From: Greg Kroah-Hartman Date: Tue, 8 Sep 2020 12:52:42 +0000 (+0200) Subject: 5.8-stable patches X-Git-Tag: v4.14.197~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d94a9f7697a22ed5755567d3598e18673c805d88;p=thirdparty%2Fkernel%2Fstable-queue.git 5.8-stable patches added patches: affs-fix-basic-permission-bits-to-actually-work.patch alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch alsa-firewire-tascam-exclude-tascam-fe-8-from-detection.patch alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-ion-nt950xcj-x716a.patch alsa-hda-realtek-improved-routing-for-thinkpad-x1-7th-8th-gen.patch alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch alsa-usb-audio-add-basic-capture-support-for-pioneer-dj-djm-250mk2.patch alsa-usb-audio-add-implicit-feedback-quirk-for-ur22c.patch arm64-dts-mt7622-add-reset-node-for-mmc-device.patch blk-iocost-ioc_pd_free-shouldn-t-assume-irq-disabled.patch blk-stat-make-q-stats-lock-irqsafe.patch block-allow-for_each_bvec-to-support-zero-len-bvec.patch block-ensure-bdi-io_pages-is-always-initialized.patch dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch dm-crypt-initialize-crypto-wait-structures.patch dm-integrity-fix-error-reporting-in-bitmap-mode-after-creation.patch dm-mpath-fix-racey-management-of-pg-initialization.patch dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch dm-thin-metadata-fix-use-after-free-in-dm_bm_set_read_only.patch dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch dmaengine-dw-edma-fix-scatter-gather-address-calculation.patch drm-amd-pm-avoid-false-alarm-due-to-confusing-softwareshutdowntemp-setting.patch drm-amdgpu-specify-get_argument-function-for-ci_smu_funcs.patch drm-i915-fix-sha_text-population-code.patch io_uring-fix-removing-the-wrong-file-in-__io_sqe_files_update.patch io_uring-set-table-files-to-null-when-io_sqe_file_register-failed.patch libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch mips-oprofile-fix-fallthrough-placement.patch mm-madvise-fix-vma-user-after-free.patch mm-rmap-fixup-copying-of-soft-dirty-and-uffd-ptes.patch mm-slub-fix-conversion-of-freelist_corrupted.patch mm-track-page-table-modifications-in-__apply_to_page_range.patch mmc-dt-bindings-add-resets-reset-names-for-mediatek-mmc-bindings.patch mmc-mediatek-add-optional-module-reset-property.patch mmc-sdhci-pci-fix-sdhci_reset_all-for-cqhci-for-intel-glk-based-controllers.patch s390-fix-generic_lockbreak-dependency-typo-in-kconfig.patch --- diff --git a/queue-5.8/affs-fix-basic-permission-bits-to-actually-work.patch b/queue-5.8/affs-fix-basic-permission-bits-to-actually-work.patch new file mode 100644 index 00000000000..9e07cce750f --- /dev/null +++ b/queue-5.8/affs-fix-basic-permission-bits-to-actually-work.patch @@ -0,0 +1,171 @@ +From d3a84a8d0dde4e26bc084b36ffcbdc5932ac85e2 Mon Sep 17 00:00:00 2001 +From: Max Staudt +Date: Thu, 27 Aug 2020 17:49:00 +0200 +Subject: affs: fix basic permission bits to actually work + +From: Max Staudt + +commit d3a84a8d0dde4e26bc084b36ffcbdc5932ac85e2 upstream. + +The basic permission bits (protection bits in AmigaOS) have been broken +in Linux' AFFS - it would only set bits, but never delete them. +Also, contrary to the documentation, the Archived bit was not handled. + +Let's fix this for good, and set the bits such that Linux and classic +AmigaOS can coexist in the most peaceful manner. + +Also, update the documentation to represent the current state of things. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Max Staudt +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/filesystems/affs.rst | 16 ++++++++++------ + fs/affs/amigaffs.c | 27 +++++++++++++++++++++++++++ + fs/affs/file.c | 26 +++++++++++++++++++++++++- + 3 files changed, 62 insertions(+), 7 deletions(-) + +--- a/Documentation/filesystems/affs.rst ++++ b/Documentation/filesystems/affs.rst +@@ -110,13 +110,15 @@ The Amiga protection flags RWEDRWEDHSPAR + + - R maps to r for user, group and others. On directories, R implies x. + +- - If both W and D are allowed, w will be set. ++ - W maps to w. + + - E maps to x. + +- - H and P are always retained and ignored under Linux. ++ - D is ignored. + +- - A is always reset when a file is written to. ++ - H, S and P are always retained and ignored under Linux. ++ ++ - A is cleared when a file is written to. + + User id and group id will be used unless set[gu]id are given as mount + options. Since most of the Amiga file systems are single user systems +@@ -128,11 +130,13 @@ Linux -> Amiga: + + The Linux rwxrwxrwx file mode is handled as follows: + +- - r permission will set R for user, group and others. ++ - r permission will allow R for user, group and others. ++ ++ - w permission will allow W for user, group and others. + +- - w permission will set W and D for user, group and others. ++ - x permission of the user will allow E for plain files. + +- - x permission of the user will set E for plain files. ++ - D will be allowed for user, group and others. + + - All other flags (suid, sgid, ...) are ignored and will + not be retained. +--- a/fs/affs/amigaffs.c ++++ b/fs/affs/amigaffs.c +@@ -420,24 +420,51 @@ affs_mode_to_prot(struct inode *inode) + u32 prot = AFFS_I(inode)->i_protect; + umode_t mode = inode->i_mode; + ++ /* ++ * First, clear all RWED bits for owner, group, other. ++ * Then, recalculate them afresh. ++ * ++ * We'll always clear the delete-inhibit bit for the owner, as that is ++ * the classic single-user mode AmigaOS protection bit and we need to ++ * stay compatible with all scenarios. ++ * ++ * Since multi-user AmigaOS is an extension, we'll only set the ++ * delete-allow bit if any of the other bits in the same user class ++ * (group/other) are used. ++ */ ++ prot &= ~(FIBF_NOEXECUTE | FIBF_NOREAD ++ | FIBF_NOWRITE | FIBF_NODELETE ++ | FIBF_GRP_EXECUTE | FIBF_GRP_READ ++ | FIBF_GRP_WRITE | FIBF_GRP_DELETE ++ | FIBF_OTR_EXECUTE | FIBF_OTR_READ ++ | FIBF_OTR_WRITE | FIBF_OTR_DELETE); ++ ++ /* Classic single-user AmigaOS flags. These are inverted. */ + if (!(mode & 0100)) + prot |= FIBF_NOEXECUTE; + if (!(mode & 0400)) + prot |= FIBF_NOREAD; + if (!(mode & 0200)) + prot |= FIBF_NOWRITE; ++ ++ /* Multi-user extended flags. Not inverted. */ + if (mode & 0010) + prot |= FIBF_GRP_EXECUTE; + if (mode & 0040) + prot |= FIBF_GRP_READ; + if (mode & 0020) + prot |= FIBF_GRP_WRITE; ++ if (mode & 0070) ++ prot |= FIBF_GRP_DELETE; ++ + if (mode & 0001) + prot |= FIBF_OTR_EXECUTE; + if (mode & 0004) + prot |= FIBF_OTR_READ; + if (mode & 0002) + prot |= FIBF_OTR_WRITE; ++ if (mode & 0007) ++ prot |= FIBF_OTR_DELETE; + + AFFS_I(inode)->i_protect = prot; + } +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -428,6 +428,24 @@ static int affs_write_begin(struct file + return ret; + } + ++static int affs_write_end(struct file *file, struct address_space *mapping, ++ loff_t pos, unsigned int len, unsigned int copied, ++ struct page *page, void *fsdata) ++{ ++ struct inode *inode = mapping->host; ++ int ret; ++ ++ ret = generic_write_end(file, mapping, pos, len, copied, page, fsdata); ++ ++ /* Clear Archived bit on file writes, as AmigaOS would do */ ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) { ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED; ++ mark_inode_dirty(inode); ++ } ++ ++ return ret; ++} ++ + static sector_t _affs_bmap(struct address_space *mapping, sector_t block) + { + return generic_block_bmap(mapping,block,affs_get_block); +@@ -437,7 +455,7 @@ const struct address_space_operations af + .readpage = affs_readpage, + .writepage = affs_writepage, + .write_begin = affs_write_begin, +- .write_end = generic_write_end, ++ .write_end = affs_write_end, + .direct_IO = affs_direct_IO, + .bmap = _affs_bmap + }; +@@ -794,6 +812,12 @@ done: + if (tmp > inode->i_size) + inode->i_size = AFFS_I(inode)->mmu_private = tmp; + ++ /* Clear Archived bit on file writes, as AmigaOS would do */ ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) { ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED; ++ mark_inode_dirty(inode); ++ } ++ + err_first_bh: + unlock_page(page); + put_page(page); diff --git a/queue-5.8/alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch b/queue-5.8/alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch new file mode 100644 index 00000000000..7880078d641 --- /dev/null +++ b/queue-5.8/alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch @@ -0,0 +1,109 @@ +From acd46a6b6de88569654567810acad2b0a0a25cea Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 23 Aug 2020 16:55:45 +0900 +Subject: ALSA: firewire-digi00x: exclude Avid Adrenaline from detection + +From: Takashi Sakamoto + +commit acd46a6b6de88569654567810acad2b0a0a25cea upstream. + +Avid Adrenaline is reported that ALSA firewire-digi00x driver is bound to. +However, as long as he investigated, the design of this model is hardly +similar to the one of Digi 00x family. It's better to exclude the model +from modalias of ALSA firewire-digi00x driver. + +This commit changes device entries so that the model is excluded. + +$ python3 crpp < ~/git/am-config-rom/misc/avid-adrenaline.img + ROM header and bus information block + ----------------------------------------------------------------- +400 04203a9c bus_info_length 4, crc_length 32, crc 15004 +404 31333934 bus_name "1394" +408 e064a002 irmc 1, cmc 1, isc 1, bmc 0, cyc_clk_acc 100, max_rec 10 (2048) +40c 00a07e01 company_id 00a07e | +410 00085257 device_id 0100085257 | EUI-64 00a07e0100085257 + + root directory + ----------------------------------------------------------------- +414 0005d08c directory_length 5, crc 53388 +418 0300a07e vendor +41c 8100000c --> descriptor leaf at 44c +420 0c008380 node capabilities +424 8d000002 --> eui-64 leaf at 42c +428 d1000004 --> unit directory at 438 + + eui-64 leaf at 42c + ----------------------------------------------------------------- +42c 0002410f leaf_length 2, crc 16655 +430 00a07e01 company_id 00a07e | +434 00085257 device_id 0100085257 | EUI-64 00a07e0100085257 + + unit directory at 438 + ----------------------------------------------------------------- +438 0004d6c9 directory_length 4, crc 54985 +43c 1200a02d specifier id: 1394 TA +440 13014001 version: Vender Unique and AV/C +444 17000001 model +448 81000009 --> descriptor leaf at 46c + + descriptor leaf at 44c + ----------------------------------------------------------------- +44c 00077205 leaf_length 7, crc 29189 +450 00000000 textual descriptor +454 00000000 minimal ASCII +458 41766964 "Avid" +45c 20546563 " Tec" +460 686e6f6c "hnol" +464 6f677900 "ogy" +468 00000000 + + descriptor leaf at 46c + ----------------------------------------------------------------- +46c 000599a5 leaf_length 5, crc 39333 +470 00000000 textual descriptor +474 00000000 minimal ASCII +478 41647265 "Adre" +47c 6e616c69 "nali" +480 6e650000 "ne" + +Reported-by: Simon Wood +Fixes: 9edf723fd858 ("ALSA: firewire-digi00x: add skeleton for Digi 002/003 family") +Cc: # 4.4+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20200823075545.56305-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/digi00x/digi00x.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/firewire/digi00x/digi00x.c ++++ b/sound/firewire/digi00x/digi00x.c +@@ -14,6 +14,7 @@ MODULE_LICENSE("GPL v2"); + #define VENDOR_DIGIDESIGN 0x00a07e + #define MODEL_CONSOLE 0x000001 + #define MODEL_RACK 0x000002 ++#define SPEC_VERSION 0x000001 + + static int name_card(struct snd_dg00x *dg00x) + { +@@ -175,14 +176,18 @@ static const struct ieee1394_device_id s + /* Both of 002/003 use the same ID. */ + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_VERSION | + IEEE1394_MATCH_MODEL_ID, + .vendor_id = VENDOR_DIGIDESIGN, ++ .version = SPEC_VERSION, + .model_id = MODEL_CONSOLE, + }, + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_VERSION | + IEEE1394_MATCH_MODEL_ID, + .vendor_id = VENDOR_DIGIDESIGN, ++ .version = SPEC_VERSION, + .model_id = MODEL_RACK, + }, + {} diff --git a/queue-5.8/alsa-firewire-tascam-exclude-tascam-fe-8-from-detection.patch b/queue-5.8/alsa-firewire-tascam-exclude-tascam-fe-8-from-detection.patch new file mode 100644 index 00000000000..206f2df59b8 --- /dev/null +++ b/queue-5.8/alsa-firewire-tascam-exclude-tascam-fe-8-from-detection.patch @@ -0,0 +1,85 @@ +From 0bd8bce897b6697bbc286b8ba473aa0705fe394b Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 23 Aug 2020 16:55:37 +0900 +Subject: ALSA; firewire-tascam: exclude Tascam FE-8 from detection + +From: Takashi Sakamoto + +commit 0bd8bce897b6697bbc286b8ba473aa0705fe394b upstream. + +Tascam FE-8 is known to support communication by asynchronous transaction +only. The support can be implemented in userspace application and +snd-firewire-ctl-services project has the support. However, ALSA +firewire-tascam driver is bound to the model. + +This commit changes device entries so that the model is excluded. In a +commit 53b3ffee7885 ("ALSA: firewire-tascam: change device probing +processing"), I addressed to the concern that version field in +configuration differs depending on installed firmware. However, as long +as I checked, the version number is fixed. It's safe to return version +number back to modalias. + +Fixes: 53b3ffee7885 ("ALSA: firewire-tascam: change device probing processing") +Cc: # 4.4+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20200823075537.56255-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/tascam/tascam.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/sound/firewire/tascam/tascam.c ++++ b/sound/firewire/tascam/tascam.c +@@ -39,9 +39,6 @@ static const struct snd_tscm_spec model_ + .midi_capture_ports = 2, + .midi_playback_ports = 4, + }, +- // This kernel module doesn't support FE-8 because the most of features +- // can be implemented in userspace without any specific support of this +- // module. + }; + + static int identify_model(struct snd_tscm *tscm) +@@ -211,11 +208,39 @@ static void snd_tscm_remove(struct fw_un + } + + static const struct ieee1394_device_id snd_tscm_id_table[] = { ++ // Tascam, FW-1884. ++ { ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, ++ .vendor_id = 0x00022e, ++ .specifier_id = 0x00022e, ++ .version = 0x800000, ++ }, ++ // Tascam, FE-8 (.version = 0x800001) ++ // This kernel module doesn't support FE-8 because the most of features ++ // can be implemented in userspace without any specific support of this ++ // module. ++ // ++ // .version = 0x800002 is unknown. ++ // ++ // Tascam, FW-1082. ++ { ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, ++ .vendor_id = 0x00022e, ++ .specifier_id = 0x00022e, ++ .version = 0x800003, ++ }, ++ // Tascam, FW-1804. + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | +- IEEE1394_MATCH_SPECIFIER_ID, ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, + .vendor_id = 0x00022e, + .specifier_id = 0x00022e, ++ .version = 0x800004, + }, + {} + }; diff --git a/queue-5.8/alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch b/queue-5.8/alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch new file mode 100644 index 00000000000..cafe7651d67 --- /dev/null +++ b/queue-5.8/alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch @@ -0,0 +1,39 @@ +From 15cbff3fbbc631952c346744f862fb294504b5e2 Mon Sep 17 00:00:00 2001 +From: Dan Crawford +Date: Sat, 29 Aug 2020 12:49:46 +1000 +Subject: ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO + +From: Dan Crawford + +commit 15cbff3fbbc631952c346744f862fb294504b5e2 upstream. + +Following Christian Lachner's patch for Gigabyte X570-based motherboards, +also patch the MSI X570-A PRO motherboard; the ALC1220 codec requires the +same workaround for Clevo laptops to enforce the DAC/mixer connection +path. Set up a quirk entry for that. + +I suspect most if all X570 motherboards will require similar patches. + +[ The entries reordered in the SSID order -- tiwai ] + +Related buglink: https://bugzilla.kernel.org/show_bug.cgi?id=205275 +Signed-off-by: Dan Crawford +Cc: +Link: https://lore.kernel.org/r/20200829024946.5691-1-dnlcrwfrd@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2467,6 +2467,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), ++ SND_PCI_QUIRK(0x1462, 0x9c37, "MSI X570-A PRO", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3), + SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX), diff --git a/queue-5.8/alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch b/queue-5.8/alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch new file mode 100644 index 00000000000..8ce6755fde5 --- /dev/null +++ b/queue-5.8/alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch @@ -0,0 +1,44 @@ +From 858e0ad9301d1270c02b5aca97537d2d6ee9dd68 Mon Sep 17 00:00:00 2001 +From: Kai Vehmanen +Date: Wed, 26 Aug 2020 20:03:06 +0300 +Subject: ALSA: hda/hdmi: always check pin power status in i915 pin fixup + +From: Kai Vehmanen + +commit 858e0ad9301d1270c02b5aca97537d2d6ee9dd68 upstream. + +When system is suspended with active audio playback to HDMI/DP, two +alternative sequences can happen at resume: + a) monitor is detected first and ALSA prepare follows normal + stream setup sequence, or + b) ALSA prepare is called first, but monitor is not yet detected, + so PCM is restarted without a pin, + +In case of (b), on i915 systems, haswell_verify_D0() is not called at +resume and the pin power state may be incorrect. Result is lack of audio +after resume with no error reported back to user-space. + +Fix the problem by always verifying converter and pin state in the +i915_pin_cvt_fixup(). + +BugLink: https://github.com/thesofproject/linux/issues/2388 +Signed-off-by: Kai Vehmanen +Cc: +Link: https://lore.kernel.org/r/20200826170306.701566-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2737,6 +2737,7 @@ static void i915_pin_cvt_fixup(struct hd + hda_nid_t cvt_nid) + { + if (per_pin) { ++ haswell_verify_D0(codec, per_pin->cvt_nid, per_pin->pin_nid); + snd_hda_set_dev_select(codec, per_pin->pin_nid, + per_pin->dev_id); + intel_verify_pin_cvt_connect(codec, per_pin); diff --git a/queue-5.8/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-ion-nt950xcj-x716a.patch b/queue-5.8/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-ion-nt950xcj-x716a.patch new file mode 100644 index 00000000000..8a23a758809 --- /dev/null +++ b/queue-5.8/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-ion-nt950xcj-x716a.patch @@ -0,0 +1,41 @@ +From 8bcea6cb2cbc1f749e574954569323dec5e2920e Mon Sep 17 00:00:00 2001 +From: Adrien Crivelli +Date: Wed, 26 Aug 2020 17:40:14 +0900 +Subject: ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A + +From: Adrien Crivelli + +commit 8bcea6cb2cbc1f749e574954569323dec5e2920e upstream. + +The Galaxy Book Ion NT950XCJ-X716A (15 inches) uses the same ALC298 +codec as other Samsung laptops which have the no headphone sound bug. I +confirmed on my own hardware that this fixes the bug. + +This also correct the model name for the 13 inches version. It was +incorrectly referenced as NT950XCJ-X716A in commit e17f02d05. But it +should have been NP930XCJ-K01US. + +Fixes: e17f02d0559c ("ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion") +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207423 +Signed-off-by: Adrien Crivelli +Cc: +Link: https://lore.kernel.org/r/20200826084014.211217-1-adrien.crivelli@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7708,7 +7708,8 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), +- SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8), + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC), diff --git a/queue-5.8/alsa-hda-realtek-improved-routing-for-thinkpad-x1-7th-8th-gen.patch b/queue-5.8/alsa-hda-realtek-improved-routing-for-thinkpad-x1-7th-8th-gen.patch new file mode 100644 index 00000000000..8226eec74eb --- /dev/null +++ b/queue-5.8/alsa-hda-realtek-improved-routing-for-thinkpad-x1-7th-8th-gen.patch @@ -0,0 +1,136 @@ +From 6a6660d049f88b89fd9a4b9db3581b245f7782fa Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 3 Sep 2020 10:33:00 +0200 +Subject: ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen + +From: Takashi Iwai + +commit 6a6660d049f88b89fd9a4b9db3581b245f7782fa upstream. + +There've been quite a few regression reports about the lowered volume +(reduced to ca 65% from the previous level) on Lenovo Thinkpad X1 +after the commit d2cd795c4ece ("ALSA: hda - fixup for the bass speaker +on Lenovo Carbon X1 7th gen"). Although the commit itself does the +right thing from HD-audio POV in order to have a volume control for +bass speakers, it seems that the machine has some secret recipe under +the hood. + +Through experiments, Benjamin Poirier found out that the following +routing gives the best result: +* DAC1 (NID 0x02) -> Speaker pin (NID 0x14) +* DAC2 (NID 0x03) -> Shared by both Bass Speaker pin (NID 0x17) & + Headphone pin (0x21) +* DAC3 (NID 0x06) -> Unused + +DAC1 seems to have some equalizer internally applied, and you'd get +again the output in a bad quality if you connect this to the +headphone pin. Hence the headphone is connected to DAC2, which is now +shared with the bass speaker pin. DAC3 has no volume amp, hence it's +not connected at all. + +For achieving the routing above, this patch introduced a couple of +workarounds: + +* The connection list of bass speaker pin (NID 0x17) is reduced not to + include DAC3 (NID 0x06) +* Pass preferred_pairs array to specify the fixed connection + +Here, both workarounds are needed because the generic parser prefers +the individual DAC assignment over others. + +When the routing above is applied, the generic parser creates the two +volume controls "Front" and "Bass Speaker". Since we have only two +DACs for three output pins, those are not fully controlling each +output individually, and it would confuse PulseAudio. For avoiding +the pitfall, in this patch, we rename those volume controls to some +unique ones ("DAC1" and "DAC2"). Then PulseAudio ignore them and +concentrate only on the still good-working "Master" volume control. +If a user still wants to control each DAC volume, they can still +change manually via "DAC1" and "DAC2" volume controls. + +Fixes: d2cd795c4ece ("ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen") +Reported-by: Benjamin Poirier +Reviewed-by: Jaroslav Kysela +Tested-by: Benjamin Poirier +Cc: +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207407#c10 +BugLink: https://gist.github.com/hamidzr/dd81e429dc86f4327ded7a2030e7d7d9#gistcomment-3214171 +BugLink: https://gist.github.com/hamidzr/dd81e429dc86f4327ded7a2030e7d7d9#gistcomment-3276276 +Link: https://lore/kernel.org/r/20200829112746.3118-1-benjamin.poirier@gmail.com +Link: https://lore.kernel.org/r/20200903083300.6333-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 42 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 41 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5880,6 +5880,39 @@ static void alc275_fixup_gpio4_off(struc + } + } + ++/* Quirk for Thinkpad X1 7th and 8th Gen ++ * The following fixed routing needed ++ * DAC1 (NID 0x02) -> Speaker (NID 0x14); some eq applied secretly ++ * DAC2 (NID 0x03) -> Bass (NID 0x17) & Headphone (NID 0x21); sharing a DAC ++ * DAC3 (NID 0x06) -> Unused, due to the lack of volume amp ++ */ ++static void alc285_fixup_thinkpad_x1_gen7(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ static const hda_nid_t conn[] = { 0x02, 0x03 }; /* exclude 0x06 */ ++ static const hda_nid_t preferred_pairs[] = { ++ 0x14, 0x02, 0x17, 0x03, 0x21, 0x03, 0 ++ }; ++ struct alc_spec *spec = codec->spec; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn); ++ spec->gen.preferred_dacs = preferred_pairs; ++ break; ++ case HDA_FIXUP_ACT_BUILD: ++ /* The generic parser creates somewhat unintuitive volume ctls ++ * with the fixed routing above, and the shared DAC2 may be ++ * confusing for PA. ++ * Rename those to unique names so that PA doesn't touch them ++ * and use only Master volume. ++ */ ++ rename_ctl(codec, "Front Playback Volume", "DAC1 Playback Volume"); ++ rename_ctl(codec, "Bass Speaker Playback Volume", "DAC2 Playback Volume"); ++ break; ++ } ++} ++ + static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec, + const struct hda_fixup *fix, + int action) +@@ -6148,6 +6181,7 @@ enum { + ALC289_FIXUP_DUAL_SPK, + ALC294_FIXUP_SPK2_TO_DAC1, + ALC294_FIXUP_ASUS_DUAL_SPK, ++ ALC285_FIXUP_THINKPAD_X1_GEN7, + ALC285_FIXUP_THINKPAD_HEADSET_JACK, + ALC294_FIXUP_ASUS_HPE, + ALC294_FIXUP_ASUS_COEF_1B, +@@ -7293,11 +7327,17 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 + }, ++ [ALC285_FIXUP_THINKPAD_X1_GEN7] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_thinkpad_x1_gen7, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI ++ }, + [ALC285_FIXUP_THINKPAD_HEADSET_JACK] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_headset_jack, + .chained = true, +- .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1 ++ .chain_id = ALC285_FIXUP_THINKPAD_X1_GEN7 + }, + [ALC294_FIXUP_ASUS_HPE] = { + .type = HDA_FIXUP_VERBS, diff --git a/queue-5.8/alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch b/queue-5.8/alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch new file mode 100644 index 00000000000..776fd0bffcd --- /dev/null +++ b/queue-5.8/alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch @@ -0,0 +1,40 @@ +From 949a1ebe8cea7b342085cb6a4946b498306b9493 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 1 Sep 2020 15:18:02 +0200 +Subject: ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check + +From: Takashi Iwai + +commit 949a1ebe8cea7b342085cb6a4946b498306b9493 upstream. + +The PCM OSS mulaw plugin has a check of the format of the counter part +whether it's a linear format. The check is with snd_BUG_ON() that +emits WARN_ON() when the debug config is set, and it confuses +syzkaller as if it were a serious issue. Let's drop snd_BUG_ON() for +avoiding that. + +While we're at it, correct the error code to a more suitable, EINVAL. + +Reported-by: syzbot+23b22dc2e0b81cbfcc95@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/20200901131802.18157-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/oss/mulaw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/oss/mulaw.c ++++ b/sound/core/oss/mulaw.c +@@ -329,8 +329,8 @@ int snd_pcm_plugin_build_mulaw(struct sn + snd_BUG(); + return -EINVAL; + } +- if (snd_BUG_ON(!snd_pcm_format_linear(format->format))) +- return -ENXIO; ++ if (!snd_pcm_format_linear(format->format)) ++ return -EINVAL; + + err = snd_pcm_plugin_build(plug, "Mu-Law<->linear conversion", + src_format, dst_format, diff --git a/queue-5.8/alsa-usb-audio-add-basic-capture-support-for-pioneer-dj-djm-250mk2.patch b/queue-5.8/alsa-usb-audio-add-basic-capture-support-for-pioneer-dj-djm-250mk2.patch new file mode 100644 index 00000000000..f5b5094dbcc --- /dev/null +++ b/queue-5.8/alsa-usb-audio-add-basic-capture-support-for-pioneer-dj-djm-250mk2.patch @@ -0,0 +1,124 @@ +From 14335d8b9e1a2bf006f9d969a103f9731cabb210 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Franti=C5=A1ek=20Ku=C4=8Dera?= +Date: Tue, 25 Aug 2020 17:31:13 +0200 +Subject: ALSA: usb-audio: Add basic capture support for Pioneer DJ DJM-250MK2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: František Kučera + +commit 14335d8b9e1a2bf006f9d969a103f9731cabb210 upstream. + +This patch extends support for DJM-250MK2 and allows recording. +However, DVS is not possible yet (see the comment in code). + +Signed-off-by: František Kučera +Cc: +Link: https://lore.kernel.org/r/20200825153113.6352-1-konference@frantovo.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/pcm.c | 1 + sound/usb/quirks-table.h | 60 +++++++++++++++++++++++++++++++++++++++++------ + sound/usb/quirks.c | 1 + 3 files changed, 55 insertions(+), 7 deletions(-) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -374,6 +374,7 @@ static int set_sync_ep_implicit_fb_quirk + ifnum = 2; + goto add_sync_ep_from_ifnum; + case USB_ID(0x2b73, 0x000a): /* Pioneer DJ DJM-900NXS2 */ ++ case USB_ID(0x2b73, 0x0017): /* Pioneer DJ DJM-250MK2 */ + ep = 0x82; + ifnum = 0; + goto add_sync_ep_from_ifnum; +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3532,14 +3532,40 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge + { + /* + * Pioneer DJ DJM-250MK2 +- * PCM is 8 channels out @ 48 fixed (endpoints 0x01). +- * The output from computer to the mixer is usable. ++ * PCM is 8 channels out @ 48 fixed (endpoint 0x01) ++ * and 8 channels in @ 48 fixed (endpoint 0x82). + * +- * The input (phono or line to computer) is not working. +- * It should be at endpoint 0x82 and probably also 8 channels, +- * but it seems that it works only with Pioneer proprietary software. +- * Even on officially supported OS, the Audacity was unable to record +- * and Mixxx to recognize the control vinyls. ++ * Both playback and recording is working, even simultaneously. ++ * ++ * Playback channels could be mapped to: ++ * - CH1 ++ * - CH2 ++ * - AUX ++ * ++ * Recording channels could be mapped to: ++ * - Post CH1 Fader ++ * - Post CH2 Fader ++ * - Cross Fader A ++ * - Cross Fader B ++ * - MIC ++ * - AUX ++ * - REC OUT ++ * ++ * There is remaining problem with recording directly from PHONO/LINE. ++ * If we map a channel to: ++ * - CH1 Control Tone PHONO ++ * - CH1 Control Tone LINE ++ * - CH2 Control Tone PHONO ++ * - CH2 Control Tone LINE ++ * it is silent. ++ * There is no signal even on other operating systems with official drivers. ++ * The signal appears only when a supported application is started. ++ * This needs to be investigated yet... ++ * (there is quite a lot communication on the USB in both directions) ++ * ++ * In current version this mixer could be used for playback ++ * and for recording from vinyls (through Post CH* Fader) ++ * but not for DVS (Digital Vinyl Systems) like in Mixxx. + */ + USB_DEVICE_VENDOR_SPEC(0x2b73, 0x0017), + .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { +@@ -3561,6 +3587,26 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge + .rates = SNDRV_PCM_RATE_48000, + .rate_min = 48000, + .rate_max = 48000, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { 48000 } ++ } ++ }, ++ { ++ .ifnum = 0, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 8, // inputs ++ .iface = 0, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x82, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC| ++ USB_ENDPOINT_SYNC_ASYNC| ++ USB_ENDPOINT_USAGE_IMPLICIT_FB, ++ .rates = SNDRV_PCM_RATE_48000, ++ .rate_min = 48000, ++ .rate_max = 48000, + .nr_rates = 1, + .rate_table = (unsigned int[]) { 48000 } + } +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1493,6 +1493,7 @@ void snd_usb_set_format_quirk(struct snd + set_format_emu_quirk(subs, fmt); + break; + case USB_ID(0x2b73, 0x000a): /* Pioneer DJ DJM-900NXS2 */ ++ case USB_ID(0x2b73, 0x0017): /* Pioneer DJ DJM-250MK2 */ + pioneer_djm_set_format_quirk(subs); + break; + case USB_ID(0x534d, 0x2109): /* MacroSilicon MS2109 */ diff --git a/queue-5.8/alsa-usb-audio-add-implicit-feedback-quirk-for-ur22c.patch b/queue-5.8/alsa-usb-audio-add-implicit-feedback-quirk-for-ur22c.patch new file mode 100644 index 00000000000..14ea99e9bbe --- /dev/null +++ b/queue-5.8/alsa-usb-audio-add-implicit-feedback-quirk-for-ur22c.patch @@ -0,0 +1,35 @@ +From 7c5b892e0871655fea3294ffac6fa3cc3400b60d Mon Sep 17 00:00:00 2001 +From: Joshua Sivec +Date: Tue, 25 Aug 2020 18:55:18 +0200 +Subject: ALSA: usb-audio: Add implicit feedback quirk for UR22C + +From: Joshua Sivec + +commit 7c5b892e0871655fea3294ffac6fa3cc3400b60d upstream. + +This uses the same quirk as the Motu and SSL2 devices. +Tested on the UR22C. + +Fixes bug 208851. + +Signed-off-by: Joshua Sivec +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208851 +Cc: +Link: https://lore.kernel.org/r/20200825165515.8239-1-sivec@posteo.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/pcm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -369,6 +369,7 @@ static int set_sync_ep_implicit_fb_quirk + case USB_ID(0x07fd, 0x0008): /* MOTU M Series */ + case USB_ID(0x31e9, 0x0001): /* Solid State Logic SSL2 */ + case USB_ID(0x31e9, 0x0002): /* Solid State Logic SSL2+ */ ++ case USB_ID(0x0499, 0x172f): /* Steinberg UR22C */ + case USB_ID(0x0d9a, 0x00df): /* RTX6001 */ + ep = 0x81; + ifnum = 2; diff --git a/queue-5.8/arm64-dts-mt7622-add-reset-node-for-mmc-device.patch b/queue-5.8/arm64-dts-mt7622-add-reset-node-for-mmc-device.patch new file mode 100644 index 00000000000..1275f9c01ee --- /dev/null +++ b/queue-5.8/arm64-dts-mt7622-add-reset-node-for-mmc-device.patch @@ -0,0 +1,35 @@ +From d6f6cbeee4e5ee6976792851e0461c19f1ede864 Mon Sep 17 00:00:00 2001 +From: Wenbin Mei +Date: Fri, 14 Aug 2020 09:43:45 +0800 +Subject: arm64: dts: mt7622: add reset node for mmc device + +From: Wenbin Mei + +commit d6f6cbeee4e5ee6976792851e0461c19f1ede864 upstream. + +This commit adds reset node for mmc device. + +Cc: # v5.4+ +Fixes: 966580ad236e ("mmc: mediatek: add support for MT7622 SoC") +Signed-off-by: Wenbin Mei +Tested-by: Frank Wunderlich +Acked-by: Matthias Brugger +Link: https://lore.kernel.org/r/20200814014346.6496-3-wenbin.mei@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/mediatek/mt7622.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +@@ -686,6 +686,8 @@ + clocks = <&pericfg CLK_PERI_MSDC30_0_PD>, + <&topckgen CLK_TOP_MSDC50_0_SEL>; + clock-names = "source", "hclk"; ++ resets = <&pericfg MT7622_PERI_MSDC0_SW_RST>; ++ reset-names = "hrst"; + status = "disabled"; + }; + diff --git a/queue-5.8/blk-iocost-ioc_pd_free-shouldn-t-assume-irq-disabled.patch b/queue-5.8/blk-iocost-ioc_pd_free-shouldn-t-assume-irq-disabled.patch new file mode 100644 index 00000000000..784ade66e24 --- /dev/null +++ b/queue-5.8/blk-iocost-ioc_pd_free-shouldn-t-assume-irq-disabled.patch @@ -0,0 +1,44 @@ +From 5aeac7c4b16069aae49005f0a8d4526baa83341b Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 1 Sep 2020 14:52:31 -0400 +Subject: blk-iocost: ioc_pd_free() shouldn't assume irq disabled + +From: Tejun Heo + +commit 5aeac7c4b16069aae49005f0a8d4526baa83341b upstream. + +ioc_pd_free() grabs irq-safe ioc->lock without ensuring that irq is disabled +when it can be called with irq disabled or enabled. This has a small chance +of causing A-A deadlocks and triggers lockdep splats. Use irqsave operations +instead. + +Signed-off-by: Tejun Heo +Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-iocost.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -2094,14 +2094,15 @@ static void ioc_pd_free(struct blkg_poli + { + struct ioc_gq *iocg = pd_to_iocg(pd); + struct ioc *ioc = iocg->ioc; ++ unsigned long flags; + + if (ioc) { +- spin_lock(&ioc->lock); ++ spin_lock_irqsave(&ioc->lock, flags); + if (!list_empty(&iocg->active_list)) { + propagate_active_weight(iocg, 0, 0); + list_del_init(&iocg->active_list); + } +- spin_unlock(&ioc->lock); ++ spin_unlock_irqrestore(&ioc->lock, flags); + + hrtimer_cancel(&iocg->waitq_timer); + hrtimer_cancel(&iocg->delay_timer); diff --git a/queue-5.8/blk-stat-make-q-stats-lock-irqsafe.patch b/queue-5.8/blk-stat-make-q-stats-lock-irqsafe.patch new file mode 100644 index 00000000000..56b4ef3126f --- /dev/null +++ b/queue-5.8/blk-stat-make-q-stats-lock-irqsafe.patch @@ -0,0 +1,75 @@ +From e11d80a849e010f78243bb6f6af7dccef3a71a90 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 1 Sep 2020 14:52:32 -0400 +Subject: blk-stat: make q->stats->lock irqsafe + +From: Tejun Heo + +commit e11d80a849e010f78243bb6f6af7dccef3a71a90 upstream. + +blk-iocost calls blk_stat_enable_accounting() while holding an irqsafe lock +which triggers a lockdep splat because q->stats->lock isn't irqsafe. Let's +make it irqsafe. + +Signed-off-by: Tejun Heo +Fixes: cd006509b0a9 ("blk-iocost: account for IO size when testing latencies") +Cc: stable@vger.kernel.org # v5.8+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-stat.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/block/blk-stat.c ++++ b/block/blk-stat.c +@@ -137,6 +137,7 @@ void blk_stat_add_callback(struct reques + struct blk_stat_callback *cb) + { + unsigned int bucket; ++ unsigned long flags; + int cpu; + + for_each_possible_cpu(cpu) { +@@ -147,20 +148,22 @@ void blk_stat_add_callback(struct reques + blk_rq_stat_init(&cpu_stat[bucket]); + } + +- spin_lock(&q->stats->lock); ++ spin_lock_irqsave(&q->stats->lock, flags); + list_add_tail_rcu(&cb->list, &q->stats->callbacks); + blk_queue_flag_set(QUEUE_FLAG_STATS, q); +- spin_unlock(&q->stats->lock); ++ spin_unlock_irqrestore(&q->stats->lock, flags); + } + + void blk_stat_remove_callback(struct request_queue *q, + struct blk_stat_callback *cb) + { +- spin_lock(&q->stats->lock); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&q->stats->lock, flags); + list_del_rcu(&cb->list); + if (list_empty(&q->stats->callbacks) && !q->stats->enable_accounting) + blk_queue_flag_clear(QUEUE_FLAG_STATS, q); +- spin_unlock(&q->stats->lock); ++ spin_unlock_irqrestore(&q->stats->lock, flags); + + del_timer_sync(&cb->timer); + } +@@ -183,10 +186,12 @@ void blk_stat_free_callback(struct blk_s + + void blk_stat_enable_accounting(struct request_queue *q) + { +- spin_lock(&q->stats->lock); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&q->stats->lock, flags); + q->stats->enable_accounting = true; + blk_queue_flag_set(QUEUE_FLAG_STATS, q); +- spin_unlock(&q->stats->lock); ++ spin_unlock_irqrestore(&q->stats->lock, flags); + } + EXPORT_SYMBOL_GPL(blk_stat_enable_accounting); + diff --git a/queue-5.8/block-allow-for_each_bvec-to-support-zero-len-bvec.patch b/queue-5.8/block-allow-for_each_bvec-to-support-zero-len-bvec.patch new file mode 100644 index 00000000000..10b5aff6fde --- /dev/null +++ b/queue-5.8/block-allow-for_each_bvec-to-support-zero-len-bvec.patch @@ -0,0 +1,54 @@ +From 7e24969022cbd61ddc586f14824fc205661bb124 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Mon, 17 Aug 2020 18:00:55 +0800 +Subject: block: allow for_each_bvec to support zero len bvec + +From: Ming Lei + +commit 7e24969022cbd61ddc586f14824fc205661bb124 upstream. + +Block layer usually doesn't support or allow zero-length bvec. Since +commit 1bdc76aea115 ("iov_iter: use bvec iterator to implement +iterate_bvec()"), iterate_bvec() switches to bvec iterator. However, +Al mentioned that 'Zero-length segments are not disallowed' in iov_iter. + +Fixes for_each_bvec() so that it can move on after seeing one zero +length bvec. + +Fixes: 1bdc76aea115 ("iov_iter: use bvec iterator to implement iterate_bvec()") +Reported-by: syzbot +Signed-off-by: Ming Lei +Tested-by: Tetsuo Handa +Cc: Al Viro +Cc: Matthew Wilcox +Cc: +Link: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2262077.html +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/bvec.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/include/linux/bvec.h ++++ b/include/linux/bvec.h +@@ -117,11 +117,18 @@ static inline bool bvec_iter_advance(con + return true; + } + ++static inline void bvec_iter_skip_zero_bvec(struct bvec_iter *iter) ++{ ++ iter->bi_bvec_done = 0; ++ iter->bi_idx++; ++} ++ + #define for_each_bvec(bvl, bio_vec, iter, start) \ + for (iter = (start); \ + (iter).bi_size && \ + ((bvl = bvec_iter_bvec((bio_vec), (iter))), 1); \ +- bvec_iter_advance((bio_vec), &(iter), (bvl).bv_len)) ++ (bvl).bv_len ? (void)bvec_iter_advance((bio_vec), &(iter), \ ++ (bvl).bv_len) : bvec_iter_skip_zero_bvec(&(iter))) + + /* for iterating one bio from start to end */ + #define BVEC_ITER_ALL_INIT (struct bvec_iter) \ diff --git a/queue-5.8/block-ensure-bdi-io_pages-is-always-initialized.patch b/queue-5.8/block-ensure-bdi-io_pages-is-always-initialized.patch new file mode 100644 index 00000000000..5941a9046b4 --- /dev/null +++ b/queue-5.8/block-ensure-bdi-io_pages-is-always-initialized.patch @@ -0,0 +1,36 @@ +From de1b0ee490eafdf65fac9eef9925391a8369f2dc Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 31 Aug 2020 11:20:02 -0600 +Subject: block: ensure bdi->io_pages is always initialized + +From: Jens Axboe + +commit de1b0ee490eafdf65fac9eef9925391a8369f2dc upstream. + +If a driver leaves the limit settings as the defaults, then we don't +initialize bdi->io_pages. This means that file systems may need to +work around bdi->io_pages == 0, which is somewhat messy. + +Initialize the default value just like we do for ->ra_pages. + +Cc: stable@vger.kernel.org +Fixes: 9491ae4aade6 ("mm: don't cap request size based on read-ahead setting") +Reported-by: OGAWA Hirofumi +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -526,6 +526,7 @@ struct request_queue *__blk_alloc_queue( + goto fail_stats; + + q->backing_dev_info->ra_pages = VM_READAHEAD_PAGES; ++ q->backing_dev_info->io_pages = VM_READAHEAD_PAGES; + q->backing_dev_info->capabilities = BDI_CAP_CGROUP_WRITEBACK; + q->node = node_id; + diff --git a/queue-5.8/dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch b/queue-5.8/dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch new file mode 100644 index 00000000000..bfe5ac1bf46 --- /dev/null +++ b/queue-5.8/dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch @@ -0,0 +1,42 @@ +From d16ff19e69ab57e08bf908faaacbceaf660249de Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Tue, 1 Sep 2020 14:25:42 +0800 +Subject: dm cache metadata: Avoid returning cmd->bm wild pointer on error + +From: Ye Bin + +commit d16ff19e69ab57e08bf908faaacbceaf660249de upstream. + +Maybe __create_persistent_data_objects() caller will use PTR_ERR as a +pointer, it will lead to some strange things. + +Signed-off-by: Ye Bin +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-metadata.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -537,12 +537,16 @@ static int __create_persistent_data_obje + CACHE_MAX_CONCURRENT_LOCKS); + if (IS_ERR(cmd->bm)) { + DMERR("could not create block manager"); +- return PTR_ERR(cmd->bm); ++ r = PTR_ERR(cmd->bm); ++ cmd->bm = NULL; ++ return r; + } + + r = __open_or_format_metadata(cmd, may_format_device); +- if (r) ++ if (r) { + dm_block_manager_destroy(cmd->bm); ++ cmd->bm = NULL; ++ } + + return r; + } diff --git a/queue-5.8/dm-crypt-initialize-crypto-wait-structures.patch b/queue-5.8/dm-crypt-initialize-crypto-wait-structures.patch new file mode 100644 index 00000000000..7ad66e26fd3 --- /dev/null +++ b/queue-5.8/dm-crypt-initialize-crypto-wait-structures.patch @@ -0,0 +1,44 @@ +From 7785a9e4c228db6d01086a52d5685cd7336a08b7 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Mon, 31 Aug 2020 14:55:55 +0900 +Subject: dm crypt: Initialize crypto wait structures + +From: Damien Le Moal + +commit 7785a9e4c228db6d01086a52d5685cd7336a08b7 upstream. + +Use the DECLARE_CRYPTO_WAIT() macro to properly initialize the crypto +wait structures declared on stack before their use with +crypto_wait_req(). + +Fixes: 39d13a1ac41d ("dm crypt: reuse eboiv skcipher for IV generation") +Fixes: bbb1658461ac ("dm crypt: Implement Elephant diffuser for Bitlocker compatibility") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-crypt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -736,7 +736,7 @@ static int crypt_iv_eboiv_gen(struct cry + u8 buf[MAX_CIPHER_BLOCKSIZE] __aligned(__alignof__(__le64)); + struct skcipher_request *req; + struct scatterlist src, dst; +- struct crypto_wait wait; ++ DECLARE_CRYPTO_WAIT(wait); + int err; + + req = skcipher_request_alloc(any_tfm(cc), GFP_NOIO); +@@ -933,7 +933,7 @@ static int crypt_iv_elephant(struct cryp + u8 *es, *ks, *data, *data2, *data_offset; + struct skcipher_request *req; + struct scatterlist *sg, *sg2, src, dst; +- struct crypto_wait wait; ++ DECLARE_CRYPTO_WAIT(wait); + int i, r; + + req = skcipher_request_alloc(elephant->tfm, GFP_NOIO); diff --git a/queue-5.8/dm-integrity-fix-error-reporting-in-bitmap-mode-after-creation.patch b/queue-5.8/dm-integrity-fix-error-reporting-in-bitmap-mode-after-creation.patch new file mode 100644 index 00000000000..4cc2a1a7c1e --- /dev/null +++ b/queue-5.8/dm-integrity-fix-error-reporting-in-bitmap-mode-after-creation.patch @@ -0,0 +1,54 @@ +From e27fec66f0a94e35a35548bd0b29ae616e62ec62 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 31 Aug 2020 09:25:41 -0400 +Subject: dm integrity: fix error reporting in bitmap mode after creation + +From: Mikulas Patocka + +commit e27fec66f0a94e35a35548bd0b29ae616e62ec62 upstream. + +The dm-integrity target did not report errors in bitmap mode just after +creation. The reason is that the function integrity_recalc didn't clean up +ic->recalc_bitmap as it proceeded with recalculation. + +Fix this by updating the bitmap accordingly -- the double shift serves +to rounddown. + +Signed-off-by: Mikulas Patocka +Fixes: 468dfca38b1a ("dm integrity: add a bitmap mode") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-integrity.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -2487,6 +2487,7 @@ next_chunk: + range.logical_sector = le64_to_cpu(ic->sb->recalc_sector); + if (unlikely(range.logical_sector >= ic->provided_data_sectors)) { + if (ic->mode == 'B') { ++ block_bitmap_op(ic, ic->recalc_bitmap, 0, ic->provided_data_sectors, BITMAP_OP_CLEAR); + DEBUG_print("queue_delayed_work: bitmap_flush_work\n"); + queue_delayed_work(ic->commit_wq, &ic->bitmap_flush_work, 0); + } +@@ -2564,6 +2565,17 @@ next_chunk: + goto err; + } + ++ if (ic->mode == 'B') { ++ sector_t start, end; ++ start = (range.logical_sector >> ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit)) << ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit); ++ end = ((range.logical_sector + range.n_sectors) >> ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit)) << ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit); ++ block_bitmap_op(ic, ic->recalc_bitmap, start, end - start, BITMAP_OP_CLEAR); ++ } ++ + advance_and_next: + cond_resched(); + diff --git a/queue-5.8/dm-mpath-fix-racey-management-of-pg-initialization.patch b/queue-5.8/dm-mpath-fix-racey-management-of-pg-initialization.patch new file mode 100644 index 00000000000..21b0d6be3a5 --- /dev/null +++ b/queue-5.8/dm-mpath-fix-racey-management-of-pg-initialization.patch @@ -0,0 +1,73 @@ +From c322ee9320eaa4013ca3620b1130992916b19b31 Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Mon, 24 Aug 2020 14:19:55 -0400 +Subject: dm mpath: fix racey management of PG initialization + +From: Mike Snitzer + +commit c322ee9320eaa4013ca3620b1130992916b19b31 upstream. + +Commit 935fcc56abc3 ("dm mpath: only flush workqueue when needed") +changed flush_multipath_work() to avoid needless workqueue +flushing (of a multipath global workqueue). But that change didn't +realize the surrounding flush_multipath_work() code should also only +run if 'pg_init_in_progress' is set. + +Fix this by only doing all of flush_multipath_work()'s PG init related +work if 'pg_init_in_progress' is set. + +Otherwise multipath_wait_for_pg_init_completion() will run +unconditionally but the preceeding flush_workqueue(kmpath_handlerd) +may not. This could lead to deadlock (though only if kmpath_handlerd +never runs a corresponding work to decrement 'pg_init_in_progress'). + +It could also be, though highly unlikely, that the kmpath_handlerd +work that does PG init completes before 'pg_init_in_progress' is set, +and then an intervening DM table reload's multipath_postsuspend() +triggers flush_multipath_work(). + +Fixes: 935fcc56abc3 ("dm mpath: only flush workqueue when needed") +Cc: stable@vger.kernel.org +Reported-by: Ben Marzinski +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-mpath.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -1247,17 +1247,25 @@ static void multipath_wait_for_pg_init_c + static void flush_multipath_work(struct multipath *m) + { + if (m->hw_handler_name) { +- set_bit(MPATHF_PG_INIT_DISABLED, &m->flags); +- smp_mb__after_atomic(); ++ unsigned long flags; ++ ++ if (!atomic_read(&m->pg_init_in_progress)) ++ goto skip; ++ ++ spin_lock_irqsave(&m->lock, flags); ++ if (atomic_read(&m->pg_init_in_progress) && ++ !test_and_set_bit(MPATHF_PG_INIT_DISABLED, &m->flags)) { ++ spin_unlock_irqrestore(&m->lock, flags); + +- if (atomic_read(&m->pg_init_in_progress)) + flush_workqueue(kmpath_handlerd); +- multipath_wait_for_pg_init_completion(m); ++ multipath_wait_for_pg_init_completion(m); + +- clear_bit(MPATHF_PG_INIT_DISABLED, &m->flags); +- smp_mb__after_atomic(); ++ spin_lock_irqsave(&m->lock, flags); ++ clear_bit(MPATHF_PG_INIT_DISABLED, &m->flags); ++ } ++ spin_unlock_irqrestore(&m->lock, flags); + } +- ++skip: + if (m->queue_mode == DM_TYPE_BIO_BASED) + flush_work(&m->process_queued_bios); + flush_work(&m->trigger_event); diff --git a/queue-5.8/dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch b/queue-5.8/dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch new file mode 100644 index 00000000000..ea95c5d1121 --- /dev/null +++ b/queue-5.8/dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch @@ -0,0 +1,42 @@ +From 219403d7e56f9b716ad80ab87db85d29547ee73e Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Tue, 1 Sep 2020 14:25:43 +0800 +Subject: dm thin metadata: Avoid returning cmd->bm wild pointer on error + +From: Ye Bin + +commit 219403d7e56f9b716ad80ab87db85d29547ee73e upstream. + +Maybe __create_persistent_data_objects() caller will use PTR_ERR as a +pointer, it will lead to some strange things. + +Signed-off-by: Ye Bin +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin-metadata.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -739,12 +739,16 @@ static int __create_persistent_data_obje + THIN_MAX_CONCURRENT_LOCKS); + if (IS_ERR(pmd->bm)) { + DMERR("could not create block manager"); +- return PTR_ERR(pmd->bm); ++ r = PTR_ERR(pmd->bm); ++ pmd->bm = NULL; ++ return r; + } + + r = __open_or_format_metadata(pmd, format_device); +- if (r) ++ if (r) { + dm_block_manager_destroy(pmd->bm); ++ pmd->bm = NULL; ++ } + + return r; + } diff --git a/queue-5.8/dm-thin-metadata-fix-use-after-free-in-dm_bm_set_read_only.patch b/queue-5.8/dm-thin-metadata-fix-use-after-free-in-dm_bm_set_read_only.patch new file mode 100644 index 00000000000..2a55fc96028 --- /dev/null +++ b/queue-5.8/dm-thin-metadata-fix-use-after-free-in-dm_bm_set_read_only.patch @@ -0,0 +1,110 @@ +From 3a653b205f29b3f9827a01a0c88bfbcb0d169494 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Tue, 1 Sep 2020 14:25:44 +0800 +Subject: dm thin metadata: Fix use-after-free in dm_bm_set_read_only + +From: Ye Bin + +commit 3a653b205f29b3f9827a01a0c88bfbcb0d169494 upstream. + +The following error ocurred when testing disk online/offline: + +[ 301.798344] device-mapper: thin: 253:5: aborting current metadata transaction +[ 301.848441] device-mapper: thin: 253:5: failed to abort metadata transaction +[ 301.849206] Aborting journal on device dm-26-8. +[ 301.850489] EXT4-fs error (device dm-26) in __ext4_new_inode:943: Journal has aborted +[ 301.851095] EXT4-fs (dm-26): Delayed block allocation failed for inode 398742 at logical offset 181 with max blocks 19 with error 30 +[ 301.854476] BUG: KASAN: use-after-free in dm_bm_set_read_only+0x3a/0x40 [dm_persistent_data] + +Reason is: + + metadata_operation_failed + abort_transaction + dm_pool_abort_metadata + __create_persistent_data_objects + r = __open_or_format_metadata + if (r) --> If failed will free pmd->bm but pmd->bm not set NULL + dm_block_manager_destroy(pmd->bm); + set_pool_mode + dm_pool_metadata_read_only(pool->pmd); + dm_bm_set_read_only(pmd->bm); --> use-after-free + +Add checks to see if pmd->bm is NULL in dm_bm_set_read_only and +dm_bm_set_read_write functions. If bm is NULL it means creating the +bm failed and so dm_bm_is_read_only must return true. + +Signed-off-by: Ye Bin +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin-metadata.c | 2 +- + drivers/md/persistent-data/dm-block-manager.c | 14 ++++++++------ + 2 files changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -958,7 +958,7 @@ int dm_pool_metadata_close(struct dm_poo + } + + pmd_write_lock_in_core(pmd); +- if (!dm_bm_is_read_only(pmd->bm) && !pmd->fail_io) { ++ if (!pmd->fail_io && !dm_bm_is_read_only(pmd->bm)) { + r = __commit_transaction(pmd); + if (r < 0) + DMWARN("%s: __commit_transaction() failed, error = %d", +--- a/drivers/md/persistent-data/dm-block-manager.c ++++ b/drivers/md/persistent-data/dm-block-manager.c +@@ -493,7 +493,7 @@ int dm_bm_write_lock(struct dm_block_man + void *p; + int r; + +- if (bm->read_only) ++ if (dm_bm_is_read_only(bm)) + return -EPERM; + + p = dm_bufio_read(bm->bufio, b, (struct dm_buffer **) result); +@@ -562,7 +562,7 @@ int dm_bm_write_lock_zero(struct dm_bloc + struct buffer_aux *aux; + void *p; + +- if (bm->read_only) ++ if (dm_bm_is_read_only(bm)) + return -EPERM; + + p = dm_bufio_new(bm->bufio, b, (struct dm_buffer **) result); +@@ -602,7 +602,7 @@ EXPORT_SYMBOL_GPL(dm_bm_unlock); + + int dm_bm_flush(struct dm_block_manager *bm) + { +- if (bm->read_only) ++ if (dm_bm_is_read_only(bm)) + return -EPERM; + + return dm_bufio_write_dirty_buffers(bm->bufio); +@@ -616,19 +616,21 @@ void dm_bm_prefetch(struct dm_block_mana + + bool dm_bm_is_read_only(struct dm_block_manager *bm) + { +- return bm->read_only; ++ return (bm ? bm->read_only : true); + } + EXPORT_SYMBOL_GPL(dm_bm_is_read_only); + + void dm_bm_set_read_only(struct dm_block_manager *bm) + { +- bm->read_only = true; ++ if (bm) ++ bm->read_only = true; + } + EXPORT_SYMBOL_GPL(dm_bm_set_read_only); + + void dm_bm_set_read_write(struct dm_block_manager *bm) + { +- bm->read_only = false; ++ if (bm) ++ bm->read_only = false; + } + EXPORT_SYMBOL_GPL(dm_bm_set_read_write); + diff --git a/queue-5.8/dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch b/queue-5.8/dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch new file mode 100644 index 00000000000..766413b8fbd --- /dev/null +++ b/queue-5.8/dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch @@ -0,0 +1,62 @@ +From f9e040efcc28309e5c592f7e79085a9a52e31f58 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 24 Aug 2020 11:09:47 -0400 +Subject: dm writecache: handle DAX to partitions on persistent memory correctly + +From: Mikulas Patocka + +commit f9e040efcc28309e5c592f7e79085a9a52e31f58 upstream. + +The function dax_direct_access doesn't take partitions into account, +it always maps pages from the beginning of the device. Therefore, +persistent_memory_claim() must get the partition offset using +get_start_sect() and add it to the page offsets passed to +dax_direct_access(). + +Signed-off-by: Mikulas Patocka +Fixes: 48debafe4f2f ("dm: add writecache target") +Cc: stable@vger.kernel.org # 4.18+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-writecache.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -231,6 +231,7 @@ static int persistent_memory_claim(struc + pfn_t pfn; + int id; + struct page **pages; ++ sector_t offset; + + wc->memory_vmapped = false; + +@@ -245,9 +246,16 @@ static int persistent_memory_claim(struc + goto err1; + } + ++ offset = get_start_sect(wc->ssd_dev->bdev); ++ if (offset & (PAGE_SIZE / 512 - 1)) { ++ r = -EINVAL; ++ goto err1; ++ } ++ offset >>= PAGE_SHIFT - 9; ++ + id = dax_read_lock(); + +- da = dax_direct_access(wc->ssd_dev->dax_dev, 0, p, &wc->memory_map, &pfn); ++ da = dax_direct_access(wc->ssd_dev->dax_dev, offset, p, &wc->memory_map, &pfn); + if (da < 0) { + wc->memory_map = NULL; + r = da; +@@ -269,7 +277,7 @@ static int persistent_memory_claim(struc + i = 0; + do { + long daa; +- daa = dax_direct_access(wc->ssd_dev->dax_dev, i, p - i, ++ daa = dax_direct_access(wc->ssd_dev->dax_dev, offset + i, p - i, + NULL, &pfn); + if (daa <= 0) { + r = daa ? daa : -EINVAL; diff --git a/queue-5.8/dmaengine-dw-edma-fix-scatter-gather-address-calculation.patch b/queue-5.8/dmaengine-dw-edma-fix-scatter-gather-address-calculation.patch new file mode 100644 index 00000000000..6bd74627edd --- /dev/null +++ b/queue-5.8/dmaengine-dw-edma-fix-scatter-gather-address-calculation.patch @@ -0,0 +1,71 @@ +From 05655541c9503bfd01af4e6cbd7f5a29ac748e6c Mon Sep 17 00:00:00 2001 +From: Gustavo Pimentel +Date: Thu, 13 Aug 2020 16:14:04 +0200 +Subject: dmaengine: dw-edma: Fix scatter-gather address calculation + +From: Gustavo Pimentel + +commit 05655541c9503bfd01af4e6cbd7f5a29ac748e6c upstream. + +Fix the source and destination physical address calculation of a +peripheral device on scatter-gather implementation. + +This issue manifested during tests using a 64 bits architecture system. +The abnormal behavior wasn't visible before due to all previous tests +were done using 32 bits architecture system, that masked his effect. + +Fixes: e63d79d1ffcd ("dmaengine: Add Synopsys eDMA IP core driver") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo Pimentel +Link: https://lore.kernel.org/r/8d3ab7e2ba96563fe3495b32f60077fffb85307d.1597327623.git.gustavo.pimentel@synopsys.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/dw-edma/dw-edma-core.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/dma/dw-edma/dw-edma-core.c ++++ b/drivers/dma/dw-edma/dw-edma-core.c +@@ -405,7 +405,7 @@ dw_edma_device_transfer(struct dw_edma_t + if (xfer->cyclic) { + burst->dar = xfer->xfer.cyclic.paddr; + } else { +- burst->dar = sg_dma_address(sg); ++ burst->dar = dst_addr; + /* Unlike the typical assumption by other + * drivers/IPs the peripheral memory isn't + * a FIFO memory, in this case, it's a +@@ -413,14 +413,13 @@ dw_edma_device_transfer(struct dw_edma_t + * and destination addresses are increased + * by the same portion (data length) + */ +- src_addr += sg_dma_len(sg); + } + } else { + burst->dar = dst_addr; + if (xfer->cyclic) { + burst->sar = xfer->xfer.cyclic.paddr; + } else { +- burst->sar = sg_dma_address(sg); ++ burst->sar = src_addr; + /* Unlike the typical assumption by other + * drivers/IPs the peripheral memory isn't + * a FIFO memory, in this case, it's a +@@ -428,12 +427,14 @@ dw_edma_device_transfer(struct dw_edma_t + * and destination addresses are increased + * by the same portion (data length) + */ +- dst_addr += sg_dma_len(sg); + } + } + +- if (!xfer->cyclic) ++ if (!xfer->cyclic) { ++ src_addr += sg_dma_len(sg); ++ dst_addr += sg_dma_len(sg); + sg = sg_next(sg); ++ } + } + + return vchan_tx_prep(&chan->vc, &desc->vd, xfer->flags); diff --git a/queue-5.8/drm-amd-pm-avoid-false-alarm-due-to-confusing-softwareshutdowntemp-setting.patch b/queue-5.8/drm-amd-pm-avoid-false-alarm-due-to-confusing-softwareshutdowntemp-setting.patch new file mode 100644 index 00000000000..d390117849e --- /dev/null +++ b/queue-5.8/drm-amd-pm-avoid-false-alarm-due-to-confusing-softwareshutdowntemp-setting.patch @@ -0,0 +1,47 @@ +From 971df65cbf32da9bc9af52c1196ca504dd316086 Mon Sep 17 00:00:00 2001 +From: Evan Quan +Date: Tue, 25 Aug 2020 13:51:29 +0800 +Subject: drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting + +From: Evan Quan + +commit 971df65cbf32da9bc9af52c1196ca504dd316086 upstream. + +Normally softwareshutdowntemp should be greater than Thotspotlimit. +However, on some VEGA10 ASIC, the softwareshutdowntemp is 91C while +Thotspotlimit is 105C. This seems not right and may trigger some +false alarms. + +Signed-off-by: Evan Quan +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c +@@ -374,8 +374,18 @@ static int vega10_thermal_set_temperatur + /* compare them in unit celsius degree */ + if (low < range->min / PP_TEMPERATURE_UNITS_PER_CENTIGRADES) + low = range->min / PP_TEMPERATURE_UNITS_PER_CENTIGRADES; +- if (high > tdp_table->usSoftwareShutdownTemp) +- high = tdp_table->usSoftwareShutdownTemp; ++ ++ /* ++ * As a common sense, usSoftwareShutdownTemp should be bigger ++ * than ThotspotLimit. For any invalid usSoftwareShutdownTemp, ++ * we will just use the max possible setting VEGA10_THERMAL_MAXIMUM_ALERT_TEMP ++ * to avoid false alarms. ++ */ ++ if ((tdp_table->usSoftwareShutdownTemp > ++ range->hotspot_crit_max / PP_TEMPERATURE_UNITS_PER_CENTIGRADES)) { ++ if (high > tdp_table->usSoftwareShutdownTemp) ++ high = tdp_table->usSoftwareShutdownTemp; ++ } + + if (low > high) + return -EINVAL; diff --git a/queue-5.8/drm-amdgpu-specify-get_argument-function-for-ci_smu_funcs.patch b/queue-5.8/drm-amdgpu-specify-get_argument-function-for-ci_smu_funcs.patch new file mode 100644 index 00000000000..1bdd34c2071 --- /dev/null +++ b/queue-5.8/drm-amdgpu-specify-get_argument-function-for-ci_smu_funcs.patch @@ -0,0 +1,47 @@ +From f7b2e34b4afb8d712913dc199d3292ea9e078637 Mon Sep 17 00:00:00 2001 +From: Sandeep Raghuraman +Date: Thu, 27 Aug 2020 17:07:33 +0530 +Subject: drm/amdgpu: Specify get_argument function for ci_smu_funcs + +From: Sandeep Raghuraman + +commit f7b2e34b4afb8d712913dc199d3292ea9e078637 upstream. + +Starting in Linux 5.8, the graphics and memory clock frequency were not being +reported for CIK cards. This is a regression, since they were reported correctly +in Linux 5.7. + +After investigation, I discovered that the smum_send_msg_to_smc() function, +attempts to call the corresponding get_argument() function of ci_smu_funcs. +However, the get_argument() function is not defined in ci_smu_funcs. + +This patch fixes the bug by specifying the correct get_argument() function. + +Fixes: a0ec225633d9f6 ("drm/amd/powerplay: unified interfaces for message issuing and response checking") +Signed-off-by: Sandeep Raghuraman +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c +@@ -37,6 +37,7 @@ + #include "cgs_common.h" + #include "atombios.h" + #include "pppcielanes.h" ++#include "smu7_smumgr.h" + + #include "smu/smu_7_0_1_d.h" + #include "smu/smu_7_0_1_sh_mask.h" +@@ -2948,6 +2949,7 @@ const struct pp_smumgr_func ci_smu_funcs + .request_smu_load_specific_fw = NULL, + .send_msg_to_smc = ci_send_msg_to_smc, + .send_msg_to_smc_with_parameter = ci_send_msg_to_smc_with_parameter, ++ .get_argument = smu7_get_argument, + .download_pptable_settings = NULL, + .upload_pptable_settings = NULL, + .get_offsetof = ci_get_offsetof, diff --git a/queue-5.8/drm-i915-fix-sha_text-population-code.patch b/queue-5.8/drm-i915-fix-sha_text-population-code.patch new file mode 100644 index 00000000000..0381e7c8d4b --- /dev/null +++ b/queue-5.8/drm-i915-fix-sha_text-population-code.patch @@ -0,0 +1,120 @@ +From 9ab57658a608f879469ffa22b723c4539c05a58f Mon Sep 17 00:00:00 2001 +From: Sean Paul +Date: Tue, 18 Aug 2020 11:38:49 -0400 +Subject: drm/i915: Fix sha_text population code + +From: Sean Paul + +commit 9ab57658a608f879469ffa22b723c4539c05a58f upstream. + +This patch fixes a few bugs: + +1- We weren't taking into account sha_leftovers when adding multiple + ksvs to sha_text. As such, we were or'ing the end of ksv[j - 1] with + the beginning of ksv[j] + +2- In the sha_leftovers == 2 and sha_leftovers == 3 case, bstatus was + being placed on the wrong half of sha_text, overlapping the leftover + ksv value + +3- In the sha_leftovers == 2 case, we need to manually terminate the + byte stream with 0x80 since the hardware doesn't have enough room to + add it after writing M0 + +The upside is that all of the HDCP supported HDMI repeaters I could +find on Amazon just strip HDCP anyways, so it turns out to be _really_ +hard to hit any of these cases without an MST hub, which is not (yet) +supported. Oh, and the sha_leftovers == 1 case works perfectly! + +Fixes: ee5e5e7a5e0f ("drm/i915: Add HDCP framework + base implementation") +Cc: Chris Wilson +Cc: Ramalingam C +Cc: Daniel Vetter +Cc: Sean Paul +Cc: Jani Nikula +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: intel-gfx@lists.freedesktop.org +Cc: # v4.17+ +Reviewed-by: Ramalingam C +Signed-off-by: Sean Paul +Signed-off-by: Ramalingam C +Link: https://patchwork.freedesktop.org/patch/msgid/20200818153910.27894-2-sean@poorly.run +(cherry picked from commit 1f0882214fd0037b74f245d9be75c31516fed040) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/display/intel_hdcp.c | 26 ++++++++++++++++++++------ + include/drm/drm_hdcp.h | 3 +++ + 2 files changed, 23 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_hdcp.c ++++ b/drivers/gpu/drm/i915/display/intel_hdcp.c +@@ -336,8 +336,10 @@ int intel_hdcp_validate_v_prime(struct i + + /* Fill up the empty slots in sha_text and write it out */ + sha_empty = sizeof(sha_text) - sha_leftovers; +- for (j = 0; j < sha_empty; j++) +- sha_text |= ksv[j] << ((sizeof(sha_text) - j - 1) * 8); ++ for (j = 0; j < sha_empty; j++) { ++ u8 off = ((sizeof(sha_text) - j - 1 - sha_leftovers) * 8); ++ sha_text |= ksv[j] << off; ++ } + + ret = intel_write_sha_text(dev_priv, sha_text); + if (ret < 0) +@@ -435,7 +437,7 @@ int intel_hdcp_validate_v_prime(struct i + /* Write 32 bits of text */ + intel_de_write(dev_priv, HDCP_REP_CTL, + rep_ctl | HDCP_SHA1_TEXT_32); +- sha_text |= bstatus[0] << 24 | bstatus[1] << 16; ++ sha_text |= bstatus[0] << 8 | bstatus[1]; + ret = intel_write_sha_text(dev_priv, sha_text); + if (ret < 0) + return ret; +@@ -450,17 +452,29 @@ int intel_hdcp_validate_v_prime(struct i + return ret; + sha_idx += sizeof(sha_text); + } ++ ++ /* ++ * Terminate the SHA-1 stream by hand. For the other leftover ++ * cases this is appended by the hardware. ++ */ ++ intel_de_write(dev_priv, HDCP_REP_CTL, ++ rep_ctl | HDCP_SHA1_TEXT_32); ++ sha_text = DRM_HDCP_SHA1_TERMINATOR << 24; ++ ret = intel_write_sha_text(dev_priv, sha_text); ++ if (ret < 0) ++ return ret; ++ sha_idx += sizeof(sha_text); + } else if (sha_leftovers == 3) { +- /* Write 32 bits of text */ ++ /* Write 32 bits of text (filled from LSB) */ + intel_de_write(dev_priv, HDCP_REP_CTL, + rep_ctl | HDCP_SHA1_TEXT_32); +- sha_text |= bstatus[0] << 24; ++ sha_text |= bstatus[0]; + ret = intel_write_sha_text(dev_priv, sha_text); + if (ret < 0) + return ret; + sha_idx += sizeof(sha_text); + +- /* Write 8 bits of text, 24 bits of M0 */ ++ /* Write 8 bits of text (filled from LSB), 24 bits of M0 */ + intel_de_write(dev_priv, HDCP_REP_CTL, + rep_ctl | HDCP_SHA1_TEXT_8); + ret = intel_write_sha_text(dev_priv, bstatus[1]); +--- a/include/drm/drm_hdcp.h ++++ b/include/drm/drm_hdcp.h +@@ -29,6 +29,9 @@ + /* Slave address for the HDCP registers in the receiver */ + #define DRM_HDCP_DDC_ADDR 0x3A + ++/* Value to use at the end of the SHA-1 bytestream used for repeaters */ ++#define DRM_HDCP_SHA1_TERMINATOR 0x80 ++ + /* HDCP register offsets for HDMI/DVI devices */ + #define DRM_HDCP_DDC_BKSV 0x00 + #define DRM_HDCP_DDC_RI_PRIME 0x08 diff --git a/queue-5.8/io_uring-fix-removing-the-wrong-file-in-__io_sqe_files_update.patch b/queue-5.8/io_uring-fix-removing-the-wrong-file-in-__io_sqe_files_update.patch new file mode 100644 index 00000000000..422bfc43145 --- /dev/null +++ b/queue-5.8/io_uring-fix-removing-the-wrong-file-in-__io_sqe_files_update.patch @@ -0,0 +1,34 @@ +From 98dfd5024a2e9e170b85c07078e2d89f20a5dfbd Mon Sep 17 00:00:00 2001 +From: Jiufei Xue +Date: Tue, 1 Sep 2020 13:35:02 +0800 +Subject: io_uring: fix removing the wrong file in __io_sqe_files_update() + +From: Jiufei Xue + +commit 98dfd5024a2e9e170b85c07078e2d89f20a5dfbd upstream. + +Index here is already the position of the file in fixed_file_table, we +should not use io_file_from_index() again to get it. Otherwise, the +wrong file which still in use may be released unexpectedly. + +Cc: stable@vger.kernel.org # v5.6 +Fixes: 05f3fb3c5397 ("io_uring: avoid ring quiesce for fixed file set unregister and update") +Signed-off-by: Jiufei Xue +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -6928,7 +6928,7 @@ static int __io_sqe_files_update(struct + table = &ctx->file_data->table[i >> IORING_FILE_TABLE_SHIFT]; + index = i & IORING_FILE_TABLE_MASK; + if (table->files[index]) { +- file = io_file_from_index(ctx, index); ++ file = table->files[index]; + err = io_queue_file_removal(data, file); + if (err) + break; diff --git a/queue-5.8/io_uring-set-table-files-to-null-when-io_sqe_file_register-failed.patch b/queue-5.8/io_uring-set-table-files-to-null-when-io_sqe_file_register-failed.patch new file mode 100644 index 00000000000..04c9aaa1cd9 --- /dev/null +++ b/queue-5.8/io_uring-set-table-files-to-null-when-io_sqe_file_register-failed.patch @@ -0,0 +1,33 @@ +From 95d1c8e5f801e959a89181a2548a3efa60a1a6ce Mon Sep 17 00:00:00 2001 +From: Jiufei Xue +Date: Wed, 2 Sep 2020 17:59:39 +0800 +Subject: io_uring: set table->files[i] to NULL when io_sqe_file_register failed + +From: Jiufei Xue + +commit 95d1c8e5f801e959a89181a2548a3efa60a1a6ce upstream. + +While io_sqe_file_register() failed in __io_sqe_files_update(), +table->files[i] still point to the original file which may freed +soon, and that will trigger use-after-free problems. + +Cc: stable@vger.kernel.org +Fixes: f3bd9dae3708 ("io_uring: fix memleak in __io_sqe_files_update()") +Signed-off-by: Jiufei Xue +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -6957,6 +6957,7 @@ static int __io_sqe_files_update(struct + table->files[index] = file; + err = io_sqe_file_register(ctx, file, i); + if (err) { ++ table->files[index] = NULL; + fput(file); + break; + } diff --git a/queue-5.8/libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch b/queue-5.8/libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch new file mode 100644 index 00000000000..3133986883b --- /dev/null +++ b/queue-5.8/libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch @@ -0,0 +1,79 @@ +From 3b5455636fe26ea21b4189d135a424a6da016418 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 2 Sep 2020 12:32:45 -0400 +Subject: libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks + +From: Tejun Heo + +commit 3b5455636fe26ea21b4189d135a424a6da016418 upstream. + +All three generations of Sandisk SSDs lock up hard intermittently. +Experiments showed that disabling NCQ lowered the failure rate significantly +and the kernel has been disabling NCQ for some models of SD7's and 8's, +which is obviously undesirable. + +Karthik worked with Sandisk to root cause the hard lockups to trim commands +larger than 128M. This patch implements ATA_HORKAGE_MAX_TRIM_128M which +limits max trim size to 128M and applies it to all three generations of +Sandisk SSDs. + +Signed-off-by: Tejun Heo +Cc: Karthik Shivaram +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 5 ++--- + drivers/ata/libata-scsi.c | 8 +++++++- + include/linux/libata.h | 1 + + 3 files changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3868,9 +3868,8 @@ static const struct ata_blacklist_entry + /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */ + { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, }, + +- /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on +- SD7SN6S256G and SD8SN8U256G */ +- { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, }, ++ /* Sandisk SD7/8/9s lock up hard on large trims */ ++ { "SanDisk SD[789]*", NULL, ATA_HORKAGE_MAX_TRIM_128M, }, + + /* devices which puke on READ_NATIVE_MAX */ + { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, }, +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2080,6 +2080,7 @@ static unsigned int ata_scsiop_inq_89(st + + static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf) + { ++ struct ata_device *dev = args->dev; + u16 min_io_sectors; + + rbuf[1] = 0xb0; +@@ -2105,7 +2106,12 @@ static unsigned int ata_scsiop_inq_b0(st + * with the unmap bit set. + */ + if (ata_id_has_trim(args->id)) { +- put_unaligned_be64(65535 * ATA_MAX_TRIM_RNUM, &rbuf[36]); ++ u64 max_blocks = 65535 * ATA_MAX_TRIM_RNUM; ++ ++ if (dev->horkage & ATA_HORKAGE_MAX_TRIM_128M) ++ max_blocks = 128 << (20 - SECTOR_SHIFT); ++ ++ put_unaligned_be64(max_blocks, &rbuf[36]); + put_unaligned_be32(1, &rbuf[28]); + } + +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -421,6 +421,7 @@ enum { + ATA_HORKAGE_NO_DMA_LOG = (1 << 23), /* don't use DMA for log read */ + ATA_HORKAGE_NOTRIM = (1 << 24), /* don't use TRIM */ + ATA_HORKAGE_MAX_SEC_1024 = (1 << 25), /* Limit max sects to 1024 */ ++ ATA_HORKAGE_MAX_TRIM_128M = (1 << 26), /* Limit max trim size to 128M */ + + /* DMA mask for user DMA control: User visible values; DO NOT + renumber */ diff --git a/queue-5.8/media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch b/queue-5.8/media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch new file mode 100644 index 00000000000..315dc4197f4 --- /dev/null +++ b/queue-5.8/media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch @@ -0,0 +1,57 @@ +From a2e2d73fa28136598e84db9d021091f1b98cbb1a Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sat, 8 Aug 2020 13:38:02 +0200 +Subject: media: rc: do not access device via sysfs after rc_unregister_device() + +From: Sean Young + +commit a2e2d73fa28136598e84db9d021091f1b98cbb1a upstream. + +Device drivers do not expect to have change_protocol or wakeup +re-programming to be accesed after rc_unregister_device(). This can +cause the device driver to access deallocated resources. + +Cc: # 4.16+ +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/rc-main.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -1292,6 +1292,10 @@ static ssize_t store_protocols(struct de + } + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + old_protocols = *current_protocols; + new_protocols = old_protocols; +@@ -1430,6 +1434,10 @@ static ssize_t store_filter(struct devic + return -EINVAL; + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + new_filter = *filter; + if (fattr->mask) +@@ -1544,6 +1552,10 @@ static ssize_t store_wakeup_protocols(st + int i; + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + allowed = dev->allowed_wakeup_protocols; + diff --git a/queue-5.8/media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch b/queue-5.8/media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch new file mode 100644 index 00000000000..5ecd8e0b4cc --- /dev/null +++ b/queue-5.8/media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch @@ -0,0 +1,82 @@ +From 4f0835d6677dc69263f90f976524cb92b257d9f4 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sat, 8 Aug 2020 13:19:12 +0200 +Subject: media: rc: uevent sysfs file races with rc_unregister_device() + +From: Sean Young + +commit 4f0835d6677dc69263f90f976524cb92b257d9f4 upstream. + +Only report uevent file contents if device still registered, else we +might read freed memory. + +Reported-by: syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com +Cc: Hillf Danton +Cc: # 4.16+ +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/rc-main.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -1613,25 +1613,25 @@ static void rc_dev_release(struct device + kfree(dev); + } + +-#define ADD_HOTPLUG_VAR(fmt, val...) \ +- do { \ +- int err = add_uevent_var(env, fmt, val); \ +- if (err) \ +- return err; \ +- } while (0) +- + static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env) + { + struct rc_dev *dev = to_rc_dev(device); ++ int ret = 0; + +- if (dev->rc_map.name) +- ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name); +- if (dev->driver_name) +- ADD_HOTPLUG_VAR("DRV_NAME=%s", dev->driver_name); +- if (dev->device_name) +- ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name); ++ mutex_lock(&dev->lock); + +- return 0; ++ if (!dev->registered) ++ ret = -ENODEV; ++ if (ret == 0 && dev->rc_map.name) ++ ret = add_uevent_var(env, "NAME=%s", dev->rc_map.name); ++ if (ret == 0 && dev->driver_name) ++ ret = add_uevent_var(env, "DRV_NAME=%s", dev->driver_name); ++ if (ret == 0 && dev->device_name) ++ ret = add_uevent_var(env, "DEV_NAME=%s", dev->device_name); ++ ++ mutex_unlock(&dev->lock); ++ ++ return ret; + } + + /* +@@ -2023,14 +2023,14 @@ void rc_unregister_device(struct rc_dev + del_timer_sync(&dev->timer_keyup); + del_timer_sync(&dev->timer_repeat); + +- rc_free_rx_device(dev); +- + mutex_lock(&dev->lock); + if (dev->users && dev->close) + dev->close(dev); + dev->registered = false; + mutex_unlock(&dev->lock); + ++ rc_free_rx_device(dev); ++ + /* + * lirc device should be freed with dev->registered = false, so + * that userspace polling will get notified. diff --git a/queue-5.8/mips-oprofile-fix-fallthrough-placement.patch b/queue-5.8/mips-oprofile-fix-fallthrough-placement.patch new file mode 100644 index 00000000000..aaa5547c0e1 --- /dev/null +++ b/queue-5.8/mips-oprofile-fix-fallthrough-placement.patch @@ -0,0 +1,60 @@ +From 91dbd73a1739039fa7e9fe5c0169f2817a7f7670 Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Thu, 20 Aug 2020 20:54:40 +0800 +Subject: mips/oprofile: Fix fallthrough placement + +From: He Zhe + +commit 91dbd73a1739039fa7e9fe5c0169f2817a7f7670 upstream. + +We want neither +" +include/linux/compiler_attributes.h:201:41: warning: statement will never +be executed [-Wswitch-unreachable] + 201 | # define fallthrough __attribute__((__fallthrough__)) + | ^~~~~~~~~~~~~ +" +nor +" +include/linux/compiler_attributes.h:201:41: warning: attribute +'fallthrough' not preceding a case label or default label + 201 | # define fallthrough __attribute__((__fallthrough__)) + | ^~~~~~~~~~~~~ +" + +It's not worth adding one more macro. Let's simply place the fallthrough +in between the expansions. + +Fixes: c9b029903466 ("MIPS: Use fallthrough for arch/mips") +Cc: stable@vger.kernel.org +Signed-off-by: He Zhe +Reviewed-by: Gustavo A. R. Silva +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/oprofile/op_model_mipsxx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/mips/oprofile/op_model_mipsxx.c ++++ b/arch/mips/oprofile/op_model_mipsxx.c +@@ -245,7 +245,6 @@ static int mipsxx_perfcount_handler(void + + switch (counters) { + #define HANDLE_COUNTER(n) \ +- fallthrough; \ + case n + 1: \ + control = r_c0_perfctrl ## n(); \ + counter = r_c0_perfcntr ## n(); \ +@@ -256,8 +255,11 @@ static int mipsxx_perfcount_handler(void + handled = IRQ_HANDLED; \ + } + HANDLE_COUNTER(3) ++ fallthrough; + HANDLE_COUNTER(2) ++ fallthrough; + HANDLE_COUNTER(1) ++ fallthrough; + HANDLE_COUNTER(0) + } + diff --git a/queue-5.8/mm-madvise-fix-vma-user-after-free.patch b/queue-5.8/mm-madvise-fix-vma-user-after-free.patch new file mode 100644 index 00000000000..1f8f23e4bfb --- /dev/null +++ b/queue-5.8/mm-madvise-fix-vma-user-after-free.patch @@ -0,0 +1,90 @@ +From 7867fd7cc44e63c6673cd0f8fea155456d34d0de Mon Sep 17 00:00:00 2001 +From: Yang Shi +Date: Fri, 4 Sep 2020 16:35:55 -0700 +Subject: mm: madvise: fix vma user-after-free + +From: Yang Shi + +commit 7867fd7cc44e63c6673cd0f8fea155456d34d0de upstream. + +The syzbot reported the below use-after-free: + + BUG: KASAN: use-after-free in madvise_willneed mm/madvise.c:293 [inline] + BUG: KASAN: use-after-free in madvise_vma mm/madvise.c:942 [inline] + BUG: KASAN: use-after-free in do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145 + Read of size 8 at addr ffff8880a6163eb0 by task syz-executor.0/9996 + + CPU: 0 PID: 9996 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x18f/0x20d lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + madvise_willneed mm/madvise.c:293 [inline] + madvise_vma mm/madvise.c:942 [inline] + do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145 + do_madvise mm/madvise.c:1169 [inline] + __do_sys_madvise mm/madvise.c:1171 [inline] + __se_sys_madvise mm/madvise.c:1169 [inline] + __x64_sys_madvise+0xd9/0x110 mm/madvise.c:1169 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + Allocated by task 9992: + kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482 + vm_area_alloc+0x1c/0x110 kernel/fork.c:347 + mmap_region+0x8e5/0x1780 mm/mmap.c:1743 + do_mmap+0xcf9/0x11d0 mm/mmap.c:1545 + vm_mmap_pgoff+0x195/0x200 mm/util.c:506 + ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + Freed by task 9992: + kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693 + remove_vma+0x132/0x170 mm/mmap.c:184 + remove_vma_list mm/mmap.c:2613 [inline] + __do_munmap+0x743/0x1170 mm/mmap.c:2869 + do_munmap mm/mmap.c:2877 [inline] + mmap_region+0x257/0x1780 mm/mmap.c:1716 + do_mmap+0xcf9/0x11d0 mm/mmap.c:1545 + vm_mmap_pgoff+0x195/0x200 mm/util.c:506 + ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +It is because vma is accessed after releasing mmap_lock, but someone +else acquired the mmap_lock and the vma is gone. + +Releasing mmap_lock after accessing vma should fix the problem. + +Fixes: 692fe62433d4c ("mm: Handle MADV_WILLNEED through vfs_fadvise()") +Reported-by: syzbot+b90df26038d1d5d85c97@syzkaller.appspotmail.com +Signed-off-by: Yang Shi +Signed-off-by: Andrew Morton +Reviewed-by: Andrew Morton +Reviewed-by: Jan Kara +Cc: [5.4+] +Link: https://lkml.kernel.org/r/20200816141204.162624-1-shy828301@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/madvise.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -289,9 +289,9 @@ static long madvise_willneed(struct vm_a + */ + *prev = NULL; /* tell sys_madvise we drop mmap_lock */ + get_file(file); +- mmap_read_unlock(current->mm); + offset = (loff_t)(start - vma->vm_start) + + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); ++ mmap_read_unlock(current->mm); + vfs_fadvise(file, offset, end - start, POSIX_FADV_WILLNEED); + fput(file); + mmap_read_lock(current->mm); diff --git a/queue-5.8/mm-rmap-fixup-copying-of-soft-dirty-and-uffd-ptes.patch b/queue-5.8/mm-rmap-fixup-copying-of-soft-dirty-and-uffd-ptes.patch new file mode 100644 index 00000000000..ce7a8ee82be --- /dev/null +++ b/queue-5.8/mm-rmap-fixup-copying-of-soft-dirty-and-uffd-ptes.patch @@ -0,0 +1,90 @@ +From ad7df764b7e1c7dc64e016da7ada2e3e1bb90700 Mon Sep 17 00:00:00 2001 +From: Alistair Popple +Date: Fri, 4 Sep 2020 16:36:01 -0700 +Subject: mm/rmap: fixup copying of soft dirty and uffd ptes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alistair Popple + +commit ad7df764b7e1c7dc64e016da7ada2e3e1bb90700 upstream. + +During memory migration a pte is temporarily replaced with a migration +swap pte. Some pte bits from the existing mapping such as the soft-dirty +and uffd write-protect bits are preserved by copying these to the +temporary migration swap pte. + +However these bits are not stored at the same location for swap and +non-swap ptes. Therefore testing these bits requires using the +appropriate helper function for the given pte type. + +Unfortunately several code locations were found where the wrong helper +function is being used to test soft_dirty and uffd_wp bits which leads to +them getting incorrectly set or cleared during page-migration. + +Fix these by using the correct tests based on pte type. + +Fixes: a5430dda8a3a ("mm/migrate: support un-addressable ZONE_DEVICE page in migration") +Fixes: 8c3328f1f36a ("mm/migrate: migrate_vma() unmap page from vma while collecting pages") +Fixes: f45ec5ff16a7 ("userfaultfd: wp: support swap and page migration") +Signed-off-by: Alistair Popple +Signed-off-by: Andrew Morton +Reviewed-by: Peter Xu +Cc: Jérôme Glisse +Cc: John Hubbard +Cc: Ralph Campbell +Cc: Alistair Popple +Cc: +Link: https://lkml.kernel.org/r/20200825064232.10023-2-alistair@popple.id.au +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/migrate.c | 15 +++++++++++---- + mm/rmap.c | 9 +++++++-- + 2 files changed, 18 insertions(+), 6 deletions(-) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -2330,10 +2330,17 @@ again: + entry = make_migration_entry(page, mpfn & + MIGRATE_PFN_WRITE); + swp_pte = swp_entry_to_pte(entry); +- if (pte_soft_dirty(pte)) +- swp_pte = pte_swp_mksoft_dirty(swp_pte); +- if (pte_uffd_wp(pte)) +- swp_pte = pte_swp_mkuffd_wp(swp_pte); ++ if (pte_present(pte)) { ++ if (pte_soft_dirty(pte)) ++ swp_pte = pte_swp_mksoft_dirty(swp_pte); ++ if (pte_uffd_wp(pte)) ++ swp_pte = pte_swp_mkuffd_wp(swp_pte); ++ } else { ++ if (pte_swp_soft_dirty(pte)) ++ swp_pte = pte_swp_mksoft_dirty(swp_pte); ++ if (pte_swp_uffd_wp(pte)) ++ swp_pte = pte_swp_mkuffd_wp(swp_pte); ++ } + set_pte_at(mm, addr, ptep, swp_pte); + + /* +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -1511,9 +1511,14 @@ static bool try_to_unmap_one(struct page + */ + entry = make_migration_entry(page, 0); + swp_pte = swp_entry_to_pte(entry); +- if (pte_soft_dirty(pteval)) ++ ++ /* ++ * pteval maps a zone device page and is therefore ++ * a swap pte. ++ */ ++ if (pte_swp_soft_dirty(pteval)) + swp_pte = pte_swp_mksoft_dirty(swp_pte); +- if (pte_uffd_wp(pteval)) ++ if (pte_swp_uffd_wp(pteval)) + swp_pte = pte_swp_mkuffd_wp(swp_pte); + set_pte_at(mm, pvmw.address, pvmw.pte, swp_pte); + /* diff --git a/queue-5.8/mm-slub-fix-conversion-of-freelist_corrupted.patch b/queue-5.8/mm-slub-fix-conversion-of-freelist_corrupted.patch new file mode 100644 index 00000000000..e8fe9770e43 --- /dev/null +++ b/queue-5.8/mm-slub-fix-conversion-of-freelist_corrupted.patch @@ -0,0 +1,76 @@ +From dc07a728d49cf025f5da2c31add438d839d076c0 Mon Sep 17 00:00:00 2001 +From: Eugeniu Rosca +Date: Fri, 4 Sep 2020 16:35:30 -0700 +Subject: mm: slub: fix conversion of freelist_corrupted() + +From: Eugeniu Rosca + +commit dc07a728d49cf025f5da2c31add438d839d076c0 upstream. + +Commit 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in +deactivate_slab()") suffered an update when picked up from LKML [1]. + +Specifically, relocating 'freelist = NULL' into 'freelist_corrupted()' +created a no-op statement. Fix it by sticking to the behavior intended +in the original patch [1]. In addition, make freelist_corrupted() +immune to passing NULL instead of &freelist. + +The issue has been spotted via static analysis and code review. + +[1] https://lore.kernel.org/linux-mm/20200331031450.12182-1-dongli.zhang@oracle.com/ + +Fixes: 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in deactivate_slab()") +Signed-off-by: Eugeniu Rosca +Signed-off-by: Andrew Morton +Cc: Dongli Zhang +Cc: Joe Jin +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: +Link: https://lkml.kernel.org/r/20200824130643.10291-1-erosca@de.adit-jv.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -680,12 +680,12 @@ static void slab_fix(struct kmem_cache * + } + + static bool freelist_corrupted(struct kmem_cache *s, struct page *page, +- void *freelist, void *nextfree) ++ void **freelist, void *nextfree) + { + if ((s->flags & SLAB_CONSISTENCY_CHECKS) && +- !check_valid_pointer(s, page, nextfree)) { +- object_err(s, page, freelist, "Freechain corrupt"); +- freelist = NULL; ++ !check_valid_pointer(s, page, nextfree) && freelist) { ++ object_err(s, page, *freelist, "Freechain corrupt"); ++ *freelist = NULL; + slab_fix(s, "Isolate corrupted freechain"); + return true; + } +@@ -1425,7 +1425,7 @@ static inline void dec_slabs_node(struct + int objects) {} + + static bool freelist_corrupted(struct kmem_cache *s, struct page *page, +- void *freelist, void *nextfree) ++ void **freelist, void *nextfree) + { + return false; + } +@@ -2117,7 +2117,7 @@ static void deactivate_slab(struct kmem_ + * 'freelist' is already corrupted. So isolate all objects + * starting at 'freelist'. + */ +- if (freelist_corrupted(s, page, freelist, nextfree)) ++ if (freelist_corrupted(s, page, &freelist, nextfree)) + break; + + do { diff --git a/queue-5.8/mm-track-page-table-modifications-in-__apply_to_page_range.patch b/queue-5.8/mm-track-page-table-modifications-in-__apply_to_page_range.patch new file mode 100644 index 00000000000..d18cca76a69 --- /dev/null +++ b/queue-5.8/mm-track-page-table-modifications-in-__apply_to_page_range.patch @@ -0,0 +1,226 @@ +From e80d3909be42f7e38cc350c1ba109cf0aa51956a Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Fri, 4 Sep 2020 16:35:43 -0700 +Subject: mm: track page table modifications in __apply_to_page_range() + +From: Joerg Roedel + +commit e80d3909be42f7e38cc350c1ba109cf0aa51956a upstream. + +__apply_to_page_range() is also used to change and/or allocate +page-table pages in the vmalloc area of the address space. Make sure +these changes get synchronized to other page-tables in the system by +calling arch_sync_kernel_mappings() when necessary. + +The impact appears limited to x86-32, where apply_to_page_range may miss +updating the PMD. That leads to explosions in drivers like + + BUG: unable to handle page fault for address: fe036000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + *pde = 00000000 + Oops: 0002 [#1] SMP + CPU: 3 PID: 1300 Comm: gem_concurrent_ Not tainted 5.9.0-rc1+ #16 + Hardware name: /NUC6i3SYB, BIOS SYSKLi35.86A.0024.2015.1027.2142 10/27/2015 + EIP: __execlists_context_alloc+0x132/0x2d0 [i915] + Code: 31 d2 89 f0 e8 2f 55 02 00 89 45 e8 3d 00 f0 ff ff 0f 87 11 01 00 00 8b 4d e8 03 4b 30 b8 5a 5a 5a 5a ba 01 00 00 00 8d 79 04 01 5a 5a 5a 5a c7 81 fc 0f 00 00 5a 5a 5a 5a 83 e7 fc 29 f9 81 + EAX: 5a5a5a5a EBX: f60ca000 ECX: fe036000 EDX: 00000001 + ESI: f43b7340 EDI: fe036004 EBP: f6389cb8 ESP: f6389c9c + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010286 + CR0: 80050033 CR2: fe036000 CR3: 2d361000 CR4: 001506d0 + DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 + DR6: fffe0ff0 DR7: 00000400 + Call Trace: + execlists_context_alloc+0x10/0x20 [i915] + intel_context_alloc_state+0x3f/0x70 [i915] + __intel_context_do_pin+0x117/0x170 [i915] + i915_gem_do_execbuffer+0xcc7/0x2500 [i915] + i915_gem_execbuffer2_ioctl+0xcd/0x1f0 [i915] + drm_ioctl_kernel+0x8f/0xd0 + drm_ioctl+0x223/0x3d0 + __ia32_sys_ioctl+0x1ab/0x760 + __do_fast_syscall_32+0x3f/0x70 + do_fast_syscall_32+0x29/0x60 + do_SYSENTER_32+0x15/0x20 + entry_SYSENTER_32+0x9f/0xf2 + EIP: 0xb7f28559 + Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76 + EAX: ffffffda EBX: 00000005 ECX: c0406469 EDX: bf95556c + ESI: b7e68000 EDI: c0406469 EBP: 00000005 ESP: bf9554d8 + DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296 + Modules linked in: i915 x86_pkg_temp_thermal intel_powerclamp crc32_pclmul crc32c_intel intel_cstate intel_uncore intel_gtt drm_kms_helper intel_pch_thermal video button autofs4 i2c_i801 i2c_smbus fan + CR2: 00000000fe036000 + +It looks like kasan, xen and i915 are vulnerable. + +Actual impact is "on thinkpad X60 in 5.9-rc1, screen starts blinking +after 30-or-so minutes, and machine is unusable" + +[sfr@canb.auug.org.au: ARCH_PAGE_TABLE_SYNC_MASK needs vmalloc.h] + Link: https://lkml.kernel.org/r/20200825172508.16800a4f@canb.auug.org.au +[chris@chris-wilson.co.uk: changelog addition] +[pavel@ucw.cz: changelog addition] + +Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") +Fixes: 86cf69f1d893 ("x86/mm/32: implement arch_sync_kernel_mappings()") +Signed-off-by: Joerg Roedel +Signed-off-by: Stephen Rothwell +Signed-off-by: Andrew Morton +Tested-by: Chris Wilson [x86-32] +Tested-by: Pavel Machek +Acked-by: Linus Torvalds +Cc: [5.8+] +Link: https://lkml.kernel.org/r/20200821123746.16904-1-joro@8bytes.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -71,6 +71,7 @@ + #include + #include + #include ++#include + + #include + +@@ -2201,7 +2202,8 @@ EXPORT_SYMBOL(vm_iomap_memory); + + static int apply_to_pte_range(struct mm_struct *mm, pmd_t *pmd, + unsigned long addr, unsigned long end, +- pte_fn_t fn, void *data, bool create) ++ pte_fn_t fn, void *data, bool create, ++ pgtbl_mod_mask *mask) + { + pte_t *pte; + int err = 0; +@@ -2209,7 +2211,7 @@ static int apply_to_pte_range(struct mm_ + + if (create) { + pte = (mm == &init_mm) ? +- pte_alloc_kernel(pmd, addr) : ++ pte_alloc_kernel_track(pmd, addr, mask) : + pte_alloc_map_lock(mm, pmd, addr, &ptl); + if (!pte) + return -ENOMEM; +@@ -2230,6 +2232,7 @@ static int apply_to_pte_range(struct mm_ + break; + } + } while (addr += PAGE_SIZE, addr != end); ++ *mask |= PGTBL_PTE_MODIFIED; + + arch_leave_lazy_mmu_mode(); + +@@ -2240,7 +2243,8 @@ static int apply_to_pte_range(struct mm_ + + static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, + unsigned long addr, unsigned long end, +- pte_fn_t fn, void *data, bool create) ++ pte_fn_t fn, void *data, bool create, ++ pgtbl_mod_mask *mask) + { + pmd_t *pmd; + unsigned long next; +@@ -2249,7 +2253,7 @@ static int apply_to_pmd_range(struct mm_ + BUG_ON(pud_huge(*pud)); + + if (create) { +- pmd = pmd_alloc(mm, pud, addr); ++ pmd = pmd_alloc_track(mm, pud, addr, mask); + if (!pmd) + return -ENOMEM; + } else { +@@ -2259,7 +2263,7 @@ static int apply_to_pmd_range(struct mm_ + next = pmd_addr_end(addr, end); + if (create || !pmd_none_or_clear_bad(pmd)) { + err = apply_to_pte_range(mm, pmd, addr, next, fn, data, +- create); ++ create, mask); + if (err) + break; + } +@@ -2269,14 +2273,15 @@ static int apply_to_pmd_range(struct mm_ + + static int apply_to_pud_range(struct mm_struct *mm, p4d_t *p4d, + unsigned long addr, unsigned long end, +- pte_fn_t fn, void *data, bool create) ++ pte_fn_t fn, void *data, bool create, ++ pgtbl_mod_mask *mask) + { + pud_t *pud; + unsigned long next; + int err = 0; + + if (create) { +- pud = pud_alloc(mm, p4d, addr); ++ pud = pud_alloc_track(mm, p4d, addr, mask); + if (!pud) + return -ENOMEM; + } else { +@@ -2286,7 +2291,7 @@ static int apply_to_pud_range(struct mm_ + next = pud_addr_end(addr, end); + if (create || !pud_none_or_clear_bad(pud)) { + err = apply_to_pmd_range(mm, pud, addr, next, fn, data, +- create); ++ create, mask); + if (err) + break; + } +@@ -2296,14 +2301,15 @@ static int apply_to_pud_range(struct mm_ + + static int apply_to_p4d_range(struct mm_struct *mm, pgd_t *pgd, + unsigned long addr, unsigned long end, +- pte_fn_t fn, void *data, bool create) ++ pte_fn_t fn, void *data, bool create, ++ pgtbl_mod_mask *mask) + { + p4d_t *p4d; + unsigned long next; + int err = 0; + + if (create) { +- p4d = p4d_alloc(mm, pgd, addr); ++ p4d = p4d_alloc_track(mm, pgd, addr, mask); + if (!p4d) + return -ENOMEM; + } else { +@@ -2313,7 +2319,7 @@ static int apply_to_p4d_range(struct mm_ + next = p4d_addr_end(addr, end); + if (create || !p4d_none_or_clear_bad(p4d)) { + err = apply_to_pud_range(mm, p4d, addr, next, fn, data, +- create); ++ create, mask); + if (err) + break; + } +@@ -2326,8 +2332,9 @@ static int __apply_to_page_range(struct + void *data, bool create) + { + pgd_t *pgd; +- unsigned long next; ++ unsigned long start = addr, next; + unsigned long end = addr + size; ++ pgtbl_mod_mask mask = 0; + int err = 0; + + if (WARN_ON(addr >= end)) +@@ -2338,11 +2345,14 @@ static int __apply_to_page_range(struct + next = pgd_addr_end(addr, end); + if (!create && pgd_none_or_clear_bad(pgd)) + continue; +- err = apply_to_p4d_range(mm, pgd, addr, next, fn, data, create); ++ err = apply_to_p4d_range(mm, pgd, addr, next, fn, data, create, &mask); + if (err) + break; + } while (pgd++, addr = next, addr != end); + ++ if (mask & ARCH_PAGE_TABLE_SYNC_MASK) ++ arch_sync_kernel_mappings(start, start + size); ++ + return err; + } + diff --git a/queue-5.8/mmc-dt-bindings-add-resets-reset-names-for-mediatek-mmc-bindings.patch b/queue-5.8/mmc-dt-bindings-add-resets-reset-names-for-mediatek-mmc-bindings.patch new file mode 100644 index 00000000000..2d5eff4c3f4 --- /dev/null +++ b/queue-5.8/mmc-dt-bindings-add-resets-reset-names-for-mediatek-mmc-bindings.patch @@ -0,0 +1,34 @@ +From 65557383191de46611dd3d6b639cbcfbade43c4a Mon Sep 17 00:00:00 2001 +From: Wenbin Mei +Date: Fri, 14 Aug 2020 09:43:44 +0800 +Subject: mmc: dt-bindings: Add resets/reset-names for Mediatek MMC bindings + +From: Wenbin Mei + +commit 65557383191de46611dd3d6b639cbcfbade43c4a upstream. + +Add description for resets/reset-names. + +Cc: # v5.4+ +Fixes: 966580ad236e ("mmc: mediatek: add support for MT7622 SoC") +Signed-off-by: Wenbin Mei +Tested-by: Frank Wunderlich +Link: https://lore.kernel.org/r/20200814014346.6496-2-wenbin.mei@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/mmc/mtk-sd.txt | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/Documentation/devicetree/bindings/mmc/mtk-sd.txt ++++ b/Documentation/devicetree/bindings/mmc/mtk-sd.txt +@@ -49,6 +49,8 @@ Optional properties: + error caused by stop clock(fifo full) + Valid range = [0:0x7]. if not present, default value is 0. + applied to compatible "mediatek,mt2701-mmc". ++- resets: Phandle and reset specifier pair to softreset line of MSDC IP. ++- reset-names: Should be "hrst". + + Examples: + mmc0: mmc@11230000 { diff --git a/queue-5.8/mmc-mediatek-add-optional-module-reset-property.patch b/queue-5.8/mmc-mediatek-add-optional-module-reset-property.patch new file mode 100644 index 00000000000..503a1b5159d --- /dev/null +++ b/queue-5.8/mmc-mediatek-add-optional-module-reset-property.patch @@ -0,0 +1,75 @@ +From 855d388df217989fbf1f18c781ae6490dbb48e86 Mon Sep 17 00:00:00 2001 +From: Wenbin Mei +Date: Fri, 14 Aug 2020 09:43:46 +0800 +Subject: mmc: mediatek: add optional module reset property + +From: Wenbin Mei + +commit 855d388df217989fbf1f18c781ae6490dbb48e86 upstream. + +This patch fixs eMMC-Access on mt7622/Bpi-64. +Before we got these Errors on mounting eMMC ion R64: +[ 48.664925] blk_update_request: I/O error, dev mmcblk0, sector 204800 op 0x1:(WRITE) +flags 0x800 phys_seg 1 prio class 0 +[ 48.676019] Buffer I/O error on dev mmcblk0p1, logical block 0, lost sync page write + +This patch adds a optional reset management for msdc. +Sometimes the bootloader does not bring msdc register +to default state, so need reset the msdc controller. + +Cc: # v5.4+ +Fixes: 966580ad236e ("mmc: mediatek: add support for MT7622 SoC") +Signed-off-by: Wenbin Mei +Reviewed-by: Philipp Zabel +Tested-by: Frank Wunderlich +Link: https://lore.kernel.org/r/20200814014346.6496-4-wenbin.mei@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/mtk-sd.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -414,6 +415,7 @@ struct msdc_host { + struct pinctrl_state *pins_uhs; + struct delayed_work req_timeout; + int irq; /* host interrupt */ ++ struct reset_control *reset; + + struct clk *src_clk; /* msdc source clock */ + struct clk *h_clk; /* msdc h_clk */ +@@ -1516,6 +1518,12 @@ static void msdc_init_hw(struct msdc_hos + u32 val; + u32 tune_reg = host->dev_comp->pad_tune_reg; + ++ if (host->reset) { ++ reset_control_assert(host->reset); ++ usleep_range(10, 50); ++ reset_control_deassert(host->reset); ++ } ++ + /* Configure to MMC/SD mode, clock free running */ + sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_MODE | MSDC_CFG_CKPDN); + +@@ -2273,6 +2281,11 @@ static int msdc_drv_probe(struct platfor + if (IS_ERR(host->src_clk_cg)) + host->src_clk_cg = NULL; + ++ host->reset = devm_reset_control_get_optional_exclusive(&pdev->dev, ++ "hrst"); ++ if (IS_ERR(host->reset)) ++ return PTR_ERR(host->reset); ++ + host->irq = platform_get_irq(pdev, 0); + if (host->irq < 0) { + ret = -EINVAL; diff --git a/queue-5.8/mmc-sdhci-pci-fix-sdhci_reset_all-for-cqhci-for-intel-glk-based-controllers.patch b/queue-5.8/mmc-sdhci-pci-fix-sdhci_reset_all-for-cqhci-for-intel-glk-based-controllers.patch new file mode 100644 index 00000000000..702e824933a --- /dev/null +++ b/queue-5.8/mmc-sdhci-pci-fix-sdhci_reset_all-for-cqhci-for-intel-glk-based-controllers.patch @@ -0,0 +1,60 @@ +From df57d73276b863af1debc48546b0e59e44998a55 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 19 Aug 2020 15:18:48 +0300 +Subject: mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers + +From: Adrian Hunter + +commit df57d73276b863af1debc48546b0e59e44998a55 upstream. + +For Intel controllers, SDHCI_RESET_ALL resets also CQHCI registers. +Normally, SDHCI_RESET_ALL is not used while CQHCI is enabled, but that can +happen on the error path. e.g. if mmc_cqe_recovery() fails, mmc_blk_reset() +is called which, for a eMMC that does not support HW Reset, will cycle the +bus power and the driver will perform SDHCI_RESET_ALL. + +So whenever performing SDHCI_RESET_ALL ensure CQHCI is deactivated. +That will force the driver to reinitialize CQHCI when it is next used. + +A similar change was done already for sdhci-msm, and other drivers using +CQHCI might benefit from a similar change, if they also have CQHCI reset +by SDHCI_RESET_ALL. + +Fixes: 8ee82bda230fc9 ("mmc: sdhci-pci: Add CQHCI support for Intel GLK") +Cc: stable@vger.kernel.org # 5.4.x: 0ffa6cfbd949: mmc: cqhci: Add cqhci_deactivate() +Cc: stable@vger.kernel.org # 5.4+ +Signed-off-by: Adrian Hunter +Link: https://lore.kernel.org/r/20200819121848.16967-1-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-pci-core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -232,6 +232,14 @@ static void sdhci_pci_dumpregs(struct mm + sdhci_dumpregs(mmc_priv(mmc)); + } + ++static void sdhci_cqhci_reset(struct sdhci_host *host, u8 mask) ++{ ++ if ((host->mmc->caps2 & MMC_CAP2_CQE) && (mask & SDHCI_RESET_ALL) && ++ host->mmc->cqe_private) ++ cqhci_deactivate(host->mmc); ++ sdhci_reset(host, mask); ++} ++ + /*****************************************************************************\ + * * + * Hardware specific quirk handling * +@@ -718,7 +726,7 @@ static const struct sdhci_ops sdhci_inte + .set_power = sdhci_intel_set_power, + .enable_dma = sdhci_pci_enable_dma, + .set_bus_width = sdhci_set_bus_width, +- .reset = sdhci_reset, ++ .reset = sdhci_cqhci_reset, + .set_uhs_signaling = sdhci_set_uhs_signaling, + .hw_reset = sdhci_pci_hw_reset, + .irq = sdhci_cqhci_irq, diff --git a/queue-5.8/s390-fix-generic_lockbreak-dependency-typo-in-kconfig.patch b/queue-5.8/s390-fix-generic_lockbreak-dependency-typo-in-kconfig.patch new file mode 100644 index 00000000000..60ced0b1087 --- /dev/null +++ b/queue-5.8/s390-fix-generic_lockbreak-dependency-typo-in-kconfig.patch @@ -0,0 +1,36 @@ +From 114b9df419bf5db097b322ebb03fcf2f502f9380 Mon Sep 17 00:00:00 2001 +From: Eric Farman +Date: Tue, 25 Aug 2020 03:59:39 +0200 +Subject: s390: fix GENERIC_LOCKBREAK dependency typo in Kconfig + +From: Eric Farman + +commit 114b9df419bf5db097b322ebb03fcf2f502f9380 upstream. + +Commit fa686453053b ("sched/rt, s390: Use CONFIG_PREEMPTION") +changed a bunch of uses of CONFIG_PREEMPT to _PREEMPTION. +Except in the Kconfig it used two T's. That's the only place +in the system where that spelling exists, so let's fix that. + +Fixes: fa686453053b ("sched/rt, s390: Use CONFIG_PREEMPTION") +Cc: # 5.6 +Signed-off-by: Eric Farman +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -30,7 +30,7 @@ config GENERIC_BUG_RELATIVE_POINTERS + def_bool y + + config GENERIC_LOCKBREAK +- def_bool y if PREEMPTTION ++ def_bool y if PREEMPTION + + config PGSTE + def_bool y if KVM diff --git a/queue-5.8/series b/queue-5.8/series index 21bd1cdb350..a3c67d9e3dd 100644 --- a/queue-5.8/series +++ b/queue-5.8/series @@ -133,3 +133,43 @@ bluetooth-return-notify_done-for-hci_suspend_notifie.patch x86-mm-32-bring-back-vmalloc-faulting-on-x86_32.patch revert-alsa-hda-add-support-for-loongson-7a1000-controller.patch alsa-ca0106-fix-error-code-handling.patch +alsa-usb-audio-add-basic-capture-support-for-pioneer-dj-djm-250mk2.patch +alsa-usb-audio-add-implicit-feedback-quirk-for-ur22c.patch +alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch +alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch +alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch +alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch +alsa-firewire-tascam-exclude-tascam-fe-8-from-detection.patch +alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-ion-nt950xcj-x716a.patch +alsa-hda-realtek-improved-routing-for-thinkpad-x1-7th-8th-gen.patch +arm64-dts-mt7622-add-reset-node-for-mmc-device.patch +mmc-mediatek-add-optional-module-reset-property.patch +mmc-dt-bindings-add-resets-reset-names-for-mediatek-mmc-bindings.patch +mmc-sdhci-pci-fix-sdhci_reset_all-for-cqhci-for-intel-glk-based-controllers.patch +media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch +media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch +affs-fix-basic-permission-bits-to-actually-work.patch +block-allow-for_each_bvec-to-support-zero-len-bvec.patch +block-ensure-bdi-io_pages-is-always-initialized.patch +io_uring-set-table-files-to-null-when-io_sqe_file_register-failed.patch +io_uring-fix-removing-the-wrong-file-in-__io_sqe_files_update.patch +s390-fix-generic_lockbreak-dependency-typo-in-kconfig.patch +libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch +mips-oprofile-fix-fallthrough-placement.patch +blk-iocost-ioc_pd_free-shouldn-t-assume-irq-disabled.patch +blk-stat-make-q-stats-lock-irqsafe.patch +dmaengine-dw-edma-fix-scatter-gather-address-calculation.patch +drm-i915-fix-sha_text-population-code.patch +drm-amd-pm-avoid-false-alarm-due-to-confusing-softwareshutdowntemp-setting.patch +drm-amdgpu-specify-get_argument-function-for-ci_smu_funcs.patch +dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch +dm-mpath-fix-racey-management-of-pg-initialization.patch +dm-integrity-fix-error-reporting-in-bitmap-mode-after-creation.patch +dm-crypt-initialize-crypto-wait-structures.patch +dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch +dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch +dm-thin-metadata-fix-use-after-free-in-dm_bm_set_read_only.patch +mm-slub-fix-conversion-of-freelist_corrupted.patch +mm-track-page-table-modifications-in-__apply_to_page_range.patch +mm-madvise-fix-vma-user-after-free.patch +mm-rmap-fixup-copying-of-soft-dirty-and-uffd-ptes.patch