++static void cma_set_mgid(struct rdma_id_private *id_priv, struct sockaddr *addr, ++ union ib_gid *mgid); ++ + const char *__attribute_const__ rdma_event_msg(enum rdma_cm_event_type event) + { + size_t index = event; +@@ -345,13 +348,10 @@ struct ib_device *cma_get_ib_dev(struct cma_device *cma_dev) + + struct cma_multicast { + struct rdma_id_private *id_priv; +- union { +- struct ib_sa_multicast *ib; +- } multicast; ++ struct ib_sa_multicast *sa_mc; + struct list_head list; + void *context; + struct sockaddr_storage addr; +- struct kref mcref; + u8 join_state; + }; + +@@ -363,12 +363,6 @@ struct cma_work { + struct rdma_cm_event event; + }; + +-struct iboe_mcast_work { +- struct work_struct work; +- struct rdma_id_private *id; +- struct cma_multicast *mc; +-}; +- + union cma_ip_addr { + struct in6_addr ip6; + struct { +@@ -477,14 +471,6 @@ static void cma_attach_to_dev(struct rdma_id_private *id_priv, + rdma_start_port(cma_dev->device)]; + } + +-static inline void release_mc(struct kref *kref) +-{ +- struct cma_multicast *mc = container_of(kref, struct cma_multicast, mcref); +- +- kfree(mc->multicast.ib); +- kfree(mc); +-} +- + static void cma_release_dev(struct rdma_id_private *id_priv) + { + mutex_lock(&lock); +@@ -1780,14 +1766,10 @@ static void cma_release_port(struct rdma_id_private *id_priv) + static void destroy_mc(struct rdma_id_private *id_priv, + struct cma_multicast *mc) + { +- if (rdma_cap_ib_mcast(id_priv->id.device, id_priv->id.port_num)) { +- ib_sa_free_multicast(mc->multicast.ib); +- kfree(mc); +- return; +- } ++ if (rdma_cap_ib_mcast(id_priv->id.device, id_priv->id.port_num)) ++ ib_sa_free_multicast(mc->sa_mc); + +- if (rdma_protocol_roce(id_priv->id.device, +- id_priv->id.port_num)) { ++ if (rdma_protocol_roce(id_priv->id.device, id_priv->id.port_num)) { + struct rdma_dev_addr *dev_addr = + &id_priv->id.route.addr.dev_addr; + struct net_device *ndev = NULL; +@@ -1796,11 +1778,15 @@ static void destroy_mc(struct rdma_id_private *id_priv, + ndev = dev_get_by_index(dev_addr->net, + dev_addr->bound_dev_if); + if (ndev) { +- cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false); ++ union ib_gid mgid; ++ ++ cma_set_mgid(id_priv, (struct sockaddr *)&mc->addr, ++ &mgid); ++ cma_igmp_send(ndev, &mgid, false); + dev_put(ndev); + } +- kref_put(&mc->mcref, release_mc); + } ++ kfree(mc); + } + + static void cma_leave_mc_groups(struct rdma_id_private *id_priv) +@@ -2664,6 +2650,8 @@ static void cma_work_handler(struct work_struct *_work) + mutex_unlock(&id_priv->handler_mutex); + cma_id_put(id_priv); + out_free: ++ if (work->event.event == RDMA_CM_EVENT_MULTICAST_JOIN) ++ rdma_destroy_ah_attr(&work->event.param.ud.ah_attr); + kfree(work); + } + +@@ -4280,53 +4268,66 @@ int rdma_disconnect(struct rdma_cm_id *id) + } + EXPORT_SYMBOL(rdma_disconnect); + ++static void cma_make_mc_event(int status, struct rdma_id_private *id_priv, ++ struct ib_sa_multicast *multicast, ++ struct rdma_cm_event *event, ++ struct cma_multicast *mc) ++{ ++ struct rdma_dev_addr *dev_addr; ++ enum ib_gid_type gid_type; ++ struct net_device *ndev; ++ ++ if (!status) ++ status = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey)); ++ else ++ pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n", ++ status); ++ ++ event->status = status; ++ event->param.ud.private_data = mc->context; ++ if (status) { ++ event->event = RDMA_CM_EVENT_MULTICAST_ERROR; ++ return; ++ } ++ ++ dev_addr = &id_priv->id.route.addr.dev_addr; ++ ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if); ++ gid_type = ++ id_priv->cma_dev ++ ->default_gid_type[id_priv->id.port_num - ++ rdma_start_port( ++ id_priv->cma_dev->device)]; ++ ++ event->event = RDMA_CM_EVENT_MULTICAST_JOIN; ++ if (ib_init_ah_from_mcmember(id_priv->id.device, id_priv->id.port_num, ++ &multicast->rec, ndev, gid_type, ++ &event->param.ud.ah_attr)) { ++ event->event = RDMA_CM_EVENT_MULTICAST_ERROR; ++ goto out; ++ } ++ ++ event->param.ud.qp_num = 0xFFFFFF; ++ event->param.ud.qkey = be32_to_cpu(multicast->rec.qkey); ++ ++out: ++ if (ndev) ++ dev_put(ndev); ++} ++ + static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast) + { +- struct rdma_id_private *id_priv; + struct cma_multicast *mc = multicast->context; ++ struct rdma_id_private *id_priv = mc->id_priv; + struct rdma_cm_event event = {}; + int ret = 0; + +- id_priv = mc->id_priv; + mutex_lock(&id_priv->handler_mutex); + if (id_priv->state != RDMA_CM_ADDR_BOUND && + id_priv->state != RDMA_CM_ADDR_RESOLVED) + goto out; + +- if (!status) +- status = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey)); +- else +- pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n", +- status); +- event.status = status; +- event.param.ud.private_data = mc->context; +- if (!status) { +- struct rdma_dev_addr *dev_addr = +- &id_priv->id.route.addr.dev_addr; +- struct net_device *ndev = +- dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if); +- enum ib_gid_type gid_type = +- id_priv->cma_dev->default_gid_type[id_priv->id.port_num - +- rdma_start_port(id_priv->cma_dev->device)]; +- +- event.event = RDMA_CM_EVENT_MULTICAST_JOIN; +- ret = ib_init_ah_from_mcmember(id_priv->id.device, +- id_priv->id.port_num, +- &multicast->rec, +- ndev, gid_type, +- &event.param.ud.ah_attr); +- if (ret) +- event.event = RDMA_CM_EVENT_MULTICAST_ERROR; +- +- event.param.ud.qp_num = 0xFFFFFF; +- event.param.ud.qkey = be32_to_cpu(multicast->rec.qkey); +- if (ndev) +- dev_put(ndev); +- } else +- event.event = RDMA_CM_EVENT_MULTICAST_ERROR; +- ++ cma_make_mc_event(status, id_priv, multicast, &event, mc); + ret = cma_cm_event_handler(id_priv, &event); +- + rdma_destroy_ah_attr(&event.param.ud.ah_attr); + if (ret) { + destroy_id_handler_unlock(id_priv); +@@ -4416,23 +4417,10 @@ static int cma_join_ib_multicast(struct rdma_id_private *id_priv, + IB_SA_MCMEMBER_REC_MTU | + IB_SA_MCMEMBER_REC_HOP_LIMIT; + +- mc->multicast.ib = ib_sa_join_multicast(&sa_client, id_priv->id.device, +- id_priv->id.port_num, &rec, +- comp_mask, GFP_KERNEL, +- cma_ib_mc_handler, mc); +- return PTR_ERR_OR_ZERO(mc->multicast.ib); +-} +- +-static void iboe_mcast_work_handler(struct work_struct *work) +-{ +- struct iboe_mcast_work *mw = container_of(work, struct iboe_mcast_work, work); +- struct cma_multicast *mc = mw->mc; +- struct ib_sa_multicast *m = mc->multicast.ib; +- +- mc->multicast.ib->context = mc; +- cma_ib_mc_handler(0, m); +- kref_put(&mc->mcref, release_mc); +- kfree(mw); ++ mc->sa_mc = ib_sa_join_multicast(&sa_client, id_priv->id.device, ++ id_priv->id.port_num, &rec, comp_mask, ++ GFP_KERNEL, cma_ib_mc_handler, mc); ++ return PTR_ERR_OR_ZERO(mc->sa_mc); + } + + static void cma_iboe_set_mgid(struct sockaddr *addr, union ib_gid *mgid, +@@ -4467,52 +4455,47 @@ static void cma_iboe_set_mgid(struct sockaddr *addr, union ib_gid *mgid, + static int cma_iboe_join_multicast(struct rdma_id_private *id_priv, + struct cma_multicast *mc) + { +- struct iboe_mcast_work *work; ++ struct cma_work *work; + struct rdma_dev_addr *dev_addr = &id_priv->id.route.addr.dev_addr; + int err = 0; + struct sockaddr *addr = (struct sockaddr *)&mc->addr; + struct net_device *ndev = NULL; ++ struct ib_sa_multicast ib; + enum ib_gid_type gid_type; + bool send_only; + + send_only = mc->join_state == BIT(SENDONLY_FULLMEMBER_JOIN); + +- if (cma_zero_addr((struct sockaddr *)&mc->addr)) ++ if (cma_zero_addr(addr)) + return -EINVAL; + + work = kzalloc(sizeof *work, GFP_KERNEL); + if (!work) + return -ENOMEM; + +- mc->multicast.ib = kzalloc(sizeof(struct ib_sa_multicast), GFP_KERNEL); +- if (!mc->multicast.ib) { +- err = -ENOMEM; +- goto out1; +- } +- + gid_type = id_priv->cma_dev->default_gid_type[id_priv->id.port_num - + rdma_start_port(id_priv->cma_dev->device)]; +- cma_iboe_set_mgid(addr, &mc->multicast.ib->rec.mgid, gid_type); ++ cma_iboe_set_mgid(addr, &ib.rec.mgid, gid_type); + +- mc->multicast.ib->rec.pkey = cpu_to_be16(0xffff); ++ ib.rec.pkey = cpu_to_be16(0xffff); + if (id_priv->id.ps == RDMA_PS_UDP) +- mc->multicast.ib->rec.qkey = cpu_to_be32(RDMA_UDP_QKEY); ++ ib.rec.qkey = cpu_to_be32(RDMA_UDP_QKEY); + + if (dev_addr->bound_dev_if) + ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if); + if (!ndev) { + err = -ENODEV; +- goto out2; ++ goto err_free; + } +- mc->multicast.ib->rec.rate = iboe_get_rate(ndev); +- mc->multicast.ib->rec.hop_limit = 1; +- mc->multicast.ib->rec.mtu = iboe_get_mtu(ndev->mtu); ++ ib.rec.rate = iboe_get_rate(ndev); ++ ib.rec.hop_limit = 1; ++ ib.rec.mtu = iboe_get_mtu(ndev->mtu); + + if (addr->sa_family == AF_INET) { + if (gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP) { +- mc->multicast.ib->rec.hop_limit = IPV6_DEFAULT_HOPLIMIT; ++ ib.rec.hop_limit = IPV6_DEFAULT_HOPLIMIT; + if (!send_only) { +- err = cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, ++ err = cma_igmp_send(ndev, &ib.rec.mgid, + true); + } + } +@@ -4521,24 +4504,22 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv, + err = -ENOTSUPP; + } + dev_put(ndev); +- if (err || !mc->multicast.ib->rec.mtu) { ++ if (err || !ib.rec.mtu) { + if (!err) + err = -EINVAL; +- goto out2; ++ goto err_free; + } + rdma_ip2gid((struct sockaddr *)&id_priv->id.route.addr.src_addr, +- &mc->multicast.ib->rec.port_gid); ++ &ib.rec.port_gid); + work->id = id_priv; +- work->mc = mc; +- INIT_WORK(&work->work, iboe_mcast_work_handler); +- kref_get(&mc->mcref); ++ INIT_WORK(&work->work, cma_work_handler); ++ cma_make_mc_event(0, id_priv, &ib, &work->event, mc); ++ /* Balances with cma_id_put() in cma_work_handler */ ++ cma_id_get(id_priv); + queue_work(cma_wq, &work->work); +- + return 0; + +-out2: +- kfree(mc->multicast.ib); +-out1: ++err_free: + kfree(work); + return err; + } +@@ -4562,7 +4543,7 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr, + !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED)) + return -EINVAL; + +- mc = kmalloc(sizeof *mc, GFP_KERNEL); ++ mc = kzalloc(sizeof(*mc), GFP_KERNEL); + if (!mc) + return -ENOMEM; + +@@ -4572,7 +4553,6 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr, + mc->join_state = join_state; + + if (rdma_protocol_roce(id->device, id->port_num)) { +- kref_init(&mc->mcref); + ret = cma_iboe_join_multicast(id_priv, mc); + if (ret) + goto out_err; +-- +2.25.1 + diff --git a/queue-5.9/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch b/queue-5.9/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch new file mode 100644 index 00000000000..7f90c9a55ed --- /dev/null +++ b/queue-5.9/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch @@ -0,0 +1,69 @@ +From c68e5a6c04ed0ea113e86d76418b463d9ead966e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:11:20 +0300 +Subject: RDMA/cma: Remove dead code for kernel rdmacm multicast + +From: Jason Gunthorpe + +[ Upstream commit 1bb5091def706732c749df9aae45fbca003696f2 ] + +There is no kernel user of RDMA CM multicast so this code managing the +multicast subscription of the kernel-only internal QP is dead. Remove it. + +This makes the bug fixes in the next patches much simpler. + +Link: https://lore.kernel.org/r/20200902081122.745412-7-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 9c3cb8549ac72..f737f347ae1fc 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -4293,16 +4293,6 @@ static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast) + else + pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n", + status); +- mutex_lock(&id_priv->qp_mutex); +- if (!status && id_priv->id.qp) { +- status = ib_attach_mcast(id_priv->id.qp, &multicast->rec.mgid, +- be16_to_cpu(multicast->rec.mlid)); +- if (status) +- pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to attach QP. status %d\n", +- status); +- } +- mutex_unlock(&id_priv->qp_mutex); +- + event.status = status; + event.param.ud.private_data = mc->context; + if (!status) { +@@ -4555,6 +4545,10 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr, + struct cma_multicast *mc; + int ret; + ++ /* Not supported for kernel QPs */ ++ if (WARN_ON(id->qp)) ++ return -EINVAL; ++ + if (!id->device) + return -EINVAL; + +@@ -4609,11 +4603,6 @@ void rdma_leave_multicast(struct rdma_cm_id *id, struct sockaddr *addr) + list_del(&mc->list); + spin_unlock_irq(&id_priv->lock); + +- if (id->qp) +- ib_detach_mcast(id->qp, +- &mc->multicast.ib->rec.mgid, +- be16_to_cpu(mc->multicast.ib->rec.mlid)); +- + BUG_ON(id_priv->cma_dev->device != id->device); + + if (rdma_cap_ib_mcast(id->device, id->port_num)) { +-- +2.25.1 + diff --git a/queue-5.9/rdma-core-delete-function-indirection-for-alloc-free.patch b/queue-5.9/rdma-core-delete-function-indirection-for-alloc-free.patch new file mode 100644 index 00000000000..52ca57e4086 --- /dev/null +++ b/queue-5.9/rdma-core-delete-function-indirection-for-alloc-free.patch @@ -0,0 +1,196 @@ +From d083fa32355fb763cf77c7890250dafacc1ca61b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 15:09:17 +0300 +Subject: RDMA/core: Delete function indirection for alloc/free kernel CQ + +From: Leon Romanovsky + +[ Upstream commit 7e3c66c9a989d5b53387ceebc88b9e4a9b1d6434 ] + +The ib_alloc_cq*() and ib_free_cq*() are solely kernel verbs to manage CQs +and doesn't need extra indirection just to call same functions with +constant parameter NULL as udata. + +Link: https://lore.kernel.org/r/20200907120921.476363-6-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cq.c | 27 +++++++--------- + include/rdma/ib_verbs.h | 62 ++++-------------------------------- + 2 files changed, 18 insertions(+), 71 deletions(-) + +diff --git a/drivers/infiniband/core/cq.c b/drivers/infiniband/core/cq.c +index a92fc3f90bb5b..2efe825689e3e 100644 +--- a/drivers/infiniband/core/cq.c ++++ b/drivers/infiniband/core/cq.c +@@ -197,24 +197,22 @@ static void ib_cq_completion_workqueue(struct ib_cq *cq, void *private) + } + + /** +- * __ib_alloc_cq_user - allocate a completion queue ++ * __ib_alloc_cq allocate a completion queue + * @dev: device to allocate the CQ for + * @private: driver private data, accessible from cq->cq_context + * @nr_cqe: number of CQEs to allocate + * @comp_vector: HCA completion vectors for this CQ + * @poll_ctx: context to poll the CQ from. + * @caller: module owner name. +- * @udata: Valid user data or NULL for kernel object + * + * This is the proper interface to allocate a CQ for in-kernel users. A + * CQ allocated with this interface will automatically be polled from the + * specified context. The ULP must use wr->wr_cqe instead of wr->wr_id + * to use this CQ abstraction. + */ +-struct ib_cq *__ib_alloc_cq_user(struct ib_device *dev, void *private, +- int nr_cqe, int comp_vector, +- enum ib_poll_context poll_ctx, +- const char *caller, struct ib_udata *udata) ++struct ib_cq *__ib_alloc_cq(struct ib_device *dev, void *private, int nr_cqe, ++ int comp_vector, enum ib_poll_context poll_ctx, ++ const char *caller) + { + struct ib_cq_init_attr cq_attr = { + .cqe = nr_cqe, +@@ -277,7 +275,7 @@ struct ib_cq *__ib_alloc_cq_user(struct ib_device *dev, void *private, + out_destroy_cq: + rdma_dim_destroy(cq); + rdma_restrack_del(&cq->res); +- cq->device->ops.destroy_cq(cq, udata); ++ cq->device->ops.destroy_cq(cq, NULL); + out_free_wc: + kfree(cq->wc); + out_free_cq: +@@ -285,7 +283,7 @@ struct ib_cq *__ib_alloc_cq_user(struct ib_device *dev, void *private, + trace_cq_alloc_error(nr_cqe, comp_vector, poll_ctx, ret); + return ERR_PTR(ret); + } +-EXPORT_SYMBOL(__ib_alloc_cq_user); ++EXPORT_SYMBOL(__ib_alloc_cq); + + /** + * __ib_alloc_cq_any - allocate a completion queue +@@ -310,17 +308,16 @@ struct ib_cq *__ib_alloc_cq_any(struct ib_device *dev, void *private, + atomic_inc_return(&counter) % + min_t(int, dev->num_comp_vectors, num_online_cpus()); + +- return __ib_alloc_cq_user(dev, private, nr_cqe, comp_vector, poll_ctx, +- caller, NULL); ++ return __ib_alloc_cq(dev, private, nr_cqe, comp_vector, poll_ctx, ++ caller); + } + EXPORT_SYMBOL(__ib_alloc_cq_any); + + /** +- * ib_free_cq_user - free a completion queue ++ * ib_free_cq - free a completion queue + * @cq: completion queue to free. +- * @udata: User data or NULL for kernel object + */ +-void ib_free_cq_user(struct ib_cq *cq, struct ib_udata *udata) ++void ib_free_cq(struct ib_cq *cq) + { + if (WARN_ON_ONCE(atomic_read(&cq->usecnt))) + return; +@@ -344,11 +341,11 @@ void ib_free_cq_user(struct ib_cq *cq, struct ib_udata *udata) + rdma_dim_destroy(cq); + trace_cq_free(cq); + rdma_restrack_del(&cq->res); +- cq->device->ops.destroy_cq(cq, udata); ++ cq->device->ops.destroy_cq(cq, NULL); + kfree(cq->wc); + kfree(cq); + } +-EXPORT_SYMBOL(ib_free_cq_user); ++EXPORT_SYMBOL(ib_free_cq); + + void ib_cq_pool_init(struct ib_device *dev) + { +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index c0b2fa7e9b959..1a3ef718c30b4 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -3817,46 +3817,15 @@ static inline int ib_post_recv(struct ib_qp *qp, + return qp->device->ops.post_recv(qp, recv_wr, bad_recv_wr ? : &dummy); + } + +-struct ib_cq *__ib_alloc_cq_user(struct ib_device *dev, void *private, +- int nr_cqe, int comp_vector, +- enum ib_poll_context poll_ctx, +- const char *caller, struct ib_udata *udata); +- +-/** +- * ib_alloc_cq_user: Allocate kernel/user CQ +- * @dev: The IB device +- * @private: Private data attached to the CQE +- * @nr_cqe: Number of CQEs in the CQ +- * @comp_vector: Completion vector used for the IRQs +- * @poll_ctx: Context used for polling the CQ +- * @udata: Valid user data or NULL for kernel objects +- */ +-static inline struct ib_cq *ib_alloc_cq_user(struct ib_device *dev, +- void *private, int nr_cqe, +- int comp_vector, +- enum ib_poll_context poll_ctx, +- struct ib_udata *udata) +-{ +- return __ib_alloc_cq_user(dev, private, nr_cqe, comp_vector, poll_ctx, +- KBUILD_MODNAME, udata); +-} +- +-/** +- * ib_alloc_cq: Allocate kernel CQ +- * @dev: The IB device +- * @private: Private data attached to the CQE +- * @nr_cqe: Number of CQEs in the CQ +- * @comp_vector: Completion vector used for the IRQs +- * @poll_ctx: Context used for polling the CQ +- * +- * NOTE: for user cq use ib_alloc_cq_user with valid udata! +- */ ++struct ib_cq *__ib_alloc_cq(struct ib_device *dev, void *private, int nr_cqe, ++ int comp_vector, enum ib_poll_context poll_ctx, ++ const char *caller); + static inline struct ib_cq *ib_alloc_cq(struct ib_device *dev, void *private, + int nr_cqe, int comp_vector, + enum ib_poll_context poll_ctx) + { +- return ib_alloc_cq_user(dev, private, nr_cqe, comp_vector, poll_ctx, +- NULL); ++ return __ib_alloc_cq(dev, private, nr_cqe, comp_vector, poll_ctx, ++ KBUILD_MODNAME); + } + + struct ib_cq *__ib_alloc_cq_any(struct ib_device *dev, void *private, +@@ -3878,26 +3847,7 @@ static inline struct ib_cq *ib_alloc_cq_any(struct ib_device *dev, + KBUILD_MODNAME); + } + +-/** +- * ib_free_cq_user - Free kernel/user CQ +- * @cq: The CQ to free +- * @udata: Valid user data or NULL for kernel objects +- * +- * NOTE: This function shouldn't be called on shared CQs. +- */ +-void ib_free_cq_user(struct ib_cq *cq, struct ib_udata *udata); +- +-/** +- * ib_free_cq - Free kernel CQ +- * @cq: The CQ to free +- * +- * NOTE: for user cq use ib_free_cq_user with valid udata! +- */ +-static inline void ib_free_cq(struct ib_cq *cq) +-{ +- ib_free_cq_user(cq, NULL); +-} +- ++void ib_free_cq(struct ib_cq *cq); + int ib_process_cq_direct(struct ib_cq *cq, int budget); + + /** +-- +2.25.1 + diff --git a/queue-5.9/rdma-hns-add-a-check-for-current-state-before-modify.patch b/queue-5.9/rdma-hns-add-a-check-for-current-state-before-modify.patch new file mode 100644 index 00000000000..bed938720fa --- /dev/null +++ b/queue-5.9/rdma-hns-add-a-check-for-current-state-before-modify.patch @@ -0,0 +1,45 @@ +From 8cad257148d819139ef803c0cafb097b87c64c5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 19:07:54 +0800 +Subject: RDMA/hns: Add a check for current state before modifying QP + +From: Lang Cheng + +[ Upstream commit e0ef0f68c4c0d85b1eb63f38d5d10324361280e8 ] + +It should be considered an illegal operation if the ULP attempts to modify +a QP from another state to the current hardware state. Otherwise, the ULP +can modify some fields of QPC at any time. For example, for a QP in state +of RTS, modify it from RTR to RTS can change the PSN, which is always not +as expected. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Link: https://lore.kernel.org/r/1598353674-24270-1-git-send-email-liweihang@huawei.com +Signed-off-by: Lang Cheng +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_qp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index c063c450c715f..975281f034685 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -1161,8 +1161,10 @@ int hns_roce_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + + mutex_lock(&hr_qp->mutex); + +- cur_state = attr_mask & IB_QP_CUR_STATE ? +- attr->cur_qp_state : (enum ib_qp_state)hr_qp->state; ++ if (attr_mask & IB_QP_CUR_STATE && attr->cur_qp_state != hr_qp->state) ++ goto out; ++ ++ cur_state = hr_qp->state; + new_state = attr_mask & IB_QP_STATE ? attr->qp_state : cur_state; + + if (ibqp->uobject && +-- +2.25.1 + diff --git a/queue-5.9/rdma-hns-add-check-for-the-validity-of-sl-configurat.patch b/queue-5.9/rdma-hns-add-check-for-the-validity-of-sl-configurat.patch new file mode 100644 index 00000000000..d0ca1a42f75 --- /dev/null +++ b/queue-5.9/rdma-hns-add-check-for-the-validity-of-sl-configurat.patch @@ -0,0 +1,67 @@ +From 97a3109187284d96de8a8f18d148639ed5d1ef5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 18:03:18 +0800 +Subject: RDMA/hns: Add check for the validity of sl configuration + +From: Jiaran Zhang + +[ Upstream commit 172505cfa3a8ee98acaa569fd3be97697b333958 ] + +According to the RoCE v1 specification, the sl (service level) 0-7 are +mapped directly to priorities 0-7 respectively, sl 8-15 are reserved. The +driver should verify whether the the value of sl is larger than 7, if so, +an exception should be returned. + +Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") +Link: https://lore.kernel.org/r/1600509802-44382-5-git-send-email-liweihang@huawei.com +Signed-off-by: Jiaran Zhang +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 12 ++++++++++-- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 2 ++ + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 4cda95ed1fbe2..59087d5811ba3 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4259,11 +4259,19 @@ static int hns_roce_v2_set_path(struct ib_qp *ibqp, + V2_QPC_BYTE_28_FL_S, 0); + memcpy(context->dgid, grh->dgid.raw, sizeof(grh->dgid.raw)); + memset(qpc_mask->dgid, 0, sizeof(grh->dgid.raw)); ++ ++ hr_qp->sl = rdma_ah_get_sl(&attr->ah_attr); ++ if (unlikely(hr_qp->sl > MAX_SERVICE_LEVEL)) { ++ ibdev_err(ibdev, ++ "failed to fill QPC, sl (%d) shouldn't be larger than %d.\n", ++ hr_qp->sl, MAX_SERVICE_LEVEL); ++ return -EINVAL; ++ } ++ + roce_set_field(context->byte_28_at_fl, V2_QPC_BYTE_28_SL_M, +- V2_QPC_BYTE_28_SL_S, rdma_ah_get_sl(&attr->ah_attr)); ++ V2_QPC_BYTE_28_SL_S, hr_qp->sl); + roce_set_field(qpc_mask->byte_28_at_fl, V2_QPC_BYTE_28_SL_M, + V2_QPC_BYTE_28_SL_S, 0); +- hr_qp->sl = rdma_ah_get_sl(&attr->ah_attr); + + return 0; + } +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index ac29be43b6bd5..17f35f91f4ad2 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -1941,6 +1941,8 @@ struct hns_roce_eq_context { + #define HNS_ROCE_V2_AEQE_EVENT_QUEUE_NUM_S 0 + #define HNS_ROCE_V2_AEQE_EVENT_QUEUE_NUM_M GENMASK(23, 0) + ++#define MAX_SERVICE_LEVEL 0x7 ++ + struct hns_roce_wqe_atomic_seg { + __le64 fetchadd_swap_data; + __le64 cmp_data; +-- +2.25.1 + diff --git a/queue-5.9/rdma-hns-fix-configuration-of-ack_req_freq-in-qpc.patch b/queue-5.9/rdma-hns-fix-configuration-of-ack_req_freq-in-qpc.patch new file mode 100644 index 00000000000..447175f79dd --- /dev/null +++ b/queue-5.9/rdma-hns-fix-configuration-of-ack_req_freq-in-qpc.patch @@ -0,0 +1,73 @@ +From 46756057aa1a6ea6dbe511e93ab1c463b80e1fa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 18:03:21 +0800 +Subject: RDMA/hns: Fix configuration of ack_req_freq in QPC + +From: Weihang Li + +[ Upstream commit fbed9d2be292504e04caa2057e3a9477a1e1d040 ] + +The hardware will add AckReq flag in BTH header according to the value of +ack_req_freq to request ACK from responder for the packets with this flag. +It should be greater than or equal to lp_pktn_ini instead of using a fixed +value. + +Fixes: 7b9bd73ed13d ("RDMA/hns: Fix wrong assignment of lp_pktn_ini in QPC") +Link: https://lore.kernel.org/r/1600509802-44382-8-git-send-email-liweihang@huawei.com +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 9eaed58fbaee0..f72ee3b5d05f6 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -3641,9 +3641,6 @@ static void modify_qp_reset_to_init(struct ib_qp *ibqp, + V2_QPC_BYTE_76_SRQ_EN_S, 1); + } + +- roce_set_field(context->byte_172_sq_psn, V2_QPC_BYTE_172_ACK_REQ_FREQ_M, +- V2_QPC_BYTE_172_ACK_REQ_FREQ_S, 4); +- + roce_set_bit(context->byte_172_sq_psn, V2_QPC_BYTE_172_FRE_S, 1); + + hr_qp->access_flags = attr->qp_access_flags; +@@ -3954,6 +3951,7 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp, + dma_addr_t trrl_ba; + dma_addr_t irrl_ba; + enum ib_mtu mtu; ++ u8 lp_pktn_ini; + u8 port_num; + u64 *mtts; + u8 *dmac; +@@ -4061,13 +4059,21 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp, + } + + #define MAX_LP_MSG_LEN 65536 +- /* MTU*(2^LP_PKTN_INI) shouldn't be bigger than 64kb */ ++ /* MTU * (2 ^ LP_PKTN_INI) shouldn't be bigger than 64KB */ ++ lp_pktn_ini = ilog2(MAX_LP_MSG_LEN / ib_mtu_enum_to_int(mtu)); ++ + roce_set_field(context->byte_56_dqpn_err, V2_QPC_BYTE_56_LP_PKTN_INI_M, +- V2_QPC_BYTE_56_LP_PKTN_INI_S, +- ilog2(MAX_LP_MSG_LEN / ib_mtu_enum_to_int(mtu))); ++ V2_QPC_BYTE_56_LP_PKTN_INI_S, lp_pktn_ini); + roce_set_field(qpc_mask->byte_56_dqpn_err, V2_QPC_BYTE_56_LP_PKTN_INI_M, + V2_QPC_BYTE_56_LP_PKTN_INI_S, 0); + ++ /* ACK_REQ_FREQ should be larger than or equal to LP_PKTN_INI */ ++ roce_set_field(context->byte_172_sq_psn, V2_QPC_BYTE_172_ACK_REQ_FREQ_M, ++ V2_QPC_BYTE_172_ACK_REQ_FREQ_S, lp_pktn_ini); ++ roce_set_field(qpc_mask->byte_172_sq_psn, ++ V2_QPC_BYTE_172_ACK_REQ_FREQ_M, ++ V2_QPC_BYTE_172_ACK_REQ_FREQ_S, 0); ++ + roce_set_bit(qpc_mask->byte_108_rx_reqepsn, + V2_QPC_BYTE_108_RX_REQ_PSN_ERR_S, 0); + roce_set_field(qpc_mask->byte_96_rx_reqmsn, V2_QPC_BYTE_96_RX_REQ_MSN_M, +-- +2.25.1 + diff --git a/queue-5.9/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch b/queue-5.9/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch new file mode 100644 index 00000000000..b57e7ba04a4 --- /dev/null +++ b/queue-5.9/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch @@ -0,0 +1,36 @@ +From b693fe0c165439d589a1c95ff4afb0f72889099c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 18:03:22 +0800 +Subject: RDMA/hns: Fix missing sq_sig_type when querying QP + +From: Weihang Li + +[ Upstream commit 05df49279f8926178ecb3ce88e61b63104cd6293 ] + +The sq_sig_type field should be filled when querying QP, or the users may +get a wrong value. + +Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") +Link: https://lore.kernel.org/r/1600509802-44382-9-git-send-email-liweihang@huawei.com +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index f72ee3b5d05f6..cee140920c579 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4791,6 +4791,7 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + } + + qp_init_attr->cap = qp_attr->cap; ++ qp_init_attr->sq_sig_type = hr_qp->sq_signal_bits; + + out: + mutex_unlock(&hr_qp->mutex); +-- +2.25.1 + diff --git a/queue-5.9/rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch b/queue-5.9/rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch new file mode 100644 index 00000000000..76599136d86 --- /dev/null +++ b/queue-5.9/rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch @@ -0,0 +1,40 @@ +From a1eac4962288b96f6828d81911198d0c24b6019d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 18:03:20 +0800 +Subject: RDMA/hns: Fix the wrong value of rnr_retry when querying qp + +From: Wenpeng Liang + +[ Upstream commit 99fcf82521d91468ee6115a3c253aa032dc63cbc ] + +The rnr_retry returned to the user is not correct, it should be got from +another fields in QPC. + +Fixes: bfe860351e31 ("RDMA/hns: Fix cast from or to restricted __le32 for driver") +Link: https://lore.kernel.org/r/1600509802-44382-7-git-send-email-liweihang@huawei.com +Signed-off-by: Wenpeng Liang +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 547f8c7dcf561..9eaed58fbaee0 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4767,7 +4767,9 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + qp_attr->retry_cnt = roce_get_field(context.byte_212_lsn, + V2_QPC_BYTE_212_RETRY_CNT_M, + V2_QPC_BYTE_212_RETRY_CNT_S); +- qp_attr->rnr_retry = le32_to_cpu(context.rq_rnr_timer); ++ qp_attr->rnr_retry = roce_get_field(context.byte_244_rnr_rxack, ++ V2_QPC_BYTE_244_RNR_CNT_M, ++ V2_QPC_BYTE_244_RNR_CNT_S); + + done: + qp_attr->cur_qp_state = qp_attr->qp_state; +-- +2.25.1 + diff --git a/queue-5.9/rdma-hns-set-the-unsupported-wr-opcode.patch b/queue-5.9/rdma-hns-set-the-unsupported-wr-opcode.patch new file mode 100644 index 00000000000..242ece7f317 --- /dev/null +++ b/queue-5.9/rdma-hns-set-the-unsupported-wr-opcode.patch @@ -0,0 +1,37 @@ +From b91496f418d4d0b9e5c76f288f35f9f6ac07c918 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 21:50:15 +0800 +Subject: RDMA/hns: Set the unsupported wr opcode + +From: Lijun Ou + +[ Upstream commit 22d3e1ed2cc837af87f76c3c8a4ccf4455e225c5 ] + +hip06 does not support IB_WR_LOCAL_INV, so the ps_opcode should be set to +an invalid value instead of being left uninitialized. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Fixes: a2f3d4479fe9 ("RDMA/hns: Avoid unncessary initialization") +Link: https://lore.kernel.org/r/1600350615-115217-1-git-send-email-oulijun@huawei.com +Signed-off-by: Lijun Ou +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +index 109f42458c026..eac971c663791 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +@@ -271,7 +271,6 @@ static int hns_roce_v1_post_send(struct ib_qp *ibqp, + ps_opcode = HNS_ROCE_WQE_OPCODE_SEND; + break; + case IB_WR_LOCAL_INV: +- break; + case IB_WR_ATOMIC_CMP_AND_SWP: + case IB_WR_ATOMIC_FETCH_AND_ADD: + case IB_WR_LSO: +-- +2.25.1 + diff --git a/queue-5.9/rdma-hns-solve-the-overflow-of-the-calc_pg_sz.patch b/queue-5.9/rdma-hns-solve-the-overflow-of-the-calc_pg_sz.patch new file mode 100644 index 00000000000..dfb0cba727e --- /dev/null +++ b/queue-5.9/rdma-hns-solve-the-overflow-of-the-calc_pg_sz.patch @@ -0,0 +1,44 @@ +From 83ab2264cb529b9c80188db26019b4ba66ca8b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 18:03:19 +0800 +Subject: RDMA/hns: Solve the overflow of the calc_pg_sz() + +From: Jiaran Zhang + +[ Upstream commit 768202a0825d447de785e87ff1ea1d3c86a71727 ] + +calc_pg_sz() may gets a data calculation overflow if the PAGE_SIZE is 64 KB +and hop_num is 2. It is because that all variables involved in calculation +are defined in type of int. So change the type of bt_chunk_size, +buf_chunk_size and obj_per_chunk_default to u64. + +Fixes: ba6bb7e97421 ("RDMA/hns: Add interfaces to get pf capabilities from firmware") +Link: https://lore.kernel.org/r/1600509802-44382-6-git-send-email-liweihang@huawei.com +Signed-off-by: Jiaran Zhang +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 59087d5811ba3..547f8c7dcf561 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -1770,9 +1770,9 @@ static void calc_pg_sz(int obj_num, int obj_size, int hop_num, int ctx_bt_num, + int *buf_page_size, int *bt_page_size, u32 hem_type) + { + u64 obj_per_chunk; +- int bt_chunk_size = 1 << PAGE_SHIFT; +- int buf_chunk_size = 1 << PAGE_SHIFT; +- int obj_per_chunk_default = buf_chunk_size / obj_size; ++ u64 bt_chunk_size = PAGE_SIZE; ++ u64 buf_chunk_size = PAGE_SIZE; ++ u64 obj_per_chunk_default = buf_chunk_size / obj_size; + + *buf_page_size = 0; + *bt_page_size = 0; +-- +2.25.1 + diff --git a/queue-5.9/rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch b/queue-5.9/rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch new file mode 100644 index 00000000000..766f67bd305 --- /dev/null +++ b/queue-5.9/rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch @@ -0,0 +1,84 @@ +From 7afc425c56ab1854369457ad101f48d75f23bbc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 16:29:48 +0300 +Subject: RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces + +From: Kamal Heib + +[ Upstream commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 ] + +Report the "ipoib pkey", "mode" and "umcast" netlink attributes for every +IPoiB interface type, not just children created with 'ip link add'. + +After setting the rtnl_link_ops for the parent interface, implement the +dellink() callback to block users from trying to remove it. + +Fixes: 862096a8bbf8 ("IB/ipoib: Add more rtnl_link_ops callbacks") +Link: https://lore.kernel.org/r/20201004132948.26669-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 ++ + drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 11 +++++++++++ + drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 2 ++ + 3 files changed, 15 insertions(+) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index f772fe8c5b663..abfab89423f41 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -2480,6 +2480,8 @@ static struct net_device *ipoib_add_port(const char *format, + /* call event handler to ensure pkey in sync */ + queue_work(ipoib_workqueue, &priv->flush_heavy); + ++ ndev->rtnl_link_ops = ipoib_get_link_ops(); ++ + result = register_netdev(ndev); + if (result) { + pr_warn("%s: couldn't register ipoib port %d; error %d\n", +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c +index 38c984d16996d..d5a90a66b45cf 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c +@@ -144,6 +144,16 @@ static int ipoib_new_child_link(struct net *src_net, struct net_device *dev, + return 0; + } + ++static void ipoib_del_child_link(struct net_device *dev, struct list_head *head) ++{ ++ struct ipoib_dev_priv *priv = ipoib_priv(dev); ++ ++ if (!priv->parent) ++ return; ++ ++ unregister_netdevice_queue(dev, head); ++} ++ + static size_t ipoib_get_size(const struct net_device *dev) + { + return nla_total_size(2) + /* IFLA_IPOIB_PKEY */ +@@ -158,6 +168,7 @@ static struct rtnl_link_ops ipoib_link_ops __read_mostly = { + .priv_size = sizeof(struct ipoib_dev_priv), + .setup = ipoib_setup_common, + .newlink = ipoib_new_child_link, ++ .dellink = ipoib_del_child_link, + .changelink = ipoib_changelink, + .get_size = ipoib_get_size, + .fill_info = ipoib_fill_info, +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +index 30865605e0980..4c50a87ed7cc2 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +@@ -195,6 +195,8 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) + } + priv = ipoib_priv(ndev); + ++ ndev->rtnl_link_ops = ipoib_get_link_ops(); ++ + result = __ipoib_vlan_add(ppriv, priv, pkey, IPOIB_LEGACY_CHILD); + + if (result && ndev->reg_state == NETREG_UNINITIALIZED) +-- +2.25.1 + diff --git a/queue-5.9/rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch b/queue-5.9/rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch new file mode 100644 index 00000000000..5c9cc7d8624 --- /dev/null +++ b/queue-5.9/rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch @@ -0,0 +1,42 @@ +From 038af9db5d478735ef1eb154b41a99a6d338c8ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:26:52 +0300 +Subject: RDMA/mlx5: Disable IB_DEVICE_MEM_MGT_EXTENSIONS if IB_WR_REG_MR can't + work + +From: Jason Gunthorpe + +[ Upstream commit 0ec52f0194638e2d284ad55eba5a7aff753de1b9 ] + +set_reg_wr() always fails if !umr_modify_entity_size_disabled because +mlx5_ib_can_use_umr() always fails. Without set_reg_wr() IB_WR_REG_MR +doesn't work and that means the device should not advertise +IB_DEVICE_MEM_MGT_EXTENSIONS. + +Fixes: 841b07f99a47 ("IB/mlx5: Block MR WR if UMR is not possible") +Link: https://lore.kernel.org/r/20200914112653.345244-5-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index d60d63221b14d..b805cc8124657 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -840,7 +840,9 @@ static int mlx5_ib_query_device(struct ib_device *ibdev, + /* We support 'Gappy' memory registration too */ + props->device_cap_flags |= IB_DEVICE_SG_GAPS_REG; + } +- props->device_cap_flags |= IB_DEVICE_MEM_MGT_EXTENSIONS; ++ /* IB_WR_REG_MR always requires changing the entity size with UMR */ ++ if (!MLX5_CAP_GEN(dev->mdev, umr_modify_entity_size_disabled)) ++ props->device_cap_flags |= IB_DEVICE_MEM_MGT_EXTENSIONS; + if (MLX5_CAP_GEN(mdev, sho)) { + props->device_cap_flags |= IB_DEVICE_INTEGRITY_HANDOVER; + /* At this stage no support for signature handover */ +-- +2.25.1 + diff --git a/queue-5.9/rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch b/queue-5.9/rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch new file mode 100644 index 00000000000..a0afb9fc318 --- /dev/null +++ b/queue-5.9/rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch @@ -0,0 +1,47 @@ +From 419b913a0c4ebd12031e34fde23196e7c047f244 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Aug 2020 11:40:04 +0300 +Subject: RDMA/mlx5: Fix potential race between destroy and CQE poll + +From: Leon Romanovsky + +[ Upstream commit 4b916ed9f9e85f705213ca8d69771d3c1cd6ee5a ] + +The SRQ can be destroyed right before mlx5_cmd_get_srq is called. +In such case the latter will return NULL instead of expected SRQ. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Link: https://lore.kernel.org/r/20200830084010.102381-5-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/cq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index dceb0eb2bed16..b318bde2e565f 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -168,7 +168,7 @@ static void handle_responder(struct ib_wc *wc, struct mlx5_cqe64 *cqe, + { + enum rdma_link_layer ll = rdma_port_get_link_layer(qp->ibqp.device, 1); + struct mlx5_ib_dev *dev = to_mdev(qp->ibqp.device); +- struct mlx5_ib_srq *srq; ++ struct mlx5_ib_srq *srq = NULL; + struct mlx5_ib_wq *wq; + u16 wqe_ctr; + u8 roce_packet_type; +@@ -180,7 +180,8 @@ static void handle_responder(struct ib_wc *wc, struct mlx5_cqe64 *cqe, + + if (qp->ibqp.xrcd) { + msrq = mlx5_cmd_get_srq(dev, be32_to_cpu(cqe->srqn)); +- srq = to_mibsrq(msrq); ++ if (msrq) ++ srq = to_mibsrq(msrq); + } else { + srq = to_msrq(qp->ibqp.srq); + } +-- +2.25.1 + diff --git a/queue-5.9/rdma-mlx5-fix-type-warning-of-sizeof-in-__mlx5_ib_al.patch b/queue-5.9/rdma-mlx5-fix-type-warning-of-sizeof-in-__mlx5_ib_al.patch new file mode 100644 index 00000000000..fe92638bc2b --- /dev/null +++ b/queue-5.9/rdma-mlx5-fix-type-warning-of-sizeof-in-__mlx5_ib_al.patch @@ -0,0 +1,44 @@ +From a6a197a72f63473bc26cf71044fa1d80062cdad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 16:13:54 +0800 +Subject: RDMA/mlx5: Fix type warning of sizeof in __mlx5_ib_alloc_counters() + +From: Liu Shixin + +[ Upstream commit b942fc0319a72b83146b79619eb578e989062911 ] + +sizeof() when applied to a pointer typed expression should give the size +of the pointed data, even if the data is a pointer. + +Fixes: e1f24a79f424 ("IB/mlx5: Support congestion related counters") +Link: https://lore.kernel.org/r/20200917081354.2083293-1-liushixin2@huawei.com +Signed-off-by: Liu Shixin +Acked-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/counters.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c +index 145f3cb40ccba..aeeb14ecb3ee7 100644 +--- a/drivers/infiniband/hw/mlx5/counters.c ++++ b/drivers/infiniband/hw/mlx5/counters.c +@@ -456,12 +456,12 @@ static int __mlx5_ib_alloc_counters(struct mlx5_ib_dev *dev, + cnts->num_ext_ppcnt_counters = ARRAY_SIZE(ext_ppcnt_cnts); + num_counters += ARRAY_SIZE(ext_ppcnt_cnts); + } +- cnts->names = kcalloc(num_counters, sizeof(cnts->names), GFP_KERNEL); ++ cnts->names = kcalloc(num_counters, sizeof(*cnts->names), GFP_KERNEL); + if (!cnts->names) + return -ENOMEM; + + cnts->offsets = kcalloc(num_counters, +- sizeof(cnts->offsets), GFP_KERNEL); ++ sizeof(*cnts->offsets), GFP_KERNEL); + if (!cnts->offsets) + goto err_names; + +-- +2.25.1 + diff --git a/queue-5.9/rdma-mlx5-make-mkeys-always-owned-by-the-kernel-s-pd.patch b/queue-5.9/rdma-mlx5-make-mkeys-always-owned-by-the-kernel-s-pd.patch new file mode 100644 index 00000000000..f2ee8362667 --- /dev/null +++ b/queue-5.9/rdma-mlx5-make-mkeys-always-owned-by-the-kernel-s-pd.patch @@ -0,0 +1,120 @@ +From e49d27e988cbe25d0a13a2c744f6089d55544071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:26:51 +0300 +Subject: RDMA/mlx5: Make mkeys always owned by the kernel's PD when not + enabled + +From: Jason Gunthorpe + +[ Upstream commit 5eb29f0d13a66502b91954597270003c90fb66c5 ] + +Any mkey that is not enabled and assigned to userspace should have the PD +set to a kernel owned PD. + +When cache entries are created for the first time the PDN is set to 0, +which is probably a kernel PD, but be explicit. + +When a MR is registered using the hybrid reg_create with UMR xlt & enable +the disabled mkey is pointing at the user PD, keep it pointing at the +kernel until a UMR enables it and sets the user PD. + +Fixes: 9ec4483a3f0f ("IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache") +Link: https://lore.kernel.org/r/20200914112653.345244-4-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mr.c | 51 +++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 25 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 8f5d36f32529e..6eb40b33e1ea8 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -50,6 +50,29 @@ enum { + static void + create_mkey_callback(int status, struct mlx5_async_work *context); + ++static void set_mkc_access_pd_addr_fields(void *mkc, int acc, u64 start_addr, ++ struct ib_pd *pd) ++{ ++ struct mlx5_ib_dev *dev = to_mdev(pd->device); ++ ++ MLX5_SET(mkc, mkc, a, !!(acc & IB_ACCESS_REMOTE_ATOMIC)); ++ MLX5_SET(mkc, mkc, rw, !!(acc & IB_ACCESS_REMOTE_WRITE)); ++ MLX5_SET(mkc, mkc, rr, !!(acc & IB_ACCESS_REMOTE_READ)); ++ MLX5_SET(mkc, mkc, lw, !!(acc & IB_ACCESS_LOCAL_WRITE)); ++ MLX5_SET(mkc, mkc, lr, 1); ++ ++ if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_write)) ++ MLX5_SET(mkc, mkc, relaxed_ordering_write, ++ !!(acc & IB_ACCESS_RELAXED_ORDERING)); ++ if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_read)) ++ MLX5_SET(mkc, mkc, relaxed_ordering_read, ++ !!(acc & IB_ACCESS_RELAXED_ORDERING)); ++ ++ MLX5_SET(mkc, mkc, pd, to_mpd(pd)->pdn); ++ MLX5_SET(mkc, mkc, qpn, 0xffffff); ++ MLX5_SET64(mkc, mkc, start_addr, start_addr); ++} ++ + static void + assign_mkey_variant(struct mlx5_ib_dev *dev, struct mlx5_core_mkey *mkey, + u32 *in) +@@ -152,12 +175,12 @@ static struct mlx5_ib_mr *alloc_cache_mr(struct mlx5_cache_ent *ent, void *mkc) + mr->cache_ent = ent; + mr->dev = ent->dev; + ++ set_mkc_access_pd_addr_fields(mkc, 0, 0, ent->dev->umrc.pd); + MLX5_SET(mkc, mkc, free, 1); + MLX5_SET(mkc, mkc, umr_en, 1); + MLX5_SET(mkc, mkc, access_mode_1_0, ent->access_mode & 0x3); + MLX5_SET(mkc, mkc, access_mode_4_2, (ent->access_mode >> 2) & 0x7); + +- MLX5_SET(mkc, mkc, qpn, 0xffffff); + MLX5_SET(mkc, mkc, translations_octword_size, ent->xlt); + MLX5_SET(mkc, mkc, log_page_size, ent->page); + return mr; +@@ -774,29 +797,6 @@ int mlx5_mr_cache_cleanup(struct mlx5_ib_dev *dev) + return 0; + } + +-static void set_mkc_access_pd_addr_fields(void *mkc, int acc, u64 start_addr, +- struct ib_pd *pd) +-{ +- struct mlx5_ib_dev *dev = to_mdev(pd->device); +- +- MLX5_SET(mkc, mkc, a, !!(acc & IB_ACCESS_REMOTE_ATOMIC)); +- MLX5_SET(mkc, mkc, rw, !!(acc & IB_ACCESS_REMOTE_WRITE)); +- MLX5_SET(mkc, mkc, rr, !!(acc & IB_ACCESS_REMOTE_READ)); +- MLX5_SET(mkc, mkc, lw, !!(acc & IB_ACCESS_LOCAL_WRITE)); +- MLX5_SET(mkc, mkc, lr, 1); +- +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_write)) +- MLX5_SET(mkc, mkc, relaxed_ordering_write, +- !!(acc & IB_ACCESS_RELAXED_ORDERING)); +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_read)) +- MLX5_SET(mkc, mkc, relaxed_ordering_read, +- !!(acc & IB_ACCESS_RELAXED_ORDERING)); +- +- MLX5_SET(mkc, mkc, pd, to_mpd(pd)->pdn); +- MLX5_SET(mkc, mkc, qpn, 0xffffff); +- MLX5_SET64(mkc, mkc, start_addr, start_addr); +-} +- + struct ib_mr *mlx5_ib_get_dma_mr(struct ib_pd *pd, int acc) + { + struct mlx5_ib_dev *dev = to_mdev(pd->device); +@@ -1190,7 +1190,8 @@ static struct mlx5_ib_mr *reg_create(struct ib_mr *ibmr, struct ib_pd *pd, + MLX5_SET(create_mkey_in, in, pg_access, !!(pg_cap)); + + mkc = MLX5_ADDR_OF(create_mkey_in, in, memory_key_mkey_entry); +- set_mkc_access_pd_addr_fields(mkc, access_flags, virt_addr, pd); ++ set_mkc_access_pd_addr_fields(mkc, access_flags, virt_addr, ++ populate ? pd : dev->umrc.pd); + MLX5_SET(mkc, mkc, free, !populate); + MLX5_SET(mkc, mkc, access_mode_1_0, MLX5_MKC_ACCESS_MODE_MTT); + MLX5_SET(mkc, mkc, umr_en, 1); +-- +2.25.1 + diff --git a/queue-5.9/rdma-mlx5-use-set_mkc_access_pd_addr_fields-in-reg_c.patch b/queue-5.9/rdma-mlx5-use-set_mkc_access_pd_addr_fields-in-reg_c.patch new file mode 100644 index 00000000000..4eda770da51 --- /dev/null +++ b/queue-5.9/rdma-mlx5-use-set_mkc_access_pd_addr_fields-in-reg_c.patch @@ -0,0 +1,57 @@ +From 18b5f964efe208fc431a330fca4e89ecf20748c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:26:50 +0300 +Subject: RDMA/mlx5: Use set_mkc_access_pd_addr_fields() in reg_create() + +From: Jason Gunthorpe + +[ Upstream commit 1c97ca3da0d12e0156a177f48ed3184c3f202002 ] + +reg_create() open codes this helper, use the shared code. + +Link: https://lore.kernel.org/r/20200914112653.345244-3-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mr.c | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 3e6f2f9c66555..8f5d36f32529e 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -1190,29 +1190,16 @@ static struct mlx5_ib_mr *reg_create(struct ib_mr *ibmr, struct ib_pd *pd, + MLX5_SET(create_mkey_in, in, pg_access, !!(pg_cap)); + + mkc = MLX5_ADDR_OF(create_mkey_in, in, memory_key_mkey_entry); ++ set_mkc_access_pd_addr_fields(mkc, access_flags, virt_addr, pd); + MLX5_SET(mkc, mkc, free, !populate); + MLX5_SET(mkc, mkc, access_mode_1_0, MLX5_MKC_ACCESS_MODE_MTT); +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_write)) +- MLX5_SET(mkc, mkc, relaxed_ordering_write, +- !!(access_flags & IB_ACCESS_RELAXED_ORDERING)); +- if (MLX5_CAP_GEN(dev->mdev, relaxed_ordering_read)) +- MLX5_SET(mkc, mkc, relaxed_ordering_read, +- !!(access_flags & IB_ACCESS_RELAXED_ORDERING)); +- MLX5_SET(mkc, mkc, a, !!(access_flags & IB_ACCESS_REMOTE_ATOMIC)); +- MLX5_SET(mkc, mkc, rw, !!(access_flags & IB_ACCESS_REMOTE_WRITE)); +- MLX5_SET(mkc, mkc, rr, !!(access_flags & IB_ACCESS_REMOTE_READ)); +- MLX5_SET(mkc, mkc, lw, !!(access_flags & IB_ACCESS_LOCAL_WRITE)); +- MLX5_SET(mkc, mkc, lr, 1); + MLX5_SET(mkc, mkc, umr_en, 1); + +- MLX5_SET64(mkc, mkc, start_addr, virt_addr); + MLX5_SET64(mkc, mkc, len, length); +- MLX5_SET(mkc, mkc, pd, to_mpd(pd)->pdn); + MLX5_SET(mkc, mkc, bsf_octword_size, 0); + MLX5_SET(mkc, mkc, translations_octword_size, + get_octo_len(virt_addr, length, page_shift)); + MLX5_SET(mkc, mkc, log_page_size, page_shift); +- MLX5_SET(mkc, mkc, qpn, 0xffffff); + if (populate) { + MLX5_SET(create_mkey_in, in, translations_octword_actual_size, + get_octo_len(virt_addr, length, page_shift)); +-- +2.25.1 + diff --git a/queue-5.9/rdma-qedr-fix-doorbell-setting.patch b/queue-5.9/rdma-qedr-fix-doorbell-setting.patch new file mode 100644 index 00000000000..cd89700b754 --- /dev/null +++ b/queue-5.9/rdma-qedr-fix-doorbell-setting.patch @@ -0,0 +1,37 @@ +From 113a214d328b935533a001a047300084c61dface Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:35 +0300 +Subject: RDMA/qedr: Fix doorbell setting + +From: Michal Kalderon + +[ Upstream commit 0b1eddc1964351cd5ce57aff46853ed4ce9ebbff ] + +Change the doorbell setting so that the maximum value between the last and +current value is set. This is to avoid doorbells being lost. + +Fixes: a7efd7773e31 ("qedr: Add support for PD,PKEY and CQ verbs") +Link: https://lore.kernel.org/r/20200902165741.8355-3-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index ae22bb8fe19b8..c61bdf97231f8 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -999,7 +999,7 @@ int qedr_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + /* Generate doorbell address. */ + cq->db.data.icid = cq->icid; + cq->db_addr = dev->db_addr + db_offset; +- cq->db.data.params = DB_AGG_CMD_SET << ++ cq->db.data.params = DB_AGG_CMD_MAX << + RDMA_PWM_VAL32_DATA_AGG_CMD_SHIFT; + + /* point to the very last element, passing it we will toggle */ +-- +2.25.1 + diff --git a/queue-5.9/rdma-qedr-fix-inline-size-returned-for-iwarp.patch b/queue-5.9/rdma-qedr-fix-inline-size-returned-for-iwarp.patch new file mode 100644 index 00000000000..ad25ea5f610 --- /dev/null +++ b/queue-5.9/rdma-qedr-fix-inline-size-returned-for-iwarp.patch @@ -0,0 +1,40 @@ +From b5d61084b6b8d35007845ffc32050625afc9e2c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:40 +0300 +Subject: RDMA/qedr: Fix inline size returned for iWARP + +From: Michal Kalderon + +[ Upstream commit fbf58026b2256e9cd5f241a4801d79d3b2b7b89d ] + +commit 59e8970b3798 ("RDMA/qedr: Return max inline data in QP query +result") changed query_qp max_inline size to return the max roce inline +size. When iwarp was introduced, this should have been modified to return +the max inline size based on protocol. This size is cached in the device +attributes + +Fixes: 69ad0e7fe845 ("RDMA/qedr: Add support for iWARP in user space") +Link: https://lore.kernel.org/r/20200902165741.8355-8-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index c61bdf97231f8..db6be39834128 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2637,7 +2637,7 @@ int qedr_query_qp(struct ib_qp *ibqp, + qp_attr->cap.max_recv_wr = qp->rq.max_wr; + qp_attr->cap.max_send_sge = qp->sq.max_sges; + qp_attr->cap.max_recv_sge = qp->rq.max_sges; +- qp_attr->cap.max_inline_data = ROCE_REQ_MAX_INLINE_DATA_SIZE; ++ qp_attr->cap.max_inline_data = dev->attr.max_inline; + qp_init_attr->cap = qp_attr->cap; + + qp_attr->ah_attr.type = RDMA_AH_ATTR_TYPE_ROCE; +-- +2.25.1 + diff --git a/queue-5.9/rdma-qedr-fix-qp-structure-memory-leak.patch b/queue-5.9/rdma-qedr-fix-qp-structure-memory-leak.patch new file mode 100644 index 00000000000..1e53a10c9e1 --- /dev/null +++ b/queue-5.9/rdma-qedr-fix-qp-structure-memory-leak.patch @@ -0,0 +1,52 @@ +From fe1074ef0c0c2fe12e8d9672abcb9ff61b33bf1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:34 +0300 +Subject: RDMA/qedr: Fix qp structure memory leak + +From: Michal Kalderon + +[ Upstream commit 098e345a1a8faaad6e4e54d138773466cecc45d4 ] + +The qedr_qp structure wasn't freed when the protocol was RoCE. kmemleak +output when running basic RoCE scenario. + +unreferenced object 0xffff927ad7e22c00 (size 1024): + comm "ib_send_bw", pid 7082, jiffies 4384133693 (age 274.698s) + hex dump (first 32 bytes): + 00 b0 cd a2 79 92 ff ff 00 3f a1 a2 79 92 ff ff ....y....?..y... + 00 ee 5c dd 80 92 ff ff 00 f6 5c dd 80 92 ff ff ..\.......\..... + backtrace: + [<00000000b2ba0f35>] qedr_create_qp+0xb3/0x6c0 [qedr] + [<00000000e85a43dd>] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x555/0xad0 [ib_uverbs] + [<00000000fee4d029>] ib_uverbs_cmd_verbs+0xa5a/0xb80 [ib_uverbs] + [<000000005d622660>] ib_uverbs_ioctl+0xa4/0x110 [ib_uverbs] + [<00000000eb4cdc71>] ksys_ioctl+0x87/0xc0 + [<00000000abe6b23a>] __x64_sys_ioctl+0x16/0x20 + [<0000000046e7cef4>] do_syscall_64+0x4d/0x90 + [<00000000c6948f76>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 1212767e23bb ("qedr: Add wrapping generic structure for qpidr and adjust idr routines.") +Link: https://lore.kernel.org/r/20200902165741.8355-2-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 9141a77534c7d..ae22bb8fe19b8 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2753,6 +2753,8 @@ int qedr_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + + if (rdma_protocol_iwarp(&dev->ibdev, 1)) + qedr_iw_qp_rem_ref(&qp->ibqp); ++ else ++ kfree(qp); + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.9/rdma-qedr-fix-resource-leak-in-qedr_create_qp.patch b/queue-5.9/rdma-qedr-fix-resource-leak-in-qedr_create_qp.patch new file mode 100644 index 00000000000..e326fd8cd69 --- /dev/null +++ b/queue-5.9/rdma-qedr-fix-resource-leak-in-qedr_create_qp.patch @@ -0,0 +1,117 @@ +From b917b79e3e25b9c339a5c002320adf4f8e9a2b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 12:51:59 +0000 +Subject: RDMA/qedr: Fix resource leak in qedr_create_qp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Keita Suzuki + +[ Upstream commit 3e45410fe3c202ffb619f301beff0644f717e132 ] + +When xa_insert() fails, the acquired resource in qedr_create_qp should +also be freed. However, current implementation does not handle the error. + +Fix this by adding a new goto label that calls qedr_free_qp_resources. + +Fixes: 1212767e23bb ("qedr: Add wrapping generic structure for qpidr and adjust idr routines.") +Link: https://lore.kernel.org/r/20200911125159.4577-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Keita Suzuki +Acked-by: Michal Kalderon  +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 52 ++++++++++++++++-------------- + 1 file changed, 27 insertions(+), 25 deletions(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index db6be39834128..10536cce120e8 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2113,6 +2113,28 @@ static int qedr_create_kernel_qp(struct qedr_dev *dev, + return rc; + } + ++static int qedr_free_qp_resources(struct qedr_dev *dev, struct qedr_qp *qp, ++ struct ib_udata *udata) ++{ ++ struct qedr_ucontext *ctx = ++ rdma_udata_to_drv_context(udata, struct qedr_ucontext, ++ ibucontext); ++ int rc; ++ ++ if (qp->qp_type != IB_QPT_GSI) { ++ rc = dev->ops->rdma_destroy_qp(dev->rdma_ctx, qp->qed_qp); ++ if (rc) ++ return rc; ++ } ++ ++ if (qp->create_type == QEDR_QP_CREATE_USER) ++ qedr_cleanup_user(dev, ctx, qp); ++ else ++ qedr_cleanup_kernel(dev, qp); ++ ++ return 0; ++} ++ + struct ib_qp *qedr_create_qp(struct ib_pd *ibpd, + struct ib_qp_init_attr *attrs, + struct ib_udata *udata) +@@ -2159,19 +2181,21 @@ struct ib_qp *qedr_create_qp(struct ib_pd *ibpd, + rc = qedr_create_kernel_qp(dev, qp, ibpd, attrs); + + if (rc) +- goto err; ++ goto out_free_qp; + + qp->ibqp.qp_num = qp->qp_id; + + if (rdma_protocol_iwarp(&dev->ibdev, 1)) { + rc = xa_insert(&dev->qps, qp->qp_id, qp, GFP_KERNEL); + if (rc) +- goto err; ++ goto out_free_qp_resources; + } + + return &qp->ibqp; + +-err: ++out_free_qp_resources: ++ qedr_free_qp_resources(dev, qp, udata); ++out_free_qp: + kfree(qp); + + return ERR_PTR(-EFAULT); +@@ -2672,28 +2696,6 @@ int qedr_query_qp(struct ib_qp *ibqp, + return rc; + } + +-static int qedr_free_qp_resources(struct qedr_dev *dev, struct qedr_qp *qp, +- struct ib_udata *udata) +-{ +- struct qedr_ucontext *ctx = +- rdma_udata_to_drv_context(udata, struct qedr_ucontext, +- ibucontext); +- int rc; +- +- if (qp->qp_type != IB_QPT_GSI) { +- rc = dev->ops->rdma_destroy_qp(dev->rdma_ctx, qp->qed_qp); +- if (rc) +- return rc; +- } +- +- if (qp->create_type == QEDR_QP_CREATE_USER) +- qedr_cleanup_user(dev, ctx, qp); +- else +- qedr_cleanup_kernel(dev, qp); +- +- return 0; +-} +- + int qedr_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + { + struct qedr_qp *qp = get_qedr_qp(ibqp); +-- +2.25.1 + diff --git a/queue-5.9/rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch b/queue-5.9/rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch new file mode 100644 index 00000000000..1733b2a0755 --- /dev/null +++ b/queue-5.9/rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch @@ -0,0 +1,49 @@ +From 96ec57d75f056b3876982513f9926b153f90da33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:37 +0300 +Subject: RDMA/qedr: Fix return code if accept is called on a destroyed qp + +From: Michal Kalderon + +[ Upstream commit 8a5a10a1a74465065c75d9de1aa6685e1f1aa117 ] + +In iWARP, accept could be called after a QP is already destroyed. In this +case an error should be returned and not success. + +Fixes: 82af6d19d8d9 ("RDMA/qedr: Fix synchronization methods and memory leaks in qedr") +Link: https://lore.kernel.org/r/20200902165741.8355-5-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/qedr_iw_cm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +index 97fc7dd353b04..c7169d2c69e5b 100644 +--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c ++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +@@ -736,7 +736,7 @@ int qedr_iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + struct qedr_dev *dev = ep->dev; + struct qedr_qp *qp; + struct qed_iwarp_accept_in params; +- int rc = 0; ++ int rc; + + DP_DEBUG(dev, QEDR_MSG_IWARP, "Accept on qpid=%d\n", conn_param->qpn); + +@@ -759,8 +759,10 @@ int qedr_iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + params.ord = conn_param->ord; + + if (test_and_set_bit(QEDR_IWARP_CM_WAIT_FOR_CONNECT, +- &qp->iwarp_cm_flags)) ++ &qp->iwarp_cm_flags)) { ++ rc = -EINVAL; + goto err; /* QP already destroyed */ ++ } + + rc = dev->ops->iwarp_accept(dev->rdma_ctx, ¶ms); + if (rc) { +-- +2.25.1 + diff --git a/queue-5.9/rdma-qedr-fix-use-of-uninitialized-field.patch b/queue-5.9/rdma-qedr-fix-use-of-uninitialized-field.patch new file mode 100644 index 00000000000..e67d963f415 --- /dev/null +++ b/queue-5.9/rdma-qedr-fix-use-of-uninitialized-field.patch @@ -0,0 +1,37 @@ +From a540c90dcc28b14bbc3456d27ff2fba8de14af13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:36 +0300 +Subject: RDMA/qedr: Fix use of uninitialized field + +From: Michal Kalderon + +[ Upstream commit a379ad54e55a12618cae7f6333fd1b3071de9606 ] + +dev->attr.page_size_caps was used uninitialized when setting device +attributes + +Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init") +Link: https://lore.kernel.org/r/20200902165741.8355-4-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/main.c b/drivers/infiniband/hw/qedr/main.c +index d85f992bac299..8e1365951fb6a 100644 +--- a/drivers/infiniband/hw/qedr/main.c ++++ b/drivers/infiniband/hw/qedr/main.c +@@ -602,7 +602,7 @@ static int qedr_set_device_attr(struct qedr_dev *dev) + qed_attr = dev->ops->rdma_query_device(dev->rdma_ctx); + + /* Part 2 - check capabilities */ +- page_size = ~dev->attr.page_size_caps + 1; ++ page_size = ~qed_attr->page_size_caps + 1; + if (page_size > PAGE_SIZE) { + DP_ERR(dev, + "Kernel PAGE_SIZE is %ld which is smaller than minimum page size (%d) required by qedr\n", +-- +2.25.1 + diff --git a/queue-5.9/rdma-restore-ability-to-return-error-for-destroy-wq.patch b/queue-5.9/rdma-restore-ability-to-return-error-for-destroy-wq.patch new file mode 100644 index 00000000000..eaaec08601e --- /dev/null +++ b/queue-5.9/rdma-restore-ability-to-return-error-for-destroy-wq.patch @@ -0,0 +1,211 @@ +From 99f31ecaa4b15b1d849b3ea02312a6f744cb4afd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 15:09:20 +0300 +Subject: RDMA: Restore ability to return error for destroy WQ + +From: Leon Romanovsky + +[ Upstream commit add53535fb3033c249d9327ae3e7c36d3382bbd1 ] + +Make this interface symmetrical to other destroy paths. + +Fixes: a49b1dc7ae44 ("RDMA: Convert destroy_wq to be void") +Link: https://lore.kernel.org/r/20200907120921.476363-9-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/uverbs_std_types_wq.c | 2 +- + drivers/infiniband/core/verbs.c | 15 +++++++++------ + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- + drivers/infiniband/hw/mlx4/qp.c | 3 ++- + drivers/infiniband/hw/mlx5/mlx5_ib.h | 2 +- + drivers/infiniband/hw/mlx5/qp.c | 8 ++++++-- + drivers/infiniband/hw/mlx5/qp.h | 4 ++-- + drivers/infiniband/hw/mlx5/qpc.c | 5 +++-- + include/rdma/ib_verbs.h | 4 ++-- + 9 files changed, 27 insertions(+), 18 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs_std_types_wq.c b/drivers/infiniband/core/uverbs_std_types_wq.c +index cad842ede077d..f2e6a625724a4 100644 +--- a/drivers/infiniband/core/uverbs_std_types_wq.c ++++ b/drivers/infiniband/core/uverbs_std_types_wq.c +@@ -16,7 +16,7 @@ static int uverbs_free_wq(struct ib_uobject *uobject, + container_of(uobject, struct ib_uwq_object, uevent.uobject); + int ret; + +- ret = ib_destroy_wq(wq, &attrs->driver_udata); ++ ret = ib_destroy_wq_user(wq, &attrs->driver_udata); + if (ib_is_destroy_retryable(ret, why, uobject)) + return ret; + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index b411be9321bdf..6653f92f2df99 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2387,25 +2387,28 @@ struct ib_wq *ib_create_wq(struct ib_pd *pd, + EXPORT_SYMBOL(ib_create_wq); + + /** +- * ib_destroy_wq - Destroys the specified user WQ. ++ * ib_destroy_wq_user - Destroys the specified user WQ. + * @wq: The WQ to destroy. + * @udata: Valid user data + */ +-int ib_destroy_wq(struct ib_wq *wq, struct ib_udata *udata) ++int ib_destroy_wq_user(struct ib_wq *wq, struct ib_udata *udata) + { + struct ib_cq *cq = wq->cq; + struct ib_pd *pd = wq->pd; ++ int ret; + + if (atomic_read(&wq->usecnt)) + return -EBUSY; + +- wq->device->ops.destroy_wq(wq, udata); ++ ret = wq->device->ops.destroy_wq(wq, udata); ++ if (ret) ++ return ret; ++ + atomic_dec(&pd->usecnt); + atomic_dec(&cq->usecnt); +- +- return 0; ++ return ret; + } +-EXPORT_SYMBOL(ib_destroy_wq); ++EXPORT_SYMBOL(ib_destroy_wq_user); + + /** + * ib_modify_wq - Modifies the specified WQ. +diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h +index 41d8dcd005c0b..bb64f6d9421c2 100644 +--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h ++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h +@@ -892,7 +892,7 @@ void mlx4_ib_sl2vl_update(struct mlx4_ib_dev *mdev, int port); + struct ib_wq *mlx4_ib_create_wq(struct ib_pd *pd, + struct ib_wq_init_attr *init_attr, + struct ib_udata *udata); +-void mlx4_ib_destroy_wq(struct ib_wq *wq, struct ib_udata *udata); ++int mlx4_ib_destroy_wq(struct ib_wq *wq, struct ib_udata *udata); + int mlx4_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr, + u32 wq_attr_mask, struct ib_udata *udata); + +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index 2975f350b9fd1..b7a0c3f977131 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -4327,7 +4327,7 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr, + return err; + } + +-void mlx4_ib_destroy_wq(struct ib_wq *ibwq, struct ib_udata *udata) ++int mlx4_ib_destroy_wq(struct ib_wq *ibwq, struct ib_udata *udata) + { + struct mlx4_ib_dev *dev = to_mdev(ibwq->device); + struct mlx4_ib_qp *qp = to_mqp((struct ib_qp *)ibwq); +@@ -4338,6 +4338,7 @@ void mlx4_ib_destroy_wq(struct ib_wq *ibwq, struct ib_udata *udata) + destroy_qp_common(dev, qp, MLX4_IB_RWQ_SRC, udata); + + kfree(qp); ++ return 0; + } + + struct ib_rwq_ind_table +diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h +index 2f06677adaa2a..884cc7c731253 100644 +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h +@@ -1238,7 +1238,7 @@ int mlx5_ib_check_mr_status(struct ib_mr *ibmr, u32 check_mask, + struct ib_wq *mlx5_ib_create_wq(struct ib_pd *pd, + struct ib_wq_init_attr *init_attr, + struct ib_udata *udata); +-void mlx5_ib_destroy_wq(struct ib_wq *wq, struct ib_udata *udata); ++int mlx5_ib_destroy_wq(struct ib_wq *wq, struct ib_udata *udata); + int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr, + u32 wq_attr_mask, struct ib_udata *udata); + struct ib_rwq_ind_table *mlx5_ib_create_rwq_ind_table(struct ib_device *device, +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index cda7608b6f2d9..7a3e8e6598d34 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -5056,14 +5056,18 @@ struct ib_wq *mlx5_ib_create_wq(struct ib_pd *pd, + return ERR_PTR(err); + } + +-void mlx5_ib_destroy_wq(struct ib_wq *wq, struct ib_udata *udata) ++int mlx5_ib_destroy_wq(struct ib_wq *wq, struct ib_udata *udata) + { + struct mlx5_ib_dev *dev = to_mdev(wq->device); + struct mlx5_ib_rwq *rwq = to_mrwq(wq); ++ int ret; + +- mlx5_core_destroy_rq_tracked(dev, &rwq->core_qp); ++ ret = mlx5_core_destroy_rq_tracked(dev, &rwq->core_qp); ++ if (ret) ++ return ret; + destroy_user_rq(dev, wq->pd, rwq, udata); + kfree(rwq); ++ return 0; + } + + struct ib_rwq_ind_table *mlx5_ib_create_rwq_ind_table(struct ib_device *device, +diff --git a/drivers/infiniband/hw/mlx5/qp.h b/drivers/infiniband/hw/mlx5/qp.h +index ba899df44c5b4..5d4e140db99ce 100644 +--- a/drivers/infiniband/hw/mlx5/qp.h ++++ b/drivers/infiniband/hw/mlx5/qp.h +@@ -26,8 +26,8 @@ int mlx5_core_dct_query(struct mlx5_ib_dev *dev, struct mlx5_core_dct *dct, + + int mlx5_core_set_delay_drop(struct mlx5_ib_dev *dev, u32 timeout_usec); + +-void mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev, +- struct mlx5_core_qp *rq); ++int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev, ++ struct mlx5_core_qp *rq); + int mlx5_core_create_sq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen, + struct mlx5_core_qp *sq); + void mlx5_core_destroy_sq_tracked(struct mlx5_ib_dev *dev, +diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c +index 7c3968ef9cd10..c683d7000168d 100644 +--- a/drivers/infiniband/hw/mlx5/qpc.c ++++ b/drivers/infiniband/hw/mlx5/qpc.c +@@ -576,11 +576,12 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen, + return err; + } + +-void mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev, +- struct mlx5_core_qp *rq) ++int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev, ++ struct mlx5_core_qp *rq) + { + destroy_resource_common(dev, rq); + destroy_rq_tracked(dev, rq->qpn, rq->uid); ++ return 0; + } + + static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid) +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index 8cccbdef5de2a..5b4f0efc4241f 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -2496,7 +2496,7 @@ struct ib_device_ops { + struct ib_wq *(*create_wq)(struct ib_pd *pd, + struct ib_wq_init_attr *init_attr, + struct ib_udata *udata); +- void (*destroy_wq)(struct ib_wq *wq, struct ib_udata *udata); ++ int (*destroy_wq)(struct ib_wq *wq, struct ib_udata *udata); + int (*modify_wq)(struct ib_wq *wq, struct ib_wq_attr *attr, + u32 wq_attr_mask, struct ib_udata *udata); + struct ib_rwq_ind_table *(*create_rwq_ind_table)( +@@ -4331,7 +4331,7 @@ struct net_device *ib_device_netdev(struct ib_device *dev, u8 port); + + struct ib_wq *ib_create_wq(struct ib_pd *pd, + struct ib_wq_init_attr *init_attr); +-int ib_destroy_wq(struct ib_wq *wq, struct ib_udata *udata); ++int ib_destroy_wq_user(struct ib_wq *wq, struct ib_udata *udata); + int ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *attr, + u32 wq_attr_mask); + int ib_destroy_rwq_ind_table(struct ib_rwq_ind_table *wq_ind_table); +-- +2.25.1 + diff --git a/queue-5.9/rdma-rtrs-srv-incorporate-ib_register_client-into-rt.patch b/queue-5.9/rdma-rtrs-srv-incorporate-ib_register_client-into-rt.patch new file mode 100644 index 00000000000..f3e9330415c --- /dev/null +++ b/queue-5.9/rdma-rtrs-srv-incorporate-ib_register_client-into-rt.patch @@ -0,0 +1,193 @@ +From 85b3c01c700c50864eaa9b50dbbdd22caa696496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 16:01:06 +0530 +Subject: RDMA/rtrs-srv: Incorporate ib_register_client into rtrs server init + +From: Md Haris Iqbal + +[ Upstream commit 558d52b2976b1db3098139aa83ceb9af9066a0e7 ] + +The rnbd_server module's communication manager (cm) initialization depends +on the registration of the "network namespace subsystem" of the RDMA CM +agent module. As such, when the kernel is configured to load the +rnbd_server and the RDMA cma module during initialization; and if the +rnbd_server module is initialized before RDMA cma module, a null ptr +dereference occurs during the RDMA bind operation. + +Call trace: + + Call Trace: + ? xas_load+0xd/0x80 + xa_load+0x47/0x80 + cma_ps_find+0x44/0x70 + rdma_bind_addr+0x782/0x8b0 + ? get_random_bytes+0x35/0x40 + rtrs_srv_cm_init+0x50/0x80 + rtrs_srv_open+0x102/0x180 + ? rnbd_client_init+0x6e/0x6e + rnbd_srv_init_module+0x34/0x84 + ? rnbd_client_init+0x6e/0x6e + do_one_initcall+0x4a/0x200 + kernel_init_freeable+0x1f1/0x26e + ? rest_init+0xb0/0xb0 + kernel_init+0xe/0x100 + ret_from_fork+0x22/0x30 + Modules linked in: + CR2: 0000000000000015 + +All this happens cause the cm init is in the call chain of the module +init, which is not a preferred practice. + +So remove the call to rdma_create_id() from the module init call chain. +Instead register rtrs-srv as an ib client, which makes sure that the +rdma_create_id() is called only when an ib device is added. + +Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality") +Link: https://lore.kernel.org/r/20200907103106.104530-1-haris.iqbal@cloud.ionos.com +Reported-by: kernel test robot +Signed-off-by: Md Haris Iqbal +Reviewed-by: Jack Wang +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-srv.c | 76 +++++++++++++++++++++++++- + drivers/infiniband/ulp/rtrs/rtrs-srv.h | 7 +++ + 2 files changed, 80 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +index 28f6414dfa3dc..d6f93601712e4 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c +@@ -16,6 +16,7 @@ + #include "rtrs-srv.h" + #include "rtrs-log.h" + #include ++#include + + MODULE_DESCRIPTION("RDMA Transport Server"); + MODULE_LICENSE("GPL"); +@@ -31,6 +32,7 @@ MODULE_LICENSE("GPL"); + static struct rtrs_rdma_dev_pd dev_pd; + static mempool_t *chunk_pool; + struct class *rtrs_dev_class; ++static struct rtrs_srv_ib_ctx ib_ctx; + + static int __read_mostly max_chunk_size = DEFAULT_MAX_CHUNK_SIZE; + static int __read_mostly sess_queue_depth = DEFAULT_SESS_QUEUE_DEPTH; +@@ -2042,6 +2044,70 @@ static void free_srv_ctx(struct rtrs_srv_ctx *ctx) + kfree(ctx); + } + ++static int rtrs_srv_add_one(struct ib_device *device) ++{ ++ struct rtrs_srv_ctx *ctx; ++ int ret = 0; ++ ++ mutex_lock(&ib_ctx.ib_dev_mutex); ++ if (ib_ctx.ib_dev_count) ++ goto out; ++ ++ /* ++ * Since our CM IDs are NOT bound to any ib device we will create them ++ * only once ++ */ ++ ctx = ib_ctx.srv_ctx; ++ ret = rtrs_srv_rdma_init(ctx, ib_ctx.port); ++ if (ret) { ++ /* ++ * We errored out here. ++ * According to the ib code, if we encounter an error here then the ++ * error code is ignored, and no more calls to our ops are made. ++ */ ++ pr_err("Failed to initialize RDMA connection"); ++ goto err_out; ++ } ++ ++out: ++ /* ++ * Keep a track on the number of ib devices added ++ */ ++ ib_ctx.ib_dev_count++; ++ ++err_out: ++ mutex_unlock(&ib_ctx.ib_dev_mutex); ++ return ret; ++} ++ ++static void rtrs_srv_remove_one(struct ib_device *device, void *client_data) ++{ ++ struct rtrs_srv_ctx *ctx; ++ ++ mutex_lock(&ib_ctx.ib_dev_mutex); ++ ib_ctx.ib_dev_count--; ++ ++ if (ib_ctx.ib_dev_count) ++ goto out; ++ ++ /* ++ * Since our CM IDs are NOT bound to any ib device we will remove them ++ * only once, when the last device is removed ++ */ ++ ctx = ib_ctx.srv_ctx; ++ rdma_destroy_id(ctx->cm_id_ip); ++ rdma_destroy_id(ctx->cm_id_ib); ++ ++out: ++ mutex_unlock(&ib_ctx.ib_dev_mutex); ++} ++ ++static struct ib_client rtrs_srv_client = { ++ .name = "rtrs_server", ++ .add = rtrs_srv_add_one, ++ .remove = rtrs_srv_remove_one ++}; ++ + /** + * rtrs_srv_open() - open RTRS server context + * @ops: callback functions +@@ -2060,7 +2126,11 @@ struct rtrs_srv_ctx *rtrs_srv_open(struct rtrs_srv_ops *ops, u16 port) + if (!ctx) + return ERR_PTR(-ENOMEM); + +- err = rtrs_srv_rdma_init(ctx, port); ++ mutex_init(&ib_ctx.ib_dev_mutex); ++ ib_ctx.srv_ctx = ctx; ++ ib_ctx.port = port; ++ ++ err = ib_register_client(&rtrs_srv_client); + if (err) { + free_srv_ctx(ctx); + return ERR_PTR(err); +@@ -2099,8 +2169,8 @@ static void close_ctx(struct rtrs_srv_ctx *ctx) + */ + void rtrs_srv_close(struct rtrs_srv_ctx *ctx) + { +- rdma_destroy_id(ctx->cm_id_ip); +- rdma_destroy_id(ctx->cm_id_ib); ++ ib_unregister_client(&rtrs_srv_client); ++ mutex_destroy(&ib_ctx.ib_dev_mutex); + close_ctx(ctx); + free_srv_ctx(ctx); + } +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.h b/drivers/infiniband/ulp/rtrs/rtrs-srv.h +index dc95b0932f0df..08b0b8a6eebe6 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.h ++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.h +@@ -118,6 +118,13 @@ struct rtrs_srv_ctx { + struct list_head srv_list; + }; + ++struct rtrs_srv_ib_ctx { ++ struct rtrs_srv_ctx *srv_ctx; ++ u16 port; ++ struct mutex ib_dev_mutex; ++ int ib_dev_count; ++}; ++ + extern struct class *rtrs_dev_class; + + void close_sess(struct rtrs_srv_sess *sess); +-- +2.25.1 + diff --git a/queue-5.9/rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch b/queue-5.9/rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch new file mode 100644 index 00000000000..19581b38a5c --- /dev/null +++ b/queue-5.9/rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch @@ -0,0 +1,79 @@ +From 6e4322acc7d67b2c1b958b05c7c4457e6d966575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 15:36:52 -0500 +Subject: RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt() + +From: Bob Pearson + +[ Upstream commit e7ec96fc7932f48a6d6cdd05bf82004a1a04285b ] + +The changes referenced below replaced sbk_clone)_ by taking additional +references, passing the skb along and then freeing the skb. This +deleted the packets before they could be processed and additionally +passed bad data in each packet. Since pkt is stored in skb->cb +changing pkt->qp changed it for all the packets. + +Replace skb_get() by sbk_clone() in rxe_rcv_mcast_pkt() for cases where +multiple QPs are receiving multicast packets on the same address. + +Delete kfree_skb() because the packets need to live until they have been +processed by each QP. They are freed later. + +Fixes: 86af61764151 ("IB/rxe: remove unnecessary skb_clone") +Fixes: fe896ceb5772 ("IB/rxe: replace refcount_inc with skb_get") +Link: https://lore.kernel.org/r/20201008203651.256958-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index 7e123d3c4d09b..967ee8e1699cd 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -260,6 +260,8 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + struct rxe_mc_elem *mce; + struct rxe_qp *qp; + union ib_gid dgid; ++ struct sk_buff *per_qp_skb; ++ struct rxe_pkt_info *per_qp_pkt; + int err; + + if (skb->protocol == htons(ETH_P_IP)) +@@ -288,21 +290,26 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + if (err) + continue; + +- /* if *not* the last qp in the list +- * increase the users of the skb then post to the next qp ++ /* for all but the last qp create a new clone of the ++ * skb and pass to the qp. + */ + if (mce->qp_list.next != &mcg->qp_list) +- skb_get(skb); ++ per_qp_skb = skb_clone(skb, GFP_ATOMIC); ++ else ++ per_qp_skb = skb; + +- pkt->qp = qp; ++ per_qp_pkt = SKB_TO_PKT(per_qp_skb); ++ per_qp_pkt->qp = qp; + rxe_add_ref(qp); +- rxe_rcv_pkt(pkt, skb); ++ rxe_rcv_pkt(per_qp_pkt, per_qp_skb); + } + + spin_unlock_bh(&mcg->mcg_lock); + + rxe_drop_ref(mcg); /* drop ref from rxe_pool_get_key. */ + ++ return; ++ + err1: + kfree_skb(skb); + } +-- +2.25.1 + diff --git a/queue-5.9/rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch b/queue-5.9/rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch new file mode 100644 index 00000000000..a9aba548f7b --- /dev/null +++ b/queue-5.9/rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch @@ -0,0 +1,43 @@ +From 9b0fe0c6aad5430fe7553a506ec4f16a2facdd1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 13:42:37 -0500 +Subject: RDMA/rxe: Handle skb_clone() failure in rxe_recv.c + +From: Bob Pearson + +[ Upstream commit 71abf20b28ff87fee6951ec2218d5ce7969c4e87 ] + +If skb_clone() is unable to allocate memory for a new sk_buff this is not +detected by the current code. + +Check for a NULL return and continue. This is similar to other errors in +this loop over QPs attached to the multicast address and consistent with +the unreliable UD transport. + +Fixes: e7ec96fc7932f ("RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt()") +Addresses-Coverity-ID: 1497804: Null pointer dereferences (NULL_RETURNS) +Link: https://lore.kernel.org/r/20201013184236.5231-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index 967ee8e1699cd..2da4187db80c9 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -298,6 +298,9 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb) + else + per_qp_skb = skb; + ++ if (unlikely(!per_qp_skb)) ++ continue; ++ + per_qp_pkt = SKB_TO_PKT(per_qp_skb); + per_qp_pkt->qp = qp; + rxe_add_ref(qp); +-- +2.25.1 + diff --git a/queue-5.9/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch b/queue-5.9/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch new file mode 100644 index 00000000000..eae50adb58b --- /dev/null +++ b/queue-5.9/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch @@ -0,0 +1,38 @@ +From 9ca78a574fd3cb58a6621e64c6f67759726856a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:05:22 +0300 +Subject: RDMA/ucma: Add missing locking around rdma_leave_multicast() + +From: Jason Gunthorpe + +[ Upstream commit 38e03d092699891c3237b5aee9e8029d4ede0956 ] + +All entry points to the rdma_cm from a ULP must be single threaded, +even this error unwinds. Add the missing locking. + +Fixes: 7c11910783a1 ("RDMA/ucma: Put a lock around every call to the rdma_cm layer") +Link: https://lore.kernel.org/r/20200818120526.702120-11-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 75ccc31cf0b15..6f42ff8f2ec57 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1512,7 +1512,9 @@ static ssize_t ucma_process_join(struct ucma_file *file, + return 0; + + err3: ++ mutex_lock(&ctx->mutex); + rdma_leave_multicast(ctx->cm_id, (struct sockaddr *) &mc->addr); ++ mutex_unlock(&ctx->mutex); + ucma_cleanup_mc_events(mc); + err2: + xa_erase(&multicast_table, mc->id); +-- +2.25.1 + diff --git a/queue-5.9/rdma-ucma-fix-locking-for-ctx-events_reported.patch b/queue-5.9/rdma-ucma-fix-locking-for-ctx-events_reported.patch new file mode 100644 index 00000000000..1c45595907c --- /dev/null +++ b/queue-5.9/rdma-ucma-fix-locking-for-ctx-events_reported.patch @@ -0,0 +1,58 @@ +From 2abb23e033c5413fce248c757beccfae950ff12f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:05:21 +0300 +Subject: RDMA/ucma: Fix locking for ctx->events_reported + +From: Jason Gunthorpe + +[ Upstream commit 98837c6c3d7285f6eca86480b6f7fac6880e27a8 ] + +This value is locked under the file->mut, ensure it is held whenever +touching it. + +The case in ucma_migrate_id() is a race, while in ucma_free_uctx() it is +already not possible for the write side to run, the movement is just for +clarity. + +Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()") +Link: https://lore.kernel.org/r/20200818120526.702120-10-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 1d184ea05eba1..75ccc31cf0b15 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -586,6 +586,7 @@ static int ucma_free_ctx(struct ucma_context *ctx) + list_move_tail(&uevent->list, &list); + } + list_del(&ctx->list); ++ events_reported = ctx->events_reported; + mutex_unlock(&ctx->file->mut); + + list_for_each_entry_safe(uevent, tmp, &list, list) { +@@ -595,7 +596,6 @@ static int ucma_free_ctx(struct ucma_context *ctx) + kfree(uevent); + } + +- events_reported = ctx->events_reported; + mutex_destroy(&ctx->mutex); + kfree(ctx); + return events_reported; +@@ -1678,7 +1678,9 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file, + + cur_file = ctx->file; + if (cur_file == new_file) { ++ mutex_lock(&cur_file->mut); + resp.events_reported = ctx->events_reported; ++ mutex_unlock(&cur_file->mut); + goto response; + } + +-- +2.25.1 + diff --git a/queue-5.9/rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch b/queue-5.9/rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch new file mode 100644 index 00000000000..85394266c9f --- /dev/null +++ b/queue-5.9/rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch @@ -0,0 +1,60 @@ +From fdd6770fb60c12dbaac1c13f24588ef4d74457ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 19:41:42 -0300 +Subject: RDMA/umem: Fix ib_umem_find_best_pgsz() for mappings that cross a + page boundary + +From: Jason Gunthorpe + +[ Upstream commit a40c20dabdf9045270767c75918feb67f0727c89 ] + +It is possible for a single SGL to span an aligned boundary, eg if the SGL +is + + 61440 -> 90112 + +Then the length is 28672, which currently limits the block size to +32k. With a 32k page size the two covering blocks will be: + + 32768->65536 and 65536->98304 + +However, the correct answer is a 128K block size which will span the whole +28672 bytes in a single block. + +Instead of limiting based on length figure out which high IOVA bits don't +change between the start and end addresses. That is the highest useful +page size. + +Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR") +Link: https://lore.kernel.org/r/1-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com +Reviewed-by: Leon Romanovsky +Reviewed-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/umem.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index 831bff8d52e54..09539dd764ec0 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -156,8 +156,13 @@ unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem, + return 0; + + va = virt; +- /* max page size not to exceed MR length */ +- mask = roundup_pow_of_two(umem->length); ++ /* The best result is the smallest page size that results in the minimum ++ * number of required pages. Compute the largest page size that could ++ * work based on VA address bits that don't change. ++ */ ++ mask = pgsz_bitmap & ++ GENMASK(BITS_PER_LONG - 1, ++ bits_per((umem->length - 1 + virt) ^ virt)); + /* offset into first SGL */ + pgoff = umem->address & ~PAGE_MASK; + +-- +2.25.1 + diff --git a/queue-5.9/rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch b/queue-5.9/rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch new file mode 100644 index 00000000000..7ddf2260b50 --- /dev/null +++ b/queue-5.9/rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch @@ -0,0 +1,44 @@ +From 5199f77b205745df6c4a1c22ee13dd14bd1217b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 15:17:08 -0300 +Subject: RDMA/umem: Fix signature of stub ib_umem_find_best_pgsz() + +From: Jason Gunthorpe + +[ Upstream commit 61690d01db32eb1f94adc9ac2b8bb741d34e4671 ] + +The original function returns unsigned long and 0 on failure. + +Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR") +Link: https://lore.kernel.org/r/0-v1-982a13cc5c6d+501ae-fix_best_pgsz_stub_jgg@nvidia.com +Reviewed-by: Gal Pressman +Acked-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/rdma/ib_umem.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/include/rdma/ib_umem.h b/include/rdma/ib_umem.h +index 71f573a418bf0..07a764eb692ee 100644 +--- a/include/rdma/ib_umem.h ++++ b/include/rdma/ib_umem.h +@@ -68,10 +68,11 @@ static inline int ib_umem_copy_from(void *dst, struct ib_umem *umem, size_t offs + size_t length) { + return -EINVAL; + } +-static inline int ib_umem_find_best_pgsz(struct ib_umem *umem, +- unsigned long pgsz_bitmap, +- unsigned long virt) { +- return -EINVAL; ++static inline unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem, ++ unsigned long pgsz_bitmap, ++ unsigned long virt) ++{ ++ return 0; + } + + #endif /* CONFIG_INFINIBAND_USER_MEM */ +-- +2.25.1 + diff --git a/queue-5.9/rdma-umem-prevent-small-pages-from-being-returned-by.patch b/queue-5.9/rdma-umem-prevent-small-pages-from-being-returned-by.patch new file mode 100644 index 00000000000..fb747e9310d --- /dev/null +++ b/queue-5.9/rdma-umem-prevent-small-pages-from-being-returned-by.patch @@ -0,0 +1,53 @@ +From 2aad79e09435aef64604e1674e38e76ac0eb6fc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 19:41:43 -0300 +Subject: RDMA/umem: Prevent small pages from being returned by + ib_umem_find_best_pgsz() + +From: Jason Gunthorpe + +[ Upstream commit 10c75ccb54e4fe548cb16d7ed426d7d709e6ae76 ] + +rdma_for_each_block() makes assumptions about how the SGL is constructed +that don't work if the block size is below the page size used to to build +the SGL. + +The rules for umem SGL construction require that the SG's all be PAGE_SIZE +aligned and we don't encode the actual byte offset of the VA range inside +the SGL using offset and length. So rdma_for_each_block() has no idea +where the actual starting/ending point is to compute the first/last block +boundary if the starting address should be within a SGL. + +Fixing the SGL construction turns out to be really hard, and will be the +subject of other patches. For now block smaller pages. + +Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR") +Link: https://lore.kernel.org/r/2-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com +Reviewed-by: Leon Romanovsky +Reviewed-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/umem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c +index 09539dd764ec0..1d0599997d0fb 100644 +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -151,6 +151,12 @@ unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem, + dma_addr_t mask; + int i; + ++ /* rdma_for_each_block() has a bug if the page size is smaller than the ++ * page size used to build the umem. For now prevent smaller page sizes ++ * from being returned. ++ */ ++ pgsz_bitmap &= GENMASK(BITS_PER_LONG - 1, PAGE_SHIFT); ++ + /* At minimum, drivers must support PAGE_SIZE or smaller */ + if (WARN_ON(!(pgsz_bitmap & GENMASK(PAGE_SHIFT, 0)))) + return 0; +-- +2.25.1 + diff --git a/queue-5.9/refperf-avoid-null-pointer-dereference-when-buf-fail.patch b/queue-5.9/refperf-avoid-null-pointer-dereference-when-buf-fail.patch new file mode 100644 index 00000000000..71e9d7b2445 --- /dev/null +++ b/queue-5.9/refperf-avoid-null-pointer-dereference-when-buf-fail.patch @@ -0,0 +1,44 @@ +From d28b2da1bacccb954245d6e56b1da1f2f736dad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 15:38:56 +0100 +Subject: refperf: Avoid null pointer dereference when buf fails to allocate + +From: Colin Ian King + +[ Upstream commit 58db5785b0d76be4582a32a7900acce88e691d36 ] + +Currently in the unlikely event that buf fails to be allocated it +is dereferenced a few times. Use the errexit flag to determine if +buf should be written to to avoid the null pointer dereferences. + +Addresses-Coverity: ("Dereference after null check") +Fixes: f518f154ecef ("refperf: Dynamically allocate experiment-summary output buffer") +Signed-off-by: Colin Ian King +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/refscale.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/rcu/refscale.c b/kernel/rcu/refscale.c +index d9291f883b542..952595c678b37 100644 +--- a/kernel/rcu/refscale.c ++++ b/kernel/rcu/refscale.c +@@ -546,9 +546,11 @@ static int main_func(void *arg) + // Print the average of all experiments + SCALEOUT("END OF TEST. Calculating average duration per loop (nanoseconds)...\n"); + +- buf[0] = 0; +- strcat(buf, "\n"); +- strcat(buf, "Runs\tTime(ns)\n"); ++ if (!errexit) { ++ buf[0] = 0; ++ strcat(buf, "\n"); ++ strcat(buf, "Runs\tTime(ns)\n"); ++ } + + for (exp = 0; exp < nruns; exp++) { + u64 avg; +-- +2.25.1 + diff --git a/queue-5.9/regmap-debugfs-fix-more-error-path-regressions.patch b/queue-5.9/regmap-debugfs-fix-more-error-path-regressions.patch new file mode 100644 index 00000000000..05e390bf6e0 --- /dev/null +++ b/queue-5.9/regmap-debugfs-fix-more-error-path-regressions.patch @@ -0,0 +1,39 @@ +From e09dbdfb3998bd8a3be4d4ff9a54da53b56cf1b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 16:22:12 +0100 +Subject: regmap: debugfs: Fix more error path regressions + +From: Charles Keepax + +[ Upstream commit 1d512ee861b80da63cbc501b973c53131aa22f29 ] + +Many error paths in __regmap_init rely on ret being pre-initialised to +-EINVAL, add an extra initialisation in after the new call to +regmap_set_name. + +Fixes: 94cc89eb8fa5 ("regmap: debugfs: Fix handling of name string for debugfs init delays") +Reported-by: Dan Carpenter +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20200918152212.22200-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index b71f9ecddff5d..fff0547c26c53 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -711,6 +711,8 @@ struct regmap *__regmap_init(struct device *dev, + if (ret) + goto err_map; + ++ ret = -EINVAL; /* Later error paths rely on this */ ++ + if (config->disable_locking) { + map->lock = map->unlock = regmap_lock_unlock_none; + regmap_debugfs_disable(map); +-- +2.25.1 + diff --git a/queue-5.9/regulator-resolve-supply-after-creating-regulator.patch b/queue-5.9/regulator-resolve-supply-after-creating-regulator.patch new file mode 100644 index 00000000000..821f8706af7 --- /dev/null +++ b/queue-5.9/regulator-resolve-supply-after-creating-regulator.patch @@ -0,0 +1,67 @@ +From cdb704ed70a7390b105f3f430d1f6ad20391a718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 23:32:41 +0200 +Subject: regulator: resolve supply after creating regulator +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +[ Upstream commit aea6cb99703e17019e025aa71643b4d3e0a24413 ] + +When creating a new regulator its supply cannot create the sysfs link +because the device is not yet published. Remove early supply resolving +since it will be done later anyway. This makes the following error +disappear and the symlinks get created instead. + + DCDC_REG1: supplied by VSYS + VSYS: could not add device link regulator.3 err -2 + +Note: It doesn't fix the problem for bypassed regulators, though. + +Fixes: 45389c47526d ("regulator: core: Add early supply resolution for regulators") +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/ba09e0a8617ffeeb25cb4affffe6f3149319cef8.1601155770.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 7ff507ec875a8..4859cf84c0b2f 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -5256,15 +5256,20 @@ regulator_register(const struct regulator_desc *regulator_desc, + else if (regulator_desc->supply_name) + rdev->supply_name = regulator_desc->supply_name; + +- /* +- * Attempt to resolve the regulator supply, if specified, +- * but don't return an error if we fail because we will try +- * to resolve it again later as more regulators are added. +- */ +- if (regulator_resolve_supply(rdev)) +- rdev_dbg(rdev, "unable to resolve supply\n"); +- + ret = set_machine_constraints(rdev, constraints); ++ if (ret == -EPROBE_DEFER) { ++ /* Regulator might be in bypass mode and so needs its supply ++ * to set the constraints */ ++ /* FIXME: this currently triggers a chicken-and-egg problem ++ * when creating -SUPPLY symlink in sysfs to a regulator ++ * that is just being created */ ++ ret = regulator_resolve_supply(rdev); ++ if (!ret) ++ ret = set_machine_constraints(rdev, constraints); ++ else ++ rdev_dbg(rdev, "unable to resolve supply early: %pe\n", ++ ERR_PTR(ret)); ++ } + if (ret < 0) + goto wash; + +-- +2.25.1 + diff --git a/queue-5.9/regulator-set-of_node-for-qcom-vbus-regulator.patch b/queue-5.9/regulator-set-of_node-for-qcom-vbus-regulator.patch new file mode 100644 index 00000000000..7eca96fbed7 --- /dev/null +++ b/queue-5.9/regulator-set-of_node-for-qcom-vbus-regulator.patch @@ -0,0 +1,36 @@ +From b15451ab3d7a7ad5878ad8307e6f6f52e9c5a0b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 12:25:08 -0400 +Subject: regulator: set of_node for qcom vbus regulator + +From: Jonathan Marek + +[ Upstream commit 66c3b96a7bd042427d2e0eaa8704536828f8235f ] + +This allows the regulator to be found by devm_regulator_get(). + +Fixes: 4fe66d5a62fb ("regulator: Add support for QCOM PMIC VBUS booster") + +Signed-off-by: Jonathan Marek +Link: https://lore.kernel.org/r/20200818162508.5246-1-jonathan@marek.ca +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/qcom_usb_vbus-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/qcom_usb_vbus-regulator.c b/drivers/regulator/qcom_usb_vbus-regulator.c +index 8ba947f3585f5..457788b505720 100644 +--- a/drivers/regulator/qcom_usb_vbus-regulator.c ++++ b/drivers/regulator/qcom_usb_vbus-regulator.c +@@ -63,6 +63,7 @@ static int qcom_usb_vbus_regulator_probe(struct platform_device *pdev) + qcom_usb_vbus_rdesc.enable_mask = OTG_EN; + config.dev = dev; + config.init_data = init_data; ++ config.of_node = dev->of_node; + config.regmap = regmap; + + rdev = devm_regulator_register(dev, &qcom_usb_vbus_rdesc, &config); +-- +2.25.1 + diff --git a/queue-5.9/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch b/queue-5.9/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch new file mode 100644 index 00000000000..d9122af1475 --- /dev/null +++ b/queue-5.9/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch @@ -0,0 +1,49 @@ +From 3c6aff4c8c6b37e547fb68cd3542340d09007e72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2020 14:01:44 +0100 +Subject: reiserfs: Fix memory leak in reiserfs_parse_options() + +From: Jan Kara + +[ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ] + +When a usrjquota or grpjquota mount option is used multiple times, we +will leak memory allocated for the file name. Make sure the last setting +is used and all the previous ones are properly freed. + +Reported-by: syzbot+c9e294bbe0333a6b7640@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index a6bce5b1fb1dc..1b9c7a387dc71 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -1258,6 +1258,10 @@ static int reiserfs_parse_options(struct super_block *s, + "turned on."); + return 0; + } ++ if (qf_names[qtype] != ++ REISERFS_SB(s)->s_qf_names[qtype]) ++ kfree(qf_names[qtype]); ++ qf_names[qtype] = NULL; + if (*arg) { /* Some filename specified? */ + if (REISERFS_SB(s)->s_qf_names[qtype] + && strcmp(REISERFS_SB(s)->s_qf_names[qtype], +@@ -1287,10 +1291,6 @@ static int reiserfs_parse_options(struct super_block *s, + else + *mount_options |= 1 << REISERFS_GRPQUOTA; + } else { +- if (qf_names[qtype] != +- REISERFS_SB(s)->s_qf_names[qtype]) +- kfree(qf_names[qtype]); +- qf_names[qtype] = NULL; + if (qtype == USRQUOTA) + *mount_options &= ~(1 << REISERFS_USRQUOTA); + else +-- +2.25.1 + diff --git a/queue-5.9/reiserfs-only-call-unlock_new_inode-if-i_new.patch b/queue-5.9/reiserfs-only-call-unlock_new_inode-if-i_new.patch new file mode 100644 index 00000000000..ec4bb53e174 --- /dev/null +++ b/queue-5.9/reiserfs-only-call-unlock_new_inode-if-i_new.patch @@ -0,0 +1,44 @@ +From db0377e63eff259b839f3ebe6d1809c62a02850e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jun 2020 00:00:57 -0700 +Subject: reiserfs: only call unlock_new_inode() if I_NEW + +From: Eric Biggers + +[ Upstream commit 8859bf2b1278d064a139e3031451524a49a56bd0 ] + +unlock_new_inode() is only meant to be called after a new inode has +already been inserted into the hash table. But reiserfs_new_inode() can +call it even before it has inserted the inode, triggering the WARNING in +unlock_new_inode(). Fix this by only calling unlock_new_inode() if the +inode has the I_NEW flag set, indicating that it's in the table. + +This addresses the syzbot report "WARNING in unlock_new_inode" +(https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7). + +Link: https://lore.kernel.org/r/20200628070057.820213-1-ebiggers@kernel.org +Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c +index e43fed96704d8..c76d563dec0e1 100644 +--- a/fs/reiserfs/inode.c ++++ b/fs/reiserfs/inode.c +@@ -2159,7 +2159,8 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th, + out_inserted_sd: + clear_nlink(inode); + th->t_trans_id = 0; /* so the caller can't use this handle later */ +- unlock_new_inode(inode); /* OK to do even if we hadn't locked it */ ++ if (inode->i_state & I_NEW) ++ unlock_new_inode(inode); + iput(inode); + return err; + } +-- +2.25.1 + diff --git a/queue-5.9/remoteproc-mediatek-fix-null-pointer-dereference-on-.patch b/queue-5.9/remoteproc-mediatek-fix-null-pointer-dereference-on-.patch new file mode 100644 index 00000000000..1b2eb5a7c25 --- /dev/null +++ b/queue-5.9/remoteproc-mediatek-fix-null-pointer-dereference-on-.patch @@ -0,0 +1,43 @@ +From 1abeb8108def7190a35e70c410689dbf85eacce8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 16:24:28 +0100 +Subject: remoteproc/mediatek: fix null pointer dereference on null scp pointer + +From: Colin Ian King + +[ Upstream commit 434ac4d51407ce3764a6ae96a89d90b8ae2826fb ] + +Currently when pointer scp is null a dev_err is being called that +references the pointer which is the very thing we are trying to +avoid doing. Remove the extraneous error message to avoid this +issue. + +Addresses-Coverity: ("Dereference after null check") +Fixes: 63c13d61eafe ("remoteproc/mediatek: add SCP support for mt8183") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20200918152428.27258-1-colin.king@canonical.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/mtk_scp_ipi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/remoteproc/mtk_scp_ipi.c b/drivers/remoteproc/mtk_scp_ipi.c +index 3d3d87210ef2c..58d1d7e571d66 100644 +--- a/drivers/remoteproc/mtk_scp_ipi.c ++++ b/drivers/remoteproc/mtk_scp_ipi.c +@@ -30,10 +30,8 @@ int scp_ipi_register(struct mtk_scp *scp, + scp_ipi_handler_t handler, + void *priv) + { +- if (!scp) { +- dev_err(scp->dev, "scp device is not ready\n"); ++ if (!scp) + return -EPROBE_DEFER; +- } + + if (WARN_ON(id >= SCP_IPI_MAX) || WARN_ON(handler == NULL)) + return -EINVAL; +-- +2.25.1 + diff --git a/queue-5.9/remoteproc-stm32-fix-pointer-assignement.patch b/queue-5.9/remoteproc-stm32-fix-pointer-assignement.patch new file mode 100644 index 00000000000..21a5127b46e --- /dev/null +++ b/queue-5.9/remoteproc-stm32-fix-pointer-assignement.patch @@ -0,0 +1,38 @@ +From 92d9e5ef6b10c90cecd6d5bd77c0ccd7b27b2ba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 15:37:58 -0600 +Subject: remoteproc: stm32: Fix pointer assignement + +From: Mathieu Poirier + +[ Upstream commit cb2d8d5b196c2e96e29343383c8c8d8db68b934e ] + +Fix the assignment of the @state pointer - it is obviously wrong. + +Acked-by: Arnaud Pouliquen +Fixes: 376ffdc04456 ("remoteproc: stm32: Properly set co-processor state when attaching") +Reported-by: kernel test robot +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200831213758.206690-1-mathieu.poirier@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/stm32_rproc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/stm32_rproc.c b/drivers/remoteproc/stm32_rproc.c +index f4da42fc0eeb1..d2414cc1d90d6 100644 +--- a/drivers/remoteproc/stm32_rproc.c ++++ b/drivers/remoteproc/stm32_rproc.c +@@ -685,7 +685,7 @@ static int stm32_rproc_get_m4_status(struct stm32_rproc *ddata, + * We couldn't get the coprocessor's state, assume + * it is not running. + */ +- state = M4_STATE_OFF; ++ *state = M4_STATE_OFF; + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/rpmsg-avoid-double-free-in-mtk_rpmsg_register_device.patch b/queue-5.9/rpmsg-avoid-double-free-in-mtk_rpmsg_register_device.patch new file mode 100644 index 00000000000..b9d89ec44d4 --- /dev/null +++ b/queue-5.9/rpmsg-avoid-double-free-in-mtk_rpmsg_register_device.patch @@ -0,0 +1,52 @@ +From e71ffce3ee759e2fce111552bec42a514c86bec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 08:05:58 +0800 +Subject: rpmsg: Avoid double-free in mtk_rpmsg_register_device + +From: Nicolas Boichat + +[ Upstream commit 231331b2dbd71487159a0400d9ffd967eb0d0e08 ] + +If rpmsg_register_device fails, it will call +mtk_rpmsg_release_device which already frees mdev. + +Fixes: 7017996951fd ("rpmsg: add rpmsg support for mt8183 SCP.") +Signed-off-by: Nicolas Boichat +Reviewed-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200903080547.v3.1.I56cf27cd59f4013bd074dc622c8b8248b034a4cc@changeid +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/mtk_rpmsg.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/rpmsg/mtk_rpmsg.c b/drivers/rpmsg/mtk_rpmsg.c +index 83f2b8804ee98..96a17ec291401 100644 +--- a/drivers/rpmsg/mtk_rpmsg.c ++++ b/drivers/rpmsg/mtk_rpmsg.c +@@ -200,7 +200,6 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, + struct rpmsg_device *rpdev; + struct mtk_rpmsg_device *mdev; + struct platform_device *pdev = mtk_subdev->pdev; +- int ret; + + mdev = kzalloc(sizeof(*mdev), GFP_KERNEL); + if (!mdev) +@@ -219,13 +218,7 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, + rpdev->dev.parent = &pdev->dev; + rpdev->dev.release = mtk_rpmsg_release_device; + +- ret = rpmsg_register_device(rpdev); +- if (ret) { +- kfree(mdev); +- return ret; +- } +- +- return 0; ++ return rpmsg_register_device(rpdev); + } + + static void mtk_register_device_work_function(struct work_struct *register_work) +-- +2.25.1 + diff --git a/queue-5.9/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch b/queue-5.9/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch new file mode 100644 index 00000000000..bbb9cd6cc5e --- /dev/null +++ b/queue-5.9/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch @@ -0,0 +1,111 @@ +From 3613edba37e3b07a160ddae7a56e74c513d09074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 10:18:41 +0300 +Subject: rpmsg: smd: Fix a kobj leak in in qcom_smd_parse_edge() + +From: Dan Carpenter + +[ Upstream commit e69ee0cf655e8e0c4a80f4319e36019b74f17639 ] + +We need to call of_node_put(node) on the error paths for this function. + +Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200908071841.GA294938@mwanda +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index 4abbeea782fa4..19903de6268db 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -1338,7 +1338,7 @@ static int qcom_smd_parse_edge(struct device *dev, + ret = of_property_read_u32(node, key, &edge->edge_id); + if (ret) { + dev_err(dev, "edge missing %s property\n", key); +- return -EINVAL; ++ goto put_node; + } + + edge->remote_pid = QCOM_SMEM_HOST_ANY; +@@ -1349,32 +1349,37 @@ static int qcom_smd_parse_edge(struct device *dev, + edge->mbox_client.knows_txdone = true; + edge->mbox_chan = mbox_request_channel(&edge->mbox_client, 0); + if (IS_ERR(edge->mbox_chan)) { +- if (PTR_ERR(edge->mbox_chan) != -ENODEV) +- return PTR_ERR(edge->mbox_chan); ++ if (PTR_ERR(edge->mbox_chan) != -ENODEV) { ++ ret = PTR_ERR(edge->mbox_chan); ++ goto put_node; ++ } + + edge->mbox_chan = NULL; + + syscon_np = of_parse_phandle(node, "qcom,ipc", 0); + if (!syscon_np) { + dev_err(dev, "no qcom,ipc node\n"); +- return -ENODEV; ++ ret = -ENODEV; ++ goto put_node; + } + + edge->ipc_regmap = syscon_node_to_regmap(syscon_np); +- if (IS_ERR(edge->ipc_regmap)) +- return PTR_ERR(edge->ipc_regmap); ++ if (IS_ERR(edge->ipc_regmap)) { ++ ret = PTR_ERR(edge->ipc_regmap); ++ goto put_node; ++ } + + key = "qcom,ipc"; + ret = of_property_read_u32_index(node, key, 1, &edge->ipc_offset); + if (ret < 0) { + dev_err(dev, "no offset in %s\n", key); +- return -EINVAL; ++ goto put_node; + } + + ret = of_property_read_u32_index(node, key, 2, &edge->ipc_bit); + if (ret < 0) { + dev_err(dev, "no bit in %s\n", key); +- return -EINVAL; ++ goto put_node; + } + } + +@@ -1385,7 +1390,8 @@ static int qcom_smd_parse_edge(struct device *dev, + irq = irq_of_parse_and_map(node, 0); + if (irq < 0) { + dev_err(dev, "required smd interrupt missing\n"); +- return -EINVAL; ++ ret = irq; ++ goto put_node; + } + + ret = devm_request_irq(dev, irq, +@@ -1393,12 +1399,18 @@ static int qcom_smd_parse_edge(struct device *dev, + node->name, edge); + if (ret) { + dev_err(dev, "failed to request smd irq\n"); +- return ret; ++ goto put_node; + } + + edge->irq = irq; + + return 0; ++ ++put_node: ++ of_node_put(node); ++ edge->of_node = NULL; ++ ++ return ret; + } + + /* +-- +2.25.1 + diff --git a/queue-5.9/rtc-ds1307-clear-osf-flag-on-ds1388-when-setting-tim.patch b/queue-5.9/rtc-ds1307-clear-osf-flag-on-ds1388-when-setting-tim.patch new file mode 100644 index 00000000000..8deca08fbff --- /dev/null +++ b/queue-5.9/rtc-ds1307-clear-osf-flag-on-ds1388-when-setting-tim.patch @@ -0,0 +1,38 @@ +From ec3200cd32eab5dd53f4d6695ec4e6ee447431c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 13:35:43 +1200 +Subject: rtc: ds1307: Clear OSF flag on DS1388 when setting time + +From: Chris Packham + +[ Upstream commit f471b05f76e4b1b6ba07ebc7681920a5c5b97c5d ] + +Ensure the OSF flag is cleared on the DS1388 when the clock is set. + +Fixes: df11b323b16f ("rtc: ds1307: handle oscillator failure flags for ds1388 variant") +Signed-off-by: Chris Packham +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20200818013543.4283-1-chris.packham@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index 54c85cdd019dd..c9c3de14bc62f 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -352,6 +352,10 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t) + regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG, + DS1340_BIT_OSF, 0); + break; ++ case ds_1388: ++ regmap_update_bits(ds1307->regmap, DS1388_REG_FLAG, ++ DS1388_BIT_OSF, 0); ++ break; + case mcp794xx: + /* + * these bits were cleared when preparing the date/time +-- +2.25.1 + diff --git a/queue-5.9/rtl8xxxu-prevent-potential-memory-leak.patch b/queue-5.9/rtl8xxxu-prevent-potential-memory-leak.patch new file mode 100644 index 00000000000..8e8b749ac40 --- /dev/null +++ b/queue-5.9/rtl8xxxu-prevent-potential-memory-leak.patch @@ -0,0 +1,65 @@ +From 3cc8c0146216828d0d5f21a1e9b2943abf6a0cd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 12:04:24 +0800 +Subject: rtl8xxxu: prevent potential memory leak + +From: Chris Chiu + +[ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ] + +Free the skb if usb_submit_urb fails on rx_urb. And free the urb +no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb. + +Signed-off-by: Chris Chiu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200906040424.22022-1-chiu@endlessm.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 19efae462a242..5cd7ef3625c5e 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5795,7 +5795,6 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw) + ret = usb_submit_urb(urb, GFP_KERNEL); + if (ret) { + usb_unanchor_urb(urb); +- usb_free_urb(urb); + goto error; + } + +@@ -5804,6 +5803,7 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw) + rtl8xxxu_write32(priv, REG_USB_HIMR, val32); + + error: ++ usb_free_urb(urb); + return ret; + } + +@@ -6318,6 +6318,7 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw) + struct rtl8xxxu_priv *priv = hw->priv; + struct rtl8xxxu_rx_urb *rx_urb; + struct rtl8xxxu_tx_urb *tx_urb; ++ struct sk_buff *skb; + unsigned long flags; + int ret, i; + +@@ -6368,6 +6369,13 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw) + rx_urb->hw = hw; + + ret = rtl8xxxu_submit_rx_urb(priv, rx_urb); ++ if (ret) { ++ if (ret != -ENOMEM) { ++ skb = (struct sk_buff *)rx_urb->urb.context; ++ dev_kfree_skb(skb); ++ } ++ rtl8xxxu_queue_rx_urb(priv, rx_urb); ++ } + } + + schedule_delayed_work(&priv->ra_watchdog, 2 * HZ); +-- +2.25.1 + diff --git a/queue-5.9/rtw88-don-t-treat-null-pointer-as-an-array.patch b/queue-5.9/rtw88-don-t-treat-null-pointer-as-an-array.patch new file mode 100644 index 00000000000..26ae1ab6310 --- /dev/null +++ b/queue-5.9/rtw88-don-t-treat-null-pointer-as-an-array.patch @@ -0,0 +1,46 @@ +From e44ccbd42b695f2ea0b5d05c8c3b4407f03e991b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 14:17:16 -0700 +Subject: rtw88: don't treat NULL pointer as an array + +From: Brian Norris + +[ Upstream commit 22b726cbdd09d9891ede8aa122a950d2d0ae5e09 ] + +I'm not a standards expert, but this really looks to be undefined +behavior, when chip->dig_cck may be NULL. (And, we're trying to do a +NULL check a few lines down, because some chip variants will use NULL.) + +Fixes: fc637a860a82 ("rtw88: 8723d: Set IG register for CCK rate") +Signed-off-by: Brian Norris +Acked-by: Yan-Hsuan Chuang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200821211716.1631556-1-briannorris@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/phy.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c +index 8d93f31597469..9687b376d221b 100644 +--- a/drivers/net/wireless/realtek/rtw88/phy.c ++++ b/drivers/net/wireless/realtek/rtw88/phy.c +@@ -147,12 +147,13 @@ void rtw_phy_dig_write(struct rtw_dev *rtwdev, u8 igi) + { + struct rtw_chip_info *chip = rtwdev->chip; + struct rtw_hal *hal = &rtwdev->hal; +- const struct rtw_hw_reg *dig_cck = &chip->dig_cck[0]; + u32 addr, mask; + u8 path; + +- if (dig_cck) ++ if (chip->dig_cck) { ++ const struct rtw_hw_reg *dig_cck = &chip->dig_cck[0]; + rtw_write32_mask(rtwdev, dig_cck->addr, dig_cck->mask, igi >> 1); ++ } + + for (path = 0; path < hal->rf_path_num; path++) { + addr = chip->dig[path].addr; +-- +2.25.1 + diff --git a/queue-5.9/rtw88-fix-potential-probe-error-handling-race-with-w.patch b/queue-5.9/rtw88-fix-potential-probe-error-handling-race-with-w.patch new file mode 100644 index 00000000000..bfc5f69cf11 --- /dev/null +++ b/queue-5.9/rtw88-fix-potential-probe-error-handling-race-with-w.patch @@ -0,0 +1,48 @@ +From b3b9abce26ee34c8aaad81d2029d75d489640859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 15:26:21 +0200 +Subject: rtw88: Fix potential probe error handling race with wow firmware + loading +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andreas Färber + +[ Upstream commit ac4bac99161e8f7a7a9faef70d8ca8f69d5493a9 ] + +If rtw_core_init() fails to load the wow firmware, rtw_core_deinit() +will not get called to clean up the regular firmware. + +Ensure that an error loading the wow firmware does not produce an oops +for the regular firmware by waiting on its completion to be signalled +before returning. Also release the loaded firmware. + +Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported") +Cc: Chin-Yen Lee +Cc: Yan-Hsuan Chuang +Signed-off-by: Andreas Färber +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200920132621.26468-3-afaerber@suse.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index 58c760dfd6b80..d69e4c6fc680a 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -1473,6 +1473,9 @@ int rtw_core_init(struct rtw_dev *rtwdev) + ret = rtw_load_firmware(rtwdev, RTW_WOWLAN_FW); + if (ret) { + rtw_warn(rtwdev, "no wow firmware loaded\n"); ++ wait_for_completion(&rtwdev->fw.completion); ++ if (rtwdev->fw.firmware) ++ release_firmware(rtwdev->fw.firmware); + return ret; + } + } +-- +2.25.1 + diff --git a/queue-5.9/rtw88-fix-probe-error-handling-race-with-firmware-lo.patch b/queue-5.9/rtw88-fix-probe-error-handling-race-with-firmware-lo.patch new file mode 100644 index 00000000000..7cd9a39795b --- /dev/null +++ b/queue-5.9/rtw88-fix-probe-error-handling-race-with-firmware-lo.patch @@ -0,0 +1,111 @@ +From a4b5f18f4ab70f0ce5918bd69819bc5d48398e55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 15:26:20 +0200 +Subject: rtw88: Fix probe error handling race with firmware loading +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andreas Färber + +[ Upstream commit ecda9cda3338b594a1b82d62018c247132a39e57 ] + +In case of rtw8822be, a probe failure after successful rtw_core_init() +has been observed to occasionally lead to an oops from rtw_load_firmware_cb(): + +[ 3.924268] pci 0001:01:00.0: [10ec:b822] type 00 class 0xff0000 +[ 3.930531] pci 0001:01:00.0: reg 0x10: [io 0x0000-0x00ff] +[ 3.936360] pci 0001:01:00.0: reg 0x18: [mem 0x00000000-0x0000ffff 64bit] +[ 3.944042] pci 0001:01:00.0: supports D1 D2 +[ 3.948438] pci 0001:01:00.0: PME# supported from D0 D1 D2 D3hot D3cold +[ 3.957312] pci 0001:01:00.0: BAR 2: no space for [mem size 0x00010000 64bit] +[ 3.964645] pci 0001:01:00.0: BAR 2: failed to assign [mem size 0x00010000 64bit] +[ 3.972332] pci 0001:01:00.0: BAR 0: assigned [io 0x10000-0x100ff] +[ 3.986240] rtw_8822be 0001:01:00.0: enabling device (0000 -> 0001) +[ 3.992735] rtw_8822be 0001:01:00.0: failed to map pci memory +[ 3.998638] rtw_8822be 0001:01:00.0: failed to request pci io region +[ 4.005166] rtw_8822be 0001:01:00.0: failed to setup pci resources +[ 4.011580] rtw_8822be: probe of 0001:01:00.0 failed with error -12 +[ 4.018827] cfg80211: Loading compiled-in X.509 certificates for regulatory database +[ 4.029121] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7' +[ 4.050828] Unable to handle kernel paging request at virtual address edafeaac9607952c +[ 4.058975] Mem abort info: +[ 4.058980] ESR = 0x96000004 +[ 4.058990] EC = 0x25: DABT (current EL), IL = 32 bits +[ 4.070353] SET = 0, FnV = 0 +[ 4.073487] EA = 0, S1PTW = 0 +[ 4.073501] dw-apb-uart 98007800.serial: forbid DMA for kernel console +[ 4.076723] Data abort info: +[ 4.086415] ISV = 0, ISS = 0x00000004 +[ 4.087731] Freeing unused kernel memory: 1792K +[ 4.090391] CM = 0, WnR = 0 +[ 4.098091] [edafeaac9607952c] address between user and kernel address ranges +[ 4.105418] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 4.111129] Modules linked in: +[ 4.114275] CPU: 1 PID: 31 Comm: kworker/1:1 Not tainted 5.9.0-rc5-next-20200915+ #700 +[ 4.122386] Hardware name: Realtek Saola EVB (DT) +[ 4.127223] Workqueue: events request_firmware_work_func +[ 4.132676] pstate: 60000005 (nZCv daif -PAN -UAO BTYPE=--) +[ 4.138393] pc : rtw_load_firmware_cb+0x54/0xbc +[ 4.143040] lr : request_firmware_work_func+0x44/0xb4 +[ 4.148217] sp : ffff800010133d70 +[ 4.151616] x29: ffff800010133d70 x28: 0000000000000000 +[ 4.157069] x27: 0000000000000000 x26: 0000000000000000 +[ 4.162520] x25: 0000000000000000 x24: 0000000000000000 +[ 4.167971] x23: ffff00007ac21908 x22: ffff00007ebb2100 +[ 4.173424] x21: ffff00007ad35880 x20: edafeaac96079504 +[ 4.178877] x19: ffff00007ad35870 x18: 0000000000000000 +[ 4.184328] x17: 00000000000044d8 x16: 0000000000004310 +[ 4.189780] x15: 0000000000000800 x14: 00000000ef006305 +[ 4.195231] x13: ffffffff00000000 x12: ffffffffffffffff +[ 4.200682] x11: 0000000000000020 x10: 0000000000000003 +[ 4.206135] x9 : 0000000000000000 x8 : ffff00007e73f680 +[ 4.211585] x7 : 0000000000000000 x6 : ffff80001119b588 +[ 4.217036] x5 : ffff00007e649c80 x4 : ffff00007e649c80 +[ 4.222487] x3 : ffff80001119b588 x2 : ffff8000108d1718 +[ 4.227940] x1 : ffff800011bd5000 x0 : ffff00007ac21600 +[ 4.233391] Call trace: +[ 4.235906] rtw_load_firmware_cb+0x54/0xbc +[ 4.240198] request_firmware_work_func+0x44/0xb4 +[ 4.245027] process_one_work+0x178/0x1e4 +[ 4.249142] worker_thread+0x1d0/0x268 +[ 4.252989] kthread+0xe8/0xf8 +[ 4.256127] ret_from_fork+0x10/0x18 +[ 4.259800] Code: f94013f5 a8c37bfd d65f03c0 f9000260 (f9401681) +[ 4.266049] ---[ end trace f822ebae1a8545c2 ]--- + +To avoid this, wait on the completion callbacks in rtw_core_deinit() +before releasing firmware and continuing teardown. + +Note that rtw_wait_firmware_completion() was introduced with +c8e5695eae9959fc5774c0f490f2450be8bad3de ("rtw88: load wowlan firmware +if wowlan is supported"), so backports to earlier branches may need to +inline wait_for_completion(&rtwdev->fw.completion) instead. + +Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") +Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported") +Cc: Yan-Hsuan Chuang +Signed-off-by: Andreas Färber +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200920132621.26468-2-afaerber@suse.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index 54044abf30d7c..58c760dfd6b80 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -1487,6 +1487,8 @@ void rtw_core_deinit(struct rtw_dev *rtwdev) + struct rtw_rsvd_page *rsvd_pkt, *tmp; + unsigned long flags; + ++ rtw_wait_firmware_completion(rtwdev); ++ + if (fw->firmware) + release_firmware(fw->firmware); + +-- +2.25.1 + diff --git a/queue-5.9/rtw88-increse-the-size-of-rx-buffer-size.patch b/queue-5.9/rtw88-increse-the-size-of-rx-buffer-size.patch new file mode 100644 index 00000000000..789c1eae991 --- /dev/null +++ b/queue-5.9/rtw88-increse-the-size-of-rx-buffer-size.patch @@ -0,0 +1,39 @@ +From f9ffe9ba9f5281b96f12550b753185d0aa83aee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:12:15 +0800 +Subject: rtw88: increse the size of rx buffer size + +From: Tzu-En Huang + +[ Upstream commit ee755732b7a16af018daa77d9562d2493fb7092f ] + +The vht capability of MAX_MPDU_LENGTH is 11454 in rtw88; however, the rx +buffer size for each packet is 8192. When receiving packets that are +larger than rx buffer size, it will leads to rx buffer ring overflow. + +Signed-off-by: Tzu-En Huang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200925061219.23754-2-tehuang@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/pci.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/pci.h b/drivers/net/wireless/realtek/rtw88/pci.h +index 024c2bc275cbe..ca17aa9cf7dc7 100644 +--- a/drivers/net/wireless/realtek/rtw88/pci.h ++++ b/drivers/net/wireless/realtek/rtw88/pci.h +@@ -9,8 +9,8 @@ + #define RTK_BEQ_TX_DESC_NUM 256 + + #define RTK_MAX_RX_DESC_NUM 512 +-/* 8K + rx desc size */ +-#define RTK_PCI_RX_BUF_SIZE (8192 + 24) ++/* 11K + rx desc size */ ++#define RTK_PCI_RX_BUF_SIZE (11454 + 24) + + #define RTK_PCI_CTRL 0x300 + #define BIT_RST_TRXDMA_INTF BIT(20) +-- +2.25.1 + diff --git a/queue-5.9/rtw88-pci-power-cycle-device-during-shutdown.patch b/queue-5.9/rtw88-pci-power-cycle-device-during-shutdown.patch new file mode 100644 index 00000000000..8e98a05b620 --- /dev/null +++ b/queue-5.9/rtw88-pci-power-cycle-device-during-shutdown.patch @@ -0,0 +1,47 @@ +From c8f8b5dba90c0b9c4472a50108461bf5a2e27bc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 00:55:08 +0800 +Subject: rtw88: pci: Power cycle device during shutdown + +From: Kai-Heng Feng + +[ Upstream commit 44492e70adc8086c42d3745d21d591657a427f04 ] + +There are reports that 8822CE fails to work rtw88 with "failed to read DBI +register" error. Also I have a system with 8723DE which freezes the whole +system when the rtw88 is probing the device. + +According to [1], platform firmware may not properly power manage the +device during shutdown. I did some expirements and putting the device to +D3 can workaround the issue. + +So let's power cycle the device by putting the device to D3 at shutdown +to prevent the issue from happening. + +[1] https://bugzilla.kernel.org/show_bug.cgi?id=206411#c9 + +BugLink: https://bugs.launchpad.net/bugs/1872984 +Signed-off-by: Kai-Heng Feng +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200928165508.20775-1-kai.heng.feng@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c +index 3413973bc4750..7f1f5073b9f4d 100644 +--- a/drivers/net/wireless/realtek/rtw88/pci.c ++++ b/drivers/net/wireless/realtek/rtw88/pci.c +@@ -1599,6 +1599,8 @@ void rtw_pci_shutdown(struct pci_dev *pdev) + + if (chip->ops->shutdown) + chip->ops->shutdown(rtwdev); ++ ++ pci_set_power_state(pdev, PCI_D3hot); + } + EXPORT_SYMBOL(rtw_pci_shutdown); + +-- +2.25.1 + diff --git a/queue-5.9/s390-bpf-fix-multiple-tail-calls.patch b/queue-5.9/s390-bpf-fix-multiple-tail-calls.patch new file mode 100644 index 00000000000..ef673838fe1 --- /dev/null +++ b/queue-5.9/s390-bpf-fix-multiple-tail-calls.patch @@ -0,0 +1,157 @@ +From 424f394d6988f918b4c82e2c136d733f40914947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 01:21:41 +0200 +Subject: s390/bpf: Fix multiple tail calls + +From: Ilya Leoshkevich + +[ Upstream commit d72714c1da138e6755d3bd14662dc5b7f17fae7f ] + +In order to branch around tail calls (due to out-of-bounds index, +exceeding tail call count or missing tail call target), JIT uses +label[0] field, which contains the address of the instruction following +the tail call. When there are multiple tail calls, label[0] value comes +from handling of a previous tail call, which is incorrect. + +Fix by getting rid of label array and resolving the label address +locally: for all 3 branches that jump to it, emit 0 offsets at the +beginning, and then backpatch them with the correct value. + +Also, do not use the long jump infrastructure: the tail call sequence +is known to be short, so make all 3 jumps short. + +Fixes: 6651ee070b31 ("s390/bpf: implement bpf_tail_call() helper") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200909232141.3099367-1-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 61 ++++++++++++++++-------------------- + 1 file changed, 27 insertions(+), 34 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index be4b8532dd3c4..0a41827928769 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -50,7 +50,6 @@ struct bpf_jit { + int r14_thunk_ip; /* Address of expoline thunk for 'br %r14' */ + int tail_call_start; /* Tail call start offset */ + int excnt; /* Number of exception table entries */ +- int labels[1]; /* Labels for local jumps */ + }; + + #define SEEN_MEM BIT(0) /* use mem[] for temporary storage */ +@@ -229,18 +228,18 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1) + REG_SET_SEEN(b3); \ + }) + +-#define EMIT6_PCREL_LABEL(op1, op2, b1, b2, label, mask) \ ++#define EMIT6_PCREL_RIEB(op1, op2, b1, b2, mask, target) \ + ({ \ +- int rel = (jit->labels[label] - jit->prg) >> 1; \ ++ unsigned int rel = (int)((target) - jit->prg) / 2; \ + _EMIT6((op1) | reg(b1, b2) << 16 | (rel & 0xffff), \ + (op2) | (mask) << 12); \ + REG_SET_SEEN(b1); \ + REG_SET_SEEN(b2); \ + }) + +-#define EMIT6_PCREL_IMM_LABEL(op1, op2, b1, imm, label, mask) \ ++#define EMIT6_PCREL_RIEC(op1, op2, b1, imm, mask, target) \ + ({ \ +- int rel = (jit->labels[label] - jit->prg) >> 1; \ ++ unsigned int rel = (int)((target) - jit->prg) / 2; \ + _EMIT6((op1) | (reg_high(b1) | (mask)) << 16 | \ + (rel & 0xffff), (op2) | ((imm) & 0xff) << 8); \ + REG_SET_SEEN(b1); \ +@@ -1282,7 +1281,9 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, + EMIT4(0xb9040000, BPF_REG_0, REG_2); + break; + } +- case BPF_JMP | BPF_TAIL_CALL: ++ case BPF_JMP | BPF_TAIL_CALL: { ++ int patch_1_clrj, patch_2_clij, patch_3_brc; ++ + /* + * Implicit input: + * B1: pointer to ctx +@@ -1300,16 +1301,10 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, + EMIT6_DISP_LH(0xe3000000, 0x0016, REG_W1, REG_0, BPF_REG_2, + offsetof(struct bpf_array, map.max_entries)); + /* if ((u32)%b3 >= (u32)%w1) goto out; */ +- if (!is_first_pass(jit) && can_use_rel(jit, jit->labels[0])) { +- /* clrj %b3,%w1,0xa,label0 */ +- EMIT6_PCREL_LABEL(0xec000000, 0x0077, BPF_REG_3, +- REG_W1, 0, 0xa); +- } else { +- /* clr %b3,%w1 */ +- EMIT2(0x1500, BPF_REG_3, REG_W1); +- /* brcl 0xa,label0 */ +- EMIT6_PCREL_RILC(0xc0040000, 0xa, jit->labels[0]); +- } ++ /* clrj %b3,%w1,0xa,out */ ++ patch_1_clrj = jit->prg; ++ EMIT6_PCREL_RIEB(0xec000000, 0x0077, BPF_REG_3, REG_W1, 0xa, ++ jit->prg); + + /* + * if (tail_call_cnt++ > MAX_TAIL_CALL_CNT) +@@ -1324,16 +1319,10 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, + EMIT4_IMM(0xa7080000, REG_W0, 1); + /* laal %w1,%w0,off(%r15) */ + EMIT6_DISP_LH(0xeb000000, 0x00fa, REG_W1, REG_W0, REG_15, off); +- if (!is_first_pass(jit) && can_use_rel(jit, jit->labels[0])) { +- /* clij %w1,MAX_TAIL_CALL_CNT,0x2,label0 */ +- EMIT6_PCREL_IMM_LABEL(0xec000000, 0x007f, REG_W1, +- MAX_TAIL_CALL_CNT, 0, 0x2); +- } else { +- /* clfi %w1,MAX_TAIL_CALL_CNT */ +- EMIT6_IMM(0xc20f0000, REG_W1, MAX_TAIL_CALL_CNT); +- /* brcl 0x2,label0 */ +- EMIT6_PCREL_RILC(0xc0040000, 0x2, jit->labels[0]); +- } ++ /* clij %w1,MAX_TAIL_CALL_CNT,0x2,out */ ++ patch_2_clij = jit->prg; ++ EMIT6_PCREL_RIEC(0xec000000, 0x007f, REG_W1, MAX_TAIL_CALL_CNT, ++ 2, jit->prg); + + /* + * prog = array->ptrs[index]; +@@ -1348,13 +1337,9 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, + /* ltg %r1,prog(%b2,%r1) */ + EMIT6_DISP_LH(0xe3000000, 0x0002, REG_1, BPF_REG_2, + REG_1, offsetof(struct bpf_array, ptrs)); +- if (!is_first_pass(jit) && can_use_rel(jit, jit->labels[0])) { +- /* brc 0x8,label0 */ +- EMIT4_PCREL_RIC(0xa7040000, 0x8, jit->labels[0]); +- } else { +- /* brcl 0x8,label0 */ +- EMIT6_PCREL_RILC(0xc0040000, 0x8, jit->labels[0]); +- } ++ /* brc 0x8,out */ ++ patch_3_brc = jit->prg; ++ EMIT4_PCREL_RIC(0xa7040000, 8, jit->prg); + + /* + * Restore registers before calling function +@@ -1371,8 +1356,16 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, + /* bc 0xf,tail_call_start(%r1) */ + _EMIT4(0x47f01000 + jit->tail_call_start); + /* out: */ +- jit->labels[0] = jit->prg; ++ if (jit->prg_buf) { ++ *(u16 *)(jit->prg_buf + patch_1_clrj + 2) = ++ (jit->prg - patch_1_clrj) >> 1; ++ *(u16 *)(jit->prg_buf + patch_2_clij + 2) = ++ (jit->prg - patch_2_clij) >> 1; ++ *(u16 *)(jit->prg_buf + patch_3_brc + 2) = ++ (jit->prg - patch_3_brc) >> 1; ++ } + break; ++ } + case BPF_JMP | BPF_EXIT: /* return b0 */ + last = (i == fp->len - 1) ? 1 : 0; + if (last) +-- +2.25.1 + diff --git a/queue-5.9/s390-pci-mark-all-vfs-as-not-implementing-pci_comman.patch b/queue-5.9/s390-pci-mark-all-vfs-as-not-implementing-pci_comman.patch new file mode 100644 index 00000000000..56d87f169e4 --- /dev/null +++ b/queue-5.9/s390-pci-mark-all-vfs-as-not-implementing-pci_comman.patch @@ -0,0 +1,45 @@ +From c4d66367cb3c116522e6b90585127e45da2cbafe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 10:59:56 -0400 +Subject: s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY + +From: Matthew Rosato + +[ Upstream commit 08b6e22b850c28b6032da1e4d767a33116e23dfb ] + +For s390 we can have VFs that are passed-through without the associated +PF. Firmware provides an emulation layer to allow these devices to +operate independently, but is missing emulation of the Memory Space +Enable bit. For these as well as linked VFs, set no_command_memory +which specifies these devices do not implement PCI_COMMAND_MEMORY. + +Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory") +Signed-off-by: Matthew Rosato +Reviewed-by: Niklas Schnelle +Reviewed-by: Pierre Morel +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + arch/s390/pci/pci_bus.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/pci/pci_bus.c b/arch/s390/pci/pci_bus.c +index 5967f30141563..c93486a9989bc 100644 +--- a/arch/s390/pci/pci_bus.c ++++ b/arch/s390/pci/pci_bus.c +@@ -197,9 +197,10 @@ void pcibios_bus_add_device(struct pci_dev *pdev) + * With pdev->no_vf_scan the common PCI probing code does not + * perform PF/VF linking. + */ +- if (zdev->vfn) ++ if (zdev->vfn) { + zpci_bus_setup_virtfn(zdev->zbus, pdev, zdev->vfn); +- ++ pdev->no_command_memory = 1; ++ } + } + + static int zpci_bus_add_device(struct zpci_bus *zbus, struct zpci_dev *zdev) +-- +2.25.1 + diff --git a/queue-5.9/s390-qeth-strictly-order-bridge-address-events.patch b/queue-5.9/s390-qeth-strictly-order-bridge-address-events.patch new file mode 100644 index 00000000000..3203850a8c2 --- /dev/null +++ b/queue-5.9/s390-qeth-strictly-order-bridge-address-events.patch @@ -0,0 +1,215 @@ +From 93764c59c08324b00760bdd7e352aa15bf286252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 10:17:05 +0200 +Subject: s390/qeth: strictly order bridge address events + +From: Julian Wiedmann + +[ Upstream commit 9d6a569a4cbab5a8b4c959d4e312daeecb7c9f09 ] + +The current code for bridge address events has two shortcomings in its +control sequence: + +1. after disabling address events via PNSO, we don't flush the remaining + events from the event_wq. So if the feature is re-enabled fast + enough, stale events could leak over. +2. PNSO and the events' arrival via the READ ccw device are unordered. + So even if we flushed the workqueue, it's difficult to say whether + the READ device might produce more events onto the workqueue + afterwards. + +Fix this by +1. explicitly fencing off the events when we no longer care, in the + READ device's event handler. This ensures that once we flush the + workqueue, it doesn't get additional address events. +2. Flush the workqueue after disabling the events & fencing them off. + As the code that triggers the flush will typically hold the sbp_lock, + we need to rework the worker code to avoid a deadlock here in case + of a 'notifications-stopped' event. In case of lock contention, + requeue such an event with a delay. We'll eventually aquire the lock, + or spot that the feature has been disabled and the event can thus be + discarded. + +This leaves the theoretical race that a stale event could arrive +_after_ we re-enabled ourselves to receive events again. Such an event +would be impossible to distinguish from a 'good' event, nothing we can +do about it. + +Signed-off-by: Julian Wiedmann +Reviewed-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_core.h | 6 ++++ + drivers/s390/net/qeth_l2_main.c | 53 ++++++++++++++++++++++++++++----- + drivers/s390/net/qeth_l2_sys.c | 1 + + 3 files changed, 52 insertions(+), 8 deletions(-) + +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h +index ecfd6d152e862..6b5cf9ba03e5b 100644 +--- a/drivers/s390/net/qeth_core.h ++++ b/drivers/s390/net/qeth_core.h +@@ -680,6 +680,11 @@ struct qeth_card_blkt { + int inter_packet_jumbo; + }; + ++enum qeth_pnso_mode { ++ QETH_PNSO_NONE, ++ QETH_PNSO_BRIDGEPORT, ++}; ++ + #define QETH_BROADCAST_WITH_ECHO 0x01 + #define QETH_BROADCAST_WITHOUT_ECHO 0x02 + struct qeth_card_info { +@@ -696,6 +701,7 @@ struct qeth_card_info { + /* no bitfield, we take a pointer on these two: */ + u8 has_lp2lp_cso_v6; + u8 has_lp2lp_cso_v4; ++ enum qeth_pnso_mode pnso_mode; + enum qeth_card_types type; + enum qeth_link_types link_type; + int broadcast_capable; +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index 6384f7adba660..9866d01b40fe7 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -273,6 +273,17 @@ static int qeth_l2_vlan_rx_kill_vid(struct net_device *dev, + return qeth_l2_send_setdelvlan(card, vid, IPA_CMD_DELVLAN); + } + ++static void qeth_l2_set_pnso_mode(struct qeth_card *card, ++ enum qeth_pnso_mode mode) ++{ ++ spin_lock_irq(get_ccwdev_lock(CARD_RDEV(card))); ++ WRITE_ONCE(card->info.pnso_mode, mode); ++ spin_unlock_irq(get_ccwdev_lock(CARD_RDEV(card))); ++ ++ if (mode == QETH_PNSO_NONE) ++ drain_workqueue(card->event_wq); ++} ++ + static void qeth_l2_stop_card(struct qeth_card *card) + { + QETH_CARD_TEXT(card, 2, "stopcard"); +@@ -290,7 +301,7 @@ static void qeth_l2_stop_card(struct qeth_card *card) + qeth_qdio_clear_card(card, 0); + qeth_drain_output_queues(card); + qeth_clear_working_pool_list(card); +- flush_workqueue(card->event_wq); ++ qeth_l2_set_pnso_mode(card, QETH_PNSO_NONE); + qeth_flush_local_addrs(card); + card->info.promisc_mode = 0; + } +@@ -1163,19 +1174,34 @@ static void qeth_bridge_state_change(struct qeth_card *card, + } + + struct qeth_addr_change_data { +- struct work_struct worker; ++ struct delayed_work dwork; + struct qeth_card *card; + struct qeth_ipacmd_addr_change ac_event; + }; + + static void qeth_addr_change_event_worker(struct work_struct *work) + { +- struct qeth_addr_change_data *data = +- container_of(work, struct qeth_addr_change_data, worker); ++ struct delayed_work *dwork = to_delayed_work(work); ++ struct qeth_addr_change_data *data; ++ struct qeth_card *card; + int i; + ++ data = container_of(dwork, struct qeth_addr_change_data, dwork); ++ card = data->card; ++ + QETH_CARD_TEXT(data->card, 4, "adrchgew"); ++ ++ if (READ_ONCE(card->info.pnso_mode) == QETH_PNSO_NONE) ++ goto free; ++ + if (data->ac_event.lost_event_mask) { ++ /* Potential re-config in progress, try again later: */ ++ if (!mutex_trylock(&card->sbp_lock)) { ++ queue_delayed_work(card->event_wq, dwork, ++ msecs_to_jiffies(100)); ++ return; ++ } ++ + dev_info(&data->card->gdev->dev, + "Address change notification stopped on %s (%s)\n", + data->card->dev->name, +@@ -1184,8 +1210,9 @@ static void qeth_addr_change_event_worker(struct work_struct *work) + : (data->ac_event.lost_event_mask == 0x02) + ? "Bridge port state change" + : "Unknown reason"); +- mutex_lock(&data->card->sbp_lock); ++ + data->card->options.sbp.hostnotification = 0; ++ card->info.pnso_mode = QETH_PNSO_NONE; + mutex_unlock(&data->card->sbp_lock); + qeth_bridge_emit_host_event(data->card, anev_abort, + 0, NULL, NULL); +@@ -1199,6 +1226,8 @@ static void qeth_addr_change_event_worker(struct work_struct *work) + &entry->token, + &entry->addr_lnid); + } ++ ++free: + kfree(data); + } + +@@ -1210,6 +1239,9 @@ static void qeth_addr_change_event(struct qeth_card *card, + struct qeth_addr_change_data *data; + int extrasize; + ++ if (card->info.pnso_mode == QETH_PNSO_NONE) ++ return; ++ + QETH_CARD_TEXT(card, 4, "adrchgev"); + if (cmd->hdr.return_code != 0x0000) { + if (cmd->hdr.return_code == 0x0010) { +@@ -1229,11 +1261,11 @@ static void qeth_addr_change_event(struct qeth_card *card, + QETH_CARD_TEXT(card, 2, "ACNalloc"); + return; + } +- INIT_WORK(&data->worker, qeth_addr_change_event_worker); ++ INIT_DELAYED_WORK(&data->dwork, qeth_addr_change_event_worker); + data->card = card; + memcpy(&data->ac_event, hostevs, + sizeof(struct qeth_ipacmd_addr_change) + extrasize); +- queue_work(card->event_wq, &data->worker); ++ queue_delayed_work(card->event_wq, &data->dwork, 0); + } + + /* SETBRIDGEPORT support; sending commands */ +@@ -1554,9 +1586,14 @@ int qeth_bridgeport_an_set(struct qeth_card *card, int enable) + + if (enable) { + qeth_bridge_emit_host_event(card, anev_reset, 0, NULL, NULL); ++ qeth_l2_set_pnso_mode(card, QETH_PNSO_BRIDGEPORT); + rc = qeth_l2_pnso(card, 1, qeth_bridgeport_an_set_cb, card); +- } else ++ if (rc) ++ qeth_l2_set_pnso_mode(card, QETH_PNSO_NONE); ++ } else { + rc = qeth_l2_pnso(card, 0, NULL, NULL); ++ qeth_l2_set_pnso_mode(card, QETH_PNSO_NONE); ++ } + return rc; + } + +diff --git a/drivers/s390/net/qeth_l2_sys.c b/drivers/s390/net/qeth_l2_sys.c +index 86bcae992f725..4695d25e54f24 100644 +--- a/drivers/s390/net/qeth_l2_sys.c ++++ b/drivers/s390/net/qeth_l2_sys.c +@@ -157,6 +157,7 @@ static ssize_t qeth_bridgeport_hostnotification_store(struct device *dev, + rc = -EBUSY; + else if (qeth_card_hw_is_reachable(card)) { + rc = qeth_bridgeport_an_set(card, enable); ++ /* sbp_lock ensures ordering vs notifications-stopped events */ + if (!rc) + card->options.sbp.hostnotification = enable; + } else +-- +2.25.1 + diff --git a/queue-5.9/samples-bpf-fix-to-xdpsock-to-avoid-recycling-frames.patch b/queue-5.9/samples-bpf-fix-to-xdpsock-to-avoid-recycling-frames.patch new file mode 100644 index 00000000000..b4ef0a01af3 --- /dev/null +++ b/queue-5.9/samples-bpf-fix-to-xdpsock-to-avoid-recycling-frames.patch @@ -0,0 +1,71 @@ +From b16aab6d3a1a972ac65ef018b2b7223b6b90f440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 00:17:17 +0800 +Subject: samples/bpf: Fix to xdpsock to avoid recycling frames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Weqaar Janjua + +[ Upstream commit b69e56cf765155dcac0037d7d0f162a2afab76c2 ] + +The txpush program in the xdpsock sample application is supposed +to send out all packets in the umem in a round-robin fashion. +The problem is that it only cycled through the first BATCH_SIZE +worth of packets. Fixed this so that it cycles through all buffers +in the umem as intended. + +Fixes: 248c7f9c0e21 ("samples/bpf: convert xdpsock to use libbpf for AF_XDP access") +Signed-off-by: Weqaar Janjua +Signed-off-by: Daniel Borkmann +Acked-by: Björn Töpel +Link: https://lore.kernel.org/bpf/20200828161717.42705-1-weqaar.a.janjua@intel.com +Signed-off-by: Sasha Levin +--- + samples/bpf/xdpsock_user.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/samples/bpf/xdpsock_user.c b/samples/bpf/xdpsock_user.c +index 19c679456a0e2..c821e98671393 100644 +--- a/samples/bpf/xdpsock_user.c ++++ b/samples/bpf/xdpsock_user.c +@@ -1004,7 +1004,7 @@ static void rx_drop_all(void) + } + } + +-static void tx_only(struct xsk_socket_info *xsk, u32 frame_nb, int batch_size) ++static void tx_only(struct xsk_socket_info *xsk, u32 *frame_nb, int batch_size) + { + u32 idx; + unsigned int i; +@@ -1017,14 +1017,14 @@ static void tx_only(struct xsk_socket_info *xsk, u32 frame_nb, int batch_size) + for (i = 0; i < batch_size; i++) { + struct xdp_desc *tx_desc = xsk_ring_prod__tx_desc(&xsk->tx, + idx + i); +- tx_desc->addr = (frame_nb + i) << XSK_UMEM__DEFAULT_FRAME_SHIFT; ++ tx_desc->addr = (*frame_nb + i) << XSK_UMEM__DEFAULT_FRAME_SHIFT; + tx_desc->len = PKT_SIZE; + } + + xsk_ring_prod__submit(&xsk->tx, batch_size); + xsk->outstanding_tx += batch_size; +- frame_nb += batch_size; +- frame_nb %= NUM_FRAMES; ++ *frame_nb += batch_size; ++ *frame_nb %= NUM_FRAMES; + complete_tx_only(xsk, batch_size); + } + +@@ -1080,7 +1080,7 @@ static void tx_only_all(void) + } + + for (i = 0; i < num_socks; i++) +- tx_only(xsks[i], frame_nb[i], batch_size); ++ tx_only(xsks[i], &frame_nb[i], batch_size); + + pkt_cnt += batch_size; + +-- +2.25.1 + diff --git a/queue-5.9/sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch b/queue-5.9/sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch new file mode 100644 index 00000000000..adb0d4b3d5c --- /dev/null +++ b/queue-5.9/sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch @@ -0,0 +1,80 @@ +From fae0ddbc967f28b0cb9ab3f766105a4ffcf2d003 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 14:48:47 +0800 +Subject: sched/fair: Fix wrong cpu selecting from isolated domain + +From: Xunlei Pang + +[ Upstream commit df3cb4ea1fb63ff326488efd671ba3c39034255e ] + +We've met problems that occasionally tasks with full cpumask +(e.g. by putting it into a cpuset or setting to full affinity) +were migrated to our isolated cpus in production environment. + +After some analysis, we found that it is due to the current +select_idle_smt() not considering the sched_domain mask. + +Steps to reproduce on my 31-CPU hyperthreads machine: +1. with boot parameter: "isolcpus=domain,2-31" + (thread lists: 0,16 and 1,17) +2. cgcreate -g cpu:test; cgexec -g cpu:test "test_threads" +3. some threads will be migrated to the isolated cpu16~17. + +Fix it by checking the valid domain mask in select_idle_smt(). + +Fixes: 10e2f1acd010 ("sched/core: Rewrite and improve select_idle_siblings()) +Reported-by: Wetp Zhang +Signed-off-by: Xunlei Pang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Jiang Biao +Reviewed-by: Vincent Guittot +Link: https://lkml.kernel.org/r/1600930127-76857-1-git-send-email-xlpang@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 51408ebd76c27..ea3d20be3e756 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -6075,7 +6075,7 @@ static int select_idle_core(struct task_struct *p, struct sched_domain *sd, int + /* + * Scan the local SMT mask for idle CPUs. + */ +-static int select_idle_smt(struct task_struct *p, int target) ++static int select_idle_smt(struct task_struct *p, struct sched_domain *sd, int target) + { + int cpu; + +@@ -6083,7 +6083,8 @@ static int select_idle_smt(struct task_struct *p, int target) + return -1; + + for_each_cpu(cpu, cpu_smt_mask(target)) { +- if (!cpumask_test_cpu(cpu, p->cpus_ptr)) ++ if (!cpumask_test_cpu(cpu, p->cpus_ptr) || ++ !cpumask_test_cpu(cpu, sched_domain_span(sd))) + continue; + if (available_idle_cpu(cpu) || sched_idle_cpu(cpu)) + return cpu; +@@ -6099,7 +6100,7 @@ static inline int select_idle_core(struct task_struct *p, struct sched_domain *s + return -1; + } + +-static inline int select_idle_smt(struct task_struct *p, int target) ++static inline int select_idle_smt(struct task_struct *p, struct sched_domain *sd, int target) + { + return -1; + } +@@ -6274,7 +6275,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target) + if ((unsigned)i < nr_cpumask_bits) + return i; + +- i = select_idle_smt(p, target); ++ i = select_idle_smt(p, sd, target); + if ((unsigned)i < nr_cpumask_bits) + return i; + +-- +2.25.1 + diff --git a/queue-5.9/sched-fair-fix-wrong-negative-conversion-in-find_ene.patch b/queue-5.9/sched-fair-fix-wrong-negative-conversion-in-find_ene.patch new file mode 100644 index 00000000000..16ba0f788d3 --- /dev/null +++ b/queue-5.9/sched-fair-fix-wrong-negative-conversion-in-find_ene.patch @@ -0,0 +1,47 @@ +From 1c63dbec2b68963b66a50d9d3f82221fe31c9d1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 09:30:04 +0100 +Subject: sched/fair: Fix wrong negative conversion in + find_energy_efficient_cpu() + +From: Lukasz Luba + +[ Upstream commit da0777d35f47892f359c3f73ea155870bb595700 ] + +In find_energy_efficient_cpu() 'cpu_cap' could be less that 'util'. +It might be because of RT, DL (so higher sched class than CFS), irq or +thermal pressure signal, which reduce the capacity value. +In such situation the result of 'cpu_cap - util' might be negative but +stored in the unsigned long. Then it might be compared with other unsigned +long when uclamp_rq_util_with() reduced the 'util' such that is passes the +fits_capacity() check. + +Prevent this situation and make the arithmetic more safe. + +Fixes: 1d42509e475cd ("sched/fair: Make EAS wakeup placement consider uclamp restrictions") +Signed-off-by: Lukasz Luba +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Link: https://lkml.kernel.org/r/20200810083004.26420-1-lukasz.luba@arm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 1a68a0536adda..51408ebd76c27 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -6594,7 +6594,8 @@ static int find_energy_efficient_cpu(struct task_struct *p, int prev_cpu) + + util = cpu_util_next(cpu, p, cpu); + cpu_cap = capacity_of(cpu); +- spare_cap = cpu_cap - util; ++ spare_cap = cpu_cap; ++ lsub_positive(&spare_cap, util); + + /* + * Skip CPUs that cannot satisfy the capacity request. +-- +2.25.1 + diff --git a/queue-5.9/sched-fair-use-dst-group-while-checking-imbalance-fo.patch b/queue-5.9/sched-fair-use-dst-group-while-checking-imbalance-fo.patch new file mode 100644 index 00000000000..07e893d5893 --- /dev/null +++ b/queue-5.9/sched-fair-use-dst-group-while-checking-imbalance-fo.patch @@ -0,0 +1,193 @@ +From 3411c6d68cb8717c677ccea4a1dff2c60b2dd451 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 23:18:49 +0100 +Subject: sched/fair: Use dst group while checking imbalance for NUMA balancer + +From: Barry Song + +[ Upstream commit 233e7aca4c8a2c764f556bba9644c36154017e7f ] + +Barry Song noted the following + + Something is wrong. In find_busiest_group(), we are checking if + src has higher load, however, in task_numa_find_cpu(), we are + checking if dst will have higher load after balancing. It seems + it is not sensible to check src. + + It maybe cause wrong imbalance value, for example, + + if dst_running = env->dst_stats.nr_running + 1 results in 3 or + above, and src_running = env->src_stats.nr_running - 1 results + in 1; + + The current code is thinking imbalance as 0 since src_running is + smaller than 2. This is inconsistent with load balancer. + +Basically, in find_busiest_group(), the NUMA imbalance is ignored if moving +a task "from an almost idle domain" to a "domain with spare capacity". This +patch forbids movement "from a misplaced domain" to "an almost idle domain" +as that is closer to what the CPU load balancer expects. + +This patch is not a universal win. The old behaviour was intended to allow +a task from an almost idle NUMA node to migrate to its preferred node if +the destination had capacity but there are corner cases. For example, +a NAS compute load could be parallelised to use 1/3rd of available CPUs +but not all those potential tasks are active at all times allowing this +logic to trigger. An obvious example is specjbb 2005 running various +numbers of warehouses on a 2 socket box with 80 cpus. + +specjbb + 5.9.0-rc4 5.9.0-rc4 + vanilla dstbalance-v1r1 +Hmean tput-1 46425.00 ( 0.00%) 43394.00 * -6.53%* +Hmean tput-2 98416.00 ( 0.00%) 96031.00 * -2.42%* +Hmean tput-3 150184.00 ( 0.00%) 148783.00 * -0.93%* +Hmean tput-4 200683.00 ( 0.00%) 197906.00 * -1.38%* +Hmean tput-5 236305.00 ( 0.00%) 245549.00 * 3.91%* +Hmean tput-6 281559.00 ( 0.00%) 285692.00 * 1.47%* +Hmean tput-7 338558.00 ( 0.00%) 334467.00 * -1.21%* +Hmean tput-8 340745.00 ( 0.00%) 372501.00 * 9.32%* +Hmean tput-9 424343.00 ( 0.00%) 413006.00 * -2.67%* +Hmean tput-10 421854.00 ( 0.00%) 434261.00 * 2.94%* +Hmean tput-11 493256.00 ( 0.00%) 485330.00 * -1.61%* +Hmean tput-12 549573.00 ( 0.00%) 529959.00 * -3.57%* +Hmean tput-13 593183.00 ( 0.00%) 555010.00 * -6.44%* +Hmean tput-14 588252.00 ( 0.00%) 599166.00 * 1.86%* +Hmean tput-15 623065.00 ( 0.00%) 642713.00 * 3.15%* +Hmean tput-16 703924.00 ( 0.00%) 660758.00 * -6.13%* +Hmean tput-17 666023.00 ( 0.00%) 697675.00 * 4.75%* +Hmean tput-18 761502.00 ( 0.00%) 758360.00 * -0.41%* +Hmean tput-19 796088.00 ( 0.00%) 798368.00 * 0.29%* +Hmean tput-20 733564.00 ( 0.00%) 823086.00 * 12.20%* +Hmean tput-21 840980.00 ( 0.00%) 856711.00 * 1.87%* +Hmean tput-22 804285.00 ( 0.00%) 872238.00 * 8.45%* +Hmean tput-23 795208.00 ( 0.00%) 889374.00 * 11.84%* +Hmean tput-24 848619.00 ( 0.00%) 966783.00 * 13.92%* +Hmean tput-25 750848.00 ( 0.00%) 903790.00 * 20.37%* +Hmean tput-26 780523.00 ( 0.00%) 962254.00 * 23.28%* +Hmean tput-27 1042245.00 ( 0.00%) 991544.00 * -4.86%* +Hmean tput-28 1090580.00 ( 0.00%) 1035926.00 * -5.01%* +Hmean tput-29 999483.00 ( 0.00%) 1082948.00 * 8.35%* +Hmean tput-30 1098663.00 ( 0.00%) 1113427.00 * 1.34%* +Hmean tput-31 1125671.00 ( 0.00%) 1134175.00 * 0.76%* +Hmean tput-32 968167.00 ( 0.00%) 1250286.00 * 29.14%* +Hmean tput-33 1077676.00 ( 0.00%) 1060893.00 * -1.56%* +Hmean tput-34 1090538.00 ( 0.00%) 1090933.00 * 0.04%* +Hmean tput-35 967058.00 ( 0.00%) 1107421.00 * 14.51%* +Hmean tput-36 1051745.00 ( 0.00%) 1210663.00 * 15.11%* +Hmean tput-37 1019465.00 ( 0.00%) 1351446.00 * 32.56%* +Hmean tput-38 1083102.00 ( 0.00%) 1064541.00 * -1.71%* +Hmean tput-39 1232990.00 ( 0.00%) 1303623.00 * 5.73%* +Hmean tput-40 1175542.00 ( 0.00%) 1340943.00 * 14.07%* +Hmean tput-41 1127826.00 ( 0.00%) 1339492.00 * 18.77%* +Hmean tput-42 1198313.00 ( 0.00%) 1411023.00 * 17.75%* +Hmean tput-43 1163733.00 ( 0.00%) 1228253.00 * 5.54%* +Hmean tput-44 1305562.00 ( 0.00%) 1357886.00 * 4.01%* +Hmean tput-45 1326752.00 ( 0.00%) 1406061.00 * 5.98%* +Hmean tput-46 1339424.00 ( 0.00%) 1418451.00 * 5.90%* +Hmean tput-47 1415057.00 ( 0.00%) 1381570.00 * -2.37%* +Hmean tput-48 1392003.00 ( 0.00%) 1421167.00 * 2.10%* +Hmean tput-49 1408374.00 ( 0.00%) 1418659.00 * 0.73%* +Hmean tput-50 1359822.00 ( 0.00%) 1391070.00 * 2.30%* +Hmean tput-51 1414246.00 ( 0.00%) 1392679.00 * -1.52%* +Hmean tput-52 1432352.00 ( 0.00%) 1354020.00 * -5.47%* +Hmean tput-53 1387563.00 ( 0.00%) 1409563.00 * 1.59%* +Hmean tput-54 1406420.00 ( 0.00%) 1388711.00 * -1.26%* +Hmean tput-55 1438804.00 ( 0.00%) 1387472.00 * -3.57%* +Hmean tput-56 1399465.00 ( 0.00%) 1400296.00 * 0.06%* +Hmean tput-57 1428132.00 ( 0.00%) 1396399.00 * -2.22%* +Hmean tput-58 1432385.00 ( 0.00%) 1386253.00 * -3.22%* +Hmean tput-59 1421612.00 ( 0.00%) 1371416.00 * -3.53%* +Hmean tput-60 1429423.00 ( 0.00%) 1389412.00 * -2.80%* +Hmean tput-61 1396230.00 ( 0.00%) 1351122.00 * -3.23%* +Hmean tput-62 1418396.00 ( 0.00%) 1383098.00 * -2.49%* +Hmean tput-63 1409918.00 ( 0.00%) 1374662.00 * -2.50%* +Hmean tput-64 1410236.00 ( 0.00%) 1376216.00 * -2.41%* +Hmean tput-65 1396405.00 ( 0.00%) 1364418.00 * -2.29%* +Hmean tput-66 1395975.00 ( 0.00%) 1357326.00 * -2.77%* +Hmean tput-67 1392986.00 ( 0.00%) 1349642.00 * -3.11%* +Hmean tput-68 1386541.00 ( 0.00%) 1343261.00 * -3.12%* +Hmean tput-69 1374407.00 ( 0.00%) 1342588.00 * -2.32%* +Hmean tput-70 1377513.00 ( 0.00%) 1334654.00 * -3.11%* +Hmean tput-71 1369319.00 ( 0.00%) 1334952.00 * -2.51%* +Hmean tput-72 1354635.00 ( 0.00%) 1329005.00 * -1.89%* +Hmean tput-73 1350933.00 ( 0.00%) 1318942.00 * -2.37%* +Hmean tput-74 1351714.00 ( 0.00%) 1316347.00 * -2.62%* +Hmean tput-75 1352198.00 ( 0.00%) 1309974.00 * -3.12%* +Hmean tput-76 1349490.00 ( 0.00%) 1286064.00 * -4.70%* +Hmean tput-77 1336131.00 ( 0.00%) 1303684.00 * -2.43%* +Hmean tput-78 1308896.00 ( 0.00%) 1271024.00 * -2.89%* +Hmean tput-79 1326703.00 ( 0.00%) 1290862.00 * -2.70%* +Hmean tput-80 1336199.00 ( 0.00%) 1291629.00 * -3.34%* + +The performance at the mid-point is better but not universally better. The +patch is a mixed bag depending on the workload, machine and overall +levels of utilisation. Sometimes it's better (sometimes much better), +other times it is worse (sometimes much worse). Given that there isn't a +universally good decision in this section and more people seem to prefer +the patch then it may be best to keep the LB decisions consistent and +revisit imbalance handling when the load balancer code changes settle down. + +Jirka Hladky added the following observation. + + Our results are mostly in line with what you see. We observe + big gains (20-50%) when the system is loaded to 1/3 of the + maximum capacity and mixed results at the full load - some + workloads benefit from the patch at the full load, others not, + but performance changes at the full load are mostly within the + noise of results (+/-5%). Overall, we think this patch is helpful. + +[mgorman@techsingularity.net: Rewrote changelog] +Fixes: fb86f5b211 ("sched/numa: Use similar logic to the load balancer for moving between domains with spare capacity") +Signed-off-by: Barry Song +Signed-off-by: Mel Gorman +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200921221849.GI3179@techsingularity.net +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index ea3d20be3e756..48a6d442b4443 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -1548,7 +1548,7 @@ struct task_numa_env { + + static unsigned long cpu_load(struct rq *rq); + static unsigned long cpu_util(int cpu); +-static inline long adjust_numa_imbalance(int imbalance, int src_nr_running); ++static inline long adjust_numa_imbalance(int imbalance, int nr_running); + + static inline enum + numa_type numa_classify(unsigned int imbalance_pct, +@@ -1925,7 +1925,7 @@ static void task_numa_find_cpu(struct task_numa_env *env, + src_running = env->src_stats.nr_running - 1; + dst_running = env->dst_stats.nr_running + 1; + imbalance = max(0, dst_running - src_running); +- imbalance = adjust_numa_imbalance(imbalance, src_running); ++ imbalance = adjust_numa_imbalance(imbalance, dst_running); + + /* Use idle CPU if there is no imbalance */ + if (!imbalance) { +@@ -8959,7 +8959,7 @@ static inline void update_sd_lb_stats(struct lb_env *env, struct sd_lb_stats *sd + } + } + +-static inline long adjust_numa_imbalance(int imbalance, int src_nr_running) ++static inline long adjust_numa_imbalance(int imbalance, int nr_running) + { + unsigned int imbalance_min; + +@@ -8968,7 +8968,7 @@ static inline long adjust_numa_imbalance(int imbalance, int src_nr_running) + * tasks that remain local when the source domain is almost idle. + */ + imbalance_min = 2; +- if (src_nr_running <= imbalance_min) ++ if (nr_running <= imbalance_min) + return 0; + + return imbalance; +-- +2.25.1 + diff --git a/queue-5.9/sched-features-fix-config_jump_label-case.patch b/queue-5.9/sched-features-fix-config_jump_label-case.patch new file mode 100644 index 00000000000..e42ad277d36 --- /dev/null +++ b/queue-5.9/sched-features-fix-config_jump_label-case.patch @@ -0,0 +1,99 @@ +From 31a33b0ad7223b365e1a4ddf6e41d492395d1e1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 07:31:14 +0200 +Subject: sched/features: Fix !CONFIG_JUMP_LABEL case + +From: Juri Lelli + +[ Upstream commit a73f863af4ce9730795eab7097fb2102e6854365 ] + +Commit: + + 765cc3a4b224e ("sched/core: Optimize sched_feat() for !CONFIG_SCHED_DEBUG builds") + +made sched features static for !CONFIG_SCHED_DEBUG configurations, but +overlooked the CONFIG_SCHED_DEBUG=y and !CONFIG_JUMP_LABEL cases. + +For the latter echoing changes to /sys/kernel/debug/sched_features has +the nasty effect of effectively changing what sched_features reports, +but without actually changing the scheduler behaviour (since different +translation units get different sysctl_sched_features). + +Fix CONFIG_SCHED_DEBUG=y and !CONFIG_JUMP_LABEL configurations by properly +restructuring ifdefs. + +Fixes: 765cc3a4b224e ("sched/core: Optimize sched_feat() for !CONFIG_SCHED_DEBUG builds") +Co-developed-by: Daniel Bristot de Oliveira +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Juri Lelli +Signed-off-by: Ingo Molnar +Acked-by: Patrick Bellasi +Reviewed-by: Valentin Schneider +Link: https://lore.kernel.org/r/20201013053114.160628-1-juri.lelli@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 +- + kernel/sched/sched.h | 13 ++++++++++--- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 2d95dc3f46444..b1e0da56abcac 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -43,7 +43,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(sched_update_nr_running_tp); + + DEFINE_PER_CPU_SHARED_ALIGNED(struct rq, runqueues); + +-#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL) ++#ifdef CONFIG_SCHED_DEBUG + /* + * Debugging: various feature bits + * +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 28709f6b0975c..8d1ca65db3b0d 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1629,7 +1629,7 @@ enum { + + #undef SCHED_FEAT + +-#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL) ++#ifdef CONFIG_SCHED_DEBUG + + /* + * To support run-time toggling of sched features, all the translation units +@@ -1637,6 +1637,7 @@ enum { + */ + extern const_debug unsigned int sysctl_sched_features; + ++#ifdef CONFIG_JUMP_LABEL + #define SCHED_FEAT(name, enabled) \ + static __always_inline bool static_branch_##name(struct static_key *key) \ + { \ +@@ -1649,7 +1650,13 @@ static __always_inline bool static_branch_##name(struct static_key *key) \ + extern struct static_key sched_feat_keys[__SCHED_FEAT_NR]; + #define sched_feat(x) (static_branch_##x(&sched_feat_keys[__SCHED_FEAT_##x])) + +-#else /* !(SCHED_DEBUG && CONFIG_JUMP_LABEL) */ ++#else /* !CONFIG_JUMP_LABEL */ ++ ++#define sched_feat(x) (sysctl_sched_features & (1UL << __SCHED_FEAT_##x)) ++ ++#endif /* CONFIG_JUMP_LABEL */ ++ ++#else /* !SCHED_DEBUG */ + + /* + * Each translation unit has its own copy of sysctl_sched_features to allow +@@ -1665,7 +1672,7 @@ static const_debug __maybe_unused unsigned int sysctl_sched_features = + + #define sched_feat(x) !!(sysctl_sched_features & (1UL << __SCHED_FEAT_##x)) + +-#endif /* SCHED_DEBUG && CONFIG_JUMP_LABEL */ ++#endif /* SCHED_DEBUG */ + + extern struct static_key_false sched_numa_balancing; + extern struct static_key_false sched_schedstats; +-- +2.25.1 + diff --git a/queue-5.9/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch b/queue-5.9/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch new file mode 100644 index 00000000000..08769a09f5d --- /dev/null +++ b/queue-5.9/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch @@ -0,0 +1,62 @@ +From 2dab265772727045ed339d1c34cd8447da09f63b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 12:13:00 +0300 +Subject: scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() + +From: Dan Carpenter + +[ Upstream commit 38b2db564d9ab7797192ef15d7aade30633ceeae ] + +The be_fill_queue() function can only fail when "eq_vaddress" is NULL and +since it's non-NULL here that means the function call can't fail. But +imagine if it could, then in that situation we would want to store the +"paddr" so that dma memory can be released. + +Link: https://lore.kernel.org/r/20200928091300.GD377727@mwanda +Fixes: bfead3b2cb46 ("[SCSI] be2iscsi: Adding msix and mcc_rings V3") +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/be2iscsi/be_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c +index 5c3513a4b450e..202ba925c4940 100644 +--- a/drivers/scsi/be2iscsi/be_main.c ++++ b/drivers/scsi/be2iscsi/be_main.c +@@ -3020,6 +3020,7 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba, + goto create_eq_error; + } + ++ mem->dma = paddr; + mem->va = eq_vaddress; + ret = be_fill_queue(eq, phba->params.num_eq_entries, + sizeof(struct be_eq_entry), eq_vaddress); +@@ -3029,7 +3030,6 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba, + goto create_eq_error; + } + +- mem->dma = paddr; + ret = beiscsi_cmd_eq_create(&phba->ctrl, eq, + BEISCSI_EQ_DELAY_DEF); + if (ret) { +@@ -3086,6 +3086,7 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba, + goto create_cq_error; + } + ++ mem->dma = paddr; + ret = be_fill_queue(cq, phba->params.num_cq_entries, + sizeof(struct sol_cqe), cq_vaddress); + if (ret) { +@@ -3095,7 +3096,6 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba, + goto create_cq_error; + } + +- mem->dma = paddr; + ret = beiscsi_cmd_cq_create(&phba->ctrl, cq, eq, false, + false, 0); + if (ret) { +-- +2.25.1 + diff --git a/queue-5.9/scsi-bfa-fix-error-return-in-bfad_pci_init.patch b/queue-5.9/scsi-bfa-fix-error-return-in-bfad_pci_init.patch new file mode 100644 index 00000000000..feaf8a795de --- /dev/null +++ b/queue-5.9/scsi-bfa-fix-error-return-in-bfad_pci_init.patch @@ -0,0 +1,35 @@ +From d6e6c1523fd21614c7b0278e504252fc0663f784 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:24:23 +0800 +Subject: scsi: bfa: Fix error return in bfad_pci_init() + +From: Jing Xiangfeng + +[ Upstream commit f0f6c3a4fcb80fcbcce4ff6739996dd98c228afd ] + +Fix to return error code -ENODEV from the error handling case instead of 0. + +Link: https://lore.kernel.org/r/20200925062423.161504-1-jingxiangfeng@huawei.com +Fixes: 11ea3824140c ("scsi: bfa: fix calls to dma_set_mask_and_coherent()") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/bfa/bfad.c b/drivers/scsi/bfa/bfad.c +index bc5d84f87d8fc..440ef32be048f 100644 +--- a/drivers/scsi/bfa/bfad.c ++++ b/drivers/scsi/bfa/bfad.c +@@ -749,6 +749,7 @@ bfad_pci_init(struct pci_dev *pdev, struct bfad_s *bfad) + + if (bfad->pci_bar0_kva == NULL) { + printk(KERN_ERR "Fail to map bar0\n"); ++ rc = -ENODEV; + goto out_release_region; + } + +-- +2.25.1 + diff --git a/queue-5.9/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch b/queue-5.9/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch new file mode 100644 index 00000000000..5e0b1331af3 --- /dev/null +++ b/queue-5.9/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch @@ -0,0 +1,38 @@ +From 65d016ef08ad32a5b76ff871c987a95082cfc896 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:31 +0800 +Subject: scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() + +From: Tianjia Zhang + +[ Upstream commit 44f4daf8678ae5f08c93bbe70792f90cd88e4649 ] + +On an error exit path, a negative error code should be returned instead of +a positive return value. + +Link: https://lore.kernel.org/r/20200802111531.5065-1-tianjia.zhang@linux.alibaba.com +Fixes: f40e74ffa3de ("csiostor:firmware upgrade fix") +Cc: Praveen Madhavan +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c +index 7fa20609d5e7f..e43c5413ce29b 100644 +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -2384,7 +2384,7 @@ static int csio_hw_prep_fw(struct csio_hw *hw, struct fw_info *fw_info, + FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c), + FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k), + FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k)); +- ret = EINVAL; ++ ret = -EINVAL; + goto bye; + } + +-- +2.25.1 + diff --git a/queue-5.9/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch b/queue-5.9/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch new file mode 100644 index 00000000000..5d48af710f1 --- /dev/null +++ b/queue-5.9/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch @@ -0,0 +1,36 @@ +From 09f95f472d2f7d6b39c47ebc0efde5027e26bbfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 16:39:49 +0800 +Subject: scsi: ibmvfc: Fix error return in ibmvfc_probe() + +From: Jing Xiangfeng + +[ Upstream commit 5e48a084f4e824e1b624d3fd7ddcf53d2ba69e53 ] + +Fix to return error code PTR_ERR() from the error handling case instead of +0. + +Link: https://lore.kernel.org/r/20200907083949.154251-1-jingxiangfeng@huawei.com +Acked-by: Tyrel Datwyler +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index ea7c8930592dc..70daa0605082d 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -4928,6 +4928,7 @@ static int ibmvfc_probe(struct vio_dev *vdev, const struct vio_device_id *id) + if (IS_ERR(vhost->work_thread)) { + dev_err(dev, "Couldn't create kernel thread: %ld\n", + PTR_ERR(vhost->work_thread)); ++ rc = PTR_ERR(vhost->work_thread); + goto free_host_mem; + } + +-- +2.25.1 + diff --git a/queue-5.9/scsi-mpt3sas-fix-sync-irqs.patch b/queue-5.9/scsi-mpt3sas-fix-sync-irqs.patch new file mode 100644 index 00000000000..675a156bc2a --- /dev/null +++ b/queue-5.9/scsi-mpt3sas-fix-sync-irqs.patch @@ -0,0 +1,60 @@ +From 425975beeadfa5621aa7089a8692afa21e15bde9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 16:21:26 +0200 +Subject: scsi: mpt3sas: Fix sync irqs + +From: Tomas Henzl + +[ Upstream commit 45181eab8ba79ed7a41b549f00500c0093828521 ] + +_base_process_reply_queue() called from _base_interrupt() may schedule a +new irq poll. Fix this by calling synchronize_irq() first. + +Also ensure that enable_irq() is called only when necessary to avoid +"Unbalanced enable for IRQ..." errors. + +Link: https://lore.kernel.org/r/20200910142126.8147-1-thenzl@redhat.com +Fixes: 320e77acb327 ("scsi: mpt3sas: Irq poll to avoid CPU hard lockups") +Acked-by: Sreekanth Reddy +Signed-off-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 8062bd99add85..e86682dc34eca 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -1809,18 +1809,22 @@ mpt3sas_base_sync_reply_irqs(struct MPT3SAS_ADAPTER *ioc) + /* TMs are on msix_index == 0 */ + if (reply_q->msix_index == 0) + continue; ++ synchronize_irq(pci_irq_vector(ioc->pdev, reply_q->msix_index)); + if (reply_q->irq_poll_scheduled) { + /* Calling irq_poll_disable will wait for any pending + * callbacks to have completed. + */ + irq_poll_disable(&reply_q->irqpoll); + irq_poll_enable(&reply_q->irqpoll); +- reply_q->irq_poll_scheduled = false; +- reply_q->irq_line_enable = true; +- enable_irq(reply_q->os_irq); +- continue; ++ /* check how the scheduled poll has ended, ++ * clean up only if necessary ++ */ ++ if (reply_q->irq_poll_scheduled) { ++ reply_q->irq_poll_scheduled = false; ++ reply_q->irq_line_enable = true; ++ enable_irq(reply_q->os_irq); ++ } + } +- synchronize_irq(pci_irq_vector(ioc->pdev, reply_q->msix_index)); + } + } + +-- +2.25.1 + diff --git a/queue-5.9/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch b/queue-5.9/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch new file mode 100644 index 00000000000..f77061bcd8d --- /dev/null +++ b/queue-5.9/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch @@ -0,0 +1,34 @@ +From 2831594a5c3968b4935c884b43c07bff7baade1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 20:38:48 +0800 +Subject: scsi: mvumi: Fix error return in mvumi_io_attach() + +From: Jing Xiangfeng + +[ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ] + +Return PTR_ERR() from the error handling case instead of 0. + +Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangfeng@huawei.com +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mvumi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c +index 8906aceda4c43..0354898d7cac1 100644 +--- a/drivers/scsi/mvumi.c ++++ b/drivers/scsi/mvumi.c +@@ -2425,6 +2425,7 @@ static int mvumi_io_attach(struct mvumi_hba *mhba) + if (IS_ERR(mhba->dm_thread)) { + dev_err(&mhba->pdev->dev, + "failed to create device scan thread\n"); ++ ret = PTR_ERR(mhba->dm_thread); + mutex_unlock(&mhba->sas_discovery_mutex); + goto fail_create_thread; + } +-- +2.25.1 + diff --git a/queue-5.9/scsi-qedf-return-success-if-stale-rport-is-encounter.patch b/queue-5.9/scsi-qedf-return-success-if-stale-rport-is-encounter.patch new file mode 100644 index 00000000000..f3c06cedbb2 --- /dev/null +++ b/queue-5.9/scsi-qedf-return-success-if-stale-rport-is-encounter.patch @@ -0,0 +1,37 @@ +From 31ac965fa2b1fd9eee3cf2d1b5b4cac2c2bdfec3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 05:14:40 -0700 +Subject: scsi: qedf: Return SUCCESS if stale rport is encountered + +From: Saurav Kashyap + +[ Upstream commit 10aff62fab263ad7661780816551420cea956ebb ] + +If SUCCESS is not returned, error handling will escalate. Return SUCCESS +similar to other conditions in this function. + +Link: https://lore.kernel.org/r/20200907121443.5150-6-jhasan@marvell.com +Signed-off-by: Saurav Kashyap +Signed-off-by: Javed Hasan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index 5ca424df355c1..bc30e3e039dd2 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -726,7 +726,7 @@ static int qedf_eh_abort(struct scsi_cmnd *sc_cmd) + rdata = fcport->rdata; + if (!rdata || !kref_get_unless_zero(&rdata->kref)) { + QEDF_ERR(&qedf->dbg_ctx, "stale rport, sc_cmd=%p\n", sc_cmd); +- rc = 1; ++ rc = SUCCESS; + goto out; + } + +-- +2.25.1 + diff --git a/queue-5.9/scsi-qedi-fix-list_del-corruption-while-removing-act.patch b/queue-5.9/scsi-qedi-fix-list_del-corruption-while-removing-act.patch new file mode 100644 index 00000000000..63ca6d7d318 --- /dev/null +++ b/queue-5.9/scsi-qedi-fix-list_del-corruption-while-removing-act.patch @@ -0,0 +1,71 @@ +From 543b9a78982affd07412420aac04b370d237cd12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 02:56:52 -0700 +Subject: scsi: qedi: Fix list_del corruption while removing active I/O + +From: Nilesh Javali + +[ Upstream commit 28b35d17f9f8573d4646dd8df08917a4076a6b63 ] + +While aborting the I/O, the firmware cleanup task timed out and driver +deleted the I/O from active command list. Some time later the firmware +sent the cleanup task response and driver again deleted the I/O from +active command list causing firmware to send completion for non-existent +I/O and list_del corruption of active command list. + +Add fix to check if I/O is present before deleting it from the active +command list to ensure firmware sends valid I/O completion and protect +against list_del corruption. + +Link: https://lore.kernel.org/r/20200908095657.26821-4-mrangankar@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_fw.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c +index b9f9f764808f9..f158fde0a43c1 100644 +--- a/drivers/scsi/qedi/qedi_fw.c ++++ b/drivers/scsi/qedi/qedi_fw.c +@@ -824,8 +824,11 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi, + qedi_clear_task_idx(qedi_conn->qedi, rtid); + + spin_lock(&qedi_conn->list_lock); +- list_del_init(&dbg_cmd->io_cmd); +- qedi_conn->active_cmd_count--; ++ if (likely(dbg_cmd->io_cmd_in_list)) { ++ dbg_cmd->io_cmd_in_list = false; ++ list_del_init(&dbg_cmd->io_cmd); ++ qedi_conn->active_cmd_count--; ++ } + spin_unlock(&qedi_conn->list_lock); + qedi_cmd->state = CLEANUP_RECV; + wake_up_interruptible(&qedi_conn->wait_queue); +@@ -1243,6 +1246,7 @@ int qedi_cleanup_all_io(struct qedi_ctx *qedi, struct qedi_conn *qedi_conn, + qedi_conn->cmd_cleanup_req++; + qedi_iscsi_cleanup_task(ctask, true); + ++ cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + QEDI_WARN(&qedi->dbg_ctx, +@@ -1454,8 +1458,11 @@ static void qedi_tmf_work(struct work_struct *work) + spin_unlock_bh(&qedi_conn->tmf_work_lock); + + spin_lock(&qedi_conn->list_lock); +- list_del_init(&cmd->io_cmd); +- qedi_conn->active_cmd_count--; ++ if (likely(cmd->io_cmd_in_list)) { ++ cmd->io_cmd_in_list = false; ++ list_del_init(&cmd->io_cmd); ++ qedi_conn->active_cmd_count--; ++ } + spin_unlock(&qedi_conn->list_lock); + + clear_bit(QEDI_CONN_FW_CLEANUP, &qedi_conn->flags); +-- +2.25.1 + diff --git a/queue-5.9/scsi-qedi-mark-all-connections-for-recovery-on-link-.patch b/queue-5.9/scsi-qedi-mark-all-connections-for-recovery-on-link-.patch new file mode 100644 index 00000000000..024596c5732 --- /dev/null +++ b/queue-5.9/scsi-qedi-mark-all-connections-for-recovery-on-link-.patch @@ -0,0 +1,56 @@ +From 0f98160c517d6e86a14b07adad23f8c541fe3e9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 02:56:55 -0700 +Subject: scsi: qedi: Mark all connections for recovery on link down event + +From: Nilesh Javali + +[ Upstream commit 4118879be3755b38171063dfd4a57611d4b20a83 ] + +For short time cable pulls, the in-flight I/O to the firmware is never +cleaned up, resulting in the behaviour of stale I/O completion causing +list_del corruption and soft lockup of the system. + +On link down event, mark all the connections for recovery, causing cleanup +of all the in-flight I/O immediately. + +Link: https://lore.kernel.org/r/20200908095657.26821-7-mrangankar@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c +index 6f038ae5efcaf..dfe24b505b402 100644 +--- a/drivers/scsi/qedi/qedi_main.c ++++ b/drivers/scsi/qedi/qedi_main.c +@@ -1127,6 +1127,15 @@ static void qedi_schedule_recovery_handler(void *dev) + schedule_delayed_work(&qedi->recovery_work, 0); + } + ++static void qedi_set_conn_recovery(struct iscsi_cls_session *cls_session) ++{ ++ struct iscsi_session *session = cls_session->dd_data; ++ struct iscsi_conn *conn = session->leadconn; ++ struct qedi_conn *qedi_conn = conn->dd_data; ++ ++ qedi_start_conn_recovery(qedi_conn->qedi, qedi_conn); ++} ++ + static void qedi_link_update(void *dev, struct qed_link_output *link) + { + struct qedi_ctx *qedi = (struct qedi_ctx *)dev; +@@ -1138,6 +1147,7 @@ static void qedi_link_update(void *dev, struct qed_link_output *link) + QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO, + "Link Down event.\n"); + atomic_set(&qedi->link_state, QEDI_LINK_DOWN); ++ iscsi_host_for_each_session(qedi->shost, qedi_set_conn_recovery); + } + } + +-- +2.25.1 + diff --git a/queue-5.9/scsi-qedi-protect-active-command-list-to-avoid-list-.patch b/queue-5.9/scsi-qedi-protect-active-command-list-to-avoid-list-.patch new file mode 100644 index 00000000000..59596d51aee --- /dev/null +++ b/queue-5.9/scsi-qedi-protect-active-command-list-to-avoid-list-.patch @@ -0,0 +1,108 @@ +From cf366526f2d26696d6ab65f260b9fdacae9a4972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 02:56:53 -0700 +Subject: scsi: qedi: Protect active command list to avoid list corruption + +From: Nilesh Javali + +[ Upstream commit c0650e28448d606c84f76c34333dba30f61de993 ] + +Protect active command list for non-I/O commands like login response, +logout response, text response, and recovery cleanup of active list to +avoid list corruption. + +Link: https://lore.kernel.org/r/20200908095657.26821-5-mrangankar@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_fw.c | 8 ++++++++ + drivers/scsi/qedi/qedi_iscsi.c | 2 ++ + 2 files changed, 10 insertions(+) + +diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c +index 6ed74583b1b9b..b9f9f764808f9 100644 +--- a/drivers/scsi/qedi/qedi_fw.c ++++ b/drivers/scsi/qedi/qedi_fw.c +@@ -59,6 +59,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi, + "Freeing tid=0x%x for cid=0x%x\n", + cmd->task_id, qedi_conn->iscsi_conn_id); + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); +@@ -69,6 +70,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi, + cmd->task_id, qedi_conn->iscsi_conn_id, + &cmd->io_cmd); + } ++ spin_unlock(&qedi_conn->list_lock); + + cmd->state = RESPONSE_RECEIVED; + qedi_clear_task_idx(qedi, cmd->task_id); +@@ -122,6 +124,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi, + "Freeing tid=0x%x for cid=0x%x\n", + cmd->task_id, qedi_conn->iscsi_conn_id); + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); +@@ -132,6 +135,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi, + cmd->task_id, qedi_conn->iscsi_conn_id, + &cmd->io_cmd); + } ++ spin_unlock(&qedi_conn->list_lock); + + cmd->state = RESPONSE_RECEIVED; + qedi_clear_task_idx(qedi, cmd->task_id); +@@ -222,11 +226,13 @@ static void qedi_process_tmf_resp(struct qedi_ctx *qedi, + + tmf_hdr = (struct iscsi_tm *)qedi_cmd->task->hdr; + ++ spin_lock(&qedi_conn->list_lock); + if (likely(qedi_cmd->io_cmd_in_list)) { + qedi_cmd->io_cmd_in_list = false; + list_del_init(&qedi_cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + + if (((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) == + ISCSI_TM_FUNC_LOGICAL_UNIT_RESET) || +@@ -288,11 +294,13 @@ static void qedi_process_login_resp(struct qedi_ctx *qedi, + ISCSI_LOGIN_RESPONSE_HDR_DATA_SEG_LEN_MASK; + qedi_conn->gen_pdu.resp_wr_ptr = qedi_conn->gen_pdu.resp_buf + pld_len; + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + + memset(task_ctx, '\0', sizeof(*task_ctx)); + +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index c14ac7882afac..10b9a986a41dc 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -975,11 +975,13 @@ static void qedi_cleanup_active_cmd_list(struct qedi_conn *qedi_conn) + { + struct qedi_cmd *cmd, *cmd_tmp; + ++ spin_lock(&qedi_conn->list_lock); + list_for_each_entry_safe(cmd, cmd_tmp, &qedi_conn->active_cmd_list, + io_cmd) { + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + } + + static void qedi_ep_disconnect(struct iscsi_endpoint *ep) +-- +2.25.1 + diff --git a/queue-5.9/scsi-qla2xxx-fix-the-size-used-in-a-dma_free_coheren.patch b/queue-5.9/scsi-qla2xxx-fix-the-size-used-in-a-dma_free_coheren.patch new file mode 100644 index 00000000000..95487fdf33d --- /dev/null +++ b/queue-5.9/scsi-qla2xxx-fix-the-size-used-in-a-dma_free_coheren.patch @@ -0,0 +1,39 @@ +From 5b38b2b1e11933b5cdeaba9f14cd124d54a20409 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 13:07:21 +0200 +Subject: scsi: qla2xxx: Fix the size used in a 'dma_free_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit 650b323c8e7c3ac4830a20895b1d444fd68dd787 ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()'. + +[mkp: removed memset() hunk that has already been addressed] + +Link: https://lore.kernel.org/r/20200802110721.677707-1-christophe.jaillet@wanadoo.fr +Fixes: 4161cee52df8 ("[SCSI] qla4xxx: Add host statistics support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_mbx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c +index 226f1428d3e52..78ad9827bbb98 100644 +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -4958,7 +4958,7 @@ qla25xx_set_els_cmds_supported(scsi_qla_host_t *vha) + "Done %s.\n", __func__); + } + +- dma_free_coherent(&ha->pdev->dev, DMA_POOL_SIZE, ++ dma_free_coherent(&ha->pdev->dev, ELS_CMD_MAP_SIZE, + els_cmd_map, els_cmd_map_dma); + + return rval; +-- +2.25.1 + diff --git a/queue-5.9/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch b/queue-5.9/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch new file mode 100644 index 00000000000..02f642c6c49 --- /dev/null +++ b/queue-5.9/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch @@ -0,0 +1,38 @@ +From 3135cbd81c76212469ca33f71b8e1297d80946e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:30 +0800 +Subject: scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() + +From: Tianjia Zhang + +[ Upstream commit ca4fb89a3d714a770e9c73c649da830f3f4a5326 ] + +On an error exit path, a negative error code should be returned instead of +a positive return value. + +Link: https://lore.kernel.org/r/20200802111530.5020-1-tianjia.zhang@linux.alibaba.com +Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine") +Cc: Quinn Tran +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_nvme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c +index 90bbc61f361b9..0ded9a778bb0d 100644 +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -683,7 +683,7 @@ int qla_nvme_register_hba(struct scsi_qla_host *vha) + struct nvme_fc_port_template *tmpl; + struct qla_hw_data *ha; + struct nvme_fc_port_info pinfo; +- int ret = EINVAL; ++ int ret = -EINVAL; + + if (!IS_ENABLED(CONFIG_NVME_FC)) + return ret; +-- +2.25.1 + diff --git a/queue-5.9/scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch b/queue-5.9/scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch new file mode 100644 index 00000000000..98730ff1ca8 --- /dev/null +++ b/queue-5.9/scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch @@ -0,0 +1,41 @@ +From bdba2430a681a8780535229adbd9fb815e4f352c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:28 +0800 +Subject: scsi: qla2xxx: Fix wrong return value in qlt_chk_unresolv_exchg() + +From: Tianjia Zhang + +[ Upstream commit bbf2d06a9d767718bfe6028d6288c03edb98554a ] + +In the case of a failed retry, a positive value EIO is returned here. I +think this is a typo error. It is necessary to return an error value. + +[mkp: caller checks != 0 but the rest of the file uses -Exxx so fix this up +to be consistent] + +Link: https://lore.kernel.org/r/20200802111528.4974-1-tianjia.zhang@linux.alibaba.com +Fixes: 0691094ff3f2 ("scsi: qla2xxx: Add logic to detect ABTS hang and response completion") +Cc: Quinn Tran +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index 2d445bdb21290..2a88e7e79bd50 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -5668,7 +5668,7 @@ static int qlt_chk_unresolv_exchg(struct scsi_qla_host *vha, + /* found existing exchange */ + qpair->retry_term_cnt++; + if (qpair->retry_term_cnt >= 5) { +- rc = EIO; ++ rc = -EIO; + qpair->retry_term_cnt = 0; + ql_log(ql_log_warn, vha, 0xffff, + "Unable to send ABTS Respond. Dumping firmware.\n"); +-- +2.25.1 + diff --git a/queue-5.9/scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch b/queue-5.9/scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch new file mode 100644 index 00000000000..b70a0a5dc24 --- /dev/null +++ b/queue-5.9/scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch @@ -0,0 +1,76 @@ +From c1542dd91b22a748a6c069c92fd7674e4f886051 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 10:15:13 +0200 +Subject: scsi: qla2xxx: Warn if done() or free() are called on an already + freed srb + +From: Daniel Wagner + +[ Upstream commit c0014f94218ea3a312f6235febea0d626c5f2154 ] + +Emit a warning when ->done or ->free are called on an already freed +srb. There is a hidden use-after-free bug in the driver which corrupts +the srb memory pool which originates from the cleanup callbacks. + +An extensive search didn't bring any lights on the real problem. The +initial fix was to set both pointers to NULL and try to catch invalid +accesses. But instead the memory corruption was gone and the driver +didn't crash. Since not all calling places check for NULL pointer, add +explicitly default handlers. With this we workaround the memory +corruption and add a debug help. + +Link: https://lore.kernel.org/r/20200908081516.8561-2-dwagner@suse.de +Reviewed-by: Martin Wilck +Reviewed-by: Arun Easi +Signed-off-by: Daniel Wagner +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 10 ++++++++++ + drivers/scsi/qla2xxx/qla_inline.h | 5 +++++ + 2 files changed, 15 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 0bd04a62af836..8d4b651e14422 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -63,6 +63,16 @@ void qla2x00_sp_free(srb_t *sp) + qla2x00_rel_sp(sp); + } + ++void qla2xxx_rel_done_warning(srb_t *sp, int res) ++{ ++ WARN_ONCE(1, "Calling done() of an already freed srb %p object\n", sp); ++} ++ ++void qla2xxx_rel_free_warning(srb_t *sp) ++{ ++ WARN_ONCE(1, "Calling free() of an already freed srb %p object\n", sp); ++} ++ + /* Asynchronous Login/Logout Routines -------------------------------------- */ + + unsigned long +diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h +index 861dc522723ce..2aa6f81f87c43 100644 +--- a/drivers/scsi/qla2xxx/qla_inline.h ++++ b/drivers/scsi/qla2xxx/qla_inline.h +@@ -207,10 +207,15 @@ qla2xxx_get_qpair_sp(scsi_qla_host_t *vha, struct qla_qpair *qpair, + return sp; + } + ++void qla2xxx_rel_done_warning(srb_t *sp, int res); ++void qla2xxx_rel_free_warning(srb_t *sp); ++ + static inline void + qla2xxx_rel_qpair_sp(struct qla_qpair *qpair, srb_t *sp) + { + sp->qpair = NULL; ++ sp->done = qla2xxx_rel_done_warning; ++ sp->free = qla2xxx_rel_free_warning; + mempool_free(sp, qpair->srb_mempool); + QLA_QPAIR_MARK_NOT_BUSY(qpair); + } +-- +2.25.1 + diff --git a/queue-5.9/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch b/queue-5.9/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch new file mode 100644 index 00000000000..c270782eb76 --- /dev/null +++ b/queue-5.9/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch @@ -0,0 +1,38 @@ +From e7a5d013462faf105a69782d69c6fb40b72736b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 12:15:27 +0200 +Subject: scsi: qla4xxx: Fix an error handling path in + 'qla4xxx_get_host_stats()' + +From: Christophe JAILLET + +[ Upstream commit 574918e69720fe62ab3eb42ec3750230c8d16b06 ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()'. + +Link: https://lore.kernel.org/r/20200802101527.676054-1-christophe.jaillet@wanadoo.fr +Fixes: 4161cee52df8 ("[SCSI] qla4xxx: Add host statistics support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 676778cbc5509..4775baac43c29 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -1254,7 +1254,7 @@ static int qla4xxx_get_host_stats(struct Scsi_Host *shost, char *buf, int len) + le64_to_cpu(ql_iscsi_stats->iscsi_sequence_error); + exit_host_stats: + if (ql_iscsi_stats) +- dma_free_coherent(&ha->pdev->dev, host_stats_size, ++ dma_free_coherent(&ha->pdev->dev, stats_size, + ql_iscsi_stats, iscsi_stats_dma); + + ql4_printk(KERN_INFO, ha, "%s: Get host stats done\n", +-- +2.25.1 + diff --git a/queue-5.9/scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch b/queue-5.9/scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch new file mode 100644 index 00000000000..89e6ee8933d --- /dev/null +++ b/queue-5.9/scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch @@ -0,0 +1,247 @@ +From e1cc4d618585daeca72bb6c61d5fee2f212b74b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 16:01:33 -0500 +Subject: scsi: smartpqi: Avoid crashing kernel for controller issues + +From: Kevin Barnett + +[ Upstream commit 9e68cccc8ef7206f0bccd590378d0dca8f9b4f57 ] + +Eliminate kernel panics when getting invalid responses from controller. +Take controller offline instead of causing kernel panics. + +Link: https://lore.kernel.org/r/159622929306.30579.16523318707596752828.stgit@brunhilda +Reviewed-by: Scott Teel +Reviewed-by: Scott Benesh +Reviewed-by: Prasad Munirathnam +Reviewed-by: Martin Wilck +Signed-off-by: Kevin Barnett +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi.h | 2 +- + drivers/scsi/smartpqi/smartpqi_init.c | 101 +++++++++++++++++--------- + 2 files changed, 68 insertions(+), 35 deletions(-) + +diff --git a/drivers/scsi/smartpqi/smartpqi.h b/drivers/scsi/smartpqi/smartpqi.h +index 1129fe7a27edd..ee069a8b442a7 100644 +--- a/drivers/scsi/smartpqi/smartpqi.h ++++ b/drivers/scsi/smartpqi/smartpqi.h +@@ -359,7 +359,7 @@ struct pqi_event_response { + struct pqi_iu_header header; + u8 event_type; + u8 reserved2 : 7; +- u8 request_acknowlege : 1; ++ u8 request_acknowledge : 1; + __le16 event_id; + __le32 additional_event_id; + union { +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index ca1e6cf6a38ef..714a3d38fc431 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -542,8 +542,7 @@ static int pqi_build_raid_path_request(struct pqi_ctrl_info *ctrl_info, + put_unaligned_be16(cdb_length, &cdb[7]); + break; + default: +- dev_err(&ctrl_info->pci_dev->dev, "unknown command 0x%c\n", +- cmd); ++ dev_err(&ctrl_info->pci_dev->dev, "unknown command 0x%c\n", cmd); + break; + } + +@@ -2462,7 +2461,6 @@ static int pqi_raid_bypass_submit_scsi_cmd(struct pqi_ctrl_info *ctrl_info, + offload_to_mirror = + (offload_to_mirror >= layout_map_count - 1) ? + 0 : offload_to_mirror + 1; +- WARN_ON(offload_to_mirror >= layout_map_count); + device->offload_to_mirror = offload_to_mirror; + /* + * Avoid direct use of device->offload_to_mirror within this +@@ -2915,10 +2913,14 @@ static int pqi_interpret_task_management_response( + return rc; + } + +-static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, +- struct pqi_queue_group *queue_group) ++static inline void pqi_invalid_response(struct pqi_ctrl_info *ctrl_info) ++{ ++ pqi_take_ctrl_offline(ctrl_info); ++} ++ ++static int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, struct pqi_queue_group *queue_group) + { +- unsigned int num_responses; ++ int num_responses; + pqi_index_t oq_pi; + pqi_index_t oq_ci; + struct pqi_io_request *io_request; +@@ -2930,6 +2932,13 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, + + while (1) { + oq_pi = readl(queue_group->oq_pi); ++ if (oq_pi >= ctrl_info->num_elements_per_oq) { ++ pqi_invalid_response(ctrl_info); ++ dev_err(&ctrl_info->pci_dev->dev, ++ "I/O interrupt: producer index (%u) out of range (0-%u): consumer index: %u\n", ++ oq_pi, ctrl_info->num_elements_per_oq - 1, oq_ci); ++ return -1; ++ } + if (oq_pi == oq_ci) + break; + +@@ -2938,10 +2947,22 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, + (oq_ci * PQI_OPERATIONAL_OQ_ELEMENT_LENGTH); + + request_id = get_unaligned_le16(&response->request_id); +- WARN_ON(request_id >= ctrl_info->max_io_slots); ++ if (request_id >= ctrl_info->max_io_slots) { ++ pqi_invalid_response(ctrl_info); ++ dev_err(&ctrl_info->pci_dev->dev, ++ "request ID in response (%u) out of range (0-%u): producer index: %u consumer index: %u\n", ++ request_id, ctrl_info->max_io_slots - 1, oq_pi, oq_ci); ++ return -1; ++ } + + io_request = &ctrl_info->io_request_pool[request_id]; +- WARN_ON(atomic_read(&io_request->refcount) == 0); ++ if (atomic_read(&io_request->refcount) == 0) { ++ pqi_invalid_response(ctrl_info); ++ dev_err(&ctrl_info->pci_dev->dev, ++ "request ID in response (%u) does not match an outstanding I/O request: producer index: %u consumer index: %u\n", ++ request_id, oq_pi, oq_ci); ++ return -1; ++ } + + switch (response->header.iu_type) { + case PQI_RESPONSE_IU_RAID_PATH_IO_SUCCESS: +@@ -2971,24 +2992,22 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, + io_request->error_info = ctrl_info->error_buffer + + (get_unaligned_le16(&response->error_index) * + PQI_ERROR_BUFFER_ELEMENT_LENGTH); +- pqi_process_io_error(response->header.iu_type, +- io_request); ++ pqi_process_io_error(response->header.iu_type, io_request); + break; + default: ++ pqi_invalid_response(ctrl_info); + dev_err(&ctrl_info->pci_dev->dev, +- "unexpected IU type: 0x%x\n", +- response->header.iu_type); +- break; ++ "unexpected IU type: 0x%x: producer index: %u consumer index: %u\n", ++ response->header.iu_type, oq_pi, oq_ci); ++ return -1; + } + +- io_request->io_complete_callback(io_request, +- io_request->context); ++ io_request->io_complete_callback(io_request, io_request->context); + + /* + * Note that the I/O request structure CANNOT BE TOUCHED after + * returning from the I/O completion callback! + */ +- + oq_ci = (oq_ci + 1) % ctrl_info->num_elements_per_oq; + } + +@@ -3300,9 +3319,9 @@ static void pqi_ofa_capture_event_payload(struct pqi_event *event, + } + } + +-static unsigned int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info) ++static int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info) + { +- unsigned int num_events; ++ int num_events; + pqi_index_t oq_pi; + pqi_index_t oq_ci; + struct pqi_event_queue *event_queue; +@@ -3316,26 +3335,31 @@ static unsigned int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info) + + while (1) { + oq_pi = readl(event_queue->oq_pi); ++ if (oq_pi >= PQI_NUM_EVENT_QUEUE_ELEMENTS) { ++ pqi_invalid_response(ctrl_info); ++ dev_err(&ctrl_info->pci_dev->dev, ++ "event interrupt: producer index (%u) out of range (0-%u): consumer index: %u\n", ++ oq_pi, PQI_NUM_EVENT_QUEUE_ELEMENTS - 1, oq_ci); ++ return -1; ++ } ++ + if (oq_pi == oq_ci) + break; + + num_events++; +- response = event_queue->oq_element_array + +- (oq_ci * PQI_EVENT_OQ_ELEMENT_LENGTH); ++ response = event_queue->oq_element_array + (oq_ci * PQI_EVENT_OQ_ELEMENT_LENGTH); + + event_index = + pqi_event_type_to_event_index(response->event_type); + +- if (event_index >= 0) { +- if (response->request_acknowlege) { +- event = &ctrl_info->events[event_index]; +- event->pending = true; +- event->event_type = response->event_type; +- event->event_id = response->event_id; +- event->additional_event_id = +- response->additional_event_id; ++ if (event_index >= 0 && response->request_acknowledge) { ++ event = &ctrl_info->events[event_index]; ++ event->pending = true; ++ event->event_type = response->event_type; ++ event->event_id = response->event_id; ++ event->additional_event_id = response->additional_event_id; ++ if (event->event_type == PQI_EVENT_TYPE_OFA) + pqi_ofa_capture_event_payload(event, response); +- } + } + + oq_ci = (oq_ci + 1) % PQI_NUM_EVENT_QUEUE_ELEMENTS; +@@ -3450,7 +3474,8 @@ static irqreturn_t pqi_irq_handler(int irq, void *data) + { + struct pqi_ctrl_info *ctrl_info; + struct pqi_queue_group *queue_group; +- unsigned int num_responses_handled; ++ int num_io_responses_handled; ++ int num_events_handled; + + queue_group = data; + ctrl_info = queue_group->ctrl_info; +@@ -3458,17 +3483,25 @@ static irqreturn_t pqi_irq_handler(int irq, void *data) + if (!pqi_is_valid_irq(ctrl_info)) + return IRQ_NONE; + +- num_responses_handled = pqi_process_io_intr(ctrl_info, queue_group); ++ num_io_responses_handled = pqi_process_io_intr(ctrl_info, queue_group); ++ if (num_io_responses_handled < 0) ++ goto out; + +- if (irq == ctrl_info->event_irq) +- num_responses_handled += pqi_process_event_intr(ctrl_info); ++ if (irq == ctrl_info->event_irq) { ++ num_events_handled = pqi_process_event_intr(ctrl_info); ++ if (num_events_handled < 0) ++ goto out; ++ } else { ++ num_events_handled = 0; ++ } + +- if (num_responses_handled) ++ if (num_io_responses_handled + num_events_handled > 0) + atomic_inc(&ctrl_info->num_interrupts); + + pqi_start_io(ctrl_info, queue_group, RAID_PATH, NULL); + pqi_start_io(ctrl_info, queue_group, AIO_PATH, NULL); + ++out: + return IRQ_HANDLED; + } + +-- +2.25.1 + diff --git a/queue-5.9/scsi-target-core-add-control-field-for-trace-events.patch b/queue-5.9/scsi-target-core-add-control-field-for-trace-events.patch new file mode 100644 index 00000000000..8750e29393f --- /dev/null +++ b/queue-5.9/scsi-target-core-add-control-field-for-trace-events.patch @@ -0,0 +1,113 @@ +From 50cf6be51187ba263312c94f6c07d6485ad0034b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 15:59:57 +0300 +Subject: scsi: target: core: Add CONTROL field for trace events + +From: Roman Bolshakov + +[ Upstream commit 7010645ba7256992818b518163f46bd4cdf8002a ] + +trace-cmd report doesn't show events from target subsystem because +scsi_command_size() leaks through event format string: + + [target:target_sequencer_start] function scsi_command_size not defined + [target:target_cmd_complete] function scsi_command_size not defined + +Addition of scsi_command_size() to plugin_scsi.c in trace-cmd doesn't +help because an expression is used inside TP_printk(). trace-cmd event +parser doesn't understand minus sign inside [ ]: + + Error: expected ']' but read '-' + +Rather than duplicating kernel code in plugin_scsi.c, provide a dedicated +field for CONTROL byte. + +Link: https://lore.kernel.org/r/20200929125957.83069-1-r.bolshakov@yadro.com +Reviewed-by: Mike Christie +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + include/scsi/scsi_common.h | 7 +++++++ + include/trace/events/target.h | 12 ++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/scsi/scsi_common.h b/include/scsi/scsi_common.h +index 731ac09ed2313..5b567b43e1b16 100644 +--- a/include/scsi/scsi_common.h ++++ b/include/scsi/scsi_common.h +@@ -25,6 +25,13 @@ scsi_command_size(const unsigned char *cmnd) + scsi_varlen_cdb_length(cmnd) : COMMAND_SIZE(cmnd[0]); + } + ++static inline unsigned char ++scsi_command_control(const unsigned char *cmnd) ++{ ++ return (cmnd[0] == VARIABLE_LENGTH_CMD) ? ++ cmnd[1] : cmnd[COMMAND_SIZE(cmnd[0]) - 1]; ++} ++ + /* Returns a human-readable name for the device */ + extern const char *scsi_device_type(unsigned type); + +diff --git a/include/trace/events/target.h b/include/trace/events/target.h +index 77408edd29d2a..67fad2677ed55 100644 +--- a/include/trace/events/target.h ++++ b/include/trace/events/target.h +@@ -141,6 +141,7 @@ TRACE_EVENT(target_sequencer_start, + __field( unsigned int, opcode ) + __field( unsigned int, data_length ) + __field( unsigned int, task_attribute ) ++ __field( unsigned char, control ) + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE ) + __string( initiator, cmd->se_sess->se_node_acl->initiatorname ) + ), +@@ -151,6 +152,7 @@ TRACE_EVENT(target_sequencer_start, + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; ++ __entry->control = scsi_command_control(cmd->t_task_cdb); + memcpy(__entry->cdb, cmd->t_task_cdb, TCM_MAX_COMMAND_SIZE); + __assign_str(initiator, cmd->se_sess->se_node_acl->initiatorname); + ), +@@ -160,9 +162,7 @@ TRACE_EVENT(target_sequencer_start, + __entry->tag, show_opcode_name(__entry->opcode), + __entry->data_length, __print_hex(__entry->cdb, 16), + show_task_attribute_name(__entry->task_attribute), +- scsi_command_size(__entry->cdb) <= 16 ? +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] : +- __entry->cdb[1] ++ __entry->control + ) + ); + +@@ -178,6 +178,7 @@ TRACE_EVENT(target_cmd_complete, + __field( unsigned int, opcode ) + __field( unsigned int, data_length ) + __field( unsigned int, task_attribute ) ++ __field( unsigned char, control ) + __field( unsigned char, scsi_status ) + __field( unsigned char, sense_length ) + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE ) +@@ -191,6 +192,7 @@ TRACE_EVENT(target_cmd_complete, + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; ++ __entry->control = scsi_command_control(cmd->t_task_cdb); + __entry->scsi_status = cmd->scsi_status; + __entry->sense_length = cmd->scsi_status == SAM_STAT_CHECK_CONDITION ? + min(18, ((u8 *) cmd->sense_buffer)[SPC_ADD_SENSE_LEN_OFFSET] + 8) : 0; +@@ -208,9 +210,7 @@ TRACE_EVENT(target_cmd_complete, + show_opcode_name(__entry->opcode), + __entry->data_length, __print_hex(__entry->cdb, 16), + show_task_attribute_name(__entry->task_attribute), +- scsi_command_size(__entry->cdb) <= 16 ? +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] : +- __entry->cdb[1] ++ __entry->control + ) + ); + +-- +2.25.1 + diff --git a/queue-5.9/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch b/queue-5.9/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch new file mode 100644 index 00000000000..294d5a094cb --- /dev/null +++ b/queue-5.9/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch @@ -0,0 +1,39 @@ +From e03a5e6bbd322f5bf44804f016e5efa1c4e4134c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 17:19:20 -0700 +Subject: scsi: target: tcmu: Fix warning: 'page' may be used uninitialized + +From: John Donnelly + +[ Upstream commit 61741d8699e1fc764a309ebd20211bb1cb193110 ] + +Corrects drivers/target/target_core_user.c:688:6: warning: 'page' may be +used uninitialized. + +Link: https://lore.kernel.org/r/20200924001920.43594-1-john.p.donnelly@oracle.com +Fixes: 3c58f737231e ("scsi: target: tcmu: Optimize use of flush_dcache_page") +Cc: Mike Christie +Acked-by: Mike Christie +Signed-off-by: John Donnelly +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 9b75923505020..86b28117787ec 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -681,7 +681,7 @@ static void scatter_data_area(struct tcmu_dev *udev, + void *from, *to = NULL; + size_t copy_bytes, to_offset, offset; + struct scatterlist *sg; +- struct page *page; ++ struct page *page = NULL; + + for_each_sg(data_sg, sg, data_nents, i) { + int sg_remaining = sg->length; +-- +2.25.1 + diff --git a/queue-5.9/scsi-ufs-make-ufshcd_print_trs-consider-ufshcd_quirk.patch b/queue-5.9/scsi-ufs-make-ufshcd_print_trs-consider-ufshcd_quirk.patch new file mode 100644 index 00000000000..042178f1a5b --- /dev/null +++ b/queue-5.9/scsi-ufs-make-ufshcd_print_trs-consider-ufshcd_quirk.patch @@ -0,0 +1,45 @@ +From 432b9a7e726cb3521c8ee3f007a3d6521a009b53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 19:10:40 -0700 +Subject: scsi: ufs: Make ufshcd_print_trs() consider + UFSHCD_QUIRK_PRDT_BYTE_GRAN + +From: Eric Biggers + +[ Upstream commit cc770ce34aeeff21991f162f0db1a758ea672727 ] + +Fix ufshcd_print_trs() to consider UFSHCD_QUIRK_PRDT_BYTE_GRAN when using +utp_transfer_req_desc::prd_table_length, so that it doesn't treat the +number of bytes as the number of entries. + +Originally from Kiwoong Kim +(https://lkml.kernel.org/r/20200218233115.8185-1-kwmad.kim@samsung.com). + +Link: https://lore.kernel.org/r/20200826021040.152148-1-ebiggers@kernel.org +Fixes: 26f968d7de82 ("scsi: ufs: Introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk") +Cc: Alim Akhtar +Cc: Kiwoong Kim +Signed-off-by: Eric Biggers +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 1d157ff58d817..316b861305eae 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -474,6 +474,9 @@ void ufshcd_print_trs(struct ufs_hba *hba, unsigned long bitmap, bool pr_prdt) + + prdt_length = le16_to_cpu( + lrbp->utr_descriptor_ptr->prd_table_length); ++ if (hba->quirks & UFSHCD_QUIRK_PRDT_BYTE_GRAN) ++ prdt_length /= sizeof(struct ufshcd_sg_entry); ++ + dev_err(hba->dev, + "UPIU[%d] - PRDT - %d entries phys@0x%llx\n", + tag, prdt_length, +-- +2.25.1 + diff --git a/queue-5.9/scsi-ufs-ufs-mediatek-eliminate-error-message-for-un.patch b/queue-5.9/scsi-ufs-ufs-mediatek-eliminate-error-message-for-un.patch new file mode 100644 index 00000000000..cec04f40dde --- /dev/null +++ b/queue-5.9/scsi-ufs-ufs-mediatek-eliminate-error-message-for-un.patch @@ -0,0 +1,40 @@ +From a359eec19c5a7201d8619df17ff4a462e6fa6a44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 14:45:04 +0800 +Subject: scsi: ufs: ufs-mediatek: Eliminate error message for unbound mphy + +From: Stanley Chu + +[ Upstream commit 30a90782c105fe498df74161392aa143796b6886 ] + +Some MediaTek platforms does not have to bind MPHY so users shall not see +any unnecessary logs. Simply remove logs for this case. + +Link: https://lore.kernel.org/r/20200908064507.30774-2-stanley.chu@mediatek.com +Fixes: fc4983018fea ("scsi: ufs-mediatek: Allow unbound mphy") +Signed-off-by: Stanley Chu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-mediatek.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufs-mediatek.c b/drivers/scsi/ufs/ufs-mediatek.c +index 1755dd6b04aec..0a50b95315f8f 100644 +--- a/drivers/scsi/ufs/ufs-mediatek.c ++++ b/drivers/scsi/ufs/ufs-mediatek.c +@@ -129,7 +129,10 @@ static int ufs_mtk_bind_mphy(struct ufs_hba *hba) + __func__, err); + } else if (IS_ERR(host->mphy)) { + err = PTR_ERR(host->mphy); +- dev_info(dev, "%s: PHY get failed %d\n", __func__, err); ++ if (err != -ENODEV) { ++ dev_info(dev, "%s: PHY get failed %d\n", __func__, ++ err); ++ } + } + + if (err) +-- +2.25.1 + diff --git a/queue-5.9/scsi-ufs-ufs-mediatek-fix-host_pa_tactivate-quirk.patch b/queue-5.9/scsi-ufs-ufs-mediatek-fix-host_pa_tactivate-quirk.patch new file mode 100644 index 00000000000..5aa89db2c57 --- /dev/null +++ b/queue-5.9/scsi-ufs-ufs-mediatek-fix-host_pa_tactivate-quirk.patch @@ -0,0 +1,42 @@ +From 9e96471991df646f7561614ebb3f2ea71650405d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 14:45:05 +0800 +Subject: scsi: ufs: ufs-mediatek: Fix HOST_PA_TACTIVATE quirk + +From: Stanley Chu + +[ Upstream commit a3e40b80dc951057033dce86f0e675b2b822b513 ] + +Simply add HOST_PA_TACTIVATE quirk back since it was incorrectly removed +before. + +Link: https://lore.kernel.org/r/20200908064507.30774-3-stanley.chu@mediatek.com +Fixes: 47d054580a75 ("scsi: ufs-mediatek: fix HOST_PA_TACTIVATE quirk for Samsung UFS Devices") +Signed-off-by: Stanley Chu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-mediatek.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/scsi/ufs/ufs-mediatek.c b/drivers/scsi/ufs/ufs-mediatek.c +index 0a50b95315f8f..6b661135c03b5 100644 +--- a/drivers/scsi/ufs/ufs-mediatek.c ++++ b/drivers/scsi/ufs/ufs-mediatek.c +@@ -672,13 +672,7 @@ static int ufs_mtk_apply_dev_quirks(struct ufs_hba *hba) + + static void ufs_mtk_fixup_dev_quirks(struct ufs_hba *hba) + { +- struct ufs_dev_info *dev_info = &hba->dev_info; +- u16 mid = dev_info->wmanufacturerid; +- + ufshcd_fixup_dev_quirks(hba, ufs_mtk_dev_fixups); +- +- if (mid == UFS_VENDOR_SAMSUNG) +- hba->dev_quirks &= ~UFS_DEVICE_QUIRK_HOST_PA_TACTIVATE; + } + + /** +-- +2.25.1 + diff --git a/queue-5.9/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch b/queue-5.9/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch new file mode 100644 index 00000000000..67e5fbb542e --- /dev/null +++ b/queue-5.9/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch @@ -0,0 +1,53 @@ +From 48af0fb683ca19ae12c81bada906415e72e750df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 05:15:48 -0700 +Subject: scsi: ufs: ufs-qcom: Fix race conditions caused by + ufs_qcom_testbus_config() + +From: Can Guo + +[ Upstream commit 89dd87acd40a44de8ff3358138aedf8f73f4efc6 ] + +If ufs_qcom_dump_dbg_regs() calls ufs_qcom_testbus_config() from +ufshcd_suspend/resume and/or clk gate/ungate context, pm_runtime_get_sync() +and ufshcd_hold() will cause a race condition. Fix this by removing the +unnecessary calls of pm_runtime_get_sync() and ufshcd_hold(). + +Link: https://lore.kernel.org/r/1596975355-39813-3-git-send-email-cang@codeaurora.org +Reviewed-by: Hongwu Su +Reviewed-by: Avri Altman +Reviewed-by: Bean Huo +Reviewed-by: Asutosh Das +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-qcom.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c +index d0d75527830e9..823eccfdd00af 100644 +--- a/drivers/scsi/ufs/ufs-qcom.c ++++ b/drivers/scsi/ufs/ufs-qcom.c +@@ -1614,9 +1614,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host) + */ + } + mask <<= offset; +- +- pm_runtime_get_sync(host->hba->dev); +- ufshcd_hold(host->hba, false); + ufshcd_rmwl(host->hba, TEST_BUS_SEL, + (u32)host->testbus.select_major << 19, + REG_UFS_CFG1); +@@ -1629,8 +1626,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host) + * committed before returning. + */ + mb(); +- ufshcd_release(host->hba); +- pm_runtime_put_sync(host->hba->dev); + + return 0; + } +-- +2.25.1 + diff --git a/queue-5.9/selftests-bpf-fix-endianness-issue-in-sk_assign.patch b/queue-5.9/selftests-bpf-fix-endianness-issue-in-sk_assign.patch new file mode 100644 index 00000000000..1c759594a7a --- /dev/null +++ b/queue-5.9/selftests-bpf-fix-endianness-issue-in-sk_assign.patch @@ -0,0 +1,41 @@ +From 7bd5fc5895d906abc36c5cf1cf3c531ddff1dce0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 13:38:15 +0200 +Subject: selftests/bpf: Fix endianness issue in sk_assign + +From: Ilya Leoshkevich + +[ Upstream commit b6ed6cf4a3acdeab9aed8e0a524850761ec9b152 ] + +server_map's value size is 8, but the test tries to put an int there. +This sort of works on x86 (unless followed by non-0), but hard fails on +s390. + +Fix by using __s64 instead of int. + +Fixes: 2d7824ffd25c ("selftests: bpf: Add test for sk_assign") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20200915113815.3768217-1-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/sk_assign.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/sk_assign.c b/tools/testing/selftests/bpf/prog_tests/sk_assign.c +index 47fa04adc1471..21c2d265c3e8e 100644 +--- a/tools/testing/selftests/bpf/prog_tests/sk_assign.c ++++ b/tools/testing/selftests/bpf/prog_tests/sk_assign.c +@@ -265,7 +265,7 @@ void test_sk_assign(void) + TEST("ipv6 udp port redir", AF_INET6, SOCK_DGRAM, false), + TEST("ipv6 udp addr redir", AF_INET6, SOCK_DGRAM, true), + }; +- int server = -1; ++ __s64 server = -1; + int server_map; + int self_net; + +-- +2.25.1 + diff --git a/queue-5.9/selftests-bpf-fix-endianness-issue-in-test_sockopt_s.patch b/queue-5.9/selftests-bpf-fix-endianness-issue-in-test_sockopt_s.patch new file mode 100644 index 00000000000..065b20e53fa --- /dev/null +++ b/queue-5.9/selftests-bpf-fix-endianness-issue-in-test_sockopt_s.patch @@ -0,0 +1,43 @@ +From 7e104cede32f594027afc0bc80872c9df4e32af9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 13:39:28 +0200 +Subject: selftests/bpf: Fix endianness issue in test_sockopt_sk + +From: Ilya Leoshkevich + +[ Upstream commit fec47bbc10b243690f5d0ee484a0bbdee273e71b ] + +getsetsockopt() calls getsockopt() with optlen == 1, but then checks +the resulting int. It is ok on little endian, but not on big endian. + +Fix by checking char instead. + +Fixes: 8a027dc0d8f5 ("selftests/bpf: add sockopt test that exercises sk helpers") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20200915113928.3768496-1-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/sockopt_sk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c +index 5f54c6aec7f07..b25c9c45c1484 100644 +--- a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c ++++ b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c +@@ -45,9 +45,9 @@ static int getsetsockopt(void) + goto err; + } + +- if (*(int *)big_buf != 0x08) { ++ if (*big_buf != 0x08) { + log_err("Unexpected getsockopt(IP_TOS) optval 0x%x != 0x08", +- *(int *)big_buf); ++ (int)*big_buf); + goto err; + } + +-- +2.25.1 + diff --git a/queue-5.9/selftests-bpf-fix-endianness-issues-in-sk_lookup-ctx.patch b/queue-5.9/selftests-bpf-fix-endianness-issues-in-sk_lookup-ctx.patch new file mode 100644 index 00000000000..2123b1c6aa8 --- /dev/null +++ b/queue-5.9/selftests-bpf-fix-endianness-issues-in-sk_lookup-ctx.patch @@ -0,0 +1,311 @@ +From 2995fe6c567f8b7687bf4bcafa0f201354488337 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 22:18:14 +0200 +Subject: selftests/bpf: Fix endianness issues in sk_lookup/ctx_narrow_access + +From: Ilya Leoshkevich + +[ Upstream commit 6458bde368cee77e798d05cccd2316db4d748c41 ] + +This test makes a lot of narrow load checks while assuming little +endian architecture, and therefore fails on s390. + +Fix by introducing LSB and LSW macros and using them to perform narrow +loads. + +Fixes: 0ab5539f8584 ("selftests/bpf: Tests for BPF_SK_LOOKUP attach point") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200929201814.44360-1-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/progs/test_sk_lookup.c | 216 ++++++++---------- + 1 file changed, 101 insertions(+), 115 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_sk_lookup.c b/tools/testing/selftests/bpf/progs/test_sk_lookup.c +index bbf8296f4d663..1032b292af5b7 100644 +--- a/tools/testing/selftests/bpf/progs/test_sk_lookup.c ++++ b/tools/testing/selftests/bpf/progs/test_sk_lookup.c +@@ -19,6 +19,17 @@ + #define IP6(aaaa, bbbb, cccc, dddd) \ + { bpf_htonl(aaaa), bpf_htonl(bbbb), bpf_htonl(cccc), bpf_htonl(dddd) } + ++/* Macros for least-significant byte and word accesses. */ ++#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ ++#define LSE_INDEX(index, size) (index) ++#else ++#define LSE_INDEX(index, size) ((size) - (index) - 1) ++#endif ++#define LSB(value, index) \ ++ (((__u8 *)&(value))[LSE_INDEX((index), sizeof(value))]) ++#define LSW(value, index) \ ++ (((__u16 *)&(value))[LSE_INDEX((index), sizeof(value) / 2)]) ++ + #define MAX_SOCKS 32 + + struct { +@@ -369,171 +380,146 @@ int ctx_narrow_access(struct bpf_sk_lookup *ctx) + { + struct bpf_sock *sk; + int err, family; +- __u16 *half; +- __u8 *byte; + bool v4; + + v4 = (ctx->family == AF_INET); + + /* Narrow loads from family field */ +- byte = (__u8 *)&ctx->family; +- half = (__u16 *)&ctx->family; +- if (byte[0] != (v4 ? AF_INET : AF_INET6) || +- byte[1] != 0 || byte[2] != 0 || byte[3] != 0) ++ if (LSB(ctx->family, 0) != (v4 ? AF_INET : AF_INET6) || ++ LSB(ctx->family, 1) != 0 || LSB(ctx->family, 2) != 0 || LSB(ctx->family, 3) != 0) + return SK_DROP; +- if (half[0] != (v4 ? AF_INET : AF_INET6)) ++ if (LSW(ctx->family, 0) != (v4 ? AF_INET : AF_INET6)) + return SK_DROP; + +- byte = (__u8 *)&ctx->protocol; +- if (byte[0] != IPPROTO_TCP || +- byte[1] != 0 || byte[2] != 0 || byte[3] != 0) ++ /* Narrow loads from protocol field */ ++ if (LSB(ctx->protocol, 0) != IPPROTO_TCP || ++ LSB(ctx->protocol, 1) != 0 || LSB(ctx->protocol, 2) != 0 || LSB(ctx->protocol, 3) != 0) + return SK_DROP; +- half = (__u16 *)&ctx->protocol; +- if (half[0] != IPPROTO_TCP) ++ if (LSW(ctx->protocol, 0) != IPPROTO_TCP) + return SK_DROP; + + /* Narrow loads from remote_port field. Expect non-0 value. */ +- byte = (__u8 *)&ctx->remote_port; +- if (byte[0] == 0 && byte[1] == 0 && byte[2] == 0 && byte[3] == 0) ++ if (LSB(ctx->remote_port, 0) == 0 && LSB(ctx->remote_port, 1) == 0 && ++ LSB(ctx->remote_port, 2) == 0 && LSB(ctx->remote_port, 3) == 0) + return SK_DROP; +- half = (__u16 *)&ctx->remote_port; +- if (half[0] == 0) ++ if (LSW(ctx->remote_port, 0) == 0) + return SK_DROP; + + /* Narrow loads from local_port field. Expect DST_PORT. */ +- byte = (__u8 *)&ctx->local_port; +- if (byte[0] != ((DST_PORT >> 0) & 0xff) || +- byte[1] != ((DST_PORT >> 8) & 0xff) || +- byte[2] != 0 || byte[3] != 0) ++ if (LSB(ctx->local_port, 0) != ((DST_PORT >> 0) & 0xff) || ++ LSB(ctx->local_port, 1) != ((DST_PORT >> 8) & 0xff) || ++ LSB(ctx->local_port, 2) != 0 || LSB(ctx->local_port, 3) != 0) + return SK_DROP; +- half = (__u16 *)&ctx->local_port; +- if (half[0] != DST_PORT) ++ if (LSW(ctx->local_port, 0) != DST_PORT) + return SK_DROP; + + /* Narrow loads from IPv4 fields */ + if (v4) { + /* Expect non-0.0.0.0 in remote_ip4 */ +- byte = (__u8 *)&ctx->remote_ip4; +- if (byte[0] == 0 && byte[1] == 0 && +- byte[2] == 0 && byte[3] == 0) ++ if (LSB(ctx->remote_ip4, 0) == 0 && LSB(ctx->remote_ip4, 1) == 0 && ++ LSB(ctx->remote_ip4, 2) == 0 && LSB(ctx->remote_ip4, 3) == 0) + return SK_DROP; +- half = (__u16 *)&ctx->remote_ip4; +- if (half[0] == 0 && half[1] == 0) ++ if (LSW(ctx->remote_ip4, 0) == 0 && LSW(ctx->remote_ip4, 1) == 0) + return SK_DROP; + + /* Expect DST_IP4 in local_ip4 */ +- byte = (__u8 *)&ctx->local_ip4; +- if (byte[0] != ((DST_IP4 >> 0) & 0xff) || +- byte[1] != ((DST_IP4 >> 8) & 0xff) || +- byte[2] != ((DST_IP4 >> 16) & 0xff) || +- byte[3] != ((DST_IP4 >> 24) & 0xff)) ++ if (LSB(ctx->local_ip4, 0) != ((DST_IP4 >> 0) & 0xff) || ++ LSB(ctx->local_ip4, 1) != ((DST_IP4 >> 8) & 0xff) || ++ LSB(ctx->local_ip4, 2) != ((DST_IP4 >> 16) & 0xff) || ++ LSB(ctx->local_ip4, 3) != ((DST_IP4 >> 24) & 0xff)) + return SK_DROP; +- half = (__u16 *)&ctx->local_ip4; +- if (half[0] != ((DST_IP4 >> 0) & 0xffff) || +- half[1] != ((DST_IP4 >> 16) & 0xffff)) ++ if (LSW(ctx->local_ip4, 0) != ((DST_IP4 >> 0) & 0xffff) || ++ LSW(ctx->local_ip4, 1) != ((DST_IP4 >> 16) & 0xffff)) + return SK_DROP; + } else { + /* Expect 0.0.0.0 IPs when family != AF_INET */ +- byte = (__u8 *)&ctx->remote_ip4; +- if (byte[0] != 0 || byte[1] != 0 && +- byte[2] != 0 || byte[3] != 0) ++ if (LSB(ctx->remote_ip4, 0) != 0 || LSB(ctx->remote_ip4, 1) != 0 || ++ LSB(ctx->remote_ip4, 2) != 0 || LSB(ctx->remote_ip4, 3) != 0) + return SK_DROP; +- half = (__u16 *)&ctx->remote_ip4; +- if (half[0] != 0 || half[1] != 0) ++ if (LSW(ctx->remote_ip4, 0) != 0 || LSW(ctx->remote_ip4, 1) != 0) + return SK_DROP; + +- byte = (__u8 *)&ctx->local_ip4; +- if (byte[0] != 0 || byte[1] != 0 && +- byte[2] != 0 || byte[3] != 0) ++ if (LSB(ctx->local_ip4, 0) != 0 || LSB(ctx->local_ip4, 1) != 0 || ++ LSB(ctx->local_ip4, 2) != 0 || LSB(ctx->local_ip4, 3) != 0) + return SK_DROP; +- half = (__u16 *)&ctx->local_ip4; +- if (half[0] != 0 || half[1] != 0) ++ if (LSW(ctx->local_ip4, 0) != 0 || LSW(ctx->local_ip4, 1) != 0) + return SK_DROP; + } + + /* Narrow loads from IPv6 fields */ + if (!v4) { +- /* Expenct non-:: IP in remote_ip6 */ +- byte = (__u8 *)&ctx->remote_ip6; +- if (byte[0] == 0 && byte[1] == 0 && +- byte[2] == 0 && byte[3] == 0 && +- byte[4] == 0 && byte[5] == 0 && +- byte[6] == 0 && byte[7] == 0 && +- byte[8] == 0 && byte[9] == 0 && +- byte[10] == 0 && byte[11] == 0 && +- byte[12] == 0 && byte[13] == 0 && +- byte[14] == 0 && byte[15] == 0) ++ /* Expect non-:: IP in remote_ip6 */ ++ if (LSB(ctx->remote_ip6[0], 0) == 0 && LSB(ctx->remote_ip6[0], 1) == 0 && ++ LSB(ctx->remote_ip6[0], 2) == 0 && LSB(ctx->remote_ip6[0], 3) == 0 && ++ LSB(ctx->remote_ip6[1], 0) == 0 && LSB(ctx->remote_ip6[1], 1) == 0 && ++ LSB(ctx->remote_ip6[1], 2) == 0 && LSB(ctx->remote_ip6[1], 3) == 0 && ++ LSB(ctx->remote_ip6[2], 0) == 0 && LSB(ctx->remote_ip6[2], 1) == 0 && ++ LSB(ctx->remote_ip6[2], 2) == 0 && LSB(ctx->remote_ip6[2], 3) == 0 && ++ LSB(ctx->remote_ip6[3], 0) == 0 && LSB(ctx->remote_ip6[3], 1) == 0 && ++ LSB(ctx->remote_ip6[3], 2) == 0 && LSB(ctx->remote_ip6[3], 3) == 0) + return SK_DROP; +- half = (__u16 *)&ctx->remote_ip6; +- if (half[0] == 0 && half[1] == 0 && +- half[2] == 0 && half[3] == 0 && +- half[4] == 0 && half[5] == 0 && +- half[6] == 0 && half[7] == 0) ++ if (LSW(ctx->remote_ip6[0], 0) == 0 && LSW(ctx->remote_ip6[0], 1) == 0 && ++ LSW(ctx->remote_ip6[1], 0) == 0 && LSW(ctx->remote_ip6[1], 1) == 0 && ++ LSW(ctx->remote_ip6[2], 0) == 0 && LSW(ctx->remote_ip6[2], 1) == 0 && ++ LSW(ctx->remote_ip6[3], 0) == 0 && LSW(ctx->remote_ip6[3], 1) == 0) + return SK_DROP; +- + /* Expect DST_IP6 in local_ip6 */ +- byte = (__u8 *)&ctx->local_ip6; +- if (byte[0] != ((DST_IP6[0] >> 0) & 0xff) || +- byte[1] != ((DST_IP6[0] >> 8) & 0xff) || +- byte[2] != ((DST_IP6[0] >> 16) & 0xff) || +- byte[3] != ((DST_IP6[0] >> 24) & 0xff) || +- byte[4] != ((DST_IP6[1] >> 0) & 0xff) || +- byte[5] != ((DST_IP6[1] >> 8) & 0xff) || +- byte[6] != ((DST_IP6[1] >> 16) & 0xff) || +- byte[7] != ((DST_IP6[1] >> 24) & 0xff) || +- byte[8] != ((DST_IP6[2] >> 0) & 0xff) || +- byte[9] != ((DST_IP6[2] >> 8) & 0xff) || +- byte[10] != ((DST_IP6[2] >> 16) & 0xff) || +- byte[11] != ((DST_IP6[2] >> 24) & 0xff) || +- byte[12] != ((DST_IP6[3] >> 0) & 0xff) || +- byte[13] != ((DST_IP6[3] >> 8) & 0xff) || +- byte[14] != ((DST_IP6[3] >> 16) & 0xff) || +- byte[15] != ((DST_IP6[3] >> 24) & 0xff)) ++ if (LSB(ctx->local_ip6[0], 0) != ((DST_IP6[0] >> 0) & 0xff) || ++ LSB(ctx->local_ip6[0], 1) != ((DST_IP6[0] >> 8) & 0xff) || ++ LSB(ctx->local_ip6[0], 2) != ((DST_IP6[0] >> 16) & 0xff) || ++ LSB(ctx->local_ip6[0], 3) != ((DST_IP6[0] >> 24) & 0xff) || ++ LSB(ctx->local_ip6[1], 0) != ((DST_IP6[1] >> 0) & 0xff) || ++ LSB(ctx->local_ip6[1], 1) != ((DST_IP6[1] >> 8) & 0xff) || ++ LSB(ctx->local_ip6[1], 2) != ((DST_IP6[1] >> 16) & 0xff) || ++ LSB(ctx->local_ip6[1], 3) != ((DST_IP6[1] >> 24) & 0xff) || ++ LSB(ctx->local_ip6[2], 0) != ((DST_IP6[2] >> 0) & 0xff) || ++ LSB(ctx->local_ip6[2], 1) != ((DST_IP6[2] >> 8) & 0xff) || ++ LSB(ctx->local_ip6[2], 2) != ((DST_IP6[2] >> 16) & 0xff) || ++ LSB(ctx->local_ip6[2], 3) != ((DST_IP6[2] >> 24) & 0xff) || ++ LSB(ctx->local_ip6[3], 0) != ((DST_IP6[3] >> 0) & 0xff) || ++ LSB(ctx->local_ip6[3], 1) != ((DST_IP6[3] >> 8) & 0xff) || ++ LSB(ctx->local_ip6[3], 2) != ((DST_IP6[3] >> 16) & 0xff) || ++ LSB(ctx->local_ip6[3], 3) != ((DST_IP6[3] >> 24) & 0xff)) + return SK_DROP; +- half = (__u16 *)&ctx->local_ip6; +- if (half[0] != ((DST_IP6[0] >> 0) & 0xffff) || +- half[1] != ((DST_IP6[0] >> 16) & 0xffff) || +- half[2] != ((DST_IP6[1] >> 0) & 0xffff) || +- half[3] != ((DST_IP6[1] >> 16) & 0xffff) || +- half[4] != ((DST_IP6[2] >> 0) & 0xffff) || +- half[5] != ((DST_IP6[2] >> 16) & 0xffff) || +- half[6] != ((DST_IP6[3] >> 0) & 0xffff) || +- half[7] != ((DST_IP6[3] >> 16) & 0xffff)) ++ if (LSW(ctx->local_ip6[0], 0) != ((DST_IP6[0] >> 0) & 0xffff) || ++ LSW(ctx->local_ip6[0], 1) != ((DST_IP6[0] >> 16) & 0xffff) || ++ LSW(ctx->local_ip6[1], 0) != ((DST_IP6[1] >> 0) & 0xffff) || ++ LSW(ctx->local_ip6[1], 1) != ((DST_IP6[1] >> 16) & 0xffff) || ++ LSW(ctx->local_ip6[2], 0) != ((DST_IP6[2] >> 0) & 0xffff) || ++ LSW(ctx->local_ip6[2], 1) != ((DST_IP6[2] >> 16) & 0xffff) || ++ LSW(ctx->local_ip6[3], 0) != ((DST_IP6[3] >> 0) & 0xffff) || ++ LSW(ctx->local_ip6[3], 1) != ((DST_IP6[3] >> 16) & 0xffff)) + return SK_DROP; + } else { + /* Expect :: IPs when family != AF_INET6 */ +- byte = (__u8 *)&ctx->remote_ip6; +- if (byte[0] != 0 || byte[1] != 0 || +- byte[2] != 0 || byte[3] != 0 || +- byte[4] != 0 || byte[5] != 0 || +- byte[6] != 0 || byte[7] != 0 || +- byte[8] != 0 || byte[9] != 0 || +- byte[10] != 0 || byte[11] != 0 || +- byte[12] != 0 || byte[13] != 0 || +- byte[14] != 0 || byte[15] != 0) ++ if (LSB(ctx->remote_ip6[0], 0) != 0 || LSB(ctx->remote_ip6[0], 1) != 0 || ++ LSB(ctx->remote_ip6[0], 2) != 0 || LSB(ctx->remote_ip6[0], 3) != 0 || ++ LSB(ctx->remote_ip6[1], 0) != 0 || LSB(ctx->remote_ip6[1], 1) != 0 || ++ LSB(ctx->remote_ip6[1], 2) != 0 || LSB(ctx->remote_ip6[1], 3) != 0 || ++ LSB(ctx->remote_ip6[2], 0) != 0 || LSB(ctx->remote_ip6[2], 1) != 0 || ++ LSB(ctx->remote_ip6[2], 2) != 0 || LSB(ctx->remote_ip6[2], 3) != 0 || ++ LSB(ctx->remote_ip6[3], 0) != 0 || LSB(ctx->remote_ip6[3], 1) != 0 || ++ LSB(ctx->remote_ip6[3], 2) != 0 || LSB(ctx->remote_ip6[3], 3) != 0) + return SK_DROP; +- half = (__u16 *)&ctx->remote_ip6; +- if (half[0] != 0 || half[1] != 0 || +- half[2] != 0 || half[3] != 0 || +- half[4] != 0 || half[5] != 0 || +- half[6] != 0 || half[7] != 0) ++ if (LSW(ctx->remote_ip6[0], 0) != 0 || LSW(ctx->remote_ip6[0], 1) != 0 || ++ LSW(ctx->remote_ip6[1], 0) != 0 || LSW(ctx->remote_ip6[1], 1) != 0 || ++ LSW(ctx->remote_ip6[2], 0) != 0 || LSW(ctx->remote_ip6[2], 1) != 0 || ++ LSW(ctx->remote_ip6[3], 0) != 0 || LSW(ctx->remote_ip6[3], 1) != 0) + return SK_DROP; + +- byte = (__u8 *)&ctx->local_ip6; +- if (byte[0] != 0 || byte[1] != 0 || +- byte[2] != 0 || byte[3] != 0 || +- byte[4] != 0 || byte[5] != 0 || +- byte[6] != 0 || byte[7] != 0 || +- byte[8] != 0 || byte[9] != 0 || +- byte[10] != 0 || byte[11] != 0 || +- byte[12] != 0 || byte[13] != 0 || +- byte[14] != 0 || byte[15] != 0) ++ if (LSB(ctx->local_ip6[0], 0) != 0 || LSB(ctx->local_ip6[0], 1) != 0 || ++ LSB(ctx->local_ip6[0], 2) != 0 || LSB(ctx->local_ip6[0], 3) != 0 || ++ LSB(ctx->local_ip6[1], 0) != 0 || LSB(ctx->local_ip6[1], 1) != 0 || ++ LSB(ctx->local_ip6[1], 2) != 0 || LSB(ctx->local_ip6[1], 3) != 0 || ++ LSB(ctx->local_ip6[2], 0) != 0 || LSB(ctx->local_ip6[2], 1) != 0 || ++ LSB(ctx->local_ip6[2], 2) != 0 || LSB(ctx->local_ip6[2], 3) != 0 || ++ LSB(ctx->local_ip6[3], 0) != 0 || LSB(ctx->local_ip6[3], 1) != 0 || ++ LSB(ctx->local_ip6[3], 2) != 0 || LSB(ctx->local_ip6[3], 3) != 0) + return SK_DROP; +- half = (__u16 *)&ctx->local_ip6; +- if (half[0] != 0 || half[1] != 0 || +- half[2] != 0 || half[3] != 0 || +- half[4] != 0 || half[5] != 0 || +- half[6] != 0 || half[7] != 0) ++ if (LSW(ctx->remote_ip6[0], 0) != 0 || LSW(ctx->remote_ip6[0], 1) != 0 || ++ LSW(ctx->remote_ip6[1], 0) != 0 || LSW(ctx->remote_ip6[1], 1) != 0 || ++ LSW(ctx->remote_ip6[2], 0) != 0 || LSW(ctx->remote_ip6[2], 1) != 0 || ++ LSW(ctx->remote_ip6[3], 0) != 0 || LSW(ctx->remote_ip6[3], 1) != 0) + return SK_DROP; + } + +-- +2.25.1 + diff --git a/queue-5.9/selftests-bpf-fix-overflow-tests-to-reflect-iter-siz.patch b/queue-5.9/selftests-bpf-fix-overflow-tests-to-reflect-iter-siz.patch new file mode 100644 index 00000000000..1b74720b8ff --- /dev/null +++ b/queue-5.9/selftests-bpf-fix-overflow-tests-to-reflect-iter-siz.patch @@ -0,0 +1,62 @@ +From 2e44d65560510500f71cfe93ccbcd93f0ae5f5ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 12:31:08 +0100 +Subject: selftests/bpf: Fix overflow tests to reflect iter size increase + +From: Alan Maguire + +[ Upstream commit eb58bbf2e5c7917aa30bf8818761f26bbeeb2290 ] + +bpf iter size increase to PAGE_SIZE << 3 means overflow tests assuming +page size need to be bumped also. + +Signed-off-by: Alan Maguire +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/1601292670-1616-7-git-send-email-alan.maguire@oracle.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/bpf_iter.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_iter.c b/tools/testing/selftests/bpf/prog_tests/bpf_iter.c +index 7375d9a6d2427..a8924cbc7509d 100644 +--- a/tools/testing/selftests/bpf/prog_tests/bpf_iter.c ++++ b/tools/testing/selftests/bpf/prog_tests/bpf_iter.c +@@ -331,7 +331,7 @@ static void test_overflow(bool test_e2big_overflow, bool ret1) + struct bpf_map_info map_info = {}; + struct bpf_iter_test_kern4 *skel; + struct bpf_link *link; +- __u32 page_size; ++ __u32 iter_size; + char *buf; + + skel = bpf_iter_test_kern4__open(); +@@ -353,19 +353,19 @@ static void test_overflow(bool test_e2big_overflow, bool ret1) + "map_creation failed: %s\n", strerror(errno))) + goto free_map1; + +- /* bpf_seq_printf kernel buffer is one page, so one map ++ /* bpf_seq_printf kernel buffer is 8 pages, so one map + * bpf_seq_write will mostly fill it, and the other map + * will partially fill and then trigger overflow and need + * bpf_seq_read restart. + */ +- page_size = sysconf(_SC_PAGE_SIZE); ++ iter_size = sysconf(_SC_PAGE_SIZE) << 3; + + if (test_e2big_overflow) { +- skel->rodata->print_len = (page_size + 8) / 8; +- expected_read_len = 2 * (page_size + 8); ++ skel->rodata->print_len = (iter_size + 8) / 8; ++ expected_read_len = 2 * (iter_size + 8); + } else if (!ret1) { +- skel->rodata->print_len = (page_size - 8) / 8; +- expected_read_len = 2 * (page_size - 8); ++ skel->rodata->print_len = (iter_size - 8) / 8; ++ expected_read_len = 2 * (iter_size - 8); + } else { + skel->rodata->print_len = 1; + expected_read_len = 2 * 8; +-- +2.25.1 + diff --git a/queue-5.9/selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch b/queue-5.9/selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch new file mode 100644 index 00000000000..3f768923008 --- /dev/null +++ b/queue-5.9/selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch @@ -0,0 +1,129 @@ +From f332d3badba625a17b9965754ea448d62b8f7e9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 10:15:42 -0700 +Subject: selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change + +From: Yonghong Song + +[ Upstream commit 7fb5eefd76394cfefb380724a87ca40b47d44405 ] + +Andrii reported that with latest clang, when building selftests, we have +error likes: + error: progs/test_sysctl_loop1.c:23:16: in function sysctl_tcp_mem i32 (%struct.bpf_sysctl*): + Looks like the BPF stack limit of 512 bytes is exceeded. + Please move large on stack variables into BPF per-cpu array map. + +The error is triggered by the following LLVM patch: + https://reviews.llvm.org/D87134 + +For example, the following code is from test_sysctl_loop1.c: + static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx) + { + volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string"; + ... + } +Without the above LLVM patch, the compiler did optimization to load the string +(59 bytes long) with 7 64bit loads, 1 8bit load and 1 16bit load, +occupying 64 byte stack size. + +With the above LLVM patch, the compiler only uses 8bit loads, but subregister is 32bit. +So stack requirements become 4 * 59 = 236 bytes. Together with other stuff on +the stack, total stack size exceeds 512 bytes, hence compiler complains and quits. + +To fix the issue, removing "volatile" key word or changing "volatile" to +"const"/"static const" does not work, the string is put in .rodata.str1.1 section, +which libbpf did not process it and errors out with + libbpf: elf: skipping unrecognized data section(6) .rodata.str1.1 + libbpf: prog 'sysctl_tcp_mem': bad map relo against '.L__const.is_tcp_mem.tcp_mem_name' + in section '.rodata.str1.1' + +Defining the string const as global variable can fix the issue as it puts the string constant +in '.rodata' section which is recognized by libbpf. In the future, when libbpf can process +'.rodata.str*.*' properly, the global definition can be changed back to local definition. + +Defining tcp_mem_name as a global, however, triggered a verifier failure. + ./test_progs -n 7/21 + libbpf: load bpf program failed: Permission denied + libbpf: -- BEGIN DUMP LOG --- + libbpf: + invalid stack off=0 size=1 + verification time 6975 usec + stack depth 160+64 + processed 889 insns (limit 1000000) max_states_per_insn 4 total_states + 14 peak_states 14 mark_read 10 + + libbpf: -- END LOG -- + libbpf: failed to load program 'sysctl_tcp_mem' + libbpf: failed to load object 'test_sysctl_loop2.o' + test_bpf_verif_scale:FAIL:114 + #7/21 test_sysctl_loop2.o:FAIL +This actually exposed a bpf program bug. In test_sysctl_loop{1,2}, we have code +like + const char tcp_mem_name[] = "<...long string...>"; + ... + char name[64]; + ... + for (i = 0; i < sizeof(tcp_mem_name); ++i) + if (name[i] != tcp_mem_name[i]) + return 0; +In the above code, if sizeof(tcp_mem_name) > 64, name[i] access may be +out of bound. The sizeof(tcp_mem_name) is 59 for test_sysctl_loop1.c and +79 for test_sysctl_loop2.c. + +Without promotion-to-global change, old compiler generates code where +the overflowed stack access is actually filled with valid value, so hiding +the bpf program bug. With promotion-to-global change, the code is different, +more specifically, the previous loading constants to stack is gone, and +"name" occupies stack[-64:0] and overflow access triggers a verifier error. +To fix the issue, adjust "name" buffer size properly. + +Reported-by: Andrii Nakryiko +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20200909171542.3673449-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/test_sysctl_loop1.c | 4 ++-- + tools/testing/selftests/bpf/progs/test_sysctl_loop2.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c b/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c +index 458b0d69133e4..553a282d816ab 100644 +--- a/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c ++++ b/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c +@@ -18,11 +18,11 @@ + #define MAX_ULONG_STR_LEN 7 + #define MAX_VALUE_STR_LEN (TCP_MEM_LOOPS * MAX_ULONG_STR_LEN) + ++const char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string"; + static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx) + { +- volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string"; + unsigned char i; +- char name[64]; ++ char name[sizeof(tcp_mem_name)]; + int ret; + + memset(name, 0, sizeof(name)); +diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c b/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c +index b2e6f9b0894d8..2b64bc563a12e 100644 +--- a/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c ++++ b/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c +@@ -18,11 +18,11 @@ + #define MAX_ULONG_STR_LEN 7 + #define MAX_VALUE_STR_LEN (TCP_MEM_LOOPS * MAX_ULONG_STR_LEN) + ++const char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string_to_stress_byte_loop"; + static __attribute__((noinline)) int is_tcp_mem(struct bpf_sysctl *ctx) + { +- volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string_to_stress_byte_loop"; + unsigned char i; +- char name[64]; ++ char name[sizeof(tcp_mem_name)]; + int ret; + + memset(name, 0, sizeof(name)); +-- +2.25.1 + diff --git a/queue-5.9/selftests-bpf-fix-test_vmlinux-test-to-use-bpf_probe.patch b/queue-5.9/selftests-bpf-fix-test_vmlinux-test-to-use-bpf_probe.patch new file mode 100644 index 00000000000..edcef509d47 --- /dev/null +++ b/queue-5.9/selftests-bpf-fix-test_vmlinux-test-to-use-bpf_probe.patch @@ -0,0 +1,76 @@ +From 956ec6fb12bb9b783c502163e0bbdaf341a62c8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 14:33:54 -0700 +Subject: selftests/bpf: Fix test_vmlinux test to use bpf_probe_read_user() + +From: Andrii Nakryiko + +[ Upstream commit 02f47faa25db134f6043fb6b12a68b5d4c980bb6 ] + +The test is reading UAPI kernel structure from user-space. So it doesn't need +CO-RE relocations and has to use bpf_probe_read_user(). + +Fixes: acbd06206bbb ("selftests/bpf: Add vmlinux.h selftest exercising tracing of syscalls") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20200818213356.2629020-6-andriin@fb.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/test_vmlinux.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/bpf/progs/test_vmlinux.c b/tools/testing/selftests/bpf/progs/test_vmlinux.c +index 29fa09d6a6c6d..e9dfa0313d1bb 100644 +--- a/tools/testing/selftests/bpf/progs/test_vmlinux.c ++++ b/tools/testing/selftests/bpf/progs/test_vmlinux.c +@@ -19,12 +19,14 @@ SEC("tp/syscalls/sys_enter_nanosleep") + int handle__tp(struct trace_event_raw_sys_enter *args) + { + struct __kernel_timespec *ts; ++ long tv_nsec; + + if (args->id != __NR_nanosleep) + return 0; + + ts = (void *)args->args[0]; +- if (BPF_CORE_READ(ts, tv_nsec) != MY_TV_NSEC) ++ if (bpf_probe_read_user(&tv_nsec, sizeof(ts->tv_nsec), &ts->tv_nsec) || ++ tv_nsec != MY_TV_NSEC) + return 0; + + tp_called = true; +@@ -35,12 +37,14 @@ SEC("raw_tp/sys_enter") + int BPF_PROG(handle__raw_tp, struct pt_regs *regs, long id) + { + struct __kernel_timespec *ts; ++ long tv_nsec; + + if (id != __NR_nanosleep) + return 0; + + ts = (void *)PT_REGS_PARM1_CORE(regs); +- if (BPF_CORE_READ(ts, tv_nsec) != MY_TV_NSEC) ++ if (bpf_probe_read_user(&tv_nsec, sizeof(ts->tv_nsec), &ts->tv_nsec) || ++ tv_nsec != MY_TV_NSEC) + return 0; + + raw_tp_called = true; +@@ -51,12 +55,14 @@ SEC("tp_btf/sys_enter") + int BPF_PROG(handle__tp_btf, struct pt_regs *regs, long id) + { + struct __kernel_timespec *ts; ++ long tv_nsec; + + if (id != __NR_nanosleep) + return 0; + + ts = (void *)PT_REGS_PARM1_CORE(regs); +- if (BPF_CORE_READ(ts, tv_nsec) != MY_TV_NSEC) ++ if (bpf_probe_read_user(&tv_nsec, sizeof(ts->tv_nsec), &ts->tv_nsec) || ++ tv_nsec != MY_TV_NSEC) + return 0; + + tp_btf_called = true; +-- +2.25.1 + diff --git a/queue-5.9/selftests-ftrace-change-synthetic-event-name-for-int.patch b/queue-5.9/selftests-ftrace-change-synthetic-event-name-for-int.patch new file mode 100644 index 00000000000..c1c2430fa86 --- /dev/null +++ b/queue-5.9/selftests-ftrace-change-synthetic-event-name-for-int.patch @@ -0,0 +1,52 @@ +From 26db25c79c24d025eb6086f30c358fd45c5df3af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 09:17:56 -0500 +Subject: selftests/ftrace: Change synthetic event name for + inter-event-combined test + +From: Tom Zanussi + +[ Upstream commit 96378b2088faea68f1fb05ea6b9a566fc569a44c ] + +This test uses waking+wakeup_latency as an event name, which doesn't +make sense since it includes an operator. Illegal names are now +detected by the synthetic event command parsing, which causes this +test to fail. Change the name to 'waking_plus_wakeup_latency' to +prevent this. + +Link: https://lkml.kernel.org/r/a1ee2f76ff28ef7166fb788ca8be968887808920.1602598160.git.zanussi@kernel.org + +Fixes: f06eec4d0f2c (selftests: ftrace: Add inter-event hist triggers testcases) +Acked-by: Masami Hiramatsu +Tested-by: Masami Hiramatsu +Signed-off-by: Tom Zanussi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + .../inter-event/trigger-inter-event-combined-hist.tc | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc +index 7449a4b8f1f9a..9098f1e7433fd 100644 +--- a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc ++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc +@@ -25,12 +25,12 @@ echo 'wakeup_latency u64 lat pid_t pid' >> synthetic_events + echo 'hist:keys=pid:ts1=common_timestamp.usecs if comm=="ping"' >> events/sched/sched_wakeup/trigger + echo 'hist:keys=next_pid:wakeup_lat=common_timestamp.usecs-$ts1:onmatch(sched.sched_wakeup).wakeup_latency($wakeup_lat,next_pid) if next_comm=="ping"' > events/sched/sched_switch/trigger + +-echo 'waking+wakeup_latency u64 lat; pid_t pid' >> synthetic_events +-echo 'hist:keys=pid,lat:sort=pid,lat:ww_lat=$waking_lat+$wakeup_lat:onmatch(synthetic.wakeup_latency).waking+wakeup_latency($ww_lat,pid)' >> events/synthetic/wakeup_latency/trigger +-echo 'hist:keys=pid,lat:sort=pid,lat' >> events/synthetic/waking+wakeup_latency/trigger ++echo 'waking_plus_wakeup_latency u64 lat; pid_t pid' >> synthetic_events ++echo 'hist:keys=pid,lat:sort=pid,lat:ww_lat=$waking_lat+$wakeup_lat:onmatch(synthetic.wakeup_latency).waking_plus_wakeup_latency($ww_lat,pid)' >> events/synthetic/wakeup_latency/trigger ++echo 'hist:keys=pid,lat:sort=pid,lat' >> events/synthetic/waking_plus_wakeup_latency/trigger + + ping $LOCALHOST -c 3 +-if ! grep -q "pid:" events/synthetic/waking+wakeup_latency/hist; then ++if ! grep -q "pid:" events/synthetic/waking_plus_wakeup_latency/hist; then + fail "Failed to create combined histogram" + fi + +-- +2.25.1 + diff --git a/queue-5.9/selftests-livepatch-do-not-check-order-when-using-co.patch b/queue-5.9/selftests-livepatch-do-not-check-order-when-using-co.patch new file mode 100644 index 00000000000..2a8bee1b6a0 --- /dev/null +++ b/queue-5.9/selftests-livepatch-do-not-check-order-when-using-co.patch @@ -0,0 +1,45 @@ +From 32bbcb986d6b5df040ba67178220f231005f4d1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 13:07:09 +0200 +Subject: selftests/livepatch: Do not check order when using "comm" for dmesg + checking + +From: Miroslav Benes + +[ Upstream commit 884ee754f5aedbe54406a4d308a6cc57335747ce ] + +check_result() uses "comm" to check expected results of selftests output +in dmesg. Everything works fine if timestamps in dmesg are unique. If +not, like in this example + +[ 86.844422] test_klp_callbacks_demo: pre_unpatch_callback: test_klp_callbacks_mod -> [MODULE_STATE_LIVE] Normal state +[ 86.844422] livepatch: 'test_klp_callbacks_demo': starting unpatching transition + +, "comm" fails with "comm: file 2 is not in sorted order". Suppress the +order checking with --nocheck-order option. + +Fixes: 2f3f651f3756 ("selftests/livepatch: Use "comm" instead of "diff" for dmesg") +Signed-off-by: Miroslav Benes +Acked-by: Joe Lawrence +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/livepatch/functions.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/livepatch/functions.sh b/tools/testing/selftests/livepatch/functions.sh +index 1aba83c87ad32..846c7ed71556f 100644 +--- a/tools/testing/selftests/livepatch/functions.sh ++++ b/tools/testing/selftests/livepatch/functions.sh +@@ -278,7 +278,7 @@ function check_result { + # help differentiate repeated testing runs. Remove them with a + # post-comparison sed filter. + +- result=$(dmesg | comm -13 "$SAVED_DMESG" - | \ ++ result=$(dmesg | comm --nocheck-order -13 "$SAVED_DMESG" - | \ + grep -e 'livepatch:' -e 'test_klp' | \ + grep -v '\(tainting\|taints\) kernel' | \ + sed 's/^\[[ 0-9.]*\] //') +-- +2.25.1 + diff --git a/queue-5.9/selftests-lkdtm-use-comm-instead-of-diff-for-dmesg.patch b/queue-5.9/selftests-lkdtm-use-comm-instead-of-diff-for-dmesg.patch new file mode 100644 index 00000000000..9592109cfce --- /dev/null +++ b/queue-5.9/selftests-lkdtm-use-comm-instead-of-diff-for-dmesg.patch @@ -0,0 +1,40 @@ +From 39102456467aa3166d49cf2be539e99a5c9e8eda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 14:17:00 -0700 +Subject: selftests/lkdtm: Use "comm" instead of "diff" for dmesg + +From: Kees Cook + +[ Upstream commit d00451c8118f8f7ab8e057bc6ee2f8b7d70b6a1c ] + +Instead of full GNU diff (which smaller boot environments may not have), +use "comm" which is more available. + +Reported-by: Naresh Kamboju +Cc: linux-kselftest@vger.kernel.org +Fixes: f131d9edc29d ("selftests/lkdtm: Don't clear dmesg when running tests") +Signed-off-by: Kees Cook +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20200909211700.2399399-1-keescook@chromium.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/lkdtm/run.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/lkdtm/run.sh b/tools/testing/selftests/lkdtm/run.sh +index 8383eb89d88a9..bb7a1775307b8 100755 +--- a/tools/testing/selftests/lkdtm/run.sh ++++ b/tools/testing/selftests/lkdtm/run.sh +@@ -82,7 +82,7 @@ dmesg > "$DMESG" + ($SHELL -c 'cat <(echo '"$test"') >'"$TRIGGER" 2>/dev/null) || true + + # Record and dump the results +-dmesg | diff --changed-group-format='%>' --unchanged-group-format='' "$DMESG" - > "$LOG" || true ++dmesg | comm --nocheck-order -13 "$DMESG" - > "$LOG" || true + + cat "$LOG" + # Check for expected output +-- +2.25.1 + diff --git a/queue-5.9/selftests-mptcp-depends-on-built-in-ipv6.patch b/queue-5.9/selftests-mptcp-depends-on-built-in-ipv6.patch new file mode 100644 index 00000000000..c141a935016 --- /dev/null +++ b/queue-5.9/selftests-mptcp-depends-on-built-in-ipv6.patch @@ -0,0 +1,49 @@ +From af37324fb1634cb214037ddb33089093a83c8497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 17:55:49 +0200 +Subject: selftests: mptcp: depends on built-in IPv6 + +From: Matthieu Baerts + +[ Upstream commit 287d35405989cfe0090e3059f7788dc531879a8d ] + +Recently, CONFIG_MPTCP_IPV6 no longer selects CONFIG_IPV6. As a +consequence, if CONFIG_MPTCP_IPV6=y is added to the kconfig, it will no +longer ensure CONFIG_IPV6=y. If it is not enabled, CONFIG_MPTCP_IPV6 +will stay disabled and selftests will fail. + +We also need CONFIG_IPV6 to be built-in. For more details, please see +commit 0ed37ac586c0 ("mptcp: depends on IPV6 but not as a module"). + +Note that 'make kselftest-merge' will take all 'config' files found in +'tools/testsing/selftests'. Because some of them already set +CONFIG_IPV6=y, MPTCP selftests were still passing. But they will fail if +MPTCP selftests are launched manually after having executed this command +to prepare the kernel config: + + ./scripts/kconfig/merge_config.sh -m .config \ + ./tools/testing/selftests/net/mptcp/config + +Fixes: 010b430d5df5 ("mptcp: MPTCP_IPV6 should depend on IPV6 instead of selecting it") +Signed-off-by: Matthieu Baerts +Reviewed-by: Mat Martineau +Link: https://lore.kernel.org/r/20201021155549.933731-1-matthieu.baerts@tessares.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/config | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/mptcp/config b/tools/testing/selftests/net/mptcp/config +index 8df5cb8f71ff9..741a1c4f4ae8f 100644 +--- a/tools/testing/selftests/net/mptcp/config ++++ b/tools/testing/selftests/net/mptcp/config +@@ -1,4 +1,5 @@ + CONFIG_MPTCP=y ++CONFIG_IPV6=y + CONFIG_MPTCP_IPV6=y + CONFIG_INET_DIAG=m + CONFIG_INET_MPTCP_DIAG=m +-- +2.25.1 + diff --git a/queue-5.9/selftests-mptcp-interpret-n-as-a-new-line.patch b/queue-5.9/selftests-mptcp-interpret-n-as-a-new-line.patch new file mode 100644 index 00000000000..c607b9c0480 --- /dev/null +++ b/queue-5.9/selftests-mptcp-interpret-n-as-a-new-line.patch @@ -0,0 +1,66 @@ +From 6e40774ca6dd8a05d074d29557474d35a7b329d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 15:13:51 +0200 +Subject: selftests: mptcp: interpret \n as a new line + +From: Matthieu Baerts + +[ Upstream commit 8b974778f998ab1be23eca7436fc13d2d8c6bd59 ] + +In case of errors, this message was printed: + + (...) + # read: Resource temporarily unavailable + # client exit code 0, server 3 + # \nnetns ns1-0-BJlt5D socket stat for 10003: + (...) + +Obviously, the idea was to add a new line before the socket stat and not +print "\nnetns". + +Fixes: b08fbf241064 ("selftests: add test-cases for MPTCP MP_JOIN") +Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp") +Signed-off-by: Matthieu Baerts +Acked-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/mptcp_connect.sh | 4 ++-- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.sh b/tools/testing/selftests/net/mptcp/mptcp_connect.sh +index 57d75b7f62203..e9449430f98df 100755 +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh +@@ -444,9 +444,9 @@ do_transfer() + duration=$(printf "(duration %05sms)" $duration) + if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then + echo "$duration [ FAIL ] client exit code $retc, server $rets" 1>&2 +- echo "\nnetns ${listener_ns} socket stat for $port:" 1>&2 ++ echo -e "\nnetns ${listener_ns} socket stat for ${port}:" 1>&2 + ip netns exec ${listener_ns} ss -nita 1>&2 -o "sport = :$port" +- echo "\nnetns ${connector_ns} socket stat for $port:" 1>&2 ++ echo -e "\nnetns ${connector_ns} socket stat for ${port}:" 1>&2 + ip netns exec ${connector_ns} ss -nita 1>&2 -o "dport = :$port" + + cat "$capout" +diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh +index f39c1129ce5f0..c2943e4dfcfe6 100755 +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -176,9 +176,9 @@ do_transfer() + + if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then + echo " client exit code $retc, server $rets" 1>&2 +- echo "\nnetns ${listener_ns} socket stat for $port:" 1>&2 ++ echo -e "\nnetns ${listener_ns} socket stat for ${port}:" 1>&2 + ip netns exec ${listener_ns} ss -nita 1>&2 -o "sport = :$port" +- echo "\nnetns ${connector_ns} socket stat for $port:" 1>&2 ++ echo -e "\nnetns ${connector_ns} socket stat for ${port}:" 1>&2 + ip netns exec ${connector_ns} ss -nita 1>&2 -o "dport = :$port" + + cat "$capout" +-- +2.25.1 + diff --git a/queue-5.9/selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch b/queue-5.9/selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch new file mode 100644 index 00000000000..620015d55a6 --- /dev/null +++ b/queue-5.9/selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch @@ -0,0 +1,63 @@ +From b668e97120bdcb93e80ca643b138d89c38ba238d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 13:47:11 +1100 +Subject: selftests/powerpc: Fix eeh-basic.sh exit codes + +From: Oliver O'Halloran + +[ Upstream commit 996f9e0f93f16211945c8d5f18f296a88cb32f91 ] + +The kselftests test running infrastructure expects tests to finish with an +exit code of 4 if the test decided it should be skipped. Currently +eeh-basic.sh exits with the number of devices that failed to recover, so if +four devices didn't recover we'll report a skip instead of a fail. + +Fix this by checking if the return code is non-zero and report success +and failure by returning 0 or 1 respectively. For the cases where should +actually skip return 4. + +Fixes: 85d86c8aa52e ("selftests/powerpc: Add basic EEH selftest") +Signed-off-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201014024711.1138386-1-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/eeh/eeh-basic.sh | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/eeh/eeh-basic.sh b/tools/testing/selftests/powerpc/eeh/eeh-basic.sh +index 8a8d0f456946c..0d783e1065c86 100755 +--- a/tools/testing/selftests/powerpc/eeh/eeh-basic.sh ++++ b/tools/testing/selftests/powerpc/eeh/eeh-basic.sh +@@ -1,17 +1,19 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0-only + ++KSELFTESTS_SKIP=4 ++ + . ./eeh-functions.sh + + if ! eeh_supported ; then + echo "EEH not supported on this system, skipping" +- exit 0; ++ exit $KSELFTESTS_SKIP; + fi + + if [ ! -e "/sys/kernel/debug/powerpc/eeh_dev_check" ] && \ + [ ! -e "/sys/kernel/debug/powerpc/eeh_dev_break" ] ; then + echo "debugfs EEH testing files are missing. Is debugfs mounted?" +- exit 1; ++ exit $KSELFTESTS_SKIP; + fi + + pre_lspci=`mktemp` +@@ -84,4 +86,5 @@ echo "$failed devices failed to recover ($dev_count tested)" + lspci | diff -u $pre_lspci - + rm -f $pre_lspci + +-exit $failed ++test "$failed" == 0 ++exit $? +-- +2.25.1 + diff --git a/queue-5.9/selftests-powerpc-fix-prefixes-in-alignment_handler-.patch b/queue-5.9/selftests-powerpc-fix-prefixes-in-alignment_handler-.patch new file mode 100644 index 00000000000..2f5dbad296e --- /dev/null +++ b/queue-5.9/selftests-powerpc-fix-prefixes-in-alignment_handler-.patch @@ -0,0 +1,67 @@ +From 289e3a8833b44107acbcf085318ddc461574df29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 23:12:31 +1000 +Subject: selftests/powerpc: Fix prefixes in alignment_handler signal handler + +From: Jordan Niethe + +[ Upstream commit db96221a683342fd4775fd820a4d5376cd2f2ed0 ] + +The signal handler in the alignment handler self test has the ability +to jump over the instruction that triggered the signal. It does this +by incrementing the PT_NIP in the user context by 4. If it were a +prefixed instruction this will mean that the suffix is then executed +which is incorrect. Instead check if the major opcode indicates a +prefixed instruction (e.g. it is 1) and if so increment PT_NIP by 8. + +If ISA v3.1 is not available treat it as a word instruction even if +the major opcode is 1. + +Fixes: 620a6473df36 ("selftests/powerpc: Add prefixed loads/stores to alignment_handler test") +Signed-off-by: Jordan Niethe +[mpe: Fix 32-bit build, rename haveprefixes to prefixes_enabled] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200824131231.14008-1-jniethe5@gmail.com +Signed-off-by: Sasha Levin +--- + .../selftests/powerpc/alignment/alignment_handler.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/powerpc/alignment/alignment_handler.c b/tools/testing/selftests/powerpc/alignment/alignment_handler.c +index 55ef15184057d..386bca731e581 100644 +--- a/tools/testing/selftests/powerpc/alignment/alignment_handler.c ++++ b/tools/testing/selftests/powerpc/alignment/alignment_handler.c +@@ -64,6 +64,7 @@ int bufsize; + int debug; + int testing; + volatile int gotsig; ++bool prefixes_enabled; + char *cipath = "/dev/fb0"; + long cioffset; + +@@ -77,7 +78,12 @@ void sighandler(int sig, siginfo_t *info, void *ctx) + } + gotsig = sig; + #ifdef __powerpc64__ +- ucp->uc_mcontext.gp_regs[PT_NIP] += 4; ++ if (prefixes_enabled) { ++ u32 inst = *(u32 *)ucp->uc_mcontext.gp_regs[PT_NIP]; ++ ucp->uc_mcontext.gp_regs[PT_NIP] += ((inst >> 26 == 1) ? 8 : 4); ++ } else { ++ ucp->uc_mcontext.gp_regs[PT_NIP] += 4; ++ } + #else + ucp->uc_mcontext.uc_regs->gregs[PT_NIP] += 4; + #endif +@@ -648,6 +654,8 @@ int main(int argc, char *argv[]) + exit(1); + } + ++ prefixes_enabled = have_hwcap2(PPC_FEATURE2_ARCH_3_1); ++ + rc |= test_harness(test_alignment_handler_vsx_206, + "test_alignment_handler_vsx_206"); + rc |= test_harness(test_alignment_handler_vsx_207, +-- +2.25.1 + diff --git a/queue-5.9/selftests-remove-fmod_ret-from-test_overhead.patch b/queue-5.9/selftests-remove-fmod_ret-from-test_overhead.patch new file mode 100644 index 00000000000..2ee37f793b2 --- /dev/null +++ b/queue-5.9/selftests-remove-fmod_ret-from-test_overhead.patch @@ -0,0 +1,147 @@ +From 90439a86eab43d9032eacc9dc8face0cd4ca6896 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 23:25:11 +0200 +Subject: selftests: Remove fmod_ret from test_overhead +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit b000def2e052fc8ddea31a18019f6ebe044defb3 ] + +The test_overhead prog_test included an fmod_ret program that attached to +__set_task_comm() in the kernel. However, this function was never listed as +allowed for return modification, so this only worked because of the +verifier skipping tests when a trampoline already existed for the attach +point. Now that the verifier checks have been fixed, remove fmod_ret from +the test so it works again. + +Fixes: 4eaf0b5c5e04 ("selftest/bpf: Fmod_ret prog and implement test_overhead as part of bench") +Acked-by: Andrii Nakryiko +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/bench.c | 3 --- + .../testing/selftests/bpf/benchs/bench_rename.c | 17 ----------------- + .../selftests/bpf/prog_tests/test_overhead.c | 14 +------------- + .../testing/selftests/bpf/progs/test_overhead.c | 6 ------ + 4 files changed, 1 insertion(+), 39 deletions(-) + +diff --git a/tools/testing/selftests/bpf/bench.c b/tools/testing/selftests/bpf/bench.c +index 944ad4721c83c..da14eaac71d03 100644 +--- a/tools/testing/selftests/bpf/bench.c ++++ b/tools/testing/selftests/bpf/bench.c +@@ -311,7 +311,6 @@ extern const struct bench bench_rename_kretprobe; + extern const struct bench bench_rename_rawtp; + extern const struct bench bench_rename_fentry; + extern const struct bench bench_rename_fexit; +-extern const struct bench bench_rename_fmodret; + extern const struct bench bench_trig_base; + extern const struct bench bench_trig_tp; + extern const struct bench bench_trig_rawtp; +@@ -332,7 +331,6 @@ static const struct bench *benchs[] = { + &bench_rename_rawtp, + &bench_rename_fentry, + &bench_rename_fexit, +- &bench_rename_fmodret, + &bench_trig_base, + &bench_trig_tp, + &bench_trig_rawtp, +@@ -462,4 +460,3 @@ int main(int argc, char **argv) + + return 0; + } +- +diff --git a/tools/testing/selftests/bpf/benchs/bench_rename.c b/tools/testing/selftests/bpf/benchs/bench_rename.c +index e74cff40f4fea..a967674098ada 100644 +--- a/tools/testing/selftests/bpf/benchs/bench_rename.c ++++ b/tools/testing/selftests/bpf/benchs/bench_rename.c +@@ -106,12 +106,6 @@ static void setup_fexit() + attach_bpf(ctx.skel->progs.prog5); + } + +-static void setup_fmodret() +-{ +- setup_ctx(); +- attach_bpf(ctx.skel->progs.prog6); +-} +- + static void *consumer(void *input) + { + return NULL; +@@ -182,14 +176,3 @@ const struct bench bench_rename_fexit = { + .report_progress = hits_drops_report_progress, + .report_final = hits_drops_report_final, + }; +- +-const struct bench bench_rename_fmodret = { +- .name = "rename-fmodret", +- .validate = validate, +- .setup = setup_fmodret, +- .producer_thread = producer, +- .consumer_thread = consumer, +- .measure = measure, +- .report_progress = hits_drops_report_progress, +- .report_final = hits_drops_report_final, +-}; +diff --git a/tools/testing/selftests/bpf/prog_tests/test_overhead.c b/tools/testing/selftests/bpf/prog_tests/test_overhead.c +index 2702df2b23433..9966685866fdf 100644 +--- a/tools/testing/selftests/bpf/prog_tests/test_overhead.c ++++ b/tools/testing/selftests/bpf/prog_tests/test_overhead.c +@@ -61,10 +61,9 @@ void test_test_overhead(void) + const char *raw_tp_name = "raw_tp/task_rename"; + const char *fentry_name = "fentry/__set_task_comm"; + const char *fexit_name = "fexit/__set_task_comm"; +- const char *fmodret_name = "fmod_ret/__set_task_comm"; + const char *kprobe_func = "__set_task_comm"; + struct bpf_program *kprobe_prog, *kretprobe_prog, *raw_tp_prog; +- struct bpf_program *fentry_prog, *fexit_prog, *fmodret_prog; ++ struct bpf_program *fentry_prog, *fexit_prog; + struct bpf_object *obj; + struct bpf_link *link; + int err, duration = 0; +@@ -97,11 +96,6 @@ void test_test_overhead(void) + if (CHECK(!fexit_prog, "find_probe", + "prog '%s' not found\n", fexit_name)) + goto cleanup; +- fmodret_prog = bpf_object__find_program_by_title(obj, fmodret_name); +- if (CHECK(!fmodret_prog, "find_probe", +- "prog '%s' not found\n", fmodret_name)) +- goto cleanup; +- + err = bpf_object__load(obj); + if (CHECK(err, "obj_load", "err %d\n", err)) + goto cleanup; +@@ -148,12 +142,6 @@ void test_test_overhead(void) + test_run("fexit"); + bpf_link__destroy(link); + +- /* attach fmod_ret */ +- link = bpf_program__attach_trace(fmodret_prog); +- if (CHECK(IS_ERR(link), "attach fmod_ret", "err %ld\n", PTR_ERR(link))) +- goto cleanup; +- test_run("fmod_ret"); +- bpf_link__destroy(link); + cleanup: + prctl(PR_SET_NAME, comm, 0L, 0L, 0L); + bpf_object__close(obj); +diff --git a/tools/testing/selftests/bpf/progs/test_overhead.c b/tools/testing/selftests/bpf/progs/test_overhead.c +index 42403d088abc9..abb7344b531f4 100644 +--- a/tools/testing/selftests/bpf/progs/test_overhead.c ++++ b/tools/testing/selftests/bpf/progs/test_overhead.c +@@ -39,10 +39,4 @@ int BPF_PROG(prog5, struct task_struct *tsk, const char *buf, bool exec) + return 0; + } + +-SEC("fmod_ret/__set_task_comm") +-int BPF_PROG(prog6, struct task_struct *tsk, const char *buf, bool exec) +-{ +- return !tsk; +-} +- + char _license[] SEC("license") = "GPL"; +-- +2.25.1 + diff --git a/queue-5.9/selftests-seccomp-powerpc-fix-seccomp-return-value-t.patch b/queue-5.9/selftests-seccomp-powerpc-fix-seccomp-return-value-t.patch new file mode 100644 index 00000000000..36384780f98 --- /dev/null +++ b/queue-5.9/selftests-seccomp-powerpc-fix-seccomp-return-value-t.patch @@ -0,0 +1,53 @@ +From 29df2a7df8ab633aa1d685728f5ed69f1251b195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Sep 2020 04:08:17 -0700 +Subject: selftests/seccomp: powerpc: Fix seccomp return value testing + +From: Kees Cook + +[ Upstream commit 46138329faeac3598f5a4dc991a174386b6de833 ] + +On powerpc, the errno is not inverted, and depends on ccr.so being +set. Add this to a powerpc definition of SYSCALL_RET_SET(). + +Co-developed-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-cascardo@canonical.com/ +Fixes: 5d83c2b37d43 ("selftests/seccomp: Add powerpc support") +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/lkml/20200912110820.597135-13-keescook@chromium.org +Reviewed-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index e2f38507a0621..9a9eb02539fb4 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -1702,6 +1702,21 @@ TEST_F(TRACE_poke, getpid_runs_normally) + # define ARCH_REGS struct pt_regs + # define SYSCALL_NUM(_regs) (_regs).gpr[0] + # define SYSCALL_RET(_regs) (_regs).gpr[3] ++# define SYSCALL_RET_SET(_regs, _val) \ ++ do { \ ++ typeof(_val) _result = (_val); \ ++ /* \ ++ * A syscall error is signaled by CR0 SO bit \ ++ * and the code is stored as a positive value. \ ++ */ \ ++ if (_result < 0) { \ ++ SYSCALL_RET(_regs) = -result; \ ++ (_regs).ccr |= 0x10000000; \ ++ } else { \ ++ SYSCALL_RET(_regs) = result; \ ++ (_regs).ccr &= ~0x10000000; \ ++ } \ ++ } while (0) + #elif defined(__s390__) + # define ARCH_REGS s390_regs + # define SYSCALL_NUM(_regs) (_regs).gprs[2] +-- +2.25.1 + diff --git a/queue-5.9/selftests-seccomp-refactor-arch-register-macros-to-a.patch b/queue-5.9/selftests-seccomp-refactor-arch-register-macros-to-a.patch new file mode 100644 index 00000000000..663f2e9a990 --- /dev/null +++ b/queue-5.9/selftests-seccomp-refactor-arch-register-macros-to-a.patch @@ -0,0 +1,179 @@ +From 3cb312369ea8256f4706fd08853adac1714ae8c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Sep 2020 04:08:06 -0700 +Subject: selftests/seccomp: Refactor arch register macros to avoid xtensa + special case + +From: Kees Cook + +[ Upstream commit a6a4d78419a04095221ec2b518edefb080218d55 ] + +To avoid an xtensa special-case, refactor all arch register macros to +take the register variable instead of depending on the macro expanding +as a struct member name. + +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/lkml/20200912110820.597135-2-keescook@chromium.org +Acked-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 97 +++++++++---------- + 1 file changed, 47 insertions(+), 50 deletions(-) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 9dc13be8fe5f5..e2f38507a0621 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -1667,64 +1667,64 @@ TEST_F(TRACE_poke, getpid_runs_normally) + } + + #if defined(__x86_64__) +-# define ARCH_REGS struct user_regs_struct +-# define SYSCALL_NUM orig_rax +-# define SYSCALL_RET rax ++# define ARCH_REGS struct user_regs_struct ++# define SYSCALL_NUM(_regs) (_regs).orig_rax ++# define SYSCALL_RET(_regs) (_regs).rax + #elif defined(__i386__) +-# define ARCH_REGS struct user_regs_struct +-# define SYSCALL_NUM orig_eax +-# define SYSCALL_RET eax ++# define ARCH_REGS struct user_regs_struct ++# define SYSCALL_NUM(_regs) (_regs).orig_eax ++# define SYSCALL_RET(_regs) (_regs).eax + #elif defined(__arm__) +-# define ARCH_REGS struct pt_regs +-# define SYSCALL_NUM ARM_r7 +-# define SYSCALL_RET ARM_r0 ++# define ARCH_REGS struct pt_regs ++# define SYSCALL_NUM(_regs) (_regs).ARM_r7 ++# define SYSCALL_RET(_regs) (_regs).ARM_r0 + #elif defined(__aarch64__) +-# define ARCH_REGS struct user_pt_regs +-# define SYSCALL_NUM regs[8] +-# define SYSCALL_RET regs[0] ++# define ARCH_REGS struct user_pt_regs ++# define SYSCALL_NUM(_regs) (_regs).regs[8] ++# define SYSCALL_RET(_regs) (_regs).regs[0] + #elif defined(__riscv) && __riscv_xlen == 64 +-# define ARCH_REGS struct user_regs_struct +-# define SYSCALL_NUM a7 +-# define SYSCALL_RET a0 ++# define ARCH_REGS struct user_regs_struct ++# define SYSCALL_NUM(_regs) (_regs).a7 ++# define SYSCALL_RET(_regs) (_regs).a0 + #elif defined(__csky__) +-# define ARCH_REGS struct pt_regs +-#if defined(__CSKYABIV2__) +-# define SYSCALL_NUM regs[3] +-#else +-# define SYSCALL_NUM regs[9] +-#endif +-# define SYSCALL_RET a0 ++# define ARCH_REGS struct pt_regs ++# if defined(__CSKYABIV2__) ++# define SYSCALL_NUM(_regs) (_regs).regs[3] ++# else ++# define SYSCALL_NUM(_regs) (_regs).regs[9] ++# endif ++# define SYSCALL_RET(_regs) (_regs).a0 + #elif defined(__hppa__) +-# define ARCH_REGS struct user_regs_struct +-# define SYSCALL_NUM gr[20] +-# define SYSCALL_RET gr[28] ++# define ARCH_REGS struct user_regs_struct ++# define SYSCALL_NUM(_regs) (_regs).gr[20] ++# define SYSCALL_RET(_regs) (_regs).gr[28] + #elif defined(__powerpc__) +-# define ARCH_REGS struct pt_regs +-# define SYSCALL_NUM gpr[0] +-# define SYSCALL_RET gpr[3] ++# define ARCH_REGS struct pt_regs ++# define SYSCALL_NUM(_regs) (_regs).gpr[0] ++# define SYSCALL_RET(_regs) (_regs).gpr[3] + #elif defined(__s390__) +-# define ARCH_REGS s390_regs +-# define SYSCALL_NUM gprs[2] +-# define SYSCALL_RET gprs[2] ++# define ARCH_REGS s390_regs ++# define SYSCALL_NUM(_regs) (_regs).gprs[2] ++# define SYSCALL_RET(_regs) (_regs).gprs[2] + # define SYSCALL_NUM_RET_SHARE_REG + #elif defined(__mips__) +-# define ARCH_REGS struct pt_regs +-# define SYSCALL_NUM regs[2] +-# define SYSCALL_SYSCALL_NUM regs[4] +-# define SYSCALL_RET regs[2] ++# define ARCH_REGS struct pt_regs ++# define SYSCALL_NUM(_regs) (_regs).regs[2] ++# define SYSCALL_SYSCALL_NUM regs[4] ++# define SYSCALL_RET(_regs) (_regs).regs[2] + # define SYSCALL_NUM_RET_SHARE_REG + #elif defined(__xtensa__) +-# define ARCH_REGS struct user_pt_regs +-# define SYSCALL_NUM syscall ++# define ARCH_REGS struct user_pt_regs ++# define SYSCALL_NUM(_regs) (_regs).syscall + /* + * On xtensa syscall return value is in the register + * a2 of the current window which is not fixed. + */ +-#define SYSCALL_RET(reg) a[(reg).windowbase * 4 + 2] ++#define SYSCALL_RET(_regs) (_regs).a[(_regs).windowbase * 4 + 2] + #elif defined(__sh__) +-# define ARCH_REGS struct pt_regs +-# define SYSCALL_NUM gpr[3] +-# define SYSCALL_RET gpr[0] ++# define ARCH_REGS struct pt_regs ++# define SYSCALL_NUM(_regs) (_regs).gpr[3] ++# define SYSCALL_RET(_regs) (_regs).gpr[0] + #else + # error "Do not know how to find your architecture's registers and syscalls" + #endif +@@ -1773,10 +1773,10 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee) + #endif + + #if defined(__mips__) +- if (regs.SYSCALL_NUM == __NR_O32_Linux) ++ if (SYSCALL_NUM(regs) == __NR_O32_Linux) + return regs.SYSCALL_SYSCALL_NUM; + #endif +- return regs.SYSCALL_NUM; ++ return SYSCALL_NUM(regs); + } + + /* Architecture-specific syscall changing routine. */ +@@ -1799,14 +1799,14 @@ void change_syscall(struct __test_metadata *_metadata, + defined(__s390__) || defined(__hppa__) || defined(__riscv) || \ + defined(__xtensa__) || defined(__csky__) || defined(__sh__) + { +- regs.SYSCALL_NUM = syscall; ++ SYSCALL_NUM(regs) = syscall; + } + #elif defined(__mips__) + { +- if (regs.SYSCALL_NUM == __NR_O32_Linux) ++ if (SYSCALL_NUM(regs) == __NR_O32_Linux) + regs.SYSCALL_SYSCALL_NUM = syscall; + else +- regs.SYSCALL_NUM = syscall; ++ SYSCALL_NUM(regs) = syscall; + } + + #elif defined(__arm__) +@@ -1840,11 +1840,8 @@ void change_syscall(struct __test_metadata *_metadata, + if (syscall == -1) + #ifdef SYSCALL_NUM_RET_SHARE_REG + TH_LOG("Can't modify syscall return on this architecture"); +- +-#elif defined(__xtensa__) +- regs.SYSCALL_RET(regs) = result; + #else +- regs.SYSCALL_RET = result; ++ SYSCALL_RET(regs) = result; + #endif + + #ifdef HAVE_GETREGS +-- +2.25.1 + diff --git a/queue-5.9/selftests-seccomp-use-__nr_mknodat-instead-of-__nr_m.patch b/queue-5.9/selftests-seccomp-use-__nr_mknodat-instead-of-__nr_m.patch new file mode 100644 index 00000000000..4896da30ef4 --- /dev/null +++ b/queue-5.9/selftests-seccomp-use-__nr_mknodat-instead-of-__nr_m.patch @@ -0,0 +1,37 @@ +From 82baab076cfd5c8f6d22797cffb076e4b3acfecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Sep 2020 04:08:20 -0700 +Subject: selftests/seccomp: Use __NR_mknodat instead of __NR_mknod + +From: Kees Cook + +[ Upstream commit 05b52c6625278cc6ed1245a569167f86a971ff86 ] + +The __NR_mknod syscall doesn't exist on arm64 (only __NR_mknodat). +Switch to the modern syscall. + +Fixes: ad5682184a81 ("selftests/seccomp: Check for EPOLLHUP for user_notif") +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/lkml/20200912110820.597135-16-keescook@chromium.org +Acked-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 7a6d40286a421..9dc13be8fe5f5 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -3715,7 +3715,7 @@ TEST(user_notification_filter_empty) + if (pid == 0) { + int listener; + +- listener = user_notif_syscall(__NR_mknod, SECCOMP_FILTER_FLAG_NEW_LISTENER); ++ listener = user_notif_syscall(__NR_mknodat, SECCOMP_FILTER_FLAG_NEW_LISTENER); + if (listener < 0) + _exit(EXIT_FAILURE); + +-- +2.25.1 + diff --git a/queue-5.9/selftests-vm-add-fragment-config_gup_benchmark.patch b/queue-5.9/selftests-vm-add-fragment-config_gup_benchmark.patch new file mode 100644 index 00000000000..79e1850e937 --- /dev/null +++ b/queue-5.9/selftests-vm-add-fragment-config_gup_benchmark.patch @@ -0,0 +1,45 @@ +From a04692d74f20203085d1d8a659e295b6a2c0d3a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 15:26:18 +0300 +Subject: selftests: vm: add fragment CONFIG_GUP_BENCHMARK + +From: Anatoly Pugachev + +[ Upstream commit cae1d5a2c5a491141faa747e9944ba40ab4ab786 ] + +When running gup_benchmark test the following output states that +the config options is missing. + +$ sudo ./gup_benchmark +open: No such file or directory + +$ sudo strace -e trace=file ./gup_benchmark 2>&1 | tail -3 +openat(AT_FDCWD, "/sys/kernel/debug/gup_benchmark", O_RDWR) = -1 ENOENT +(No such file or directory) +open: No such file or directory ++++ exited with 1 +++ + +Fix it by adding config option fragment. + +Fixes: 64c349f4ae78 ("mm: add infrastructure for get_user_pages_fast() benchmarking") +Signed-off-by: Anatoly Pugachev +CC: Jiri Kosina +CC: Shuah Khan +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/config | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/vm/config b/tools/testing/selftests/vm/config +index 3ba674b64fa9f..69dd0d1aa30b2 100644 +--- a/tools/testing/selftests/vm/config ++++ b/tools/testing/selftests/vm/config +@@ -3,3 +3,4 @@ CONFIG_USERFAULTFD=y + CONFIG_TEST_VMALLOC=m + CONFIG_DEVICE_PRIVATE=y + CONFIG_TEST_HMM=m ++CONFIG_GUP_BENCHMARK=y +-- +2.25.1 + diff --git a/queue-5.9/seqlock-unbreak-lockdep.patch b/queue-5.9/seqlock-unbreak-lockdep.patch new file mode 100644 index 00000000000..73f60916464 --- /dev/null +++ b/queue-5.9/seqlock-unbreak-lockdep.patch @@ -0,0 +1,81 @@ +From 881cdeb5cbd9893f98d2992659f2cb6b995707cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 16:30:28 +0200 +Subject: seqlock: Unbreak lockdep + +From: peterz@infradead.org + +[ Upstream commit 267580db047ef428a70bef8287ca62c5a450c139 ] + +seqcount_LOCKNAME_init() needs to be a macro due to the lockdep +annotation in seqcount_init(). Since a macro cannot define another +macro, we need to effectively revert commit: e4e9ab3f9f91 ("seqlock: +Fold seqcount_LOCKNAME_init() definition"). + +Fixes: e4e9ab3f9f91 ("seqlock: Fold seqcount_LOCKNAME_init() definition") +Reported-by: Qian Cai +Debugged-by: Boqun Feng +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Qian Cai +Link: https://lkml.kernel.org/r/20200915143028.GB2674@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + include/linux/seqlock.h | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index 962d9768945f0..7b99e3dba2065 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -154,6 +154,19 @@ static inline void seqcount_lockdep_reader_access(const seqcount_t *s) + * @lock: Pointer to the associated LOCKTYPE + */ + ++#define seqcount_LOCKNAME_init(s, _lock, lockname) \ ++ do { \ ++ seqcount_##lockname##_t *____s = (s); \ ++ seqcount_init(&____s->seqcount); \ ++ __SEQ_LOCK(____s->lock = (_lock)); \ ++ } while (0) ++ ++#define seqcount_raw_spinlock_init(s, lock) seqcount_LOCKNAME_init(s, lock, raw_spinlock) ++#define seqcount_spinlock_init(s, lock) seqcount_LOCKNAME_init(s, lock, spinlock) ++#define seqcount_rwlock_init(s, lock) seqcount_LOCKNAME_init(s, lock, rwlock); ++#define seqcount_mutex_init(s, lock) seqcount_LOCKNAME_init(s, lock, mutex); ++#define seqcount_ww_mutex_init(s, lock) seqcount_LOCKNAME_init(s, lock, ww_mutex); ++ + /* + * SEQCOUNT_LOCKTYPE() - Instantiate seqcount_LOCKNAME_t and helpers + * @locktype: actual typename +@@ -167,13 +180,6 @@ typedef struct seqcount_##lockname { \ + __SEQ_LOCK(locktype *lock); \ + } seqcount_##lockname##_t; \ + \ +-static __always_inline void \ +-seqcount_##lockname##_init(seqcount_##lockname##_t *s, locktype *lock) \ +-{ \ +- seqcount_init(&s->seqcount); \ +- __SEQ_LOCK(s->lock = lock); \ +-} \ +- \ + static __always_inline seqcount_t * \ + __seqcount_##lockname##_ptr(seqcount_##lockname##_t *s) \ + { \ +@@ -228,13 +234,12 @@ SEQCOUNT_LOCKTYPE(struct ww_mutex, ww_mutex, true, &s->lock->base) + __SEQ_LOCK(.lock = (assoc_lock)) \ + } + +-#define SEQCNT_SPINLOCK_ZERO(name, lock) SEQCOUNT_LOCKTYPE_ZERO(name, lock) + #define SEQCNT_RAW_SPINLOCK_ZERO(name, lock) SEQCOUNT_LOCKTYPE_ZERO(name, lock) ++#define SEQCNT_SPINLOCK_ZERO(name, lock) SEQCOUNT_LOCKTYPE_ZERO(name, lock) + #define SEQCNT_RWLOCK_ZERO(name, lock) SEQCOUNT_LOCKTYPE_ZERO(name, lock) + #define SEQCNT_MUTEX_ZERO(name, lock) SEQCOUNT_LOCKTYPE_ZERO(name, lock) + #define SEQCNT_WW_MUTEX_ZERO(name, lock) SEQCOUNT_LOCKTYPE_ZERO(name, lock) + +- + #define __seqprop_case(s, lockname, prop) \ + seqcount_##lockname##_t: __seqcount_##lockname##_##prop((void *)(s)) + +-- +2.25.1 + diff --git a/queue-5.9/serial-8250-discard-rts-dts-setting-from-clock-updat.patch b/queue-5.9/serial-8250-discard-rts-dts-setting-from-clock-updat.patch new file mode 100644 index 00000000000..4061d6725f0 --- /dev/null +++ b/queue-5.9/serial-8250-discard-rts-dts-setting-from-clock-updat.patch @@ -0,0 +1,39 @@ +From a7eb267b603a759a389b68e33b36dbdc066212b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 19:19:48 +0300 +Subject: serial: 8250: Discard RTS/DTS setting from clock update method + +From: Serge Semin + +[ Upstream commit 7718453e36960dadb8dc46f2b514b309659e1270 ] + +It has been a mistake to add the MCR register RTS/DTS fields setting in +the generic method of the UART reference clock update. There is no point +in asserting these lines at that procedure. Just discard the +serial8250_out_MCR() mathod invocation from there then. + +Fixes: 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method") +Tested-by: Hans de Goede +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20200923161950.6237-2-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index c71d647eb87a0..1259fb6b66b38 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2665,7 +2665,6 @@ void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk) + + serial8250_set_divisor(port, baud, quot, frac); + serial_port_out(port, UART_LCR, up->lcr); +- serial8250_out_MCR(up, UART_MCR_DTR | UART_MCR_RTS); + + spin_unlock_irqrestore(&port->lock, flags); + serial8250_rpm_put(up); +-- +2.25.1 + diff --git a/queue-5.9/serial-8250-skip-uninitialized-tty-port-baud-rate-up.patch b/queue-5.9/serial-8250-skip-uninitialized-tty-port-baud-rate-up.patch new file mode 100644 index 00000000000..a0a9da77fda --- /dev/null +++ b/queue-5.9/serial-8250-skip-uninitialized-tty-port-baud-rate-up.patch @@ -0,0 +1,47 @@ +From 411250a92943151aed63c48f9482f74269076ad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 19:19:49 +0300 +Subject: serial: 8250: Skip uninitialized TTY port baud rate update + +From: Serge Semin + +[ Upstream commit c8dff3aa824177013d90967687f09f713a55d13f ] + +It is erroneous to update the TTY port baud rate if it hasn't been +initialized yet, because in that case the TTY struct isn't set. So there +is no termios structure to get and re-calculate the baud if the current +baud can't be reached. Let's skip the baud rate update then until the port +is fully initialized. + +Note the update UART clock method still sets the uartclk member with a new +ref clock value even if the port is turned off. The new UART ref clock +rate will be used later on the port starting up procedure. + +Fixes: 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method") +Tested-by: Hans de Goede +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20200923161950.6237-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 1259fb6b66b38..b0af13074cd36 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2653,6 +2653,10 @@ void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk) + goto out_lock; + + port->uartclk = uartclk; ++ ++ if (!tty_port_initialized(&port->state->port)) ++ goto out_lock; ++ + termios = &port->state->port.tty->termios; + + baud = serial8250_get_baud_rate(port, termios, NULL); +-- +2.25.1 + diff --git a/queue-5.9/serial-8250_dw-fix-clk-notifier-port-suspend-deadloc.patch b/queue-5.9/serial-8250_dw-fix-clk-notifier-port-suspend-deadloc.patch new file mode 100644 index 00000000000..1d3c5eb25e4 --- /dev/null +++ b/queue-5.9/serial-8250_dw-fix-clk-notifier-port-suspend-deadloc.patch @@ -0,0 +1,129 @@ +From 2ea0f7390ca2feab8c0c98d40742d506eae27de2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 19:19:50 +0300 +Subject: serial: 8250_dw: Fix clk-notifier/port suspend deadlock + +From: Serge Semin + +[ Upstream commit 85985a3dcd7415dd849cf62ec14f931cd905099a ] + +It has been discovered that there is a potential deadlock between +the clock-change-notifier thread and the UART port suspending one: + + CPU0 (suspend CPU/UART) CPU1 (update clock) + ---- ---- + lock(&port->mutex); + lock((work_completion)(&data->clk_work)); + lock(&port->mutex); + lock((work_completion)(&data->clk_work)); + + *** DEADLOCK *** + +The best way to fix this is to eliminate the CPU0 +port->mutex/work-completion scenario. So we suggest to register and +unregister the clock-notifier during the DW APB UART port probe/remove +procedures, instead of doing that at the points of the port +startup/shutdown. + +Link: https://lore.kernel.org/linux-serial/f1cd5c75-9cda-6896-a4e2-42c5bfc3f5c3@redhat.com + +Fixes: cc816969d7b5 ("serial: 8250_dw: Fix common clocks usage race condition") +Reported-by: Hans de Goede +Tested-by: Hans de Goede +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20200923161950.6237-4-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_dw.c | 54 +++++++++++-------------------- + 1 file changed, 19 insertions(+), 35 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c +index 87f450b7c1779..9e204f9b799a1 100644 +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -373,39 +373,6 @@ static void dw8250_set_ldisc(struct uart_port *p, struct ktermios *termios) + serial8250_do_set_ldisc(p, termios); + } + +-static int dw8250_startup(struct uart_port *p) +-{ +- struct dw8250_data *d = to_dw8250_data(p->private_data); +- int ret; +- +- /* +- * Some platforms may provide a reference clock shared between several +- * devices. In this case before using the serial port first we have to +- * make sure that any clock state change is known to the UART port at +- * least post factum. +- */ +- if (d->clk) { +- ret = clk_notifier_register(d->clk, &d->clk_notifier); +- if (ret) +- dev_warn(p->dev, "Failed to set the clock notifier\n"); +- } +- +- return serial8250_do_startup(p); +-} +- +-static void dw8250_shutdown(struct uart_port *p) +-{ +- struct dw8250_data *d = to_dw8250_data(p->private_data); +- +- serial8250_do_shutdown(p); +- +- if (d->clk) { +- clk_notifier_unregister(d->clk, &d->clk_notifier); +- +- flush_work(&d->clk_work); +- } +-} +- + /* + * dw8250_fallback_dma_filter will prevent the UART from getting just any free + * channel on platforms that have DMA engines, but don't have any channels +@@ -501,8 +468,6 @@ static int dw8250_probe(struct platform_device *pdev) + p->serial_out = dw8250_serial_out; + p->set_ldisc = dw8250_set_ldisc; + p->set_termios = dw8250_set_termios; +- p->startup = dw8250_startup; +- p->shutdown = dw8250_shutdown; + + p->membase = devm_ioremap(dev, regs->start, resource_size(regs)); + if (!p->membase) +@@ -622,6 +587,19 @@ static int dw8250_probe(struct platform_device *pdev) + goto err_reset; + } + ++ /* ++ * Some platforms may provide a reference clock shared between several ++ * devices. In this case any clock state change must be known to the ++ * UART port at least post factum. ++ */ ++ if (data->clk) { ++ err = clk_notifier_register(data->clk, &data->clk_notifier); ++ if (err) ++ dev_warn(p->dev, "Failed to set the clock notifier\n"); ++ else ++ queue_work(system_unbound_wq, &data->clk_work); ++ } ++ + platform_set_drvdata(pdev, data); + + pm_runtime_set_active(dev); +@@ -648,6 +626,12 @@ static int dw8250_remove(struct platform_device *pdev) + + pm_runtime_get_sync(dev); + ++ if (data->clk) { ++ clk_notifier_unregister(data->clk, &data->clk_notifier); ++ ++ flush_work(&data->clk_work); ++ } ++ + serial8250_unregister_port(data->data.line); + + reset_control_assert(data->rst); +-- +2.25.1 + diff --git a/queue-5.9/series b/queue-5.9/series index 5a4e19ba4ea..4a609440f92 100644 --- a/queue-5.9/series +++ b/queue-5.9/series @@ -85,3 +85,666 @@ crypto-caam-jr-add-fallback-for-xts-with-more-than-8b-iv.patch crypto-caam-jr-add-support-for-more-xts-key-lengths.patch crypto-caam-qi2-add-fallback-for-xts-with-more-than-8b-iv.patch crypto-caam-qi2-add-support-for-more-xts-key-lengths.patch +ras-cec-fix-cec_init-prototype.patch +sched-fair-fix-wrong-negative-conversion-in-find_ene.patch +microblaze-fix-kbuild-redundant-file-warning.patch +edac-i5100-fix-error-handling-order-in-i5100_init_on.patch +edac-aspeed-fix-handling-of-platform_get_irq-error.patch +edac-ti-fix-handling-of-platform_get_irq-error.patch +perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch +x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch +irqchip-ti-sci-inta-fix-unsigned-comparison-to-zero.patch +irqchip-ti-sci-intr-fix-unsigned-comparison-to-zero.patch +arm64-kprobe-add-checks-for-armv8.3-pauth-combined-i.patch +seqlock-unbreak-lockdep.patch +drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch +drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch +sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch +sched-fair-use-dst-group-while-checking-imbalance-fo.patch +arm64-perf-add-missing-isb-in-armv8pmu_enable_counte.patch +perf-x86-intel-uncore-update-ice-lake-uncore-units.patch +perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch +perf-x86-intel-uncore-fix-for-iio-mapping-on-skylake.patch +perf-x86-intel-uncore-fix-the-scale-of-the-imc-free-.patch +x86-nmi-fix-nmi_handle-duration-miscalculation.patch +x86-events-amd-iommu-fix-sizeof-mismatch.patch +pinctrl-qcom-set-irqchip_set_type_masked-and-irqchip.patch +pinctrl-qcom-use-return-value-from-irq_set_wake-call.patch +perf-x86-fix-n_pair-for-cancelled-txn.patch +lockdep-fix-usage_traceoverflow.patch +lockdep-fix-lockdep-recursion.patch +lockdep-revert-lockdep-use-raw_cpu_-for-per-cpu-vari.patch +perf-core-fix-race-in-the-perf_mmap_close-function.patch +regulator-set-of_node-for-qcom-vbus-regulator.patch +crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch +crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch +crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch +crypto-picoxcell-fix-potential-race-condition-bug.patch +media-vivid-fix-global-out-of-bounds-read-in-precalc.patch +media-tuner-simple-fix-regression-in-simple_set_radi.patch +crypto-ccree-fix-runtime-pm-imbalance-on-error.patch +media-revert-media-exynos4-is-add-missed-check-for-p.patch +media-hantro-h264-get-the-correct-fallback-reference.patch +media-hantro-postproc-fix-motion-vector-space-alloca.patch +media-ov5640-correct-bit-div-register-in-clock-tree-.patch +media-i2c-fix-error-check-on-max9286_read-call.patch +media-m5mols-check-function-pointer-in-m5mols_sensor.patch +fscrypt-restrict-iv_ino_lblk_32-to-ino_bits-32.patch +media-uvcvideo-set-media-controller-entity-functions.patch +media-uvcvideo-silence-shift-out-of-bounds-warning.patch +media-staging-intel-ipu3-css-correctly-reset-some-me.patch +media-omap3isp-fix-memleak-in-isp_probe.patch +media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch +media-i2c-ov5640-separate-out-mipi-configuration-fro.patch +media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch +media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch +media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch +media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch +media-i2c-max9286-allocate-v4l2_async_subdev-dynamic.patch +crypto-sa2ul-fix-compiler-warning-produced-by-clang.patch +spi-fsi-handle-9-to-15-byte-transfers-lengths.patch +spi-fsi-fix-use-of-the-bneq-sequencer-instruction.patch +spi-fsi-implement-restricted-size-for-certain-contro.patch +spi-dw-pci-free-previously-allocated-irqs-if-desc-se.patch +crypto-sa2ul-select-crypto_authenc.patch +crypto-omap-sham-fix-digcnt-register-handling-with-e.patch +crypto-sa2ul-fix-pm_runtime_get_sync-error-checking.patch +selftests-seccomp-use-__nr_mknodat-instead-of-__nr_m.patch +selftests-seccomp-refactor-arch-register-macros-to-a.patch +selftests-seccomp-powerpc-fix-seccomp-return-value-t.patch +regmap-debugfs-fix-more-error-path-regressions.patch +hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch +hwmon-w83627ehf-fix-a-resource-leak-in-probe.patch +cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch +crypto-stm32-crc32-avoid-lock-if-hardware-is-already.patch +crypto-sun8i-ce-handle-endianness-of-t_common_ctl.patch +media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch +media-mtk-mdp-fix-null-pointer-dereference-when-call.patch +media-tc358743-initialize-variable.patch +media-tc358743-cleanup-tc358743_cec_isr.patch +nvme-fix-error-handling-in-nvme_ns_report_zones.patch +media-rcar-vin-fix-a-reference-count-leak.patch +media-rockchip-rga-fix-a-reference-count-leak.patch +media-platform-fcp-fix-a-reference-count-leak.patch +media-camss-fix-a-reference-count-leak.patch +media-s5p-mfc-fix-a-reference-count-leak.patch +media-stm32-dcmi-fix-a-reference-count-leak.patch +media-ti-vpe-fix-a-missing-check-and-reference-count.patch +regulator-resolve-supply-after-creating-regulator.patch +pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch +spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch +spi-spi-s3c64xx-check-return-values.patch +hwmon-bt1-pvt-test-sensor-power-supply-on-probe.patch +hwmon-bt1-pvt-cache-current-update-timeout.patch +hwmon-bt1-pvt-wait-for-the-completion-with-timeout.patch +spi-imx-fix-freeing-of-dma-channels-if-spi_bitbang_s.patch +btrfs-add-owner-and-fs_info-to-alloc_state-io_tree.patch +blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch +ath10k-provide-survey-info-as-accumulated-data.patch +drm-vkms-fix-xrgb-on-compute-crc.patch +bluetooth-hci_uart-cancel-init-work-before-unregiste.patch +drm-amd-display-fix-wrong-return-value-in-dm_update_.patch +drm-vgem-add-missing-platform_device_unregister-in-v.patch +drm-vkms-add-missing-platform_device_unregister-in-v.patch +drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch +ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch +ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch +ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch +wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch +asoc-qcom-lpass-platform-fix-memory-leak.patch +asoc-qcom-lpass-cpu-fix-concurrency-issue.patch +ath11k-fix-possible-memleak-in-ath11k_qmi_init_servi.patch +brcmfmac-check-ndev-pointer.patch +mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch +drm-malidp-use-struct-drm_gem_object_funcs.get_sg_ta.patch +staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch +drm-amd-display-fix-potential-integer-overflow-when-.patch +selftests-bpf-fix-test_vmlinux-test-to-use-bpf_probe.patch +drm-gma500-fix-error-check.patch +scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch +scsi-qla2xxx-fix-the-size-used-in-a-dma_free_coheren.patch +scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch +scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch +scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch +libbpf-fix-unintentional-success-return-code-in-bpf_.patch +wilc1000-fix-memleak-in-wilc_sdio_probe.patch +wilc1000-fix-memleak-in-wilc_bus_probe.patch +rtw88-don-t-treat-null-pointer-as-an-array.patch +selftests-livepatch-do-not-check-order-when-using-co.patch +drm-radeon-prefer-lower-feedback-dividers.patch +backlight-sky81452-backlight-fix-refcount-imbalance-.patch +staging-wfx-fix-frame-reordering.patch +staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch +vmci-check-return-value-of-get_user_pages_fast-for-e.patch +mm-error_inject-fix-allow_error_inject-function-sign.patch +drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch +samples-bpf-fix-to-xdpsock-to-avoid-recycling-frames.patch +ima-pre-parse-the-list-of-keyrings-in-a-key_check-ru.patch +ima-fail-rule-parsing-when-asymmetric-key-measuremen.patch +drm-crc-debugfs-fix-memleak-in-crc_control_write.patch +bluetooth-clear-suspend-tasks-on-unregister.patch +selftests-vm-add-fragment-config_gup_benchmark.patch +scsi-ufs-make-ufshcd_print_trs-consider-ufshcd_quirk.patch +binder-remove-bogus-warning-on-failed-same-process-t.patch +drm-amdgpu-fix-max_entries-calculation-v4.patch +soundwire-stream-fix-null-is_err-confusion.patch +soundwire-intel-fix-null-err_ptr-confusion.patch +tty-serial-earlycon-dependency.patch +tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch +pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch +pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch +pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch +drivers-virt-fsl_hypervisor-fix-error-handling-path.patch +sfc-don-t-double-down-filters-in-ef100_reset.patch +ath11k-fix-a-double-free-and-a-memory-leak.patch +video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch +video-fbdev-sis-fix-null-ptr-dereference.patch +video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch +asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch +scsi-ufs-ufs-mediatek-eliminate-error-message-for-un.patch +scsi-ufs-ufs-mediatek-fix-host_pa_tactivate-quirk.patch +hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch +ath11k-fix-uninitialized-return-in-ath11k_spectral_p.patch +drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch +drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch +iomap-clear-page-error-before-beginning-a-write.patch +iomap-mark-read-blocks-uptodate-in-write_begin.patch +selftests-lkdtm-use-comm-instead-of-diff-for-dmesg.patch +bluetooth-fix-memory-leak-in-read_adv_mon_features.patch +bluetooth-re-order-clearing-suspend-tasks.patch +pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch +pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch +pinctrl-devicetree-keep-deferring-even-on-timeout.patch +drm-msm-adreno-fix-probe-without-iommu.patch +s390-bpf-fix-multiple-tail-calls.patch +net-mlx5-fix-uninitialized-variable-warning.patch +net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch +scsi-mpt3sas-fix-sync-irqs.patch +net-stmmac-fix-incorrect-location-to-set-real_num_rx.patch +net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch +xfs-force-the-log-after-remapping-a-synchronous-writ.patch +cpufreq-armada-37xx-add-missing-module_device_table.patch +drm-mxsfb-check-framebuffer-pitch.patch +cpufreq-qcom-don-t-add-frequencies-without-an-opp.patch +ima-fix-null-pointer-dereference-in-ima_file_hash.patch +asoc-topology-disable-size-checks-for-bytes_ext-cont.patch +asoc-tlv320adcx140-fix-digital-gain-range.patch +coresight-etm4x-fix-etm4_count-race-by-moving-cpuhp-.patch +coresight-fix-offset-by-one-error-in-counting-ports.patch +coresight-cti-disclaim-device-only-when-it-s-claimed.patch +coresight-cti-remove-pm_runtime_get_sync-from-cpu-ho.patch +coresight-etm4x-ensure-default-perf-settings-filter-.patch +coresight-etm4x-fix-issues-within-reset-interface-of.patch +coresight-cti-write-regsiters-directly-in-cti_enable.patch +coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch +coresight-etm4x-fix-issues-on-trcseqevr-access.patch +nvmem-core-fix-missing-of_node_put-in-of_nvmem_devic.patch +selftests-mptcp-interpret-n-as-a-new-line.patch +dmaengine-ti-k3-udma-glue-fix-channel-enable-functio.patch +selftests-bpf-fix-endianness-issue-in-sk_assign.patch +selftests-bpf-fix-endianness-issue-in-test_sockopt_s.patch +bluetooth-fix-auto-creation-of-hci_conn-at-conn-comp.patch +xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch +drm-msm-fix-the-a650-hw_apriv-check.patch +net-dsa-rtl8366-check-validity-of-passed-vlans.patch +net-dsa-rtl8366-refactor-vlan-pvid-init.patch +net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch +net-wilc1000-clean-up-resource-in-error-path-of-init.patch +asoc-tas2770-fix-calling-reset-in-probe.patch +asoc-tas2770-add-missing-bias-level-power-states.patch +asoc-tas2770-fix-required-dt-properties-in-the-code.patch +asoc-tas2770-fix-error-handling-with-update_bits.patch +asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch +net-dsa-rtl8366rb-support-all-4096-vlans.patch +asoc-sof-control-add-size-checks-for-ext_bytes-contr.patch +asoc-tas2770-fix-unbalanced-calls-to-pm_runtime.patch +spi-omap2-mcspi-improve-performance-waiting-for-chst.patch +ath11k-add-checked-value-for-ath11k_ahb_remove.patch +ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch +drm-rcar-du-put-reference-to-vsp-device.patch +phy-rockchip-dphy-rx0-include-linux-delay.h.patch +dmaengine-dmatest-check-list-for-emptiness-before-ac.patch +asoc-cros_ec_codec-fix-kconfig-dependency-warning-fo.patch +misc-mic-scif-fix-error-handling-path.patch +alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch +net-mlx5e-ipsec-use-kvfree-for-memory-allocated-with.patch +usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch +usb-dwc3-core-properly-default-unspecified-speed.patch +usb-dwc2-add-missing-cleanups-when-usb_add_gadget_ud.patch +rtw88-fix-probe-error-handling-race-with-firmware-lo.patch +rtw88-fix-potential-probe-error-handling-race-with-w.patch +mt76-mt7615-hold-mt76-lock-queueing-wd-in-mt7615_que.patch +mt76-mt7615-release-mutex-in-mt7615_reset_test_set.patch +mt76-mt7663s-fix-resume-failure.patch +mt76-mt7615-fix-possible-memory-leak-in-mt7615_tm_se.patch +mt76-mt7615-fix-a-possible-null-pointer-dereference-.patch +mt76-fix-a-possible-null-pointer-dereference-in-mt76.patch +mt76-mt7663u-fix-dma-header-initialization.patch +mt76-mt7615-move-drv_own-fw_own-in-mt7615_mcu_ops.patch +mt76-mt7622-fix-fw-hang-on-mt7622.patch +mt76-mt7915-fix-possible-memory-leak-in-mt7915_mcu_a.patch +quota-clear-padding-in-v2r1_mem2diskdqb.patch +slimbus-core-check-get_addr-before-removing-laddr-id.patch +slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch +slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch +drm-vc4-crtc-rework-a-bit-the-crtc-state-code.patch +asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch +hid-hid-input-fix-stylus-battery-reporting.patch +tty-hvc-fix-link-error-with-config_serial_core_conso.patch +tty-serial-imx-fix-link-error-with-config_serial_cor.patch +nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch +hv-clocksource-add-notrace-attribute-to-read_hv_sche.patch +nl80211-fix-obss-pd-min-and-max-offset-validation.patch +iomap-use-kzalloc-to-allocate-iomap_page.patch +coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch +coresight-cti-fix-remove-sysfs-link-error.patch +coresight-cti-fix-bug-clearing-sysfs-links-on-callba.patch +coresight-etm4x-fix-save-and-restore-of-trcvmidcctlr.patch +ibmvnic-set-up-200gbps-speed.patch +bpf-disallow-attaching-modify_return-tracing-functio.patch +selftests-remove-fmod_ret-from-test_overhead.patch +qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch +pinctrl-aspeed-use-the-right-pinconf-mask.patch +iommu-qcom-add-missing-put_device-call-in-qcom_iommu.patch +iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch +net-enic-cure-the-enic-api-locking-trainwreck.patch +selftests-bpf-fix-endianness-issues-in-sk_lookup-ctx.patch +pinctrl-tigerlake-fix-register-offsets-for-tgl-h-var.patch +serial-8250-discard-rts-dts-setting-from-clock-updat.patch +serial-8250-skip-uninitialized-tty-port-baud-rate-up.patch +serial-8250_dw-fix-clk-notifier-port-suspend-deadloc.patch +mfd-syscon-don-t-free-allocated-name-for-regmap_conf.patch +mfd-sm501-fix-leaks-in-probe.patch +dm-fix-missing-imposition-of-queue_limits-from-dm_wq.patch +pinctrl-single-fix-pinctrl_spec.args_count-bounds-ch.patch +pinctrl-single-fix-debug-output-when-pinctrl-cells-2.patch +staging-rtl8712-fix-enqueue_reorder_recvframe.patch +asoc-wm_adsp-pass-full-name-to-snd_ctl_notify.patch +iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch +iwlwifi-dbg-remove-no-filter-condition.patch +iwlwifi-dbg-run-init_cfg-function-once-per-driver-lo.patch +usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch +usb-gadget-u_serial-clear-suspended-flag-when-discon.patch +usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch +bus-mhi-core-fix-the-building-of-mhi-module.patch +ocxl-fix-kconfig-dependency-warning-for-ocxl.patch +nl80211-fix-non-split-wiphy-information.patch +usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch +scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch +scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch +dmaengine-ioat-allocate-correct-size-for-descriptor-.patch +staging-qlge-fix-build-breakage-with-dumping-enabled.patch +ipmi_si-fix-wrong-return-value-in-try_smi_init.patch +tracing-fix-parse_synth_field-error-handling.patch +asoc-mediatek-mt8183-da7219-fix-wrong-ops-for-i2s3.patch +staging-wfx-fix-ba-sessions-for-older-firmwares.patch +platform-x86-mlx-platform-remove-psu-eeprom-configur.patch +dm-fix-request-based-dm-to-not-bounce-through-indire.patch +mwifiex-fix-double-free.patch +net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch +drm-panfrost-increase-readl_relaxed_poll_timeout-val.patch +drm-amdgpu-fix-invalid-number-of-character-in-amdgpu.patch +ipvs-clear-skb-tstamp-in-forwarding-path.patch +bpf-sockmap-remove-skb_orphan-and-let-normal-skb_kfr.patch +net-korina-fix-kfree-of-rx-tx-descriptor-array.patch +netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch +mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch +mm-memcg-slab-fix-racy-access-to-page-mem_cgroup-in-.patch +mm-memcg-fix-device-private-memcg-accounting.patch +mm-mmap.c-replace-do_brk-with-do_brk_flags-in-commen.patch +mm-page_alloc.c-fix-freeing-non-compound-pages.patch +mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch +fs-fix-null-dereference-due-to-data-race-in-prepend_.patch +selftests-ftrace-change-synthetic-event-name-for-int.patch +tracing-handle-synthetic-event-array-field-type-chec.patch +i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch +ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch +ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch +powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch +powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch +rcu-tree-force-quiescent-state-on-callback-overload.patch +rcutorture-properly-set-rcu_fwds-for-oom-handling.patch +refperf-avoid-null-pointer-dereference-when-buf-fail.patch +rdma-ucma-fix-locking-for-ctx-events_reported.patch +rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch +mtd-lpddr-fix-excessive-stack-usage-with-clang.patch +rdma-hns-add-a-check-for-current-state-before-modify.patch +rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch +powerpc-pseries-explicitly-reschedule-during-drmem_l.patch +pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch +rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch +mtd-mtdoops-don-t-write-panic-data-twice.patch +selftests-powerpc-fix-prefixes-in-alignment_handler-.patch +perf-tools-make-gtk2-support-opt-in.patch +tools-feature-add-missing-lzstd-to-the-fast-path-fea.patch +arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch +xfs-fix-finobt-btree-block-recovery-ordering.patch +m68knommu-include-sdhc-support-only-when-hardware-ha.patch +arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch +ida-free-allocated-bitmap-in-error-path.patch +xfs-limit-entries-returned-when-counting-fsmap-recor.patch +xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch +nfs-add-missing-posix-local_lock-constant-table-defi.patch +xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch +rdma-rtrs-srv-incorporate-ib_register_client-into-rt.patch +rdma-core-delete-function-indirection-for-alloc-free.patch +rdma-allow-fail-of-destroy-cq.patch +rdma-change-xrcd-destroy-return-value.patch +rdma-restore-ability-to-return-error-for-destroy-wq.patch +rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch +rdma-umem-prevent-small-pages-from-being-returned-by.patch +rdma-qedr-fix-qp-structure-memory-leak.patch +rdma-qedr-fix-doorbell-setting.patch +rdma-qedr-fix-use-of-uninitialized-field.patch +rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch +rdma-qedr-fix-inline-size-returned-for-iwarp.patch +powerpc-pseries-svm-allocate-swiotlb-buffer-anywhere.patch +powerpc-watchpoint-fix-quadword-instruction-handling.patch +powerpc-watchpoint-fix-handling-of-vector-instructio.patch +powerpc-watchpoint-add-hw_len-wherever-missing.patch +powerpc-book3s64-hash-4k-support-large-linear-mappin.patch +powerpc-tau-use-appropriate-temperature-sample-inter.patch +powerpc-tau-convert-from-timer-to-workqueue.patch +powerpc-tau-remove-duplicated-set_thresholds-call.patch +powerpc-tau-check-processor-type-before-enabling-tau.patch +powerpc-tau-disable-tau-between-measurements.patch +powerpc-kasan-fix-config_kasan_vmalloc-for-8xx.patch +powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch +powerpc-papr_scm-fix-warning-triggered-by-perf_stats.patch +rdma-cma-combine-cma_ndev_work-with-cma_work.patch +rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch +rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch +rdma-cma-fix-use-after-free-race-in-roce-multicast-j.patch +perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch +perf-metricgroup-fix-uncore-metric-expressions.patch +rdma-qedr-fix-resource-leak-in-qedr_create_qp.patch +rdma-hns-set-the-unsupported-wr-opcode.patch +rdma-mlx5-use-set_mkc_access_pd_addr_fields-in-reg_c.patch +rdma-mlx5-make-mkeys-always-owned-by-the-kernel-s-pd.patch +rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch +i40iw-add-support-to-make-destroy-qp-synchronous.patch +perf-stat-skip-duration_time-in-setup_system_wide.patch +rdma-hns-add-check-for-the-validity-of-sl-configurat.patch +rdma-hns-solve-the-overflow-of-the-calc_pg_sz.patch +rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch +rdma-hns-fix-configuration-of-ack_req_freq-in-qpc.patch +rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch +rdma-mlx5-fix-type-warning-of-sizeof-in-__mlx5_ib_al.patch +mtd-hyperbus-hbmc-am654-fix-direct-mapping-setup-fla.patch +mtd-rawnand-stm32_fmc2-fix-a-buffer-overflow.patch +mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch +mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch +mtd-spinand-gigadevice-add-qe-bit.patch +mtd-rawnand-ams-delta-fix-non-of-build-warning.patch +kdb-fix-pager-search-for-multi-line-strings.patch +overflow-include-header-file-with-size_max-declarati.patch +mtd-parsers-bcm63xx-do-not-make-it-modular.patch +rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch +powerpc-64-fix-irq-replay-missing-preempt.patch +powerpc-64-fix-irq-replay-pt_regs-softe-value.patch +powerpc-ppc_secure_boot-should-not-require-powernv.patch +powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch +powerpc-perf-hv-gpci-fix-starting-index-value.patch +perf-stat-fix-out-of-bounds-cpu-map-access-when-hand.patch +i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch +powerpc-security-fix-link-stack-flush-instruction.patch +powerpc-book3s64-radix-make-radix_mem_block_size-64b.patch +powerpc-papr_scm-add-papr-command-family-to-pass-thr.patch +cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch +ib-rdmavt-fix-sizeof-mismatch.patch +rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch +f2fs-reject-casefold-inode-flag-without-casefold-fea.patch +um-vector-use-gfp_atomic-under-spin-lock.patch +um-time-travel-fix-irq-handling-in-time_travel_handl.patch +thermal-core-adding-missing-nlmsg_free-in-thermal_ge.patch +maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch +perf-trace-fix-off-by-ones-in-memset-after-realloc-i.patch +selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch +f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch +afs-fix-rapid-cell-addition-removal-by-not-using-rcu.patch +afs-fix-cell-refcounting-by-splitting-the-usage-coun.patch +afs-fix-cell-purging-with-aliases.patch +afs-fix-cell-removal.patch +rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch +mm-page_owner-change-split_page_owner-to-take-a-coun.patch +mm-huge_memory-fix-split-assumption-of-page-size.patch +mm-fix-a-race-during-thp-splitting.patch +mm-mmu_notifier-fix-mmget-assert-in-__mmu_interval_n.patch +lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch +ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch +rapidio-fix-error-handling-path.patch +rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch +mailbox-avoid-timer-start-from-callback.patch +clk-meson-axg-audio-separate-axg-and-g12a-regmap-tab.patch +rtc-ds1307-clear-osf-flag-on-ds1388-when-setting-tim.patch +i2c-rcar-auto-select-reset_controller.patch +clk-meson-g12a-mark-fclk_div2-as-critical.patch +pci-designware-ep-fix-the-header-type-check.patch +pci-aardvark-fix-compilation-on-s390.patch +pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch +pci-iproc-set-affinity-mask-on-msi-interrupts.patch +rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch +rpmsg-avoid-double-free-in-mtk_rpmsg_register_device.patch +remoteproc-stm32-fix-pointer-assignement.patch +pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch +vfio-add-a-singleton-check-for-vfio_group_pin_pages.patch +s390-pci-mark-all-vfs-as-not-implementing-pci_comman.patch +vfio-pci-decouple-pci_command_memory-bit-checks-from.patch +vfio-fix-a-missed-vfio-group-put-in-vfio_pin_pages.patch +vfio-type1-fix-dirty-bitmap-calculation-in-vfio_dma_.patch +clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch +clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch +pwm-rockchip-keep-enabled-pwms-running-while-probing.patch +pwm-img-fix-null-pointer-access-in-probe.patch +nfsd-cache-r-rw-and-w-opens-separately.patch +remoteproc-mediatek-fix-null-pointer-dereference-on-.patch +pci-hv-fix-hibernation-in-case-interrupts-are-not-re.patch +clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch +clk-mediatek-add-uart0-clock-support.patch +module-statically-initialize-init-section-freeing-da.patch +clk-at91-clk-main-update-key-before-writing-at91_ckg.patch +clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch +kbuild-deb-pkg-do-not-build-linux-headers-package-if.patch +watchdog-fix-memleak-in-watchdog_cdev_register.patch +watchdog-use-put_device-on-error.patch +watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch +clk-at91-sam9x60-support-only-two-programmable-clock.patch +svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch +ext4-fix-dead-loop-in-ext4_mb_new_blocks.patch +ext4-discard-preallocations-before-releasing-group-l.patch +ext4-disallow-modifying-dax-inode-flag-if-inline_dat.patch +ext4-limit-entries-returned-when-counting-fsmap-reco.patch +vfio-pci-clear-token-on-bypass-registration-failure.patch +vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch +clk-qcom-gdsc-keep-retain_ff-bit-set-if-gdsc-is-alre.patch +clk-imx8mq-fix-usdhc-parents-order.patch +sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch +nfsv4.2-fix-nfs4err_stale-error-when-doing-inter-ser.patch +platform-chrome-cros_ec_typec-send-enum-values-to-us.patch +platform-chrome-cros_ec_lightbar-reduce-ligthbar-get.patch +input-elants_i2c-fix-typo-for-an-attribute-to-show-c.patch +input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch +input-stmfts-fix-a-vs-typo.patch +input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch +input-omap4-keypad-fix-handling-of-platform_get_irq-.patch +input-twl4030_keypad-fix-handling-of-platform_get_ir.patch +input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch +kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch +kvm-nsvm-cr3-mbz-bits-are-only-63-52.patch +scsi-bfa-fix-error-return-in-bfad_pci_init.patch +arm64-mm-use-single-quantity-to-represent-the-pa-to-.patch +bpf-enforce-id-generation-for-all-may-be-null-regist.patch +net-dsa-seville-the-packet-buffer-is-2-megabits-not-.patch +netfilter-conntrack-connection-timeout-after-re-regi.patch +netfilter-ebtables-fixes-dropping-of-small-packets-i.patch +vdpa-mlx5-make-use-of-a-specific-16-bit-endianness-a.patch +vdpa-mlx5-fix-failure-to-bring-link-up.patch +vdpa-mlx5-setup-driver-only-if-virtio_config_s_drive.patch +selftests-mptcp-depends-on-built-in-ipv6.patch +netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch +soc-xilinx-fix-error-code-in-zynqmp_pm_probe.patch +arm64-dts-meson-vim3-correct-led-polarity.patch +arm-dts-imx6sl-fix-rng-node.patch +arm-at91-pm-of_node_put-after-its-usage.patch +arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch +memory-brcmstb_dpfe-fix-array-index-out-of-bounds.patch +arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch +arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch +memory-omap-gpmc-fix-a-couple-off-by-ones.patch +memory-omap-gpmc-fix-build-error-without-config_of.patch +arm64-dts-qcom-msm8992-fix-uart-interrupt-property.patch +arm64-dts-qcom-sdm845-db845c-fix-hdmi-nodes.patch +arm64-dts-qcom-sm8150-fix-up-primary-usb-nodes.patch +arm64-dts-qcom-sc7180-fix-the-llcc-base-register-siz.patch +memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch +firmware-arm_scmi-fix-null-pointer-dereference-in-ma.patch +arm64-dts-mt8173-elm-fix-supported-values-for-regula.patch +arm64-dts-qcom-sm8250-rename-uart2-node-to-uart12.patch +dmaengine-ti-k3-udma-glue-fix-parameters-for-rx-ring.patch +arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch +arm64-dts-qcom-sc7180-drop-flags-on-mdss-irqs.patch +arm64-dts-sdm845-fixup-opp-table-for-all-qup-devices.patch +soc-qcom-pdr-fixup-array-type-of-get_domain_list_res.patch +arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch +arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch +arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch +soc-qcom-apr-fixup-the-error-displayed-on-lookup-fai.patch +dt-bindings-crypto-specify-that-allwinner-sun8i-a33-.patch +arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch +arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch +arm64-dts-mt8173-elm-fix-nor_flash-node-property.patch +arm64-dts-ti-k3-j721e-rename-mux-header-and-update-m.patch +arm64-dts-actions-limit-address-range-for-pinctrl-no.patch +arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch +soc-fsl-qbman-fix-return-value-on-success.patch +arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch +arm-dts-stm32-fix-sdmmc2-pins-on-av96.patch +arm-dts-stm32-lxa-mc1-fix-kernel-warning-about-phy-d.patch +arm-dts-stm32-move-ethernet-phy-into-dh-som-dt.patch +arm-dts-stm32-swap-phy-reset-gpio-and-tsc2004-irq-on.patch +arm-dts-stm32-fix-dh-pdk2-display-pwm-channel.patch +arm-dts-iwg20d-q7-common-fix-touch-controller-probe-.patch +soc-mediatek-cmdq-add-clear-option-in-cmdq_pkt_wfe-a.patch +drm-mediatek-reduce-clear-event.patch +arm64-dts-zynqmp-remove-additional-compatible-string.patch +arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch +lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch +powerpc-powernv-dump-fix-race-while-processing-opal-.patch +powerpc-64s-remove-tm-from-power10-features.patch +powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch +nvmet-fix-uninitialized-work-for-zero-kato.patch +nvmet-limit-passthru-mtds-by-bio_max_pages.patch +kvm-ioapic-break-infinite-recursion-on-lazy-eoi.patch +ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch +ntb-intel-fix-memleak-in-intel_ntb_pci_probe.patch +sched-features-fix-config_jump_label-case.patch +perf-correct-snoopx-field-offset.patch +random32-make-prandom_u32-output-unpredictable.patch +i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch +md-bitmap-fix-memory-leak-of-temporary-bitmap.patch +block-ratelimit-handle_bad_sector-message.patch +x86-dumpstack-fix-misleading-instruction-pointer-err.patch +crypto-ccp-fix-error-handling.patch +x86-asm-replace-__force_order-with-a-memory-clobber.patch +x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch +media-firewire-fix-memory-leak.patch +media-ati_remote-sanity-check-for-both-endpoints.patch +media-st-delta-fix-reference-count-leak-in-delta_run.patch +media-sti-fix-reference-count-leaks.patch +media-exynos4-is-fix-several-reference-count-leaks-d.patch +media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch +media-exynos4-is-fix-a-reference-count-leak.patch +media-vsp1-fix-runtime-pm-imbalance-on-error.patch +media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch +media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch +media-bdisp-fix-runtime-pm-imbalance-on-error.patch +media-media-pci-prevent-memory-leak-in-bttv_probe.patch +x86-mce-annotate-mce_rd-wrmsrl-with-noinstr.patch +crypto-hisilicon-fixed-memory-allocation-error.patch +spi-fsi-fix-clock-running-too-fast.patch +blk-mq-always-allow-reserved-allocation-in-hctx_may_.patch +x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch +media-uvcvideo-ensure-all-probed-info-is-returned-to.patch +mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch +media-saa7134-avoid-a-shift-overflow.patch +media-atomisp-fix-memleak-in-ia_css_stream_create.patch +media-venus-fixes-for-list-corruption.patch +notifier-fix-broken-error-handling-pattern.patch +fs-dlm-fix-configfs-memory-leak.patch +media-venus-core-fix-error-handling-in-probe.patch +media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch +ntfs-add-check-for-mft-record-size-in-superblock.patch +ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch +mac80211-handle-lack-of-sband-bitrates-in-rates.patch +staging-wfx-fix-handling-of-mmic-error.patch +libbpf-close-map-fd-if-init-map-slots-failed.patch +bpf-use-raw_spin_trylock-for-pcpu_freelist_push-pop-.patch +pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch +scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch +scsi-target-core-add-control-field-for-trace-events.patch +mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch +misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch +usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch +usb-gadget-function-printer-fix-use-after-free-in-__.patch +rtw88-pci-power-cycle-device-during-shutdown.patch +udf-limit-sparing-table-size.patch +udf-avoid-accessing-uninitialized-data-on-failed-ino.patch +rtw88-increse-the-size-of-rx-buffer-size.patch +selftests-bpf-fix-overflow-tests-to-reflect-iter-siz.patch +usb-cdc-acm-handle-broken-union-descriptors.patch +mt76-mt7915-do-not-do-any-work-in-napi-poll-after-ca.patch +usb-dwc3-simple-add-support-for-hikey-970.patch +habanalabs-cast-to-u64-before-shift-31-bits.patch +can-flexcan-flexcan_chip_stop-add-error-handling-and.patch +hid-multitouch-lenovo-x1-tablet-gen3-trackpoint-and-.patch +ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch +drm-panfrost-add-amlogic-gpu-integration-quirks.patch +drm-panfrost-add-amlogic-reset-quirk-callback.patch +drm-panfrost-add-support-for-vendor-quirk.patch +bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch +dma-direct-fix-potential-null-pointer-dereference.patch +misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch +reiserfs-only-call-unlock_new_inode-if-i_new.patch +opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch +xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch +usb-ohci-default-to-per-port-over-current-protection.patch +drm-fix-double-free-for-gbo-in-drm_gem_vram_init-and.patch +bluetooth-only-mark-socket-zapped-after-unlocking.patch +drm-msm-a6xx-fix-a-potential-overflow-issue.patch +drm-xlnx-use-devm_drm_dev_alloc.patch +iomap-fix-warn_on_once-from-unprivileged-users.patch +scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch +scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch +selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch +soundwire-cadence-fix-race-condition-between-suspend.patch +brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch +rtl8xxxu-prevent-potential-memory-leak.patch +fix-use-after-free-in-get_capset_info-callback.patch +hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch +scsi-qedf-return-success-if-stale-rport-is-encounter.patch +scsi-qedi-mark-all-connections-for-recovery-on-link-.patch +scsi-qedi-protect-active-command-list-to-avoid-list-.patch +scsi-qedi-fix-list_del-corruption-while-removing-act.patch +fbmem-add-margin-check-to-fb_check_caps.patch +tty-ipwireless-fix-error-handling.patch +bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch +ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch +reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch +s390-qeth-strictly-order-bridge-address-events.patch +mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch +alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch +alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch +asoc-sof-add-topology-filename-override-based-on-dmi.patch +asoc-intel-sof_rt5682-override-quirk-data-for-tgl_ma.patch +scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch +brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch +usb-core-solve-race-condition-in-anchor-cleanup-func.patch +soundwire-intel-reinitialize-ip-dsp-in-.prepare-but-.patch +scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch +drm-amd-display-screen-corruption-on-dual-displays-d.patch +dmaengine-dw-add-dma-channels-mask-cell-support.patch +dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch +drm-hisilicon-code-refactoring-for-hibmc_drv_de.patch +drm-amd-display-disconnect-pipe-separetely-when-disa.patch +drm-panfrost-perfcnt-fix-ref-count-leak-in-panfrost_.patch +ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch diff --git a/queue-5.9/sfc-don-t-double-down-filters-in-ef100_reset.patch b/queue-5.9/sfc-don-t-double-down-filters-in-ef100_reset.patch new file mode 100644 index 00000000000..5352cca6f12 --- /dev/null +++ b/queue-5.9/sfc-don-t-double-down-filters-in-ef100_reset.patch @@ -0,0 +1,55 @@ +From c11a80b501503f6c1079b2b23db83b8d27d3583a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 17:14:20 +0100 +Subject: sfc: don't double-down() filters in ef100_reset() + +From: Edward Cree + +[ Upstream commit 7dcc9d8a40f85cbd76acdebcc45ccdfe4a84337f ] + +dev_close(), by way of ef100_net_stop(), already brings down the filter + table, so there's no need to do it again (which just causes lots of + WARN_ONs). +Similarly, don't bring it up ourselves, as dev_open() -> ef100_net_open() + will do it, and will fail if it's already been brought up. + +Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins") +Signed-off-by: Edward Cree +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef100_nic.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef100_nic.c b/drivers/net/ethernet/sfc/ef100_nic.c +index 19fe86b3b3169..9cf5b8f8fab9a 100644 +--- a/drivers/net/ethernet/sfc/ef100_nic.c ++++ b/drivers/net/ethernet/sfc/ef100_nic.c +@@ -428,24 +428,12 @@ static int ef100_reset(struct efx_nic *efx, enum reset_type reset_type) + __clear_bit(reset_type, &efx->reset_pending); + rc = dev_open(efx->net_dev, NULL); + } else if (reset_type == RESET_TYPE_ALL) { +- /* A RESET_TYPE_ALL will cause filters to be removed, so we remove filters +- * and reprobe after reset to avoid removing filters twice +- */ +- down_write(&efx->filter_sem); +- ef100_filter_table_down(efx); +- up_write(&efx->filter_sem); + rc = efx_mcdi_reset(efx, reset_type); + if (rc) + return rc; + + netif_device_attach(efx->net_dev); + +- down_write(&efx->filter_sem); +- rc = ef100_filter_table_up(efx); +- up_write(&efx->filter_sem); +- if (rc) +- return rc; +- + rc = dev_open(efx->net_dev, NULL); + } else { + rc = 1; /* Leave the device closed */ +-- +2.25.1 + diff --git a/queue-5.9/slimbus-core-check-get_addr-before-removing-laddr-id.patch b/queue-5.9/slimbus-core-check-get_addr-before-removing-laddr-id.patch new file mode 100644 index 00000000000..55cfaa9471a --- /dev/null +++ b/queue-5.9/slimbus-core-check-get_addr-before-removing-laddr-id.patch @@ -0,0 +1,42 @@ +From 0973f7badf2ee18e7a03128637c8114fabf02d1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:18 +0100 +Subject: slimbus: core: check get_addr before removing laddr ida + +From: Srinivas Kandagatla + +[ Upstream commit f97769fde678e111a1b7b165b380d8a3dfe54f4e ] + +logical address can be either assigned by the SLIMBus controller or the core. +Core uses IDA in cases where get_addr callback is not provided by the +controller. +Core already has this check while allocating IDR, however during absence +reporting this is not checked. This patch fixes this issue. + +Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-2-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c +index ae1e248a8fb8a..58b63ae0e75a6 100644 +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -326,8 +326,8 @@ void slim_report_absent(struct slim_device *sbdev) + mutex_lock(&ctrl->lock); + sbdev->is_laddr_valid = false; + mutex_unlock(&ctrl->lock); +- +- ida_simple_remove(&ctrl->laddr_ida, sbdev->laddr); ++ if (!ctrl->get_laddr) ++ ida_simple_remove(&ctrl->laddr_ida, sbdev->laddr); + slim_device_update_status(sbdev, SLIM_DEVICE_STATUS_DOWN); + } + EXPORT_SYMBOL_GPL(slim_report_absent); +-- +2.25.1 + diff --git a/queue-5.9/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch b/queue-5.9/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch new file mode 100644 index 00000000000..11b42f6492b --- /dev/null +++ b/queue-5.9/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch @@ -0,0 +1,38 @@ +From 386f39f874ec896cb611c1f8d38046bdc9d7091f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:19 +0100 +Subject: slimbus: core: do not enter to clock pause mode in core + +From: Srinivas Kandagatla + +[ Upstream commit df2c471c4ae07e18a0396db670dca2ef867c5153 ] + +Let the controller logic decide when to enter into clock pause mode! +Entering in to pause mode during unregistration does not really make +sense as the controller is totally going down at that point in time. + +Fixes: 4b14e62ad3c9e ("slimbus: Add support for 'clock-pause' feature") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-3-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/core.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c +index 58b63ae0e75a6..1d2bc181da050 100644 +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -301,8 +301,6 @@ int slim_unregister_controller(struct slim_controller *ctrl) + { + /* Remove all clients */ + device_for_each_child(ctrl->dev, NULL, slim_ctrl_remove_device); +- /* Enter Clock Pause */ +- slim_ctrl_clk_pause(ctrl, false, 0); + ida_simple_remove(&ctrl_ida, ctrl->id); + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch b/queue-5.9/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch new file mode 100644 index 00000000000..5ac949e7b32 --- /dev/null +++ b/queue-5.9/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch @@ -0,0 +1,45 @@ +From 0cd1e2b36d4ca5b2a79889456e865bcfba72de1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:20 +0100 +Subject: slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback + +From: Srinivas Kandagatla + +[ Upstream commit 709ec3f7fc5773ac4aa6fb22c3f0ac8103c674db ] + +In QMI new server notification we enable the NGD however during +delete server notification we do not disable the NGD. + +This can lead to multiple instances of NGD being enabled, so make +sure that we disable NGD in delete server callback to fix this issue! + +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-4-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/qcom-ngd-ctrl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c +index 743ee7b4e63f2..218aefc3531cd 100644 +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1277,9 +1277,13 @@ static void qcom_slim_ngd_qmi_del_server(struct qmi_handle *hdl, + { + struct qcom_slim_ngd_qmi *qmi = + container_of(hdl, struct qcom_slim_ngd_qmi, svc_event_hdl); ++ struct qcom_slim_ngd_ctrl *ctrl = ++ container_of(qmi, struct qcom_slim_ngd_ctrl, qmi); + + qmi->svc_info.sq_node = 0; + qmi->svc_info.sq_port = 0; ++ ++ qcom_slim_ngd_enable(ctrl, false); + } + + static struct qmi_ops qcom_slim_ngd_qmi_svc_event_ops = { +-- +2.25.1 + diff --git a/queue-5.9/soc-fsl-qbman-fix-return-value-on-success.patch b/queue-5.9/soc-fsl-qbman-fix-return-value-on-success.patch new file mode 100644 index 00000000000..9f3fdd98ae9 --- /dev/null +++ b/queue-5.9/soc-fsl-qbman-fix-return-value-on-success.patch @@ -0,0 +1,38 @@ +From 9f082a54f7256672a1c038f55a53d1f7e4f8d77a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 22:26:25 +0200 +Subject: soc: fsl: qbman: Fix return value on success + +From: Krzysztof Kozlowski + +[ Upstream commit 750cf40c0f7088f36a8a5d102e0488b1ac47faf5 ] + +On error the function was meant to return -ERRNO. This also fixes +compile warning: + + drivers/soc/fsl/qbman/bman.c:640:6: warning: variable 'err' set but not used [-Wunused-but-set-variable] + +Fixes: 0505d00c8dba ("soc/fsl/qbman: Cleanup buffer pools if BMan was initialized prior to bootup") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/bman.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/fsl/qbman/bman.c b/drivers/soc/fsl/qbman/bman.c +index f4fb527d83018..c5dd026fe889f 100644 +--- a/drivers/soc/fsl/qbman/bman.c ++++ b/drivers/soc/fsl/qbman/bman.c +@@ -660,7 +660,7 @@ int bm_shutdown_pool(u32 bpid) + } + done: + put_affine_portal(); +- return 0; ++ return err; + } + + struct gen_pool *bm_bpalloc; +-- +2.25.1 + diff --git a/queue-5.9/soc-mediatek-cmdq-add-clear-option-in-cmdq_pkt_wfe-a.patch b/queue-5.9/soc-mediatek-cmdq-add-clear-option-in-cmdq_pkt_wfe-a.patch new file mode 100644 index 00000000000..2d9ad9715c7 --- /dev/null +++ b/queue-5.9/soc-mediatek-cmdq-add-clear-option-in-cmdq_pkt_wfe-a.patch @@ -0,0 +1,97 @@ +From 12a6f59a4db3d8bc51be9e5ed2ffff6caf84b907 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 23:45:13 +0800 +Subject: soc: mediatek: cmdq: add clear option in cmdq_pkt_wfe api + +From: Dennis YC Hsieh + +[ Upstream commit 23c22299cd290409c6b78f57c42b64f8dfb6dd92 ] + +Add clear parameter to let client decide if +event should be clear to 0 after GCE receive it. + +Signed-off-by: Dennis YC Hsieh +Acked-by: Chun-Kuang Hu +Link: https://lore.kernel.org/r/1594136714-11650-9-git-send-email-dennis-yc.hsieh@mediatek.com +[mb: fix commit message] +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 2 +- + drivers/soc/mediatek/mtk-cmdq-helper.c | 5 +++-- + include/linux/mailbox/mtk-cmdq-mailbox.h | 3 +-- + include/linux/soc/mediatek/mtk-cmdq.h | 5 +++-- + 4 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index 4d29568be3f53..a4977009d3076 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -481,7 +481,7 @@ static void mtk_drm_crtc_hw_config(struct mtk_drm_crtc *mtk_crtc) + mbox_flush(mtk_crtc->cmdq_client->chan, 2000); + cmdq_handle = cmdq_pkt_create(mtk_crtc->cmdq_client, PAGE_SIZE); + cmdq_pkt_clear_event(cmdq_handle, mtk_crtc->cmdq_event); +- cmdq_pkt_wfe(cmdq_handle, mtk_crtc->cmdq_event); ++ cmdq_pkt_wfe(cmdq_handle, mtk_crtc->cmdq_event, true); + mtk_crtc_ddp_config(crtc, cmdq_handle); + cmdq_pkt_finalize(cmdq_handle); + cmdq_pkt_flush_async(cmdq_handle, ddp_cmdq_cb, cmdq_handle); +diff --git a/drivers/soc/mediatek/mtk-cmdq-helper.c b/drivers/soc/mediatek/mtk-cmdq-helper.c +index dc644cfb6419e..c4609cd562ac4 100644 +--- a/drivers/soc/mediatek/mtk-cmdq-helper.c ++++ b/drivers/soc/mediatek/mtk-cmdq-helper.c +@@ -223,15 +223,16 @@ int cmdq_pkt_write_mask(struct cmdq_pkt *pkt, u8 subsys, + } + EXPORT_SYMBOL(cmdq_pkt_write_mask); + +-int cmdq_pkt_wfe(struct cmdq_pkt *pkt, u16 event) ++int cmdq_pkt_wfe(struct cmdq_pkt *pkt, u16 event, bool clear) + { + struct cmdq_instruction inst = { {0} }; ++ u32 clear_option = clear ? CMDQ_WFE_UPDATE : 0; + + if (event >= CMDQ_MAX_EVENT) + return -EINVAL; + + inst.op = CMDQ_CODE_WFE; +- inst.value = CMDQ_WFE_OPTION; ++ inst.value = CMDQ_WFE_OPTION | clear_option; + inst.event = event; + + return cmdq_pkt_append_command(pkt, inst); +diff --git a/include/linux/mailbox/mtk-cmdq-mailbox.h b/include/linux/mailbox/mtk-cmdq-mailbox.h +index 05eea1aef5aa0..ea35157974187 100644 +--- a/include/linux/mailbox/mtk-cmdq-mailbox.h ++++ b/include/linux/mailbox/mtk-cmdq-mailbox.h +@@ -28,8 +28,7 @@ + * bit 16-27: update value + * bit 31: 1 - update, 0 - no update + */ +-#define CMDQ_WFE_OPTION (CMDQ_WFE_UPDATE | CMDQ_WFE_WAIT | \ +- CMDQ_WFE_WAIT_VALUE) ++#define CMDQ_WFE_OPTION (CMDQ_WFE_WAIT | CMDQ_WFE_WAIT_VALUE) + + /** cmdq event maximum */ + #define CMDQ_MAX_EVENT 0x3ff +diff --git a/include/linux/soc/mediatek/mtk-cmdq.h b/include/linux/soc/mediatek/mtk-cmdq.h +index 2249ecaf77e42..76a3075077533 100644 +--- a/include/linux/soc/mediatek/mtk-cmdq.h ++++ b/include/linux/soc/mediatek/mtk-cmdq.h +@@ -105,11 +105,12 @@ int cmdq_pkt_write_mask(struct cmdq_pkt *pkt, u8 subsys, + /** + * cmdq_pkt_wfe() - append wait for event command to the CMDQ packet + * @pkt: the CMDQ packet +- * @event: the desired event type to "wait and CLEAR" ++ * @event: the desired event type to wait ++ * @clear: clear event or not after event arrive + * + * Return: 0 for success; else the error code is returned + */ +-int cmdq_pkt_wfe(struct cmdq_pkt *pkt, u16 event); ++int cmdq_pkt_wfe(struct cmdq_pkt *pkt, u16 event, bool clear); + + /** + * cmdq_pkt_clear_event() - append clear event command to the CMDQ packet +-- +2.25.1 + diff --git a/queue-5.9/soc-qcom-apr-fixup-the-error-displayed-on-lookup-fai.patch b/queue-5.9/soc-qcom-apr-fixup-the-error-displayed-on-lookup-fai.patch new file mode 100644 index 00000000000..f041f3d43da --- /dev/null +++ b/queue-5.9/soc-qcom-apr-fixup-the-error-displayed-on-lookup-fai.patch @@ -0,0 +1,37 @@ +From 646f5d3b8ff8e0b966d7326d121a7d390bbea40b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 21:12:32 +0530 +Subject: soc: qcom: apr: Fixup the error displayed on lookup failure + +From: Sibi Sankar + +[ Upstream commit ba34f977c333f96c8acd37ec30e232220399f5a5 ] + +APR client incorrectly prints out "ret" variable on pdr_add_lookup failure, +it should be printing the error value returned by the lookup instead. + +Fixes: 8347356626028 ("soc: qcom: apr: Add avs/audio tracking functionality") +Signed-off-by: Sibi Sankar +Link: https://lore.kernel.org/r/20200915154232.27523-1-sibis@codeaurora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/apr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c +index 1f35b097c6356..7abfc8c4fdc72 100644 +--- a/drivers/soc/qcom/apr.c ++++ b/drivers/soc/qcom/apr.c +@@ -328,7 +328,7 @@ static int of_apr_add_pd_lookups(struct device *dev) + + pds = pdr_add_lookup(apr->pdr, service_name, service_path); + if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) { +- dev_err(dev, "pdr add lookup failed: %d\n", ret); ++ dev_err(dev, "pdr add lookup failed: %ld\n", PTR_ERR(pds)); + return PTR_ERR(pds); + } + } +-- +2.25.1 + diff --git a/queue-5.9/soc-qcom-pdr-fixup-array-type-of-get_domain_list_res.patch b/queue-5.9/soc-qcom-pdr-fixup-array-type-of-get_domain_list_res.patch new file mode 100644 index 00000000000..0134954c974 --- /dev/null +++ b/queue-5.9/soc-qcom-pdr-fixup-array-type-of-get_domain_list_res.patch @@ -0,0 +1,47 @@ +From b595f2614c46779fa1994513339aa73b9035b763 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 20:28:07 +0530 +Subject: soc: qcom: pdr: Fixup array type of get_domain_list_resp message + +From: Sibi Sankar + +[ Upstream commit 7a366707bb6a93baeb1a9ef46c4b9c875e0132d6 ] + +The array type of get_domain_list_resp is incorrectly marked as NO_ARRAY. +Due to which the following error was observed when using pdr helpers with +the downstream proprietary pd-mapper. Fix this up by marking it as +VAR_LEN_ARRAY instead. + +Err logs: +qmi_decode_struct_elem: Fault in decoding: dl(2), db(27), tl(160), i(1), el(1) +failed to decode incoming message +PDR: tms/servreg get domain list txn wait failed: -14 +PDR: service lookup for tms/servreg failed: -14 + +Tested-by: Rishabh Bhatnagar +Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers") +Reported-by: Rishabh Bhatnagar +Signed-off-by: Sibi Sankar +Link: https://lore.kernel.org/r/20200914145807.1224-1-sibis@codeaurora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/pdr_internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/pdr_internal.h b/drivers/soc/qcom/pdr_internal.h +index 15b5002e4127b..ab9ae8cdfa54c 100644 +--- a/drivers/soc/qcom/pdr_internal.h ++++ b/drivers/soc/qcom/pdr_internal.h +@@ -185,7 +185,7 @@ struct qmi_elem_info servreg_get_domain_list_resp_ei[] = { + .data_type = QMI_STRUCT, + .elem_len = SERVREG_DOMAIN_LIST_LENGTH, + .elem_size = sizeof(struct servreg_location_entry), +- .array_type = NO_ARRAY, ++ .array_type = VAR_LEN_ARRAY, + .tlv_type = 0x12, + .offset = offsetof(struct servreg_get_domain_list_resp, + domain_list), +-- +2.25.1 + diff --git a/queue-5.9/soc-xilinx-fix-error-code-in-zynqmp_pm_probe.patch b/queue-5.9/soc-xilinx-fix-error-code-in-zynqmp_pm_probe.patch new file mode 100644 index 00000000000..7fc093150b3 --- /dev/null +++ b/queue-5.9/soc-xilinx-fix-error-code-in-zynqmp_pm_probe.patch @@ -0,0 +1,37 @@ +From cce95255ed6fa3eed0ffa6881cb1dddc14f989e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 14:00:20 +0300 +Subject: soc: xilinx: Fix error code in zynqmp_pm_probe() + +From: Dan Carpenter + +[ Upstream commit a6f2f0fdc73aacc6e10ae48ae78634dba26702d4 ] + +This should be returning PTR_ERR() but it returns IS_ERR() instead. + +Fixes: ffdbae28d9d1 ("drivers: soc: xilinx: Use mailbox IPI callback") +Signed-off-by: Dan Carpenter +Reviewed-by: Michal Simek +Signed-off-by: Michal Simek +Link: https://lore.kernel.org/r/20200605110020.GA978434@mwanda +Signed-off-by: Sasha Levin +--- + drivers/soc/xilinx/zynqmp_power.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c +index 31ff49fcd078b..c556623dae024 100644 +--- a/drivers/soc/xilinx/zynqmp_power.c ++++ b/drivers/soc/xilinx/zynqmp_power.c +@@ -205,7 +205,7 @@ static int zynqmp_pm_probe(struct platform_device *pdev) + rx_chan = mbox_request_channel_byname(client, "rx"); + if (IS_ERR(rx_chan)) { + dev_err(&pdev->dev, "Failed to request rx channel\n"); +- return IS_ERR(rx_chan); ++ return PTR_ERR(rx_chan); + } + } else if (of_find_property(pdev->dev.of_node, "interrupts", NULL)) { + irq = platform_get_irq(pdev, 0); +-- +2.25.1 + diff --git a/queue-5.9/soundwire-cadence-fix-race-condition-between-suspend.patch b/queue-5.9/soundwire-cadence-fix-race-condition-between-suspend.patch new file mode 100644 index 00000000000..74812749d02 --- /dev/null +++ b/queue-5.9/soundwire-cadence-fix-race-condition-between-suspend.patch @@ -0,0 +1,95 @@ +From a2912f760b3adb4fec7893191fb8d1d950c2cd72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 06:23:40 +0800 +Subject: soundwire: cadence: fix race condition between suspend and Slave + device alerts + +From: Pierre-Louis Bossart + +[ Upstream commit d2068da5c85697b5880483dd7beaba98e0b62e02 ] + +In system suspend stress cases, the SOF CI reports timeouts. The root +cause is that an alert is generated while the system suspends. The +interrupt handling generates transactions on the bus that will never +be handled because the interrupts are disabled in parallel. + +As a result, the transaction never completes and times out on resume. +This error doesn't seem too problematic since it happens in a work +queue, and the system recovers without issues. + +Nevertheless, this race condition should not happen. When doing a +system suspend, or when disabling interrupts, we should make sure the +current transaction can complete, and prevent new work from being +queued. + +BugLink: https://github.com/thesofproject/linux/issues/2344 +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Rander Wang +Signed-off-by: Bard Liao +Acked-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20200817222340.18042-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/cadence_master.c | 24 +++++++++++++++++++++++- + drivers/soundwire/cadence_master.h | 1 + + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c +index 24eafe0aa1c3e..1330ffc475960 100644 +--- a/drivers/soundwire/cadence_master.c ++++ b/drivers/soundwire/cadence_master.c +@@ -791,7 +791,16 @@ irqreturn_t sdw_cdns_irq(int irq, void *dev_id) + CDNS_MCP_INT_SLAVE_MASK, 0); + + int_status &= ~CDNS_MCP_INT_SLAVE_MASK; +- schedule_work(&cdns->work); ++ ++ /* ++ * Deal with possible race condition between interrupt ++ * handling and disabling interrupts on suspend. ++ * ++ * If the master is in the process of disabling ++ * interrupts, don't schedule a workqueue ++ */ ++ if (cdns->interrupt_enabled) ++ schedule_work(&cdns->work); + } + + cdns_writel(cdns, CDNS_MCP_INTSTAT, int_status); +@@ -924,6 +933,19 @@ int sdw_cdns_enable_interrupt(struct sdw_cdns *cdns, bool state) + slave_state = cdns_readl(cdns, CDNS_MCP_SLAVE_INTSTAT1); + cdns_writel(cdns, CDNS_MCP_SLAVE_INTSTAT1, slave_state); + } ++ cdns->interrupt_enabled = state; ++ ++ /* ++ * Complete any on-going status updates before updating masks, ++ * and cancel queued status updates. ++ * ++ * There could be a race with a new interrupt thrown before ++ * the 3 mask updates below are complete, so in the interrupt ++ * we use the 'interrupt_enabled' status to prevent new work ++ * from being queued. ++ */ ++ if (!state) ++ cancel_work_sync(&cdns->work); + + cdns_writel(cdns, CDNS_MCP_SLAVE_INTMASK0, slave_intmask0); + cdns_writel(cdns, CDNS_MCP_SLAVE_INTMASK1, slave_intmask1); +diff --git a/drivers/soundwire/cadence_master.h b/drivers/soundwire/cadence_master.h +index 7638858397df9..15b0834030866 100644 +--- a/drivers/soundwire/cadence_master.h ++++ b/drivers/soundwire/cadence_master.h +@@ -129,6 +129,7 @@ struct sdw_cdns { + + bool link_up; + unsigned int msg_count; ++ bool interrupt_enabled; + + struct work_struct work; + +-- +2.25.1 + diff --git a/queue-5.9/soundwire-intel-fix-null-err_ptr-confusion.patch b/queue-5.9/soundwire-intel-fix-null-err_ptr-confusion.patch new file mode 100644 index 00000000000..176bd40df0f --- /dev/null +++ b/queue-5.9/soundwire-intel-fix-null-err_ptr-confusion.patch @@ -0,0 +1,40 @@ +From f27486227d7cc1d16b3677158de06c409a1a4bd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 04:47:37 +0800 +Subject: soundwire: intel: fix NULL/ERR_PTR confusion + +From: Pierre-Louis Bossart + +[ Upstream commit 06dcb4e443643db93b286f861133785ca46f5a19 ] + +snd_soc_dai_get_sdw_stream() can only return the pointer to stream or +an ERR_PTR value, NULL is not a possible value. + +Fixes: 09553140c8d7b ('soundwire: intel: implement get_sdw_stream() operations') +Reported-by: Bard Liao +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Rander Wang +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20200903204739.31206-3-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c +index a283670659a92..10ff166977f8f 100644 +--- a/drivers/soundwire/intel.c ++++ b/drivers/soundwire/intel.c +@@ -1011,7 +1011,7 @@ static void *intel_get_sdw_stream(struct snd_soc_dai *dai, + dma = dai->capture_dma_data; + + if (!dma) +- return NULL; ++ return ERR_PTR(-EINVAL); + + return dma->stream; + } +-- +2.25.1 + diff --git a/queue-5.9/soundwire-intel-reinitialize-ip-dsp-in-.prepare-but-.patch b/queue-5.9/soundwire-intel-reinitialize-ip-dsp-in-.prepare-but-.patch new file mode 100644 index 00000000000..fd84b979c94 --- /dev/null +++ b/queue-5.9/soundwire-intel-reinitialize-ip-dsp-in-.prepare-but-.patch @@ -0,0 +1,177 @@ +From 6cc5ef61e4c52658bc40f9d43e12bd199ed1f724 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 23:29:16 +0800 +Subject: soundwire: intel: reinitialize IP+DSP in .prepare(), but only when + resuming + +From: Bard Liao + +[ Upstream commit a5a0239c27fe1125826c5cad4dec9cd1fd960d4a ] + +The .prepare() callback is invoked for normal streaming, underflows or +during the system resume transition. In the latter case, the context +for the ALH PDIs is lost, and the DSP is not initialized properly +either, but the bus parameters don't need to be recomputed. + +Conversely, when doing a regular .prepare() during an underflow, the +ALH/SHIM registers shall not be changed as the hardware cannot be +reprogrammed after the DMA started (hardware spec requirement). + +This patch adds storage of PDI and hw_params in the DAI dma context, +and the difference between the types of .prepare() usages is handled +via a simple boolean, updated when suspending, and tested for in the +.prepare() case. + +Signed-off-by: Bard Liao +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20200817152923.3259-6-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/cadence_master.h | 4 ++ + drivers/soundwire/intel.c | 71 +++++++++++++++++++++++++++++- + 2 files changed, 74 insertions(+), 1 deletion(-) + +diff --git a/drivers/soundwire/cadence_master.h b/drivers/soundwire/cadence_master.h +index 15b0834030866..4d1aab5b5ec2d 100644 +--- a/drivers/soundwire/cadence_master.h ++++ b/drivers/soundwire/cadence_master.h +@@ -84,6 +84,8 @@ struct sdw_cdns_stream_config { + * @bus: Bus handle + * @stream_type: Stream type + * @link_id: Master link id ++ * @hw_params: hw_params to be applied in .prepare step ++ * @suspended: status set when suspended, to be used in .prepare + */ + struct sdw_cdns_dma_data { + char *name; +@@ -92,6 +94,8 @@ struct sdw_cdns_dma_data { + struct sdw_bus *bus; + enum sdw_stream_type stream_type; + int link_id; ++ struct snd_pcm_hw_params *hw_params; ++ bool suspended; + }; + + /** +diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c +index 10ff166977f8f..50b9bad8fba7f 100644 +--- a/drivers/soundwire/intel.c ++++ b/drivers/soundwire/intel.c +@@ -856,6 +856,10 @@ static int intel_hw_params(struct snd_pcm_substream *substream, + intel_pdi_alh_configure(sdw, pdi); + sdw_cdns_config_stream(cdns, ch, dir, pdi); + ++ /* store pdi and hw_params, may be needed in prepare step */ ++ dma->suspended = false; ++ dma->pdi = pdi; ++ dma->hw_params = params; + + /* Inform DSP about PDI stream number */ + ret = intel_params_stream(sdw, substream, dai, params, +@@ -899,7 +903,11 @@ static int intel_hw_params(struct snd_pcm_substream *substream, + static int intel_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { ++ struct sdw_cdns *cdns = snd_soc_dai_get_drvdata(dai); ++ struct sdw_intel *sdw = cdns_to_intel(cdns); + struct sdw_cdns_dma_data *dma; ++ int ch, dir; ++ int ret; + + dma = snd_soc_dai_get_dma_data(dai, substream); + if (!dma) { +@@ -908,7 +916,41 @@ static int intel_prepare(struct snd_pcm_substream *substream, + return -EIO; + } + +- return sdw_prepare_stream(dma->stream); ++ if (dma->suspended) { ++ dma->suspended = false; ++ ++ /* ++ * .prepare() is called after system resume, where we ++ * need to reinitialize the SHIM/ALH/Cadence IP. ++ * .prepare() is also called to deal with underflows, ++ * but in those cases we cannot touch ALH/SHIM ++ * registers ++ */ ++ ++ /* configure stream */ ++ ch = params_channels(dma->hw_params); ++ if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) ++ dir = SDW_DATA_DIR_RX; ++ else ++ dir = SDW_DATA_DIR_TX; ++ ++ intel_pdi_shim_configure(sdw, dma->pdi); ++ intel_pdi_alh_configure(sdw, dma->pdi); ++ sdw_cdns_config_stream(cdns, ch, dir, dma->pdi); ++ ++ /* Inform DSP about PDI stream number */ ++ ret = intel_params_stream(sdw, substream, dai, ++ dma->hw_params, ++ sdw->instance, ++ dma->pdi->intel_alh_id); ++ if (ret) ++ goto err; ++ } ++ ++ ret = sdw_prepare_stream(dma->stream); ++ ++err: ++ return ret; + } + + static int intel_trigger(struct snd_pcm_substream *substream, int cmd, +@@ -979,6 +1021,9 @@ intel_hw_free(struct snd_pcm_substream *substream, struct snd_soc_dai *dai) + return ret; + } + ++ dma->hw_params = NULL; ++ dma->pdi = NULL; ++ + return 0; + } + +@@ -988,6 +1033,29 @@ static void intel_shutdown(struct snd_pcm_substream *substream, + + } + ++static int intel_component_dais_suspend(struct snd_soc_component *component) ++{ ++ struct sdw_cdns_dma_data *dma; ++ struct snd_soc_dai *dai; ++ ++ for_each_component_dais(component, dai) { ++ /* ++ * we don't have a .suspend dai_ops, and we don't have access ++ * to the substream, so let's mark both capture and playback ++ * DMA contexts as suspended ++ */ ++ dma = dai->playback_dma_data; ++ if (dma) ++ dma->suspended = true; ++ ++ dma = dai->capture_dma_data; ++ if (dma) ++ dma->suspended = true; ++ } ++ ++ return 0; ++} ++ + static int intel_pcm_set_sdw_stream(struct snd_soc_dai *dai, + void *stream, int direction) + { +@@ -1040,6 +1108,7 @@ static const struct snd_soc_dai_ops intel_pdm_dai_ops = { + + static const struct snd_soc_component_driver dai_component = { + .name = "soundwire", ++ .suspend = intel_component_dais_suspend + }; + + static int intel_create_dai(struct sdw_cdns *cdns, +-- +2.25.1 + diff --git a/queue-5.9/soundwire-stream-fix-null-is_err-confusion.patch b/queue-5.9/soundwire-stream-fix-null-is_err-confusion.patch new file mode 100644 index 00000000000..6ff39f7a0d3 --- /dev/null +++ b/queue-5.9/soundwire-stream-fix-null-is_err-confusion.patch @@ -0,0 +1,40 @@ +From e7a7091cdb185779e75cfc7a8bc2981e64142292 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 04:47:36 +0800 +Subject: soundwire: stream: fix NULL/IS_ERR confusion + +From: Pierre-Louis Bossart + +[ Upstream commit 3471d2a192bace106e4da7bcdcdd5ebcca4267d2 ] + +snd_soc_dai_get_sdw_stream() can only return -ENOTSUPP or the stream, +NULL is not a possible value. + +Fixes: 4550569bd779f ('soundwire: stream: add helper to startup/shutdown streams') +Reported-by: Bard Liao +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Rander Wang +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20200903204739.31206-2-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c +index 6e36deb505b1e..610957f82b39c 100644 +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -1913,7 +1913,7 @@ void sdw_shutdown_stream(void *sdw_substream) + + sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream); + +- if (!sdw_stream) { ++ if (IS_ERR(sdw_stream)) { + dev_err(rtd->dev, "no stream found for DAI %s", dai->name); + return; + } +-- +2.25.1 + diff --git a/queue-5.9/spi-dw-pci-free-previously-allocated-irqs-if-desc-se.patch b/queue-5.9/spi-dw-pci-free-previously-allocated-irqs-if-desc-se.patch new file mode 100644 index 00000000000..a72548e4511 --- /dev/null +++ b/queue-5.9/spi-dw-pci-free-previously-allocated-irqs-if-desc-se.patch @@ -0,0 +1,65 @@ +From 4a4b576372ed991075d912fae06da888776ea267 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:22:49 +0800 +Subject: spi: dw-pci: free previously allocated IRQs if desc->setup() fails + +From: Jay Fang + +[ Upstream commit 9599f341889c87e56bb944659c32490d05e2532f ] + +Free previously allocated IRQs when return an error code of desc->setup() +which is not always successful. And simplify the code by adding a goto +label. + +Fixes: 8f5c285f3ef5 ("SPI: designware: pci: Switch over to MSI interrupts") +CC: Felipe Balbi +Signed-off-by: Jay Fang +Link: https://lore.kernel.org/r/1600132969-53037-1-git-send-email-f.fangjian@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-pci.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/spi/spi-dw-pci.c b/drivers/spi/spi-dw-pci.c +index 2ea73809ca345..271839a8add0e 100644 +--- a/drivers/spi/spi-dw-pci.c ++++ b/drivers/spi/spi-dw-pci.c +@@ -127,18 +127,16 @@ static int spi_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (desc->setup) { + ret = desc->setup(dws); + if (ret) +- return ret; ++ goto err_free_irq_vectors; + } + } else { +- pci_free_irq_vectors(pdev); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_free_irq_vectors; + } + + ret = dw_spi_add_host(&pdev->dev, dws); +- if (ret) { +- pci_free_irq_vectors(pdev); +- return ret; +- } ++ if (ret) ++ goto err_free_irq_vectors; + + /* PCI hook and SPI hook use the same drv data */ + pci_set_drvdata(pdev, dws); +@@ -152,6 +150,10 @@ static int spi_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + pm_runtime_allow(&pdev->dev); + + return 0; ++ ++err_free_irq_vectors: ++ pci_free_irq_vectors(pdev); ++ return ret; + } + + static void spi_pci_remove(struct pci_dev *pdev) +-- +2.25.1 + diff --git a/queue-5.9/spi-fsi-fix-clock-running-too-fast.patch b/queue-5.9/spi-fsi-fix-clock-running-too-fast.patch new file mode 100644 index 00000000000..fb6447445ef --- /dev/null +++ b/queue-5.9/spi-fsi-fix-clock-running-too-fast.patch @@ -0,0 +1,42 @@ +From 66ff1e91d53cbc66f4d045d69372097e7e863049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 17:28:53 -0500 +Subject: spi: fsi: Fix clock running too fast + +From: Brad Bishop + +[ Upstream commit 0b546bbe9474ff23e6843916ad6d567f703b2396 ] + +Use a clock divider tuned to a 200MHz FSI bus frequency (the maximum). Use +of the previous divider at 200MHz results in corrupt data from endpoint +devices. Ideally the clock divider would be calculated from the FSI clock, +but that would require some significant work on the FSI driver. With FSI +frequencies slower than 200MHz, the SPI clock will simply run slower, but +safely. + +Signed-off-by: Brad Bishop +Signed-off-by: Eddie James +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20200909222857.28653-3-eajames@linux.ibm.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-fsi.c b/drivers/spi/spi-fsi.c +index ef5e0826a53c3..a702e9d7d68c0 100644 +--- a/drivers/spi/spi-fsi.c ++++ b/drivers/spi/spi-fsi.c +@@ -403,7 +403,7 @@ static int fsi_spi_transfer_init(struct fsi_spi *ctx) + u64 status = 0ULL; + u64 wanted_clock_cfg = SPI_FSI_CLOCK_CFG_ECC_DISABLE | + SPI_FSI_CLOCK_CFG_SCK_NO_DEL | +- FIELD_PREP(SPI_FSI_CLOCK_CFG_SCK_DIV, 4); ++ FIELD_PREP(SPI_FSI_CLOCK_CFG_SCK_DIV, 19); + + end = jiffies + msecs_to_jiffies(SPI_FSI_INIT_TIMEOUT_MS); + do { +-- +2.25.1 + diff --git a/queue-5.9/spi-fsi-fix-use-of-the-bneq-sequencer-instruction.patch b/queue-5.9/spi-fsi-fix-use-of-the-bneq-sequencer-instruction.patch new file mode 100644 index 00000000000..b3539370f84 --- /dev/null +++ b/queue-5.9/spi-fsi-fix-use-of-the-bneq-sequencer-instruction.patch @@ -0,0 +1,109 @@ +From d64df1fe71bf5b2ed463534fd55639fe2cee1f53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 17:28:54 -0500 +Subject: spi: fsi: Fix use of the bneq+ sequencer instruction + +From: Brad Bishop + +[ Upstream commit 7909eebb2bea7fdbb2de0aa794cf29843761ed5b ] + +All of the switches in N2_count_control in the counter configuration are +required to make the branch if not equal and increment command work. +Set them when using bneq+. + +A side effect of this mode requires a dummy write to TDR when both +transmitting and receiving otherwise the controller won't start shifting +receive data. + +It is likely not possible to avoid TDR underrun errors in this mode and +they are harmless, so do not check for them. + +Fixes: bbb6b2f9865b ("spi: Add FSI-attached SPI controller driver") +Signed-off-by: Brad Bishop +Signed-off-by: Eddie James +Reviewed-by: Joel Stanley +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20200909222857.28653-4-eajames@linux.ibm.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsi.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-fsi.c b/drivers/spi/spi-fsi.c +index 8f64af0140e09..bb18b407cdcf3 100644 +--- a/drivers/spi/spi-fsi.c ++++ b/drivers/spi/spi-fsi.c +@@ -29,6 +29,10 @@ + #define SPI_FSI_ERROR 0x0 + #define SPI_FSI_COUNTER_CFG 0x1 + #define SPI_FSI_COUNTER_CFG_LOOPS(x) (((u64)(x) & 0xffULL) << 32) ++#define SPI_FSI_COUNTER_CFG_N2_RX BIT_ULL(8) ++#define SPI_FSI_COUNTER_CFG_N2_TX BIT_ULL(9) ++#define SPI_FSI_COUNTER_CFG_N2_IMPLICIT BIT_ULL(10) ++#define SPI_FSI_COUNTER_CFG_N2_RELOAD BIT_ULL(11) + #define SPI_FSI_CFG1 0x2 + #define SPI_FSI_CLOCK_CFG 0x3 + #define SPI_FSI_CLOCK_CFG_MM_ENABLE BIT_ULL(32) +@@ -61,7 +65,7 @@ + #define SPI_FSI_STATUS_RDR_OVERRUN BIT_ULL(62) + #define SPI_FSI_STATUS_RDR_FULL BIT_ULL(63) + #define SPI_FSI_STATUS_ANY_ERROR \ +- (SPI_FSI_STATUS_ERROR | SPI_FSI_STATUS_TDR_UNDERRUN | \ ++ (SPI_FSI_STATUS_ERROR | \ + SPI_FSI_STATUS_TDR_OVERRUN | SPI_FSI_STATUS_RDR_UNDERRUN | \ + SPI_FSI_STATUS_RDR_OVERRUN) + #define SPI_FSI_PORT_CTRL 0x9 +@@ -238,6 +242,7 @@ static int fsi_spi_sequence_transfer(struct fsi_spi *ctx, + int rc; + u8 len = min(transfer->len, 8U); + u8 rem = transfer->len % len; ++ u64 cfg = 0ULL; + + loops = transfer->len / len; + +@@ -258,8 +263,14 @@ static int fsi_spi_sequence_transfer(struct fsi_spi *ctx, + if (loops > 1) { + fsi_spi_sequence_add(seq, SPI_FSI_SEQUENCE_BRANCH(idx)); + +- rc = fsi_spi_write_reg(ctx, SPI_FSI_COUNTER_CFG, +- SPI_FSI_COUNTER_CFG_LOOPS(loops - 1)); ++ cfg = SPI_FSI_COUNTER_CFG_LOOPS(loops - 1); ++ if (transfer->rx_buf) ++ cfg |= SPI_FSI_COUNTER_CFG_N2_RX | ++ SPI_FSI_COUNTER_CFG_N2_TX | ++ SPI_FSI_COUNTER_CFG_N2_IMPLICIT | ++ SPI_FSI_COUNTER_CFG_N2_RELOAD; ++ ++ rc = fsi_spi_write_reg(ctx, SPI_FSI_COUNTER_CFG, cfg); + if (rc) + return rc; + } +@@ -275,6 +286,7 @@ static int fsi_spi_transfer_data(struct fsi_spi *ctx, + { + int rc = 0; + u64 status = 0ULL; ++ u64 cfg = 0ULL; + + if (transfer->tx_buf) { + int nb; +@@ -312,6 +324,16 @@ static int fsi_spi_transfer_data(struct fsi_spi *ctx, + u64 in = 0ULL; + u8 *rx = transfer->rx_buf; + ++ rc = fsi_spi_read_reg(ctx, SPI_FSI_COUNTER_CFG, &cfg); ++ if (rc) ++ return rc; ++ ++ if (cfg & SPI_FSI_COUNTER_CFG_N2_IMPLICIT) { ++ rc = fsi_spi_write_reg(ctx, SPI_FSI_DATA_TX, 0); ++ if (rc) ++ return rc; ++ } ++ + while (transfer->len > recv) { + do { + rc = fsi_spi_read_reg(ctx, SPI_FSI_STATUS, +-- +2.25.1 + diff --git a/queue-5.9/spi-fsi-handle-9-to-15-byte-transfers-lengths.patch b/queue-5.9/spi-fsi-handle-9-to-15-byte-transfers-lengths.patch new file mode 100644 index 00000000000..02063ae024e --- /dev/null +++ b/queue-5.9/spi-fsi-handle-9-to-15-byte-transfers-lengths.patch @@ -0,0 +1,50 @@ +From 69a69fcd03fb3c5b11bddd127b4972595474f723 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 17:28:52 -0500 +Subject: spi: fsi: Handle 9 to 15 byte transfers lengths + +From: Brad Bishop + +[ Upstream commit 2b3cef0fc757bd06ed9b83bd4c436bfa55f47370 ] + +The trailing - 8 bytes of transfer data in this size range is no +longer ignored. + +Fixes: bbb6b2f9865b ("spi: Add FSI-attached SPI controller driver") +Signed-off-by: Brad Bishop +Signed-off-by: Eddie James +Reviewed-by: Joel Stanley +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20200909222857.28653-2-eajames@linux.ibm.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-fsi.c b/drivers/spi/spi-fsi.c +index 37a3e0f8e7526..8f64af0140e09 100644 +--- a/drivers/spi/spi-fsi.c ++++ b/drivers/spi/spi-fsi.c +@@ -258,15 +258,15 @@ static int fsi_spi_sequence_transfer(struct fsi_spi *ctx, + if (loops > 1) { + fsi_spi_sequence_add(seq, SPI_FSI_SEQUENCE_BRANCH(idx)); + +- if (rem) +- fsi_spi_sequence_add(seq, rem); +- + rc = fsi_spi_write_reg(ctx, SPI_FSI_COUNTER_CFG, + SPI_FSI_COUNTER_CFG_LOOPS(loops - 1)); + if (rc) + return rc; + } + ++ if (rem) ++ fsi_spi_sequence_add(seq, rem); ++ + return 0; + } + +-- +2.25.1 + diff --git a/queue-5.9/spi-fsi-implement-restricted-size-for-certain-contro.patch b/queue-5.9/spi-fsi-implement-restricted-size-for-certain-contro.patch new file mode 100644 index 00000000000..d8b5e12967a --- /dev/null +++ b/queue-5.9/spi-fsi-implement-restricted-size-for-certain-contro.patch @@ -0,0 +1,190 @@ +From 1130cadff9b5f3c56b34cc91a2f6f2d7c861c4a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 17:28:56 -0500 +Subject: spi: fsi: Implement restricted size for certain controllers + +From: Eddie James + +[ Upstream commit 49c9fc1d7c101eceaddb655e4f0e062b0c8f403b ] + +Some of the FSI-attached SPI controllers cannot use the loop command in +programming the sequencer due to security requirements. Check the +devicetree compatibility that indicates this condition and restrict the +size for these controllers. Also, add more transfers directly in the +sequence up to the length of the sequence register. + +Fixes: bbb6b2f9865b ("spi: Add FSI-attached SPI controller driver") +Signed-off-by: Eddie James +Reviewed-by: Joel Stanley +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20200909222857.28653-6-eajames@linux.ibm.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsi.c | 65 +++++++++++++++++++++++++++++++++++-------- + 1 file changed, 53 insertions(+), 12 deletions(-) + +diff --git a/drivers/spi/spi-fsi.c b/drivers/spi/spi-fsi.c +index bb18b407cdcf3..ef5e0826a53c3 100644 +--- a/drivers/spi/spi-fsi.c ++++ b/drivers/spi/spi-fsi.c +@@ -24,7 +24,8 @@ + + #define SPI_FSI_BASE 0x70000 + #define SPI_FSI_INIT_TIMEOUT_MS 1000 +-#define SPI_FSI_MAX_TRANSFER_SIZE 2048 ++#define SPI_FSI_MAX_XFR_SIZE 2048 ++#define SPI_FSI_MAX_XFR_SIZE_RESTRICTED 32 + + #define SPI_FSI_ERROR 0x0 + #define SPI_FSI_COUNTER_CFG 0x1 +@@ -74,6 +75,8 @@ struct fsi_spi { + struct device *dev; /* SPI controller device */ + struct fsi_device *fsi; /* FSI2SPI CFAM engine device */ + u32 base; ++ size_t max_xfr_size; ++ bool restricted; + }; + + struct fsi_spi_sequence { +@@ -209,8 +212,12 @@ static int fsi_spi_reset(struct fsi_spi *ctx) + if (rc) + return rc; + +- return fsi_spi_write_reg(ctx, SPI_FSI_CLOCK_CFG, +- SPI_FSI_CLOCK_CFG_RESET2); ++ rc = fsi_spi_write_reg(ctx, SPI_FSI_CLOCK_CFG, ++ SPI_FSI_CLOCK_CFG_RESET2); ++ if (rc) ++ return rc; ++ ++ return fsi_spi_write_reg(ctx, SPI_FSI_STATUS, 0ULL); + } + + static int fsi_spi_sequence_add(struct fsi_spi_sequence *seq, u8 val) +@@ -218,8 +225,8 @@ static int fsi_spi_sequence_add(struct fsi_spi_sequence *seq, u8 val) + /* + * Add the next byte of instruction to the 8-byte sequence register. + * Then decrement the counter so that the next instruction will go in +- * the right place. Return the number of "slots" left in the sequence +- * register. ++ * the right place. Return the index of the slot we just filled in the ++ * sequence register. + */ + seq->data |= (u64)val << seq->bit; + seq->bit -= 8; +@@ -237,9 +244,11 @@ static int fsi_spi_sequence_transfer(struct fsi_spi *ctx, + struct fsi_spi_sequence *seq, + struct spi_transfer *transfer) + { ++ bool docfg = false; + int loops; + int idx; + int rc; ++ u8 val = 0; + u8 len = min(transfer->len, 8U); + u8 rem = transfer->len % len; + u64 cfg = 0ULL; +@@ -247,22 +256,42 @@ static int fsi_spi_sequence_transfer(struct fsi_spi *ctx, + loops = transfer->len / len; + + if (transfer->tx_buf) { +- idx = fsi_spi_sequence_add(seq, +- SPI_FSI_SEQUENCE_SHIFT_OUT(len)); ++ val = SPI_FSI_SEQUENCE_SHIFT_OUT(len); ++ idx = fsi_spi_sequence_add(seq, val); ++ + if (rem) + rem = SPI_FSI_SEQUENCE_SHIFT_OUT(rem); + } else if (transfer->rx_buf) { +- idx = fsi_spi_sequence_add(seq, +- SPI_FSI_SEQUENCE_SHIFT_IN(len)); ++ val = SPI_FSI_SEQUENCE_SHIFT_IN(len); ++ idx = fsi_spi_sequence_add(seq, val); ++ + if (rem) + rem = SPI_FSI_SEQUENCE_SHIFT_IN(rem); + } else { + return -EINVAL; + } + ++ if (ctx->restricted) { ++ const int eidx = rem ? 5 : 6; ++ ++ while (loops > 1 && idx <= eidx) { ++ idx = fsi_spi_sequence_add(seq, val); ++ loops--; ++ docfg = true; ++ } ++ ++ if (loops > 1) { ++ dev_warn(ctx->dev, "No sequencer slots; aborting.\n"); ++ return -EINVAL; ++ } ++ } ++ + if (loops > 1) { + fsi_spi_sequence_add(seq, SPI_FSI_SEQUENCE_BRANCH(idx)); ++ docfg = true; ++ } + ++ if (docfg) { + cfg = SPI_FSI_COUNTER_CFG_LOOPS(loops - 1); + if (transfer->rx_buf) + cfg |= SPI_FSI_COUNTER_CFG_N2_RX | +@@ -273,6 +302,8 @@ static int fsi_spi_sequence_transfer(struct fsi_spi *ctx, + rc = fsi_spi_write_reg(ctx, SPI_FSI_COUNTER_CFG, cfg); + if (rc) + return rc; ++ } else { ++ fsi_spi_write_reg(ctx, SPI_FSI_COUNTER_CFG, 0ULL); + } + + if (rem) +@@ -429,7 +460,7 @@ static int fsi_spi_transfer_one_message(struct spi_controller *ctlr, + + /* Sequencer must do shift out (tx) first. */ + if (!transfer->tx_buf || +- transfer->len > SPI_FSI_MAX_TRANSFER_SIZE) { ++ transfer->len > (ctx->max_xfr_size + 8)) { + rc = -EINVAL; + goto error; + } +@@ -453,7 +484,7 @@ static int fsi_spi_transfer_one_message(struct spi_controller *ctlr, + + /* Sequencer can only do shift in (rx) after tx. */ + if (next->rx_buf) { +- if (next->len > SPI_FSI_MAX_TRANSFER_SIZE) { ++ if (next->len > ctx->max_xfr_size) { + rc = -EINVAL; + goto error; + } +@@ -498,7 +529,9 @@ static int fsi_spi_transfer_one_message(struct spi_controller *ctlr, + + static size_t fsi_spi_max_transfer_size(struct spi_device *spi) + { +- return SPI_FSI_MAX_TRANSFER_SIZE; ++ struct fsi_spi *ctx = spi_controller_get_devdata(spi->controller); ++ ++ return ctx->max_xfr_size; + } + + static int fsi_spi_probe(struct device *dev) +@@ -546,6 +579,14 @@ static int fsi_spi_probe(struct device *dev) + ctx->fsi = fsi; + ctx->base = base + SPI_FSI_BASE; + ++ if (of_device_is_compatible(np, "ibm,fsi2spi-restricted")) { ++ ctx->restricted = true; ++ ctx->max_xfr_size = SPI_FSI_MAX_XFR_SIZE_RESTRICTED; ++ } else { ++ ctx->restricted = false; ++ ctx->max_xfr_size = SPI_FSI_MAX_XFR_SIZE; ++ } ++ + rc = devm_spi_register_controller(dev, ctlr); + if (rc) + spi_controller_put(ctlr); +-- +2.25.1 + diff --git a/queue-5.9/spi-imx-fix-freeing-of-dma-channels-if-spi_bitbang_s.patch b/queue-5.9/spi-imx-fix-freeing-of-dma-channels-if-spi_bitbang_s.patch new file mode 100644 index 00000000000..49eee10436b --- /dev/null +++ b/queue-5.9/spi-imx-fix-freeing-of-dma-channels-if-spi_bitbang_s.patch @@ -0,0 +1,53 @@ +From 83eb954cf6ba4c336adf0f11d4393d5cee78d3b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 15:22:29 +0200 +Subject: spi: imx: Fix freeing of DMA channels if spi_bitbang_start() fails + +From: Marek Vasut + +[ Upstream commit 45f0bbdafd26d6d772172563b30bff561cec9133 ] + +If the SPI controller has has_dmamode = true and spi_bitbang_start() fails +in spi_imx_probe(), then the driver must release the DMA channels acquired +in spi_imx_sdma_init() by calling spi_imx_sdma_exit() in the fail path. + +Fixes: f62caccd12c1 ("spi: spi-imx: add DMA support") +Signed-off-by: Marek Vasut +Cc: Fabio Estevam +Cc: Mark Brown +Cc: NXP Linux Team +Cc: Robin Gong +Cc: Shawn Guo +Link: https://lore.kernel.org/r/20201005132229.513119-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 38a5f1304cec4..e38e5ad3c7068 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1707,7 +1707,7 @@ static int spi_imx_probe(struct platform_device *pdev) + ret = spi_bitbang_start(&spi_imx->bitbang); + if (ret) { + dev_err(&pdev->dev, "bitbang start failed with %d\n", ret); +- goto out_runtime_pm_put; ++ goto out_bitbang_start; + } + + dev_info(&pdev->dev, "probed\n"); +@@ -1717,6 +1717,9 @@ static int spi_imx_probe(struct platform_device *pdev) + + return ret; + ++out_bitbang_start: ++ if (spi_imx->devtype_data->has_dmamode) ++ spi_imx_sdma_exit(spi_imx); + out_runtime_pm_put: + pm_runtime_dont_use_autosuspend(spi_imx->dev); + pm_runtime_put_sync(spi_imx->dev); +-- +2.25.1 + diff --git a/queue-5.9/spi-omap2-mcspi-improve-performance-waiting-for-chst.patch b/queue-5.9/spi-omap2-mcspi-improve-performance-waiting-for-chst.patch new file mode 100644 index 00000000000..2dbc9c4b9dc --- /dev/null +++ b/queue-5.9/spi-omap2-mcspi-improve-performance-waiting-for-chst.patch @@ -0,0 +1,74 @@ +From c4d05d64e5324974e07f9e4a663862b09faa909d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 17:56:24 +0530 +Subject: spi: omap2-mcspi: Improve performance waiting for CHSTAT + +From: Aswath Govindraju + +[ Upstream commit 7b1d96813317358312440d0d07abbfbeb0ef8d22 ] + +This reverts commit 13d515c796 (spi: omap2-mcspi: Switch to +readl_poll_timeout()). + +The amount of time spent polling for the MCSPI_CHSTAT bits to be set on +AM335x-icev2 platform is less than 1us (about 0.6us) in most cases, with +or without using DMA. So, in most cases the function need not sleep. +Also, setting the sleep_usecs to zero would not be optimal here because +ktime_add_us() used in readl_poll_timeout() is slower compared to the +direct addition used after the revert. So, it is sub-optimal to use +readl_poll_timeout in this case. + +When DMA is not enabled, this revert results in an increase of about 27% +in throughput and decrease of about 20% in CPU usage. However, the CPU +usage and throughput are almost the same when used with DMA. + +Therefore, fix this by reverting the commit which switched to using +readl_poll_timeout(). + +Fixes: 13d515c796ad ("spi: omap2-mcspi: Switch to readl_poll_timeout()") +Signed-off-by: Aswath Govindraju +Link: https://lore.kernel.org/r/20200910122624.8769-1-a-govindraju@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap2-mcspi.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c +index 1c9478e6e5d99..d4c9510af3931 100644 +--- a/drivers/spi/spi-omap2-mcspi.c ++++ b/drivers/spi/spi-omap2-mcspi.c +@@ -24,7 +24,6 @@ + #include + #include + #include +-#include + + #include + +@@ -348,9 +347,19 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi, + + static int mcspi_wait_for_reg_bit(void __iomem *reg, unsigned long bit) + { +- u32 val; +- +- return readl_poll_timeout(reg, val, val & bit, 1, MSEC_PER_SEC); ++ unsigned long timeout; ++ ++ timeout = jiffies + msecs_to_jiffies(1000); ++ while (!(readl_relaxed(reg) & bit)) { ++ if (time_after(jiffies, timeout)) { ++ if (!(readl_relaxed(reg) & bit)) ++ return -ETIMEDOUT; ++ else ++ return 0; ++ } ++ cpu_relax(); ++ } ++ return 0; + } + + static int mcspi_wait_for_completion(struct omap2_mcspi *mcspi, +-- +2.25.1 + diff --git a/queue-5.9/spi-spi-s3c64xx-check-return-values.patch b/queue-5.9/spi-spi-s3c64xx-check-return-values.patch new file mode 100644 index 00000000000..4961bbecf75 --- /dev/null +++ b/queue-5.9/spi-spi-s3c64xx-check-return-values.patch @@ -0,0 +1,183 @@ +From 71c06d08319408e38cc251d01cf893a3539541d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:22:37 +0200 +Subject: spi: spi-s3c64xx: Check return values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Stelmach + +[ Upstream commit 2f4db6f705c5cba85d23836c19b44d9687dc1334 ] + +Check return values in prepare_dma() and s3c64xx_spi_config() and +propagate errors upwards. + +Fixes: 788437273fa8 ("spi: s3c64xx: move to generic dmaengine API") +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Łukasz Stelmach +Link: https://lore.kernel.org/r/20201002122243.26849-4-l.stelmach@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 50 ++++++++++++++++++++++++++++++++------- + 1 file changed, 41 insertions(+), 9 deletions(-) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 26c7cb79cd784..1f08e32a10fe2 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -122,6 +122,7 @@ + + struct s3c64xx_spi_dma_data { + struct dma_chan *ch; ++ dma_cookie_t cookie; + enum dma_transfer_direction direction; + }; + +@@ -271,12 +272,13 @@ static void s3c64xx_spi_dmacb(void *data) + spin_unlock_irqrestore(&sdd->lock, flags); + } + +-static void prepare_dma(struct s3c64xx_spi_dma_data *dma, ++static int prepare_dma(struct s3c64xx_spi_dma_data *dma, + struct sg_table *sgt) + { + struct s3c64xx_spi_driver_data *sdd; + struct dma_slave_config config; + struct dma_async_tx_descriptor *desc; ++ int ret; + + memset(&config, 0, sizeof(config)); + +@@ -300,12 +302,24 @@ static void prepare_dma(struct s3c64xx_spi_dma_data *dma, + + desc = dmaengine_prep_slave_sg(dma->ch, sgt->sgl, sgt->nents, + dma->direction, DMA_PREP_INTERRUPT); ++ if (!desc) { ++ dev_err(&sdd->pdev->dev, "unable to prepare %s scatterlist", ++ dma->direction == DMA_DEV_TO_MEM ? "rx" : "tx"); ++ return -ENOMEM; ++ } + + desc->callback = s3c64xx_spi_dmacb; + desc->callback_param = dma; + +- dmaengine_submit(desc); ++ dma->cookie = dmaengine_submit(desc); ++ ret = dma_submit_error(dma->cookie); ++ if (ret) { ++ dev_err(&sdd->pdev->dev, "DMA submission failed"); ++ return -EIO; ++ } ++ + dma_async_issue_pending(dma->ch); ++ return 0; + } + + static void s3c64xx_spi_set_cs(struct spi_device *spi, bool enable) +@@ -355,11 +369,12 @@ static bool s3c64xx_spi_can_dma(struct spi_master *master, + return xfer->len > (FIFO_LVL_MASK(sdd) >> 1) + 1; + } + +-static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, ++static int s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + struct spi_transfer *xfer, int dma_mode) + { + void __iomem *regs = sdd->regs; + u32 modecfg, chcfg; ++ int ret = 0; + + modecfg = readl(regs + S3C64XX_SPI_MODE_CFG); + modecfg &= ~(S3C64XX_SPI_MODE_TXDMA_ON | S3C64XX_SPI_MODE_RXDMA_ON); +@@ -385,7 +400,7 @@ static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + chcfg |= S3C64XX_SPI_CH_TXCH_ON; + if (dma_mode) { + modecfg |= S3C64XX_SPI_MODE_TXDMA_ON; +- prepare_dma(&sdd->tx_dma, &xfer->tx_sg); ++ ret = prepare_dma(&sdd->tx_dma, &xfer->tx_sg); + } else { + switch (sdd->cur_bpw) { + case 32: +@@ -417,12 +432,17 @@ static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + writel(((xfer->len * 8 / sdd->cur_bpw) & 0xffff) + | S3C64XX_SPI_PACKET_CNT_EN, + regs + S3C64XX_SPI_PACKET_CNT); +- prepare_dma(&sdd->rx_dma, &xfer->rx_sg); ++ ret = prepare_dma(&sdd->rx_dma, &xfer->rx_sg); + } + } + ++ if (ret) ++ return ret; ++ + writel(modecfg, regs + S3C64XX_SPI_MODE_CFG); + writel(chcfg, regs + S3C64XX_SPI_CH_CFG); ++ ++ return 0; + } + + static u32 s3c64xx_spi_wait_for_timeout(struct s3c64xx_spi_driver_data *sdd, +@@ -555,9 +575,10 @@ static int s3c64xx_wait_for_pio(struct s3c64xx_spi_driver_data *sdd, + return 0; + } + +-static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) ++static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + { + void __iomem *regs = sdd->regs; ++ int ret; + u32 val; + + /* Disable Clock */ +@@ -605,7 +626,9 @@ static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + + if (sdd->port_conf->clk_from_cmu) { + /* The src_clk clock is divided internally by 2 */ +- clk_set_rate(sdd->src_clk, sdd->cur_speed * 2); ++ ret = clk_set_rate(sdd->src_clk, sdd->cur_speed * 2); ++ if (ret) ++ return ret; + } else { + /* Configure Clock */ + val = readl(regs + S3C64XX_SPI_CLK_CFG); +@@ -619,6 +642,8 @@ static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + val |= S3C64XX_SPI_ENCLK_ENABLE; + writel(val, regs + S3C64XX_SPI_CLK_CFG); + } ++ ++ return 0; + } + + #define XFER_DMAADDR_INVALID DMA_BIT_MASK(32) +@@ -661,7 +686,9 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + sdd->cur_bpw = bpw; + sdd->cur_speed = speed; + sdd->cur_mode = spi->mode; +- s3c64xx_spi_config(sdd); ++ status = s3c64xx_spi_config(sdd); ++ if (status) ++ return status; + } + + if (!is_polling(sdd) && (xfer->len > fifo_len) && +@@ -688,10 +715,15 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + /* Start the signals */ + s3c64xx_spi_set_cs(spi, true); + +- s3c64xx_enable_datapath(sdd, xfer, use_dma); ++ status = s3c64xx_enable_datapath(sdd, xfer, use_dma); + + spin_unlock_irqrestore(&sdd->lock, flags); + ++ if (status) { ++ dev_err(&spi->dev, "failed to enable data path for transfer: %d\n", status); ++ break; ++ } ++ + if (use_dma) + status = s3c64xx_wait_for_dma(sdd, xfer); + else +-- +2.25.1 + diff --git a/queue-5.9/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch b/queue-5.9/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch new file mode 100644 index 00000000000..2bd2ac36e08 --- /dev/null +++ b/queue-5.9/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch @@ -0,0 +1,47 @@ +From 5aa9dd081035b0227d1d5d0c435502924da05dc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:22:35 +0200 +Subject: spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and + s3c64xx_enable_datapath() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Stelmach + +[ Upstream commit 581e2b41977dfc2d4c26c8e976f89c43bb92f9bf ] + +Fix issues with DMA transfers bigger than 512 bytes on Exynos3250. Without +the patches such transfers fail to complete. This solution to the problem +is found in the vendor kernel for ARTIK5 boards based on Exynos3250. + +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Łukasz Stelmach +Link: https://lore.kernel.org/r/20201002122243.26849-2-l.stelmach@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 924b24441789a..26c7cb79cd784 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -685,11 +685,11 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + sdd->state &= ~RXBUSY; + sdd->state &= ~TXBUSY; + +- s3c64xx_enable_datapath(sdd, xfer, use_dma); +- + /* Start the signals */ + s3c64xx_spi_set_cs(spi, true); + ++ s3c64xx_enable_datapath(sdd, xfer, use_dma); ++ + spin_unlock_irqrestore(&sdd->lock, flags); + + if (use_dma) +-- +2.25.1 + diff --git a/queue-5.9/staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch b/queue-5.9/staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch new file mode 100644 index 00000000000..5d88e429291 --- /dev/null +++ b/queue-5.9/staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch @@ -0,0 +1,51 @@ +From 5dd3a87d3f9ed84f07a26ed07f6532135812de80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 10:19:28 +0100 +Subject: staging: emxx_udc: Fix passing of NULL to dma_alloc_coherent() + +From: Alex Dewar + +[ Upstream commit cc34073c6248e9cec801bf690d1455f264d12357 ] + +In nbu2ss_eq_queue() memory is allocated with dma_alloc_coherent(), +though, strangely, NULL is passed as the struct device* argument. Pass +the UDC's device instead. Fix up the corresponding call to +dma_free_coherent() in the same way. + +Build-tested on x86 only. + +Fixes: 33aa8d45a4fe ("staging: emxx_udc: Add Emma Mobile USB Gadget driver") +Reported-by: Dan Carpenter +Signed-off-by: Alex Dewar +Link: https://lore.kernel.org/r/20200825091928.55794-1-alex.dewar90@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/emxx_udc/emxx_udc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/emxx_udc/emxx_udc.c b/drivers/staging/emxx_udc/emxx_udc.c +index 03929b9d3a8bc..d0725bc8b48a4 100644 +--- a/drivers/staging/emxx_udc/emxx_udc.c ++++ b/drivers/staging/emxx_udc/emxx_udc.c +@@ -2593,7 +2593,7 @@ static int nbu2ss_ep_queue(struct usb_ep *_ep, + + if (req->unaligned) { + if (!ep->virt_buf) +- ep->virt_buf = dma_alloc_coherent(NULL, PAGE_SIZE, ++ ep->virt_buf = dma_alloc_coherent(udc->dev, PAGE_SIZE, + &ep->phys_buf, + GFP_ATOMIC | GFP_DMA); + if (ep->epnum > 0) { +@@ -3148,7 +3148,7 @@ static int nbu2ss_drv_remove(struct platform_device *pdev) + for (i = 0; i < NUM_ENDPOINTS; i++) { + ep = &udc->ep[i]; + if (ep->virt_buf) +- dma_free_coherent(NULL, PAGE_SIZE, (void *)ep->virt_buf, ++ dma_free_coherent(udc->dev, PAGE_SIZE, (void *)ep->virt_buf, + ep->phys_buf); + } + +-- +2.25.1 + diff --git a/queue-5.9/staging-qlge-fix-build-breakage-with-dumping-enabled.patch b/queue-5.9/staging-qlge-fix-build-breakage-with-dumping-enabled.patch new file mode 100644 index 00000000000..9fe017bb49b --- /dev/null +++ b/queue-5.9/staging-qlge-fix-build-breakage-with-dumping-enabled.patch @@ -0,0 +1,241 @@ +From c449a960fd5239b32bcf4fe4b78ace8b285fe321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Oct 2020 07:59:41 +0800 +Subject: staging: qlge: fix build breakage with dumping enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Coiby Xu + +[ Upstream commit 51c00535537018bddd4b3fb225d18c1ae049c4e9 ] + +This fixes commit 0107635e15ac +("staging: qlge: replace pr_err with netdev_err") which introduced an +build breakage of missing `struct ql_adapter *qdev` for some functions +and a warning of type mismatch with dumping enabled, i.e., + +$ make CFLAGS_MODULE="-DQL_ALL_DUMP -DQL_OB_DUMP -DQL_CB_DUMP \ + -DQL_IB_DUMP -DQL_REG_DUMP -DQL_DEV_DUMP" M=drivers/staging/qlge + +qlge_dbg.c: In function ‘ql_dump_ob_mac_rsp’: +qlge_dbg.c:2051:13: error: ‘qdev’ undeclared (first use in this function); did you mean ‘cdev’? + 2051 | netdev_err(qdev->ndev, "%s\n", __func__); + | ^~~~ +qlge_dbg.c: In function ‘ql_dump_routing_entries’: +qlge_dbg.c:1435:10: warning: format ‘%s’ expects argument of type ‘char *’, but argument 3 has type ‘int’ [-Wformat=] + 1435 | "%s: Routing Mask %d = 0x%.08x\n", + | ~^ + | | + | char * + | %d + 1436 | i, value); + | ~ + | | + | int +qlge_dbg.c:1435:37: warning: format ‘%x’ expects a matching ‘unsigned int’ argument [-Wformat=] + 1435 | "%s: Routing Mask %d = 0x%.08x\n", + | ~~~~^ + | | + | unsigned int + +Note that now ql_dump_rx_ring/ql_dump_tx_ring won't check if the passed +parameter is a null pointer. + +Fixes: 0107635e15ac ("staging: qlge: replace pr_err with netdev_err") +Reported-by: Benjamin Poirier +Suggested-by: Benjamin Poirier +Reviewed-by: Benjamin Poirier +Signed-off-by: Coiby Xu +Link: https://lore.kernel.org/r/20201002235941.77062-1-coiby.xu@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/qlge/qlge.h | 20 ++++++++++---------- + drivers/staging/qlge/qlge_dbg.c | 28 ++++++++++++++++++---------- + drivers/staging/qlge/qlge_main.c | 8 ++++---- + 3 files changed, 32 insertions(+), 24 deletions(-) + +diff --git a/drivers/staging/qlge/qlge.h b/drivers/staging/qlge/qlge.h +index 483ce04789ed0..7f6798b223ef8 100644 +--- a/drivers/staging/qlge/qlge.h ++++ b/drivers/staging/qlge/qlge.h +@@ -2338,21 +2338,21 @@ void ql_dump_hw_cb(struct ql_adapter *qdev, int size, u32 bit, u16 q_id); + #endif + + #ifdef QL_OB_DUMP +-void ql_dump_tx_desc(struct tx_buf_desc *tbd); +-void ql_dump_ob_mac_iocb(struct ob_mac_iocb_req *ob_mac_iocb); +-void ql_dump_ob_mac_rsp(struct ob_mac_iocb_rsp *ob_mac_rsp); +-#define QL_DUMP_OB_MAC_IOCB(ob_mac_iocb) ql_dump_ob_mac_iocb(ob_mac_iocb) +-#define QL_DUMP_OB_MAC_RSP(ob_mac_rsp) ql_dump_ob_mac_rsp(ob_mac_rsp) ++void ql_dump_tx_desc(struct ql_adapter *qdev, struct tx_buf_desc *tbd); ++void ql_dump_ob_mac_iocb(struct ql_adapter *qdev, struct ob_mac_iocb_req *ob_mac_iocb); ++void ql_dump_ob_mac_rsp(struct ql_adapter *qdev, struct ob_mac_iocb_rsp *ob_mac_rsp); ++#define QL_DUMP_OB_MAC_IOCB(qdev, ob_mac_iocb) ql_dump_ob_mac_iocb(qdev, ob_mac_iocb) ++#define QL_DUMP_OB_MAC_RSP(qdev, ob_mac_rsp) ql_dump_ob_mac_rsp(qdev, ob_mac_rsp) + #else +-#define QL_DUMP_OB_MAC_IOCB(ob_mac_iocb) +-#define QL_DUMP_OB_MAC_RSP(ob_mac_rsp) ++#define QL_DUMP_OB_MAC_IOCB(qdev, ob_mac_iocb) ++#define QL_DUMP_OB_MAC_RSP(qdev, ob_mac_rsp) + #endif + + #ifdef QL_IB_DUMP +-void ql_dump_ib_mac_rsp(struct ib_mac_iocb_rsp *ib_mac_rsp); +-#define QL_DUMP_IB_MAC_RSP(ib_mac_rsp) ql_dump_ib_mac_rsp(ib_mac_rsp) ++void ql_dump_ib_mac_rsp(struct ql_adapter *qdev, struct ib_mac_iocb_rsp *ib_mac_rsp); ++#define QL_DUMP_IB_MAC_RSP(qdev, ib_mac_rsp) ql_dump_ib_mac_rsp(qdev, ib_mac_rsp) + #else +-#define QL_DUMP_IB_MAC_RSP(ib_mac_rsp) ++#define QL_DUMP_IB_MAC_RSP(qdev, ib_mac_rsp) + #endif + + #ifdef QL_ALL_DUMP +diff --git a/drivers/staging/qlge/qlge_dbg.c b/drivers/staging/qlge/qlge_dbg.c +index a55bf0b3e9dcc..42fd13990f3a8 100644 +--- a/drivers/staging/qlge/qlge_dbg.c ++++ b/drivers/staging/qlge/qlge_dbg.c +@@ -1431,7 +1431,7 @@ void ql_dump_routing_entries(struct ql_adapter *qdev) + } + if (value) + netdev_err(qdev->ndev, +- "%s: Routing Mask %d = 0x%.08x\n", ++ "Routing Mask %d = 0x%.08x\n", + i, value); + } + ql_sem_unlock(qdev, SEM_RT_IDX_MASK); +@@ -1617,6 +1617,9 @@ void ql_dump_qdev(struct ql_adapter *qdev) + #ifdef QL_CB_DUMP + void ql_dump_wqicb(struct wqicb *wqicb) + { ++ struct tx_ring *tx_ring = container_of(wqicb, struct tx_ring, wqicb); ++ struct ql_adapter *qdev = tx_ring->qdev; ++ + netdev_err(qdev->ndev, "Dumping wqicb stuff...\n"); + netdev_err(qdev->ndev, "wqicb->len = 0x%x\n", le16_to_cpu(wqicb->len)); + netdev_err(qdev->ndev, "wqicb->flags = %x\n", +@@ -1632,8 +1635,8 @@ void ql_dump_wqicb(struct wqicb *wqicb) + + void ql_dump_tx_ring(struct tx_ring *tx_ring) + { +- if (!tx_ring) +- return; ++ struct ql_adapter *qdev = tx_ring->qdev; ++ + netdev_err(qdev->ndev, "===================== Dumping tx_ring %d ===============\n", + tx_ring->wq_id); + netdev_err(qdev->ndev, "tx_ring->base = %p\n", tx_ring->wq_base); +@@ -1657,6 +1660,8 @@ void ql_dump_tx_ring(struct tx_ring *tx_ring) + void ql_dump_ricb(struct ricb *ricb) + { + int i; ++ struct ql_adapter *qdev = ++ container_of(ricb, struct ql_adapter, ricb); + + netdev_err(qdev->ndev, "===================== Dumping ricb ===============\n"); + netdev_err(qdev->ndev, "Dumping ricb stuff...\n"); +@@ -1686,6 +1691,9 @@ void ql_dump_ricb(struct ricb *ricb) + + void ql_dump_cqicb(struct cqicb *cqicb) + { ++ struct rx_ring *rx_ring = container_of(cqicb, struct rx_ring, cqicb); ++ struct ql_adapter *qdev = rx_ring->qdev; ++ + netdev_err(qdev->ndev, "Dumping cqicb stuff...\n"); + + netdev_err(qdev->ndev, "cqicb->msix_vect = %d\n", cqicb->msix_vect); +@@ -1725,8 +1733,8 @@ static const char *qlge_rx_ring_type_name(struct rx_ring *rx_ring) + + void ql_dump_rx_ring(struct rx_ring *rx_ring) + { +- if (!rx_ring) +- return; ++ struct ql_adapter *qdev = rx_ring->qdev; ++ + netdev_err(qdev->ndev, + "===================== Dumping rx_ring %d ===============\n", + rx_ring->cq_id); +@@ -1816,7 +1824,7 @@ void ql_dump_hw_cb(struct ql_adapter *qdev, int size, u32 bit, u16 q_id) + #endif + + #ifdef QL_OB_DUMP +-void ql_dump_tx_desc(struct tx_buf_desc *tbd) ++void ql_dump_tx_desc(struct ql_adapter *qdev, struct tx_buf_desc *tbd) + { + netdev_err(qdev->ndev, "tbd->addr = 0x%llx\n", + le64_to_cpu((u64)tbd->addr)); +@@ -1843,7 +1851,7 @@ void ql_dump_tx_desc(struct tx_buf_desc *tbd) + tbd->len & TX_DESC_E ? "E" : "."); + } + +-void ql_dump_ob_mac_iocb(struct ob_mac_iocb_req *ob_mac_iocb) ++void ql_dump_ob_mac_iocb(struct ql_adapter *qdev, struct ob_mac_iocb_req *ob_mac_iocb) + { + struct ob_mac_tso_iocb_req *ob_mac_tso_iocb = + (struct ob_mac_tso_iocb_req *)ob_mac_iocb; +@@ -1886,10 +1894,10 @@ void ql_dump_ob_mac_iocb(struct ob_mac_iocb_req *ob_mac_iocb) + frame_len = le16_to_cpu(ob_mac_iocb->frame_len); + } + tbd = &ob_mac_iocb->tbd[0]; +- ql_dump_tx_desc(tbd); ++ ql_dump_tx_desc(qdev, tbd); + } + +-void ql_dump_ob_mac_rsp(struct ob_mac_iocb_rsp *ob_mac_rsp) ++void ql_dump_ob_mac_rsp(struct ql_adapter *qdev, struct ob_mac_iocb_rsp *ob_mac_rsp) + { + netdev_err(qdev->ndev, "%s\n", __func__); + netdev_err(qdev->ndev, "opcode = %d\n", ob_mac_rsp->opcode); +@@ -1906,7 +1914,7 @@ void ql_dump_ob_mac_rsp(struct ob_mac_iocb_rsp *ob_mac_rsp) + #endif + + #ifdef QL_IB_DUMP +-void ql_dump_ib_mac_rsp(struct ib_mac_iocb_rsp *ib_mac_rsp) ++void ql_dump_ib_mac_rsp(struct ql_adapter *qdev, struct ib_mac_iocb_rsp *ib_mac_rsp) + { + netdev_err(qdev->ndev, "%s\n", __func__); + netdev_err(qdev->ndev, "opcode = 0x%x\n", ib_mac_rsp->opcode); +diff --git a/drivers/staging/qlge/qlge_main.c b/drivers/staging/qlge/qlge_main.c +index 2028458bea6f0..b351a7eb7a897 100644 +--- a/drivers/staging/qlge/qlge_main.c ++++ b/drivers/staging/qlge/qlge_main.c +@@ -1856,7 +1856,7 @@ static void ql_process_mac_split_rx_intr(struct ql_adapter *qdev, + struct net_device *ndev = qdev->ndev; + struct sk_buff *skb = NULL; + +- QL_DUMP_IB_MAC_RSP(ib_mac_rsp); ++ QL_DUMP_IB_MAC_RSP(qdev, ib_mac_rsp); + + skb = ql_build_rx_skb(qdev, rx_ring, ib_mac_rsp); + if (unlikely(!skb)) { +@@ -1954,7 +1954,7 @@ static unsigned long ql_process_mac_rx_intr(struct ql_adapter *qdev, + ((le16_to_cpu(ib_mac_rsp->vlan_id) & + IB_MAC_IOCB_RSP_VLAN_MASK)) : 0xffff; + +- QL_DUMP_IB_MAC_RSP(ib_mac_rsp); ++ QL_DUMP_IB_MAC_RSP(qdev, ib_mac_rsp); + + if (ib_mac_rsp->flags4 & IB_MAC_IOCB_RSP_HV) { + /* The data and headers are split into +@@ -2001,7 +2001,7 @@ static void ql_process_mac_tx_intr(struct ql_adapter *qdev, + struct tx_ring *tx_ring; + struct tx_ring_desc *tx_ring_desc; + +- QL_DUMP_OB_MAC_RSP(mac_rsp); ++ QL_DUMP_OB_MAC_RSP(qdev, mac_rsp); + tx_ring = &qdev->tx_ring[mac_rsp->txq_idx]; + tx_ring_desc = &tx_ring->q[mac_rsp->tid]; + ql_unmap_send(qdev, tx_ring_desc, tx_ring_desc->map_cnt); +@@ -2593,7 +2593,7 @@ static netdev_tx_t qlge_send(struct sk_buff *skb, struct net_device *ndev) + tx_ring->tx_errors++; + return NETDEV_TX_BUSY; + } +- QL_DUMP_OB_MAC_IOCB(mac_iocb_ptr); ++ QL_DUMP_OB_MAC_IOCB(qdev, mac_iocb_ptr); + tx_ring->prod_idx++; + if (tx_ring->prod_idx == tx_ring->wq_len) + tx_ring->prod_idx = 0; +-- +2.25.1 + diff --git a/queue-5.9/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch b/queue-5.9/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch new file mode 100644 index 00000000000..719ceb3b22a --- /dev/null +++ b/queue-5.9/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch @@ -0,0 +1,47 @@ +From 9ab24a567ce08ae5e99fb57b409ad02c2b172033 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 19:34:58 +0200 +Subject: staging: rtl8192u: Do not use GFP_KERNEL in atomic context + +From: Christophe JAILLET + +[ Upstream commit acac75bb451fd39344eb54fad6602dfc9482e970 ] + +'rtl8192_irq_rx_tasklet()' is a tasklet initialized in +'rtl8192_init_priv_task()'. +>From this function it is possible to allocate some memory with the +GFP_KERNEL flag, which is not allowed in the atomic context of a tasklet. + +Use GFP_ATOMIC instead. + +The call chain is: + rtl8192_irq_rx_tasklet (in r8192U_core.c) + --> rtl8192_rx_nomal (in r8192U_core.c) + --> ieee80211_rx (in ieee80211/ieee80211_rx.c) + --> RxReorderIndicatePacket (in ieee80211/ieee80211_rx.c) + +Fixes: 79a5ccd97209 ("staging: rtl8192u: fix large frame size compiler warning") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20200813173458.758284-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +index 195d963c4fbb4..b6fee7230ce05 100644 +--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c ++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +@@ -597,7 +597,7 @@ static void RxReorderIndicatePacket(struct ieee80211_device *ieee, + + prxbIndicateArray = kmalloc_array(REORDER_WIN_SIZE, + sizeof(struct ieee80211_rxb *), +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!prxbIndicateArray) + return; + +-- +2.25.1 + diff --git a/queue-5.9/staging-rtl8712-fix-enqueue_reorder_recvframe.patch b/queue-5.9/staging-rtl8712-fix-enqueue_reorder_recvframe.patch new file mode 100644 index 00000000000..f6105b67715 --- /dev/null +++ b/queue-5.9/staging-rtl8712-fix-enqueue_reorder_recvframe.patch @@ -0,0 +1,47 @@ +From 3debfbcfe058208f28ba522fa6219a84d28e9631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 13:35:48 +0300 +Subject: staging: rtl8712: Fix enqueue_reorder_recvframe() + +From: Dan Carpenter + +[ Upstream commit 29838144f280fc03ca06a621568f34e1d0a65a4f ] + +The logic of this function was accidentally broken by a checkpatch +inspired cleanup. I've modified the code to restore the original +behavior and also make checkpatch happy. + +Fixes: 98fe05e21a6e ("staging: rtl8712: Remove unnecesary else after return statement.") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200929103548.GA493135@mwanda +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8712/rtl8712_recv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/rtl8712/rtl8712_recv.c b/drivers/staging/rtl8712/rtl8712_recv.c +index d83f421acfc1e..a397dc6231f13 100644 +--- a/drivers/staging/rtl8712/rtl8712_recv.c ++++ b/drivers/staging/rtl8712/rtl8712_recv.c +@@ -477,11 +477,14 @@ static int enqueue_reorder_recvframe(struct recv_reorder_ctrl *preorder_ctrl, + while (!end_of_queue_search(phead, plist)) { + pnextrframe = container_of(plist, union recv_frame, u.list); + pnextattrib = &pnextrframe->u.hdr.attrib; ++ ++ if (SN_EQUAL(pnextattrib->seq_num, pattrib->seq_num)) ++ return false; ++ + if (SN_LESS(pnextattrib->seq_num, pattrib->seq_num)) + plist = plist->next; +- else if (SN_EQUAL(pnextattrib->seq_num, pattrib->seq_num)) +- return false; +- break; ++ else ++ break; + } + list_del_init(&(prframe->u.hdr.list)); + list_add_tail(&(prframe->u.hdr.list), plist); +-- +2.25.1 + diff --git a/queue-5.9/staging-wfx-fix-ba-sessions-for-older-firmwares.patch b/queue-5.9/staging-wfx-fix-ba-sessions-for-older-firmwares.patch new file mode 100644 index 00000000000..f319e27964d --- /dev/null +++ b/queue-5.9/staging-wfx-fix-ba-sessions-for-older-firmwares.patch @@ -0,0 +1,49 @@ +From ac67b52878946dd50350db272a29a2d766e2e484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 12:19:39 +0200 +Subject: staging: wfx: fix BA sessions for older firmwares +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jérôme Pouiller + +[ Upstream commit 4fd1241778b08129f196605c62636a4d6d71c2c7 ] + +Firmwares with API < 3.6 do not forward DELBA requests. Thus, when a +Block Ack session is restarted, the reordering buffer is not flushed and +the received sequence number is not contiguous. Therefore, mac80211 +starts to wait some missing frames that it will never receive. + +This patch disables the reordering buffer for old firmware. It is +harmless when the network is unencrypted. When the network is encrypted, +the non-contiguous frames will be thrown away by the TKIP/CCMP replay +protection. So, the user will observe some packet loss with UDP and +performance drop with TCP. + +Fixes: e5da5fbd7741 ("staging: wfx: fix CCMP/TKIP replay protection") +Signed-off-by: Jérôme Pouiller +Link: https://lore.kernel.org/r/20201007101943.749898-4-Jerome.Pouiller@silabs.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/wfx/data_rx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/staging/wfx/data_rx.c b/drivers/staging/wfx/data_rx.c +index 6fb0788807426..33b715b7b94bb 100644 +--- a/drivers/staging/wfx/data_rx.c ++++ b/drivers/staging/wfx/data_rx.c +@@ -17,6 +17,9 @@ static void wfx_rx_handle_ba(struct wfx_vif *wvif, struct ieee80211_mgmt *mgmt) + { + int params, tid; + ++ if (wfx_api_older_than(wvif->wdev, 3, 6)) ++ return; ++ + switch (mgmt->u.action.u.addba_req.action_code) { + case WLAN_ACTION_ADDBA_REQ: + params = le16_to_cpu(mgmt->u.action.u.addba_req.capab); +-- +2.25.1 + diff --git a/queue-5.9/staging-wfx-fix-frame-reordering.patch b/queue-5.9/staging-wfx-fix-frame-reordering.patch new file mode 100644 index 00000000000..da5b336968b --- /dev/null +++ b/queue-5.9/staging-wfx-fix-frame-reordering.patch @@ -0,0 +1,61 @@ +From 46f41b7b0f4b258ce7317d530dc302ac817beb3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 10:58:23 +0200 +Subject: staging: wfx: fix frame reordering +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jérôme Pouiller + +[ Upstream commit 7373f31c4b5e382e5117b71a6792e8005c45aa50 ] + +When mac80211 debug is enabled, the trace below appears: + + [60744.340037] wlan0: Rx A-MPDU request on aa:bb:cc:97:60:24 tid 0 result -524 + +This imply that ___ieee80211_start_rx_ba_session will prematurely exit +and frame reordering won't be enabled. + +Fixes: e5da5fbd77411 ("staging: wfx: fix CCMP/TKIP replay protection") +Signed-off-by: Jérôme Pouiller +Link: https://lore.kernel.org/r/20200825085828.399505-7-Jerome.Pouiller@silabs.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/wfx/sta.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/staging/wfx/sta.c b/drivers/staging/wfx/sta.c +index 4e30ab17a93d4..7dace7c17bf5c 100644 +--- a/drivers/staging/wfx/sta.c ++++ b/drivers/staging/wfx/sta.c +@@ -682,15 +682,16 @@ int wfx_ampdu_action(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, + struct ieee80211_ampdu_params *params) + { +- /* Aggregation is implemented fully in firmware, +- * including block ack negotiation. Do not allow +- * mac80211 stack to do anything: it interferes with +- * the firmware. +- */ +- +- /* Note that we still need this function stubbed. */ +- +- return -ENOTSUPP; ++ // Aggregation is implemented fully in firmware ++ switch (params->action) { ++ case IEEE80211_AMPDU_RX_START: ++ case IEEE80211_AMPDU_RX_STOP: ++ // Just acknowledge it to enable frame re-ordering ++ return 0; ++ default: ++ // Leave the firmware doing its business for tx aggregation ++ return -ENOTSUPP; ++ } + } + + int wfx_add_chanctx(struct ieee80211_hw *hw, +-- +2.25.1 + diff --git a/queue-5.9/staging-wfx-fix-handling-of-mmic-error.patch b/queue-5.9/staging-wfx-fix-handling-of-mmic-error.patch new file mode 100644 index 00000000000..6d3823d1422 --- /dev/null +++ b/queue-5.9/staging-wfx-fix-handling-of-mmic-error.patch @@ -0,0 +1,46 @@ +From 1262315133c2186721e1880779a5e3b0f5bc301f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 12:19:37 +0200 +Subject: staging: wfx: fix handling of MMIC error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jérôme Pouiller + +[ Upstream commit 8d350c14ee5eb62ecd40b0991248bfbce511954d ] + +As expected, when the device detect a MMIC error, it returns a specific +status. However, it also strip IV from the frame (don't ask me why). + +So, with the current code, mac80211 detects a corrupted frame and it +drops it before it handle the MMIC error. The expected behavior would be +to detect MMIC error then to renegotiate the EAP session. + +So, this patch correctly informs mac80211 that IV is not available. So, +mac80211 correctly takes into account the MMIC error. + +Signed-off-by: Jérôme Pouiller +Link: https://lore.kernel.org/r/20201007101943.749898-2-Jerome.Pouiller@silabs.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/wfx/data_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/wfx/data_rx.c b/drivers/staging/wfx/data_rx.c +index 33b715b7b94bb..ef0cc1e474ae6 100644 +--- a/drivers/staging/wfx/data_rx.c ++++ b/drivers/staging/wfx/data_rx.c +@@ -44,7 +44,7 @@ void wfx_rx_cb(struct wfx_vif *wvif, + memset(hdr, 0, sizeof(*hdr)); + + if (arg->status == HIF_STATUS_RX_FAIL_MIC) +- hdr->flag |= RX_FLAG_MMIC_ERROR; ++ hdr->flag |= RX_FLAG_MMIC_ERROR | RX_FLAG_IV_STRIPPED; + else if (arg->status) + goto drop; + +-- +2.25.1 + diff --git a/queue-5.9/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch b/queue-5.9/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch new file mode 100644 index 00000000000..dba52a560f2 --- /dev/null +++ b/queue-5.9/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch @@ -0,0 +1,84 @@ +From 82387cb24d948075183d7002bf313d22f78c03d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 13:42:27 +0200 +Subject: SUNRPC: fix copying of multiple pages in gss_read_proxy_verf() + +From: Martijn de Gouw + +[ Upstream commit d48c8124749c9a5081fe68680f83605e272c984b ] + +When the passed token is longer than 4032 bytes, the remaining part +of the token must be copied from the rqstp->rq_arg.pages. But the +copy must make sure it happens in a consecutive way. + +With the existing code, the first memcpy copies 'length' bytes from +argv->iobase, but since the header is in front, this never fills the +whole first page of in_token->pages. + +The mecpy in the loop copies the following bytes, but starts writing at +the next page of in_token->pages. This leaves the last bytes of page 0 +unwritten. + +Symptoms were that users with many groups were not able to access NFS +exports, when using Active Directory as the KDC. + +Signed-off-by: Martijn de Gouw +Fixes: 5866efa8cbfb "SUNRPC: Fix svcauth_gss_proxy_init()" +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/svcauth_gss.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 258b04372f854..bd4678db9d76b 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1147,9 +1147,9 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, + struct gssp_in_token *in_token) + { + struct kvec *argv = &rqstp->rq_arg.head[0]; +- unsigned int page_base, length; +- int pages, i, res; +- size_t inlen; ++ unsigned int length, pgto_offs, pgfrom_offs; ++ int pages, i, res, pgto, pgfrom; ++ size_t inlen, to_offs, from_offs; + + res = gss_read_common_verf(gc, argv, authp, in_handle); + if (res) +@@ -1177,17 +1177,24 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, + memcpy(page_address(in_token->pages[0]), argv->iov_base, length); + inlen -= length; + +- i = 1; +- page_base = rqstp->rq_arg.page_base; ++ to_offs = length; ++ from_offs = rqstp->rq_arg.page_base; + while (inlen) { +- length = min_t(unsigned int, inlen, PAGE_SIZE); +- memcpy(page_address(in_token->pages[i]), +- page_address(rqstp->rq_arg.pages[i]) + page_base, ++ pgto = to_offs >> PAGE_SHIFT; ++ pgfrom = from_offs >> PAGE_SHIFT; ++ pgto_offs = to_offs & ~PAGE_MASK; ++ pgfrom_offs = from_offs & ~PAGE_MASK; ++ ++ length = min_t(unsigned int, inlen, ++ min_t(unsigned int, PAGE_SIZE - pgto_offs, ++ PAGE_SIZE - pgfrom_offs)); ++ memcpy(page_address(in_token->pages[pgto]) + pgto_offs, ++ page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs, + length); + ++ to_offs += length; ++ from_offs += length; + inlen -= length; +- page_base = 0; +- i++; + } + return 0; + } +-- +2.25.1 + diff --git a/queue-5.9/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch b/queue-5.9/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch new file mode 100644 index 00000000000..5e0b4b9b167 --- /dev/null +++ b/queue-5.9/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch @@ -0,0 +1,40 @@ +From 9448a7c89d45cd791c233704fad4790050f4ba93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 22:33:43 +0300 +Subject: svcrdma: fix bounce buffers for unaligned offsets and multiple pages + +From: Dan Aloni + +[ Upstream commit c327a310ec4d6ecbea13185ed56c11def441d9ab ] + +This was discovered using O_DIRECT at the client side, with small +unaligned file offsets or IOs that span multiple file pages. + +Fixes: e248aa7be86 ("svcrdma: Remove max_sge check at connect time") +Signed-off-by: Dan Aloni +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +index 7b94d971feb3b..c3d588b149aaa 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +@@ -638,10 +638,11 @@ static int svc_rdma_pull_up_reply_msg(struct svcxprt_rdma *rdma, + while (remaining) { + len = min_t(u32, PAGE_SIZE - pageoff, remaining); + +- memcpy(dst, page_address(*ppages), len); ++ memcpy(dst, page_address(*ppages) + pageoff, len); + remaining -= len; + dst += len; + pageoff = 0; ++ ppages++; + } + } + +-- +2.25.1 + diff --git a/queue-5.9/thermal-core-adding-missing-nlmsg_free-in-thermal_ge.patch b/queue-5.9/thermal-core-adding-missing-nlmsg_free-in-thermal_ge.patch new file mode 100644 index 00000000000..d0206bea66e --- /dev/null +++ b/queue-5.9/thermal-core-adding-missing-nlmsg_free-in-thermal_ge.patch @@ -0,0 +1,47 @@ +From 322a024974f4ae5265d42af103daae9c3372cda7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 16:26:52 +0800 +Subject: thermal: core: Adding missing nlmsg_free() in + thermal_genl_sampling_temp() + +From: Jing Xiangfeng + +[ Upstream commit 48b458591749d35c927351b4960b49e35af30fe6 ] + +thermal_genl_sampling_temp() misses to call nlmsg_free() in an error path. + +Jump to out_free to fix it. + +Fixes: 1ce50e7d408ef2 ("thermal: core: genetlink support for events/cmd/sampling") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200929082652.59876-1-jingxiangfeng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/thermal/thermal_netlink.c b/drivers/thermal/thermal_netlink.c +index af7b2383e8f6b..019f4812def6c 100644 +--- a/drivers/thermal/thermal_netlink.c ++++ b/drivers/thermal/thermal_netlink.c +@@ -78,7 +78,7 @@ int thermal_genl_sampling_temp(int id, int temp) + hdr = genlmsg_put(skb, 0, 0, &thermal_gnl_family, 0, + THERMAL_GENL_SAMPLING_TEMP); + if (!hdr) +- return -EMSGSIZE; ++ goto out_free; + + if (nla_put_u32(skb, THERMAL_GENL_ATTR_TZ_ID, id)) + goto out_cancel; +@@ -93,6 +93,7 @@ int thermal_genl_sampling_temp(int id, int temp) + return 0; + out_cancel: + genlmsg_cancel(skb, hdr); ++out_free: + nlmsg_free(skb); + + return -EMSGSIZE; +-- +2.25.1 + diff --git a/queue-5.9/tools-feature-add-missing-lzstd-to-the-fast-path-fea.patch b/queue-5.9/tools-feature-add-missing-lzstd-to-the-fast-path-fea.patch new file mode 100644 index 00000000000..1cfd1f05476 --- /dev/null +++ b/queue-5.9/tools-feature-add-missing-lzstd-to-the-fast-path-fea.patch @@ -0,0 +1,57 @@ +From 55123b8d60310f29fe8ba02378cfbc7dd15736f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 17:20:02 -0300 +Subject: tools feature: Add missing -lzstd to the fast path feature detection + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 6c014694b1d2702cdc736d17b60746e7b95ba664 ] + +We were failing that due to GTK2+ and then for the ZSTD test, which made +test-all.c, the fast path feature detection file to fail and thus +trigger building all of the feature tests, slowing down the test. + +Eventually the ZSTD test would be built and would succeed, since it had +the needed -lzstd, avoiding: + + $ cat /tmp/build/perf/feature/test-all.make.output + /usr/bin/ld: /tmp/ccRRJQ4u.o: in function `main_test_libzstd': + /home/acme/git/perf/tools/build/feature/test-libzstd.c:8: undefined reference to `ZSTD_createCStream' + /usr/bin/ld: /home/acme/git/perf/tools/build/feature/test-libzstd.c:9: undefined reference to `ZSTD_freeCStream' + collect2: error: ld returned 1 exit status + $ + +Fix it by adding -lzstd to the test-all target. + +Now I need an entry to 'perf test' to make sure that +/tmp/build/perf/feature/test-all.make.output is empty... + +Fixes: 3b1c5d9659718263 ("tools build: Implement libzstd feature check, LIBZSTD_DIR and NO_LIBZSTD defines") +Reviewed-by: Alexei Budankov +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Link: http://lore.kernel.org/lkml/20200904202611.GJ3753976@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/build/feature/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile +index 9ee2bcb8d560a..8da2556cdbfac 100644 +--- a/tools/build/feature/Makefile ++++ b/tools/build/feature/Makefile +@@ -90,7 +90,7 @@ __BUILDXX = $(CXX) $(CXXFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.cpp,$( + ############################### + + $(OUTPUT)test-all.bin: +- $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -I/usr/include/slang -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma ++ $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -I/usr/include/slang -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma -lzstd + + $(OUTPUT)test-hello.bin: + $(BUILD) +-- +2.25.1 + diff --git a/queue-5.9/tracing-fix-parse_synth_field-error-handling.patch b/queue-5.9/tracing-fix-parse_synth_field-error-handling.patch new file mode 100644 index 00000000000..e3817b0b413 --- /dev/null +++ b/queue-5.9/tracing-fix-parse_synth_field-error-handling.patch @@ -0,0 +1,61 @@ +From fc9c3d74ea7b3d3665e7703a8fec5cdfd5a6517a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 17:14:04 -0500 +Subject: tracing: Fix parse_synth_field() error handling + +From: Tom Zanussi + +[ Upstream commit 8fbeb52a598c7ab5aa603d6bb083b8a8d16d607a ] + +synth_field_size() returns either a positive size or an error (zero or +a negative value). However, the existing code assumes the only error +value is 0. It doesn't handle negative error codes, as it assigns +directly to field->size (a size_t; unsigned), thereby interpreting the +error code as a valid size instead. + +Do the test before assignment to field->size. + +[ axelrasmussen@google.com: changelog addition, first paragraph above ] + +Link: https://lkml.kernel.org/r/9b6946d9776b2eeb43227678158196de1c3c6e1d.1601848695.git.zanussi@kernel.org + +Fixes: 4b147936fa50 (tracing: Add support for 'synthetic' events) +Reviewed-by: Masami Hiramatsu +Tested-by: Axel Rasmussen +Signed-off-by: Tom Zanussi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_synth.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c +index c6cca0d1d5840..46a96686e93c6 100644 +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -465,6 +465,7 @@ static struct synth_field *parse_synth_field(int argc, const char **argv, + struct synth_field *field; + const char *prefix = NULL, *field_type = argv[0], *field_name, *array; + int len, ret = 0; ++ ssize_t size; + + if (field_type[0] == ';') + field_type++; +@@ -520,11 +521,12 @@ static struct synth_field *parse_synth_field(int argc, const char **argv, + field->type[len - 1] = '\0'; + } + +- field->size = synth_field_size(field->type); +- if (!field->size) { ++ size = synth_field_size(field->type); ++ if (size <= 0) { + ret = -EINVAL; + goto free; + } ++ field->size = size; + + if (synth_field_is_string(field->type)) + field->is_string = true; +-- +2.25.1 + diff --git a/queue-5.9/tracing-handle-synthetic-event-array-field-type-chec.patch b/queue-5.9/tracing-handle-synthetic-event-array-field-type-chec.patch new file mode 100644 index 00000000000..4dd9b5a2148 --- /dev/null +++ b/queue-5.9/tracing-handle-synthetic-event-array-field-type-chec.patch @@ -0,0 +1,105 @@ +From c3e6a8fda27295c86b222d05d145d02769018f91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 09:17:57 -0500 +Subject: tracing: Handle synthetic event array field type checking correctly + +From: Tom Zanussi + +[ Upstream commit 10819e25799aae564005b6049a45e9808797b3bb ] + +Since synthetic event array types are derived from the field name, +there may be a semicolon at the end of the type which should be +stripped off. + +If there are more characters following that, normal type string +checking will result in an invalid type. + +Without this patch, you can end up with an invalid field type string +that gets displayed in both the synthetic event description and the +event format: + +Before: + + # echo 'myevent char str[16]; int v' >> synthetic_events + # cat synthetic_events + myevent char[16]; str; int v + + name: myevent + ID: 1936 + format: + field:unsigned short common_type; offset:0; size:2; signed:0; + field:unsigned char common_flags; offset:2; size:1; signed:0; + field:unsigned char common_preempt_count; offset:3; size:1; signed:0; + field:int common_pid; offset:4; size:4; signed:1; + + field:char str[16];; offset:8; size:16; signed:1; + field:int v; offset:40; size:4; signed:1; + + print fmt: "str=%s, v=%d", REC->str, REC->v + +After: + + # echo 'myevent char str[16]; int v' >> synthetic_events + # cat synthetic_events + myevent char[16] str; int v + + # cat events/synthetic/myevent/format + name: myevent + ID: 1936 + format: + field:unsigned short common_type; offset:0; size:2; signed:0; + field:unsigned char common_flags; offset:2; size:1; signed:0; + field:unsigned char common_preempt_count; offset:3; size:1; signed:0; + field:int common_pid; offset:4; size:4; signed:1; + + field:char str[16]; offset:8; size:16; signed:1; + field:int v; offset:40; size:4; signed:1; + + print fmt: "str=%s, v=%d", REC->str, REC->v + +Link: https://lkml.kernel.org/r/6587663b56c2d45ab9d8c8472a2110713cdec97d.1602598160.git.zanussi@kernel.org + +[ : wrote parse_synth_field() snippet. ] +Fixes: 4b147936fa50 (tracing: Add support for 'synthetic' events) +Reported-by: Masami Hiramatsu +Tested-by: Masami Hiramatsu +Signed-off-by: Tom Zanussi +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_synth.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c +index 46a96686e93c6..c8892156db341 100644 +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -132,7 +132,7 @@ static int synth_field_string_size(char *type) + start += sizeof("char[") - 1; + + end = strchr(type, ']'); +- if (!end || end < start) ++ if (!end || end < start || type + strlen(type) > end + 1) + return -EINVAL; + + len = end - start; +@@ -502,8 +502,14 @@ static struct synth_field *parse_synth_field(int argc, const char **argv, + if (field_type[0] == ';') + field_type++; + len = strlen(field_type) + 1; +- if (array) +- len += strlen(array); ++ ++ if (array) { ++ int l = strlen(array); ++ ++ if (l && array[l - 1] == ';') ++ l--; ++ len += l; ++ } + if (prefix) + len += strlen(prefix); + +-- +2.25.1 + diff --git a/queue-5.9/tty-hvc-fix-link-error-with-config_serial_core_conso.patch b/queue-5.9/tty-hvc-fix-link-error-with-config_serial_core_conso.patch new file mode 100644 index 00000000000..8ca2bfb9ead --- /dev/null +++ b/queue-5.9/tty-hvc-fix-link-error-with-config_serial_core_conso.patch @@ -0,0 +1,41 @@ +From a74606cdbc02551fe5b03e8efecb7a5a662827ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 14:35:35 +0800 +Subject: tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n + +From: Yang Yingliang + +[ Upstream commit 75fc65079d8253e1c25a5f8348111a85d71e0f01 ] + +aarch64-linux-gnu-ld: drivers/tty/hvc/hvc_dcc.o: in function `dcc_early_write': +hvc_dcc.c:(.text+0x164): undefined reference to `uart_console_write' + +The driver uses the uart_console_write(), but SERIAL_CORE_CONSOLE is not +selected, so uart_console_write is not defined, then we get the error. +Fix this by selecting SERIAL_CORE_CONSOLE. + +Fixes: d1a1af2cdf19 ("hvc: dcc: Add earlycon support") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20200919063535.2809707-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/hvc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/hvc/Kconfig b/drivers/tty/hvc/Kconfig +index d1b27b0522a3c..8d60e0ff67b4d 100644 +--- a/drivers/tty/hvc/Kconfig ++++ b/drivers/tty/hvc/Kconfig +@@ -81,6 +81,7 @@ config HVC_DCC + bool "ARM JTAG DCC console" + depends on ARM || ARM64 + select HVC_DRIVER ++ select SERIAL_CORE_CONSOLE + help + This console uses the JTAG DCC on ARM to create a console under the HVC + driver. This console is used through a JTAG only on ARM. If you don't have +-- +2.25.1 + diff --git a/queue-5.9/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch b/queue-5.9/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch new file mode 100644 index 00000000000..3fb878b52b0 --- /dev/null +++ b/queue-5.9/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch @@ -0,0 +1,66 @@ +From 6da30fded8f8c18fe9cfe0a493f69de1953b8acf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:46:38 -0500 +Subject: tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup() + +From: Tyrel Datwyler + +[ Upstream commit 63ffcbdad738e3d1c857027789a2273df3337624 ] + +The code currently NULLs tty->driver_data in hvcs_close() with the +intent of informing the next call to hvcs_open() that device needs to be +reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from +tty->driver_data which was previoulsy NULLed by hvcs_close() and our +call to tty_port_put(&hvcsd->port) doesn't actually do anything since +&hvcsd->port ends up translating to NULL by chance. This has the side +effect that when hvcs_remove() is called we have one too many port +references preventing hvcs_destuct_port() from ever being called. This +also prevents us from reusing the /dev/hvcsX node in a future +hvcs_probe() and we can eventually run out of /dev/hvcsX devices. + +Fix this by waiting to NULL tty->driver_data in hvcs_cleanup(). + +Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install") +Signed-off-by: Tyrel Datwyler +Link: https://lore.kernel.org/r/20200820234643.70412-1-tyreld@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/hvc/hvcs.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index 55105ac38f89b..509d1042825a1 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -1216,13 +1216,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp) + + tty_wait_until_sent(tty, HVCS_CLOSE_WAIT); + +- /* +- * This line is important because it tells hvcs_open that this +- * device needs to be re-configured the next time hvcs_open is +- * called. +- */ +- tty->driver_data = NULL; +- + free_irq(irq, hvcsd); + return; + } else if (hvcsd->port.count < 0) { +@@ -1237,6 +1230,13 @@ static void hvcs_cleanup(struct tty_struct * tty) + { + struct hvcs_struct *hvcsd = tty->driver_data; + ++ /* ++ * This line is important because it tells hvcs_open that this ++ * device needs to be re-configured the next time hvcs_open is ++ * called. ++ */ ++ tty->driver_data = NULL; ++ + tty_port_put(&hvcsd->port); + } + +-- +2.25.1 + diff --git a/queue-5.9/tty-ipwireless-fix-error-handling.patch b/queue-5.9/tty-ipwireless-fix-error-handling.patch new file mode 100644 index 00000000000..b6dab3df901 --- /dev/null +++ b/queue-5.9/tty-ipwireless-fix-error-handling.patch @@ -0,0 +1,60 @@ +From 75756a7a2ba1c45eb2313e560de903c03b1fb26d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 12:19:40 -0400 +Subject: tty: ipwireless: fix error handling + +From: Tong Zhang + +[ Upstream commit db332356222d9429731ab9395c89cca403828460 ] + +ipwireless_send_packet() can only return 0 on success and -ENOMEM on +error, the caller should check non zero for error condition + +Signed-off-by: Tong Zhang +Acked-by: David Sterba +Link: https://lore.kernel.org/r/20200821161942.36589-1-ztong0001@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/ipwireless/network.c | 4 ++-- + drivers/tty/ipwireless/tty.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/ipwireless/network.c b/drivers/tty/ipwireless/network.c +index cf20616340a1a..fe569f6294a24 100644 +--- a/drivers/tty/ipwireless/network.c ++++ b/drivers/tty/ipwireless/network.c +@@ -117,7 +117,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel, + skb->len, + notify_packet_sent, + network); +- if (ret == -1) { ++ if (ret < 0) { + skb_pull(skb, 2); + return 0; + } +@@ -134,7 +134,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel, + notify_packet_sent, + network); + kfree(buf); +- if (ret == -1) ++ if (ret < 0) + return 0; + } + kfree_skb(skb); +diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c +index fad3401e604d9..23584769fc292 100644 +--- a/drivers/tty/ipwireless/tty.c ++++ b/drivers/tty/ipwireless/tty.c +@@ -218,7 +218,7 @@ static int ipw_write(struct tty_struct *linux_tty, + ret = ipwireless_send_packet(tty->hardware, IPW_CHANNEL_RAS, + buf, count, + ipw_write_packet_sent_callback, tty); +- if (ret == -1) { ++ if (ret < 0) { + mutex_unlock(&tty->ipw_tty_mutex); + return 0; + } +-- +2.25.1 + diff --git a/queue-5.9/tty-serial-earlycon-dependency.patch b/queue-5.9/tty-serial-earlycon-dependency.patch new file mode 100644 index 00000000000..28b3081f37f --- /dev/null +++ b/queue-5.9/tty-serial-earlycon-dependency.patch @@ -0,0 +1,38 @@ +From d70ae06dff5f17f73998b37e8f0063040125a76d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 08:39:50 -0400 +Subject: tty: serial: earlycon dependency + +From: Tong Zhang + +[ Upstream commit 0fb9342d06b0f667b915ba58bfefc030e534a218 ] + +parse_options() in drivers/tty/serial/earlycon.c calls uart_parse_earlycon +in drivers/tty/serial/serial_core.c therefore selecting SERIAL_EARLYCON +should automatically select SERIAL_CORE, otherwise will result in symbol +not found error during linking if SERIAL_CORE is not configured as builtin + +Fixes: 9aac5887595b ("tty/serial: add generic serial earlycon") +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20200828123949.2642-1-ztong0001@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig +index 9409be982aa64..54586c1aba60b 100644 +--- a/drivers/tty/serial/Kconfig ++++ b/drivers/tty/serial/Kconfig +@@ -8,6 +8,7 @@ menu "Serial drivers" + + config SERIAL_EARLYCON + bool ++ depends on SERIAL_CORE + help + Support for early consoles with the earlycon parameter. This enables + the console before standard serial driver is probed. The console is +-- +2.25.1 + diff --git a/queue-5.9/tty-serial-imx-fix-link-error-with-config_serial_cor.patch b/queue-5.9/tty-serial-imx-fix-link-error-with-config_serial_cor.patch new file mode 100644 index 00000000000..d7ba059697b --- /dev/null +++ b/queue-5.9/tty-serial-imx-fix-link-error-with-config_serial_cor.patch @@ -0,0 +1,41 @@ +From 2ee7d898137b3866f0c5d3fde228828eadb7d3b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 14:32:40 +0800 +Subject: tty: serial: imx: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n + +From: Yang Yingliang + +[ Upstream commit 24c796926e2f88b383a76ddc871a7cdd62484f3a ] + +aarch64-linux-gnu-ld: drivers/tty/serial/imx_earlycon.o: in function `imx_uart_console_early_write': +imx_earlycon.c:(.text+0x84): undefined reference to `uart_console_write' + +The driver uses the uart_console_write(), but SERIAL_CORE_CONSOLE is not +selected, so uart_console_write is not defined, then we get the error. +Fix this by selecting SERIAL_CORE_CONSOLE. + +Fixes: 699cc4dfd140 ("tty: serial: imx: add imx earlycon driver") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20200919063240.2754965-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig +index 54586c1aba60b..20b98a3ba0466 100644 +--- a/drivers/tty/serial/Kconfig ++++ b/drivers/tty/serial/Kconfig +@@ -521,6 +521,7 @@ config SERIAL_IMX_EARLYCON + depends on ARCH_MXC || COMPILE_TEST + depends on OF + select SERIAL_EARLYCON ++ select SERIAL_CORE_CONSOLE + help + If you have enabled the earlycon on the Freescale IMX + CPU you can make it the earlycon by answering Y to this option. +-- +2.25.1 + diff --git a/queue-5.9/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch b/queue-5.9/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch new file mode 100644 index 00000000000..d487be7ac0a --- /dev/null +++ b/queue-5.9/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch @@ -0,0 +1,62 @@ +From d3dafcfbf216faa42c4c60585fedbb9ad41ada63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 12:14:03 +0200 +Subject: udf: Avoid accessing uninitialized data on failed inode read + +From: Jan Kara + +[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ] + +When we fail to read inode, some data accessed in udf_evict_inode() may +be uninitialized. Move the accesses to !is_bad_inode() branch. + +Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/inode.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index adaba8e8b326e..566118417e562 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -139,21 +139,24 @@ void udf_evict_inode(struct inode *inode) + struct udf_inode_info *iinfo = UDF_I(inode); + int want_delete = 0; + +- if (!inode->i_nlink && !is_bad_inode(inode)) { +- want_delete = 1; +- udf_setsize(inode, 0); +- udf_update_inode(inode, IS_SYNC(inode)); ++ if (!is_bad_inode(inode)) { ++ if (!inode->i_nlink) { ++ want_delete = 1; ++ udf_setsize(inode, 0); ++ udf_update_inode(inode, IS_SYNC(inode)); ++ } ++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB && ++ inode->i_size != iinfo->i_lenExtents) { ++ udf_warn(inode->i_sb, ++ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n", ++ inode->i_ino, inode->i_mode, ++ (unsigned long long)inode->i_size, ++ (unsigned long long)iinfo->i_lenExtents); ++ } + } + truncate_inode_pages_final(&inode->i_data); + invalidate_inode_buffers(inode); + clear_inode(inode); +- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB && +- inode->i_size != iinfo->i_lenExtents) { +- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n", +- inode->i_ino, inode->i_mode, +- (unsigned long long)inode->i_size, +- (unsigned long long)iinfo->i_lenExtents); +- } + kfree(iinfo->i_ext.i_data); + iinfo->i_ext.i_data = NULL; + udf_clear_extent_cache(inode); +-- +2.25.1 + diff --git a/queue-5.9/udf-limit-sparing-table-size.patch b/queue-5.9/udf-limit-sparing-table-size.patch new file mode 100644 index 00000000000..be5f6ecf8f4 --- /dev/null +++ b/queue-5.9/udf-limit-sparing-table-size.patch @@ -0,0 +1,40 @@ +From b33ea0705211b621906008d3cc5b5456aa748c77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:53:08 +0200 +Subject: udf: Limit sparing table size + +From: Jan Kara + +[ Upstream commit 44ac6b829c4e173fdf6df18e6dd86aecf9a3dc99 ] + +Although UDF standard allows it, we don't support sparing table larger +than a single block. Check it during mount so that we don't try to +access memory beyond end of buffer. + +Reported-by: syzbot+9991561e714f597095da@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 1c42f544096d8..a03b8ce5ef0fd 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1353,6 +1353,12 @@ static int udf_load_sparable_map(struct super_block *sb, + (int)spm->numSparingTables); + return -EIO; + } ++ if (le32_to_cpu(spm->sizeSparingTable) > sb->s_blocksize) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too big sparing table size (%u)\n", ++ le32_to_cpu(spm->sizeSparingTable)); ++ return -EIO; ++ } + + for (i = 0; i < spm->numSparingTables; i++) { + loc = le32_to_cpu(spm->locSparingTable[i]); +-- +2.25.1 + diff --git a/queue-5.9/um-time-travel-fix-irq-handling-in-time_travel_handl.patch b/queue-5.9/um-time-travel-fix-irq-handling-in-time_travel_handl.patch new file mode 100644 index 00000000000..cd7a6e30de1 --- /dev/null +++ b/queue-5.9/um-time-travel-fix-irq-handling-in-time_travel_handl.patch @@ -0,0 +1,57 @@ +From 5800e1f1f358f595f1b5b05ccceb6b3c9973b9d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 11:31:12 +0200 +Subject: um: time-travel: Fix IRQ handling in time_travel_handle_message() + +From: Johannes Berg + +[ Upstream commit ebef8ea2ba967026192a26f4529890893919bc57 ] + +As the comment here indicates, we need to do the polling in the +idle loop without blocking interrupts, since interrupts can be +vhost-user messages that we must process even while in our idle +loop. + +I don't know why I explained one thing and implemented another, +but we have indeed observed random hangs due to this, depending +on the timing of the messages. + +Fixes: 88ce64249233 ("um: Implement time-travel=ext") +Signed-off-by: Johannes Berg +Acked-By: Anton Ivanov +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/kernel/time.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/arch/um/kernel/time.c b/arch/um/kernel/time.c +index 25eaa6a0c6583..c07436e89e599 100644 +--- a/arch/um/kernel/time.c ++++ b/arch/um/kernel/time.c +@@ -70,13 +70,17 @@ static void time_travel_handle_message(struct um_timetravel_msg *msg, + * read of the message and write of the ACK. + */ + if (mode != TTMH_READ) { ++ bool disabled = irqs_disabled(); ++ ++ BUG_ON(mode == TTMH_IDLE && !disabled); ++ ++ if (disabled) ++ local_irq_enable(); + while (os_poll(1, &time_travel_ext_fd) != 0) { +- if (mode == TTMH_IDLE) { +- BUG_ON(!irqs_disabled()); +- local_irq_enable(); +- local_irq_disable(); +- } ++ /* nothing */ + } ++ if (disabled) ++ local_irq_disable(); + } + + ret = os_read_file(time_travel_ext_fd, msg, sizeof(*msg)); +-- +2.25.1 + diff --git a/queue-5.9/um-vector-use-gfp_atomic-under-spin-lock.patch b/queue-5.9/um-vector-use-gfp_atomic-under-spin-lock.patch new file mode 100644 index 00000000000..5387db24f33 --- /dev/null +++ b/queue-5.9/um-vector-use-gfp_atomic-under-spin-lock.patch @@ -0,0 +1,46 @@ +From c6f2ceec5edea402ec668d798b194dfcd15091c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jun 2020 13:20:07 +0800 +Subject: um: vector: Use GFP_ATOMIC under spin lock + +From: Tiezhu Yang + +[ Upstream commit e4e721fe4ccb504a29d1e8d4047667557281d932 ] + +Use GFP_ATOMIC instead of GFP_KERNEL under spin lock to fix possible +sleep-in-atomic-context bugs. + +Fixes: 9807019a62dc ("um: Loadable BPF "Firmware" for vector drivers") +Signed-off-by: Tiezhu Yang +Acked-By: Anton Ivanov +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/vector_kern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c +index 8735c468230a5..555203e3e7b45 100644 +--- a/arch/um/drivers/vector_kern.c ++++ b/arch/um/drivers/vector_kern.c +@@ -1403,7 +1403,7 @@ static int vector_net_load_bpf_flash(struct net_device *dev, + kfree(vp->bpf->filter); + vp->bpf->filter = NULL; + } else { +- vp->bpf = kmalloc(sizeof(struct sock_fprog), GFP_KERNEL); ++ vp->bpf = kmalloc(sizeof(struct sock_fprog), GFP_ATOMIC); + if (vp->bpf == NULL) { + netdev_err(dev, "failed to allocate memory for firmware\n"); + goto flash_fail; +@@ -1415,7 +1415,7 @@ static int vector_net_load_bpf_flash(struct net_device *dev, + if (request_firmware(&fw, efl->data, &vdevice->pdev.dev)) + goto flash_fail; + +- vp->bpf->filter = kmemdup(fw->data, fw->size, GFP_KERNEL); ++ vp->bpf->filter = kmemdup(fw->data, fw->size, GFP_ATOMIC); + if (!vp->bpf->filter) + goto free_buffer; + +-- +2.25.1 + diff --git a/queue-5.9/usb-cdc-acm-handle-broken-union-descriptors.patch b/queue-5.9/usb-cdc-acm-handle-broken-union-descriptors.patch new file mode 100644 index 00000000000..c95d4ab34e5 --- /dev/null +++ b/queue-5.9/usb-cdc-acm-handle-broken-union-descriptors.patch @@ -0,0 +1,61 @@ +From 7c79350eac6c2fc08071aa16d13959f908ca2e50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 15:59:49 +0200 +Subject: USB: cdc-acm: handle broken union descriptors + +From: Johan Hovold + +[ Upstream commit 960c7339de27c6d6fec13b54880501c3576bb08d ] + +Handle broken union functional descriptors where the master-interface +doesn't exist or where its class is of neither Communication or Data +type (as required by the specification) by falling back to +"combined-interface" probing. + +Note that this still allows for handling union descriptors with switched +interfaces. + +This specifically makes the Whistler radio scanners TRX series devices +work with the driver without adding further quirks to the device-id +table. + +Reported-by: Daniel Caujolle-Bert +Tested-by: Daniel Caujolle-Bert +Acked-by: Oliver Neukum +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20200921135951.24045-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/class/cdc-acm.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 7f6f3ab5b8a67..c8fb85a71c3ad 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1243,9 +1243,21 @@ static int acm_probe(struct usb_interface *intf, + } + } + } else { ++ int class = -1; ++ + data_intf_num = union_header->bSlaveInterface0; + control_interface = usb_ifnum_to_if(usb_dev, union_header->bMasterInterface0); + data_interface = usb_ifnum_to_if(usb_dev, data_intf_num); ++ ++ if (control_interface) ++ class = control_interface->cur_altsetting->desc.bInterfaceClass; ++ ++ if (class != USB_CLASS_COMM && class != USB_CLASS_CDC_DATA) { ++ dev_dbg(&intf->dev, "Broken union descriptor, assuming single interface\n"); ++ combined_interfaces = 1; ++ control_interface = data_interface = intf; ++ goto look_for_collapsed_interface; ++ } + } + + if (!control_interface || !data_interface) { +-- +2.25.1 + diff --git a/queue-5.9/usb-core-solve-race-condition-in-anchor-cleanup-func.patch b/queue-5.9/usb-core-solve-race-condition-in-anchor-cleanup-func.patch new file mode 100644 index 00000000000..0ac7ff03bd6 --- /dev/null +++ b/queue-5.9/usb-core-solve-race-condition-in-anchor-cleanup-func.patch @@ -0,0 +1,202 @@ +From 7c92a874a8ed44fcf2ee99bf11cb776f35aeadff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 08:46:50 +0300 +Subject: usb: core: Solve race condition in anchor cleanup functions + +From: Eli Billauer + +[ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ] + +usb_kill_anchored_urbs() is commonly used to cancel all URBs on an +anchor just before releasing resources which the URBs rely on. By doing +so, users of this function rely on that no completer callbacks will take +place from any URB on the anchor after it returns. + +However if this function is called in parallel with __usb_hcd_giveback_urb +processing a URB on the anchor, the latter may call the completer +callback after usb_kill_anchored_urbs() returns. This can lead to a +kernel panic due to use after release of memory in interrupt context. + +The race condition is that __usb_hcd_giveback_urb() first unanchors the URB +and then makes the completer callback. Such URB is hence invisible to +usb_kill_anchored_urbs(), allowing it to return before the completer has +been called, since the anchor's urb_list is empty. + +Even worse, if the racing completer callback resubmits the URB, it may +remain in the system long after usb_kill_anchored_urbs() returns. + +Hence list_empty(&anchor->urb_list), which is used in the existing +while-loop, doesn't reliably ensure that all URBs of the anchor are gone. + +A similar problem exists with usb_poison_anchored_urbs() and +usb_scuttle_anchored_urbs(). + +This patch adds an external do-while loop, which ensures that all URBs +are indeed handled before these three functions return. This change has +no effect at all unless the race condition occurs, in which case the +loop will busy-wait until the racing completer callback has finished. +This is a rare condition, so the CPU waste of this spinning is +negligible. + +The additional do-while loop relies on usb_anchor_check_wakeup(), which +returns true iff the anchor list is empty, and there is no +__usb_hcd_giveback_urb() in the system that is in the middle of the +unanchor-before-complete phase. The @suspend_wakeups member of +struct usb_anchor is used for this purpose, which was introduced to solve +another problem which the same race condition causes, in commit +6ec4147e7bdb ("usb-anchor: Delay usb_wait_anchor_empty_timeout wake up +till completion is done"). + +The surely_empty variable is necessary, because usb_anchor_check_wakeup() +must be called with the lock held to prevent races. However the spinlock +must be released and reacquired if the outer loop spins with an empty +URB list while waiting for the unanchor-before-complete passage to finish: +The completer callback may very well attempt to take the very same lock. + +To summarize, using usb_anchor_check_wakeup() means that the patched +functions can return only when the anchor's list is empty, and there is +no invisible URB being processed. Since the inner while loop finishes on +the empty list condition, the new do-while loop will terminate as well, +except for when the said race condition occurs. + +Signed-off-by: Eli Billauer +Acked-by: Oliver Neukum +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20200731054650.30644-1-eli.billauer@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/urb.c | 89 +++++++++++++++++++++++++----------------- + 1 file changed, 54 insertions(+), 35 deletions(-) + +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index 7bc23469f4e4e..27e83e55a5901 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -772,11 +772,12 @@ void usb_block_urb(struct urb *urb) + EXPORT_SYMBOL_GPL(usb_block_urb); + + /** +- * usb_kill_anchored_urbs - cancel transfer requests en masse ++ * usb_kill_anchored_urbs - kill all URBs associated with an anchor + * @anchor: anchor the requests are bound to + * +- * this allows all outstanding URBs to be killed starting +- * from the back of the queue ++ * This kills all outstanding URBs starting from the back of the queue, ++ * with guarantee that no completer callbacks will take place from the ++ * anchor after this function returns. + * + * This routine should not be called by a driver after its disconnect + * method has returned. +@@ -784,20 +785,26 @@ EXPORT_SYMBOL_GPL(usb_block_urb); + void usb_kill_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; ++ int surely_empty; + +- spin_lock_irq(&anchor->lock); +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- /* we must make sure the URB isn't freed before we kill it*/ +- usb_get_urb(victim); +- spin_unlock_irq(&anchor->lock); +- /* this will unanchor the URB */ +- usb_kill_urb(victim); +- usb_put_urb(victim); ++ do { + spin_lock_irq(&anchor->lock); +- } +- spin_unlock_irq(&anchor->lock); ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ /* make sure the URB isn't freed before we kill it */ ++ usb_get_urb(victim); ++ spin_unlock_irq(&anchor->lock); ++ /* this will unanchor the URB */ ++ usb_kill_urb(victim); ++ usb_put_urb(victim); ++ spin_lock_irq(&anchor->lock); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); ++ ++ spin_unlock_irq(&anchor->lock); ++ cpu_relax(); ++ } while (!surely_empty); + } + EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); + +@@ -816,21 +823,27 @@ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); + void usb_poison_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; ++ int surely_empty; + +- spin_lock_irq(&anchor->lock); +- anchor->poisoned = 1; +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- /* we must make sure the URB isn't freed before we kill it*/ +- usb_get_urb(victim); +- spin_unlock_irq(&anchor->lock); +- /* this will unanchor the URB */ +- usb_poison_urb(victim); +- usb_put_urb(victim); ++ do { + spin_lock_irq(&anchor->lock); +- } +- spin_unlock_irq(&anchor->lock); ++ anchor->poisoned = 1; ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ /* make sure the URB isn't freed before we kill it */ ++ usb_get_urb(victim); ++ spin_unlock_irq(&anchor->lock); ++ /* this will unanchor the URB */ ++ usb_poison_urb(victim); ++ usb_put_urb(victim); ++ spin_lock_irq(&anchor->lock); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); ++ ++ spin_unlock_irq(&anchor->lock); ++ cpu_relax(); ++ } while (!surely_empty); + } + EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs); + +@@ -970,14 +983,20 @@ void usb_scuttle_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; + unsigned long flags; ++ int surely_empty; ++ ++ do { ++ spin_lock_irqsave(&anchor->lock, flags); ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ __usb_unanchor_urb(victim, anchor); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); + +- spin_lock_irqsave(&anchor->lock, flags); +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- __usb_unanchor_urb(victim, anchor); +- } +- spin_unlock_irqrestore(&anchor->lock, flags); ++ spin_unlock_irqrestore(&anchor->lock, flags); ++ cpu_relax(); ++ } while (!surely_empty); + } + + EXPORT_SYMBOL_GPL(usb_scuttle_anchored_urbs); +-- +2.25.1 + diff --git a/queue-5.9/usb-dwc2-add-missing-cleanups-when-usb_add_gadget_ud.patch b/queue-5.9/usb-dwc2-add-missing-cleanups-when-usb_add_gadget_ud.patch new file mode 100644 index 00000000000..dc6f40c54a2 --- /dev/null +++ b/queue-5.9/usb-dwc2-add-missing-cleanups-when-usb_add_gadget_ud.patch @@ -0,0 +1,48 @@ +From 3cbd922e4a1d7fe4f621bb82beeacacb611cd515 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jul 2020 00:50:43 +0200 +Subject: usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails + +From: Martin Blumenstingl + +[ Upstream commit e1c08cf23172ed6fb228d75efc9f4c80a6812116 ] + +Call dwc2_debugfs_exit() and dwc2_hcd_remove() (if the HCD was enabled +earlier) when usb_add_gadget_udc() has failed. This ensures that the +debugfs entries created by dwc2_debugfs_init() as well as the HCD are +cleaned up in the error path. + +Fixes: 207324a321a866 ("usb: dwc2: Postponed gadget registration to the udc class driver") +Acked-by: Minas Harutyunyan +Signed-off-by: Martin Blumenstingl +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/platform.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c +index db9fd4bd1a38c..b28e90e0b685d 100644 +--- a/drivers/usb/dwc2/platform.c ++++ b/drivers/usb/dwc2/platform.c +@@ -584,12 +584,16 @@ static int dwc2_driver_probe(struct platform_device *dev) + if (retval) { + hsotg->gadget.udc = NULL; + dwc2_hsotg_remove(hsotg); +- goto error_init; ++ goto error_debugfs; + } + } + #endif /* CONFIG_USB_DWC2_PERIPHERAL || CONFIG_USB_DWC2_DUAL_ROLE */ + return 0; + ++error_debugfs: ++ dwc2_debugfs_exit(hsotg); ++ if (hsotg->hcd_enabled) ++ dwc2_hcd_remove(hsotg); + error_init: + if (hsotg->params.activate_stm_id_vb_detection) + regulator_disable(hsotg->usb33d); +-- +2.25.1 + diff --git a/queue-5.9/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch b/queue-5.9/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch new file mode 100644 index 00000000000..e970cab68e5 --- /dev/null +++ b/queue-5.9/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch @@ -0,0 +1,143 @@ +From b281286af197d4afa13efe0377bb94f27dd0eb62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 18:08:39 +0400 +Subject: usb: dwc2: Fix INTR OUT transfers in DDMA mode. + +From: Minas Harutyunyan + +[ Upstream commit b2c586eb07efab982419f32b7c3bd96829bc8bcd ] + +In DDMA mode if INTR OUT transfers mps not multiple of 4 then single packet +corresponds to single descriptor. + +Descriptor limit set to mps and desc chain limit set to mps * +MAX_DMA_DESC_NUM_GENERIC. On that descriptors complete, to calculate +transfer size should be considered correction value for each descriptor. + +In start request function, if "continue" is true then dma buffer address +should be incremmented by offset for all type of transfers, not only for +Control DATA_OUT transfers. + +Fixes: cf77b5fb9b394 ("usb: dwc2: gadget: Transfer length limit checking for DDMA") +Fixes: e02f9aa6119e0 ("usb: dwc2: gadget: EP 0 specific DDMA programming") +Fixes: aa3e8bc81311e ("usb: dwc2: gadget: DDMA transfer start and complete") + +Signed-off-by: Minas Harutyunyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/gadget.c | 40 ++++++++++++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index 5b9d23991c99d..d367da4c6f850 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -713,8 +713,11 @@ static u32 dwc2_hsotg_read_frameno(struct dwc2_hsotg *hsotg) + */ + static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + int is_isoc = hs_ep->isochronous; + unsigned int maxsize; ++ u32 mps = hs_ep->ep.maxpacket; ++ int dir_in = hs_ep->dir_in; + + if (is_isoc) + maxsize = (hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT : +@@ -723,6 +726,11 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + else + maxsize = DEV_DMA_NBYTES_LIMIT * MAX_DMA_DESC_NUM_GENERIC; + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) ++ maxsize = mps * MAX_DMA_DESC_NUM_GENERIC; ++ + return maxsize; + } + +@@ -738,11 +746,14 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + * Isochronous - descriptor rx/tx bytes bitfield limit, + * Control In/Bulk/Interrupt - multiple of mps. This will allow to not + * have concatenations from various descriptors within one packet. ++ * Interrupt OUT - if mps not multiple of 4 then a single packet corresponds ++ * to a single descriptor. + * + * Selects corresponding mask for RX/TX bytes as well. + */ + static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + u32 mps = hs_ep->ep.maxpacket; + int dir_in = hs_ep->dir_in; + u32 desc_size = 0; +@@ -766,6 +777,13 @@ static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask) + desc_size -= desc_size % mps; + } + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) { ++ desc_size = mps; ++ *mask = DEV_DMA_NBYTES_MASK; ++ } ++ + return desc_size; + } + +@@ -1123,13 +1141,7 @@ static void dwc2_hsotg_start_req(struct dwc2_hsotg *hsotg, + length += (mps - (length % mps)); + } + +- /* +- * If more data to send, adjust DMA for EP0 out data stage. +- * ureq->dma stays unchanged, hence increment it by already +- * passed passed data count before starting new transaction. +- */ +- if (!index && hsotg->ep0_state == DWC2_EP0_DATA_OUT && +- continuing) ++ if (continuing) + offset = ureq->actual; + + /* Fill DDMA chain entries */ +@@ -2320,22 +2332,36 @@ static void dwc2_hsotg_change_ep_iso_parity(struct dwc2_hsotg *hsotg, + */ + static unsigned int dwc2_gadget_get_xfersize_ddma(struct dwc2_hsotg_ep *hs_ep) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + struct dwc2_hsotg *hsotg = hs_ep->parent; + unsigned int bytes_rem = 0; ++ unsigned int bytes_rem_correction = 0; + struct dwc2_dma_desc *desc = hs_ep->desc_list; + int i; + u32 status; ++ u32 mps = hs_ep->ep.maxpacket; ++ int dir_in = hs_ep->dir_in; + + if (!desc) + return -EINVAL; + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) ++ bytes_rem_correction = 4 - (mps % 4); ++ + for (i = 0; i < hs_ep->desc_count; ++i) { + status = desc->status; + bytes_rem += status & DEV_DMA_NBYTES_MASK; ++ bytes_rem -= bytes_rem_correction; + + if (status & DEV_DMA_STS_MASK) + dev_err(hsotg->dev, "descriptor %d closed with %x\n", + i, status & DEV_DMA_STS_MASK); ++ ++ if (status & DEV_DMA_L) ++ break; ++ + desc++; + } + +-- +2.25.1 + diff --git a/queue-5.9/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch b/queue-5.9/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch new file mode 100644 index 00000000000..0c56294bcda --- /dev/null +++ b/queue-5.9/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch @@ -0,0 +1,88 @@ +From 368884326c6e9938d5a3bc47dc089b82eb7e47e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 23:03:54 -0700 +Subject: usb: dwc2: Fix parameter type in function pointer prototype + +From: Nathan Chancellor + +[ Upstream commit 362b9398c962c9ec563653444e15ef9032ef3a90 ] + +When booting up on a Raspberry Pi 4 with Control Flow Integrity checking +enabled, the following warning/panic happens: + +[ 1.626435] CFI failure (target: dwc2_set_bcm_params+0x0/0x4): +[ 1.632408] WARNING: CPU: 0 PID: 32 at kernel/cfi.c:30 __cfi_check_fail+0x54/0x5c +[ 1.640021] Modules linked in: +[ 1.643137] CPU: 0 PID: 32 Comm: kworker/0:1 Not tainted 5.8.0-rc6-next-20200724-00051-g89ba619726de #1 +[ 1.652693] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT) +[ 1.658637] Workqueue: events deferred_probe_work_func +[ 1.663870] pstate: 60000005 (nZCv daif -PAN -UAO BTYPE=--) +[ 1.669542] pc : __cfi_check_fail+0x54/0x5c +[ 1.673798] lr : __cfi_check_fail+0x54/0x5c +[ 1.678050] sp : ffff8000102bbaa0 +[ 1.681419] x29: ffff8000102bbaa0 x28: ffffab09e21c7000 +[ 1.686829] x27: 0000000000000402 x26: ffff0000f6e7c228 +[ 1.692238] x25: 00000000fb7cdb0d x24: 0000000000000005 +[ 1.697647] x23: ffffab09e2515000 x22: ffffab09e069a000 +[ 1.703055] x21: 4c550309df1cf4c1 x20: ffffab09e2433c60 +[ 1.708462] x19: ffffab09e160dc50 x18: ffff0000f6e8cc78 +[ 1.713870] x17: 0000000000000041 x16: ffffab09e0bce6f8 +[ 1.719278] x15: ffffab09e1c819b7 x14: 0000000000000003 +[ 1.724686] x13: 00000000ffffefff x12: 0000000000000000 +[ 1.730094] x11: 0000000000000000 x10: 00000000ffffffff +[ 1.735501] x9 : c932f7abfc4bc600 x8 : c932f7abfc4bc600 +[ 1.740910] x7 : 077207610770075f x6 : ffff0000f6c38f00 +[ 1.746317] x5 : 0000000000000000 x4 : 0000000000000000 +[ 1.751723] x3 : 0000000000000000 x2 : 0000000000000000 +[ 1.757129] x1 : ffff8000102bb7d8 x0 : 0000000000000032 +[ 1.762539] Call trace: +[ 1.765030] __cfi_check_fail+0x54/0x5c +[ 1.768938] __cfi_check+0x5fa6c/0x66afc +[ 1.772932] dwc2_init_params+0xd74/0xd78 +[ 1.777012] dwc2_driver_probe+0x484/0x6ec +[ 1.781180] platform_drv_probe+0xb4/0x100 +[ 1.785350] really_probe+0x228/0x63c +[ 1.789076] driver_probe_device+0x80/0xc0 +[ 1.793247] __device_attach_driver+0x114/0x160 +[ 1.797857] bus_for_each_drv+0xa8/0x128 +[ 1.801851] __device_attach.llvm.14901095709067289134+0xc0/0x170 +[ 1.808050] bus_probe_device+0x44/0x100 +[ 1.812044] deferred_probe_work_func+0x78/0xb8 +[ 1.816656] process_one_work+0x204/0x3c4 +[ 1.820736] worker_thread+0x2f0/0x4c4 +[ 1.824552] kthread+0x174/0x184 +[ 1.827837] ret_from_fork+0x10/0x18 + +CFI validates that all indirect calls go to a function with the same +exact function pointer prototype. In this case, dwc2_set_bcm_params +is the target, which has a parameter of type 'struct dwc2_hsotg *', +but it is being implicitly cast to have a parameter of type 'void *' +because that is the set_params function pointer prototype. Make the +function pointer protoype match the definitions so that there is no +more violation. + +Fixes: 7de1debcd2de ("usb: dwc2: Remove platform static params") +Link: https://github.com/ClangBuiltLinux/linux/issues/1107 +Signed-off-by: Nathan Chancellor +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/params.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c +index 8f9d061c4d5fa..a3611cdd1deaa 100644 +--- a/drivers/usb/dwc2/params.c ++++ b/drivers/usb/dwc2/params.c +@@ -860,7 +860,7 @@ int dwc2_get_hwparams(struct dwc2_hsotg *hsotg) + int dwc2_init_params(struct dwc2_hsotg *hsotg) + { + const struct of_device_id *match; +- void (*set_params)(void *data); ++ void (*set_params)(struct dwc2_hsotg *data); + + dwc2_set_default_params(hsotg); + dwc2_get_device_properties(hsotg); +-- +2.25.1 + diff --git a/queue-5.9/usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch b/queue-5.9/usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch new file mode 100644 index 00000000000..36982513a0d --- /dev/null +++ b/queue-5.9/usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch @@ -0,0 +1,126 @@ +From 696b712235d4bd8f477215e2479fba387fda5005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 09:20:56 +0200 +Subject: usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc + +From: Yu Chen + +[ Upstream commit f580170f135af14e287560d94045624d4242d712 ] + +SPLIT_BOUNDARY_DISABLE should be set for DesignWare USB3 DRD Core +of Hisilicon Kirin Soc when dwc3 core act as host. + +[mchehab: dropped a dev_dbg() as only traces are now allowwed on this driver] + +Signed-off-by: Yu Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 25 +++++++++++++++++++++++++ + drivers/usb/dwc3/core.h | 7 +++++++ + 2 files changed, 32 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index c8e0ef2c1db33..2f9f4ad562d4e 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -119,6 +119,7 @@ static void __dwc3_set_mode(struct work_struct *work) + struct dwc3 *dwc = work_to_dwc(work); + unsigned long flags; + int ret; ++ u32 reg; + + if (dwc->dr_mode != USB_DR_MODE_OTG) + return; +@@ -172,6 +173,11 @@ static void __dwc3_set_mode(struct work_struct *work) + otg_set_vbus(dwc->usb2_phy->otg, true); + phy_set_mode(dwc->usb2_generic_phy, PHY_MODE_USB_HOST); + phy_set_mode(dwc->usb3_generic_phy, PHY_MODE_USB_HOST); ++ if (dwc->dis_split_quirk) { ++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL3); ++ reg |= DWC3_GUCTL3_SPLITDISABLE; ++ dwc3_writel(dwc->regs, DWC3_GUCTL3, reg); ++ } + } + break; + case DWC3_GCTL_PRTCAP_DEVICE: +@@ -1349,6 +1355,9 @@ static void dwc3_get_properties(struct dwc3 *dwc) + dwc->dis_metastability_quirk = device_property_read_bool(dev, + "snps,dis_metastability_quirk"); + ++ dwc->dis_split_quirk = device_property_read_bool(dev, ++ "snps,dis-split-quirk"); ++ + dwc->lpm_nyet_threshold = lpm_nyet_threshold; + dwc->tx_de_emphasis = tx_de_emphasis; + +@@ -1866,10 +1875,26 @@ static int dwc3_resume(struct device *dev) + + return 0; + } ++ ++static void dwc3_complete(struct device *dev) ++{ ++ struct dwc3 *dwc = dev_get_drvdata(dev); ++ u32 reg; ++ ++ if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST && ++ dwc->dis_split_quirk) { ++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL3); ++ reg |= DWC3_GUCTL3_SPLITDISABLE; ++ dwc3_writel(dwc->regs, DWC3_GUCTL3, reg); ++ } ++} ++#else ++#define dwc3_complete NULL + #endif /* CONFIG_PM_SLEEP */ + + static const struct dev_pm_ops dwc3_dev_pm_ops = { + SET_SYSTEM_SLEEP_PM_OPS(dwc3_suspend, dwc3_resume) ++ .complete = dwc3_complete, + SET_RUNTIME_PM_OPS(dwc3_runtime_suspend, dwc3_runtime_resume, + dwc3_runtime_idle) + }; +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 2f04b3e42bf1c..ba0f743f35528 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -138,6 +138,7 @@ + #define DWC3_GEVNTCOUNT(n) (0xc40c + ((n) * 0x10)) + + #define DWC3_GHWPARAMS8 0xc600 ++#define DWC3_GUCTL3 0xc60c + #define DWC3_GFLADJ 0xc630 + + /* Device Registers */ +@@ -380,6 +381,9 @@ + /* Global User Control Register 2 */ + #define DWC3_GUCTL2_RST_ACTBITLATER BIT(14) + ++/* Global User Control Register 3 */ ++#define DWC3_GUCTL3_SPLITDISABLE BIT(14) ++ + /* Device Configuration Register */ + #define DWC3_DCFG_DEVADDR(addr) ((addr) << 3) + #define DWC3_DCFG_DEVADDR_MASK DWC3_DCFG_DEVADDR(0x7f) +@@ -1052,6 +1056,7 @@ struct dwc3_scratchpad_array { + * 2 - No de-emphasis + * 3 - Reserved + * @dis_metastability_quirk: set to disable metastability quirk. ++ * @dis_split_quirk: set to disable split boundary. + * @imod_interval: set the interrupt moderation interval in 250ns + * increments or 0 to disable. + */ +@@ -1245,6 +1250,8 @@ struct dwc3 { + + unsigned dis_metastability_quirk:1; + ++ unsigned dis_split_quirk:1; ++ + u16 imod_interval; + }; + +-- +2.25.1 + diff --git a/queue-5.9/usb-dwc3-core-properly-default-unspecified-speed.patch b/queue-5.9/usb-dwc3-core-properly-default-unspecified-speed.patch new file mode 100644 index 00000000000..72b0a7c28a1 --- /dev/null +++ b/queue-5.9/usb-dwc3-core-properly-default-unspecified-speed.patch @@ -0,0 +1,87 @@ +From d17597cd4a80a0dfbdb02ad09ccef8979f33136d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 14:01:02 -0700 +Subject: usb: dwc3: core: Properly default unspecified speed + +From: Thinh Nguyen + +[ Upstream commit b574ce3ee45937f4a01edc98c59213bfc7effe50 ] + +If the maximum_speed is not specified, default the device speed base on +its HW capability. Don't prematurely check HW capability before +validating the maximum_speed device property. The device property takes +precedence in dwc->maximum_speed. + +Fixes: 0e1e5c47f7a9 ("usb: dwc3: add support for USB 2.0-only core configuration") +Reported-by: Chunfeng Yun +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 35 ++++++++++++++++++----------------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 2eb34c8b4065f..c8e0ef2c1db33 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -929,13 +929,6 @@ static int dwc3_core_init(struct dwc3 *dwc) + */ + dwc3_writel(dwc->regs, DWC3_GUID, LINUX_VERSION_CODE); + +- /* Handle USB2.0-only core configuration */ +- if (DWC3_GHWPARAMS3_SSPHY_IFC(dwc->hwparams.hwparams3) == +- DWC3_GHWPARAMS3_SSPHY_IFC_DIS) { +- if (dwc->maximum_speed == USB_SPEED_SUPER) +- dwc->maximum_speed = USB_SPEED_HIGH; +- } +- + ret = dwc3_phy_setup(dwc); + if (ret) + goto err0; +@@ -1381,6 +1374,8 @@ bool dwc3_has_imod(struct dwc3 *dwc) + static void dwc3_check_params(struct dwc3 *dwc) + { + struct device *dev = dwc->dev; ++ unsigned int hwparam_gen = ++ DWC3_GHWPARAMS3_SSPHY_IFC(dwc->hwparams.hwparams3); + + /* Check for proper value of imod_interval */ + if (dwc->imod_interval && !dwc3_has_imod(dwc)) { +@@ -1412,17 +1407,23 @@ static void dwc3_check_params(struct dwc3 *dwc) + dwc->maximum_speed); + fallthrough; + case USB_SPEED_UNKNOWN: +- /* default to superspeed */ +- dwc->maximum_speed = USB_SPEED_SUPER; +- +- /* +- * default to superspeed plus if we are capable. +- */ +- if ((DWC3_IP_IS(DWC31) || DWC3_IP_IS(DWC32)) && +- (DWC3_GHWPARAMS3_SSPHY_IFC(dwc->hwparams.hwparams3) == +- DWC3_GHWPARAMS3_SSPHY_IFC_GEN2)) ++ switch (hwparam_gen) { ++ case DWC3_GHWPARAMS3_SSPHY_IFC_GEN2: + dwc->maximum_speed = USB_SPEED_SUPER_PLUS; +- ++ break; ++ case DWC3_GHWPARAMS3_SSPHY_IFC_GEN1: ++ if (DWC3_IP_IS(DWC32)) ++ dwc->maximum_speed = USB_SPEED_SUPER_PLUS; ++ else ++ dwc->maximum_speed = USB_SPEED_SUPER; ++ break; ++ case DWC3_GHWPARAMS3_SSPHY_IFC_DIS: ++ dwc->maximum_speed = USB_SPEED_HIGH; ++ break; ++ default: ++ dwc->maximum_speed = USB_SPEED_SUPER; ++ break; ++ } + break; + } + } +-- +2.25.1 + diff --git a/queue-5.9/usb-dwc3-simple-add-support-for-hikey-970.patch b/queue-5.9/usb-dwc3-simple-add-support-for-hikey-970.patch new file mode 100644 index 00000000000..b3bc8c09636 --- /dev/null +++ b/queue-5.9/usb-dwc3-simple-add-support-for-hikey-970.patch @@ -0,0 +1,95 @@ +From 9d2b7c56b13cf536a01b96abe3d12b64457d611d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 11:58:23 +0200 +Subject: usb: dwc3: simple: add support for Hikey 970 + +From: Mauro Carvalho Chehab + +[ Upstream commit b68d9251561f33661e53dd618f1cafe7ec9ec3c2 ] + +This binding driver is needed for Hikey 970 to work, +as otherwise a Serror is produced: + + [ 1.837458] SError Interrupt on CPU0, code 0xbf000002 -- SError + [ 1.837462] CPU: 0 PID: 74 Comm: kworker/0:1 Not tainted 5.8.0+ #205 + [ 1.837463] Hardware name: HiKey970 (DT) + [ 1.837465] Workqueue: events deferred_probe_work_func + [ 1.837467] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--) + [ 1.837468] pc : _raw_spin_unlock_irqrestore+0x18/0x50 + [ 1.837469] lr : regmap_unlock_spinlock+0x14/0x20 + [ 1.837470] sp : ffff8000124dba60 + [ 1.837471] x29: ffff8000124dba60 x28: 0000000000000000 + [ 1.837474] x27: ffff0001b7e854c8 x26: ffff80001204ea18 + [ 1.837476] x25: 0000000000000005 x24: ffff800011f918f8 + [ 1.837479] x23: ffff800011fbb588 x22: ffff0001b7e40e00 + [ 1.837481] x21: 0000000000000100 x20: 0000000000000000 + [ 1.837483] x19: ffff0001b767ec00 x18: 00000000ff10c000 + [ 1.837485] x17: 0000000000000002 x16: 0000b0740fdb9950 + [ 1.837488] x15: ffff8000116c1198 x14: ffffffffffffffff + [ 1.837490] x13: 0000000000000030 x12: 0101010101010101 + [ 1.837493] x11: 0000000000000020 x10: ffff0001bf17d130 + [ 1.837495] x9 : 0000000000000000 x8 : ffff0001b6938080 + [ 1.837497] x7 : 0000000000000000 x6 : 000000000000003f + [ 1.837500] x5 : 0000000000000000 x4 : 0000000000000000 + [ 1.837502] x3 : ffff80001096a880 x2 : 0000000000000000 + [ 1.837505] x1 : ffff0001b7e40e00 x0 : 0000000100000001 + [ 1.837507] Kernel panic - not syncing: Asynchronous SError Interrupt + [ 1.837509] CPU: 0 PID: 74 Comm: kworker/0:1 Not tainted 5.8.0+ #205 + [ 1.837510] Hardware name: HiKey970 (DT) + [ 1.837511] Workqueue: events deferred_probe_work_func + [ 1.837513] Call trace: + [ 1.837514] dump_backtrace+0x0/0x1e0 + [ 1.837515] show_stack+0x18/0x24 + [ 1.837516] dump_stack+0xc0/0x11c + [ 1.837517] panic+0x15c/0x324 + [ 1.837518] nmi_panic+0x8c/0x90 + [ 1.837519] arm64_serror_panic+0x78/0x84 + [ 1.837520] do_serror+0x158/0x15c + [ 1.837521] el1_error+0x84/0x100 + [ 1.837522] _raw_spin_unlock_irqrestore+0x18/0x50 + [ 1.837523] regmap_write+0x58/0x80 + [ 1.837524] hi3660_reset_deassert+0x28/0x34 + [ 1.837526] reset_control_deassert+0x50/0x260 + [ 1.837527] reset_control_deassert+0xf4/0x260 + [ 1.837528] dwc3_probe+0x5dc/0xe6c + [ 1.837529] platform_drv_probe+0x54/0xb0 + [ 1.837530] really_probe+0xe0/0x490 + [ 1.837531] driver_probe_device+0xf4/0x160 + [ 1.837532] __device_attach_driver+0x8c/0x114 + [ 1.837533] bus_for_each_drv+0x78/0xcc + [ 1.837534] __device_attach+0x108/0x1a0 + [ 1.837535] device_initial_probe+0x14/0x20 + [ 1.837537] bus_probe_device+0x98/0xa0 + [ 1.837538] deferred_probe_work_func+0x88/0xe0 + [ 1.837539] process_one_work+0x1cc/0x350 + [ 1.837540] worker_thread+0x2c0/0x470 + [ 1.837541] kthread+0x154/0x160 + [ 1.837542] ret_from_fork+0x10/0x30 + [ 1.837569] SMP: stopping secondary CPUs + [ 1.837570] Kernel Offset: 0x1d0000 from 0xffff800010000000 + [ 1.837571] PHYS_OFFSET: 0x0 + [ 1.837572] CPU features: 0x240002,20882004 + [ 1.837573] Memory Limit: none + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-of-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/dwc3/dwc3-of-simple.c b/drivers/usb/dwc3/dwc3-of-simple.c +index 7df1150129354..2816e4a9813ad 100644 +--- a/drivers/usb/dwc3/dwc3-of-simple.c ++++ b/drivers/usb/dwc3/dwc3-of-simple.c +@@ -176,6 +176,7 @@ static const struct of_device_id of_dwc3_simple_match[] = { + { .compatible = "cavium,octeon-7130-usb-uctl" }, + { .compatible = "sprd,sc9860-dwc3" }, + { .compatible = "allwinner,sun50i-h6-dwc3" }, ++ { .compatible = "hisilicon,hi3670-dwc3" }, + { /* Sentinel */ } + }; + MODULE_DEVICE_TABLE(of, of_dwc3_simple_match); +-- +2.25.1 + diff --git a/queue-5.9/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch b/queue-5.9/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch new file mode 100644 index 00000000000..d763445cd04 --- /dev/null +++ b/queue-5.9/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch @@ -0,0 +1,70 @@ +From 47f98d3362bf238c4790a794ff4c3881790a6470 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 14:55:03 +0900 +Subject: usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Colitti + +[ Upstream commit 986499b1569af980a819817f17238015b27793f6 ] + +Currently, SuperSpeed NCM gadgets report a speed of 851 Mbps +in USB_CDC_NOTIFY_SPEED_CHANGE. But the calculation appears to +assume 16 packets per microframe, and USB 3 and above no longer +use microframes. + +Maximum speed is actually much higher. On a direct connection, +theoretical throughput is at most 3.86 Gbps for gen1x1 and +9.36 Gbps for gen2x1, and I have seen gadget->host iperf +throughput of >2 Gbps for gen1x1 and >4 Gbps for gen2x1. + +Unfortunately the ConnectionSpeedChange defined in the CDC spec +only uses 32-bit values, so we can't report accurate numbers for +10Gbps and above. So, report 3.75Gbps for SuperSpeed (which is +roughly maximum theoretical performance) and 4.25Gbps for +SuperSpeed Plus (which is close to the maximum that we can report +in a 32-bit unsigned integer). + +This results in: + +[50879.191272] cdc_ncm 2-2:1.0 enx228b127e050c: renamed from usb0 +[50879.234778] cdc_ncm 2-2:1.0 enx228b127e050c: 3750 mbit/s downlink 3750 mbit/s uplink + +on SuperSpeed and: + +[50798.434527] cdc_ncm 8-2:1.0 enx228b127e050c: renamed from usb0 +[50798.524278] cdc_ncm 8-2:1.0 enx228b127e050c: 4250 mbit/s downlink 4250 mbit/s uplink + +on SuperSpeed Plus. + +Fixes: 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors for CDC NCM") +Reviewed-by: Maciej Å»enczykowski +Signed-off-by: Lorenzo Colitti +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_ncm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c +index 1f638759a9533..7672fa25085b0 100644 +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -85,8 +85,10 @@ static inline struct f_ncm *func_to_ncm(struct usb_function *f) + /* peak (theoretical) bulk transfer rate in bits-per-second */ + static inline unsigned ncm_bitrate(struct usb_gadget *g) + { +- if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER) +- return 13 * 1024 * 8 * 1000 * 8; ++ if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS) ++ return 4250000000U; ++ else if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER) ++ return 3750000000U; + else if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH) + return 13 * 512 * 8 * 1000 * 8; + else +-- +2.25.1 + diff --git a/queue-5.9/usb-gadget-function-printer-fix-use-after-free-in-__.patch b/queue-5.9/usb-gadget-function-printer-fix-use-after-free-in-__.patch new file mode 100644 index 00000000000..c4080cbd90a --- /dev/null +++ b/queue-5.9/usb-gadget-function-printer-fix-use-after-free-in-__.patch @@ -0,0 +1,181 @@ +From bc03476ad4136faabc22d281ea4e014400dbb31c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 11:05:33 +0800 +Subject: usb: gadget: function: printer: fix use-after-free in __lock_acquire + +From: Zqiang + +[ Upstream commit e8d5f92b8d30bb4ade76494490c3c065e12411b1 ] + +Fix this by increase object reference count. + +BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180 +kernel/locking/lockdep.c:3831 +Read of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377 + +CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xce/0x128 lib/dump_stack.c:118 + print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 + __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831 + lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 + printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723 + vfs_ioctl fs/ioctl.c:47 [inline] + ksys_ioctl+0xfb/0x130 fs/ioctl.c:763 + __do_sys_ioctl fs/ioctl.c:772 [inline] + __se_sys_ioctl fs/ioctl.c:770 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4531a9 +Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9 +RDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003 +RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61 +R13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff + +Allocated by task 2393: + save_stack+0x21/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416 + usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61 + config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444 + configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202 + vfs_symlink+0x33d/0x5b0 fs/namei.c:4201 + do_symlinkat+0x11b/0x1d0 fs/namei.c:4228 + __do_sys_symlinkat fs/namei.c:4242 [inline] + __se_sys_symlinkat fs/namei.c:4239 [inline] + __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 3368: + save_stack+0x21/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + slab_free_hook mm/slub.c:1444 [inline] + slab_free_freelist_hook mm/slub.c:1477 [inline] + slab_free mm/slub.c:3034 [inline] + kfree+0xf7/0x410 mm/slub.c:3995 + gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353 + usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87 + config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485 + configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250 + vfs_unlink+0x287/0x570 fs/namei.c:4073 + do_unlinkat+0x4f9/0x620 fs/namei.c:4137 + __do_sys_unlink fs/namei.c:4184 [inline] + __se_sys_unlink fs/namei.c:4182 [inline] + __x64_sys_unlink+0x42/0x50 fs/namei.c:4182 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8880683b0000 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 24 bytes inside of + 1024-byte region [ffff8880683b0000, ffff8880683b0400) +The buggy address belongs to the page: +page:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300 +index:0xffff8880683b1800 compound_mapcount: 0 +flags: 0x100000000010200(slab|head) +raw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300 +raw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Reported-by: Kyungtae Kim +Signed-off-by: Zqiang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_printer.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c +index 68697f596066c..64a4112068fc8 100644 +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -64,7 +65,7 @@ struct printer_dev { + struct usb_gadget *gadget; + s8 interface; + struct usb_ep *in_ep, *out_ep; +- ++ struct kref kref; + struct list_head rx_reqs; /* List of free RX structs */ + struct list_head rx_reqs_active; /* List of Active RX xfers */ + struct list_head rx_buffers; /* List of completed xfers */ +@@ -218,6 +219,13 @@ static inline struct usb_endpoint_descriptor *ep_desc(struct usb_gadget *gadget, + + /*-------------------------------------------------------------------------*/ + ++static void printer_dev_free(struct kref *kref) ++{ ++ struct printer_dev *dev = container_of(kref, struct printer_dev, kref); ++ ++ kfree(dev); ++} ++ + static struct usb_request * + printer_req_alloc(struct usb_ep *ep, unsigned len, gfp_t gfp_flags) + { +@@ -353,6 +361,7 @@ printer_open(struct inode *inode, struct file *fd) + + spin_unlock_irqrestore(&dev->lock, flags); + ++ kref_get(&dev->kref); + DBG(dev, "printer_open returned %x\n", ret); + return ret; + } +@@ -370,6 +379,7 @@ printer_close(struct inode *inode, struct file *fd) + dev->printer_status &= ~PRINTER_SELECTED; + spin_unlock_irqrestore(&dev->lock, flags); + ++ kref_put(&dev->kref, printer_dev_free); + DBG(dev, "printer_close\n"); + + return 0; +@@ -1386,7 +1396,8 @@ static void gprinter_free(struct usb_function *f) + struct f_printer_opts *opts; + + opts = container_of(f->fi, struct f_printer_opts, func_inst); +- kfree(dev); ++ ++ kref_put(&dev->kref, printer_dev_free); + mutex_lock(&opts->lock); + --opts->refcnt; + mutex_unlock(&opts->lock); +@@ -1455,6 +1466,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) + return ERR_PTR(-ENOMEM); + } + ++ kref_init(&dev->kref); + ++opts->refcnt; + dev->minor = opts->minor; + dev->pnp_string = opts->pnp_string; +-- +2.25.1 + diff --git a/queue-5.9/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch b/queue-5.9/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch new file mode 100644 index 00000000000..f10fab29ac6 --- /dev/null +++ b/queue-5.9/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch @@ -0,0 +1,56 @@ +From 49c500304ac3a9cef9f8c80258ee4a20002e650e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 01:19:49 +0900 +Subject: usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Colitti + +[ Upstream commit 4eea21dc67b0c6ba15ae41b1defa113a680a858e ] + +The u_ether driver has a qmult setting that multiplies the +transmit queue length (which by default is 2). + +The intent is that it should be enabled at high/super speed, but +because the code does not explicitly check for USB_SUPER_PLUS, +it is disabled at that speed. + +Fix this by ensuring that the queue multiplier is enabled for any +wired link at high speed or above. Using >= for USB_SPEED_* +constants seems correct because it is what the gadget_is_xxxspeed +functions do. + +The queue multiplier substantially helps performance at higher +speeds. On a direct SuperSpeed Plus link to a Linux laptop, +iperf3 single TCP stream: + +Before (qmult=1): 1.3 Gbps +After (qmult=5): 3.2 Gbps + +Fixes: 04617db7aa68 ("usb: gadget: add SS descriptors to Ethernet gadget") +Reviewed-by: Maciej Å»enczykowski +Signed-off-by: Lorenzo Colitti +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_ether.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c +index c3cc6bd14e615..31ea76adcc0db 100644 +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -93,7 +93,7 @@ struct eth_dev { + static inline int qlen(struct usb_gadget *gadget, unsigned qmult) + { + if (gadget_is_dualspeed(gadget) && (gadget->speed == USB_SPEED_HIGH || +- gadget->speed == USB_SPEED_SUPER)) ++ gadget->speed >= USB_SPEED_SUPER)) + return qmult * DEFAULT_QLEN; + else + return DEFAULT_QLEN; +-- +2.25.1 + diff --git a/queue-5.9/usb-gadget-u_serial-clear-suspended-flag-when-discon.patch b/queue-5.9/usb-gadget-u_serial-clear-suspended-flag-when-discon.patch new file mode 100644 index 00000000000..17260fb3138 --- /dev/null +++ b/queue-5.9/usb-gadget-u_serial-clear-suspended-flag-when-discon.patch @@ -0,0 +1,41 @@ +From d8d981fb12c6f6962ea14be79b419e0a1e6c93fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 09:01:32 +0900 +Subject: usb: gadget: u_serial: clear suspended flag when disconnecting + +From: Yoshihiro Shimoda + +[ Upstream commit d98ef43bfb65b5201e1afe36aaf8c4f9d71b4307 ] + +The commit aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume +callbacks") set/cleared the suspended flag in USB bus suspend/resume +only. But, when a USB cable is disconnected in the suspend, since some +controllers will not detect USB bus resume, the suspended flag is not +cleared. After that, user cannot send any data. To fix the issue, +clears the suspended flag in the gserial_disconnect(). + +Fixes: aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume callbacks") +Signed-off-by: Yoshihiro Shimoda +Tested-by: Linh Phung +Tested-by: Tam Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_serial.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c +index 127ecc2b43176..2caccbb6e0140 100644 +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -1391,6 +1391,7 @@ void gserial_disconnect(struct gserial *gser) + if (port->port.tty) + tty_hangup(port->port.tty); + } ++ port->suspended = false; + spin_unlock_irqrestore(&port->port_lock, flags); + + /* disable endpoints, aborting down any active I/O */ +-- +2.25.1 + diff --git a/queue-5.9/usb-ohci-default-to-per-port-over-current-protection.patch b/queue-5.9/usb-ohci-default-to-per-port-over-current-protection.patch new file mode 100644 index 00000000000..5eb1b36a6e5 --- /dev/null +++ b/queue-5.9/usb-ohci-default-to-per-port-over-current-protection.patch @@ -0,0 +1,78 @@ +From 2c77e264a0186790c1fa137be76b61e3f00a6321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 09:25:11 +1200 +Subject: usb: ohci: Default to per-port over-current protection + +From: Hamish Martin + +[ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ] + +Some integrated OHCI controller hubs do not expose all ports of the hub +to pins on the SoC. In some cases the unconnected ports generate +spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC +contains a nominally 3 port hub but only the first port is wired. + +Default behaviour for ohci-platform driver is to use global over-current +protection mode (AKA "ganged"). This leads to the spurious over-current +events affecting all ports in the hub. + +We now alter the default to use per-port over-current protection. + +This patch results in the following configuration changes depending +on quirks: +- For quirk OHCI_QUIRK_SUPERIO no changes. These systems remain set up + for ganged power switching and no over-current protection. +- For quirk OHCI_QUIRK_AMD756 or OHCI_QUIRK_HUB_POWER power switching + remains at none, while over-current protection is now guaranteed to be + set to per-port rather than the previous behaviour where it was either + none or global over-current protection depending on the value at + function entry. + +Suggested-by: Alan Stern +Acked-by: Alan Stern +Signed-off-by: Hamish Martin +Link: https://lore.kernel.org/r/20200910212512.16670-1-hamish.martin@alliedtelesis.co.nz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-hcd.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c +index dd37e77dae001..2845ea328a064 100644 +--- a/drivers/usb/host/ohci-hcd.c ++++ b/drivers/usb/host/ohci-hcd.c +@@ -673,20 +673,24 @@ static int ohci_run (struct ohci_hcd *ohci) + + /* handle root hub init quirks ... */ + val = roothub_a (ohci); +- val &= ~(RH_A_PSM | RH_A_OCPM); ++ /* Configure for per-port over-current protection by default */ ++ val &= ~RH_A_NOCP; ++ val |= RH_A_OCPM; + if (ohci->flags & OHCI_QUIRK_SUPERIO) { +- /* NSC 87560 and maybe others */ ++ /* NSC 87560 and maybe others. ++ * Ganged power switching, no over-current protection. ++ */ + val |= RH_A_NOCP; +- val &= ~(RH_A_POTPGT | RH_A_NPS); +- ohci_writel (ohci, val, &ohci->regs->roothub.a); ++ val &= ~(RH_A_POTPGT | RH_A_NPS | RH_A_PSM | RH_A_OCPM); + } else if ((ohci->flags & OHCI_QUIRK_AMD756) || + (ohci->flags & OHCI_QUIRK_HUB_POWER)) { + /* hub power always on; required for AMD-756 and some +- * Mac platforms. ganged overcurrent reporting, if any. ++ * Mac platforms. + */ + val |= RH_A_NPS; +- ohci_writel (ohci, val, &ohci->regs->roothub.a); + } ++ ohci_writel(ohci, val, &ohci->regs->roothub.a); ++ + ohci_writel (ohci, RH_HS_LPSC, &ohci->regs->roothub.status); + ohci_writel (ohci, (val & RH_A_NPS) ? 0 : RH_B_PPCM, + &ohci->regs->roothub.b); +-- +2.25.1 + diff --git a/queue-5.9/vdpa-mlx5-fix-failure-to-bring-link-up.patch b/queue-5.9/vdpa-mlx5-fix-failure-to-bring-link-up.patch new file mode 100644 index 00000000000..1e6900267e1 --- /dev/null +++ b/queue-5.9/vdpa-mlx5-fix-failure-to-bring-link-up.patch @@ -0,0 +1,37 @@ +From 8346adfcb8bc35397eb809cf2ae10a9890c0eece Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 15:15:40 +0300 +Subject: vdpa/mlx5: Fix failure to bring link up + +From: Eli Cohen + +[ Upstream commit 36b02df2d204da9f7a571f16ed9e91a4d083f207 ] + +Set VIRTIO_NET_S_LINK_UP in config status to allow the get the bring the +net device's link up. + +Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") +Signed-off-by: Eli Cohen +Link: https://lore.kernel.org/r/20200917121540.GA98184@mtl-vdi-166.wap.labs.mlnx +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index 56228467d7ec6..5ca309473c03d 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -1541,6 +1541,7 @@ static int mlx5_vdpa_set_features(struct vdpa_device *vdev, u64 features) + + ndev->mvdev.actual_features = features & ndev->mvdev.mlx_features; + ndev->config.mtu = cpu_to_mlx5vdpa16(mvdev, ndev->mtu); ++ ndev->config.status |= cpu_to_mlx5vdpa16(mvdev, VIRTIO_NET_S_LINK_UP); + return err; + } + +-- +2.25.1 + diff --git a/queue-5.9/vdpa-mlx5-make-use-of-a-specific-16-bit-endianness-a.patch b/queue-5.9/vdpa-mlx5-make-use-of-a-specific-16-bit-endianness-a.patch new file mode 100644 index 00000000000..64e80e9f89f --- /dev/null +++ b/queue-5.9/vdpa-mlx5-make-use-of-a-specific-16-bit-endianness-a.patch @@ -0,0 +1,50 @@ +From bbf593655666e1079b5f1da93a8dd7ae3dd51650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 15:14:25 +0300 +Subject: vdpa/mlx5: Make use of a specific 16 bit endianness API + +From: Eli Cohen + +[ Upstream commit 36bdcf318bc21af24de10b68e32cdea6b9a8d17f ] + +Introduce a dedicated function to be used for setting 16 bit fields per +virio endianness requirements and use it to set the mtu field. + +Signed-off-by: Eli Cohen +Link: https://lore.kernel.org/r/20200917121425.GA98139@mtl-vdi-166.wap.labs.mlnx +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index 74264e5906951..56228467d7ec6 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -1522,6 +1522,11 @@ static inline bool mlx5_vdpa_is_little_endian(struct mlx5_vdpa_dev *mvdev) + (mvdev->actual_features & (1ULL << VIRTIO_F_VERSION_1)); + } + ++static __virtio16 cpu_to_mlx5vdpa16(struct mlx5_vdpa_dev *mvdev, u16 val) ++{ ++ return __cpu_to_virtio16(mlx5_vdpa_is_little_endian(mvdev), val); ++} ++ + static int mlx5_vdpa_set_features(struct vdpa_device *vdev, u64 features) + { + struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev); +@@ -1535,8 +1540,7 @@ static int mlx5_vdpa_set_features(struct vdpa_device *vdev, u64 features) + return err; + + ndev->mvdev.actual_features = features & ndev->mvdev.mlx_features; +- ndev->config.mtu = __cpu_to_virtio16(mlx5_vdpa_is_little_endian(mvdev), +- ndev->mtu); ++ ndev->config.mtu = cpu_to_mlx5vdpa16(mvdev, ndev->mtu); + return err; + } + +-- +2.25.1 + diff --git a/queue-5.9/vdpa-mlx5-setup-driver-only-if-virtio_config_s_drive.patch b/queue-5.9/vdpa-mlx5-setup-driver-only-if-virtio_config_s_drive.patch new file mode 100644 index 00000000000..79bff70aafc --- /dev/null +++ b/queue-5.9/vdpa-mlx5-setup-driver-only-if-virtio_config_s_drive.patch @@ -0,0 +1,46 @@ +From 21f632936dce16ad9210e81dc80c49df22f8ea7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 15:33:46 +0300 +Subject: vdpa/mlx5: Setup driver only if VIRTIO_CONFIG_S_DRIVER_OK + +From: Eli Cohen + +[ Upstream commit 1897f0b618b0af0eb9dca709ab6bdf9ef1969ef7 ] + +set_map() is used by mlx5 vdpa to create a memory region based on the +address map passed by the iotlb argument. If we get successive calls, we +will destroy the current memory region and build another one based on +the new address mapping. We also need to setup the hardware resources +since they depend on the memory region. + +If these calls happen before DRIVER_OK, It means that driver VQs may +also not been setup and we may not create them yet. In this case we want +to avoid setting up the other resources and defer this till we get +DRIVER OK. + +Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") +Signed-off-by: Eli Cohen +Link: https://lore.kernel.org/r/20200908123346.GA169007@mtl-vdi-166.wap.labs.mlnx +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index 5ca309473c03d..1fa6fcac82992 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -1658,6 +1658,9 @@ static int mlx5_vdpa_change_map(struct mlx5_vdpa_net *ndev, struct vhost_iotlb * + if (err) + goto err_mr; + ++ if (!(ndev->mvdev.status & VIRTIO_CONFIG_S_DRIVER_OK)) ++ return 0; ++ + restore_channels_info(ndev); + err = setup_driver(ndev); + if (err) +-- +2.25.1 + diff --git a/queue-5.9/vfio-add-a-singleton-check-for-vfio_group_pin_pages.patch b/queue-5.9/vfio-add-a-singleton-check-for-vfio_group_pin_pages.patch new file mode 100644 index 00000000000..baefb3d1484 --- /dev/null +++ b/queue-5.9/vfio-add-a-singleton-check-for-vfio_group_pin_pages.patch @@ -0,0 +1,43 @@ +From 8b6848ba5a5e43a2396539f283fb0e0cdd7689e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 10:28:33 +0800 +Subject: vfio: add a singleton check for vfio_group_pin_pages + +From: Yan Zhao + +[ Upstream commit 7ef32e52368f62a4e041a4f0abefb4fb64e7fd4a ] + +Page pinning is used both to translate and pin device mappings for DMA +purpose, as well as to indicate to the IOMMU backend to limit the dirty +page scope to those pages that have been pinned, in the case of an IOMMU +backed device. +To support this, the vfio_pin_pages() interface limits itself to only +singleton groups such that the IOMMU backend can consider dirty page +scope only at the group level. Implement the same requirement for the +vfio_group_pin_pages() interface. + +Fixes: 95fc87b44104 ("vfio: Selective dirty page tracking if IOMMU backed device pins pages") +Signed-off-by: Yan Zhao +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c +index 262ab0efd06c6..532bcaf28c11d 100644 +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -2051,6 +2051,9 @@ int vfio_group_pin_pages(struct vfio_group *group, + if (!group || !user_iova_pfn || !phys_pfn || !npage) + return -EINVAL; + ++ if (group->dev_counter > 1) ++ return -EINVAL; ++ + if (npage > VFIO_PIN_PAGES_MAX_ENTRIES) + return -E2BIG; + +-- +2.25.1 + diff --git a/queue-5.9/vfio-fix-a-missed-vfio-group-put-in-vfio_pin_pages.patch b/queue-5.9/vfio-fix-a-missed-vfio-group-put-in-vfio_pin_pages.patch new file mode 100644 index 00000000000..f803bb9185c --- /dev/null +++ b/queue-5.9/vfio-fix-a-missed-vfio-group-put-in-vfio_pin_pages.patch @@ -0,0 +1,40 @@ +From 350c1ba38c7700a4caf78db20f3bd07c4c1db02b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 10:29:27 +0800 +Subject: vfio: fix a missed vfio group put in vfio_pin_pages + +From: Yan Zhao + +[ Upstream commit 28b130244061863cf0437b7af1625fb45ec1a71e ] + +When error occurs, need to put vfio group after a successful get. + +Fixes: 95fc87b44104 ("vfio: Selective dirty page tracking if IOMMU backed device pins pages") +Signed-off-by: Yan Zhao +Reviewed-by: Cornelia Huck +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c +index 532bcaf28c11d..2151bc7f87ab1 100644 +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -1949,8 +1949,10 @@ int vfio_pin_pages(struct device *dev, unsigned long *user_pfn, int npage, + if (!group) + return -ENODEV; + +- if (group->dev_counter > 1) +- return -EINVAL; ++ if (group->dev_counter > 1) { ++ ret = -EINVAL; ++ goto err_pin_pages; ++ } + + ret = vfio_group_add_container_user(group); + if (ret) +-- +2.25.1 + diff --git a/queue-5.9/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch b/queue-5.9/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch new file mode 100644 index 00000000000..f4a602bc880 --- /dev/null +++ b/queue-5.9/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch @@ -0,0 +1,39 @@ +From 54b54c0ea2034d4ef59099db1999040d6a6008df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 17:35:58 +0800 +Subject: vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages + +From: Xiaoyang Xu + +[ Upstream commit 2e6cfd496f5b57034cf2aec738799571b5a52124 ] + +pfn is not added to pfn_list when vfio_add_to_pfn_list fails. +vfio_unpin_page_external will exit directly without calling +vfio_iova_put_vfio_pfn. This will lead to a memory leak. + +Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") +Signed-off-by: Xiaoyang Xu +[aw: simplified logic, add Fixes] +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index d0438388feebe..9dde5ed852fd0 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -693,7 +693,8 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data, + + ret = vfio_add_to_pfn_list(dma, iova, phys_pfn[i]); + if (ret) { +- vfio_unpin_page_external(dma, iova, do_accounting); ++ if (put_pfn(phys_pfn[i], dma->prot) && do_accounting) ++ vfio_lock_acct(dma, -1, true); + goto pin_unwind; + } + +-- +2.25.1 + diff --git a/queue-5.9/vfio-pci-clear-token-on-bypass-registration-failure.patch b/queue-5.9/vfio-pci-clear-token-on-bypass-registration-failure.patch new file mode 100644 index 00000000000..1fed8af7c84 --- /dev/null +++ b/queue-5.9/vfio-pci-clear-token-on-bypass-registration-failure.patch @@ -0,0 +1,47 @@ +From 4831f82126167196d64e51acdf28fb24888f746b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 07:13:55 -0600 +Subject: vfio/pci: Clear token on bypass registration failure + +From: Alex Williamson + +[ Upstream commit 852b1beecb6ff9326f7ca4bc0fe69ae860ebdb9e ] + +The eventfd context is used as our irqbypass token, therefore if an +eventfd is re-used, our token is the same. The irqbypass code will +return an -EBUSY in this case, but we'll still attempt to unregister +the producer, where if that duplicate token still exists, results in +removing the wrong object. Clear the token of failed producers so +that they harmlessly fall out when unregistered. + +Fixes: 6d7425f109d2 ("vfio: Register/unregister irq_bypass_producer") +Reported-by: guomin chen +Tested-by: guomin chen +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_intrs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c +index 1d9fb25929459..869dce5f134dd 100644 +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -352,11 +352,13 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + vdev->ctx[vector].producer.token = trigger; + vdev->ctx[vector].producer.irq = irq; + ret = irq_bypass_register_producer(&vdev->ctx[vector].producer); +- if (unlikely(ret)) ++ if (unlikely(ret)) { + dev_info(&pdev->dev, + "irq bypass producer (token %p) registration fails: %d\n", + vdev->ctx[vector].producer.token, ret); + ++ vdev->ctx[vector].producer.token = NULL; ++ } + vdev->ctx[vector].trigger = trigger; + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/vfio-pci-decouple-pci_command_memory-bit-checks-from.patch b/queue-5.9/vfio-pci-decouple-pci_command_memory-bit-checks-from.patch new file mode 100644 index 00000000000..c191f9e7901 --- /dev/null +++ b/queue-5.9/vfio-pci-decouple-pci_command_memory-bit-checks-from.patch @@ -0,0 +1,88 @@ +From 9f5e78c6e878d41a30ef187a53096e125fa370a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 10:59:57 -0400 +Subject: vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn + +From: Matthew Rosato + +[ Upstream commit 515ecd5368f1510152fa4f9b9ce55b66ac56c334 ] + +While it is true that devices with is_virtfn=1 will have a Memory Space +Enable bit that is hard-wired to 0, this is not the only case where we +see this behavior -- For example some bare-metal hypervisors lack +Memory Space Enable bit emulation for devices not setting is_virtfn +(s390). Fix this by instead checking for the newly-added +no_command_memory bit which directly denotes the need for +PCI_COMMAND_MEMORY emulation in vfio. + +Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory") +Signed-off-by: Matthew Rosato +Reviewed-by: Niklas Schnelle +Reviewed-by: Pierre Morel +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_config.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index d98843feddce0..5076d0155bc3f 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -406,7 +406,7 @@ bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev) + * PF SR-IOV capability, there's therefore no need to trigger + * faults based on the virtual value. + */ +- return pdev->is_virtfn || (cmd & PCI_COMMAND_MEMORY); ++ return pdev->no_command_memory || (cmd & PCI_COMMAND_MEMORY); + } + + /* +@@ -520,8 +520,8 @@ static int vfio_basic_config_read(struct vfio_pci_device *vdev, int pos, + + count = vfio_default_config_read(vdev, pos, count, perm, offset, val); + +- /* Mask in virtual memory enable for SR-IOV devices */ +- if (offset == PCI_COMMAND && vdev->pdev->is_virtfn) { ++ /* Mask in virtual memory enable */ ++ if (offset == PCI_COMMAND && vdev->pdev->no_command_memory) { + u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]); + u32 tmp_val = le32_to_cpu(*val); + +@@ -589,9 +589,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos, + * shows it disabled (phys_mem/io, then the device has + * undergone some kind of backdoor reset and needs to be + * restored before we allow it to enable the bars. +- * SR-IOV devices will trigger this, but we catch them later ++ * SR-IOV devices will trigger this - for mem enable let's ++ * catch this now and for io enable it will be caught later + */ +- if ((new_mem && virt_mem && !phys_mem) || ++ if ((new_mem && virt_mem && !phys_mem && ++ !pdev->no_command_memory) || + (new_io && virt_io && !phys_io) || + vfio_need_bar_restore(vdev)) + vfio_bar_restore(vdev); +@@ -1734,12 +1736,14 @@ int vfio_config_init(struct vfio_pci_device *vdev) + vconfig[PCI_INTERRUPT_PIN]); + + vconfig[PCI_INTERRUPT_PIN] = 0; /* Gratuitous for good VFs */ +- ++ } ++ if (pdev->no_command_memory) { + /* +- * VFs do no implement the memory enable bit of the COMMAND +- * register therefore we'll not have it set in our initial +- * copy of config space after pci_enable_device(). For +- * consistency with PFs, set the virtual enable bit here. ++ * VFs and devices that set pdev->no_command_memory do not ++ * implement the memory enable bit of the COMMAND register ++ * therefore we'll not have it set in our initial copy of ++ * config space after pci_enable_device(). For consistency ++ * with PFs, set the virtual enable bit here. + */ + *(__le16 *)&vconfig[PCI_COMMAND] |= + cpu_to_le16(PCI_COMMAND_MEMORY); +-- +2.25.1 + diff --git a/queue-5.9/vfio-type1-fix-dirty-bitmap-calculation-in-vfio_dma_.patch b/queue-5.9/vfio-type1-fix-dirty-bitmap-calculation-in-vfio_dma_.patch new file mode 100644 index 00000000000..bbc201d2dad --- /dev/null +++ b/queue-5.9/vfio-type1-fix-dirty-bitmap-calculation-in-vfio_dma_.patch @@ -0,0 +1,40 @@ +From 7f798bb1e4b6d7712841b4986b1320f1c203753c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 10:30:05 +0800 +Subject: vfio/type1: fix dirty bitmap calculation in vfio_dma_rw + +From: Yan Zhao + +[ Upstream commit 2c5af98592f65517170c7bcc714566590d3f7397 ] + +The count of dirtied pages is not only determined by count of copied +pages, but also by the start offset. + +e.g. if offset = PAGE_SIZE - 1, and *copied=2, the dirty pages count +is 2, instead of 1 or 0. + +Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking") +Signed-off-by: Yan Zhao +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 5fbf0c1f74338..d0438388feebe 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -2933,7 +2933,8 @@ static int vfio_iommu_type1_dma_rw_chunk(struct vfio_iommu *iommu, + * size + */ + bitmap_set(dma->bitmap, offset >> pgshift, +- *copied >> pgshift); ++ ((offset + *copied - 1) >> pgshift) - ++ (offset >> pgshift) + 1); + } + } else + *copied = copy_from_user(data, (void __user *)vaddr, +-- +2.25.1 + diff --git a/queue-5.9/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch b/queue-5.9/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch new file mode 100644 index 00000000000..b07985c9482 --- /dev/null +++ b/queue-5.9/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch @@ -0,0 +1,40 @@ +From d3d825d1e0bac5ccd9a7d5665df283b5b78e7a44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 14:29:00 +0800 +Subject: video: fbdev: radeon: Fix memleak in radeonfb_pci_register + +From: Dinghao Liu + +[ Upstream commit fe6c6a4af2be8c15bac77f7ea160f947c04840d1 ] + +When radeon_kick_out_firmware_fb() fails, info should be +freed just like the subsequent error paths. + +Fixes: 069ee21a82344 ("fbdev: Fix loading of module radeonfb on PowerMac") +Signed-off-by: Dinghao Liu +Reviewed-by: Mathieu Malaterre +Cc: Kangjie Lu +Cc: Benjamin Herrenschmidt +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200825062900.11210-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/aty/radeon_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/aty/radeon_base.c b/drivers/video/fbdev/aty/radeon_base.c +index 3fe509cb9b874..13bd2bd5c043a 100644 +--- a/drivers/video/fbdev/aty/radeon_base.c ++++ b/drivers/video/fbdev/aty/radeon_base.c +@@ -2307,7 +2307,7 @@ static int radeonfb_pci_register(struct pci_dev *pdev, + + ret = radeon_kick_out_firmware_fb(pdev); + if (ret) +- return ret; ++ goto err_release_fb; + + /* request the mem regions */ + ret = pci_request_region(pdev, 0, "radeonfb framebuffer"); +-- +2.25.1 + diff --git a/queue-5.9/video-fbdev-sis-fix-null-ptr-dereference.patch b/queue-5.9/video-fbdev-sis-fix-null-ptr-dereference.patch new file mode 100644 index 00000000000..752ed10203b --- /dev/null +++ b/queue-5.9/video-fbdev-sis-fix-null-ptr-dereference.patch @@ -0,0 +1,78 @@ +From 40f0e848133d6a6a76b67dbd2335ce974ad7d620 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 07:52:08 -0700 +Subject: video: fbdev: sis: fix null ptr dereference + +From: Tom Rix + +[ Upstream commit ad6f93e9cd56f0b10e9b22e3e137d17a1a035242 ] + +Clang static analysis reports this representative error + +init.c:2501:18: warning: Array access (from variable 'queuedata') results + in a null pointer dereference + templ |= ((queuedata[i] & 0xc0) << 3); + +This is the problem block of code + + if(ModeNo > 0x13) { + ... + if(SiS_Pr->ChipType == SIS_730) { + queuedata = &FQBQData730[0]; + } else { + queuedata = &FQBQData[0]; + } + } else { + + } + +queuedata is not set in the else block + +Reviewing the old code, the arrays FQBQData730 and FQBQData were +used directly. + +So hoist the setting of queuedata out of the if-else block. + +Fixes: 544393fe584d ("[PATCH] sisfb update") +Signed-off-by: Tom Rix +Cc: Thomas Winischhofer +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200805145208.17727-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/init.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c +index dfe3eb769638b..fde27feae5d0c 100644 +--- a/drivers/video/fbdev/sis/init.c ++++ b/drivers/video/fbdev/sis/init.c +@@ -2428,6 +2428,11 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo, + + i = 0; + ++ if (SiS_Pr->ChipType == SIS_730) ++ queuedata = &FQBQData730[0]; ++ else ++ queuedata = &FQBQData[0]; ++ + if(ModeNo > 0x13) { + + /* Get VCLK */ +@@ -2445,12 +2450,6 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo, + /* Get half colordepth */ + colorth = colortharray[(SiS_Pr->SiS_ModeType - ModeEGA)]; + +- if(SiS_Pr->ChipType == SIS_730) { +- queuedata = &FQBQData730[0]; +- } else { +- queuedata = &FQBQData[0]; +- } +- + do { + templ = SiS_CalcDelay2(SiS_Pr, queuedata[i]) * VCLK * colorth; + +-- +2.25.1 + diff --git a/queue-5.9/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch b/queue-5.9/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch new file mode 100644 index 00000000000..c8c62e0c75e --- /dev/null +++ b/queue-5.9/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch @@ -0,0 +1,87 @@ +From 35604bec6a01ea7baf6429c3781765c5b4393ed9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:02:27 +0100 +Subject: video: fbdev: vga16fb: fix setting of pixclock because a + pass-by-value error + +From: Colin Ian King + +[ Upstream commit c72fab81ceaa54408b827a2f0486d9a0f4be34cf ] + +The pixclock is being set locally because it is being passed as a +pass-by-value argument rather than pass-by-reference, so the computed +pixclock is never being set in var->pixclock. Fix this by passing +by reference. + +[This dates back to 2002, I found the offending commit from the git +history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git ] + +Addresses-Coverity: ("Unused value") +Signed-off-by: Colin Ian King +Cc: Daniel Vetter +Cc: Jani Nikula +[b.zolnierkie: minor patch summary fixup] +[b.zolnierkie: removed "Fixes:" tag (not in upstream tree)] +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200723170227.996229-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/vga16fb.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c +index 578d3541e3d6f..1e8a38a7967d8 100644 +--- a/drivers/video/fbdev/vga16fb.c ++++ b/drivers/video/fbdev/vga16fb.c +@@ -243,7 +243,7 @@ static void vga16fb_update_fix(struct fb_info *info) + } + + static void vga16fb_clock_chip(struct vga16fb_par *par, +- unsigned int pixclock, ++ unsigned int *pixclock, + const struct fb_info *info, + int mul, int div) + { +@@ -259,14 +259,14 @@ static void vga16fb_clock_chip(struct vga16fb_par *par, + { 0 /* bad */, 0x00, 0x00}}; + int err; + +- pixclock = (pixclock * mul) / div; ++ *pixclock = (*pixclock * mul) / div; + best = vgaclocks; +- err = pixclock - best->pixclock; ++ err = *pixclock - best->pixclock; + if (err < 0) err = -err; + for (ptr = vgaclocks + 1; ptr->pixclock; ptr++) { + int tmp; + +- tmp = pixclock - ptr->pixclock; ++ tmp = *pixclock - ptr->pixclock; + if (tmp < 0) tmp = -tmp; + if (tmp < err) { + err = tmp; +@@ -275,7 +275,7 @@ static void vga16fb_clock_chip(struct vga16fb_par *par, + } + par->misc |= best->misc; + par->clkdiv = best->seq_clock_mode; +- pixclock = (best->pixclock * div) / mul; ++ *pixclock = (best->pixclock * div) / mul; + } + + #define FAIL(X) return -EINVAL +@@ -497,10 +497,10 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var, + + if (mode & MODE_8BPP) + /* pixel clock == vga clock / 2 */ +- vga16fb_clock_chip(par, var->pixclock, info, 1, 2); ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 2); + else + /* pixel clock == vga clock */ +- vga16fb_clock_chip(par, var->pixclock, info, 1, 1); ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 1); + + var->red.offset = var->green.offset = var->blue.offset = + var->transp.offset = 0; +-- +2.25.1 + diff --git a/queue-5.9/vmci-check-return-value-of-get_user_pages_fast-for-e.patch b/queue-5.9/vmci-check-return-value-of-get_user_pages_fast-for-e.patch new file mode 100644 index 00000000000..7c3f87aeb87 --- /dev/null +++ b/queue-5.9/vmci-check-return-value-of-get_user_pages_fast-for-e.patch @@ -0,0 +1,57 @@ +From 649263e0dc1d43ecf0f5cd5eed58ef703e4eb4ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 17:45:18 +0100 +Subject: VMCI: check return value of get_user_pages_fast() for errors + +From: Alex Dewar + +[ Upstream commit 90ca6333fd65f318c47bff425e1ea36c0a5539f6 ] + +In a couple of places in qp_host_get_user_memory(), +get_user_pages_fast() is called without properly checking for errors. If +e.g. -EFAULT is returned, this negative value will then be passed on to +qp_release_pages(), which expects a u64 as input. + +Fix this by only calling qp_release_pages() when we have a positive +number returned. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Signed-off-by: Alex Dewar +Link: https://lore.kernel.org/r/20200825164522.412392-1-alex.dewar90@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c +index 8531ae7811956..c49065887e8f5 100644 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -657,8 +657,9 @@ static int qp_host_get_user_memory(u64 produce_uva, + if (retval < (int)produce_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(produce) failed (retval=%d)", + retval); +- qp_release_pages(produce_q->kernel_if->u.h.header_page, +- retval, false); ++ if (retval > 0) ++ qp_release_pages(produce_q->kernel_if->u.h.header_page, ++ retval, false); + err = VMCI_ERROR_NO_MEM; + goto out; + } +@@ -670,8 +671,9 @@ static int qp_host_get_user_memory(u64 produce_uva, + if (retval < (int)consume_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(consume) failed (retval=%d)", + retval); +- qp_release_pages(consume_q->kernel_if->u.h.header_page, +- retval, false); ++ if (retval > 0) ++ qp_release_pages(consume_q->kernel_if->u.h.header_page, ++ retval, false); + qp_release_pages(produce_q->kernel_if->u.h.header_page, + produce_q->kernel_if->num_pages, false); + err = VMCI_ERROR_NO_MEM; +-- +2.25.1 + diff --git a/queue-5.9/watchdog-fix-memleak-in-watchdog_cdev_register.patch b/queue-5.9/watchdog-fix-memleak-in-watchdog_cdev_register.patch new file mode 100644 index 00000000000..b38215932a6 --- /dev/null +++ b/queue-5.9/watchdog-fix-memleak-in-watchdog_cdev_register.patch @@ -0,0 +1,42 @@ +From 7c08ef6fb9c4632440b675653353360ddd0df27f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 10:40:01 +0800 +Subject: watchdog: Fix memleak in watchdog_cdev_register + +From: Dinghao Liu + +[ Upstream commit 5afb6d203d0293512aa2c6ae098274a2a4f6ed02 ] + +When watchdog_kworker is NULL, we should free wd_data +before the function returns to prevent memleak. + +Fixes: 664a39236e718 ("watchdog: Introduce hardware maximum heartbeat in watchdog core") +Signed-off-by: Dinghao Liu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200824024001.25474-1-dinghao.liu@zju.edu.cn +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index 6798addabd5a0..785270ee337cb 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -994,8 +994,10 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + wd_data->wdd = wdd; + wdd->wd_data = wd_data; + +- if (IS_ERR_OR_NULL(watchdog_kworker)) ++ if (IS_ERR_OR_NULL(watchdog_kworker)) { ++ kfree(wd_data); + return -ENODEV; ++ } + + device_initialize(&wd_data->dev); + wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id); +-- +2.25.1 + diff --git a/queue-5.9/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch b/queue-5.9/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch new file mode 100644 index 00000000000..4bd1d6686dd --- /dev/null +++ b/queue-5.9/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch @@ -0,0 +1,39 @@ +From ed58389b3c5ffb69e89e1e3119731d4d9b0ca3da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 09:31:08 -0700 +Subject: watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 + +From: Guenter Roeck + +[ Upstream commit 08c619b4923056b5dd2d5045757468c76ad0e3fe ] + +EFCH_PM_DECODEEN3 is supposed to access DECODEEN register bits 24..31, +in other words the register at byte offset 3. + +Cc: Jan Kiszka +Fixes: 887d2ec51e34b ("watchdog: sp5100_tco: Add support for recent FCH versions") +Tested-by: Jan Kiszka +Link: https://lore.kernel.org/r/20200910163109.235136-1-linux@roeck-us.net +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/sp5100_tco.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/sp5100_tco.h b/drivers/watchdog/sp5100_tco.h +index 87eaf357ae01f..adf015aa4126f 100644 +--- a/drivers/watchdog/sp5100_tco.h ++++ b/drivers/watchdog/sp5100_tco.h +@@ -70,7 +70,7 @@ + #define EFCH_PM_DECODEEN_WDT_TMREN BIT(7) + + +-#define EFCH_PM_DECODEEN3 0x00 ++#define EFCH_PM_DECODEEN3 0x03 + #define EFCH_PM_DECODEEN_SECOND_RES GENMASK(1, 0) + #define EFCH_PM_WATCHDOG_DISABLE ((u8)GENMASK(3, 2)) + +-- +2.25.1 + diff --git a/queue-5.9/watchdog-use-put_device-on-error.patch b/queue-5.9/watchdog-use-put_device-on-error.patch new file mode 100644 index 00000000000..49632eef9f4 --- /dev/null +++ b/queue-5.9/watchdog-use-put_device-on-error.patch @@ -0,0 +1,39 @@ +From a4d587d474b28ce94b8639e9e07b1c43cf962037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 11:12:30 +0800 +Subject: watchdog: Use put_device on error + +From: Dinghao Liu + +[ Upstream commit 937425d4cd3ae4e2882b41e332bbbab616bcf0ad ] + +We should use put_device() instead of freeing device +directly after device_initialize(). + +Fixes: cb36e29bb0e4b ("watchdog: initialize device before misc_register") +Signed-off-by: Dinghao Liu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200824031230.31050-1-dinghao.liu@zju.edu.cn +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index 785270ee337cb..bcf01af3fa6a8 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -1023,7 +1023,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + pr_err("%s: a legacy watchdog module is probably present.\n", + wdd->info->identity); + old_wd_data = NULL; +- kfree(wd_data); ++ put_device(&wd_data->dev); + return err; + } + } +-- +2.25.1 + diff --git a/queue-5.9/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch b/queue-5.9/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch new file mode 100644 index 00000000000..672798419fb --- /dev/null +++ b/queue-5.9/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch @@ -0,0 +1,41 @@ +From a9f20c7d60b08b75fc809e47fded8583b1398a9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 01:48:24 +0100 +Subject: wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 + +From: Bryan O'Donoghue + +[ Upstream commit 3b9fb6791e7113679b1eb472e6ce1659e80f5797 ] + +Qualcomm's document "80-WL007-1 Rev. J" states that the highest rx rate for +the WCN3660 and WCN3680 on MCS 7 is 150 Mbps not the 72 Mbps stated here. + +This patch fixes the data-rate declared in the 5GHz table. + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 +hardware") + +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802004824.1307124-1-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index 702b689c06df3..f3ea629764fa8 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -163,7 +163,7 @@ static struct ieee80211_supported_band wcn_band_5ghz = { + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16, + .mcs = { + .rx_mask = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, }, +- .rx_highest = cpu_to_le16(72), ++ .rx_highest = cpu_to_le16(150), + .tx_params = IEEE80211_HT_MCS_TX_DEFINED, + } + } +-- +2.25.1 + diff --git a/queue-5.9/wilc1000-fix-memleak-in-wilc_bus_probe.patch b/queue-5.9/wilc1000-fix-memleak-in-wilc_bus_probe.patch new file mode 100644 index 00000000000..6c830e4db55 --- /dev/null +++ b/queue-5.9/wilc1000-fix-memleak-in-wilc_bus_probe.patch @@ -0,0 +1,43 @@ +From 5720c093ea74cc2e7f664ec334f4b60acd9f2316 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 13:52:56 +0800 +Subject: wilc1000: Fix memleak in wilc_bus_probe + +From: Dinghao Liu + +[ Upstream commit 9a19a939abfa7d949f584a7ad872e683473fdc14 ] + +When devm_clk_get() returns -EPROBE_DEFER, spi_priv +should be freed just like when wilc_cfg80211_init() +fails. + +Fixes: 854d66df74aed ("staging: wilc1000: look for rtc_clk clock in spi mode") +Signed-off-by: Dinghao Liu +Acked-by: Ajay Singh +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200820055256.24333-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/microchip/wilc1000/spi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/spi.c b/drivers/net/wireless/microchip/wilc1000/spi.c +index 3f19e3f38a397..a18dac0aa6b67 100644 +--- a/drivers/net/wireless/microchip/wilc1000/spi.c ++++ b/drivers/net/wireless/microchip/wilc1000/spi.c +@@ -112,9 +112,10 @@ static int wilc_bus_probe(struct spi_device *spi) + wilc->dev_irq_num = spi->irq; + + wilc->rtc_clk = devm_clk_get(&spi->dev, "rtc_clk"); +- if (PTR_ERR_OR_ZERO(wilc->rtc_clk) == -EPROBE_DEFER) ++ if (PTR_ERR_OR_ZERO(wilc->rtc_clk) == -EPROBE_DEFER) { ++ kfree(spi_priv); + return -EPROBE_DEFER; +- else if (!IS_ERR(wilc->rtc_clk)) ++ } else if (!IS_ERR(wilc->rtc_clk)) + clk_prepare_enable(wilc->rtc_clk); + + return 0; +-- +2.25.1 + diff --git a/queue-5.9/wilc1000-fix-memleak-in-wilc_sdio_probe.patch b/queue-5.9/wilc1000-fix-memleak-in-wilc_sdio_probe.patch new file mode 100644 index 00000000000..8ddb72e1ec5 --- /dev/null +++ b/queue-5.9/wilc1000-fix-memleak-in-wilc_sdio_probe.patch @@ -0,0 +1,43 @@ +From 53e926a6277cf00f701e8bb2b6fd067ec3d382b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 13:48:19 +0800 +Subject: wilc1000: Fix memleak in wilc_sdio_probe + +From: Dinghao Liu + +[ Upstream commit 8d95ab34b21ee0f870a9185b6457e8f6eb54914c ] + +When devm_clk_get() returns -EPROBE_DEFER, sdio_priv +should be freed just like when wilc_cfg80211_init() +fails. + +Fixes: 8692b047e86cf ("staging: wilc1000: look for rtc_clk clock") +Signed-off-by: Dinghao Liu +Acked-by: Ajay Singh +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200820054819.23365-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/microchip/wilc1000/sdio.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c +index 3ece7b0b03929..351ff909ab1c7 100644 +--- a/drivers/net/wireless/microchip/wilc1000/sdio.c ++++ b/drivers/net/wireless/microchip/wilc1000/sdio.c +@@ -149,9 +149,10 @@ static int wilc_sdio_probe(struct sdio_func *func, + wilc->dev = &func->dev; + + wilc->rtc_clk = devm_clk_get(&func->card->dev, "rtc"); +- if (PTR_ERR_OR_ZERO(wilc->rtc_clk) == -EPROBE_DEFER) ++ if (PTR_ERR_OR_ZERO(wilc->rtc_clk) == -EPROBE_DEFER) { ++ kfree(sdio_priv); + return -EPROBE_DEFER; +- else if (!IS_ERR(wilc->rtc_clk)) ++ } else if (!IS_ERR(wilc->rtc_clk)) + clk_prepare_enable(wilc->rtc_clk); + + dev_info(&func->dev, "Driver Initializing success\n"); +-- +2.25.1 + diff --git a/queue-5.9/x86-asm-replace-__force_order-with-a-memory-clobber.patch b/queue-5.9/x86-asm-replace-__force_order-with-a-memory-clobber.patch new file mode 100644 index 00000000000..57bd166df01 --- /dev/null +++ b/queue-5.9/x86-asm-replace-__force_order-with-a-memory-clobber.patch @@ -0,0 +1,177 @@ +From a9ae38495811bd0e702efb92fc10c45ca6c1bca6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:21:52 -0400 +Subject: x86/asm: Replace __force_order with a memory clobber + +From: Arvind Sankar + +[ Upstream commit aa5cacdc29d76a005cbbee018a47faa6e724dd2d ] + +The CRn accessor functions use __force_order as a dummy operand to +prevent the compiler from reordering CRn reads/writes with respect to +each other. + +The fact that the asm is volatile should be enough to prevent this: +volatile asm statements should be executed in program order. However GCC +4.9.x and 5.x have a bug that might result in reordering. This was fixed +in 8.1, 7.3 and 6.5. Versions prior to these, including 5.x and 4.9.x, +may reorder volatile asm statements with respect to each other. + +There are some issues with __force_order as implemented: +- It is used only as an input operand for the write functions, and hence + doesn't do anything additional to prevent reordering writes. +- It allows memory accesses to be cached/reordered across write + functions, but CRn writes affect the semantics of memory accesses, so + this could be dangerous. +- __force_order is not actually defined in the kernel proper, but the + LLVM toolchain can in some cases require a definition: LLVM (as well + as GCC 4.9) requires it for PIE code, which is why the compressed + kernel has a definition, but also the clang integrated assembler may + consider the address of __force_order to be significant, resulting in + a reference that requires a definition. + +Fix this by: +- Using a memory clobber for the write functions to additionally prevent + caching/reordering memory accesses across CRn writes. +- Using a dummy input operand with an arbitrary constant address for the + read functions, instead of a global variable. This will prevent reads + from being reordered across writes, while allowing memory loads to be + cached/reordered across CRn reads, which should be safe. + +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Reviewed-by: Kees Cook +Reviewed-by: Miguel Ojeda +Tested-by: Nathan Chancellor +Tested-by: Sedat Dilek +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82602 +Link: https://lore.kernel.org/lkml/20200527135329.1172644-1-arnd@arndb.de/ +Link: https://lkml.kernel.org/r/20200902232152.3709896-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/pgtable_64.c | 9 --------- + arch/x86/include/asm/special_insns.h | 28 ++++++++++++++------------- + arch/x86/kernel/cpu/common.c | 4 ++-- + 3 files changed, 17 insertions(+), 24 deletions(-) + +diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c +index c8862696a47b9..7d0394f4ebf97 100644 +--- a/arch/x86/boot/compressed/pgtable_64.c ++++ b/arch/x86/boot/compressed/pgtable_64.c +@@ -5,15 +5,6 @@ + #include "pgtable.h" + #include "../string.h" + +-/* +- * __force_order is used by special_insns.h asm code to force instruction +- * serialization. +- * +- * It is not referenced from the code, but GCC < 5 with -fPIE would fail +- * due to an undefined symbol. Define it to make these ancient GCCs work. +- */ +-unsigned long __force_order; +- + #define BIOS_START_MIN 0x20000U /* 128K, less than this is insane */ + #define BIOS_START_MAX 0x9f000U /* 640K, absolute maximum */ + +diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h +index 59a3e13204c34..d6e3bb9363d22 100644 +--- a/arch/x86/include/asm/special_insns.h ++++ b/arch/x86/include/asm/special_insns.h +@@ -11,45 +11,47 @@ + #include + + /* +- * Volatile isn't enough to prevent the compiler from reordering the +- * read/write functions for the control registers and messing everything up. +- * A memory clobber would solve the problem, but would prevent reordering of +- * all loads stores around it, which can hurt performance. Solution is to +- * use a variable and mimic reads and writes to it to enforce serialization ++ * The compiler should not reorder volatile asm statements with respect to each ++ * other: they should execute in program order. However GCC 4.9.x and 5.x have ++ * a bug (which was fixed in 8.1, 7.3 and 6.5) where they might reorder ++ * volatile asm. The write functions are not affected since they have memory ++ * clobbers preventing reordering. To prevent reads from being reordered with ++ * respect to writes, use a dummy memory operand. + */ +-extern unsigned long __force_order; ++ ++#define __FORCE_ORDER "m"(*(unsigned int *)0x1000UL) + + void native_write_cr0(unsigned long val); + + static inline unsigned long native_read_cr0(void) + { + unsigned long val; +- asm volatile("mov %%cr0,%0\n\t" : "=r" (val), "=m" (__force_order)); ++ asm volatile("mov %%cr0,%0\n\t" : "=r" (val) : __FORCE_ORDER); + return val; + } + + static __always_inline unsigned long native_read_cr2(void) + { + unsigned long val; +- asm volatile("mov %%cr2,%0\n\t" : "=r" (val), "=m" (__force_order)); ++ asm volatile("mov %%cr2,%0\n\t" : "=r" (val) : __FORCE_ORDER); + return val; + } + + static __always_inline void native_write_cr2(unsigned long val) + { +- asm volatile("mov %0,%%cr2": : "r" (val), "m" (__force_order)); ++ asm volatile("mov %0,%%cr2": : "r" (val) : "memory"); + } + + static inline unsigned long __native_read_cr3(void) + { + unsigned long val; +- asm volatile("mov %%cr3,%0\n\t" : "=r" (val), "=m" (__force_order)); ++ asm volatile("mov %%cr3,%0\n\t" : "=r" (val) : __FORCE_ORDER); + return val; + } + + static inline void native_write_cr3(unsigned long val) + { +- asm volatile("mov %0,%%cr3": : "r" (val), "m" (__force_order)); ++ asm volatile("mov %0,%%cr3": : "r" (val) : "memory"); + } + + static inline unsigned long native_read_cr4(void) +@@ -64,10 +66,10 @@ static inline unsigned long native_read_cr4(void) + asm volatile("1: mov %%cr4, %0\n" + "2:\n" + _ASM_EXTABLE(1b, 2b) +- : "=r" (val), "=m" (__force_order) : "0" (0)); ++ : "=r" (val) : "0" (0), __FORCE_ORDER); + #else + /* CR4 always exists on x86_64. */ +- asm volatile("mov %%cr4,%0\n\t" : "=r" (val), "=m" (__force_order)); ++ asm volatile("mov %%cr4,%0\n\t" : "=r" (val) : __FORCE_ORDER); + #endif + return val; + } +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index c5d6f17d9b9d3..178499f903661 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -359,7 +359,7 @@ void native_write_cr0(unsigned long val) + unsigned long bits_missing = 0; + + set_register: +- asm volatile("mov %0,%%cr0": "+r" (val), "+m" (__force_order)); ++ asm volatile("mov %0,%%cr0": "+r" (val) : : "memory"); + + if (static_branch_likely(&cr_pinning)) { + if (unlikely((val & X86_CR0_WP) != X86_CR0_WP)) { +@@ -378,7 +378,7 @@ void native_write_cr4(unsigned long val) + unsigned long bits_changed = 0; + + set_register: +- asm volatile("mov %0,%%cr4": "+r" (val), "+m" (cr4_pinned_bits)); ++ asm volatile("mov %0,%%cr4": "+r" (val) : : "memory"); + + if (static_branch_likely(&cr_pinning)) { + if (unlikely((val & cr4_pinned_mask) != cr4_pinned_bits)) { +-- +2.25.1 + diff --git a/queue-5.9/x86-dumpstack-fix-misleading-instruction-pointer-err.patch b/queue-5.9/x86-dumpstack-fix-misleading-instruction-pointer-err.patch new file mode 100644 index 00000000000..a6631f6a018 --- /dev/null +++ b/queue-5.9/x86-dumpstack-fix-misleading-instruction-pointer-err.patch @@ -0,0 +1,50 @@ +From 698bb07146fe4443685d9ea48dfb16d07e37e3f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 04:29:16 +0000 +Subject: x86/dumpstack: Fix misleading instruction pointer error message + +From: Mark Mossberg + +[ Upstream commit 238c91115cd05c71447ea071624a4c9fe661f970 ] + +Printing "Bad RIP value" if copy_code() fails can be misleading for +userspace pointers, since copy_code() can fail if the instruction +pointer is valid but the code is paged out. This is because copy_code() +calls copy_from_user_nmi() for userspace pointers, which disables page +fault handling. + +This is reproducible in OOM situations, where it's plausible that the +code may be reclaimed in the time between entry into the kernel and when +this message is printed. This leaves a misleading log in dmesg that +suggests instruction pointer corruption has occurred, which may alarm +users. + +Change the message to state the error condition more precisely. + + [ bp: Massage a bit. ] + +Signed-off-by: Mark Mossberg +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20201002042915.403558-1-mark.mossberg@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/dumpstack.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c +index 48ce44576947c..ea8d51ec251bb 100644 +--- a/arch/x86/kernel/dumpstack.c ++++ b/arch/x86/kernel/dumpstack.c +@@ -115,7 +115,8 @@ void show_opcodes(struct pt_regs *regs, const char *loglvl) + unsigned long prologue = regs->ip - PROLOGUE_SIZE; + + if (copy_code(regs, opcodes, prologue, sizeof(opcodes))) { +- printk("%sCode: Bad RIP value.\n", loglvl); ++ printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n", ++ loglvl, prologue); + } else { + printk("%sCode: %" __stringify(PROLOGUE_SIZE) "ph <%02x> %" + __stringify(EPILOGUE_SIZE) "ph\n", loglvl, opcodes, +-- +2.25.1 + diff --git a/queue-5.9/x86-events-amd-iommu-fix-sizeof-mismatch.patch b/queue-5.9/x86-events-amd-iommu-fix-sizeof-mismatch.patch new file mode 100644 index 00000000000..a373bac6789 --- /dev/null +++ b/queue-5.9/x86-events-amd-iommu-fix-sizeof-mismatch.patch @@ -0,0 +1,40 @@ +From dd8c8fd9e2402cda0a33ee5dc2072ad94542ddb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 12:39:00 +0100 +Subject: x86/events/amd/iommu: Fix sizeof mismatch + +From: Colin Ian King + +[ Upstream commit 59d5396a4666195f89a67e118e9e627ddd6f53a1 ] + +An incorrect sizeof is being used, struct attribute ** is not correct, +it should be struct attribute *. Note that since ** is the same size as +* this is not causing any issues. Improve this fix by using sizeof(*attrs) +as this allows us to not even reference the type of the pointer. + +Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") +Fixes: 51686546304f ("x86/events/amd/iommu: Fix sysfs perf attribute groups") +Signed-off-by: Colin Ian King +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20201001113900.58889-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/amd/iommu.c b/arch/x86/events/amd/iommu.c +index fb616203ce427..be50ef8572cce 100644 +--- a/arch/x86/events/amd/iommu.c ++++ b/arch/x86/events/amd/iommu.c +@@ -379,7 +379,7 @@ static __init int _init_events_attrs(void) + while (amd_iommu_v2_event_descs[i].attr.attr.name) + i++; + +- attrs = kcalloc(i + 1, sizeof(struct attribute **), GFP_KERNEL); ++ attrs = kcalloc(i + 1, sizeof(*attrs), GFP_KERNEL); + if (!attrs) + return -ENOMEM; + +-- +2.25.1 + diff --git a/queue-5.9/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch b/queue-5.9/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch new file mode 100644 index 00000000000..6a955427962 --- /dev/null +++ b/queue-5.9/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch @@ -0,0 +1,102 @@ +From 1960d39b9edd34c7b27659c24101a942d8899882 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 17:39:19 -0400 +Subject: x86/fpu: Allow multiple bits in clearcpuid= parameter + +From: Arvind Sankar + +[ Upstream commit 0a4bb5e5507a585532cc413125b921c8546fc39f ] + +Commit + + 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument") + +changed clearcpuid parsing from __setup() to cmdline_find_option(). +While the __setup() function would have been called for each clearcpuid= +parameter on the command line, cmdline_find_option() will only return +the last one, so the change effectively made it impossible to disable +more than one bit. + +Allow a comma-separated list of bit numbers as the argument for +clearcpuid to allow multiple bits to be disabled again. Log the bits +being disabled for informational purposes. + +Also fix the check on the return value of cmdline_find_option(). It +returns -1 when the option is not found, so testing as a boolean is +incorrect. + +Fixes: 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument") +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200907213919.2423441-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 2 +- + arch/x86/kernel/fpu/init.c | 30 ++++++++++++++----- + 2 files changed, 23 insertions(+), 9 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index a1068742a6df1..ffe864390c5ac 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -577,7 +577,7 @@ + loops can be debugged more effectively on production + systems. + +- clearcpuid=BITNUM [X86] ++ clearcpuid=BITNUM[,BITNUM...] [X86] + Disable CPUID feature X for the kernel. See + arch/x86/include/asm/cpufeatures.h for the valid bit + numbers. Note the Linux specific bits are not necessarily +diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c +index 61ddc3a5e5c2b..f8ff895aaf7e1 100644 +--- a/arch/x86/kernel/fpu/init.c ++++ b/arch/x86/kernel/fpu/init.c +@@ -243,9 +243,9 @@ static void __init fpu__init_system_ctx_switch(void) + */ + static void __init fpu__init_parse_early_param(void) + { +- char arg[32]; ++ char arg[128]; + char *argptr = arg; +- int bit; ++ int arglen, res, bit; + + #ifdef CONFIG_X86_32 + if (cmdline_find_option_bool(boot_command_line, "no387")) +@@ -268,12 +268,26 @@ static void __init fpu__init_parse_early_param(void) + if (cmdline_find_option_bool(boot_command_line, "noxsaves")) + setup_clear_cpu_cap(X86_FEATURE_XSAVES); + +- if (cmdline_find_option(boot_command_line, "clearcpuid", arg, +- sizeof(arg)) && +- get_option(&argptr, &bit) && +- bit >= 0 && +- bit < NCAPINTS * 32) +- setup_clear_cpu_cap(bit); ++ arglen = cmdline_find_option(boot_command_line, "clearcpuid", arg, sizeof(arg)); ++ if (arglen <= 0) ++ return; ++ ++ pr_info("Clearing CPUID bits:"); ++ do { ++ res = get_option(&argptr, &bit); ++ if (res == 0 || res == 3) ++ break; ++ ++ /* If the argument was too long, the last bit may be cut off */ ++ if (res == 1 && arglen >= sizeof(arg)) ++ break; ++ ++ if (bit >= 0 && bit < NCAPINTS * 32) { ++ pr_cont(" " X86_CAP_FMT, x86_cap_flag(bit)); ++ setup_clear_cpu_cap(bit); ++ } ++ } while (res == 2); ++ pr_cont("\n"); + } + + /* +-- +2.25.1 + diff --git a/queue-5.9/x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch b/queue-5.9/x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch new file mode 100644 index 00000000000..d5f8a11b7fd --- /dev/null +++ b/queue-5.9/x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch @@ -0,0 +1,108 @@ +From 2bd2bb9e023b6056e75d01bf329544e23e335b58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 19:13:12 -0700 +Subject: x86/mce: Add Skylake quirk for patrol scrub reported errors + +From: Borislav Petkov + +[ Upstream commit fd258dc4442c5c1c069c6b5b42bfe7d10cddda95 ] + +The patrol scrubber in Skylake and Cascade Lake systems can be configured +to report uncorrected errors using a special signature in the machine +check bank and to signal using CMCI instead of machine check. + +Update the severity calculation mechanism to allow specifying the model, +minimum stepping and range of machine check bank numbers. + +Add a new rule to detect the special signature (on model 0x55, stepping +>=4 in any of the memory controller banks). + + [ bp: Rewrite it. + aegl: Productize it. ] + +Suggested-by: Youquan Song +Signed-off-by: Borislav Petkov +Co-developed-by: Tony Luck +Signed-off-by: Tony Luck +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200930021313.31810-2-tony.luck@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/severity.c | 28 ++++++++++++++++++++++++++-- + 1 file changed, 26 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c +index e1da619add192..567ce09a02868 100644 +--- a/arch/x86/kernel/cpu/mce/severity.c ++++ b/arch/x86/kernel/cpu/mce/severity.c +@@ -9,9 +9,11 @@ + #include + #include + #include +-#include + #include + ++#include ++#include ++ + #include "internal.h" + + /* +@@ -40,9 +42,14 @@ static struct severity { + unsigned char context; + unsigned char excp; + unsigned char covered; ++ unsigned char cpu_model; ++ unsigned char cpu_minstepping; ++ unsigned char bank_lo, bank_hi; + char *msg; + } severities[] = { + #define MCESEV(s, m, c...) { .sev = MCE_ ## s ## _SEVERITY, .msg = m, ## c } ++#define BANK_RANGE(l, h) .bank_lo = l, .bank_hi = h ++#define MODEL_STEPPING(m, s) .cpu_model = m, .cpu_minstepping = s + #define KERNEL .context = IN_KERNEL + #define USER .context = IN_USER + #define KERNEL_RECOV .context = IN_KERNEL_RECOV +@@ -97,7 +104,6 @@ static struct severity { + KEEP, "Corrected error", + NOSER, BITCLR(MCI_STATUS_UC) + ), +- + /* + * known AO MCACODs reported via MCE or CMC: + * +@@ -113,6 +119,18 @@ static struct severity { + AO, "Action optional: last level cache writeback error", + SER, MASK(MCI_UC_AR|MCACOD, MCI_STATUS_UC|MCACOD_L3WB) + ), ++ /* ++ * Quirk for Skylake/Cascade Lake. Patrol scrubber may be configured ++ * to report uncorrected errors using CMCI with a special signature. ++ * UC=0, MSCOD=0x0010, MCACOD=binary(000X 0000 1100 XXXX) reported ++ * in one of the memory controller banks. ++ * Set severity to "AO" for same action as normal patrol scrub error. ++ */ ++ MCESEV( ++ AO, "Uncorrected Patrol Scrub Error", ++ SER, MASK(MCI_STATUS_UC|MCI_ADDR|0xffffeff0, MCI_ADDR|0x001000c0), ++ MODEL_STEPPING(INTEL_FAM6_SKYLAKE_X, 4), BANK_RANGE(13, 18) ++ ), + + /* ignore OVER for UCNA */ + MCESEV( +@@ -324,6 +342,12 @@ static int mce_severity_intel(struct mce *m, int tolerant, char **msg, bool is_e + continue; + if (s->excp && excp != s->excp) + continue; ++ if (s->cpu_model && boot_cpu_data.x86_model != s->cpu_model) ++ continue; ++ if (s->cpu_minstepping && boot_cpu_data.x86_stepping < s->cpu_minstepping) ++ continue; ++ if (s->bank_lo && (m->bank < s->bank_lo || m->bank > s->bank_hi)) ++ continue; + if (msg) + *msg = s->msg; + s->covered = 1; +-- +2.25.1 + diff --git a/queue-5.9/x86-mce-annotate-mce_rd-wrmsrl-with-noinstr.patch b/queue-5.9/x86-mce-annotate-mce_rd-wrmsrl-with-noinstr.patch new file mode 100644 index 00000000000..507a597b097 --- /dev/null +++ b/queue-5.9/x86-mce-annotate-mce_rd-wrmsrl-with-noinstr.patch @@ -0,0 +1,87 @@ +From 5cf29d1242daec58dc6f43e8074f36bf5dd92661 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 19:21:28 +0200 +Subject: x86/mce: Annotate mce_rd/wrmsrl() with noinstr + +From: Borislav Petkov + +[ Upstream commit e100777016fdf6ec3a9d7c1773b15a2b5eca6c55 ] + +They do get called from the #MC handler which is already marked +"noinstr". + +Commit + + e2def7d49d08 ("x86/mce: Make mce_rdmsrl() panic on an inaccessible MSR") + +already got rid of the instrumentation in the MSR accessors, fix the +annotation now too, in order to get rid of: + + vmlinux.o: warning: objtool: do_machine_check()+0x4a: call to mce_rdmsrl() leaves .noinstr.text section + +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200915194020.28807-1-bp@alien8.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index fc4f8c04bdb56..4288645425f15 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -374,16 +374,25 @@ static int msr_to_offset(u32 msr) + } + + /* MSR access wrappers used for error injection */ +-static u64 mce_rdmsrl(u32 msr) ++static noinstr u64 mce_rdmsrl(u32 msr) + { + u64 v; + + if (__this_cpu_read(injectm.finished)) { +- int offset = msr_to_offset(msr); ++ int offset; ++ u64 ret; + ++ instrumentation_begin(); ++ ++ offset = msr_to_offset(msr); + if (offset < 0) +- return 0; +- return *(u64 *)((char *)this_cpu_ptr(&injectm) + offset); ++ ret = 0; ++ else ++ ret = *(u64 *)((char *)this_cpu_ptr(&injectm) + offset); ++ ++ instrumentation_end(); ++ ++ return ret; + } + + if (rdmsrl_safe(msr, &v)) { +@@ -399,13 +408,19 @@ static u64 mce_rdmsrl(u32 msr) + return v; + } + +-static void mce_wrmsrl(u32 msr, u64 v) ++static noinstr void mce_wrmsrl(u32 msr, u64 v) + { + if (__this_cpu_read(injectm.finished)) { +- int offset = msr_to_offset(msr); ++ int offset; + ++ instrumentation_begin(); ++ ++ offset = msr_to_offset(msr); + if (offset >= 0) + *(u64 *)((char *)this_cpu_ptr(&injectm) + offset) = v; ++ ++ instrumentation_end(); ++ + return; + } + wrmsrl(msr, v); +-- +2.25.1 + diff --git a/queue-5.9/x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch b/queue-5.9/x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch new file mode 100644 index 00000000000..12b17315b77 --- /dev/null +++ b/queue-5.9/x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch @@ -0,0 +1,178 @@ +From 9622451e02b85350cede5adac0193b034fd28713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 23:02:52 +0200 +Subject: x86/mce: Make mce_rdmsrl() panic on an inaccessible MSR + +From: Borislav Petkov + +[ Upstream commit e2def7d49d0812ea40a224161b2001b2e815dce2 ] + +If an exception needs to be handled while reading an MSR - which is in +most of the cases caused by a #GP on a non-existent MSR - then this +is most likely the incarnation of a BIOS or a hardware bug. Such bug +violates the architectural guarantee that MCA banks are present with all +MSRs belonging to them. + +The proper fix belongs in the hardware/firmware - not in the kernel. + +Handling an #MC exception which is raised while an NMI is being handled +would cause the nasty NMI nesting issue because of the shortcoming of +IRET of reenabling NMIs when executed. And the machine is in an #MC +context already so be at its side. + +Tracing MSR accesses while in #MC is another no-no due to tracing being +inherently a bad idea in atomic context: + + vmlinux.o: warning: objtool: do_machine_check()+0x4a: call to mce_rdmsrl() leaves .noinstr.text section + +so remove all that "additional" functionality from mce_rdmsrl() and +provide it with a special exception handler which panics the machine +when that MSR is not accessible. + +The exception handler prints a human-readable message explaining what +the panic reason is but, what is more, it panics while in the #GP +handler and latter won't have executed an IRET, thus opening the NMI +nesting issue in the case when the #MC has happened while handling +an NMI. (#MC itself won't be reenabled until MCG_STATUS hasn't been +cleared). + +Suggested-by: Andy Lutomirski +Suggested-by: Peter Zijlstra +[ Add missing prototypes for ex_handler_* ] +Reported-by: kernel test robot +Signed-off-by: Borislav Petkov +Reviewed-by: Tony Luck +Link: https://lkml.kernel.org/r/20200906212130.GA28456@zn.tnic +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 72 +++++++++++++++++++++++++----- + arch/x86/kernel/cpu/mce/internal.h | 10 +++++ + 2 files changed, 70 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index 4288645425f15..84eef4fa95990 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -373,10 +373,28 @@ static int msr_to_offset(u32 msr) + return -1; + } + ++__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, ++ struct pt_regs *regs, int trapnr, ++ unsigned long error_code, ++ unsigned long fault_addr) ++{ ++ pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n", ++ (unsigned int)regs->cx, regs->ip, (void *)regs->ip); ++ ++ show_stack_regs(regs); ++ ++ panic("MCA architectural violation!\n"); ++ ++ while (true) ++ cpu_relax(); ++ ++ return true; ++} ++ + /* MSR access wrappers used for error injection */ + static noinstr u64 mce_rdmsrl(u32 msr) + { +- u64 v; ++ DECLARE_ARGS(val, low, high); + + if (__this_cpu_read(injectm.finished)) { + int offset; +@@ -395,21 +413,43 @@ static noinstr u64 mce_rdmsrl(u32 msr) + return ret; + } + +- if (rdmsrl_safe(msr, &v)) { +- WARN_ONCE(1, "mce: Unable to read MSR 0x%x!\n", msr); +- /* +- * Return zero in case the access faulted. This should +- * not happen normally but can happen if the CPU does +- * something weird, or if the code is buggy. +- */ +- v = 0; +- } ++ /* ++ * RDMSR on MCA MSRs should not fault. If they do, this is very much an ++ * architectural violation and needs to be reported to hw vendor. Panic ++ * the box to not allow any further progress. ++ */ ++ asm volatile("1: rdmsr\n" ++ "2:\n" ++ _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_rdmsr_fault) ++ : EAX_EDX_RET(val, low, high) : "c" (msr)); + +- return v; ++ ++ return EAX_EDX_VAL(val, low, high); ++} ++ ++__visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup, ++ struct pt_regs *regs, int trapnr, ++ unsigned long error_code, ++ unsigned long fault_addr) ++{ ++ pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n", ++ (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax, ++ regs->ip, (void *)regs->ip); ++ ++ show_stack_regs(regs); ++ ++ panic("MCA architectural violation!\n"); ++ ++ while (true) ++ cpu_relax(); ++ ++ return true; + } + + static noinstr void mce_wrmsrl(u32 msr, u64 v) + { ++ u32 low, high; ++ + if (__this_cpu_read(injectm.finished)) { + int offset; + +@@ -423,7 +463,15 @@ static noinstr void mce_wrmsrl(u32 msr, u64 v) + + return; + } +- wrmsrl(msr, v); ++ ++ low = (u32)v; ++ high = (u32)(v >> 32); ++ ++ /* See comment in mce_rdmsrl() */ ++ asm volatile("1: wrmsr\n" ++ "2:\n" ++ _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_wrmsr_fault) ++ : : "c" (msr), "a"(low), "d" (high) : "memory"); + } + + /* +diff --git a/arch/x86/kernel/cpu/mce/internal.h b/arch/x86/kernel/cpu/mce/internal.h +index 6473070b5da49..b122610e9046a 100644 +--- a/arch/x86/kernel/cpu/mce/internal.h ++++ b/arch/x86/kernel/cpu/mce/internal.h +@@ -185,4 +185,14 @@ extern bool amd_filter_mce(struct mce *m); + static inline bool amd_filter_mce(struct mce *m) { return false; }; + #endif + ++__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup, ++ struct pt_regs *regs, int trapnr, ++ unsigned long error_code, ++ unsigned long fault_addr); ++ ++__visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup, ++ struct pt_regs *regs, int trapnr, ++ unsigned long error_code, ++ unsigned long fault_addr); ++ + #endif /* __X86_MCE_INTERNAL_H__ */ +-- +2.25.1 + diff --git a/queue-5.9/x86-nmi-fix-nmi_handle-duration-miscalculation.patch b/queue-5.9/x86-nmi-fix-nmi_handle-duration-miscalculation.patch new file mode 100644 index 00000000000..c097165dc5a --- /dev/null +++ b/queue-5.9/x86-nmi-fix-nmi_handle-duration-miscalculation.patch @@ -0,0 +1,57 @@ +From d2b0d86e6213bf791d2948930bef918da14fde4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 10:56:41 +0800 +Subject: x86/nmi: Fix nmi_handle() duration miscalculation + +From: Libing Zhou + +[ Upstream commit f94c91f7ba3ba7de2bc8aa31be28e1abb22f849e ] + +When nmi_check_duration() is checking the time an NMI handler took to +execute, the whole_msecs value used should be read from the @duration +argument, not from the ->max_duration, the latter being used to store +the current maximal duration. + + [ bp: Rewrite commit message. ] + +Fixes: 248ed51048c4 ("x86/nmi: Remove irq_work from the long duration NMI handler") +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Libing Zhou +Signed-off-by: Borislav Petkov +Cc: Changbin Du +Link: https://lkml.kernel.org/r/20200820025641.44075-1-libing.zhou@nokia-sbell.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/nmi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c +index 4fc9954a95600..47381666d6a55 100644 +--- a/arch/x86/kernel/nmi.c ++++ b/arch/x86/kernel/nmi.c +@@ -102,7 +102,6 @@ fs_initcall(nmi_warning_debugfs); + + static void nmi_check_duration(struct nmiaction *action, u64 duration) + { +- u64 whole_msecs = READ_ONCE(action->max_duration); + int remainder_ns, decimal_msecs; + + if (duration < nmi_longest_ns || duration < action->max_duration) +@@ -110,12 +109,12 @@ static void nmi_check_duration(struct nmiaction *action, u64 duration) + + action->max_duration = duration; + +- remainder_ns = do_div(whole_msecs, (1000 * 1000)); ++ remainder_ns = do_div(duration, (1000 * 1000)); + decimal_msecs = remainder_ns / 1000; + + printk_ratelimited(KERN_INFO + "INFO: NMI handler (%ps) took too long to run: %lld.%03d msecs\n", +- action->handler, whole_msecs, decimal_msecs); ++ action->handler, duration, decimal_msecs); + } + + static int nmi_handle(unsigned int type, struct pt_regs *regs) +-- +2.25.1 + diff --git a/queue-5.9/xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch b/queue-5.9/xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch new file mode 100644 index 00000000000..4cc2c4341f4 --- /dev/null +++ b/queue-5.9/xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch @@ -0,0 +1,341 @@ +From e721e2aeaa324cc1b69fbe0a905194e3d3273931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 10:56:07 -0700 +Subject: xfs: fix deadlock and streamline xfs_getfsmap performance + +From: Darrick J. Wong + +[ Upstream commit 8ffa90e1145c70c7ac47f14b59583b2296d89e72 ] + +Refactor xfs_getfsmap to improve its performance: instead of indirectly +calling a function that copies one record to userspace at a time, create +a shadow buffer in the kernel and copy the whole array once at the end. +On the author's computer, this reduces the runtime on his /home by ~20%. + +This also eliminates a deadlock when running GETFSMAP against the +realtime device. The current code locks the rtbitmap to create +fsmappings and copies them into userspace, having not released the +rtbitmap lock. If the userspace buffer is an mmap of a sparse file that +itself resides on the realtime device, the write page fault will recurse +into the fs for allocation, which will deadlock on the rtbitmap lock. + +Fixes: 4c934c7dd60c ("xfs: report realtime space information via the rtbitmap") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_fsmap.c | 45 +++++++------- + fs/xfs/xfs_fsmap.h | 6 +- + fs/xfs/xfs_ioctl.c | 144 ++++++++++++++++++++++++++++++--------------- + 3 files changed, 124 insertions(+), 71 deletions(-) + +diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c +index aa36e7daf82c4..9ce5e7d5bf8f2 100644 +--- a/fs/xfs/xfs_fsmap.c ++++ b/fs/xfs/xfs_fsmap.c +@@ -26,7 +26,7 @@ + #include "xfs_rtalloc.h" + + /* Convert an xfs_fsmap to an fsmap. */ +-void ++static void + xfs_fsmap_from_internal( + struct fsmap *dest, + struct xfs_fsmap *src) +@@ -155,8 +155,7 @@ xfs_fsmap_owner_from_rmap( + /* getfsmap query state */ + struct xfs_getfsmap_info { + struct xfs_fsmap_head *head; +- xfs_fsmap_format_t formatter; /* formatting fn */ +- void *format_arg; /* format buffer */ ++ struct fsmap *fsmap_recs; /* mapping records */ + struct xfs_buf *agf_bp; /* AGF, for refcount queries */ + xfs_daddr_t next_daddr; /* next daddr we expect */ + u64 missing_owner; /* owner of holes */ +@@ -224,6 +223,20 @@ xfs_getfsmap_is_shared( + return 0; + } + ++static inline void ++xfs_getfsmap_format( ++ struct xfs_mount *mp, ++ struct xfs_fsmap *xfm, ++ struct xfs_getfsmap_info *info) ++{ ++ struct fsmap *rec; ++ ++ trace_xfs_getfsmap_mapping(mp, xfm); ++ ++ rec = &info->fsmap_recs[info->head->fmh_entries++]; ++ xfs_fsmap_from_internal(rec, xfm); ++} ++ + /* + * Format a reverse mapping for getfsmap, having translated rm_startblock + * into the appropriate daddr units. +@@ -288,10 +301,7 @@ xfs_getfsmap_helper( + fmr.fmr_offset = 0; + fmr.fmr_length = rec_daddr - info->next_daddr; + fmr.fmr_flags = FMR_OF_SPECIAL_OWNER; +- error = info->formatter(&fmr, info->format_arg); +- if (error) +- return error; +- info->head->fmh_entries++; ++ xfs_getfsmap_format(mp, &fmr, info); + } + + if (info->last) +@@ -323,11 +333,8 @@ xfs_getfsmap_helper( + if (shared) + fmr.fmr_flags |= FMR_OF_SHARED; + } +- error = info->formatter(&fmr, info->format_arg); +- if (error) +- return error; +- info->head->fmh_entries++; + ++ xfs_getfsmap_format(mp, &fmr, info); + out: + rec_daddr += XFS_FSB_TO_BB(mp, rec->rm_blockcount); + if (info->next_daddr < rec_daddr) +@@ -795,11 +802,11 @@ xfs_getfsmap_check_keys( + #endif /* CONFIG_XFS_RT */ + + /* +- * Get filesystem's extents as described in head, and format for +- * output. Calls formatter to fill the user's buffer until all +- * extents are mapped, until the passed-in head->fmh_count slots have +- * been filled, or until the formatter short-circuits the loop, if it +- * is tracking filled-in extents on its own. ++ * Get filesystem's extents as described in head, and format for output. Fills ++ * in the supplied records array until there are no more reverse mappings to ++ * return or head.fmh_entries == head.fmh_count. In the second case, this ++ * function returns -ECANCELED to indicate that more records would have been ++ * returned. + * + * Key to Confusion + * ---------------- +@@ -819,8 +826,7 @@ int + xfs_getfsmap( + struct xfs_mount *mp, + struct xfs_fsmap_head *head, +- xfs_fsmap_format_t formatter, +- void *arg) ++ struct fsmap *fsmap_recs) + { + struct xfs_trans *tp = NULL; + struct xfs_fsmap dkeys[2]; /* per-dev keys */ +@@ -895,8 +901,7 @@ xfs_getfsmap( + + info.next_daddr = head->fmh_keys[0].fmr_physical + + head->fmh_keys[0].fmr_length; +- info.formatter = formatter; +- info.format_arg = arg; ++ info.fsmap_recs = fsmap_recs; + info.head = head; + + /* +diff --git a/fs/xfs/xfs_fsmap.h b/fs/xfs/xfs_fsmap.h +index c6c57739b8626..a0775788e7b13 100644 +--- a/fs/xfs/xfs_fsmap.h ++++ b/fs/xfs/xfs_fsmap.h +@@ -27,13 +27,9 @@ struct xfs_fsmap_head { + struct xfs_fsmap fmh_keys[2]; /* low and high keys */ + }; + +-void xfs_fsmap_from_internal(struct fsmap *dest, struct xfs_fsmap *src); + void xfs_fsmap_to_internal(struct xfs_fsmap *dest, struct fsmap *src); + +-/* fsmap to userspace formatter - copy to user & advance pointer */ +-typedef int (*xfs_fsmap_format_t)(struct xfs_fsmap *, void *); +- + int xfs_getfsmap(struct xfs_mount *mp, struct xfs_fsmap_head *head, +- xfs_fsmap_format_t formatter, void *arg); ++ struct fsmap *out_recs); + + #endif /* __XFS_FSMAP_H__ */ +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index 6f22a66777cd0..b0882f8a787f1 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -1715,39 +1715,17 @@ xfs_ioc_getbmap( + return error; + } + +-struct getfsmap_info { +- struct xfs_mount *mp; +- struct fsmap_head __user *data; +- unsigned int idx; +- __u32 last_flags; +-}; +- +-STATIC int +-xfs_getfsmap_format(struct xfs_fsmap *xfm, void *priv) +-{ +- struct getfsmap_info *info = priv; +- struct fsmap fm; +- +- trace_xfs_getfsmap_mapping(info->mp, xfm); +- +- info->last_flags = xfm->fmr_flags; +- xfs_fsmap_from_internal(&fm, xfm); +- if (copy_to_user(&info->data->fmh_recs[info->idx++], &fm, +- sizeof(struct fsmap))) +- return -EFAULT; +- +- return 0; +-} +- + STATIC int + xfs_ioc_getfsmap( + struct xfs_inode *ip, + struct fsmap_head __user *arg) + { +- struct getfsmap_info info = { NULL }; + struct xfs_fsmap_head xhead = {0}; + struct fsmap_head head; +- bool aborted = false; ++ struct fsmap *recs; ++ unsigned int count; ++ __u32 last_flags = 0; ++ bool done = false; + int error; + + if (copy_from_user(&head, arg, sizeof(struct fsmap_head))) +@@ -1759,38 +1737,112 @@ xfs_ioc_getfsmap( + sizeof(head.fmh_keys[1].fmr_reserved))) + return -EINVAL; + ++ /* ++ * Use an internal memory buffer so that we don't have to copy fsmap ++ * data to userspace while holding locks. Start by trying to allocate ++ * up to 128k for the buffer, but fall back to a single page if needed. ++ */ ++ count = min_t(unsigned int, head.fmh_count, ++ 131072 / sizeof(struct fsmap)); ++ recs = kvzalloc(count * sizeof(struct fsmap), GFP_KERNEL); ++ if (!recs) { ++ count = min_t(unsigned int, head.fmh_count, ++ PAGE_SIZE / sizeof(struct fsmap)); ++ recs = kvzalloc(count * sizeof(struct fsmap), GFP_KERNEL); ++ if (!recs) ++ return -ENOMEM; ++ } ++ + xhead.fmh_iflags = head.fmh_iflags; +- xhead.fmh_count = head.fmh_count; + xfs_fsmap_to_internal(&xhead.fmh_keys[0], &head.fmh_keys[0]); + xfs_fsmap_to_internal(&xhead.fmh_keys[1], &head.fmh_keys[1]); + + trace_xfs_getfsmap_low_key(ip->i_mount, &xhead.fmh_keys[0]); + trace_xfs_getfsmap_high_key(ip->i_mount, &xhead.fmh_keys[1]); + +- info.mp = ip->i_mount; +- info.data = arg; +- error = xfs_getfsmap(ip->i_mount, &xhead, xfs_getfsmap_format, &info); +- if (error == -ECANCELED) { +- error = 0; +- aborted = true; +- } else if (error) +- return error; ++ head.fmh_entries = 0; ++ do { ++ struct fsmap __user *user_recs; ++ struct fsmap *last_rec; ++ ++ user_recs = &arg->fmh_recs[head.fmh_entries]; ++ xhead.fmh_entries = 0; ++ xhead.fmh_count = min_t(unsigned int, count, ++ head.fmh_count - head.fmh_entries); ++ ++ /* Run query, record how many entries we got. */ ++ error = xfs_getfsmap(ip->i_mount, &xhead, recs); ++ switch (error) { ++ case 0: ++ /* ++ * There are no more records in the result set. Copy ++ * whatever we got to userspace and break out. ++ */ ++ done = true; ++ break; ++ case -ECANCELED: ++ /* ++ * The internal memory buffer is full. Copy whatever ++ * records we got to userspace and go again if we have ++ * not yet filled the userspace buffer. ++ */ ++ error = 0; ++ break; ++ default: ++ goto out_free; ++ } ++ head.fmh_entries += xhead.fmh_entries; ++ head.fmh_oflags = xhead.fmh_oflags; + +- /* If we didn't abort, set the "last" flag in the last fmx */ +- if (!aborted && info.idx) { +- info.last_flags |= FMR_OF_LAST; +- if (copy_to_user(&info.data->fmh_recs[info.idx - 1].fmr_flags, +- &info.last_flags, sizeof(info.last_flags))) +- return -EFAULT; ++ /* ++ * If the caller wanted a record count or there aren't any ++ * new records to return, we're done. ++ */ ++ if (head.fmh_count == 0 || xhead.fmh_entries == 0) ++ break; ++ ++ /* Copy all the records we got out to userspace. */ ++ if (copy_to_user(user_recs, recs, ++ xhead.fmh_entries * sizeof(struct fsmap))) { ++ error = -EFAULT; ++ goto out_free; ++ } ++ ++ /* Remember the last record flags we copied to userspace. */ ++ last_rec = &recs[xhead.fmh_entries - 1]; ++ last_flags = last_rec->fmr_flags; ++ ++ /* Set up the low key for the next iteration. */ ++ xfs_fsmap_to_internal(&xhead.fmh_keys[0], last_rec); ++ trace_xfs_getfsmap_low_key(ip->i_mount, &xhead.fmh_keys[0]); ++ } while (!done && head.fmh_entries < head.fmh_count); ++ ++ /* ++ * If there are no more records in the query result set and we're not ++ * in counting mode, mark the last record returned with the LAST flag. ++ */ ++ if (done && head.fmh_count > 0 && head.fmh_entries > 0) { ++ struct fsmap __user *user_rec; ++ ++ last_flags |= FMR_OF_LAST; ++ user_rec = &arg->fmh_recs[head.fmh_entries - 1]; ++ ++ if (copy_to_user(&user_rec->fmr_flags, &last_flags, ++ sizeof(last_flags))) { ++ error = -EFAULT; ++ goto out_free; ++ } + } + + /* copy back header */ +- head.fmh_entries = xhead.fmh_entries; +- head.fmh_oflags = xhead.fmh_oflags; +- if (copy_to_user(arg, &head, sizeof(struct fsmap_head))) +- return -EFAULT; ++ if (copy_to_user(arg, &head, sizeof(struct fsmap_head))) { ++ error = -EFAULT; ++ goto out_free; ++ } + +- return 0; ++out_free: ++ kmem_free(recs); ++ return error; + } + + STATIC int +-- +2.25.1 + diff --git a/queue-5.9/xfs-fix-finobt-btree-block-recovery-ordering.patch b/queue-5.9/xfs-fix-finobt-btree-block-recovery-ordering.patch new file mode 100644 index 00000000000..fb3bf976a4a --- /dev/null +++ b/queue-5.9/xfs-fix-finobt-btree-block-recovery-ordering.patch @@ -0,0 +1,49 @@ +From db21c05618547ed9db5cda777a64e8929201a20b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 07:28:52 -0700 +Subject: xfs: fix finobt btree block recovery ordering + +From: Dave Chinner + +[ Upstream commit 671459676ab0e1d371c8d6b184ad1faa05b6941e ] + +Nathan popped up on #xfs and pointed out that we fail to handle +finobt btree blocks in xlog_recover_get_buf_lsn(). This means they +always fall through the entire magic number matching code to "recover +immediately". Whilst most of the time this is the correct behaviour, +occasionally it will be incorrect and could potentially overwrite +more recent metadata because we don't check the LSN in the on disk +metadata at all. + +This bug has been present since the finobt was first introduced, and +is a potential cause of the occasional xfs_iget_check_free_state() +failures we see that indicate that the inode btree state does not +match the on disk inode state. + +Fixes: aafc3c246529 ("xfs: support the XFS_BTNUM_FINOBT free inode btree type") +Reported-by: Nathan Scott +Signed-off-by: Dave Chinner +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Reviewed-by: Brian Foster +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_buf_item_recover.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/xfs/xfs_buf_item_recover.c b/fs/xfs/xfs_buf_item_recover.c +index 8f0457d67d779..de2772394de21 100644 +--- a/fs/xfs/xfs_buf_item_recover.c ++++ b/fs/xfs/xfs_buf_item_recover.c +@@ -719,6 +719,8 @@ xlog_recover_get_buf_lsn( + case XFS_ABTC_MAGIC: + case XFS_RMAP_CRC_MAGIC: + case XFS_REFC_CRC_MAGIC: ++ case XFS_FIBT_CRC_MAGIC: ++ case XFS_FIBT_MAGIC: + case XFS_IBT_CRC_MAGIC: + case XFS_IBT_MAGIC: { + struct xfs_btree_block *btb = blk; +-- +2.25.1 + diff --git a/queue-5.9/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch b/queue-5.9/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch new file mode 100644 index 00000000000..9a0ba92ace0 --- /dev/null +++ b/queue-5.9/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch @@ -0,0 +1,100 @@ +From 56dbc14f1caaa1e65a0fc3538e0a381c2c3e6eec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 08:46:27 -0700 +Subject: xfs: fix high key handling in the rt allocator's query_range function + +From: Darrick J. Wong + +[ Upstream commit d88850bd5516a77c6f727e8b6cefb64e0cc929c7 ] + +Fix some off-by-one errors in xfs_rtalloc_query_range. The highest key +in the realtime bitmap is always one less than the number of rt extents, +which means that the key clamp at the start of the function is wrong. +The 4th argument to xfs_rtfind_forw is the highest rt extent that we +want to probe, which means that passing 1 less than the high key is +wrong. Finally, drop the rem variable that controls the loop because we +can compare the iteration point (rtstart) against the high key directly. + +The sordid history of this function is that the original commit (fb3c3) +incorrectly passed (high_rec->ar_startblock - 1) as the 'limit' parameter +to xfs_rtfind_forw. This was wrong because the "high key" is supposed +to be the largest key for which the caller wants result rows, not the +key for the first row that could possibly be outside the range that the +caller wants to see. + +A subsequent attempt (8ad56) to strengthen the parameter checking added +incorrect clamping of the parameters to the number of rt blocks in the +system (despite the bitmap functions all taking units of rt extents) to +avoid querying ranges past the end of rt bitmap file but failed to fix +the incorrect _rtfind_forw parameter. The original _rtfind_forw +parameter error then survived the conversion of the startblock and +blockcount fields to rt extents (a0e5c), and the most recent off-by-one +fix (a3a37) thought it was patching a problem when the end of the rt +volume is not in use, but none of these fixes actually solved the +original problem that the author was confused about the "limit" argument +to xfs_rtfind_forw. + +Sadly, all four of these patches were written by this author and even +his own usage of this function and rt testing were inadequate to get +this fixed quickly. + +Original-problem: fb3c3de2f65c ("xfs: add a couple of queries to iterate free extents in the rtbitmap") +Not-fixed-by: 8ad560d2565e ("xfs: strengthen rtalloc query range checks") +Not-fixed-by: a0e5c435babd ("xfs: fix xfs_rtalloc_rec units") +Fixes: a3a374bf1889 ("xfs: fix off-by-one error in xfs_rtalloc_query_range") +Signed-off-by: Darrick J. Wong +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_rtbitmap.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/fs/xfs/libxfs/xfs_rtbitmap.c b/fs/xfs/libxfs/xfs_rtbitmap.c +index 1d9fa8a300f15..6c1aba16113c5 100644 +--- a/fs/xfs/libxfs/xfs_rtbitmap.c ++++ b/fs/xfs/libxfs/xfs_rtbitmap.c +@@ -1018,7 +1018,6 @@ xfs_rtalloc_query_range( + struct xfs_mount *mp = tp->t_mountp; + xfs_rtblock_t rtstart; + xfs_rtblock_t rtend; +- xfs_rtblock_t rem; + int is_free; + int error = 0; + +@@ -1027,13 +1026,12 @@ xfs_rtalloc_query_range( + if (low_rec->ar_startext >= mp->m_sb.sb_rextents || + low_rec->ar_startext == high_rec->ar_startext) + return 0; +- if (high_rec->ar_startext > mp->m_sb.sb_rextents) +- high_rec->ar_startext = mp->m_sb.sb_rextents; ++ high_rec->ar_startext = min(high_rec->ar_startext, ++ mp->m_sb.sb_rextents - 1); + + /* Iterate the bitmap, looking for discrepancies. */ + rtstart = low_rec->ar_startext; +- rem = high_rec->ar_startext - rtstart; +- while (rem) { ++ while (rtstart <= high_rec->ar_startext) { + /* Is the first block free? */ + error = xfs_rtcheck_range(mp, tp, rtstart, 1, 1, &rtend, + &is_free); +@@ -1042,7 +1040,7 @@ xfs_rtalloc_query_range( + + /* How long does the extent go for? */ + error = xfs_rtfind_forw(mp, tp, rtstart, +- high_rec->ar_startext - 1, &rtend); ++ high_rec->ar_startext, &rtend); + if (error) + break; + +@@ -1055,7 +1053,6 @@ xfs_rtalloc_query_range( + break; + } + +- rem -= rtend - rtstart + 1; + rtstart = rtend + 1; + } + +-- +2.25.1 + diff --git a/queue-5.9/xfs-force-the-log-after-remapping-a-synchronous-writ.patch b/queue-5.9/xfs-force-the-log-after-remapping-a-synchronous-writ.patch new file mode 100644 index 00000000000..54e4efaab39 --- /dev/null +++ b/queue-5.9/xfs-force-the-log-after-remapping-a-synchronous-writ.patch @@ -0,0 +1,66 @@ +From 76f1cc4ebd6117dab59b426f5a7a5e1d77e5f5ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 10:20:16 -0700 +Subject: xfs: force the log after remapping a synchronous-writes file + +From: Darrick J. Wong + +[ Upstream commit 5ffce3cc22a0e89813ed0c7162a68b639aef9ab6 ] + +Commit 5833112df7e9 tried to make it so that a remap operation would +force the log out to disk if the filesystem is mounted with mandatory +synchronous writes. Unfortunately, that commit failed to handle the +case where the inode or the file descriptor require mandatory +synchronous writes. + +Refactor the check into into a helper that will look for all three +conditions, and now we can treat reflink just like any other synchronous +write. + +Fixes: 5833112df7e9 ("xfs: reflink should force the log out if mounted with wsync") +Signed-off-by: Darrick J. Wong +Reviewed-by: Brian Foster +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_file.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c +index a29f78a663ca5..3d1b951247440 100644 +--- a/fs/xfs/xfs_file.c ++++ b/fs/xfs/xfs_file.c +@@ -1008,6 +1008,21 @@ xfs_file_fadvise( + return ret; + } + ++/* Does this file, inode, or mount want synchronous writes? */ ++static inline bool xfs_file_sync_writes(struct file *filp) ++{ ++ struct xfs_inode *ip = XFS_I(file_inode(filp)); ++ ++ if (ip->i_mount->m_flags & XFS_MOUNT_WSYNC) ++ return true; ++ if (filp->f_flags & (__O_SYNC | O_DSYNC)) ++ return true; ++ if (IS_SYNC(file_inode(filp))) ++ return true; ++ ++ return false; ++} ++ + STATIC loff_t + xfs_file_remap_range( + struct file *file_in, +@@ -1065,7 +1080,7 @@ xfs_file_remap_range( + if (ret) + goto out_unlock; + +- if (mp->m_flags & XFS_MOUNT_WSYNC) ++ if (xfs_file_sync_writes(file_in) || xfs_file_sync_writes(file_out)) + xfs_log_force_inode(dest); + out_unlock: + xfs_iunlock2_io_mmap(src, dest); +-- +2.25.1 + diff --git a/queue-5.9/xfs-limit-entries-returned-when-counting-fsmap-recor.patch b/queue-5.9/xfs-limit-entries-returned-when-counting-fsmap-recor.patch new file mode 100644 index 00000000000..023b8d77fc8 --- /dev/null +++ b/queue-5.9/xfs-limit-entries-returned-when-counting-fsmap-recor.patch @@ -0,0 +1,40 @@ +From c62468a016dc930a57840af8fdce2086fa007cc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 10:56:07 -0700 +Subject: xfs: limit entries returned when counting fsmap records + +From: Darrick J. Wong + +[ Upstream commit acd1ac3aa22fd58803a12d26b1ab7f70232f8d8d ] + +If userspace asked fsmap to count the number of entries, we cannot +return more than UINT_MAX entries because fmh_entries is u32. +Therefore, stop counting if we hit this limit or else we will waste time +to return truncated results. + +Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_fsmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c +index 4eebcec4aae6c..aa36e7daf82c4 100644 +--- a/fs/xfs/xfs_fsmap.c ++++ b/fs/xfs/xfs_fsmap.c +@@ -256,6 +256,9 @@ xfs_getfsmap_helper( + + /* Are we just counting mappings? */ + if (info->head->fmh_count == 0) { ++ if (info->head->fmh_entries == UINT_MAX) ++ return -ECANCELED; ++ + if (rec_daddr > info->next_daddr) + info->head->fmh_entries++; + +-- +2.25.1 + diff --git a/queue-5.9/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch b/queue-5.9/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch new file mode 100644 index 00000000000..10ed9f65643 --- /dev/null +++ b/queue-5.9/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch @@ -0,0 +1,58 @@ +From cd85493f43016f8283adc290012ae7184223f536 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 14:21:06 -0700 +Subject: xfs: make sure the rt allocator doesn't run off the end + +From: Darrick J. Wong + +[ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ] + +There's an overflow bug in the realtime allocator. If the rt volume is +large enough to handle a single allocation request that is larger than +the maximum bmap extent length and the rt bitmap ends exactly on a +bitmap block boundary, it's possible that the near allocator will try to +check the freeness of a range that extends past the end of the bitmap. +This fails with a corruption error and shuts down the fs. + +Therefore, constrain maxlen so that the range scan cannot run off the +end of the rt bitmap. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_rtalloc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c +index 6209e7b6b895b..86994d7f7cba3 100644 +--- a/fs/xfs/xfs_rtalloc.c ++++ b/fs/xfs/xfs_rtalloc.c +@@ -247,6 +247,9 @@ xfs_rtallocate_extent_block( + end = XFS_BLOCKTOBIT(mp, bbno + 1) - 1; + i <= end; + i++) { ++ /* Make sure we don't scan off the end of the rt volume. */ ++ maxlen = min(mp->m_sb.sb_rextents, i + maxlen) - i; ++ + /* + * See if there's a free extent of maxlen starting at i. + * If it's not so then next will contain the first non-free. +@@ -442,6 +445,14 @@ xfs_rtallocate_extent_near( + */ + if (bno >= mp->m_sb.sb_rextents) + bno = mp->m_sb.sb_rextents - 1; ++ ++ /* Make sure we don't run off the end of the rt volume. */ ++ maxlen = min(mp->m_sb.sb_rextents, bno + maxlen) - bno; ++ if (maxlen < minlen) { ++ *rtblock = NULLRTBLOCK; ++ return 0; ++ } ++ + /* + * Try the exact allocation first. + */ +-- +2.25.1 + diff --git a/queue-5.9/xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch b/queue-5.9/xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch new file mode 100644 index 00000000000..89aefa346bd --- /dev/null +++ b/queue-5.9/xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch @@ -0,0 +1,51 @@ +From f9cb041f886a0125a36a3b3469feab83c66d6ab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 16:17:51 +0300 +Subject: xhci: don't create endpoint debugfs entry before ring buffer is set. + +From: Mathias Nyman + +[ Upstream commit 167657a1bb5fcde53ac304ce6c564bd90a2f9185 ] + +Make sure xHC completes the configure endpoint command and xhci driver +sets the ring pointers correctly before we create the user readable +debugfs file. + +In theory there was a small gap where a user could have read the +debugfs file and cause a NULL pointer dereference error as ring +pointer was not yet set, in practise we want this change to simplify +the upcoming streams debugfs support. + +Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20200918131752.16488-10-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index f4cedcaee14b3..e534f524b7f87 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1915,8 +1915,6 @@ static int xhci_add_endpoint(struct usb_hcd *hcd, struct usb_device *udev, + ep_ctx = xhci_get_ep_ctx(xhci, virt_dev->in_ctx, ep_index); + trace_xhci_add_endpoint(ep_ctx); + +- xhci_debugfs_create_endpoint(xhci, virt_dev, ep_index); +- + xhci_dbg(xhci, "add ep 0x%x, slot id %d, new drop flags = %#x, new add flags = %#x\n", + (unsigned int) ep->desc.bEndpointAddress, + udev->slot_id, +@@ -2949,6 +2947,7 @@ static int xhci_check_bandwidth(struct usb_hcd *hcd, struct usb_device *udev) + xhci_check_bw_drop_ep_streams(xhci, virt_dev, i); + virt_dev->eps[i].ring = virt_dev->eps[i].new_ring; + virt_dev->eps[i].new_ring = NULL; ++ xhci_debugfs_create_endpoint(xhci, virt_dev, i); + } + command_cleanup: + kfree(command->completion); +-- +2.25.1 +