From: Greg Kroah-Hartman Date: Sun, 23 Jan 2022 15:05:56 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.300~135 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69f5fc180ce83f9407cec305b56c0e500c8f2f1b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch drm-rockchip-dsi-reconfigure-hardware-on-resume.patch f2fs-fix-to-do-sanity-check-in-is_alive.patch iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch media-cpia2-fix-control-message-timeouts.patch media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch media-em28xx-fix-control-message-timeouts.patch media-flexcop-usb-fix-control-message-timeouts.patch media-mceusb-fix-control-message-timeouts.patch media-pvrusb2-fix-control-message-timeouts.patch media-redrat3-fix-control-message-timeouts.patch media-s2255-fix-control-message-timeouts.patch media-stk1160-fix-control-message-timeouts.patch media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch tools-nolibc-fix-incorrect-truncation-of-exit-code.patch tools-nolibc-i386-fix-initial-stack-alignment.patch 
tools-nolibc-x86-64-fix-startup-code-bug.patch x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch
---
diff --git a/queue-5.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch b/queue-5.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch
new file mode 100644
index 00000000000..6c9b6a91a6c
--- /dev/null
+++ b/queue-5.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch
@@ -0,0 +1,36 @@
+From ced4913efb0acc844ed65cc01d091a85d83a2082 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 22 Dec 2021 11:48:43 +0100
+Subject: can: softing_cs: softingcs_probe(): fix memleak on registration failure
+
+From: Johan Hovold
+
+commit ced4913efb0acc844ed65cc01d091a85d83a2082 upstream.
+
+In case device registration fails during probe, the driver state and
+the embedded platform device structure needs to be freed using
+platform_device_put() to properly free all resources (e.g. the device
+name).
+
+Fixes: 0a0b7a5f7a04 ("can: add driver for Softing card")
+Link: https://lore.kernel.org/all/20211222104843.6105-1-johan@kernel.org
+Cc: stable@vger.kernel.org # 2.6.38
+Signed-off-by: Johan Hovold
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/softing/softing_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/softing/softing_cs.c
++++ b/drivers/net/can/softing/softing_cs.c
+@@ -293,7 +293,7 @@ static int softingcs_probe(struct pcmcia
+ return 0;
+
+ platform_failed:
+- kfree(dev);
++ platform_device_put(pdev);
+ mem_failed:
+ pcmcia_bad:
+ pcmcia_failed:
diff --git a/queue-5.4/dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch b/queue-5.4/dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch
new file mode 100644
index 00000000000..8e7dd1b422c
--- /dev/null
+++ b/queue-5.4/dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch
@@ -0,0 +1,54 @@
+From 95d35838880fb040ccb9fe4a48816bd0c8b62df5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?=
+Date: Mon, 29 Nov 2021 16:27:27 +0100
+Subject: dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Hellström
+
+commit 95d35838880fb040ccb9fe4a48816bd0c8b62df5 upstream.
+
+If a dma_fence_array is reported signaled by a call to
+dma_fence_is_signaled(), it may leak the PENDING_ERROR status.
+
+Fix this by clearing the PENDING_ERROR status if we return true in
+dma_fence_array_signaled().
+
+v2:
+- Update Cc list, and add R-b.
+
+Fixes: 1f70b8b812f3 ("dma-fence: Propagate errors to dma-fence-array container")
+Cc: Chris Wilson
+Cc: Sumit Semwal
+Cc: Gustavo Padovan
+Cc: Christian König
+Cc: "Christian König"
+Cc: linux-media@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: linaro-mm-sig@lists.linaro.org
+Cc: # v5.4+
+Signed-off-by: Thomas Hellström
+Reviewed-by: Christian König
+Link: https://patchwork.freedesktop.org/patch/msgid/20211129152727.448908-1-thomas.hellstrom@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma-buf/dma-fence-array.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/dma-fence-array.c
++++ b/drivers/dma-buf/dma-fence-array.c
+@@ -104,7 +104,11 @@ static bool dma_fence_array_signaled(str
+ {
+ struct dma_fence_array *array = to_dma_fence_array(fence);
+
+- return atomic_read(&array->num_pending) <= 0;
++ if (atomic_read(&array->num_pending) > 0)
++ return false;
++
++ dma_fence_array_clear_pending_error(array);
++ return true;
+ }
+
+ static void dma_fence_array_release(struct dma_fence *fence)
diff --git a/queue-5.4/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch b/queue-5.4/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch
new file mode 100644
index 00000000000..6270f98a2b5
--- /dev/null
+++ b/queue-5.4/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch 
@@ -0,0 +1,151 @@
+From 514db871922f103886ad4d221cf406b4fcc5e74a Mon Sep 17 00:00:00 2001
+From: Brian Norris
+Date: Tue, 28 Sep 2021 14:35:49 -0700
+Subject: drm/rockchip: dsi: Hold pm-runtime across bind/unbind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brian Norris
+
+commit 514db871922f103886ad4d221cf406b4fcc5e74a upstream.
+
+In commit 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except
+LCDC mux to bind()"), we moved most HW configuration to bind(), but we
+didn't move the runtime PM management. Therefore, depending on initial
+boot state, runtime-PM workqueue delays, and other timing factors, we
+may disable our power domain in between the hardware configuration
+(bind()) and when we enable the display. This can cause us to lose
+hardware state and fail to configure our display. For example:
+
+ dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO
+ panel-innolux-p079zca ff960000.mipi.0: failed to write command 0
+
+or:
+
+ dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO
+ panel-kingdisplay-kd097d04 ff960000.mipi.0: failed write init cmds: -110
+
+We should match the runtime PM to the lifetime of the bind()/unbind()
+cycle.
+
+Tested on Acer Chrometab 10 (RK3399 Gru-Scarlet), with panel drivers
+built either as modules or built-in.
+
+Side notes: it seems one is more likely to see this problem when the
+panel driver is built into the kernel. I've also seen this problem
+bisect down to commits that simply changed Kconfig dependencies, because
+it changed the order in which driver init functions were compiled into
+the kernel, and therefore the ordering and timing of built-in device
+probe.
+
+Fixes: 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except LCDC mux to bind()")
+Link: https://lore.kernel.org/linux-rockchip/9aedfb528600ecf871885f7293ca4207c84d16c1.camel@gmail.com/
+Reported-by:
+Cc:
+Signed-off-by: Brian Norris
+Tested-by: Nícolas F. R. A. Prado
+Reviewed-by: Chen-Yu Tsai
+Signed-off-by: Heiko Stuebner
+Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.1.Ic2904d37f30013a7f3d8476203ad3733c186827e@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 37 ++++++++++++------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -625,10 +625,6 @@ static void dw_mipi_dsi_encoder_enable(s
+ if (mux < 0)
+ return;
+
+- pm_runtime_get_sync(dsi->dev);
+- if (dsi->slave)
+- pm_runtime_get_sync(dsi->slave->dev);
+-
+ /*
+ * For the RK3399, the clk of grf must be enabled before writing grf
+ * register. And for RK3288 or other soc, this grf_clk must be NULL,
+@@ -647,20 +643,10 @@ static void dw_mipi_dsi_encoder_enable(s
+ clk_disable_unprepare(dsi->grf_clk);
+ }
+
+-static void dw_mipi_dsi_encoder_disable(struct drm_encoder *encoder)
+-{
+- struct dw_mipi_dsi_rockchip *dsi = to_dsi(encoder);
+-
+- if (dsi->slave)
+- pm_runtime_put(dsi->slave->dev);
+- pm_runtime_put(dsi->dev);
+-}
+-
+ static const struct drm_encoder_helper_funcs
+ dw_mipi_dsi_encoder_helper_funcs = {
+ .atomic_check = dw_mipi_dsi_encoder_atomic_check,
+ .enable = dw_mipi_dsi_encoder_enable,
+- .disable = dw_mipi_dsi_encoder_disable,
+ };
+
+ static const struct drm_encoder_funcs dw_mipi_dsi_encoder_funcs = {
+@@ -795,10 +781,14 @@ static int dw_mipi_dsi_rockchip_bind(str
+ put_device(second);
+ }
+
++ pm_runtime_get_sync(dsi->dev);
++ if (dsi->slave)
++ pm_runtime_get_sync(dsi->slave->dev);
++
+ ret = clk_prepare_enable(dsi->pllref_clk);
+ if (ret) {
+ DRM_DEV_ERROR(dev, "Failed to enable pllref_clk: %d\n", ret);
+- return ret;
++ goto out_pm_runtime;
+ }
+
+ /*
+@@ -810,7 +800,7 @@ static int dw_mipi_dsi_rockchip_bind(str
+ ret = clk_prepare_enable(dsi->grf_clk);
+ if (ret) {
+ DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret);
+- return ret;
++ goto out_pm_runtime;
+ }
+
+ dw_mipi_dsi_rockchip_config(dsi);
+@@ -822,16 +812,23 @@ static int dw_mipi_dsi_rockchip_bind(str
+ ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev);
+ if (ret) {
+ DRM_DEV_ERROR(dev, "Failed to create drm encoder\n");
+- return ret;
++ goto out_pm_runtime;
+ }
+
+ ret = dw_mipi_dsi_bind(dsi->dmd, &dsi->encoder);
+ if (ret) {
+ DRM_DEV_ERROR(dev, "Failed to bind: %d\n", ret);
+- return ret;
++ goto out_pm_runtime;
+ }
+
+ return 0;
++
++out_pm_runtime:
++ pm_runtime_put(dsi->dev);
++ if (dsi->slave)
++ pm_runtime_put(dsi->slave->dev);
++
++ return ret;
+ }
+
+ static void dw_mipi_dsi_rockchip_unbind(struct device *dev,
+@@ -846,6 +843,10 @@ static void dw_mipi_dsi_rockchip_unbind(
+ dw_mipi_dsi_unbind(dsi->dmd);
+
+ clk_disable_unprepare(dsi->pllref_clk);
++
++ pm_runtime_put(dsi->dev);
++ if (dsi->slave)
++ pm_runtime_put(dsi->slave->dev);
+ }
+
+ static const struct component_ops dw_mipi_dsi_rockchip_ops = {
diff --git a/queue-5.4/drm-rockchip-dsi-reconfigure-hardware-on-resume.patch b/queue-5.4/drm-rockchip-dsi-reconfigure-hardware-on-resume.patch
new file mode 100644
index 00000000000..b0c938553d0
--- /dev/null
+++ b/queue-5.4/drm-rockchip-dsi-reconfigure-hardware-on-resume.patch
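Review bot: The two `pm_runtime_get_sync()` calls added at the top of the bind path discard their return value, so a failed resume of the power domain goes unnoticed and the clock and lane configuration that follows may run against hardware that is not powered. The result should be captured and checked, `ret = pm_runtime_get_sync(dsi->dev);` followed by `if (ret < 0) goto out_pm_runtime;`, taking care that the slave reference is only dropped at the label when it was actually taken. The new `out_pm_runtime` label is also reached after `clk_prepare_enable(dsi->pllref_clk)` has succeeded, and nothing visible in these hunks disables that clock on the later failure paths; the code between the hunks is not shown, so confirm this against the full function.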
@@ -0,0 +1,115 @@
+From e584cdc1549932f87a2707b56bc588cfac5d89e0 Mon Sep 17 00:00:00 2001
+From: Brian Norris
+Date: Tue, 28 Sep 2021 14:35:50 -0700
+Subject: drm/rockchip: dsi: Reconfigure hardware on resume()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brian Norris
+
+commit e584cdc1549932f87a2707b56bc588cfac5d89e0 upstream.
+
+Since commit 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except
+LCDC mux to bind()"), we perform most HW configuration in the bind()
+function. This configuration may be lost on suspend/resume, so we
+need to call it again. That may lead to errors like this after system
+suspend/resume:
+
+ dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO
+ panel-kingdisplay-kd097d04 ff960000.mipi.0: failed write init cmds: -110
+
+Tested on Acer Chromebook Tab 10 (RK3399 Gru-Scarlet).
+
+Note that early mailing list versions of this driver borrowed Rockchip's
+downstream/BSP solution, to do HW configuration in mode_set() (which
+*is* called at the appropriate pre-enable() times), but that was
+discarded along the way. I've avoided that still, because mode_set()
+documentation doesn't suggest this kind of purpose as far as I can tell.
+
+Fixes: 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except LCDC mux to bind()")
+Cc:
+Signed-off-by: Brian Norris
+Reviewed-by: Chen-Yu Tsai
+Tested-by: Nícolas F. R. A. Prado
+Signed-off-by: Heiko Stuebner
+Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.2.I4e9d93aadb00b1ffc7d506e3186a25492bf0b732@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 37 ++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -231,6 +231,8 @@ struct dw_mipi_dsi_rockchip {
+ struct dw_mipi_dsi *dmd;
+ const struct rockchip_dw_dsi_chip_data *cdata;
+ struct dw_mipi_dsi_plat_data pdata;
++
++ bool dsi_bound;
+ };
+
+ struct dphy_pll_parameter_map {
+@@ -821,6 +823,8 @@ static int dw_mipi_dsi_rockchip_bind(str
+ goto out_pm_runtime;
+ }
+
++ dsi->dsi_bound = true;
++
+ return 0;
+
+ out_pm_runtime:
+@@ -840,6 +844,8 @@ static void dw_mipi_dsi_rockchip_unbind(
+ if (dsi->is_slave)
+ return;
+
++ dsi->dsi_bound = false;
++
+ dw_mipi_dsi_unbind(dsi->dmd);
+
+ clk_disable_unprepare(dsi->pllref_clk);
+@@ -904,6 +910,36 @@ static const struct dw_mipi_dsi_host_ops
+ .detach = dw_mipi_dsi_rockchip_host_detach,
+ };
+
++static int __maybe_unused dw_mipi_dsi_rockchip_resume(struct device *dev)
++{
++ struct dw_mipi_dsi_rockchip *dsi = dev_get_drvdata(dev);
++ int ret;
++
++ /*
++ * Re-configure DSI state, if we were previously initialized. We need
++ * to do this before rockchip_drm_drv tries to re-enable() any panels.
++ */
++ if (dsi->dsi_bound) {
++ ret = clk_prepare_enable(dsi->grf_clk);
++ if (ret) {
++ DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret);
++ return ret;
++ }
++
++ dw_mipi_dsi_rockchip_config(dsi);
++ if (dsi->slave)
++ dw_mipi_dsi_rockchip_config(dsi->slave);
++
++ clk_disable_unprepare(dsi->grf_clk);
++ }
++
++ return 0;
++}
++
++static const struct dev_pm_ops dw_mipi_dsi_rockchip_pm_ops = {
++ SET_LATE_SYSTEM_SLEEP_PM_OPS(NULL, dw_mipi_dsi_rockchip_resume)
++};
++
+ static int dw_mipi_dsi_rockchip_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -1089,6 +1125,7 @@ struct platform_driver dw_mipi_dsi_rockc
+ .remove = dw_mipi_dsi_rockchip_remove,
+ .driver = {
+ .of_match_table = dw_mipi_dsi_rockchip_dt_ids,
++ .pm = &dw_mipi_dsi_rockchip_pm_ops,
+ .name = "dw-mipi-dsi-rockchip",
+ },
+ };
diff --git a/queue-5.4/f2fs-fix-to-do-sanity-check-in-is_alive.patch b/queue-5.4/f2fs-fix-to-do-sanity-check-in-is_alive.patch
new file mode 100644
index 00000000000..13663dd5ebe
--- /dev/null
+++ b/queue-5.4/f2fs-fix-to-do-sanity-check-in-is_alive.patch
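Review bot: `dsi_bound` is written in bind() and unbind() and read in the new `dw_mipi_dsi_rockchip_resume()` with no lock or ordering visible in these hunks, and the field is added without a comment saying what it guards. If the late-resume callback can overlap with component bind or unbind (not determinable from the hunks), resume could run `dw_mipi_dsi_rockchip_config()` on a device that is only partly bound or already torn down. At minimum the field should be documented, for example `/* true between a successful bind() and unbind(); resume() re-applies the HW config only while set */`. In unbind the flag is cleared only after the `if (dsi->is_slave) return;` early exit, so whether a slave instance can keep a stale value depends on bind() code outside the hunk.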
@@ -0,0 +1,34 @@
+From 77900c45ee5cd5da63bd4d818a41dbdf367e81cd Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Mon, 6 Dec 2021 22:44:21 +0800
+Subject: f2fs: fix to do sanity check in is_alive()
+
+From: Chao Yu
+
+commit 77900c45ee5cd5da63bd4d818a41dbdf367e81cd upstream.
+
+In fuzzed image, SSA table may indicate that a data block belongs to
+invalid node, which node ID is out-of-range (0, 1, 2 or max_nid), in
+order to avoid migrating inconsistent data in such corrupted image,
+let's do sanity check anyway before data block migration.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/gc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -633,6 +633,9 @@ static bool is_alive(struct f2fs_sb_info
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ }
+
++ if (f2fs_check_nid_range(sbi, dni->ino))
++ return false;
++
+ *nofs = ofs_of_node(node_page);
+ source_blkaddr = datablock_addr(NULL, node_page, ofs_in_node);
+ f2fs_put_page(node_page, 1);
diff --git a/queue-5.4/iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch b/queue-5.4/iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch
new file mode 100644
index 00000000000..4d7be8c9f91
--- /dev/null
+++ b/queue-5.4/iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch
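Review bot: The new `return false` in is_alive() exits before the `f2fs_put_page(node_page, 1)` that the context shows three lines further down, so when the nid range check fails the node page appears to stay locked and referenced. This branch is taken precisely for corrupted or fuzzed images, which makes a leaked page lock here a plausible source of later stalls on that node page. The check should release the page before returning: add `f2fs_put_page(node_page, 1);` inside a braced body ahead of `return false;`. The acquisition of node_page lies above the hunk, so confirm that it is held at this point.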
@@ -0,0 +1,49 @@
+From a556cfe4cabc6d79cbb7733f118bbb420b376fe6 Mon Sep 17 00:00:00 2001
+From: Yunfei Wang
+Date: Tue, 7 Dec 2021 19:33:15 +0800
+Subject: iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure
+
+From: Yunfei Wang
+
+commit a556cfe4cabc6d79cbb7733f118bbb420b376fe6 upstream.
+
+In __arm_v7s_alloc_table function:
+iommu call kmem_cache_alloc to allocate page table, this function
+allocate memory may fail, when kmem_cache_alloc fails to allocate
+table, call virt_to_phys will be abnomal and return unexpected phys
+and goto out_free, then call kmem_cache_free to release table will
+trigger KE, __get_free_pages and free_pages have similar problem,
+so add error handle for page table allocation failure.
+
+Fixes: 29859aeb8a6e ("iommu/io-pgtable-arm-v7s: Abort allocation when table address overflows the PTE")
+Signed-off-by: Yunfei Wang
+Cc: # 5.10.*
+Acked-by: Robin Murphy
+Link: https://lore.kernel.org/r/20211207113315.29109-1-yf.wang@mediatek.com
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/io-pgtable-arm-v7s.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/io-pgtable-arm-v7s.c
++++ b/drivers/iommu/io-pgtable-arm-v7s.c
+@@ -244,13 +244,17 @@ static void *__arm_v7s_alloc_table(int l
+ __GFP_ZERO | ARM_V7S_TABLE_GFP_DMA, get_order(size));
+ else if (lvl == 2)
+ table = kmem_cache_zalloc(data->l2_tables, gfp);
++
++ if (!table)
++ return NULL;
++
+ phys = virt_to_phys(table);
+ if (phys != (arm_v7s_iopte)phys) {
+ /* Doesn't fit in PTE */
+ dev_err(dev, "Page table does not fit in PTE: %pa", &phys);
+ goto out_free;
+ }
+- if (table && !cfg->coherent_walk) {
++ if (!cfg->coherent_walk) {
+ dma = dma_map_single(dev, table, size, DMA_TO_DEVICE);
+ if (dma_mapping_error(dev, dma))
+ goto out_free;
diff --git a/queue-5.4/lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch b/queue-5.4/lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch
new file mode 100644
index 00000000000..78c0279453f
--- /dev/null
+++ b/queue-5.4/lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch
@@ -0,0 +1,55 @@
+From bc93a22a19eb2b68a16ecf04cdf4b2ed65aaf398 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Fri, 8 Oct 2021 18:58:40 +0200
+Subject: lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()
+
+From: Christophe Leroy
+
+commit bc93a22a19eb2b68a16ecf04cdf4b2ed65aaf398 upstream.
+
+On a kernel without CONFIG_STRICT_KERNEL_RWX, running EXEC_RODATA
+test leads to "Illegal instruction" failure.
+
+Looking at the content of rodata_objcopy.o, we see that the
+function content zeroes only:
+
+ Disassembly of section .rodata:
+
+ 0000000000000000 <.lkdtm_rodata_do_nothing>:
+ 0: 00 00 00 00 .long 0x0
+
+Add the contents flag in order to keep the content of the section
+while renaming it.
+
+ Disassembly of section .rodata:
+
+ 0000000000000000 <.lkdtm_rodata_do_nothing>:
+ 0: 4e 80 00 20 blr
+
+Fixes: e9e08a07385e ("lkdtm: support llvm-objcopy")
+Cc: stable@vger.kernel.org
+Cc: Kees Cook
+Cc: Arnd Bergmann
+Cc: Greg Kroah-Hartman
+Cc: Nick Desaulniers
+Cc: Nathan Chancellor
+Signed-off-by: Christophe Leroy
+Reviewed-by: Nick Desaulniers
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/8900731fbc05fb8b0de18af7133a8fc07c3c53a1.1633712176.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/lkdtm/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/lkdtm/Makefile
++++ b/drivers/misc/lkdtm/Makefile
+@@ -16,7 +16,7 @@ KCOV_INSTRUMENT_rodata.o := n
+
+ OBJCOPYFLAGS :=
+ OBJCOPYFLAGS_rodata_objcopy.o := \
+- --rename-section .noinstr.text=.rodata,alloc,readonly,load
++ --rename-section .noinstr.text=.rodata,alloc,readonly,load,contents
+ targets += rodata.o rodata_objcopy.o
+ $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
+ $(call if_changed,objcopy)
diff --git a/queue-5.4/media-cpia2-fix-control-message-timeouts.patch b/queue-5.4/media-cpia2-fix-control-message-timeouts.patch
new file mode 100644
index 00000000000..2c7f1de1ff7
--- /dev/null
+++ b/queue-5.4/media-cpia2-fix-control-message-timeouts.patch
@@ -0,0 +1,42 @@
+From 10729be03327f53258cb196362015ad5c6eabe02 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:16:37 +0100
+Subject: media: cpia2: fix control-message timeouts
+
+From: Johan Hovold
+
+commit 10729be03327f53258cb196362015ad5c6eabe02 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: ab33d5071de7 ("V4L/DVB (3376): Add cpia2 camera support")
+Cc: stable@vger.kernel.org # 2.6.17
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/cpia2/cpia2_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -550,7 +550,7 @@ static int write_packet(struct usb_devic
+ 0, /* index */
+ buf, /* buffer */
+ size,
+- HZ);
++ 1000);
+
+ kfree(buf);
+ return ret;
+@@ -582,7 +582,7 @@ static int read_packet(struct usb_device
+ 0, /* index */
+ buf, /* buffer */
+ size,
+- HZ);
++ 1000);
+
+ if (ret >= 0)
+ memcpy(registers, buf, size);
diff --git a/queue-5.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch b/queue-5.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch
new file mode 100644
index 00000000000..c61025614d0
--- /dev/null
+++ b/queue-5.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch
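Review bot: In the read_packet() hunk the context line `if (ret >= 0) memcpy(registers, buf, size);` copies the full `size` bytes even when usb_control_msg() reports a short transfer, so a device that answers with fewer bytes would hand whatever else is in `buf` to the caller. A stricter check such as `if (ret == size) memcpy(registers, buf, size);` with a short read mapped to `-EIO` would close that gap; how `buf` is allocated and what callers expect from the return value lies outside the hunk. The bare `1000` in both calls would also be easier to audit with a trailing `/* timeout in ms */` comment, matching the `/* index */` and `/* buffer */` annotations on the neighbouring arguments.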
@@ -0,0 +1,51 @@
+From f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 Mon Sep 17 00:00:00 2001
+From: Michael Kuron
+Date: Sun, 26 Sep 2021 21:51:26 +0100
+Subject: media: dib0700: fix undefined behavior in tuner shutdown
+
+From: Michael Kuron
+
+commit f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 upstream.
+
+This fixes a problem where closing the tuner would leave it in a state
+where it would not tune to any channel when reopened. This problem was
+discovered as part of https://github.com/hselasky/webcamd/issues/16.
+
+Since adap->id is 0 or 1, this bit-shift overflows, which is undefined
+behavior. The driver still worked in practice as the overflow would in
+most environments result in 0, which rendered the line a no-op. When
+running the driver as part of webcamd however, the overflow could lead
+to 0xff due to optimizations by the compiler, which would, in the end,
+improperly shut down the tuner.
+
+The bug is a regression introduced in the commit referenced below. The
+present patch causes identical behavior to before that commit for
+adap->id equal to 0 or 1. The driver does not contain support for
+dib0700 devices with more adapters, assuming such even exist.
+
+Tests have been performed with the Xbox One Digital TV Tuner on amd64.
+Not all dib0700 devices are expected to be affected by the regression;
+this code path is only taken by those with incorrect endpoint numbers.
+
+Link: https://lore.kernel.org/linux-media/1d2fc36d94ced6f67c7cc21dcc469d5e5bdd8201.1632689033.git.mchehab+huawei@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: 7757ddda6f4f ("[media] DiB0700: add function to change I2C-speed")
+Signed-off-by: Michael Kuron
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/dvb-usb/dib0700_core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dib0700_core.c
++++ b/drivers/media/usb/dvb-usb/dib0700_core.c
+@@ -616,8 +616,6 @@ int dib0700_streaming_ctrl(struct dvb_us
+ deb_info("the endpoint number (%i) is not correct, use the adapter id instead", adap->fe_adap[0].stream.props.endpoint);
+ if (onoff)
+ st->channel_state |= 1 << (adap->id);
+- else
+- st->channel_state |= 1 << ~(adap->id);
+ } else {
+ if (onoff)
+ st->channel_state |= 1 << (adap->fe_adap[0].stream.props.endpoint-2);
diff --git a/queue-5.4/media-em28xx-fix-control-message-timeouts.patch b/queue-5.4/media-em28xx-fix-control-message-timeouts.patch
new file mode 100644
index 00000000000..4ce3744ba3d
--- /dev/null
+++ b/queue-5.4/media-em28xx-fix-control-message-timeouts.patch
@@ -0,0 +1,42 @@
+From d9b7e8df3aa9b8c10708aab60e72e79ac08237e4 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:16:38 +0100
+Subject: media: em28xx: fix control-message timeouts
+
+From: Johan Hovold
+
+commit d9b7e8df3aa9b8c10708aab60e72e79ac08237e4 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: a6c2ba283565 ("[PATCH] v4l: 716: support for em28xx board family")
+Cc: stable@vger.kernel.org # 2.6.16
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/em28xx/em28xx-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-core.c
++++ b/drivers/media/usb/em28xx/em28xx-core.c
+@@ -89,7 +89,7 @@ int em28xx_read_reg_req_len(struct em28x
+ mutex_lock(&dev->ctrl_urb_lock);
+ ret = usb_control_msg(udev, pipe, req,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x0000, reg, dev->urb_buf, len, HZ);
++ 0x0000, reg, dev->urb_buf, len, 1000);
+ if (ret < 0) {
+ em28xx_regdbg("(pipe 0x%08x): IN: %02x %02x %02x %02x %02x %02x %02x %02x failed with error %i\n",
+ pipe,
+@@ -158,7 +158,7 @@ int em28xx_write_regs_req(struct em28xx
+ memcpy(dev->urb_buf, buf, len);
+ ret = usb_control_msg(udev, pipe, req,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x0000, reg, dev->urb_buf, len, HZ);
++ 0x0000, reg, dev->urb_buf, len, 1000);
+ mutex_unlock(&dev->ctrl_urb_lock);
+
+ if (ret < 0) {
diff --git a/queue-5.4/media-flexcop-usb-fix-control-message-timeouts.patch b/queue-5.4/media-flexcop-usb-fix-control-message-timeouts.patch
new file mode 100644
index 00000000000..51f894423c8
--- /dev/null
+++ b/queue-5.4/media-flexcop-usb-fix-control-message-timeouts.patch
@@ -0,0 +1,95 @@
+From cd1798a387825cc4a51282f5a611ad05bb1ad75f Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:16:36 +0100
+Subject: media: flexcop-usb: fix control-message timeouts
+
+From: Johan Hovold
+
+commit cd1798a387825cc4a51282f5a611ad05bb1ad75f upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Note that the driver was multiplying some of the timeout values with HZ
+twice resulting in 3000-second timeouts with HZ=1000.
+
+Also note that two of the timeout defines are currently unused.
+
+Fixes: 2154be651b90 ("[media] redrat3: new rc-core IR transceiver device driver")
+Cc: stable@vger.kernel.org # 3.0
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/b2c2/flexcop-usb.c | 10 +++++-----
+ drivers/media/usb/b2c2/flexcop-usb.h | 12 ++++++------
+ 2 files changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/usb/b2c2/flexcop-usb.c
++++ b/drivers/media/usb/b2c2/flexcop-usb.c
+@@ -87,7 +87,7 @@ static int flexcop_usb_readwrite_dw(stru
+ 0,
+ fc_usb->data,
+ sizeof(u32),
+- B2C2_WAIT_FOR_OPERATION_RDW * HZ);
++ B2C2_WAIT_FOR_OPERATION_RDW);
+
+ if (ret != sizeof(u32)) {
+ err("error while %s dword from %d (%d).", read ? "reading" :
+@@ -155,7 +155,7 @@ static int flexcop_usb_v8_memory_req(str
+ wIndex,
+ fc_usb->data,
+ buflen,
+- nWaitTime * HZ);
++ nWaitTime);
+ if (ret != buflen)
+ ret = -EIO;
+
+@@ -249,13 +249,13 @@ static int flexcop_usb_i2c_req(struct fl
+ /* DKT 020208 - add this to support special case of DiSEqC */
+ case USB_FUNC_I2C_CHECKWRITE:
+ pipe = B2C2_USB_CTRL_PIPE_OUT;
+- nWaitTime = 2;
++ nWaitTime = 2000;
+ request_type |= USB_DIR_OUT;
+ break;
+ case USB_FUNC_I2C_READ:
+ case USB_FUNC_I2C_REPEATREAD:
+ pipe = B2C2_USB_CTRL_PIPE_IN;
+- nWaitTime = 2;
++ nWaitTime = 2000;
+ request_type |= USB_DIR_IN;
+ break;
+ default:
+@@ -282,7 +282,7 @@ static int flexcop_usb_i2c_req(struct fl
+ wIndex,
+ fc_usb->data,
+ buflen,
+- nWaitTime * HZ);
++ nWaitTime);
+
+ if (ret != buflen)
+ ret = -EIO;
+--- a/drivers/media/usb/b2c2/flexcop-usb.h
++++ b/drivers/media/usb/b2c2/flexcop-usb.h
+@@ -91,13 +91,13 @@ typedef enum {
+ UTILITY_SRAM_TESTVERIFY = 0x16,
+ } flexcop_usb_utility_function_t;
+
+-#define B2C2_WAIT_FOR_OPERATION_RW (1*HZ)
+-#define B2C2_WAIT_FOR_OPERATION_RDW (3*HZ)
+-#define B2C2_WAIT_FOR_OPERATION_WDW (1*HZ)
++#define B2C2_WAIT_FOR_OPERATION_RW 1000
++#define B2C2_WAIT_FOR_OPERATION_RDW 3000
++#define B2C2_WAIT_FOR_OPERATION_WDW 1000
+
+-#define B2C2_WAIT_FOR_OPERATION_V8READ (3*HZ)
+-#define B2C2_WAIT_FOR_OPERATION_V8WRITE (3*HZ)
+-#define B2C2_WAIT_FOR_OPERATION_V8FLASH (3*HZ)
++#define B2C2_WAIT_FOR_OPERATION_V8READ 3000
++#define B2C2_WAIT_FOR_OPERATION_V8WRITE 3000
++#define B2C2_WAIT_FOR_OPERATION_V8FLASH 3000
+
+ typedef enum {
+ V8_MEMORY_PAGE_DVB_CI = 0x20,
diff --git a/queue-5.4/media-mceusb-fix-control-message-timeouts.patch b/queue-5.4/media-mceusb-fix-control-message-timeouts.patch
new file mode 100644
index 00000000000..5053f2f0497
--- /dev/null
+++ b/queue-5.4/media-mceusb-fix-control-message-timeouts.patch
@@ -0,0 +1,57 @@
+From 16394e998cbb050730536bdf7e89f5a70efbd974 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:16:34 +0100
+Subject: media: mceusb: fix control-message timeouts
+
+From: Johan Hovold
+
+commit 16394e998cbb050730536bdf7e89f5a70efbd974 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
+Cc: stable@vger.kernel.org # 2.6.36
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/rc/mceusb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1430,7 +1430,7 @@ static void mceusb_gen1_init(struct mceu
+ */
+ ret = usb_control_msg(ir->usbdev, usb_rcvctrlpipe(ir->usbdev, 0),
+ USB_REQ_SET_ADDRESS, USB_TYPE_VENDOR, 0, 0,
+- data, USB_CTRL_MSG_SZ, HZ * 3);
++ data, USB_CTRL_MSG_SZ, 3000);
+ dev_dbg(dev, "set address - ret = %d", ret);
+ dev_dbg(dev, "set address - data[0] = %d, data[1] = %d",
+ data[0], data[1]);
+@@ -1438,20 +1438,20 @@ static void mceusb_gen1_init(struct mceu
+ /* set feature: bit rate 38400 bps */
+ ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
+ USB_REQ_SET_FEATURE, USB_TYPE_VENDOR,
+- 0xc04e, 0x0000, NULL, 0, HZ * 3);
++ 0xc04e, 0x0000, NULL, 0, 3000);
+
+ dev_dbg(dev, "set feature - ret = %d", ret);
+
+ /* bRequest 4: set char length to 8 bits */
+ ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
+ 4, USB_TYPE_VENDOR,
+- 0x0808, 0x0000, NULL, 0, HZ * 3);
++ 0x0808, 0x0000, NULL, 0, 3000);
+ dev_dbg(dev, "set char length - retB = %d", ret);
+
+ /* bRequest 2: set handshaking to use DTR/DSR */
+ ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
+ 2, USB_TYPE_VENDOR,
+- 0x0000, 0x0100, NULL, 0, HZ * 3);
++ 0x0000, 0x0100, NULL, 0, 3000);
+ dev_dbg(dev, "set handshake - retC = %d", ret);
+
+ /* device resume */
diff --git a/queue-5.4/media-pvrusb2-fix-control-message-timeouts.patch b/queue-5.4/media-pvrusb2-fix-control-message-timeouts.patch
new file mode 100644
index 00000000000..fc66eba4dd1
--- /dev/null
+++ b/queue-5.4/media-pvrusb2-fix-control-message-timeouts.patch
@@ -0,0 +1,60 @@ +From b82bf9b9dc305d7d3d93eab106d70dbf2171b43e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:39 +0100 +Subject: media: pvrusb2: fix control-message timeouts + +From: Johan Hovold + +commit b82bf9b9dc305d7d3d93eab106d70dbf2171b43e upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18") +Cc: stable@vger.kernel.org # 2.6.18 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -1468,7 +1468,7 @@ static int pvr2_upload_firmware1(struct + for (address = 0; address < fwsize; address += 0x800) { + memcpy(fw_ptr, fw_entry->data + address, 0x800); + ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address, +- 0, fw_ptr, 0x800, HZ); ++ 0, fw_ptr, 0x800, 1000); + } + + trace_firmware("Upload done, releasing device's CPU"); +@@ -1606,7 +1606,7 @@ int pvr2_upload_firmware2(struct pvr2_hd + ((u32 *)fw_ptr)[icnt] = swab32(((u32 *)fw_ptr)[icnt]); + + ret |= usb_bulk_msg(hdw->usb_dev, pipe, fw_ptr,bcnt, +- &actual_length, HZ); ++ &actual_length, 1000); + ret |= (actual_length != bcnt); + if (ret) break; + fw_done += bcnt; +@@ -3439,7 +3439,7 @@ void pvr2_hdw_cpufw_set_enabled(struct p + 0xa0,0xc0, + address,0, + hdw->fw_buffer+address, +- 0x800,HZ); ++ 0x800,1000); + if (ret < 0) break; + } + +@@ -3978,7 +3978,7 @@ void pvr2_hdw_cpureset_assert(struct pvr + /* Write the CPUCS register on the 8051. The lsb of the register + is the reset bit; a 1 asserts reset while a 0 clears it. 
*/ + pipe = usb_sndctrlpipe(hdw->usb_dev, 0); +- ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,HZ); ++ ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,1000); + if (ret < 0) { + pvr2_trace(PVR2_TRACE_ERROR_LEGS, + "cpureset_assert(%d) error=%d",val,ret); diff --git a/queue-5.4/media-redrat3-fix-control-message-timeouts.patch b/queue-5.4/media-redrat3-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..5e5d9429e3c --- /dev/null +++ b/queue-5.4/media-redrat3-fix-control-message-timeouts.patch 
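Review bot: In pvr2_upload_firmware1 the loop does `ret += usb_control_msg(...)`, which adds negative error codes to positive byte counts and keeps sending the remaining 0x800-byte blocks after a transfer has failed or timed out. Stopping at the first error keeps the errno intact and avoids waiting out the timeout for every remaining block: `r = usb_control_msg(...); if (r < 0) { ret = r; break; } ret += r;`. pvr2_upload_firmware2 has a related pattern in `ret |= usb_bulk_msg(...)` followed by `ret |= (actual_length != bcnt)`, where OR-ing loses the original error code. Both functions extend outside the hunks, so how `ret` is evaluated afterwards is not visible here.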
@@ -0,0 +1,115 @@ +From 2adc965c8bfa224e11ecccf9c92fd458c4236428 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:35 +0100 +Subject: media: redrat3: fix control-message timeouts + +From: Johan Hovold + +commit 2adc965c8bfa224e11ecccf9c92fd458c4236428 upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 2154be651b90 ("[media] redrat3: new rc-core IR transceiver device driver") +Cc: stable@vger.kernel.org # 3.0 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/redrat3.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/media/rc/redrat3.c ++++ b/drivers/media/rc/redrat3.c +@@ -405,7 +405,7 @@ static int redrat3_send_cmd(int cmd, str + udev = rr3->udev; + res = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), cmd, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0x0000, 0x0000, data, sizeof(u8), HZ * 10); ++ 0x0000, 0x0000, data, sizeof(u8), 10000); + + if (res < 0) { + dev_err(rr3->dev, "%s: Error sending rr3 cmd res %d, data %d", +@@ -481,7 +481,7 @@ static u32 redrat3_get_timeout(struct re + pipe = usb_rcvctrlpipe(rr3->udev, 0); + ret = usb_control_msg(rr3->udev, pipe, RR3_GET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, HZ * 5); ++ RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, 5000); + if (ret != len) + dev_warn(rr3->dev, "Failed to read timeout from hardware\n"); + else { +@@ -511,7 +511,7 @@ static int redrat3_set_timeout(struct rc + ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + RR3_IR_IO_SIG_TIMEOUT, 0, timeout, sizeof(*timeout), +- HZ * 25); ++ 25000); + dev_dbg(dev, "set ir parm timeout %d ret 0x%02x\n", + be32_to_cpu(*timeout), ret); + +@@ -543,32 +543,32 @@ static void 
redrat3_reset(struct redrat3 + *val = 0x01; + rc = usb_control_msg(udev, rxpipe, RR3_RESET, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- RR3_CPUCS_REG_ADDR, 0, val, len, HZ * 25); ++ RR3_CPUCS_REG_ADDR, 0, val, len, 25000); + dev_dbg(dev, "reset returned 0x%02x\n", rc); + + *val = length_fuzz; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_LENGTH_FUZZ, 0, val, len, HZ * 25); ++ RR3_IR_IO_LENGTH_FUZZ, 0, val, len, 25000); + dev_dbg(dev, "set ir parm len fuzz %d rc 0x%02x\n", *val, rc); + + *val = (65536 - (minimum_pause * 2000)) / 256; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_MIN_PAUSE, 0, val, len, HZ * 25); ++ RR3_IR_IO_MIN_PAUSE, 0, val, len, 25000); + dev_dbg(dev, "set ir parm min pause %d rc 0x%02x\n", *val, rc); + + *val = periods_measure_carrier; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_PERIODS_MF, 0, val, len, HZ * 25); ++ RR3_IR_IO_PERIODS_MF, 0, val, len, 25000); + dev_dbg(dev, "set ir parm periods measure carrier %d rc 0x%02x", *val, + rc); + + *val = RR3_DRIVER_MAXLENS; + rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +- RR3_IR_IO_MAX_LENGTHS, 0, val, len, HZ * 25); ++ RR3_IR_IO_MAX_LENGTHS, 0, val, len, 25000); + dev_dbg(dev, "set ir parm max lens %d rc 0x%02x\n", *val, rc); + + kfree(val); +@@ -586,7 +586,7 @@ static void redrat3_get_firmware_rev(str + rc = usb_control_msg(rr3->udev, usb_rcvctrlpipe(rr3->udev, 0), + RR3_FW_VERSION, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0, 0, buffer, RR3_FW_VERSION_LEN, HZ * 5); ++ 0, 0, buffer, RR3_FW_VERSION_LEN, 5000); + + if (rc >= 0) + dev_info(rr3->dev, "Firmware rev: %s", buffer); +@@ -826,14 +826,14 @@ static int redrat3_transmit_ir(struct rc + + pipe = usb_sndbulkpipe(rr3->udev, 
rr3->ep_out->bEndpointAddress); + ret = usb_bulk_msg(rr3->udev, pipe, irdata, +- sendbuf_len, &ret_len, 10 * HZ); ++ sendbuf_len, &ret_len, 10000); + dev_dbg(dev, "sent %d bytes, (ret %d)\n", ret_len, ret); + + /* now tell the hardware to transmit what we sent it */ + pipe = usb_rcvctrlpipe(rr3->udev, 0); + ret = usb_control_msg(rr3->udev, pipe, RR3_TX_SEND_SIGNAL, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN, +- 0, 0, irdata, 2, HZ * 10); ++ 0, 0, irdata, 2, 10000); + + if (ret < 0) + dev_err(dev, "Error: control msg send failed, rc %d\n", ret); diff --git a/queue-5.4/media-s2255-fix-control-message-timeouts.patch b/queue-5.4/media-s2255-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..66921e087e7 --- /dev/null +++ b/queue-5.4/media-s2255-fix-control-message-timeouts.patch 
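Review bot: In redrat3_get_firmware_rev the device-supplied `buffer` is printed with `%s` whenever `rc >= 0`, so the print depends on a NUL terminator existing beyond the `RR3_FW_VERSION_LEN` bytes the device may fill. The allocation is outside the hunk; unless it is zeroed and one byte larger than the transfer length, bounding the print by the returned length is safer: `dev_info(rr3->dev, "Firmware rev: %.*s", rc, buffer);`. In redrat3_transmit_ir the result of usb_bulk_msg() is only logged with dev_dbg() before `ret` is overwritten by the next control request, so a failed or timed-out bulk write is still followed by RR3_TX_SEND_SIGNAL.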
@@ -0,0 +1,45 @@
+From f71d272ad4e354097020a4e6b1dc6e4b59feb50f Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:16:40 +0100
+Subject: media: s2255: fix control-message timeouts
+
+From: Johan Hovold
+
+commit f71d272ad4e354097020a4e6b1dc6e4b59feb50f upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Use the common control-message timeout define for the five-second
+timeouts.
+
+Fixes: 38f993ad8b1f ("V4L/DVB (8125): This driver adds support for the Sensoray 2255 devices.")
+Cc: stable@vger.kernel.org # 2.6.27
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/s2255/s2255drv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/s2255/s2255drv.c
++++ b/drivers/media/usb/s2255/s2255drv.c
+@@ -1884,7 +1884,7 @@ static long s2255_vendor_req(struct s225
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+ USB_DIR_IN,
+ Value, Index, buf,
+- TransferBufferLength, HZ * 5);
++ TransferBufferLength, USB_CTRL_SET_TIMEOUT);
+
+ if (r >= 0)
+ memcpy(TransferBuffer, buf, TransferBufferLength);
+@@ -1893,7 +1893,7 @@ static long s2255_vendor_req(struct s225
+ r = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+ Request, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ Value, Index, buf,
+- TransferBufferLength, HZ * 5);
++ TransferBufferLength, USB_CTRL_SET_TIMEOUT);
+ }
+ kfree(buf);
+ return r;
diff --git a/queue-5.4/media-stk1160-fix-control-message-timeouts.patch b/queue-5.4/media-stk1160-fix-control-message-timeouts.patch
new file mode 100644
index 00000000000..18eeb6f44e4
--- /dev/null
+++ b/queue-5.4/media-stk1160-fix-control-message-timeouts.patch
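Review bot: In the IN branch of s2255_vendor_req, `memcpy(TransferBuffer, buf, TransferBufferLength)` runs whenever `r >= 0`, so a short reply copies bytes of `buf` that the device never wrote. The allocation of `buf` is outside the hunk; if it is not zeroed, those bytes are stale heap contents handed back to the caller. Copying only what arrived, `memcpy(TransferBuffer, buf, r);`, or treating `r != TransferBufferLength` as an error, closes that. As a smaller point, the IN request now uses `USB_CTRL_SET_TIMEOUT`; `USB_CTRL_GET_TIMEOUT` is the define meant for reads and would read more naturally there.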
@@ -0,0 +1,42 @@
+From 6aa6e70cdb5b863a57bad61310bf89b6617a5d2d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:16:41 +0100
+Subject: media: stk1160: fix control-message timeouts
+
+From: Johan Hovold
+
+commit 6aa6e70cdb5b863a57bad61310bf89b6617a5d2d upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)")
+Cc: stable@vger.kernel.org # 3.7
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/stk1160/stk1160-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/stk1160/stk1160-core.c
++++ b/drivers/media/usb/stk1160/stk1160-core.c
+@@ -65,7 +65,7 @@ int stk1160_read_reg(struct stk1160 *dev
+ return -ENOMEM;
+ ret = usb_control_msg(dev->udev, pipe, 0x00,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- 0x00, reg, buf, sizeof(u8), HZ);
++ 0x00, reg, buf, sizeof(u8), 1000);
+ if (ret < 0) {
+ stk1160_err("read failed on reg 0x%x (%d)\n",
+ reg, ret);
+@@ -85,7 +85,7 @@ int stk1160_write_reg(struct stk1160 *de
+
+ ret = usb_control_msg(dev->udev, pipe, 0x01,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- value, reg, NULL, 0, HZ);
++ value, reg, NULL, 0, 1000);
+ if (ret < 0) {
+ stk1160_err("write failed on reg 0x%x (%d)\n",
+ reg, ret);
diff --git a/queue-5.4/media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch b/queue-5.4/media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch
new file mode 100644
index 00000000000..95a78eef251
--- /dev/null
+++ b/queue-5.4/media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch
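Review bot: stk1160_read_reg treats only `ret < 0` as failure, so a zero-length reply from the device passes the check although the one-byte `buf` was never written. The code that consumes `buf` is outside the hunk, but if it copies `*buf` to the caller the value would be whatever the allocation held. Checking the length instead, `if (ret != sizeof(u8))`, and mapping a short read to `-EIO` would make the register read all-or-nothing.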
@@ -0,0 +1,46 @@
+From cd9d9377ed235b294a492a094e1666178a5e78fd Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Wed, 3 Nov 2021 12:28:31 +0000
+Subject: media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE
+
+From: Hans Verkuil
+
+commit cd9d9377ed235b294a492a094e1666178a5e78fd upstream.
+
+If V4L2_CAP_READWRITE is not set, then readbuffers must be set to 0,
+otherwise v4l2-compliance will complain.
+
+A note on the Fixes tag below: this patch does not really fix that commit,
+but it can be applied from that commit onwards. For older code there is no
+guarantee that device_caps is set, so even though this patch would apply,
+it will not work reliably.
+
+Signed-off-by: Hans Verkuil
+Fixes: 049e684f2de9 (media: v4l2-dev: fix WARN_ON(!vdev->device_caps))
+Cc:
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -2046,6 +2046,7 @@ static int v4l_prepare_buf(const struct
+ static int v4l_g_parm(const struct v4l2_ioctl_ops *ops,
+ struct file *file, void *fh, void *arg)
+ {
++ struct video_device *vfd = video_devdata(file);
+ struct v4l2_streamparm *p = arg;
+ v4l2_std_id std;
+ int ret = check_fmt(file, p->type);
+@@ -2057,7 +2058,8 @@ static int v4l_g_parm(const struct v4l2_
+ if (p->type != V4L2_BUF_TYPE_VIDEO_CAPTURE &&
+ p->type != V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
+ return -EINVAL;
+- p->parm.capture.readbuffers = 2;
++ if (vfd->device_caps & V4L2_CAP_READWRITE)
++ p->parm.capture.readbuffers = 2;
+ ret = ops->vidioc_g_std(file, fh, &std);
+ if (ret == 0)
+ v4l2_video_std_frame_period(std, &p->parm.capture.timeperframe);
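Review bot: When `V4L2_CAP_READWRITE` is not set, v4l_g_parm now leaves `p->parm.capture.readbuffers` untouched, so the 0 that the commit message requires depends on `p` having been cleared before this function runs, which the hunk does not show. A comment would record that dependency, e.g. `/* readbuffers stays 0 without read() support; relies on the caller having zeroed parm */`, or an explicit `else p->parm.capture.readbuffers = 0;` would make the function self-contained. `vfd->device_caps` is also read unconditionally, and the commit message itself says it is not guaranteed to be set in older code, which matters when deciding how far back this patch is applied.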
diff --git a/queue-5.4/mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch b/queue-5.4/mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch
new file mode 100644
index 00000000000..6485bc6e901
--- /dev/null
+++ b/queue-5.4/mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch
@@ -0,0 +1,98 @@ +From c4dc63f0032c77464fbd4e7a6afc22fa6913c4a7 Mon Sep 17 00:00:00 2001 +From: Baoquan He +Date: Fri, 14 Jan 2022 14:07:44 -0800 +Subject: mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pages + +From: Baoquan He + +commit c4dc63f0032c77464fbd4e7a6afc22fa6913c4a7 upstream. + +In kdump kernel of x86_64, page allocation failure is observed: + + kworker/u2:2: page allocation failure: order:0, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0 + CPU: 0 PID: 55 Comm: kworker/u2:2 Not tainted 5.16.0-rc4+ #5 + Hardware name: AMD Dinar/Dinar, BIOS RDN1505B 06/05/2013 + Workqueue: events_unbound async_run_entry_fn + Call Trace: + + dump_stack_lvl+0x48/0x5e + warn_alloc.cold+0x72/0xd6 + __alloc_pages_slowpath.constprop.0+0xc69/0xcd0 + __alloc_pages+0x1df/0x210 + new_slab+0x389/0x4d0 + ___slab_alloc+0x58f/0x770 + __slab_alloc.constprop.0+0x4a/0x80 + kmem_cache_alloc_trace+0x24b/0x2c0 + sr_probe+0x1db/0x620 + ...... + device_add+0x405/0x920 + ...... + __scsi_add_device+0xe5/0x100 + ata_scsi_scan_host+0x97/0x1d0 + async_run_entry_fn+0x30/0x130 + process_one_work+0x1e8/0x3c0 + worker_thread+0x50/0x3b0 + ? rescuer_thread+0x350/0x350 + kthread+0x16b/0x190 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x22/0x30 + + Mem-Info: + ...... + +The above failure happened when calling kmalloc() to allocate buffer with +GFP_DMA. It requests to allocate slab page from DMA zone while no managed +pages at all in there. + + sr_probe() + --> get_capabilities() + --> buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); + +Because in the current kernel, dma-kmalloc will be created as long as +CONFIG_ZONE_DMA is enabled. However, kdump kernel of x86_64 doesn't have +managed pages on DMA zone since commit 6f599d84231f ("x86/kdump: Always +reserve the low 1M when the crashkernel option is specified"). The +failure can be always reproduced. 
+ +For now, let's mute the warning of allocation failure if requesting pages +from DMA zone while no managed pages. + +[akpm@linux-foundation.org: fix warning] + +Link: https://lkml.kernel.org/r/20211223094435.248523-4-bhe@redhat.com +Fixes: 6f599d84231f ("x86/kdump: Always reserve the low 1M when the crashkernel option is specified") +Signed-off-by: Baoquan He +Acked-by: John Donnelly +Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Vlastimil Babka +Cc: Borislav Petkov +Cc: Christoph Hellwig +Cc: David Hildenbrand +Cc: David Laight +Cc: Marek Szyprowski +Cc: Robin Murphy +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3767,7 +3767,9 @@ void warn_alloc(gfp_t gfp_mask, nodemask + va_list args; + static DEFINE_RATELIMIT_STATE(nopage_rs, 10*HZ, 1); + +- if ((gfp_mask & __GFP_NOWARN) || !__ratelimit(&nopage_rs)) ++ if ((gfp_mask & __GFP_NOWARN) || ++ !__ratelimit(&nopage_rs) || ++ ((gfp_mask & __GFP_DMA) && !has_managed_dma())) + return; + + va_start(args, fmt); diff --git a/queue-5.4/mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch b/queue-5.4/mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch new file mode 100644 index 00000000000..08ccc77c3f6 --- /dev/null +++ b/queue-5.4/mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch 
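Review bot: The new clause in warn_alloc calls `has_managed_dma()`, which this tree only gains from the mm_zone patch added in the same commit, so this patch has to come after it in the queue's series file (not visible here) or the build breaks. The clause also suppresses the report for every failed `__GFP_DMA` allocation on such systems without leaving any trace of why. A comment on it, e.g. `/* kdump kernels may have no managed pages in ZONE_DMA; failure is expected there */`, would tell the next reader why the warning is skipped. warn_alloc's body continues outside the hunk.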
@@ -0,0 +1,169 @@ +From 62b3107073646e0946bd97ff926832bafb846d17 Mon Sep 17 00:00:00 2001 +From: Baoquan He +Date: Fri, 14 Jan 2022 14:07:37 -0800 +Subject: mm_zone: add function to check if managed dma zone exists + +From: Baoquan He + +commit 62b3107073646e0946bd97ff926832bafb846d17 upstream. + +Patch series "Handle warning of allocation failure on DMA zone w/o +managed pages", v4. + +**Problem observed: +On x86_64, when crash is triggered and entering into kdump kernel, page +allocation failure can always be seen. + + --------------------------------- + DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations + swapper/0: page allocation failure: order:5, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0 + CPU: 0 PID: 1 Comm: swapper/0 + Call Trace: + dump_stack+0x7f/0xa1 + warn_alloc.cold+0x72/0xd6 + ...... + __alloc_pages+0x24d/0x2c0 + ...... + dma_atomic_pool_init+0xdb/0x176 + do_one_initcall+0x67/0x320 + ? rcu_read_lock_sched_held+0x3f/0x80 + kernel_init_freeable+0x290/0x2dc + ? rest_init+0x24f/0x24f + kernel_init+0xa/0x111 + ret_from_fork+0x22/0x30 + Mem-Info: + ------------------------------------ + +***Root cause: +In the current kernel, it assumes that DMA zone must have managed pages +and try to request pages if CONFIG_ZONE_DMA is enabled. While this is not +always true. E.g in kdump kernel of x86_64, only low 1M is presented and +locked down at very early stage of boot, so that this low 1M won't be +added into buddy allocator to become managed pages of DMA zone. This +exception will always cause page allocation failure if page is requested +from DMA zone. + +***Investigation: +This failure happens since below commit merged into linus's tree. 
+ 1a6a9044b967 x86/setup: Remove CONFIG_X86_RESERVE_LOW and reservelow= options + 23721c8e92f7 x86/crash: Remove crash_reserve_low_1M() + f1d4d47c5851 x86/setup: Always reserve the first 1M of RAM + 7c321eb2b843 x86/kdump: Remove the backup region handling + 6f599d84231f x86/kdump: Always reserve the low 1M when the crashkernel option is specified + +Before them, on x86_64, the low 640K area will be reused by kdump kernel. +So in kdump kernel, the content of low 640K area is copied into a backup +region for dumping before jumping into kdump. Then except of those firmware +reserved region in [0, 640K], the left area will be added into buddy +allocator to become available managed pages of DMA zone. + +However, after above commits applied, in kdump kernel of x86_64, the low +1M is reserved by memblock, but not released to buddy allocator. So any +later page allocation requested from DMA zone will fail. + +At the beginning, if crashkernel is reserved, the low 1M need be locked +down because AMD SME encrypts memory making the old backup region +mechanims impossible when switching into kdump kernel. + +Later, it was also observed that there are BIOSes corrupting memory +under 1M. To solve this, in commit f1d4d47c5851, the entire region of +low 1M is always reserved after the real mode trampoline is allocated. + +Besides, recently, Intel engineer mentioned their TDX (Trusted domain +extensions) which is under development in kernel also needs to lock down +the low 1M. So we can't simply revert above commits to fix the page allocation +failure from DMA zone as someone suggested. + +***Solution: +Currently, only DMA atomic pool and dma-kmalloc will initialize and +request page allocation with GFP_DMA during bootup. + +So only initializ DMA atomic pool when DMA zone has available managed +pages, otherwise just skip the initialization. 
+ +For dma-kmalloc(), for the time being, let's mute the warning of +allocation failure if requesting pages from DMA zone while no manged +pages. Meanwhile, change code to use dma_alloc_xx/dma_map_xx API to +replace kmalloc(GFP_DMA), or do not use GFP_DMA when calling kmalloc() if +not necessary. Christoph is posting patches to fix those under +drivers/scsi/. Finally, we can remove the need of dma-kmalloc() as people +suggested. + +This patch (of 3): + +In some places of the current kernel, it assumes that dma zone must have +managed pages if CONFIG_ZONE_DMA is enabled. While this is not always +true. E.g in kdump kernel of x86_64, only low 1M is presented and locked +down at very early stage of boot, so that there's no managed pages at all +in DMA zone. This exception will always cause page allocation failure if +page is requested from DMA zone. + +Here add function has_managed_dma() and the relevant helper functions to +check if there's DMA zone with managed pages. It will be used in later +patches. 
+ +Link: https://lkml.kernel.org/r/20211223094435.248523-1-bhe@redhat.com +Link: https://lkml.kernel.org/r/20211223094435.248523-2-bhe@redhat.com +Fixes: 6f599d84231f ("x86/kdump: Always reserve the low 1M when the crashkernel option is specified") +Signed-off-by: Baoquan He +Reviewed-by: David Hildenbrand +Acked-by: John Donnelly +Cc: Christoph Hellwig +Cc: Christoph Lameter +Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Vlastimil Babka +Cc: David Laight +Cc: Borislav Petkov +Cc: Marek Szyprowski +Cc: Robin Murphy +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mmzone.h | 9 +++++++++ + mm/page_alloc.c | 15 +++++++++++++++ + 2 files changed, 24 insertions(+) + +--- a/include/linux/mmzone.h ++++ b/include/linux/mmzone.h +@@ -929,6 +929,15 @@ static inline int is_highmem_idx(enum zo + #endif + } + ++#ifdef CONFIG_ZONE_DMA ++bool has_managed_dma(void); ++#else ++static inline bool has_managed_dma(void) ++{ ++ return false; ++} ++#endif ++ + /** + * is_highmem - helper function to quickly check if a struct zone is a + * highmem zone or not. This is an attempt to keep references +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -8694,3 +8694,18 @@ bool set_hwpoison_free_buddy_page(struct + return hwpoisoned; + } + #endif ++ ++#ifdef CONFIG_ZONE_DMA ++bool has_managed_dma(void) ++{ ++ struct pglist_data *pgdat; ++ ++ for_each_online_pgdat(pgdat) { ++ struct zone *zone = &pgdat->node_zones[ZONE_DMA]; ++ ++ if (managed_zone(zone)) ++ return true; ++ } ++ return false; ++} ++#endif /* CONFIG_ZONE_DMA */ diff --git a/queue-5.4/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch b/queue-5.4/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch new file mode 100644 index 00000000000..d216b45332a --- /dev/null +++ b/queue-5.4/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch 
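Review bot: The `!CONFIG_ZONE_DMA` stub of has_managed_dma() in mmzone.h returns false, which a caller cannot tell apart from "ZONE_DMA exists but has no managed pages". A test such as `(gfp_mask & __GFP_DMA) && !has_managed_dma()` is therefore true on every kernel built without ZONE_DMA. Neither definition carries a comment; one line on the declaration stating both meanings would prevent misuse, e.g. `/* false if no online node has managed pages in ZONE_DMA, or if ZONE_DMA is compiled out */`. The mm/page_alloc.c version walks all online nodes on each call, which suits a warning path but is worth stating for anyone who later calls it from a hot path.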
@@ -0,0 +1,103 @@ +From f53d4c109a666bf1a4883b45d546fba079258717 Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Tue, 2 Nov 2021 21:20:22 +0100 +Subject: mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings + +From: Christian Eggers + +commit f53d4c109a666bf1a4883b45d546fba079258717 upstream. + +gpmi_io clock needs to be gated off when changing the parent/dividers of +enfc_clk_root (i.MX6Q/i.MX6UL) respectively qspi2_clk_root (i.MX6SX). +Otherwise this rate change can lead to an unresponsive GPMI core which +results in DMA timeouts and failed driver probe: + +[ 4.072318] gpmi-nand 112000.gpmi-nand: DMA timeout, last DMA +... +[ 4.370355] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -110 +... +[ 4.375988] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22 +[ 4.381524] gpmi-nand 112000.gpmi-nand: Error in ECC-based read: -22 +[ 4.387988] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22 +[ 4.393535] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22 +... + +Other than stated in i.MX 6 erratum ERR007117, it should be sufficient +to gate only gpmi_io because all other bch/nand clocks are derived from +different clock roots. + +The i.MX6 reference manuals state that changing clock muxers can cause +glitches but are silent about changing dividers. But tests showed that +these glitches can definitely happen on i.MX6ULL. For i.MX7D/8MM in turn, +the manual guarantees that no glitches can happen when changing +dividers. 
+ +Co-developed-by: Stefan Riedmueller +Signed-off-by: Stefan Riedmueller +Signed-off-by: Christian Eggers +Cc: stable@vger.kernel.org +Acked-by: Han Xu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20211102202022.15551-2-ceggers@arri.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c +@@ -710,14 +710,32 @@ static void gpmi_nfc_compute_timings(str + (use_half_period ? BM_GPMI_CTRL1_HALF_PERIOD : 0); + } + +-static void gpmi_nfc_apply_timings(struct gpmi_nand_data *this) ++static int gpmi_nfc_apply_timings(struct gpmi_nand_data *this) + { + struct gpmi_nfc_hardware_timing *hw = &this->hw; + struct resources *r = &this->resources; + void __iomem *gpmi_regs = r->gpmi_regs; + unsigned int dll_wait_time_us; ++ int ret; ++ ++ /* Clock dividers do NOT guarantee a clean clock signal on its output ++ * during the change of the divide factor on i.MX6Q/UL/SX. On i.MX7/8, ++ * all clock dividers provide these guarantee. ++ */ ++ if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) ++ clk_disable_unprepare(r->clock[0]); ++ ++ ret = clk_set_rate(r->clock[0], hw->clk_rate); ++ if (ret) { ++ dev_err(this->dev, "cannot set clock rate to %lu Hz: %d\n", hw->clk_rate, ret); ++ return ret; ++ } + +- clk_set_rate(r->clock[0], hw->clk_rate); ++ if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) { ++ ret = clk_prepare_enable(r->clock[0]); ++ if (ret) ++ return ret; ++ } + + writel(hw->timing0, gpmi_regs + HW_GPMI_TIMING0); + writel(hw->timing1, gpmi_regs + HW_GPMI_TIMING1); +@@ -736,6 +754,8 @@ static void gpmi_nfc_apply_timings(struc + + /* Wait for the DLL to settle. 
*/ + udelay(dll_wait_time_us); ++ ++ return 0; + } + + static int gpmi_setup_data_interface(struct nand_chip *chip, int chipnr, +@@ -2429,7 +2449,9 @@ static int gpmi_nfc_exec_op(struct nand_ + */ + if (this->hw.must_apply_timings) { + this->hw.must_apply_timings = false; +- gpmi_nfc_apply_timings(this); ++ ret = gpmi_nfc_apply_timings(this); ++ if (ret) ++ return ret; + } + + dev_dbg(this->dev, "%s: %d instructions\n", __func__, op->ninstrs); diff --git a/queue-5.4/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch b/queue-5.4/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch new file mode 100644 index 00000000000..c231e8e33ab --- /dev/null +++ b/queue-5.4/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch 
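Review bot: In gpmi_nfc_apply_timings the error return after `clk_set_rate()` leaves `r->clock[0]` disabled on i.MX6Q/SX, because `clk_disable_unprepare()` has already run and the matching `clk_prepare_enable()` is only reached on success. That unbalances the clock's enable count for whatever disables it later. Re-enabling before the return keeps it balanced: `if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) clk_prepare_enable(r->clock[0]);` inside the `if (ret)` block. In gpmi_nfc_exec_op, `must_apply_timings` is cleared before the call, so a failed attempt is not retried on the next operation, and the early `return ret` should be checked against whatever cleanup the rest of that function (outside the hunk) performs.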
@@ -0,0 +1,40 @@
+From aa1baa0e6c1aa4872e481dce4fc7fd6f3dd8496b Mon Sep 17 00:00:00 2001
+From: Stefan Riedmueller
+Date: Tue, 2 Nov 2021 21:20:21 +0100
+Subject: mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6
+
+From: Stefan Riedmueller
+
+commit aa1baa0e6c1aa4872e481dce4fc7fd6f3dd8496b upstream.
+
+There is no need to explicitly set the default gpmi clock rate during
+boot for the i.MX 6 since this is done during nand_detect anyway.
+
+Signed-off-by: Stefan Riedmueller
+Cc: stable@vger.kernel.org
+Acked-by: Han Xu
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20211102202022.15551-1-ceggers@arri.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+@@ -1204,15 +1204,6 @@ static int gpmi_get_clks(struct gpmi_nan
+ r->clock[i] = clk;
+ }
+
+- if (GPMI_IS_MX6(this))
+- /*
+- * Set the default value for the gpmi clock.
+- *
+- * If you want to use the ONFI nand which is in the
+- * Synchronous Mode, you should change the clock as you need.
+- */
+- clk_set_rate(r->clock[0], 22000000);
+-
+ return 0;
+
+ err_clock:
diff --git a/queue-5.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch b/queue-5.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
new file mode 100644
index 00000000000..c59f823e24a
--- /dev/null
+++ b/queue-5.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
@@ -0,0 +1,102 @@ +From dded08927ca3c31a5c37f8e7f95fe98770475dd4 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 19 Jan 2022 08:48:16 +0100 +Subject: nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() + +From: Krzysztof Kozlowski + +commit dded08927ca3c31a5c37f8e7f95fe98770475dd4 upstream. + +Syzbot detected a NULL pointer dereference of nfc_llcp_sock->dev pointer +(which is a 'struct nfc_dev *') with calls to llcp_sock_sendmsg() after +a failed llcp_sock_bind(). The message being sent is a SOCK_DGRAM. + +KASAN report: + + BUG: KASAN: null-ptr-deref in nfc_alloc_send_skb+0x2d/0xc0 + Read of size 4 at addr 00000000000005c8 by task llcp_sock_nfc_a/899 + + CPU: 5 PID: 899 Comm: llcp_sock_nfc_a Not tainted 5.16.0-rc6-next-20211224-00001-gc6437fbf18b0 #125 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 + Call Trace: + + dump_stack_lvl+0x45/0x59 + ? nfc_alloc_send_skb+0x2d/0xc0 + __kasan_report.cold+0x117/0x11c + ? mark_lock+0x480/0x4f0 + ? nfc_alloc_send_skb+0x2d/0xc0 + kasan_report+0x38/0x50 + nfc_alloc_send_skb+0x2d/0xc0 + nfc_llcp_send_ui_frame+0x18c/0x2a0 + ? nfc_llcp_send_i_frame+0x230/0x230 + ? __local_bh_enable_ip+0x86/0xe0 + ? llcp_sock_connect+0x470/0x470 + ? llcp_sock_connect+0x470/0x470 + sock_sendmsg+0x8e/0xa0 + ____sys_sendmsg+0x253/0x3f0 + ... + +The issue was visible only with multiple simultaneous calls to bind() and +sendmsg(), which resulted in most of the bind() calls to fail. The +bind() was failing on checking if there is available WKS/SDP/SAP +(respective bit in 'struct nfc_llcp_local' fields). When there was no +available WKS/SDP/SAP, the bind returned error but the sendmsg() to such +socket was able to trigger mentioned NULL pointer dereference of +nfc_llcp_sock->dev. + +The code looks simply racy and currently it protects several paths +against race with checks for (!nfc_llcp_sock->local) which is NULL-ified +in error paths of bind(). 
The llcp_sock_sendmsg() did not have such +check but called function nfc_llcp_send_ui_frame() had, although not +protected with lock_sock(). + +Therefore the race could look like (same socket is used all the time): + CPU0 CPU1 + ==== ==== + llcp_sock_bind() + - lock_sock() + - success + - release_sock() + - return 0 + llcp_sock_sendmsg() + - lock_sock() + - release_sock() + llcp_sock_bind(), same socket + - lock_sock() + - error + - nfc_llcp_send_ui_frame() + - if (!llcp_sock->local) + - llcp_sock->local = NULL + - nfc_put_device(dev) + - dereference llcp_sock->dev + - release_sock() + - return -ERRNO + +The nfc_llcp_send_ui_frame() checked llcp_sock->local outside of the +lock, which is racy and ineffective check. Instead, its caller +llcp_sock_sendmsg(), should perform the check inside lock_sock(). + +Reported-and-tested-by: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com +Fixes: b874dec21d1c ("NFC: Implement LLCP connection less Tx path") +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -789,6 +789,11 @@ static int llcp_sock_sendmsg(struct sock + + lock_sock(sk); + ++ if (!llcp_sock->local) { ++ release_sock(sk); ++ return -ENODEV; ++ } ++ + if (sk->sk_type == SOCK_DGRAM) { + DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr, + msg->msg_name); diff --git a/queue-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch b/queue-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch new file mode 100644 index 00000000000..9c2441948c0 --- /dev/null +++ b/queue-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch 
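Review bot: The new `!llcp_sock->local` test in llcp_sock_sendmsg runs under lock_sock(), but the commit message's own diagram shows the SOCK_DGRAM path calling release_sock() before nfc_llcp_send_ui_frame(), which still reads `llcp_sock->local` and `llcp_sock->dev` without the lock. If that ordering holds in this tree (the rest of the function is outside the hunk), a failing bind() on the same socket between the release and the frame send can still clear those pointers, so the check narrows the window rather than closing it. A comment on the check saying what it does and does not cover, e.g. `/* local is cleared by a failed bind(); checked under the socket lock, which is not held across the send below */`, would keep that limitation visible to whoever touches the DGRAM path next.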
@@ -0,0 +1,57 @@
+From e445375882883f69018aa669b67cbb37ec873406 Mon Sep 17 00:00:00 2001
+From: Yifeng Li
+Date: Thu, 2 Dec 2021 06:35:21 +0000
+Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yifeng Li
+
+commit e445375882883f69018aa669b67cbb37ec873406 upstream.
+
+Like other SATA controller chips in the Marvell 88SE91xx series, the
+Marvell 88SE9125 has the same DMA requester ID hardware bug that prevents
+it from working under IOMMU. Add it to the list of devices that need the
+quirk.
+
+Without this patch, device initialization fails with DMA errors:
+
+ ata8: softreset failed (1st FIS failed)
+ DMAR: DRHD: handling fault status reg 2
+ DMAR: [DMA Write NO_PASID] Request device [03:00.1] fault addr 0xfffc0000 [fault reason 0x02] Present bit in context entry is clear
+ DMAR: DRHD: handling fault status reg 2
+ DMAR: [DMA Read NO_PASID] Request device [03:00.1] fault addr 0xfffc0000 [fault reason 0x02] Present bit in context entry is clear
+
+After applying the patch, the controller can be successfully initialized:
+
+ ata8: SATA link up 1.5 Gbps (SStatus 113 SControl 330)
+ ata8.00: ATAPI: PIONEER BD-RW BDR-207M, 1.21, max UDMA/100
+ ata8.00: configured for UDMA/100
+ scsi 7:0:0:0: CD-ROM PIONEER BD-RW BDR-207M 1.21 PQ: 0 ANSI: 5
+
+Link: https://lore.kernel.org/r/YahpKVR+McJVDdkD@work
+Reported-by: Sam Bingner
+Tested-by: Sam Bingner
+Tested-by: Yifeng Li
+Signed-off-by: Yifeng Li
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Krzysztof Wilczyński
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4134,6 +4134,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
+ quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
+ quirk_dma_func1_alias);
++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c136 */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9125,
++ quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128,
+ quirk_dma_func1_alias);
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
diff --git a/queue-5.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch b/queue-5.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch
new file mode 100644
index 00000000000..805222c1085
--- /dev/null
+++ b/queue-5.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch
@@ -0,0 +1,49 @@
+From 454f47ff464325223129b9b5b8d0b61946ec704d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mateusz=20Jo=C5=84czyk?=
+Date: Fri, 10 Dec 2021 21:01:23 +0100
+Subject: rtc: cmos: take rtc_lock while reading from CMOS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Jończyk
+
+commit 454f47ff464325223129b9b5b8d0b61946ec704d upstream.
+
+Reading from the CMOS involves writing to the index register and then
+reading from the data register. Therefore access to the CMOS has to be
+serialized with rtc_lock. This invocation of CMOS_READ was not
+serialized, which could cause trouble when other code is accessing CMOS
+at the same time.
+
+Use spin_lock_irq() like the rest of the function.
+
+Nothing in kernel modifies the RTC_DM_BINARY bit, so there could be a
+separate pair of spin_lock_irq() / spin_unlock_irq() before doing the
+math.
+
+Signed-off-by: Mateusz Jończyk
+Reviewed-by: Nobuhiro Iwamatsu
+Cc: Alessandro Zummo
+Cc: Alexandre Belloni
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandre Belloni
+Link: https://lore.kernel.org/r/20211210200131.153887-2-mat.jonczyk@o2.pl
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-cmos.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -463,7 +463,10 @@ static int cmos_set_alarm(struct device
+ min = t->time.tm_min;
+ sec = t->time.tm_sec;
+
++ spin_lock_irq(&rtc_lock);
+ rtc_control = CMOS_READ(RTC_CONTROL);
++ spin_unlock_irq(&rtc_lock);
++
+ if (!(rtc_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) {
+ /* Writing 0xff means "don't care" or "match all". */
+ mon = (mon <= 12) ? bin2bcd(mon) : 0xff;
diff --git a/queue-5.4/series b/queue-5.4/series
index b51a63f8c4f..f23fac9bc2b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
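Review bot: The lock added around `CMOS_READ(RTC_CONTROL)` in cmos_set_alarm() is dropped before `rtc_control` is tested for `RTC_DM_BINARY`, and nothing in the code says why using the value after `spin_unlock_irq()` is safe. The commit message gives the reason (nothing in the kernel modifies that bit), but that will not be visible to someone reading the function later. I would add a comment above the read, for example `/* RTC_DM_BINARY is never changed by the kernel, so rtc_control stays valid after rtc_lock is dropped */`. The function body continues outside the hunk.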
@@ -2,3 +2,32 @@ hid-uhid-fix-worker-destroying-device-without-any-protection.patch
 hid-wacom-reset-expected-and-received-contact-counts-at-the-same-time.patch
 hid-wacom-ignore-the-confidence-flag-when-a-touch-is-removed.patch
 hid-wacom-avoid-using-stale-array-indicies-to-read-contact-count.patch
+f2fs-fix-to-do-sanity-check-in-is_alive.patch
+nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
+mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
+mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
+x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch
+tools-nolibc-x86-64-fix-startup-code-bug.patch
+tools-nolibc-i386-fix-initial-stack-alignment.patch
+tools-nolibc-fix-incorrect-truncation-of-exit-code.patch
+rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch
+media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch
+media-flexcop-usb-fix-control-message-timeouts.patch
+media-mceusb-fix-control-message-timeouts.patch
+media-em28xx-fix-control-message-timeouts.patch
+media-cpia2-fix-control-message-timeouts.patch
+media-s2255-fix-control-message-timeouts.patch
+media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch
+media-redrat3-fix-control-message-timeouts.patch
+media-pvrusb2-fix-control-message-timeouts.patch
+media-stk1160-fix-control-message-timeouts.patch
+can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch
+lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch
+iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch
+dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch
+pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch
+mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch
+mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch
+shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch
+drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch
+drm-rockchip-dsi-reconfigure-hardware-on-resume.patch
diff --git a/queue-5.4/shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch b/queue-5.4/shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch
new file mode 100644
index 00000000000..6d46ac39c0c
--- /dev/null
+++ b/queue-5.4/shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch
@@ -0,0 +1,172 @@
+From 62c9827cbb996c2c04f615ecd783ce28bcea894b Mon Sep 17 00:00:00 2001
+From: Gang Li
+Date: Fri, 14 Jan 2022 14:05:23 -0800
+Subject: shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
+
+From: Gang Li
+
+commit 62c9827cbb996c2c04f615ecd783ce28bcea894b upstream.
+
+Fix a data race in commit 779750d20b93 ("shmem: split huge pages beyond
+i_size under memory pressure").
+
+Here are call traces causing race:
+
+ Call Trace 1:
+ shmem_unused_huge_shrink+0x3ae/0x410
+ ? __list_lru_walk_one.isra.5+0x33/0x160
+ super_cache_scan+0x17c/0x190
+ shrink_slab.part.55+0x1ef/0x3f0
+ shrink_node+0x10e/0x330
+ kswapd+0x380/0x740
+ kthread+0xfc/0x130
+ ? mem_cgroup_shrink_node+0x170/0x170
+ ? kthread_create_on_node+0x70/0x70
+ ret_from_fork+0x1f/0x30
+
+ Call Trace 2:
+ shmem_evict_inode+0xd8/0x190
+ evict+0xbe/0x1c0
+ do_unlinkat+0x137/0x330
+ do_syscall_64+0x76/0x120
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+A simple explanation:
+
+Image there are 3 items in the local list (@list). In the first
+traversal, A is not deleted from @list.
+
+ 1) A->B->C
+ ^
+ |
+ pos (leave)
+
+In the second traversal, B is deleted from @list. Concurrently, A is
+deleted from @list through shmem_evict_inode() since last reference
+counter of inode is dropped by other thread. Then the @list is corrupted.
+
+ 2) A->B->C
+ ^ ^
+ | |
+ evict pos (drop)
+
+We should make sure the inode is either on the global list or deleted from
+any local list before iput().
+
+Fixed by moving inodes back to global list before we put them.
+
+[akpm@linux-foundation.org: coding style fixes]
+
+Link: https://lkml.kernel.org/r/20211125064502.99983-1-ligang.bdlg@bytedance.com
+Fixes: 779750d20b93 ("shmem: split huge pages beyond i_size under memory pressure")
+Signed-off-by: Gang Li
+Reviewed-by: Muchun Song
+Acked-by: Kirill A. Shutemov
+Cc: Hugh Dickins
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/shmem.c | 37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -466,7 +466,7 @@ static unsigned long shmem_unused_huge_s
+ struct shmem_inode_info *info;
+ struct page *page;
+ unsigned long batch = sc ? sc->nr_to_scan : 128;
+- int removed = 0, split = 0;
++ int split = 0;
+
+ if (list_empty(&sbinfo->shrinklist))
+ return SHRINK_STOP;
+@@ -481,7 +481,6 @@ static unsigned long shmem_unused_huge_s
+ /* inode is about to be evicted */
+ if (!inode) {
+ list_del_init(&info->shrinklist);
+- removed++;
+ goto next;
+ }
+
+@@ -489,12 +488,12 @@ static unsigned long shmem_unused_huge_s
+ if (round_up(inode->i_size, PAGE_SIZE) ==
+ round_up(inode->i_size, HPAGE_PMD_SIZE)) {
+ list_move(&info->shrinklist, &to_remove);
+- removed++;
+ goto next;
+ }
+
+ list_move(&info->shrinklist, &list);
+ next:
++ sbinfo->shrinklist_len--;
+ if (!--batch)
+ break;
+ }
+@@ -514,7 +513,7 @@ next:
+ inode = &info->vfs_inode;
+
+ if (nr_to_split && split >= nr_to_split)
+- goto leave;
++ goto move_back;
+
+ page = find_get_page(inode->i_mapping,
+ (inode->i_size & HPAGE_PMD_MASK) >> PAGE_SHIFT);
+@@ -528,38 +527,44 @@ next:
+ }
+
+ /*
+- * Leave the inode on the list if we failed to lock
+- * the page at this time.
++ * Move the inode on the list back to shrinklist if we failed
++ * to lock the page at this time.
+ *
+ * Waiting for the lock may lead to deadlock in the
+ * reclaim path.
+ */
+ if (!trylock_page(page)) {
+ put_page(page);
+- goto leave;
++ goto move_back;
+ }
+
+ ret = split_huge_page(page);
+ unlock_page(page);
+ put_page(page);
+
+- /* If split failed leave the inode on the list */
++ /* If split failed move the inode on the list back to shrinklist */
+ if (ret)
+- goto leave;
++ goto move_back;
+
+ split++;
+ drop:
+ list_del_init(&info->shrinklist);
+- removed++;
+-leave:
++ goto put;
++move_back:
++ /*
++ * Make sure the inode is either on the global list or deleted
++ * from any local list before iput() since it could be deleted
++ * in another thread once we put the inode (then the local list
++ * is corrupted).
++ */
++ spin_lock(&sbinfo->shrinklist_lock);
++ list_move(&info->shrinklist, &sbinfo->shrinklist);
++ sbinfo->shrinklist_len++;
++ spin_unlock(&sbinfo->shrinklist_lock);
++put:
+ iput(inode);
+ }
+
+- spin_lock(&sbinfo->shrinklist_lock);
+- list_splice_tail(&list, &sbinfo->shrinklist);
+- sbinfo->shrinklist_len -= removed;
+- spin_unlock(&sbinfo->shrinklist_lock);
+-
+ return split;
+ }
+
diff --git a/queue-5.4/tools-nolibc-fix-incorrect-truncation-of-exit-code.patch b/queue-5.4/tools-nolibc-fix-incorrect-truncation-of-exit-code.patch
new file mode 100644
index 00000000000..11bc9003ac3
--- /dev/null
+++ b/queue-5.4/tools-nolibc-fix-incorrect-truncation-of-exit-code.patch
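Review bot: The new `move_back:` path puts a skipped inode back with `list_move(&info->shrinklist, &sbinfo->shrinklist)`, which inserts at the head, while the code it replaces used `list_splice_tail(&list, &sbinfo->shrinklist)`. If the first loop walks `sbinfo->shrinklist` from the head (that loop header is outside the hunks), inodes whose page could not be locked or split become the first ones rescanned on the next pass, ahead of entries that have not been tried yet. `list_move_tail(&info->shrinklist, &sbinfo->shrinklist);` would keep the previous ordering. The per-inode `spin_lock(&sbinfo->shrinklist_lock)` is needed for the fix, so only the insertion point is in question.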
@@ -0,0 +1,91 @@
+From de0244ae40ae91145faaf164a4252347607c3711 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau
+Date: Sun, 24 Oct 2021 19:28:16 +0200
+Subject: tools/nolibc: fix incorrect truncation of exit code
+
+From: Willy Tarreau
+
+commit de0244ae40ae91145faaf164a4252347607c3711 upstream.
+
+Ammar Faizi reported that our exit code handling is wrong. We truncate
+it to the lowest 8 bits but the syscall itself is expected to take a
+regular 32-bit signed integer, not an unsigned char. It's the kernel
+that later truncates it to the lowest 8 bits. The difference is visible
+in strace, where the program below used to show exit(255) instead of
+exit(-1):
+
+ int main(void)
+ {
+ return -1;
+ }
+
+This patch applies the fix to all archs. x86_64, i386, arm64, armv7 and
+mips were all tested and confirmed to work fine now. Risc-v was not
+tested but the change is trivial and exactly the same as for other archs.
+
+Reported-by: Ammar Faizi
+Cc: stable@vger.kernel.org
+Signed-off-by: Willy Tarreau
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/include/nolibc/nolibc.h | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/tools/include/nolibc/nolibc.h
++++ b/tools/include/nolibc/nolibc.h
+@@ -437,7 +437,7 @@ asm(".section .text\n"
+ "xor %ebp, %ebp\n" // zero the stack frame
+ "and $-16, %rsp\n" // x86 ABI : esp must be 16-byte aligned before call
+ "call main\n" // main() returns the status code, we'll exit with it.
+- "movzb %al, %rdi\n" // retrieve exit code from 8 lower bits
++ "mov %eax, %edi\n" // retrieve exit code (32 bit)
+ "mov $60, %rax\n" // NR_exit == 60
+ "syscall\n" // really exit
+ "hlt\n" // ensure it does not return
+@@ -625,9 +625,9 @@ asm(".section .text\n"
+ "push %ebx\n" // support both regparm and plain stack modes
+ "push %eax\n"
+ "call main\n" // main() returns the status code in %eax
+- "movzbl %al, %ebx\n" // retrieve exit code from lower 8 bits
+- "movl $1, %eax\n" // NR_exit == 1
+- "int $0x80\n" // exit now
++ "mov %eax, %ebx\n" // retrieve exit code (32-bit int)
++ "movl $1, %eax\n" // NR_exit == 1
++ "int $0x80\n" // exit now
+ "hlt\n" // ensure it does not
+ "");
+
+@@ -811,7 +811,6 @@ asm(".section .text\n"
+ "and %r3, %r1, $-8\n" // AAPCS : sp must be 8-byte aligned in the
+ "mov %sp, %r3\n" // callee, an bl doesn't push (lr=pc)
+ "bl main\n" // main() returns the status code, we'll exit with it.
+- "and %r0, %r0, $0xff\n" // limit exit code to 8 bits
+ "movs r7, $1\n" // NR_exit == 1
+ "svc $0x00\n"
+ "");
+@@ -1008,7 +1007,6 @@ asm(".section .text\n"
+ "add x2, x2, x1\n" // + argv
+ "and sp, x1, -16\n" // sp must be 16-byte aligned in the callee
+ "bl main\n" // main() returns the status code, we'll exit with it.
+- "and x0, x0, 0xff\n" // limit exit code to 8 bits
+ "mov x8, 93\n" // NR_exit == 93
+ "svc #0\n"
+ "");
+@@ -1213,7 +1211,7 @@ asm(".section .text\n"
+ "addiu $sp,$sp,-16\n" // the callee expects to save a0..a3 there!
+ "jal main\n" // main() returns the status code, we'll exit with it.
+ "nop\n" // delayed slot
+- "and $a0, $v0, 0xff\n" // limit exit code to 8 bits
++ "move $a0, $v0\n" // retrieve 32-bit exit code from v0
+ "li $v0, 4001\n" // NR_exit == 4001
+ "syscall\n"
+ ".end __start\n"
+@@ -1411,7 +1409,6 @@ asm(".section .text\n"
+ "add a2,a2,a1\n" // + argv
+ "andi sp,a1,-16\n" // sp must be 16-byte aligned
+ "call main\n" // main() returns the status code, we'll exit with it.
+- "andi a0, a0, 0xff\n" // limit exit code to 8 bits
+ "li a7, 93\n" // NR_exit == 93
+ "ecall\n"
+ "");
diff --git a/queue-5.4/tools-nolibc-i386-fix-initial-stack-alignment.patch b/queue-5.4/tools-nolibc-i386-fix-initial-stack-alignment.patch
new file mode 100644
index 00000000000..9986edc10cd
--- /dev/null
+++ b/queue-5.4/tools-nolibc-i386-fix-initial-stack-alignment.patch
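Review bot: In the arm, arm64 and riscv hunks the masking instruction is removed without any replacement comment, so nothing in those startup sequences says that main()'s return register is handed to the exit syscall unmodified. The x86_64, i386 and mips hunks do document it, but with three different wordings (`(32 bit)`, `(32-bit int)`, `retrieve 32-bit exit code from v0`). I would settle on one wording and extend the comment on the call line in the other three hunks, e.g. `// main() returns the status code, passed unmasked to exit`. Each asm block starts outside its hunk.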
@@ -0,0 +1,51 @@
+From ebbe0d8a449d183fa43b42d84fcb248e25303985 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau
+Date: Sun, 24 Oct 2021 19:28:15 +0200
+Subject: tools/nolibc: i386: fix initial stack alignment
+
+From: Willy Tarreau
+
+commit ebbe0d8a449d183fa43b42d84fcb248e25303985 upstream.
+
+After re-checking in the spec and comparing stack offsets with glibc,
+The last pushed argument must be 16-byte aligned (i.e. aligned before the
+call) so that in the callee esp+4 is multiple of 16, so the principle is
+the 32-bit equivalent to what Ammar fixed for x86_64. It's possible that
+32-bit code using SSE2 or MMX could have been affected. In addition the
+frame pointer ought to be zero at the deepest level.
+
+Link: https://gitlab.com/x86-psABIs/i386-ABI/-/wikis/Intel386-psABI
+Cc: Ammar Faizi
+Cc: stable@vger.kernel.org
+Signed-off-by: Willy Tarreau
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/include/nolibc/nolibc.h | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/tools/include/nolibc/nolibc.h
++++ b/tools/include/nolibc/nolibc.h
+@@ -606,13 +606,21 @@ struct sys_stat_struct {
+ })
+
+ /* startup code */
++/*
++ * i386 System V ABI mandates:
++ * 1) last pushed argument must be 16-byte aligned.
++ * 2) The deepest stack frame should be set to zero
++ *
++ */
+ asm(".section .text\n"
+ ".global _start\n"
+ "_start:\n"
+ "pop %eax\n" // argc (first arg, %eax)
+ "mov %esp, %ebx\n" // argv[] (second arg, %ebx)
+ "lea 4(%ebx,%eax,4),%ecx\n" // then a NULL then envp (third arg, %ecx)
+- "and $-16, %esp\n" // x86 ABI : esp must be 16-byte aligned when
++ "xor %ebp, %ebp\n" // zero the stack frame
++ "and $-16, %esp\n" // x86 ABI : esp must be 16-byte aligned before
++ "sub $4, %esp\n" // the call instruction (args are aligned)
+ "push %ecx\n" // push all registers on the stack so that we
+ "push %ebx\n" // support both regparm and plain stack modes
+ "push %eax\n"
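Review bot: The added `"sub $4, %esp\n"` uses a constant that is only correct because exactly three registers are pushed after it (4 + 12 = 16), and the comment `the call instruction (args are aligned)` does not say so. Anyone adding or removing a push would silently break the alignment this patch establishes. A comment along the lines of `// 4 + 3 pushes (12 bytes) keeps %esp 16-byte aligned at the call` would make the dependency explicit. The new header comment also says the deepest stack frame "should be set to zero" where the code clears the frame pointer, `%ebp`; the asm block continues past the end of the hunk.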
diff --git a/queue-5.4/tools-nolibc-x86-64-fix-startup-code-bug.patch b/queue-5.4/tools-nolibc-x86-64-fix-startup-code-bug.patch
new file mode 100644
index 00000000000..f78d21cdf28
--- /dev/null
+++ b/queue-5.4/tools-nolibc-x86-64-fix-startup-code-bug.patch
@@ -0,0 +1,97 @@
+From 937ed91c712273131de6d2a02caafd3ee84e0c72 Mon Sep 17 00:00:00 2001
+From: Ammar Faizi
+Date: Sun, 24 Oct 2021 19:28:14 +0200
+Subject: tools/nolibc: x86-64: Fix startup code bug
+
+From: Ammar Faizi
+
+commit 937ed91c712273131de6d2a02caafd3ee84e0c72 upstream.
+
+Before this patch, the `_start` function looks like this:
+```
+0000000000001170 <_start>:
+ 1170: pop %rdi
+ 1171: mov %rsp,%rsi
+ 1174: lea 0x8(%rsi,%rdi,8),%rdx
+ 1179: and $0xfffffffffffffff0,%rsp
+ 117d: sub $0x8,%rsp
+ 1181: call 1000
+ 1186: movzbq %al,%rdi
+ 118a: mov $0x3c,%rax
+ 1191: syscall
+ 1193: hlt
+ 1194: data16 cs nopw 0x0(%rax,%rax,1)
+ 119f: nop
+```
+Note the "and" to %rsp with $-16, it makes the %rsp be 16-byte aligned,
+but then there is a "sub" with $0x8 which makes the %rsp no longer
+16-byte aligned, then it calls main. That's the bug!
+
+What actually the x86-64 System V ABI mandates is that right before the
+"call", the %rsp must be 16-byte aligned, not after the "call". So the
+"sub" with $0x8 here breaks the alignment. Remove it.
+
+An example where this rule matters is when the callee needs to align
+its stack at 16-byte for aligned move instruction, like `movdqa` and
+`movaps`. If the callee can't align its stack properly, it will result
+in segmentation fault.
+
+x86-64 System V ABI also mandates the deepest stack frame should be
+zero. Just to be safe, let's zero the %rbp on startup as the content
+of %rbp may be unspecified when the program starts. Now it looks like
+this:
+```
+0000000000001170 <_start>:
+ 1170: pop %rdi
+ 1171: mov %rsp,%rsi
+ 1174: lea 0x8(%rsi,%rdi,8),%rdx
+ 1179: xor %ebp,%ebp # zero the %rbp
+ 117b: and $0xfffffffffffffff0,%rsp # align the %rsp
+ 117f: call 1000
+ 1184: movzbq %al,%rdi
+ 1188: mov $0x3c,%rax
+ 118f: syscall
+ 1191: hlt
+ 1192: data16 cs nopw 0x0(%rax,%rax,1)
+ 119d: nopl (%rax)
+```
+
+Cc: Bedirhan KURT
+Cc: Louvian Lyndal
+Reported-by: Peter Cordes
+Signed-off-by: Ammar Faizi
+[wt: I did this on purpose due to a misunderstanding of the spec, other
+ archs will thus have to be rechecked, particularly i386]
+Cc: stable@vger.kernel.org
+Signed-off-by: Willy Tarreau
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/include/nolibc/nolibc.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/tools/include/nolibc/nolibc.h
++++ b/tools/include/nolibc/nolibc.h
+@@ -422,14 +422,20 @@ struct stat {
+ })
+
+ /* startup code */
++/*
++ * x86-64 System V ABI mandates:
++ * 1) %rsp must be 16-byte aligned right before the function call.
++ * 2) The deepest stack frame should be zero (the %rbp).
++ *
++ */
+ asm(".section .text\n"
+ ".global _start\n"
+ "_start:\n"
+ "pop %rdi\n" // argc (first arg, %rdi)
+ "mov %rsp, %rsi\n" // argv[] (second arg, %rsi)
+ "lea 8(%rsi,%rdi,8),%rdx\n" // then a NULL then envp (third arg, %rdx)
+- "and $-16, %rsp\n" // x86 ABI : esp must be 16-byte aligned when
+- "sub $8, %rsp\n" // entering the callee
++ "xor %ebp, %ebp\n" // zero the stack frame
++ "and $-16, %rsp\n" // x86 ABI : esp must be 16-byte aligned before call
+ "call main\n" // main() returns the status code, we'll exit with it.
+ "movzb %al, %rdi\n" // retrieve exit code from 8 lower bits
+ "mov $60, %rax\n" // NR_exit == 60
diff --git a/queue-5.4/x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch b/queue-5.4/x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch
new file mode 100644
index 00000000000..4c9ce556229
--- /dev/null
+++ b/queue-5.4/x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch
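Review bot: The rewritten comment on `"and $-16, %rsp\n"` still says `esp must be 16-byte aligned`, although the instruction and the header comment added just above it both refer to `%rsp`. Likewise `// zero the stack frame` on `xor %ebp, %ebp` describes clearing the frame pointer, which the commit message's own disassembly annotates as zeroing `%rbp`. I would write them as `// x86-64 ABI: %rsp must be 16-byte aligned before call` and `// zero the frame pointer (%rbp)` so the inline comments agree with the block comment. The asm block continues past the end of the hunk.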
@@ -0,0 +1,76 @@
+From 9c494ca4d3a535f9ca11ad6af1813983c1c6cbdd Mon Sep 17 00:00:00 2001
+From: Lucas De Marchi
+Date: Thu, 13 Jan 2022 16:28:39 -0800
+Subject: x86/gpu: Reserve stolen memory for first integrated Intel GPU
+
+From: Lucas De Marchi
+
+commit 9c494ca4d3a535f9ca11ad6af1813983c1c6cbdd upstream.
+
+"Stolen memory" is memory set aside for use by an Intel integrated GPU.
+The intel_graphics_quirks() early quirk reserves this memory when it is
+called for a GPU that appears in the intel_early_ids[] table of integrated
+GPUs.
+
+Previously intel_graphics_quirks() was marked as QFLAG_APPLY_ONCE, so it
+was called only for the first Intel GPU found. If a discrete GPU happened
+to be enumerated first, intel_graphics_quirks() was called for it but not
+for any integrated GPU found later. Therefore, stolen memory for such an
+integrated GPU was never reserved.
+
+For example, this problem occurs in this Alderlake-P (integrated) + DG2
+(discrete) topology where the DG2 is found first, but stolen memory is
+associated with the integrated GPU:
+
+ - 00:01.0 Bridge
+ `- 03:00.0 DG2 discrete GPU
+ - 00:02.0 Integrated GPU (with stolen memory)
+
+Remove the QFLAG_APPLY_ONCE flag and call intel_graphics_quirks() for every
+Intel GPU. Reserve stolen memory for the first GPU that appears in
+intel_early_ids[].
+
+[bhelgaas: commit log, add code comment, squash in
+https://lore.kernel.org/r/20220118190558.2ququ4vdfjuahicm@ldmartin-desk2]
+Link: https://lore.kernel.org/r/20220114002843.2083382-1-lucas.demarchi@intel.com
+Signed-off-by: Lucas De Marchi
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/early-quirks.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/early-quirks.c
++++ b/arch/x86/kernel/early-quirks.c
+@@ -515,6 +515,7 @@ static const struct intel_early_ops gen1
+ .stolen_size = gen9_stolen_size,
+ };
+
++/* Intel integrated GPUs for which we need to reserve "stolen memory" */
+ static const struct pci_device_id intel_early_ids[] __initconst = {
+ INTEL_I830_IDS(&i830_early_ops),
+ INTEL_I845G_IDS(&i845_early_ops),
+@@ -587,6 +588,13 @@ static void __init intel_graphics_quirks
+ u16 device;
+ int i;
+
++ /*
++ * Reserve "stolen memory" for an integrated GPU. If we've already
++ * found one, there's nothing to do for other (discrete) GPUs.
++ */
++ if (resource_size(&intel_graphics_stolen_res))
++ return;
++
+ device = read_pci_config_16(num, slot, func, PCI_DEVICE_ID);
+
+ for (i = 0; i < ARRAY_SIZE(intel_early_ids); i++) {
+@@ -699,7 +707,7 @@ static struct chipset early_qrk[] __init
+ { PCI_VENDOR_ID_INTEL, 0x3406, PCI_CLASS_BRIDGE_HOST,
+ PCI_BASE_CLASS_BRIDGE, 0, intel_remapping_check },
+ { PCI_VENDOR_ID_INTEL, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA, PCI_ANY_ID,
+- QFLAG_APPLY_ONCE, intel_graphics_quirks },
++ 0, intel_graphics_quirks },
+ /*
+ * HPET on the current version of the Baytrail platform has accuracy
+ * problems: it will halt in deep idle state - so we disable it.
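Review bot: The guard added at the top of intel_graphics_quirks() tests `resource_size(&intel_graphics_stolen_res)`, so it means "stolen memory has already been recorded with a non-zero size", not "an integrated GPU has already been found" as the comment puts it. With `QFLAG_APPLY_ONCE` replaced by `0`, the function now runs for every Intel VGA-class device until that resource is non-empty, and the check is only correct if the resource starts out with size zero; its definition is outside the hunks, so that is an assumption to confirm. I would reword the comment to match the condition, e.g. `/* Stolen memory already reserved for an integrated GPU: nothing to do for later (discrete) GPUs. */`. The function body continues outside the hunk.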