From: Greg Kroah-Hartman Date: Thu, 27 Feb 2020 10:15:24 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.215~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8bf045b4e859b9b6697855f0d9c364af1a70e5bf;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: arm64-lse-fix-lse-atomics-with-llvm.patch asoc-atmel-fix-atmel_ssc_set_audio-link-failure.patch asoc-fsl_sai-fix-exiting-path-on-probing-failure.patch bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch crypto-rename-sm3-256-to-sm3-in-hash_algo_name.patch drm-bridge-tc358767-fix-poll-timeouts.patch drm-i915-execlists-always-force-a-context-reload-when-rewinding-ring_tail.patch drm-i915-gt-detect-if-we-miss-waidleliterestore.patch drm-i915-gt-protect-defer_request-from-new-waiters.patch drm-i915-gvt-more-locking-for-ppgtt-mm-lru-list.patch drm-msm-dpu-fix-bgr565-vs-rgb565-confusion.patch ecryptfs-replace-bug_on-with-error-handling-code.patch genirq-proc-reject-invalid-affinity-masks-again.patch io_uring-fix-__io_iopoll_check-deadlock-in-io_sq_thread.patch iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch revert-dmaengine-imx-sdma-fix-memory-leak.patch scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch staging-rtl8723bs-fix-copy-of-overlapping-memory.patch usb-dwc2-fix-in-isoc-request-length-checking.patch usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch --- diff --git a/queue-5.4/arm64-lse-fix-lse-atomics-with-llvm.patch b/queue-5.4/arm64-lse-fix-lse-atomics-with-llvm.patch new file mode 100644 index 00000000000..65093b0a12c --- /dev/null +++ b/queue-5.4/arm64-lse-fix-lse-atomics-with-llvm.patch @@ -0,0 +1,60 @@ +From dd1f6308b28edf0452dd5dc7877992903ec61e69 Mon Sep 17 00:00:00 2001 +From: Vincenzo Frascino +Date: Tue, 18 Feb 2020 16:49:06 +0000 +Subject: arm64: lse: Fix LSE atomics with LLVM + +From: Vincenzo Frascino + +commit dd1f6308b28edf0452dd5dc7877992903ec61e69 upstream. + +Commit e0d5896bd356 ("arm64: lse: fix LSE atomics with LLVM's integrated +assembler") broke the build when clang is used in connjunction with the +binutils assembler ("-no-integrated-as"). This happens because +__LSE_PREAMBLE is defined as ".arch armv8-a+lse", which overrides the +version of the CPU architecture passed via the "-march" paramter to gas: + +$ aarch64-none-linux-gnu-as -EL -I ./arch/arm64/include + -I ./arch/arm64/include/generated + -I ./include -I ./include + -I ./arch/arm64/include/uapi + -I ./arch/arm64/include/generated/uapi + -I ./include/uapi -I ./include/generated/uapi + -I ./init -I ./init + -march=armv8.3-a -o init/do_mounts.o + /tmp/do_mounts-d7992a.s +/tmp/do_mounts-d7992a.s: Assembler messages: +/tmp/do_mounts-d7992a.s:1959: Error: selected processor does not support `autiasp' +/tmp/do_mounts-d7992a.s:2021: Error: selected processor does not support `paciasp' +/tmp/do_mounts-d7992a.s:2157: Error: selected processor does not support `autiasp' +/tmp/do_mounts-d7992a.s:2175: Error: selected processor does not support `paciasp' +/tmp/do_mounts-d7992a.s:2494: Error: selected processor does not support `autiasp' + +Fix the issue by replacing ".arch armv8-a+lse" with ".arch_extension lse". +Sami confirms that the clang integrated assembler does now support the +'.arch_extension' directive, so this change will be fine even for LTO +builds in future. + +Fixes: e0d5896bd356cd ("arm64: lse: fix LSE atomics with LLVM's integrated assembler") +Cc: Catalin Marinas +Cc: Will Deacon +Reported-by: Amit Kachhap +Tested-by: Sami Tolvanen +Signed-off-by: Vincenzo Frascino +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/lse.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/lse.h ++++ b/arch/arm64/include/asm/lse.h +@@ -6,7 +6,7 @@ + + #if defined(CONFIG_AS_LSE) && defined(CONFIG_ARM64_LSE_ATOMICS) + +-#define __LSE_PREAMBLE ".arch armv8-a+lse\n" ++#define __LSE_PREAMBLE ".arch_extension lse\n" + + #include + #include diff --git a/queue-5.4/asoc-atmel-fix-atmel_ssc_set_audio-link-failure.patch b/queue-5.4/asoc-atmel-fix-atmel_ssc_set_audio-link-failure.patch new file mode 100644 index 00000000000..8b589730a9a --- /dev/null +++ b/queue-5.4/asoc-atmel-fix-atmel_ssc_set_audio-link-failure.patch @@ -0,0 +1,71 @@ +From 9437bfda00f3b26eb5f475737ddaaf4dc07fee4f Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 30 Jan 2020 15:05:45 +0200 +Subject: ASoC: atmel: fix atmel_ssc_set_audio link failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +commit 9437bfda00f3b26eb5f475737ddaaf4dc07fee4f upstream. + +The ssc audio driver can call into both pdc and dma backends. With the +latest rework, the logic to do this in a safe way avoiding link errors +was removed, bringing back link errors that were fixed long ago in commit +061981ff8cc8 ("ASoC: atmel: properly select dma driver state") such as + +sound/soc/atmel/atmel_ssc_dai.o: In function `atmel_ssc_set_audio': +atmel_ssc_dai.c:(.text+0xac): undefined reference to `atmel_pcm_pdc_platform_register' + +Fix it this time using Makefile hacks and a comment to prevent this +from accidentally getting removed again rather than Kconfig hacks. + +Fixes: 18291410557f ("ASoC: atmel: enable SOC_SSC_PDC and SOC_SSC_DMA in Kconfig") +Signed-off-by: Arnd Bergmann +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20200130130545.31148-1-codrin.ciubotariu@microchip.com +Reviewed-by: Michał Mirosław +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/atmel/Kconfig | 4 ++-- + sound/soc/atmel/Makefile | 10 ++++++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/sound/soc/atmel/Kconfig ++++ b/sound/soc/atmel/Kconfig +@@ -10,11 +10,11 @@ config SND_ATMEL_SOC + if SND_ATMEL_SOC + + config SND_ATMEL_SOC_PDC +- tristate ++ bool + depends on HAS_DMA + + config SND_ATMEL_SOC_DMA +- tristate ++ bool + select SND_SOC_GENERIC_DMAENGINE_PCM + + config SND_ATMEL_SOC_SSC +--- a/sound/soc/atmel/Makefile ++++ b/sound/soc/atmel/Makefile +@@ -6,8 +6,14 @@ snd-soc-atmel_ssc_dai-objs := atmel_ssc_ + snd-soc-atmel-i2s-objs := atmel-i2s.o + snd-soc-mchp-i2s-mcc-objs := mchp-i2s-mcc.o + +-obj-$(CONFIG_SND_ATMEL_SOC_PDC) += snd-soc-atmel-pcm-pdc.o +-obj-$(CONFIG_SND_ATMEL_SOC_DMA) += snd-soc-atmel-pcm-dma.o ++# pdc and dma need to both be built-in if any user of ++# ssc is built-in. ++ifdef CONFIG_SND_ATMEL_SOC_PDC ++obj-$(CONFIG_SND_ATMEL_SOC_SSC) += snd-soc-atmel-pcm-pdc.o ++endif ++ifdef CONFIG_SND_ATMEL_SOC_DMA ++obj-$(CONFIG_SND_ATMEL_SOC_SSC) += snd-soc-atmel-pcm-dma.o ++endif + obj-$(CONFIG_SND_ATMEL_SOC_SSC) += snd-soc-atmel_ssc_dai.o + obj-$(CONFIG_SND_ATMEL_SOC_I2S) += snd-soc-atmel-i2s.o + obj-$(CONFIG_SND_MCHP_SOC_I2S_MCC) += snd-soc-mchp-i2s-mcc.o diff --git a/queue-5.4/asoc-fsl_sai-fix-exiting-path-on-probing-failure.patch b/queue-5.4/asoc-fsl_sai-fix-exiting-path-on-probing-failure.patch new file mode 100644 index 00000000000..be54343cf11 --- /dev/null +++ b/queue-5.4/asoc-fsl_sai-fix-exiting-path-on-probing-failure.patch @@ -0,0 +1,65 @@ +From d1520889782dff58610c0b6b54d4cf3211ceb690 Mon Sep 17 00:00:00 2001 +From: Oleksandr Suvorov +Date: Wed, 5 Feb 2020 18:04:36 +0200 +Subject: ASoC: fsl_sai: Fix exiting path on probing failure + +From: Oleksandr Suvorov + +commit d1520889782dff58610c0b6b54d4cf3211ceb690 upstream. + +If the imx-sdma driver is built as a module, the fsl-sai device doesn't +disable on probing failure, which causes the warning in the next probing: + +================================================================== +fsl-sai 308a0000.sai: Unbalanced pm_runtime_enable! +fsl-sai 308a0000.sai: Unbalanced pm_runtime_enable! +fsl-sai 308a0000.sai: Unbalanced pm_runtime_enable! +fsl-sai 308a0000.sai: Unbalanced pm_runtime_enable! +fsl-sai 308a0000.sai: Unbalanced pm_runtime_enable! +fsl-sai 308a0000.sai: Unbalanced pm_runtime_enable! +================================================================== + +Disabling the device properly fixes the issue. + +Fixes: 812ad463e089 ("ASoC: fsl_sai: Add support for runtime pm") +Signed-off-by: Oleksandr Suvorov +Link: https://lore.kernel.org/r/20200205160436.3813642-1-oleksandr.suvorov@toradex.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/fsl/fsl_sai.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -1019,12 +1019,24 @@ static int fsl_sai_probe(struct platform + ret = devm_snd_soc_register_component(&pdev->dev, &fsl_component, + &fsl_sai_dai, 1); + if (ret) +- return ret; ++ goto err_pm_disable; + +- if (sai->soc_data->use_imx_pcm) +- return imx_pcm_dma_init(pdev, IMX_SAI_DMABUF_SIZE); +- else +- return devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0); ++ if (sai->soc_data->use_imx_pcm) { ++ ret = imx_pcm_dma_init(pdev, IMX_SAI_DMABUF_SIZE); ++ if (ret) ++ goto err_pm_disable; ++ } else { ++ ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0); ++ if (ret) ++ goto err_pm_disable; ++ } ++ ++ return ret; ++ ++err_pm_disable: ++ pm_runtime_disable(&pdev->dev); ++ ++ return ret; + } + + static int fsl_sai_remove(struct platform_device *pdev) diff --git a/queue-5.4/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch b/queue-5.4/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch new file mode 100644 index 00000000000..a167cfc4ce7 --- /dev/null +++ b/queue-5.4/bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch @@ -0,0 +1,37 @@ +From e20d3a055a457a10a4c748ce5b7c2ed3173a1324 Mon Sep 17 00:00:00 2001 +From: Johannes Krude +Date: Wed, 12 Feb 2020 20:32:27 +0100 +Subject: bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill + +From: Johannes Krude + +commit e20d3a055a457a10a4c748ce5b7c2ed3173a1324 upstream. + +This if guards whether user-space wants a copy of the offload-jited +bytecode and whether this bytecode exists. By erroneously doing a bitwise +AND instead of a logical AND on user- and kernel-space buffer-size can lead +to no data being copied to user-space especially when user-space size is a +power of two and bigger then the kernel-space buffer. + +Fixes: fcfb126defda ("bpf: add new jited info fields in bpf_dev_offload and bpf_prog_info") +Signed-off-by: Johannes Krude +Signed-off-by: Daniel Borkmann +Acked-by: Jakub Kicinski +Link: https://lore.kernel.org/bpf/20200212193227.GA3769@phlox.h.transitiv.net +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/offload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/offload.c ++++ b/kernel/bpf/offload.c +@@ -321,7 +321,7 @@ int bpf_prog_offload_info_fill(struct bp + + ulen = info->jited_prog_len; + info->jited_prog_len = aux->offload->jited_len; +- if (info->jited_prog_len & ulen) { ++ if (info->jited_prog_len && ulen) { + uinsns = u64_to_user_ptr(info->jited_prog_insns); + ulen = min_t(u32, info->jited_prog_len, ulen); + if (copy_to_user(uinsns, aux->offload->jited_image, ulen)) { diff --git a/queue-5.4/crypto-rename-sm3-256-to-sm3-in-hash_algo_name.patch b/queue-5.4/crypto-rename-sm3-256-to-sm3-in-hash_algo_name.patch new file mode 100644 index 00000000000..0cf9327551b --- /dev/null +++ b/queue-5.4/crypto-rename-sm3-256-to-sm3-in-hash_algo_name.patch @@ -0,0 +1,37 @@ +From 6a30e1b1dcad0ba94fae757f797812d7d8dcb72c Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Mon, 10 Feb 2020 20:44:39 +0800 +Subject: crypto: rename sm3-256 to sm3 in hash_algo_name + +From: Tianjia Zhang + +commit 6a30e1b1dcad0ba94fae757f797812d7d8dcb72c upstream. + +The name sm3-256 is defined in hash_algo_name in hash_info, but the +algorithm name implemented in sm3_generic.c is sm3, which will cause +the sm3-256 algorithm to be not found in some application scenarios of +the hash algorithm, and an ENOENT error will occur. For example, +IMA, keys, and other subsystems that reference hash_algo_name all use +the hash algorithm of sm3. + +Fixes: 5ca4c20cfd37 ("keys, trusted: select hash algorithm for TPM2 chips") +Signed-off-by: Tianjia Zhang +Reviewed-by: Pascal van Leeuwen +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/hash_info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/hash_info.c ++++ b/crypto/hash_info.c +@@ -26,7 +26,7 @@ const char *const hash_algo_name[HASH_AL + [HASH_ALGO_TGR_128] = "tgr128", + [HASH_ALGO_TGR_160] = "tgr160", + [HASH_ALGO_TGR_192] = "tgr192", +- [HASH_ALGO_SM3_256] = "sm3-256", ++ [HASH_ALGO_SM3_256] = "sm3", + [HASH_ALGO_STREEBOG_256] = "streebog256", + [HASH_ALGO_STREEBOG_512] = "streebog512", + }; diff --git a/queue-5.4/drm-bridge-tc358767-fix-poll-timeouts.patch b/queue-5.4/drm-bridge-tc358767-fix-poll-timeouts.patch new file mode 100644 index 00000000000..a32b99da8c2 --- /dev/null +++ b/queue-5.4/drm-bridge-tc358767-fix-poll-timeouts.patch @@ -0,0 +1,86 @@ +From 8a6483ac634acda3f599f50082c652d2d37199c7 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Mon, 9 Dec 2019 10:27:07 +0200 +Subject: drm/bridge: tc358767: fix poll timeouts + +From: Tomi Valkeinen + +commit 8a6483ac634acda3f599f50082c652d2d37199c7 upstream. + +Link training fails with: + + Link training timeout waiting for LT_LOOPDONE! + main link enable error: -110 + +This is caused by too tight timeouts, which were changed recently in +aa92213f388b ("drm/bridge: tc358767: Simplify polling in tc_link_training()"). + +With a quick glance, the commit does not change the timeouts. However, +the method of delaying/sleeping is different, and as the timeout in the +previous implementation was not explicit, the new version in practice +has much tighter timeout. + +The same change was made to other parts in the driver, but the link +training timeout is the only one I have seen causing issues. +Nevertheless, 1 us sleep is not very sane, and the timeouts look pretty +tight, so lets fix all the timeouts. + +One exception was the aux busy poll, where the poll sleep was much +longer than necessary (or optimal). + +I measured the times on my setup, and now the sleep times are set to +such values that they result in multiple loops, but not too many (say, +5-10 loops). The timeouts were all increased to 100ms, which should be +more than enough for all of these, but in case of bad errors, shouldn't +stop the driver as multi-second timeouts could do. + +Signed-off-by: Tomi Valkeinen +Fixes: aa92213f388b ("drm/bridge: tc358767: Simplify polling in tc_link_training()") +Tested-by: Andrey Smirnov +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20191209082707.24531-1-tomi.valkeinen@ti.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/bridge/tc358767.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/bridge/tc358767.c ++++ b/drivers/gpu/drm/bridge/tc358767.c +@@ -294,7 +294,7 @@ static inline int tc_poll_timeout(struct + + static int tc_aux_wait_busy(struct tc_data *tc) + { +- return tc_poll_timeout(tc, DP0_AUXSTATUS, AUX_BUSY, 0, 1000, 100000); ++ return tc_poll_timeout(tc, DP0_AUXSTATUS, AUX_BUSY, 0, 100, 100000); + } + + static int tc_aux_write_data(struct tc_data *tc, const void *data, +@@ -637,7 +637,7 @@ static int tc_aux_link_setup(struct tc_d + if (ret) + goto err; + +- ret = tc_poll_timeout(tc, DP_PHY_CTRL, PHY_RDY, PHY_RDY, 1, 1000); ++ ret = tc_poll_timeout(tc, DP_PHY_CTRL, PHY_RDY, PHY_RDY, 100, 100000); + if (ret == -ETIMEDOUT) { + dev_err(tc->dev, "Timeout waiting for PHY to become ready"); + return ret; +@@ -861,7 +861,7 @@ static int tc_wait_link_training(struct + int ret; + + ret = tc_poll_timeout(tc, DP0_LTSTAT, LT_LOOPDONE, +- LT_LOOPDONE, 1, 1000); ++ LT_LOOPDONE, 500, 100000); + if (ret) { + dev_err(tc->dev, "Link training timeout waiting for LT_LOOPDONE!\n"); + return ret; +@@ -934,7 +934,7 @@ static int tc_main_link_enable(struct tc + dp_phy_ctrl &= ~(DP_PHY_RST | PHY_M1_RST | PHY_M0_RST); + ret = regmap_write(tc->regmap, DP_PHY_CTRL, dp_phy_ctrl); + +- ret = tc_poll_timeout(tc, DP_PHY_CTRL, PHY_RDY, PHY_RDY, 1, 1000); ++ ret = tc_poll_timeout(tc, DP_PHY_CTRL, PHY_RDY, PHY_RDY, 500, 100000); + if (ret) { + dev_err(dev, "timeout waiting for phy become ready"); + return ret; diff --git a/queue-5.4/drm-i915-execlists-always-force-a-context-reload-when-rewinding-ring_tail.patch b/queue-5.4/drm-i915-execlists-always-force-a-context-reload-when-rewinding-ring_tail.patch new file mode 100644 index 00000000000..343c6d487a3 --- /dev/null +++ b/queue-5.4/drm-i915-execlists-always-force-a-context-reload-when-rewinding-ring_tail.patch @@ -0,0 +1,142 @@ +From b1339ecac661e1cf3e1dc78ac56bff3aeeaeb92c Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 7 Feb 2020 21:14:52 +0000 +Subject: drm/i915/execlists: Always force a context reload when rewinding RING_TAIL + +From: Chris Wilson + +commit b1339ecac661e1cf3e1dc78ac56bff3aeeaeb92c upstream. + +If we rewind the RING_TAIL on a context, due to a preemption event, we +must force the context restore for the RING_TAIL update to be properly +handled. Rather than note which preemption events may cause us to rewind +the tail, compare the new request's tail with the previously submitted +RING_TAIL, as it turns out that timeslicing was causing unexpected +rewinds. + + -0 0d.s2 1280851190us : __execlists_submission_tasklet: 0000:00:02.0 rcs0: expired last=130:4698, prio=3, hint=3 + -0 0d.s2 1280851192us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 66:119966, current 119964 + -0 0d.s2 1280851195us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 130:4698, current 4695 + -0 0d.s2 1280851198us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 130:4696, current 4695 +^---- Note we unwind 2 requests from the same context + + -0 0d.s2 1280851208us : __i915_request_submit: 0000:00:02.0 rcs0: fence 130:4696, current 4695 + -0 0d.s2 1280851213us : __i915_request_submit: 0000:00:02.0 rcs0: fence 134:1508, current 1506 +^---- But to apply the new timeslice, we have to replay the first request + before the new client can start -- the unexpected RING_TAIL rewind + + -0 0d.s2 1280851219us : trace_ports: 0000:00:02.0 rcs0: submit { 130:4696*, 134:1508 } + synmark2-5425 2..s. 1280851239us : process_csb: 0000:00:02.0 rcs0: cs-irq head=5, tail=0 + synmark2-5425 2..s. 1280851240us : process_csb: 0000:00:02.0 rcs0: csb[0]: status=0x00008002:0x00000000 +^---- Preemption event for the ELSP update; note the lite-restore + + synmark2-5425 2..s. 1280851243us : trace_ports: 0000:00:02.0 rcs0: preempted { 130:4698, 66:119966 } + synmark2-5425 2..s. 1280851246us : trace_ports: 0000:00:02.0 rcs0: promote { 130:4696*, 134:1508 } + synmark2-5425 2.... 1280851462us : __i915_request_commit: 0000:00:02.0 rcs0: fence 130:4700, current 4695 + synmark2-5425 2.... 1280852111us : __i915_request_commit: 0000:00:02.0 rcs0: fence 130:4702, current 4695 + synmark2-5425 2.Ns1 1280852296us : process_csb: 0000:00:02.0 rcs0: cs-irq head=0, tail=2 + synmark2-5425 2.Ns1 1280852297us : process_csb: 0000:00:02.0 rcs0: csb[1]: status=0x00000814:0x00000000 + synmark2-5425 2.Ns1 1280852299us : trace_ports: 0000:00:02.0 rcs0: completed { 130:4696!, 134:1508 } + synmark2-5425 2.Ns1 1280852301us : process_csb: 0000:00:02.0 rcs0: csb[2]: status=0x00000818:0x00000040 + synmark2-5425 2.Ns1 1280852302us : trace_ports: 0000:00:02.0 rcs0: completed { 134:1508, 0:0 } + synmark2-5425 2.Ns1 1280852313us : process_csb: process_csb:2336 GEM_BUG_ON(!i915_request_completed(*execlists->active) && !reset_in_progress(execlists)) + +Fixes: 8ee36e048c98 ("drm/i915/execlists: Minimalistic timeslicing") +Referenecs: 82c69bf58650 ("drm/i915/gt: Detect if we miss WaIdleLiteRestore") +Signed-off-by: Chris Wilson +Cc: Mika Kuoppala +Reviewed-by: Mika Kuoppala +Cc: # v5.4+ +Link: https://patchwork.freedesktop.org/patch/msgid/20200207211452.2860634-1-chris@chris-wilson.co.uk +(cherry picked from commit 5ba32c7be81e53ea8a27190b0f6be98e6c6779af) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gt/intel_engine.h | 8 ++++++++ + drivers/gpu/drm/i915/gt/intel_engine_types.h | 1 + + drivers/gpu/drm/i915/gt/intel_lrc.c | 18 ++++++++---------- + drivers/gpu/drm/i915/gt/intel_ringbuffer.c | 2 ++ + 4 files changed, 19 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/intel_engine.h ++++ b/drivers/gpu/drm/i915/gt/intel_engine.h +@@ -250,6 +250,14 @@ static inline u32 intel_ring_wrap(const + return pos & (ring->size - 1); + } + ++static inline int intel_ring_direction(const struct intel_ring *ring, ++ u32 next, u32 prev) ++{ ++ typecheck(typeof(ring->size), next); ++ typecheck(typeof(ring->size), prev); ++ return (next - prev) << ring->wrap; ++} ++ + static inline bool + intel_ring_offset_valid(const struct intel_ring *ring, + unsigned int pos) +--- a/drivers/gpu/drm/i915/gt/intel_engine_types.h ++++ b/drivers/gpu/drm/i915/gt/intel_engine_types.h +@@ -107,6 +107,7 @@ struct intel_ring { + + u32 space; + u32 size; ++ u32 wrap; + u32 effective_size; + }; + +--- a/drivers/gpu/drm/i915/gt/intel_lrc.c ++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c +@@ -647,7 +647,7 @@ static u64 execlists_update_context(stru + { + struct intel_context *ce = rq->hw_context; + u64 desc = ce->lrc_desc; +- u32 tail; ++ u32 tail, prev; + + /* + * WaIdleLiteRestore:bdw,skl +@@ -660,9 +660,15 @@ static u64 execlists_update_context(stru + * subsequent resubmissions (for lite restore). Should that fail us, + * and we try and submit the same tail again, force the context + * reload. ++ * ++ * If we need to return to a preempted context, we need to skip the ++ * lite-restore and force it to reload the RING_TAIL. Otherwise, the ++ * HW has a tendency to ignore us rewinding the TAIL to the end of ++ * an earlier request. + */ + tail = intel_ring_set_tail(rq->ring, rq->tail); +- if (unlikely(ce->lrc_reg_state[CTX_RING_TAIL + 1] == tail)) ++ prev = ce->lrc_reg_state[CTX_RING_TAIL + 1]; ++ if (unlikely(intel_ring_direction(rq->ring, tail, prev) <= 0)) + desc |= CTX_DESC_FORCE_RESTORE; + ce->lrc_reg_state[CTX_RING_TAIL + 1] = tail; + rq->tail = rq->wa_tail; +@@ -1110,14 +1116,6 @@ static void execlists_dequeue(struct int + */ + __unwind_incomplete_requests(engine); + +- /* +- * If we need to return to the preempted context, we +- * need to skip the lite-restore and force it to +- * reload the RING_TAIL. Otherwise, the HW has a +- * tendency to ignore us rewinding the TAIL to the +- * end of an earlier request. +- */ +- last->hw_context->lrc_desc |= CTX_DESC_FORCE_RESTORE; + last = NULL; + } else if (need_timeslice(engine, last) && + !timer_pending(&engine->execlists.timer)) { +--- a/drivers/gpu/drm/i915/gt/intel_ringbuffer.c ++++ b/drivers/gpu/drm/i915/gt/intel_ringbuffer.c +@@ -1312,6 +1312,8 @@ intel_engine_create_ring(struct intel_en + kref_init(&ring->ref); + + ring->size = size; ++ ring->wrap = BITS_PER_TYPE(ring->size) - ilog2(size); ++ + /* Workaround an erratum on the i830 which causes a hang if + * the TAIL pointer points to within the last 2 cachelines + * of the buffer. diff --git a/queue-5.4/drm-i915-gt-detect-if-we-miss-waidleliterestore.patch b/queue-5.4/drm-i915-gt-detect-if-we-miss-waidleliterestore.patch new file mode 100644 index 00000000000..29281ccb146 --- /dev/null +++ b/queue-5.4/drm-i915-gt-detect-if-we-miss-waidleliterestore.patch @@ -0,0 +1,130 @@ +From 82c69bf58650e644c61aa2bf5100b63a1070fd2f Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Mon, 9 Dec 2019 02:32:15 +0000 +Subject: drm/i915/gt: Detect if we miss WaIdleLiteRestore + +From: Chris Wilson + +commit 82c69bf58650e644c61aa2bf5100b63a1070fd2f upstream. + +In order to avoid confusing the HW, we must never submit an empty ring +during lite-restore, that is we should always advance the RING_TAIL +before submitting to stay ahead of the RING_HEAD. + +Normally this is prevented by keeping a couple of spare NOPs in the +request->wa_tail so that on resubmission we can advance the tail. This +relies on the request only being resubmitted once, which is the normal +condition as it is seen once for ELSP[1] and then later in ELSP[0]. On +preemption, the requests are unwound and the tail reset back to the +normal end point (as we know the request is incomplete and therefore its +RING_HEAD is even earlier). + +However, if this w/a should fail we would try and resubmit the request +with the RING_TAIL already set to the location of this request's wa_tail +potentially causing a GPU hang. We can spot when we do try and +incorrectly resubmit without advancing the RING_TAIL and spare any +embarrassment by forcing the context restore. + +In the case of preempt-to-busy, we leave the requests running on the HW +while we unwind. As the ring is still live, we cannot rewind our +rq->tail without forcing a reload so leave it set to rq->wa_tail and +only force a reload if we resubmit after a lite-restore. (Normally, the +forced reload will be a part of the preemption event.) + +Fixes: 22b7a426bbe1 ("drm/i915/execlists: Preempt-to-busy") +Closes: https://gitlab.freedesktop.org/drm/intel/issues/673 +Signed-off-by: Chris Wilson +Cc: Mika Kuoppala +Cc: Tvrtko Ursulin +Reviewed-by: Tvrtko Ursulin +Cc: stable@kernel.vger.org +Link: https://patchwork.freedesktop.org/patch/msgid/20191209023215.3519970-1-chris@chris-wilson.co.uk +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/gpu/drm/i915/gt/intel_lrc.c | 42 +++++++++++++++++------------------- + 1 file changed, 20 insertions(+), 22 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/intel_lrc.c ++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c +@@ -471,12 +471,6 @@ lrc_descriptor(struct intel_context *ce, + return desc; + } + +-static void unwind_wa_tail(struct i915_request *rq) +-{ +- rq->tail = intel_ring_wrap(rq->ring, rq->wa_tail - WA_TAIL_BYTES); +- assert_ring_tail_valid(rq->ring, rq->tail); +-} +- + static struct i915_request * + __unwind_incomplete_requests(struct intel_engine_cs *engine) + { +@@ -495,7 +489,6 @@ __unwind_incomplete_requests(struct inte + continue; /* XXX */ + + __i915_request_unsubmit(rq); +- unwind_wa_tail(rq); + + /* + * Push the request back into the queue for later resubmission. +@@ -650,13 +643,29 @@ execlists_schedule_out(struct i915_reque + i915_request_put(rq); + } + +-static u64 execlists_update_context(const struct i915_request *rq) ++static u64 execlists_update_context(struct i915_request *rq) + { + struct intel_context *ce = rq->hw_context; +- u64 desc; ++ u64 desc = ce->lrc_desc; ++ u32 tail; + +- ce->lrc_reg_state[CTX_RING_TAIL + 1] = +- intel_ring_set_tail(rq->ring, rq->tail); ++ /* ++ * WaIdleLiteRestore:bdw,skl ++ * ++ * We should never submit the context with the same RING_TAIL twice ++ * just in case we submit an empty ring, which confuses the HW. ++ * ++ * We append a couple of NOOPs (gen8_emit_wa_tail) after the end of ++ * the normal request to be able to always advance the RING_TAIL on ++ * subsequent resubmissions (for lite restore). Should that fail us, ++ * and we try and submit the same tail again, force the context ++ * reload. ++ */ ++ tail = intel_ring_set_tail(rq->ring, rq->tail); ++ if (unlikely(ce->lrc_reg_state[CTX_RING_TAIL + 1] == tail)) ++ desc |= CTX_DESC_FORCE_RESTORE; ++ ce->lrc_reg_state[CTX_RING_TAIL + 1] = tail; ++ rq->tail = rq->wa_tail; + + /* + * Make sure the context image is complete before we submit it to HW. +@@ -675,7 +684,6 @@ static u64 execlists_update_context(cons + */ + mb(); + +- desc = ce->lrc_desc; + ce->lrc_desc &= ~CTX_DESC_FORCE_RESTORE; + + return desc; +@@ -1150,16 +1158,6 @@ static void execlists_dequeue(struct int + if (!list_is_last(&last->sched.link, + &engine->active.requests)) + return; +- +- /* +- * WaIdleLiteRestore:bdw,skl +- * Apply the wa NOOPs to prevent +- * ring:HEAD == rq:TAIL as we resubmit the +- * request. See gen8_emit_fini_breadcrumb() for +- * where we prepare the padding after the +- * end of the request. +- */ +- last->tail = last->wa_tail; + } + } + diff --git a/queue-5.4/drm-i915-gt-protect-defer_request-from-new-waiters.patch b/queue-5.4/drm-i915-gt-protect-defer_request-from-new-waiters.patch new file mode 100644 index 00000000000..9357f0401bb --- /dev/null +++ b/queue-5.4/drm-i915-gt-protect-defer_request-from-new-waiters.patch @@ -0,0 +1,95 @@ +From 19b5f3b419a61808ff2713f1f30b8a88fe14ac9b Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 6 Feb 2020 20:49:13 +0000 +Subject: drm/i915/gt: Protect defer_request() from new waiters + +From: Chris Wilson + +commit 19b5f3b419a61808ff2713f1f30b8a88fe14ac9b upstream. + +Mika spotted + +<4>[17436.705441] general protection fault: 0000 [#1] PREEMPT SMP PTI +<4>[17436.705447] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.5.0+ #1 +<4>[17436.705449] Hardware name: System manufacturer System Product Name/Z170M-PLUS, BIOS 3805 05/16/2018 +<4>[17436.705512] RIP: 0010:__execlists_submission_tasklet+0xc4d/0x16e0 [i915] +<4>[17436.705516] Code: c5 4c 8d 60 e0 75 17 e9 8c 07 00 00 49 8b 44 24 20 49 39 c5 4c 8d 60 e0 0f 84 7a 07 00 00 49 8b 5c 24 08 49 8b 87 80 00 00 00 <48> 39 83 d8 fe ff ff 75 d9 48 8b 83 88 fe ff ff a8 01 0f 84 b6 05 +<4>[17436.705518] RSP: 0018:ffffc9000012ce80 EFLAGS: 00010083 +<4>[17436.705521] RAX: ffff88822ae42000 RBX: 5a5a5a5a5a5a5a5a RCX: dead000000000122 +<4>[17436.705523] RDX: ffff88822ae42588 RSI: ffff8881e32a7908 RDI: ffff8881c429fd48 +<4>[17436.705525] RBP: ffffc9000012cf00 R08: ffff88822ae42588 R09: 00000000fffffffe +<4>[17436.705527] R10: ffff8881c429fb80 R11: 00000000a677cf08 R12: ffff8881c42a0aa8 +<4>[17436.705529] R13: ffff8881c429fd38 R14: ffff88822ae42588 R15: ffff8881c429fb80 +<4>[17436.705532] FS: 0000000000000000(0000) GS:ffff88822ed00000(0000) knlGS:0000000000000000 +<4>[17436.705534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +<4>[17436.705536] CR2: 00007f858c76d000 CR3: 0000000005610003 CR4: 00000000003606e0 +<4>[17436.705538] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +<4>[17436.705540] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +<4>[17436.705542] Call Trace: +<4>[17436.705545] +<4>[17436.705603] execlists_submission_tasklet+0xc0/0x130 [i915] + +which is us consuming a partially initialised new waiter in +defer_requests(). We can prevent this by initialising the i915_dependency +prior to making it visible, and since we are using a concurrent +list_add/iterator mark them up to the compiler. + +Fixes: 8ee36e048c98 ("drm/i915/execlists: Minimalistic timeslicing") +Signed-off-by: Chris Wilson +Cc: Mika Kuoppala +Reviewed-by: Mika Kuoppala +Link: https://patchwork.freedesktop.org/patch/msgid/20200206204915.2636606-2-chris@chris-wilson.co.uk +(cherry picked from commit f14f27b1663269a81ed62d3961fe70250a1a0623) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gt/intel_lrc.c | 7 ++++++- + drivers/gpu/drm/i915/i915_scheduler.c | 6 ++++-- + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/intel_lrc.c ++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c +@@ -933,6 +933,11 @@ last_active(const struct intel_engine_ex + return *last; + } + ++#define for_each_waiter(p__, rq__) \ ++ list_for_each_entry_lockless(p__, \ ++ &(rq__)->sched.waiters_list, \ ++ wait_link) ++ + static void defer_request(struct i915_request *rq, struct list_head * const pl) + { + LIST_HEAD(list); +@@ -950,7 +955,7 @@ static void defer_request(struct i915_re + GEM_BUG_ON(i915_request_is_active(rq)); + list_move_tail(&rq->sched.link, pl); + +- list_for_each_entry(p, &rq->sched.waiters_list, wait_link) { ++ for_each_waiter(p, rq) { + struct i915_request *w = + container_of(p->waiter, typeof(*w), sched); + +--- a/drivers/gpu/drm/i915/i915_scheduler.c ++++ b/drivers/gpu/drm/i915/i915_scheduler.c +@@ -418,8 +418,6 @@ bool __i915_sched_node_add_dependency(st + + if (!node_signaled(signal)) { + INIT_LIST_HEAD(&dep->dfs_link); +- list_add(&dep->wait_link, &signal->waiters_list); +- list_add(&dep->signal_link, &node->signalers_list); + dep->signaler = signal; + dep->waiter = node; + dep->flags = flags; +@@ -429,6 +427,10 @@ bool __i915_sched_node_add_dependency(st + !node_started(signal)) + node->flags |= I915_SCHED_HAS_SEMAPHORE_CHAIN; + ++ /* All set, now publish. Beware the lockless walkers. */ ++ list_add(&dep->signal_link, &node->signalers_list); ++ list_add_rcu(&dep->wait_link, &signal->waiters_list); ++ + /* + * As we do not allow WAIT to preempt inflight requests, + * once we have executed a request, along with triggering diff --git a/queue-5.4/drm-i915-gvt-more-locking-for-ppgtt-mm-lru-list.patch b/queue-5.4/drm-i915-gvt-more-locking-for-ppgtt-mm-lru-list.patch new file mode 100644 index 00000000000..305e775ed2b --- /dev/null +++ b/queue-5.4/drm-i915-gvt-more-locking-for-ppgtt-mm-lru-list.patch @@ -0,0 +1,37 @@ +From 0e9d7bb293f3f9c3ee376b126141407efb265f31 Mon Sep 17 00:00:00 2001 +From: Igor Druzhinin +Date: Mon, 3 Feb 2020 15:07:01 +0000 +Subject: drm/i915/gvt: more locking for ppgtt mm LRU list + +From: Igor Druzhinin + +commit 0e9d7bb293f3f9c3ee376b126141407efb265f31 upstream. + +When the lock was introduced in commit 72aabfb862e40 ("drm/i915/gvt: Add mutual +lock for ppgtt mm LRU list") one place got lost. + +Fixes: 72aabfb862e4 ("drm/i915/gvt: Add mutual lock for ppgtt mm LRU list") +Signed-off-by: Igor Druzhinin +Reviewed-by: Zhenyu Wang +Signed-off-by: Zhenyu Wang +Link: http://patchwork.freedesktop.org/patch/msgid/1580742421-25194-1-git-send-email-igor.druzhinin@citrix.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gvt/gtt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/i915/gvt/gtt.c ++++ b/drivers/gpu/drm/i915/gvt/gtt.c +@@ -1956,7 +1956,11 @@ void _intel_vgpu_mm_release(struct kref + + if (mm->type == INTEL_GVT_MM_PPGTT) { + list_del(&mm->ppgtt_mm.list); ++ ++ mutex_lock(&mm->vgpu->gvt->gtt.ppgtt_mm_lock); + list_del(&mm->ppgtt_mm.lru_list); ++ mutex_unlock(&mm->vgpu->gvt->gtt.ppgtt_mm_lock); ++ + invalidate_ppgtt_mm(mm); + } else { + vfree(mm->ggtt_mm.virtual_ggtt); diff --git a/queue-5.4/drm-msm-dpu-fix-bgr565-vs-rgb565-confusion.patch b/queue-5.4/drm-msm-dpu-fix-bgr565-vs-rgb565-confusion.patch new file mode 100644 index 00000000000..1b7178323a0 --- /dev/null +++ b/queue-5.4/drm-msm-dpu-fix-bgr565-vs-rgb565-confusion.patch @@ -0,0 +1,41 @@ +From 8fc7036ee652207ca992fbb9abb64090c355a9e0 Mon Sep 17 00:00:00 2001 +From: Rob Clark +Date: Thu, 13 Feb 2020 12:01:35 -0800 +Subject: drm/msm/dpu: fix BGR565 vs RGB565 confusion + +From: Rob Clark + +commit 8fc7036ee652207ca992fbb9abb64090c355a9e0 upstream. + +The component order between the two was swapped, resulting in incorrect +color when games with 565 visual hit the overlay path instead of GPU +composition. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Rob Clark +Reviewed-by: Sean Paul +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_formats.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_formats.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_formats.c +@@ -255,13 +255,13 @@ static const struct dpu_format dpu_forma + + INTERLEAVED_RGB_FMT(RGB565, + 0, COLOR_5BIT, COLOR_6BIT, COLOR_5BIT, +- C2_R_Cr, C0_G_Y, C1_B_Cb, 0, 3, ++ C1_B_Cb, C0_G_Y, C2_R_Cr, 0, 3, + false, 2, 0, + DPU_FETCH_LINEAR, 1), + + INTERLEAVED_RGB_FMT(BGR565, + 0, COLOR_5BIT, COLOR_6BIT, COLOR_5BIT, +- C1_B_Cb, C0_G_Y, C2_R_Cr, 0, 3, ++ C2_R_Cr, C0_G_Y, C1_B_Cb, 0, 3, + false, 2, 0, + DPU_FETCH_LINEAR, 1), + diff --git a/queue-5.4/ecryptfs-replace-bug_on-with-error-handling-code.patch b/queue-5.4/ecryptfs-replace-bug_on-with-error-handling-code.patch new file mode 100644 index 00000000000..07af7e98b99 --- /dev/null +++ b/queue-5.4/ecryptfs-replace-bug_on-with-error-handling-code.patch @@ -0,0 +1,39 @@ +From 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Fri, 14 Feb 2020 12:21:01 -0600 +Subject: ecryptfs: replace BUG_ON with error handling code + +From: Aditya Pakki + +commit 2c2a7552dd6465e8fde6bc9cccf8d66ed1c1eb72 upstream. + +In crypt_scatterlist, if the crypt_stat argument is not set up +correctly, the kernel crashes. Instead, by returning an error code +upstream, the error is handled safely. + +The issue is detected via a static analysis tool written by us. + +Fixes: 237fead619984 (ecryptfs: fs/Makefile and fs/Kconfig) +Signed-off-by: Aditya Pakki +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -311,8 +311,10 @@ static int crypt_scatterlist(struct ecry + struct extent_crypt_result ecr; + int rc = 0; + +- BUG_ON(!crypt_stat || !crypt_stat->tfm +- || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)); ++ if (!crypt_stat || !crypt_stat->tfm ++ || !(crypt_stat->flags & ECRYPTFS_STRUCT_INITIALIZED)) ++ return -EINVAL; ++ + if (unlikely(ecryptfs_verbosity > 0)) { + ecryptfs_printk(KERN_DEBUG, "Key size [%zd]; key:\n", + crypt_stat->key_size); diff --git a/queue-5.4/genirq-proc-reject-invalid-affinity-masks-again.patch b/queue-5.4/genirq-proc-reject-invalid-affinity-masks-again.patch new file mode 100644 index 00000000000..f5ef13d1c5b --- /dev/null +++ b/queue-5.4/genirq-proc-reject-invalid-affinity-masks-again.patch @@ -0,0 +1,128 @@ +From cba6437a1854fde5934098ec3bd0ee83af3129f5 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 12 Feb 2020 12:19:41 +0100 +Subject: genirq/proc: Reject invalid affinity masks (again) + +From: Thomas Gleixner + +commit cba6437a1854fde5934098ec3bd0ee83af3129f5 upstream. + +Qian Cai reported that the WARN_ON() in the x86/msi affinity setting code, +which catches cases where the affinity setting is not done on the CPU which +is the current target of the interrupt, triggers during CPU hotplug stress +testing. + +It turns out that the warning which was added with the commit addressing +the MSI affinity race unearthed yet another long standing bug. + +If user space writes a bogus affinity mask, i.e. it contains no online CPUs, +then it calls irq_select_affinity_usr(). This was introduced for ALPHA in + + eee45269b0f5 ("[PATCH] Alpha: convert to generic irq framework (generic part)") + +and subsequently made available for all architectures in + + 18404756765c ("genirq: Expose default irq affinity mask (take 3)") + +which introduced the circumvention of the affinity setting restrictions for +interrupt which cannot be moved in process context. + +The whole exercise is bogus in various aspects: + + 1) If the interrupt is already started up then there is absolutely + no point to honour a bogus interrupt affinity setting from user + space. The interrupt is already assigned to an online CPU and it + does not make any sense to reassign it to some other randomly + chosen online CPU. + + 2) If the interupt is not yet started up then there is no point + either. A subsequent startup of the interrupt will invoke + irq_setup_affinity() anyway which will chose a valid target CPU. + +So the only correct solution is to just return -EINVAL in case user space +wrote an affinity mask which does not contain any online CPUs, except for +ALPHA which has it's own magic sauce for this. + +Fixes: 18404756765c ("genirq: Expose default irq affinity mask (take 3)") +Reported-by: Qian Cai +Signed-off-by: Thomas Gleixner +Tested-by: Qian Cai +Link: https://lkml.kernel.org/r/878sl8xdbm.fsf@nanos.tec.linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/internals.h | 2 -- + kernel/irq/manage.c | 18 ++---------------- + kernel/irq/proc.c | 22 ++++++++++++++++++++++ + 3 files changed, 24 insertions(+), 18 deletions(-) + +--- a/kernel/irq/internals.h ++++ b/kernel/irq/internals.h +@@ -128,8 +128,6 @@ static inline void unregister_handler_pr + + extern bool irq_can_set_affinity_usr(unsigned int irq); + +-extern int irq_select_affinity_usr(unsigned int irq); +- + extern void irq_set_thread_affinity(struct irq_desc *desc); + + extern int irq_do_set_affinity(struct irq_data *data, +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -442,23 +442,9 @@ int irq_setup_affinity(struct irq_desc * + { + return irq_select_affinity(irq_desc_get_irq(desc)); + } +-#endif ++#endif /* CONFIG_AUTO_IRQ_AFFINITY */ ++#endif /* CONFIG_SMP */ + +-/* +- * Called when a bogus affinity is set via /proc/irq +- */ +-int irq_select_affinity_usr(unsigned int irq) +-{ +- struct irq_desc *desc = irq_to_desc(irq); +- unsigned long flags; +- int ret; +- +- raw_spin_lock_irqsave(&desc->lock, flags); +- ret = irq_setup_affinity(desc); +- raw_spin_unlock_irqrestore(&desc->lock, flags); +- return ret; +-} +-#endif + + /** + * irq_set_vcpu_affinity - Set vcpu affinity for the interrupt +--- a/kernel/irq/proc.c ++++ b/kernel/irq/proc.c +@@ -111,6 +111,28 @@ static int irq_affinity_list_proc_show(s + return show_irq_affinity(AFFINITY_LIST, m); + } + ++#ifndef CONFIG_AUTO_IRQ_AFFINITY ++static inline int irq_select_affinity_usr(unsigned int irq) ++{ ++ /* ++ * If the interrupt is started up already then this fails. The ++ * interrupt is assigned to an online CPU already. There is no ++ * point to move it around randomly. Tell user space that the ++ * selected mask is bogus. ++ * ++ * If not then any change to the affinity is pointless because the ++ * startup code invokes irq_setup_affinity() which will select ++ * a online CPU anyway. ++ */ ++ return -EINVAL; ++} ++#else ++/* ALPHA magic affinity auto selector. Keep it for historical reasons. */ ++static inline int irq_select_affinity_usr(unsigned int irq) ++{ ++ return irq_select_affinity(irq); ++} ++#endif + + static ssize_t write_irq_affinity(int type, struct file *file, + const char __user *buffer, size_t count, loff_t *pos) diff --git a/queue-5.4/io_uring-fix-__io_iopoll_check-deadlock-in-io_sq_thread.patch b/queue-5.4/io_uring-fix-__io_iopoll_check-deadlock-in-io_sq_thread.patch new file mode 100644 index 00000000000..d113c899367 --- /dev/null +++ b/queue-5.4/io_uring-fix-__io_iopoll_check-deadlock-in-io_sq_thread.patch @@ -0,0 +1,83 @@ +From c7849be9cc2dd2754c48ddbaca27c2de6d80a95d Mon Sep 17 00:00:00 2001 +From: Xiaoguang Wang +Date: Sat, 22 Feb 2020 14:46:05 +0800 +Subject: io_uring: fix __io_iopoll_check deadlock in io_sq_thread + +From: Xiaoguang Wang + +commit c7849be9cc2dd2754c48ddbaca27c2de6d80a95d upstream. + +Since commit a3a0e43fd770 ("io_uring: don't enter poll loop if we have +CQEs pending"), if we already events pending, we won't enter poll loop. +In case SETUP_IOPOLL and SETUP_SQPOLL are both enabled, if app has +been terminated and don't reap pending events which are already in cq +ring, and there are some reqs in poll_list, io_sq_thread will enter +__io_iopoll_check(), and find pending events, then return, this loop +will never have a chance to exit. + +I have seen this issue in fio stress tests, to fix this issue, let +io_sq_thread call io_iopoll_getevents() with argument 'min' being zero, +and remove __io_iopoll_check(). + +Fixes: a3a0e43fd770 ("io_uring: don't enter poll loop if we have CQEs pending") +Signed-off-by: Xiaoguang Wang +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -882,11 +882,17 @@ static void io_iopoll_reap_events(struct + mutex_unlock(&ctx->uring_lock); + } + +-static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events, +- long min) ++static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events, ++ long min) + { + int iters = 0, ret = 0; + ++ /* ++ * We disallow the app entering submit/complete with polling, but we ++ * still need to lock the ring to prevent racing with polled issue ++ * that got punted to a workqueue. ++ */ ++ mutex_lock(&ctx->uring_lock); + do { + int tmin = 0; + +@@ -922,21 +928,6 @@ static int __io_iopoll_check(struct io_r + ret = 0; + } while (min && !*nr_events && !need_resched()); + +- return ret; +-} +- +-static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events, +- long min) +-{ +- int ret; +- +- /* +- * We disallow the app entering submit/complete with polling, but we +- * still need to lock the ring to prevent racing with polled issue +- * that got punted to a workqueue. +- */ +- mutex_lock(&ctx->uring_lock); +- ret = __io_iopoll_check(ctx, nr_events, min); + mutex_unlock(&ctx->uring_lock); + return ret; + } +@@ -2721,7 +2712,7 @@ static int io_sq_thread(void *data) + */ + mutex_lock(&ctx->uring_lock); + if (!list_empty(&ctx->poll_list)) +- __io_iopoll_check(ctx, &nr_events, 0); ++ io_iopoll_getevents(ctx, &nr_events, 0); + else + inflight = 0; + mutex_unlock(&ctx->uring_lock); diff --git a/queue-5.4/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch b/queue-5.4/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch new file mode 100644 index 00000000000..56366c738e2 --- /dev/null +++ b/queue-5.4/iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch @@ -0,0 +1,41 @@ +From e7598fac323aad0e502415edeffd567315994dd6 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Mon, 10 Feb 2020 10:36:56 +0100 +Subject: iommu/vt-d: Fix compile warning from intel-svm.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Joerg Roedel + +commit e7598fac323aad0e502415edeffd567315994dd6 upstream. + +The intel_svm_is_pasid_valid() needs to be marked inline, otherwise it +causes the compile warning below: + + CC [M] drivers/dma/idxd/cdev.o +In file included from drivers/dma/idxd/cdev.c:9:0: +./include/linux/intel-svm.h:125:12: warning: ‘intel_svm_is_pasid_valid’ defined but not used [-Wunused-function] + static int intel_svm_is_pasid_valid(struct device *dev, int pasid) + ^~~~~~~~~~~~~~~~~~~~~~~~ + +Reported-by: Borislav Petkov +Fixes: 15060aba71711 ('iommu/vt-d: Helper function to query if a pasid has any active users') +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/intel-svm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/intel-svm.h ++++ b/include/linux/intel-svm.h +@@ -122,7 +122,7 @@ static inline int intel_svm_unbind_mm(st + BUG(); + } + +-static int intel_svm_is_pasid_valid(struct device *dev, int pasid) ++static inline int intel_svm_is_pasid_valid(struct device *dev, int pasid) + { + return -EINVAL; + } diff --git a/queue-5.4/revert-dmaengine-imx-sdma-fix-memory-leak.patch b/queue-5.4/revert-dmaengine-imx-sdma-fix-memory-leak.patch new file mode 100644 index 00000000000..e610b51291a --- /dev/null +++ b/queue-5.4/revert-dmaengine-imx-sdma-fix-memory-leak.patch @@ -0,0 +1,70 @@ +From 495d2bbb11d2842917951961abb06e6ba45af6ae Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 27 Feb 2020 10:45:54 +0100 +Subject: Revert "dmaengine: imx-sdma: Fix memory leak" + +From: Greg Kroah-Hartman + +This reverts commit 8a7aa4feeaeabc12181e1997a298eb73d2ed2d65 which is +commit 02939cd167095f16328a1bd5cab5a90b550606df upstream. + +Andreas writes: + This patch breaks our imx6 board with the attached trace. + Reverting the patch makes it boot again. + +Reported-by: Andreas Tobler +Cc: Sascha Hauer +Cc: Robin Gong +Cc: Vinod Koul +Cc: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/imx-sdma.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -760,8 +760,12 @@ static void sdma_start_desc(struct sdma_ + return; + } + sdmac->desc = desc = to_sdma_desc(&vd->tx); +- +- list_del(&vd->node); ++ /* ++ * Do not delete the node in desc_issued list in cyclic mode, otherwise ++ * the desc allocated will never be freed in vchan_dma_desc_free_list ++ */ ++ if (!(sdmac->flags & IMX_DMA_SG_LOOP)) ++ list_del(&vd->node); + + sdma->channel_control[channel].base_bd_ptr = desc->bd_phys; + sdma->channel_control[channel].current_bd_ptr = desc->bd_phys; +@@ -1067,6 +1071,7 @@ static void sdma_channel_terminate_work( + + spin_lock_irqsave(&sdmac->vc.lock, flags); + vchan_get_all_descriptors(&sdmac->vc, &head); ++ sdmac->desc = NULL; + spin_unlock_irqrestore(&sdmac->vc.lock, flags); + vchan_dma_desc_free_list(&sdmac->vc, &head); + sdmac->context_loaded = false; +@@ -1075,19 +1080,11 @@ static void sdma_channel_terminate_work( + static int sdma_disable_channel_async(struct dma_chan *chan) + { + struct sdma_channel *sdmac = to_sdma_chan(chan); +- unsigned long flags; +- +- spin_lock_irqsave(&sdmac->vc.lock, flags); + + sdma_disable_channel(chan); + +- if (sdmac->desc) { +- vchan_terminate_vdesc(&sdmac->desc->vd); +- sdmac->desc = NULL; ++ if (sdmac->desc) + schedule_work(&sdmac->terminate_worker); +- } +- +- spin_unlock_irqrestore(&sdmac->vc.lock, flags); + + return 0; + } diff --git a/queue-5.4/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch b/queue-5.4/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch new file mode 100644 index 00000000000..0e8ec49cac7 --- /dev/null +++ b/queue-5.4/scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch @@ -0,0 +1,77 @@ +From 76261ada16dcc3be610396a46d35acc3efbda682 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 12 Feb 2020 21:08:59 -0800 +Subject: scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout" + +From: Bart Van Assche + +commit 76261ada16dcc3be610396a46d35acc3efbda682 upstream. + +Since commit 04060db41178 introduces soft lockups when toggling network +interfaces, revert it. + +Link: https://marc.info/?l=target-devel&m=158157054906196 +Cc: Rahul Kundu +Cc: Mike Marciniszyn +Cc: Sagi Grimberg +Reported-by: Dakshaja Uppalapati +Fixes: 04060db41178 ("scsi: RDMA/isert: Fix a recently introduced regression related to logout") +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 12 ++++++++++++ + drivers/target/iscsi/iscsi_target.c | 6 +++--- + 2 files changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2575,6 +2575,17 @@ isert_wait4logout(struct isert_conn *ise + } + } + ++static void ++isert_wait4cmds(struct iscsi_conn *conn) ++{ ++ isert_info("iscsi_conn %p\n", conn); ++ ++ if (conn->sess) { ++ target_sess_cmd_list_set_waiting(conn->sess->se_sess); ++ target_wait_for_sess_cmds(conn->sess->se_sess); ++ } ++} ++ + /** + * isert_put_unsol_pending_cmds() - Drop commands waiting for + * unsolicitate dataout +@@ -2622,6 +2633,7 @@ static void isert_wait_conn(struct iscsi + + ib_drain_qp(isert_conn->qp); + isert_put_unsol_pending_cmds(conn); ++ isert_wait4cmds(conn); + isert_wait4logout(isert_conn); + + queue_work(isert_release_wq, &isert_conn->release_work); +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4151,6 +4151,9 @@ int iscsit_close_connection( + iscsit_stop_nopin_response_timer(conn); + iscsit_stop_nopin_timer(conn); + ++ if (conn->conn_transport->iscsit_wait_conn) ++ conn->conn_transport->iscsit_wait_conn(conn); ++ + /* + * During Connection recovery drop unacknowledged out of order + * commands for this connection, and prepare the other commands +@@ -4236,9 +4239,6 @@ int iscsit_close_connection( + target_sess_cmd_list_set_waiting(sess->se_sess); + target_wait_for_sess_cmds(sess->se_sess); + +- if (conn->conn_transport->iscsit_wait_conn) +- conn->conn_transport->iscsit_wait_conn(conn); +- + ahash_request_free(conn->conn_tx_hash); + if (conn->conn_rx_hash) { + struct crypto_ahash *tfm; diff --git a/queue-5.4/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch b/queue-5.4/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch new file mode 100644 index 00000000000..257c41243e3 --- /dev/null +++ b/queue-5.4/scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch @@ -0,0 +1,70 @@ +From 807b9515b7d044cf77df31f1af9d842a76ecd5cb Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 12 Feb 2020 21:09:00 -0800 +Subject: scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" + +From: Bart Van Assche + +commit 807b9515b7d044cf77df31f1af9d842a76ecd5cb upstream. + +Since commit e9d3009cb936 introduced a regression and since the fix for +that regression was not perfect, revert this commit. + +Link: https://marc.info/?l=target-devel&m=158157054906195 +Cc: Rahul Kundu +Cc: Mike Marciniszyn +Cc: Sagi Grimberg +Reported-by: Dakshaja Uppalapati +Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session") +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 10 ++-------- + include/scsi/iscsi_proto.h | 1 - + 2 files changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -1165,9 +1165,7 @@ int iscsit_setup_scsi_cmd(struct iscsi_c + hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length, + conn->cid); + +- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0) +- return iscsit_add_reject_cmd(cmd, +- ISCSI_REASON_WAITING_FOR_LOGOUT, buf); ++ target_get_sess_cmd(&cmd->se_cmd, true); + + cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd, + scsilun_to_int(&hdr->lun)); +@@ -2004,9 +2002,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ + conn->sess->se_sess, 0, DMA_NONE, + TCM_SIMPLE_TAG, cmd->sense_buffer + 2); + +- if (target_get_sess_cmd(&cmd->se_cmd, true) < 0) +- return iscsit_add_reject_cmd(cmd, +- ISCSI_REASON_WAITING_FOR_LOGOUT, buf); ++ target_get_sess_cmd(&cmd->se_cmd, true); + + /* + * TASK_REASSIGN for ERL=2 / connection stays inside of +@@ -4236,8 +4232,6 @@ int iscsit_close_connection( + * must wait until they have completed. + */ + iscsit_check_conn_usage_count(conn); +- target_sess_cmd_list_set_waiting(sess->se_sess); +- target_wait_for_sess_cmds(sess->se_sess); + + ahash_request_free(conn->conn_tx_hash); + if (conn->conn_rx_hash) { +--- a/include/scsi/iscsi_proto.h ++++ b/include/scsi/iscsi_proto.h +@@ -627,7 +627,6 @@ struct iscsi_reject { + #define ISCSI_REASON_BOOKMARK_INVALID 9 + #define ISCSI_REASON_BOOKMARK_NO_RESOURCES 10 + #define ISCSI_REASON_NEGOTIATION_RESET 11 +-#define ISCSI_REASON_WAITING_FOR_LOGOUT 12 + + /* Max. number of Key=Value pairs in a text message */ + #define MAX_KEY_VALUE_PAIRS 8192 diff --git a/queue-5.4/series b/queue-5.4/series index 6c9f24a2755..7147d9487c0 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -97,3 +97,25 @@ btrfs-fix-btrfs_wait_ordered_range-so-that-it-waits-for-all-ordered-extents.patc btrfs-fix-race-between-shrinking-truncate-and-fiemap.patch btrfs-don-t-set-path-leave_spinning-for-truncate.patch btrfs-fix-deadlock-during-fast-fsync-when-logging-prealloc-extents-beyond-eof.patch +revert-dmaengine-imx-sdma-fix-memory-leak.patch +drm-i915-gt-detect-if-we-miss-waidleliterestore.patch +drm-i915-execlists-always-force-a-context-reload-when-rewinding-ring_tail.patch +drm-i915-gvt-more-locking-for-ppgtt-mm-lru-list.patch +drm-bridge-tc358767-fix-poll-timeouts.patch +drm-i915-gt-protect-defer_request-from-new-waiters.patch +drm-msm-dpu-fix-bgr565-vs-rgb565-confusion.patch +scsi-revert-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch +scsi-revert-target-iscsi-wait-for-all-commands-to-finish-before-freeing-a-session.patch +usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch +usb-dwc2-fix-in-isoc-request-length-checking.patch +staging-rtl8723bs-fix-copy-of-overlapping-memory.patch +staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch +asoc-atmel-fix-atmel_ssc_set_audio-link-failure.patch +asoc-fsl_sai-fix-exiting-path-on-probing-failure.patch +ecryptfs-replace-bug_on-with-error-handling-code.patch +iommu-vt-d-fix-compile-warning-from-intel-svm.h.patch +crypto-rename-sm3-256-to-sm3-in-hash_algo_name.patch +genirq-proc-reject-invalid-affinity-masks-again.patch +bpf-offload-replace-bitwise-and-by-logical-and-in-bpf_prog_offload_info_fill.patch +arm64-lse-fix-lse-atomics-with-llvm.patch +io_uring-fix-__io_iopoll_check-deadlock-in-io_sq_thread.patch diff --git a/queue-5.4/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch b/queue-5.4/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch new file mode 100644 index 00000000000..4126abb4530 --- /dev/null +++ b/queue-5.4/staging-greybus-use-after-free-in-gb_audio_manager_remove_all.patch @@ -0,0 +1,36 @@ +From b7db58105b80fa9232719c8329b995b3addfab55 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 5 Feb 2020 15:32:17 +0300 +Subject: staging: greybus: use after free in gb_audio_manager_remove_all() + +From: Dan Carpenter + +commit b7db58105b80fa9232719c8329b995b3addfab55 upstream. + +When we call kobject_put() and it's the last reference to the kobject +then it calls gb_audio_module_release() and frees module. We dereference +"module" on the next line which is a use after free. + +Fixes: c77f85bbc91a ("greybus: audio: Fix incorrect counting of 'ida'") +Signed-off-by: Dan Carpenter +Acked-by: Viresh Kumar +Reviewed-by: Vaibhav Agarwal +Link: https://lore.kernel.org/r/20200205123217.jreendkyxulqsool@kili.mountain +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/greybus/audio_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/greybus/audio_manager.c ++++ b/drivers/staging/greybus/audio_manager.c +@@ -92,8 +92,8 @@ void gb_audio_manager_remove_all(void) + + list_for_each_entry_safe(module, next, &modules_list, list) { + list_del(&module->list); +- kobject_put(&module->kobj); + ida_simple_remove(&module_id, module->id); ++ kobject_put(&module->kobj); + } + + is_empty = list_empty(&modules_list); diff --git a/queue-5.4/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch b/queue-5.4/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch new file mode 100644 index 00000000000..c899f529acd --- /dev/null +++ b/queue-5.4/staging-rtl8723bs-fix-copy-of-overlapping-memory.patch @@ -0,0 +1,45 @@ +From 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sun, 26 Jan 2020 22:05:49 +0000 +Subject: staging: rtl8723bs: fix copy of overlapping memory + +From: Colin Ian King + +commit 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 upstream. + +Currently the rtw_sprintf prints the contents of thread_name +onto thread_name and this can lead to a potential copy of a +string over itself. Avoid this by printing the literal string RTWHALXT +instread of the contents of thread_name. + +Addresses-Coverity: ("copy of overlapping memory") +Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") +Signed-off-by: Colin Ian King +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20200126220549.9849-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c ++++ b/drivers/staging/rtl8723bs/hal/rtl8723bs_xmit.c +@@ -476,14 +476,13 @@ int rtl8723bs_xmit_thread(void *context) + s32 ret; + struct adapter *padapter; + struct xmit_priv *pxmitpriv; +- u8 thread_name[20] = "RTWHALXT"; +- ++ u8 thread_name[20]; + + ret = _SUCCESS; + padapter = context; + pxmitpriv = &padapter->xmitpriv; + +- rtw_sprintf(thread_name, 20, "%s-"ADPT_FMT, thread_name, ADPT_ARG(padapter)); ++ rtw_sprintf(thread_name, 20, "RTWHALXT-" ADPT_FMT, ADPT_ARG(padapter)); + thread_enter(thread_name); + + DBG_871X("start "FUNC_ADPT_FMT"\n", FUNC_ADPT_ARG(padapter)); diff --git a/queue-5.4/usb-dwc2-fix-in-isoc-request-length-checking.patch b/queue-5.4/usb-dwc2-fix-in-isoc-request-length-checking.patch new file mode 100644 index 00000000000..d413ccd7cc6 --- /dev/null +++ b/queue-5.4/usb-dwc2-fix-in-isoc-request-length-checking.patch @@ -0,0 +1,49 @@ +From 860ef6cd3f90b84a1832f8a6485c90c34d3b588b Mon Sep 17 00:00:00 2001 +From: Minas Harutyunyan +Date: Tue, 21 Jan 2020 14:24:04 +0400 +Subject: usb: dwc2: Fix in ISOC request length checking + +From: Minas Harutyunyan + +commit 860ef6cd3f90b84a1832f8a6485c90c34d3b588b upstream. + +Moved ISOC request length checking from dwc2_hsotg_start_req() function to +dwc2_hsotg_ep_queue(). + +Fixes: 4fca54aa58293 ("usb: gadget: s3c-hsotg: add multi count support") +Signed-off-by: Minas Harutyunyan +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc2/gadget.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -1083,11 +1083,6 @@ static void dwc2_hsotg_start_req(struct + else + packets = 1; /* send one packet if length is zero. */ + +- if (hs_ep->isochronous && length > (hs_ep->mc * hs_ep->ep.maxpacket)) { +- dev_err(hsotg->dev, "req length > maxpacket*mc\n"); +- return; +- } +- + if (dir_in && index != 0) + if (hs_ep->isochronous) + epsize = DXEPTSIZ_MC(packets); +@@ -1391,6 +1386,13 @@ static int dwc2_hsotg_ep_queue(struct us + req->actual = 0; + req->status = -EINPROGRESS; + ++ /* Don't queue ISOC request if length greater than mps*mc */ ++ if (hs_ep->isochronous && ++ req->length > (hs_ep->mc * hs_ep->ep.maxpacket)) { ++ dev_err(hs->dev, "req length > maxpacket*mc\n"); ++ return -EINVAL; ++ } ++ + /* In DDMA mode for ISOC's don't queue request if length greater + * than descriptor limits. + */ diff --git a/queue-5.4/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch b/queue-5.4/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch new file mode 100644 index 00000000000..55fbbe9379f --- /dev/null +++ b/queue-5.4/usb-gadget-composite-fix-bmaxpower-for-superspeedplus.patch @@ -0,0 +1,43 @@ +From c724417baf162bd3e035659e22cdf990cfb0d917 Mon Sep 17 00:00:00 2001 +From: Jack Pham +Date: Thu, 30 Jan 2020 19:10:35 -0800 +Subject: usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus + +From: Jack Pham + +commit c724417baf162bd3e035659e22cdf990cfb0d917 upstream. + +SuperSpeedPlus peripherals must report their bMaxPower of the +configuration descriptor in units of 8mA as per the USB 3.2 +specification. The current switch statement in encode_bMaxPower() +only checks for USB_SPEED_SUPER but not USB_SPEED_SUPER_PLUS so +the latter falls back to USB 2.0 encoding which uses 2mA units. +Replace the switch with a simple if/else. + +Fixes: eae5820b852f ("usb: gadget: composite: Write SuperSpeedPlus config descriptors") +Signed-off-by: Jack Pham +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/composite.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -437,12 +437,10 @@ static u8 encode_bMaxPower(enum usb_devi + val = CONFIG_USB_GADGET_VBUS_DRAW; + if (!val) + return 0; +- switch (speed) { +- case USB_SPEED_SUPER: +- return DIV_ROUND_UP(val, 8); +- default: ++ if (speed < USB_SPEED_SUPER) + return DIV_ROUND_UP(val, 2); +- } ++ else ++ return DIV_ROUND_UP(val, 8); + } + + static int config_buf(struct usb_configuration *config,