From: Greg Kroah-Hartman Date: Mon, 2 Mar 2020 18:40:33 +0000 (+0100) Subject: 5.5-stable patches X-Git-Tag: v4.19.108~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1dacd39e273906ccb6fb4207e79b2cd7a7d0e0d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.5-stable patches added patches: acpi-watchdog-fix-gas-access_width-usage.patch acpica-introduce-acpi_access_byte_width-macro.patch amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch audit-fix-error-handling-in-audit_data_to_entry.patch blktrace-protect-q-blk_trace-with-rcu.patch cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch docs-fix-empty-parallelism-argument.patch drm-amdgpu-drop-driver_use_agp.patch drm-radeon-inline-drm_get_pci_dev.patch ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch hid-core-increase-hid-report-buffer-size-to-8kib.patch hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch scsi-sd_sbc-fix-sd_zbc_report_zones.patch scsi-zfcp-fix-wrong-data-and-display-format-of-sfp-temperature.patch tracing-disable-trace_printk-on-post-poned-tests.patch --- diff --git a/queue-5.5/acpi-watchdog-fix-gas-access_width-usage.patch b/queue-5.5/acpi-watchdog-fix-gas-access_width-usage.patch new file mode 100644 index 00000000000..0ed64531623 --- /dev/null +++ b/queue-5.5/acpi-watchdog-fix-gas-access_width-usage.patch @@ -0,0 +1,54 @@ +From 2ba33a4e9e22ac4dda928d3e9b5978a3a2ded4e0 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 12 Feb 2020 17:59:40 +0300 +Subject: ACPI: watchdog: Fix gas->access_width usage + +From: Mika Westerberg + +commit 2ba33a4e9e22ac4dda928d3e9b5978a3a2ded4e0 upstream. + +ACPI Generic Address Structure (GAS) access_width field is not in bytes +as the driver seems to expect in few places so fix this by using the +newly introduced macro ACPI_ACCESS_BYTE_WIDTH(). + +Fixes: b1abf6fc4982 ("ACPI / watchdog: Fix off-by-one error at resource assignment") +Fixes: 058dfc767008 ("ACPI / watchdog: Add support for WDAT hardware watchdog") +Reported-by: Jean Delvare +Signed-off-by: Mika Westerberg +Reviewed-by: Jean Delvare +Cc: 4.16+ # 4.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_watchdog.c | 3 +-- + drivers/watchdog/wdat_wdt.c | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/acpi_watchdog.c ++++ b/drivers/acpi/acpi_watchdog.c +@@ -126,12 +126,11 @@ void __init acpi_watchdog_init(void) + gas = &entries[i].register_region; + + res.start = gas->address; ++ res.end = res.start + ACPI_ACCESS_BYTE_WIDTH(gas->access_width) - 1; + if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + res.flags = IORESOURCE_MEM; +- res.end = res.start + ALIGN(gas->access_width, 4) - 1; + } else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { + res.flags = IORESOURCE_IO; +- res.end = res.start + gas->access_width - 1; + } else { + pr_warn("Unsupported address space: %u\n", + gas->space_id); +--- a/drivers/watchdog/wdat_wdt.c ++++ b/drivers/watchdog/wdat_wdt.c +@@ -389,7 +389,7 @@ static int wdat_wdt_probe(struct platfor + + memset(&r, 0, sizeof(r)); + r.start = gas->address; +- r.end = r.start + gas->access_width - 1; ++ r.end = r.start + ACPI_ACCESS_BYTE_WIDTH(gas->access_width) - 1; + if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) { + r.flags = IORESOURCE_MEM; + } else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { diff --git a/queue-5.5/acpica-introduce-acpi_access_byte_width-macro.patch b/queue-5.5/acpica-introduce-acpi_access_byte_width-macro.patch new file mode 100644 index 00000000000..5d681d00194 --- /dev/null +++ b/queue-5.5/acpica-introduce-acpi_access_byte_width-macro.patch @@ -0,0 +1,39 @@ +From 1dade3a7048ccfc675650cd2cf13d578b095e5fb Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 12 Feb 2020 17:59:39 +0300 +Subject: ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro + +From: Mika Westerberg + +commit 1dade3a7048ccfc675650cd2cf13d578b095e5fb upstream. + +Sometimes it is useful to find the access_width field value in bytes and +not in bits so add a helper that can be used for this purpose. + +Suggested-by: Jean Delvare +Signed-off-by: Mika Westerberg +Reviewed-by: Jean Delvare +Cc: 4.16+ # 4.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + include/acpi/actypes.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -532,11 +532,12 @@ typedef u64 acpi_integer; + strnlen (a, ACPI_NAMESEG_SIZE) == ACPI_NAMESEG_SIZE) + + /* +- * Algorithm to obtain access bit width. ++ * Algorithm to obtain access bit or byte width. + * Can be used with access_width of struct acpi_generic_address and access_size of + * struct acpi_resource_generic_register. + */ + #define ACPI_ACCESS_BIT_WIDTH(size) (1 << ((size) + 2)) ++#define ACPI_ACCESS_BYTE_WIDTH(size) (1 << ((size) - 1)) + + /******************************************************************************* + * diff --git a/queue-5.5/amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch b/queue-5.5/amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch new file mode 100644 index 00000000000..f446d236f62 --- /dev/null +++ b/queue-5.5/amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch @@ -0,0 +1,114 @@ +From a3ed353cf8015ba84a0407a5dc3ffee038166ab0 Mon Sep 17 00:00:00 2001 +From: Shirish S +Date: Mon, 27 Jan 2020 16:35:24 +0530 +Subject: amdgpu/gmc_v9: save/restore sdpif regs during S3 + +From: Shirish S + +commit a3ed353cf8015ba84a0407a5dc3ffee038166ab0 upstream. + +fixes S3 issue with IOMMU + S/G enabled @ 64M VRAM. + +Suggested-by: Alex Deucher +Signed-off-by: Shirish S +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h | 1 + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 37 ++++++++++++- + drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h | 2 + 3 files changed, 39 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.h +@@ -192,6 +192,7 @@ struct amdgpu_gmc { + uint32_t srbm_soft_reset; + bool prt_warning; + uint64_t stolen_size; ++ uint32_t sdpif_register; + /* apertures */ + u64 shared_aperture_start; + u64 shared_aperture_end; +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -1204,6 +1204,19 @@ static void gmc_v9_0_init_golden_registe + } + + /** ++ * gmc_v9_0_restore_registers - restores regs ++ * ++ * @adev: amdgpu_device pointer ++ * ++ * This restores register values, saved at suspend. ++ */ ++static void gmc_v9_0_restore_registers(struct amdgpu_device *adev) ++{ ++ if (adev->asic_type == CHIP_RAVEN) ++ WREG32(mmDCHUBBUB_SDPIF_MMIO_CNTRL_0, adev->gmc.sdpif_register); ++} ++ ++/** + * gmc_v9_0_gart_enable - gart enable + * + * @adev: amdgpu_device pointer +@@ -1308,6 +1321,20 @@ static int gmc_v9_0_hw_init(void *handle + } + + /** ++ * gmc_v9_0_save_registers - saves regs ++ * ++ * @adev: amdgpu_device pointer ++ * ++ * This saves potential register values that should be ++ * restored upon resume ++ */ ++static void gmc_v9_0_save_registers(struct amdgpu_device *adev) ++{ ++ if (adev->asic_type == CHIP_RAVEN) ++ adev->gmc.sdpif_register = RREG32(mmDCHUBBUB_SDPIF_MMIO_CNTRL_0); ++} ++ ++/** + * gmc_v9_0_gart_disable - gart disable + * + * @adev: amdgpu_device pointer +@@ -1343,9 +1370,16 @@ static int gmc_v9_0_hw_fini(void *handle + + static int gmc_v9_0_suspend(void *handle) + { ++ int r; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + +- return gmc_v9_0_hw_fini(adev); ++ r = gmc_v9_0_hw_fini(adev); ++ if (r) ++ return r; ++ ++ gmc_v9_0_save_registers(adev); ++ ++ return 0; + } + + static int gmc_v9_0_resume(void *handle) +@@ -1353,6 +1387,7 @@ static int gmc_v9_0_resume(void *handle) + int r; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ gmc_v9_0_restore_registers(adev); + r = gmc_v9_0_hw_init(adev); + if (r) + return r; +--- a/drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h ++++ b/drivers/gpu/drm/amd/include/asic_reg/dce/dce_12_0_offset.h +@@ -7376,6 +7376,8 @@ + #define mmCRTC4_CRTC_DRR_CONTROL 0x0f3e + #define mmCRTC4_CRTC_DRR_CONTROL_BASE_IDX 2 + ++#define mmDCHUBBUB_SDPIF_MMIO_CNTRL_0 0x395d ++#define mmDCHUBBUB_SDPIF_MMIO_CNTRL_0_BASE_IDX 2 + + // addressBlock: dce_dc_fmt4_dispdec + // base address: 0x2000 diff --git a/queue-5.5/audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch b/queue-5.5/audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch new file mode 100644 index 00000000000..eb7bd245c3f --- /dev/null +++ b/queue-5.5/audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch @@ -0,0 +1,148 @@ +From 756125289285f6e55a03861bf4b6257aa3d19a93 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Mon, 24 Feb 2020 16:38:57 -0500 +Subject: audit: always check the netlink payload length in audit_receive_msg() + +From: Paul Moore + +commit 756125289285f6e55a03861bf4b6257aa3d19a93 upstream. + +This patch ensures that we always check the netlink payload length +in audit_receive_msg() before we take any action on the payload +itself. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com +Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 40 +++++++++++++++++++++------------------- + 1 file changed, 21 insertions(+), 19 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1100,13 +1100,11 @@ static void audit_log_feature_change(int + audit_log_end(ab); + } + +-static int audit_set_feature(struct sk_buff *skb) ++static int audit_set_feature(struct audit_features *uaf) + { +- struct audit_features *uaf; + int i; + + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); +- uaf = nlmsg_data(nlmsg_hdr(skb)); + + /* if there is ever a version 2 we should handle that here */ + +@@ -1174,6 +1172,7 @@ static int audit_receive_msg(struct sk_b + { + u32 seq; + void *data; ++ int data_len; + int err; + struct audit_buffer *ab; + u16 msg_type = nlh->nlmsg_type; +@@ -1187,6 +1186,7 @@ static int audit_receive_msg(struct sk_b + + seq = nlh->nlmsg_seq; + data = nlmsg_data(nlh); ++ data_len = nlmsg_len(nlh); + + switch (msg_type) { + case AUDIT_GET: { +@@ -1210,7 +1210,7 @@ static int audit_receive_msg(struct sk_b + struct audit_status s; + memset(&s, 0, sizeof(s)); + /* guard against past and future API changes */ +- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); ++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); + if (s.mask & AUDIT_STATUS_ENABLED) { + err = audit_set_enabled(s.enabled); + if (err < 0) +@@ -1314,7 +1314,9 @@ static int audit_receive_msg(struct sk_b + return err; + break; + case AUDIT_SET_FEATURE: +- err = audit_set_feature(skb); ++ if (data_len < sizeof(struct audit_features)) ++ return -EINVAL; ++ err = audit_set_feature(data); + if (err) + return err; + break; +@@ -1326,6 +1328,8 @@ static int audit_receive_msg(struct sk_b + + err = audit_filter(msg_type, AUDIT_FILTER_USER); + if (err == 1) { /* match or error */ ++ char *str = data; ++ + err = 0; + if (msg_type == AUDIT_USER_TTY) { + err = tty_audit_push(); +@@ -1333,26 +1337,24 @@ static int audit_receive_msg(struct sk_b + break; + } + audit_log_user_recv_msg(&ab, msg_type); +- if (msg_type != AUDIT_USER_TTY) ++ if (msg_type != AUDIT_USER_TTY) { ++ /* ensure NULL termination */ ++ str[data_len - 1] = '\0'; + audit_log_format(ab, " msg='%.*s'", + AUDIT_MESSAGE_TEXT_MAX, +- (char *)data); +- else { +- int size; +- ++ str); ++ } else { + audit_log_format(ab, " data="); +- size = nlmsg_len(nlh); +- if (size > 0 && +- ((unsigned char *)data)[size - 1] == '\0') +- size--; +- audit_log_n_untrustedstring(ab, data, size); ++ if (data_len > 0 && str[data_len - 1] == '\0') ++ data_len--; ++ audit_log_n_untrustedstring(ab, str, data_len); + } + audit_log_end(ab); + } + break; + case AUDIT_ADD_RULE: + case AUDIT_DEL_RULE: +- if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) ++ if (data_len < sizeof(struct audit_rule_data)) + return -EINVAL; + if (audit_enabled == AUDIT_LOCKED) { + audit_log_common_recv_msg(audit_context(), &ab, +@@ -1364,7 +1366,7 @@ static int audit_receive_msg(struct sk_b + audit_log_end(ab); + return -EPERM; + } +- err = audit_rule_change(msg_type, seq, data, nlmsg_len(nlh)); ++ err = audit_rule_change(msg_type, seq, data, data_len); + break; + case AUDIT_LIST_RULES: + err = audit_list_rules_send(skb, seq); +@@ -1379,7 +1381,7 @@ static int audit_receive_msg(struct sk_b + case AUDIT_MAKE_EQUIV: { + void *bufp = data; + u32 sizes[2]; +- size_t msglen = nlmsg_len(nlh); ++ size_t msglen = data_len; + char *old, *new; + + err = -EINVAL; +@@ -1455,7 +1457,7 @@ static int audit_receive_msg(struct sk_b + + memset(&s, 0, sizeof(s)); + /* guard against past and future API changes */ +- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); ++ memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); + /* check if new data is valid */ + if ((s.enabled != 0 && s.enabled != 1) || + (s.log_passwd != 0 && s.log_passwd != 1)) diff --git a/queue-5.5/audit-fix-error-handling-in-audit_data_to_entry.patch b/queue-5.5/audit-fix-error-handling-in-audit_data_to_entry.patch new file mode 100644 index 00000000000..2c84b8b2a97 --- /dev/null +++ b/queue-5.5/audit-fix-error-handling-in-audit_data_to_entry.patch @@ -0,0 +1,203 @@ +From 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Sat, 22 Feb 2020 20:36:47 -0500 +Subject: audit: fix error handling in audit_data_to_entry() + +From: Paul Moore + +commit 2ad3e17ebf94b7b7f3f64c050ff168f9915345eb upstream. + +Commit 219ca39427bf ("audit: use union for audit_field values since +they are mutually exclusive") combined a number of separate fields in +the audit_field struct into a single union. Generally this worked +just fine because they are generally mutually exclusive. +Unfortunately in audit_data_to_entry() the overlap can be a problem +when a specific error case is triggered that causes the error path +code to attempt to cleanup an audit_field struct and the cleanup +involves attempting to free a stored LSM string (the lsm_str field). +Currently the code always has a non-NULL value in the +audit_field.lsm_str field as the top of the for-loop transfers a +value into audit_field.val (both .lsm_str and .val are part of the +same union); if audit_data_to_entry() fails and the audit_field +struct is specified to contain a LSM string, but the +audit_field.lsm_str has not yet been properly set, the error handling +code will attempt to free the bogus audit_field.lsm_str value that +was set with audit_field.val at the top of the for-loop. + +This patch corrects this by ensuring that the audit_field.val is only +set when needed (it is cleared when the audit_field struct is +allocated with kcalloc()). It also corrects a few other issues to +ensure that in case of error the proper error code is returned. + +Cc: stable@vger.kernel.org +Fixes: 219ca39427bf ("audit: use union for audit_field values since they are mutually exclusive") +Reported-by: syzbot+1f4d90ead370d72e450b@syzkaller.appspotmail.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditfilter.c | 71 ++++++++++++++++++++++++++++----------------------- + 1 file changed, 39 insertions(+), 32 deletions(-) + +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -456,6 +456,7 @@ static struct audit_entry *audit_data_to + bufp = data->buf; + for (i = 0; i < data->field_count; i++) { + struct audit_field *f = &entry->rule.fields[i]; ++ u32 f_val; + + err = -EINVAL; + +@@ -464,12 +465,12 @@ static struct audit_entry *audit_data_to + goto exit_free; + + f->type = data->fields[i]; +- f->val = data->values[i]; ++ f_val = data->values[i]; + + /* Support legacy tests for a valid loginuid */ +- if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { ++ if ((f->type == AUDIT_LOGINUID) && (f_val == AUDIT_UID_UNSET)) { + f->type = AUDIT_LOGINUID_SET; +- f->val = 0; ++ f_val = 0; + entry->rule.pflags |= AUDIT_LOGINUID_LEGACY; + } + +@@ -485,7 +486,7 @@ static struct audit_entry *audit_data_to + case AUDIT_SUID: + case AUDIT_FSUID: + case AUDIT_OBJ_UID: +- f->uid = make_kuid(current_user_ns(), f->val); ++ f->uid = make_kuid(current_user_ns(), f_val); + if (!uid_valid(f->uid)) + goto exit_free; + break; +@@ -494,11 +495,12 @@ static struct audit_entry *audit_data_to + case AUDIT_SGID: + case AUDIT_FSGID: + case AUDIT_OBJ_GID: +- f->gid = make_kgid(current_user_ns(), f->val); ++ f->gid = make_kgid(current_user_ns(), f_val); + if (!gid_valid(f->gid)) + goto exit_free; + break; + case AUDIT_ARCH: ++ f->val = f_val; + entry->rule.arch_f = f; + break; + case AUDIT_SUBJ_USER: +@@ -511,11 +513,13 @@ static struct audit_entry *audit_data_to + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- ++ } ++ entry->rule.buflen += f_val; ++ f->lsm_str = str; + err = security_audit_rule_init(f->type, f->op, str, + (void **)&f->lsm_rule); + /* Keep currently invalid fields around in case they +@@ -524,68 +528,71 @@ static struct audit_entry *audit_data_to + pr_warn("audit rule for LSM \'%s\' is invalid\n", + str); + err = 0; +- } +- if (err) { +- kfree(str); ++ } else if (err) + goto exit_free; +- } else +- f->lsm_str = str; + break; + case AUDIT_WATCH: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- +- err = audit_to_watch(&entry->rule, str, f->val, f->op); ++ } ++ err = audit_to_watch(&entry->rule, str, f_val, f->op); + if (err) { + kfree(str); + goto exit_free; + } ++ entry->rule.buflen += f_val; + break; + case AUDIT_DIR: +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; +- ++ } + err = audit_make_tree(&entry->rule, str, f->op); + kfree(str); + if (err) + goto exit_free; ++ entry->rule.buflen += f_val; + break; + case AUDIT_INODE: ++ f->val = f_val; + err = audit_to_inode(&entry->rule, f); + if (err) + goto exit_free; + break; + case AUDIT_FILTERKEY: +- if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) ++ if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN) + goto exit_free; +- str = audit_unpack_string(&bufp, &remain, f->val); +- if (IS_ERR(str)) ++ str = audit_unpack_string(&bufp, &remain, f_val); ++ if (IS_ERR(str)) { ++ err = PTR_ERR(str); + goto exit_free; +- entry->rule.buflen += f->val; ++ } ++ entry->rule.buflen += f_val; + entry->rule.filterkey = str; + break; + case AUDIT_EXE: +- if (entry->rule.exe || f->val > PATH_MAX) ++ if (entry->rule.exe || f_val > PATH_MAX) + goto exit_free; +- str = audit_unpack_string(&bufp, &remain, f->val); ++ str = audit_unpack_string(&bufp, &remain, f_val); + if (IS_ERR(str)) { + err = PTR_ERR(str); + goto exit_free; + } +- entry->rule.buflen += f->val; +- +- audit_mark = audit_alloc_mark(&entry->rule, str, f->val); ++ audit_mark = audit_alloc_mark(&entry->rule, str, f_val); + if (IS_ERR(audit_mark)) { + kfree(str); + err = PTR_ERR(audit_mark); + goto exit_free; + } ++ entry->rule.buflen += f_val; + entry->rule.exe = audit_mark; + break; ++ default: ++ f->val = f_val; ++ break; + } + } + diff --git a/queue-5.5/blktrace-protect-q-blk_trace-with-rcu.patch b/queue-5.5/blktrace-protect-q-blk_trace-with-rcu.patch new file mode 100644 index 00000000000..dc4725c326f --- /dev/null +++ b/queue-5.5/blktrace-protect-q-blk_trace-with-rcu.patch @@ -0,0 +1,424 @@ +From c780e86dd48ef6467a1146cf7d0fe1e05a635039 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 6 Feb 2020 15:28:12 +0100 +Subject: blktrace: Protect q->blk_trace with RCU + +From: Jan Kara + +commit c780e86dd48ef6467a1146cf7d0fe1e05a635039 upstream. + +KASAN is reporting that __blk_add_trace() has a use-after-free issue +when accessing q->blk_trace. Indeed the switching of block tracing (and +thus eventual freeing of q->blk_trace) is completely unsynchronized with +the currently running tracing and thus it can happen that the blk_trace +structure is being freed just while __blk_add_trace() works on it. +Protect accesses to q->blk_trace by RCU during tracing and make sure we +wait for the end of RCU grace period when shutting down tracing. Luckily +that is rare enough event that we can afford that. Note that postponing +the freeing of blk_trace to an RCU callback should better be avoided as +it could have unexpected user visible side-effects as debugfs files +would be still existing for a short while block tracing has been shut +down. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=205711 +CC: stable@vger.kernel.org +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Ming Lei +Tested-by: Ming Lei +Reviewed-by: Bart Van Assche +Reported-by: Tristan Madani +Signed-off-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/blkdev.h | 2 + include/linux/blktrace_api.h | 18 ++++-- + kernel/trace/blktrace.c | 114 +++++++++++++++++++++++++++++++------------ + 3 files changed, 97 insertions(+), 37 deletions(-) + +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -524,7 +524,7 @@ struct request_queue { + unsigned int sg_reserved_size; + int node; + #ifdef CONFIG_BLK_DEV_IO_TRACE +- struct blk_trace *blk_trace; ++ struct blk_trace __rcu *blk_trace; + struct mutex blk_trace_mutex; + #endif + /* +--- a/include/linux/blktrace_api.h ++++ b/include/linux/blktrace_api.h +@@ -51,9 +51,13 @@ void __trace_note_message(struct blk_tra + **/ + #define blk_add_cgroup_trace_msg(q, cg, fmt, ...) \ + do { \ +- struct blk_trace *bt = (q)->blk_trace; \ ++ struct blk_trace *bt; \ ++ \ ++ rcu_read_lock(); \ ++ bt = rcu_dereference((q)->blk_trace); \ + if (unlikely(bt)) \ + __trace_note_message(bt, cg, fmt, ##__VA_ARGS__);\ ++ rcu_read_unlock(); \ + } while (0) + #define blk_add_trace_msg(q, fmt, ...) \ + blk_add_cgroup_trace_msg(q, NULL, fmt, ##__VA_ARGS__) +@@ -61,10 +65,14 @@ void __trace_note_message(struct blk_tra + + static inline bool blk_trace_note_message_enabled(struct request_queue *q) + { +- struct blk_trace *bt = q->blk_trace; +- if (likely(!bt)) +- return false; +- return bt->act_mask & BLK_TC_NOTIFY; ++ struct blk_trace *bt; ++ bool ret; ++ ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); ++ ret = bt && (bt->act_mask & BLK_TC_NOTIFY); ++ rcu_read_unlock(); ++ return ret; + } + + extern void blk_add_driver_data(struct request_queue *q, struct request *rq, +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -335,6 +335,7 @@ static void put_probe_ref(void) + + static void blk_trace_cleanup(struct blk_trace *bt) + { ++ synchronize_rcu(); + blk_trace_free(bt); + put_probe_ref(); + } +@@ -629,8 +630,10 @@ static int compat_blk_trace_setup(struct + static int __blk_trace_startstop(struct request_queue *q, int start) + { + int ret; +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + ++ bt = rcu_dereference_protected(q->blk_trace, ++ lockdep_is_held(&q->blk_trace_mutex)); + if (bt == NULL) + return -EINVAL; + +@@ -740,8 +743,8 @@ int blk_trace_ioctl(struct block_device + void blk_trace_shutdown(struct request_queue *q) + { + mutex_lock(&q->blk_trace_mutex); +- +- if (q->blk_trace) { ++ if (rcu_dereference_protected(q->blk_trace, ++ lockdep_is_held(&q->blk_trace_mutex))) { + __blk_trace_startstop(q, 0); + __blk_trace_remove(q); + } +@@ -752,8 +755,10 @@ void blk_trace_shutdown(struct request_q + #ifdef CONFIG_BLK_CGROUP + static u64 blk_trace_bio_get_cgid(struct request_queue *q, struct bio *bio) + { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + ++ /* We don't use the 'bt' value here except as an optimization... */ ++ bt = rcu_dereference_protected(q->blk_trace, 1); + if (!bt || !(blk_tracer_flags.val & TRACE_BLK_OPT_CGROUP)) + return 0; + +@@ -796,10 +801,14 @@ blk_trace_request_get_cgid(struct reques + static void blk_add_trace_rq(struct request *rq, int error, + unsigned int nr_bytes, u32 what, u64 cgid) + { +- struct blk_trace *bt = rq->q->blk_trace; ++ struct blk_trace *bt; + +- if (likely(!bt)) ++ rcu_read_lock(); ++ bt = rcu_dereference(rq->q->blk_trace); ++ if (likely(!bt)) { ++ rcu_read_unlock(); + return; ++ } + + if (blk_rq_is_passthrough(rq)) + what |= BLK_TC_ACT(BLK_TC_PC); +@@ -808,6 +817,7 @@ static void blk_add_trace_rq(struct requ + + __blk_add_trace(bt, blk_rq_trace_sector(rq), nr_bytes, req_op(rq), + rq->cmd_flags, what, error, 0, NULL, cgid); ++ rcu_read_unlock(); + } + + static void blk_add_trace_rq_insert(void *ignore, +@@ -853,14 +863,19 @@ static void blk_add_trace_rq_complete(vo + static void blk_add_trace_bio(struct request_queue *q, struct bio *bio, + u32 what, int error) + { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + +- if (likely(!bt)) ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); ++ if (likely(!bt)) { ++ rcu_read_unlock(); + return; ++ } + + __blk_add_trace(bt, bio->bi_iter.bi_sector, bio->bi_iter.bi_size, + bio_op(bio), bio->bi_opf, what, error, 0, NULL, + blk_trace_bio_get_cgid(q, bio)); ++ rcu_read_unlock(); + } + + static void blk_add_trace_bio_bounce(void *ignore, +@@ -905,11 +920,14 @@ static void blk_add_trace_getrq(void *ig + if (bio) + blk_add_trace_bio(q, bio, BLK_TA_GETRQ, 0); + else { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); + if (bt) + __blk_add_trace(bt, 0, 0, rw, 0, BLK_TA_GETRQ, 0, 0, + NULL, 0); ++ rcu_read_unlock(); + } + } + +@@ -921,27 +939,35 @@ static void blk_add_trace_sleeprq(void * + if (bio) + blk_add_trace_bio(q, bio, BLK_TA_SLEEPRQ, 0); + else { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); + if (bt) + __blk_add_trace(bt, 0, 0, rw, 0, BLK_TA_SLEEPRQ, + 0, 0, NULL, 0); ++ rcu_read_unlock(); + } + } + + static void blk_add_trace_plug(void *ignore, struct request_queue *q) + { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); + if (bt) + __blk_add_trace(bt, 0, 0, 0, 0, BLK_TA_PLUG, 0, 0, NULL, 0); ++ rcu_read_unlock(); + } + + static void blk_add_trace_unplug(void *ignore, struct request_queue *q, + unsigned int depth, bool explicit) + { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); + if (bt) { + __be64 rpdu = cpu_to_be64(depth); + u32 what; +@@ -953,14 +979,17 @@ static void blk_add_trace_unplug(void *i + + __blk_add_trace(bt, 0, 0, 0, 0, what, 0, sizeof(rpdu), &rpdu, 0); + } ++ rcu_read_unlock(); + } + + static void blk_add_trace_split(void *ignore, + struct request_queue *q, struct bio *bio, + unsigned int pdu) + { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); + if (bt) { + __be64 rpdu = cpu_to_be64(pdu); + +@@ -969,6 +998,7 @@ static void blk_add_trace_split(void *ig + BLK_TA_SPLIT, bio->bi_status, sizeof(rpdu), + &rpdu, blk_trace_bio_get_cgid(q, bio)); + } ++ rcu_read_unlock(); + } + + /** +@@ -988,11 +1018,15 @@ static void blk_add_trace_bio_remap(void + struct request_queue *q, struct bio *bio, + dev_t dev, sector_t from) + { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + struct blk_io_trace_remap r; + +- if (likely(!bt)) ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); ++ if (likely(!bt)) { ++ rcu_read_unlock(); + return; ++ } + + r.device_from = cpu_to_be32(dev); + r.device_to = cpu_to_be32(bio_dev(bio)); +@@ -1001,6 +1035,7 @@ static void blk_add_trace_bio_remap(void + __blk_add_trace(bt, bio->bi_iter.bi_sector, bio->bi_iter.bi_size, + bio_op(bio), bio->bi_opf, BLK_TA_REMAP, bio->bi_status, + sizeof(r), &r, blk_trace_bio_get_cgid(q, bio)); ++ rcu_read_unlock(); + } + + /** +@@ -1021,11 +1056,15 @@ static void blk_add_trace_rq_remap(void + struct request *rq, dev_t dev, + sector_t from) + { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + struct blk_io_trace_remap r; + +- if (likely(!bt)) ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); ++ if (likely(!bt)) { ++ rcu_read_unlock(); + return; ++ } + + r.device_from = cpu_to_be32(dev); + r.device_to = cpu_to_be32(disk_devt(rq->rq_disk)); +@@ -1034,6 +1073,7 @@ static void blk_add_trace_rq_remap(void + __blk_add_trace(bt, blk_rq_pos(rq), blk_rq_bytes(rq), + rq_data_dir(rq), 0, BLK_TA_REMAP, 0, + sizeof(r), &r, blk_trace_request_get_cgid(q, rq)); ++ rcu_read_unlock(); + } + + /** +@@ -1051,14 +1091,19 @@ void blk_add_driver_data(struct request_ + struct request *rq, + void *data, size_t len) + { +- struct blk_trace *bt = q->blk_trace; ++ struct blk_trace *bt; + +- if (likely(!bt)) ++ rcu_read_lock(); ++ bt = rcu_dereference(q->blk_trace); ++ if (likely(!bt)) { ++ rcu_read_unlock(); + return; ++ } + + __blk_add_trace(bt, blk_rq_trace_sector(rq), blk_rq_bytes(rq), 0, 0, + BLK_TA_DRV_DATA, 0, len, data, + blk_trace_request_get_cgid(q, rq)); ++ rcu_read_unlock(); + } + EXPORT_SYMBOL_GPL(blk_add_driver_data); + +@@ -1597,6 +1642,7 @@ static int blk_trace_remove_queue(struct + return -EINVAL; + + put_probe_ref(); ++ synchronize_rcu(); + blk_trace_free(bt); + return 0; + } +@@ -1758,6 +1804,7 @@ static ssize_t sysfs_blk_trace_attr_show + struct hd_struct *p = dev_to_part(dev); + struct request_queue *q; + struct block_device *bdev; ++ struct blk_trace *bt; + ssize_t ret = -ENXIO; + + bdev = bdget(part_devt(p)); +@@ -1770,21 +1817,23 @@ static ssize_t sysfs_blk_trace_attr_show + + mutex_lock(&q->blk_trace_mutex); + ++ bt = rcu_dereference_protected(q->blk_trace, ++ lockdep_is_held(&q->blk_trace_mutex)); + if (attr == &dev_attr_enable) { +- ret = sprintf(buf, "%u\n", !!q->blk_trace); ++ ret = sprintf(buf, "%u\n", !!bt); + goto out_unlock_bdev; + } + +- if (q->blk_trace == NULL) ++ if (bt == NULL) + ret = sprintf(buf, "disabled\n"); + else if (attr == &dev_attr_act_mask) +- ret = blk_trace_mask2str(buf, q->blk_trace->act_mask); ++ ret = blk_trace_mask2str(buf, bt->act_mask); + else if (attr == &dev_attr_pid) +- ret = sprintf(buf, "%u\n", q->blk_trace->pid); ++ ret = sprintf(buf, "%u\n", bt->pid); + else if (attr == &dev_attr_start_lba) +- ret = sprintf(buf, "%llu\n", q->blk_trace->start_lba); ++ ret = sprintf(buf, "%llu\n", bt->start_lba); + else if (attr == &dev_attr_end_lba) +- ret = sprintf(buf, "%llu\n", q->blk_trace->end_lba); ++ ret = sprintf(buf, "%llu\n", bt->end_lba); + + out_unlock_bdev: + mutex_unlock(&q->blk_trace_mutex); +@@ -1801,6 +1850,7 @@ static ssize_t sysfs_blk_trace_attr_stor + struct block_device *bdev; + struct request_queue *q; + struct hd_struct *p; ++ struct blk_trace *bt; + u64 value; + ssize_t ret = -EINVAL; + +@@ -1831,8 +1881,10 @@ static ssize_t sysfs_blk_trace_attr_stor + + mutex_lock(&q->blk_trace_mutex); + ++ bt = rcu_dereference_protected(q->blk_trace, ++ lockdep_is_held(&q->blk_trace_mutex)); + if (attr == &dev_attr_enable) { +- if (!!value == !!q->blk_trace) { ++ if (!!value == !!bt) { + ret = 0; + goto out_unlock_bdev; + } +@@ -1844,18 +1896,18 @@ static ssize_t sysfs_blk_trace_attr_stor + } + + ret = 0; +- if (q->blk_trace == NULL) ++ if (bt == NULL) + ret = blk_trace_setup_queue(q, bdev); + + if (ret == 0) { + if (attr == &dev_attr_act_mask) +- q->blk_trace->act_mask = value; ++ bt->act_mask = value; + else if (attr == &dev_attr_pid) +- q->blk_trace->pid = value; ++ bt->pid = value; + else if (attr == &dev_attr_start_lba) +- q->blk_trace->start_lba = value; ++ bt->start_lba = value; + else if (attr == &dev_attr_end_lba) +- q->blk_trace->end_lba = value; ++ bt->end_lba = value; + } + + out_unlock_bdev: diff --git a/queue-5.5/cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch b/queue-5.5/cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch new file mode 100644 index 00000000000..bc07f6be529 --- /dev/null +++ b/queue-5.5/cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch @@ -0,0 +1,52 @@ +From f5739cb0b56590d68d8df8a44659893b6d0084c3 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 26 Feb 2020 22:39:27 +0100 +Subject: cpufreq: Fix policy initialization for internal governor drivers + +From: Rafael J. Wysocki + +commit f5739cb0b56590d68d8df8a44659893b6d0084c3 upstream. + +Before commit 1e4f63aecb53 ("cpufreq: Avoid creating excessively +large stack frames") the initial value of the policy field in struct +cpufreq_policy set by the driver's ->init() callback was implicitly +passed from cpufreq_init_policy() to cpufreq_set_policy() if the +default governor was neither "performance" nor "powersave". After +that commit, however, cpufreq_init_policy() must take that case into +consideration explicitly and handle it as appropriate, so make that +happen. + +Fixes: 1e4f63aecb53 ("cpufreq: Avoid creating excessively large stack frames") +Link: https://lore.kernel.org/linux-pm/39fb762880c27da110086741315ca8b111d781cd.camel@gmail.com/ +Reported-by: Artem Bityutskiy +Cc: 5.4+ # 5.4+ +Signed-off-by: Rafael J. Wysocki +Acked-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/cpufreq.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1074,9 +1074,17 @@ static int cpufreq_init_policy(struct cp + pol = policy->last_policy; + } else if (def_gov) { + pol = cpufreq_parse_policy(def_gov->name); +- } else { +- return -ENODATA; ++ /* ++ * In case the default governor is neiter "performance" ++ * nor "powersave", fall back to the initial policy ++ * value set by the driver. ++ */ ++ if (pol == CPUFREQ_POLICY_UNKNOWN) ++ pol = policy->policy; + } ++ if (pol != CPUFREQ_POLICY_PERFORMANCE && ++ pol != CPUFREQ_POLICY_POWERSAVE) ++ return -ENODATA; + } + + return cpufreq_set_policy(policy, gov, pol); diff --git a/queue-5.5/docs-fix-empty-parallelism-argument.patch b/queue-5.5/docs-fix-empty-parallelism-argument.patch new file mode 100644 index 00000000000..304f93a341a --- /dev/null +++ b/queue-5.5/docs-fix-empty-parallelism-argument.patch @@ -0,0 +1,33 @@ +From adc10f5b0a03606e30c704cff1f0283a696d0260 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 21 Feb 2020 16:02:39 -0800 +Subject: docs: Fix empty parallelism argument + +From: Kees Cook + +commit adc10f5b0a03606e30c704cff1f0283a696d0260 upstream. + +When there was no parallelism (no top-level -j arg and a pre-1.7 +sphinx-build), the argument passed would be empty ("") instead of just +being missing, which would (understandably) badly confuse sphinx-build. +Fix this by removing the quotes. + +Reported-by: Rafael J. Wysocki +Fixes: 51e46c7a4007 ("docs, parallelism: Rearrange how jobserver reservations are made") +Cc: stable@vger.kernel.org # v5.5 only +Signed-off-by: Kees Cook +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sphinx/parallel-wrapper.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/sphinx/parallel-wrapper.sh ++++ b/Documentation/sphinx/parallel-wrapper.sh +@@ -30,4 +30,4 @@ if [ -n "$parallel" ] ; then + parallel="-j$parallel" + fi + +-exec "$sphinx" "$parallel" "$@" ++exec "$sphinx" $parallel "$@" diff --git a/queue-5.5/drm-amdgpu-drop-driver_use_agp.patch b/queue-5.5/drm-amdgpu-drop-driver_use_agp.patch new file mode 100644 index 00000000000..3f53092db13 --- /dev/null +++ b/queue-5.5/drm-amdgpu-drop-driver_use_agp.patch @@ -0,0 +1,56 @@ +From 8a3bddf67ce88b96531fb22c5a75d7f4dc41d155 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sat, 22 Feb 2020 18:54:31 +0100 +Subject: drm/amdgpu: Drop DRIVER_USE_AGP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +commit 8a3bddf67ce88b96531fb22c5a75d7f4dc41d155 upstream. + +This doesn't do anything except auto-init drm_agp support when you +call drm_get_pci_dev(). Which amdgpu stopped doing with + +commit b58c11314a1706bf094c489ef5cb28f76478c704 +Author: Alex Deucher +Date: Fri Jun 2 17:16:31 2017 -0400 + + drm/amdgpu: drop deprecated drm_get_pci_dev and drm_put_dev + +No idea whether this was intentional or accidental breakage, but I +guess anyone who manages to boot a this modern gpu behind an agp +bridge deserves a price. A price I never expect anyone to ever collect +:-) + +Cc: Alex Deucher +Cc: "Christian König" +Cc: Hawking Zhang +Cc: Xiaojie Yuan +Cc: Evan Quan +Cc: "Tianci.Yin" +Cc: "Marek Olšák" +Cc: Hans de Goede +Reviewed-by: Emil Velikov +Reviewed-by: Alex Deucher +Signed-off-by: Daniel Vetter +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1357,7 +1357,7 @@ amdgpu_get_crtc_scanout_position(struct + + static struct drm_driver kms_driver = { + .driver_features = +- DRIVER_USE_AGP | DRIVER_ATOMIC | ++ DRIVER_ATOMIC | + DRIVER_GEM | + DRIVER_RENDER | DRIVER_MODESET | DRIVER_SYNCOBJ | + DRIVER_SYNCOBJ_TIMELINE, diff --git a/queue-5.5/drm-radeon-inline-drm_get_pci_dev.patch b/queue-5.5/drm-radeon-inline-drm_get_pci_dev.patch new file mode 100644 index 00000000000..1f37ae9e5d7 --- /dev/null +++ b/queue-5.5/drm-radeon-inline-drm_get_pci_dev.patch @@ -0,0 +1,135 @@ +From eb12c957735b582607e5842a06d1f4c62e185c1d Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sat, 22 Feb 2020 18:54:32 +0100 +Subject: drm/radeon: Inline drm_get_pci_dev +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +commit eb12c957735b582607e5842a06d1f4c62e185c1d upstream. + +It's the last user, and more importantly, it's the last non-legacy +user of anything in drm_pci.c. + +The only tricky bit is the agp initialization. But a close look shows +that radeon does not use the drm_agp midlayer (the main use of that is +drm_bufs for legacy drivers), and instead could use the agp subsystem +directly (like nouveau does already). Hence we can just pull this in +too. + +A further step would be to entirely drop the use of drm_device->agp, +but feels like too much churn just for this patch. + +Signed-off-by: Daniel Vetter +Cc: Alex Deucher +Cc: "Christian König" +Cc: "David (ChunMing) Zhou" +Cc: amd-gfx@lists.freedesktop.org +Reviewed-by: Alex Deucher +Reviewed-by: Emil Velikov +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_drv.c | 43 ++++++++++++++++++++++++++++++++++-- + drivers/gpu/drm/radeon/radeon_kms.c | 6 +++++ + 2 files changed, 47 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -37,6 +37,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -325,6 +326,7 @@ static int radeon_pci_probe(struct pci_d + const struct pci_device_id *ent) + { + unsigned long flags = 0; ++ struct drm_device *dev; + int ret; + + if (!ent) +@@ -365,7 +367,44 @@ static int radeon_pci_probe(struct pci_d + if (ret) + return ret; + +- return drm_get_pci_dev(pdev, ent, &kms_driver); ++ dev = drm_dev_alloc(&kms_driver, &pdev->dev); ++ if (IS_ERR(dev)) ++ return PTR_ERR(dev); ++ ++ ret = pci_enable_device(pdev); ++ if (ret) ++ goto err_free; ++ ++ dev->pdev = pdev; ++#ifdef __alpha__ ++ dev->hose = pdev->sysdata; ++#endif ++ ++ pci_set_drvdata(pdev, dev); ++ ++ if (pci_find_capability(dev->pdev, PCI_CAP_ID_AGP)) ++ dev->agp = drm_agp_init(dev); ++ if (dev->agp) { ++ dev->agp->agp_mtrr = arch_phys_wc_add( ++ dev->agp->agp_info.aper_base, ++ dev->agp->agp_info.aper_size * ++ 1024 * 1024); ++ } ++ ++ ret = drm_dev_register(dev, ent->driver_data); ++ if (ret) ++ goto err_agp; ++ ++ return 0; ++ ++err_agp: ++ if (dev->agp) ++ arch_phys_wc_del(dev->agp->agp_mtrr); ++ kfree(dev->agp); ++ pci_disable_device(pdev); ++err_free: ++ drm_dev_put(dev); ++ return ret; + } + + static void +@@ -575,7 +614,7 @@ radeon_get_crtc_scanout_position(struct + + static struct drm_driver kms_driver = { + .driver_features = +- DRIVER_USE_AGP | DRIVER_GEM | DRIVER_RENDER, ++ DRIVER_GEM | DRIVER_RENDER, + .load = radeon_driver_load_kms, + .open = radeon_driver_open_kms, + .postclose = radeon_driver_postclose_kms, +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -31,6 +31,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -77,6 +78,11 @@ void radeon_driver_unload_kms(struct drm + radeon_modeset_fini(rdev); + radeon_device_fini(rdev); + ++ if (dev->agp) ++ arch_phys_wc_del(dev->agp->agp_mtrr); ++ kfree(dev->agp); ++ dev->agp = NULL; ++ + done_free: + kfree(rdev); + dev->dev_private = NULL; diff --git a/queue-5.5/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch b/queue-5.5/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch new file mode 100644 index 00000000000..03f745dbf78 --- /dev/null +++ b/queue-5.5/ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch @@ -0,0 +1,50 @@ +From 37b0b6b8b99c0e1c1f11abbe7cf49b6d03795b3f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 28 Feb 2020 12:22:56 +0300 +Subject: ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() + +From: Dan Carpenter + +commit 37b0b6b8b99c0e1c1f11abbe7cf49b6d03795b3f upstream. + +If sbi->s_flex_groups_allocated is zero and the first allocation fails +then this code will crash. The problem is that "i--" will set "i" to +-1 but when we compare "i >= sbi->s_flex_groups_allocated" then the -1 +is type promoted to unsigned and becomes UINT_MAX. Since UINT_MAX +is more than zero, the condition is true so we call kvfree(new_groups[-1]). +The loop will carry on freeing invalid memory until it crashes. + +Fixes: 7c990728b99e ("ext4: fix potential race between s_flex_groups online resizing and access") +Reviewed-by: Suraj Jitindar Singh +Signed-off-by: Dan Carpenter +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20200228092142.7irbc44yaz3by7nb@kili.mountain +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2346,7 +2346,7 @@ int ext4_alloc_flex_bg_array(struct supe + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct flex_groups **old_groups, **new_groups; +- int size, i; ++ int size, i, j; + + if (!sbi->s_log_groups_per_flex) + return 0; +@@ -2367,8 +2367,8 @@ int ext4_alloc_flex_bg_array(struct supe + sizeof(struct flex_groups)), + GFP_KERNEL); + if (!new_groups[i]) { +- for (i--; i >= sbi->s_flex_groups_allocated; i--) +- kvfree(new_groups[i]); ++ for (j = sbi->s_flex_groups_allocated; j < i; j++) ++ kvfree(new_groups[j]); + kvfree(new_groups); + ext4_msg(sb, KERN_ERR, + "not enough memory for %d flex groups", size); diff --git a/queue-5.5/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch b/queue-5.5/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch new file mode 100644 index 00000000000..39b4bfe3561 --- /dev/null +++ b/queue-5.5/hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch @@ -0,0 +1,46 @@ +From 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f Mon Sep 17 00:00:00 2001 +From: Johan Korsnes +Date: Fri, 17 Jan 2020 13:08:35 +0100 +Subject: HID: core: fix off-by-one memset in hid_report_raw_event() + +From: Johan Korsnes + +commit 5ebdffd25098898aff1249ae2f7dbfddd76d8f8f upstream. + +In case a report is greater than HID_MAX_BUFFER_SIZE, it is truncated, +but the report-number byte is not correctly handled. This results in a +off-by-one in the following memset, causing a kernel Oops and ensuing +system crash. + +Note: With commit 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in +hid_field_extract") I no longer hit the kernel Oops as we instead fail +"controlled" at probe if there is a report too long in the HID +report-descriptor. hid_report_raw_event() is an exported symbol, so +presumabely we cannot always rely on this being the case. + +Fixes: 966922f26c7f ("HID: fix a crash in hid_report_raw_event() + function.") +Signed-off-by: Johan Korsnes +Cc: Armando Visconti +Cc: Jiri Kosina +Cc: Alan Stern +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1741,7 +1741,9 @@ int hid_report_raw_event(struct hid_devi + + rsize = ((report->size - 1) >> 3) + 1; + +- if (rsize > HID_MAX_BUFFER_SIZE) ++ if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE) ++ rsize = HID_MAX_BUFFER_SIZE - 1; ++ else if (rsize > HID_MAX_BUFFER_SIZE) + rsize = HID_MAX_BUFFER_SIZE; + + if (csize < rsize) { diff --git a/queue-5.5/hid-core-increase-hid-report-buffer-size-to-8kib.patch b/queue-5.5/hid-core-increase-hid-report-buffer-size-to-8kib.patch new file mode 100644 index 00000000000..950cf9838c2 --- /dev/null +++ b/queue-5.5/hid-core-increase-hid-report-buffer-size-to-8kib.patch @@ -0,0 +1,37 @@ +From 84a4062632462c4320704fcdf8e99e89e94c0aba Mon Sep 17 00:00:00 2001 +From: Johan Korsnes +Date: Fri, 17 Jan 2020 13:08:36 +0100 +Subject: HID: core: increase HID report buffer size to 8KiB + +From: Johan Korsnes + +commit 84a4062632462c4320704fcdf8e99e89e94c0aba upstream. + +We have a HID touch device that reports its opens and shorts test +results in HID buffers of size 8184 bytes. The maximum size of the HID +buffer is currently set to 4096 bytes, causing probe of this device to +fail. With this patch we increase the maximum size of the HID buffer to +8192 bytes, making device probe and acquisition of said buffers succeed. + +Signed-off-by: Johan Korsnes +Cc: Alan Stern +Cc: Armando Visconti +Cc: Jiri Kosina +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/hid.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -492,7 +492,7 @@ struct hid_report_enum { + }; + + #define HID_MIN_BUFFER_SIZE 64 /* make sure there is at least a packet size of space */ +-#define HID_MAX_BUFFER_SIZE 4096 /* 4kb */ ++#define HID_MAX_BUFFER_SIZE 8192 /* 8kb */ + #define HID_CONTROL_FIFO_SIZE 256 /* to init devices with >100 reports */ + #define HID_OUTPUT_FIFO_SIZE 64 + diff --git a/queue-5.5/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch b/queue-5.5/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch new file mode 100644 index 00000000000..b3ec0f0d646 --- /dev/null +++ b/queue-5.5/hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch @@ -0,0 +1,64 @@ +From beae56192a2570578ae45050e73c5ff9254f63e6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 1 Feb 2020 12:56:48 +0100 +Subject: HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +commit beae56192a2570578ae45050e73c5ff9254f63e6 upstream. + +Commit 8f18eca9ebc5 ("HID: ite: Add USB id match for Acer SW5-012 keyboard +dock") added the USB id for the Acer SW5-012's keyboard dock to the +hid-ite driver to fix the rfkill driver not working. + +Most keyboard docks with an ITE 8595 keyboard/touchpad controller have the +"Wireless Radio Control" bits which need the special hid-ite driver on the +second USB interface (the mouse interface) and their touchpad only supports +mouse emulation, so using generic hid-input handling for anything but +the "Wireless Radio Control" bits is fine. On these devices we simply bind +to all USB interfaces. + +But unlike other ITE8595 using keyboard docks, the Acer Aspire Switch 10 +(SW5-012)'s touchpad not only does mouse emulation it also supports +HID-multitouch and all the keys including the "Wireless Radio Control" +bits have been moved to the first USB interface (the keyboard intf). + +So we need hid-ite to handle the first (keyboard) USB interface and have +it NOT bind to the second (mouse) USB interface so that that can be +handled by hid-multitouch.c and we get proper multi-touch support. + +This commit changes the hid_device_id for the SW5-012 keyboard dock to +only match on hid devices from the HID_GROUP_GENERIC group, this way +hid-ite will not bind the the mouse/multi-touch interface which has +HID_GROUP_MULTITOUCH_WIN_8 as group. +This fixes the regression to mouse-emulation mode introduced by adding +the keyboard dock USB id. + +Cc: stable@vger.kernel.org +Fixes: 8f18eca9ebc5 ("HID: ite: Add USB id match for Acer SW5-012 keyboard dock") +Reported-by: Zdeněk Rampas +Signed-off-by: Hans de Goede +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ite.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-ite.c ++++ b/drivers/hid/hid-ite.c +@@ -41,8 +41,9 @@ static const struct hid_device_id ite_de + { HID_USB_DEVICE(USB_VENDOR_ID_ITE, USB_DEVICE_ID_ITE8595) }, + { HID_USB_DEVICE(USB_VENDOR_ID_258A, USB_DEVICE_ID_258A_6A88) }, + /* ITE8595 USB kbd ctlr, with Synaptics touchpad connected to it. */ +- { HID_USB_DEVICE(USB_VENDOR_ID_SYNAPTICS, +- USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) }, ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_SYNAPTICS, ++ USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) }, + { } + }; + MODULE_DEVICE_TABLE(hid, ite_devices); diff --git a/queue-5.5/io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch b/queue-5.5/io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch new file mode 100644 index 00000000000..d2c571ffdab --- /dev/null +++ b/queue-5.5/io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch @@ -0,0 +1,51 @@ +From d876836204897b6d7d911f942084f69a1e9d5c4d Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 27 Feb 2020 14:17:49 -0700 +Subject: io_uring: fix 32-bit compatability with sendmsg/recvmsg + +From: Jens Axboe + +commit d876836204897b6d7d911f942084f69a1e9d5c4d upstream. + +We must set MSG_CMSG_COMPAT if we're in compatability mode, otherwise +the iovec import for these commands will not do the right thing and fail +the command with -EINVAL. + +Found by running the test suite compiled as 32-bit. + +Cc: stable@vger.kernel.org +Fixes: aa1fa28fc73e ("io_uring: add support for recvmsg()") +Fixes: 0fa03c624d8f ("io_uring: add support for sendmsg()") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2166,6 +2166,11 @@ static int io_sendmsg_prep(struct io_kio + sr->msg_flags = READ_ONCE(sqe->msg_flags); + sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr)); + ++#ifdef CONFIG_COMPAT ++ if (req->ctx->compat) ++ sr->msg_flags |= MSG_CMSG_COMPAT; ++#endif ++ + if (!io) + return 0; + +@@ -2258,6 +2263,11 @@ static int io_recvmsg_prep(struct io_kio + sr->msg_flags = READ_ONCE(sqe->msg_flags); + sr->msg = u64_to_user_ptr(READ_ONCE(sqe->addr)); + ++#ifdef CONFIG_COMPAT ++ if (req->ctx->compat) ++ sr->msg_flags |= MSG_CMSG_COMPAT; ++#endif ++ + if (!io) + return 0; + diff --git a/queue-5.5/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch b/queue-5.5/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch new file mode 100644 index 00000000000..7392463daa4 --- /dev/null +++ b/queue-5.5/kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch @@ -0,0 +1,61 @@ +From 86f7e90ce840aa1db407d3ea6e9b3a52b2ce923c Mon Sep 17 00:00:00 2001 +From: Oliver Upton +Date: Sat, 29 Feb 2020 11:30:14 -0800 +Subject: KVM: VMX: check descriptor table exits on instruction emulation + +From: Oliver Upton + +commit 86f7e90ce840aa1db407d3ea6e9b3a52b2ce923c upstream. + +KVM emulates UMIP on hardware that doesn't support it by setting the +'descriptor table exiting' VM-execution control and performing +instruction emulation. When running nested, this emulation is broken as +KVM refuses to emulate L2 instructions by default. + +Correct this regression by allowing the emulation of descriptor table +instructions if L1 hasn't requested 'descriptor table exiting'. + +Fixes: 07721feee46b ("KVM: nVMX: Don't emulate instructions in guest mode") +Reported-by: Jan Kiszka +Cc: stable@vger.kernel.org +Cc: Paolo Bonzini +Cc: Jim Mattson +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx/vmx.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -7179,6 +7179,7 @@ static int vmx_check_intercept_io(struct + else + intercept = nested_vmx_check_io_bitmaps(vcpu, port, size); + ++ /* FIXME: produce nested vmexit and return X86EMUL_INTERCEPTED. */ + return intercept ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE; + } + +@@ -7208,6 +7209,20 @@ static int vmx_check_intercept(struct kv + case x86_intercept_outs: + return vmx_check_intercept_io(vcpu, info); + ++ case x86_intercept_lgdt: ++ case x86_intercept_lidt: ++ case x86_intercept_lldt: ++ case x86_intercept_ltr: ++ case x86_intercept_sgdt: ++ case x86_intercept_sidt: ++ case x86_intercept_sldt: ++ case x86_intercept_str: ++ if (!nested_cpu_has2(vmcs12, SECONDARY_EXEC_DESC)) ++ return X86EMUL_CONTINUE; ++ ++ /* FIXME: produce nested vmexit and return X86EMUL_INTERCEPTED. */ ++ break; ++ + /* TODO: check more intercepts... */ + default: + break; diff --git a/queue-5.5/macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch b/queue-5.5/macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch new file mode 100644 index 00000000000..69076c50925 --- /dev/null +++ b/queue-5.5/macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch @@ -0,0 +1,136 @@ +From 38b17afb0ebb9ecd41418d3c08bcf9198af4349d Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Tue, 25 Feb 2020 15:12:29 +0100 +Subject: macintosh: therm_windtunnel: fix regression when instantiating devices + +From: Wolfram Sang + +commit 38b17afb0ebb9ecd41418d3c08bcf9198af4349d upstream. + +Removing attach_adapter from this driver caused a regression for at +least some machines. Those machines had the sensors described in their +DT, too, so they didn't need manual creation of the sensor devices. The +old code worked, though, because manual creation came first. Creation of +DT devices then failed later and caused error logs, but the sensors +worked nonetheless because of the manually created devices. + +When removing attach_adaper, manual creation now comes later and loses +the race. The sensor devices were already registered via DT, yet with +another binding, so the driver could not be bound to it. + +This fix refactors the code to remove the race and only manually creates +devices if there are no DT nodes present. Also, the DT binding is updated +to match both, the DT and manually created devices. Because we don't +know which device creation will be used at runtime, the code to start +the kthread is moved to do_probe() which will be called by both methods. + +Fixes: 3e7bed52719d ("macintosh: therm_windtunnel: drop using attach_adapter") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=201723 +Reported-by: Erhard Furtner +Tested-by: Erhard Furtner +Acked-by: Michael Ellerman (powerpc) +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org # v4.19+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/macintosh/therm_windtunnel.c | 52 ++++++++++++++++++++--------------- + 1 file changed, 31 insertions(+), 21 deletions(-) + +--- a/drivers/macintosh/therm_windtunnel.c ++++ b/drivers/macintosh/therm_windtunnel.c +@@ -300,9 +300,11 @@ static int control_loop(void *dummy) + /* i2c probing and setup */ + /************************************************************************/ + +-static int +-do_attach( struct i2c_adapter *adapter ) ++static void do_attach(struct i2c_adapter *adapter) + { ++ struct i2c_board_info info = { }; ++ struct device_node *np; ++ + /* scan 0x48-0x4f (DS1775) and 0x2c-2x2f (ADM1030) */ + static const unsigned short scan_ds1775[] = { + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, +@@ -313,25 +315,24 @@ do_attach( struct i2c_adapter *adapter ) + I2C_CLIENT_END + }; + +- if( strncmp(adapter->name, "uni-n", 5) ) +- return 0; +- +- if( !x.running ) { +- struct i2c_board_info info; ++ if (x.running || strncmp(adapter->name, "uni-n", 5)) ++ return; + +- memset(&info, 0, sizeof(struct i2c_board_info)); +- strlcpy(info.type, "therm_ds1775", I2C_NAME_SIZE); ++ np = of_find_compatible_node(adapter->dev.of_node, NULL, "MAC,ds1775"); ++ if (np) { ++ of_node_put(np); ++ } else { ++ strlcpy(info.type, "MAC,ds1775", I2C_NAME_SIZE); + i2c_new_probed_device(adapter, &info, scan_ds1775, NULL); ++ } + +- strlcpy(info.type, "therm_adm1030", I2C_NAME_SIZE); ++ np = of_find_compatible_node(adapter->dev.of_node, NULL, "MAC,adm1030"); ++ if (np) { ++ of_node_put(np); ++ } else { ++ strlcpy(info.type, "MAC,adm1030", I2C_NAME_SIZE); + i2c_new_probed_device(adapter, &info, scan_adm1030, NULL); +- +- if( x.thermostat && x.fan ) { +- x.running = 1; +- x.poll_task = kthread_run(control_loop, NULL, "g4fand"); +- } + } +- return 0; + } + + static int +@@ -404,8 +405,8 @@ out: + enum chip { ds1775, adm1030 }; + + static const struct i2c_device_id therm_windtunnel_id[] = { +- { "therm_ds1775", ds1775 }, +- { "therm_adm1030", adm1030 }, ++ { "MAC,ds1775", ds1775 }, ++ { "MAC,adm1030", adm1030 }, + { } + }; + MODULE_DEVICE_TABLE(i2c, therm_windtunnel_id); +@@ -414,6 +415,7 @@ static int + do_probe(struct i2c_client *cl, const struct i2c_device_id *id) + { + struct i2c_adapter *adapter = cl->adapter; ++ int ret = 0; + + if( !i2c_check_functionality(adapter, I2C_FUNC_SMBUS_WORD_DATA + | I2C_FUNC_SMBUS_WRITE_BYTE) ) +@@ -421,11 +423,19 @@ do_probe(struct i2c_client *cl, const st + + switch (id->driver_data) { + case adm1030: +- return attach_fan( cl ); ++ ret = attach_fan(cl); ++ break; + case ds1775: +- return attach_thermostat(cl); ++ ret = attach_thermostat(cl); ++ break; + } +- return 0; ++ ++ if (!x.running && x.thermostat && x.fan) { ++ x.running = 1; ++ x.poll_task = kthread_run(control_loop, NULL, "g4fand"); ++ } ++ ++ return ret; + } + + static struct i2c_driver g4fan_driver = { diff --git a/queue-5.5/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch b/queue-5.5/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch new file mode 100644 index 00000000000..dfaa1a8de34 --- /dev/null +++ b/queue-5.5/revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch @@ -0,0 +1,54 @@ +From 66d0e797bf095d407479c89952d42b1d96ef0a7f Mon Sep 17 00:00:00 2001 +From: Orson Zhai +Date: Fri, 21 Feb 2020 01:37:04 +0800 +Subject: Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" + +From: Orson Zhai + +commit 66d0e797bf095d407479c89952d42b1d96ef0a7f upstream. + +This reverts commit 4585fbcb5331fc910b7e553ad3efd0dd7b320d14. + +The name changing as devfreq(X) breaks some user space applications, +such as Android HAL from Unisoc and Hikey [1]. +The device name will be changed unexpectly after every boot depending +on module init sequence. It will make trouble to setup some system +configuration like selinux for Android. + +So we'd like to revert it back to old naming rule before any better +way being found. + +[1] https://lkml.org/lkml/2018/5/8/1042 + +Cc: John Stultz +Cc: Greg Kroah-Hartman +Cc: stable@vger.kernel.org +Signed-off-by: Orson Zhai +Acked-by: Greg Kroah-Hartman +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/devfreq/devfreq.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -738,7 +738,6 @@ struct devfreq *devfreq_add_device(struc + { + struct devfreq *devfreq; + struct devfreq_governor *governor; +- static atomic_t devfreq_no = ATOMIC_INIT(-1); + int err = 0; + + if (!dev || !profile || !governor_name) { +@@ -800,8 +799,7 @@ struct devfreq *devfreq_add_device(struc + devfreq->suspend_freq = dev_pm_opp_get_suspend_opp_freq(dev); + atomic_set(&devfreq->suspend_count, 0); + +- dev_set_name(&devfreq->dev, "devfreq%d", +- atomic_inc_return(&devfreq_no)); ++ dev_set_name(&devfreq->dev, "%s", dev_name(dev)); + err = device_register(&devfreq->dev); + if (err) { + mutex_unlock(&devfreq->lock); diff --git a/queue-5.5/scsi-sd_sbc-fix-sd_zbc_report_zones.patch b/queue-5.5/scsi-sd_sbc-fix-sd_zbc_report_zones.patch new file mode 100644 index 00000000000..19647792239 --- /dev/null +++ b/queue-5.5/scsi-sd_sbc-fix-sd_zbc_report_zones.patch @@ -0,0 +1,76 @@ +From 51fdaa0490241e8cd41b40cbf43a336d1a014460 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Wed, 19 Feb 2020 15:38:00 +0900 +Subject: scsi: sd_sbc: Fix sd_zbc_report_zones() + +From: Damien Le Moal + +commit 51fdaa0490241e8cd41b40cbf43a336d1a014460 upstream. + +The block layer generic blk_revalidate_disk_zones() checks the validity of +zone descriptors reported by a disk using the blk_revalidate_zone_cb() +callback function executed for each zone descriptor. If a ZBC disk reports +invalid zone descriptors, blk_revalidate_disk_zones() returns an error and +sd_zbc_read_zones() changes the disk capacity to 0, which in turn results +in the gendisk structure capacity to be set to 0. This all works well for +the first revalidate pass on a disk and the block layer detects the +capactiy change. + +On the second revalidate pass, blk_revalidate_disk_zones() is called again +and sd_zbc_report_zones() executed to check the zones a second time. +However, for this second pass, the gendisk capacity is now 0, which results +in sd_zbc_report_zones() to do nothing and to report success and no +zones. blk_revalidate_disk_zones() in turn returns success and sets the +disk queue chunk_sectors limit with zero as no zones were checked, causing +a oops to trigger on the BUG_ON(!is_power_of_2(chunk_sectors)) in +blk_queue_chunk_sectors(). + +Fix this by using the sdkp capacity field rather than the gendisk capacity +for the report zones loop in sd_zbc_report_zones(). Also add a check to +return immediately an error if the sdkp capacity is 0. With this fix, +invalid/buggy ZBC disk scan does not trigger a oops and are exposed with a +0 capacity. This change also preserve the chance for the disk to be +correctly revalidated on the second revalidate pass as the scsi disk +structure capacity field is always set to the disk reported value when +sd_zbc_report_zones() is called. + +Link: https://lore.kernel.org/r/20200219063800.880834-1-damien.lemoal@wdc.com +Fixes: d41003513e61 ("block: rework zone reporting") +Cc: Cc: # v5.5 +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Signed-off-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd_zbc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sd_zbc.c ++++ b/drivers/scsi/sd_zbc.c +@@ -161,6 +161,7 @@ int sd_zbc_report_zones(struct gendisk * + unsigned int nr_zones, report_zones_cb cb, void *data) + { + struct scsi_disk *sdkp = scsi_disk(disk); ++ sector_t capacity = logical_to_sectors(sdkp->device, sdkp->capacity); + unsigned int nr, i; + unsigned char *buf; + size_t offset, buflen = 0; +@@ -171,11 +172,15 @@ int sd_zbc_report_zones(struct gendisk * + /* Not a zoned device */ + return -EOPNOTSUPP; + ++ if (!capacity) ++ /* Device gone or invalid */ ++ return -ENODEV; ++ + buf = sd_zbc_alloc_report_buffer(sdkp, nr_zones, &buflen); + if (!buf) + return -ENOMEM; + +- while (zone_idx < nr_zones && sector < get_capacity(disk)) { ++ while (zone_idx < nr_zones && sector < capacity) { + ret = sd_zbc_do_report_zones(sdkp, buf, buflen, + sectors_to_logical(sdkp->device, sector), true); + if (ret) diff --git a/queue-5.5/scsi-zfcp-fix-wrong-data-and-display-format-of-sfp-temperature.patch b/queue-5.5/scsi-zfcp-fix-wrong-data-and-display-format-of-sfp-temperature.patch new file mode 100644 index 00000000000..b9a81218822 --- /dev/null +++ b/queue-5.5/scsi-zfcp-fix-wrong-data-and-display-format-of-sfp-temperature.patch @@ -0,0 +1,63 @@ +From a3fd4bfe85fbb67cf4ec1232d0af625ece3c508b Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Wed, 19 Feb 2020 16:09:25 +0100 +Subject: scsi: zfcp: fix wrong data and display format of SFP+ temperature +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Block + +commit a3fd4bfe85fbb67cf4ec1232d0af625ece3c508b upstream. + +When implementing support for retrieval of local diagnostic data from the +FCP channel, the wrong data format was assumed for the temperature of the +local SFP+ connector. The Fibre Channel Link Services (FC-LS-3) +specification is not clear on the format of the stored integer, and only +after consulting the SNIA specification SFF-8472 did we realize it is +stored as two's complement. Thus, the used data and display format is +wrong, and highly misleading for users when the temperature should drop +below 0°C (however unlikely that may be). + +To fix this, change the data format in `struct fsf_qtcb_bottom_port` from +unsigned to signed, and change the printf format string used to generate +`zfcp_sysfs_adapter_diag_sfp_temperature_show()` from `%hu` to `%hd`. + +Link: https://lore.kernel.org/r/d6e3be5428da5c9490cfff4df7cae868bc9f1a7e.1582039501.git.bblock@linux.ibm.com +Fixes: a10a61e807b0 ("scsi: zfcp: support retrieval of SFP Data via Exchange Port Data") +Fixes: 6028f7c4cd87 ("scsi: zfcp: introduce sysfs interface for diagnostics of local SFP transceiver") +Cc: # 5.5+ +Reviewed-by: Jens Remus +Reviewed-by: Fedor Loshakov +Reviewed-by: Steffen Maier +Signed-off-by: Benjamin Block +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/scsi/zfcp_fsf.h | 2 +- + drivers/s390/scsi/zfcp_sysfs.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/s390/scsi/zfcp_fsf.h ++++ b/drivers/s390/scsi/zfcp_fsf.h +@@ -410,7 +410,7 @@ struct fsf_qtcb_bottom_port { + u8 cb_util; + u8 a_util; + u8 res2; +- u16 temperature; ++ s16 temperature; + u16 vcc; + u16 tx_bias; + u16 tx_power; +--- a/drivers/s390/scsi/zfcp_sysfs.c ++++ b/drivers/s390/scsi/zfcp_sysfs.c +@@ -800,7 +800,7 @@ static ZFCP_DEV_ATTR(adapter_diag, b2b_c + static ZFCP_DEV_ATTR(adapter_diag_sfp, _name, 0400, \ + zfcp_sysfs_adapter_diag_sfp_##_name##_show, NULL) + +-ZFCP_DEFINE_DIAG_SFP_ATTR(temperature, temperature, 5, "%hu"); ++ZFCP_DEFINE_DIAG_SFP_ATTR(temperature, temperature, 6, "%hd"); + ZFCP_DEFINE_DIAG_SFP_ATTR(vcc, vcc, 5, "%hu"); + ZFCP_DEFINE_DIAG_SFP_ATTR(tx_bias, tx_bias, 5, "%hu"); + ZFCP_DEFINE_DIAG_SFP_ATTR(tx_power, tx_power, 5, "%hu"); diff --git a/queue-5.5/series b/queue-5.5/series index 18beade6baf..cc286c29d29 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -78,3 +78,24 @@ net-hns3-fix-a-copying-ipv6-address-error-in-hclge_f.patch nvme-tcp-fix-bug-on-double-requeue-when-send-fails.patch nvme-prevent-warning-triggered-by-nvme_stop_keep_ali.patch nvme-pci-move-cqe-check-after-device-shutdown.patch +scsi-sd_sbc-fix-sd_zbc_report_zones.patch +scsi-zfcp-fix-wrong-data-and-display-format-of-sfp-temperature.patch +docs-fix-empty-parallelism-argument.patch +ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch +audit-fix-error-handling-in-audit_data_to_entry.patch +audit-always-check-the-netlink-payload-length-in-audit_receive_msg.patch +acpica-introduce-acpi_access_byte_width-macro.patch +acpi-watchdog-fix-gas-access_width-usage.patch +kvm-vmx-check-descriptor-table-exits-on-instruction-emulation.patch +hid-ite-only-bind-to-keyboard-usb-interface-on-acer-sw5-012-keyboard-dock.patch +hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch +hid-core-increase-hid-report-buffer-size-to-8kib.patch +drm-amdgpu-drop-driver_use_agp.patch +drm-radeon-inline-drm_get_pci_dev.patch +macintosh-therm_windtunnel-fix-regression-when-instantiating-devices.patch +blktrace-protect-q-blk_trace-with-rcu.patch +tracing-disable-trace_printk-on-post-poned-tests.patch +revert-pm-devfreq-modify-the-device-name-as-devfreq-x-for-sysfs.patch +amdgpu-gmc_v9-save-restore-sdpif-regs-during-s3.patch +cpufreq-fix-policy-initialization-for-internal-governor-drivers.patch +io_uring-fix-32-bit-compatability-with-sendmsg-recvmsg.patch diff --git a/queue-5.5/tracing-disable-trace_printk-on-post-poned-tests.patch b/queue-5.5/tracing-disable-trace_printk-on-post-poned-tests.patch new file mode 100644 index 00000000000..0e858463b03 --- /dev/null +++ b/queue-5.5/tracing-disable-trace_printk-on-post-poned-tests.patch @@ -0,0 +1,51 @@ +From 78041c0c9e935d9ce4086feeff6c569ed88ddfd4 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 20 Feb 2020 15:38:01 -0500 +Subject: tracing: Disable trace_printk() on post poned tests + +From: Steven Rostedt (VMware) + +commit 78041c0c9e935d9ce4086feeff6c569ed88ddfd4 upstream. + +The tracing seftests checks various aspects of the tracing infrastructure, +and one is filtering. If trace_printk() is active during a self test, it can +cause the filtering to fail, which will disable that part of the trace. + +To keep the selftests from failing because of trace_printk() calls, +trace_printk() checks the variable tracing_selftest_running, and if set, it +does not write to the tracing buffer. + +As some tracers were registered earlier in boot, the selftest they triggered +would fail because not all the infrastructure was set up for the full +selftest. Thus, some of the tests were post poned to when their +infrastructure was ready (namely file system code). The postpone code did +not set the tracing_seftest_running variable, and could fail if a +trace_printk() was added and executed during their run. + +Cc: stable@vger.kernel.org +Fixes: 9afecfbb95198 ("tracing: Postpone tracer start-up tests till the system is more robust") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1827,6 +1827,7 @@ static __init int init_trace_selftests(v + + pr_info("Running postponed tracer tests:\n"); + ++ tracing_selftest_running = true; + list_for_each_entry_safe(p, n, &postponed_selftests, list) { + /* This loop can take minutes when sanitizers are enabled, so + * lets make sure we allow RCU processing. +@@ -1849,6 +1850,7 @@ static __init int init_trace_selftests(v + list_del(&p->list); + kfree(p); + } ++ tracing_selftest_running = false; + + out: + mutex_unlock(&trace_types_lock);