From: Greg Kroah-Hartman Date: Mon, 4 Nov 2019 10:19:25 +0000 (+0100) Subject: 5.3-stable patches X-Git-Tag: v4.4.199~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2bf0eb6cdbe8ca51973ddf6504c832be7751ca0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.3-stable patches added patches: arc-perf-accommodate-big-endian-cpu.patch arm64-cpufeature-enable-qualcomm-falkor-kryo-errata-1003.patch arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch dmaengine-imx-sdma-fix-size-check-for-sdma-script_number.patch dmaengine-qcom-bam_dma-fix-resource-leak.patch dmaengine-tegra210-adma-fix-transfer-failure.patch drm-amdgpu-fix-sdma-hang-when-performing-vkexample-test.patch drm-amdgpu-gfx10-update-gfx-golden-settings.patch drm-amdgpu-gmc10-properly-set-bank_select-and-fragment_size.patch drm-amdgpu-powerplay-vega10-allow-undervolting-in-p7.patch drm-i915-fix-pch-reference-clock-for-fdi-on-hsw-bdw.patch hid-logitech-hidpp-do-all-ff-cleanup-in-hidpp_ff_destroy.patch hid-logitech-hidpp-rework-device-validation.patch hid-logitech-hidpp-split-g920_get_config.patch ib-hfi1-avoid-excessive-retry-for-tid-rdma-read-request.patch io_uring-ensure-we-clear-io_kiocb-result-before-each-issue.patch iommu-vt-d-fix-panic-after-kexec-p-for-kdump.patch kvm-vmx-svm-always-run-with-efer.nxe-1-when-shadow-paging-is-active.patch nfs-fix-an-rcu-lock-leak-in-nfs4_refresh_delegation_stateid.patch rtlwifi-fix-potential-overflow-on-p2p-code.patch rtlwifi-rtl_pci-fix-problem-of-too-small-skb-len.patch s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch s390-idle-fix-cpu-idle-time-calculation.patch s390-unwind-fix-mixing-regs-and-sp.patch um-ubd-entrust-re-queue-to-the-upper-layers.patch virtio_ring-fix-stalls-for-packed-rings.patch --- diff --git a/queue-5.3/arc-perf-accommodate-big-endian-cpu.patch b/queue-5.3/arc-perf-accommodate-big-endian-cpu.patch new file mode 100644 index 00000000000..4b95cb61107 --- /dev/null +++ b/queue-5.3/arc-perf-accommodate-big-endian-cpu.patch @@ -0,0 +1,78 @@ +From 5effc09c4907901f0e71e68e5f2e14211d9a203f Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Tue, 22 Oct 2019 17:04:11 +0300 +Subject: ARC: perf: Accommodate big-endian CPU + +From: Alexey Brodkin + +commit 5effc09c4907901f0e71e68e5f2e14211d9a203f upstream. + +8-letter strings representing ARC perf events are stores in two +32-bit registers as ASCII characters like that: "IJMP", "IALL", "IJMPTAK" etc. + +And the same order of bytes in the word is used regardless CPU endianness. + +Which means in case of big-endian CPU core we need to swap bytes to get +the same order as if it was on little-endian CPU. + +Otherwise we're seeing the following error message on boot: +------------------------->8---------------------- +ARC perf : 8 counters (32 bits), 40 conditions, [overflow IRQ support] +sysfs: cannot create duplicate filename '/devices/arc_pct/events/pmji' +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.2.18 #3 +Stack Trace: + arc_unwind_core+0xd4/0xfc + dump_stack+0x64/0x80 + sysfs_warn_dup+0x46/0x58 + sysfs_add_file_mode_ns+0xb2/0x168 + create_files+0x70/0x2a0 +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1 at kernel/events/core.c:12144 perf_event_sysfs_init+0x70/0xa0 +Failed to register pmu: arc_pct, reason -17 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.2.18 #3 +Stack Trace: + arc_unwind_core+0xd4/0xfc + dump_stack+0x64/0x80 + __warn+0x9c/0xd4 + warn_slowpath_fmt+0x22/0x2c + perf_event_sysfs_init+0x70/0xa0 +---[ end trace a75fb9a9837bd1ec ]--- +------------------------->8---------------------- + +What happens here we're trying to register more than one raw perf event +with the same name "PMJI". Why? Because ARC perf events are 4 to 8 letters +and encoded into two 32-bit words. In this particular case we deal with 2 +events: + * "IJMP____" which counts all jump & branch instructions + * "IJMPC___" which counts only conditional jumps & branches + +Those strings are split in two 32-bit words this way "IJMP" + "____" & +"IJMP" + "C___" correspondingly. Now if we read them swapped due to CPU core +being big-endian then we read "PMJI" + "____" & "PMJI" + "___C". + +And since we interpret read array of ASCII letters as a null-terminated string +on big-endian CPU we end up with 2 events of the same name "PMJI". + +Signed-off-by: Alexey Brodkin +Cc: stable@vger.kernel.org +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/perf_event.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arc/kernel/perf_event.c ++++ b/arch/arc/kernel/perf_event.c +@@ -614,8 +614,8 @@ static int arc_pmu_device_probe(struct p + /* loop thru all available h/w condition indexes */ + for (i = 0; i < cc_bcr.c; i++) { + write_aux_reg(ARC_REG_CC_INDEX, i); +- cc_name.indiv.word0 = read_aux_reg(ARC_REG_CC_NAME0); +- cc_name.indiv.word1 = read_aux_reg(ARC_REG_CC_NAME1); ++ cc_name.indiv.word0 = le32_to_cpu(read_aux_reg(ARC_REG_CC_NAME0)); ++ cc_name.indiv.word1 = le32_to_cpu(read_aux_reg(ARC_REG_CC_NAME1)); + + arc_pmu_map_hw_event(i, cc_name.str); + arc_pmu_add_raw_event_attr(i, cc_name.str); diff --git a/queue-5.3/arm64-cpufeature-enable-qualcomm-falkor-kryo-errata-1003.patch b/queue-5.3/arm64-cpufeature-enable-qualcomm-falkor-kryo-errata-1003.patch new file mode 100644 index 00000000000..3eb631c2faa --- /dev/null +++ b/queue-5.3/arm64-cpufeature-enable-qualcomm-falkor-kryo-errata-1003.patch @@ -0,0 +1,41 @@ +From d4af3c4b81f4cd5662baa6f1492f998d89783318 Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Tue, 29 Oct 2019 10:15:39 -0700 +Subject: arm64: cpufeature: Enable Qualcomm Falkor/Kryo errata 1003 + +From: Bjorn Andersson + +commit d4af3c4b81f4cd5662baa6f1492f998d89783318 upstream. + +With the introduction of 'cce360b54ce6 ("arm64: capabilities: Filter the +entries based on a given mask")' the Qualcomm Falkor/Kryo errata 1003 is +no long applied. + +The result of not applying errata 1003 is that MSM8996 runs into various +RCU stalls and fails to boot most of the times. + +Give 1003 a "type" to ensure they are not filtered out in +update_cpu_capabilities(). + +Fixes: cce360b54ce6 ("arm64: capabilities: Filter the entries based on a given mask") +Cc: stable@vger.kernel.org +Reported-by: Mark Brown +Suggested-by: Will Deacon +Signed-off-by: Bjorn Andersson +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/cpu_errata.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -816,6 +816,7 @@ const struct arm64_cpu_capabilities arm6 + { + .desc = "Qualcomm Technologies Falkor/Kryo erratum 1003", + .capability = ARM64_WORKAROUND_QCOM_FALKOR_E1003, ++ .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, + .matches = cpucap_multi_entry_cap_matches, + .match_list = qcom_erratum_1003_list, + }, diff --git a/queue-5.3/arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch b/queue-5.3/arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch new file mode 100644 index 00000000000..2978145627c --- /dev/null +++ b/queue-5.3/arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch @@ -0,0 +1,71 @@ +From aa57157be69fb599bd4c38a4b75c5aad74a60ec0 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Tue, 29 Oct 2019 15:30:51 +0000 +Subject: arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default + +From: Catalin Marinas + +commit aa57157be69fb599bd4c38a4b75c5aad74a60ec0 upstream. + +Shared and writable mappings (__S.1.) should be clean (!dirty) initially +and made dirty on a subsequent write either through the hardware DBM +(dirty bit management) mechanism or through a write page fault. A clean +pte for the arm64 kernel is one that has PTE_RDONLY set and PTE_DIRTY +clear. + +The PAGE_SHARED{,_EXEC} attributes have PTE_WRITE set (PTE_DBM) and +PTE_DIRTY clear. Prior to commit 73e86cb03cf2 ("arm64: Move PTE_RDONLY +bit handling out of set_pte_at()"), it was the responsibility of +set_pte_at() to set the PTE_RDONLY bit and mark the pte clean if the +software PTE_DIRTY bit was not set. However, the above commit removed +the pte_sw_dirty() check and the subsequent setting of PTE_RDONLY in +set_pte_at() while leaving the PAGE_SHARED{,_EXEC} definitions +unchanged. The result is that shared+writable mappings are now dirty by +default + +Fix the above by explicitly setting PTE_RDONLY in PAGE_SHARED{,_EXEC}. +In addition, remove the superfluous PTE_DIRTY bit from the kernel PROT_* +attributes. + +Fixes: 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()") +Cc: # 4.14.x- +Cc: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/pgtable-prot.h | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -32,11 +32,11 @@ + #define PROT_DEFAULT (_PROT_DEFAULT | PTE_MAYBE_NG) + #define PROT_SECT_DEFAULT (_PROT_SECT_DEFAULT | PMD_MAYBE_NG) + +-#define PROT_DEVICE_nGnRnE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE)) +-#define PROT_DEVICE_nGnRE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE)) +-#define PROT_NORMAL_NC (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_NC)) +-#define PROT_NORMAL_WT (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_WT)) +-#define PROT_NORMAL (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_DIRTY | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL)) ++#define PROT_DEVICE_nGnRnE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRnE)) ++#define PROT_DEVICE_nGnRE (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_DEVICE_nGnRE)) ++#define PROT_NORMAL_NC (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_NC)) ++#define PROT_NORMAL_WT (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL_WT)) ++#define PROT_NORMAL (PROT_DEFAULT | PTE_PXN | PTE_UXN | PTE_WRITE | PTE_ATTRINDX(MT_NORMAL)) + + #define PROT_SECT_DEVICE_nGnRE (PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_DEVICE_nGnRE)) + #define PROT_SECT_NORMAL (PROT_SECT_DEFAULT | PMD_SECT_PXN | PMD_SECT_UXN | PMD_ATTRINDX(MT_NORMAL)) +@@ -80,8 +80,9 @@ + #define PAGE_S2_DEVICE __pgprot(_PROT_DEFAULT | PAGE_S2_MEMATTR(DEVICE_nGnRE) | PTE_S2_RDONLY | PAGE_S2_XN) + + #define PAGE_NONE __pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) | PTE_PROT_NONE | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN) +-#define PAGE_SHARED __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE) +-#define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_NG | PTE_PXN | PTE_WRITE) ++/* shared+writable pages are clean by default, hence PTE_RDONLY|PTE_WRITE */ ++#define PAGE_SHARED __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE) ++#define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE) + #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN) + #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN) + #define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_RDONLY | PTE_NG | PTE_PXN) diff --git a/queue-5.3/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch b/queue-5.3/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch new file mode 100644 index 00000000000..87140b9cfaf --- /dev/null +++ b/queue-5.3/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch @@ -0,0 +1,74 @@ +From bacdcb6675e170bb2e8d3824da220e10274f42a7 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Wed, 23 Oct 2019 08:31:38 -0700 +Subject: dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle + +From: Tony Lindgren + +commit bacdcb6675e170bb2e8d3824da220e10274f42a7 upstream. + +Yegor Yefremov reported that musb and ftdi +uart can fail for the first open of the uart unless connected using +a hub. + +This is because the first dma call done by musb_ep_program() must wait +if cppi41 is PM runtime suspended. Otherwise musb_ep_program() continues +with other non-dma packets before the DMA transfer is started causing at +least ftdi uarts to fail to receive data. + +Let's fix the issue by waking up cppi41 with PM runtime calls added to +cppi41_dma_prep_slave_sg() and return NULL if still idled. This way we +have musb_ep_program() continue with PIO until cppi41 is awake. + +Fixes: fdea2d09b997 ("dmaengine: cppi41: Add basic PM runtime support") +Reported-by: Yegor Yefremov +Signed-off-by: Tony Lindgren +Cc: stable@vger.kernel.org # v4.9+ +Link: https://lore.kernel.org/r/20191023153138.23442-1-tony@atomide.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/ti/cppi41.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/drivers/dma/ti/cppi41.c ++++ b/drivers/dma/ti/cppi41.c +@@ -586,9 +586,22 @@ static struct dma_async_tx_descriptor *c + enum dma_transfer_direction dir, unsigned long tx_flags, void *context) + { + struct cppi41_channel *c = to_cpp41_chan(chan); ++ struct dma_async_tx_descriptor *txd = NULL; ++ struct cppi41_dd *cdd = c->cdd; + struct cppi41_desc *d; + struct scatterlist *sg; + unsigned int i; ++ int error; ++ ++ error = pm_runtime_get(cdd->ddev.dev); ++ if (error < 0) { ++ pm_runtime_put_noidle(cdd->ddev.dev); ++ ++ return NULL; ++ } ++ ++ if (cdd->is_suspended) ++ goto err_out_not_ready; + + d = c->desc; + for_each_sg(sgl, sg, sg_len, i) { +@@ -611,7 +624,13 @@ static struct dma_async_tx_descriptor *c + d++; + } + +- return &c->txd; ++ txd = &c->txd; ++ ++err_out_not_ready: ++ pm_runtime_mark_last_busy(cdd->ddev.dev); ++ pm_runtime_put_autosuspend(cdd->ddev.dev); ++ ++ return txd; + } + + static void cppi41_compute_td_desc(struct cppi41_desc *d) diff --git a/queue-5.3/dmaengine-imx-sdma-fix-size-check-for-sdma-script_number.patch b/queue-5.3/dmaengine-imx-sdma-fix-size-check-for-sdma-script_number.patch new file mode 100644 index 00000000000..f91c9e6e47b --- /dev/null +++ b/queue-5.3/dmaengine-imx-sdma-fix-size-check-for-sdma-script_number.patch @@ -0,0 +1,67 @@ +From bd73dfabdda280fc5f05bdec79b6721b4b2f035f Mon Sep 17 00:00:00 2001 +From: Robin Gong +Date: Tue, 24 Sep 2019 09:49:18 +0000 +Subject: dmaengine: imx-sdma: fix size check for sdma script_number + +From: Robin Gong + +commit bd73dfabdda280fc5f05bdec79b6721b4b2f035f upstream. + +Illegal memory will be touch if SDMA_SCRIPT_ADDRS_ARRAY_SIZE_V3 +(41) exceed the size of structure sdma_script_start_addrs(40), +thus cause memory corrupt such as slob block header so that kernel +trap into while() loop forever in slob_free(). Please refer to below +code piece in imx-sdma.c: +for (i = 0; i < sdma->script_number; i++) + if (addr_arr[i] > 0) + saddr_arr[i] = addr_arr[i]; /* memory corrupt here */ +That issue was brought by commit a572460be9cf ("dmaengine: imx-sdma: Add +support for version 3 firmware") because SDMA_SCRIPT_ADDRS_ARRAY_SIZE_V3 +(38->41 3 scripts added) not align with script number added in +sdma_script_start_addrs(2 scripts). + +Fixes: a572460be9cf ("dmaengine: imx-sdma: Add support for version 3 firmware") +Cc: stable@vger.kernel +Link: https://www.spinics.net/lists/arm-kernel/msg754895.html +Signed-off-by: Robin Gong +Reported-by: Jurgen Lambrecht +Link: https://lore.kernel.org/r/1569347584-3478-1-git-send-email-yibin.gong@nxp.com +[vkoul: update the patch title] +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/imx-sdma.c | 8 ++++++++ + include/linux/platform_data/dma-imx-sdma.h | 3 +++ + 2 files changed, 11 insertions(+) + +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -1707,6 +1707,14 @@ static void sdma_add_scripts(struct sdma + if (!sdma->script_number) + sdma->script_number = SDMA_SCRIPT_ADDRS_ARRAY_SIZE_V1; + ++ if (sdma->script_number > sizeof(struct sdma_script_start_addrs) ++ / sizeof(s32)) { ++ dev_err(sdma->dev, ++ "SDMA script number %d not match with firmware.\n", ++ sdma->script_number); ++ return; ++ } ++ + for (i = 0; i < sdma->script_number; i++) + if (addr_arr[i] > 0) + saddr_arr[i] = addr_arr[i]; +--- a/include/linux/platform_data/dma-imx-sdma.h ++++ b/include/linux/platform_data/dma-imx-sdma.h +@@ -51,7 +51,10 @@ struct sdma_script_start_addrs { + /* End of v2 array */ + s32 zcanfd_2_mcu_addr; + s32 zqspi_2_mcu_addr; ++ s32 mcu_2_ecspi_addr; + /* End of v3 array */ ++ s32 mcu_2_zqspi_addr; ++ /* End of v4 array */ + }; + + /** diff --git a/queue-5.3/dmaengine-qcom-bam_dma-fix-resource-leak.patch b/queue-5.3/dmaengine-qcom-bam_dma-fix-resource-leak.patch new file mode 100644 index 00000000000..b9fb58d229f --- /dev/null +++ b/queue-5.3/dmaengine-qcom-bam_dma-fix-resource-leak.patch @@ -0,0 +1,57 @@ +From 7667819385457b4aeb5fac94f67f52ab52cc10d5 Mon Sep 17 00:00:00 2001 +From: Jeffrey Hugo +Date: Thu, 17 Oct 2019 08:26:06 -0700 +Subject: dmaengine: qcom: bam_dma: Fix resource leak + +From: Jeffrey Hugo + +commit 7667819385457b4aeb5fac94f67f52ab52cc10d5 upstream. + +bam_dma_terminate_all() will leak resources if any of the transactions are +committed to the hardware (present in the desc fifo), and not complete. +Since bam_dma_terminate_all() does not cause the hardware to be updated, +the hardware will still operate on any previously committed transactions. +This can cause memory corruption if the memory for the transaction has been +reassigned, and will cause a sync issue between the BAM and its client(s). + +Fix this by properly updating the hardware in bam_dma_terminate_all(). + +Fixes: e7c0fe2a5c84 ("dmaengine: add Qualcomm BAM dma driver") +Signed-off-by: Jeffrey Hugo +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191017152606.34120-1-jeffrey.l.hugo@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/qcom/bam_dma.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/dma/qcom/bam_dma.c ++++ b/drivers/dma/qcom/bam_dma.c +@@ -694,6 +694,25 @@ static int bam_dma_terminate_all(struct + + /* remove all transactions, including active transaction */ + spin_lock_irqsave(&bchan->vc.lock, flag); ++ /* ++ * If we have transactions queued, then some might be committed to the ++ * hardware in the desc fifo. The only way to reset the desc fifo is ++ * to do a hardware reset (either by pipe or the entire block). ++ * bam_chan_init_hw() will trigger a pipe reset, and also reinit the ++ * pipe. If the pipe is left disabled (default state after pipe reset) ++ * and is accessed by a connected hardware engine, a fatal error in ++ * the BAM will occur. There is a small window where this could happen ++ * with bam_chan_init_hw(), but it is assumed that the caller has ++ * stopped activity on any attached hardware engine. Make sure to do ++ * this first so that the BAM hardware doesn't cause memory corruption ++ * by accessing freed resources. ++ */ ++ if (!list_empty(&bchan->desc_list)) { ++ async_desc = list_first_entry(&bchan->desc_list, ++ struct bam_async_desc, desc_node); ++ bam_chan_init_hw(bchan, async_desc->dir); ++ } ++ + list_for_each_entry_safe(async_desc, tmp, + &bchan->desc_list, desc_node) { + list_add(&async_desc->vd.node, &bchan->vc.desc_issued); diff --git a/queue-5.3/dmaengine-tegra210-adma-fix-transfer-failure.patch b/queue-5.3/dmaengine-tegra210-adma-fix-transfer-failure.patch new file mode 100644 index 00000000000..7b406cfd23a --- /dev/null +++ b/queue-5.3/dmaengine-tegra210-adma-fix-transfer-failure.patch @@ -0,0 +1,83 @@ +From 9ec691f48b5ef741a48af8932ccaec859c67e8f1 Mon Sep 17 00:00:00 2001 +From: Sameer Pujar +Date: Mon, 16 Sep 2019 15:05:13 +0530 +Subject: dmaengine: tegra210-adma: fix transfer failure + +From: Sameer Pujar + +commit 9ec691f48b5ef741a48af8932ccaec859c67e8f1 upstream. + +>From Tegra186 onwards OUTSTANDING_REQUESTS field is added in channel +configuration register(bits 7:4) which defines the maximum number of reads +from the source and writes to the destination that may be outstanding at +any given point of time. This field must be programmed with a value +between 1 and 8. A value of 0 will prevent any transfers from happening. + +Thus added 'has_outstanding_reqs' bool member in chip data structure and is +set to false for Tegra210, since the field is not applicable. For Tegra186 +it is set to true and channel configuration is updated with maximum +outstanding requests. + +Fixes: 433de642a76c ("dmaengine: tegra210-adma: add support for Tegra186/Tegra194") +Cc: stable@vger.kernel.org +Signed-off-by: Sameer Pujar +Acked-by: Jon Hunter +Link: https://lore.kernel.org/r/1568626513-16541-1-git-send-email-spujar@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/tegra210-adma.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -40,6 +40,7 @@ + #define ADMA_CH_CONFIG_MAX_BURST_SIZE 16 + #define ADMA_CH_CONFIG_WEIGHT_FOR_WRR(val) ((val) & 0xf) + #define ADMA_CH_CONFIG_MAX_BUFS 8 ++#define TEGRA186_ADMA_CH_CONFIG_OUTSTANDING_REQS(reqs) (reqs << 4) + + #define ADMA_CH_FIFO_CTRL 0x2c + #define TEGRA210_ADMA_CH_FIFO_CTRL_OFLWTHRES(val) (((val) & 0xf) << 24) +@@ -85,6 +86,7 @@ struct tegra_adma; + * @ch_req_tx_shift: Register offset for AHUB transmit channel select. + * @ch_req_rx_shift: Register offset for AHUB receive channel select. + * @ch_base_offset: Register offset of DMA channel registers. ++ * @has_outstanding_reqs: If DMA channel can have outstanding requests. + * @ch_fifo_ctrl: Default value for channel FIFO CTRL register. + * @ch_req_mask: Mask for Tx or Rx channel select. + * @ch_req_max: Maximum number of Tx or Rx channels available. +@@ -103,6 +105,7 @@ struct tegra_adma_chip_data { + unsigned int ch_req_max; + unsigned int ch_reg_size; + unsigned int nr_channels; ++ bool has_outstanding_reqs; + }; + + /* +@@ -602,6 +605,8 @@ static int tegra_adma_set_xfer_params(st + ADMA_CH_CTRL_FLOWCTRL_EN; + ch_regs->config |= cdata->adma_get_burst_config(burst_size); + ch_regs->config |= ADMA_CH_CONFIG_WEIGHT_FOR_WRR(1); ++ if (cdata->has_outstanding_reqs) ++ ch_regs->config |= TEGRA186_ADMA_CH_CONFIG_OUTSTANDING_REQS(8); + ch_regs->fifo_ctrl = cdata->ch_fifo_ctrl; + ch_regs->tc = desc->period_len & ADMA_CH_TC_COUNT_MASK; + +@@ -786,6 +791,7 @@ static const struct tegra_adma_chip_data + .ch_req_tx_shift = 28, + .ch_req_rx_shift = 24, + .ch_base_offset = 0, ++ .has_outstanding_reqs = false, + .ch_fifo_ctrl = TEGRA210_FIFO_CTRL_DEFAULT, + .ch_req_mask = 0xf, + .ch_req_max = 10, +@@ -800,6 +806,7 @@ static const struct tegra_adma_chip_data + .ch_req_tx_shift = 27, + .ch_req_rx_shift = 22, + .ch_base_offset = 0x10000, ++ .has_outstanding_reqs = true, + .ch_fifo_ctrl = TEGRA186_FIFO_CTRL_DEFAULT, + .ch_req_mask = 0x1f, + .ch_req_max = 20, diff --git a/queue-5.3/drm-amdgpu-fix-sdma-hang-when-performing-vkexample-test.patch b/queue-5.3/drm-amdgpu-fix-sdma-hang-when-performing-vkexample-test.patch new file mode 100644 index 00000000000..bf62c3aed18 --- /dev/null +++ b/queue-5.3/drm-amdgpu-fix-sdma-hang-when-performing-vkexample-test.patch @@ -0,0 +1,32 @@ +From e5574f61e9d8274c49e9a5d943abde8e938d57e1 Mon Sep 17 00:00:00 2001 +From: chen gong +Date: Wed, 23 Oct 2019 13:54:32 +0800 +Subject: drm/amdgpu: Fix SDMA hang when performing VKexample test + +From: chen gong + +commit e5574f61e9d8274c49e9a5d943abde8e938d57e1 upstream. + +VKexample test hang during Occlusion/SDMA/Varia runs. +Clear XNACK_WATERMK in reg SDMA0_UTCL1_WATERMK to fix this issue. + +Signed-off-by: chen gong +Reviewed-by: Aaron Liu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -159,6 +159,7 @@ static const struct soc15_reg_golden gol + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC7_RB_RPTR_ADDR_LO, 0xfffffffd, 0x00000001), + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_RLC7_RB_WPTR_POLL_CNTL, 0xfffffff7, 0x00403000), + SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_PAGE, 0x000003ff, 0x000003c0), ++ SOC15_REG_GOLDEN_VALUE(SDMA0, 0, mmSDMA0_UTCL1_WATERMK, 0xfc000000, 0x00000000) + }; + + static const struct soc15_reg_golden golden_settings_sdma1_4_2[] = { diff --git a/queue-5.3/drm-amdgpu-gfx10-update-gfx-golden-settings.patch b/queue-5.3/drm-amdgpu-gfx10-update-gfx-golden-settings.patch new file mode 100644 index 00000000000..4d2e2bda53d --- /dev/null +++ b/queue-5.3/drm-amdgpu-gfx10-update-gfx-golden-settings.patch @@ -0,0 +1,32 @@ +From f52ebe1f888dfae68d7cffabf5ac898f8cb64fb3 Mon Sep 17 00:00:00 2001 +From: "Tianci.Yin" +Date: Thu, 24 Oct 2019 18:03:17 +0800 +Subject: drm/amdgpu/gfx10: update gfx golden settings + +From: Tianci.Yin + +commit f52ebe1f888dfae68d7cffabf5ac898f8cb64fb3 upstream. + +update registers: mmCGTT_SPI_CLK_CTRL + +Reviewed-by: Feifei Xu +Signed-off-by: Tianci.Yin +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -67,7 +67,7 @@ static const struct soc15_reg_golden gol + { + SOC15_REG_GOLDEN_VALUE(GC, 0, mmCB_HW_CONTROL_4, 0xffffffff, 0x00400014), + SOC15_REG_GOLDEN_VALUE(GC, 0, mmCGTT_CPF_CLK_CTRL, 0xfcff8fff, 0xf8000100), +- SOC15_REG_GOLDEN_VALUE(GC, 0, mmCGTT_SPI_CLK_CTRL, 0xc0000000, 0xc0000100), ++ SOC15_REG_GOLDEN_VALUE(GC, 0, mmCGTT_SPI_CLK_CTRL, 0xcd000000, 0x0d000100), + SOC15_REG_GOLDEN_VALUE(GC, 0, mmCGTT_SQ_CLK_CTRL, 0x60000ff0, 0x60000100), + SOC15_REG_GOLDEN_VALUE(GC, 0, mmCGTT_SQG_CLK_CTRL, 0x40000000, 0x40000100), + SOC15_REG_GOLDEN_VALUE(GC, 0, mmCGTT_VGT_CLK_CTRL, 0xffff8fff, 0xffff8100), diff --git a/queue-5.3/drm-amdgpu-gmc10-properly-set-bank_select-and-fragment_size.patch b/queue-5.3/drm-amdgpu-gmc10-properly-set-bank_select-and-fragment_size.patch new file mode 100644 index 00000000000..d69539f90f7 --- /dev/null +++ b/queue-5.3/drm-amdgpu-gmc10-properly-set-bank_select-and-fragment_size.patch @@ -0,0 +1,61 @@ +From 30ef5c7eaba0ddafc6c23eca65ebe52169dfcc60 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 29 Oct 2019 17:14:15 -0400 +Subject: drm/amdgpu/gmc10: properly set BANK_SELECT and FRAGMENT_SIZE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 30ef5c7eaba0ddafc6c23eca65ebe52169dfcc60 upstream. + +These were not aligned for optimal performance for GPUVM. + +Acked-by: Christian König +Reviewed-by: Tianci Yin +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c | 9 +++++++++ + drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c | 9 +++++++++ + 2 files changed, 18 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c +@@ -151,6 +151,15 @@ static void gfxhub_v2_0_init_cache_regs( + WREG32_SOC15(GC, 0, mmGCVM_L2_CNTL2, tmp); + + tmp = mmGCVM_L2_CNTL3_DEFAULT; ++ if (adev->gmc.translate_further) { ++ tmp = REG_SET_FIELD(tmp, GCVM_L2_CNTL3, BANK_SELECT, 12); ++ tmp = REG_SET_FIELD(tmp, GCVM_L2_CNTL3, ++ L2_CACHE_BIGK_FRAGMENT_SIZE, 9); ++ } else { ++ tmp = REG_SET_FIELD(tmp, GCVM_L2_CNTL3, BANK_SELECT, 9); ++ tmp = REG_SET_FIELD(tmp, GCVM_L2_CNTL3, ++ L2_CACHE_BIGK_FRAGMENT_SIZE, 6); ++ } + WREG32_SOC15(GC, 0, mmGCVM_L2_CNTL3, tmp); + + tmp = mmGCVM_L2_CNTL4_DEFAULT; +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c +@@ -137,6 +137,15 @@ static void mmhub_v2_0_init_cache_regs(s + WREG32_SOC15(MMHUB, 0, mmMMVM_L2_CNTL2, tmp); + + tmp = mmMMVM_L2_CNTL3_DEFAULT; ++ if (adev->gmc.translate_further) { ++ tmp = REG_SET_FIELD(tmp, MMVM_L2_CNTL3, BANK_SELECT, 12); ++ tmp = REG_SET_FIELD(tmp, MMVM_L2_CNTL3, ++ L2_CACHE_BIGK_FRAGMENT_SIZE, 9); ++ } else { ++ tmp = REG_SET_FIELD(tmp, MMVM_L2_CNTL3, BANK_SELECT, 9); ++ tmp = REG_SET_FIELD(tmp, MMVM_L2_CNTL3, ++ L2_CACHE_BIGK_FRAGMENT_SIZE, 6); ++ } + WREG32_SOC15(MMHUB, 0, mmMMVM_L2_CNTL3, tmp); + + tmp = mmMMVM_L2_CNTL4_DEFAULT; diff --git a/queue-5.3/drm-amdgpu-powerplay-vega10-allow-undervolting-in-p7.patch b/queue-5.3/drm-amdgpu-powerplay-vega10-allow-undervolting-in-p7.patch new file mode 100644 index 00000000000..a1c2cbd8795 --- /dev/null +++ b/queue-5.3/drm-amdgpu-powerplay-vega10-allow-undervolting-in-p7.patch @@ -0,0 +1,37 @@ +From e6f4e274c1e52d1f0bfe293fb44ddf59de6c0374 Mon Sep 17 00:00:00 2001 +From: Pelle van Gils +Date: Thu, 24 Oct 2019 16:04:31 +0200 +Subject: drm/amdgpu/powerplay/vega10: allow undervolting in p7 + +From: Pelle van Gils + +commit e6f4e274c1e52d1f0bfe293fb44ddf59de6c0374 upstream. + +The vega10_odn_update_soc_table() function does not allow the SCLK +dependent voltage to be set for power-state 7 to a value below the default +in pptable. Change the for-loop condition to allow undervolting in the +highest state. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205277 +Signed-off-by: Pelle van Gils +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c +@@ -5097,9 +5097,7 @@ static void vega10_odn_update_soc_table( + + if (type == PP_OD_EDIT_SCLK_VDDC_TABLE) { + podn_vdd_dep = &data->odn_dpm_table.vdd_dep_on_sclk; +- for (i = 0; i < podn_vdd_dep->count - 1; i++) +- od_vddc_lookup_table->entries[i].us_vdd = podn_vdd_dep->entries[i].vddc; +- if (od_vddc_lookup_table->entries[i].us_vdd < podn_vdd_dep->entries[i].vddc) ++ for (i = 0; i < podn_vdd_dep->count; i++) + od_vddc_lookup_table->entries[i].us_vdd = podn_vdd_dep->entries[i].vddc; + } else if (type == PP_OD_EDIT_MCLK_VDDC_TABLE) { + podn_vdd_dep = &data->odn_dpm_table.vdd_dep_on_mclk; diff --git a/queue-5.3/drm-i915-fix-pch-reference-clock-for-fdi-on-hsw-bdw.patch b/queue-5.3/drm-i915-fix-pch-reference-clock-for-fdi-on-hsw-bdw.patch new file mode 100644 index 00000000000..87556e7179c --- /dev/null +++ b/queue-5.3/drm-i915-fix-pch-reference-clock-for-fdi-on-hsw-bdw.patch @@ -0,0 +1,118 @@ +From 59cd826fb5e7889515bf5771e295e0624c348571 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Tue, 22 Oct 2019 21:56:43 +0300 +Subject: drm/i915: Fix PCH reference clock for FDI on HSW/BDW +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 59cd826fb5e7889515bf5771e295e0624c348571 upstream. + +The change to skip the PCH reference initialization during fastboot +did end up breaking FDI. To fix that let's try to do the PCH reference +init whenever we're disabling a DPLL that was using said reference +previously. + +Cc: stable@vger.kernel.org +Tested-by: Andrija +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=112084 +Fixes: b16c7ed95caf ("drm/i915: Do not touch the PCH SSC reference if a PLL is using it") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20191022185643.1483-1-ville.syrjala@linux.intel.com +Reviewed-by: Imre Deak +(cherry picked from commit dd5279c71405533d4ddbb9453effc60f0f5bf211) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/display/intel_display.c | 11 ++++++----- + drivers/gpu/drm/i915/display/intel_dpll_mgr.c | 15 +++++++++++++++ + drivers/gpu/drm/i915/i915_drv.h | 2 ++ + 3 files changed, 23 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_display.c ++++ b/drivers/gpu/drm/i915/display/intel_display.c +@@ -9186,7 +9186,6 @@ static bool wrpll_uses_pch_ssc(struct dr + static void lpt_init_pch_refclk(struct drm_i915_private *dev_priv) + { + struct intel_encoder *encoder; +- bool pch_ssc_in_use = false; + bool has_fdi = false; + + for_each_intel_encoder(&dev_priv->drm, encoder) { +@@ -9214,22 +9213,24 @@ static void lpt_init_pch_refclk(struct d + * clock hierarchy. That would also allow us to do + * clock bending finally. + */ ++ dev_priv->pch_ssc_use = 0; ++ + if (spll_uses_pch_ssc(dev_priv)) { + DRM_DEBUG_KMS("SPLL using PCH SSC\n"); +- pch_ssc_in_use = true; ++ dev_priv->pch_ssc_use |= BIT(DPLL_ID_SPLL); + } + + if (wrpll_uses_pch_ssc(dev_priv, DPLL_ID_WRPLL1)) { + DRM_DEBUG_KMS("WRPLL1 using PCH SSC\n"); +- pch_ssc_in_use = true; ++ dev_priv->pch_ssc_use |= BIT(DPLL_ID_WRPLL1); + } + + if (wrpll_uses_pch_ssc(dev_priv, DPLL_ID_WRPLL2)) { + DRM_DEBUG_KMS("WRPLL2 using PCH SSC\n"); +- pch_ssc_in_use = true; ++ dev_priv->pch_ssc_use |= BIT(DPLL_ID_WRPLL2); + } + +- if (pch_ssc_in_use) ++ if (dev_priv->pch_ssc_use) + return; + + if (has_fdi) { +--- a/drivers/gpu/drm/i915/display/intel_dpll_mgr.c ++++ b/drivers/gpu/drm/i915/display/intel_dpll_mgr.c +@@ -498,16 +498,31 @@ static void hsw_ddi_wrpll_disable(struct + val = I915_READ(WRPLL_CTL(id)); + I915_WRITE(WRPLL_CTL(id), val & ~WRPLL_PLL_ENABLE); + POSTING_READ(WRPLL_CTL(id)); ++ ++ /* ++ * Try to set up the PCH reference clock once all DPLLs ++ * that depend on it have been shut down. ++ */ ++ if (dev_priv->pch_ssc_use & BIT(id)) ++ intel_init_pch_refclk(dev_priv); + } + + static void hsw_ddi_spll_disable(struct drm_i915_private *dev_priv, + struct intel_shared_dpll *pll) + { ++ enum intel_dpll_id id = pll->info->id; + u32 val; + + val = I915_READ(SPLL_CTL); + I915_WRITE(SPLL_CTL, val & ~SPLL_PLL_ENABLE); + POSTING_READ(SPLL_CTL); ++ ++ /* ++ * Try to set up the PCH reference clock once all DPLLs ++ * that depend on it have been shut down. ++ */ ++ if (dev_priv->pch_ssc_use & BIT(id)) ++ intel_init_pch_refclk(dev_priv); + } + + static bool hsw_ddi_wrpll_get_hw_state(struct drm_i915_private *dev_priv, +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -1881,6 +1881,8 @@ struct drm_i915_private { + struct work_struct idle_work; + } gem; + ++ u8 pch_ssc_use; ++ + /* For i945gm vblank irq vs. C3 workaround */ + struct { + struct work_struct work; diff --git a/queue-5.3/hid-logitech-hidpp-do-all-ff-cleanup-in-hidpp_ff_destroy.patch b/queue-5.3/hid-logitech-hidpp-do-all-ff-cleanup-in-hidpp_ff_destroy.patch new file mode 100644 index 00000000000..9f7e06df158 --- /dev/null +++ b/queue-5.3/hid-logitech-hidpp-do-all-ff-cleanup-in-hidpp_ff_destroy.patch @@ -0,0 +1,88 @@ +From 08c453f6d073f069cf8e30e03cd3c16262c9b953 Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Thu, 17 Oct 2019 21:45:17 -0700 +Subject: HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() + +From: Andrey Smirnov + +commit 08c453f6d073f069cf8e30e03cd3c16262c9b953 upstream. + +All of the FF-related resources belong to corresponding FF device, so +they should be freed as a part of hidpp_ff_destroy() to avoid +potential race condidions. + +Fixes: ff21a635dd1a ("HID: logitech-hidpp: Force feedback support for the Logitech G920") +Suggested-by: Benjamin Tissoires +Signed-off-by: Andrey Smirnov +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: Henrik Rydberg +Cc: Pierre-Loup A. Griffais +Cc: Austin Palmer +Cc: linux-input@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # 5.2+ +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-logitech-hidpp.c | 33 +++++---------------------------- + 1 file changed, 5 insertions(+), 28 deletions(-) + +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -2078,7 +2078,12 @@ static DEVICE_ATTR(range, S_IRUSR | S_IW + static void hidpp_ff_destroy(struct ff_device *ff) + { + struct hidpp_ff_private_data *data = ff->private; ++ struct hid_device *hid = data->hidpp->hid_dev; + ++ hid_info(hid, "Unloading HID++ force feedback.\n"); ++ ++ device_remove_file(&hid->dev, &dev_attr_range); ++ destroy_workqueue(data->wq); + kfree(data->effect_ids); + } + +@@ -2170,31 +2175,6 @@ static int hidpp_ff_init(struct hidpp_de + return 0; + } + +-static int hidpp_ff_deinit(struct hid_device *hid) +-{ +- struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); +- struct input_dev *dev = hidinput->input; +- struct hidpp_ff_private_data *data; +- +- if (!dev) { +- hid_err(hid, "Struct input_dev not found!\n"); +- return -EINVAL; +- } +- +- hid_info(hid, "Unloading HID++ force feedback.\n"); +- data = dev->ff->private; +- if (!data) { +- hid_err(hid, "Private data not found!\n"); +- return -EINVAL; +- } +- +- destroy_workqueue(data->wq); +- device_remove_file(&hid->dev, &dev_attr_range); +- +- return 0; +-} +- +- + /* ************************************************************************** */ + /* */ + /* Device Support */ +@@ -3713,9 +3693,6 @@ static void hidpp_remove(struct hid_devi + + sysfs_remove_group(&hdev->dev.kobj, &ps_attribute_group); + +- if (hidpp->quirks & HIDPP_QUIRK_CLASS_G920) +- hidpp_ff_deinit(hdev); +- + hid_hw_stop(hdev); + cancel_work_sync(&hidpp->work); + mutex_destroy(&hidpp->send_mutex); diff --git a/queue-5.3/hid-logitech-hidpp-rework-device-validation.patch b/queue-5.3/hid-logitech-hidpp-rework-device-validation.patch new file mode 100644 index 00000000000..5400ff761d9 --- /dev/null +++ b/queue-5.3/hid-logitech-hidpp-rework-device-validation.patch @@ -0,0 +1,134 @@ +From 905d754c53a522aacf806ea1d3e7c929148c1910 Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Thu, 17 Oct 2019 21:45:16 -0700 +Subject: HID: logitech-hidpp: rework device validation + +From: Andrey Smirnov + +commit 905d754c53a522aacf806ea1d3e7c929148c1910 upstream. + +G920 device only advertises REPORT_ID_HIDPP_LONG and +REPORT_ID_HIDPP_VERY_LONG in its HID report descriptor, so querying +for REPORT_ID_HIDPP_SHORT with optional=false will always fail and +prevent G920 to be recognized as a valid HID++ device. + +To fix this and improve some other aspects, modify +hidpp_validate_device() as follows: + + - Inline the code of hidpp_validate_report() to simplify + distingushing between non-present and invalid report descriptors + + - Drop the check for id >= HID_MAX_IDS || id < 0 since all of our + IDs are static and known to satisfy that at compile time + + - Change the algorithms to check all possible report + types (including very long report) and deem the device as a valid + HID++ device if it supports at least one + + - Treat invalid report length as a hard stop for the validation + algorithm, meaning that if any of the supported reports has + invalid length we assume the worst and treat the device as a + generic HID device. + + - Fold initialization of hidpp->very_long_report_length into + hidpp_validate_device() since it already fetches very long report + length and validates its value + +Fixes: fe3ee1ec007b ("HID: logitech-hidpp: allow non HID++ devices to be handled by this module") +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204191 +Reported-by: Sam Bazely +Signed-off-by: Andrey Smirnov +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: Henrik Rydberg +Cc: Pierre-Loup A. Griffais +Cc: Austin Palmer +Cc: linux-input@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # 5.2+ +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-logitech-hidpp.c | 54 +++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 24 deletions(-) + +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -3498,34 +3498,45 @@ static int hidpp_get_report_length(struc + return report->field[0]->report_count + 1; + } + +-static bool hidpp_validate_report(struct hid_device *hdev, int id, +- int expected_length, bool optional) ++static bool hidpp_validate_device(struct hid_device *hdev) + { +- int report_length; ++ struct hidpp_device *hidpp = hid_get_drvdata(hdev); ++ int id, report_length, supported_reports = 0; ++ ++ id = REPORT_ID_HIDPP_SHORT; ++ report_length = hidpp_get_report_length(hdev, id); ++ if (report_length) { ++ if (report_length < HIDPP_REPORT_SHORT_LENGTH) ++ goto bad_device; + +- if (id >= HID_MAX_IDS || id < 0) { +- hid_err(hdev, "invalid HID report id %u\n", id); +- return false; ++ supported_reports++; + } + ++ id = REPORT_ID_HIDPP_LONG; + report_length = hidpp_get_report_length(hdev, id); +- if (!report_length) +- return optional; ++ if (report_length) { ++ if (report_length < HIDPP_REPORT_LONG_LENGTH) ++ goto bad_device; + +- if (report_length < expected_length) { +- hid_warn(hdev, "not enough values in hidpp report %d\n", id); +- return false; ++ supported_reports++; + } + +- return true; +-} ++ id = REPORT_ID_HIDPP_VERY_LONG; ++ report_length = hidpp_get_report_length(hdev, id); ++ if (report_length) { ++ if (report_length < HIDPP_REPORT_LONG_LENGTH || ++ report_length > HIDPP_REPORT_VERY_LONG_MAX_LENGTH) ++ goto bad_device; + +-static bool hidpp_validate_device(struct hid_device *hdev) +-{ +- return hidpp_validate_report(hdev, REPORT_ID_HIDPP_SHORT, +- HIDPP_REPORT_SHORT_LENGTH, false) && +- hidpp_validate_report(hdev, REPORT_ID_HIDPP_LONG, +- HIDPP_REPORT_LONG_LENGTH, true); ++ supported_reports++; ++ hidpp->very_long_report_length = report_length; ++ } ++ ++ return supported_reports; ++ ++bad_device: ++ hid_warn(hdev, "not enough values in hidpp report %d\n", id); ++ return false; + } + + static bool hidpp_application_equals(struct hid_device *hdev, +@@ -3572,11 +3583,6 @@ static int hidpp_probe(struct hid_device + return hid_hw_start(hdev, HID_CONNECT_DEFAULT); + } + +- hidpp->very_long_report_length = +- hidpp_get_report_length(hdev, REPORT_ID_HIDPP_VERY_LONG); +- if (hidpp->very_long_report_length > HIDPP_REPORT_VERY_LONG_MAX_LENGTH) +- hidpp->very_long_report_length = HIDPP_REPORT_VERY_LONG_MAX_LENGTH; +- + if (id->group == HID_GROUP_LOGITECH_DJ_DEVICE) + hidpp->quirks |= HIDPP_QUIRK_UNIFYING; + diff --git a/queue-5.3/hid-logitech-hidpp-split-g920_get_config.patch b/queue-5.3/hid-logitech-hidpp-split-g920_get_config.patch new file mode 100644 index 00000000000..4e01d45d59c --- /dev/null +++ b/queue-5.3/hid-logitech-hidpp-split-g920_get_config.patch @@ -0,0 +1,381 @@ +From abdd3d0b344fdf72a4904d09b97bc964d74c4419 Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Thu, 17 Oct 2019 21:45:15 -0700 +Subject: HID: logitech-hidpp: split g920_get_config() + +From: Andrey Smirnov + +commit abdd3d0b344fdf72a4904d09b97bc964d74c4419 upstream. + +Original version of g920_get_config() contained two kind of actions: + + 1. Device specific communication to query/set some parameters + which requires active communication channel with the device, + or, put in other way, for the call to be sandwiched between + hid_device_io_start() and hid_device_io_stop(). + + 2. Input subsystem specific FF controller initialization which, in + order to access a valid 'struct hid_input' via + 'hid->inputs.next', requires claimed hidinput which means be + executed after the call to hid_hw_start() with connect_mask + containing HID_CONNECT_HIDINPUT. + +Location of g920_get_config() can only fulfill requirements for #1 and +not #2, which might result in following backtrace: + +[ 88.312258] logitech-hidpp-device 0003:046D:C262.0005: HID++ 4.2 device connected. +[ 88.320298] BUG: kernel NULL pointer dereference, address: 0000000000000018 +[ 88.320304] #PF: supervisor read access in kernel mode +[ 88.320307] #PF: error_code(0x0000) - not-present page +[ 88.320309] PGD 0 P4D 0 +[ 88.320315] Oops: 0000 [#1] SMP PTI +[ 88.320320] CPU: 1 PID: 3080 Comm: systemd-udevd Not tainted 5.4.0-rc1+ #31 +[ 88.320322] Hardware name: Apple Inc. MacBookPro11,1/Mac-189A3D4F975D5FFC, BIOS 149.0.0.0.0 09/17/2018 +[ 88.320334] RIP: 0010:hidpp_probe+0x61f/0x948 [hid_logitech_hidpp] +[ 88.320338] Code: 81 00 00 48 89 ef e8 f0 d6 ff ff 41 89 c6 85 c0 75 b5 0f b6 44 24 28 48 8b 5d 00 88 44 24 1e 89 44 24 0c 48 8b 83 18 1c 00 00 <48> 8b 48 18 48 8b 83 10 19 00 00 48 8b 40 40 48 89 0c 24 0f b7 80 +[ 88.320341] RSP: 0018:ffffb0a6824aba68 EFLAGS: 00010246 +[ 88.320345] RAX: 0000000000000000 RBX: ffff93a50756e000 RCX: 0000000000010408 +[ 88.320347] RDX: 0000000000000000 RSI: ffff93a51f0ad0a0 RDI: 000000000002d0a0 +[ 88.320350] RBP: ffff93a50416da28 R08: ffff93a50416da70 R09: ffff93a50416da70 +[ 88.320352] R10: 000000148ae9e60c R11: 00000000000f1525 R12: ffff93a50756e000 +[ 88.320354] R13: ffff93a50756f8d0 R14: 0000000000000000 R15: ffff93a50756fc38 +[ 88.320358] FS: 00007f8d8c1e0940(0000) GS:ffff93a51f080000(0000) knlGS:0000000000000000 +[ 88.320361] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 88.320363] CR2: 0000000000000018 CR3: 00000003996d8003 CR4: 00000000001606e0 +[ 88.320366] Call Trace: +[ 88.320377] ? _cond_resched+0x15/0x30 +[ 88.320387] ? create_pinctrl+0x2f/0x3c0 +[ 88.320393] ? kernfs_link_sibling+0x94/0xe0 +[ 88.320398] ? _cond_resched+0x15/0x30 +[ 88.320402] ? kernfs_activate+0x5f/0x80 +[ 88.320406] ? kernfs_add_one+0xe2/0x130 +[ 88.320411] hid_device_probe+0x106/0x170 +[ 88.320419] really_probe+0x147/0x3c0 +[ 88.320424] driver_probe_device+0xb6/0x100 +[ 88.320428] device_driver_attach+0x53/0x60 +[ 88.320433] __driver_attach+0x8a/0x150 +[ 88.320437] ? device_driver_attach+0x60/0x60 +[ 88.320440] bus_for_each_dev+0x78/0xc0 +[ 88.320445] bus_add_driver+0x14d/0x1f0 +[ 88.320450] driver_register+0x6c/0xc0 +[ 88.320453] ? 0xffffffffc0d67000 +[ 88.320457] __hid_register_driver+0x4c/0x80 +[ 88.320464] do_one_initcall+0x46/0x1f4 +[ 88.320469] ? _cond_resched+0x15/0x30 +[ 88.320474] ? kmem_cache_alloc_trace+0x162/0x220 +[ 88.320481] ? do_init_module+0x23/0x230 +[ 88.320486] do_init_module+0x5c/0x230 +[ 88.320491] load_module+0x26e1/0x2990 +[ 88.320502] ? ima_post_read_file+0xf0/0x100 +[ 88.320508] ? __do_sys_finit_module+0xaa/0x110 +[ 88.320512] __do_sys_finit_module+0xaa/0x110 +[ 88.320520] do_syscall_64+0x5b/0x180 +[ 88.320525] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 88.320528] RIP: 0033:0x7f8d8d1f01fd +[ 88.320532] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b 8c 0c 00 f7 d8 64 89 01 48 +[ 88.320535] RSP: 002b:00007ffefa3bb068 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +[ 88.320539] RAX: ffffffffffffffda RBX: 000055922040cb40 RCX: 00007f8d8d1f01fd +[ 88.320541] RDX: 0000000000000000 RSI: 00007f8d8ce4984d RDI: 0000000000000006 +[ 88.320543] RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000007 +[ 88.320545] R10: 0000000000000006 R11: 0000000000000246 R12: 00007f8d8ce4984d +[ 88.320547] R13: 0000000000000000 R14: 000055922040efc0 R15: 000055922040cb40 +[ 88.320551] Modules linked in: hid_logitech_hidpp(+) fuse rfcomm ccm xt_CHECKSUM xt_MASQUERADE bridge stp llc nf_nat_tftp nf_conntrack_tftp nf_conntrack_netbios_ns nf_conntrack_broadcast xt_CT ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_nat ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat tun iptable_mangle iptable_raw iptable_security nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables cmac bnep sunrpc dm_crypt nls_utf8 hfsplus intel_rapl_msr intel_rapl_common ath9k_htc ath9k_common x86_pkg_temp_thermal intel_powerclamp b43 ath9k_hw coretemp snd_hda_codec_hdmi cordic kvm_intel snd_hda_codec_cirrus mac80211 snd_hda_codec_generic ledtrig_audio kvm snd_hda_intel snd_intel_nhlt irqbypass snd_hda_codec btusb btrtl snd_hda_core ath btbcm ssb snd_hwdep btintel snd_seq crct10dif_pclmul iTCO_wdt snd_seq_device crc32_pclmul bluetooth mmc_core iTCO_vendor_support joydev cfg80211 +[ 88.320602] applesmc ghash_clmulni_intel ecdh_generic snd_pcm input_polldev intel_cstate ecc intel_uncore thunderbolt snd_timer i2c_i801 libarc4 rfkill intel_rapl_perf lpc_ich mei_me pcspkr bcm5974 snd bcma mei soundcore acpi_als sbs kfifo_buf sbshc industrialio apple_bl i915 i2c_algo_bit drm_kms_helper drm uas crc32c_intel usb_storage video hid_apple +[ 88.320630] CR2: 0000000000000018 +[ 88.320633] ---[ end trace 933491c8a4fadeb7 ]--- +[ 88.320642] RIP: 0010:hidpp_probe+0x61f/0x948 [hid_logitech_hidpp] +[ 88.320645] Code: 81 00 00 48 89 ef e8 f0 d6 ff ff 41 89 c6 85 c0 75 b5 0f b6 44 24 28 48 8b 5d 00 88 44 24 1e 89 44 24 0c 48 8b 83 18 1c 00 00 <48> 8b 48 18 48 8b 83 10 19 00 00 48 8b 40 40 48 89 0c 24 0f b7 80 +[ 88.320647] RSP: 0018:ffffb0a6824aba68 EFLAGS: 00010246 +[ 88.320650] RAX: 0000000000000000 RBX: ffff93a50756e000 RCX: 0000000000010408 +[ 88.320652] RDX: 0000000000000000 RSI: ffff93a51f0ad0a0 RDI: 000000000002d0a0 +[ 88.320655] RBP: ffff93a50416da28 R08: ffff93a50416da70 R09: ffff93a50416da70 +[ 88.320657] R10: 000000148ae9e60c R11: 00000000000f1525 R12: ffff93a50756e000 +[ 88.320659] R13: ffff93a50756f8d0 R14: 0000000000000000 R15: ffff93a50756fc38 +[ 88.320662] FS: 00007f8d8c1e0940(0000) GS:ffff93a51f080000(0000) knlGS:0000000000000000 +[ 88.320664] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 88.320667] CR2: 0000000000000018 CR3: 00000003996d8003 CR4: 00000000001606e0 + +To solve this issue: + + 1. Split g920_get_config() such that all of the device specific + communication remains a part of the function and input subsystem + initialization bits go to hidpp_ff_init() + + 2. Move call to hidpp_ff_init() from being a part of + g920_get_config() to be the last step of .probe(), right after a + call to hid_hw_start() with connect_mask containing + HID_CONNECT_HIDINPUT. + +Fixes: 91cf9a98ae41 ("HID: logitech-hidpp: make .probe usbhid capable") +Signed-off-by: Andrey Smirnov +Tested-by: Sam Bazley +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: Henrik Rydberg +Cc: Pierre-Loup A. Griffais +Cc: Austin Palmer +Cc: linux-input@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # 5.2+ +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-logitech-hidpp.c | 150 ++++++++++++++++++++++++--------------- + 1 file changed, 96 insertions(+), 54 deletions(-) + +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -1669,6 +1669,7 @@ static void hidpp_touchpad_raw_xy_event( + + #define HIDPP_FF_EFFECTID_NONE -1 + #define HIDPP_FF_EFFECTID_AUTOCENTER -2 ++#define HIDPP_AUTOCENTER_PARAMS_LENGTH 18 + + #define HIDPP_FF_MAX_PARAMS 20 + #define HIDPP_FF_RESERVED_SLOTS 1 +@@ -2009,7 +2010,7 @@ static int hidpp_ff_erase_effect(struct + static void hidpp_ff_set_autocenter(struct input_dev *dev, u16 magnitude) + { + struct hidpp_ff_private_data *data = dev->ff->private; +- u8 params[18]; ++ u8 params[HIDPP_AUTOCENTER_PARAMS_LENGTH]; + + dbg_hid("Setting autocenter to %d.\n", magnitude); + +@@ -2081,7 +2082,8 @@ static void hidpp_ff_destroy(struct ff_d + kfree(data->effect_ids); + } + +-static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) ++static int hidpp_ff_init(struct hidpp_device *hidpp, ++ struct hidpp_ff_private_data *data) + { + struct hid_device *hid = hidpp->hid_dev; + struct hid_input *hidinput; +@@ -2089,9 +2091,7 @@ static int hidpp_ff_init(struct hidpp_de + const struct usb_device_descriptor *udesc = &(hid_to_usb_dev(hid)->descriptor); + const u16 bcdDevice = le16_to_cpu(udesc->bcdDevice); + struct ff_device *ff; +- struct hidpp_report response; +- struct hidpp_ff_private_data *data; +- int error, j, num_slots; ++ int error, j, num_slots = data->num_effects; + u8 version; + + if (list_empty(&hid->inputs)) { +@@ -2116,27 +2116,17 @@ static int hidpp_ff_init(struct hidpp_de + for (j = 0; hidpp_ff_effects_v2[j] >= 0; j++) + set_bit(hidpp_ff_effects_v2[j], dev->ffbit); + +- /* Read number of slots available in device */ +- error = hidpp_send_fap_command_sync(hidpp, feature_index, +- HIDPP_FF_GET_INFO, NULL, 0, &response); +- if (error) { +- if (error < 0) +- return error; +- hid_err(hidpp->hid_dev, "%s: received protocol error 0x%02x\n", +- __func__, error); +- return -EPROTO; +- } +- +- num_slots = response.fap.params[0] - HIDPP_FF_RESERVED_SLOTS; +- + error = input_ff_create(dev, num_slots); + + if (error) { + hid_err(dev, "Failed to create FF device!\n"); + return error; + } +- +- data = kzalloc(sizeof(*data), GFP_KERNEL); ++ /* ++ * Create a copy of passed data, so we can transfer memory ++ * ownership to FF core ++ */ ++ data = kmemdup(data, sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + data->effect_ids = kcalloc(num_slots, sizeof(int), GFP_KERNEL); +@@ -2152,10 +2142,7 @@ static int hidpp_ff_init(struct hidpp_de + } + + data->hidpp = hidpp; +- data->feature_index = feature_index; + data->version = version; +- data->slot_autocenter = 0; +- data->num_effects = num_slots; + for (j = 0; j < num_slots; j++) + data->effect_ids[j] = -1; + +@@ -2169,37 +2156,14 @@ static int hidpp_ff_init(struct hidpp_de + ff->set_autocenter = hidpp_ff_set_autocenter; + ff->destroy = hidpp_ff_destroy; + +- +- /* reset all forces */ +- error = hidpp_send_fap_command_sync(hidpp, feature_index, +- HIDPP_FF_RESET_ALL, NULL, 0, &response); +- +- /* Read current Range */ +- error = hidpp_send_fap_command_sync(hidpp, feature_index, +- HIDPP_FF_GET_APERTURE, NULL, 0, &response); +- if (error) +- hid_warn(hidpp->hid_dev, "Failed to read range from device!\n"); +- data->range = error ? 900 : get_unaligned_be16(&response.fap.params[0]); +- + /* Create sysfs interface */ + error = device_create_file(&(hidpp->hid_dev->dev), &dev_attr_range); + if (error) + hid_warn(hidpp->hid_dev, "Unable to create sysfs interface for \"range\", errno %d!\n", error); + +- /* Read the current gain values */ +- error = hidpp_send_fap_command_sync(hidpp, feature_index, +- HIDPP_FF_GET_GLOBAL_GAINS, NULL, 0, &response); +- if (error) +- hid_warn(hidpp->hid_dev, "Failed to read gain values from device!\n"); +- data->gain = error ? 0xffff : get_unaligned_be16(&response.fap.params[0]); +- /* ignore boost value at response.fap.params[2] */ +- + /* init the hardware command queue */ + atomic_set(&data->workqueue_size, 0); + +- /* initialize with zero autocenter to get wheel in usable state */ +- hidpp_ff_set_autocenter(dev, 0); +- + hid_info(hid, "Force feedback support loaded (firmware release %d).\n", + version); + +@@ -2732,24 +2696,93 @@ static int k400_connect(struct hid_devic + + #define HIDPP_PAGE_G920_FORCE_FEEDBACK 0x8123 + +-static int g920_get_config(struct hidpp_device *hidpp) ++static int g920_ff_set_autocenter(struct hidpp_device *hidpp, ++ struct hidpp_ff_private_data *data) + { ++ struct hidpp_report response; ++ u8 params[HIDPP_AUTOCENTER_PARAMS_LENGTH] = { ++ [1] = HIDPP_FF_EFFECT_SPRING | HIDPP_FF_EFFECT_AUTOSTART, ++ }; ++ int ret; ++ ++ /* initialize with zero autocenter to get wheel in usable state */ ++ ++ dbg_hid("Setting autocenter to 0.\n"); ++ ret = hidpp_send_fap_command_sync(hidpp, data->feature_index, ++ HIDPP_FF_DOWNLOAD_EFFECT, ++ params, ARRAY_SIZE(params), ++ &response); ++ if (ret) ++ hid_warn(hidpp->hid_dev, "Failed to autocenter device!\n"); ++ else ++ data->slot_autocenter = response.fap.params[0]; ++ ++ return ret; ++} ++ ++static int g920_get_config(struct hidpp_device *hidpp, ++ struct hidpp_ff_private_data *data) ++{ ++ struct hidpp_report response; + u8 feature_type; +- u8 feature_index; + int ret; + ++ memset(data, 0, sizeof(*data)); ++ + /* Find feature and store for later use */ + ret = hidpp_root_get_feature(hidpp, HIDPP_PAGE_G920_FORCE_FEEDBACK, +- &feature_index, &feature_type); ++ &data->feature_index, &feature_type); + if (ret) + return ret; + +- ret = hidpp_ff_init(hidpp, feature_index); ++ /* Read number of slots available in device */ ++ ret = hidpp_send_fap_command_sync(hidpp, data->feature_index, ++ HIDPP_FF_GET_INFO, ++ NULL, 0, ++ &response); ++ if (ret) { ++ if (ret < 0) ++ return ret; ++ hid_err(hidpp->hid_dev, ++ "%s: received protocol error 0x%02x\n", __func__, ret); ++ return -EPROTO; ++ } ++ ++ data->num_effects = response.fap.params[0] - HIDPP_FF_RESERVED_SLOTS; ++ ++ /* reset all forces */ ++ ret = hidpp_send_fap_command_sync(hidpp, data->feature_index, ++ HIDPP_FF_RESET_ALL, ++ NULL, 0, ++ &response); + if (ret) +- hid_warn(hidpp->hid_dev, "Unable to initialize force feedback support, errno %d\n", +- ret); ++ hid_warn(hidpp->hid_dev, "Failed to reset all forces!\n"); + +- return 0; ++ ret = hidpp_send_fap_command_sync(hidpp, data->feature_index, ++ HIDPP_FF_GET_APERTURE, ++ NULL, 0, ++ &response); ++ if (ret) { ++ hid_warn(hidpp->hid_dev, ++ "Failed to read range from device!\n"); ++ } ++ data->range = ret ? ++ 900 : get_unaligned_be16(&response.fap.params[0]); ++ ++ /* Read the current gain values */ ++ ret = hidpp_send_fap_command_sync(hidpp, data->feature_index, ++ HIDPP_FF_GET_GLOBAL_GAINS, ++ NULL, 0, ++ &response); ++ if (ret) ++ hid_warn(hidpp->hid_dev, ++ "Failed to read gain values from device!\n"); ++ data->gain = ret ? ++ 0xffff : get_unaligned_be16(&response.fap.params[0]); ++ ++ /* ignore boost value at response.fap.params[2] */ ++ ++ return g920_ff_set_autocenter(hidpp, data); + } + + /* -------------------------------------------------------------------------- */ +@@ -3512,6 +3545,7 @@ static int hidpp_probe(struct hid_device + int ret; + bool connected; + unsigned int connect_mask = HID_CONNECT_DEFAULT; ++ struct hidpp_ff_private_data data; + + /* report_fixup needs drvdata to be set before we call hid_parse */ + hidpp = devm_kzalloc(&hdev->dev, sizeof(*hidpp), GFP_KERNEL); +@@ -3621,7 +3655,7 @@ static int hidpp_probe(struct hid_device + if (ret) + goto hid_hw_init_fail; + } else if (connected && (hidpp->quirks & HIDPP_QUIRK_CLASS_G920)) { +- ret = g920_get_config(hidpp); ++ ret = g920_get_config(hidpp, &data); + if (ret) + goto hid_hw_init_fail; + } +@@ -3643,6 +3677,14 @@ static int hidpp_probe(struct hid_device + goto hid_hw_start_fail; + } + ++ if (hidpp->quirks & HIDPP_QUIRK_CLASS_G920) { ++ ret = hidpp_ff_init(hidpp, &data); ++ if (ret) ++ hid_warn(hidpp->hid_dev, ++ "Unable to initialize force feedback support, errno %d\n", ++ ret); ++ } ++ + return ret; + + hid_hw_init_fail: diff --git a/queue-5.3/ib-hfi1-avoid-excessive-retry-for-tid-rdma-read-request.patch b/queue-5.3/ib-hfi1-avoid-excessive-retry-for-tid-rdma-read-request.patch new file mode 100644 index 00000000000..4df9aebfde2 --- /dev/null +++ b/queue-5.3/ib-hfi1-avoid-excessive-retry-for-tid-rdma-read-request.patch @@ -0,0 +1,61 @@ +From 9ed5bd7d22241ad232fd3a5be404e83eb6cadc04 Mon Sep 17 00:00:00 2001 +From: Kaike Wan +Date: Fri, 4 Oct 2019 16:40:35 -0400 +Subject: IB/hfi1: Avoid excessive retry for TID RDMA READ request + +From: Kaike Wan + +commit 9ed5bd7d22241ad232fd3a5be404e83eb6cadc04 upstream. + +A TID RDMA READ request could be retried under one of the following +conditions: +- The RC retry timer expires; +- A later TID RDMA READ RESP packet is received before the next + expected one. +For the latter, under normal conditions, the PSN in IB space is used +for comparison. More specifically, the IB PSN in the incoming TID RDMA +READ RESP packet is compared with the last IB PSN of a given TID RDMA +READ request to determine if the request should be retried. This is +similar to the retry logic for noraml RDMA READ request. + +However, if a TID RDMA READ RESP packet is lost due to congestion, +header suppresion will be disabled and each incoming packet will raise +an interrupt until the hardware flow is reloaded. Under this condition, +each packet KDETH PSN will be checked by software against r_next_psn +and a retry will be requested if the packet KDETH PSN is later than +r_next_psn. Since each TID RDMA READ segment could have up to 64 +packets and each TID RDMA READ request could have many segments, we +could make far more retries under such conditions, and thus leading to +RETRY_EXC_ERR status. + +This patch fixes the issue by removing the retry when the incoming +packet KDETH PSN is later than r_next_psn. Instead, it resorts to +RC timer and normal IB PSN comparison for any request retry. + +Fixes: 9905bf06e890 ("IB/hfi1: Add functions to receive TID RDMA READ response") +Cc: +Reviewed-by: Mike Marciniszyn +Signed-off-by: Kaike Wan +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/20191004204035.26542.41684.stgit@awfm-01.aw.intel.com +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/tid_rdma.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/tid_rdma.c ++++ b/drivers/infiniband/hw/hfi1/tid_rdma.c +@@ -2728,11 +2728,6 @@ static bool handle_read_kdeth_eflags(str + diff = cmp_psn(psn, + flow->flow_state.r_next_psn); + if (diff > 0) { +- if (!(qp->r_flags & RVT_R_RDMAR_SEQ)) +- restart_tid_rdma_read_req(rcd, +- qp, +- wqe); +- + /* Drop the packet.*/ + goto s_unlock; + } else if (diff < 0) { diff --git a/queue-5.3/io_uring-ensure-we-clear-io_kiocb-result-before-each-issue.patch b/queue-5.3/io_uring-ensure-we-clear-io_kiocb-result-before-each-issue.patch new file mode 100644 index 00000000000..34307da1a60 --- /dev/null +++ b/queue-5.3/io_uring-ensure-we-clear-io_kiocb-result-before-each-issue.patch @@ -0,0 +1,38 @@ +From 6873e0bd6a9cb14ecfadd89d9ed9698ff1761902 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 30 Oct 2019 13:53:09 -0600 +Subject: io_uring: ensure we clear io_kiocb->result before each issue + +From: Jens Axboe + +commit 6873e0bd6a9cb14ecfadd89d9ed9698ff1761902 upstream. + +We use io_kiocb->result == -EAGAIN as a way to know if we need to +re-submit a polled request, as -EAGAIN reporting happens out-of-line +for IO submission failures. This field is cleared when we originally +allocate the request, but it isn't reset when we retry the submission +from async context. This can cause issues where we think something +needs a re-issue, but we're really just reading stale data. + +Reset ->result whenever we re-prep a request for polled submission. + +Cc: stable@vger.kernel.org +Fixes: 9e645e1105ca ("io_uring: add support for sqe links") +Reported-by: Bijan Mottahedeh +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1078,6 +1078,7 @@ static int io_prep_rw(struct io_kiocb *r + + kiocb->ki_flags |= IOCB_HIPRI; + kiocb->ki_complete = io_complete_rw_iopoll; ++ req->result = 0; + } else { + if (kiocb->ki_flags & IOCB_HIPRI) + return -EINVAL; diff --git a/queue-5.3/iommu-vt-d-fix-panic-after-kexec-p-for-kdump.patch b/queue-5.3/iommu-vt-d-fix-panic-after-kexec-p-for-kdump.patch new file mode 100644 index 00000000000..69a46a99112 --- /dev/null +++ b/queue-5.3/iommu-vt-d-fix-panic-after-kexec-p-for-kdump.patch @@ -0,0 +1,104 @@ +From 160c63f909ffbc797c0bbe23310ac1eaf2349d2f Mon Sep 17 00:00:00 2001 +From: John Donnelly +Date: Mon, 21 Oct 2019 21:48:10 -0500 +Subject: iommu/vt-d: Fix panic after kexec -p for kdump + +From: John Donnelly + +commit 160c63f909ffbc797c0bbe23310ac1eaf2349d2f upstream. + +This cures a panic on restart after a kexec operation on 5.3 and 5.4 +kernels. + +The underlying state of the iommu registers (iommu->flags & +VTD_FLAG_TRANS_PRE_ENABLED) on a restart results in a domain being marked as +"DEFER_DEVICE_DOMAIN_INFO" that produces an Oops in identity_mapping(). + +[ 43.654737] BUG: kernel NULL pointer dereference, address: +0000000000000056 +[ 43.655720] #PF: supervisor read access in kernel mode +[ 43.655720] #PF: error_code(0x0000) - not-present page +[ 43.655720] PGD 0 P4D 0 +[ 43.655720] Oops: 0000 [#1] SMP PTI +[ 43.655720] CPU: 0 PID: 1 Comm: swapper/0 Not tainted +5.3.2-1940.el8uek.x86_64 #1 +[ 43.655720] Hardware name: Oracle Corporation ORACLE SERVER +X5-2/ASM,MOTHERBOARD,1U, BIOS 30140300 09/20/2018 +[ 43.655720] RIP: 0010:iommu_need_mapping+0x29/0xd0 +[ 43.655720] Code: 00 0f 1f 44 00 00 48 8b 97 70 02 00 00 48 83 fa ff +74 53 48 8d 4a ff b8 01 00 00 00 48 83 f9 fd 76 01 c3 48 8b 35 7f 58 e0 +01 <48> 39 72 58 75 f2 55 48 89 e5 41 54 53 48 8b 87 28 02 00 00 4c 8b +[ 43.655720] RSP: 0018:ffffc9000001b9b0 EFLAGS: 00010246 +[ 43.655720] RAX: 0000000000000001 RBX: 0000000000001000 RCX: +fffffffffffffffd +[ 43.655720] RDX: fffffffffffffffe RSI: ffff8880719b8000 RDI: +ffff8880477460b0 +[ 43.655720] RBP: ffffc9000001b9e8 R08: 0000000000000000 R09: +ffff888047c01700 +[ 43.655720] R10: 00002194036fc692 R11: 0000000000000000 R12: +0000000000000000 +[ 43.655720] R13: ffff8880477460b0 R14: 0000000000000cc0 R15: +ffff888072d2b558 +[ 43.655720] FS: 0000000000000000(0000) GS:ffff888071c00000(0000) +knlGS:0000000000000000 +[ 43.655720] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 43.655720] CR2: 0000000000000056 CR3: 000000007440a002 CR4: +00000000001606b0 +[ 43.655720] Call Trace: +[ 43.655720] ? intel_alloc_coherent+0x2a/0x180 +[ 43.655720] ? __schedule+0x2c2/0x650 +[ 43.655720] dma_alloc_attrs+0x8c/0xd0 +[ 43.655720] dma_pool_alloc+0xdf/0x200 +[ 43.655720] ehci_qh_alloc+0x58/0x130 +[ 43.655720] ehci_setup+0x287/0x7ba +[ 43.655720] ? _dev_info+0x6c/0x83 +[ 43.655720] ehci_pci_setup+0x91/0x436 +[ 43.655720] usb_add_hcd.cold.48+0x1d4/0x754 +[ 43.655720] usb_hcd_pci_probe+0x2bc/0x3f0 +[ 43.655720] ehci_pci_probe+0x39/0x40 +[ 43.655720] local_pci_probe+0x47/0x80 +[ 43.655720] pci_device_probe+0xff/0x1b0 +[ 43.655720] really_probe+0xf5/0x3a0 +[ 43.655720] driver_probe_device+0xbb/0x100 +[ 43.655720] device_driver_attach+0x58/0x60 +[ 43.655720] __driver_attach+0x8f/0x150 +[ 43.655720] ? device_driver_attach+0x60/0x60 +[ 43.655720] bus_for_each_dev+0x74/0xb0 +[ 43.655720] driver_attach+0x1e/0x20 +[ 43.655720] bus_add_driver+0x151/0x1f0 +[ 43.655720] ? ehci_hcd_init+0xb2/0xb2 +[ 43.655720] ? do_early_param+0x95/0x95 +[ 43.655720] driver_register+0x70/0xc0 +[ 43.655720] ? ehci_hcd_init+0xb2/0xb2 +[ 43.655720] __pci_register_driver+0x57/0x60 +[ 43.655720] ehci_pci_init+0x6a/0x6c +[ 43.655720] do_one_initcall+0x4a/0x1fa +[ 43.655720] ? do_early_param+0x95/0x95 +[ 43.655720] kernel_init_freeable+0x1bd/0x262 +[ 43.655720] ? rest_init+0xb0/0xb0 +[ 43.655720] kernel_init+0xe/0x110 +[ 43.655720] ret_from_fork+0x24/0x50 + +Fixes: 8af46c784ecfe ("iommu/vt-d: Implement is_attach_deferred iommu ops entry") +Cc: stable@vger.kernel.org # v5.3+ + +Signed-off-by: John Donnelly +Reviewed-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2783,7 +2783,7 @@ static int identity_mapping(struct devic + struct device_domain_info *info; + + info = dev->archdata.iommu; +- if (info && info != DUMMY_DEVICE_DOMAIN_INFO) ++ if (info && info != DUMMY_DEVICE_DOMAIN_INFO && info != DEFER_DEVICE_DOMAIN_INFO) + return (info->domain == si_domain); + + return 0; diff --git a/queue-5.3/kvm-vmx-svm-always-run-with-efer.nxe-1-when-shadow-paging-is-active.patch b/queue-5.3/kvm-vmx-svm-always-run-with-efer.nxe-1-when-shadow-paging-is-active.patch new file mode 100644 index 00000000000..a7f83575ee8 --- /dev/null +++ b/queue-5.3/kvm-vmx-svm-always-run-with-efer.nxe-1-when-shadow-paging-is-active.patch @@ -0,0 +1,71 @@ +From 9167ab79936206118cc60e47dcb926c3489f3bd5 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Sun, 27 Oct 2019 16:23:23 +0100 +Subject: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active + +From: Paolo Bonzini + +commit 9167ab79936206118cc60e47dcb926c3489f3bd5 upstream. + +VMX already does so if the host has SMEP, in order to support the combination of +CR0.WP=1 and CR4.SMEP=1. However, it is perfectly safe to always do so, and in +fact VMX already ends up running with EFER.NXE=1 on old processors that lack the +"load EFER" controls, because it may help avoiding a slow MSR write. Removing +all the conditionals simplifies the code. + +SVM does not have similar code, but it should since recent AMD processors do +support SMEP. So this patch also makes the code for the two vendors more similar +while fixing NPT=0, CR0.WP=1 and CR4.SMEP=1 on AMD processors. + +Cc: stable@vger.kernel.org +Cc: Joerg Roedel +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 10 ++++++++-- + arch/x86/kvm/vmx/vmx.c | 14 +++----------- + 2 files changed, 11 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -736,8 +736,14 @@ static int get_npt_level(struct kvm_vcpu + static void svm_set_efer(struct kvm_vcpu *vcpu, u64 efer) + { + vcpu->arch.efer = efer; +- if (!npt_enabled && !(efer & EFER_LMA)) +- efer &= ~EFER_LME; ++ ++ if (!npt_enabled) { ++ /* Shadow paging assumes NX to be available. */ ++ efer |= EFER_NX; ++ ++ if (!(efer & EFER_LMA)) ++ efer &= ~EFER_LME; ++ } + + to_svm(vcpu)->vmcb->save.efer = efer | EFER_SVME; + mark_dirty(to_svm(vcpu)->vmcb, VMCB_CR); +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -897,17 +897,9 @@ static bool update_transition_efer(struc + u64 guest_efer = vmx->vcpu.arch.efer; + u64 ignore_bits = 0; + +- if (!enable_ept) { +- /* +- * NX is needed to handle CR0.WP=1, CR4.SMEP=1. Testing +- * host CPUID is more efficient than testing guest CPUID +- * or CR4. Host SMEP is anyway a requirement for guest SMEP. +- */ +- if (boot_cpu_has(X86_FEATURE_SMEP)) +- guest_efer |= EFER_NX; +- else if (!(guest_efer & EFER_NX)) +- ignore_bits |= EFER_NX; +- } ++ /* Shadow paging assumes NX to be available. */ ++ if (!enable_ept) ++ guest_efer |= EFER_NX; + + /* + * LMA and LME handled by hardware; SCE meaningless outside long mode. diff --git a/queue-5.3/nfs-fix-an-rcu-lock-leak-in-nfs4_refresh_delegation_stateid.patch b/queue-5.3/nfs-fix-an-rcu-lock-leak-in-nfs4_refresh_delegation_stateid.patch new file mode 100644 index 00000000000..272e6179752 --- /dev/null +++ b/queue-5.3/nfs-fix-an-rcu-lock-leak-in-nfs4_refresh_delegation_stateid.patch @@ -0,0 +1,35 @@ +From 79cc55422ce99be5964bde208ba8557174720893 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 31 Oct 2019 18:40:33 -0400 +Subject: NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid() + +From: Trond Myklebust + +commit 79cc55422ce99be5964bde208ba8557174720893 upstream. + +A typo in nfs4_refresh_delegation_stateid() means we're leaking an +RCU lock, and always returning a value of 'false'. As the function +description states, we were always supposed to return 'true' if a +matching delegation was found. + +Fixes: 12f275cdd163 ("NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID.") +Cc: stable@vger.kernel.org # v4.15+ +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/delegation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -1181,7 +1181,7 @@ bool nfs4_refresh_delegation_stateid(nfs + if (delegation != NULL && + nfs4_stateid_match_other(dst, &delegation->stateid)) { + dst->seqid = delegation->stateid.seqid; +- return ret; ++ ret = true; + } + rcu_read_unlock(); + out: diff --git a/queue-5.3/rtlwifi-fix-potential-overflow-on-p2p-code.patch b/queue-5.3/rtlwifi-fix-potential-overflow-on-p2p-code.patch new file mode 100644 index 00000000000..62cafa7f9c0 --- /dev/null +++ b/queue-5.3/rtlwifi-fix-potential-overflow-on-p2p-code.patch @@ -0,0 +1,46 @@ +From 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Fri, 18 Oct 2019 07:43:21 -0400 +Subject: rtlwifi: Fix potential overflow on P2P code + +From: Laura Abbott + +commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream. + +Nicolas Waisman noticed that even though noa_len is checked for +a compatible length it's still possible to overrun the buffers +of p2pinfo since there's no check on the upper bound of noa_num. +Bound noa_num against P2P_MAX_NOA_NUM. + +Reported-by: Nicolas Waisman +Signed-off-by: Laura Abbott +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/ps.c ++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c +@@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80 + return; + } else { + noa_num = (noa_len - 2) / 13; ++ if (noa_num > P2P_MAX_NOA_NUM) ++ noa_num = P2P_MAX_NOA_NUM; ++ + } + noa_index = ie[3]; + if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == +@@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct iee + return; + } else { + noa_num = (noa_len - 2) / 13; ++ if (noa_num > P2P_MAX_NOA_NUM) ++ noa_num = P2P_MAX_NOA_NUM; ++ + } + noa_index = ie[3]; + if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == diff --git a/queue-5.3/rtlwifi-rtl_pci-fix-problem-of-too-small-skb-len.patch b/queue-5.3/rtlwifi-rtl_pci-fix-problem-of-too-small-skb-len.patch new file mode 100644 index 00000000000..9b0b4b25992 --- /dev/null +++ b/queue-5.3/rtlwifi-rtl_pci-fix-problem-of-too-small-skb-len.patch @@ -0,0 +1,43 @@ +From b43f4a169f220e459edf3ea8f8cd3ec4ae7fa82d Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 20 Oct 2019 19:56:58 -0500 +Subject: rtlwifi: rtl_pci: Fix problem of too small skb->len + +From: Larry Finger + +commit b43f4a169f220e459edf3ea8f8cd3ec4ae7fa82d upstream. + +In commit 8020919a9b99 ("mac80211: Properly handle SKB with radiotap +only"), buffers whose length is too short cause a WARN_ON(1) to be +executed. This change exposed a fault in rtlwifi drivers, which is fixed +by regarding packets with skb->len <= FCS_LEN as though they are in error +and dropping them. The test is now annotated as likely. + +Cc: Stable # v5.0+ +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -822,7 +822,7 @@ static void _rtl_pci_rx_interrupt(struct + hdr = rtl_get_hdr(skb); + fc = rtl_get_fc(skb); + +- if (!stats.crc && !stats.hwerror) { ++ if (!stats.crc && !stats.hwerror && (skb->len > FCS_LEN)) { + memcpy(IEEE80211_SKB_RXCB(skb), &rx_status, + sizeof(rx_status)); + +@@ -859,6 +859,7 @@ static void _rtl_pci_rx_interrupt(struct + _rtl_pci_rx_to_mac80211(hw, skb, rx_status); + } + } else { ++ /* drop packets with errors or those too short */ + dev_kfree_skb_any(skb); + } + new_trx_end: diff --git a/queue-5.3/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch b/queue-5.3/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch new file mode 100644 index 00000000000..add36545956 --- /dev/null +++ b/queue-5.3/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch @@ -0,0 +1,66 @@ +From b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f Mon Sep 17 00:00:00 2001 +From: Yihui ZENG +Date: Fri, 25 Oct 2019 12:31:48 +0300 +Subject: s390/cmm: fix information leak in cmm_timeout_handler() + +From: Yihui ZENG + +commit b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f upstream. + +The problem is that we were putting the NUL terminator too far: + + buf[sizeof(buf) - 1] = '\0'; + +If the user input isn't NUL terminated and they haven't initialized the +whole buffer then it leads to an info leak. The NUL terminator should +be: + + buf[len - 1] = '\0'; + +Signed-off-by: Yihui Zeng +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +[heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled] +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/mm/cmm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/s390/mm/cmm.c ++++ b/arch/s390/mm/cmm.c +@@ -298,16 +298,16 @@ static int cmm_timeout_handler(struct ct + } + + if (write) { +- len = *lenp; +- if (copy_from_user(buf, buffer, +- len > sizeof(buf) ? sizeof(buf) : len)) ++ len = min(*lenp, sizeof(buf)); ++ if (copy_from_user(buf, buffer, len)) + return -EFAULT; +- buf[sizeof(buf) - 1] = '\0'; ++ buf[len - 1] = '\0'; + cmm_skip_blanks(buf, &p); + nr = simple_strtoul(p, &p, 0); + cmm_skip_blanks(p, &p); + seconds = simple_strtoul(p, &p, 0); + cmm_set_timeout(nr, seconds); ++ *ppos += *lenp; + } else { + len = sprintf(buf, "%ld %ld\n", + cmm_timeout_pages, cmm_timeout_seconds); +@@ -315,9 +315,9 @@ static int cmm_timeout_handler(struct ct + len = *lenp; + if (copy_to_user(buffer, buf, len)) + return -EFAULT; ++ *lenp = len; ++ *ppos += len; + } +- *lenp = len; +- *ppos += len; + return 0; + } + diff --git a/queue-5.3/s390-idle-fix-cpu-idle-time-calculation.patch b/queue-5.3/s390-idle-fix-cpu-idle-time-calculation.patch new file mode 100644 index 00000000000..41344b7fee1 --- /dev/null +++ b/queue-5.3/s390-idle-fix-cpu-idle-time-calculation.patch @@ -0,0 +1,98 @@ +From 3d7efa4edd07be5c5c3ffa95ba63e97e070e1f3f Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 28 Oct 2019 11:03:27 +0100 +Subject: s390/idle: fix cpu idle time calculation + +From: Heiko Carstens + +commit 3d7efa4edd07be5c5c3ffa95ba63e97e070e1f3f upstream. + +The idle time reported in /proc/stat sometimes incorrectly contains +huge values on s390. This is caused by a bug in arch_cpu_idle_time(). + +The kernel tries to figure out when a different cpu entered idle by +accessing its per-cpu data structure. There is an ordering problem: if +the remote cpu has an idle_enter value which is not zero, and an +idle_exit value which is zero, it is assumed it is idle since +"now". The "now" timestamp however is taken before the idle_enter +value is read. + +Which in turn means that "now" can be smaller than idle_enter of the +remote cpu. Unconditionally subtracting idle_enter from "now" can thus +lead to a negative value (aka large unsigned value). + +Fix this by moving the get_tod_clock() invocation out of the +loop. While at it also make the code a bit more readable. + +A similar bug also exists for show_idle_time(). Fix this is as well. + +Cc: +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/idle.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +--- a/arch/s390/kernel/idle.c ++++ b/arch/s390/kernel/idle.c +@@ -69,18 +69,26 @@ DEVICE_ATTR(idle_count, 0444, show_idle_ + static ssize_t show_idle_time(struct device *dev, + struct device_attribute *attr, char *buf) + { ++ unsigned long long now, idle_time, idle_enter, idle_exit, in_idle; + struct s390_idle_data *idle = &per_cpu(s390_idle, dev->id); +- unsigned long long now, idle_time, idle_enter, idle_exit; + unsigned int seq; + + do { +- now = get_tod_clock(); + seq = read_seqcount_begin(&idle->seqcount); + idle_time = READ_ONCE(idle->idle_time); + idle_enter = READ_ONCE(idle->clock_idle_enter); + idle_exit = READ_ONCE(idle->clock_idle_exit); + } while (read_seqcount_retry(&idle->seqcount, seq)); +- idle_time += idle_enter ? ((idle_exit ? : now) - idle_enter) : 0; ++ in_idle = 0; ++ now = get_tod_clock(); ++ if (idle_enter) { ++ if (idle_exit) { ++ in_idle = idle_exit - idle_enter; ++ } else if (now > idle_enter) { ++ in_idle = now - idle_enter; ++ } ++ } ++ idle_time += in_idle; + return sprintf(buf, "%llu\n", idle_time >> 12); + } + DEVICE_ATTR(idle_time_us, 0444, show_idle_time, NULL); +@@ -88,17 +96,24 @@ DEVICE_ATTR(idle_time_us, 0444, show_idl + u64 arch_cpu_idle_time(int cpu) + { + struct s390_idle_data *idle = &per_cpu(s390_idle, cpu); +- unsigned long long now, idle_enter, idle_exit; ++ unsigned long long now, idle_enter, idle_exit, in_idle; + unsigned int seq; + + do { +- now = get_tod_clock(); + seq = read_seqcount_begin(&idle->seqcount); + idle_enter = READ_ONCE(idle->clock_idle_enter); + idle_exit = READ_ONCE(idle->clock_idle_exit); + } while (read_seqcount_retry(&idle->seqcount, seq)); +- +- return cputime_to_nsecs(idle_enter ? ((idle_exit ?: now) - idle_enter) : 0); ++ in_idle = 0; ++ now = get_tod_clock(); ++ if (idle_enter) { ++ if (idle_exit) { ++ in_idle = idle_exit - idle_enter; ++ } else if (now > idle_enter) { ++ in_idle = now - idle_enter; ++ } ++ } ++ return cputime_to_nsecs(in_idle); + } + + void arch_cpu_idle_enter(void) diff --git a/queue-5.3/s390-unwind-fix-mixing-regs-and-sp.patch b/queue-5.3/s390-unwind-fix-mixing-regs-and-sp.patch new file mode 100644 index 00000000000..2166701bfa4 --- /dev/null +++ b/queue-5.3/s390-unwind-fix-mixing-regs-and-sp.patch @@ -0,0 +1,96 @@ +From a1d863ac3e1085e1fea9caafd87252d08731de2e Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich +Date: Wed, 2 Oct 2019 13:29:57 +0200 +Subject: s390/unwind: fix mixing regs and sp + +From: Ilya Leoshkevich + +commit a1d863ac3e1085e1fea9caafd87252d08731de2e upstream. + +unwind_for_each_frame stops after the first frame if regs->gprs[15] <= +sp. + +The reason is that in case regs are specified, the first frame should be +regs->psw.addr and the second frame should be sp->gprs[8]. However, +currently the second frame is regs->gprs[15], which confuses +outside_of_stack(). + +Fix by introducing a flag to distinguish this special case from +unwinding the interrupt handler, for which the current behavior is +appropriate. + +Fixes: 78c98f907413 ("s390/unwind: introduce stack unwind API") +Signed-off-by: Ilya Leoshkevich +Cc: stable@vger.kernel.org # v5.2+ +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/unwind.h | 1 + + arch/s390/kernel/unwind_bc.c | 18 +++++++++++++----- + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/arch/s390/include/asm/unwind.h ++++ b/arch/s390/include/asm/unwind.h +@@ -35,6 +35,7 @@ struct unwind_state { + struct task_struct *task; + struct pt_regs *regs; + unsigned long sp, ip; ++ bool reuse_sp; + int graph_idx; + bool reliable; + bool error; +--- a/arch/s390/kernel/unwind_bc.c ++++ b/arch/s390/kernel/unwind_bc.c +@@ -46,10 +46,15 @@ bool unwind_next_frame(struct unwind_sta + + regs = state->regs; + if (unlikely(regs)) { +- sp = READ_ONCE_NOCHECK(regs->gprs[15]); +- if (unlikely(outside_of_stack(state, sp))) { +- if (!update_stack_info(state, sp)) +- goto out_err; ++ if (state->reuse_sp) { ++ sp = state->sp; ++ state->reuse_sp = false; ++ } else { ++ sp = READ_ONCE_NOCHECK(regs->gprs[15]); ++ if (unlikely(outside_of_stack(state, sp))) { ++ if (!update_stack_info(state, sp)) ++ goto out_err; ++ } + } + sf = (struct stack_frame *) sp; + ip = READ_ONCE_NOCHECK(sf->gprs[8]); +@@ -107,9 +112,9 @@ void __unwind_start(struct unwind_state + { + struct stack_info *info = &state->stack_info; + unsigned long *mask = &state->stack_mask; ++ bool reliable, reuse_sp; + struct stack_frame *sf; + unsigned long ip; +- bool reliable; + + memset(state, 0, sizeof(*state)); + state->task = task; +@@ -134,10 +139,12 @@ void __unwind_start(struct unwind_state + if (regs) { + ip = READ_ONCE_NOCHECK(regs->psw.addr); + reliable = true; ++ reuse_sp = true; + } else { + sf = (struct stack_frame *) sp; + ip = READ_ONCE_NOCHECK(sf->gprs[8]); + reliable = false; ++ reuse_sp = false; + } + + #ifdef CONFIG_FUNCTION_GRAPH_TRACER +@@ -151,5 +158,6 @@ void __unwind_start(struct unwind_state + state->sp = sp; + state->ip = ip; + state->reliable = reliable; ++ state->reuse_sp = reuse_sp; + } + EXPORT_SYMBOL_GPL(__unwind_start); diff --git a/queue-5.3/series b/queue-5.3/series index 4a8b9ab1179..0bcacb6aafa 100644 --- a/queue-5.3/series +++ b/queue-5.3/series @@ -115,3 +115,30 @@ scsi-target-cxgbit-fix-cxgbit_fw4_ack.patch hid-i2c-hid-add-trekstor-primebook-c11b-to-descriptor-override.patch hid-fix-assumption-that-devices-have-inputs.patch hid-fix-error-message-in-hid_open_report.patch +hid-logitech-hidpp-split-g920_get_config.patch +hid-logitech-hidpp-rework-device-validation.patch +hid-logitech-hidpp-do-all-ff-cleanup-in-hidpp_ff_destroy.patch +um-ubd-entrust-re-queue-to-the-upper-layers.patch +s390-unwind-fix-mixing-regs-and-sp.patch +s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch +s390-idle-fix-cpu-idle-time-calculation.patch +arc-perf-accommodate-big-endian-cpu.patch +ib-hfi1-avoid-excessive-retry-for-tid-rdma-read-request.patch +arm64-ensure-vm_write-vm_shared-ptes-are-clean-by-default.patch +arm64-cpufeature-enable-qualcomm-falkor-kryo-errata-1003.patch +virtio_ring-fix-stalls-for-packed-rings.patch +rtlwifi-rtl_pci-fix-problem-of-too-small-skb-len.patch +rtlwifi-fix-potential-overflow-on-p2p-code.patch +kvm-vmx-svm-always-run-with-efer.nxe-1-when-shadow-paging-is-active.patch +dmaengine-qcom-bam_dma-fix-resource-leak.patch +dmaengine-tegra210-adma-fix-transfer-failure.patch +dmaengine-imx-sdma-fix-size-check-for-sdma-script_number.patch +dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch +drm-amdgpu-gmc10-properly-set-bank_select-and-fragment_size.patch +drm-i915-fix-pch-reference-clock-for-fdi-on-hsw-bdw.patch +drm-amdgpu-gfx10-update-gfx-golden-settings.patch +drm-amdgpu-powerplay-vega10-allow-undervolting-in-p7.patch +drm-amdgpu-fix-sdma-hang-when-performing-vkexample-test.patch +nfs-fix-an-rcu-lock-leak-in-nfs4_refresh_delegation_stateid.patch +io_uring-ensure-we-clear-io_kiocb-result-before-each-issue.patch +iommu-vt-d-fix-panic-after-kexec-p-for-kdump.patch diff --git a/queue-5.3/um-ubd-entrust-re-queue-to-the-upper-layers.patch b/queue-5.3/um-ubd-entrust-re-queue-to-the-upper-layers.patch new file mode 100644 index 00000000000..7c41af9615b --- /dev/null +++ b/queue-5.3/um-ubd-entrust-re-queue-to-the-upper-layers.patch @@ -0,0 +1,39 @@ +From d848074b2f1eb11a38691285f7366bce83087014 Mon Sep 17 00:00:00 2001 +From: Anton Ivanov +Date: Tue, 29 Oct 2019 09:13:34 +0000 +Subject: um-ubd: Entrust re-queue to the upper layers + +From: Anton Ivanov + +commit d848074b2f1eb11a38691285f7366bce83087014 upstream. + +Fixes crashes due to ubd requeue logic conflicting with the block-mq +logic. Crash is reproducible in 5.0 - 5.3. + +Fixes: 53766defb8c8 ("um: Clean-up command processing in UML UBD driver") +Cc: stable@vger.kernel.org # v5.0+ +Signed-off-by: Anton Ivanov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/drivers/ubd_kern.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -1403,8 +1403,12 @@ static blk_status_t ubd_queue_rq(struct + + spin_unlock_irq(&ubd_dev->lock); + +- if (ret < 0) +- blk_mq_requeue_request(req, true); ++ if (ret < 0) { ++ if (ret == -ENOMEM) ++ res = BLK_STS_RESOURCE; ++ else ++ res = BLK_STS_DEV_RESOURCE; ++ } + + return res; + } diff --git a/queue-5.3/virtio_ring-fix-stalls-for-packed-rings.patch b/queue-5.3/virtio_ring-fix-stalls-for-packed-rings.patch new file mode 100644 index 00000000000..92fec6518ca --- /dev/null +++ b/queue-5.3/virtio_ring-fix-stalls-for-packed-rings.patch @@ -0,0 +1,79 @@ +From 40ce7919d8730f5936da2bc8a21b46bd07db6411 Mon Sep 17 00:00:00 2001 +From: Marvin Liu +Date: Tue, 22 Oct 2019 01:10:04 +0800 +Subject: virtio_ring: fix stalls for packed rings + +From: Marvin Liu + +commit 40ce7919d8730f5936da2bc8a21b46bd07db6411 upstream. + +When VIRTIO_F_RING_EVENT_IDX is negotiated, virtio devices can +use virtqueue_enable_cb_delayed_packed to reduce the number of device +interrupts. At the moment, this is the case for virtio-net when the +napi_tx module parameter is set to false. + +In this case, the virtio driver selects an event offset and expects that +the device will send a notification when rolling over the event offset +in the ring. However, if this roll-over happens before the event +suppression structure update, the notification won't be sent. To address +this race condition the driver needs to check wether the device rolled +over the offset after updating the event suppression structure. + +With VIRTIO_F_RING_PACKED, the virtio driver did this by reading the +flags field of the descriptor at the specified offset. + +Unfortunately, checking at the event offset isn't reliable: if +descriptors are chained (e.g. when INDIRECT is off) not all descriptors +are overwritten by the device, so it's possible that the device skipped +the specific descriptor driver is checking when writing out used +descriptors. If this happens, the driver won't detect the race condition +and will incorrectly expect the device to send a notification. + +For virtio-net, the result will be a TX queue stall, with the +transmission getting blocked forever. + +With the packed ring, it isn't easy to find a location which is +guaranteed to change upon the roll-over, except the next device +descriptor, as described in the spec: + + Writes of device and driver descriptors can generally be + reordered, but each side (driver and device) are only required to + poll (or test) a single location in memory: the next device descriptor after + the one they processed previously, in circular order. + +while this might be sub-optimal, let's do exactly this for now. + +Cc: stable@vger.kernel.org +Cc: Jason Wang +Fixes: f51f982682e2a ("virtio_ring: leverage event idx in packed ring") +Signed-off-by: Marvin Liu +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_ring.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -1499,9 +1499,6 @@ static bool virtqueue_enable_cb_delayed_ + * counter first before updating event flags. + */ + virtio_wmb(vq->weak_barriers); +- } else { +- used_idx = vq->last_used_idx; +- wrap_counter = vq->packed.used_wrap_counter; + } + + if (vq->packed.event_flags_shadow == VRING_PACKED_EVENT_FLAG_DISABLE) { +@@ -1518,7 +1515,9 @@ static bool virtqueue_enable_cb_delayed_ + */ + virtio_mb(vq->weak_barriers); + +- if (is_used_desc_packed(vq, used_idx, wrap_counter)) { ++ if (is_used_desc_packed(vq, ++ vq->last_used_idx, ++ vq->packed.used_wrap_counter)) { + END_USE(vq); + return false; + }