From 55e4797a7e249428c9406422d92e9af72f2cafb5 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 9 Jul 2020 20:37:24 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...oid4-fix-spi-configuration-and-incre.patch | 52 ++++ ...sing-put_device-call-in-imx6q_suspen.patch | 71 +++++ ...e-an-sb-sequence-following-an-eret-i.patch | 97 +++++++ ...ase-bip-in-a-right-way-in-error-path.patch | 72 +++++ ...date-ctime-and-mtime-during-truncate.patch | 49 ++++ ...ation-quirks-add-quirk-for-asus-t101.patch | 41 +++ ...ation-quirks-use-generic-orientation.patch | 53 ++++ ...call-of_dma_configure-if-there-s-an-.patch | 55 ++++ ...-do-not-enable-orphaned-window-group.patch | 52 ++++ ...u-host1x-detach-driver-on-unregister.patch | 55 ++++ ...ng-accesses-with-read-and-write_once.patch | 110 ++++++++ ...ng-accesses-with-read-and-write_once.patch | 112 ++++++++ ...a-assign-completion-vector-correctly.patch | 40 +++ queue-4.19/regmap-fix-alignment-issue.patch | 258 ++++++++++++++++++ ...ix-early-pgm-check-handler-execution.patch | 42 +++ ...si-mptscsih-fix-read-sense-data-size.patch | 50 ++++ queue-4.19/series | 20 ++ ...-potential-use-after-free-in-spidev_.patch | 76 ++++++ ...-race-between-spidev_release-and-spi.patch | 62 +++++ ...-reference-count-leak-in-dwc3_pci_re.patch | 39 +++ ...ease-entry_stack-size-to-a-full-page.patch | 40 +++ 21 files changed, 1446 insertions(+) create mode 100644 queue-4.19/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch create mode 100644 queue-4.19/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch create mode 100644 queue-4.19/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch create mode 100644 queue-4.19/block-release-bip-in-a-right-way-in-error-path.patch create mode 100644 queue-4.19/cifs-update-ctime-and-mtime-during-truncate.patch create mode 100644 queue-4.19/drm-panel-orientation-quirks-add-quirk-for-asus-t101.patch create mode 100644 queue-4.19/drm-panel-orientation-quirks-use-generic-orientation.patch create mode 100644 queue-4.19/drm-sun4i-mixer-call-of_dma_configure-if-there-s-an-.patch create mode 100644 queue-4.19/drm-tegra-hub-do-not-enable-orphaned-window-group.patch create mode 100644 queue-4.19/gpu-host1x-detach-driver-on-unregister.patch create mode 100644 queue-4.19/i40e-protect-ring-accesses-with-read-and-write_once.patch create mode 100644 queue-4.19/ixgbe-protect-ring-accesses-with-read-and-write_once.patch create mode 100644 queue-4.19/nvme-rdma-assign-completion-vector-correctly.patch create mode 100644 queue-4.19/regmap-fix-alignment-issue.patch create mode 100644 queue-4.19/s390-kasan-fix-early-pgm-check-handler-execution.patch create mode 100644 queue-4.19/scsi-mptscsih-fix-read-sense-data-size.patch create mode 100644 queue-4.19/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch create mode 100644 queue-4.19/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch create mode 100644 queue-4.19/usb-dwc3-pci-fix-reference-count-leak-in-dwc3_pci_re.patch create mode 100644 queue-4.19/x86-entry-increase-entry_stack-size-to-a-full-page.patch diff --git a/queue-4.19/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch b/queue-4.19/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch new file mode 100644 index 00000000000..8f5b5c31808 --- /dev/null +++ b/queue-4.19/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch @@ -0,0 +1,52 @@ +From b52f9d7b3b801dbee89d7282fb34e5f2559e4af3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2020 17:18:56 -0700 +Subject: ARM: dts: omap4-droid4: Fix spi configuration and increase rate + +From: Tony Lindgren + +[ Upstream commit 0df12a01f4857495816b05f048c4c31439446e35 ] + +We can currently sometimes get "RXS timed out" errors and "EOT timed out" +errors with spi transfers. + +These errors can be made easy to reproduce by reading the cpcap iio +values in a loop while keeping the CPUs busy by also reading /dev/urandom. + +The "RXS timed out" errors we can fix by adding spi-cpol and spi-cpha +in addition to the spi-cs-high property we already have. + +The "EOT timed out" errors we can fix by increasing the spi clock rate +to 9.6 MHz. Looks similar MC13783 PMIC says it works at spi clock rates +up to 20 MHz, so let's assume we can pick any rate up to 20 MHz also +for cpcap. + +Cc: maemo-leste@lists.dyne.org +Cc: Merlijn Wajer +Cc: Pavel Machek +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi b/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi +index f57acf8f66b95..75de8134b1d1f 100644 +--- a/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi ++++ b/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi +@@ -16,8 +16,10 @@ + #interrupt-cells = <2>; + #address-cells = <1>; + #size-cells = <0>; +- spi-max-frequency = <3000000>; ++ spi-max-frequency = <9600000>; + spi-cs-high; ++ spi-cpol; ++ spi-cpha; + + cpcap_adc: adc { + compatible = "motorola,mapphone-cpcap-adc"; +-- +2.25.1 + diff --git a/queue-4.19/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch b/queue-4.19/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch new file mode 100644 index 00000000000..3d8494c5f73 --- /dev/null +++ b/queue-4.19/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch @@ -0,0 +1,71 @@ +From 0df1d094a775318c1ffa4dd7ef4639264916f593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 20:54:49 +0800 +Subject: ARM: imx6: add missing put_device() call in imx6q_suspend_init() + +From: yu kuai + +[ Upstream commit 4845446036fc9c13f43b54a65c9b757c14f5141b ] + +if of_find_device_by_node() succeed, imx6q_suspend_init() doesn't have a +corresponding put_device(). Thus add a jump target to fix the exception +handling for this function implementation. + +Signed-off-by: yu kuai +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-imx/pm-imx6.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c +index 529f4b5bbd3a7..4bfefbec971a6 100644 +--- a/arch/arm/mach-imx/pm-imx6.c ++++ b/arch/arm/mach-imx/pm-imx6.c +@@ -497,14 +497,14 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata) + if (!ocram_pool) { + pr_warn("%s: ocram pool unavailable!\n", __func__); + ret = -ENODEV; +- goto put_node; ++ goto put_device; + } + + ocram_base = gen_pool_alloc(ocram_pool, MX6Q_SUSPEND_OCRAM_SIZE); + if (!ocram_base) { + pr_warn("%s: unable to alloc ocram!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base); +@@ -527,7 +527,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata) + ret = imx6_pm_get_base(&pm_info->mmdc_base, socdata->mmdc_compat); + if (ret) { + pr_warn("%s: failed to get mmdc base %d!\n", __func__, ret); +- goto put_node; ++ goto put_device; + } + + ret = imx6_pm_get_base(&pm_info->src_base, socdata->src_compat); +@@ -574,7 +574,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata) + &imx6_suspend, + MX6Q_SUSPEND_OCRAM_SIZE - sizeof(*pm_info)); + +- goto put_node; ++ goto put_device; + + pl310_cache_map_failed: + iounmap(pm_info->gpc_base.vbase); +@@ -584,6 +584,8 @@ iomuxc_map_failed: + iounmap(pm_info->src_base.vbase); + src_map_failed: + iounmap(pm_info->mmdc_base.vbase); ++put_device: ++ put_device(&pdev->dev); + put_node: + of_node_put(node); + +-- +2.25.1 + diff --git a/queue-4.19/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch b/queue-4.19/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch new file mode 100644 index 00000000000..52143d15c93 --- /dev/null +++ b/queue-4.19/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch @@ -0,0 +1,97 @@ +From 93b953dc1d489d1802312434f36e502793729084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jun 2018 11:23:38 +0100 +Subject: arm64: entry: Place an SB sequence following an ERET instruction + +From: Will Deacon + +[ Upstream commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 ] + +Some CPUs can speculate past an ERET instruction and potentially perform +speculative accesses to memory before processing the exception return. +Since the register state is often controlled by a lower privilege level +at the point of an ERET, this could potentially be used as part of a +side-channel attack. + +This patch emits an SB sequence after each ERET so that speculation is +held up on exception return. + +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/entry.S | 2 ++ + arch/arm64/kvm/hyp/entry.S | 1 + + arch/arm64/kvm/hyp/hyp-entry.S | 4 ++++ + 3 files changed, 7 insertions(+) + +diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S +index 5f800384cb9a8..49f80b5627fac 100644 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -363,6 +363,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0 + .else + eret + .endif ++ sb + .endm + + .macro irq_stack_entry +@@ -994,6 +995,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 + mrs x30, far_el1 + .endif + eret ++ sb + .endm + + .align 11 +diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S +index fad1e164fe488..675fdc186e3ba 100644 +--- a/arch/arm64/kvm/hyp/entry.S ++++ b/arch/arm64/kvm/hyp/entry.S +@@ -83,6 +83,7 @@ ENTRY(__guest_enter) + + // Do not touch any register after this! + eret ++ sb + ENDPROC(__guest_enter) + + ENTRY(__guest_exit) +diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S +index 24b4fbafe3e4a..e35abf84eb960 100644 +--- a/arch/arm64/kvm/hyp/hyp-entry.S ++++ b/arch/arm64/kvm/hyp/hyp-entry.S +@@ -96,6 +96,7 @@ el1_sync: // Guest trapped into EL2 + do_el2_call + + eret ++ sb + + el1_hvc_guest: + /* +@@ -146,6 +147,7 @@ wa_epilogue: + mov x0, xzr + add sp, sp, #16 + eret ++ sb + + el1_trap: + get_vcpu_ptr x1, x0 +@@ -185,6 +187,7 @@ el2_error: + b.ne __hyp_panic + mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT) + eret ++ sb + + ENTRY(__hyp_do_panic) + mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\ +@@ -193,6 +196,7 @@ ENTRY(__hyp_do_panic) + ldr lr, =panic + msr elr_el2, lr + eret ++ sb + ENDPROC(__hyp_do_panic) + + ENTRY(__hyp_panic) +-- +2.25.1 + diff --git a/queue-4.19/block-release-bip-in-a-right-way-in-error-path.patch b/queue-4.19/block-release-bip-in-a-right-way-in-error-path.patch new file mode 100644 index 00000000000..4a3f4ce904a --- /dev/null +++ b/queue-4.19/block-release-bip-in-a-right-way-in-error-path.patch @@ -0,0 +1,72 @@ +From f87f2a473caea46caf7d2c7e3a500dd478e0289e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 18:21:39 +0800 +Subject: block: release bip in a right way in error path + +From: Chengguang Xu + +[ Upstream commit 0b8eb629a700c0ef15a437758db8255f8444e76c ] + +Release bip using kfree() in error path when that was allocated +by kmalloc(). + +Signed-off-by: Chengguang Xu +Reviewed-by: Christoph Hellwig +Acked-by: Martin K. Petersen +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio-integrity.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/block/bio-integrity.c b/block/bio-integrity.c +index a059fad53f1b0..0b96220d0efd4 100644 +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -38,6 +38,18 @@ void blk_flush_integrity(void) + flush_workqueue(kintegrityd_wq); + } + ++void __bio_integrity_free(struct bio_set *bs, struct bio_integrity_payload *bip) ++{ ++ if (bs && mempool_initialized(&bs->bio_integrity_pool)) { ++ if (bip->bip_vec) ++ bvec_free(&bs->bvec_integrity_pool, bip->bip_vec, ++ bip->bip_slab); ++ mempool_free(bip, &bs->bio_integrity_pool); ++ } else { ++ kfree(bip); ++ } ++} ++ + /** + * bio_integrity_alloc - Allocate integrity payload and attach it to bio + * @bio: bio to attach integrity metadata to +@@ -90,7 +102,7 @@ struct bio_integrity_payload *bio_integrity_alloc(struct bio *bio, + + return bip; + err: +- mempool_free(bip, &bs->bio_integrity_pool); ++ __bio_integrity_free(bs, bip); + return ERR_PTR(-ENOMEM); + } + EXPORT_SYMBOL(bio_integrity_alloc); +@@ -111,14 +123,7 @@ static void bio_integrity_free(struct bio *bio) + kfree(page_address(bip->bip_vec->bv_page) + + bip->bip_vec->bv_offset); + +- if (bs && mempool_initialized(&bs->bio_integrity_pool)) { +- bvec_free(&bs->bvec_integrity_pool, bip->bip_vec, bip->bip_slab); +- +- mempool_free(bip, &bs->bio_integrity_pool); +- } else { +- kfree(bip); +- } +- ++ __bio_integrity_free(bs, bip); + bio->bi_integrity = NULL; + bio->bi_opf &= ~REQ_INTEGRITY; + } +-- +2.25.1 + diff --git a/queue-4.19/cifs-update-ctime-and-mtime-during-truncate.patch b/queue-4.19/cifs-update-ctime-and-mtime-during-truncate.patch new file mode 100644 index 00000000000..546a757d2c5 --- /dev/null +++ b/queue-4.19/cifs-update-ctime-and-mtime-during-truncate.patch @@ -0,0 +1,49 @@ +From 0cff1a1159fba73d79cd861bae33baab08a9c6fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jun 2020 22:51:29 -0400 +Subject: cifs: update ctime and mtime during truncate + +From: Zhang Xiaoxu + +[ Upstream commit 5618303d8516f8ac5ecfe53ee8e8bc9a40eaf066 ] + +As the man description of the truncate, if the size changed, +then the st_ctime and st_mtime fields should be updated. But +in cifs, we doesn't do it. + +It lead the xfstests generic/313 failed. + +So, add the ATTR_MTIME|ATTR_CTIME flags on attrs when change +the file size + +Reported-by: Hulk Robot +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/inode.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index 44fb9ae6d1055..1d951936b0923 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -2225,6 +2225,15 @@ set_size_out: + if (rc == 0) { + cifsInode->server_eof = attrs->ia_size; + cifs_setsize(inode, attrs->ia_size); ++ ++ /* ++ * The man page of truncate says if the size changed, ++ * then the st_ctime and st_mtime fields for the file ++ * are updated. ++ */ ++ attrs->ia_ctime = attrs->ia_mtime = current_time(inode); ++ attrs->ia_valid |= ATTR_CTIME | ATTR_MTIME; ++ + cifs_truncate_page(inode->i_mapping, inode->i_size); + } + +-- +2.25.1 + diff --git a/queue-4.19/drm-panel-orientation-quirks-add-quirk-for-asus-t101.patch b/queue-4.19/drm-panel-orientation-quirks-add-quirk-for-asus-t101.patch new file mode 100644 index 00000000000..8663a4e26de --- /dev/null +++ b/queue-4.19/drm-panel-orientation-quirks-add-quirk-for-asus-t101.patch @@ -0,0 +1,41 @@ +From 160c5ccf4bd74780c7963cfa7ba3d33f440e43fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 11:30:24 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for Asus T101HA panel + +From: Hans de Goede + +[ Upstream commit 6c22bc18a3b93a38018844636557ad02e588e055 ] + +Like the Asus T100HA the Asus T101HA also uses a panel which has been +mounted 90 degrees rotated, albeit in the opposite direction. +Add a quirk for this. + +Reviewed-by: Emil Velikov +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20200531093025.28050-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index cc354b4917742..de7837efbbfce 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -107,6 +107,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100HAN"), + }, + .driver_data = (void *)&asus_t100ha, ++ }, { /* Asus T101HA */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T101HA"), ++ }, ++ .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* GPD MicroPC (generic strings, also match on bios date) */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Default string"), +-- +2.25.1 + diff --git a/queue-4.19/drm-panel-orientation-quirks-use-generic-orientation.patch b/queue-4.19/drm-panel-orientation-quirks-use-generic-orientation.patch new file mode 100644 index 00000000000..05c8f57eee9 --- /dev/null +++ b/queue-4.19/drm-panel-orientation-quirks-use-generic-orientation.patch @@ -0,0 +1,53 @@ +From bcb67e659c2c7e2881ca737e4e87cc891057b5da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 11:30:25 +0200 +Subject: drm: panel-orientation-quirks: Use generic orientation-data for Acer + S1003 + +From: Hans de Goede + +[ Upstream commit a05caf9e62a85d12da27e814ac13195f4683f21c ] + +The Acer S1003 has proper DMI strings for sys-vendor and product-name, +so we do not need to match by BIOS-date. + +This means that the Acer S1003 can use the generic lcd800x1280_rightside_up +drm_dmi_panel_orientation_data struct which is also used by other quirks. + +Reviewed-by: Emil Velikov +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20200531093025.28050-2-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index de7837efbbfce..fa5c25d36d3dc 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -30,12 +30,6 @@ struct drm_dmi_panel_orientation_data { + int orientation; + }; + +-static const struct drm_dmi_panel_orientation_data acer_s1003 = { +- .width = 800, +- .height = 1280, +- .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, +-}; +- + static const struct drm_dmi_panel_orientation_data asus_t100ha = { + .width = 800, + .height = 1280, +@@ -100,7 +94,7 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Acer"), + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "One S1003"), + }, +- .driver_data = (void *)&acer_s1003, ++ .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* Asus T100HA */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +-- +2.25.1 + diff --git a/queue-4.19/drm-sun4i-mixer-call-of_dma_configure-if-there-s-an-.patch b/queue-4.19/drm-sun4i-mixer-call-of_dma_configure-if-there-s-an-.patch new file mode 100644 index 00000000000..8aca2658413 --- /dev/null +++ b/queue-4.19/drm-sun4i-mixer-call-of_dma_configure-if-there-s-an-.patch @@ -0,0 +1,55 @@ +From f4b463d04e8b5c2992a5282e37e91d6cb137ba5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 16:07:24 +0200 +Subject: drm/sun4i: mixer: Call of_dma_configure if there's an IOMMU + +From: Maxime Ripard + +[ Upstream commit 842ec61f4006a6477a9deaedd69131e9f46e4cb5 ] + +The main DRM device is actually a virtual device so it doesn't have the +iommus property, which is instead on the DMA masters, in this case the +mixers. + +Add a call to of_dma_configure with the mixers DT node but on the DRM +virtual device to configure it in the same way than the mixers. + +Reviewed-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/9a4daf438dd3f2fe07afb23688bfb793a0613d7d.1589378833.git-series.maxime@cerno.tech +(cherry picked from commit b718102dbdfd0285ad559687a30e27cc9124e592) +[Maxime: Applied to -fixes since it missed the merge window and display is + broken without it] +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun8i_mixer.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/gpu/drm/sun4i/sun8i_mixer.c b/drivers/gpu/drm/sun4i/sun8i_mixer.c +index 71a798e5d5591..ddab3fab36a1a 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_mixer.c ++++ b/drivers/gpu/drm/sun4i/sun8i_mixer.c +@@ -435,6 +435,19 @@ static int sun8i_mixer_bind(struct device *dev, struct device *master, + mixer->engine.ops = &sun8i_engine_ops; + mixer->engine.node = dev->of_node; + ++ if (of_find_property(dev->of_node, "iommus", NULL)) { ++ /* ++ * This assume we have the same DMA constraints for ++ * all our the mixers in our pipeline. This sounds ++ * bad, but it has always been the case for us, and ++ * DRM doesn't do per-device allocation either, so we ++ * would need to fix DRM first... ++ */ ++ ret = of_dma_configure(drm->dev, dev->of_node, true); ++ if (ret) ++ return ret; ++ } ++ + /* + * While this function can fail, we shouldn't do anything + * if this happens. Some early DE2 DT entries don't provide +-- +2.25.1 + diff --git a/queue-4.19/drm-tegra-hub-do-not-enable-orphaned-window-group.patch b/queue-4.19/drm-tegra-hub-do-not-enable-orphaned-window-group.patch new file mode 100644 index 00000000000..fe2cf712650 --- /dev/null +++ b/queue-4.19/drm-tegra-hub-do-not-enable-orphaned-window-group.patch @@ -0,0 +1,52 @@ +From 0abc0fccfce37e027d18147f74a23c8c274603f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 02:03:01 -0700 +Subject: drm/tegra: hub: Do not enable orphaned window group + +From: Nicolin Chen + +[ Upstream commit ef4e417eb3ec7fe657928f10ac1d2154d8a5fb38 ] + +Though the unconditional enable/disable code is not a final solution, +we don't want to run into a NULL pointer situation when window group +doesn't link to its DC parent if the DC is disabled in Device Tree. + +So this patch simply adds a check to make sure that window group has +a valid parent before running into tegra_windowgroup_enable/disable. + +Signed-off-by: Nicolin Chen +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/hub.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/hub.c b/drivers/gpu/drm/tegra/hub.c +index bb97cad1eb699..b08ce1125996d 100644 +--- a/drivers/gpu/drm/tegra/hub.c ++++ b/drivers/gpu/drm/tegra/hub.c +@@ -143,7 +143,9 @@ int tegra_display_hub_prepare(struct tegra_display_hub *hub) + for (i = 0; i < hub->soc->num_wgrps; i++) { + struct tegra_windowgroup *wgrp = &hub->wgrps[i]; + +- tegra_windowgroup_enable(wgrp); ++ /* Skip orphaned window group whose parent DC is disabled */ ++ if (wgrp->parent) ++ tegra_windowgroup_enable(wgrp); + } + + return 0; +@@ -160,7 +162,9 @@ void tegra_display_hub_cleanup(struct tegra_display_hub *hub) + for (i = 0; i < hub->soc->num_wgrps; i++) { + struct tegra_windowgroup *wgrp = &hub->wgrps[i]; + +- tegra_windowgroup_disable(wgrp); ++ /* Skip orphaned window group whose parent DC is disabled */ ++ if (wgrp->parent) ++ tegra_windowgroup_disable(wgrp); + } + } + +-- +2.25.1 + diff --git a/queue-4.19/gpu-host1x-detach-driver-on-unregister.patch b/queue-4.19/gpu-host1x-detach-driver-on-unregister.patch new file mode 100644 index 00000000000..0a4495beb03 --- /dev/null +++ b/queue-4.19/gpu-host1x-detach-driver-on-unregister.patch @@ -0,0 +1,55 @@ +From 93f2090ef94bbf3f44b7c360e4d67970adf644b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2020 19:38:02 +0200 +Subject: gpu: host1x: Detach driver on unregister + +From: Thierry Reding + +[ Upstream commit d9a0a05bf8c76e6dc79230669a8b5d685b168c30 ] + +Currently when a host1x device driver is unregistered, it is not +detached from the host1x controller, which means that the device +will stay around and when the driver is registered again, it may +bind to the old, stale device rather than the new one that was +created from scratch upon driver registration. This in turn can +cause various weird crashes within the driver core because it is +confronted with a device that was already deleted. + +Fix this by detaching the driver from the host1x controller when +it is unregistered. This ensures that the deleted device also is +no longer present in the device list that drivers will bind to. + +Reported-by: Sowjanya Komatineni +Signed-off-by: Thierry Reding +Tested-by: Sowjanya Komatineni +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/bus.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c +index 0121fe7a4548d..02f896b50ed07 100644 +--- a/drivers/gpu/host1x/bus.c ++++ b/drivers/gpu/host1x/bus.c +@@ -632,8 +632,17 @@ EXPORT_SYMBOL(host1x_driver_register_full); + */ + void host1x_driver_unregister(struct host1x_driver *driver) + { ++ struct host1x *host1x; ++ + driver_unregister(&driver->driver); + ++ mutex_lock(&devices_lock); ++ ++ list_for_each_entry(host1x, &devices, list) ++ host1x_detach_driver(host1x, driver); ++ ++ mutex_unlock(&devices_lock); ++ + mutex_lock(&drivers_lock); + list_del_init(&driver->list); + mutex_unlock(&drivers_lock); +-- +2.25.1 + diff --git a/queue-4.19/i40e-protect-ring-accesses-with-read-and-write_once.patch b/queue-4.19/i40e-protect-ring-accesses-with-read-and-write_once.patch new file mode 100644 index 00000000000..5e1260f81e9 --- /dev/null +++ b/queue-4.19/i40e-protect-ring-accesses-with-read-and-write_once.patch @@ -0,0 +1,110 @@ +From 389e6455ded7679a7408f97934a1aa2ed76664f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2020 13:19:44 +0000 +Subject: i40e: protect ring accesses with READ- and WRITE_ONCE + +From: Ciara Loftus + +[ Upstream commit d59e267912cd90b0adf33b4659050d831e746317 ] + +READ_ONCE should be used when reading rings prior to accessing the +statistics pointer. Introduce this as well as the corresponding WRITE_ONCE +usage when allocating and freeing the rings, to ensure protected access. + +Signed-off-by: Ciara Loftus +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 29 ++++++++++++++------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 23b31b2ff5ccd..a74b01bf581e9 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -446,11 +446,15 @@ static void i40e_get_netdev_stats_struct(struct net_device *netdev, + i40e_get_netdev_stats_struct_tx(ring, stats); + + if (i40e_enabled_xdp_vsi(vsi)) { +- ring++; ++ ring = READ_ONCE(vsi->xdp_rings[i]); ++ if (!ring) ++ continue; + i40e_get_netdev_stats_struct_tx(ring, stats); + } + +- ring++; ++ ring = READ_ONCE(vsi->rx_rings[i]); ++ if (!ring) ++ continue; + do { + start = u64_stats_fetch_begin_irq(&ring->syncp); + packets = ring->stats.packets; +@@ -793,6 +797,8 @@ static void i40e_update_vsi_stats(struct i40e_vsi *vsi) + for (q = 0; q < vsi->num_queue_pairs; q++) { + /* locate Tx ring */ + p = READ_ONCE(vsi->tx_rings[q]); ++ if (!p) ++ continue; + + do { + start = u64_stats_fetch_begin_irq(&p->syncp); +@@ -806,8 +812,11 @@ static void i40e_update_vsi_stats(struct i40e_vsi *vsi) + tx_linearize += p->tx_stats.tx_linearize; + tx_force_wb += p->tx_stats.tx_force_wb; + +- /* Rx queue is part of the same block as Tx queue */ +- p = &p[1]; ++ /* locate Rx ring */ ++ p = READ_ONCE(vsi->rx_rings[q]); ++ if (!p) ++ continue; ++ + do { + start = u64_stats_fetch_begin_irq(&p->syncp); + packets = p->stats.packets; +@@ -10196,10 +10205,10 @@ static void i40e_vsi_clear_rings(struct i40e_vsi *vsi) + if (vsi->tx_rings && vsi->tx_rings[0]) { + for (i = 0; i < vsi->alloc_queue_pairs; i++) { + kfree_rcu(vsi->tx_rings[i], rcu); +- vsi->tx_rings[i] = NULL; +- vsi->rx_rings[i] = NULL; ++ WRITE_ONCE(vsi->tx_rings[i], NULL); ++ WRITE_ONCE(vsi->rx_rings[i], NULL); + if (vsi->xdp_rings) +- vsi->xdp_rings[i] = NULL; ++ WRITE_ONCE(vsi->xdp_rings[i], NULL); + } + } + } +@@ -10233,7 +10242,7 @@ static int i40e_alloc_rings(struct i40e_vsi *vsi) + if (vsi->back->hw_features & I40E_HW_WB_ON_ITR_CAPABLE) + ring->flags = I40E_TXR_FLAGS_WB_ON_ITR; + ring->itr_setting = pf->tx_itr_default; +- vsi->tx_rings[i] = ring++; ++ WRITE_ONCE(vsi->tx_rings[i], ring++); + + if (!i40e_enabled_xdp_vsi(vsi)) + goto setup_rx; +@@ -10251,7 +10260,7 @@ static int i40e_alloc_rings(struct i40e_vsi *vsi) + ring->flags = I40E_TXR_FLAGS_WB_ON_ITR; + set_ring_xdp(ring); + ring->itr_setting = pf->tx_itr_default; +- vsi->xdp_rings[i] = ring++; ++ WRITE_ONCE(vsi->xdp_rings[i], ring++); + + setup_rx: + ring->queue_index = i; +@@ -10264,7 +10273,7 @@ setup_rx: + ring->size = 0; + ring->dcb_tc = 0; + ring->itr_setting = pf->rx_itr_default; +- vsi->rx_rings[i] = ring; ++ WRITE_ONCE(vsi->rx_rings[i], ring); + } + + return 0; +-- +2.25.1 + diff --git a/queue-4.19/ixgbe-protect-ring-accesses-with-read-and-write_once.patch b/queue-4.19/ixgbe-protect-ring-accesses-with-read-and-write_once.patch new file mode 100644 index 00000000000..d53e5199294 --- /dev/null +++ b/queue-4.19/ixgbe-protect-ring-accesses-with-read-and-write_once.patch @@ -0,0 +1,112 @@ +From 245c46a589bbdf8bdc57aaca98deef200b917123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2020 13:19:43 +0000 +Subject: ixgbe: protect ring accesses with READ- and WRITE_ONCE + +From: Ciara Loftus + +[ Upstream commit f140ad9fe2ae16f385f8fe4dc9cf67bb4c51d794 ] + +READ_ONCE should be used when reading rings prior to accessing the +statistics pointer. Introduce this as well as the corresponding WRITE_ONCE +usage when allocating and freeing the rings, to ensure protected access. + +Signed-off-by: Ciara Loftus +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c | 12 ++++++------ + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 14 +++++++++++--- + 2 files changed, 17 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c +index d361f570ca37b..952630cb882c2 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c +@@ -923,7 +923,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter, + ring->queue_index = txr_idx; + + /* assign ring to adapter */ +- adapter->tx_ring[txr_idx] = ring; ++ WRITE_ONCE(adapter->tx_ring[txr_idx], ring); + + /* update count and index */ + txr_count--; +@@ -950,7 +950,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter, + set_ring_xdp(ring); + + /* assign ring to adapter */ +- adapter->xdp_ring[xdp_idx] = ring; ++ WRITE_ONCE(adapter->xdp_ring[xdp_idx], ring); + + /* update count and index */ + xdp_count--; +@@ -993,7 +993,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter, + ring->queue_index = rxr_idx; + + /* assign ring to adapter */ +- adapter->rx_ring[rxr_idx] = ring; ++ WRITE_ONCE(adapter->rx_ring[rxr_idx], ring); + + /* update count and index */ + rxr_count--; +@@ -1022,13 +1022,13 @@ static void ixgbe_free_q_vector(struct ixgbe_adapter *adapter, int v_idx) + + ixgbe_for_each_ring(ring, q_vector->tx) { + if (ring_is_xdp(ring)) +- adapter->xdp_ring[ring->queue_index] = NULL; ++ WRITE_ONCE(adapter->xdp_ring[ring->queue_index], NULL); + else +- adapter->tx_ring[ring->queue_index] = NULL; ++ WRITE_ONCE(adapter->tx_ring[ring->queue_index], NULL); + } + + ixgbe_for_each_ring(ring, q_vector->rx) +- adapter->rx_ring[ring->queue_index] = NULL; ++ WRITE_ONCE(adapter->rx_ring[ring->queue_index], NULL); + + adapter->q_vector[v_idx] = NULL; + napi_hash_del(&q_vector->napi); +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 7d723b70fcf6d..4243ff4ec4b1d 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -7005,7 +7005,10 @@ void ixgbe_update_stats(struct ixgbe_adapter *adapter) + } + + for (i = 0; i < adapter->num_rx_queues; i++) { +- struct ixgbe_ring *rx_ring = adapter->rx_ring[i]; ++ struct ixgbe_ring *rx_ring = READ_ONCE(adapter->rx_ring[i]); ++ ++ if (!rx_ring) ++ continue; + non_eop_descs += rx_ring->rx_stats.non_eop_descs; + alloc_rx_page += rx_ring->rx_stats.alloc_rx_page; + alloc_rx_page_failed += rx_ring->rx_stats.alloc_rx_page_failed; +@@ -7026,15 +7029,20 @@ void ixgbe_update_stats(struct ixgbe_adapter *adapter) + packets = 0; + /* gather some stats to the adapter struct that are per queue */ + for (i = 0; i < adapter->num_tx_queues; i++) { +- struct ixgbe_ring *tx_ring = adapter->tx_ring[i]; ++ struct ixgbe_ring *tx_ring = READ_ONCE(adapter->tx_ring[i]); ++ ++ if (!tx_ring) ++ continue; + restart_queue += tx_ring->tx_stats.restart_queue; + tx_busy += tx_ring->tx_stats.tx_busy; + bytes += tx_ring->stats.bytes; + packets += tx_ring->stats.packets; + } + for (i = 0; i < adapter->num_xdp_queues; i++) { +- struct ixgbe_ring *xdp_ring = adapter->xdp_ring[i]; ++ struct ixgbe_ring *xdp_ring = READ_ONCE(adapter->xdp_ring[i]); + ++ if (!xdp_ring) ++ continue; + restart_queue += xdp_ring->tx_stats.restart_queue; + tx_busy += xdp_ring->tx_stats.tx_busy; + bytes += xdp_ring->stats.bytes; +-- +2.25.1 + diff --git a/queue-4.19/nvme-rdma-assign-completion-vector-correctly.patch b/queue-4.19/nvme-rdma-assign-completion-vector-correctly.patch new file mode 100644 index 00000000000..c2d1fa519a3 --- /dev/null +++ b/queue-4.19/nvme-rdma-assign-completion-vector-correctly.patch @@ -0,0 +1,40 @@ +From 4e1fec40f8b21597a6da12215a92637e4fd5ed1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 17:55:25 +0300 +Subject: nvme-rdma: assign completion vector correctly + +From: Max Gurtovoy + +[ Upstream commit 032a9966a22a3596addf81dacf0c1736dfedc32a ] + +The completion vector index that is given during CQ creation can't +exceed the number of support vectors by the underlying RDMA device. This +violation currently can accure, for example, in case one will try to +connect with N regular read/write queues and M poll queues and the sum +of N + M > num_supported_vectors. This will lead to failure in establish +a connection to remote target. Instead, in that case, share a completion +vector between queues. + +Signed-off-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 9711bfbdf4316..f393a6193252e 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -447,7 +447,7 @@ static int nvme_rdma_create_queue_ib(struct nvme_rdma_queue *queue) + * Spread I/O queues completion vectors according their queue index. + * Admin queues can always go on completion vector 0. + */ +- comp_vector = idx == 0 ? idx : idx - 1; ++ comp_vector = (idx == 0 ? idx : idx - 1) % ibdev->num_comp_vectors; + + /* +1 for ib_stop_cq */ + queue->ib_cq = ib_alloc_cq(ibdev, queue, +-- +2.25.1 + diff --git a/queue-4.19/regmap-fix-alignment-issue.patch b/queue-4.19/regmap-fix-alignment-issue.patch new file mode 100644 index 00000000000..ca2d183083e --- /dev/null +++ b/queue-4.19/regmap-fix-alignment-issue.patch @@ -0,0 +1,258 @@ +From 039e239ec261514423dfda40c0a045a45367e86a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 11:53:00 +0200 +Subject: regmap: fix alignment issue + +From: Jens Thoms Toerring + +[ Upstream commit 53d860952c8215cf9ae1ea33409c8cb71ad6ad3d ] + +The assembly and disassembly of data to be sent to or received from +a device invoke functions regmap_format_XX() and regmap_parse_XX() +that extract or insert data items from or into a buffer, using +assignments. In some cases the functions are called with a buffer +pointer with an odd address. On architectures with strict alignment +requirements this can result in a kernel crash. The assignments +have been replaced by functions that take alignment into account. + +Signed-off-by: Jens Thoms Toerring +Link: https://lore.kernel.org/r/20200531095300.GA27570@toerring.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 100 ++++++++++++++++------------------- + 1 file changed, 46 insertions(+), 54 deletions(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index b38b2d8c333d5..c7d946b745efe 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #define CREATE_TRACE_POINTS + #include "trace.h" +@@ -232,22 +233,20 @@ static void regmap_format_8(void *buf, unsigned int val, unsigned int shift) + + static void regmap_format_16_be(void *buf, unsigned int val, unsigned int shift) + { +- __be16 *b = buf; +- +- b[0] = cpu_to_be16(val << shift); ++ put_unaligned_be16(val << shift, buf); + } + + static void regmap_format_16_le(void *buf, unsigned int val, unsigned int shift) + { +- __le16 *b = buf; +- +- b[0] = cpu_to_le16(val << shift); ++ put_unaligned_le16(val << shift, buf); + } + + static void regmap_format_16_native(void *buf, unsigned int val, + unsigned int shift) + { +- *(u16 *)buf = val << shift; ++ u16 v = val << shift; ++ ++ memcpy(buf, &v, sizeof(v)); + } + + static void regmap_format_24(void *buf, unsigned int val, unsigned int shift) +@@ -263,43 +262,39 @@ static void regmap_format_24(void *buf, unsigned int val, unsigned int shift) + + static void regmap_format_32_be(void *buf, unsigned int val, unsigned int shift) + { +- __be32 *b = buf; +- +- b[0] = cpu_to_be32(val << shift); ++ put_unaligned_be32(val << shift, buf); + } + + static void regmap_format_32_le(void *buf, unsigned int val, unsigned int shift) + { +- __le32 *b = buf; +- +- b[0] = cpu_to_le32(val << shift); ++ put_unaligned_le32(val << shift, buf); + } + + static void regmap_format_32_native(void *buf, unsigned int val, + unsigned int shift) + { +- *(u32 *)buf = val << shift; ++ u32 v = val << shift; ++ ++ memcpy(buf, &v, sizeof(v)); + } + + #ifdef CONFIG_64BIT + static void regmap_format_64_be(void *buf, unsigned int val, unsigned int shift) + { +- __be64 *b = buf; +- +- b[0] = cpu_to_be64((u64)val << shift); ++ put_unaligned_be64((u64) val << shift, buf); + } + + static void regmap_format_64_le(void *buf, unsigned int val, unsigned int shift) + { +- __le64 *b = buf; +- +- b[0] = cpu_to_le64((u64)val << shift); ++ put_unaligned_le64((u64) val << shift, buf); + } + + static void regmap_format_64_native(void *buf, unsigned int val, + unsigned int shift) + { +- *(u64 *)buf = (u64)val << shift; ++ u64 v = (u64) val << shift; ++ ++ memcpy(buf, &v, sizeof(v)); + } + #endif + +@@ -316,35 +311,34 @@ static unsigned int regmap_parse_8(const void *buf) + + static unsigned int regmap_parse_16_be(const void *buf) + { +- const __be16 *b = buf; +- +- return be16_to_cpu(b[0]); ++ return get_unaligned_be16(buf); + } + + static unsigned int regmap_parse_16_le(const void *buf) + { +- const __le16 *b = buf; +- +- return le16_to_cpu(b[0]); ++ return get_unaligned_le16(buf); + } + + static void regmap_parse_16_be_inplace(void *buf) + { +- __be16 *b = buf; ++ u16 v = get_unaligned_be16(buf); + +- b[0] = be16_to_cpu(b[0]); ++ memcpy(buf, &v, sizeof(v)); + } + + static void regmap_parse_16_le_inplace(void *buf) + { +- __le16 *b = buf; ++ u16 v = get_unaligned_le16(buf); + +- b[0] = le16_to_cpu(b[0]); ++ memcpy(buf, &v, sizeof(v)); + } + + static unsigned int regmap_parse_16_native(const void *buf) + { +- return *(u16 *)buf; ++ u16 v; ++ ++ memcpy(&v, buf, sizeof(v)); ++ return v; + } + + static unsigned int regmap_parse_24(const void *buf) +@@ -359,69 +353,67 @@ static unsigned int regmap_parse_24(const void *buf) + + static unsigned int regmap_parse_32_be(const void *buf) + { +- const __be32 *b = buf; +- +- return be32_to_cpu(b[0]); ++ return get_unaligned_be32(buf); + } + + static unsigned int regmap_parse_32_le(const void *buf) + { +- const __le32 *b = buf; +- +- return le32_to_cpu(b[0]); ++ return get_unaligned_le32(buf); + } + + static void regmap_parse_32_be_inplace(void *buf) + { +- __be32 *b = buf; ++ u32 v = get_unaligned_be32(buf); + +- b[0] = be32_to_cpu(b[0]); ++ memcpy(buf, &v, sizeof(v)); + } + + static void regmap_parse_32_le_inplace(void *buf) + { +- __le32 *b = buf; ++ u32 v = get_unaligned_le32(buf); + +- b[0] = le32_to_cpu(b[0]); ++ memcpy(buf, &v, sizeof(v)); + } + + static unsigned int regmap_parse_32_native(const void *buf) + { +- return *(u32 *)buf; ++ u32 v; ++ ++ memcpy(&v, buf, sizeof(v)); ++ return v; + } + + #ifdef CONFIG_64BIT + static unsigned int regmap_parse_64_be(const void *buf) + { +- const __be64 *b = buf; +- +- return be64_to_cpu(b[0]); ++ return get_unaligned_be64(buf); + } + + static unsigned int regmap_parse_64_le(const void *buf) + { +- const __le64 *b = buf; +- +- return le64_to_cpu(b[0]); ++ return get_unaligned_le64(buf); + } + + static void regmap_parse_64_be_inplace(void *buf) + { +- __be64 *b = buf; ++ u64 v = get_unaligned_be64(buf); + +- b[0] = be64_to_cpu(b[0]); ++ memcpy(buf, &v, sizeof(v)); + } + + static void regmap_parse_64_le_inplace(void *buf) + { +- __le64 *b = buf; ++ u64 v = get_unaligned_le64(buf); + +- b[0] = le64_to_cpu(b[0]); ++ memcpy(buf, &v, sizeof(v)); + } + + static unsigned int regmap_parse_64_native(const void *buf) + { +- return *(u64 *)buf; ++ u64 v; ++ ++ memcpy(&v, buf, sizeof(v)); ++ return v; + } + #endif + +-- +2.25.1 + diff --git a/queue-4.19/s390-kasan-fix-early-pgm-check-handler-execution.patch b/queue-4.19/s390-kasan-fix-early-pgm-check-handler-execution.patch new file mode 100644 index 00000000000..e3530601e5d --- /dev/null +++ b/queue-4.19/s390-kasan-fix-early-pgm-check-handler-execution.patch @@ -0,0 +1,42 @@ +From 343b46654d4294da5cc81ca40791b658b596af94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jun 2020 15:05:49 +0200 +Subject: s390/kasan: fix early pgm check handler execution + +From: Vasily Gorbik + +[ Upstream commit 998f5bbe3dbdab81c1cfb1aef7c3892f5d24f6c7 ] + +Currently if early_pgm_check_handler is called it ends up in pgm check +loop. The problem is that early_pgm_check_handler is instrumented by +KASAN but executed without DAT flag enabled which leads to addressing +exception when KASAN checks try to access shadow memory. + +Fix that by executing early handlers with DAT flag on under KASAN as +expected. + +Reported-and-tested-by: Alexander Egorenkov +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/early.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c +index e7e6608b996c6..ad88bed743954 100644 +--- a/arch/s390/kernel/early.c ++++ b/arch/s390/kernel/early.c +@@ -155,6 +155,8 @@ static noinline __init void setup_lowcore_early(void) + psw_t psw; + + psw.mask = PSW_MASK_BASE | PSW_DEFAULT_KEY | PSW_MASK_EA | PSW_MASK_BA; ++ if (IS_ENABLED(CONFIG_KASAN)) ++ psw.mask |= PSW_MASK_DAT; + psw.addr = (unsigned long) s390_base_ext_handler; + S390_lowcore.external_new_psw = psw; + psw.addr = (unsigned long) s390_base_pgm_handler; +-- +2.25.1 + diff --git a/queue-4.19/scsi-mptscsih-fix-read-sense-data-size.patch b/queue-4.19/scsi-mptscsih-fix-read-sense-data-size.patch new file mode 100644 index 00000000000..83b9fff47dc --- /dev/null +++ b/queue-4.19/scsi-mptscsih-fix-read-sense-data-size.patch @@ -0,0 +1,50 @@ +From e09db99b60d9bf2b14f3186504d4766414dc0929 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 17:04:46 +0200 +Subject: scsi: mptscsih: Fix read sense data size + +From: Tomas Henzl + +[ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ] + +The sense data buffer in sense_buf_pool is allocated with size of +MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96) +is used when reading the data. That may lead to a read from unallocated +area, sometimes from another (unallocated) page. To fix this, limit the +read size to MPT_SENSE_BUFFER_ALLOC. + +Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com +Co-developed-by: Stanislav Saner +Signed-off-by: Stanislav Saner +Signed-off-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/message/fusion/mptscsih.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c +index 6ba07c7feb92b..2af7ae13449d3 100644 +--- a/drivers/message/fusion/mptscsih.c ++++ b/drivers/message/fusion/mptscsih.c +@@ -118,8 +118,6 @@ int mptscsih_suspend(struct pci_dev *pdev, pm_message_t state); + int mptscsih_resume(struct pci_dev *pdev); + #endif + +-#define SNS_LEN(scp) SCSI_SENSE_BUFFERSIZE +- + + /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/ + /* +@@ -2420,7 +2418,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR + /* Copy the sense received into the scsi command block. */ + req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx); + sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC)); +- memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc)); ++ memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC); + + /* Log SMART data (asc = 0x5D, non-IM case only) if required. + */ +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 253dba996b6..972ed506409 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -3,3 +3,23 @@ spi-spi-fsl-dspi-adding-shutdown-hook.patch spi-spi-fsl-dspi-fix-lockup-if-device-is-removed-dur.patch spi-spi-fsl-dspi-use-irqf_shared-mode-to-request-irq.patch spi-spi-fsl-dspi-fix-external-abort-on-interrupt-in-.patch +arm64-entry-place-an-sb-sequence-following-an-eret-i.patch +regmap-fix-alignment-issue.patch +arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch +drm-tegra-hub-do-not-enable-orphaned-window-group.patch +gpu-host1x-detach-driver-on-unregister.patch +spi-spidev-fix-a-race-between-spidev_release-and-spi.patch +spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch +ixgbe-protect-ring-accesses-with-read-and-write_once.patch +i40e-protect-ring-accesses-with-read-and-write_once.patch +drm-panel-orientation-quirks-add-quirk-for-asus-t101.patch +drm-panel-orientation-quirks-use-generic-orientation.patch +s390-kasan-fix-early-pgm-check-handler-execution.patch +drm-sun4i-mixer-call-of_dma_configure-if-there-s-an-.patch +cifs-update-ctime-and-mtime-during-truncate.patch +arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch +scsi-mptscsih-fix-read-sense-data-size.patch +usb-dwc3-pci-fix-reference-count-leak-in-dwc3_pci_re.patch +block-release-bip-in-a-right-way-in-error-path.patch +nvme-rdma-assign-completion-vector-correctly.patch +x86-entry-increase-entry_stack-size-to-a-full-page.patch diff --git a/queue-4.19/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch b/queue-4.19/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch new file mode 100644 index 00000000000..c2345b46a48 --- /dev/null +++ b/queue-4.19/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch @@ -0,0 +1,76 @@ +From 6a06d49987b33f676e934f397714de2facf6a5a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jun 2020 11:21:25 +0800 +Subject: spi: spidev: fix a potential use-after-free in spidev_release() + +From: Zhenzhong Duan + +[ Upstream commit 06096cc6c5a84ced929634b0d79376b94c65a4bd ] + +If an spi device is unbounded from the driver before the release +process, there will be an NULL pointer reference when it's +referenced in spi_slave_abort(). + +Fix it by checking it's already freed before reference. + +Signed-off-by: Zhenzhong Duan +Link: https://lore.kernel.org/r/20200618032125.4650-2-zhenzhong.duan@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spidev.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index 5edf4029a3486..167047760d79a 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -607,15 +607,20 @@ err_find_dev: + static int spidev_release(struct inode *inode, struct file *filp) + { + struct spidev_data *spidev; ++ int dofree; + + mutex_lock(&device_list_lock); + spidev = filp->private_data; + filp->private_data = NULL; + ++ spin_lock_irq(&spidev->spi_lock); ++ /* ... after we unbound from the underlying device? */ ++ dofree = (spidev->spi == NULL); ++ spin_unlock_irq(&spidev->spi_lock); ++ + /* last close? */ + spidev->users--; + if (!spidev->users) { +- int dofree; + + kfree(spidev->tx_buffer); + spidev->tx_buffer = NULL; +@@ -623,19 +628,14 @@ static int spidev_release(struct inode *inode, struct file *filp) + kfree(spidev->rx_buffer); + spidev->rx_buffer = NULL; + +- spin_lock_irq(&spidev->spi_lock); +- if (spidev->spi) +- spidev->speed_hz = spidev->spi->max_speed_hz; +- +- /* ... after we unbound from the underlying device? */ +- dofree = (spidev->spi == NULL); +- spin_unlock_irq(&spidev->spi_lock); +- + if (dofree) + kfree(spidev); ++ else ++ spidev->speed_hz = spidev->spi->max_speed_hz; + } + #ifdef CONFIG_SPI_SLAVE +- spi_slave_abort(spidev->spi); ++ if (!dofree) ++ spi_slave_abort(spidev->spi); + #endif + mutex_unlock(&device_list_lock); + +-- +2.25.1 + diff --git a/queue-4.19/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch b/queue-4.19/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch new file mode 100644 index 00000000000..c71deebb223 --- /dev/null +++ b/queue-4.19/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch @@ -0,0 +1,62 @@ +From fa85079bca9b5c93b2851e9517c0661e9eab4b5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jun 2020 11:21:24 +0800 +Subject: spi: spidev: fix a race between spidev_release and spidev_remove + +From: Zhenzhong Duan + +[ Upstream commit abd42781c3d2155868821f1b947ae45bbc33330d ] + +Imagine below scene, spidev is referenced after it's freed. + +spidev_release() spidev_remove() +... + spin_lock_irq(&spidev->spi_lock); + spidev->spi = NULL; + spin_unlock_irq(&spidev->spi_lock); +mutex_lock(&device_list_lock); +dofree = (spidev->spi == NULL); +if (dofree) + kfree(spidev); +mutex_unlock(&device_list_lock); + mutex_lock(&device_list_lock); + list_del(&spidev->device_entry); + device_destroy(spidev_class, spidev->devt); + clear_bit(MINOR(spidev->devt), minors); + if (spidev->users == 0) + kfree(spidev); + mutex_unlock(&device_list_lock); + +Fix it by resetting spidev->spi in device_list_lock's protection. + +Signed-off-by: Zhenzhong Duan +Link: https://lore.kernel.org/r/20200618032125.4650-1-zhenzhong.duan@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spidev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index 028725573e632..5edf4029a3486 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -782,13 +782,13 @@ static int spidev_remove(struct spi_device *spi) + { + struct spidev_data *spidev = spi_get_drvdata(spi); + ++ /* prevent new opens */ ++ mutex_lock(&device_list_lock); + /* make sure ops on existing fds can abort cleanly */ + spin_lock_irq(&spidev->spi_lock); + spidev->spi = NULL; + spin_unlock_irq(&spidev->spi_lock); + +- /* prevent new opens */ +- mutex_lock(&device_list_lock); + list_del(&spidev->device_entry); + device_destroy(spidev_class, spidev->devt); + clear_bit(MINOR(spidev->devt), minors); +-- +2.25.1 + diff --git a/queue-4.19/usb-dwc3-pci-fix-reference-count-leak-in-dwc3_pci_re.patch b/queue-4.19/usb-dwc3-pci-fix-reference-count-leak-in-dwc3_pci_re.patch new file mode 100644 index 00000000000..2eadd31e93b --- /dev/null +++ b/queue-4.19/usb-dwc3-pci-fix-reference-count-leak-in-dwc3_pci_re.patch @@ -0,0 +1,39 @@ +From 1f3a84ad5be753cc1253c82532dcd95ea5eed503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 22:15:25 -0500 +Subject: usb: dwc3: pci: Fix reference count leak in dwc3_pci_resume_work + +From: Aditya Pakki + +[ Upstream commit 2655971ad4b34e97dd921df16bb0b08db9449df7 ] + +dwc3_pci_resume_work() calls pm_runtime_get_sync() that increments +the reference counter. In case of failure, decrement the reference +before returning. + +Signed-off-by: Aditya Pakki +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index b2fd505938a0c..389ec4c689c44 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -204,8 +204,10 @@ static void dwc3_pci_resume_work(struct work_struct *work) + int ret; + + ret = pm_runtime_get_sync(&dwc3->dev); +- if (ret) ++ if (ret) { ++ pm_runtime_put_sync_autosuspend(&dwc3->dev); + return; ++ } + + pm_runtime_mark_last_busy(&dwc3->dev); + pm_runtime_put_sync_autosuspend(&dwc3->dev); +-- +2.25.1 + diff --git a/queue-4.19/x86-entry-increase-entry_stack-size-to-a-full-page.patch b/queue-4.19/x86-entry-increase-entry_stack-size-to-a-full-page.patch new file mode 100644 index 00000000000..dec52536e13 --- /dev/null +++ b/queue-4.19/x86-entry-increase-entry_stack-size-to-a-full-page.patch @@ -0,0 +1,40 @@ +From 738f016b8ad711779932a79ae6aafddbc0f9da47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jun 2020 18:25:57 +0200 +Subject: x86/entry: Increase entry_stack size to a full page + +From: Peter Zijlstra + +[ Upstream commit c7aadc09321d8f9a1d3bd1e6d8a47222ecddf6c5 ] + +Marco crashed in bad_iret with a Clang11/KCSAN build due to +overflowing the stack. Now that we run C code on it, expand it to a +full page. + +Suggested-by: Andy Lutomirski +Reported-by: Marco Elver +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Lai Jiangshan +Tested-by: Marco Elver +Link: https://lkml.kernel.org/r/20200618144801.819246178@infradead.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index efb44bd3a7140..0f750e7b24071 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -336,7 +336,7 @@ struct x86_hw_tss { + #define INVALID_IO_BITMAP_OFFSET 0x8000 + + struct entry_stack { +- unsigned long words[64]; ++ char stack[PAGE_SIZE]; + }; + + struct entry_stack_page { +-- +2.25.1 + -- 2.47.3