From: Greg Kroah-Hartman Date: Wed, 19 Aug 2020 13:34:09 +0000 (+0200) Subject: 5.8-stable patches X-Git-Tag: v4.14.194~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49b96518f9e3727a564ec9ecfa3f89404fbca29a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.8-stable patches added patches: bootconfig-fix-to-find-the-initargs-correctly.patch dm-don-t-call-report-zones-for-more-than-the-user-requested.patch dm-ebs-fix-incorrect-checking-for-req_op_flush.patch drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch drm-ingenic-fix-incorrect-assumption-about-plane-index.patch gfs2-fix-refcount-leak-in-gfs2_glock_poke.patch gfs2-never-call-gfs2_block_zero_range-with-an-open-transaction.patch libnvdimm-validate-command-family-indices.patch module-correctly-truncate-sysfs-sections-output.patch perf-intel-pt-fix-duplicate-branch-after-cbr.patch perf-intel-pt-fix-fup-packet-state.patch perf-probe-fix-memory-leakage-when-the-probe-point-is-not-found.patch perf-probe-fix-wrong-variable-warning-when-the-probe-point-is-not-found.patch remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch --- diff --git a/queue-5.8/bootconfig-fix-to-find-the-initargs-correctly.patch b/queue-5.8/bootconfig-fix-to-find-the-initargs-correctly.patch new file mode 100644 index 00000000000..972e4382e0d --- /dev/null +++ b/queue-5.8/bootconfig-fix-to-find-the-initargs-correctly.patch 
@@ -0,0 +1,72 @@ +From 477d08478170469d10b533624342d13701e24b34 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Tue, 4 Aug 2020 11:52:13 +0900 +Subject: bootconfig: Fix to find the initargs correctly + +From: Masami Hiramatsu + +commit 477d08478170469d10b533624342d13701e24b34 upstream. + +Since the parse_args() stops parsing at '--', bootconfig_params() +will never get the '--' as param and initargs_found never be true. +In the result, if we pass some init arguments via the bootconfig, +those are always appended to the kernel command line with '--' +even if the kernel command line already has '--'. + +To fix this correctly, check the return value of parse_args() +and set initargs_found true if the return value is not an error +but a valid address. + +Link: https://lkml.kernel.org/r/159650953285.270383.14822353843556363851.stgit@devnote2 + +Fixes: f61872bb58a1 ("bootconfig: Use parse_args() to find bootconfig and '--'") +Cc: stable@vger.kernel.org +Reported-by: Arvind Sankar +Suggested-by: Arvind Sankar +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + init/main.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/init/main.c ++++ b/init/main.c +@@ -387,8 +387,6 @@ static int __init bootconfig_params(char + { + if (strcmp(param, "bootconfig") == 0) { + bootconfig_found = true; +- } else if (strcmp(param, "--") == 0) { +- initargs_found = true; + } + return 0; + } +@@ -399,19 +397,23 @@ static void __init setup_boot_config(con + const char *msg; + int pos; + u32 size, csum; +- char *data, *copy; ++ char *data, *copy, *err; + int ret; + + /* Cut out the bootconfig data even if we have no bootconfig option */ + data = get_boot_config_from_initrd(&size, &csum); + + strlcpy(tmp_cmdline, boot_command_line, COMMAND_LINE_SIZE); +- parse_args("bootconfig", tmp_cmdline, NULL, 0, 0, 0, NULL, +- bootconfig_params); ++ err = parse_args("bootconfig", tmp_cmdline, NULL, 0, 0, 0, 
NULL, ++ bootconfig_params); + +- if (!bootconfig_found) ++ if (IS_ERR(err) || !bootconfig_found) + return; + ++ /* parse_args() stops at '--' and returns an address */ ++ if (err) ++ initargs_found = true; ++ + if (!data) { + pr_err("'bootconfig' found on command line, but no bootconfig found\n"); + return; diff --git a/queue-5.8/dm-don-t-call-report-zones-for-more-than-the-user-requested.patch b/queue-5.8/dm-don-t-call-report-zones-for-more-than-the-user-requested.patch new file mode 100644 index 00000000000..a96503df5f5 --- /dev/null +++ b/queue-5.8/dm-don-t-call-report-zones-for-more-than-the-user-requested.patch 
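Review bot: When parse_args() fails, the new `if (IS_ERR(err) || !bootconfig_found) return;` drops the failure silently, even in the case where bootconfig_found was already set before the offending parameter was reached, so a boot that loses its bootconfig leaves no trace in the log; a `pr_err("bootconfig: failed to parse the command line: %ld\n", PTR_ERR(err));` ahead of that early return would make it visible. The variable `err` also holds three different things (NULL, an ERR_PTR, or the address of the '--' argument), and the `if (err) initargs_found = true;` line only makes sense with the comment above it, so a name such as `initargs` would read more honestly. setup_boot_config continues past the end of the hunk.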
@@ -0,0 +1,45 @@ +From a9cb9f4148ef6bb8fabbdaa85c42b2171fbd5a0d Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Tue, 4 Aug 2020 18:25:01 +0900 +Subject: dm: don't call report zones for more than the user requested + +From: Johannes Thumshirn + +commit a9cb9f4148ef6bb8fabbdaa85c42b2171fbd5a0d upstream. + +Don't call report zones for more zones than the user actually requested, +otherwise this can lead to out-of-bounds accesses in the callback +functions. + +Such a situation can happen if the target's ->report_zones() callback +function returns 0 because we've reached the end of the target and then +restart the report zones on the second target. + +We're again calling into ->report_zones() and ultimately into the user +supplied callback function but when we're not subtracting the number of +zones already processed this may lead to out-of-bounds accesses in the +user callbacks. + +Signed-off-by: Johannes Thumshirn +Reviewed-by: Damien Le Moal +Fixes: d41003513e61 ("block: rework zone reporting") +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -504,7 +504,8 @@ static int dm_blk_report_zones(struct ge + } + + args.tgt = tgt; +- ret = tgt->type->report_zones(tgt, &args, nr_zones); ++ ret = tgt->type->report_zones(tgt, &args, ++ nr_zones - args.zone_idx); + if (ret < 0) + goto out; + } while (args.zone_idx < nr_zones && diff --git a/queue-5.8/dm-ebs-fix-incorrect-checking-for-req_op_flush.patch b/queue-5.8/dm-ebs-fix-incorrect-checking-for-req_op_flush.patch new file mode 100644 index 00000000000..5cc94c23dd1 --- /dev/null +++ b/queue-5.8/dm-ebs-fix-incorrect-checking-for-req_op_flush.patch 
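Review bot: The corrected argument `nr_zones - args.zone_idx` is only free of underflow because the loop condition on the following line, `args.zone_idx < nr_zones`, bounds zone_idx before each re-entry, and the callback that advances zone_idx lives outside this hunk; a one-line comment at the call, `/* zone_idx < nr_zones is guaranteed by the loop condition below */`, would stop a later edit from re-introducing the over-read the commit fixes. The do/while body begins before the hunk and the out label is after it.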
@@ -0,0 +1,36 @@ +From 4cb6f22612511ff2aba4c33fb0f281cae7c23772 Mon Sep 17 00:00:00 2001 +From: John Dorminy +Date: Fri, 31 Jul 2020 18:46:45 -0400 +Subject: dm ebs: Fix incorrect checking for REQ_OP_FLUSH + +From: John Dorminy + +commit 4cb6f22612511ff2aba4c33fb0f281cae7c23772 upstream. + +REQ_OP_FLUSH was being treated as a flag, but the operation +part of bio->bi_opf must be treated as a whole. Change to +accessing the operation part via bio_op(bio) and checking +for equality. + +Signed-off-by: John Dorminy +Acked-by: Heinz Mauelshagen +Fixes: d3c7b35c20d60 ("dm: add emulated block size target") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-ebs-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -363,7 +363,7 @@ static int ebs_map(struct dm_target *ti, + bio_set_dev(bio, ec->dev->bdev); + bio->bi_iter.bi_sector = ec->start + dm_target_offset(ti, bio->bi_iter.bi_sector); + +- if (unlikely(bio->bi_opf & REQ_OP_FLUSH)) ++ if (unlikely(bio_op(bio) == REQ_OP_FLUSH)) + return DM_MAPIO_REMAPPED; + /* + * Only queue for bufio processing in case of partial or overlapping buffers diff --git a/queue-5.8/drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch b/queue-5.8/drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch new file mode 100644 index 00000000000..5bc450b7932 --- /dev/null +++ b/queue-5.8/drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch 
@@ -0,0 +1,52 @@ +From 3b2a999582c467d1883716b37ffcc00178a13713 Mon Sep 17 00:00:00 2001 +From: Liu Ying +Date: Thu, 9 Jul 2020 10:28:52 +0800 +Subject: drm/imx: imx-ldb: Disable both channels for split mode in enc->disable() + +From: Liu Ying + +commit 3b2a999582c467d1883716b37ffcc00178a13713 upstream. + +Both of the two LVDS channels should be disabled for split mode +in the encoder's ->disable() callback, because they are enabled +in the encoder's ->enable() callback. + +Fixes: 6556f7f82b9c ("drm: imx: Move imx-drm driver out of staging") +Cc: Philipp Zabel +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: NXP Linux Team +Cc: +Signed-off-by: Liu Ying +Signed-off-by: Philipp Zabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/imx/imx-ldb.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/imx/imx-ldb.c ++++ b/drivers/gpu/drm/imx/imx-ldb.c +@@ -304,18 +304,19 @@ static void imx_ldb_encoder_disable(stru + { + struct imx_ldb_channel *imx_ldb_ch = enc_to_imx_ldb_ch(encoder); + struct imx_ldb *ldb = imx_ldb_ch->ldb; ++ int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN; + int mux, ret; + + drm_panel_disable(imx_ldb_ch->panel); + +- if (imx_ldb_ch == &ldb->channel[0]) ++ if (imx_ldb_ch == &ldb->channel[0] || dual) + ldb->ldb_ctrl &= ~LDB_CH0_MODE_EN_MASK; +- else if (imx_ldb_ch == &ldb->channel[1]) ++ if (imx_ldb_ch == &ldb->channel[1] || dual) + ldb->ldb_ctrl &= ~LDB_CH1_MODE_EN_MASK; + + regmap_write(ldb->regmap, IOMUXC_GPR2, ldb->ldb_ctrl); + +- if (ldb->ldb_ctrl & LDB_SPLIT_MODE_EN) { ++ if (dual) { + clk_disable_unprepare(ldb->clk[0]); + clk_disable_unprepare(ldb->clk[1]); + } diff --git a/queue-5.8/drm-ingenic-fix-incorrect-assumption-about-plane-index.patch b/queue-5.8/drm-ingenic-fix-incorrect-assumption-about-plane-index.patch new file mode 100644 index 00000000000..0cb9cb3394a --- /dev/null +++ b/queue-5.8/drm-ingenic-fix-incorrect-assumption-about-plane-index.patch 
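Review bot: `int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN;` stores a masked register bit in an int that is only ever consumed as a truth value in the two `|| dual` conditions and the `if (dual)` below; `bool dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN;` says what the variable is for and avoids a reader treating it as a bit position. A short comment on the declaration, `/* split mode enables both channels, so both must be torn down here */`, would tie the three uses back to the reason in the commit message. imx_ldb_encoder_disable continues after the hunk.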
@@ -0,0 +1,37 @@ +From ca43f274e03f91c533643299ae4984965ce03205 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Thu, 16 Jul 2020 18:38:35 +0200 +Subject: drm/ingenic: Fix incorrect assumption about plane->index + +From: Paul Cercueil + +commit ca43f274e03f91c533643299ae4984965ce03205 upstream. + +plane->index is NOT the index of the color plane in a YUV frame. +Actually, a YUV frame is represented by a single drm_plane, even though +it contains three Y, U, V planes. + +v2-v3: No change + +Cc: stable@vger.kernel.org # v5.3 +Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs") +Signed-off-by: Paul Cercueil +Reviewed-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200716163846.174790-1-paul@crapouillou.net +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ingenic/ingenic-drm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ingenic/ingenic-drm.c ++++ b/drivers/gpu/drm/ingenic/ingenic-drm.c +@@ -386,7 +386,7 @@ static void ingenic_drm_plane_atomic_upd + addr = drm_fb_cma_get_gem_addr(state->fb, state, 0); + width = state->src_w >> 16; + height = state->src_h >> 16; +- cpp = state->fb->format->cpp[plane->index]; ++ cpp = state->fb->format->cpp[0]; + + priv->dma_hwdesc->addr = addr; + priv->dma_hwdesc->cmd = width * height * cpp / 4; diff --git a/queue-5.8/gfs2-fix-refcount-leak-in-gfs2_glock_poke.patch b/queue-5.8/gfs2-fix-refcount-leak-in-gfs2_glock_poke.patch new file mode 100644 index 00000000000..e775ab022d1 --- /dev/null +++ b/queue-5.8/gfs2-fix-refcount-leak-in-gfs2_glock_poke.patch 
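Review bot: `cpp = state->fb->format->cpp[0];` replaces an indexed lookup with a constant index and nothing at the site explains why, so the reasoning lives only in the commit message and the next reader may well "fix" it back to plane->index; a comment such as `/* plane->index is the DRM plane, not a color plane: the whole frame is one drm_plane, so cpp[0] is the value to use */` would keep the fix in place. ingenic_drm_plane_atomic_update begins before the hunk and continues after it.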
@@ -0,0 +1,36 @@ +From c07bfb4d8fa1ee11c6d18b093d0bb6c8832d3626 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 27 Jul 2020 19:18:57 +0200 +Subject: gfs2: Fix refcount leak in gfs2_glock_poke + +From: Andreas Gruenbacher + +commit c07bfb4d8fa1ee11c6d18b093d0bb6c8832d3626 upstream. + +In gfs2_glock_poke, make sure gfs2_holder_uninit is called on the local +glock holder. Without that, we're leaking a glock and a pid reference. + +Fixes: 9e8990dea926 ("gfs2: Smarter iopen glock waiting") +Cc: stable@vger.kernel.org # v5.8+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/glock.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -790,9 +790,11 @@ static void gfs2_glock_poke(struct gfs2_ + struct gfs2_holder gh; + int error; + +- error = gfs2_glock_nq_init(gl, LM_ST_SHARED, flags, &gh); ++ gfs2_holder_init(gl, LM_ST_SHARED, flags, &gh); ++ error = gfs2_glock_nq(&gh); + if (!error) + gfs2_glock_dq(&gh); ++ gfs2_holder_uninit(&gh); + } + + static bool gfs2_try_evict(struct gfs2_glock *gl) diff --git a/queue-5.8/gfs2-never-call-gfs2_block_zero_range-with-an-open-transaction.patch b/queue-5.8/gfs2-never-call-gfs2_block_zero_range-with-an-open-transaction.patch new file mode 100644 index 00000000000..e59e00eb22a --- /dev/null +++ b/queue-5.8/gfs2-never-call-gfs2_block_zero_range-with-an-open-transaction.patch 
@@ -0,0 +1,154 @@ +From 70499cdfeb3625c87eebe4f7a7ea06fa7447e5df Mon Sep 17 00:00:00 2001 +From: Bob Peterson +Date: Fri, 24 Jul 2020 12:06:31 -0500 +Subject: gfs2: Never call gfs2_block_zero_range with an open transaction + +From: Bob Peterson + +commit 70499cdfeb3625c87eebe4f7a7ea06fa7447e5df upstream. + +Before this patch, some functions started transactions then they called +gfs2_block_zero_range. However, gfs2_block_zero_range, like writes, can +start transactions, which results in a recursive transaction error. +For example: + +do_shrink + trunc_start + gfs2_trans_begin <------------------------------------------------ + gfs2_block_zero_range + iomap_zero_range(inode, from, length, NULL, &gfs2_iomap_ops); + iomap_apply ... iomap_zero_range_actor + iomap_begin + gfs2_iomap_begin + gfs2_iomap_begin_write + actor (iomap_zero_range_actor) + iomap_zero + iomap_write_begin + gfs2_iomap_page_prepare + gfs2_trans_begin <------------------------ + +This patch reorders the callers of gfs2_block_zero_range so that they +only start their transactions after the call. It also adds a BUG_ON to +ensure this doesn't happen again. + +Fixes: 2257e468a63b ("gfs2: implement gfs2_block_zero_range using iomap_zero_range") +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/bmap.c | 69 ++++++++++++++++++++++++++++++++------------------------- + 1 file changed, 39 insertions(+), 30 deletions(-) + +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1351,9 +1351,15 @@ int gfs2_extent_map(struct inode *inode, + return ret; + } + ++/* ++ * NOTE: Never call gfs2_block_zero_range with an open transaction because it ++ * uses iomap write to perform its actions, which begin their own transactions ++ * (iomap_begin, page_prepare, etc.) 
++ */ + static int gfs2_block_zero_range(struct inode *inode, loff_t from, + unsigned int length) + { ++ BUG_ON(current->journal_info); + return iomap_zero_range(inode, from, length, NULL, &gfs2_iomap_ops); + } + +@@ -1414,6 +1420,16 @@ static int trunc_start(struct inode *ino + u64 oldsize = inode->i_size; + int error; + ++ if (!gfs2_is_stuffed(ip)) { ++ unsigned int blocksize = i_blocksize(inode); ++ unsigned int offs = newsize & (blocksize - 1); ++ if (offs) { ++ error = gfs2_block_zero_range(inode, newsize, ++ blocksize - offs); ++ if (error) ++ return error; ++ } ++ } + if (journaled) + error = gfs2_trans_begin(sdp, RES_DINODE + RES_JDATA, GFS2_JTRUNC_REVOKES); + else +@@ -1427,19 +1443,10 @@ static int trunc_start(struct inode *ino + + gfs2_trans_add_meta(ip->i_gl, dibh); + +- if (gfs2_is_stuffed(ip)) { ++ if (gfs2_is_stuffed(ip)) + gfs2_buffer_clear_tail(dibh, sizeof(struct gfs2_dinode) + newsize); +- } else { +- unsigned int blocksize = i_blocksize(inode); +- unsigned int offs = newsize & (blocksize - 1); +- if (offs) { +- error = gfs2_block_zero_range(inode, newsize, +- blocksize - offs); +- if (error) +- goto out; +- } ++ else + ip->i_diskflags |= GFS2_DIF_TRUNC_IN_PROG; +- } + + i_size_write(inode, newsize); + ip->i_inode.i_mtime = ip->i_inode.i_ctime = current_time(&ip->i_inode); +@@ -2448,25 +2455,7 @@ int __gfs2_punch_hole(struct file *file, + loff_t start, end; + int error; + +- start = round_down(offset, blocksize); +- end = round_up(offset + length, blocksize) - 1; +- error = filemap_write_and_wait_range(inode->i_mapping, start, end); +- if (error) +- return error; +- +- if (gfs2_is_jdata(ip)) +- error = gfs2_trans_begin(sdp, RES_DINODE + 2 * RES_JDATA, +- GFS2_JTRUNC_REVOKES); +- else +- error = gfs2_trans_begin(sdp, RES_DINODE, 0); +- if (error) +- return error; +- +- if (gfs2_is_stuffed(ip)) { +- error = stuffed_zero_range(inode, offset, length); +- if (error) +- goto out; +- } else { ++ if (!gfs2_is_stuffed(ip)) { + unsigned int start_off, 
end_len; + + start_off = offset & (blocksize - 1); +@@ -2489,6 +2478,26 @@ int __gfs2_punch_hole(struct file *file, + } + } + ++ start = round_down(offset, blocksize); ++ end = round_up(offset + length, blocksize) - 1; ++ error = filemap_write_and_wait_range(inode->i_mapping, start, end); ++ if (error) ++ return error; ++ ++ if (gfs2_is_jdata(ip)) ++ error = gfs2_trans_begin(sdp, RES_DINODE + 2 * RES_JDATA, ++ GFS2_JTRUNC_REVOKES); ++ else ++ error = gfs2_trans_begin(sdp, RES_DINODE, 0); ++ if (error) ++ return error; ++ ++ if (gfs2_is_stuffed(ip)) { ++ error = stuffed_zero_range(inode, offset, length); ++ if (error) ++ goto out; ++ } ++ + if (gfs2_is_jdata(ip)) { + BUG_ON(!current->journal_info); + gfs2_journaled_truncate_range(inode, offset, length); diff --git a/queue-5.8/libnvdimm-validate-command-family-indices.patch b/queue-5.8/libnvdimm-validate-command-family-indices.patch new file mode 100644 index 00000000000..d46f6e32813 --- /dev/null +++ b/queue-5.8/libnvdimm-validate-command-family-indices.patch 
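Review bot: `BUG_ON(current->journal_info);` in gfs2_block_zero_range turns a recursive-transaction programming error into a whole-machine panic on a regular write path, where the rest of gfs2 tends to report through gfs2_assert_warn() or WARN_ON; if a recoverable failure is acceptable at this point, `if (WARN_ON_ONCE(current->journal_info)) return -EIO;` would surface the bug without taking the box down. The reordering in trunc_start also means the partial tail block is now zeroed before the transaction is opened, so a failure in the later gfs2_trans_begin() leaves a zeroed tail on disk with the old i_size; that looks harmless but deserves a comment at the new call, `/* zero the partial tail block before opening the transaction: gfs2_block_zero_range starts its own transactions */`. The same applies to the moved filemap/trans_begin sequence in __gfs2_punch_hole; both functions extend beyond the hunk.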
@@ -0,0 +1,152 @@ +From 92fe2aa859f52ce6aa595ca97fec110dc7100e63 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 20 Jul 2020 15:07:30 -0700 +Subject: libnvdimm: Validate command family indices + +From: Dan Williams + +commit 92fe2aa859f52ce6aa595ca97fec110dc7100e63 upstream. + +The ND_CMD_CALL format allows for a general passthrough of passlisted +commands targeting a given command set. However there is no validation +of the family index relative to what the bus supports. + +- Update the NFIT bus implementation (the only one that supports + ND_CMD_CALL passthrough) to also passlist the valid set of command + family indices. + +- Update the generic __nd_ioctl() path to validate that field on behalf + of all implementations. + +Fixes: 31eca76ba2fc ("nfit, libnvdimm: limited/whitelisted dimm command marshaling mechanism") +Cc: Vishal Verma +Cc: Dave Jiang +Cc: Ira Weiny +Cc: "Rafael J. Wysocki" +Cc: Len Brown +Cc: +Signed-off-by: Dan Williams +Signed-off-by: Vishal Verma +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/nfit/core.c | 11 +++++++++-- + drivers/acpi/nfit/nfit.h | 1 - + drivers/nvdimm/bus.c | 16 ++++++++++++++++ + include/linux/libnvdimm.h | 2 ++ + include/uapi/linux/ndctl.h | 4 ++++ + 5 files changed, 31 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -1823,6 +1823,7 @@ static void populate_shutdown_status(str + static int acpi_nfit_add_dimm(struct acpi_nfit_desc *acpi_desc, + struct nfit_mem *nfit_mem, u32 device_handle) + { ++ struct nvdimm_bus_descriptor *nd_desc = &acpi_desc->nd_desc; + struct acpi_device *adev, *adev_dimm; + struct device *dev = acpi_desc->dev; + unsigned long dsm_mask, label_mask; +@@ -1834,6 +1835,7 @@ static int acpi_nfit_add_dimm(struct acp + /* nfit test assumes 1:1 relationship between commands and dsms */ + nfit_mem->dsm_mask = acpi_desc->dimm_cmd_force_en; + nfit_mem->family = NVDIMM_FAMILY_INTEL; ++ set_bit(NVDIMM_FAMILY_INTEL, &nd_desc->dimm_family_mask); 
+ + if (dcr->valid_fields & ACPI_NFIT_CONTROL_MFG_INFO_VALID) + sprintf(nfit_mem->id, "%04x-%02x-%04x-%08x", +@@ -1886,10 +1888,13 @@ static int acpi_nfit_add_dimm(struct acp + * Note, that checking for function0 (bit0) tells us if any commands + * are reachable through this GUID. + */ ++ clear_bit(NVDIMM_FAMILY_INTEL, &nd_desc->dimm_family_mask); + for (i = 0; i <= NVDIMM_FAMILY_MAX; i++) +- if (acpi_check_dsm(adev_dimm->handle, to_nfit_uuid(i), 1, 1)) ++ if (acpi_check_dsm(adev_dimm->handle, to_nfit_uuid(i), 1, 1)) { ++ set_bit(i, &nd_desc->dimm_family_mask); + if (family < 0 || i == default_dsm_family) + family = i; ++ } + + /* limit the supported commands to those that are publicly documented */ + nfit_mem->family = family; +@@ -2153,6 +2158,9 @@ static void acpi_nfit_init_dsms(struct a + + nd_desc->cmd_mask = acpi_desc->bus_cmd_force_en; + nd_desc->bus_dsm_mask = acpi_desc->bus_nfit_cmd_force_en; ++ set_bit(ND_CMD_CALL, &nd_desc->cmd_mask); ++ set_bit(NVDIMM_BUS_FAMILY_NFIT, &nd_desc->bus_family_mask); ++ + adev = to_acpi_dev(acpi_desc); + if (!adev) + return; +@@ -2160,7 +2168,6 @@ static void acpi_nfit_init_dsms(struct a + for (i = ND_CMD_ARS_CAP; i <= ND_CMD_CLEAR_ERROR; i++) + if (acpi_check_dsm(adev->handle, guid, 1, 1ULL << i)) + set_bit(i, &nd_desc->cmd_mask); +- set_bit(ND_CMD_CALL, &nd_desc->cmd_mask); + + dsm_mask = + (1 << ND_CMD_ARS_CAP) | +--- a/drivers/acpi/nfit/nfit.h ++++ b/drivers/acpi/nfit/nfit.h +@@ -33,7 +33,6 @@ + | ACPI_NFIT_MEM_RESTORE_FAILED | ACPI_NFIT_MEM_FLUSH_FAILED \ + | ACPI_NFIT_MEM_NOT_ARMED | ACPI_NFIT_MEM_MAP_FAILED) + +-#define NVDIMM_FAMILY_MAX NVDIMM_FAMILY_HYPERV + #define NVDIMM_CMD_MAX 31 + + #define NVDIMM_STANDARD_CMDMASK \ +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -1037,9 +1037,25 @@ static int __nd_ioctl(struct nvdimm_bus + dimm_name = "bus"; + } + ++ /* Validate command family support against bus declared support */ + if (cmd == ND_CMD_CALL) { ++ unsigned long *mask; ++ + if (copy_from_user(&pkg, 
p, sizeof(pkg))) + return -EFAULT; ++ ++ if (nvdimm) { ++ if (pkg.nd_family > NVDIMM_FAMILY_MAX) ++ return -EINVAL; ++ mask = &nd_desc->dimm_family_mask; ++ } else { ++ if (pkg.nd_family > NVDIMM_BUS_FAMILY_MAX) ++ return -EINVAL; ++ mask = &nd_desc->bus_family_mask; ++ } ++ ++ if (!test_bit(pkg.nd_family, mask)) ++ return -EINVAL; + } + + if (!desc || +--- a/include/linux/libnvdimm.h ++++ b/include/linux/libnvdimm.h +@@ -78,6 +78,8 @@ struct nvdimm_bus_descriptor { + const struct attribute_group **attr_groups; + unsigned long bus_dsm_mask; + unsigned long cmd_mask; ++ unsigned long dimm_family_mask; ++ unsigned long bus_family_mask; + struct module *module; + char *provider_name; + struct device_node *of_node; +--- a/include/uapi/linux/ndctl.h ++++ b/include/uapi/linux/ndctl.h +@@ -245,6 +245,10 @@ struct nd_cmd_pkg { + #define NVDIMM_FAMILY_MSFT 3 + #define NVDIMM_FAMILY_HYPERV 4 + #define NVDIMM_FAMILY_PAPR 5 ++#define NVDIMM_FAMILY_MAX NVDIMM_FAMILY_PAPR ++ ++#define NVDIMM_BUS_FAMILY_NFIT 0 ++#define NVDIMM_BUS_FAMILY_MAX NVDIMM_BUS_FAMILY_NFIT + + #define ND_IOCTL_CALL _IOWR(ND_IOCTL, ND_CMD_CALL,\ + struct nd_cmd_pkg) diff --git a/queue-5.8/module-correctly-truncate-sysfs-sections-output.patch b/queue-5.8/module-correctly-truncate-sysfs-sections-output.patch new file mode 100644 index 00000000000..56332ce030a --- /dev/null +++ b/queue-5.8/module-correctly-truncate-sysfs-sections-output.patch 
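Review bot: In acpi_nfit_init_dsms, `set_bit(ND_CMD_CALL, &nd_desc->cmd_mask);` moves above the `if (!adev) return;` early exit, so ND_CMD_CALL is now advertised on a bus even when no ACPI device is found, whereas before it was only set after the DSM probe loop; if that widening is intended because the ioctl path now validates nd_family against the family masks, a comment next to it, `/* ND_CMD_CALL is gated by the family masks in __nd_ioctl, not by DSM probing */`, would record that. The two new descriptor fields in libnvdimm.h also land without documentation; `/* passlist of NVDIMM_FAMILY_* / NVDIMM_BUS_FAMILY_* indices accepted by ND_CMD_CALL */` above them would say how __nd_ioctl consumes them. The new checks in __nd_ioctl correctly bound the user-supplied nd_family against NVDIMM_FAMILY_MAX / NVDIMM_BUS_FAMILY_MAX before it is used as a bit index in test_bit, which closes the out-of-range lookup the commit describes.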
@@ -0,0 +1,77 @@ +From 11990a5bd7e558e9203c1070fc52fb6f0488e75b Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 6 Aug 2020 14:15:23 -0700 +Subject: module: Correctly truncate sysfs sections output + +From: Kees Cook + +commit 11990a5bd7e558e9203c1070fc52fb6f0488e75b upstream. + +The only-root-readable /sys/module/$module/sections/$section files +did not truncate their output to the available buffer size. While most +paths into the kernfs read handlers end up using PAGE_SIZE buffers, +it's possible to get there through other paths (e.g. splice, sendfile). +Actually limit the output to the "count" passed into the read function, +and report it back correctly. *sigh* + +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/20200805002015.GE23458@shao2-debian +Fixes: ed66f991bb19 ("module: Refactor section attr into bin attribute") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Acked-by: Jessica Yu +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/module.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -1520,18 +1520,34 @@ struct module_sect_attrs { + struct module_sect_attr attrs[]; + }; + ++#define MODULE_SECT_READ_SIZE (3 /* "0x", "\n" */ + (BITS_PER_LONG / 4)) + static ssize_t module_sect_read(struct file *file, struct kobject *kobj, + struct bin_attribute *battr, + char *buf, loff_t pos, size_t count) + { + struct module_sect_attr *sattr = + container_of(battr, struct module_sect_attr, battr); ++ char bounce[MODULE_SECT_READ_SIZE + 1]; ++ size_t wrote; + + if (pos != 0) + return -EINVAL; + +- return sprintf(buf, "0x%px\n", +- kallsyms_show_value(file->f_cred) ? 
(void *)sattr->address : NULL); ++ /* ++ * Since we're a binary read handler, we must account for the ++ * trailing NUL byte that sprintf will write: if "buf" is ++ * too small to hold the NUL, or the NUL is exactly the last ++ * byte, the read will look like it got truncated by one byte. ++ * Since there is no way to ask sprintf nicely to not write ++ * the NUL, we have to use a bounce buffer. ++ */ ++ wrote = scnprintf(bounce, sizeof(bounce), "0x%px\n", ++ kallsyms_show_value(file->f_cred) ++ ? (void *)sattr->address : NULL); ++ count = min(count, wrote); ++ memcpy(buf, bounce, count); ++ ++ return count; + } + + static void free_sect_attrs(struct module_sect_attrs *sect_attrs) +@@ -1580,7 +1596,7 @@ static void add_sect_attrs(struct module + goto out; + sect_attrs->nsections++; + sattr->battr.read = module_sect_read; +- sattr->battr.size = 3 /* "0x", "\n" */ + (BITS_PER_LONG / 4); ++ sattr->battr.size = MODULE_SECT_READ_SIZE; + sattr->battr.attr.mode = 0400; + *(gattr++) = &(sattr++)->battr; + } diff --git a/queue-5.8/perf-intel-pt-fix-duplicate-branch-after-cbr.patch b/queue-5.8/perf-intel-pt-fix-duplicate-branch-after-cbr.patch new file mode 100644 index 00000000000..53c8b97ba33 --- /dev/null +++ b/queue-5.8/perf-intel-pt-fix-duplicate-branch-after-cbr.patch 
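Review bot: With the output now truncated to `count`, a caller whose buffer is smaller than `wrote` receives a partial line and can never fetch the rest, because the earlier `if (pos != 0) return -EINVAL;` rejects the follow-up read at the new offset; if partial reads are meant to work for this bin attribute, the handler should honour pos instead of rejecting it. The sketch below keeps the bounce buffer and the NUL reasoning in the comment, bounds pos against what was formatted, and copies from `bounce + pos`. module_sect_read's signature is inside the hunk; the surrounding struct definitions are not.

```c
static ssize_t module_sect_read(struct file *file, struct kobject *kobj,
				struct bin_attribute *battr,
				char *buf, loff_t pos, size_t count)
{
	struct module_sect_attr *sattr =
		container_of(battr, struct module_sect_attr, battr);
	char bounce[MODULE_SECT_READ_SIZE + 1];
	size_t wrote;

	if (pos < 0)
		return -EINVAL;

	/* … unchanged: bounce-buffer comment and scnprintf() into bounce … */

	if ((size_t)pos >= wrote)
		return 0;
	count = min(count, wrote - (size_t)pos);
	memcpy(buf, bounce + pos, count);

	return count;
}
```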
@@ -0,0 +1,77 @@ +From a58a057ce65b52125dd355b7d8b0d540ea267a5f Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Fri, 10 Jul 2020 18:10:54 +0300 +Subject: perf intel-pt: Fix duplicate branch after CBR + +From: Adrian Hunter + +commit a58a057ce65b52125dd355b7d8b0d540ea267a5f upstream. + +CBR events can result in a duplicate branch event, because the state +type defaults to a branch. Fix by clearing the state type. + +Example: trace 'sleep' and hope for a frequency change + + Before: + + $ perf record -e intel_pt//u sleep 0.1 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.034 MB perf.data ] + $ perf script --itrace=bpe > before.txt + + After: + + $ perf script --itrace=bpe > after.txt + $ diff -u before.txt after.txt +# --- before.txt 2020-07-07 14:42:18.191508098 +0300 +# +++ after.txt 2020-07-07 14:42:36.587891753 +0300 + 
@@ -29673,7 +29673,6 @@ + sleep 93431 [007] 15411.619905: 1 branches:u: 0 [unknown] ([unknown]) => 7f0818abb2e0 clock_nanosleep@@GLIBC_2.17+0x0 (/usr/lib/x86_64-linux-gnu/libc-2.31.so) + sleep 93431 [007] 15411.619905: 1 branches:u: 7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so) => 0 [unknown] ([unknown]) + sleep 93431 [007] 15411.720069: cbr: cbr: 15 freq: 1507 MHz ( 56%) 7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so) + - sleep 93431 [007] 15411.720069: 1 branches:u: 7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so) => 0 [unknown] ([unknown]) + sleep 93431 [007] 15411.720076: 1 branches:u: 0 [unknown] ([unknown]) => 7f0818abb30e clock_nanosleep@@GLIBC_2.17+0x2e (/usr/lib/x86_64-linux-gnu/libc-2.31.so) + sleep 93431 [007] 15411.720077: 1 branches:u: 7f0818abb323 clock_nanosleep@@GLIBC_2.17+0x43 (/usr/lib/x86_64-linux-gnu/libc-2.31.so) => 7f0818ac0eb7 __nanosleep+0x17 (/usr/lib/x86_64-linux-gnu/libc-2.31.so) + sleep 93431 [007] 15411.720077: 1 branches:u: 7f0818ac0ebf __nanosleep+0x1f (/usr/lib/x86_64-linux-gnu/libc-2.31.so) => 55cb7e4c2827 rpl_nanosleep+0x97 (/usr/bin/sleep) + +Fixes: 91de8684f1cff ("perf intel-pt: Cater for CBR change in PSB+") +Fixes: abe5a1d3e4bee ("perf intel-pt: Decoder to output CBR changes immediately") +Signed-off-by: Adrian Hunter +Reviewed-by: Andi Kleen +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: stable@vger.kernel.org +Link: http://lore.kernel.org/lkml/20200710151104.15137-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -1977,8 +1977,10 @@ next: + * possibility of another CBR change that gets caught up + * in the 
PSB+. + */ +- if (decoder->cbr != decoder->cbr_seen) ++ if (decoder->cbr != decoder->cbr_seen) { ++ decoder->state.type = 0; + return 0; ++ } + break; + + case INTEL_PT_PIP: +@@ -2019,8 +2021,10 @@ next: + + case INTEL_PT_CBR: + intel_pt_calc_cbr(decoder); +- if (decoder->cbr != decoder->cbr_seen) ++ if (decoder->cbr != decoder->cbr_seen) { ++ decoder->state.type = 0; + return 0; ++ } + break; + + case INTEL_PT_MODE_EXEC: diff --git a/queue-5.8/perf-intel-pt-fix-fup-packet-state.patch b/queue-5.8/perf-intel-pt-fix-fup-packet-state.patch new file mode 100644 index 00000000000..7c8011187c2 --- /dev/null +++ b/queue-5.8/perf-intel-pt-fix-fup-packet-state.patch 
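Review bot: `decoder->state.type = 0;` is added in two case arms without saying why a zero type is the right thing to hand back, and the commit message is the only place that explains that the state type defaults to a branch; a comment on the first occurrence, `/* CBR is reported by itself; clear the default branch type so no duplicate branch event is emitted */`, with the second arm referring to it, would make the intent local. The enclosing switch and the `next:` label are outside the hunk.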
@@ -0,0 +1,76 @@ +From 401136bb084fd021acd9f8c51b52fe0a25e326b2 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Fri, 10 Jul 2020 18:10:53 +0300 +Subject: perf intel-pt: Fix FUP packet state + +From: Adrian Hunter + +commit 401136bb084fd021acd9f8c51b52fe0a25e326b2 upstream. + +While walking code towards a FUP ip, the packet state is +INTEL_PT_STATE_FUP or INTEL_PT_STATE_FUP_NO_TIP. That was mishandled +resulting in the state becoming INTEL_PT_STATE_IN_SYNC prematurely. The +result was an occasional lost EXSTOP event. + +Signed-off-by: Adrian Hunter +Reviewed-by: Andi Kleen +Cc: Jiri Olsa +Cc: stable@vger.kernel.org +Link: http://lore.kernel.org/lkml/20200710151104.15137-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 21 ++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -1164,6 +1164,7 @@ static int intel_pt_walk_fup(struct inte + return 0; + if (err == -EAGAIN || + intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) { ++ decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; + if (intel_pt_fup_event(decoder)) + return 0; + return -EAGAIN; +@@ -1942,17 +1943,13 @@ next: + } + if (decoder->set_fup_mwait) + no_tip = true; ++ if (no_tip) ++ decoder->pkt_state = INTEL_PT_STATE_FUP_NO_TIP; ++ else ++ decoder->pkt_state = INTEL_PT_STATE_FUP; + err = intel_pt_walk_fup(decoder); +- if (err != -EAGAIN) { +- if (err) +- return err; +- if (no_tip) +- decoder->pkt_state = +- INTEL_PT_STATE_FUP_NO_TIP; +- else +- decoder->pkt_state = INTEL_PT_STATE_FUP; +- return 0; +- } ++ if (err != -EAGAIN) ++ return err; + if (no_tip) { + no_tip = false; + break; +@@ -2599,15 +2596,11 @@ const struct intel_pt_state *intel_pt_de + err = intel_pt_walk_tip(decoder); + break; + case INTEL_PT_STATE_FUP: +- decoder->pkt_state = 
INTEL_PT_STATE_IN_SYNC; + err = intel_pt_walk_fup(decoder); + if (err == -EAGAIN) + err = intel_pt_walk_fup_tip(decoder); +- else if (!err) +- decoder->pkt_state = INTEL_PT_STATE_FUP; + break; + case INTEL_PT_STATE_FUP_NO_TIP: +- decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; + err = intel_pt_walk_fup(decoder); + if (err == -EAGAIN) + err = intel_pt_walk_trace(decoder); diff --git a/queue-5.8/perf-probe-fix-memory-leakage-when-the-probe-point-is-not-found.patch b/queue-5.8/perf-probe-fix-memory-leakage-when-the-probe-point-is-not-found.patch new file mode 100644 index 00000000000..33aa2843c35 --- /dev/null +++ b/queue-5.8/perf-probe-fix-memory-leakage-when-the-probe-point-is-not-found.patch 
@@ -0,0 +1,48 @@
+From 12d572e785b15bc764e956caaa8a4c846fd15694 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Fri, 10 Jul 2020 22:11:23 +0900
+Subject: perf probe: Fix memory leakage when the probe point is not found
+
+From: Masami Hiramatsu
+
+commit 12d572e785b15bc764e956caaa8a4c846fd15694 upstream.
+
+Fix the memory leakage in debuginfo__find_trace_events() when the probe
+point is not found in the debuginfo. If there is no probe point found in
+the debuginfo, debuginfo__find_probes() will NOT return -ENOENT, but 0.
+
+Thus the caller of debuginfo__find_probes() must check the tf.ntevs and
+release the allocated memory for the array of struct probe_trace_event.
+
+The current code releases the memory only if the debuginfo__find_probes()
+hits an error but not checks tf.ntevs. In the result, the memory allocated
+on *tevs are not released if tf.ntevs == 0.
+
+This fixes the memory leakage by checking tf.ntevs == 0 in addition to
+ret < 0.
+
+Fixes: ff741783506c ("perf probe: Introduce debuginfo to encapsulate dwarf information")
+Signed-off-by: Masami Hiramatsu
+Reviewed-by: Srikar Dronamraju
+Cc: Andi Kleen
+Cc: Oleg Nesterov
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/159438668346.62703.10887420400718492503.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1467,7 +1467,7 @@ int debuginfo__find_trace_events(struct
+ if (ret >= 0 && tf.pf.skip_empty_arg)
+ ret = fill_empty_trace_arg(pev, tf.tevs, tf.ntevs);
+
+- if (ret < 0) {
++ if (ret < 0 || tf.ntevs == 0) {
+ for (i = 0; i < tf.ntevs; i++)
+ clear_probe_trace_event(&tf.tevs[i]);
+ zfree(tevs);
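Review bot: The new condition `ret < 0 || tf.ntevs == 0` merges an error path with an empty-result path, and what the function returns on the empty path is outside the hunk; if it is still `ret` (0), callers get success with `*tevs` already freed to NULL and must check the event count themselves. A comment on the changed line would keep the next reader from "simplifying" it back, e.g. `/* debuginfo__find_probes() returns 0 with ntevs == 0 when nothing matches: free the empty array too */`. debuginfo__find_trace_events starts before the hunk and its return statement lies after it.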
diff --git a/queue-5.8/perf-probe-fix-wrong-variable-warning-when-the-probe-point-is-not-found.patch b/queue-5.8/perf-probe-fix-wrong-variable-warning-when-the-probe-point-is-not-found.patch new file mode 100644 index 00000000000..a07c4f56a99 --- /dev/null +++ b/queue-5.8/perf-probe-fix-wrong-variable-warning-when-the-probe-point-is-not-found.patch 
@@ -0,0 +1,69 @@ +From 11fd3eb874e73ee8069bcfd54e3c16fa7ce56fe6 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Fri, 10 Jul 2020 22:11:13 +0900 +Subject: perf probe: Fix wrong variable warning when the probe point is not found + +From: Masami Hiramatsu + +commit 11fd3eb874e73ee8069bcfd54e3c16fa7ce56fe6 upstream. + +Fix a wrong "variable not found" warning when the probe point is not +found in the debuginfo. + +Since the debuginfo__find_probes() can return 0 even if it does not find +given probe point in the debuginfo, fill_empty_trace_arg() can be called +with tf.ntevs == 0 and it can emit a wrong warning. To fix this, reject +ntevs == 0 in fill_empty_trace_arg(). + +E.g. without this patch; + + # perf probe -x /lib64/libc-2.30.so -a "memcpy arg1=%di" + Failed to find the location of the '%di' variable at this address. + Perhaps it has been optimized out. + Use -V with the --range option to show '%di' location range. + Added new events: + probe_libc:memcpy (on memcpy in /usr/lib64/libc-2.30.so with arg1=%di) + probe_libc:memcpy (on memcpy in /usr/lib64/libc-2.30.so with arg1=%di) + + You can now use it in all perf tools, such as: + + perf record -e probe_libc:memcpy -aR sleep 1 + +With this; + + # perf probe -x /lib64/libc-2.30.so -a "memcpy arg1=%di" + Added new events: + probe_libc:memcpy (on memcpy in /usr/lib64/libc-2.30.so with arg1=%di) + probe_libc:memcpy (on memcpy in /usr/lib64/libc-2.30.so with arg1=%di) + + You can now use it in all perf tools, such as: + + perf record -e probe_libc:memcpy -aR sleep 1 + +Fixes: cb4027308570 ("perf probe: Trace a magic number if variable is not found") +Reported-by: Andi Kleen +Signed-off-by: Masami Hiramatsu +Reviewed-by: Srikar Dronamraju +Tested-by: Andi Kleen +Cc: Oleg Nesterov +Cc: stable@vger.kernel.org +Link: http://lore.kernel.org/lkml/159438667364.62703.2200642186798763202.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/probe-finder.c | 3 
+++ + 1 file changed, 3 insertions(+) + +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -1408,6 +1408,9 @@ static int fill_empty_trace_arg(struct p + char *type; + int i, j, ret; + ++ if (!ntevs) ++ return -ENOENT; ++ + for (i = 0; i < pev->nargs; i++) { + type = NULL; + for (j = 0; j < ntevs; j++) { diff --git a/queue-5.8/remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch b/queue-5.8/remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch new file mode 100644 index 00000000000..00476c8c9be --- /dev/null +++ b/queue-5.8/remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch 
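Review bot: The early `return -ENOENT` on `!ntevs` carries no comment explaining why an empty event list is reported as an error rather than treated as a no-op, and the only visible caller (the `ret = fill_empty_trace_arg(pev, tf.tevs, tf.ntevs);` line in the companion perf-probe leak patch) turns that into an `ret < 0` cleanup. Suggest `/* No trace event matched the probe point: nothing to fill, and a "variable not found" warning would be misleading */` above the check. The guard sits after the declarations, so `type`, `i`, `j` and `ret` are declared but unused on that path, which is harmless. fill_empty_trace_arg starts before the hunk and continues after it.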
@@ -0,0 +1,44 @@
+From 5b7be880074c73540948f8fc597e0407b98fabfa Mon Sep 17 00:00:00 2001
+From: Sibi Sankar
+Date: Tue, 2 Jun 2020 22:02:56 +0530
+Subject: remoteproc: qcom: q6v5: Update running state before requesting stop
+
+From: Sibi Sankar
+
+commit 5b7be880074c73540948f8fc597e0407b98fabfa upstream.
+
+Sometimes the stop triggers a watchdog rather than a stop-ack. Update
+the running state to false on requesting stop to skip the watchdog
+instead.
+
+Error Logs:
+$ echo stop > /sys/class/remoteproc/remoteproc0/state
+ipa 1e40000.ipa: received modem stopping event
+remoteproc-modem: watchdog received: sys_m_smsm_mpss.c:291:APPS force stop
+qcom-q6v5-mss 4080000.remoteproc-modem: port failed halt
+ipa 1e40000.ipa: received modem offline event
+remoteproc0: stopped remote processor 4080000.remoteproc-modem
+
+Reviewed-by: Evan Green
+Fixes: 3b415c8fb263 ("remoteproc: q6v5: Extract common resource handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar
+Link: https://lore.kernel.org/r/20200602163257.26978-1-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/remoteproc/qcom_q6v5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5.c
++++ b/drivers/remoteproc/qcom_q6v5.c
+@@ -153,6 +153,8 @@ int qcom_q6v5_request_stop(struct qcom_q
+ {
+ int ret;
+
++ q6v5->running = false;
++
+ qcom_smem_state_update_bits(q6v5->state,
+ BIT(q6v5->stop_bit), BIT(q6v5->stop_bit));
+
diff --git a/queue-5.8/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch b/queue-5.8/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
new file mode 100644
index 00000000000..1bb64f8bed1
--- /dev/null
+++ b/queue-5.8/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
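Review bot: `q6v5->running = false;` is a plain store with no visible synchronization against the reader; the commit message says the watchdog path consults this flag, and that presumably runs in interrupt context, possibly on another CPU, so a reviewer will want the ordering intent stated. Suggest `/* Clear before requesting stop so a watchdog raised by the stop itself is skipped */` above the assignment. qcom_q6v5_request_stop continues past the hunk, so whether `running` is restored when the stop-ack wait fails is not visible here and is worth confirming.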
@@ -0,0 +1,60 @@
+From e013f455d95add874f310dc47c608e8c70692ae5 Mon Sep 17 00:00:00 2001
+From: Sibi Sankar
+Date: Thu, 23 Jul 2020 01:40:45 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
+
+From: Sibi Sankar
+
+commit e013f455d95add874f310dc47c608e8c70692ae5 upstream.
+
+The following mem abort is observed when the mba firmware size exceeds
+the allocated mba region. MBA firmware size is restricted to a maximum
+size of 1M and remaining memory region is used by modem debug policy
+firmware when available. Hence verify whether the MBA firmware size lies
+within the allocated memory region and is not greater than 1M before
+loading.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+ __memcpy+0x110/0x180
+ rproc_start+0x40/0x218
+ rproc_boot+0x5b4/0x608
+ state_store+0x54/0xf8
+ dev_attr_store+0x44/0x60
+ sysfs_kf_write+0x58/0x80
+ kernfs_fop_write+0x140/0x230
+ vfs_write+0xc4/0x208
+ ksys_write+0x74/0xf8
+ __arm64_sys_write+0x24/0x30
+...
+
+Reviewed-by: Bjorn Andersson
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar
+Link: https://lore.kernel.org/r/20200722201047.12975-2-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/remoteproc/qcom_q6v5_mss.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5_mss.c
++++ b/drivers/remoteproc/qcom_q6v5_mss.c
+@@ -407,6 +407,12 @@ static int q6v5_load(struct rproc *rproc
+ {
+ struct q6v5 *qproc = rproc->priv;
+
++ /* MBA is restricted to a maximum size of 1M */
++ if (fw->size > qproc->mba_size || fw->size > SZ_1M) {
++ dev_err(qproc->dev, "MBA firmware load failed\n");
++ return -EINVAL;
++ }
++
+ memcpy(qproc->mba_region, fw->data, fw->size);
+
+ return 0;
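Review bot: The rejection message `"MBA firmware load failed\n"` omits the one fact needed to diagnose it, the offending size, so a bad image and a bad DT reservation look identical in the log. Suggest `dev_err(qproc->dev, "MBA firmware too large (%zu bytes)\n", fw->size);` — `struct firmware::size` is a `size_t`, so `%zu` is the matching specifier. The bound check is correctly placed before the memcpy and the comment already explains the 1M constant, so nothing else is needed in q6v5_load; its closing brace lies after the hunk.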
diff --git a/queue-5.8/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch b/queue-5.8/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch new file mode 100644 index 00000000000..2e9d9c6846a --- /dev/null +++ b/queue-5.8/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch 
@@ -0,0 +1,61 @@
+From 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 Mon Sep 17 00:00:00 2001
+From: Sibi Sankar
+Date: Thu, 23 Jul 2020 01:40:46 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load
+
+From: Sibi Sankar
+
+commit 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 upstream.
+
+The following mem abort is observed when one of the modem blob firmware
+size exceeds the allocated mpss region. Fix this by restricting the copy
+size to segment size using request_firmware_into_buf before load.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+ __memcpy+0x110/0x180
+ rproc_start+0xd0/0x190
+ rproc_boot+0x404/0x550
+ state_store+0x54/0xf8
+ dev_attr_store+0x44/0x60
+ sysfs_kf_write+0x58/0x80
+ kernfs_fop_write+0x140/0x230
+ vfs_write+0xc4/0x208
+ ksys_write+0x74/0xf8
+...
+
+Reviewed-by: Bjorn Andersson
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar
+Link: https://lore.kernel.org/r/20200722201047.12975-3-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/remoteproc/qcom_q6v5_mss.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/remoteproc/qcom_q6v5_mss.c
++++ b/drivers/remoteproc/qcom_q6v5_mss.c
+@@ -1144,15 +1144,14 @@ static int q6v5_mpss_load(struct q6v5 *q
+ } else if (phdr->p_filesz) {
+ /* Replace "xxx.xxx" with "xxx.bxx" */
+ sprintf(fw_name + fw_name_len - 3, "b%02d", i);
+- ret = request_firmware(&seg_fw, fw_name, qproc->dev);
++ ret = request_firmware_into_buf(&seg_fw, fw_name, qproc->dev,
++ ptr, phdr->p_filesz);
+ if (ret) {
+ dev_err(qproc->dev, "failed to load %s\n", fw_name);
+ iounmap(ptr);
+ goto release_firmware;
+ }
+
+- memcpy(ptr, seg_fw->data, seg_fw->size);
+-
+ release_firmware(seg_fw);
+ }
+
diff --git a/queue-5.8/series b/queue-5.8/series
index 25ff3449fdc..1b03564febb 100644
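Review bot: request_firmware_into_buf bounds the read to `phdr->p_filesz`, but as far as the hunk shows a blob shorter than p_filesz is still accepted silently, leaving the tail of the segment with whatever the region held before; the old memcpy had the same gap, and now that the size is enforced in one direction the other is cheap to add. Suggest, after the `if (ret)` block, `if (seg_fw->size != phdr->p_filesz)` taking the same iounmap/release/goto cleanup with a dev_err naming fw_name and both sizes — whether the modem tolerates short blobs is for the driver authors to confirm, so a dev_warn may be the right level. On the oversized case the failure now surfaces from inside request_firmware_into_buf, so the existing `"failed to load %s\n"` message covers it but no longer says why. q6v5_mpss_load starts before and ends after the hunk.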
--- a/queue-5.8/series
+++ b/queue-5.8/series
@@ -96,3 +96,19 @@ watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch
 ceph-set-sec_context-xattr-on-symlink-creation.patch
 ceph-handle-zero-length-feature-mask-in-session-messages.patch
 pseries-fix-64-bit-logical-memory-block-panic.patch
+dm-ebs-fix-incorrect-checking-for-req_op_flush.patch
+dm-don-t-call-report-zones-for-more-than-the-user-requested.patch
+module-correctly-truncate-sysfs-sections-output.patch
+bootconfig-fix-to-find-the-initargs-correctly.patch
+perf-probe-fix-wrong-variable-warning-when-the-probe-point-is-not-found.patch
+perf-probe-fix-memory-leakage-when-the-probe-point-is-not-found.patch
+perf-intel-pt-fix-fup-packet-state.patch
+perf-intel-pt-fix-duplicate-branch-after-cbr.patch
+gfs2-fix-refcount-leak-in-gfs2_glock_poke.patch
+gfs2-never-call-gfs2_block_zero_range-with-an-open-transaction.patch
+remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch
+remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
+remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch
+libnvdimm-validate-command-family-indices.patch
+drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch
+drm-ingenic-fix-incorrect-assumption-about-plane-index.patch