From: Greg Kroah-Hartman Date: Mon, 23 Dec 2019 17:36:14 +0000 (-0500) Subject: 5.4-stable patches X-Git-Tag: v4.14.161~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6def908c3980fa9b8b751570ad59425fecb9f204;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: can-flexcan-fix-possible-deadlock-and-out-of-order-reception-after-wakeup.patch can-flexcan-poll-mcr_lpm_ack-instead-of-gpr-ack-for-stop-mode-acknowledgment.patch can-j1939-j1939_sk_bind-take-priv-after-lock-is-held.patch can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch can-m_can-tcan4x5x-add-required-delay-after-reset.patch can-xilinx_can-fix-missing-rx-can-packets-on-canfd2.0.patch iommu-fix-kasan-use-after-free-in-iommu_insert_resv_region.patch iommu-set-group-default-domain-before-creating-direct-mappings.patch iommu-vt-d-allocate-reserved-region-for-isa-with-correct-permission.patch iommu-vt-d-fix-dmar-pte-read-access-not-set-error.patch iommu-vt-d-set-isa-bridge-reserved-region-as-relaxable.patch mmc-mediatek-fix-cmd_ta-to-2-for-mt8173-hs200-hs400-mode.patch revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch tpm-fix-invalid-locking-in-nonblocking-mode.patch tpm_tis-reserve-chip-for-duration-of-tpm_tis_core_init.patch --- diff --git a/queue-5.4/can-flexcan-fix-possible-deadlock-and-out-of-order-reception-after-wakeup.patch b/queue-5.4/can-flexcan-fix-possible-deadlock-and-out-of-order-reception-after-wakeup.patch new file mode 100644 index 00000000000..5481bf0a397 --- /dev/null +++ b/queue-5.4/can-flexcan-fix-possible-deadlock-and-out-of-order-reception-after-wakeup.patch @@ -0,0 +1,82 @@ +From e707180ae2df1c87e26ec7a6fd70d07483bde7fd Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Wed, 4 Dec 2019 11:36:06 +0000 +Subject: can: flexcan: fix possible deadlock and out-of-order reception after wakeup + +From: Sean Nyekjaer + +commit e707180ae2df1c87e26ec7a6fd70d07483bde7fd upstream. + +When suspending, and there is still CAN traffic on the interfaces the +flexcan immediately wakes the platform again. As it should :-). But it +throws this error msg: + +[ 3169.378661] PM: noirq suspend of devices failed + +On the way down to suspend the interface that throws the error message +calls flexcan_suspend() but fails to call flexcan_noirq_suspend(). That +means flexcan_enter_stop_mode() is called, but on the way out of suspend +the driver only calls flexcan_resume() and skips flexcan_noirq_resume(), +thus it doesn't call flexcan_exit_stop_mode(). This leaves the flexcan +in stop mode, and with the current driver it can't recover from this +even with a soft reboot, it requires a hard reboot. + +This patch fixes the deadlock when using self wakeup, by calling +flexcan_exit_stop_mode() from flexcan_resume() instead of +flexcan_noirq_resume(). + +This also fixes another issue: CAN frames are received out-of-order in +first IRQ handler run after wakeup. + +The problem is that the wakeup latency from frame reception to the IRQ +handler (where the CAN frames are sorted by timestamp) is much bigger +than the time stamp counter wrap around time. This means it's +impossible to sort the CAN frames by timestamp. + +The reason is that the controller exits stop mode during noirq resume, +which means it receives frames immediately, but interrupt handling is +still not possible. + +So exit stop mode during resume stage instead of noirq resume fixes this +issue. + +Fixes: de3578c198c6 ("can: flexcan: add self wakeup support") +Signed-off-by: Sean Nyekjaer +Tested-by: Sean Nyekjaer +Signed-off-by: Joakim Zhang +Cc: linux-stable # >= v5.0 +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/flexcan.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1703,6 +1703,9 @@ static int __maybe_unused flexcan_resume + netif_start_queue(dev); + if (device_may_wakeup(device)) { + disable_irq_wake(dev->irq); ++ err = flexcan_exit_stop_mode(priv); ++ if (err) ++ return err; + } else { + err = pm_runtime_force_resume(device); + if (err) +@@ -1748,14 +1751,9 @@ static int __maybe_unused flexcan_noirq_ + { + struct net_device *dev = dev_get_drvdata(device); + struct flexcan_priv *priv = netdev_priv(dev); +- int err; + +- if (netif_running(dev) && device_may_wakeup(device)) { ++ if (netif_running(dev) && device_may_wakeup(device)) + flexcan_enable_wakeup_irq(priv, false); +- err = flexcan_exit_stop_mode(priv); +- if (err) +- return err; +- } + + return 0; + } diff --git a/queue-5.4/can-flexcan-poll-mcr_lpm_ack-instead-of-gpr-ack-for-stop-mode-acknowledgment.patch b/queue-5.4/can-flexcan-poll-mcr_lpm_ack-instead-of-gpr-ack-for-stop-mode-acknowledgment.patch new file mode 100644 index 00000000000..c92c378ef7d --- /dev/null +++ b/queue-5.4/can-flexcan-poll-mcr_lpm_ack-instead-of-gpr-ack-for-stop-mode-acknowledgment.patch @@ -0,0 +1,80 @@ +From 048e3a34a2e7669bf475eb56c7345ad9d8d2b8e3 Mon Sep 17 00:00:00 2001 +From: Joakim Zhang +Date: Wed, 4 Dec 2019 11:36:14 +0000 +Subject: can: flexcan: poll MCR_LPM_ACK instead of GPR ACK for stop mode acknowledgment + +From: Joakim Zhang + +commit 048e3a34a2e7669bf475eb56c7345ad9d8d2b8e3 upstream. + +Stop Mode is entered when Stop Mode is requested at chip level and +MCR[LPM_ACK] is asserted by the FlexCAN. + +Double check with IP owner, the MCR[LPM_ACK] bit should be polled for +stop mode acknowledgment, not the acknowledgment from chip level which +is used to gate flexcan clocks. + +This patch depends on: + + b7603d080ffc ("can: flexcan: add low power enter/exit acknowledgment helper") + +Fixes: 5f186c257fa4 (can: flexcan: fix stop mode acknowledgment) +Tested-by: Sean Nyekjaer +Signed-off-by: Joakim Zhang +Cc: linux-stable # >= v5.0 +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/flexcan.c | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -407,7 +407,6 @@ static void flexcan_enable_wakeup_irq(st + static inline int flexcan_enter_stop_mode(struct flexcan_priv *priv) + { + struct flexcan_regs __iomem *regs = priv->regs; +- unsigned int ackval; + u32 reg_mcr; + + reg_mcr = priv->read(®s->mcr); +@@ -418,36 +417,24 @@ static inline int flexcan_enter_stop_mod + regmap_update_bits(priv->stm.gpr, priv->stm.req_gpr, + 1 << priv->stm.req_bit, 1 << priv->stm.req_bit); + +- /* get stop acknowledgment */ +- if (regmap_read_poll_timeout(priv->stm.gpr, priv->stm.ack_gpr, +- ackval, ackval & (1 << priv->stm.ack_bit), +- 0, FLEXCAN_TIMEOUT_US)) +- return -ETIMEDOUT; +- +- return 0; ++ return flexcan_low_power_enter_ack(priv); + } + + static inline int flexcan_exit_stop_mode(struct flexcan_priv *priv) + { + struct flexcan_regs __iomem *regs = priv->regs; +- unsigned int ackval; + u32 reg_mcr; + + /* remove stop request */ + regmap_update_bits(priv->stm.gpr, priv->stm.req_gpr, + 1 << priv->stm.req_bit, 0); + +- /* get stop acknowledgment */ +- if (regmap_read_poll_timeout(priv->stm.gpr, priv->stm.ack_gpr, +- ackval, !(ackval & (1 << priv->stm.ack_bit)), +- 0, FLEXCAN_TIMEOUT_US)) +- return -ETIMEDOUT; + + reg_mcr = priv->read(®s->mcr); + reg_mcr &= ~FLEXCAN_MCR_SLF_WAK; + priv->write(reg_mcr, ®s->mcr); + +- return 0; ++ return flexcan_low_power_exit_ack(priv); + } + + static inline void flexcan_error_irq_enable(const struct flexcan_priv *priv) diff --git a/queue-5.4/can-j1939-j1939_sk_bind-take-priv-after-lock-is-held.patch b/queue-5.4/can-j1939-j1939_sk_bind-take-priv-after-lock-is-held.patch new file mode 100644 index 00000000000..b3de799ab77 --- /dev/null +++ b/queue-5.4/can-j1939-j1939_sk_bind-take-priv-after-lock-is-held.patch @@ -0,0 +1,123 @@ +From 00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Fri, 6 Dec 2019 15:18:35 +0100 +Subject: can: j1939: j1939_sk_bind(): take priv after lock is held + +From: Oleksij Rempel + +commit 00d4e14d2e4caf5f7254a505fee5eeca8cd37bd4 upstream. + +syzbot reproduced following crash: + +=============================================================================== +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 9844 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:__lock_acquire+0x1254/0x4a00 kernel/locking/lockdep.c:3828 +Code: 00 0f 85 96 24 00 00 48 81 c4 f0 00 00 00 5b 41 5c 41 5d 41 5e 41 +5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 +00 0f 85 0b 28 00 00 49 81 3e 20 19 78 8a 0f 84 5f ee ff +RSP: 0018:ffff888099c3fb48 EFLAGS: 00010006 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000218 RSI: 0000000000000000 RDI: 0000000000000001 +RBP: ffff888099c3fc60 R08: 0000000000000001 R09: 0000000000000001 +R10: fffffbfff146e1d0 R11: ffff888098720400 R12: 00000000000010c0 +R13: 0000000000000000 R14: 00000000000010c0 R15: 0000000000000000 +FS: 00007f0559e98700(0000) GS:ffff8880ae800000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe4d89e0000 CR3: 0000000099606000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485 + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] + _raw_spin_lock_bh+0x33/0x50 kernel/locking/spinlock.c:175 + spin_lock_bh include/linux/spinlock.h:343 [inline] + j1939_jsk_del+0x32/0x210 net/can/j1939/socket.c:89 + j1939_sk_bind+0x2ea/0x8f0 net/can/j1939/socket.c:448 + __sys_bind+0x239/0x290 net/socket.c:1648 + __do_sys_bind net/socket.c:1659 [inline] + __se_sys_bind net/socket.c:1657 [inline] + __x64_sys_bind+0x73/0xb0 net/socket.c:1657 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x45a679 +Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 +f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 +f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f0559e97c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679 +RDX: 0000000000000018 RSI: 0000000020000240 RDI: 0000000000000003 +RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0559e986d4 +R13: 00000000004c09e9 R14: 00000000004d37d0 R15: 00000000ffffffff +Modules linked in: +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 9844 at kernel/locking/mutex.c:1419 +mutex_trylock+0x279/0x2f0 kernel/locking/mutex.c:1427 +=============================================================================== + +This issues was caused by null pointer deference. Where j1939_sk_bind() +was using currently not existing priv. + +Possible scenario may look as following: +cpu0 cpu1 +bind() + bind() + j1939_sk_bind() + j1939_sk_bind() + priv = jsk->priv; + priv = jsk->priv; + lock_sock(sock->sk); + priv = j1939_netdev_start(ndev); + j1939_jsk_add(priv, jsk); + jsk->priv = priv; + relase_sock(sock->sk); + lock_sock(sock->sk); + j1939_jsk_del(priv, jsk); + ..... ooops ...... + +With this patch we move "priv = jsk->priv;" after the lock, to avoid +assigning of wrong priv pointer. + +Reported-by: syzbot+99e9e1b200a1e363237d@syzkaller.appspotmail.com +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Signed-off-by: Oleksij Rempel +Cc: linux-stable # >= v5.4 +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + net/can/j1939/socket.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -423,9 +423,9 @@ static int j1939_sk_bind(struct socket * + { + struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; + struct j1939_sock *jsk = j1939_sk(sock->sk); +- struct j1939_priv *priv = jsk->priv; +- struct sock *sk = sock->sk; +- struct net *net = sock_net(sk); ++ struct j1939_priv *priv; ++ struct sock *sk; ++ struct net *net; + int ret = 0; + + ret = j1939_sk_sanity_check(addr, len); +@@ -434,6 +434,10 @@ static int j1939_sk_bind(struct socket * + + lock_sock(sock->sk); + ++ priv = jsk->priv; ++ sk = sock->sk; ++ net = sock_net(sk); ++ + /* Already bound to an interface? */ + if (jsk->state & J1939_SOCK_BOUND) { + /* A re-bind() to a different interface is not diff --git a/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch b/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..c416ad4fc4f --- /dev/null +++ b/queue-5.4/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch @@ -0,0 +1,52 @@ +From da2311a6385c3b499da2ed5d9be59ce331fa93e9 Mon Sep 17 00:00:00 2001 +From: Xiaolong Huang +Date: Sat, 7 Dec 2019 22:40:24 +0800 +Subject: can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices + +From: Xiaolong Huang + +commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix this by using kzalloc() instead of kmalloc(). + +Signed-off-by: Xiaolong Huang +Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c") +Cc: linux-stable # >= v4.19 +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -608,7 +608,7 @@ static int kvaser_usb_leaf_simple_cmd_as + struct kvaser_cmd *cmd; + int err; + +- cmd = kmalloc(sizeof(*cmd), GFP_ATOMIC); ++ cmd = kzalloc(sizeof(*cmd), GFP_ATOMIC); + if (!cmd) + return -ENOMEM; + +@@ -1140,7 +1140,7 @@ static int kvaser_usb_leaf_set_opt_mode( + struct kvaser_cmd *cmd; + int rc; + +- cmd = kmalloc(sizeof(*cmd), GFP_KERNEL); ++ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL); + if (!cmd) + return -ENOMEM; + +@@ -1206,7 +1206,7 @@ static int kvaser_usb_leaf_flush_queue(s + struct kvaser_cmd *cmd; + int rc; + +- cmd = kmalloc(sizeof(*cmd), GFP_KERNEL); ++ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL); + if (!cmd) + return -ENOMEM; + diff --git a/queue-5.4/can-m_can-tcan4x5x-add-required-delay-after-reset.patch b/queue-5.4/can-m_can-tcan4x5x-add-required-delay-after-reset.patch new file mode 100644 index 00000000000..a91a6deb201 --- /dev/null +++ b/queue-5.4/can-m_can-tcan4x5x-add-required-delay-after-reset.patch @@ -0,0 +1,33 @@ +From 60552253e29c8860ee5bf1e6064591b0917c0394 Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Fri, 6 Dec 2019 16:29:22 +0100 +Subject: can: m_can: tcan4x5x: add required delay after reset + +From: Sean Nyekjaer + +commit 60552253e29c8860ee5bf1e6064591b0917c0394 upstream. + +According to section "8.3.8 RST Pin" in the datasheet we are required to +wait >700us after the device is reset. + +Signed-off-by: Sean Nyekjaer +Acked-by: Dan Murphy +Cc: linux-stable # >= v5.4 +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/m_can/tcan4x5x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/can/m_can/tcan4x5x.c ++++ b/drivers/net/can/m_can/tcan4x5x.c +@@ -354,6 +354,8 @@ static int tcan4x5x_parse_config(struct + if (IS_ERR(tcan4x5x->reset_gpio)) + tcan4x5x->reset_gpio = NULL; + ++ usleep_range(700, 1000); ++ + tcan4x5x->device_state_gpio = devm_gpiod_get_optional(cdev->dev, + "device-state", + GPIOD_IN); diff --git a/queue-5.4/can-xilinx_can-fix-missing-rx-can-packets-on-canfd2.0.patch b/queue-5.4/can-xilinx_can-fix-missing-rx-can-packets-on-canfd2.0.patch new file mode 100644 index 00000000000..ded6fcdb56f --- /dev/null +++ b/queue-5.4/can-xilinx_can-fix-missing-rx-can-packets-on-canfd2.0.patch @@ -0,0 +1,51 @@ +From 9ab79b06ddf3cdf6484d60b3e5fe113e733145c8 Mon Sep 17 00:00:00 2001 +From: Srinivas Neeli +Date: Tue, 3 Dec 2019 17:46:36 +0530 +Subject: can: xilinx_can: Fix missing Rx can packets on CANFD2.0 + +From: Srinivas Neeli + +commit 9ab79b06ddf3cdf6484d60b3e5fe113e733145c8 upstream. + +CANFD2.0 core uses BRAM for storing acceptance filter ID(AFID) and MASK +(AFMASK)registers. So by default AFID and AFMASK registers contain random +data. Due to random data, we are not able to receive all CAN ids. + +Initializing AFID and AFMASK registers with Zero before enabling +acceptance filter to receive all packets irrespective of ID and Mask. + +Fixes: 0db9071353a0 ("can: xilinx: add can 2.0 support") +Signed-off-by: Michal Simek +Signed-off-by: Srinivas Neeli +Reviewed-by: Naga Sureshkumar Relli +Cc: linux-stable # >= v5.0 +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/xilinx_can.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -60,6 +60,8 @@ enum xcan_reg { + XCAN_TXMSG_BASE_OFFSET = 0x0100, /* TX Message Space */ + XCAN_RXMSG_BASE_OFFSET = 0x1100, /* RX Message Space */ + XCAN_RXMSG_2_BASE_OFFSET = 0x2100, /* RX Message Space */ ++ XCAN_AFR_2_MASK_OFFSET = 0x0A00, /* Acceptance Filter MASK */ ++ XCAN_AFR_2_ID_OFFSET = 0x0A04, /* Acceptance Filter ID */ + }; + + #define XCAN_FRAME_ID_OFFSET(frame_base) ((frame_base) + 0x00) +@@ -1803,6 +1805,11 @@ static int xcan_probe(struct platform_de + + pm_runtime_put(&pdev->dev); + ++ if (priv->devtype.flags & XCAN_FLAG_CANFD_2) { ++ priv->write_reg(priv, XCAN_AFR_2_ID_OFFSET, 0x00000000); ++ priv->write_reg(priv, XCAN_AFR_2_MASK_OFFSET, 0x00000000); ++ } ++ + netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx buffers: actual %d, using %d\n", + priv->reg_base, ndev->irq, priv->can.clock.freq, + hw_tx_max, priv->tx_max); diff --git a/queue-5.4/iommu-fix-kasan-use-after-free-in-iommu_insert_resv_region.patch b/queue-5.4/iommu-fix-kasan-use-after-free-in-iommu_insert_resv_region.patch new file mode 100644 index 00000000000..1905307e280 --- /dev/null +++ b/queue-5.4/iommu-fix-kasan-use-after-free-in-iommu_insert_resv_region.patch @@ -0,0 +1,38 @@ +From 4c80ba392bf603d468ea827d902f8e7b2505fbf4 Mon Sep 17 00:00:00 2001 +From: Eric Auger +Date: Tue, 26 Nov 2019 18:54:13 +0100 +Subject: iommu: fix KASAN use-after-free in iommu_insert_resv_region + +From: Eric Auger + +commit 4c80ba392bf603d468ea827d902f8e7b2505fbf4 upstream. + +In case the new region gets merged into another one, the nr list node is +freed. Checking its type while completing the merge algorithm leads to +a use-after-free. Use new->type instead. + +Fixes: 4dbd258ff63e ("iommu: Revisit iommu_insert_resv_region() implementation") +Signed-off-by: Eric Auger +Reported-by: Qian Cai +Reviewed-by: Jerry Snitselaar +Cc: Stable #v5.3+ +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/iommu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -312,8 +312,8 @@ int iommu_insert_resv_region(struct iomm + list_for_each_entry_safe(iter, tmp, regions, list) { + phys_addr_t top_end, iter_end = iter->start + iter->length - 1; + +- /* no merge needed on elements of different types than @nr */ +- if (iter->type != nr->type) { ++ /* no merge needed on elements of different types than @new */ ++ if (iter->type != new->type) { + list_move_tail(&iter->list, &stack); + continue; + } diff --git a/queue-5.4/iommu-set-group-default-domain-before-creating-direct-mappings.patch b/queue-5.4/iommu-set-group-default-domain-before-creating-direct-mappings.patch new file mode 100644 index 00000000000..8e67b1ce201 --- /dev/null +++ b/queue-5.4/iommu-set-group-default-domain-before-creating-direct-mappings.patch @@ -0,0 +1,48 @@ +From d360211524bece6db9920f32c91808235290b51c Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Tue, 10 Dec 2019 11:56:06 -0700 +Subject: iommu: set group default domain before creating direct mappings + +From: Jerry Snitselaar + +commit d360211524bece6db9920f32c91808235290b51c upstream. + +iommu_group_create_direct_mappings uses group->default_domain, but +right after it is called, request_default_domain_for_dev calls +iommu_domain_free for the default domain, and sets the group default +domain to a different domain. Move the +iommu_group_create_direct_mappings call to after the group default +domain is set, so the direct mappings get associated with that domain. + +Cc: Joerg Roedel +Cc: Lu Baolu +Cc: iommu@lists.linux-foundation.org +Cc: stable@vger.kernel.org +Fixes: 7423e01741dd ("iommu: Add API to request DMA domain for device") +Signed-off-by: Jerry Snitselaar +Reviewed-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/iommu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -2221,13 +2221,13 @@ request_default_domain_for_dev(struct de + goto out; + } + +- iommu_group_create_direct_mappings(group, dev); +- + /* Make the domain the default for this group */ + if (group->default_domain) + iommu_domain_free(group->default_domain); + group->default_domain = domain; + ++ iommu_group_create_direct_mappings(group, dev); ++ + dev_info(dev, "Using iommu %s mapping\n", + type == IOMMU_DOMAIN_DMA ? "dma" : "direct"); + diff --git a/queue-5.4/iommu-vt-d-allocate-reserved-region-for-isa-with-correct-permission.patch b/queue-5.4/iommu-vt-d-allocate-reserved-region-for-isa-with-correct-permission.patch new file mode 100644 index 00000000000..2e855d0df70 --- /dev/null +++ b/queue-5.4/iommu-vt-d-allocate-reserved-region-for-isa-with-correct-permission.patch @@ -0,0 +1,38 @@ +From cde9319e884eb6267a0df446f3c131fe1108defb Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Thu, 12 Dec 2019 22:36:42 -0700 +Subject: iommu/vt-d: Allocate reserved region for ISA with correct permission + +From: Jerry Snitselaar + +commit cde9319e884eb6267a0df446f3c131fe1108defb upstream. + +Currently the reserved region for ISA is allocated with no +permissions. If a dma domain is being used, mapping this region will +fail. Set the permissions to DMA_PTE_READ|DMA_PTE_WRITE. + +Cc: Joerg Roedel +Cc: Lu Baolu +Cc: iommu@lists.linux-foundation.org +Cc: stable@vger.kernel.org # v5.3+ +Fixes: d850c2ee5fe2 ("iommu/vt-d: Expose ISA direct mapping region via iommu_get_resv_regions") +Signed-off-by: Jerry Snitselaar +Acked-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -5697,7 +5697,7 @@ static void intel_iommu_get_resv_regions + struct pci_dev *pdev = to_pci_dev(device); + + if ((pdev->class >> 8) == PCI_CLASS_BRIDGE_ISA) { +- reg = iommu_alloc_resv_region(0, 1UL << 24, 0, ++ reg = iommu_alloc_resv_region(0, 1UL << 24, prot, + IOMMU_RESV_DIRECT_RELAXABLE); + if (reg) + list_add_tail(®->list, head); diff --git a/queue-5.4/iommu-vt-d-fix-dmar-pte-read-access-not-set-error.patch b/queue-5.4/iommu-vt-d-fix-dmar-pte-read-access-not-set-error.patch new file mode 100644 index 00000000000..dde18b52e8c --- /dev/null +++ b/queue-5.4/iommu-vt-d-fix-dmar-pte-read-access-not-set-error.patch @@ -0,0 +1,63 @@ +From 75d18385394f56db76845d91a192532aba421875 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Wed, 11 Dec 2019 09:40:15 +0800 +Subject: iommu/vt-d: Fix dmar pte read access not set error + +From: Lu Baolu + +commit 75d18385394f56db76845d91a192532aba421875 upstream. + +If the default DMA domain of a group doesn't fit a device, it +will still sit in the group but use a private identity domain. +When map/unmap/iova_to_phys come through iommu API, the driver +should still serve them, otherwise, other devices in the same +group will be impacted. Since identity domain has been mapped +with the whole available memory space and RMRRs, we don't need +to worry about the impact on it. + +Link: https://www.spinics.net/lists/iommu/msg40416.html +Cc: Jerry Snitselaar +Reported-by: Jerry Snitselaar +Fixes: 942067f1b6b97 ("iommu/vt-d: Identify default domains replaced with private") +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Lu Baolu +Reviewed-by: Jerry Snitselaar +Tested-by: Jerry Snitselaar +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -5447,9 +5447,6 @@ static int intel_iommu_map(struct iommu_ + int prot = 0; + int ret; + +- if (dmar_domain->flags & DOMAIN_FLAG_LOSE_CHILDREN) +- return -EINVAL; +- + if (iommu_prot & IOMMU_READ) + prot |= DMA_PTE_READ; + if (iommu_prot & IOMMU_WRITE) +@@ -5492,8 +5489,6 @@ static size_t intel_iommu_unmap(struct i + /* Cope with horrid API which requires us to unmap more than the + size argument if it happens to be a large-page mapping. */ + BUG_ON(!pfn_to_dma_pte(dmar_domain, iova >> VTD_PAGE_SHIFT, &level)); +- if (dmar_domain->flags & DOMAIN_FLAG_LOSE_CHILDREN) +- return 0; + + if (size < VTD_PAGE_SIZE << level_to_offset_bits(level)) + size = VTD_PAGE_SIZE << level_to_offset_bits(level); +@@ -5525,9 +5520,6 @@ static phys_addr_t intel_iommu_iova_to_p + int level = 0; + u64 phys = 0; + +- if (dmar_domain->flags & DOMAIN_FLAG_LOSE_CHILDREN) +- return 0; +- + pte = pfn_to_dma_pte(dmar_domain, iova >> VTD_PAGE_SHIFT, &level); + if (pte) + phys = dma_pte_addr(pte); diff --git a/queue-5.4/iommu-vt-d-set-isa-bridge-reserved-region-as-relaxable.patch b/queue-5.4/iommu-vt-d-set-isa-bridge-reserved-region-as-relaxable.patch new file mode 100644 index 00000000000..e0cf65117b6 --- /dev/null +++ b/queue-5.4/iommu-vt-d-set-isa-bridge-reserved-region-as-relaxable.patch @@ -0,0 +1,62 @@ +From d8018a0e9195ba9f0fb9cf0fd3843807c8b952d5 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 11 Dec 2019 13:28:29 -0700 +Subject: iommu/vt-d: Set ISA bridge reserved region as relaxable + +From: Alex Williamson + +commit d8018a0e9195ba9f0fb9cf0fd3843807c8b952d5 upstream. + +Commit d850c2ee5fe2 ("iommu/vt-d: Expose ISA direct mapping region via +iommu_get_resv_regions") created a direct-mapped reserved memory region +in order to replace the static identity mapping of the ISA address +space, where the latter was then removed in commit df4f3c603aeb +("iommu/vt-d: Remove static identity map code"). According to the +history of this code and the Kconfig option surrounding it, this direct +mapping exists for the benefit of legacy ISA drivers that are not +compatible with the DMA API. + +In conjuntion with commit 9b77e5c79840 ("vfio/type1: check dma map +request is within a valid iova range") this change introduced a +regression where the vfio IOMMU backend enforces reserved memory regions +per IOMMU group, preventing userspace from creating IOMMU mappings +conflicting with prescribed reserved regions. A necessary prerequisite +for the vfio change was the introduction of "relaxable" direct mappings +introduced by commit adfd37382090 ("iommu: Introduce +IOMMU_RESV_DIRECT_RELAXABLE reserved memory regions"). These relaxable +direct mappings provide the same identity mapping support in the default +domain, but also indicate that the reservation is software imposed and +may be relaxed under some conditions, such as device assignment. + +Convert the ISA bridge direct-mapped reserved region to relaxable to +reflect that the restriction is self imposed and need not be enforced +by drivers such as vfio. + +Fixes: 1c5c59fbad20 ("iommu/vt-d: Differentiate relaxable and non relaxable RMRRs") +Cc: stable@vger.kernel.org # v5.3+ +Link: https://lore.kernel.org/linux-iommu/20191211082304.2d4fab45@x1.home +Reported-by: cprt +Tested-by: cprt +Signed-off-by: Alex Williamson +Acked-by: Lu Baolu +Reviewed-by: Eric Auger +Tested-by: Jerry Snitselaar +Reviewed-by: Jerry Snitselaar +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -5698,7 +5698,7 @@ static void intel_iommu_get_resv_regions + + if ((pdev->class >> 8) == PCI_CLASS_BRIDGE_ISA) { + reg = iommu_alloc_resv_region(0, 1UL << 24, 0, +- IOMMU_RESV_DIRECT); ++ IOMMU_RESV_DIRECT_RELAXABLE); + if (reg) + list_add_tail(®->list, head); + } diff --git a/queue-5.4/mmc-mediatek-fix-cmd_ta-to-2-for-mt8173-hs200-hs400-mode.patch b/queue-5.4/mmc-mediatek-fix-cmd_ta-to-2-for-mt8173-hs200-hs400-mode.patch new file mode 100644 index 00000000000..81b9e121396 --- /dev/null +++ b/queue-5.4/mmc-mediatek-fix-cmd_ta-to-2-for-mt8173-hs200-hs400-mode.patch @@ -0,0 +1,43 @@ +From 8f34e5bd7024d1ffebddd82d7318b1be17be9e9a Mon Sep 17 00:00:00 2001 +From: Chaotian Jing +Date: Wed, 4 Dec 2019 15:19:58 +0800 +Subject: mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode + +From: Chaotian Jing + +commit 8f34e5bd7024d1ffebddd82d7318b1be17be9e9a upstream. + +there is a chance that always get response CRC error after HS200 tuning, +the reason is that need set CMD_TA to 2. this modification is only for +MT8173. + +Signed-off-by: Chaotian Jing +Tested-by: Hsin-Yi Wang +Cc: stable@vger.kernel.org +Fixes: 1ede5cb88a29 ("mmc: mediatek: Use data tune for CMD line tune") +Link: https://lore.kernel.org/r/20191204071958.18553-1-chaotian.jing@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/mtk-sd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -228,6 +228,7 @@ + #define MSDC_PATCH_BIT_SPCPUSH (0x1 << 29) /* RW */ + #define MSDC_PATCH_BIT_DECRCTMO (0x1 << 30) /* RW */ + ++#define MSDC_PATCH_BIT1_CMDTA (0x7 << 3) /* RW */ + #define MSDC_PATCH_BIT1_STOP_DLY (0xf << 8) /* RW */ + + #define MSDC_PATCH_BIT2_CFGRESP (0x1 << 15) /* RW */ +@@ -1881,6 +1882,7 @@ static int hs400_tune_response(struct mm + + /* select EMMC50 PAD CMD tune */ + sdr_set_bits(host->base + PAD_CMD_TUNE, BIT(0)); ++ sdr_set_field(host->base + MSDC_PATCH_BIT1, MSDC_PATCH_BIT1_CMDTA, 2); + + if (mmc->ios.timing == MMC_TIMING_MMC_HS200 || + mmc->ios.timing == MMC_TIMING_UHS_SDR104) diff --git a/queue-5.4/revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch b/queue-5.4/revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch new file mode 100644 index 00000000000..a04a08c7ccc --- /dev/null +++ b/queue-5.4/revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch @@ -0,0 +1,42 @@ +From 07bcc411567cb96f9d1fc84fff8d387118a2920d Mon Sep 17 00:00:00 2001 +From: Faiz Abbas +Date: Thu, 28 Nov 2019 16:34:22 +0530 +Subject: Revert "mmc: sdhci: Fix incorrect switch to HS mode" + +From: Faiz Abbas + +commit 07bcc411567cb96f9d1fc84fff8d387118a2920d upstream. + +This reverts commit c894e33ddc1910e14d6f2a2016f60ab613fd8b37. + +This commit aims to treat SD High speed and SDR25 as the same while +setting UHS Timings in HOST_CONTROL2 which leads to failures with some +SD cards in AM65x. Revert this commit. + +The issue this commit was trying to fix can be implemented in a platform +specific callback instead of common sdhci code. + +Cc: +Signed-off-by: Faiz Abbas +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20191128110422.25917-1-faiz_abbas@ti.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -1871,9 +1871,7 @@ void sdhci_set_uhs_signaling(struct sdhc + ctrl_2 |= SDHCI_CTRL_UHS_SDR104; + else if (timing == MMC_TIMING_UHS_SDR12) + ctrl_2 |= SDHCI_CTRL_UHS_SDR12; +- else if (timing == MMC_TIMING_SD_HS || +- timing == MMC_TIMING_MMC_HS || +- timing == MMC_TIMING_UHS_SDR25) ++ else if (timing == MMC_TIMING_UHS_SDR25) + ctrl_2 |= SDHCI_CTRL_UHS_SDR25; + else if (timing == MMC_TIMING_UHS_SDR50) + ctrl_2 |= SDHCI_CTRL_UHS_SDR50; diff --git a/queue-5.4/series b/queue-5.4/series index a0677d1bf89..e707c4ae9b8 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -339,3 +339,18 @@ net-wireless-intel-iwlwifi-fix-gro_normal-packet-sta.patch mips-futex-restore-n-after-sync-instructions.patch btrfs-don-t-prematurely-free-work-in-reada_start_mac.patch btrfs-don-t-prematurely-free-work-in-scrub_missing_r.patch +revert-mmc-sdhci-fix-incorrect-switch-to-hs-mode.patch +mmc-mediatek-fix-cmd_ta-to-2-for-mt8173-hs200-hs400-mode.patch +tpm_tis-reserve-chip-for-duration-of-tpm_tis_core_init.patch +tpm-fix-invalid-locking-in-nonblocking-mode.patch +iommu-fix-kasan-use-after-free-in-iommu_insert_resv_region.patch +iommu-set-group-default-domain-before-creating-direct-mappings.patch +iommu-vt-d-fix-dmar-pte-read-access-not-set-error.patch +iommu-vt-d-set-isa-bridge-reserved-region-as-relaxable.patch +iommu-vt-d-allocate-reserved-region-for-isa-with-correct-permission.patch +can-xilinx_can-fix-missing-rx-can-packets-on-canfd2.0.patch +can-m_can-tcan4x5x-add-required-delay-after-reset.patch +can-j1939-j1939_sk_bind-take-priv-after-lock-is-held.patch +can-flexcan-fix-possible-deadlock-and-out-of-order-reception-after-wakeup.patch +can-flexcan-poll-mcr_lpm_ack-instead-of-gpr-ack-for-stop-mode-acknowledgment.patch +can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch diff --git a/queue-5.4/tpm-fix-invalid-locking-in-nonblocking-mode.patch b/queue-5.4/tpm-fix-invalid-locking-in-nonblocking-mode.patch new file mode 100644 index 00000000000..1882e85138b --- /dev/null +++ b/queue-5.4/tpm-fix-invalid-locking-in-nonblocking-mode.patch @@ -0,0 +1,60 @@ +From d23d12484307b40eea549b8a858f5fffad913897 Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Thu, 12 Dec 2019 09:48:47 -0800 +Subject: tpm: fix invalid locking in NONBLOCKING mode + +From: Tadeusz Struk + +commit d23d12484307b40eea549b8a858f5fffad913897 upstream. + +When an application sends TPM commands in NONBLOCKING mode +the driver holds chip->tpm_mutex returning from write(), +which triggers: "WARNING: lock held when returning to user space". +To fix this issue the driver needs to release the mutex before +returning and acquire it again in tpm_dev_async_work() before +sending the command. + +Cc: stable@vger.kernel.org +Fixes: 9e1b74a63f776 (tpm: add support for nonblocking operation) +Reported-by: Jeffrin Jose T +Tested-by: Jeffrin Jose T +Signed-off-by: Tadeusz Struk +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm-dev-common.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/char/tpm/tpm-dev-common.c ++++ b/drivers/char/tpm/tpm-dev-common.c +@@ -61,6 +61,12 @@ static void tpm_dev_async_work(struct wo + + mutex_lock(&priv->buffer_mutex); + priv->command_enqueued = false; ++ ret = tpm_try_get_ops(priv->chip); ++ if (ret) { ++ priv->response_length = ret; ++ goto out; ++ } ++ + ret = tpm_dev_transmit(priv->chip, priv->space, priv->data_buffer, + sizeof(priv->data_buffer)); + tpm_put_ops(priv->chip); +@@ -68,6 +74,7 @@ static void tpm_dev_async_work(struct wo + priv->response_length = ret; + mod_timer(&priv->user_read_timer, jiffies + (120 * HZ)); + } ++out: + mutex_unlock(&priv->buffer_mutex); + wake_up_interruptible(&priv->async_wait); + } +@@ -204,6 +211,7 @@ ssize_t tpm_common_write(struct file *fi + if (file->f_flags & O_NONBLOCK) { + priv->command_enqueued = true; + queue_work(tpm_dev_wq, &priv->async_work); ++ tpm_put_ops(priv->chip); + mutex_unlock(&priv->buffer_mutex); + return size; + } diff --git a/queue-5.4/tpm_tis-reserve-chip-for-duration-of-tpm_tis_core_init.patch b/queue-5.4/tpm_tis-reserve-chip-for-duration-of-tpm_tis_core_init.patch new file mode 100644 index 00000000000..8f29c23f2ad --- /dev/null +++ b/queue-5.4/tpm_tis-reserve-chip-for-duration-of-tpm_tis_core_init.patch @@ -0,0 +1,134 @@ +From 21df4a8b6018b842d4db181a8b24166006bad3cd Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Wed, 11 Dec 2019 16:54:55 -0700 +Subject: tpm_tis: reserve chip for duration of tpm_tis_core_init + +From: Jerry Snitselaar + +commit 21df4a8b6018b842d4db181a8b24166006bad3cd upstream. + +Instead of repeatedly calling tpm_chip_start/tpm_chip_stop when +issuing commands to the tpm during initialization, just reserve the +chip after wait_startup, and release it when we are ready to call +tpm_chip_register. + +Cc: Christian Bundy +Cc: Dan Williams +Cc: Peter Huewe +Cc: Jarkko Sakkinen +Cc: Jason Gunthorpe +Cc: Stefan Berger +Cc: stable@vger.kernel.org +Cc: linux-integrity@vger.kernel.org +Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()") +Fixes: 5b359c7c4372 ("tpm_tis_core: Turn on the TPM before probing IRQ's") +Suggested-by: Jarkko Sakkinen +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jerry Snitselaar +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_tis_core.c | 35 ++++++++++++++++++----------------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -899,13 +899,13 @@ int tpm_tis_core_init(struct device *dev + + if (wait_startup(chip, 0) != 0) { + rc = -ENODEV; +- goto out_err; ++ goto err_start; + } + + /* Take control of the TPM's interrupt hardware and shut it off */ + rc = tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask); + if (rc < 0) +- goto out_err; ++ goto err_start; + + intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT | + TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT; +@@ -914,21 +914,21 @@ int tpm_tis_core_init(struct device *dev + + rc = tpm_chip_start(chip); + if (rc) +- goto out_err; ++ goto err_start; ++ + rc = tpm2_probe(chip); +- tpm_chip_stop(chip); + if (rc) +- goto out_err; ++ goto err_probe; + + rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor); + if (rc < 0) +- goto out_err; ++ goto err_probe; + + priv->manufacturer_id = vendor; + + rc = tpm_tis_read8(priv, TPM_RID(0), &rid); + if (rc < 0) +- goto out_err; ++ goto err_probe; + + dev_info(dev, "%s TPM (device-id 0x%X, rev-id %d)\n", + (chip->flags & TPM_CHIP_FLAG_TPM2) ? "2.0" : "1.2", +@@ -937,13 +937,13 @@ int tpm_tis_core_init(struct device *dev + probe = probe_itpm(chip); + if (probe < 0) { + rc = -ENODEV; +- goto out_err; ++ goto err_probe; + } + + /* Figure out the capabilities */ + rc = tpm_tis_read32(priv, TPM_INTF_CAPS(priv->locality), &intfcaps); + if (rc < 0) +- goto out_err; ++ goto err_probe; + + dev_dbg(dev, "TPM interface capabilities (0x%x):\n", + intfcaps); +@@ -977,10 +977,9 @@ int tpm_tis_core_init(struct device *dev + if (tpm_get_timeouts(chip)) { + dev_err(dev, "Could not get TPM timeouts and durations\n"); + rc = -ENODEV; +- goto out_err; ++ goto err_probe; + } + +- tpm_chip_start(chip); + chip->flags |= TPM_CHIP_FLAG_IRQ; + if (irq) { + tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED, +@@ -991,18 +990,20 @@ int tpm_tis_core_init(struct device *dev + } else { + tpm_tis_probe_irq(chip, intmask); + } +- tpm_chip_stop(chip); + } + ++ tpm_chip_stop(chip); ++ + rc = tpm_chip_register(chip); + if (rc) +- goto out_err; +- +- if (chip->ops->clk_enable != NULL) +- chip->ops->clk_enable(chip, false); ++ goto err_start; + + return 0; +-out_err: ++ ++err_probe: ++ tpm_chip_stop(chip); ++ ++err_start: + if ((chip->ops != NULL) && (chip->ops->clk_enable != NULL)) + chip->ops->clk_enable(chip, false); +