From: Greg Kroah-Hartman Date: Mon, 6 Jan 2020 12:21:47 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.14.163~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d6060bf9dc5b163bd87e2608f491d2ca705504ad;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch drm-sun4i-hdmi-remove-duplicate-cleanup-calls.patch media-cec-avoid-decrementing-transmit_queue_sz-if-it-is-0.patch media-cec-cec-2.0-only-bcast-messages-were-ignored.patch media-pulse8-cec-fix-lost-cec_transmit_attempt_done-call.patch mips-avoid-vdso-abi-breakage-due-to-global-register-variable.patch --- diff --git a/queue-4.14/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch b/queue-4.14/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch new file mode 100644 index 00000000000..8d2b2caafa0 --- /dev/null +++ b/queue-4.14/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch @@ -0,0 +1,64 @@ +From 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 18 Dec 2019 20:26:06 +0100 +Subject: ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code + +From: Takashi Iwai + +commit 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd upstream. + +Jia-Ju Bai reported a possible sleep-in-atomic scenario in the ice1724 +driver with Infrasonic Quartet support code: namely, ice->set_rate +callback gets called inside ice->reg_lock spinlock, while the callback +in quartet.c holds ice->gpio_mutex. + +This patch fixes the invalid call: it simply moves the calls of +ice->set_rate and ice->set_mclk callbacks outside the spinlock. + +Reported-by: Jia-Ju Bai +Cc: +Link: https://lore.kernel.org/r/5d43135e-73b9-a46a-2155-9e91d0dcdf83@gmail.com +Link: https://lore.kernel.org/r/20191218192606.12866-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/ice1712/ice1724.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/pci/ice1712/ice1724.c ++++ b/sound/pci/ice1712/ice1724.c +@@ -661,6 +661,7 @@ static int snd_vt1724_set_pro_rate(struc + unsigned long flags; + unsigned char mclk_change; + unsigned int i, old_rate; ++ bool call_set_rate = false; + + if (rate > ice->hw_rates->list[ice->hw_rates->count - 1]) + return -EINVAL; +@@ -684,7 +685,7 @@ static int snd_vt1724_set_pro_rate(struc + * setting clock rate for internal clock mode */ + old_rate = ice->get_rate(ice); + if (force || (old_rate != rate)) +- ice->set_rate(ice, rate); ++ call_set_rate = true; + else if (rate == ice->cur_rate) { + spin_unlock_irqrestore(&ice->reg_lock, flags); + return 0; +@@ -692,12 +693,14 @@ static int snd_vt1724_set_pro_rate(struc + } + + ice->cur_rate = rate; ++ spin_unlock_irqrestore(&ice->reg_lock, flags); ++ ++ if (call_set_rate) ++ ice->set_rate(ice, rate); + + /* setting master clock */ + mclk_change = ice->set_mclk(ice, rate); + +- spin_unlock_irqrestore(&ice->reg_lock, flags); +- + if (mclk_change && ice->gpio.i2s_mclk_changed) + ice->gpio.i2s_mclk_changed(ice); + if (ice->gpio.set_pro_rate) diff --git a/queue-4.14/drm-sun4i-hdmi-remove-duplicate-cleanup-calls.patch b/queue-4.14/drm-sun4i-hdmi-remove-duplicate-cleanup-calls.patch new file mode 100644 index 00000000000..239f2f20e50 --- /dev/null +++ b/queue-4.14/drm-sun4i-hdmi-remove-duplicate-cleanup-calls.patch @@ -0,0 +1,38 @@ +From 57177d214ee0816c4436c23d6c933ccb32c571f1 Mon Sep 17 00:00:00 2001 +From: Stefan Mavrodiev +Date: Tue, 17 Dec 2019 14:46:32 +0200 +Subject: drm/sun4i: hdmi: Remove duplicate cleanup calls + +From: Stefan Mavrodiev + +commit 57177d214ee0816c4436c23d6c933ccb32c571f1 upstream. + +When the HDMI unbinds drm_connector_cleanup() and drm_encoder_cleanup() +are called. This also happens when the connector and the encoder are +destroyed. This double call triggers a NULL pointer exception. + +The patch fixes this by removing the cleanup calls in the unbind +function. + +Cc: +Fixes: 9c5681011a0c ("drm/sun4i: Add HDMI support") +Signed-off-by: Stefan Mavrodiev +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20191217124632.20820-1-stefan@olimex.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c ++++ b/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c +@@ -438,8 +438,6 @@ static void sun4i_hdmi_unbind(struct dev + struct sun4i_hdmi *hdmi = dev_get_drvdata(dev); + + cec_unregister_adapter(hdmi->cec_adap); +- drm_connector_cleanup(&hdmi->connector); +- drm_encoder_cleanup(&hdmi->encoder); + i2c_del_adapter(hdmi->i2c); + clk_disable_unprepare(hdmi->mod_clk); + clk_disable_unprepare(hdmi->bus_clk); diff --git a/queue-4.14/media-cec-avoid-decrementing-transmit_queue_sz-if-it-is-0.patch b/queue-4.14/media-cec-avoid-decrementing-transmit_queue_sz-if-it-is-0.patch new file mode 100644 index 00000000000..89a48315b87 --- /dev/null +++ b/queue-4.14/media-cec-avoid-decrementing-transmit_queue_sz-if-it-is-0.patch @@ -0,0 +1,63 @@ +From 95c29d46ab2a517e4c26d0a07300edca6768db17 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Sat, 7 Dec 2019 23:48:09 +0100 +Subject: media: cec: avoid decrementing transmit_queue_sz if it is 0 + +From: Hans Verkuil + +commit 95c29d46ab2a517e4c26d0a07300edca6768db17 upstream. + +WARN if transmit_queue_sz is 0 but do not decrement it. +The CEC adapter will become unresponsive if it goes below +0 since then it thinks there are 4 billion messages in the +queue. + +Obviously this should not happen, but a driver bug could +cause this. + +Signed-off-by: Hans Verkuil +Cc: # for v4.12 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/cec/cec-adap.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -330,7 +330,8 @@ static void cec_data_cancel(struct cec_d + } else { + list_del_init(&data->list); + if (!(data->msg.tx_status & CEC_TX_STATUS_OK)) +- data->adap->transmit_queue_sz--; ++ if (!WARN_ON(!data->adap->transmit_queue_sz)) ++ data->adap->transmit_queue_sz--; + } + + /* Mark it as an error */ +@@ -377,6 +378,14 @@ static void cec_flush(struct cec_adapter + * need to do anything special in that case. + */ + } ++ /* ++ * If something went wrong and this counter isn't what it should ++ * be, then this will reset it back to 0. Warn if it is not 0, ++ * since it indicates a bug, either in this framework or in a ++ * CEC driver. ++ */ ++ if (WARN_ON(adap->transmit_queue_sz)) ++ adap->transmit_queue_sz = 0; + } + + /* +@@ -465,7 +474,8 @@ int cec_thread_func(void *_adap) + data = list_first_entry(&adap->transmit_queue, + struct cec_data, list); + list_del_init(&data->list); +- adap->transmit_queue_sz--; ++ if (!WARN_ON(!data->adap->transmit_queue_sz)) ++ adap->transmit_queue_sz--; + + /* Make this the current transmitting message */ + adap->transmitting = data; diff --git a/queue-4.14/media-cec-cec-2.0-only-bcast-messages-were-ignored.patch b/queue-4.14/media-cec-cec-2.0-only-bcast-messages-were-ignored.patch new file mode 100644 index 00000000000..f235e246094 --- /dev/null +++ b/queue-4.14/media-cec-cec-2.0-only-bcast-messages-were-ignored.patch @@ -0,0 +1,41 @@ +From cec935ce69fc386f13959578deb40963ebbb85c3 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 4 Dec 2019 08:52:08 +0100 +Subject: media: cec: CEC 2.0-only bcast messages were ignored + +From: Hans Verkuil + +commit cec935ce69fc386f13959578deb40963ebbb85c3 upstream. + +Some messages are allowed to be a broadcast message in CEC 2.0 +only, and should be ignored by CEC 1.4 devices. + +Unfortunately, the check was wrong, causing such messages to be +marked as invalid under CEC 2.0. + +Signed-off-by: Hans Verkuil +Cc: # for v4.10 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/cec/cec-adap.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -1031,11 +1031,11 @@ void cec_received_msg_ts(struct cec_adap + valid_la = false; + else if (!cec_msg_is_broadcast(msg) && !(dir_fl & DIRECTED)) + valid_la = false; +- else if (cec_msg_is_broadcast(msg) && !(dir_fl & BCAST1_4)) ++ else if (cec_msg_is_broadcast(msg) && !(dir_fl & BCAST)) + valid_la = false; + else if (cec_msg_is_broadcast(msg) && +- adap->log_addrs.cec_version >= CEC_OP_CEC_VERSION_2_0 && +- !(dir_fl & BCAST2_0)) ++ adap->log_addrs.cec_version < CEC_OP_CEC_VERSION_2_0 && ++ !(dir_fl & BCAST1_4)) + valid_la = false; + } + if (valid_la && min_len) { diff --git a/queue-4.14/media-pulse8-cec-fix-lost-cec_transmit_attempt_done-call.patch b/queue-4.14/media-pulse8-cec-fix-lost-cec_transmit_attempt_done-call.patch new file mode 100644 index 00000000000..0c71da43f0f --- /dev/null +++ b/queue-4.14/media-pulse8-cec-fix-lost-cec_transmit_attempt_done-call.patch @@ -0,0 +1,81 @@ +From e5a52a1d15c79bb48a430fb263852263ec1d3f11 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Sat, 7 Dec 2019 23:43:23 +0100 +Subject: media: pulse8-cec: fix lost cec_transmit_attempt_done() call + +From: Hans Verkuil + +commit e5a52a1d15c79bb48a430fb263852263ec1d3f11 upstream. + +The periodic PING command could interfere with the result of +a CEC transmit, causing a lost cec_transmit_attempt_done() +call. + +Signed-off-by: Hans Verkuil +Cc: # for v4.10 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/pulse8-cec/pulse8-cec.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/media/usb/pulse8-cec/pulse8-cec.c ++++ b/drivers/media/usb/pulse8-cec/pulse8-cec.c +@@ -121,6 +121,7 @@ struct pulse8 { + unsigned int vers; + struct completion cmd_done; + struct work_struct work; ++ u8 work_result; + struct delayed_work ping_eeprom_work; + struct cec_msg rx_msg; + u8 data[DATA_SIZE]; +@@ -142,8 +143,10 @@ static void pulse8_irq_work_handler(stru + { + struct pulse8 *pulse8 = + container_of(work, struct pulse8, work); ++ u8 result = pulse8->work_result; + +- switch (pulse8->data[0] & 0x3f) { ++ pulse8->work_result = 0; ++ switch (result & 0x3f) { + case MSGCODE_FRAME_DATA: + cec_received_msg(pulse8->adap, &pulse8->rx_msg); + break; +@@ -177,12 +180,12 @@ static irqreturn_t pulse8_interrupt(stru + pulse8->escape = false; + } else if (data == MSGEND) { + struct cec_msg *msg = &pulse8->rx_msg; ++ u8 msgcode = pulse8->buf[0]; + + if (debug) + dev_info(pulse8->dev, "received: %*ph\n", + pulse8->idx, pulse8->buf); +- pulse8->data[0] = pulse8->buf[0]; +- switch (pulse8->buf[0] & 0x3f) { ++ switch (msgcode & 0x3f) { + case MSGCODE_FRAME_START: + msg->len = 1; + msg->msg[0] = pulse8->buf[1]; +@@ -191,14 +194,20 @@ static irqreturn_t pulse8_interrupt(stru + if (msg->len == CEC_MAX_MSG_SIZE) + break; + msg->msg[msg->len++] = pulse8->buf[1]; +- if (pulse8->buf[0] & MSGCODE_FRAME_EOM) ++ if (msgcode & MSGCODE_FRAME_EOM) { ++ WARN_ON(pulse8->work_result); ++ pulse8->work_result = msgcode; + schedule_work(&pulse8->work); ++ break; ++ } + break; + case MSGCODE_TRANSMIT_SUCCEEDED: + case MSGCODE_TRANSMIT_FAILED_LINE: + case MSGCODE_TRANSMIT_FAILED_ACK: + case MSGCODE_TRANSMIT_FAILED_TIMEOUT_DATA: + case MSGCODE_TRANSMIT_FAILED_TIMEOUT_LINE: ++ WARN_ON(pulse8->work_result); ++ pulse8->work_result = msgcode; + schedule_work(&pulse8->work); + break; + case MSGCODE_HIGH_ERROR: diff --git a/queue-4.14/mips-avoid-vdso-abi-breakage-due-to-global-register-variable.patch b/queue-4.14/mips-avoid-vdso-abi-breakage-due-to-global-register-variable.patch new file mode 100644 index 00000000000..ae97cbd61be --- /dev/null +++ b/queue-4.14/mips-avoid-vdso-abi-breakage-due-to-global-register-variable.patch @@ -0,0 +1,97 @@ +From bbcc5672b0063b0e9d65dc8787a4f09c3b5bb5cc Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Wed, 1 Jan 2020 20:50:38 -0800 +Subject: MIPS: Avoid VDSO ABI breakage due to global register variable + +From: Paul Burton + +commit bbcc5672b0063b0e9d65dc8787a4f09c3b5bb5cc upstream. + +Declaring __current_thread_info as a global register variable has the +effect of preventing GCC from saving & restoring its value in cases +where the ABI would typically do so. + +To quote GCC documentation: + +> If the register is a call-saved register, call ABI is affected: the +> register will not be restored in function epilogue sequences after the +> variable has been assigned. Therefore, functions cannot safely return +> to callers that assume standard ABI. + +When our position independent VDSO is built for the n32 or n64 ABIs all +functions it exposes should be preserving the value of $gp/$28 for their +caller, but in the presence of the __current_thread_info global register +variable GCC stops doing so & simply clobbers $gp/$28 when calculating +the address of the GOT. + +In cases where the VDSO returns success this problem will typically be +masked by the caller in libc returning & restoring $gp/$28 itself, but +that is by no means guaranteed. In cases where the VDSO returns an error +libc will typically contain a fallback path which will now fail +(typically with a bad memory access) if it attempts anything which +relies upon the value of $gp/$28 - eg. accessing anything via the GOT. + +One fix for this would be to move the declaration of +__current_thread_info inside the current_thread_info() function, +demoting it from global register variable to local register variable & +avoiding inadvertently creating a non-standard calling ABI for the VDSO. +Unfortunately this causes issues for clang, which doesn't support local +register variables as pointed out by commit fe92da0f355e ("MIPS: Changed +current_thread_info() to an equivalent supported by both clang and GCC") +which introduced the global register variable before we had a VDSO to +worry about. + +Instead, fix this by continuing to use the global register variable for +the kernel proper but declare __current_thread_info as a simple extern +variable when building the VDSO. It should never be referenced, and will +cause a link error if it is. This resolves the calling convention issue +for the VDSO without having any impact upon the build of the kernel +itself for either clang or gcc. + +Signed-off-by: Paul Burton +Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") +Reported-by: Jason A. Donenfeld +Reviewed-by: Jason A. Donenfeld +Tested-by: Jason A. Donenfeld +Cc: Arnd Bergmann +Cc: Christian Brauner +Cc: Vincenzo Frascino +Cc: # v4.4+ +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/thread_info.h | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/arch/mips/include/asm/thread_info.h ++++ b/arch/mips/include/asm/thread_info.h +@@ -52,8 +52,26 @@ struct thread_info { + #define init_thread_info (init_thread_union.thread_info) + #define init_stack (init_thread_union.stack) + +-/* How to get the thread information struct from C. */ ++/* ++ * A pointer to the struct thread_info for the currently executing thread is ++ * held in register $28/$gp. ++ * ++ * We declare __current_thread_info as a global register variable rather than a ++ * local register variable within current_thread_info() because clang doesn't ++ * support explicit local register variables. ++ * ++ * When building the VDSO we take care not to declare the global register ++ * variable because this causes GCC to not preserve the value of $28/$gp in ++ * functions that change its value (which is common in the PIC VDSO when ++ * accessing the GOT). Since the VDSO shouldn't be accessing ++ * __current_thread_info anyway we declare it extern in order to cause a link ++ * failure if it's referenced. ++ */ ++#ifdef __VDSO__ ++extern struct thread_info *__current_thread_info; ++#else + register struct thread_info *__current_thread_info __asm__("$28"); ++#endif + + static inline struct thread_info *current_thread_info(void) + { diff --git a/queue-4.14/series b/queue-4.14/series index b7d430753e8..e4fabc3b075 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -20,3 +20,9 @@ pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch taskstats-fix-data-race.patch drm-limit-to-int_max-in-create_blob-ioctl.patch +alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch +drm-sun4i-hdmi-remove-duplicate-cleanup-calls.patch +mips-avoid-vdso-abi-breakage-due-to-global-register-variable.patch +media-pulse8-cec-fix-lost-cec_transmit_attempt_done-call.patch +media-cec-cec-2.0-only-bcast-messages-were-ignored.patch +media-cec-avoid-decrementing-transmit_queue_sz-if-it-is-0.patch