From 3045298b4d0f2faa59f48679fbb8565c14b3b431 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 7 Aug 2020 16:10:51 -0400 Subject: [PATCH] Fixes for 5.7 Signed-off-by: Sasha Levin --- ...l-pointer-dereference-during-suspend.patch | 54 ++++++++ ...refcnt-leaks-in-atmtcp_remove_persis.patch | 54 ++++++++ ...nter-dereference-in-__btf_resolve_he.patch | 42 +++++++ ...endor-command-doit-pointer-before-us.patch | 50 ++++++++ ...adv7511-set-the-bridge-type-properly.patch | 40 ++++++ ...drm_fb_helper-fix-fbdev-with-sparc64.patch | 115 ++++++++++++++++++ ...n-fix-module-unload-when-fbcon-init-.patch | 33 +++++ ...n-zero-initialise-the-mode_cmd2-stru.patch | 33 +++++ ...tu102-wait-for-core-update-to-comple.patch | 35 ++++++ ...o-kd101n80-45na-horizontal-noise-on-.patch | 39 ++++++ .../firmware-fix-a-reference-count-leak.patch | 51 ++++++++ ...-add-sanity-check-when-unregistering.patch | 34 ++++++ ...mprove-sanity-check-when-registering.patch | 38 ++++++ ...cked-should-be-called-with-rtnl_lock.patch | 92 ++++++++++++++ ...io_uring-fix-lockup-in-io_fail_links.patch | 56 +++++++++ .../net-9p-validate-fds-in-p9_fd_open.patch | 70 +++++++++++ ..._eth_soc-always-call-mtk_gmac0_rgmii.patch | 69 +++++++++++ ...fix-hardware-timestamp-dequeue-logic.patch | 57 +++++++++ ...-sk-hynix-pc400-from-using-write-zer.patch | 51 ++++++++ queue-5.7/series | 21 ++++ ...vent-fix-memory-leak-in-process_dyna.patch | 72 +++++++++++ ...r-return-value-in-hso_serial_common_.patch | 53 ++++++++ 22 files changed, 1159 insertions(+) create mode 100644 queue-5.7/alsa-hda-fix-null-pointer-dereference-during-suspend.patch create mode 100644 queue-5.7/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch create mode 100644 queue-5.7/bpf-fix-null-pointer-dereference-in-__btf_resolve_he.patch create mode 100644 queue-5.7/cfg80211-check-vendor-command-doit-pointer-before-us.patch create mode 100644 queue-5.7/drm-bridge-adv7511-set-the-bridge-type-properly.patch create mode 100644 queue-5.7/drm-drm_fb_helper-fix-fbdev-with-sparc64.patch create mode 100644 queue-5.7/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch create mode 100644 queue-5.7/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch create mode 100644 queue-5.7/drm-nouveau-kms-tu102-wait-for-core-update-to-comple.patch create mode 100644 queue-5.7/drm-panel-fix-auo-kd101n80-45na-horizontal-noise-on-.patch create mode 100644 queue-5.7/firmware-fix-a-reference-count-leak.patch create mode 100644 queue-5.7/i2c-slave-add-sanity-check-when-unregistering.patch create mode 100644 queue-5.7/i2c-slave-improve-sanity-check-when-registering.patch create mode 100644 queue-5.7/igb-reinit_locked-should-be-called-with-rtnl_lock.patch create mode 100644 queue-5.7/io_uring-fix-lockup-in-io_fail_links.patch create mode 100644 queue-5.7/net-9p-validate-fds-in-p9_fd_open.patch create mode 100644 queue-5.7/net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch create mode 100644 queue-5.7/net-mscc-ocelot-fix-hardware-timestamp-dequeue-logic.patch create mode 100644 queue-5.7/nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch create mode 100644 queue-5.7/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch create mode 100644 queue-5.7/usb-hso-check-for-return-value-in-hso_serial_common_.patch diff --git a/queue-5.7/alsa-hda-fix-null-pointer-dereference-during-suspend.patch b/queue-5.7/alsa-hda-fix-null-pointer-dereference-during-suspend.patch new file mode 100644 index 00000000000..451203841d7 --- /dev/null +++ b/queue-5.7/alsa-hda-fix-null-pointer-dereference-during-suspend.patch @@ -0,0 +1,54 @@ +From 00306dae40d032ad6eaeac18254ab270ee8705ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jul 2020 16:10:11 -0700 +Subject: ALSA: hda: fix NULL pointer dereference during suspend + +From: Ranjani Sridharan + +[ Upstream commit 7fcd9bb5acd01250bcae1ecc0cb8b8d4bb5b7e63 ] + +When the ASoC card registration fails and the codec component driver +never probes, the codec device is not initialized and therefore +memory for codec->wcaps is not allocated. This results in a NULL pointer +dereference when the codec driver suspend callback is invoked during +system suspend. Fix this by returning without performing any actions +during codec suspend/resume if the card was not registered successfully. + +Reviewed-by: Pierre-Louis Bossart +Signed-off-by: Ranjani Sridharan +Link: https://lore.kernel.org/r/20200728231011.1454066-1-ranjani.sridharan@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_codec.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 7e3ae4534df91..803978d69e3c4 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -2935,6 +2935,10 @@ static int hda_codec_runtime_suspend(struct device *dev) + struct hda_codec *codec = dev_to_hda_codec(dev); + unsigned int state; + ++ /* Nothing to do if card registration fails and the component driver never probes */ ++ if (!codec->card) ++ return 0; ++ + cancel_delayed_work_sync(&codec->jackpoll_work); + state = hda_call_codec_suspend(codec); + if (codec->link_down_at_suspend || +@@ -2949,6 +2953,10 @@ static int hda_codec_runtime_resume(struct device *dev) + { + struct hda_codec *codec = dev_to_hda_codec(dev); + ++ /* Nothing to do if card registration fails and the component driver never probes */ ++ if (!codec->card) ++ return 0; ++ + codec_display_power(codec, true); + snd_hdac_codec_link_up(&codec->core); + hda_call_codec_resume(codec); +-- +2.25.1 + diff --git a/queue-5.7/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch b/queue-5.7/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch new file mode 100644 index 00000000000..48f963cd5a7 --- /dev/null +++ b/queue-5.7/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch @@ -0,0 +1,54 @@ +From 6d14fe15ce0ebee9df8be23de904ebf8d9b02bb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 21:06:59 +0800 +Subject: atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent + +From: Xin Xiong + +[ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ] + +atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a +reference of atm_dev with increased refcount or NULL if fails. + +The refcount leaks issues occur in two error handling paths. If +dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function +returns 0 without decreasing the refcount kept by a local variable, +resulting in refcount leaks. + +Fix the issue by adding atm_dev_put() before returning 0 both when +dev_data->persist is zero or PRIV(dev)->vcc isn't NULL. + +Signed-off-by: Xin Xiong +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/atmtcp.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c +index d9fd70280482c..7f814da3c2d06 100644 +--- a/drivers/atm/atmtcp.c ++++ b/drivers/atm/atmtcp.c +@@ -433,9 +433,15 @@ static int atmtcp_remove_persistent(int itf) + return -EMEDIUMTYPE; + } + dev_data = PRIV(dev); +- if (!dev_data->persist) return 0; ++ if (!dev_data->persist) { ++ atm_dev_put(dev); ++ return 0; ++ } + dev_data->persist = 0; +- if (PRIV(dev)->vcc) return 0; ++ if (PRIV(dev)->vcc) { ++ atm_dev_put(dev); ++ return 0; ++ } + kfree(dev_data); + atm_dev_put(dev); + atm_dev_deregister(dev); +-- +2.25.1 + diff --git a/queue-5.7/bpf-fix-null-pointer-dereference-in-__btf_resolve_he.patch b/queue-5.7/bpf-fix-null-pointer-dereference-in-__btf_resolve_he.patch new file mode 100644 index 00000000000..a9f1123f29b --- /dev/null +++ b/queue-5.7/bpf-fix-null-pointer-dereference-in-__btf_resolve_he.patch @@ -0,0 +1,42 @@ +From 0567652cb156ae0a5b7e3f83cdac9c1040eb6931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 14:09:04 -0400 +Subject: bpf: Fix NULL pointer dereference in __btf_resolve_helper_id() + +From: Peilin Ye + +[ Upstream commit 5b801dfb7feb2738975d80223efc2fc193e55573 ] + +Prevent __btf_resolve_helper_id() from dereferencing `btf_vmlinux` +as NULL. This patch fixes the following syzbot bug: + + https://syzkaller.appspot.com/bug?id=f823224ada908fa5c207902a5a62065e53ca0fcc + +Reported-by: syzbot+ee09bda7017345f1fbe6@syzkaller.appspotmail.com +Signed-off-by: Peilin Ye +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20200714180904.277512-1-yepeilin.cs@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index d1f5d428c9fe2..6cafc596631c3 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -4011,6 +4011,11 @@ static int __btf_resolve_helper_id(struct bpf_verifier_log *log, void *fn, + const char *tname, *sym; + u32 btf_id, i; + ++ if (!btf_vmlinux) { ++ bpf_log(log, "btf_vmlinux doesn't exist\n"); ++ return -EINVAL; ++ } ++ + if (IS_ERR(btf_vmlinux)) { + bpf_log(log, "btf_vmlinux is malformed\n"); + return -EINVAL; +-- +2.25.1 + diff --git a/queue-5.7/cfg80211-check-vendor-command-doit-pointer-before-us.patch b/queue-5.7/cfg80211-check-vendor-command-doit-pointer-before-us.patch new file mode 100644 index 00000000000..129fa8b1f35 --- /dev/null +++ b/queue-5.7/cfg80211-check-vendor-command-doit-pointer-before-us.patch @@ -0,0 +1,50 @@ +From b992aeec1c9ee519813d9341bbe1c94c96ce68ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 17:13:53 -0400 +Subject: cfg80211: check vendor command doit pointer before use + +From: Julian Squires + +[ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ] + +In the case where a vendor command does not implement doit, and has no +flags set, doit would not be validated and a NULL pointer dereference +would occur, for example when invoking the vendor command via iw. + +I encountered this while developing new vendor commands. Perhaps in +practice it is advisable to always implement doit along with dumpit, +but it seems reasonable to me to always check doit anyway, not just +when NEED_WDEV. + +Signed-off-by: Julian Squires +Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 7ae6b90e0d264..970f05c4150ea 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -13190,13 +13190,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info) + if (!wdev_running(wdev)) + return -ENETDOWN; + } +- +- if (!vcmd->doit) +- return -EOPNOTSUPP; + } else { + wdev = NULL; + } + ++ if (!vcmd->doit) ++ return -EOPNOTSUPP; ++ + if (info->attrs[NL80211_ATTR_VENDOR_DATA]) { + data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]); + len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]); +-- +2.25.1 + diff --git a/queue-5.7/drm-bridge-adv7511-set-the-bridge-type-properly.patch b/queue-5.7/drm-bridge-adv7511-set-the-bridge-type-properly.patch new file mode 100644 index 00000000000..0a9e1d80fc0 --- /dev/null +++ b/queue-5.7/drm-bridge-adv7511-set-the-bridge-type-properly.patch @@ -0,0 +1,40 @@ +From 043d625fc289394240baa5c3b6353715876db8c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 15:42:27 +0300 +Subject: drm/bridge/adv7511: set the bridge type properly + +From: Laurentiu Palcu + +[ Upstream commit f10761c9df96a882438faa09dcd25261281d69ca ] + +After the drm_bridge_connector_init() helper function has been added, +the ADV driver has been changed accordingly. However, the 'type' +field of the bridge structure was left unset, which makes the helper +function always return -EINVAL. + +Signed-off-by: Laurentiu Palcu +Reviewed-by: Laurent Pinchart +Reviewed-by: Vinod Koul +Tested-by: Vinod Koul # tested on DragonBoard 410c +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200720124228.12552-1-laurentiu.palcu@oss.nxp.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +index 87b58c1acff4a..648eb23d07848 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +@@ -1224,6 +1224,7 @@ static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id) + + adv7511->bridge.funcs = &adv7511_bridge_funcs; + adv7511->bridge.of_node = dev->of_node; ++ adv7511->bridge.type = DRM_MODE_CONNECTOR_HDMIA; + + drm_bridge_add(&adv7511->bridge); + +-- +2.25.1 + diff --git a/queue-5.7/drm-drm_fb_helper-fix-fbdev-with-sparc64.patch b/queue-5.7/drm-drm_fb_helper-fix-fbdev-with-sparc64.patch new file mode 100644 index 00000000000..9899d0b0ac4 --- /dev/null +++ b/queue-5.7/drm-drm_fb_helper-fix-fbdev-with-sparc64.patch @@ -0,0 +1,115 @@ +From 3924ecfb86cf746ecc04068fdcdcd51d37a228dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 21:30:16 +0200 +Subject: drm/drm_fb_helper: fix fbdev with sparc64 + +From: Sam Ravnborg + +[ Upstream commit 2a1658bf922ffd9b7907e270a7d9cdc9643fc45d ] + +Recent kernels have been reported to panic using the bochs_drm +framebuffer under qemu-system-sparc64 which was bisected to +commit 7a0483ac4ffc ("drm/bochs: switch to generic drm fbdev emulation"). + +The backtrace indicates that the shadow framebuffer copy in +drm_fb_helper_dirty_blit_real() is trying to access the real +framebuffer using a virtual address rather than use an IO access +typically implemented using a physical (ASI_PHYS) access on SPARC. + +The fix is to replace the memcpy with memcpy_toio() from io.h. + +memcpy_toio() uses writeb() where the original fbdev code +used sbus_memcpy_toio(). The latter uses sbus_writeb(). + +The difference between writeb() and sbus_memcpy_toio() is +that writeb() writes bytes in little-endian, where sbus_writeb() writes +bytes in big-endian. As endian does not matter for byte writes they are +the same. So we can safely use memcpy_toio() here. + +Note that this only fixes bochs, in general fbdev helpers still have +issues with mixing up system memory and __iomem space. Fixing that will +require a lot more work. + +v3: + - Improved changelog (Daniel) + - Added FIXME to fbdev_use_iomem (Daniel) + +v2: + - Added missing __iomem cast (kernel test robot) + - Made changelog readable and fix typos (Mark) + - Add flag to select iomem - and set it in the bochs driver + +Signed-off-by: Sam Ravnborg +Reported-by: Mark Cave-Ayland +Reported-by: kernel test robot +Tested-by: Mark Cave-Ayland +Reviewed-by: Daniel Vetter +Cc: Mark Cave-Ayland +Cc: Thomas Zimmermann +Cc: Gerd Hoffmann +Cc: "David S. Miller" +Cc: sparclinux@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20200709193016.291267-1-sam@ravnborg.org +Link: https://patchwork.freedesktop.org/patch/msgid/20200725191012.GA434957@ravnborg.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bochs/bochs_kms.c | 1 + + drivers/gpu/drm/drm_fb_helper.c | 6 +++++- + include/drm/drm_mode_config.h | 12 ++++++++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bochs/bochs_kms.c b/drivers/gpu/drm/bochs/bochs_kms.c +index 8066d7d370d5b..200d55fa97656 100644 +--- a/drivers/gpu/drm/bochs/bochs_kms.c ++++ b/drivers/gpu/drm/bochs/bochs_kms.c +@@ -143,6 +143,7 @@ int bochs_kms_init(struct bochs_device *bochs) + bochs->dev->mode_config.preferred_depth = 24; + bochs->dev->mode_config.prefer_shadow = 0; + bochs->dev->mode_config.prefer_shadow_fbdev = 1; ++ bochs->dev->mode_config.fbdev_use_iomem = true; + bochs->dev->mode_config.quirk_addfb_prefer_host_byte_order = true; + + bochs->dev->mode_config.funcs = &bochs_mode_funcs; +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c +index c7be39a00d437..4dd12a069474a 100644 +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -399,7 +399,11 @@ static void drm_fb_helper_dirty_blit_real(struct drm_fb_helper *fb_helper, + unsigned int y; + + for (y = clip->y1; y < clip->y2; y++) { +- memcpy(dst, src, len); ++ if (!fb_helper->dev->mode_config.fbdev_use_iomem) ++ memcpy(dst, src, len); ++ else ++ memcpy_toio((void __iomem *)dst, src, len); ++ + src += fb->pitches[0]; + dst += fb->pitches[0]; + } +diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h +index 3bcbe30339f04..198b9d0600081 100644 +--- a/include/drm/drm_mode_config.h ++++ b/include/drm/drm_mode_config.h +@@ -865,6 +865,18 @@ struct drm_mode_config { + */ + bool prefer_shadow_fbdev; + ++ /** ++ * @fbdev_use_iomem: ++ * ++ * Set to true if framebuffer reside in iomem. ++ * When set to true memcpy_toio() is used when copying the framebuffer in ++ * drm_fb_helper.drm_fb_helper_dirty_blit_real(). ++ * ++ * FIXME: This should be replaced with a per-mapping is_iomem ++ * flag (like ttm does), and then used everywhere in fbdev code. ++ */ ++ bool fbdev_use_iomem; ++ + /** + * @quirk_addfb_prefer_xbgr_30bpp: + * +-- +2.25.1 + diff --git a/queue-5.7/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch b/queue-5.7/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch new file mode 100644 index 00000000000..4356845ad6f --- /dev/null +++ b/queue-5.7/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch @@ -0,0 +1,33 @@ +From 805bc46781c5ff966d5b6d4ed33aad519fe36df0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 17:01:39 +1000 +Subject: drm/nouveau/fbcon: fix module unload when fbcon init has failed for + some reason + +From: Ben Skeggs + +[ Upstream commit 498595abf5bd51f0ae074cec565d888778ea558f ] + +Stale pointer was tripping up the unload path. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index 24d543a01f435..e42100a2425fd 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -588,6 +588,7 @@ fini: + drm_fb_helper_fini(&fbcon->helper); + free: + kfree(fbcon); ++ drm->fbcon = NULL; + return ret; + } + +-- +2.25.1 + diff --git a/queue-5.7/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch b/queue-5.7/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch new file mode 100644 index 00000000000..1df4f030ebd --- /dev/null +++ b/queue-5.7/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch @@ -0,0 +1,33 @@ +From 15d15221ebc2c2f2c69853e8fd6c06827cb7d85a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 17:02:48 +1000 +Subject: drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure + +From: Ben Skeggs + +[ Upstream commit 15fbc3b938534cc8eaac584a7b0c1183fc968b86 ] + +This is tripping up the format modifier patches. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index e42100a2425fd..47883f225941d 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -315,7 +315,7 @@ nouveau_fbcon_create(struct drm_fb_helper *helper, + struct nouveau_framebuffer *fb; + struct nouveau_channel *chan; + struct nouveau_bo *nvbo; +- struct drm_mode_fb_cmd2 mode_cmd; ++ struct drm_mode_fb_cmd2 mode_cmd = {}; + int ret; + + mode_cmd.width = sizes->surface_width; +-- +2.25.1 + diff --git a/queue-5.7/drm-nouveau-kms-tu102-wait-for-core-update-to-comple.patch b/queue-5.7/drm-nouveau-kms-tu102-wait-for-core-update-to-comple.patch new file mode 100644 index 00000000000..fbc66f07c73 --- /dev/null +++ b/queue-5.7/drm-nouveau-kms-tu102-wait-for-core-update-to-comple.patch @@ -0,0 +1,35 @@ +From 36bf89c58bd1523d26c31a4f8e9eb6a59145ccda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 20:10:42 +1000 +Subject: drm/nouveau/kms/tu102: wait for core update to complete when + assigning windows + +From: Ben Skeggs + +[ Upstream commit 705d9d022949e3cdae82d89db6a8fc773eb23dad ] + +Fixes a race on Turing between the core cross-channel error checks and +the following window update. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/dispnv50/disp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c +index 2625ed84fc44d..5835d19e1c45f 100644 +--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c ++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c +@@ -2041,7 +2041,7 @@ nv50_disp_atomic_commit_tail(struct drm_atomic_state *state) + */ + if (core->assign_windows) { + core->func->wndw.owner(core); +- core->func->update(core, interlock, false); ++ nv50_disp_atomic_commit_core(state, interlock); + core->assign_windows = false; + interlock[NV50_DISP_INTERLOCK_CORE] = 0; + } +-- +2.25.1 + diff --git a/queue-5.7/drm-panel-fix-auo-kd101n80-45na-horizontal-noise-on-.patch b/queue-5.7/drm-panel-fix-auo-kd101n80-45na-horizontal-noise-on-.patch new file mode 100644 index 00000000000..ba91975e493 --- /dev/null +++ b/queue-5.7/drm-panel-fix-auo-kd101n80-45na-horizontal-noise-on-.patch @@ -0,0 +1,39 @@ +From 41d7349fe4a7da15484012e296ea10ce950b29c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 20:33:32 +0800 +Subject: drm/panel: Fix auo, kd101n80-45na horizontal noise on edges of panel + +From: Jitao Shi + +[ Upstream commit d76acc9fcddeda53b985b029c890976a87fcc3fc ] + +Fine tune the HBP and HFP to avoid the dot noise on the left and right edges. + +Signed-off-by: Jitao Shi +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200714123332.37609-1-jitao.shi@mediatek.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +index 48a164257d18c..3edb33e619088 100644 +--- a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c ++++ b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +@@ -615,9 +615,9 @@ static const struct panel_desc boe_tv101wum_nl6_desc = { + static const struct drm_display_mode auo_kd101n80_45na_default_mode = { + .clock = 157000, + .hdisplay = 1200, +- .hsync_start = 1200 + 80, +- .hsync_end = 1200 + 80 + 24, +- .htotal = 1200 + 80 + 24 + 36, ++ .hsync_start = 1200 + 60, ++ .hsync_end = 1200 + 60 + 24, ++ .htotal = 1200 + 60 + 24 + 56, + .vdisplay = 1920, + .vsync_start = 1920 + 16, + .vsync_end = 1920 + 16 + 4, +-- +2.25.1 + diff --git a/queue-5.7/firmware-fix-a-reference-count-leak.patch b/queue-5.7/firmware-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..a1f6a79bbbb --- /dev/null +++ b/queue-5.7/firmware-fix-a-reference-count-leak.patch @@ -0,0 +1,51 @@ +From 4d35f920f4693285df42dd1c0d5548f78baeda5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 14:05:33 -0500 +Subject: firmware: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit fe3c60684377d5ad9b0569b87ed3e26e12c8173b ] + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. +Callback function fw_cfg_sysfs_release_entry() in kobject_put() +can handle the pointer "entry" properly. + +Signed-off-by: Qiushi Wu +Link: https://lore.kernel.org/r/20200613190533.15712-1-wu000273@umn.edu +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/firmware/qemu_fw_cfg.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c +index 039e0f91dba8f..6945c3c966375 100644 +--- a/drivers/firmware/qemu_fw_cfg.c ++++ b/drivers/firmware/qemu_fw_cfg.c +@@ -605,8 +605,10 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f) + /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */ + err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype, + fw_cfg_sel_ko, "%d", entry->select); +- if (err) +- goto err_register; ++ if (err) { ++ kobject_put(&entry->kobj); ++ return err; ++ } + + /* add raw binary content access */ + err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw); +@@ -622,7 +624,6 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f) + + err_add_raw: + kobject_del(&entry->kobj); +-err_register: + kfree(entry); + return err; + } +-- +2.25.1 + diff --git a/queue-5.7/i2c-slave-add-sanity-check-when-unregistering.patch b/queue-5.7/i2c-slave-add-sanity-check-when-unregistering.patch new file mode 100644 index 00000000000..47dc225b2ec --- /dev/null +++ b/queue-5.7/i2c-slave-add-sanity-check-when-unregistering.patch @@ -0,0 +1,34 @@ +From c8c30a74137521a0fa3f7292084a16fb87cbda91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 21:50:53 +0200 +Subject: i2c: slave: add sanity check when unregistering + +From: Wolfram Sang + +[ Upstream commit 8808981baf96e1b3dea1f08461e4d958aa0dbde1 ] + +Signed-off-by: Wolfram Sang +Reviewed-by: Alain Volmat +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-slave.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c +index 549751347e6c7..1589179d5eb92 100644 +--- a/drivers/i2c/i2c-core-slave.c ++++ b/drivers/i2c/i2c-core-slave.c +@@ -58,6 +58,9 @@ int i2c_slave_unregister(struct i2c_client *client) + { + int ret; + ++ if (IS_ERR_OR_NULL(client)) ++ return -EINVAL; ++ + if (!client->adapter->algo->unreg_slave) { + dev_err(&client->dev, "%s: not supported by adapter\n", __func__); + return -EOPNOTSUPP; +-- +2.25.1 + diff --git a/queue-5.7/i2c-slave-improve-sanity-check-when-registering.patch b/queue-5.7/i2c-slave-improve-sanity-check-when-registering.patch new file mode 100644 index 00000000000..f6ecad0412a --- /dev/null +++ b/queue-5.7/i2c-slave-improve-sanity-check-when-registering.patch @@ -0,0 +1,38 @@ +From 7af748dd5102730578d3a1a6ae0adf60808657b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 21:50:52 +0200 +Subject: i2c: slave: improve sanity check when registering + +From: Wolfram Sang + +[ Upstream commit 1b1be3bf27b62f5abcf85c6f3214bdb9c7526685 ] + +Add check for ERR_PTR and simplify code while here. + +Signed-off-by: Wolfram Sang +Reviewed-by: Alain Volmat +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-slave.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c +index 5427f047faf06..549751347e6c7 100644 +--- a/drivers/i2c/i2c-core-slave.c ++++ b/drivers/i2c/i2c-core-slave.c +@@ -18,10 +18,8 @@ int i2c_slave_register(struct i2c_client *client, i2c_slave_cb_t slave_cb) + { + int ret; + +- if (!client || !slave_cb) { +- WARN(1, "insufficient data\n"); ++ if (WARN(IS_ERR_OR_NULL(client) || !slave_cb, "insufficient data\n")) + return -EINVAL; +- } + + if (!(client->flags & I2C_CLIENT_SLAVE)) + dev_warn(&client->dev, "%s: client slave flag not set. You might see address collisions\n", +-- +2.25.1 + diff --git a/queue-5.7/igb-reinit_locked-should-be-called-with-rtnl_lock.patch b/queue-5.7/igb-reinit_locked-should-be-called-with-rtnl_lock.patch new file mode 100644 index 00000000000..4f039109cfa --- /dev/null +++ b/queue-5.7/igb-reinit_locked-should-be-called-with-rtnl_lock.patch @@ -0,0 +1,92 @@ +From 271a690336db6a6aa419686323db7b124272bddd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jul 2020 15:39:06 -0700 +Subject: igb: reinit_locked() should be called with rtnl_lock + +From: Francesco Ruggeri + +[ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ] + +We observed two panics involving races with igb_reset_task. +The first panic is caused by this race condition: + + kworker reboot -f + + igb_reset_task + igb_reinit_locked + igb_down + napi_synchronize + __igb_shutdown + igb_clear_interrupt_scheme + igb_free_q_vectors + igb_free_q_vector + adapter->q_vector[v_idx] = NULL; + napi_disable + Panics trying to access + adapter->q_vector[v_idx].napi_state + +The second panic (a divide error) is caused by this race: + +kworker reboot -f tx packet + +igb_reset_task + __igb_shutdown + rtnl_lock() + ... + igb_clear_interrupt_scheme + igb_free_q_vectors + adapter->num_tx_queues = 0 + ... + rtnl_unlock() +rtnl_lock() +igb_reinit_locked +igb_down +igb_up +netif_tx_start_all_queues + dev_hard_start_xmit + igb_xmit_frame + igb_tx_queue_mapping + Panics on + r_idx % adapter->num_tx_queues + +This commit applies to igb_reset_task the same changes that +were applied to ixgbe in commit 2f90b8657ec9 ("ixgbe: this patch +adds support for DCB to the kernel and ixgbe driver"), +commit 8f4c5c9fb87a ("ixgbe: reinit_locked() should be called with +rtnl_lock") and commit 88adce4ea8f9 ("ixgbe: fix possible race in +reset subtask"). + +Signed-off-by: Francesco Ruggeri +Tested-by: Aaron Brown +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index b46bff8fe0568..b35d599fc78ea 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6224,9 +6224,18 @@ static void igb_reset_task(struct work_struct *work) + struct igb_adapter *adapter; + adapter = container_of(work, struct igb_adapter, reset_task); + ++ rtnl_lock(); ++ /* If we're already down or resetting, just bail */ ++ if (test_bit(__IGB_DOWN, &adapter->state) || ++ test_bit(__IGB_RESETTING, &adapter->state)) { ++ rtnl_unlock(); ++ return; ++ } ++ + igb_dump(adapter); + netdev_err(adapter->netdev, "Reset adapter\n"); + igb_reinit_locked(adapter); ++ rtnl_unlock(); + } + + /** +-- +2.25.1 + diff --git a/queue-5.7/io_uring-fix-lockup-in-io_fail_links.patch b/queue-5.7/io_uring-fix-lockup-in-io_fail_links.patch new file mode 100644 index 00000000000..d7a18837d09 --- /dev/null +++ b/queue-5.7/io_uring-fix-lockup-in-io_fail_links.patch @@ -0,0 +1,56 @@ +From 2d95646b29ddf38f555674cf2ce1b332fae8a9f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 20:07:21 +0300 +Subject: io_uring: fix lockup in io_fail_links() + +From: Pavel Begunkov + +[ Upstream commit 4ae6dbd683860b9edc254ea8acf5e04b5ae242e5 ] + +io_fail_links() doesn't consider REQ_F_COMP_LOCKED leading to nested +spin_lock(completion_lock) and lockup. + +[ 197.680409] rcu: INFO: rcu_preempt detected expedited stalls on + CPUs/tasks: { 6-... } 18239 jiffies s: 1421 root: 0x40/. +[ 197.680411] rcu: blocking rcu_node structures: +[ 197.680412] Task dump for CPU 6: +[ 197.680413] link-timeout R running task 0 1669 + 1 0x8000008a +[ 197.680414] Call Trace: +[ 197.680420] ? io_req_find_next+0xa0/0x200 +[ 197.680422] ? io_put_req_find_next+0x2a/0x50 +[ 197.680423] ? io_poll_task_func+0xcf/0x140 +[ 197.680425] ? task_work_run+0x67/0xa0 +[ 197.680426] ? do_exit+0x35d/0xb70 +[ 197.680429] ? syscall_trace_enter+0x187/0x2c0 +[ 197.680430] ? do_group_exit+0x43/0xa0 +[ 197.680448] ? __x64_sys_exit_group+0x18/0x20 +[ 197.680450] ? do_syscall_64+0x52/0xa0 +[ 197.680452] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 4e09af1d5d223..fb9dc865c9eaa 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4260,10 +4260,9 @@ static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt) + + hash_del(&req->hash_node); + io_poll_complete(req, req->result, 0); +- req->flags |= REQ_F_COMP_LOCKED; +- io_put_req_find_next(req, nxt); + spin_unlock_irq(&ctx->completion_lock); + ++ io_put_req_find_next(req, nxt); + io_cqring_ev_posted(ctx); + } + +-- +2.25.1 + diff --git a/queue-5.7/net-9p-validate-fds-in-p9_fd_open.patch b/queue-5.7/net-9p-validate-fds-in-p9_fd_open.patch new file mode 100644 index 00000000000..39b69465027 --- /dev/null +++ b/queue-5.7/net-9p-validate-fds-in-p9_fd_open.patch @@ -0,0 +1,70 @@ +From 8f9a8ead2eeb0a484a962e5bfe1a1bd2ffd3464f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 10:57:22 +0200 +Subject: net/9p: validate fds in p9_fd_open + +From: Christoph Hellwig + +[ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ] + +p9_fd_open just fgets file descriptors passed in from userspace, but +doesn't verify that they are valid for read or writing. This gets +cought down in the VFS when actually attempting a read or write, but +a new warning added in linux-next upsets syzcaller. + +Fix this by just verifying the fds early on. + +Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de +Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com +Signed-off-by: Christoph Hellwig +[Dominique: amend goto as per Doug Nazar's review] +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 3f67803123be2..12ecacf0c55fb 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -816,20 +816,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) + return -ENOMEM; + + ts->rd = fget(rfd); ++ if (!ts->rd) ++ goto out_free_ts; ++ if (!(ts->rd->f_mode & FMODE_READ)) ++ goto out_put_rd; + ts->wr = fget(wfd); +- if (!ts->rd || !ts->wr) { +- if (ts->rd) +- fput(ts->rd); +- if (ts->wr) +- fput(ts->wr); +- kfree(ts); +- return -EIO; +- } ++ if (!ts->wr) ++ goto out_put_rd; ++ if (!(ts->wr->f_mode & FMODE_WRITE)) ++ goto out_put_wr; + + client->trans = ts; + client->status = Connected; + + return 0; ++ ++out_put_wr: ++ fput(ts->wr); ++out_put_rd: ++ fput(ts->rd); ++out_free_ts: ++ kfree(ts); ++ return -EIO; + } + + static int p9_socket_open(struct p9_client *client, struct socket *csocket) +-- +2.25.1 + diff --git a/queue-5.7/net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch b/queue-5.7/net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch new file mode 100644 index 00000000000..3abae787894 --- /dev/null +++ b/queue-5.7/net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch @@ -0,0 +1,69 @@ +From a73b499362b460ea4ffc96b7129edaf95b28fd8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 20:07:10 +0100 +Subject: net: ethernet: mtk_eth_soc: Always call mtk_gmac0_rgmii_adjust() for + mt7623 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René van Dorst + +[ Upstream commit 19016d93bfc335f0c158c0d9e3b9d06c4dd53d39 ] + +Modify mtk_gmac0_rgmii_adjust() so it can always be called. +mtk_gmac0_rgmii_adjust() sets-up the TRGMII clocks. + +Signed-off-by: René van Dorst +Signed-off-By: David Woodhouse +Tested-by: Frank Wunderlich +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index b743d8b56c848..82f5690ff4d30 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -171,11 +171,21 @@ static int mt7621_gmac0_rgmii_adjust(struct mtk_eth *eth, + return 0; + } + +-static void mtk_gmac0_rgmii_adjust(struct mtk_eth *eth, int speed) ++static void mtk_gmac0_rgmii_adjust(struct mtk_eth *eth, ++ phy_interface_t interface, int speed) + { + u32 val; + int ret; + ++ if (interface == PHY_INTERFACE_MODE_TRGMII) { ++ mtk_w32(eth, TRGMII_MODE, INTF_MODE); ++ val = 500000000; ++ ret = clk_set_rate(eth->clks[MTK_CLK_TRGPLL], val); ++ if (ret) ++ dev_err(eth->dev, "Failed to set trgmii pll: %d\n", ret); ++ return; ++ } ++ + val = (speed == SPEED_1000) ? + INTF_MODE_RGMII_1000 : INTF_MODE_RGMII_10_100; + mtk_w32(eth, val, INTF_MODE); +@@ -262,10 +272,9 @@ static void mtk_mac_config(struct phylink_config *config, unsigned int mode, + state->interface)) + goto err_phy; + } else { +- if (state->interface != +- PHY_INTERFACE_MODE_TRGMII) +- mtk_gmac0_rgmii_adjust(mac->hw, +- state->speed); ++ mtk_gmac0_rgmii_adjust(mac->hw, ++ state->interface, ++ state->speed); + + /* mt7623_pad_clk_setup */ + for (i = 0 ; i < NUM_TRGMII_CTRL; i++) +-- +2.25.1 + diff --git a/queue-5.7/net-mscc-ocelot-fix-hardware-timestamp-dequeue-logic.patch b/queue-5.7/net-mscc-ocelot-fix-hardware-timestamp-dequeue-logic.patch new file mode 100644 index 00000000000..5bb405ba395 --- /dev/null +++ b/queue-5.7/net-mscc-ocelot-fix-hardware-timestamp-dequeue-logic.patch @@ -0,0 +1,57 @@ +From d8dc8b35a1497df0594cedbd157e5502cb583761 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 18:26:14 +0800 +Subject: net: mscc: ocelot: fix hardware timestamp dequeue logic + +From: laurent brando + +[ Upstream commit 5fd82200d870a5dd3e509c98ef2041f580b2c0e1 ] + +The next hw timestamp should be snapshoot to the read registers +only once the current timestamp has been read. +If none of the pending skbs matches the current HW timestamp +just gracefully flush the available timestamp by reading it. + +Signed-off-by: laurent brando +Signed-off-by: Vladimir Oltean +Signed-off-by: Yangbo Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index efb3965a3e42b..76dbf9ac8ad50 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -749,21 +749,21 @@ void ocelot_get_txtstamp(struct ocelot *ocelot) + + spin_unlock_irqrestore(&port->tx_skbs.lock, flags); + +- /* Next ts */ +- ocelot_write(ocelot, SYS_PTP_NXT_PTP_NXT, SYS_PTP_NXT); ++ /* Get the h/w timestamp */ ++ ocelot_get_hwtimestamp(ocelot, &ts); + + if (unlikely(!skb_match)) + continue; + +- /* Get the h/w timestamp */ +- ocelot_get_hwtimestamp(ocelot, &ts); +- + /* Set the timestamp into the skb */ + memset(&shhwtstamps, 0, sizeof(shhwtstamps)); + shhwtstamps.hwtstamp = ktime_set(ts.tv_sec, ts.tv_nsec); + skb_tstamp_tx(skb_match, &shhwtstamps); + + dev_kfree_skb_any(skb_match); ++ ++ /* Next ts */ ++ ocelot_write(ocelot, SYS_PTP_NXT_PTP_NXT, SYS_PTP_NXT); + } + } + EXPORT_SYMBOL(ocelot_get_txtstamp); +-- +2.25.1 + diff --git a/queue-5.7/nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch b/queue-5.7/nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch new file mode 100644 index 00000000000..99045ad2792 --- /dev/null +++ b/queue-5.7/nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch @@ -0,0 +1,51 @@ +From 0252d493ed43b2de0df64524082ac5f9c59b9204 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 01:29:10 +0800 +Subject: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command + +From: Kai-Heng Feng + +[ Upstream commit 5611ec2b9814bc91f7b0a8d804c1fc152e2025d9 ] + +After commit 6e02318eaea5 ("nvme: add support for the Write Zeroes +command"), SK hynix PC400 becomes very slow with the following error +message: + +[ 224.567695] blk_update_request: operation not supported error, dev nvme1n1, sector 499384320 op 0x9:(WRITE_ZEROES) flags 0x1000000 phys_seg 0 prio class 0] + +SK Hynix PC400 has a buggy firmware that treats NLB as max value instead +of a range, so the NLB passed isn't a valid value to the firmware. + +According to SK hynix there are three commands are affected: +- Write Zeroes +- Compare +- Write Uncorrectable + +Right now only Write Zeroes is implemented, so disable it completely on +SK hynix PC400. + +BugLink: https://bugs.launchpad.net/bugs/1872383 +Cc: kyounghwan sohn +Signed-off-by: Kai-Heng Feng +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 10d65f27879fd..45e29c6c3234c 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3130,6 +3130,8 @@ static const struct pci_device_id nvme_id_table[] = { + { PCI_DEVICE(0x1cc1, 0x8201), /* ADATA SX8200PNP 512GB */ + .driver_data = NVME_QUIRK_NO_DEEPEST_PS | + NVME_QUIRK_IGNORE_DEV_SUBNQN, }, ++ { PCI_DEVICE(0x1c5c, 0x1504), /* SK Hynix PC400 */ ++ .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) }, + { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001), + .driver_data = NVME_QUIRK_SINGLE_VECTOR }, +-- +2.25.1 + diff --git a/queue-5.7/series b/queue-5.7/series index bd1591a07fe..c7fcf9ca0a0 100644 --- a/queue-5.7/series +++ b/queue-5.7/series @@ -28,3 +28,24 @@ leds-da903x-fix-use-after-free-on-unbind.patch leds-lm3533-fix-use-after-free-on-unbind.patch leds-88pm860x-fix-use-after-free-on-unbind.patch gpio-max77620-fix-missing-release-of-interrupt.patch +bpf-fix-null-pointer-dereference-in-__btf_resolve_he.patch +net-9p-validate-fds-in-p9_fd_open.patch +drm-nouveau-kms-tu102-wait-for-core-update-to-comple.patch +drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch +drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch +io_uring-fix-lockup-in-io_fail_links.patch +nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch +drm-bridge-adv7511-set-the-bridge-type-properly.patch +drm-panel-fix-auo-kd101n80-45na-horizontal-noise-on-.patch +drm-drm_fb_helper-fix-fbdev-with-sparc64.patch +net-mscc-ocelot-fix-hardware-timestamp-dequeue-logic.patch +i2c-slave-improve-sanity-check-when-registering.patch +i2c-slave-add-sanity-check-when-unregistering.patch +usb-hso-check-for-return-value-in-hso_serial_common_.patch +net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch +alsa-hda-fix-null-pointer-dereference-during-suspend.patch +firmware-fix-a-reference-count-leak.patch +cfg80211-check-vendor-command-doit-pointer-before-us.patch +igb-reinit_locked-should-be-called-with-rtnl_lock.patch +atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch +tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch diff --git a/queue-5.7/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch b/queue-5.7/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch new file mode 100644 index 00000000000..cb83580687f --- /dev/null +++ b/queue-5.7/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch @@ -0,0 +1,72 @@ +From 0eae2fa6804929eac6174553502e5f7525bc86b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 11:02:36 -0400 +Subject: tools lib traceevent: Fix memory leak in process_dynamic_array_len + +From: Philippe Duplessis-Guindon + +[ Upstream commit e24c6447ccb7b1a01f9bf0aec94939e6450c0b4d ] + +I compiled with AddressSanitizer and I had these memory leaks while I +was using the tep_parse_format function: + + Direct leak of 28 byte(s) in 4 object(s) allocated from: + #0 0x7fb07db49ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe) + #1 0x7fb07a724228 in extend_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:985 + #2 0x7fb07a724c21 in __read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1140 + #3 0x7fb07a724f78 in read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1206 + #4 0x7fb07a725191 in __read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1291 + #5 0x7fb07a7251df in read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1299 + #6 0x7fb07a72e6c8 in process_dynamic_array_len /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:2849 + #7 0x7fb07a7304b8 in process_function /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3161 + #8 0x7fb07a730900 in process_arg_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3207 + #9 0x7fb07a727c0b in process_arg /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1786 + #10 0x7fb07a731080 in event_read_print_args /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3285 + #11 0x7fb07a731722 in event_read_print /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3369 + #12 0x7fb07a740054 in __tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6335 + #13 0x7fb07a74047a in __parse_event /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6389 + #14 0x7fb07a740536 in tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6431 + #15 0x7fb07a785acf in parse_event ../../../src/fs-src/fs.c:251 + #16 0x7fb07a785ccd in parse_systems ../../../src/fs-src/fs.c:284 + #17 0x7fb07a786fb3 in read_metadata ../../../src/fs-src/fs.c:593 + #18 0x7fb07a78760e in ftrace_fs_source_init ../../../src/fs-src/fs.c:727 + #19 0x7fb07d90c19c in add_component_with_init_method_data ../../../../src/lib/graph/graph.c:1048 + #20 0x7fb07d90c87b in add_source_component_with_initialize_method_data ../../../../src/lib/graph/graph.c:1127 + #21 0x7fb07d90c92a in bt_graph_add_source_component ../../../../src/lib/graph/graph.c:1152 + #22 0x55db11aa632e in cmd_run_ctx_create_components_from_config_components ../../../src/cli/babeltrace2.c:2252 + #23 0x55db11aa6fda in cmd_run_ctx_create_components ../../../src/cli/babeltrace2.c:2347 + #24 0x55db11aa780c in cmd_run ../../../src/cli/babeltrace2.c:2461 + #25 0x55db11aa8a7d in main ../../../src/cli/babeltrace2.c:2673 + #26 0x7fb07d5460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + +The token variable in the process_dynamic_array_len function is +allocated in the read_expect_type function, but is not freed before +calling the read_token function. + +Free the token variable before calling read_token in order to plug the +leak. + +Signed-off-by: Philippe Duplessis-Guindon +Reviewed-by: Steven Rostedt (VMware) +Link: https://lore.kernel.org/linux-trace-devel/20200730150236.5392-1-pduplessis@efficios.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/traceevent/event-parse.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 010e60d5a0817..cb0d29865ee93 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2861,6 +2861,7 @@ process_dynamic_array_len(struct tep_event *event, struct tep_print_arg *arg, + if (read_expected(TEP_EVENT_DELIM, ")") < 0) + goto out_err; + ++ free_token(token); + type = read_token(&token); + *tok = token; + +-- +2.25.1 + diff --git a/queue-5.7/usb-hso-check-for-return-value-in-hso_serial_common_.patch b/queue-5.7/usb-hso-check-for-return-value-in-hso_serial_common_.patch new file mode 100644 index 00000000000..58d1035fdf6 --- /dev/null +++ b/queue-5.7/usb-hso-check-for-return-value-in-hso_serial_common_.patch @@ -0,0 +1,53 @@ +From 4884e44fa4cfdebc19837bdfd46c9b6f16e247c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 23:42:17 -0700 +Subject: usb: hso: check for return value in hso_serial_common_create() + +From: Rustam Kovhaev + +[ Upstream commit e911e99a0770f760377c263bc7bac1b1593c6147 ] + +in case of an error tty_register_device_attr() returns ERR_PTR(), +add IS_ERR() check + +Reported-and-tested-by: syzbot+67b2bd0e34f952d0321e@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e +Signed-off-by: Rustam Kovhaev +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/hso.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 5f123a8cf68ed..d2fdb5430d272 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2261,12 +2261,14 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs, + + minor = get_free_serial_index(); + if (minor < 0) +- goto exit; ++ goto exit2; + + /* register our minor number */ + serial->parent->dev = tty_port_register_device_attr(&serial->port, + tty_drv, minor, &serial->parent->interface->dev, + serial->parent, hso_serial_dev_groups); ++ if (IS_ERR(serial->parent->dev)) ++ goto exit2; + + /* fill in specific data for later use */ + serial->minor = minor; +@@ -2311,6 +2313,7 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs, + return 0; + exit: + hso_serial_tty_unregister(serial); ++exit2: + hso_serial_common_free(serial); + return -1; + } +-- +2.25.1 + -- 2.47.3