From: Greg Kroah-Hartman
Date: Sun, 31 Jan 2021 14:46:28 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.255~53
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ed085f3d2e5178489484690b1bcd37e1b20d16b;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
arm-dts-imx6qdl-gw52xx-fix-duplicate-regulator-naming.patch
media-rc-ensure-that-uevent-can-be-read-directly-after-rc-device-register.patch
net-usb-qmi_wwan-added-support-for-thales-cinterion-plsx3-modem-family.patch
pm-hibernate-flush-swap-writer-after-marking.patch
s390-vfio-ap-clean-up-vfio_ap-resources-when-kvm-pointer-invalidated.patch
s390-vfio-ap-no-need-to-disable-irq-after-queue-reset.patch
wext-fix-null-ptr-dereference-with-cfg80211-s-lack-of-commit.patch
---
diff --git a/queue-5.4/arm-dts-imx6qdl-gw52xx-fix-duplicate-regulator-naming.patch b/queue-5.4/arm-dts-imx6qdl-gw52xx-fix-duplicate-regulator-naming.patch
new file mode 100644
index 00000000000..7cf5826bac8
--- /dev/null
+++ b/queue-5.4/arm-dts-imx6qdl-gw52xx-fix-duplicate-regulator-naming.patch
@@ -0,0 +1,38 @@
+From 5a22747b76ca2384057d8e783265404439d31d7f Mon Sep 17 00:00:00 2001
+From: Koen Vandeputte
+Date: Thu, 7 Jan 2021 10:19:06 +0100
+Subject: ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming
+
+From: Koen Vandeputte
+
+commit 5a22747b76ca2384057d8e783265404439d31d7f upstream.
+
+2 regulator descriptions carry identical naming.
+
+This leads to following boot warning:
+[ 0.173138] debugfs: Directory 'vdd1p8' with parent 'regulator' already present!
+
+Fix this by renaming the one used for audio.
+
+Fixes: 5051bff33102 ("ARM: dts: imx: ventana: add LTC3676 PMIC support")
+Signed-off-by: Tim Harvey
+Signed-off-by: Koen Vandeputte
+Cc: stable@vger.kernel.org # v4.11
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/imx6qdl-gw52xx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6qdl-gw52xx.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-gw52xx.dtsi
+@@ -273,7 +273,7 @@
+
+ /* VDD_AUD_1P8: Audio codec */
+ reg_aud_1p8v: ldo3 {
+- regulator-name = "vdd1p8";
++ regulator-name = "vdd1p8a";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+ regulator-boot-on;
diff --git a/queue-5.4/media-rc-ensure-that-uevent-can-be-read-directly-after-rc-device-register.patch b/queue-5.4/media-rc-ensure-that-uevent-can-be-read-directly-after-rc-device-register.patch
new file mode 100644
index 00000000000..53452d89e9f
--- /dev/null
+++ b/queue-5.4/media-rc-ensure-that-uevent-can-be-read-directly-after-rc-device-register.patch
@@ -0,0 +1,44 @@
+From 896111dc4bcf887b835b3ef54f48b450d4692a1d Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Sun, 20 Dec 2020 13:29:54 +0100
+Subject: media: rc: ensure that uevent can be read directly after rc device register
+
+From: Sean Young
+
+commit 896111dc4bcf887b835b3ef54f48b450d4692a1d upstream.
+
+There is a race condition where if the /sys/class/rc0/uevent file is read
+before rc_dev->registered is set to true, -ENODEV will be returned.
+
+Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1901089
+
+Cc: stable@vger.kernel.org
+Fixes: a2e2d73fa281 ("media: rc: do not access device via sysfs after rc_unregister_device()")
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/rc/rc-main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1892,6 +1892,8 @@ int rc_register_device(struct rc_dev *de
+ goto out_raw;
+ }
+
++ dev->registered = true;
++
+ rc = device_add(&dev->dev);
+ if (rc)
+ goto out_rx_free;
+@@ -1901,8 +1903,6 @@ int rc_register_device(struct rc_dev *de
+ dev->device_name ?: "Unspecified device", path ?: "N/A");
+ kfree(path);
+
+- dev->registered = true;
+-
+ /*
+ * once the the input device is registered in rc_setup_rx_device,
+ * userspace can open the input device and rc_open() will be called
diff --git a/queue-5.4/net-usb-qmi_wwan-added-support-for-thales-cinterion-plsx3-modem-family.patch b/queue-5.4/net-usb-qmi_wwan-added-support-for-thales-cinterion-plsx3-modem-family.patch
new file mode 100644
index 00000000000..f6dcfcac47e
--- /dev/null
+++ b/queue-5.4/net-usb-qmi_wwan-added-support-for-thales-cinterion-plsx3-modem-family.patch
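Review bot: In the queued drivers/media/rc/rc-main.c patch, `dev->registered = true;` now runs before `device_add()`, and the `goto out_rx_free` failure path visible in the hunk does not clear it again. The out_rx_free label and the rest of rc_register_device() lie outside the hunk, so if the unwind code there does not reset the flag, a device whose registration failed would still read as registered; adding `dev->registered = false;` on that path would close the gap. A short comment above the assignment, e.g. `/* set before device_add() so an early uevent read does not get -ENODEV */`, would also record why the order matters.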
@@ -0,0 +1,400 @@
+From 7e0e63d09516e96994c879f07c5a3c3269d7015e Mon Sep 17 00:00:00 2001
+From: Giacinto Cifelli
+Date: Wed, 20 Jan 2021 05:56:50 +0100
+Subject: net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Giacinto Cifelli
+
+commit 7e0e63d09516e96994c879f07c5a3c3269d7015e upstream.
+
+Bus 003 Device 009: ID 1e2d:006f
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 239 Miscellaneous Device
+ bDeviceSubClass 2 ?
+ bDeviceProtocol 1 Interface Association
+ bMaxPacketSize0 64
+ idVendor 0x1e2d
+ idProduct 0x006f
+ bcdDevice 0.00
+ iManufacturer 3 Cinterion Wireless Modules
+ iProduct 2 PLSx3
+ iSerial 4 fa3c1419
+ bNumConfigurations 1
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 303
+ bNumInterfaces 9
+ bConfigurationValue 1
+ iConfiguration 1 Cinterion Configuration
+ bmAttributes 0xe0
+ Self Powered
+ Remote Wakeup
+ MaxPower 500mA
+ Interface Association:
+ bLength 8
+ bDescriptorType 11
+ bFirstInterface 0
+ bInterfaceCount 2
+ bFunctionClass 2 Communications
+ bFunctionSubClass 2 Abstract (modem)
+ bFunctionProtocol 1 AT-commands (v.25ter)
+ iFunction 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 0
+ bAlternateSetting 0
+ bNumEndpoints 1
+ bInterfaceClass 2 Communications
+ bInterfaceSubClass 2 Abstract (modem)
+ bInterfaceProtocol 1 AT-commands (v.25ter)
+ iInterface 0
+ CDC Header:
+ bcdCDC 1.10
+ CDC ACM:
+ bmCapabilities 0x02
+ line coding and serial state
+ CDC Call Management:
+ bmCapabilities 0x03
+ call management
+ use DataInterface
+ bDataInterface 1
+ CDC Union:
+ bMasterInterface 0
+ bSlaveInterface 1
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 5
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 1
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 10 CDC Data
+ bInterfaceSubClass 0 Unused
+ bInterfaceProtocol 0
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x82 EP 2 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x01 EP 1 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Interface Association:
+ bLength 8
+ bDescriptorType 11
+ bFirstInterface 2
+ bInterfaceCount 2
+ bFunctionClass 2 Communications
+ bFunctionSubClass 2 Abstract (modem)
+ bFunctionProtocol 1 AT-commands (v.25ter)
+ iFunction 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 2
+ bAlternateSetting 0
+ bNumEndpoints 1
+ bInterfaceClass 2 Communications
+ bInterfaceSubClass 2 Abstract (modem)
+ bInterfaceProtocol 1 AT-commands (v.25ter)
+ iInterface 0
+ CDC Header:
+ bcdCDC 1.10
+ CDC ACM:
+ bmCapabilities 0x02
+ line coding and serial state
+ CDC Call Management:
+ bmCapabilities 0x03
+ call management
+ use DataInterface
+ bDataInterface 3
+ CDC Union:
+ bMasterInterface 2
+ bSlaveInterface 3
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x83 EP 3 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 5
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 3
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 10 CDC Data
+ bInterfaceSubClass 0 Unused
+ bInterfaceProtocol 0
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x84 EP 4 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x02 EP 2 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Interface Association:
+ bLength 8
+ bDescriptorType 11
+ bFirstInterface 4
+ bInterfaceCount 2
+ bFunctionClass 2 Communications
+ bFunctionSubClass 2 Abstract (modem)
+ bFunctionProtocol 1 AT-commands (v.25ter)
+ iFunction 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 4
+ bAlternateSetting 0
+ bNumEndpoints 1
+ bInterfaceClass 2 Communications
+ bInterfaceSubClass 2 Abstract (modem)
+ bInterfaceProtocol 1 AT-commands (v.25ter)
+ iInterface 0
+ CDC Header:
+ bcdCDC 1.10
+ CDC ACM:
+ bmCapabilities 0x02
+ line coding and serial state
+ CDC Call Management:
+ bmCapabilities 0x03
+ call management
+ use DataInterface
+ bDataInterface 5
+ CDC Union:
+ bMasterInterface 4
+ bSlaveInterface 5
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x85 EP 5 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 5
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 5
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 10 CDC Data
+ bInterfaceSubClass 0 Unused
+ bInterfaceProtocol 0
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x86 EP 6 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x03 EP 3 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Interface Association:
+ bLength 8
+ bDescriptorType 11
+ bFirstInterface 6
+ bInterfaceCount 2
+ bFunctionClass 2 Communications
+ bFunctionSubClass 2 Abstract (modem)
+ bFunctionProtocol 1 AT-commands (v.25ter)
+ iFunction 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 6
+ bAlternateSetting 0
+ bNumEndpoints 1
+ bInterfaceClass 2 Communications
+ bInterfaceSubClass 2 Abstract (modem)
+ bInterfaceProtocol 1 AT-commands (v.25ter)
+ iInterface 0
+ CDC Header:
+ bcdCDC 1.10
+ CDC ACM:
+ bmCapabilities 0x02
+ line coding and serial state
+ CDC Call Management:
+ bmCapabilities 0x03
+ call management
+ use DataInterface
+ bDataInterface 7
+ CDC Union:
+ bMasterInterface 6
+ bSlaveInterface 7
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x87 EP 7 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 5
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 7
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 10 CDC Data
+ bInterfaceSubClass 0 Unused
+ bInterfaceProtocol 0
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x88 EP 8 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x04 EP 4 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 8
+ bAlternateSetting 0
+ bNumEndpoints 3
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 255 Vendor Specific Subclass
+ bInterfaceProtocol 255 Vendor Specific Protocol
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x89 EP 9 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 5
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x8a EP 10 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x05 EP 5 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+Device Qualifier (for other device speed):
+ bLength 10
+ bDescriptorType 6
+ bcdUSB 2.00
+ bDeviceClass 239 Miscellaneous Device
+ bDeviceSubClass 2 ?
+ bDeviceProtocol 1 Interface Association
+ bMaxPacketSize0 64
+ bNumConfigurations 1
+Device Status: 0x0000
+ (Bus Powered)
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Giacinto Cifelli
+Acked-by: Bjørn Mork
+Link: https://lore.kernel.org/r/20210120045650.10855-1-gciofono@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1347,6 +1347,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x0b3c, 0xc00a, 6)}, /* Olivetti Olicard 160 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */
+ {QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
++ {QMI_QUIRK_SET_DTR(0x1e2d, 0x006f, 8)}, /* Cinterion PLS83/PLS63 */
+ {QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */
+ {QMI_FIXED_INTF(0x1e2d, 0x0063, 10)}, /* Cinterion ALASxx (1 RmNet) */
+ {QMI_FIXED_INTF(0x1e2d, 0x0082, 4)}, /* Cinterion PHxx,PXxx (2 RmNet) */
diff --git a/queue-5.4/pm-hibernate-flush-swap-writer-after-marking.patch b/queue-5.4/pm-hibernate-flush-swap-writer-after-marking.patch
new file mode 100644
index 00000000000..e43bfb583c6
--- /dev/null
+++ b/queue-5.4/pm-hibernate-flush-swap-writer-after-marking.patch
@@ -0,0 +1,39 @@
+From fef9c8d28e28a808274a18fbd8cc2685817fd62a Mon Sep 17 00:00:00 2001
+From: Laurent Badel
+Date: Fri, 22 Jan 2021 17:19:41 +0100
+Subject: PM: hibernate: flush swap writer after marking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Laurent Badel
+
+commit fef9c8d28e28a808274a18fbd8cc2685817fd62a upstream.
+
+Flush the swap writer after, not before, marking the files, to ensure the
+signature is properly written.
+
+Fixes: 6f612af57821 ("PM / Hibernate: Group swap ops")
+Signed-off-by: Laurent Badel
+Cc: All applicable
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/power/swap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -489,10 +489,10 @@ static int swap_writer_finish(struct swa
+ unsigned int flags, int error)
+ {
+ if (!error) {
+- flush_swap_writer(handle);
+ pr_info("S");
+ error = mark_swapfiles(handle, flags);
+ pr_cont("|\n");
++ flush_swap_writer(handle);
+ }
+
+ if (error)
diff --git a/queue-5.4/s390-vfio-ap-clean-up-vfio_ap-resources-when-kvm-pointer-invalidated.patch b/queue-5.4/s390-vfio-ap-clean-up-vfio_ap-resources-when-kvm-pointer-invalidated.patch
new file mode 100644
index 00000000000..34c3bd4293c
--- /dev/null
+++ b/queue-5.4/s390-vfio-ap-clean-up-vfio_ap-resources-when-kvm-pointer-invalidated.patch
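Review bot: In the queued kernel/power/swap.c patch, the result of `flush_swap_writer(handle);` is discarded, and after this reordering it is the last write swap_writer_finish() performs before it judges success from `error`. If flush_swap_writer() returns a status (its definition is outside the hunk), a flush that fails after `mark_swapfiles()` has written the signature would go unreported; `if (!error) error = flush_swap_writer(handle);` would propagate it. The function body continues past the end of the hunk, so how `error` is consumed afterwards is not visible here.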
@@ -0,0 +1,140 @@
+From f21916ec4826766463fe9fb55a5f43d2a365811d Mon Sep 17 00:00:00 2001
+From: Tony Krowiak
+Date: Tue, 22 Dec 2020 20:20:13 -0500
+Subject: s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated
+
+From: Tony Krowiak
+
+commit f21916ec4826766463fe9fb55a5f43d2a365811d upstream.
+
+The vfio_ap device driver registers a group notifier with VFIO when the
+file descriptor for a VFIO mediated device for a KVM guest is opened to
+receive notification that the KVM pointer is set (VFIO_GROUP_NOTIFY_SET_KVM
+event). When the KVM pointer is set, the vfio_ap driver takes the
+following actions:
+1. Stashes the KVM pointer in the vfio_ap_mdev struct that holds the state
+ of the mediated device.
+2. Calls the kvm_get_kvm() function to increment its reference counter.
+3. Sets the function pointer to the function that handles interception of
+ the instruction that enables/disables interrupt processing.
+4. Sets the masks in the KVM guest's CRYCB to pass AP resources through to
+ the guest.
+
+In order to avoid memory leaks, when the notifier is called to receive
+notification that the KVM pointer has been set to NULL, the vfio_ap device
+driver should reverse the actions taken when the KVM pointer was set.
+
+Fixes: 258287c994de ("s390: vfio-ap: implement mediated device open callback")
+Signed-off-by: Tony Krowiak
+Reviewed-by: Halil Pasic
+Reviewed-by: Cornelia Huck
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201223012013.5418-1-akrowiak@linux.ibm.com
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/crypto/vfio_ap_ops.c | 49 +++++++++++++++++++++-----------------
+ 1 file changed, 28 insertions(+), 21 deletions(-)
+
+--- a/drivers/s390/crypto/vfio_ap_ops.c
++++ b/drivers/s390/crypto/vfio_ap_ops.c
+@@ -1038,19 +1038,14 @@ static int vfio_ap_mdev_set_kvm(struct a
+ {
+ struct ap_matrix_mdev *m;
+
+- mutex_lock(&matrix_dev->lock);
+-
+ list_for_each_entry(m, &matrix_dev->mdev_list, node) {
+- if ((m != matrix_mdev) && (m->kvm == kvm)) {
+- mutex_unlock(&matrix_dev->lock);
++ if ((m != matrix_mdev) && (m->kvm == kvm))
+ return -EPERM;
+- }
+ }
+
+ matrix_mdev->kvm = kvm;
+ kvm_get_kvm(kvm);
+ kvm->arch.crypto.pqap_hook = &matrix_mdev->pqap_hook;
+- mutex_unlock(&matrix_dev->lock);
+
+ return 0;
+ }
+@@ -1084,35 +1079,52 @@ static int vfio_ap_mdev_iommu_notifier(s
+ return NOTIFY_DONE;
+ }
+
++static void vfio_ap_mdev_unset_kvm(struct ap_matrix_mdev *matrix_mdev)
++{
++ kvm_arch_crypto_clear_masks(matrix_mdev->kvm);
++ matrix_mdev->kvm->arch.crypto.pqap_hook = NULL;
++ vfio_ap_mdev_reset_queues(matrix_mdev->mdev);
++ kvm_put_kvm(matrix_mdev->kvm);
++ matrix_mdev->kvm = NULL;
++}
++
+ static int vfio_ap_mdev_group_notifier(struct notifier_block *nb,
+ unsigned long action, void *data)
+ {
+- int ret;
++ int ret, notify_rc = NOTIFY_OK;
+ struct ap_matrix_mdev *matrix_mdev;
+
+ if (action != VFIO_GROUP_NOTIFY_SET_KVM)
+ return NOTIFY_OK;
+
+ matrix_mdev = container_of(nb, struct ap_matrix_mdev, group_notifier);
++ mutex_lock(&matrix_dev->lock);
+
+ if (!data) {
+- matrix_mdev->kvm = NULL;
+- return NOTIFY_OK;
++ if (matrix_mdev->kvm)
++ vfio_ap_mdev_unset_kvm(matrix_mdev);
++ goto notify_done;
+ }
+
+ ret = vfio_ap_mdev_set_kvm(matrix_mdev, data);
+- if (ret)
+- return NOTIFY_DONE;
++ if (ret) {
++ notify_rc = NOTIFY_DONE;
++ goto notify_done;
++ }
+
+ /* If there is no CRYCB pointer, then we can't copy the masks */
+- if (!matrix_mdev->kvm->arch.crypto.crycbd)
+- return NOTIFY_DONE;
++ if (!matrix_mdev->kvm->arch.crypto.crycbd) {
++ notify_rc = NOTIFY_DONE;
++ goto notify_done;
++ }
+
+ kvm_arch_crypto_set_masks(matrix_mdev->kvm, matrix_mdev->matrix.apm,
+ matrix_mdev->matrix.aqm,
+ matrix_mdev->matrix.adm);
+
+- return NOTIFY_OK;
++notify_done:
++ mutex_unlock(&matrix_dev->lock);
++ return notify_rc;
+ }
+
+ static struct vfio_ap_queue *vfio_ap_find_queue(int apqn)
+@@ -1246,13 +1258,8 @@ static void vfio_ap_mdev_release(struct
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+
+ mutex_lock(&matrix_dev->lock);
+- if (matrix_mdev->kvm) {
+- kvm_arch_crypto_clear_masks(matrix_mdev->kvm);
+- matrix_mdev->kvm->arch.crypto.pqap_hook = NULL;
+- vfio_ap_mdev_reset_queues(mdev);
+- kvm_put_kvm(matrix_mdev->kvm);
+- matrix_mdev->kvm = NULL;
+- }
++ if (matrix_mdev->kvm)
++ vfio_ap_mdev_unset_kvm(matrix_mdev);
+ mutex_unlock(&matrix_dev->lock);
+
+ vfio_unregister_notifier(mdev_dev(mdev), VFIO_IOMMU_NOTIFY,
diff --git a/queue-5.4/s390-vfio-ap-no-need-to-disable-irq-after-queue-reset.patch b/queue-5.4/s390-vfio-ap-no-need-to-disable-irq-after-queue-reset.patch
new file mode 100644
index 00000000000..d31a44c5a6e
--- /dev/null
+++ b/queue-5.4/s390-vfio-ap-no-need-to-disable-irq-after-queue-reset.patch
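Review bot: In the queued vfio_ap_ops.c clean-up patch (the one adding vfio_ap_mdev_unset_kvm()), vfio_ap_mdev_set_kvm() no longer takes `matrix_dev->lock` itself and the new vfio_ap_mdev_unset_kvm() never does, so both now depend on every caller holding the lock while they walk `mdev_list` and change `matrix_mdev->kvm` and the guest's `pqap_hook`. Nothing in the code states or enforces that contract; `lockdep_assert_held(&matrix_dev->lock);` as the first statement of each helper would document it and catch a future unlocked caller. The two callers visible in these hunks, vfio_ap_mdev_group_notifier() and vfio_ap_mdev_release(), do take the lock before calling in.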
@@ -0,0 +1,267 @@
+From 6c12a6384e0c0b96debd88b24028e58f2ebd417b Mon Sep 17 00:00:00 2001
+From: Tony Krowiak
+Date: Tue, 22 Dec 2020 20:15:53 -0500
+Subject: s390/vfio-ap: No need to disable IRQ after queue reset
+
+From: Tony Krowiak
+
+commit 6c12a6384e0c0b96debd88b24028e58f2ebd417b upstream.
+
+The queues assigned to a matrix mediated device are currently reset when:
+
+* The VFIO_DEVICE_RESET ioctl is invoked
+* The mdev fd is closed by userspace (QEMU)
+* The mdev is removed from sysfs.
+
+Immediately after the reset of a queue, a call is made to disable
+interrupts for the queue. This is entirely unnecessary because the reset of
+a queue disables interrupts, so this will be removed.
+
+Furthermore, vfio_ap_irq_disable() does an unconditional PQAP/AQIC which
+can result in a specification exception (when the corresponding facility
+is not available), so this is actually a bugfix.
+
+Signed-off-by: Tony Krowiak
+[pasic@linux.ibm.com: minor rework before merging]
+Signed-off-by: Halil Pasic
+Fixes: ec89b55e3bce ("s390: ap: implement PAPQ AQIC interception in kernel")
+Cc:
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/crypto/vfio_ap_drv.c | 6 --
+ drivers/s390/crypto/vfio_ap_ops.c | 100 +++++++++++++++++++++-------------
+ drivers/s390/crypto/vfio_ap_private.h | 12 ++--
+ 3 files changed, 69 insertions(+), 49 deletions(-)
+
+--- a/drivers/s390/crypto/vfio_ap_drv.c
++++ b/drivers/s390/crypto/vfio_ap_drv.c
+@@ -71,15 +71,11 @@ static int vfio_ap_queue_dev_probe(struc
+ static void vfio_ap_queue_dev_remove(struct ap_device *apdev)
+ {
+ struct vfio_ap_queue *q;
+- int apid, apqi;
+
+ mutex_lock(&matrix_dev->lock);
+ q = dev_get_drvdata(&apdev->device);
++ vfio_ap_mdev_reset_queue(q, 1);
+ dev_set_drvdata(&apdev->device, NULL);
+- apid = AP_QID_CARD(q->apqn);
+- apqi = AP_QID_QUEUE(q->apqn);
+- vfio_ap_mdev_reset_queue(apid, apqi, 1);
+- vfio_ap_irq_disable(q);
+ kfree(q);
+ mutex_unlock(&matrix_dev->lock);
+ }
+--- a/drivers/s390/crypto/vfio_ap_ops.c
++++ b/drivers/s390/crypto/vfio_ap_ops.c
+@@ -25,6 +25,7 @@
+ #define VFIO_AP_MDEV_NAME_HWVIRT "VFIO AP Passthrough Device"
+
+ static int vfio_ap_mdev_reset_queues(struct mdev_device *mdev);
++static struct vfio_ap_queue *vfio_ap_find_queue(int apqn);
+
+ static int match_apqn(struct device *dev, const void *data)
+ {
+@@ -49,20 +50,15 @@ static struct vfio_ap_queue *vfio_ap_get
+ int apqn)
+ {
+ struct vfio_ap_queue *q;
+- struct device *dev;
+
+ if (!test_bit_inv(AP_QID_CARD(apqn), matrix_mdev->matrix.apm))
+ return NULL;
+ if (!test_bit_inv(AP_QID_QUEUE(apqn), matrix_mdev->matrix.aqm))
+ return NULL;
+
+- dev = driver_find_device(&matrix_dev->vfio_ap_drv->driver, NULL,
+- &apqn, match_apqn);
+- if (!dev)
+- return NULL;
+- q = dev_get_drvdata(dev);
+- q->matrix_mdev = matrix_mdev;
+- put_device(dev);
++ q = vfio_ap_find_queue(apqn);
++ if (q)
++ q->matrix_mdev = matrix_mdev;
+
+ return q;
+ }
+@@ -119,13 +115,18 @@ static void vfio_ap_wait_for_irqclear(in
+ */
+ static void vfio_ap_free_aqic_resources(struct vfio_ap_queue *q)
+ {
+- if (q->saved_isc != VFIO_AP_ISC_INVALID && q->matrix_mdev)
++ if (!q)
++ return;
++ if (q->saved_isc != VFIO_AP_ISC_INVALID &&
++ !WARN_ON(!(q->matrix_mdev && q->matrix_mdev->kvm))) {
+ kvm_s390_gisc_unregister(q->matrix_mdev->kvm, q->saved_isc);
+- if (q->saved_pfn && q->matrix_mdev)
++ q->saved_isc = VFIO_AP_ISC_INVALID;
++ }
++ if (q->saved_pfn && !WARN_ON(!q->matrix_mdev)) {
+ vfio_unpin_pages(mdev_dev(q->matrix_mdev->mdev),
+ &q->saved_pfn, 1);
+- q->saved_pfn = 0;
+- q->saved_isc = VFIO_AP_ISC_INVALID;
++ q->saved_pfn = 0;
++ }
+ }
+
+ /**
+@@ -144,7 +145,7 @@ static void vfio_ap_free_aqic_resources(
+ * Returns if ap_aqic function failed with invalid, deconfigured or
+ * checkstopped AP.
+ */
+-struct ap_queue_status vfio_ap_irq_disable(struct vfio_ap_queue *q)
++static struct ap_queue_status vfio_ap_irq_disable(struct vfio_ap_queue *q)
+ {
+ struct ap_qirq_ctrl aqic_gisa = {};
+ struct ap_queue_status status;
+@@ -1114,48 +1115,70 @@ static int vfio_ap_mdev_group_notifier(s
+ return NOTIFY_OK;
+ }
+
+-static void vfio_ap_irq_disable_apqn(int apqn)
++static struct vfio_ap_queue *vfio_ap_find_queue(int apqn)
+ {
+ struct device *dev;
+- struct vfio_ap_queue *q;
++ struct vfio_ap_queue *q = NULL;
+
+ dev = driver_find_device(&matrix_dev->vfio_ap_drv->driver, NULL,
+ &apqn, match_apqn);
+ if (dev) {
+ q = dev_get_drvdata(dev);
+- vfio_ap_irq_disable(q);
+ put_device(dev);
+ }
++
++ return q;
+ }
+
+-int vfio_ap_mdev_reset_queue(unsigned int apid, unsigned int apqi,
++int vfio_ap_mdev_reset_queue(struct vfio_ap_queue *q,
+ unsigned int retry)
+ {
+ struct ap_queue_status status;
++ int ret;
+ int retry2 = 2;
+- int apqn = AP_MKQID(apid, apqi);
+
+- do {
+- status = ap_zapq(apqn);
+- switch (status.response_code) {
+- case AP_RESPONSE_NORMAL:
+- while (!status.queue_empty && retry2--) {
+- msleep(20);
+- status = ap_tapq(apqn, NULL);
+- }
+- WARN_ON_ONCE(retry2 <= 0);
+- return 0;
+- case AP_RESPONSE_RESET_IN_PROGRESS:
+- case AP_RESPONSE_BUSY:
++ if (!q)
++ return 0;
++
++retry_zapq:
++ status = ap_zapq(q->apqn);
++ switch (status.response_code) {
++ case AP_RESPONSE_NORMAL:
++ ret = 0;
++ break;
++ case AP_RESPONSE_RESET_IN_PROGRESS:
++ if (retry--) {
+ msleep(20);
+- break;
+- default:
+- /* things are really broken, give up */
+- return -EIO;
++ goto retry_zapq;
+ }
+- } while (retry--);
++ ret = -EBUSY;
++ break;
++ case AP_RESPONSE_Q_NOT_AVAIL:
++ case AP_RESPONSE_DECONFIGURED:
++ case AP_RESPONSE_CHECKSTOPPED:
++ WARN_ON_ONCE(status.irq_enabled);
++ ret = -EBUSY;
++ goto free_resources;
++ default:
++ /* things are really broken, give up */
++ WARN(true, "PQAP/ZAPQ completed with invalid rc (%x)\n",
++ status.response_code);
++ return -EIO;
++ }
++ /* wait for the reset to take effect */
++ while (retry2--) {
++ if (status.queue_empty && !status.irq_enabled)
++ break;
++ msleep(20);
++ status = ap_tapq(q->apqn, NULL);
++ }
++ WARN_ON_ONCE(retry2 <= 0);
+
+- return -EBUSY;
++free_resources:
++ vfio_ap_free_aqic_resources(q);
++
++ return ret;
+ }
+
+ static int vfio_ap_mdev_reset_queues(struct mdev_device *mdev)
+@@ -1163,13 +1186,15 @@ static int vfio_ap_mdev_reset_queues(str
+ int ret;
+ int rc = 0;
+ unsigned long apid, apqi;
++ struct vfio_ap_queue *q;
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+
+ for_each_set_bit_inv(apid, matrix_mdev->matrix.apm,
+ matrix_mdev->matrix.apm_max + 1) {
+ for_each_set_bit_inv(apqi, matrix_mdev->matrix.aqm,
+ matrix_mdev->matrix.aqm_max + 1) {
+- ret = vfio_ap_mdev_reset_queue(apid, apqi, 1);
++ q = vfio_ap_find_queue(AP_MKQID(apid, apqi));
++ ret = vfio_ap_mdev_reset_queue(q, 1);
+ /*
+ * Regardless whether a queue turns out to be busy, or
+ * is not operational, we need to continue resetting
+@@ -1177,7 +1202,6 @@ static int vfio_ap_mdev_reset_queues(str
+ */
+ if (ret)
+ rc = ret;
+- vfio_ap_irq_disable_apqn(AP_MKQID(apid, apqi));
+ }
+ }
+
+--- a/drivers/s390/crypto/vfio_ap_private.h
++++ b/drivers/s390/crypto/vfio_ap_private.h
+@@ -88,11 +88,6 @@ struct ap_matrix_mdev {
+ struct mdev_device *mdev;
+ };
+
+-extern int vfio_ap_mdev_register(void);
+-extern void vfio_ap_mdev_unregister(void);
+-int vfio_ap_mdev_reset_queue(unsigned int apid, unsigned int apqi,
+- unsigned int retry);
+-
+ struct vfio_ap_queue {
+ struct ap_matrix_mdev *matrix_mdev;
+ unsigned long saved_pfn;
+@@ -100,5 +95,10 @@ struct vfio_ap_queue {
+ #define VFIO_AP_ISC_INVALID 0xff
+ unsigned char saved_isc;
+ };
+-struct ap_queue_status vfio_ap_irq_disable(struct vfio_ap_queue *q);
++
++int vfio_ap_mdev_register(void);
++void vfio_ap_mdev_unregister(void);
++int vfio_ap_mdev_reset_queue(struct vfio_ap_queue *q,
++ unsigned int retry);
++
+ #endif /* _VFIO_AP_PRIVATE_H_ */
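Review bot: In the queued vfio_ap_ops.c patch, `WARN_ON_ONCE(retry2 <= 0);` after the new wait loop in vfio_ap_mdev_reset_queue() can fire on a reset that succeeded: `while (retry2--)` has already dropped retry2 to 0 when the second pass breaks out with the queue empty and interrupts disabled. Testing the condition the loop actually waits for, `WARN_ON_ONCE(!status.queue_empty || status.irq_enabled);`, would warn only when the reset did not take effect, and it would also cover the status returned by the final ap_tapq(), which the loop never re-checks. Separately, vfio_ap_find_queue() hands back `q` after `put_device(dev)`, so its callers presumably rely on `matrix_dev->lock` to keep the queue alive; a one-line comment on the helper saying so would make that requirement explicit.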
diff --git a/queue-5.4/series b/queue-5.4/series
index 2391a048551..f14b6b532ba 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -5,3 +5,10 @@ acpi-sysfs-prefer-compatible-modalias.patch
 kernel-kexec-remove-the-lock-operation-of-system_transition_mutex.patch
 alsa-hda-realtek-enable-headset-of-asus-b1400cepe-with-alc256.patch
 alsa-hda-via-apply-the-workaround-generically-for-clevo-machines.patch
+media-rc-ensure-that-uevent-can-be-read-directly-after-rc-device-register.patch
+arm-dts-imx6qdl-gw52xx-fix-duplicate-regulator-naming.patch
+wext-fix-null-ptr-dereference-with-cfg80211-s-lack-of-commit.patch
+net-usb-qmi_wwan-added-support-for-thales-cinterion-plsx3-modem-family.patch
+s390-vfio-ap-no-need-to-disable-irq-after-queue-reset.patch
+s390-vfio-ap-clean-up-vfio_ap-resources-when-kvm-pointer-invalidated.patch
+pm-hibernate-flush-swap-writer-after-marking.patch
diff --git a/queue-5.4/wext-fix-null-ptr-dereference-with-cfg80211-s-lack-of-commit.patch b/queue-5.4/wext-fix-null-ptr-dereference-with-cfg80211-s-lack-of-commit.patch
new file mode 100644
index 00000000000..47f585ab9b1
--- /dev/null
+++ b/queue-5.4/wext-fix-null-ptr-dereference-with-cfg80211-s-lack-of-commit.patch
@@ -0,0 +1,50 @@
+From 5122565188bae59d507d90a9a9fd2fd6107f4439 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 21 Jan 2021 17:16:22 +0100
+Subject: wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
+
+From: Johannes Berg
+
+commit 5122565188bae59d507d90a9a9fd2fd6107f4439 upstream.
+
+Since cfg80211 doesn't implement commit, we never really cared about
+that code there (and it's configured out w/o CONFIG_WIRELESS_EXT).
+After all, since it has no commit, it shouldn't return -EIWCOMMIT to
+indicate commit is needed.
+
+However, EIWCOMMIT is actually an alias for EINPROGRESS, which _can_
+happen if e.g. we try to change the frequency but we're already in
+the process of connecting to some network, and drivers could return
+that value (or even cfg80211 itself might).
+
+This then causes us to crash because dev->wireless_handlers is NULL
+but we try to check dev->wireless_handlers->standard[0].
+
+Fix this by also checking dev->wireless_handlers. Also simplify the
+code a little bit.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+444248c79e117bc99f46@syzkaller.appspotmail.com
+Reported-by: syzbot+8b2a88a09653d4084179@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210121171621.2076e4a37d5a.I5d9c72220fe7bb133fb718751da0180a57ecba4e@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/wext-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -896,8 +896,9 @@ out:
+ int call_commit_handler(struct net_device *dev)
+ {
+ #ifdef CONFIG_WIRELESS_EXT
+- if ((netif_running(dev)) &&
+- (dev->wireless_handlers->standard[0] != NULL))
++ if (netif_running(dev) &&
++ dev->wireless_handlers &&
++ dev->wireless_handlers->standard[0])
+ /* Call the commit handler on the driver */
+ return dev->wireless_handlers->standard[0](dev, NULL,
+ NULL, NULL);
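Review bot: The new `dev->wireless_handlers &&` test in call_commit_handler() carries no comment, so the reason a running device can reach this point without handlers is recorded only in the commit message. A line above the condition such as `/* cfg80211 devices have no wireless_handlers, yet -EINPROGRESS (== -EIWCOMMIT) can still route here */` would keep a later clean-up from dropping the check again. Reading `dev->wireless_handlers` once into a local and using that for both the test and the call would also make it obvious that the pointer checked is the pointer dereferenced. The function continues outside the hunk, so the path taken when the condition is false is not visible here.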