From: Greg Kroah-Hartman Date: Sun, 27 Oct 2019 08:55:27 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.198~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=78d1aadc12c81c79c6d259de902280a96cee05c0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: acpi-cppc-set-pcc_data-to-null-in-acpi_cppc_processor_exit.patch asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch cfg80211-wext-avoid-copying-malformed-ssids.patch drivers-base-memory.c-don-t-access-uninitialized-memmaps-in-soft_offline_page_store.patch drm-amdgpu-bail-earlier-when-amdgpu.cik_-si_support-is-not-set-to-1.patch drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch drm-ttm-restore-ttm-prefaulting.patch fs-proc-page.c-don-t-access-uninitialized-memmaps-in-fs-proc-page.c.patch input-da9063-fix-capability-and-drop-key_sleep.patch input-synaptics-rmi4-avoid-processing-unknown-irqs.patch mac80211-reject-malformed-ssid-elements.patch mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch scsi-ch-make-it-possible-to-open-a-ch-device-multiple-times-again.patch scsi-core-save-restore-command-resid-for-error-handling.patch scsi-core-try-to-get-module-before-removing-device.patch scsi-sd-ignore-a-failure-to-sync-cache-due-to-lack-of-authorization.patch scsi-zfcp-fix-reaction-on-bit-error-threshold-notification.patch staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch --- diff --git a/queue-4.19/acpi-cppc-set-pcc_data-to-null-in-acpi_cppc_processor_exit.patch b/queue-4.19/acpi-cppc-set-pcc_data-to-null-in-acpi_cppc_processor_exit.patch new file mode 100644 index 00000000000..cc0827c11a9 --- /dev/null +++ b/queue-4.19/acpi-cppc-set-pcc_data-to-null-in-acpi_cppc_processor_exit.patch @@ -0,0 +1,130 @@ +From 56a0b978d42f58c7e3ba715cf65af487d427524d Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Tue, 15 Oct 2019 22:07:31 +0800 +Subject: ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() + +From: John Garry + +commit 56a0b978d42f58c7e3ba715cf65af487d427524d upstream. + +When enabling KASAN and DEBUG_TEST_DRIVER_REMOVE, I find this KASAN +warning: + +[ 20.872057] BUG: KASAN: use-after-free in pcc_data_alloc+0x40/0xb8 +[ 20.878226] Read of size 4 at addr ffff00236cdeb684 by task swapper/0/1 +[ 20.884826] +[ 20.886309] CPU: 19 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00009-ge7f7df3db5bf-dirty #289 +[ 20.894994] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 +[ 20.903505] Call trace: +[ 20.905942] dump_backtrace+0x0/0x200 +[ 20.909593] show_stack+0x14/0x20 +[ 20.912899] dump_stack+0xd4/0x130 +[ 20.916291] print_address_description.isra.9+0x6c/0x3b8 +[ 20.921592] __kasan_report+0x12c/0x23c +[ 20.925417] kasan_report+0xc/0x18 +[ 20.928808] __asan_load4+0x94/0xb8 +[ 20.932286] pcc_data_alloc+0x40/0xb8 +[ 20.935938] acpi_cppc_processor_probe+0x4e8/0xb08 +[ 20.940717] __acpi_processor_start+0x48/0xb0 +[ 20.945062] acpi_processor_start+0x40/0x60 +[ 20.949235] really_probe+0x118/0x548 +[ 20.952887] driver_probe_device+0x7c/0x148 +[ 20.957059] device_driver_attach+0x94/0xa0 +[ 20.961231] __driver_attach+0xa4/0x110 +[ 20.965055] bus_for_each_dev+0xe8/0x158 +[ 20.968966] driver_attach+0x30/0x40 +[ 20.972531] bus_add_driver+0x234/0x2f0 +[ 20.976356] driver_register+0xbc/0x1d0 +[ 20.980182] acpi_processor_driver_init+0x40/0xe4 +[ 20.984875] do_one_initcall+0xb4/0x254 +[ 20.988700] kernel_init_freeable+0x24c/0x2f8 +[ 20.993047] kernel_init+0x10/0x118 +[ 20.996524] ret_from_fork+0x10/0x18 +[ 21.000087] +[ 21.001567] Allocated by task 1: +[ 21.004785] save_stack+0x28/0xc8 +[ 21.008089] __kasan_kmalloc.isra.9+0xbc/0xd8 +[ 21.012435] kasan_kmalloc+0xc/0x18 +[ 21.015913] pcc_data_alloc+0x94/0xb8 +[ 21.019564] acpi_cppc_processor_probe+0x4e8/0xb08 +[ 21.024343] __acpi_processor_start+0x48/0xb0 +[ 21.028689] acpi_processor_start+0x40/0x60 +[ 21.032860] really_probe+0x118/0x548 +[ 21.036512] driver_probe_device+0x7c/0x148 +[ 21.040684] device_driver_attach+0x94/0xa0 +[ 21.044855] __driver_attach+0xa4/0x110 +[ 21.048680] bus_for_each_dev+0xe8/0x158 +[ 21.052591] driver_attach+0x30/0x40 +[ 21.056155] bus_add_driver+0x234/0x2f0 +[ 21.059980] driver_register+0xbc/0x1d0 +[ 21.063805] acpi_processor_driver_init+0x40/0xe4 +[ 21.068497] do_one_initcall+0xb4/0x254 +[ 21.072322] kernel_init_freeable+0x24c/0x2f8 +[ 21.076667] kernel_init+0x10/0x118 +[ 21.080144] ret_from_fork+0x10/0x18 +[ 21.083707] +[ 21.085186] Freed by task 1: +[ 21.088056] save_stack+0x28/0xc8 +[ 21.091360] __kasan_slab_free+0x118/0x180 +[ 21.095445] kasan_slab_free+0x10/0x18 +[ 21.099183] kfree+0x80/0x268 +[ 21.102139] acpi_cppc_processor_exit+0x1a8/0x1b8 +[ 21.106832] acpi_processor_stop+0x70/0x80 +[ 21.110917] really_probe+0x174/0x548 +[ 21.114568] driver_probe_device+0x7c/0x148 +[ 21.118740] device_driver_attach+0x94/0xa0 +[ 21.122912] __driver_attach+0xa4/0x110 +[ 21.126736] bus_for_each_dev+0xe8/0x158 +[ 21.130648] driver_attach+0x30/0x40 +[ 21.134212] bus_add_driver+0x234/0x2f0 +[ 21.0x10/0x18 +[ 21.161764] +[ 21.163244] The buggy address belongs to the object at ffff00236cdeb600 +[ 21.163244] which belongs to the cache kmalloc-256 of size 256 +[ 21.175750] The buggy address is located 132 bytes inside of +[ 21.175750] 256-byte region [ffff00236cdeb600, ffff00236cdeb700) +[ 21.187473] The buggy address belongs to the page: +[ 21.192254] page:fffffe008d937a00 refcount:1 mapcount:0 mapping:ffff002370c0fa00 index:0x0 compound_mapcount: 0 +[ 21.202331] flags: 0x1ffff00000010200(slab|head) +[ 21.206940] raw: 1ffff00000010200 dead000000000100 dead000000000122 ffff002370c0fa00 +[ 21.214671] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000 +[ 21.222400] page dumped because: kasan: bad access detected +[ 21.227959] +[ 21.229438] Memory state around the buggy address: +[ 21.234218] ffff00236cdeb580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 21.241427] ffff00236cdeb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 21.248637] >ffff00236cdeb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 21.255845] ^ +[ 21.259062] ffff00236cdeb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 21.266272] ffff00236cdeb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 21.273480] ================================================================== + +It seems that global pcc_data[pcc_ss_id] can be freed in +acpi_cppc_processor_exit(), but we may later reference this value, so +NULLify it when freed. + +Also remove the useless setting of data "pcc_channel_acquired", which +we're about to free. + +Fixes: 85b1407bf6d2 ("ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs") +Signed-off-by: John Garry +Cc: 4.15+ # 4.15+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/cppc_acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -909,8 +909,8 @@ void acpi_cppc_processor_exit(struct acp + pcc_data[pcc_ss_id]->refcount--; + if (!pcc_data[pcc_ss_id]->refcount) { + pcc_mbox_free_channel(pcc_data[pcc_ss_id]->pcc_channel); +- pcc_data[pcc_ss_id]->pcc_channel_acquired = 0; + kfree(pcc_data[pcc_ss_id]); ++ pcc_data[pcc_ss_id] = NULL; + } + } + } diff --git a/queue-4.19/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch b/queue-4.19/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch new file mode 100644 index 00000000000..f8db457e4b9 --- /dev/null +++ b/queue-4.19/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch @@ -0,0 +1,42 @@ +From 22e58665a01006d05f0239621f7d41cacca96cc4 Mon Sep 17 00:00:00 2001 +From: Junya Monden +Date: Wed, 16 Oct 2019 14:42:55 +0200 +Subject: ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting + +From: Junya Monden + +commit 22e58665a01006d05f0239621f7d41cacca96cc4 upstream. + +Unlike other format-related DAI parameters, rdai->bit_clk_inv flag +is not properly re-initialized when setting format for new stream +processing. The inversion, if requested, is then applied not to default, +but to a previous value, which leads to SCKP bit in SSICR register being +set incorrectly. +Fix this by re-setting the flag to its initial value, determined by format. + +Fixes: 1a7889ca8aba3 ("ASoC: rsnd: fixup SND_SOC_DAIFMT_xB_xF behavior") +Cc: Andrew Gabbasov +Cc: Jiada Wang +Cc: Timo Wischer +Cc: stable@vger.kernel.org # v3.17+ +Signed-off-by: Junya Monden +Signed-off-by: Eugeniu Rosca +Acked-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/20191016124255.7442-1-erosca@de.adit-jv.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sh/rcar/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/sh/rcar/core.c ++++ b/sound/soc/sh/rcar/core.c +@@ -674,6 +674,7 @@ static int rsnd_soc_dai_set_fmt(struct s + } + + /* set format */ ++ rdai->bit_clk_inv = 0; + switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) { + case SND_SOC_DAIFMT_I2S: + rdai->sys_delay = 0; diff --git a/queue-4.19/cfg80211-wext-avoid-copying-malformed-ssids.patch b/queue-4.19/cfg80211-wext-avoid-copying-malformed-ssids.patch new file mode 100644 index 00000000000..c74e87f7f4d --- /dev/null +++ b/queue-4.19/cfg80211-wext-avoid-copying-malformed-ssids.patch @@ -0,0 +1,56 @@ +From 4ac2813cc867ae563a1ba5a9414bfb554e5796fa Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 4 Oct 2019 10:51:32 +0100 +Subject: cfg80211: wext: avoid copying malformed SSIDs + +From: Will Deacon + +commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream. + +Ensure the SSID element is bounds-checked prior to invoking memcpy() +with its length field, when copying to userspace. + +Cc: +Cc: Kees Cook +Reported-by: Nicolas Waisman +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org +[adjust commit log a bit] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/wext-sme.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/wireless/wext-sme.c ++++ b/net/wireless/wext-sme.c +@@ -202,6 +202,7 @@ int cfg80211_mgd_wext_giwessid(struct ne + struct iw_point *data, char *ssid) + { + struct wireless_dev *wdev = dev->ieee80211_ptr; ++ int ret = 0; + + /* call only for station! */ + if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION)) +@@ -219,7 +220,10 @@ int cfg80211_mgd_wext_giwessid(struct ne + if (ie) { + data->flags = 1; + data->length = ie[1]; +- memcpy(ssid, ie + 2, data->length); ++ if (data->length > IW_ESSID_MAX_SIZE) ++ ret = -EINVAL; ++ else ++ memcpy(ssid, ie + 2, data->length); + } + rcu_read_unlock(); + } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) { +@@ -229,7 +233,7 @@ int cfg80211_mgd_wext_giwessid(struct ne + } + wdev_unlock(wdev); + +- return 0; ++ return ret; + } + + int cfg80211_mgd_wext_siwap(struct net_device *dev, diff --git a/queue-4.19/drivers-base-memory.c-don-t-access-uninitialized-memmaps-in-soft_offline_page_store.patch b/queue-4.19/drivers-base-memory.c-don-t-access-uninitialized-memmaps-in-soft_offline_page_store.patch new file mode 100644 index 00000000000..d7f7ab61fe4 --- /dev/null +++ b/queue-4.19/drivers-base-memory.c-don-t-access-uninitialized-memmaps-in-soft_offline_page_store.patch @@ -0,0 +1,55 @@ +From 641fe2e9387a36f9ee01d7c69382d1fe147a5e98 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Fri, 18 Oct 2019 20:19:16 -0700 +Subject: drivers/base/memory.c: don't access uninitialized memmaps in soft_offline_page_store() + +From: David Hildenbrand + +commit 641fe2e9387a36f9ee01d7c69382d1fe147a5e98 upstream. + +Uninitialized memmaps contain garbage and in the worst case trigger kernel +BUGs, especially with CONFIG_PAGE_POISONING. They should not get touched. + +Right now, when trying to soft-offline a PFN that resides on a memory +block that was never onlined, one gets a misleading error with +CONFIG_PAGE_POISONING: + + :/# echo 5637144576 > /sys/devices/system/memory/soft_offline_page + [ 23.097167] soft offline: 0x150000 page already poisoned + +But the actual result depends on the garbage in the memmap. + +soft_offline_page() can only work with online pages, it returns -EIO in +case of ZONE_DEVICE. Make sure to only forward pages that are online +(iow, managed by the buddy) and, therefore, have an initialized memmap. + +Add a check against pfn_to_online_page() and similarly return -EIO. + +Link: http://lkml.kernel.org/r/20191010141200.8985-1-david@redhat.com +Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") [visible after d0dc12e86b319] +Signed-off-by: David Hildenbrand +Acked-by: Naoya Horiguchi +Acked-by: Michal Hocko +Cc: Greg Kroah-Hartman +Cc: "Rafael J. Wysocki" +Cc: [4.13+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/memory.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -554,6 +554,9 @@ store_soft_offline_page(struct device *d + pfn >>= PAGE_SHIFT; + if (!pfn_valid(pfn)) + return -ENXIO; ++ /* Only online pages can be soft-offlined (esp., not ZONE_DEVICE). */ ++ if (!pfn_to_online_page(pfn)) ++ return -EIO; + ret = soft_offline_page(pfn_to_page(pfn), 0); + return ret == 0 ? count : ret; + } diff --git a/queue-4.19/drm-amdgpu-bail-earlier-when-amdgpu.cik_-si_support-is-not-set-to-1.patch b/queue-4.19/drm-amdgpu-bail-earlier-when-amdgpu.cik_-si_support-is-not-set-to-1.patch new file mode 100644 index 00000000000..462a803fb63 --- /dev/null +++ b/queue-4.19/drm-amdgpu-bail-earlier-when-amdgpu.cik_-si_support-is-not-set-to-1.patch @@ -0,0 +1,123 @@ +From 984d7a929ad68b7be9990fc9c5cfa5d5c9fc7942 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 10 Oct 2019 18:28:17 +0200 +Subject: drm/amdgpu: Bail earlier when amdgpu.cik_/si_support is not set to 1 + +From: Hans de Goede + +commit 984d7a929ad68b7be9990fc9c5cfa5d5c9fc7942 upstream. + +Bail from the pci_driver probe function instead of from the drm_driver +load function. + +This avoid /dev/dri/card0 temporarily getting registered and then +unregistered again, sending unwanted add / remove udev events to +userspace. + +Specifically this avoids triggering the (userspace) bug fixed by this +plymouth merge-request: +https://gitlab.freedesktop.org/plymouth/plymouth/merge_requests/59 + +Note that despite that being a userspace bug, not sending unnecessary +udev events is a good idea in general. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1490490 +Reviewed-by: Daniel Vetter +Signed-off-by: Hans de Goede +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 35 ++++++++++++++++++++++++++++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 35 -------------------------------- + 2 files changed, 35 insertions(+), 35 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -841,6 +841,41 @@ static int amdgpu_pci_probe(struct pci_d + if (ret == -EPROBE_DEFER) + return ret; + ++#ifdef CONFIG_DRM_AMDGPU_SI ++ if (!amdgpu_si_support) { ++ switch (flags & AMD_ASIC_MASK) { ++ case CHIP_TAHITI: ++ case CHIP_PITCAIRN: ++ case CHIP_VERDE: ++ case CHIP_OLAND: ++ case CHIP_HAINAN: ++ dev_info(&pdev->dev, ++ "SI support provided by radeon.\n"); ++ dev_info(&pdev->dev, ++ "Use radeon.si_support=0 amdgpu.si_support=1 to override.\n" ++ ); ++ return -ENODEV; ++ } ++ } ++#endif ++#ifdef CONFIG_DRM_AMDGPU_CIK ++ if (!amdgpu_cik_support) { ++ switch (flags & AMD_ASIC_MASK) { ++ case CHIP_KAVERI: ++ case CHIP_BONAIRE: ++ case CHIP_HAWAII: ++ case CHIP_KABINI: ++ case CHIP_MULLINS: ++ dev_info(&pdev->dev, ++ "CIK support provided by radeon.\n"); ++ dev_info(&pdev->dev, ++ "Use radeon.cik_support=0 amdgpu.cik_support=1 to override.\n" ++ ); ++ return -ENODEV; ++ } ++ } ++#endif ++ + /* Get rid of things like offb */ + ret = amdgpu_kick_out_firmware_fb(pdev); + if (ret) +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -87,41 +87,6 @@ int amdgpu_driver_load_kms(struct drm_de + struct amdgpu_device *adev; + int r, acpi_status; + +-#ifdef CONFIG_DRM_AMDGPU_SI +- if (!amdgpu_si_support) { +- switch (flags & AMD_ASIC_MASK) { +- case CHIP_TAHITI: +- case CHIP_PITCAIRN: +- case CHIP_VERDE: +- case CHIP_OLAND: +- case CHIP_HAINAN: +- dev_info(dev->dev, +- "SI support provided by radeon.\n"); +- dev_info(dev->dev, +- "Use radeon.si_support=0 amdgpu.si_support=1 to override.\n" +- ); +- return -ENODEV; +- } +- } +-#endif +-#ifdef CONFIG_DRM_AMDGPU_CIK +- if (!amdgpu_cik_support) { +- switch (flags & AMD_ASIC_MASK) { +- case CHIP_KAVERI: +- case CHIP_BONAIRE: +- case CHIP_HAWAII: +- case CHIP_KABINI: +- case CHIP_MULLINS: +- dev_info(dev->dev, +- "CIK support provided by radeon.\n"); +- dev_info(dev->dev, +- "Use radeon.cik_support=0 amdgpu.cik_support=1 to override.\n" +- ); +- return -ENODEV; +- } +- } +-#endif +- + adev = kzalloc(sizeof(struct amdgpu_device), GFP_KERNEL); + if (adev == NULL) { + return -ENOMEM; diff --git a/queue-4.19/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch b/queue-4.19/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch new file mode 100644 index 00000000000..ed93d1aa41c --- /dev/null +++ b/queue-4.19/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch @@ -0,0 +1,35 @@ +From 11bcf5f78905b90baae8fb01e16650664ed0cb00 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 2 Apr 2019 11:30:37 +0800 +Subject: drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 + +From: Kai-Heng Feng + +commit 11bcf5f78905b90baae8fb01e16650664ed0cb00 upstream. + +Another panel that needs 6BPC quirk. + +BugLink: https://bugs.launchpad.net/bugs/1819968 +Cc: # v4.8+ +Reviewed-by: Alex Deucher +Signed-off-by: Kai-Heng Feng +Signed-off-by: Alex Deucher +Link: https://patchwork.freedesktop.org/patch/msgid/20190402033037.21877-1-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_edid.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -166,6 +166,9 @@ static const struct edid_quirk { + /* Medion MD 30217 PG */ + { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 }, + ++ /* Lenovo G50 */ ++ { "SDC", 18514, EDID_QUIRK_FORCE_6BPC }, ++ + /* Panel in Samsung NP700G7A-S01PL notebook reports 6bpc */ + { "SEC", 0xd033, EDID_QUIRK_FORCE_8BPC }, + diff --git a/queue-4.19/drm-ttm-restore-ttm-prefaulting.patch b/queue-4.19/drm-ttm-restore-ttm-prefaulting.patch new file mode 100644 index 00000000000..0ad5bea17c1 --- /dev/null +++ b/queue-4.19/drm-ttm-restore-ttm-prefaulting.patch @@ -0,0 +1,60 @@ +From 941f2f72dbbe0cf8c2d6e0b180a8021a0ec477fa Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Thu, 12 Sep 2019 20:38:54 +0200 +Subject: drm/ttm: Restore ttm prefaulting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Hellstrom + +commit 941f2f72dbbe0cf8c2d6e0b180a8021a0ec477fa upstream. + +Commit 4daa4fba3a38 ("gpu: drm: ttm: Adding new return type vm_fault_t") +broke TTM prefaulting. Since vmf_insert_mixed() typically always returns +VM_FAULT_NOPAGE, prefaulting stops after the second PTE. + +Restore (almost) the original behaviour. Unfortunately we can no longer +with the new vm_fault_t return type determine whether a prefaulting +PTE insertion hit an already populated PTE, and terminate the insertion +loop. Instead we continue with the pre-determined number of prefaults. + +Fixes: 4daa4fba3a38 ("gpu: drm: ttm: Adding new return type vm_fault_t") +Cc: Souptick Joarder +Cc: Christian König +Signed-off-by: Thomas Hellstrom +Reviewed-by: Christian König +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Christian König +Link: https://patchwork.freedesktop.org/patch/330387/ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ttm/ttm_bo_vm.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c ++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c +@@ -273,15 +273,13 @@ static vm_fault_t ttm_bo_vm_fault(struct + else + ret = vmf_insert_pfn(&cvma, address, pfn); + +- /* +- * Somebody beat us to this PTE or prefaulting to +- * an already populated PTE, or prefaulting error. +- */ +- +- if (unlikely((ret == VM_FAULT_NOPAGE && i > 0))) +- break; +- else if (unlikely(ret & VM_FAULT_ERROR)) +- goto out_io_unlock; ++ /* Never error on prefaulted PTEs */ ++ if (unlikely((ret & VM_FAULT_ERROR))) { ++ if (i == 0) ++ goto out_io_unlock; ++ else ++ break; ++ } + + address += PAGE_SIZE; + if (unlikely(++page_offset >= page_last)) diff --git a/queue-4.19/fs-proc-page.c-don-t-access-uninitialized-memmaps-in-fs-proc-page.c.patch b/queue-4.19/fs-proc-page.c-don-t-access-uninitialized-memmaps-in-fs-proc-page.c.patch new file mode 100644 index 00000000000..c8a2b249359 --- /dev/null +++ b/queue-4.19/fs-proc-page.c-don-t-access-uninitialized-memmaps-in-fs-proc-page.c.patch @@ -0,0 +1,147 @@ +From aad5f69bc161af489dbb5934868bd347282f0764 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Fri, 18 Oct 2019 20:19:20 -0700 +Subject: fs/proc/page.c: don't access uninitialized memmaps in fs/proc/page.c + +From: David Hildenbrand + +commit aad5f69bc161af489dbb5934868bd347282f0764 upstream. + +There are three places where we access uninitialized memmaps, namely: +- /proc/kpagecount +- /proc/kpageflags +- /proc/kpagecgroup + +We have initialized memmaps either when the section is online or when the +page was initialized to the ZONE_DEVICE. Uninitialized memmaps contain +garbage and in the worst case trigger kernel BUGs, especially with +CONFIG_PAGE_POISONING. + +For example, not onlining a DIMM during boot and calling /proc/kpagecount +with CONFIG_PAGE_POISONING: + + :/# cat /proc/kpagecount > tmp.test + BUG: unable to handle page fault for address: fffffffffffffffe + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 114616067 P4D 114616067 PUD 114618067 PMD 0 + Oops: 0000 [#1] SMP NOPTI + CPU: 0 PID: 469 Comm: cat Not tainted 5.4.0-rc1-next-20191004+ #11 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.4 + RIP: 0010:kpagecount_read+0xce/0x1e0 + Code: e8 09 83 e0 3f 48 0f a3 02 73 2d 4c 89 e7 48 c1 e7 06 48 03 3d ab 51 01 01 74 1d 48 8b 57 08 480 + RSP: 0018:ffffa14e409b7e78 EFLAGS: 00010202 + RAX: fffffffffffffffe RBX: 0000000000020000 RCX: 0000000000000000 + RDX: 0000000000000001 RSI: 00007f76b5595000 RDI: fffff35645000000 + RBP: 00007f76b5595000 R08: 0000000000000001 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000140000 + R13: 0000000000020000 R14: 00007f76b5595000 R15: ffffa14e409b7f08 + FS: 00007f76b577d580(0000) GS:ffff8f41bd400000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: fffffffffffffffe CR3: 0000000078960000 CR4: 00000000000006f0 + Call Trace: + proc_reg_read+0x3c/0x60 + vfs_read+0xc5/0x180 + ksys_read+0x68/0xe0 + do_syscall_64+0x5c/0xa0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +For now, let's drop support for ZONE_DEVICE from the three pseudo files +in order to fix this. To distinguish offline memory (with garbage +memmap) from ZONE_DEVICE memory with properly initialized memmaps, we +would have to check get_dev_pagemap() and pfn_zone_device_reserved() +right now. The usage of both (especially, special casing devmem) is +frowned upon and needs to be reworked. + +The fundamental issue we have is: + + if (pfn_to_online_page(pfn)) { + /* memmap initialized */ + } else if (pfn_valid(pfn)) { + /* + * ??? + * a) offline memory. memmap garbage. + * b) devmem: memmap initialized to ZONE_DEVICE. + * c) devmem: reserved for driver. memmap garbage. + * (d) devmem: memmap currently initializing - garbage) + */ + } + +We'll leave the pfn_zone_device_reserved() check in stable_page_flags() +in place as that function is also used from memory failure. We now no +longer dump information about pages that are not in use anymore - +offline. + +Link: http://lkml.kernel.org/r/20191009142435.3975-2-david@redhat.com +Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") [visible after d0dc12e86b319] +Signed-off-by: David Hildenbrand +Reported-by: Qian Cai +Acked-by: Michal Hocko +Cc: Dan Williams +Cc: Alexey Dobriyan +Cc: Stephen Rothwell +Cc: Toshiki Fukasawa +Cc: Pankaj gupta +Cc: Mike Rapoport +Cc: Anthony Yznaga +Cc: "Aneesh Kumar K.V" +Cc: [4.13+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/page.c | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +--- a/fs/proc/page.c ++++ b/fs/proc/page.c +@@ -42,10 +42,12 @@ static ssize_t kpagecount_read(struct fi + return -EINVAL; + + while (count > 0) { +- if (pfn_valid(pfn)) +- ppage = pfn_to_page(pfn); +- else +- ppage = NULL; ++ /* ++ * TODO: ZONE_DEVICE support requires to identify ++ * memmaps that were actually initialized. ++ */ ++ ppage = pfn_to_online_page(pfn); ++ + if (!ppage || PageSlab(ppage)) + pcount = 0; + else +@@ -216,10 +218,11 @@ static ssize_t kpageflags_read(struct fi + return -EINVAL; + + while (count > 0) { +- if (pfn_valid(pfn)) +- ppage = pfn_to_page(pfn); +- else +- ppage = NULL; ++ /* ++ * TODO: ZONE_DEVICE support requires to identify ++ * memmaps that were actually initialized. ++ */ ++ ppage = pfn_to_online_page(pfn); + + if (put_user(stable_page_flags(ppage), out)) { + ret = -EFAULT; +@@ -261,10 +264,11 @@ static ssize_t kpagecgroup_read(struct f + return -EINVAL; + + while (count > 0) { +- if (pfn_valid(pfn)) +- ppage = pfn_to_page(pfn); +- else +- ppage = NULL; ++ /* ++ * TODO: ZONE_DEVICE support requires to identify ++ * memmaps that were actually initialized. ++ */ ++ ppage = pfn_to_online_page(pfn); + + if (ppage) + ino = page_cgroup_ino(ppage); diff --git a/queue-4.19/input-da9063-fix-capability-and-drop-key_sleep.patch b/queue-4.19/input-da9063-fix-capability-and-drop-key_sleep.patch new file mode 100644 index 00000000000..f5cdf9c02d6 --- /dev/null +++ b/queue-4.19/input-da9063-fix-capability-and-drop-key_sleep.patch @@ -0,0 +1,41 @@ +From afce285b859cea91c182015fc9858ea58c26cd0e Mon Sep 17 00:00:00 2001 +From: Marco Felsch +Date: Mon, 16 Sep 2019 12:45:48 -0700 +Subject: Input: da9063 - fix capability and drop KEY_SLEEP + +From: Marco Felsch + +commit afce285b859cea91c182015fc9858ea58c26cd0e upstream. + +Since commit f889beaaab1c ("Input: da9063 - report KEY_POWER instead of +KEY_SLEEP during power key-press") KEY_SLEEP isn't supported anymore. This +caused input device to not generate any events if "dlg,disable-key-power" +is set. + +Fix this by unconditionally setting KEY_POWER capability, and not +declaring KEY_SLEEP. + +Fixes: f889beaaab1c ("Input: da9063 - report KEY_POWER instead of KEY_SLEEP during power key-press") +Signed-off-by: Marco Felsch +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/da9063_onkey.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/input/misc/da9063_onkey.c ++++ b/drivers/input/misc/da9063_onkey.c +@@ -248,10 +248,7 @@ static int da9063_onkey_probe(struct pla + onkey->input->phys = onkey->phys; + onkey->input->dev.parent = &pdev->dev; + +- if (onkey->key_power) +- input_set_capability(onkey->input, EV_KEY, KEY_POWER); +- +- input_set_capability(onkey->input, EV_KEY, KEY_SLEEP); ++ input_set_capability(onkey->input, EV_KEY, KEY_POWER); + + INIT_DELAYED_WORK(&onkey->work, da9063_poll_on); + diff --git a/queue-4.19/input-synaptics-rmi4-avoid-processing-unknown-irqs.patch b/queue-4.19/input-synaptics-rmi4-avoid-processing-unknown-irqs.patch new file mode 100644 index 00000000000..e58376cefb7 --- /dev/null +++ b/queue-4.19/input-synaptics-rmi4-avoid-processing-unknown-irqs.patch @@ -0,0 +1,68 @@ +From 363c53875aef8fce69d4a2d0873919ccc7d9e2ad Mon Sep 17 00:00:00 2001 +From: Evan Green +Date: Fri, 11 Oct 2019 17:22:09 -0700 +Subject: Input: synaptics-rmi4 - avoid processing unknown IRQs + +From: Evan Green + +commit 363c53875aef8fce69d4a2d0873919ccc7d9e2ad upstream. + +rmi_process_interrupt_requests() calls handle_nested_irq() for +each interrupt status bit it finds. If the irq domain mapping for +this bit had not yet been set up, then it ends up calling +handle_nested_irq(0), which causes a NULL pointer dereference. + +There's already code that masks the irq_status bits coming out of the +hardware with current_irq_mask, presumably to avoid this situation. +However current_irq_mask seems to more reflect the actual mask set +in the hardware rather than the IRQs software has set up and registered +for. For example, in rmi_driver_reset_handler(), the current_irq_mask +is initialized based on what is read from the hardware. If the reset +value of this mask enables IRQs that Linux has not set up yet, then +we end up in this situation. + +There appears to be a third unused bitmask that used to serve this +purpose, fn_irq_bits. Use that bitmask instead of current_irq_mask +to avoid calling handle_nested_irq() on IRQs that have not yet been +set up. + +Signed-off-by: Evan Green +Reviewed-by: Andrew Duggan +Link: https://lore.kernel.org/r/20191008223657.163366-1-evgreen@chromium.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/rmi4/rmi_driver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -149,7 +149,7 @@ static int rmi_process_interrupt_request + } + + mutex_lock(&data->irq_mutex); +- bitmap_and(data->irq_status, data->irq_status, data->current_irq_mask, ++ bitmap_and(data->irq_status, data->irq_status, data->fn_irq_bits, + data->irq_count); + /* + * At this point, irq_status has all bits that are set in the +@@ -388,6 +388,8 @@ static int rmi_driver_set_irq_bits(struc + bitmap_copy(data->current_irq_mask, data->new_irq_mask, + data->num_of_irq_regs); + ++ bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count); ++ + error_unlock: + mutex_unlock(&data->irq_mutex); + return error; +@@ -401,6 +403,8 @@ static int rmi_driver_clear_irq_bits(str + struct device *dev = &rmi_dev->dev; + + mutex_lock(&data->irq_mutex); ++ bitmap_andnot(data->fn_irq_bits, ++ data->fn_irq_bits, mask, data->irq_count); + bitmap_andnot(data->new_irq_mask, + data->current_irq_mask, mask, data->irq_count); + diff --git a/queue-4.19/mac80211-reject-malformed-ssid-elements.patch b/queue-4.19/mac80211-reject-malformed-ssid-elements.patch new file mode 100644 index 00000000000..7839b02134c --- /dev/null +++ b/queue-4.19/mac80211-reject-malformed-ssid-elements.patch @@ -0,0 +1,46 @@ +From 4152561f5da3fca92af7179dd538ea89e248f9d0 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 4 Oct 2019 10:51:31 +0100 +Subject: mac80211: Reject malformed SSID elements + +From: Will Deacon + +commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream. + +Although this shouldn't occur in practice, it's a good idea to bounds +check the length field of the SSID element prior to using it for things +like allocations or memcpy operations. + +Cc: +Cc: Kees Cook +Reported-by: Nicolas Waisman +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -2554,7 +2554,8 @@ struct sk_buff *ieee80211_ap_probereq_ge + + rcu_read_lock(); + ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID); +- if (WARN_ON_ONCE(ssid == NULL)) ++ if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN, ++ "invalid SSID element (len=%d)", ssid ? ssid[1] : -1)) + ssid_len = 0; + else + ssid_len = ssid[1]; +@@ -5039,7 +5040,7 @@ int ieee80211_mgd_assoc(struct ieee80211 + + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID); +- if (!ssidie) { ++ if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) { + rcu_read_unlock(); + kfree(assoc_data); + return -EINVAL; diff --git a/queue-4.19/mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch b/queue-4.19/mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch new file mode 100644 index 00000000000..9e5c62bc4af --- /dev/null +++ b/queue-4.19/mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch @@ -0,0 +1,105 @@ +From b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 18 Oct 2019 15:38:48 -0700 +Subject: MIPS: tlbex: Fix build_restore_pagemask KScratch restore + +From: Paul Burton + +commit b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 upstream. + +build_restore_pagemask() will restore the value of register $1/$at when +its restore_scratch argument is non-zero, and aims to do so by filling a +branch delay slot. Commit 0b24cae4d535 ("MIPS: Add missing EHB in mtc0 +-> mfc0 sequence.") added an EHB instruction (Execution Hazard Barrier) +prior to restoring $1 from a KScratch register, in order to resolve a +hazard that can result in stale values of the KScratch register being +observed. In particular, P-class CPUs from MIPS with out of order +execution pipelines such as the P5600 & P6600 are affected. + +Unfortunately this EHB instruction was inserted in the branch delay slot +causing the MFC0 instruction which performs the restoration to no longer +execute along with the branch. The result is that the $1 register isn't +actually restored, ie. the TLB refill exception handler clobbers it - +which is exactly the problem the EHB is meant to avoid for the P-class +CPUs. + +Similarly build_get_pgd_vmalloc() will restore the value of $1/$at when +its mode argument equals refill_scratch, and suffers from the same +problem. + +Fix this by in both cases moving the EHB earlier in the emitted code. +There's no reason it needs to immediately precede the MFC0 - it simply +needs to be between the MTC0 & MFC0. + +This bug only affects Cavium Octeon systems which use +build_fast_tlb_refill_handler(). + +Signed-off-by: Paul Burton +Fixes: 0b24cae4d535 ("MIPS: Add missing EHB in mtc0 -> mfc0 sequence.") +Cc: Dmitry Korotin +Cc: stable@vger.kernel.org # v3.15+ +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/tlbex.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -654,6 +654,13 @@ static void build_restore_pagemask(u32 * + int restore_scratch) + { + if (restore_scratch) { ++ /* ++ * Ensure the MFC0 below observes the value written to the ++ * KScratch register by the prior MTC0. ++ */ ++ if (scratch_reg >= 0) ++ uasm_i_ehb(p); ++ + /* Reset default page size */ + if (PM_DEFAULT_MASK >> 16) { + uasm_i_lui(p, tmp, PM_DEFAULT_MASK >> 16); +@@ -668,12 +675,10 @@ static void build_restore_pagemask(u32 * + uasm_i_mtc0(p, 0, C0_PAGEMASK); + uasm_il_b(p, r, lid); + } +- if (scratch_reg >= 0) { +- uasm_i_ehb(p); ++ if (scratch_reg >= 0) + UASM_i_MFC0(p, 1, c0_kscratch(), scratch_reg); +- } else { ++ else + UASM_i_LW(p, 1, scratchpad_offset(0), 0); +- } + } else { + /* Reset default page size */ + if (PM_DEFAULT_MASK >> 16) { +@@ -922,6 +927,10 @@ build_get_pgd_vmalloc64(u32 **p, struct + } + if (mode != not_refill && check_for_high_segbits) { + uasm_l_large_segbits_fault(l, *p); ++ ++ if (mode == refill_scratch && scratch_reg >= 0) ++ uasm_i_ehb(p); ++ + /* + * We get here if we are an xsseg address, or if we are + * an xuseg address above (PGDIR_SHIFT+PGDIR_BITS) boundary. +@@ -938,12 +947,10 @@ build_get_pgd_vmalloc64(u32 **p, struct + uasm_i_jr(p, ptr); + + if (mode == refill_scratch) { +- if (scratch_reg >= 0) { +- uasm_i_ehb(p); ++ if (scratch_reg >= 0) + UASM_i_MFC0(p, 1, c0_kscratch(), scratch_reg); +- } else { ++ else + UASM_i_LW(p, 1, scratchpad_offset(0), 0); +- } + } else { + uasm_i_nop(p); + } diff --git a/queue-4.19/scsi-ch-make-it-possible-to-open-a-ch-device-multiple-times-again.patch b/queue-4.19/scsi-ch-make-it-possible-to-open-a-ch-device-multiple-times-again.patch new file mode 100644 index 00000000000..d4758bb1f0e --- /dev/null +++ b/queue-4.19/scsi-ch-make-it-possible-to-open-a-ch-device-multiple-times-again.patch @@ -0,0 +1,49 @@ +From 6a0990eaa768dfb7064f06777743acc6d392084b Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 9 Oct 2019 10:35:36 -0700 +Subject: scsi: ch: Make it possible to open a ch device multiple times again + +From: Bart Van Assche + +commit 6a0990eaa768dfb7064f06777743acc6d392084b upstream. + +Clearing ch->device in ch_release() is wrong because that pointer must +remain valid until ch_remove() is called. This patch fixes the following +crash the second time a ch device is opened: + +BUG: kernel NULL pointer dereference, address: 0000000000000790 +RIP: 0010:scsi_device_get+0x5/0x60 +Call Trace: + ch_open+0x4c/0xa0 [ch] + chrdev_open+0xa2/0x1c0 + do_dentry_open+0x13a/0x380 + path_openat+0x591/0x1470 + do_filp_open+0x91/0x100 + do_sys_open+0x184/0x220 + do_syscall_64+0x5f/0x1a0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 085e56766f74 ("scsi: ch: add refcounting") +Cc: Hannes Reinecke +Cc: +Link: https://lore.kernel.org/r/20191009173536.247889-1-bvanassche@acm.org +Reported-by: Rob Turk +Suggested-by: Rob Turk +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ch.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/scsi/ch.c ++++ b/drivers/scsi/ch.c +@@ -578,7 +578,6 @@ ch_release(struct inode *inode, struct f + scsi_changer *ch = file->private_data; + + scsi_device_put(ch->device); +- ch->device = NULL; + file->private_data = NULL; + kref_put(&ch->ref, ch_destroy); + return 0; diff --git a/queue-4.19/scsi-core-save-restore-command-resid-for-error-handling.patch b/queue-4.19/scsi-core-save-restore-command-resid-for-error-handling.patch new file mode 100644 index 00000000000..a1d11874bed --- /dev/null +++ b/queue-4.19/scsi-core-save-restore-command-resid-for-error-handling.patch @@ -0,0 +1,73 @@ +From 8f8fed0cdbbd6cdbf28d9ebe662f45765d2f7d39 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 1 Oct 2019 16:48:39 +0900 +Subject: scsi: core: save/restore command resid for error handling + +From: Damien Le Moal + +commit 8f8fed0cdbbd6cdbf28d9ebe662f45765d2f7d39 upstream. + +When a non-passthrough command is terminated with CHECK CONDITION, request +sense is executed by hijacking the command descriptor. Since +scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() do not save/restore the +original command resid, the value returned on failure of the original +command is lost and replaced with the value set by the execution of the +request sense command. This value may in many instances be unaligned to the +device sector size, causing sd_done() to print a warning message about the +incorrect unaligned resid before the command is retried. + +Fix this problem by saving the original command residual in struct +scsi_eh_save using scsi_eh_prep_cmnd() and restoring it in +scsi_eh_restore_cmnd(). In addition, to make sure that the request sense +command is executed with a correctly initialized command structure, also +reset the residual to 0 in scsi_eh_prep_cmnd() after saving the original +command value in struct scsi_eh_save. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191001074839.1994-1-damien.lemoal@wdc.com +Signed-off-by: Damien Le Moal +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_error.c | 3 +++ + include/scsi/scsi_eh.h | 1 + + 2 files changed, 4 insertions(+) + +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -970,6 +970,7 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd + ses->sdb = scmd->sdb; + ses->next_rq = scmd->request->next_rq; + ses->result = scmd->result; ++ ses->resid_len = scmd->req.resid_len; + ses->underflow = scmd->underflow; + ses->prot_op = scmd->prot_op; + ses->eh_eflags = scmd->eh_eflags; +@@ -981,6 +982,7 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd + memset(&scmd->sdb, 0, sizeof(scmd->sdb)); + scmd->request->next_rq = NULL; + scmd->result = 0; ++ scmd->req.resid_len = 0; + + if (sense_bytes) { + scmd->sdb.length = min_t(unsigned, SCSI_SENSE_BUFFERSIZE, +@@ -1034,6 +1036,7 @@ void scsi_eh_restore_cmnd(struct scsi_cm + scmd->sdb = ses->sdb; + scmd->request->next_rq = ses->next_rq; + scmd->result = ses->result; ++ scmd->req.resid_len = ses->resid_len; + scmd->underflow = ses->underflow; + scmd->prot_op = ses->prot_op; + scmd->eh_eflags = ses->eh_eflags; +--- a/include/scsi/scsi_eh.h ++++ b/include/scsi/scsi_eh.h +@@ -32,6 +32,7 @@ extern int scsi_ioctl_reset(struct scsi_ + struct scsi_eh_save { + /* saved state */ + int result; ++ unsigned int resid_len; + int eh_eflags; + enum dma_data_direction data_direction; + unsigned underflow; diff --git a/queue-4.19/scsi-core-try-to-get-module-before-removing-device.patch b/queue-4.19/scsi-core-try-to-get-module-before-removing-device.patch new file mode 100644 index 00000000000..c9ef28e8110 --- /dev/null +++ b/queue-4.19/scsi-core-try-to-get-module-before-removing-device.patch @@ -0,0 +1,94 @@ +From 77c301287ebae86cc71d03eb3806f271cb14da79 Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Tue, 15 Oct 2019 21:05:56 +0800 +Subject: scsi: core: try to get module before removing device + +From: Yufen Yu + +commit 77c301287ebae86cc71d03eb3806f271cb14da79 upstream. + +We have a test case like block/001 in blktests, which will create a scsi +device by loading scsi_debug module and then try to delete the device by +sysfs interface. At the same time, it may remove the scsi_debug module. + +And getting a invalid paging request BUG_ON as following: + +[ 34.625854] BUG: unable to handle page fault for address: ffffffffa0016bb8 +[ 34.629189] Oops: 0000 [#1] SMP PTI +[ 34.629618] CPU: 1 PID: 450 Comm: bash Tainted: G W 5.4.0-rc3+ #473 +[ 34.632524] RIP: 0010:scsi_proc_hostdir_rm+0x5/0xa0 +[ 34.643555] CR2: ffffffffa0016bb8 CR3: 000000012cd88000 CR4: 00000000000006e0 +[ 34.644545] Call Trace: +[ 34.644907] scsi_host_dev_release+0x6b/0x1f0 +[ 34.645511] device_release+0x74/0x110 +[ 34.646046] kobject_put+0x116/0x390 +[ 34.646559] put_device+0x17/0x30 +[ 34.647041] scsi_target_dev_release+0x2b/0x40 +[ 34.647652] device_release+0x74/0x110 +[ 34.648186] kobject_put+0x116/0x390 +[ 34.648691] put_device+0x17/0x30 +[ 34.649157] scsi_device_dev_release_usercontext+0x2e8/0x360 +[ 34.649953] execute_in_process_context+0x29/0x80 +[ 34.650603] scsi_device_dev_release+0x20/0x30 +[ 34.651221] device_release+0x74/0x110 +[ 34.651732] kobject_put+0x116/0x390 +[ 34.652230] sysfs_unbreak_active_protection+0x3f/0x50 +[ 34.652935] sdev_store_delete.cold.4+0x71/0x8f +[ 34.653579] dev_attr_store+0x1b/0x40 +[ 34.654103] sysfs_kf_write+0x3d/0x60 +[ 34.654603] kernfs_fop_write+0x174/0x250 +[ 34.655165] __vfs_write+0x1f/0x60 +[ 34.655639] vfs_write+0xc7/0x280 +[ 34.656117] ksys_write+0x6d/0x140 +[ 34.656591] __x64_sys_write+0x1e/0x30 +[ 34.657114] do_syscall_64+0xb1/0x400 +[ 34.657627] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 34.658335] RIP: 0033:0x7f156f337130 + +During deleting scsi target, the scsi_debug module have been removed. Then, +sdebug_driver_template belonged to the module cannot be accessd, resulting +in scsi_proc_hostdir_rm() BUG_ON. + +To fix the bug, we add scsi_device_get() in sdev_store_delete() to try to +increase refcount of module, avoiding the module been removed. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191015130556.18061-1-yuyufen@huawei.com +Signed-off-by: Yufen Yu +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_sysfs.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -723,6 +723,14 @@ sdev_store_delete(struct device *dev, st + const char *buf, size_t count) + { + struct kernfs_node *kn; ++ struct scsi_device *sdev = to_scsi_device(dev); ++ ++ /* ++ * We need to try to get module, avoiding the module been removed ++ * during delete. ++ */ ++ if (scsi_device_get(sdev)) ++ return -ENODEV; + + kn = sysfs_break_active_protection(&dev->kobj, &attr->attr); + WARN_ON_ONCE(!kn); +@@ -737,9 +745,10 @@ sdev_store_delete(struct device *dev, st + * state into SDEV_DEL. + */ + device_remove_file(dev, attr); +- scsi_remove_device(to_scsi_device(dev)); ++ scsi_remove_device(sdev); + if (kn) + sysfs_unbreak_active_protection(kn); ++ scsi_device_put(sdev); + return count; + }; + static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete); diff --git a/queue-4.19/scsi-sd-ignore-a-failure-to-sync-cache-due-to-lack-of-authorization.patch b/queue-4.19/scsi-sd-ignore-a-failure-to-sync-cache-due-to-lack-of-authorization.patch new file mode 100644 index 00000000000..955e136430d --- /dev/null +++ b/queue-4.19/scsi-sd-ignore-a-failure-to-sync-cache-due-to-lack-of-authorization.patch @@ -0,0 +1,38 @@ +From 21e3d6c81179bbdfa279efc8de456c34b814cfd2 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 3 Sep 2019 12:18:39 +0200 +Subject: scsi: sd: Ignore a failure to sync cache due to lack of authorization + +From: Oliver Neukum + +commit 21e3d6c81179bbdfa279efc8de456c34b814cfd2 upstream. + +I've got a report about a UAS drive enclosure reporting back Sense: Logical +unit access not authorized if the drive it holds is password protected. +While the drive is obviously unusable in that state as a mass storage +device, it still exists as a sd device and when the system is asked to +perform a suspend of the drive, it will be sent a SYNCHRONIZE CACHE. If +that fails due to password protection, the error must be ignored. + +Cc: +Link: https://lore.kernel.org/r/20190903101840.16483-1-oneukum@suse.com +Signed-off-by: Oliver Neukum +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1646,7 +1646,8 @@ static int sd_sync_cache(struct scsi_dis + /* we need to evaluate the error return */ + if (scsi_sense_valid(sshdr) && + (sshdr->asc == 0x3a || /* medium not present */ +- sshdr->asc == 0x20)) /* invalid command */ ++ sshdr->asc == 0x20 || /* invalid command */ ++ (sshdr->asc == 0x74 && sshdr->ascq == 0x71))) /* drive is password locked */ + /* this is no error here */ + return 0; + diff --git a/queue-4.19/scsi-zfcp-fix-reaction-on-bit-error-threshold-notification.patch b/queue-4.19/scsi-zfcp-fix-reaction-on-bit-error-threshold-notification.patch new file mode 100644 index 00000000000..053d3d8178c --- /dev/null +++ b/queue-4.19/scsi-zfcp-fix-reaction-on-bit-error-threshold-notification.patch @@ -0,0 +1,82 @@ +From 2190168aaea42c31bff7b9a967e7b045f07df095 Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Tue, 1 Oct 2019 12:49:49 +0200 +Subject: scsi: zfcp: fix reaction on bit error threshold notification + +From: Steffen Maier + +commit 2190168aaea42c31bff7b9a967e7b045f07df095 upstream. + +On excessive bit errors for the FCP channel ingress fibre path, the channel +notifies us. Previously, we only emitted a kernel message and a trace +record. Since performance can become suboptimal with I/O timeouts due to +bit errors, we now stop using an FCP device by default on channel +notification so multipath on top can timely failover to other paths. A new +module parameter zfcp.ber_stop can be used to get zfcp old behavior. + +User explanation of new kernel message: + + * Description: + * The FCP channel reported that its bit error threshold has been exceeded. + * These errors might result from a problem with the physical components + * of the local fibre link into the FCP channel. + * The problem might be damage or malfunction of the cable or + * cable connection between the FCP channel and + * the adjacent fabric switch port or the point-to-point peer. + * Find details about the errors in the HBA trace for the FCP device. + * The zfcp device driver closed down the FCP device + * to limit the performance impact from possible I/O command timeouts. + * User action: + * Check for problems on the local fibre link, ensure that fibre optics are + * clean and functional, and all cables are properly plugged. + * After the repair action, you can manually recover the FCP device by + * writing "0" into its "failed" sysfs attribute. + * If recovery through sysfs is not possible, set the CHPID of the device + * offline and back online on the service element. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: #2.6.30+ +Link: https://lore.kernel.org/r/20191001104949.42810-1-maier@linux.ibm.com +Reviewed-by: Jens Remus +Reviewed-by: Benjamin Block +Signed-off-by: Steffen Maier +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/scsi/zfcp_fsf.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/s390/scsi/zfcp_fsf.c ++++ b/drivers/s390/scsi/zfcp_fsf.c +@@ -21,6 +21,11 @@ + + struct kmem_cache *zfcp_fsf_qtcb_cache; + ++static bool ber_stop = true; ++module_param(ber_stop, bool, 0600); ++MODULE_PARM_DESC(ber_stop, ++ "Shuts down FCP devices for FCP channels that report a bit-error count in excess of its threshold (default on)"); ++ + static void zfcp_fsf_request_timeout_handler(struct timer_list *t) + { + struct zfcp_fsf_req *fsf_req = from_timer(fsf_req, t, timer); +@@ -230,10 +235,15 @@ static void zfcp_fsf_status_read_handler + case FSF_STATUS_READ_SENSE_DATA_AVAIL: + break; + case FSF_STATUS_READ_BIT_ERROR_THRESHOLD: +- dev_warn(&adapter->ccw_device->dev, +- "The error threshold for checksum statistics " +- "has been exceeded\n"); + zfcp_dbf_hba_bit_err("fssrh_3", req); ++ if (ber_stop) { ++ dev_warn(&adapter->ccw_device->dev, ++ "All paths over this FCP device are disused because of excessive bit errors\n"); ++ zfcp_erp_adapter_shutdown(adapter, 0, "fssrh_b"); ++ } else { ++ dev_warn(&adapter->ccw_device->dev, ++ "The error threshold for checksum statistics has been exceeded\n"); ++ } + break; + case FSF_STATUS_READ_LINK_DOWN: + zfcp_fsf_status_read_link_down(req); diff --git a/queue-4.19/series b/queue-4.19/series index 656d632cf3b..cc079269ce9 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -43,3 +43,21 @@ usb-serial-ti_usb_3410_5052-fix-port-close-races.patch usb-ldusb-fix-memleak-on-disconnect.patch usb-usblp-fix-use-after-free-on-disconnect.patch usb-ldusb-fix-read-info-leaks.patch +mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch +staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch +scsi-zfcp-fix-reaction-on-bit-error-threshold-notification.patch +scsi-sd-ignore-a-failure-to-sync-cache-due-to-lack-of-authorization.patch +scsi-core-save-restore-command-resid-for-error-handling.patch +scsi-core-try-to-get-module-before-removing-device.patch +scsi-ch-make-it-possible-to-open-a-ch-device-multiple-times-again.patch +input-da9063-fix-capability-and-drop-key_sleep.patch +input-synaptics-rmi4-avoid-processing-unknown-irqs.patch +asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch +acpi-cppc-set-pcc_data-to-null-in-acpi_cppc_processor_exit.patch +cfg80211-wext-avoid-copying-malformed-ssids.patch +mac80211-reject-malformed-ssid-elements.patch +drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch +drm-ttm-restore-ttm-prefaulting.patch +drm-amdgpu-bail-earlier-when-amdgpu.cik_-si_support-is-not-set-to-1.patch +drivers-base-memory.c-don-t-access-uninitialized-memmaps-in-soft_offline_page_store.patch +fs-proc-page.c-don-t-access-uninitialized-memmaps-in-fs-proc-page.c.patch diff --git a/queue-4.19/staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch b/queue-4.19/staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch new file mode 100644 index 00000000000..cb5eba902c4 --- /dev/null +++ b/queue-4.19/staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch @@ -0,0 +1,40 @@ +From 153c5d8191c26165dbbd2646448ca7207f7796d0 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 14 Oct 2019 12:02:01 +0100 +Subject: staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS + +From: Colin Ian King + +commit 153c5d8191c26165dbbd2646448ca7207f7796d0 upstream. + +Currently the exit return path when sme->key_idx >= NUM_WEPKEYS is via +label 'exit' and this checks if result is non-zero, however result has +not been initialized and contains garbage. Fix this by replacing the +goto with a return with the error code. + +Addresses-Coverity: ("Uninitialized scalar variable") +Fixes: 0ca6d8e74489 ("Staging: wlan-ng: replace switch-case statements with macro") +Signed-off-by: Colin Ian King +Cc: stable +Link: https://lore.kernel.org/r/20191014110201.9874-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wlan-ng/cfg80211.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/staging/wlan-ng/cfg80211.c ++++ b/drivers/staging/wlan-ng/cfg80211.c +@@ -476,10 +476,8 @@ static int prism2_connect(struct wiphy * + /* Set the encryption - we only support wep */ + if (is_wep) { + if (sme->key) { +- if (sme->key_idx >= NUM_WEPKEYS) { +- err = -EINVAL; +- goto exit; +- } ++ if (sme->key_idx >= NUM_WEPKEYS) ++ return -EINVAL; + + result = prism2_domibset_uint32(wlandev, + DIDmib_dot11smt_dot11PrivacyTable_dot11WEPDefaultKeyID,