From 0e4bd13325a7ce1974cdbe3750e04f8e9d38b71b Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 27 Jul 2020 15:31:07 +0200 Subject: [PATCH] 5.7-stable patches added patches: arm64-vdso32-fix-prefix-value-for-newer-versions-of-clang.patch asoc-intel-bdw-rt5677-fix-non-be-conversion.patch asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch asoc-topology-fix-kernel-oops-on-route-addition-error.patch asoc-topology-fix-tlvs-in-error-handling-for-widget_dmixer.patch ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch ath9k-fix-regression-with-atheros-9271.patch dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch io-mapping-indicate-mapping-failure.patch khugepaged-fix-null-pointer-dereference-due-to-race.patch mm-hugetlb-avoid-hardcoding-while-checking-if-cma-is-enabled.patch mm-memcg-fix-refcount-error-while-moving-and-swapping.patch mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch mm-mmap.c-close-race-between-munmap-and-expand_upwards-downwards.patch mmc-sdhci-of-aspeed-fix-clock-divider-calculation.patch parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch vfs-xattr-mm-shmem-kernfs-release-simple-xattr-entry-in-a-right-way.patch x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch --- ...ix-value-for-newer-versions-of-clang.patch | 51 +++++ ...tel-bdw-rt5677-fix-non-be-conversion.patch | 41 ++++ ...s_dma-dependency-to-fix-link-failure.patch | 57 +++++ ...nd-enable-it-on-the-lenovo-miix-2-10.patch | 166 ++++++++++++++ ...-kernel-oops-on-route-addition-error.patch | 69 ++++++ ...-in-error-handling-for-widget_dmixer.patch | 43 ++++ ...tection-fault-in-ath9k_hif_usb_rx_cb.patch | 216 ++++++++++++++++++ ...h9k-fix-regression-with-atheros-9271.patch | 44 ++++ ...lculation-that-is-improperly-skipped.patch | 128 +++++++++++ 
...fix-a-crash-when-overclocking-vega-m.patch | 52 +++++ ...ll-dereference-in-dpm-sysfs-handlers.patch | 61 +++++ .../io-mapping-indicate-mapping-failure.patch | 73 ++++++ ...null-pointer-dereference-due-to-race.patch | 58 +++++ ...ing-while-checking-if-cma-is-enabled.patch | 94 ++++++++ ...ount-error-while-moving-and-swapping.patch | 61 +++++ ...-leak-at-non-root-kmem_cache-destroy.patch | 125 ++++++++++ ...-munmap-and-expand_upwards-downwards.patch | 89 ++++++++ ...aspeed-fix-clock-divider-calculation.patch | 37 +++ ...ase-define-to-avoid-cpu-soft-lockups.patch | 84 +++++++ queue-5.7/series | 21 ++ ...se-simple-xattr-entry-in-a-right-way.patch | 63 +++++ ...align-end-of-..page_aligned-sections.patch | 78 +++++++ 22 files changed, 1711 insertions(+) create mode 100644 queue-5.7/arm64-vdso32-fix-prefix-value-for-newer-versions-of-clang.patch create mode 100644 queue-5.7/asoc-intel-bdw-rt5677-fix-non-be-conversion.patch create mode 100644 queue-5.7/asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch create mode 100644 queue-5.7/asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch create mode 100644 queue-5.7/asoc-topology-fix-kernel-oops-on-route-addition-error.patch create mode 100644 queue-5.7/asoc-topology-fix-tlvs-in-error-handling-for-widget_dmixer.patch create mode 100644 queue-5.7/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch create mode 100644 queue-5.7/ath9k-fix-regression-with-atheros-9271.patch create mode 100644 queue-5.7/dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch create mode 100644 queue-5.7/drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch create mode 100644 queue-5.7/drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch create mode 100644 queue-5.7/io-mapping-indicate-mapping-failure.patch create mode 100644 queue-5.7/khugepaged-fix-null-pointer-dereference-due-to-race.patch create mode 100644 
queue-5.7/mm-hugetlb-avoid-hardcoding-while-checking-if-cma-is-enabled.patch create mode 100644 queue-5.7/mm-memcg-fix-refcount-error-while-moving-and-swapping.patch create mode 100644 queue-5.7/mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch create mode 100644 queue-5.7/mm-mmap.c-close-race-between-munmap-and-expand_upwards-downwards.patch create mode 100644 queue-5.7/mmc-sdhci-of-aspeed-fix-clock-divider-calculation.patch create mode 100644 queue-5.7/parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch create mode 100644 queue-5.7/vfs-xattr-mm-shmem-kernfs-release-simple-xattr-entry-in-a-right-way.patch create mode 100644 queue-5.7/x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch diff --git a/queue-5.7/arm64-vdso32-fix-prefix-value-for-newer-versions-of-clang.patch b/queue-5.7/arm64-vdso32-fix-prefix-value-for-newer-versions-of-clang.patch new file mode 100644 index 00000000000..edd8bcfe3eb --- /dev/null +++ b/queue-5.7/arm64-vdso32-fix-prefix-value-for-newer-versions-of-clang.patch 
@@ -0,0 +1,51 @@
+From 7b7891c7bdfd61fc9ed6747a0a05efe2394dddc6 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Wed, 22 Jul 2020 21:15:10 -0700
+Subject: arm64: vdso32: Fix '--prefix=' value for newer versions of clang
+
+From: Nathan Chancellor
+
+commit 7b7891c7bdfd61fc9ed6747a0a05efe2394dddc6 upstream.
+
+Newer versions of clang only look for $(COMPAT_GCC_TOOLCHAIN_DIR)as [1],
+rather than $(COMPAT_GCC_TOOLCHAIN_DIR)$(CROSS_COMPILE_COMPAT)as,
+resulting in the following build error:
+
+$ make -skj"$(nproc)" ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- \
+CROSS_COMPILE_COMPAT=arm-linux-gnueabi- LLVM=1 O=out/aarch64 distclean \
+defconfig arch/arm64/kernel/vdso32/
+...
+/home/nathan/cbl/toolchains/llvm-binutils/bin/as: unrecognized option '-EL'
+clang-12: error: assembler command failed with exit code 1 (use -v to see invocation)
+make[3]: *** [arch/arm64/kernel/vdso32/Makefile:181: arch/arm64/kernel/vdso32/note.o] Error 1
+...
+
+Adding the value of CROSS_COMPILE_COMPAT (adding notdir to account for a
+full path for CROSS_COMPILE_COMPAT) fixes this issue, which matches the
+solution done for the main Makefile [2].
+
+[1]: https://github.com/llvm/llvm-project/commit/3452a0d8c17f7166f479706b293caf6ac76ffd90
+[2]: https://lore.kernel.org/lkml/20200721173125.1273884-1-maskray@google.com/
+
+Signed-off-by: Nathan Chancellor
+Cc: stable@vger.kernel.org
+Link: https://github.com/ClangBuiltLinux/linux/issues/1099
+Link: https://lore.kernel.org/r/20200723041509.400450-1-natechancellor@gmail.com
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/vdso32/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/vdso32/Makefile
++++ b/arch/arm64/kernel/vdso32/Makefile
+@@ -14,7 +14,7 @@ COMPAT_GCC_TOOLCHAIN_DIR := $(dir $(shel
+ COMPAT_GCC_TOOLCHAIN := $(realpath $(COMPAT_GCC_TOOLCHAIN_DIR)/..)
+
+ CC_COMPAT_CLANG_FLAGS := --target=$(notdir $(CROSS_COMPILE_COMPAT:%-=%))
+-CC_COMPAT_CLANG_FLAGS += --prefix=$(COMPAT_GCC_TOOLCHAIN_DIR)
++CC_COMPAT_CLANG_FLAGS += --prefix=$(COMPAT_GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE_COMPAT))
+ CC_COMPAT_CLANG_FLAGS += -no-integrated-as -Qunused-arguments
+ ifneq ($(COMPAT_GCC_TOOLCHAIN),)
+ CC_COMPAT_CLANG_FLAGS += --gcc-toolchain=$(COMPAT_GCC_TOOLCHAIN)
diff --git a/queue-5.7/asoc-intel-bdw-rt5677-fix-non-be-conversion.patch b/queue-5.7/asoc-intel-bdw-rt5677-fix-non-be-conversion.patch
new file mode 100644
index 00000000000..b7849b5206a
--- /dev/null
+++ b/queue-5.7/asoc-intel-bdw-rt5677-fix-non-be-conversion.patch
@@ -0,0 +1,41 @@
+From fffebe8a8339c7e56db4126653a3bc0c0c5592cf Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart
+Date: Tue, 7 Jul 2020 16:04:38 -0500
+Subject: ASoC: Intel: bdw-rt5677: fix non BE conversion
+
+From: Pierre-Louis Bossart
+
+commit fffebe8a8339c7e56db4126653a3bc0c0c5592cf upstream.
+
+When SOF is used, the normal links are converted into DPCM ones. This
+generates an error
+
+[ 58.276668] bdw-rt5677 bdw-rt5677: CPU DAI spi-RT5677AA:00 for rtd
+Wake on Voice does not support playback
+[ 58.276676] bdw-rt5677 bdw-rt5677: ASoC: can't create pcm Wake on
+Voice :-22
+
+Fix by forcing the capture direction.
+
+Fixes: b73287f0b0745 ('ASoC: soc-pcm: dpcm: fix playback/capture checks')
+Signed-off-by: Pierre-Louis Bossart
+Reviewed-by: Guennadi Liakhovetski
+Reviewed-by: Curtis Malainey
+Link: https://lore.kernel.org/r/20200707210439.115300-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/intel/boards/bdw-rt5677.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/intel/boards/bdw-rt5677.c
++++ b/sound/soc/intel/boards/bdw-rt5677.c
+@@ -328,6 +328,7 @@ static struct snd_soc_dai_link bdw_rt567
+ {
+ .name = "Codec DSP",
+ .stream_name = "Wake on Voice",
++ .capture_only = 1,
+ .ops = &bdw_rt5677_dsp_ops,
+ SND_SOC_DAILINK_REG(dsp),
+ },
diff --git a/queue-5.7/asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch b/queue-5.7/asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch
new file mode 100644
index 00000000000..3c464e8ff8a
--- /dev/null
+++ b/queue-5.7/asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch
@@ -0,0 +1,57 @@
+From b6aa06de7757667bac88997a8807b143b8436035 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 29 Jun 2020 14:24:43 +0200
+Subject: ASoC: qcom: Drop HAS_DMA dependency to fix link failure
+
+From: Geert Uytterhoeven
+
+commit b6aa06de7757667bac88997a8807b143b8436035 upstream.
+
+When building on allyesconfig kernel for a NO_DMA=y platform (e.g.
+Sun-3), CONFIG_SND_SOC_QCOM_COMMON=y, but CONFIG_SND_SOC_QDSP6_AFE=n,
+leading to a link failure:
+
+ sound/soc/qcom/common.o: In function `qcom_snd_parse_of':
+ common.c:(.text+0x2e2): undefined reference to `q6afe_is_rx_port'
+
+While SND_SOC_QDSP6 depends on HAS_DMA, SND_SOC_MSM8996 and SND_SOC_SDM845
+don't, so the following warning is seen:
+
+ WARNING: unmet direct dependencies detected for SND_SOC_QDSP6
+ Depends on [n]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && HAS_DMA [=n]
+ Selected by [y]:
+ - SND_SOC_MSM8996 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y]
+ - SND_SOC_SDM845 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && CROS_EC [=y] && I2C [=y] && SOUNDWIRE [=y]
+
+Until recently, this warning was harmless (from a compile-testing
+point-of-view), but the new user of q6afe_is_rx_port() turned this into
+a hard failure.
+
+As the QDSP6 driver itself builds fine if NO_DMA=y, and it depends on
+QCOM_APR (which in turns depends on ARCH_QCOM || COMPILE_TEST), it is
+safe to increase compile testing coverage. Hence fix the link failure
+by dropping the HAS_DMA dependency of SND_SOC_QDSP6.
+
+Fixes: a2120089251f1fe2 ("ASoC: qcom: common: set correct directions for dailinks")
+Fixes: 6b1687bf76ef84cb ("ASoC: qcom: add sdm845 sound card support")
+Fixes: a6f933f63f2ffdb2 ("ASoC: qcom: apq8096: Add db820c machine driver")
+Signed-off-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20200629122443.21736-1-geert@linux-m68k.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/qcom/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/qcom/Kconfig
++++ b/sound/soc/qcom/Kconfig
+@@ -72,7 +72,7 @@ config SND_SOC_QDSP6_ASM_DAI
+
+ config SND_SOC_QDSP6
+ tristate "SoC ALSA audio driver for QDSP6"
+- depends on QCOM_APR && HAS_DMA
++ depends on QCOM_APR
+ select SND_SOC_QDSP6_COMMON
+ select SND_SOC_QDSP6_CORE
+ select SND_SOC_QDSP6_AFE
diff --git a/queue-5.7/asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch b/queue-5.7/asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch
new file mode 100644
index 00000000000..34b09de8cf2
--- /dev/null
+++ b/queue-5.7/asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch
@@ -0,0 +1,166 @@ +From 85ca6b17e2bb96b19caac3b02c003d670b66de96 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 28 Jun 2020 17:52:28 +0200 +Subject: ASoC: rt5670: Add new gpio1_is_ext_spk_en quirk and enable it on the Lenovo Miix 2 10 + +From: Hans de Goede + +commit 85ca6b17e2bb96b19caac3b02c003d670b66de96 upstream. + +The Lenovo Miix 2 10 has a keyboard dock with extra speakers in the dock. +Rather then the ACL5672's GPIO1 pin being used as IRQ to the CPU, it is +actually used to enable the amplifier for these speakers +(the IRQ to the CPU comes directly from the jack-detect switch). + +Add a quirk for having an ext speaker-amplifier enable pin on GPIO1 +and replace the Lenovo Miix 2 10's dmi_system_id table entry's wrong +GPIO_DEV quirk (which needs to be renamed to GPIO1_IS_IRQ) with the +new RT5670_GPIO1_IS_EXT_SPK_EN quirk, so that we enable the external +speaker-amplifier as necessary. + +Also update the ident field for the dmi_system_id table entry, the +Miix models are not Thinkpads. 
+ +Fixes: 67e03ff3f32f ("ASoC: codecs: rt5670: add Thinkpad Tablet 10 quirk") +Signed-off-by: Hans de Goede +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1786723 +Link: https://lore.kernel.org/r/20200628155231.71089-4-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/rt5670.h | 1 + sound/soc/codecs/rt5670.c | 71 ++++++++++++++++++++++++++++++++++++---------- + 2 files changed, 57 insertions(+), 15 deletions(-) + +--- a/include/sound/rt5670.h ++++ b/include/sound/rt5670.h +@@ -12,6 +12,7 @@ struct rt5670_platform_data { + int jd_mode; + bool in2_diff; + bool dev_gpio; ++ bool gpio1_is_ext_spk_en; + + bool dmic_en; + unsigned int dmic1_data_pin; +--- a/sound/soc/codecs/rt5670.c ++++ b/sound/soc/codecs/rt5670.c +@@ -31,18 +31,19 @@ + #include "rt5670.h" + #include "rt5670-dsp.h" + +-#define RT5670_DEV_GPIO BIT(0) +-#define RT5670_IN2_DIFF BIT(1) +-#define RT5670_DMIC_EN BIT(2) +-#define RT5670_DMIC1_IN2P BIT(3) +-#define RT5670_DMIC1_GPIO6 BIT(4) +-#define RT5670_DMIC1_GPIO7 BIT(5) +-#define RT5670_DMIC2_INR BIT(6) +-#define RT5670_DMIC2_GPIO8 BIT(7) +-#define RT5670_DMIC3_GPIO5 BIT(8) +-#define RT5670_JD_MODE1 BIT(9) +-#define RT5670_JD_MODE2 BIT(10) +-#define RT5670_JD_MODE3 BIT(11) ++#define RT5670_DEV_GPIO BIT(0) ++#define RT5670_IN2_DIFF BIT(1) ++#define RT5670_DMIC_EN BIT(2) ++#define RT5670_DMIC1_IN2P BIT(3) ++#define RT5670_DMIC1_GPIO6 BIT(4) ++#define RT5670_DMIC1_GPIO7 BIT(5) ++#define RT5670_DMIC2_INR BIT(6) ++#define RT5670_DMIC2_GPIO8 BIT(7) ++#define RT5670_DMIC3_GPIO5 BIT(8) ++#define RT5670_JD_MODE1 BIT(9) ++#define RT5670_JD_MODE2 BIT(10) ++#define RT5670_JD_MODE3 BIT(11) ++#define RT5670_GPIO1_IS_EXT_SPK_EN BIT(12) + + static unsigned long rt5670_quirk; + static unsigned int quirk_override; +@@ -1447,6 +1448,33 @@ static int rt5670_hp_event(struct snd_so + return 0; + } + ++static int rt5670_spk_event(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) ++{ ++ 
struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); ++ struct rt5670_priv *rt5670 = snd_soc_component_get_drvdata(component); ++ ++ if (!rt5670->pdata.gpio1_is_ext_spk_en) ++ return 0; ++ ++ switch (event) { ++ case SND_SOC_DAPM_POST_PMU: ++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, ++ RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_HI); ++ break; ++ ++ case SND_SOC_DAPM_PRE_PMD: ++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, ++ RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_LO); ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 0; ++} ++ + static int rt5670_bst1_event(struct snd_soc_dapm_widget *w, + struct snd_kcontrol *kcontrol, int event) + { +@@ -1860,7 +1888,9 @@ static const struct snd_soc_dapm_widget + }; + + static const struct snd_soc_dapm_widget rt5672_specific_dapm_widgets[] = { +- SND_SOC_DAPM_PGA("SPO Amp", SND_SOC_NOPM, 0, 0, NULL, 0), ++ SND_SOC_DAPM_PGA_E("SPO Amp", SND_SOC_NOPM, 0, 0, NULL, 0, ++ rt5670_spk_event, SND_SOC_DAPM_PRE_PMD | ++ SND_SOC_DAPM_POST_PMU), + SND_SOC_DAPM_OUTPUT("SPOLP"), + SND_SOC_DAPM_OUTPUT("SPOLN"), + SND_SOC_DAPM_OUTPUT("SPORP"), +@@ -2857,14 +2887,14 @@ static const struct dmi_system_id dmi_pl + }, + { + .callback = rt5670_quirk_cb, +- .ident = "Lenovo Thinkpad Tablet 10", ++ .ident = "Lenovo Miix 2 10", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Miix 2 10"), + }, + .driver_data = (unsigned long *)(RT5670_DMIC_EN | + RT5670_DMIC1_IN2P | +- RT5670_DEV_GPIO | ++ RT5670_GPIO1_IS_EXT_SPK_EN | + RT5670_JD_MODE2), + }, + { +@@ -2924,6 +2954,10 @@ static int rt5670_i2c_probe(struct i2c_c + rt5670->pdata.dev_gpio = true; + dev_info(&i2c->dev, "quirk dev_gpio\n"); + } ++ if (rt5670_quirk & RT5670_GPIO1_IS_EXT_SPK_EN) { ++ rt5670->pdata.gpio1_is_ext_spk_en = true; ++ dev_info(&i2c->dev, "quirk GPIO1 is external speaker enable\n"); ++ } + if (rt5670_quirk & RT5670_IN2_DIFF) { + rt5670->pdata.in2_diff = true; + dev_info(&i2c->dev, "quirk IN2_DIFF\n"); 
+@@ -3022,6 +3056,13 @@ static int rt5670_i2c_probe(struct i2c_c + regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, + RT5670_GP1_PF_MASK, RT5670_GP1_PF_OUT); + } ++ ++ if (rt5670->pdata.gpio1_is_ext_spk_en) { ++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL1, ++ RT5670_GP1_PIN_MASK, RT5670_GP1_PIN_GPIO1); ++ regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, ++ RT5670_GP1_PF_MASK, RT5670_GP1_PF_OUT); ++ } + + if (rt5670->pdata.jd_mode) { + regmap_update_bits(rt5670->regmap, RT5670_GLB_CLK, diff --git a/queue-5.7/asoc-topology-fix-kernel-oops-on-route-addition-error.patch b/queue-5.7/asoc-topology-fix-kernel-oops-on-route-addition-error.patch new file mode 100644 index 00000000000..c3051b2d7e0 --- /dev/null +++ b/queue-5.7/asoc-topology-fix-kernel-oops-on-route-addition-error.patch 
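Review bot: Nothing in the rt5670_i2c_probe() changes stops RT5670_DEV_GPIO and RT5670_GPIO1_IS_EXT_SPK_EN from being set together, and the new block programs the same GP1 pin-function field (`RT5670_GP1_PF_MASK`) that the context lines just above it already write, so a combined quirk value (for example through quirk_override, if that can carry arbitrary bits) would leave GPIO1 claimed for two purposes. A guard such as `if (rt5670->pdata.dev_gpio && rt5670->pdata.gpio1_is_ext_spk_en) dev_warn(&i2c->dev, "conflicting GPIO1 quirks\n");` would make the conflict visible. In rt5670_spk_event() the `default: return 0;` arm duplicates the trailing return, and the regmap_update_bits() results are discarded, so a failed amplifier switch is never reported to DAPM. The probe function starts and ends outside these hunks, so the identity of the preceding block as the dev_gpio case is inferred from context.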
@@ -0,0 +1,69 @@
+From 6f0307df83f2aa6bdf656c2219c89ce96502d20e Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart
+Date: Tue, 7 Jul 2020 15:37:45 -0500
+Subject: ASoC: topology: fix kernel oops on route addition error
+
+From: Pierre-Louis Bossart
+
+commit 6f0307df83f2aa6bdf656c2219c89ce96502d20e upstream.
+
+When errors happens while loading graph components, the kernel oopses
+while trying to remove all topology components. This can be
+root-caused to a list pointing to memory that was already freed on
+error.
+
+remove_route() is already called on errors and will perform the
+required cleanups so there's no need to free the route memory in
+soc_tplg_dapm_graph_elems_load() if the route was added to the
+list. We do however want to free the routes allocated but not added to
+the list.
+
+Fixes: 7df04ea7a31ea ('ASoC: topology: modify dapm route loading routine and add dapm route unloading')
+Signed-off-by: Pierre-Louis Bossart
+Reviewed-by: Ranjani Sridharan
+Reviewed-by: Kai Vehmanen
+Link: https://lore.kernel.org/r/20200707203749.113883-2-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/soc-topology.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1285,17 +1285,29 @@ static int soc_tplg_dapm_graph_elems_loa
+ list_add(&routes[i]->dobj.list, &tplg->comp->dobj_list);
+
+ ret = soc_tplg_add_route(tplg, routes[i]);
+- if (ret < 0)
++ if (ret < 0) {
++ /*
++ * this route was added to the list, it will
++ * be freed in remove_route() so increment the
++ * counter to skip it in the error handling
++ * below.
++ */
++ i++;
+ break;
++ }
+
+ /* add route, but keep going if some fail */
+ snd_soc_dapm_add_routes(dapm, routes[i], 1);
+ }
+
+- /* free memory allocated for all dapm routes in case of error */
+- if (ret < 0)
+- for (i = 0; i < count ; i++)
+- kfree(routes[i]);
++ /*
++ * free memory allocated for all dapm routes not added to the
++ * list in case of error
++ */
++ if (ret < 0) {
++ while (i < count)
++ kfree(routes[i++]);
++ }
+
+ /*
+ * free pointer to array of dapm routes as this is no longer needed.
diff --git a/queue-5.7/asoc-topology-fix-tlvs-in-error-handling-for-widget_dmixer.patch b/queue-5.7/asoc-topology-fix-tlvs-in-error-handling-for-widget_dmixer.patch
new file mode 100644
index 00000000000..732906da6da
--- /dev/null
+++ b/queue-5.7/asoc-topology-fix-tlvs-in-error-handling-for-widget_dmixer.patch
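Review bot: The cleanup `while (i < count) kfree(routes[i++]);` is only safe if, at every exit from the loop, `i` is the index of the first route that has not been put on `tplg->comp->dobj_list`; the hunk shows one `break`, but the loop in soc_tplg_dapm_graph_elems_load() begins outside it, so any earlier `break` before the `list_add()` needs checking against that rule. Getting it wrong in either direction is a double free or a leak of topology-supplied data. Stating the invariant once above the loop, e.g. `/* routes[0..i) are owned by dobj_list and freed by remove_route(); routes[i..count) are still ours */`, would make the ownership split reviewable without reading remove_route().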
@@ -0,0 +1,43 @@
+From 8edac489e7c3fce44208373bb3e7b5835a672c66 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart
+Date: Tue, 7 Jul 2020 15:37:46 -0500
+Subject: ASoC: topology: fix tlvs in error handling for widget_dmixer
+
+From: Pierre-Louis Bossart
+
+commit 8edac489e7c3fce44208373bb3e7b5835a672c66 upstream.
+
+we need to free all allocated tlvs, not just the one allocated in
+the loop before releasing kcontrols - other the tlvs references will
+leak.
+
+Fixes: 9f90af3a995298 ('ASoC: topology: Consolidate and fix asoc_tplg_dapm_widget_*_create flow')
+Signed-off-by: Pierre-Louis Bossart
+Reviewed-by: Ranjani Sridharan
+Reviewed-by: Kai Vehmanen
+Link: https://lore.kernel.org/r/20200707203749.113883-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/soc-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1395,7 +1395,6 @@ static struct snd_kcontrol_new *soc_tplg
+ if (err < 0) {
+ dev_err(tplg->dev, "ASoC: failed to init %s\n",
+ mc->hdr.name);
+- soc_tplg_free_tlv(tplg, &kc[i]);
+ goto err_sm;
+ }
+ }
+@@ -1403,6 +1402,7 @@ static struct snd_kcontrol_new *soc_tplg
+
+ err_sm:
+ for (; i >= 0; i--) {
++ soc_tplg_free_tlv(tplg, &kc[i]);
+ sm = (struct soc_mixer_control *)kc[i].private_value;
+ kfree(sm);
+ kfree(kc[i].name);
diff --git a/queue-5.7/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch b/queue-5.7/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
new file mode 100644
index 00000000000..a664ddf0d38
--- /dev/null
+++ b/queue-5.7/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
@@ -0,0 +1,216 @@ +From 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 Mon Sep 17 00:00:00 2001 +From: Qiujun Huang +Date: Sat, 4 Apr 2020 12:18:38 +0800 +Subject: ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb + +From: Qiujun Huang + +commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream. + +In ath9k_hif_usb_rx_cb interface number is assumed to be 0. +usb_ifnum_to_if(urb->dev, 0) +But it isn't always true. + +The case reported by syzbot: +https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com +usb 2-1: new high-speed USB device number 2 using dummy_hcd +usb 2-1: config 1 has an invalid interface number: 2 but max is 0 +usb 2-1: config 1 has no interface number 0 +usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= +1.08 +usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +general protection fault, probably for non-canonical address +0xdffffc0000000015: 0000 [#1] SMP KASAN +KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af] +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0 + +Call Trace +__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 +usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 +dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 +call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 +expire_timers kernel/time/timer.c:1449 [inline] +__run_timers kernel/time/timer.c:1773 [inline] +__run_timers kernel/time/timer.c:1740 [inline] +run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 +__do_softirq+0x21e/0x950 kernel/softirq.c:292 +invoke_softirq kernel/softirq.c:373 [inline] +irq_exit+0x178/0x1a0 kernel/softirq.c:413 +exiting_irq arch/x86/include/asm/apic.h:546 [inline] +smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146 +apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 + +Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com +Signed-off-by: Qiujun Huang +Signed-off-by: 
Kalle Valo +Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com +Cc: Viktor Jägersküpper +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 48 +++++++++++++++++++++++-------- + drivers/net/wireless/ath/ath9k/hif_usb.h | 5 +++ + 2 files changed, 42 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -643,9 +643,9 @@ err: + + static void ath9k_hif_usb_rx_cb(struct urb *urb) + { +- struct sk_buff *skb = (struct sk_buff *) urb->context; +- struct hif_device_usb *hif_dev = +- usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); ++ struct rx_buf *rx_buf = (struct rx_buf *)urb->context; ++ struct hif_device_usb *hif_dev = rx_buf->hif_dev; ++ struct sk_buff *skb = rx_buf->skb; + int ret; + + if (!skb) +@@ -685,14 +685,15 @@ resubmit: + return; + free: + kfree_skb(skb); ++ kfree(rx_buf); + } + + static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + { +- struct sk_buff *skb = (struct sk_buff *) urb->context; ++ struct rx_buf *rx_buf = (struct rx_buf *)urb->context; ++ struct hif_device_usb *hif_dev = rx_buf->hif_dev; ++ struct sk_buff *skb = rx_buf->skb; + struct sk_buff *nskb; +- struct hif_device_usb *hif_dev = +- usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); + int ret; + + if (!skb) +@@ -750,6 +751,7 @@ resubmit: + return; + free: + kfree_skb(skb); ++ kfree(rx_buf); + urb->context = NULL; + } + +@@ -795,7 +797,7 @@ static int ath9k_hif_usb_alloc_tx_urbs(s + init_usb_anchor(&hif_dev->mgmt_submitted); + + for (i = 0; i < MAX_TX_URB_NUM; i++) { +- tx_buf = kzalloc(sizeof(struct tx_buf), GFP_KERNEL); ++ tx_buf = kzalloc(sizeof(*tx_buf), GFP_KERNEL); + if (!tx_buf) + goto err; + +@@ -832,8 +834,9 @@ static void ath9k_hif_usb_dealloc_rx_urb + + static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev) + { +- struct urb *urb = NULL; ++ struct rx_buf *rx_buf = NULL; + struct sk_buff *skb = NULL; ++ struct urb *urb = NULL; + int i, 
ret; + + init_usb_anchor(&hif_dev->rx_submitted); +@@ -841,6 +844,12 @@ static int ath9k_hif_usb_alloc_rx_urbs(s + + for (i = 0; i < MAX_RX_URB_NUM; i++) { + ++ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL); ++ if (!rx_buf) { ++ ret = -ENOMEM; ++ goto err_rxb; ++ } ++ + /* Allocate URB */ + urb = usb_alloc_urb(0, GFP_KERNEL); + if (urb == NULL) { +@@ -855,11 +864,14 @@ static int ath9k_hif_usb_alloc_rx_urbs(s + goto err_skb; + } + ++ rx_buf->hif_dev = hif_dev; ++ rx_buf->skb = skb; ++ + usb_fill_bulk_urb(urb, hif_dev->udev, + usb_rcvbulkpipe(hif_dev->udev, + USB_WLAN_RX_PIPE), + skb->data, MAX_RX_BUF_SIZE, +- ath9k_hif_usb_rx_cb, skb); ++ ath9k_hif_usb_rx_cb, rx_buf); + + /* Anchor URB */ + usb_anchor_urb(urb, &hif_dev->rx_submitted); +@@ -885,6 +897,8 @@ err_submit: + err_skb: + usb_free_urb(urb); + err_urb: ++ kfree(rx_buf); ++err_rxb: + ath9k_hif_usb_dealloc_rx_urbs(hif_dev); + return ret; + } +@@ -896,14 +910,21 @@ static void ath9k_hif_usb_dealloc_reg_in + + static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev) + { +- struct urb *urb = NULL; ++ struct rx_buf *rx_buf = NULL; + struct sk_buff *skb = NULL; ++ struct urb *urb = NULL; + int i, ret; + + init_usb_anchor(&hif_dev->reg_in_submitted); + + for (i = 0; i < MAX_REG_IN_URB_NUM; i++) { + ++ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL); ++ if (!rx_buf) { ++ ret = -ENOMEM; ++ goto err_rxb; ++ } ++ + /* Allocate URB */ + urb = usb_alloc_urb(0, GFP_KERNEL); + if (urb == NULL) { +@@ -918,11 +939,14 @@ static int ath9k_hif_usb_alloc_reg_in_ur + goto err_skb; + } + ++ rx_buf->hif_dev = hif_dev; ++ rx_buf->skb = skb; ++ + usb_fill_int_urb(urb, hif_dev->udev, + usb_rcvintpipe(hif_dev->udev, + USB_REG_IN_PIPE), + skb->data, MAX_REG_IN_BUF_SIZE, +- ath9k_hif_usb_reg_in_cb, skb, 1); ++ ath9k_hif_usb_reg_in_cb, rx_buf, 1); + + /* Anchor URB */ + usb_anchor_urb(urb, &hif_dev->reg_in_submitted); +@@ -948,6 +972,8 @@ err_submit: + err_skb: + usb_free_urb(urb); + err_urb: ++ kfree(rx_buf); ++err_rxb: + 
ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev); + return ret; + } +--- a/drivers/net/wireless/ath/ath9k/hif_usb.h ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.h +@@ -86,6 +86,11 @@ struct tx_buf { + struct list_head list; + }; + ++struct rx_buf { ++ struct sk_buff *skb; ++ struct hif_device_usb *hif_dev; ++}; ++ + #define HIF_USB_TX_STOP BIT(0) + #define HIF_USB_TX_FLUSH BIT(1) + diff --git a/queue-5.7/ath9k-fix-regression-with-atheros-9271.patch b/queue-5.7/ath9k-fix-regression-with-atheros-9271.patch new file mode 100644 index 00000000000..5f0faf5b9ae --- /dev/null +++ b/queue-5.7/ath9k-fix-regression-with-atheros-9271.patch @@ -0,0 +1,44 @@ +From 92f53e2fda8bb9a559ad61d57bfb397ce67ed0ab Mon Sep 17 00:00:00 2001 +From: Mark O'Donovan +Date: Sat, 11 Jul 2020 05:33:24 +0100 +Subject: ath9k: Fix regression with Atheros 9271 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mark O'Donovan + +commit 92f53e2fda8bb9a559ad61d57bfb397ce67ed0ab upstream. + +This fix allows ath9k_htc modules to connect to WLAN once again. + +Fixes: 2bbcaaee1fcb ("ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=208251 +Signed-off-by: Mark O'Donovan +Reported-by: Roman Mamedov +Tested-by: Viktor Jägersküpper +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200711043324.8079-1-shiftee@posteo.net +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -733,11 +733,13 @@ static void ath9k_hif_usb_reg_in_cb(stru + return; + } + ++ rx_buf->skb = nskb; ++ + usb_fill_int_urb(urb, hif_dev->udev, + usb_rcvintpipe(hif_dev->udev, + USB_REG_IN_PIPE), + nskb->data, MAX_REG_IN_BUF_SIZE, +- ath9k_hif_usb_reg_in_cb, nskb, 1); ++ ath9k_hif_usb_reg_in_cb, rx_buf, 1); + } + + resubmit: 
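Review bot: Both ath9k_hif_usb_rx_cb() and ath9k_hif_usb_reg_in_cb() now read `rx_buf->hif_dev` and `rx_buf->skb` in their declarations, ahead of the `if (!skb)` test, so that test no longer guards against a NULL `urb->context`, while the `free:` path of ath9k_hif_usb_reg_in_cb() still sets `urb->context = NULL` after `kfree(rx_buf)`. Whether a completion can run again on such a URB is not determinable from the hunks, but if it can, the result is a NULL dereference in the completion handler instead of the former early return. Testing the container first, `if (!rx_buf) return;` before the field reads, keeps the guard meaningful for a device-triggered path. The bodies of both callbacks continue outside the hunks, so the resubmit and refill paths were not reviewed here.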
diff --git a/queue-5.7/dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch b/queue-5.7/dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch new file mode 100644 index 00000000000..c5f9f8028e8 --- /dev/null +++ b/queue-5.7/dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch 
@@ -0,0 +1,128 @@ +From 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 23 Jul 2020 10:42:09 -0400 +Subject: dm integrity: fix integrity recalculation that is improperly skipped + +From: Mikulas Patocka + +commit 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 upstream. + +Commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 ("dm: report suspended +device during destroy") broke integrity recalculation. + +The problem is dm_suspended() returns true not only during suspend, +but also during resume. So this race condition could occur: +1. dm_integrity_resume calls queue_work(ic->recalc_wq, &ic->recalc_work) +2. integrity_recalc (&ic->recalc_work) preempts the current thread +3. integrity_recalc calls if (unlikely(dm_suspended(ic->ti))) goto unlock_ret; +4. integrity_recalc exits and no recalculating is done. + +To fix this race condition, add a function dm_post_suspending that is +only true during the postsuspend phase and use it instead of +dm_suspended(). 
+ +Signed-off-by: Mikulas Patocka +Fixes: adc0daad366b ("dm: report suspended device during destroy") +Cc: stable vger kernel org # v4.18+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-integrity.c | 4 ++-- + drivers/md/dm.c | 17 +++++++++++++++++ + include/linux/device-mapper.h | 1 + + 3 files changed, 20 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -2424,7 +2424,7 @@ static void integrity_writer(struct work + unsigned prev_free_sectors; + + /* the following test is not needed, but it tests the replay code */ +- if (unlikely(dm_suspended(ic->ti)) && !ic->meta_dev) ++ if (unlikely(dm_post_suspending(ic->ti)) && !ic->meta_dev) + return; + + spin_lock_irq(&ic->endio_wait.lock); +@@ -2485,7 +2485,7 @@ static void integrity_recalc(struct work + + next_chunk: + +- if (unlikely(dm_suspended(ic->ti))) ++ if (unlikely(dm_post_suspending(ic->ti))) + goto unlock_ret; + + range.logical_sector = le64_to_cpu(ic->sb->recalc_sector); +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -142,6 +142,7 @@ EXPORT_SYMBOL_GPL(dm_bio_get_target_bio_ + #define DMF_NOFLUSH_SUSPENDING 5 + #define DMF_DEFERRED_REMOVE 6 + #define DMF_SUSPENDED_INTERNALLY 7 ++#define DMF_POST_SUSPENDING 8 + + #define DM_NUMA_NODE NUMA_NO_NODE + static int dm_numa_node = DM_NUMA_NODE; +@@ -2385,6 +2386,7 @@ static void __dm_destroy(struct mapped_d + if (!dm_suspended_md(md)) { + dm_table_presuspend_targets(map); + set_bit(DMF_SUSPENDED, &md->flags); ++ set_bit(DMF_POST_SUSPENDING, &md->flags); + dm_table_postsuspend_targets(map); + } + /* dm_put_live_table must be before msleep, otherwise deadlock is possible */ +@@ -2743,7 +2745,9 @@ retry: + if (r) + goto out_unlock; + ++ set_bit(DMF_POST_SUSPENDING, &md->flags); + dm_table_postsuspend_targets(map); ++ clear_bit(DMF_POST_SUSPENDING, &md->flags); + + out_unlock: + mutex_unlock(&md->suspend_lock); +@@ -2840,7 +2844,9 @@ static void __dm_internal_suspend(struct + 
(void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE, + DMF_SUSPENDED_INTERNALLY); + ++ set_bit(DMF_POST_SUSPENDING, &md->flags); + dm_table_postsuspend_targets(map); ++ clear_bit(DMF_POST_SUSPENDING, &md->flags); + } + + static void __dm_internal_resume(struct mapped_device *md) +@@ -3001,6 +3007,11 @@ int dm_suspended_md(struct mapped_device + return test_bit(DMF_SUSPENDED, &md->flags); + } + ++static int dm_post_suspending_md(struct mapped_device *md) ++{ ++ return test_bit(DMF_POST_SUSPENDING, &md->flags); ++} ++ + int dm_suspended_internally_md(struct mapped_device *md) + { + return test_bit(DMF_SUSPENDED_INTERNALLY, &md->flags); +@@ -3017,6 +3028,12 @@ int dm_suspended(struct dm_target *ti) + } + EXPORT_SYMBOL_GPL(dm_suspended); + ++int dm_post_suspending(struct dm_target *ti) ++{ ++ return dm_post_suspending_md(dm_table_get_md(ti->table)); ++} ++EXPORT_SYMBOL_GPL(dm_post_suspending); ++ + int dm_noflush_suspending(struct dm_target *ti) + { + return __noflush_suspending(dm_table_get_md(ti->table)); +--- a/include/linux/device-mapper.h ++++ b/include/linux/device-mapper.h +@@ -426,6 +426,7 @@ const char *dm_device_name(struct mapped + int dm_copy_name_and_uuid(struct mapped_device *md, char *name, char *uuid); + struct gendisk *dm_disk(struct mapped_device *md); + int dm_suspended(struct dm_target *ti); ++int dm_post_suspending(struct dm_target *ti); + int dm_noflush_suspending(struct dm_target *ti); + void dm_accept_partial_bio(struct bio *bio, unsigned n_sectors); + union map_info *dm_get_rq_mapinfo(struct request *rq); diff --git a/queue-5.7/drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch b/queue-5.7/drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch new file mode 100644 index 00000000000..3fb44cc7034 --- /dev/null +++ b/queue-5.7/drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch 
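Review bot: dm_post_suspending() is added to include/linux/device-mapper.h and exported with no comment telling target authors how it differs from dm_suspended(), which is the exact confusion this fix resolves in dm-integrity. A short comment above the definition in drivers/md/dm.c, e.g. `/* True only while the postsuspend hooks are being called; unlike dm_suspended() it is not set during resume. */`, would keep later callers from picking the wrong predicate. The same comment should record the asymmetry visible in the hunks: __dm_destroy() sets DMF_POST_SUSPENDING and never clears it, while the dm_suspend() and __dm_internal_suspend() paths clear it right after dm_table_postsuspend_targets(). The surrounding functions start and end outside the hunks.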
@@ -0,0 +1,52 @@ +From 88bb16ad998a0395fe4b346b7d3f621aaa0a2324 Mon Sep 17 00:00:00 2001 +From: Qiu Wenbo +Date: Fri, 17 Jul 2020 15:09:57 +0800 +Subject: drm/amd/powerplay: fix a crash when overclocking Vega M + +From: Qiu Wenbo + +commit 88bb16ad998a0395fe4b346b7d3f621aaa0a2324 upstream. + +Avoid kernel crash when vddci_control is SMU7_VOLTAGE_CONTROL_NONE and +vddci_voltage_table is empty. It has been tested on Intel Hades Canyon +(i7-8809G). + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=208489 +Fixes: ac7822b0026f ("drm/amd/powerplay: add smumgr support for VEGAM (v2)") +Reviewed-by: Evan Quan +Signed-off-by: Qiu Wenbo +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c +@@ -642,9 +642,6 @@ static int vegam_get_dependency_volt_by_ + + /* sclk is bigger than max sclk in the dependence table */ + *voltage |= (dep_table->entries[i - 1].vddc * VOLTAGE_SCALE) << VDDC_SHIFT; +- vddci = phm_find_closest_vddci(&(data->vddci_voltage_table), +- (dep_table->entries[i - 1].vddc - +- (uint16_t)VDDC_VDDCI_DELTA)); + + if (SMU7_VOLTAGE_CONTROL_NONE == data->vddci_control) + *voltage |= (data->vbios_boot_state.vddci_bootup_value * +@@ -652,8 +649,13 @@ static int vegam_get_dependency_volt_by_ + else if (dep_table->entries[i - 1].vddci) + *voltage |= (dep_table->entries[i - 1].vddci * + VOLTAGE_SCALE) << VDDC_SHIFT; +- else ++ else { ++ vddci = phm_find_closest_vddci(&(data->vddci_voltage_table), ++ (dep_table->entries[i - 1].vddc - ++ (uint16_t)VDDC_VDDCI_DELTA)); ++ + *voltage |= (vddci * VOLTAGE_SCALE) << VDDCI_SHIFT; ++ } + + if (SMU7_VOLTAGE_CONTROL_NONE == data->mvdd_control) + *mvdd = data->vbios_boot_state.mvdd_bootup_value * VOLTAGE_SCALE; 
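Review bot: In the vegam_smumgr.c hunks (function `vegam_get_dependency_volt_by_…`, truncated in the hunk header) the remaining `else` branch still calls `phm_find_closest_vddci()` on `data->vddci_voltage_table`. The fix therefore depends on that table being populated whenever `vddci_control` is not `SMU7_VOLTAGE_CONTROL_NONE` and the dependency entry has no `vddci`, and nothing in the hunk shows that. A comment above the moved call would record the assumption, e.g. `/* vddci_voltage_table is only populated when vddci_control != SMU7_VOLTAGE_CONTROL_NONE */`. Separately, the unchanged `else if` branch shifts a vddci value by `VDDC_SHIFT` while the `else` branch uses `VDDCI_SHIFT`, which looks inconsistent and is worth confirming. The function body starts and ends outside the hunks.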
diff --git a/queue-5.7/drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch b/queue-5.7/drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch
new file mode 100644
index 00000000000..ff358d6cc06
--- /dev/null
+++ b/queue-5.7/drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch
@@ -0,0 +1,61 @@ +From 38e0c89a19fd13f28d2b4721035160a3e66e270b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= +Date: Sun, 19 Jul 2020 17:54:53 +0200 +Subject: drm/amdgpu: Fix NULL dereference in dpm sysfs handlers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paweł Gronowski + +commit 38e0c89a19fd13f28d2b4721035160a3e66e270b upstream. + +NULL dereference occurs when string that is not ended with space or +newline is written to some dpm sysfs interface (for example pp_dpm_sclk). +This happens because strsep replaces the tmp with NULL if the delimiter +is not present in string, which is then dereferenced by tmp[0]. + +Reproduction example: +sudo sh -c 'echo -n 1 > /sys/class/drm/card0/device/pp_dpm_sclk' + +Signed-off-by: Paweł Gronowski +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c +@@ -775,8 +775,7 @@ static ssize_t amdgpu_set_pp_od_clk_volt + tmp_str++; + while (isspace(*++tmp_str)); + +- while (tmp_str[0]) { +- sub_str = strsep(&tmp_str, delimiter); ++ while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { + ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); + if (ret) + return -EINVAL; +@@ -1036,8 +1035,7 @@ static ssize_t amdgpu_read_mask(const ch + memcpy(buf_cpy, buf, bytes); + buf_cpy[bytes] = '\0'; + tmp = buf_cpy; +- while (tmp[0]) { +- sub_str = strsep(&tmp, delimiter); ++ while ((sub_str = strsep(&tmp, delimiter)) != NULL) { + if (strlen(sub_str)) { + ret = kstrtol(sub_str, 0, &level); + if (ret) +@@ -1634,8 +1632,7 @@ static ssize_t amdgpu_set_pp_power_profi + i++; + memcpy(buf_cpy, buf, count-i); + tmp_str = buf_cpy; +- while (tmp_str[0]) { +- sub_str = strsep(&tmp_str, delimiter); ++ while ((sub_str = strsep(&tmp_str, 
delimiter)) != NULL) { + ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); + if (ret) + return -EINVAL; diff --git a/queue-5.7/io-mapping-indicate-mapping-failure.patch b/queue-5.7/io-mapping-indicate-mapping-failure.patch new file mode 100644 index 00000000000..daedb52c149 --- /dev/null +++ b/queue-5.7/io-mapping-indicate-mapping-failure.patch 
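Review bot: In the `amdgpu_set_pp_od_clk_volt…` and `amdgpu_set_pp_power_profi…` hunks of amdgpu_pm.c the new `while ((sub_str = strsep(&tmp_str, delimiter)) != NULL)` loop hands every token straight to `kstrtol()`, including the empty token that strsep() yields when the input ends with a delimiter. The old `while (tmp_str[0])` test stopped before that token, so a write terminated by a newline (which the commit message implies is a delimiter) would now presumably be rejected with `-EINVAL`. The `amdgpu_read_mask` hunk already skips empty tokens with `if (strlen(sub_str))`; the other two loops should do the same, e.g. `if (!*sub_str) continue;` before the `kstrtol()` call. All three function bodies extend beyond their hunks, and the declaration of `delimiter` is not visible.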
@@ -0,0 +1,73 @@ +From e0b3e0b1a04367fc15c07f44e78361545b55357c Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Thu, 23 Jul 2020 21:15:46 -0700 +Subject: io-mapping: indicate mapping failure + +From: Michael J. Ruhl + +commit e0b3e0b1a04367fc15c07f44e78361545b55357c upstream. + +The !ATOMIC_IOMAP version of io_maping_init_wc will always return +success, even when the ioremap fails. + +Since the ATOMIC_IOMAP version returns NULL when the init fails, and +callers check for a NULL return on error this is unexpected. + +During a device probe, where the ioremap failed, a crash can look like +this: + + BUG: unable to handle page fault for address: 0000000000210000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + Oops: 0002 [#1] PREEMPT SMP + CPU: 0 PID: 177 Comm: + RIP: 0010:fill_page_dma [i915] + gen8_ppgtt_create [i915] + i915_ppgtt_create [i915] + intel_gt_init [i915] + i915_gem_init [i915] + i915_driver_probe [i915] + pci_device_probe + really_probe + driver_probe_device + +The remap failure occurred much earlier in the probe. If it had been +propagated, the driver would have exited with an error. + +Return NULL on ioremap failure. + +[akpm@linux-foundation.org: detect ioremap_wc() errors earlier] + +Fixes: cafaf14a5d8f ("io-mapping: Always create a struct to hold metadata about the io-mapping") +Signed-off-by: Michael J. 
Ruhl +Signed-off-by: Andrew Morton +Reviewed-by: Andrew Morton +Cc: Mike Rapoport +Cc: Andy Shevchenko +Cc: Chris Wilson +Cc: Daniel Vetter +Cc: +Link: http://lkml.kernel.org/r/20200721171936.81563-1-michael.j.ruhl@intel.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/io-mapping.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/include/linux/io-mapping.h ++++ b/include/linux/io-mapping.h +@@ -107,9 +107,12 @@ io_mapping_init_wc(struct io_mapping *io + resource_size_t base, + unsigned long size) + { ++ iomap->iomem = ioremap_wc(base, size); ++ if (!iomap->iomem) ++ return NULL; ++ + iomap->base = base; + iomap->size = size; +- iomap->iomem = ioremap_wc(base, size); + #if defined(pgprot_noncached_wc) /* archs can't agree on a name ... */ + iomap->prot = pgprot_noncached_wc(PAGE_KERNEL); + #elif defined(pgprot_writecombine) diff --git a/queue-5.7/khugepaged-fix-null-pointer-dereference-due-to-race.patch b/queue-5.7/khugepaged-fix-null-pointer-dereference-due-to-race.patch new file mode 100644 index 00000000000..23d2fa058c1 --- /dev/null +++ b/queue-5.7/khugepaged-fix-null-pointer-dereference-due-to-race.patch 
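Review bot: The new early `return NULL` in io_mapping_init_wc() leaves `iomap->base`, `iomap->size` and `iomap->prot` unset and `iomap->iomem` NULL, and nothing on the function says so. A short comment at the check would make the contract explicit for callers that embed the struct, e.g. `/* on failure @iomap is left unusable; callers must check for NULL */`. The function body continues past the end of the hunk.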
@@ -0,0 +1,58 @@ +From 594cced14ad3903166c8b091ff96adac7552f0b3 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Thu, 23 Jul 2020 21:15:34 -0700 +Subject: khugepaged: fix null-pointer dereference due to race + +From: Kirill A. Shutemov + +commit 594cced14ad3903166c8b091ff96adac7552f0b3 upstream. + +khugepaged has to drop mmap lock several times while collapsing a page. +The situation can change while the lock is dropped and we need to +re-validate that the VMA is still in place and the PMD is still subject +for collapse. + +But we miss one corner case: while collapsing an anonymous pages the VMA +could be replaced with file VMA. If the file VMA doesn't have any +private pages we get NULL pointer dereference: + + general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + anon_vma_lock_write include/linux/rmap.h:120 [inline] + collapse_huge_page mm/khugepaged.c:1110 [inline] + khugepaged_scan_pmd mm/khugepaged.c:1349 [inline] + khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline] + khugepaged_do_scan mm/khugepaged.c:2193 [inline] + khugepaged+0x3bba/0x5a10 mm/khugepaged.c:2238 + +The fix is to make sure that the VMA is anonymous in +hugepage_vma_revalidate(). The helper is only used for collapsing +anonymous pages. + +Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS") +Reported-by: syzbot+ed318e8b790ca72c5ad0@syzkaller.appspotmail.com +Signed-off-by: Kirill A. 
Shutemov +Signed-off-by: Andrew Morton +Reviewed-by: David Hildenbrand +Acked-by: Yang Shi +Cc: +Link: http://lkml.kernel.org/r/20200722121439.44328-1-kirill.shutemov@linux.intel.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/khugepaged.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -873,6 +873,9 @@ static int hugepage_vma_revalidate(struc + return SCAN_ADDRESS_RANGE; + if (!hugepage_vma_check(vma, vma->vm_flags)) + return SCAN_VMA_CHECK; ++ /* Anon VMA expected */ ++ if (!vma->anon_vma || vma->vm_ops) ++ return SCAN_VMA_CHECK; + return 0; + } + diff --git a/queue-5.7/mm-hugetlb-avoid-hardcoding-while-checking-if-cma-is-enabled.patch b/queue-5.7/mm-hugetlb-avoid-hardcoding-while-checking-if-cma-is-enabled.patch new file mode 100644 index 00000000000..8d122c51d54 --- /dev/null +++ b/queue-5.7/mm-hugetlb-avoid-hardcoding-while-checking-if-cma-is-enabled.patch 
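Review bot: The added comment `/* Anon VMA expected */` in hugepage_vma_revalidate() states the condition but not why it has to be rechecked at this point. Per the description the VMA can be replaced by a file VMA while the mmap lock is dropped, and the caller then takes the anon_vma lock. A comment such as `/* mmap lock was dropped: the VMA may now be file-backed, and callers lock vma->anon_vma */` would keep the test from later being removed as redundant with hugepage_vma_check(). The function starts outside the hunk.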
@@ -0,0 +1,94 @@ +From dbda8feadfa46b3d8dd7a2304f84ccbc036effe9 Mon Sep 17 00:00:00 2001 +From: Barry Song +Date: Thu, 23 Jul 2020 21:15:30 -0700 +Subject: mm/hugetlb: avoid hardcoding while checking if cma is enabled + +From: Barry Song + +commit dbda8feadfa46b3d8dd7a2304f84ccbc036effe9 upstream. + +hugetlb_cma[0] can be NULL due to various reasons, for example, node0 +has no memory. so NULL hugetlb_cma[0] doesn't necessarily mean cma is +not enabled. gigantic pages might have been reserved on other nodes. +This patch fixes possible double reservation and CMA leak. + +[akpm@linux-foundation.org: fix CONFIG_CMA=n warning] +[sfr@canb.auug.org.au: better checks before using hugetlb_cma] + Link: http://lkml.kernel.org/r/20200721205716.6dbaa56b@canb.auug.org.au + +Fixes: cf11e85fc08c ("mm: hugetlb: optionally allocate gigantic hugepages using cma") +Signed-off-by: Barry Song +Signed-off-by: Andrew Morton +Reviewed-by: Mike Kravetz +Acked-by: Roman Gushchin +Cc: Jonathan Cameron +Cc: +Link: http://lkml.kernel.org/r/20200710005726.36068-1-song.bao.hua@hisilicon.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -46,7 +46,10 @@ int hugetlb_max_hstate __read_mostly; + unsigned int default_hstate_idx; + struct hstate hstates[HUGE_MAX_HSTATE]; + ++#ifdef CONFIG_CMA + static struct cma *hugetlb_cma[MAX_NUMNODES]; ++#endif ++static unsigned long hugetlb_cma_size __initdata; + + /* + * Minimum page order among possible hugepage sizes, set to a proper value +@@ -1236,9 +1239,10 @@ static void free_gigantic_page(struct pa + * If the page isn't allocated using the cma allocator, + * cma_release() returns false. 
+ */ +- if (IS_ENABLED(CONFIG_CMA) && +- cma_release(hugetlb_cma[page_to_nid(page)], page, 1 << order)) ++#ifdef CONFIG_CMA ++ if (cma_release(hugetlb_cma[page_to_nid(page)], page, 1 << order)) + return; ++#endif + + free_contig_range(page_to_pfn(page), 1 << order); + } +@@ -1249,7 +1253,8 @@ static struct page *alloc_gigantic_page( + { + unsigned long nr_pages = 1UL << huge_page_order(h); + +- if (IS_ENABLED(CONFIG_CMA)) { ++#ifdef CONFIG_CMA ++ { + struct page *page; + int node; + +@@ -1263,6 +1268,7 @@ static struct page *alloc_gigantic_page( + return page; + } + } ++#endif + + return alloc_contig_pages(nr_pages, gfp_mask, nid, nodemask); + } +@@ -2572,7 +2578,7 @@ static void __init hugetlb_hstate_alloc_ + + for (i = 0; i < h->max_huge_pages; ++i) { + if (hstate_is_gigantic(h)) { +- if (IS_ENABLED(CONFIG_CMA) && hugetlb_cma[0]) { ++ if (hugetlb_cma_size) { + pr_warn_once("HugeTLB: hugetlb_cma is enabled, skip boot time allocation\n"); + break; + } +@@ -5548,7 +5554,6 @@ void move_hugetlb_state(struct page *old + } + + #ifdef CONFIG_CMA +-static unsigned long hugetlb_cma_size __initdata; + static bool cma_reserve_called __initdata; + + static int __init cmdline_parse_hugetlb_cma(char *p) diff --git a/queue-5.7/mm-memcg-fix-refcount-error-while-moving-and-swapping.patch b/queue-5.7/mm-memcg-fix-refcount-error-while-moving-and-swapping.patch new file mode 100644 index 00000000000..9d58485a017 --- /dev/null +++ b/queue-5.7/mm-memcg-fix-refcount-error-while-moving-and-swapping.patch 
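Review bot: In free_gigantic_page() the call `cma_release(hugetlb_cma[page_to_nid(page)], page, 1 << order)` can be handed a NULL area, since the description itself says a per-node `hugetlb_cma[]` entry may be NULL. The existing comment only covers pages that were not allocated from CMA. It should also state the NULL case the code relies on, e.g. `* The same holds when the node has no CMA area (hugetlb_cma[nid] == NULL).` Whether cma_release() tolerates a NULL area cannot be confirmed from this hunk.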
@@ -0,0 +1,61 @@ +From 8d22a9351035ef2ff12ef163a1091b8b8cf1e49c Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 23 Jul 2020 21:15:24 -0700 +Subject: mm/memcg: fix refcount error while moving and swapping + +From: Hugh Dickins + +commit 8d22a9351035ef2ff12ef163a1091b8b8cf1e49c upstream. + +It was hard to keep a test running, moving tasks between memcgs with +move_charge_at_immigrate, while swapping: mem_cgroup_id_get_many()'s +refcount is discovered to be 0 (supposedly impossible), so it is then +forced to REFCOUNT_SATURATED, and after thousands of warnings in quick +succession, the test is at last put out of misery by being OOM killed. + +This is because of the way moved_swap accounting was saved up until the +task move gets completed in __mem_cgroup_clear_mc(), deferred from when +mem_cgroup_move_swap_account() actually exchanged old and new ids. +Concurrent activity can free up swap quicker than the task is scanned, +bringing id refcount down 0 (which should only be possible when +offlining). + +Just skip that optimization: do that part of the accounting immediately. 
+ +Fixes: 615d66c37c75 ("mm: memcontrol: fix memcg id ref counter on swap charge move") +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Reviewed-by: Alex Shi +Cc: Johannes Weiner +Cc: Alex Shi +Cc: Shakeel Butt +Cc: Michal Hocko +Cc: +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2007071431050.4726@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5658,7 +5658,6 @@ static void __mem_cgroup_clear_mc(void) + if (!mem_cgroup_is_root(mc.to)) + page_counter_uncharge(&mc.to->memory, mc.moved_swap); + +- mem_cgroup_id_get_many(mc.to, mc.moved_swap); + css_put_many(&mc.to->css, mc.moved_swap); + + mc.moved_swap = 0; +@@ -5849,7 +5848,8 @@ put: /* get_mctgt_type() gets the page + ent = target.ent; + if (!mem_cgroup_move_swap_account(ent, mc.from, mc.to)) { + mc.precharge--; +- /* we fixup refcnts and charges later. */ ++ mem_cgroup_id_get_many(mc.to, 1); ++ /* we fixup other refcnts and charges later. */ + mc.moved_swap++; + } + break; diff --git a/queue-5.7/mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch b/queue-5.7/mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch new file mode 100644 index 00000000000..ca3f2a3b82e --- /dev/null +++ b/queue-5.7/mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch 
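Review bot: The `mem_cgroup_id_get_many(mc.to, 1)` call added next to `mc.moved_swap++` in mm/memcontrol.c has no comment explaining why this one reference cannot be batched with the others. The reworded comment (`we fixup other refcnts and charges later`) only says what is deferred, not why the id reference is not. I would add the reason from the description, e.g. `/* take the id ref now: swap may be freed before __mem_cgroup_clear_mc() runs */`. The enclosing function starts and ends outside the hunk.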
@@ -0,0 +1,125 @@ +From d38a2b7a9c939e6d7329ab92b96559ccebf7b135 Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Thu, 23 Jul 2020 21:15:27 -0700 +Subject: mm: memcg/slab: fix memory leak at non-root kmem_cache destroy + +From: Muchun Song + +commit d38a2b7a9c939e6d7329ab92b96559ccebf7b135 upstream. + +If the kmem_cache refcount is greater than one, we should not mark the +root kmem_cache as dying. If we mark the root kmem_cache dying +incorrectly, the non-root kmem_cache can never be destroyed. It +resulted in memory leak when memcg was destroyed. We can use the +following steps to reproduce. + + 1) Use kmem_cache_create() to create a new kmem_cache named A. + 2) Coincidentally, the kmem_cache A is an alias for kmem_cache B, + so the refcount of B is just increased. + 3) Use kmem_cache_destroy() to destroy the kmem_cache A, just + decrease the B's refcount but mark the B as dying. + 4) Create a new memory cgroup and alloc memory from the kmem_cache + B. It leads to create a non-root kmem_cache for allocating memory. + 5) When destroy the memory cgroup created in the step 4), the + non-root kmem_cache can never be destroyed. + +If we repeat steps 4) and 5), this will cause a lot of memory leak. So +only when refcount reach zero, we mark the root kmem_cache as dying. 
+ +Fixes: 92ee383f6daa ("mm: fix race between kmem_cache destroy, create and deactivate") +Signed-off-by: Muchun Song +Signed-off-by: Andrew Morton +Reviewed-by: Shakeel Butt +Acked-by: Roman Gushchin +Cc: Vlastimil Babka +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Shakeel Butt +Cc: +Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab_common.c | 35 ++++++++++++++++++++++++++++------- + 1 file changed, 28 insertions(+), 7 deletions(-) + +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -326,6 +326,14 @@ int slab_unmergeable(struct kmem_cache * + if (s->refcount < 0) + return 1; + ++#ifdef CONFIG_MEMCG_KMEM ++ /* ++ * Skip the dying kmem_cache. ++ */ ++ if (s->memcg_params.dying) ++ return 1; ++#endif ++ + return 0; + } + +@@ -886,12 +894,15 @@ static int shutdown_memcg_caches(struct + return 0; + } + +-static void flush_memcg_workqueue(struct kmem_cache *s) ++static void memcg_set_kmem_cache_dying(struct kmem_cache *s) + { + spin_lock_irq(&memcg_kmem_wq_lock); + s->memcg_params.dying = true; + spin_unlock_irq(&memcg_kmem_wq_lock); ++} + ++static void flush_memcg_workqueue(struct kmem_cache *s) ++{ + /* + * SLAB and SLUB deactivate the kmem_caches through call_rcu. Make + * sure all registered rcu callbacks have been invoked. 
+@@ -923,10 +934,6 @@ static inline int shutdown_memcg_caches( + { + return 0; + } +- +-static inline void flush_memcg_workqueue(struct kmem_cache *s) +-{ +-} + #endif /* CONFIG_MEMCG_KMEM */ + + void slab_kmem_cache_release(struct kmem_cache *s) +@@ -944,8 +951,6 @@ void kmem_cache_destroy(struct kmem_cach + if (unlikely(!s)) + return; + +- flush_memcg_workqueue(s); +- + get_online_cpus(); + get_online_mems(); + +@@ -955,6 +960,22 @@ void kmem_cache_destroy(struct kmem_cach + if (s->refcount) + goto out_unlock; + ++#ifdef CONFIG_MEMCG_KMEM ++ memcg_set_kmem_cache_dying(s); ++ ++ mutex_unlock(&slab_mutex); ++ ++ put_online_mems(); ++ put_online_cpus(); ++ ++ flush_memcg_workqueue(s); ++ ++ get_online_cpus(); ++ get_online_mems(); ++ ++ mutex_lock(&slab_mutex); ++#endif ++ + err = shutdown_memcg_caches(s); + if (!err) + err = shutdown_cache(s); diff --git a/queue-5.7/mm-mmap.c-close-race-between-munmap-and-expand_upwards-downwards.patch b/queue-5.7/mm-mmap.c-close-race-between-munmap-and-expand_upwards-downwards.patch new file mode 100644 index 00000000000..69a4c8cf49e --- /dev/null +++ b/queue-5.7/mm-mmap.c-close-race-between-munmap-and-expand_upwards-downwards.patch 
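Review bot: In kmem_cache_destroy() the new CONFIG_MEMCG_KMEM block drops `slab_mutex` and the cpu/mem hotplug references after `s->refcount` has reached zero and re-takes them after `flush_memcg_workqueue(s)`, with no comment on why that window is safe. From the hunks it appears to rely on the `memcg_params.dying` test added to slab_unmergeable(), which would keep a concurrent create from aliasing the cache while the lock is released. I would say so at the unlock, e.g. `/* safe to drop slab_mutex: dying is set, so slab_unmergeable() refuses new aliases */`. The function body extends beyond the hunk.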
@@ -0,0 +1,89 @@ +From 246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Thu, 23 Jul 2020 21:15:11 -0700 +Subject: mm/mmap.c: close race between munmap() and expand_upwards()/downwards() + +From: Kirill A. Shutemov + +commit 246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c upstream. + +VMA with VM_GROWSDOWN or VM_GROWSUP flag set can change their size under +mmap_read_lock(). It can lead to race with __do_munmap(): + + Thread A Thread B +__do_munmap() + detach_vmas_to_be_unmapped() + mmap_write_downgrade() + expand_downwards() + vma->vm_start = address; + // The VMA now overlaps with + // VMAs detached by the Thread A + // page fault populates expanded part + // of the VMA + unmap_region() + // Zaps pagetables partly + // populated by Thread B + +Similar race exists for expand_upwards(). + +The fix is to avoid downgrading mmap_lock in __do_munmap() if detached +VMAs are next to VM_GROWSDOWN or VM_GROWSUP VMA. + +[akpm@linux-foundation.org: s/mmap_sem/mmap_lock/ in comment] + +Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") +Reported-by: Jann Horn +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Andrew Morton +Reviewed-by: Yang Shi +Acked-by: Vlastimil Babka +Cc: Oleg Nesterov +Cc: Matthew Wilcox +Cc: [4.20+] +Link: http://lkml.kernel.org/r/20200709105309.42495-1-kirill.shutemov@linux.intel.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mmap.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2620,7 +2620,7 @@ static void unmap_region(struct mm_struc + * Create a list of vma's touched by the unmap, removing them from the mm's + * vma list as we go.. 
+ */ +-static void ++static bool + detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + struct vm_area_struct *prev, unsigned long end) + { +@@ -2645,6 +2645,17 @@ detach_vmas_to_be_unmapped(struct mm_str + + /* Kill the cache */ + vmacache_invalidate(mm); ++ ++ /* ++ * Do not downgrade mmap_lock if we are next to VM_GROWSDOWN or ++ * VM_GROWSUP VMA. Such VMAs can change their size under ++ * down_read(mmap_lock) and collide with the VMA we are about to unmap. ++ */ ++ if (vma && (vma->vm_flags & VM_GROWSDOWN)) ++ return false; ++ if (prev && (prev->vm_flags & VM_GROWSUP)) ++ return false; ++ return true; + } + + /* +@@ -2825,7 +2836,8 @@ int __do_munmap(struct mm_struct *mm, un + } + + /* Detach vmas from rbtree */ +- detach_vmas_to_be_unmapped(mm, vma, prev, end); ++ if (!detach_vmas_to_be_unmapped(mm, vma, prev, end)) ++ downgrade = false; + + if (downgrade) + downgrade_write(&mm->mmap_sem); diff --git a/queue-5.7/mmc-sdhci-of-aspeed-fix-clock-divider-calculation.patch b/queue-5.7/mmc-sdhci-of-aspeed-fix-clock-divider-calculation.patch new file mode 100644 index 00000000000..04d32c3e2d5 --- /dev/null +++ b/queue-5.7/mmc-sdhci-of-aspeed-fix-clock-divider-calculation.patch 
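Review bot: detach_vmas_to_be_unmapped() now returns `bool`, but the comment block above it still only describes building the list, so the meaning of the return value has to be inferred from the call site in __do_munmap(). Add a line such as `* Returns true if the caller may downgrade the mmap lock, false if a neighbouring VMA can grow into the range.` The new in-body comment also speaks of `mmap_lock` while this tree still uses `mm->mmap_sem` (see `downgrade_write(&mm->mmap_sem)` in the last hunk), so the wording should follow the backport target. Both function bodies extend beyond their hunks.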
@@ -0,0 +1,37 @@
+From ebd4050c6144b38098d8eed34df461e5e3fa82a9 Mon Sep 17 00:00:00 2001
+From: Eddie James
+Date: Thu, 9 Jul 2020 14:57:06 -0500
+Subject: mmc: sdhci-of-aspeed: Fix clock divider calculation
+
+From: Eddie James
+
+commit ebd4050c6144b38098d8eed34df461e5e3fa82a9 upstream.
+
+When calculating the clock divider, start dividing at 2 instead of 1.
+The divider is divided by two at the end of the calculation, so starting
+at 1 may result in a divider of 0, which shouldn't happen.
+
+Signed-off-by: Eddie James
+Reviewed-by: Andrew Jeffery
+Acked-by: Joel Stanley
+Acked-by: Adrian Hunter
+Link: https://lore.kernel.org/r/20200709195706.12741-3-eajames@linux.ibm.com
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci-of-aspeed.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-aspeed.c
++++ b/drivers/mmc/host/sdhci-of-aspeed.c
+@@ -68,7 +68,7 @@ static void aspeed_sdhci_set_clock(struc
+ if (WARN_ON(clock > host->max_clk))
+ clock = host->max_clk;
+
+- for (div = 1; div < 256; div *= 2) {
++ for (div = 2; div < 256; div *= 2) {
+ if ((parent / div) <= clock)
+ break;
+ }
diff --git a/queue-5.7/parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch b/queue-5.7/parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch
new file mode 100644
index 00000000000..cf2ba4b0cc1
--- /dev/null
+++ b/queue-5.7/parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch
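Review bot: The loop in aspeed_sdhci_set_clock() now starts at `div = 2`, and the reason is recorded only in the commit message. A one-line comment above the loop would keep it from being simplified back, e.g. `/* div is halved before it is programmed; start at 2 so the result is never 0 */`. The halving itself is outside the hunk, so the wording should be checked against the code that follows.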
@@ -0,0 +1,84 @@ +From be6577af0cef934ccb036445314072e8cb9217b9 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Tue, 21 Jul 2020 07:36:59 -0400 +Subject: parisc: Add atomic64_set_release() define to avoid CPU soft lockups + +From: John David Anglin + +commit be6577af0cef934ccb036445314072e8cb9217b9 upstream. + +Stalls are quite frequent with recent kernels. I enabled +CONFIG_SOFTLOCKUP_DETECTOR and I caught the following stall: + +watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [cc1:22803] +CPU: 0 PID: 22803 Comm: cc1 Not tainted 5.6.17+ #3 +Hardware name: 9000/800/rp3440 + IAOQ[0]: d_alloc_parallel+0x384/0x688 + IAOQ[1]: d_alloc_parallel+0x388/0x688 + RP(r2): d_alloc_parallel+0x134/0x688 +Backtrace: + [<000000004036974c>] __lookup_slow+0xa4/0x200 + [<0000000040369fc8>] walk_component+0x288/0x458 + [<000000004036a9a0>] path_lookupat+0x88/0x198 + [<000000004036e748>] filename_lookup+0xa0/0x168 + [<000000004036e95c>] user_path_at_empty+0x64/0x80 + [<000000004035d93c>] vfs_statx+0x104/0x158 + [<000000004035dfcc>] __do_sys_lstat64+0x44/0x80 + [<000000004035e5a0>] sys_lstat64+0x20/0x38 + [<0000000040180054>] syscall_exit+0x0/0x14 + +The code was stuck in this loop in d_alloc_parallel: + + 4037d414: 0e 00 10 dc ldd 0(r16),ret0 + 4037d418: c7 fc 5f ed bb,< ret0,1f,4037d414 + 4037d41c: 08 00 02 40 nop + +This is the inner loop of bit_spin_lock which is called by hlist_bl_unlock in +d_alloc_parallel: + +static inline void bit_spin_lock(int bitnum, unsigned long *addr) +{ + /* + * Assuming the lock is uncontended, this never enters + * the body of the outer loop. If it is contended, then + * within the inner loop a non-atomic test is used to + * busywait with less bus contention for a good time to + * attempt to acquire the lock bit. 
+ */ + preempt_disable(); +#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK) + while (unlikely(test_and_set_bit_lock(bitnum, addr))) { + preempt_enable(); + do { + cpu_relax(); + } while (test_bit(bitnum, addr)); + preempt_disable(); + } +#endif + __acquire(bitlock); +} + +After consideration, I realized that we must be losing bit unlocks. +Then, I noticed that we missed defining atomic64_set_release(). +Adding this define fixes the stalls in bit operations. + +Signed-off-by: Dave Anglin +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/atomic.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/parisc/include/asm/atomic.h ++++ b/arch/parisc/include/asm/atomic.h +@@ -212,6 +212,8 @@ atomic64_set(atomic64_t *v, s64 i) + _atomic_spin_unlock_irqrestore(v, flags); + } + ++#define atomic64_set_release(v, i) atomic64_set((v), (i)) ++ + static __inline__ s64 + atomic64_read(const atomic64_t *v) + { diff --git a/queue-5.7/series b/queue-5.7/series index ce54b47abd9..4e94dabb5a6 100644 --- a/queue-5.7/series +++ b/queue-5.7/series 
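Review bot: The new `#define atomic64_set_release(v, i) atomic64_set((v), (i))` in arch/parisc/include/asm/atomic.h carries no comment saying why the architecture has to override the release variant. The visible tail of atomic64_set() ends in `_atomic_spin_unlock_irqrestore(v, flags)`, so the point is presumably that every store must go through that lock rather than a plain release store. A comment such as `/* stores must take the same spinlock as the other atomic64 ops */` would say so. Whether the 32-bit `atomic_set_release()` has a matching define cannot be seen from this hunk and is worth checking.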
@@ -156,3 +156,24 @@ dev-mem-add-missing-memory-barriers-for-devmem_inode.patch fbdev-detect-integer-underflow-at-struct-fbcon_ops-clear_margins.patch vt-reject-zero-sized-screen-buffer-size.patch makefile-fix-gcc_toolchain_dir-prefix-for-clang-cross-compilation.patch +mm-mmap.c-close-race-between-munmap-and-expand_upwards-downwards.patch +vfs-xattr-mm-shmem-kernfs-release-simple-xattr-entry-in-a-right-way.patch +mm-memcg-fix-refcount-error-while-moving-and-swapping.patch +mm-memcg-slab-fix-memory-leak-at-non-root-kmem_cache-destroy.patch +mm-hugetlb-avoid-hardcoding-while-checking-if-cma-is-enabled.patch +khugepaged-fix-null-pointer-dereference-due-to-race.patch +io-mapping-indicate-mapping-failure.patch +mmc-sdhci-of-aspeed-fix-clock-divider-calculation.patch +drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch +drm-amd-powerplay-fix-a-crash-when-overclocking-vega-m.patch +arm64-vdso32-fix-prefix-value-for-newer-versions-of-clang.patch +parisc-add-atomic64_set_release-define-to-avoid-cpu-soft-lockups.patch +x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch +asoc-rt5670-add-new-gpio1_is_ext_spk_en-quirk-and-enable-it-on-the-lenovo-miix-2-10.patch +asoc-qcom-drop-has_dma-dependency-to-fix-link-failure.patch +asoc-topology-fix-kernel-oops-on-route-addition-error.patch +asoc-topology-fix-tlvs-in-error-handling-for-widget_dmixer.patch +asoc-intel-bdw-rt5677-fix-non-be-conversion.patch +dm-integrity-fix-integrity-recalculation-that-is-improperly-skipped.patch +ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch +ath9k-fix-regression-with-atheros-9271.patch diff --git a/queue-5.7/vfs-xattr-mm-shmem-kernfs-release-simple-xattr-entry-in-a-right-way.patch b/queue-5.7/vfs-xattr-mm-shmem-kernfs-release-simple-xattr-entry-in-a-right-way.patch new file mode 100644 index 00000000000..4e3fa889a6e --- /dev/null +++ b/queue-5.7/vfs-xattr-mm-shmem-kernfs-release-simple-xattr-entry-in-a-right-way.patch 
@@ -0,0 +1,63 @@ +From 3bef735ad7b7d987069181e7b58588043cbd1509 Mon Sep 17 00:00:00 2001 +From: Chengguang Xu +Date: Thu, 23 Jul 2020 21:15:14 -0700 +Subject: vfs/xattr: mm/shmem: kernfs: release simple xattr entry in a right way + +From: Chengguang Xu + +commit 3bef735ad7b7d987069181e7b58588043cbd1509 upstream. + +After commit fdc85222d58e ("kernfs: kvmalloc xattr value instead of +kmalloc"), simple xattr entry is allocated with kvmalloc() instead of +kmalloc(), so we should release it with kvfree() instead of kfree(). + +Fixes: fdc85222d58e ("kernfs: kvmalloc xattr value instead of kmalloc") +Signed-off-by: Chengguang Xu +Signed-off-by: Andrew Morton +Acked-by: Hugh Dickins +Acked-by: Tejun Heo +Cc: Daniel Xu +Cc: Chris Down +Cc: Andreas Dilger +Cc: Greg Kroah-Hartman +Cc: Al Viro +Cc: [5.7] +Link: http://lkml.kernel.org/r/20200704051608.15043-1-cgxu519@mykernel.net +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/xattr.h | 3 ++- + mm/shmem.c | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/include/linux/xattr.h ++++ b/include/linux/xattr.h +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + + struct inode; +@@ -94,7 +95,7 @@ static inline void simple_xattrs_free(st + + list_for_each_entry_safe(xattr, node, &xattrs->head, list) { + kfree(xattr->name); +- kfree(xattr); ++ kvfree(xattr); + } + } + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -3205,7 +3205,7 @@ static int shmem_initxattrs(struct inode + new_xattr->name = kmalloc(XATTR_SECURITY_PREFIX_LEN + len, + GFP_KERNEL); + if (!new_xattr->name) { +- kfree(new_xattr); ++ kvfree(new_xattr); + return -ENOMEM; + } + diff --git a/queue-5.7/x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch b/queue-5.7/x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch new file mode 100644 index 00000000000..994efbe4eb2 --- /dev/null +++ b/queue-5.7/x86-vmlinux.lds-page-align-end-of-..page_aligned-sections.patch 
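Review bot: After this change simple_xattrs_free() releases `xattr->name` with kfree() and the entry itself with kvfree(), a pairing that is easy to get wrong again because the two calls sit on adjacent lines. A comment at the free site would pin it, e.g. `/* name is kmalloc()ed, the entry comes from kvmalloc() */`. The subject mentions kernfs, but the diffstat touches only include/linux/xattr.h and mm/shmem.c. Any other place that frees a `struct simple_xattr` is therefore outside this patch and should be checked for the same mismatch.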
@@ -0,0 +1,78 @@
+From de2b41be8fcccb2f5b6c480d35df590476344201 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel
+Date: Tue, 21 Jul 2020 11:34:48 +0200
+Subject: x86, vmlinux.lds: Page-align end of ..page_aligned sections
+
+From: Joerg Roedel
+
+commit de2b41be8fcccb2f5b6c480d35df590476344201 upstream.
+
+On x86-32 the idt_table with 256 entries needs only 2048 bytes. It is
+page-aligned, but the end of the .bss..page_aligned section is not
+guaranteed to be page-aligned.
+
+As a result, objects from other .bss sections may end up on the same 4k
+page as the idt_table, and will accidentially get mapped read-only during
+boot, causing unexpected page-faults when the kernel writes to them.
+
+This could be worked around by making the objects in the page aligned
+sections page sized, but that's wrong.
+
+Explicit sections which store only page aligned objects have an implicit
+guarantee that the object is alone in the page in which it is placed. That
+works for all objects except the last one. That's inconsistent.
+
+Enforcing page sized objects for these sections would wreckage memory
+sanitizers, because the object becomes artificially larger than it should
+be and out of bound access becomes legit.
+
+Align the end of the .bss..page_aligned and .data..page_aligned section on
+page-size so all objects places in these sections are guaranteed to have
+their own page.
+
+[ tglx: Amended changelog ]
+
+Signed-off-by: Joerg Roedel
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Kees Cook
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200721093448.10417-1-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/vmlinux.lds.S | 1 +
+ include/asm-generic/vmlinux.lds.h | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -359,6 +359,7 @@ SECTIONS
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
+ __bss_start = .;
+ *(.bss..page_aligned)
++ . = ALIGN(PAGE_SIZE);
+ *(BSS_MAIN)
+ BSS_DECRYPTED
+ . = ALIGN(PAGE_SIZE);
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -341,7 +341,8 @@
+
+ #define PAGE_ALIGNED_DATA(page_align) \
+ . = ALIGN(page_align); \
+- *(.data..page_aligned)
++ *(.data..page_aligned) \
++ . = ALIGN(page_align);
+
+ #define READ_MOSTLY_DATA(align) \
+ . = ALIGN(align); \
+@@ -727,7 +728,9 @@
+ . = ALIGN(bss_align); \
+ .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \
+ BSS_FIRST_SECTIONS \
++ . = ALIGN(PAGE_SIZE); \
+ *(.bss..page_aligned) \
++ . = ALIGN(PAGE_SIZE); \
+ *(.dynbss) \
+ *(BSS_MAIN) \
+ *(COMMON) \
-- 2.47.3
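Review bot: The added `. = ALIGN(PAGE_SIZE);` and `. = ALIGN(page_align);` lines carry no comment, and the purpose of the trailing padding is not evident from the linker script itself. Per the changelog it keeps unrelated objects off the page of the last page-aligned object, which can be remapped read-only. I would put `/* Pad to a page boundary so no other object shares the last page-aligned object's page. */` above `PAGE_ALIGNED_DATA` and above the `.bss` output section. The generic `.bss` macro hardcodes `PAGE_SIZE` where `PAGE_ALIGNED_DATA` uses its `page_align` argument, and the x86 script adds only the trailing align. The lines before `.bss :` in the x86 script are outside the inner hunk, so its leading alignment cannot be confirmed from here.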