From 8eaeaf464114a939bf2c63ff19bcc37968d23478 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 27 Aug 2020 12:38:43 -0400 Subject: [PATCH] Fixes for 5.4 
Signed-off-by: Sasha Levin --- ...pport-for-loongson-7a1000-controller.patch | 35 +++ ...hdmi-add-quirk-to-force-connectivity.patch | 94 ++++++++ ...e-force-connectivity-quirk-on-anothe.patch | 37 ++++ ...-fix-pin-default-on-intel-nuc-8-rugg.patch | 68 ++++++ ...ci-delete-repeated-words-in-comments.patch | 120 +++++++++++ ...-ls1021a-output-pps-signal-on-fiper2.patch | 51 +++++ ...sm8916-pull-down-pdm-gpios-during-sl.patch | 44 ++++ ...eference-count-leak-in-img_i2s_in_se.patch | 41 ++++ ...allel-out-fix-a-reference-count-leak.patch | 41 ++++ ...asoc-tegra-fix-reference-count-leaks.patch | 58 +++++ ...ktrace-ensure-our-debugfs-dir-exists.patch | 66 ++++++ ...ve-qgroup-space-after-the-hole-punch.patch | 61 ++++++ ..._qgroup_check_reserved_leak-take-btr.patch | 91 ++++++++ ...leaking-memory-through-hole-in-struc.patch | 43 ++++ ...-access-the-kiocb-after-aio-requests.patch | 58 +++++ ...-potential-mdsc-use-after-free-crash.patch | 64 ++++++ ...fix-ref-count-leak-in-amdgpu_drm_ioc.patch | 41 ++++ ...ay-fix-ref-count-leak-when-pm_runtim.patch | 75 +++++++ ...ef-count-leak-in-amdgpu_display_crtc.patch | 53 +++++ ...ef-count-leak-in-amdgpu_driver_open_.patch | 44 ++++ ...drm-amdkfd-fix-reference-count-leaks.patch | 89 ++++++++ ...noveau-fix-reference-count-leak-in-n.patch | 40 ++++ ...reference-count-leak-in-nouveau_conn.patch | 39 ++++ ...reference-count-leak-in-nv50_disp_at.patch | 39 ++++ ...on-fix-multiple-reference-count-leak.patch | 87 ++++++++ ...lback-if-host-bridge-device-is-alrea.patch | 127 +++++++++++ ...fs-fix-error-path-in-do_recover_data.patch | 163 ++++++++++++++ queue-5.4/f2fs-fix-use-after-free-issue.patch | 50 +++++ ...s-add-noget-quirk-for-logitech-group.patch | 52 +++++ ...ent-filesystem-stacking-of-hugetlbfs.patch | 52 +++++ ...iommu-iova-don-t-bug-on-invalid-pfns.patch | 50 +++++ ...fix-overflow-in-presentation-of-aver.patch | 42 ++++ ...av7110-fix-possible-buffer-overflow-.patch | 52 +++++ ...pss-add-intel-emmitsburg-pch-pci-ids.patch | 36 ++++ 
...s-add-intel-tiger-lake-pch-h-pci-ids.patch | 49 +++++ ...vdso-fix-resource-leaks-in-genvdso.c.patch | 98 +++++++++ ...ple-reference-count-leaks-due-to-pm_.patch | 145 +++++++++++++ ...pci_create_slot-reference-count-leak.patch | 59 +++++ ...xive-ignore-kmemleak-false-positives.patch | 63 ++++++ ...tlwifi-rtl8192cu-prevent-leaking-urb.patch | 40 ++++ ...emory-leak-fix-in-fcoe_sysfs_fcf_del.patch | 44 ++++ ...t-put-host-in-iscsi_set_flashnode_pa.patch | 37 ++++ ...ost-refcount-mismatch-when-deleting-.patch | 86 ++++++++ ...i-target-fix-xcopy-sess-release-leak.patch | 98 +++++++++ ...-fix-crash-on-arm-during-cmd-complet.patch | 57 +++++ ...c-purge-extra-count_pmc-calls-of-ebb.patch | 204 ++++++++++++++++++ queue-5.4/series | 47 ++++ ...t-allow-logging-of-xfs_istale-inodes.patch | 166 ++++++++++++++ 48 files changed, 3296 insertions(+) create mode 100644 queue-5.4/alsa-hda-add-support-for-loongson-7a1000-controller.patch create mode 100644 queue-5.4/alsa-hda-hdmi-add-quirk-to-force-connectivity.patch create mode 100644 queue-5.4/alsa-hda-hdmi-use-force-connectivity-quirk-on-anothe.patch create mode 100644 queue-5.4/alsa-hda-realtek-fix-pin-default-on-intel-nuc-8-rugg.patch create mode 100644 queue-5.4/alsa-pci-delete-repeated-words-in-comments.patch create mode 100644 queue-5.4/arm-dts-ls1021a-output-pps-signal-on-fiper2.patch create mode 100644 queue-5.4/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch create mode 100644 queue-5.4/asoc-img-fix-a-reference-count-leak-in-img_i2s_in_se.patch create mode 100644 queue-5.4/asoc-img-parallel-out-fix-a-reference-count-leak.patch create mode 100644 queue-5.4/asoc-tegra-fix-reference-count-leaks.patch create mode 100644 queue-5.4/blktrace-ensure-our-debugfs-dir-exists.patch create mode 100644 queue-5.4/btrfs-file-reserve-qgroup-space-after-the-hole-punch.patch create mode 100644 queue-5.4/btrfs-make-btrfs_qgroup_check_reserved_leak-take-btr.patch create mode 100644 
queue-5.4/cec-api-prevent-leaking-memory-through-hole-in-struc.patch create mode 100644 queue-5.4/ceph-do-not-access-the-kiocb-after-aio-requests.patch create mode 100644 queue-5.4/ceph-fix-potential-mdsc-use-after-free-crash.patch create mode 100644 queue-5.4/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch create mode 100644 queue-5.4/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch create mode 100644 queue-5.4/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch create mode 100644 queue-5.4/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch create mode 100644 queue-5.4/drm-amdkfd-fix-reference-count-leaks.patch create mode 100644 queue-5.4/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch create mode 100644 queue-5.4/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch create mode 100644 queue-5.4/drm-nouveau-fix-reference-count-leak-in-nv50_disp_at.patch create mode 100644 queue-5.4/drm-radeon-fix-multiple-reference-count-leak.patch create mode 100644 queue-5.4/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch create mode 100644 queue-5.4/f2fs-fix-error-path-in-do_recover_data.patch create mode 100644 queue-5.4/f2fs-fix-use-after-free-issue.patch create mode 100644 queue-5.4/hid-quirks-add-noget-quirk-for-logitech-group.patch create mode 100644 queue-5.4/hugetlbfs-prevent-filesystem-stacking-of-hugetlbfs.patch create mode 100644 queue-5.4/iommu-iova-don-t-bug-on-invalid-pfns.patch create mode 100644 queue-5.4/locking-lockdep-fix-overflow-in-presentation-of-aver.patch create mode 100644 queue-5.4/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch create mode 100644 queue-5.4/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch create mode 100644 queue-5.4/mfd-intel-lpss-add-intel-tiger-lake-pch-h-pci-ids.patch create mode 100644 queue-5.4/mips-vdso-fix-resource-leaks-in-genvdso.c.patch create mode 100644 queue-5.4/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch create mode 100644 
queue-5.4/pci-fix-pci_create_slot-reference-count-leak.patch create mode 100644 queue-5.4/powerpc-xive-ignore-kmemleak-false-positives.patch create mode 100644 queue-5.4/rtlwifi-rtl8192cu-prevent-leaking-urb.patch create mode 100644 queue-5.4/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch create mode 100644 queue-5.4/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch create mode 100644 queue-5.4/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch create mode 100644 queue-5.4/scsi-target-fix-xcopy-sess-release-leak.patch create mode 100644 queue-5.4/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch create mode 100644 queue-5.4/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch create mode 100644 queue-5.4/xfs-don-t-allow-logging-of-xfs_istale-inodes.patch diff --git a/queue-5.4/alsa-hda-add-support-for-loongson-7a1000-controller.patch b/queue-5.4/alsa-hda-add-support-for-loongson-7a1000-controller.patch new file mode 100644 index 00000000000..87f3eb86787 --- /dev/null +++ b/queue-5.4/alsa-hda-add-support-for-loongson-7a1000-controller.patch 
@@ -0,0 +1,35 @@ +From 0c25b6c13b10b55032784e140b2d8113c2deb2b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 10:51:32 +0800 +Subject: ALSA: hda: Add support for Loongson 7A1000 controller + +From: Kaige Li + +[ Upstream commit 61eee4a7fc406f94e441778c3cecbbed30373c89 ] + +Add the new PCI ID 0x0014 0x7a07 to support Loongson 7A1000 controller. + +Signed-off-by: Kaige Li +Link: https://lore.kernel.org/r/1594954292-1703-2-git-send-email-likaige@loongson.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 7353d2ec359ae..3a456410937b5 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2671,6 +2671,8 @@ static const struct pci_device_id azx_ids[] = { + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_HDMI }, + /* Zhaoxin */ + { PCI_DEVICE(0x1d17, 0x3288), .driver_data = AZX_DRIVER_ZHAOXIN }, ++ /* Loongson */ ++ { PCI_DEVICE(0x0014, 0x7a07), .driver_data = AZX_DRIVER_GENERIC }, + { 0, } + }; + MODULE_DEVICE_TABLE(pci, azx_ids); +-- +2.25.1 + diff --git a/queue-5.4/alsa-hda-hdmi-add-quirk-to-force-connectivity.patch b/queue-5.4/alsa-hda-hdmi-add-quirk-to-force-connectivity.patch new file mode 100644 index 00000000000..0a56281d569 --- /dev/null +++ b/queue-5.4/alsa-hda-hdmi-add-quirk-to-force-connectivity.patch 
@@ -0,0 +1,94 @@ +From 6ef36be589eba5c8c88cf2cb5b50026cfb10b292 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 23:58:34 +0800 +Subject: ALSA: hda/hdmi: Add quirk to force connectivity + +From: Kai-Heng Feng + +[ Upstream commit cd72c317a0a11f64225b9a3f1fe503bb8c7327b5 ] + +HDMI on some platforms doesn't enable audio support because its Port +Connectivity [31:30] is set to AC_JACK_PORT_NONE: +Node 0x05 [Pin Complex] wcaps 0x40778d: 8-Channels Digital Amp-Out CP + Amp-Out caps: ofs=0x00, nsteps=0x00, stepsize=0x00, mute=1 + Amp-Out vals: [0x00 0x00] + Pincap 0x0b000094: OUT Detect HBR HDMI DP + Pin Default 0x58560010: [N/A] Digital Out at Int HDMI + Conn = Digital, Color = Unknown + DefAssociation = 0x1, Sequence = 0x0 + Pin-ctls: 0x40: OUT + Unsolicited: tag=00, enabled=0 + Power states: D0 D3 EPSS + Power: setting=D0, actual=D0 + Devices: 0 + Connection: 3 + 0x02 0x03* 0x04 + +For now, use a quirk to force connectivity based on SSID. If there are +more platforms affected by the same issue, we can eye for a more generic +solution. 
+ +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20200804155836.16252-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 908b68fda24c9..a9559fb29e209 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -176,6 +176,7 @@ struct hdmi_spec { + bool use_jack_detect; /* jack detection enabled */ + bool use_acomp_notifier; /* use eld_notify callback for hotplug */ + bool acomp_registered; /* audio component registered in this driver */ ++ bool force_connect; /* force connectivity */ + struct drm_audio_component_audio_ops drm_audio_ops; + int (*port2pin)(struct hda_codec *, int); /* reverse port/pin mapping */ + +@@ -1711,7 +1712,8 @@ static int hdmi_add_pin(struct hda_codec *codec, hda_nid_t pin_nid) + * all device entries on the same pin + */ + config = snd_hda_codec_get_pincfg(codec, pin_nid); +- if (get_defcfg_connect(config) == AC_JACK_PORT_NONE) ++ if (get_defcfg_connect(config) == AC_JACK_PORT_NONE && ++ !spec->force_connect) + return 0; + + /* +@@ -1815,11 +1817,18 @@ static int hdmi_add_cvt(struct hda_codec *codec, hda_nid_t cvt_nid) + return 0; + } + ++static const struct snd_pci_quirk force_connect_list[] = { ++ SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1), ++ {} ++}; ++ + static int hdmi_parse_codec(struct hda_codec *codec) + { ++ struct hdmi_spec *spec = codec->spec; + hda_nid_t start_nid; + unsigned int caps; + int i, nodes; ++ const struct snd_pci_quirk *q; + + nodes = snd_hda_get_sub_nodes(codec, codec->core.afg, &start_nid); + if (!start_nid || nodes < 0) { +@@ -1827,6 +1836,11 @@ static int hdmi_parse_codec(struct hda_codec *codec) + return -EINVAL; + } + ++ q = snd_pci_quirk_lookup(codec->bus->pci, force_connect_list); ++ ++ if (q && q->value) ++ spec->force_connect = true; ++ + /* + * hdmi_add_pin() 
assumes total amount of converters to + * be known, so first discover all converters +-- +2.25.1 + diff --git a/queue-5.4/alsa-hda-hdmi-use-force-connectivity-quirk-on-anothe.patch b/queue-5.4/alsa-hda-hdmi-use-force-connectivity-quirk-on-anothe.patch new file mode 100644 index 00000000000..0596f033221 --- /dev/null +++ b/queue-5.4/alsa-hda-hdmi-use-force-connectivity-quirk-on-anothe.patch @@ -0,0 +1,37 @@ +From 85ca7d8cde3d9fb1b8fb30eda5ee09f65995e661 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 17:53:34 +0800 +Subject: ALSA: hda/hdmi: Use force connectivity quirk on another HP desktop + +From: Kai-Heng Feng + +[ Upstream commit d96f27c80b65437a7b572647ecb4717ec9a50c98 ] + +There's another HP desktop has buggy BIOS which flags the Port +Connectivity bit as no connection. + +Apply force connectivity quirk to enable DP/HDMI audio. + +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20200811095336.32396-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index a9559fb29e209..ec9460f3a288e 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1818,6 +1818,7 @@ static int hdmi_add_cvt(struct hda_codec *codec, hda_nid_t cvt_nid) + } + + static const struct snd_pci_quirk force_connect_list[] = { ++ SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1), + {} + }; +-- +2.25.1 + diff --git a/queue-5.4/alsa-hda-realtek-fix-pin-default-on-intel-nuc-8-rugg.patch b/queue-5.4/alsa-hda-realtek-fix-pin-default-on-intel-nuc-8-rugg.patch new file mode 100644 index 00000000000..be9aa43bebf --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-fix-pin-default-on-intel-nuc-8-rugg.patch 
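Review bot: The `force_connect` flag tested in `hdmi_add_pin()` lives in `struct hdmi_spec`, so on a quirked machine every pin whose default config reports `AC_JACK_PORT_NONE` is now added, not only the one the BIOS mislabels. If that is intended, the field comment should say so, for example `bool force_connect; /* quirk: ignore AC_JACK_PORT_NONE on all pins of this codec */`. If only one pin is affected, the quirk entry would have to carry the pin NID. The `q->value` test in `hdmi_parse_codec()` is redundant while every list entry has the value 1. The bodies of both functions continue outside the hunks shown.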
@@ -0,0 +1,68 @@ +From 2fe1e92001b26f3ae8b618ccd558b134214fd449 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 16:05:12 +0800 +Subject: ALSA: hda/realtek: Fix pin default on Intel NUC 8 Rugged + +From: Kai-Heng Feng + +[ Upstream commit e2d2fded6bdf3f7bb40718a208140dba8b4ec574 ] + +The jack on Intel NUC 8 Rugged rear panel doesn't work. + +The spec [1] states that the jack supports both headphone and +microphone, so override a Pin Complex which has both Amp-In and Amp-Out +to make the jack work. + +Node 0x1b fits the requirement, and user confirmed the jack now works +with new pin config. + +[1] https://www.intel.com/content/dam/support/us/en/documents/mini-pcs/NUC8CCH_TechProdSpec.pdf +BugLink: https://bugs.launchpad.net/bugs/1875199 + +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20200807080514.15293-1-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 06bbcfbb28153..3c7bc398c0cbc 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6137,6 +6137,7 @@ enum { + ALC269_FIXUP_CZC_L101, + ALC269_FIXUP_LEMOTE_A1802, + ALC269_FIXUP_LEMOTE_A190X, ++ ALC256_FIXUP_INTEL_NUC8_RUGGED, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -7458,6 +7459,15 @@ static const struct hda_fixup alc269_fixups[] = { + }, + .chain_id = ALC269_FIXUP_DMIC, + }, ++ [ALC256_FIXUP_INTEL_NUC8_RUGGED] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x1b, 0x01a1913c }, /* use as headset mic, without its own jack detect */ ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_HEADSET_MODE ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -7757,6 +7767,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x10ec, 0x118c, 
"Medion EE4254 MD62100", ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE), + SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802), + SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X), ++ SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED), + + #if 0 + /* Below is a quirk table taken from the old code. +-- +2.25.1 + diff --git a/queue-5.4/alsa-pci-delete-repeated-words-in-comments.patch b/queue-5.4/alsa-pci-delete-repeated-words-in-comments.patch new file mode 100644 index 00000000000..cb339c5e73a --- /dev/null +++ b/queue-5.4/alsa-pci-delete-repeated-words-in-comments.patch 
@@ -0,0 +1,120 @@ +From 9f53b0b6291de7356223113c4374105e481fcdca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 19:19:26 -0700 +Subject: ALSA: pci: delete repeated words in comments + +From: Randy Dunlap + +[ Upstream commit c7fabbc51352f50cc58242a6dc3b9c1a3599849b ] + +Drop duplicated words in sound/pci/. +{and, the, at} + +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20200806021926.32418-1-rdunlap@infradead.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/cs46xx/cs46xx_lib.c | 2 +- + sound/pci/cs46xx/dsp_spos_scb_lib.c | 2 +- + sound/pci/hda/hda_codec.c | 2 +- + sound/pci/hda/hda_generic.c | 2 +- + sound/pci/hda/patch_sigmatel.c | 2 +- + sound/pci/ice1712/prodigy192.c | 2 +- + sound/pci/oxygen/xonar_dg.c | 2 +- + 7 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/pci/cs46xx/cs46xx_lib.c b/sound/pci/cs46xx/cs46xx_lib.c +index 5b888b795f7ee..c07a9e735733a 100644 +--- a/sound/pci/cs46xx/cs46xx_lib.c ++++ b/sound/pci/cs46xx/cs46xx_lib.c +@@ -766,7 +766,7 @@ static void snd_cs46xx_set_capture_sample_rate(struct snd_cs46xx *chip, unsigned + rate = 48000 / 9; + + /* +- * We can not capture at at rate greater than the Input Rate (48000). ++ * We can not capture at a rate greater than the Input Rate (48000). + * Return an error if an attempt is made to stray outside that limit. 
+ */ + if (rate > 48000) +diff --git a/sound/pci/cs46xx/dsp_spos_scb_lib.c b/sound/pci/cs46xx/dsp_spos_scb_lib.c +index 715ead59613da..0bef823c5f61f 100644 +--- a/sound/pci/cs46xx/dsp_spos_scb_lib.c ++++ b/sound/pci/cs46xx/dsp_spos_scb_lib.c +@@ -1716,7 +1716,7 @@ int cs46xx_iec958_pre_open (struct snd_cs46xx *chip) + struct dsp_spos_instance * ins = chip->dsp_spos_instance; + + if ( ins->spdif_status_out & DSP_SPDIF_STATUS_OUTPUT_ENABLED ) { +- /* remove AsynchFGTxSCB and and PCMSerialInput_II */ ++ /* remove AsynchFGTxSCB and PCMSerialInput_II */ + cs46xx_dsp_disable_spdif_out (chip); + + /* save state */ +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 801abf0fc98b3..103011e7285a3 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3420,7 +3420,7 @@ EXPORT_SYMBOL_GPL(snd_hda_set_power_save); + * @nid: NID to check / update + * + * Check whether the given NID is in the amp list. If it's in the list, +- * check the current AMP status, and update the the power-status according ++ * check the current AMP status, and update the power-status according + * to the mute status. 
+ * + * This function is supposed to be set or called from the check_power_status +diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c +index 6815f9dc8545d..e1750bdbe51f6 100644 +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -813,7 +813,7 @@ static void activate_amp_in(struct hda_codec *codec, struct nid_path *path, + } + } + +-/* sync power of each widget in the the given path */ ++/* sync power of each widget in the given path */ + static hda_nid_t path_power_update(struct hda_codec *codec, + struct nid_path *path, + bool allow_powerdown) +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index 4b9300babc7d0..bfd3fe5eff31c 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -832,7 +832,7 @@ static int stac_auto_create_beep_ctls(struct hda_codec *codec, + static struct snd_kcontrol_new beep_vol_ctl = + HDA_CODEC_VOLUME(NULL, 0, 0, 0); + +- /* check for mute support for the the amp */ ++ /* check for mute support for the amp */ + if ((caps & AC_AMPCAP_MUTE) >> AC_AMPCAP_MUTE_SHIFT) { + const struct snd_kcontrol_new *temp; + if (spec->anabeep_nid == nid) +diff --git a/sound/pci/ice1712/prodigy192.c b/sound/pci/ice1712/prodigy192.c +index 98f8ac6587962..243f757da3edb 100644 +--- a/sound/pci/ice1712/prodigy192.c ++++ b/sound/pci/ice1712/prodigy192.c +@@ -32,7 +32,7 @@ + * Experimentally I found out that only a combination of + * OCKS0=1, OCKS1=1 (128fs, 64fs output) and ice1724 - + * VT1724_MT_I2S_MCLK_128X=0 (256fs input) yields correct +- * sampling rate. That means the the FPGA doubles the ++ * sampling rate. That means that the FPGA doubles the + * MCK01 rate. 
+ * + * Copyright (c) 2003 Takashi Iwai +diff --git a/sound/pci/oxygen/xonar_dg.c b/sound/pci/oxygen/xonar_dg.c +index c3f8721624cd4..b90421a1d909a 100644 +--- a/sound/pci/oxygen/xonar_dg.c ++++ b/sound/pci/oxygen/xonar_dg.c +@@ -29,7 +29,7 @@ + * GPIO 4 <- headphone detect + * GPIO 5 -> enable ADC analog circuit for the left channel + * GPIO 6 -> enable ADC analog circuit for the right channel +- * GPIO 7 -> switch green rear output jack between CS4245 and and the first ++ * GPIO 7 -> switch green rear output jack between CS4245 and the first + * channel of CS4361 (mechanical relay) + * GPIO 8 -> enable output to speakers + * +-- +2.25.1 + diff --git a/queue-5.4/arm-dts-ls1021a-output-pps-signal-on-fiper2.patch b/queue-5.4/arm-dts-ls1021a-output-pps-signal-on-fiper2.patch new file mode 100644 index 00000000000..537d05592f6 --- /dev/null +++ b/queue-5.4/arm-dts-ls1021a-output-pps-signal-on-fiper2.patch 
@@ -0,0 +1,51 @@ +From 0c120608c08d22d9b413584417e8dc5887fa748c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 09:30:52 +0800 +Subject: ARM: dts: ls1021a: output PPS signal on FIPER2 + +From: Yangbo Lu + +[ Upstream commit 5656bb3857c4904d1dec6e1b8f876c1c0337274e ] + +The timer fixed interval period pulse generator register +is used to generate periodic pulses. The down count +register loads the value programmed in the fixed period +interval (FIPER). At every tick of the timer accumulator +overflow, the counter decrements by the value of +TMR_CTRL[TCLK_PERIOD]. It generates a pulse when the down +counter value reaches zero. It reloads the down counter +in the cycle following a pulse. + +To use the TMR_FIPER register to generate desired periodic +pulses. The value should programmed is, +desired_period - tclk_period + +Current tmr-fiper2 value is to generate 100us periodic pulses. +(But the value should have been 99995, not 99990. The tclk_period is 5.) +This patch is to generate 1 second periodic pulses with value +999999995 programmed which is more desired by user. + +Signed-off-by: Yangbo Lu +Acked-by: Richard Cochran +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/ls1021a.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/ls1021a.dtsi b/arch/arm/boot/dts/ls1021a.dtsi +index 63d9f4a066e38..5a8e58b663420 100644 +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -753,7 +753,7 @@ + fsl,tmr-prsc = <2>; + fsl,tmr-add = <0xaaaaaaab>; + fsl,tmr-fiper1 = <999999995>; +- fsl,tmr-fiper2 = <99990>; ++ fsl,tmr-fiper2 = <999999995>; + fsl,max-adj = <499999999>; + fsl,extts-fifo; + }; +-- +2.25.1 + diff --git a/queue-5.4/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch b/queue-5.4/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch new file mode 100644 index 00000000000..edb4c865358 --- /dev/null 
+++ b/queue-5.4/arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch @@ -0,0 +1,44 @@ +From 9dee7c053d7e6bff7652f87a6076fdde4813b9a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 20:59:15 +0200 +Subject: arm64: dts: qcom: msm8916: Pull down PDM GPIOs during sleep + +From: Stephan Gerhold + +[ Upstream commit e2ee9edc282961783d519c760bbaa20fed4dec38 ] + +The original qcom kernel changed the PDM GPIOs to be pull-down +during sleep at some point. Reportedly this was done because +there was some "leakage at PDM outputs during sleep": + + https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0f87e08c1cd3e6484a6f7fb3e74e37340bdcdee0 + +I cannot say how effective this is, but everything seems to work +fine with this change so let's apply the same to mainline just +to be sure. + +Cc: Srinivas Kandagatla +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200605185916.318494-3-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +index 1235830ffd0b7..38c0d74767e3f 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +@@ -521,7 +521,7 @@ + pins = "gpio63", "gpio64", "gpio65", "gpio66", + "gpio67", "gpio68"; + drive-strength = <2>; +- bias-disable; ++ bias-pull-down; + }; + }; + }; +-- +2.25.1 + diff --git a/queue-5.4/asoc-img-fix-a-reference-count-leak-in-img_i2s_in_se.patch b/queue-5.4/asoc-img-fix-a-reference-count-leak-in-img_i2s_in_se.patch new file mode 100644 index 00000000000..010ffe1fb03 --- /dev/null +++ b/queue-5.4/asoc-img-fix-a-reference-count-leak-in-img_i2s_in_se.patch 
@@ -0,0 +1,41 @@
+From ba96ce7a1508ff86583776ba8df9d0e9a05c18c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 22:37:48 -0500
+Subject: ASoC: img: Fix a reference count leak in img_i2s_in_set_fmt
+
+From: Qiushi Wu
+
+[ Upstream commit c4c59b95b7f7d4cef5071b151be2dadb33f3287b ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Signed-off-by: Qiushi Wu
+Link: https://lore.kernel.org/r/20200614033749.2975-1-wu000273@umn.edu
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/img/img-i2s-in.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/img/img-i2s-in.c b/sound/soc/img/img-i2s-in.c
+index 869fe0068cbd3..bb668551dd4b2 100644
+--- a/sound/soc/img/img-i2s-in.c
++++ b/sound/soc/img/img-i2s-in.c
+@@ -343,8 +343,10 @@ static int img_i2s_in_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+ chan_control_mask = IMG_I2S_IN_CH_CTL_CLK_TRANS_MASK;
+
+ ret = pm_runtime_get_sync(i2s->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_noidle(i2s->dev);
+ return ret;
++ }
+
+ for (i = 0; i < i2s->active_channels; i++)
+ img_i2s_in_ch_disable(i2s, i);
+--
+2.25.1
+
diff --git a/queue-5.4/asoc-img-parallel-out-fix-a-reference-count-leak.patch b/queue-5.4/asoc-img-parallel-out-fix-a-reference-count-leak.patch
new file mode 100644
index 00000000000..3436bb3167e
--- /dev/null
+++ b/queue-5.4/asoc-img-parallel-out-fix-a-reference-count-leak.patch
@@ -0,0 +1,41 @@
+From 29e3068af766d79c31b250af1c17d44f05a1f6ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 22:33:43 -0500
+Subject: ASoC: img-parallel-out: Fix a reference count leak
+
+From: Qiushi Wu
+
+[ Upstream commit 6b9fbb073636906eee9fe4d4c05a4f445b9e2a23 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Signed-off-by: Qiushi Wu
+Link: https://lore.kernel.org/r/20200614033344.1814-1-wu000273@umn.edu
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/img/img-parallel-out.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/img/img-parallel-out.c b/sound/soc/img/img-parallel-out.c
+index 5ddbe3a31c2e9..4da49a42e8547 100644
+--- a/sound/soc/img/img-parallel-out.c
++++ b/sound/soc/img/img-parallel-out.c
+@@ -163,8 +163,10 @@ static int img_prl_out_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+ }
+
+ ret = pm_runtime_get_sync(prl->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_noidle(prl->dev);
+ return ret;
++ }
+
+ reg = img_prl_out_readl(prl, IMG_PRL_OUT_CTL);
+ reg = (reg & ~IMG_PRL_OUT_CTL_EDGE_MASK) | control_set;
+--
+2.25.1
+
diff --git a/queue-5.4/asoc-tegra-fix-reference-count-leaks.patch b/queue-5.4/asoc-tegra-fix-reference-count-leaks.patch
new file mode 100644
index 00000000000..220ca75464e
--- /dev/null
+++ b/queue-5.4/asoc-tegra-fix-reference-count-leaks.patch
@@ -0,0 +1,58 @@
+From a9ff0d6cd47579e36119794d62a1fce81ed58904 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 15:44:19 -0500
+Subject: ASoC: tegra: Fix reference count leaks.
+
+From: Qiushi Wu
+
+[ Upstream commit deca195383a6085be62cb453079e03e04d618d6e ]
+
+Calling pm_runtime_get_sync increments the counter even in case of
+failure, causing incorrect ref count if pm_runtime_put is not called in
+error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails.
+
+Signed-off-by: Qiushi Wu
+Reviewed-by: Jon Hunter
+Link: https://lore.kernel.org/r/20200613204422.24484-1-wu000273@umn.edu
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/tegra/tegra30_ahub.c | 4 +++-
+ sound/soc/tegra/tegra30_i2s.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/tegra/tegra30_ahub.c b/sound/soc/tegra/tegra30_ahub.c
+index 635eacbd28d47..156e3b9d613c6 100644
+--- a/sound/soc/tegra/tegra30_ahub.c
++++ b/sound/soc/tegra/tegra30_ahub.c
+@@ -643,8 +643,10 @@ static int tegra30_ahub_resume(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+ ret = regcache_sync(ahub->regmap_ahub);
+ ret |= regcache_sync(ahub->regmap_apbif);
+ pm_runtime_put(dev);
+diff --git a/sound/soc/tegra/tegra30_i2s.c b/sound/soc/tegra/tegra30_i2s.c
+index e6d548fa980b6..8894b7c16a01a 100644
+--- a/sound/soc/tegra/tegra30_i2s.c
++++ b/sound/soc/tegra/tegra30_i2s.c
+@@ -538,8 +538,10 @@ static int tegra30_i2s_resume(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(dev);
+ return ret;
++ }
+ ret = regcache_sync(i2s->regmap);
+ pm_runtime_put(dev);
+
+--
+2.25.1
+
diff --git a/queue-5.4/blktrace-ensure-our-debugfs-dir-exists.patch b/queue-5.4/blktrace-ensure-our-debugfs-dir-exists.patch
new file mode 100644
index 00000000000..55c225ac905
--- /dev/null
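Review bot: The error branch added to `tegra30_ahub_resume()` balances the failed `pm_runtime_get_sync()` with `pm_runtime_put(dev)`, whereas the two img patches queued alongside use `pm_runtime_put_noidle()` for the same situation. `pm_runtime_put()` drops the usage count and also requests an idle check on a device whose resume has just failed. `pm_runtime_put_noidle(dev);` only restores the counter, which is all this path needs. The same applies to the branch added in `tegra30_i2s_resume()` in the second inner hunk.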
+++ b/queue-5.4/blktrace-ensure-our-debugfs-dir-exists.patch 
@@ -0,0 +1,66 @@
+From da9eddff626ad2fd24388e0f655ff0532ec91d8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jun 2020 20:47:29 +0000
+Subject: blktrace: ensure our debugfs dir exists
+
+From: Luis Chamberlain
+
+[ Upstream commit b431ef837e3374da0db8ff6683170359aaa0859c ]
+
+We make an assumption that a debugfs directory exists, but since
+this can fail ensure it exists before allowing blktrace setup to
+complete. Otherwise we end up stuffing blktrace files on the debugfs
+root directory. In the worst case scenario this *in theory* can create
+an eventual panic *iff* in the future a similarly named file is created
+prior on the debugfs root directory. This theoretical crash can happen
+due to a recursive removal followed by a specific dentry removal.
+
+This doesn't fix any known crash, however I have seen the files
+go into the main debugfs root directory in cases where the debugfs
+directory was not created due to other internal bugs with blktrace
+now fixed.
+
+blktrace is also completely useless without this directory, so
+this ensures to userspace we only setup blktrace if the kernel
+can stuff files where they are supposed to go into.
+
+debugfs directory creations typically aren't checked for, and we have
+maintainers doing sweep removals of these checks, but since we need this
+check to ensure proper userspace blktrace functionality we make sure
+to annotate the justification for the check.
+
+Signed-off-by: Luis Chamberlain
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Bart Van Assche
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/blktrace.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index a4c8f9d9522e4..884333b9fc767 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -535,6 +535,18 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+ #endif
+ bt->dir = dir = debugfs_create_dir(buts->name, blk_debugfs_root);
+
++ /*
++ * As blktrace relies on debugfs for its interface the debugfs directory
++ * is required, contrary to the usual mantra of not checking for debugfs
++ * files or directories.
++ */
++ if (IS_ERR_OR_NULL(dir)) {
++ pr_warn("debugfs_dir not present for %s so skipping\n",
++ buts->name);
++ ret = -ENOENT;
++ goto err;
++ }
++
+ bt->dev = dev;
+ atomic_set(&bt->dropped, 0);
+ INIT_LIST_HEAD(&bt->running_list);
+--
+2.25.1
+
diff --git a/queue-5.4/btrfs-file-reserve-qgroup-space-after-the-hole-punch.patch b/queue-5.4/btrfs-file-reserve-qgroup-space-after-the-hole-punch.patch
new file mode 100644
index 00000000000..47ca50d8b0f
--- /dev/null
+++ b/queue-5.4/btrfs-file-reserve-qgroup-space-after-the-hole-punch.patch
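Review bot: The check added in `do_blk_trace_setup()` reports every `debugfs_create_dir()` failure as `-ENOENT`, so the caller cannot distinguish an absent debugfs from any other error the call returned. When `dir` is an error pointer its code can be passed through: `ret = dir ? PTR_ERR(dir) : -ENOENT;`. Note also that `bt->dir` has already been assigned the failed value by the time `goto err` runs. The cleanup at `err` is outside this hunk, so it is worth confirming that it tolerates an error pointer or NULL there.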
@@ -0,0 +1,61 @@
+From b498c9e91e8577c0808570355930f08a9801d77b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Jun 2020 09:04:42 +0800
+Subject: btrfs: file: reserve qgroup space after the hole punch range is
+ locked
+
+From: Qu Wenruo
+
+[ Upstream commit a7f8b1c2ac21bf081b41264c9cfd6260dffa6246 ]
+
+The incoming qgroup reserved space timing will move the data reservation
+to ordered extent completely.
+
+However in btrfs_punch_hole_lock_range() will call
+btrfs_invalidate_page(), which will clear QGROUP_RESERVED bit for the
+range.
+
+In current stage it's OK, but if we're making ordered extents handle the
+reserved space, then btrfs_punch_hole_lock_range() can clear the
+QGROUP_RESERVED bit before we submit ordered extent, leading to qgroup
+reserved space leakage.
+
+So here change the timing to make reserve data space after
+btrfs_punch_hole_lock_range().
+The new timing is fine for either current code or the new code.
+
+Reviewed-by: Josef Bacik
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/file.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index 3cfbccacef7fd..a02c44b6a2be5 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -3130,14 +3130,14 @@ reserve_space:
+ if (ret < 0)
+ goto out;
+ space_reserved = true;
+- ret = btrfs_qgroup_reserve_data(inode, &data_reserved,
+- alloc_start, bytes_to_reserve);
+- if (ret)
+- goto out;
+ ret = btrfs_punch_hole_lock_range(inode, lockstart, lockend,
+ &cached_state);
+ if (ret)
+ goto out;
++ ret = btrfs_qgroup_reserve_data(inode, &data_reserved,
++ alloc_start, bytes_to_reserve);
++ if (ret)
++ goto out;
+ ret = btrfs_prealloc_file_range(inode, mode, alloc_start,
+ alloc_end - alloc_start,
+ i_blocksize(inode),
+--
+2.25.1
+
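Review bot: With the reservation moved below btrfs_punch_hole_lock_range(), a failing btrfs_qgroup_reserve_data() now takes `goto out` while the extent range locked two lines earlier is still held. Unless the `out` label, which is outside this hunk, unlocks it, the range stays locked and later I/O on it would block. The failure branch should release the lock first, e.g. `unlock_extent_cached(&BTRFS_I(inode)->io_tree, lockstart, lockend, &cached_state);` before `goto out;`. The enclosing function starts and ends outside the hunk.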
diff --git a/queue-5.4/btrfs-make-btrfs_qgroup_check_reserved_leak-take-btr.patch b/queue-5.4/btrfs-make-btrfs_qgroup_check_reserved_leak-take-btr.patch
new file mode 100644
index 00000000000..4f179add824
--- /dev/null
+++ b/queue-5.4/btrfs-make-btrfs_qgroup_check_reserved_leak-take-btr.patch
@@ -0,0 +1,91 @@
+From 8751ee503bbeeeb73ac425c0f3a09e737962652c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Jun 2020 08:55:46 +0300
+Subject: btrfs: make btrfs_qgroup_check_reserved_leak take btrfs_inode
+
+From: Nikolay Borisov
+
+[ Upstream commit cfdd45921571eb24073e0737fa0bd44b4218f914 ]
+
+vfs_inode is used only for the inode number everything else requires
+btrfs_inode.
+
+Signed-off-by: Nikolay Borisov
+Reviewed-by: David Sterba
+[ use btrfs_ino ]
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/inode.c | 2 +-
+ fs/btrfs/qgroup.c | 14 +++++++-------
+ fs/btrfs/qgroup.h | 2 +-
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index fa7f3a59813ea..411ec3e3a7dc1 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9568,7 +9568,7 @@ void btrfs_destroy_inode(struct inode *inode)
+ btrfs_put_ordered_extent(ordered);
+ }
+ }
+- btrfs_qgroup_check_reserved_leak(inode);
++ btrfs_qgroup_check_reserved_leak(BTRFS_I(inode));
+ inode_tree_del(inode);
+ btrfs_drop_extent_cache(BTRFS_I(inode), 0, (u64)-1, 0);
+ }
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index b94f6f99e90d0..04fd02e6124dd 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -3769,7 +3769,7 @@ void btrfs_qgroup_convert_reserved_meta(struct btrfs_root *root, int num_bytes)
+ * Check qgroup reserved space leaking, normally at destroy inode
+ * time
+ */
+-void btrfs_qgroup_check_reserved_leak(struct inode *inode)
++void btrfs_qgroup_check_reserved_leak(struct btrfs_inode *inode)
+ {
+ struct extent_changeset changeset;
+ struct ulist_node *unode;
+@@ -3777,19 +3777,19 @@ void btrfs_qgroup_check_reserved_leak(struct inode *inode)
+ int ret;
+
+ extent_changeset_init(&changeset);
+- ret = clear_record_extent_bits(&BTRFS_I(inode)->io_tree, 0, (u64)-1,
++ ret = clear_record_extent_bits(&inode->io_tree, 0, (u64)-1,
+ EXTENT_QGROUP_RESERVED, &changeset);
+
+ WARN_ON(ret < 0);
+ if (WARN_ON(changeset.bytes_changed)) {
+ ULIST_ITER_INIT(&iter);
+ while ((unode = ulist_next(&changeset.range_changed, &iter))) {
+- btrfs_warn(BTRFS_I(inode)->root->fs_info,
+- "leaking qgroup reserved space, ino: %lu, start: %llu, end: %llu",
+- inode->i_ino, unode->val, unode->aux);
++ btrfs_warn(inode->root->fs_info,
++ "leaking qgroup reserved space, ino: %llu, start: %llu, end: %llu",
++ btrfs_ino(inode), unode->val, unode->aux);
+ }
+- btrfs_qgroup_free_refroot(BTRFS_I(inode)->root->fs_info,
+- BTRFS_I(inode)->root->root_key.objectid,
++ btrfs_qgroup_free_refroot(inode->root->fs_info,
++ inode->root->root_key.objectid,
+ changeset.bytes_changed, BTRFS_QGROUP_RSV_DATA);
+
+ }
+diff --git a/fs/btrfs/qgroup.h b/fs/btrfs/qgroup.h
+index 17e8ac992c502..b0420c4f5d0ef 100644
+--- a/fs/btrfs/qgroup.h
++++ b/fs/btrfs/qgroup.h
+@@ -399,7 +399,7 @@ void btrfs_qgroup_free_meta_all_pertrans(struct btrfs_root *root);
+ */
+ void btrfs_qgroup_convert_reserved_meta(struct btrfs_root *root, int num_bytes);
+
+-void btrfs_qgroup_check_reserved_leak(struct inode *inode);
++void btrfs_qgroup_check_reserved_leak(struct btrfs_inode *inode);
+
+ /* btrfs_qgroup_swapped_blocks related functions */
+ void btrfs_qgroup_init_swapped_blocks(
+--
+2.25.1
+
diff --git a/queue-5.4/cec-api-prevent-leaking-memory-through-hole-in-struc.patch b/queue-5.4/cec-api-prevent-leaking-memory-through-hole-in-struc.patch
new file mode 100644
index 00000000000..a3291665f8f
--- /dev/null
+++ b/queue-5.4/cec-api-prevent-leaking-memory-through-hole-in-struc.patch
@@ -0,0 +1,43 @@
+From d9cae3b5485faa7e90ca2be0e052bc8e9017e1dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jun 2020 12:44:26 +0200
+Subject: cec-api: prevent leaking memory through hole in structure
+
+From: Hans Verkuil
+
+[ Upstream commit 6c42227c3467549ddc65efe99c869021d2f4a570 ]
+
+Fix this smatch warning:
+
+drivers/media/cec/core/cec-api.c:156 cec_adap_g_log_addrs() warn: check that 'log_addrs' doesn't leak information (struct has a hole after
+'features')
+
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/cec/cec-api.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c
+index 12d6764844724..ed75636a6fb34 100644
+--- a/drivers/media/cec/cec-api.c
++++ b/drivers/media/cec/cec-api.c
+@@ -147,7 +147,13 @@ static long cec_adap_g_log_addrs(struct cec_adapter *adap,
+ struct cec_log_addrs log_addrs;
+
+ mutex_lock(&adap->lock);
+- log_addrs = adap->log_addrs;
++ /*
++ * We use memcpy here instead of assignment since there is a
++ * hole at the end of struct cec_log_addrs that an assignment
++ * might ignore. So when we do copy_to_user() we could leak
++ * one byte of memory.
++ */
++ memcpy(&log_addrs, &adap->log_addrs, sizeof(log_addrs));
+ if (!adap->is_configured)
+ memset(log_addrs.log_addr, CEC_LOG_ADDR_INVALID,
+ sizeof(log_addrs.log_addr));
+--
+2.25.1
+
diff --git a/queue-5.4/ceph-do-not-access-the-kiocb-after-aio-requests.patch b/queue-5.4/ceph-do-not-access-the-kiocb-after-aio-requests.patch
new file mode 100644
index 00000000000..d42fca41081
--- /dev/null
+++ b/queue-5.4/ceph-do-not-access-the-kiocb-after-aio-requests.patch
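Review bot: The memcpy() in cec_adap_g_log_addrs() carries the padding bytes of `adap->log_addrs` over to the stack copy, so it closes the leak only if that source structure's padding was zeroed when the adapter was allocated; the allocation is not visible in this hunk. The new comment should state that dependency, for example by appending `The padding in adap->log_addrs is expected to be zero because the adapter is zero-allocated.` once that has been confirmed. The function body continues outside the hunk.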
@@ -0,0 +1,58 @@
+From 50a550df73e7245111f1caee8da3e779d9f2d71b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Jul 2020 08:51:35 -0400
+Subject: ceph: do not access the kiocb after aio requests
+
+From: Xiubo Li
+
+[ Upstream commit d1d9655052606fd9078e896668ec90191372d513 ]
+
+In aio case, if the completion comes very fast just before the
+ceph_read_iter() returns to fs/aio.c, the kiocb will be freed in
+the completion callback, then if ceph_read_iter() access again
+we will potentially hit the use-after-free bug.
+
+[ jlayton: initialize direct_lock early, and use it everywhere ]
+
+URL: https://tracker.ceph.com/issues/45649
+Signed-off-by: Xiubo Li
+Signed-off-by: Jeff Layton
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ceph/file.c b/fs/ceph/file.c
+index ce54a1b12819b..4a6b14a2bd7f9 100644
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -1260,6 +1260,7 @@ static ssize_t ceph_read_iter(struct kiocb *iocb, struct iov_iter *to)
+ struct inode *inode = file_inode(filp);
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct page *pinned_page = NULL;
++ bool direct_lock = iocb->ki_flags & IOCB_DIRECT;
+ ssize_t ret;
+ int want, got = 0;
+ int retry_op = 0, read = 0;
+@@ -1268,7 +1269,7 @@ again:
+ dout("aio_read %p %llx.%llx %llu~%u trying to get caps on %p\n",
+ inode, ceph_vinop(inode), iocb->ki_pos, (unsigned)len, inode);
+
+- if (iocb->ki_flags & IOCB_DIRECT)
++ if (direct_lock)
+ ceph_start_io_direct(inode);
+ else
+ ceph_start_io_read(inode);
+@@ -1325,7 +1326,7 @@ again:
+ }
+ ceph_put_cap_refs(ci, got);
+
+- if (iocb->ki_flags & IOCB_DIRECT)
++ if (direct_lock)
+ ceph_end_io_direct(inode);
+ else
+ ceph_end_io_read(inode);
+--
+2.25.1
+
diff --git a/queue-5.4/ceph-fix-potential-mdsc-use-after-free-crash.patch b/queue-5.4/ceph-fix-potential-mdsc-use-after-free-crash.patch
new file mode 100644
index 00000000000..4578cc7af06
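Review bot: The `direct_lock` declaration in ceph_read_iter() has no comment saying why the flag is read once up front, so a later cleanup could fold it back into `iocb->ki_flags & IOCB_DIRECT` and reintroduce the access after the aio completion has freed the kiocb. I would add `/* sample ki_flags now: the aio completion may free iocb before we return */` above it. The `dout()` under `again:` in the second inner hunk still reads `iocb->ki_pos`; whether `again` can be reached after an aio request was submitted is not visible here and should be checked. Most of the function body lies outside the hunks.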
--- /dev/null
+++ b/queue-5.4/ceph-fix-potential-mdsc-use-after-free-crash.patch
@@ -0,0 +1,64 @@
+From a214ff0fd56c592dc0b7aac142b74e2129b15106 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2020 01:52:48 -0400
+Subject: ceph: fix potential mdsc use-after-free crash
+
+From: Xiubo Li
+
+[ Upstream commit fa9967734227b44acb1b6918033f9122dc7825b9 ]
+
+Make sure the delayed work stopped before releasing the resources.
+
+cancel_delayed_work_sync() will only guarantee that the work finishes
+executing if the work is already in the ->worklist. That means after
+the cancel_delayed_work_sync() returns, it will leave the work requeued
+if it was rearmed at the end. That can lead to a use after free once the
+work struct is freed.
+
+Fix it by flushing the delayed work instead of trying to cancel it, and
+ensure that the work doesn't rearm if the mdsc is stopping.
+
+URL: https://tracker.ceph.com/issues/46293
+Signed-off-by: Xiubo Li
+Reviewed-by: Jeff Layton
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/mds_client.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index b0077f5a31688..0f21073a51a1b 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -4068,6 +4068,9 @@ static void delayed_work(struct work_struct *work)
+
+ dout("mdsc delayed_work\n");
+
++ if (mdsc->stopping)
++ return;
++
+ mutex_lock(&mdsc->mutex);
+ renew_interval = mdsc->mdsmap->m_session_timeout >> 2;
+ renew_caps = time_after_eq(jiffies, HZ*renew_interval +
+@@ -4433,7 +4436,16 @@ void ceph_mdsc_force_umount(struct ceph_mds_client *mdsc)
+ static void ceph_mdsc_stop(struct ceph_mds_client *mdsc)
+ {
+ dout("stop\n");
+- cancel_delayed_work_sync(&mdsc->delayed_work); /* cancel timer */
++ /*
++ * Make sure the delayed work stopped before releasing
++ * the resources.
++ *
++ * Because the cancel_delayed_work_sync() will only
++ * guarantee that the work finishes executing. But the
++ * delayed work will re-arm itself again after that.
++ */
++ flush_delayed_work(&mdsc->delayed_work);
++
+ if (mdsc->mdsmap)
+ ceph_mdsmap_destroy(mdsc->mdsmap);
+ kfree(mdsc->sessions);
+--
+2.25.1
+
diff --git a/queue-5.4/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch b/queue-5.4/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch
new file mode 100644
index 00000000000..42394a60303
--- /dev/null
+++ b/queue-5.4/drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch
@@ -0,0 +1,41 @@
+From 45140d8f20d47e96fe20535abd49cf9a49a8a4cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Jun 2020 02:14:50 -0500
+Subject: drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
+
+From: Navid Emamdoost
+
+[ Upstream commit 5509ac65f2fe5aa3c0003237ec629ca55024307c ]
+
+in amdgpu_drm_ioctl the call to pm_runtime_get_sync increments the
+counter even in case of failure, leading to incorrect
+ref count. In case of failure, decrement the ref count before returning.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+index 05d114a72ca1e..fa2c0f29ad4de 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -1286,11 +1286,12 @@ long amdgpu_drm_ioctl(struct file *filp,
+ dev = file_priv->minor->dev;
+ ret = pm_runtime_get_sync(dev->dev);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = drm_ioctl(filp, cmd, arg);
+
+ pm_runtime_mark_last_busy(dev->dev);
++out:
+ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
+ }
+--
+2.25.1
+
diff --git a/queue-5.4/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch b/queue-5.4/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch
new file mode 100644
index 00000000000..42d5f2a734f
--- /dev/null
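Review bot: The `mdsc->stopping` test added at the top of delayed_work() is made before `mutex_lock(&mdsc->mutex)`, so a work item that passes the test just before the flag is set still runs to the end and, going by the commit message, may re-arm itself; flush_delayed_work() in ceph_mdsc_stop() would then return with the work queued again. Whether that window exists depends on where `stopping` is set relative to ceph_mdsc_stop(), which is outside these hunks. At minimum the comment in ceph_mdsc_stop() should say that the flush is only sufficient because delayed_work() returns early once the flag is set, e.g. `* The flush is enough only because delayed_work() bails out when mdsc->stopping is set.` Both functions continue outside the hunks.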
+++ b/queue-5.4/drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch 
@@ -0,0 +1,75 @@
+From 6a32aea39f0ff515785f2792c2d33a56ddf76161 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Jun 2020 02:05:28 -0500
+Subject: drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails
+
+From: Navid Emamdoost
+
+[ Upstream commit f79f94765f8c39db0b7dec1d335ab046aac03f20 ]
+
+The call to pm_runtime_get_sync increments the counter even in case of
+failure, leading to incorrect ref count.
+In case of failure, decrement the ref count before returning.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+index ece55c8fa6733..cda0a76a733d3 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+@@ -719,8 +719,10 @@ amdgpu_connector_lvds_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ if (encoder) {
+@@ -857,8 +859,10 @@ amdgpu_connector_vga_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ encoder = amdgpu_connector_best_single_encoder(connector);
+@@ -980,8 +984,10 @@ amdgpu_connector_dvi_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) {
+@@ -1330,8 +1336,10 @@ amdgpu_connector_dp_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) {
+--
+2.25.1
+
diff --git a/queue-5.4/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch b/queue-5.4/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch
new file mode 100644
index 00000000000..a53d33b73ff
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch
@@ -0,0 +1,53 @@
+From 5c9fb7b2a5a7372ea8d4b14f7989ee17c082f321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Jun 2020 02:09:44 -0500
+Subject: drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
+
+From: Navid Emamdoost
+
+[ Upstream commit e008fa6fb41544b63973a529b704ef342f47cc65 ]
+
+in amdgpu_display_crtc_set_config, the call to pm_runtime_get_sync
+increments the counter even in case of failure, leading to incorrect
+ref count. In case of failure, decrement the ref count before returning.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+index 82efc1e22e611..e0aed42d9cbda 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -282,7 +282,7 @@ int amdgpu_display_crtc_set_config(struct drm_mode_set *set,
+
+ ret = pm_runtime_get_sync(dev->dev);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = drm_crtc_helper_set_config(set, ctx);
+
+@@ -297,7 +297,7 @@ int amdgpu_display_crtc_set_config(struct drm_mode_set *set,
+ take the current one */
+ if (active && !adev->have_disp_power_ref) {
+ adev->have_disp_power_ref = true;
+- return ret;
++ goto out;
+ }
+ /* if we have no active crtcs, then drop the power ref
+ we got before */
+@@ -306,6 +306,7 @@ int amdgpu_display_crtc_set_config(struct drm_mode_set *set,
+ adev->have_disp_power_ref = false;
+ }
+
++out:
+ /* drop the power reference we got coming in here */
+ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
+--
+2.25.1
+
diff --git a/queue-5.4/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch b/queue-5.4/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch
new file mode 100644
index 00000000000..02d48e97eb2
--- /dev/null
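Review bot: In the second inner hunk the branch that sets `adev->have_disp_power_ref = true` now ends in `goto out`, and `out:` runs `pm_runtime_put_autosuspend(dev->dev)`. The comment directly above that branch says it takes over the current reference, so dropping it there leaves the flag claiming a reference that is no longer held, and the later `!active && adev->have_disp_power_ref` branch would put it a second time. Only the early failure of pm_runtime_get_sync() should jump to `out`; this branch should stay `return ret;`. The function begins outside the hunks.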
+++ b/queue-5.4/drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch
@@ -0,0 +1,44 @@
+From 3794c316071348777a3a4d93d9ab3ccd429f1f63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Jun 2020 02:12:29 -0500
+Subject: drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
+
+From: Navid Emamdoost
+
+[ Upstream commit 9ba8923cbbe11564dd1bf9f3602add9a9cfbb5c6 ]
+
+in amdgpu_driver_open_kms the call to pm_runtime_get_sync increments the
+counter even in case of failure, leading to incorrect
+ref count. In case of failure, decrement the ref count before returning.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+index 2a7da26008a27..fcc5905a7535d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -976,7 +976,7 @@ int amdgpu_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
+
+ r = pm_runtime_get_sync(dev->dev);
+ if (r < 0)
+- return r;
++ goto pm_put;
+
+ fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
+ if (unlikely(!fpriv)) {
+@@ -1027,6 +1027,7 @@ error_pasid:
+
+ out_suspend:
+ pm_runtime_mark_last_busy(dev->dev);
++pm_put:
+ pm_runtime_put_autosuspend(dev->dev);
+
+ return r;
+--
+2.25.1
+
diff --git a/queue-5.4/drm-amdkfd-fix-reference-count-leaks.patch b/queue-5.4/drm-amdkfd-fix-reference-count-leaks.patch
new file mode 100644
index 00000000000..4c9b84530d3
--- /dev/null
+++ b/queue-5.4/drm-amdkfd-fix-reference-count-leaks.patch
@@ -0,0 +1,89 @@
+From dd1ad42b27bdffb9631a47f8ff32f0c42a8f84c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 14:32:26 -0500
+Subject: drm/amdkfd: Fix reference count leaks.
+
+From: Qiushi Wu
+
+[ Upstream commit 20eca0123a35305e38b344d571cf32768854168c ]
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object.
+
+Signed-off-by: Qiushi Wu
+Reviewed-by: Felix Kuehling
+Signed-off-by: Felix Kuehling
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+index 7551761f2aa97..a49e2ab071d68 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+@@ -612,8 +612,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev,
+
+ ret = kobject_init_and_add(dev->kobj_node, &node_type,
+ sys_props.kobj_nodes, "%d", id);
+- if (ret < 0)
++ if (ret < 0) {
++ kobject_put(dev->kobj_node);
+ return ret;
++ }
+
+ dev->kobj_mem = kobject_create_and_add("mem_banks", dev->kobj_node);
+ if (!dev->kobj_mem)
+@@ -660,8 +662,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev,
+ return -ENOMEM;
+ ret = kobject_init_and_add(mem->kobj, &mem_type,
+ dev->kobj_mem, "%d", i);
+- if (ret < 0)
++ if (ret < 0) {
++ kobject_put(mem->kobj);
+ return ret;
++ }
+
+ mem->attr.name = "properties";
+ mem->attr.mode = KFD_SYSFS_FILE_MODE;
+@@ -679,8 +683,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev,
+ return -ENOMEM;
+ ret = kobject_init_and_add(cache->kobj, &cache_type,
+ dev->kobj_cache, "%d", i);
+- if (ret < 0)
++ if (ret < 0) {
++ kobject_put(cache->kobj);
+ return ret;
++ }
+
+ cache->attr.name = "properties";
+ cache->attr.mode = KFD_SYSFS_FILE_MODE;
+@@ -698,8 +704,10 @@ static int kfd_build_sysfs_node_entry(struct kfd_topology_device *dev,
+ return -ENOMEM;
+ ret = kobject_init_and_add(iolink->kobj, &iolink_type,
+ dev->kobj_iolink, "%d", i);
+- if (ret < 0)
++ if (ret < 0) {
++ kobject_put(iolink->kobj);
+ return ret;
++ }
+
+ iolink->attr.name = "properties";
+ iolink->attr.mode = KFD_SYSFS_FILE_MODE;
+@@ -779,8 +787,10 @@ static int kfd_topology_update_sysfs(void)
+ ret = kobject_init_and_add(sys_props.kobj_topology,
+ &sysprops_type, &kfd_device->kobj,
+ "topology");
+- if (ret < 0)
++ if (ret < 0) {
++ kobject_put(sys_props.kobj_topology);
+ return ret;
++ }
+
+ sys_props.kobj_nodes = kobject_create_and_add("nodes",
+ sys_props.kobj_topology);
+--
+2.25.1
+
diff --git a/queue-5.4/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch b/queue-5.4/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch
new file mode 100644
index 00000000000..248d4fa1bae
--- /dev/null
+++ b/queue-5.4/drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch
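Review bot: Each new error branch calls kobject_put() on a pointer that stays stored in its owner (`dev->kobj_node`, `mem->kobj`, `cache->kobj`, `iolink->kobj`, `sys_props.kobj_topology`) and then returns. If the teardown code for these sysfs entries, which is outside the hunks, also deletes or puts whatever pointer is non-NULL, the object would be released twice or used after release. Clearing the pointer next to the put, e.g. `kobject_put(dev->kobj_node); dev->kobj_node = NULL;`, removes that dependency, and the same applies to the other four sites. Both functions continue outside the hunks.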
@@ -0,0 +1,40 @@
+From 62a7cccaec5e7662895211879b74f7ba69a75c36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 20:33:42 -0500
+Subject: drm/nouveau/drm/noveau: fix reference count leak in
+ nouveau_fbcon_open
+
+From: Aditya Pakki
+
+[ Upstream commit bfad51c7633325b5d4b32444efe04329d53297b2 ]
+
+nouveau_fbcon_open() calls calls pm_runtime_get_sync() that
+increments the reference count. In case of failure, decrement the
+ref count before returning the error.
+
+Signed-off-by: Aditya Pakki
+Signed-off-by: Ben Skeggs
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/nouveau_fbcon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+index 5cf2381f667e2..c09ea357e88f0 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+@@ -189,8 +189,10 @@ nouveau_fbcon_open(struct fb_info *info, int user)
+ struct nouveau_fbdev *fbcon = info->par;
+ struct nouveau_drm *drm = nouveau_drm(fbcon->helper.dev);
+ int ret = pm_runtime_get_sync(drm->dev->dev);
+- if (ret < 0 && ret != -EACCES)
++ if (ret < 0 && ret != -EACCES) {
++ pm_runtime_put(drm->dev->dev);
+ return ret;
++ }
+ return 0;
+ }
+
+--
+2.25.1
+
diff --git a/queue-5.4/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch b/queue-5.4/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch
new file mode 100644
index 00000000000..4dbdaa2cd49
--- /dev/null
+++ b/queue-5.4/drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch
@@ -0,0 +1,39 @@
+From 08fc771c2f4fea3cd0ccda4a3268b740d1ec7d77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 20:22:23 -0500
+Subject: drm/nouveau: Fix reference count leak in nouveau_connector_detect
+
+From: Aditya Pakki
+
+[ Upstream commit 990a1162986e8eff7ca18cc5a0e03b4304392ae2 ]
+
+nouveau_connector_detect() calls pm_runtime_get_sync and in turn
+increments the reference count. In case of failure, decrement the
+ref count before returning the error.
+
+Signed-off-by: Aditya Pakki
+Signed-off-by: Ben Skeggs
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/nouveau_connector.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
+index eb31c5b6c8e93..0994aee7671ad 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
+@@ -568,8 +568,10 @@ nouveau_connector_detect(struct drm_connector *connector, bool force)
+ pm_runtime_get_noresume(dev->dev);
+ } else {
+ ret = pm_runtime_get_sync(dev->dev);
+- if (ret < 0 && ret != -EACCES)
++ if (ret < 0 && ret != -EACCES) {
++ pm_runtime_put_autosuspend(dev->dev);
+ return conn_status;
++ }
+ }
+
+ nv_encoder = nouveau_connector_ddc_detect(connector);
+--
+2.25.1
+
diff --git a/queue-5.4/drm-nouveau-fix-reference-count-leak-in-nv50_disp_at.patch b/queue-5.4/drm-nouveau-fix-reference-count-leak-in-nv50_disp_at.patch
new file mode 100644
index 00000000000..11157dce88f
--- /dev/null
+++ b/queue-5.4/drm-nouveau-fix-reference-count-leak-in-nv50_disp_at.patch
@@ -0,0 +1,39 @@
+From 29b3d1eff463adf881faedef7ec29ef0bccf1652 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 20:29:18 -0500
+Subject: drm/nouveau: fix reference count leak in nv50_disp_atomic_commit
+
+From: Aditya Pakki
+
+[ Upstream commit a2cdf39536b0d21fb06113f5e16692513d7bcb9c ]
+
+nv50_disp_atomic_commit() calls calls pm_runtime_get_sync and in turn
+increments the reference count. In case of failure, decrement the
+ref count before returning the error.
+
+Signed-off-by: Aditya Pakki
+Signed-off-by: Ben Skeggs
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/dispnv50/disp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c
+index d735ea7e2d886..419a02260bfa7 100644
+--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
+@@ -2032,8 +2032,10 @@ nv50_disp_atomic_commit(struct drm_device *dev,
+ int ret, i;
+
+ ret = pm_runtime_get_sync(dev->dev);
+- if (ret < 0 && ret != -EACCES)
++ if (ret < 0 && ret != -EACCES) {
++ pm_runtime_put_autosuspend(dev->dev);
+ return ret;
++ }
+
+ ret = drm_atomic_helper_setup_commit(state, nonblock);
+ if (ret)
+--
+2.25.1
+
diff --git a/queue-5.4/drm-radeon-fix-multiple-reference-count-leak.patch b/queue-5.4/drm-radeon-fix-multiple-reference-count-leak.patch
new file mode 100644
index 00000000000..4053fef9212
--- /dev/null
+++ b/queue-5.4/drm-radeon-fix-multiple-reference-count-leak.patch
@@ -0,0 +1,87 @@
+From e89b176396c94c940d15cb11a6b0859a2b719d2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Jun 2020 20:55:39 -0500
+Subject: drm/radeon: fix multiple reference count leak
+
+From: Aditya Pakki
+
+[ Upstream commit 6f2e8acdb48ed166b65d47837c31b177460491ec ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+reference count before returning the error.
+
+Signed-off-by: Aditya Pakki
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/radeon_connectors.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
+index b684cd719612b..bc63f4cecf5d5 100644
+--- a/drivers/gpu/drm/radeon/radeon_connectors.c
++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
+@@ -883,8 +883,10 @@ radeon_lvds_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ if (encoder) {
+@@ -1029,8 +1031,10 @@ radeon_vga_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ encoder = radeon_best_single_encoder(connector);
+@@ -1167,8 +1171,10 @@ radeon_tv_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ encoder = radeon_best_single_encoder(connector);
+@@ -1251,8 +1257,10 @@ radeon_dvi_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ if (radeon_connector->detected_hpd_without_ddc) {
+@@ -1666,8 +1674,10 @@ radeon_dp_detect(struct drm_connector *connector, bool force)
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+- if (r < 0)
++ if (r < 0) {
++ pm_runtime_put_autosuspend(connector->dev->dev);
+ return connector_status_disconnected;
++ }
+ }
+
+ if (!force && radeon_check_hpd_status_unchanged(connector)) {
+--
+2.25.1
+
diff --git a/queue-5.4/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch b/queue-5.4/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch
new file mode 100644
index 00000000000..6e70748ac4f
--- /dev/null
+++ b/queue-5.4/edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch
@@ -0,0 +1,127 @@ +From a1927c61ef64c42f81cdfbca369a8935e2465521 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 14:25:11 -0400 +Subject: EDAC/ie31200: Fallback if host bridge device is already initialized + +From: Jason Baron + +[ Upstream commit 709ed1bcef12398ac1a35c149f3e582db04456c2 ] + +The Intel uncore driver may claim some of the pci ids from ie31200 which +means that the ie31200 edac driver will not initialize them as part of +pci_register_driver(). + +Let's add a fallback for this case to 'pci_get_device()' to get a +reference on the device such that it can still be configured. This is +similar in approach to other edac drivers. + +Signed-off-by: Jason Baron +Cc: Borislav Petkov +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/1594923911-10885-1-git-send-email-jbaron@akamai.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 50 ++++++++++++++++++++++++++++++++++--- + 1 file changed, 47 insertions(+), 3 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index d26300f9cb07d..9be43b4f9c506 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -170,6 +170,8 @@ + (n << (28 + (2 * skl) - PAGE_SHIFT)) + + static int nr_channels; ++static struct pci_dev *mci_pdev; ++static int ie31200_registered = 1; + + struct ie31200_priv { + void __iomem *window; +@@ -541,12 +543,16 @@ fail_free: + static int ie31200_init_one(struct pci_dev *pdev, + const struct pci_device_id *ent) + { +- edac_dbg(0, "MC:\n"); ++ int rc; + ++ edac_dbg(0, "MC:\n"); + if (pci_enable_device(pdev) < 0) + return -EIO; ++ rc = ie31200_probe1(pdev, ent->driver_data); ++ if (rc == 0 && !mci_pdev) ++ mci_pdev = pci_dev_get(pdev); + +- return ie31200_probe1(pdev, ent->driver_data); ++ return rc; + } + + static void ie31200_remove_one(struct pci_dev *pdev) +@@ -555,6 +561,8 @@ static void ie31200_remove_one(struct pci_dev *pdev) + struct ie31200_priv 
*priv; + + edac_dbg(0, "\n"); ++ pci_dev_put(mci_pdev); ++ mci_pdev = NULL; + mci = edac_mc_del_mc(&pdev->dev); + if (!mci) + return; +@@ -596,17 +604,53 @@ static struct pci_driver ie31200_driver = { + + static int __init ie31200_init(void) + { ++ int pci_rc, i; ++ + edac_dbg(3, "MC:\n"); + /* Ensure that the OPSTATE is set correctly for POLL or NMI */ + opstate_init(); + +- return pci_register_driver(&ie31200_driver); ++ pci_rc = pci_register_driver(&ie31200_driver); ++ if (pci_rc < 0) ++ goto fail0; ++ ++ if (!mci_pdev) { ++ ie31200_registered = 0; ++ for (i = 0; ie31200_pci_tbl[i].vendor != 0; i++) { ++ mci_pdev = pci_get_device(ie31200_pci_tbl[i].vendor, ++ ie31200_pci_tbl[i].device, ++ NULL); ++ if (mci_pdev) ++ break; ++ } ++ if (!mci_pdev) { ++ edac_dbg(0, "ie31200 pci_get_device fail\n"); ++ pci_rc = -ENODEV; ++ goto fail1; ++ } ++ pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]); ++ if (pci_rc < 0) { ++ edac_dbg(0, "ie31200 init fail\n"); ++ pci_rc = -ENODEV; ++ goto fail1; ++ } ++ } ++ return 0; ++ ++fail1: ++ pci_unregister_driver(&ie31200_driver); ++fail0: ++ pci_dev_put(mci_pdev); ++ ++ return pci_rc; + } + + static void __exit ie31200_exit(void) + { + edac_dbg(3, "MC:\n"); + pci_unregister_driver(&ie31200_driver); ++ if (!ie31200_registered) ++ ie31200_remove_one(mci_pdev); + } + + module_init(ie31200_init); +-- +2.25.1 + diff --git a/queue-5.4/f2fs-fix-error-path-in-do_recover_data.patch b/queue-5.4/f2fs-fix-error-path-in-do_recover_data.patch new file mode 100644 index 00000000000..5d1084306c4 --- /dev/null +++ b/queue-5.4/f2fs-fix-error-path-in-do_recover_data.patch 
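Review bot: In ie31200_remove_one() the new `pci_dev_put(mci_pdev); mci_pdev = NULL;` runs before `edac_mc_del_mc(&pdev->dev)`, so on the fallback path (ie31200_exit() passing mci_pdev) the function drops its own reference and then keeps using the device. The PCI core presumably still holds the device, so this is likely harmless in practice, but the put belongs after the last use of pdev, on both the `!mci` early return and the normal exit. Separately, ie31200_init() overwrites the return value of ie31200_init_one() with `pci_rc = -ENODEV;`, which hides the real error; dropping that assignment before `goto fail1;` would preserve it. ie31200_remove_one() continues outside the hunk.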
@@ -0,0 +1,163 @@ +From aeb615ded25a0f4e5a56636359ef4e26d3ca994a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 18:23:36 +0800 +Subject: f2fs: fix error path in do_recover_data() + +From: Chao Yu + +[ Upstream commit 9627a7b31f3c4ff8bc8f3be3683983ffe6eaebe6 ] + +- don't panic kernel if f2fs_get_node_page() fails in +f2fs_recover_inline_data() or f2fs_recover_inline_xattr(); +- return error number of f2fs_truncate_blocks() to +f2fs_recover_inline_data()'s caller; + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 4 ++-- + fs/f2fs/inline.c | 19 ++++++++++++------- + fs/f2fs/node.c | 6 ++++-- + fs/f2fs/recovery.c | 10 ++++++++-- + 4 files changed, 26 insertions(+), 13 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 03693d6b1c104..b3b7e63394be7 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3061,7 +3061,7 @@ bool f2fs_alloc_nid(struct f2fs_sb_info *sbi, nid_t *nid); + void f2fs_alloc_nid_done(struct f2fs_sb_info *sbi, nid_t nid); + void f2fs_alloc_nid_failed(struct f2fs_sb_info *sbi, nid_t nid); + int f2fs_try_to_free_nids(struct f2fs_sb_info *sbi, int nr_shrink); +-void f2fs_recover_inline_xattr(struct inode *inode, struct page *page); ++int f2fs_recover_inline_xattr(struct inode *inode, struct page *page); + int f2fs_recover_xattr_data(struct inode *inode, struct page *page); + int f2fs_recover_inode_page(struct f2fs_sb_info *sbi, struct page *page); + int f2fs_restore_node_summary(struct f2fs_sb_info *sbi, +@@ -3487,7 +3487,7 @@ int f2fs_read_inline_data(struct inode *inode, struct page *page); + int f2fs_convert_inline_page(struct dnode_of_data *dn, struct page *page); + int f2fs_convert_inline_inode(struct inode *inode); + int f2fs_write_inline_data(struct inode *inode, struct page *page); +-bool f2fs_recover_inline_data(struct inode *inode, struct page *npage); ++int f2fs_recover_inline_data(struct inode *inode, struct page *npage); + struct f2fs_dir_entry 
*f2fs_find_in_inline_dir(struct inode *dir, + struct fscrypt_name *fname, struct page **res_page); + int f2fs_make_empty_inline_dir(struct inode *inode, struct inode *parent, +diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c +index 896db0416f0e6..183388393c6a8 100644 +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -252,7 +252,7 @@ int f2fs_write_inline_data(struct inode *inode, struct page *page) + return 0; + } + +-bool f2fs_recover_inline_data(struct inode *inode, struct page *npage) ++int f2fs_recover_inline_data(struct inode *inode, struct page *npage) + { + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct f2fs_inode *ri = NULL; +@@ -274,7 +274,8 @@ bool f2fs_recover_inline_data(struct inode *inode, struct page *npage) + ri && (ri->i_inline & F2FS_INLINE_DATA)) { + process_inline: + ipage = f2fs_get_node_page(sbi, inode->i_ino); +- f2fs_bug_on(sbi, IS_ERR(ipage)); ++ if (IS_ERR(ipage)) ++ return PTR_ERR(ipage); + + f2fs_wait_on_page_writeback(ipage, NODE, true, true); + +@@ -287,21 +288,25 @@ process_inline: + + set_page_dirty(ipage); + f2fs_put_page(ipage, 1); +- return true; ++ return 1; + } + + if (f2fs_has_inline_data(inode)) { + ipage = f2fs_get_node_page(sbi, inode->i_ino); +- f2fs_bug_on(sbi, IS_ERR(ipage)); ++ if (IS_ERR(ipage)) ++ return PTR_ERR(ipage); + f2fs_truncate_inline_inode(inode, ipage, 0); + clear_inode_flag(inode, FI_INLINE_DATA); + f2fs_put_page(ipage, 1); + } else if (ri && (ri->i_inline & F2FS_INLINE_DATA)) { +- if (f2fs_truncate_blocks(inode, 0, false)) +- return false; ++ int ret; ++ ++ ret = f2fs_truncate_blocks(inode, 0, false); ++ if (ret) ++ return ret; + goto process_inline; + } +- return false; ++ return 0; + } + + struct f2fs_dir_entry *f2fs_find_in_inline_dir(struct inode *dir, +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 90a20bd129614..daeac4268c1ab 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -2512,7 +2512,7 @@ int f2fs_try_to_free_nids(struct f2fs_sb_info *sbi, int nr_shrink) + return nr - 
nr_shrink; + } + +-void f2fs_recover_inline_xattr(struct inode *inode, struct page *page) ++int f2fs_recover_inline_xattr(struct inode *inode, struct page *page) + { + void *src_addr, *dst_addr; + size_t inline_size; +@@ -2520,7 +2520,8 @@ void f2fs_recover_inline_xattr(struct inode *inode, struct page *page) + struct f2fs_inode *ri; + + ipage = f2fs_get_node_page(F2FS_I_SB(inode), inode->i_ino); +- f2fs_bug_on(F2FS_I_SB(inode), IS_ERR(ipage)); ++ if (IS_ERR(ipage)) ++ return PTR_ERR(ipage); + + ri = F2FS_INODE(page); + if (ri->i_inline & F2FS_INLINE_XATTR) { +@@ -2539,6 +2540,7 @@ void f2fs_recover_inline_xattr(struct inode *inode, struct page *page) + update_inode: + f2fs_update_inode(inode, ipage); + f2fs_put_page(ipage, 1); ++ return 0; + } + + int f2fs_recover_xattr_data(struct inode *inode, struct page *page) +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index 783773e4560de..5f230e981c483 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -514,7 +514,9 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode, + + /* step 1: recover xattr */ + if (IS_INODE(page)) { +- f2fs_recover_inline_xattr(inode, page); ++ err = f2fs_recover_inline_xattr(inode, page); ++ if (err) ++ goto out; + } else if (f2fs_has_xattr_block(ofs_of_node(page))) { + err = f2fs_recover_xattr_data(inode, page); + if (!err) +@@ -523,8 +525,12 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode, + } + + /* step 2: recover inline data */ +- if (f2fs_recover_inline_data(inode, page)) ++ err = f2fs_recover_inline_data(inode, page); ++ if (err) { ++ if (err == 1) ++ err = 0; + goto out; ++ } + + /* step 3: recover data indices */ + start = f2fs_start_bidx_of_node(ofs_of_node(page), inode); +-- +2.25.1 + diff --git a/queue-5.4/f2fs-fix-use-after-free-issue.patch b/queue-5.4/f2fs-fix-use-after-free-issue.patch new file mode 100644 index 00000000000..92401819538 --- /dev/null +++ b/queue-5.4/f2fs-fix-use-after-free-issue.patch 
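Review bot: f2fs_recover_inline_data() now returns a negative errno, 0 or 1, and the meaning of 1 is only discoverable from the `if (err == 1) err = 0;` special case in do_recover_data(). A comment above the definition in fs/f2fs/inline.c would make the contract explicit, for example `/* Returns <0 on error, 1 if inline data was recovered (caller skips data-index recovery), 0 otherwise. */`. Without it, a future caller that tests `if (ret)` as an error check would treat the success value 1 as a failure. The bodies of f2fs_recover_inline_data() and do_recover_data() extend outside the hunks shown.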
@@ -0,0 +1,50 @@ +From 408e20571f4823d7239e307ae8b47643af7c4e06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 09:38:11 +0800 +Subject: f2fs: fix use-after-free issue + +From: Li Guifu + +[ Upstream commit 99c787cfd2bd04926f1f553b30bd7dcea2caaba1 ] + +During umount, f2fs_put_super() unregisters procfs entries after +f2fs_destroy_segment_manager(), it may cause use-after-free +issue when umount races with procfs accessing, fix it by relocating +f2fs_unregister_sysfs(). + +[Chao Yu: change commit title/message a bit] + +Signed-off-by: Li Guifu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index f4b882ee48ddf..fa461db696e79 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1075,6 +1075,9 @@ static void f2fs_put_super(struct super_block *sb) + int i; + bool dropped; + ++ /* unregister procfs/sysfs entries in advance to avoid race case */ ++ f2fs_unregister_sysfs(sbi); ++ + f2fs_quota_off_umount(sb); + + /* prevent remaining shrinker jobs */ +@@ -1138,8 +1141,6 @@ static void f2fs_put_super(struct super_block *sb) + + kvfree(sbi->ckpt); + +- f2fs_unregister_sysfs(sbi); +- + sb->s_fs_info = NULL; + if (sbi->s_chksum_driver) + crypto_free_shash(sbi->s_chksum_driver); +-- +2.25.1 + diff --git a/queue-5.4/hid-quirks-add-noget-quirk-for-logitech-group.patch b/queue-5.4/hid-quirks-add-noget-quirk-for-logitech-group.patch new file mode 100644 index 00000000000..a841d9e430c --- /dev/null +++ b/queue-5.4/hid-quirks-add-noget-quirk-for-logitech-group.patch 
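Review bot: The new comment `unregister procfs/sysfs entries in advance to avoid race case` does not say what the call must precede, so a later reordering of f2fs_put_super() could silently reintroduce the use-after-free. According to the commit message, f2fs_unregister_sysfs() has to run before f2fs_destroy_segment_manager(). I would state that in the comment: `/* must precede f2fs_destroy_segment_manager(): procfs/sysfs readers can still touch state it frees */`. The destroy call is outside the hunk, so this ordering is taken from the description rather than from the visible code.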
@@ -0,0 +1,52 @@ +From 58d2fb1ade794ed85ecd93f159651728ab423f45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 14:54:09 +0800 +Subject: HID: quirks: add NOGET quirk for Logitech GROUP + +From: Ikjoon Jang + +[ Upstream commit 68f775ddd2a6f513e225f9a565b054ab48fef142 ] + +Add HID_QUIRK_NOGET for Logitech GROUP device. + +Logitech GROUP is a compound with camera and audio. +When the HID interface in an audio device is requested to get +specific report id, all following control transfers are stalled +and never be restored back. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=203419 +Signed-off-by: Ikjoon Jang +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 73e4590ea9c94..09df5ecc2c79b 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -771,6 +771,7 @@ + #define USB_DEVICE_ID_LOGITECH_G27_WHEEL 0xc29b + #define USB_DEVICE_ID_LOGITECH_WII_WHEEL 0xc29c + #define USB_DEVICE_ID_LOGITECH_ELITE_KBD 0xc30a ++#define USB_DEVICE_ID_LOGITECH_GROUP_AUDIO 0x0882 + #define USB_DEVICE_ID_S510_RECEIVER 0xc50c + #define USB_DEVICE_ID_S510_RECEIVER_2 0xc517 + #define USB_DEVICE_ID_LOGITECH_CORDLESS_DESKTOP_LX500 0xc512 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index a49fa2b047cba..b3dd60897ffda 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -179,6 +179,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_WISEGROUP_LTD2, USB_DEVICE_ID_SMARTJOY_DUAL_PLUS), HID_QUIRK_NOGET | HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_WISEGROUP, USB_DEVICE_ID_QUAD_USB_JOYPAD), HID_QUIRK_NOGET | HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE), HID_QUIRK_MULTI_INPUT }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, 
USB_DEVICE_ID_LOGITECH_GROUP_AUDIO), HID_QUIRK_NOGET }, + + { 0 } + }; +-- +2.25.1 + diff --git a/queue-5.4/hugetlbfs-prevent-filesystem-stacking-of-hugetlbfs.patch b/queue-5.4/hugetlbfs-prevent-filesystem-stacking-of-hugetlbfs.patch new file mode 100644 index 00000000000..edba33beb83 --- /dev/null +++ b/queue-5.4/hugetlbfs-prevent-filesystem-stacking-of-hugetlbfs.patch 
@@ -0,0 +1,52 @@ +From 964d4e1da596f467dbc466a6241037c8167ff13d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 18:31:35 -0700 +Subject: hugetlbfs: prevent filesystem stacking of hugetlbfs + +From: Mike Kravetz + +[ Upstream commit 15568299b7d9988063afce60731df605ab236e2a ] + +syzbot found issues with having hugetlbfs on a union/overlay as reported +in [1]. Due to the limitations (no write) and special functionality of +hugetlbfs, it does not work well in filesystem stacking. There are no +know use cases for hugetlbfs stacking. Rather than making modifications +to get hugetlbfs working in such environments, simply prevent stacking. + +[1] https://lore.kernel.org/linux-mm/000000000000b4684e05a2968ca6@google.com/ + +Reported-by: syzbot+d6ec23007e951dadf3de@syzkaller.appspotmail.com +Suggested-by: Amir Goldstein +Signed-off-by: Mike Kravetz +Signed-off-by: Andrew Morton +Acked-by: Miklos Szeredi +Cc: Al Viro +Cc: Matthew Wilcox +Cc: Colin Walters +Link: http://lkml.kernel.org/r/80f869aa-810d-ef6c-8888-b46cee135907@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hugetlbfs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index 40306c1eab07c..5fff7cb3582f0 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -1284,6 +1284,12 @@ hugetlbfs_fill_super(struct super_block *sb, struct fs_context *fc) + sb->s_magic = HUGETLBFS_MAGIC; + sb->s_op = &hugetlbfs_ops; + sb->s_time_gran = 1; ++ ++ /* ++ * Due to the special and limited functionality of hugetlbfs, it does ++ * not work well as a stacking filesystem. ++ */ ++ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH; + sb->s_root = d_make_root(hugetlbfs_get_root(sb, ctx)); + if (!sb->s_root) + goto out_free; +-- +2.25.1 + diff --git a/queue-5.4/iommu-iova-don-t-bug-on-invalid-pfns.patch b/queue-5.4/iommu-iova-don-t-bug-on-invalid-pfns.patch new file mode 100644 index 00000000000..fb606683f17 
--- /dev/null +++ b/queue-5.4/iommu-iova-don-t-bug-on-invalid-pfns.patch @@ -0,0 +1,50 @@ +From d6c6df69fbed00dc124bf7ae3cd0e1f6f73483b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 14:08:18 +0100 +Subject: iommu/iova: Don't BUG on invalid PFNs + +From: Robin Murphy + +[ Upstream commit d3e3d2be688b4b5864538de61e750721a311e4fc ] + +Unlike the other instances which represent a complete loss of +consistency within the rcache mechanism itself, or a fundamental +and obvious misconfiguration by an IOMMU driver, the BUG_ON() in +iova_magazine_free_pfns() can be provoked at more or less any time +in a "spooky action-at-a-distance" manner by any old device driver +passing nonsense to dma_unmap_*() which then propagates through to +queue_iova(). + +Not only is this well outside the IOVA layer's control, it's also +nowhere near fatal enough to justify panicking anyway - all that +really achieves is to make debugging the offending driver more +difficult. Let's simply WARN and otherwise ignore bogus PFNs. + +Reported-by: Prakash Gupta +Signed-off-by: Robin Murphy +Reviewed-by: Prakash Gupta +Link: https://lore.kernel.org/r/acbd2d092b42738a03a21b417ce64e27f8c91c86.1591103298.git.robin.murphy@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iova.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c +index 0e6a9536eca62..612cbf668adf8 100644 +--- a/drivers/iommu/iova.c ++++ b/drivers/iommu/iova.c +@@ -811,7 +811,9 @@ iova_magazine_free_pfns(struct iova_magazine *mag, struct iova_domain *iovad) + for (i = 0 ; i < mag->size; ++i) { + struct iova *iova = private_find_iova(iovad, mag->pfns[i]); + +- BUG_ON(!iova); ++ if (WARN_ON(!iova)) ++ continue; ++ + private_free_iova(iovad, iova); + } + +-- +2.25.1 + 
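Review bot: `if (WARN_ON(!iova)) continue;` sits inside the per-PFN loop of iova_magazine_free_pfns(), so it emits a full backtrace for every bogus entry, and the commit message says any driver passing bad values to dma_unmap_*() can trigger it. On a system configured to panic on warnings this remains fatal, and elsewhere a misbehaving driver can flood the log. `if (WARN_ON_ONCE(!iova)) continue;` keeps the diagnostic while bounding the noise. The function body continues outside the hunk.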
diff --git a/queue-5.4/locking-lockdep-fix-overflow-in-presentation-of-aver.patch b/queue-5.4/locking-lockdep-fix-overflow-in-presentation-of-aver.patch new file mode 100644 index 00000000000..f8a122f21f8 --- /dev/null +++ b/queue-5.4/locking-lockdep-fix-overflow-in-presentation-of-aver.patch @@ -0,0 +1,42 @@ +From 6c7582b2ed835b5e2e1b17e25abe6e457eb6c843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 19:51:10 +0100 +Subject: locking/lockdep: Fix overflow in presentation of average lock-time + +From: Chris Wilson + +[ Upstream commit a7ef9b28aa8d72a1656fa6f0a01bbd1493886317 ] + +Though the number of lock-acquisitions is tracked as unsigned long, this +is passed as the divisor to div_s64() which interprets it as a s32, +giving nonsense values with more than 2 billion acquisitons. E.g. + + acquisitions holdtime-min holdtime-max holdtime-total holdtime-avg + ------------------------------------------------------------------------- + 2350439395 0.07 353.38 649647067.36 0.-32 + +Signed-off-by: Chris Wilson +Signed-off-by: Ingo Molnar +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20200725185110.11588-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep_proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c +index 9bb6d2497b040..581f818181386 100644 +--- a/kernel/locking/lockdep_proc.c ++++ b/kernel/locking/lockdep_proc.c +@@ -400,7 +400,7 @@ static void seq_lock_time(struct seq_file *m, struct lock_time *lt) + seq_time(m, lt->min); + seq_time(m, lt->max); + seq_time(m, lt->total); +- seq_time(m, lt->nr ? div_s64(lt->total, lt->nr) : 0); ++ seq_time(m, lt->nr ? div64_u64(lt->total, lt->nr) : 0); + } + + static void seq_stats(struct seq_file *m, struct lock_stat_data *data) +-- +2.25.1 + 
diff --git a/queue-5.4/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch b/queue-5.4/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch new file mode 100644 index 00000000000..ea49239e681 --- /dev/null +++ b/queue-5.4/media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch 
@@ -0,0 +1,52 @@ +From 887eb3c712dbc0f08fb60a21927cbbae135ba78e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 16:42:08 +0200 +Subject: media: pci: ttpci: av7110: fix possible buffer overflow caused by bad + DMA value in debiirq() + +From: Jia-Ju Bai + +[ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ] + +The value av7110->debi_virt is stored in DMA memory, and it is assigned +to data, and thus data[0] can be modified at any time by malicious +hardware. In this case, "if (data[0] < 2)" can be passed, but then +data[0] can be changed into a large number, which may cause buffer +overflow when the code "av7110->ci_slot[data[0]]" is used. + +To fix this possible bug, data[0] is assigned to a local variable, which +replaces the use of data[0]. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ttpci/av7110.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c +index d0cdee1c6eb0b..bf36b1e22b635 100644 +--- a/drivers/media/pci/ttpci/av7110.c ++++ b/drivers/media/pci/ttpci/av7110.c +@@ -406,14 +406,15 @@ static void debiirq(unsigned long cookie) + case DATA_CI_GET: + { + u8 *data = av7110->debi_virt; ++ u8 data_0 = data[0]; + +- if ((data[0] < 2) && data[2] == 0xff) { ++ if (data_0 < 2 && data[2] == 0xff) { + int flags = 0; + if (data[5] > 0) + flags |= CA_CI_MODULE_PRESENT; + if (data[5] > 5) + flags |= CA_CI_MODULE_READY; +- av7110->ci_slot[data[0]].flags = flags; ++ av7110->ci_slot[data_0].flags = flags; + } else + ci_get_data(&av7110->ci_rbuffer, + av7110->debi_virt, +-- +2.25.1 + diff --git a/queue-5.4/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch b/queue-5.4/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch new file mode 100644 index 00000000000..7b82c0c6a1f --- /dev/null 
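Review bot: `u8 data_0 = data[0];` is a plain load from the DMA buffer, so the compiler may re-read data[0] for the bounds check and again for the index, which would leave the double fetch in place. `u8 data_0 = READ_ONCE(data[0]);` forces a single read and makes the intent visible. data[5] is also still read twice from device-writable memory when the flags are computed; that cannot go out of bounds, but the two tests can disagree, so it deserves the same snapshot treatment. debiirq() continues outside the hunk.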
+++ b/queue-5.4/mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch @@ -0,0 +1,36 @@ +From 32e091b54fe3ddf996f948a1f4b0da68af5d5d63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 19:10:32 +0300 +Subject: mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs + +From: Andy Shevchenko + +[ Upstream commit 3ea2e4eab64cefa06055bb0541fcdedad4b48565 ] + +Intel Emmitsburg PCH has the same LPSS than Intel Ice Lake. +Add the new IDs to the list of supported devices. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/intel-lpss-pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mfd/intel-lpss-pci.c b/drivers/mfd/intel-lpss-pci.c +index b33030e3385c7..bc0f3c22021b7 100644 +--- a/drivers/mfd/intel-lpss-pci.c ++++ b/drivers/mfd/intel-lpss-pci.c +@@ -196,6 +196,9 @@ static const struct pci_device_id intel_lpss_pci_ids[] = { + { PCI_VDEVICE(INTEL, 0x1ac4), (kernel_ulong_t)&bxt_info }, + { PCI_VDEVICE(INTEL, 0x1ac6), (kernel_ulong_t)&bxt_info }, + { PCI_VDEVICE(INTEL, 0x1aee), (kernel_ulong_t)&bxt_uart_info }, ++ /* EBG */ ++ { PCI_VDEVICE(INTEL, 0x1bad), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x1bae), (kernel_ulong_t)&bxt_uart_info }, + /* GLK */ + { PCI_VDEVICE(INTEL, 0x31ac), (kernel_ulong_t)&glk_i2c_info }, + { PCI_VDEVICE(INTEL, 0x31ae), (kernel_ulong_t)&glk_i2c_info }, +-- +2.25.1 + diff --git a/queue-5.4/mfd-intel-lpss-add-intel-tiger-lake-pch-h-pci-ids.patch b/queue-5.4/mfd-intel-lpss-add-intel-tiger-lake-pch-h-pci-ids.patch new file mode 100644 index 00000000000..ea6a99a25df --- /dev/null +++ b/queue-5.4/mfd-intel-lpss-add-intel-tiger-lake-pch-h-pci-ids.patch 
@@ -0,0 +1,49 @@ +From 4f7d50a90bef01763ccbd374e8deb378c292ffef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 16:10:36 +0300 +Subject: mfd: intel-lpss: Add Intel Tiger Lake PCH-H PCI IDs + +From: Andy Shevchenko + +[ Upstream commit bb7fcad48d3804d814b97c785514e2d1657e157f ] + +Intel Tiger Lake PCH-H has the same LPSS than Intel Broxton. +Add the new IDs to the list of supported devices. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/intel-lpss-pci.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/mfd/intel-lpss-pci.c b/drivers/mfd/intel-lpss-pci.c +index bc0f3c22021b7..da91965b8f7b2 100644 +--- a/drivers/mfd/intel-lpss-pci.c ++++ b/drivers/mfd/intel-lpss-pci.c +@@ -228,6 +228,22 @@ static const struct pci_device_id intel_lpss_pci_ids[] = { + { PCI_VDEVICE(INTEL, 0x34ea), (kernel_ulong_t)&bxt_i2c_info }, + { PCI_VDEVICE(INTEL, 0x34eb), (kernel_ulong_t)&bxt_i2c_info }, + { PCI_VDEVICE(INTEL, 0x34fb), (kernel_ulong_t)&spt_info }, ++ /* TGL-H */ ++ { PCI_VDEVICE(INTEL, 0x43a7), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x43a8), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x43a9), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x43aa), (kernel_ulong_t)&bxt_info }, ++ { PCI_VDEVICE(INTEL, 0x43ab), (kernel_ulong_t)&bxt_info }, ++ { PCI_VDEVICE(INTEL, 0x43ad), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x43ae), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x43d8), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x43da), (kernel_ulong_t)&bxt_uart_info }, ++ { PCI_VDEVICE(INTEL, 0x43e8), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x43e9), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x43ea), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x43eb), (kernel_ulong_t)&bxt_i2c_info }, ++ { PCI_VDEVICE(INTEL, 0x43fb), (kernel_ulong_t)&bxt_info }, ++ { 
PCI_VDEVICE(INTEL, 0x43fd), (kernel_ulong_t)&bxt_info }, + /* EHL */ + { PCI_VDEVICE(INTEL, 0x4b28), (kernel_ulong_t)&bxt_uart_info }, + { PCI_VDEVICE(INTEL, 0x4b29), (kernel_ulong_t)&bxt_uart_info }, +-- +2.25.1 + diff --git a/queue-5.4/mips-vdso-fix-resource-leaks-in-genvdso.c.patch b/queue-5.4/mips-vdso-fix-resource-leaks-in-genvdso.c.patch new file mode 100644 index 00000000000..b1418de724e --- /dev/null +++ b/queue-5.4/mips-vdso-fix-resource-leaks-in-genvdso.c.patch 
@@ -0,0 +1,98 @@ +From eccae758a4a746e33468933c41942da69180fe6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 20:30:18 +0800 +Subject: mips/vdso: Fix resource leaks in genvdso.c + +From: Peng Fan + +[ Upstream commit a859647b4e6bfeb192284d27d24b6a0c914cae1d ] + +Close "fd" before the return of map_vdso() and close "out_file" +in main(). + +Signed-off-by: Peng Fan +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/vdso/genvdso.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/mips/vdso/genvdso.c b/arch/mips/vdso/genvdso.c +index b66b6b1c4aeb9..8f581a2c8578b 100644 +--- a/arch/mips/vdso/genvdso.c ++++ b/arch/mips/vdso/genvdso.c +@@ -122,6 +122,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (fstat(fd, &stat) != 0) { + fprintf(stderr, "%s: Failed to stat '%s': %s\n", program_name, + path, strerror(errno)); ++ close(fd); + return NULL; + } + +@@ -130,6 +131,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (addr == MAP_FAILED) { + fprintf(stderr, "%s: Failed to map '%s': %s\n", program_name, + path, strerror(errno)); ++ close(fd); + return NULL; + } + +@@ -139,6 +141,7 @@ static void *map_vdso(const char *path, size_t *_size) + if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0) { + fprintf(stderr, "%s: '%s' is not an ELF file\n", program_name, + path); ++ close(fd); + return NULL; + } + +@@ -150,6 +153,7 @@ static void *map_vdso(const char *path, size_t *_size) + default: + fprintf(stderr, "%s: '%s' has invalid ELF class\n", + program_name, path); ++ close(fd); + return NULL; + } + +@@ -161,6 +165,7 @@ static void *map_vdso(const char *path, size_t *_size) + default: + fprintf(stderr, "%s: '%s' has invalid ELF data order\n", + program_name, path); ++ close(fd); + return NULL; + } + +@@ -168,15 +173,18 @@ static void *map_vdso(const char *path, size_t *_size) + fprintf(stderr, + "%s: '%s' has invalid ELF machine (expected EM_MIPS)\n", + program_name, path); ++ 
close(fd); + return NULL; + } else if (swap_uint16(ehdr->e_type) != ET_DYN) { + fprintf(stderr, + "%s: '%s' has invalid ELF type (expected ET_DYN)\n", + program_name, path); ++ close(fd); + return NULL; + } + + *_size = stat.st_size; ++ close(fd); + return addr; + } + +@@ -280,10 +288,12 @@ int main(int argc, char **argv) + /* Calculate and write symbol offsets to */ + if (!get_symbols(dbg_vdso_path, dbg_vdso)) { + unlink(out_path); ++ fclose(out_file); + return EXIT_FAILURE; + } + + fprintf(out_file, "};\n"); ++ fclose(out_file); + + return EXIT_SUCCESS; + } +-- +2.25.1 + diff --git a/queue-5.4/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch b/queue-5.4/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch new file mode 100644 index 00000000000..a05f35c9b1a --- /dev/null +++ b/queue-5.4/omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch 
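Review bot: The `fclose(out_file);` added on the success path of main() ignores its return value, so a failed flush of the generated file is still reported as EXIT_SUCCESS. Checking it closes that gap: `if (fclose(out_file) != 0) { unlink(out_path); return EXIT_FAILURE; }`. In map_vdso() the descriptor is no longer needed once mmap() has returned, so a single `close(fd);` directly after the mmap() call would replace the copies added on every later return. Both functions extend outside the hunks shown.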
@@ -0,0 +1,145 @@ +From 124dfd7d9d2b6bae739196fce4988217dfc3ee37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 22:05:18 -0500 +Subject: omapfb: fix multiple reference count leaks due to pm_runtime_get_sync + +From: Aditya Pakki + +[ Upstream commit 78c2ce9bde70be5be7e3615a2ae7024ed8173087 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Aditya Pakki +Cc: kjlu@umn.edu +Cc: wu000273@umn.edu +Cc: Allison Randal +Cc: Thomas Gleixner +Cc: Enrico Weigelt +cc: "Andrew F. Davis" +Cc: Tomi Valkeinen +Cc: Alexios Zavras +Cc: Greg Kroah-Hartman +Cc: YueHaibing +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200614030528.128064-1-pakki001@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 7 +++++-- + drivers/video/fbdev/omap2/omapfb/dss/dsi.c | 7 +++++-- + drivers/video/fbdev/omap2/omapfb/dss/dss.c | 7 +++++-- + drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c | 5 +++-- + drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c | 5 +++-- + drivers/video/fbdev/omap2/omapfb/dss/venc.c | 7 +++++-- + 6 files changed, 26 insertions(+), 12 deletions(-) + +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c +index 376ee5bc3ddc9..34e8171856e95 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c +@@ -520,8 +520,11 @@ int dispc_runtime_get(void) + DSSDBG("dispc_runtime_get\n"); + + r = pm_runtime_get_sync(&dispc.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? 
r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dispc.pdev->dev); ++ return r; ++ } ++ return 0; + } + EXPORT_SYMBOL(dispc_runtime_get); + +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c +index d620376216e1d..6f9c25fec9946 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dsi.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dsi.c +@@ -1137,8 +1137,11 @@ static int dsi_runtime_get(struct platform_device *dsidev) + DSSDBG("dsi_runtime_get\n"); + + r = pm_runtime_get_sync(&dsi->pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dsi->pdev->dev); ++ return r; ++ } ++ return 0; + } + + static void dsi_runtime_put(struct platform_device *dsidev) +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss.c b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +index bfc5c4c5a26ad..a6b1c1598040d 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c +@@ -768,8 +768,11 @@ int dss_runtime_get(void) + DSSDBG("dss_runtime_get\n"); + + r = pm_runtime_get_sync(&dss.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? 
r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&dss.pdev->dev); ++ return r; ++ } ++ return 0; + } + + void dss_runtime_put(void) +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c b/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c +index 7060ae56c062c..4804aab342981 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c +@@ -39,9 +39,10 @@ static int hdmi_runtime_get(void) + DSSDBG("hdmi_runtime_get\n"); + + r = pm_runtime_get_sync(&hdmi.pdev->dev); +- WARN_ON(r < 0); +- if (r < 0) ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&hdmi.pdev->dev); + return r; ++ } + + return 0; + } +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c b/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c +index ac49531e47327..a06b6f1355bdb 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c +@@ -43,9 +43,10 @@ static int hdmi_runtime_get(void) + DSSDBG("hdmi_runtime_get\n"); + + r = pm_runtime_get_sync(&hdmi.pdev->dev); +- WARN_ON(r < 0); +- if (r < 0) ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&hdmi.pdev->dev); + return r; ++ } + + return 0; + } +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/venc.c b/drivers/video/fbdev/omap2/omapfb/dss/venc.c +index f81e2a46366dd..3717dac3dcc83 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/venc.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/venc.c +@@ -391,8 +391,11 @@ static int venc_runtime_get(void) + DSSDBG("venc_runtime_get\n"); + + r = pm_runtime_get_sync(&venc.pdev->dev); +- WARN_ON(r < 0); +- return r < 0 ? r : 0; ++ if (WARN_ON(r < 0)) { ++ pm_runtime_put_sync(&venc.pdev->dev); ++ return r; ++ } ++ return 0; + } + + static void venc_runtime_put(void) +-- +2.25.1 + diff --git a/queue-5.4/pci-fix-pci_create_slot-reference-count-leak.patch b/queue-5.4/pci-fix-pci_create_slot-reference-count-leak.patch new file mode 100644 index 00000000000..cf2e4537dac --- /dev/null 
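Review bot: The failure branch in dispc_runtime_get() calls `pm_runtime_put_sync()`, which does more than undo the usage-count increment: it can also run the idle path synchronously on a device whose resume has just failed. `pm_runtime_put_noidle(&dispc.pdev->dev);` only drops the count, which is all the leak fix needs. The same substitution applies to dsi_runtime_get(), dss_runtime_get(), both hdmi_runtime_get() copies and venc_runtime_get().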
+++ b/queue-5.4/pci-fix-pci_create_slot-reference-count-leak.patch @@ -0,0 +1,59 @@ +From 02676251fa770ee3ddc82e49d6ccc9dde9621f27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 21:13:22 -0500 +Subject: PCI: Fix pci_create_slot() reference count leak + +From: Qiushi Wu + +[ Upstream commit 8a94644b440eef5a7b9c104ac8aa7a7f413e35e5 ] + +kobject_init_and_add() takes a reference even when it fails. If it returns +an error, kobject_put() must be called to clean up the memory associated +with the object. + +When kobject_init_and_add() fails, call kobject_put() instead of kfree(). + +b8eb718348b8 ("net-sysfs: Fix reference count leak in +rx|netdev_queue_add_kobject") fixed a similar problem. + +Link: https://lore.kernel.org/r/20200528021322.1984-1-wu000273@umn.edu +Signed-off-by: Qiushi Wu +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/slot.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/slot.c b/drivers/pci/slot.c +index ae4aa0e1f2f42..1f087746b7bb0 100644 +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -304,13 +304,16 @@ placeholder: + slot_name = make_slot_name(name); + if (!slot_name) { + err = -ENOMEM; ++ kfree(slot); + goto err; + } + + err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL, + "%s", slot_name); +- if (err) ++ if (err) { ++ kobject_put(&slot->kobj); + goto err; ++ } + + INIT_LIST_HEAD(&slot->list); + list_add(&slot->list, &parent->slots); +@@ -329,7 +332,6 @@ out: + mutex_unlock(&pci_slot_mutex); + return slot; + err: +- kfree(slot); + slot = ERR_PTR(err); + goto out; + } +-- +2.25.1 + diff --git a/queue-5.4/powerpc-xive-ignore-kmemleak-false-positives.patch b/queue-5.4/powerpc-xive-ignore-kmemleak-false-positives.patch new file mode 100644 index 00000000000..8c1f2727598 --- /dev/null +++ b/queue-5.4/powerpc-xive-ignore-kmemleak-false-positives.patch 
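Review bot: Switching the kobject_init_and_add() failure path to `kobject_put(&slot->kobj);` means the ktype's release callback now runs on a slot whose `INIT_LIST_HEAD(&slot->list);` has not executed yet, because that initialisation sits after the error check. The release function is not shown here, so please confirm it does not touch `slot->list`; if it does, it would operate on an uninitialised list head. Moving `INIT_LIST_HEAD(&slot->list);` above the kobject_init_and_add() call removes the dependency either way. The enclosing function starts and ends outside the hunk.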
@@ -0,0 +1,63 @@
+From 0a6528ecdcd851fea6fccd8bb6c30855305c4168 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Jun 2020 14:33:03 +1000
+Subject: powerpc/xive: Ignore kmemleak false positives
+
+From: Alexey Kardashevskiy
+
+[ Upstream commit f0993c839e95dd6c7f054a1015e693c87e33e4fb ]
+
+xive_native_provision_pages() allocates memory and passes the pointer to
+OPAL so kmemleak cannot find the pointer usage in the kernel memory and
+produces a false positive report (below) (even if the kernel did scan
+OPAL memory, it is unable to deal with __pa() addresses anyway).
+
+This silences the warning.
+
+unreferenced object 0xc000200350c40000 (size 65536):
+ comm "qemu-system-ppc", pid 2725, jiffies 4294946414 (age 70776.530s)
+ hex dump (first 32 bytes):
+ 02 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 ....P...........
+ 01 00 08 07 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000081ff046c>] xive_native_alloc_vp_block+0x120/0x250
+ [<00000000d555d524>] kvmppc_xive_compute_vp_id+0x248/0x350 [kvm]
+ [<00000000d69b9c9f>] kvmppc_xive_connect_vcpu+0xc0/0x520 [kvm]
+ [<000000006acbc81c>] kvm_arch_vcpu_ioctl+0x308/0x580 [kvm]
+ [<0000000089c69580>] kvm_vcpu_ioctl+0x19c/0xae0 [kvm]
+ [<00000000902ae91e>] ksys_ioctl+0x184/0x1b0
+ [<00000000f3e68bd7>] sys_ioctl+0x48/0xb0
+ [<0000000001b2c127>] system_call_exception+0x124/0x1f0
+ [<00000000d2b2ee40>] system_call_common+0xe8/0x214
+
+Signed-off-by: Alexey Kardashevskiy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20200612043303.84894-1-aik@ozlabs.ru
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/sysdev/xive/native.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/xive/native.c b/arch/powerpc/sysdev/xive/native.c
+index 50e1a8e02497d..3fd086533dcfc 100644
+--- a/arch/powerpc/sysdev/xive/native.c
++++ b/arch/powerpc/sysdev/xive/native.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -646,6 +647,7 @@ static bool xive_native_provision_pages(void)
+ pr_err("Failed to allocate provisioning page\n");
+ return false;
+ }
++ kmemleak_ignore(p);
+ opal_xive_donate_page(chip, __pa(p));
+ }
+ return true;
+--
+2.25.1
+
diff --git a/queue-5.4/rtlwifi-rtl8192cu-prevent-leaking-urb.patch b/queue-5.4/rtlwifi-rtl8192cu-prevent-leaking-urb.patch
new file mode 100644
index 00000000000..ed88caadad4
--- /dev/null
+++ b/queue-5.4/rtlwifi-rtl8192cu-prevent-leaking-urb.patch
@@ -0,0 +1,40 @@
+From 02adf5eba65cfee5536ffc451a19cc063def848b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Jun 2020 15:21:12 +0200
+Subject: rtlwifi: rtl8192cu: Prevent leaking urb
+
+From: Reto Schneider
+
+[ Upstream commit 03128643eb5453a798db5770952c73dc64fcaf00 ]
+
+If usb_submit_urb fails the allocated urb should be unanchored and
+released.
+
+Signed-off-by: Reto Schneider
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200622132113.14508-3-code@reto-schneider.ch
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index c66c6dc003783..bad06939a247c 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -718,8 +718,11 @@ static int _rtl_usb_receive(struct ieee80211_hw *hw)
+
+ usb_anchor_urb(urb, &rtlusb->rx_submitted);
+ err = usb_submit_urb(urb, GFP_KERNEL);
+- if (err)
++ if (err) {
++ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ goto err_out;
++ }
+ usb_free_urb(urb);
+ }
+ return 0;
+--
+2.25.1
+
diff --git a/queue-5.4/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch b/queue-5.4/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch
new file mode 100644
index 00000000000..07d195f35bf
--- /dev/null
+++ b/queue-5.4/scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch
@@ -0,0 +1,44 @@
+From 9fd412d26fce746ebd9ec26ca3c136d82e190904 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Jul 2020 01:18:24 -0700
+Subject: scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
+
+From: Javed Hasan
+
+[ Upstream commit e95b4789ff4380733006836d28e554dc296b2298 ]
+
+In fcoe_sysfs_fcf_del(), we first deleted the fcf from the list and then
+freed it if ctlr_dev was not NULL. This was causing a memory leak.
+
+Free the fcf even if ctlr_dev is NULL.
+
+Link: https://lore.kernel.org/r/20200729081824.30996-3-jhasan@marvell.com
+Reviewed-by: Girish Basrur
+Reviewed-by: Santosh Vernekar
+Reviewed-by: Saurav Kashyap
+Reviewed-by: Shyam Sundar
+Signed-off-by: Javed Hasan
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c
+index 1791a393795da..07a0dadc75bf5 100644
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -255,9 +255,9 @@ static void fcoe_sysfs_fcf_del(struct fcoe_fcf *new)
+ WARN_ON(!fcf_dev);
+ new->fcf_dev = NULL;
+ fcoe_fcf_device_delete(fcf_dev);
+- kfree(new);
+ mutex_unlock(&cdev->lock);
+ }
++ kfree(new);
+ }
+
+ /**
+--
+2.25.1
+
diff --git a/queue-5.4/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch b/queue-5.4/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch
new file mode 100644
index 00000000000..548d0f4704e
--- /dev/null
+++ b/queue-5.4/scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch
@@ -0,0 +1,37 @@
+From 0ac4619d1ebfcc1bd4756ae8cb78f1a95eccc57c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Jun 2020 16:12:26 +0800
+Subject: scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
+
+From: Jing Xiangfeng
+
+[ Upstream commit 68e12e5f61354eb42cfffbc20a693153fc39738e ]
+
+If scsi_host_lookup() fails we will jump to put_host which may cause a
+panic. Jump to exit_set_fnode instead.
+
+Link: https://lore.kernel.org/r/20200615081226.183068-1-jingxiangfeng@huawei.com
+Reviewed-by: Mike Christie
+Signed-off-by: Jing Xiangfeng
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index a5c78b38d3022..dbad926e8f87f 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3174,7 +3174,7 @@ static int iscsi_set_flashnode_param(struct iscsi_transport *transport,
+ pr_err("%s could not find host no %u\n",
+ __func__, ev->u.set_flashnode.host_no);
+ err = -ENODEV;
+- goto put_host;
++ goto exit_set_fnode;
+ }
+
+ idx = ev->u.set_flashnode.flashnode_idx;
+--
+2.25.1
+
diff --git a/queue-5.4/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch b/queue-5.4/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch
new file mode 100644
index 00000000000..fb079120972
--- /dev/null
+++ b/queue-5.4/scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch
@@ -0,0 +1,86 @@
+From 0871cfbc9bf99b054932837b01278d726c78c914 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jun 2020 14:49:54 -0700
+Subject: scsi: lpfc: Fix shost refcount mismatch when deleting vport
+
+From: Dick Kennedy
+
+[ Upstream commit 03dbfe0668e6692917ac278883e0586cd7f7d753 ]
+
+When vports are deleted, it is observed that there is memory/kthread
+leakage as the vport isn't fully being released.
+
+There is a shost reference taken in scsi_add_host_dma that is not released
+during scsi_remove_host. It was noticed that other drivers resolve this by
+doing a scsi_host_put after calling scsi_remove_host.
+
+The vport_delete routine is taking two references one that corresponds to
+an access to the scsi_host in the vport_delete routine and another that is
+released after the adapter mailbox command completes that destroys the VPI
+that corresponds to the vport.
+
+Remove one of the references taken such that the second reference that is
+put will complete the missing scsi_add_host_dma reference and the shost
+will be terminated.
+
+Link: https://lore.kernel.org/r/20200630215001.70793-8-jsmart2021@gmail.com
+Signed-off-by: Dick Kennedy
+Signed-off-by: James Smart
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_vport.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c
+index b766463579800..d0296f7cf45fc 100644
+--- a/drivers/scsi/lpfc/lpfc_vport.c
++++ b/drivers/scsi/lpfc/lpfc_vport.c
+@@ -642,27 +642,16 @@ lpfc_vport_delete(struct fc_vport *fc_vport)
+ vport->port_state < LPFC_VPORT_READY)
+ return -EAGAIN;
+ }
++
+ /*
+- * This is a bit of a mess. We want to ensure the shost doesn't get
+- * torn down until we're done with the embedded lpfc_vport structure.
+- *
+- * Beyond holding a reference for this function, we also need a
+- * reference for outstanding I/O requests we schedule during delete
+- * processing. But once we scsi_remove_host() we can no longer obtain
+- * a reference through scsi_host_get().
+- *
+- * So we take two references here. We release one reference at the
+- * bottom of the function -- after delinking the vport. And we
+- * release the other at the completion of the unreg_vpi that get's
+- * initiated after we've disposed of all other resources associated
+- * with the port.
++ * Take early refcount for outstanding I/O requests we schedule during
++ * delete processing for unreg_vpi. Always keep this before
++ * scsi_remove_host() as we can no longer obtain a reference through
++ * scsi_host_get() after scsi_host_remove as shost is set to SHOST_DEL.
+ */
+ if (!scsi_host_get(shost))
+ return VPORT_INVAL;
+- if (!scsi_host_get(shost)) {
+- scsi_host_put(shost);
+- return VPORT_INVAL;
+- }
++
+ lpfc_free_sysfs_attr(vport);
+
+ lpfc_debugfs_terminate(vport);
+@@ -809,8 +798,9 @@ skip_logo:
+ if (!(vport->vpi_state & LPFC_VPI_REGISTERED) ||
+ lpfc_mbx_unreg_vpi(vport))
+ scsi_host_put(shost);
+- } else
++ } else {
+ scsi_host_put(shost);
++ }
+
+ lpfc_free_vpi(phba, vport->vpi);
+ vport->work_port_events = 0;
+--
+2.25.1
+
diff --git a/queue-5.4/scsi-target-fix-xcopy-sess-release-leak.patch b/queue-5.4/scsi-target-fix-xcopy-sess-release-leak.patch
new file mode 100644
index 00000000000..0e426319106
--- /dev/null
+++ b/queue-5.4/scsi-target-fix-xcopy-sess-release-leak.patch
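Review bot: The replacement comment in lpfc_vport_delete() names a function that does not match the call it describes: it says `scsi_host_remove` where the surrounding text and the commit message use `scsi_remove_host()`. Since this comment is now the only record of why a single `scsi_host_get()` must precede the remove, the last line would be clearer as `scsi_host_get() after scsi_remove_host(), which sets the shost to SHOST_DEL.` It would also help to state in the comment where the matching put happens: the `skip_logo` hunk drops the reference directly only when the VPI is not registered or `lpfc_mbx_unreg_vpi()` fails, so the remaining case presumably relies on the mailbox completion, which is outside both hunks.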
@@ -0,0 +1,98 @@
+From ecd3705133fa168c1807e613593495de8fae455b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2020 20:43:18 -0500
+Subject: scsi: target: Fix xcopy sess release leak
+
+From: Mike Christie
+
+[ Upstream commit 3c006c7d23aac928279f7cbe83bbac4361255d53 ]
+
+transport_init_session can allocate memory via percpu_ref_init, and
+target_xcopy_release_pt never frees it. This adds a
+transport_uninit_session function to handle cleanup of resources allocated
+in the init function.
+
+Link: https://lore.kernel.org/r/1593654203-12442-3-git-send-email-michael.christie@oracle.com
+Signed-off-by: Mike Christie
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/target_core_internal.h | 1 +
+ drivers/target/target_core_transport.c | 7 ++++++-
+ drivers/target/target_core_xcopy.c | 11 +++++++++--
+ 3 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
+index 8533444159635..e7b3c6e5d5744 100644
+--- a/drivers/target/target_core_internal.h
++++ b/drivers/target/target_core_internal.h
+@@ -138,6 +138,7 @@ int init_se_kmem_caches(void);
+ void release_se_kmem_caches(void);
+ u32 scsi_get_new_index(scsi_index_t);
+ void transport_subsystem_check_init(void);
++void transport_uninit_session(struct se_session *);
+ unsigned char *transport_dump_cmd_direction(struct se_cmd *);
+ void transport_dump_dev_state(struct se_device *, char *, int *);
+ void transport_dump_dev_info(struct se_device *, struct se_lun *,
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index 7c78a5d02c083..b1f4be055f838 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -236,6 +236,11 @@ int transport_init_session(struct se_session *se_sess)
+ }
+ EXPORT_SYMBOL(transport_init_session);
+
++void transport_uninit_session(struct se_session *se_sess)
++{
++ percpu_ref_exit(&se_sess->cmd_count);
++}
++
+ /**
+ * transport_alloc_session - allocate a session object and initialize it
+ * @sup_prot_ops: bitmask that defines which T10-PI modes are supported.
+@@ -579,7 +584,7 @@ void transport_free_session(struct se_session *se_sess)
+ sbitmap_queue_free(&se_sess->sess_tag_pool);
+ kvfree(se_sess->sess_cmd_map);
+ }
+- percpu_ref_exit(&se_sess->cmd_count);
++ transport_uninit_session(se_sess);
+ kmem_cache_free(se_sess_cache, se_sess);
+ }
+ EXPORT_SYMBOL(transport_free_session);
+diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c
+index b9b1e92c6f8db..9d24e85b08631 100644
+--- a/drivers/target/target_core_xcopy.c
++++ b/drivers/target/target_core_xcopy.c
+@@ -479,7 +479,7 @@ int target_xcopy_setup_pt(void)
+ memset(&xcopy_pt_sess, 0, sizeof(struct se_session));
+ ret = transport_init_session(&xcopy_pt_sess);
+ if (ret < 0)
+- return ret;
++ goto destroy_wq;
+
+ xcopy_pt_nacl.se_tpg = &xcopy_pt_tpg;
+ xcopy_pt_nacl.nacl_sess = &xcopy_pt_sess;
+@@ -488,12 +488,19 @@ int target_xcopy_setup_pt(void)
+ xcopy_pt_sess.se_node_acl = &xcopy_pt_nacl;
+
+ return 0;
++
++destroy_wq:
++ destroy_workqueue(xcopy_wq);
++ xcopy_wq = NULL;
++ return ret;
+ }
+
+ void target_xcopy_release_pt(void)
+ {
+- if (xcopy_wq)
++ if (xcopy_wq) {
+ destroy_workqueue(xcopy_wq);
++ transport_uninit_session(&xcopy_pt_sess);
++ }
+ }
+
+ /*
+--
+2.25.1
+
diff --git a/queue-5.4/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch b/queue-5.4/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch
new file mode 100644
index 00000000000..bca6a57a613
--- /dev/null
+++ b/queue-5.4/scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch
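Review bot: target_xcopy_release_pt() in the target_core_xcopy.c change destroys `xcopy_wq` and uninitialises the session but leaves `xcopy_wq` pointing at the destroyed workqueue, while the new `destroy_wq` error path in target_xcopy_setup_pt() resets it to NULL. If the release function can ever run a second time (its callers are not visible here), the stale pointer would pass the `if (xcopy_wq)` guard and both the workqueue and the percpu ref would be torn down twice. Adding `xcopy_wq = NULL;` after `transport_uninit_session(&xcopy_pt_sess);` keeps the two teardown paths consistent. Separately, `transport_uninit_session()` is added without a comment next to kernel-doc'd neighbours; a short header such as `/* Undo transport_init_session(): release the cmd_count percpu ref. */` would record the pairing.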
@@ -0,0 +1,57 @@
+From d9b54c222eda3f1fd8e46854583a0f22612a0fe0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jun 2020 11:37:56 +0200
+Subject: scsi: target: tcmu: Fix crash on ARM during cmd completion
+
+From: Bodo Stroesser
+
+[ Upstream commit 5a0c256d96f020e4771f6fd5524b80f89a2d3132 ]
+
+If tcmu_handle_completions() has to process a padding shorter than
+sizeof(struct tcmu_cmd_entry), the current call to
+tcmu_flush_dcache_range() with sizeof(struct tcmu_cmd_entry) as length
+param is wrong and causes crashes on e.g. ARM, because
+tcmu_flush_dcache_range() in this case calls
+flush_dcache_page(vmalloc_to_page(start)); with start being an invalid
+address above the end of the vmalloc'ed area.
+
+The fix is to use the minimum of remaining ring space and sizeof(struct
+tcmu_cmd_entry) as the length param.
+
+The patch was tested on kernel 4.19.118.
+
+See https://bugzilla.kernel.org/show_bug.cgi?id=208045#c10
+
+Link: https://lore.kernel.org/r/20200629093756.8947-1-bstroesser@ts.fujitsu.com
+Tested-by: JiangYu
+Acked-by: Mike Christie
+Signed-off-by: Bodo Stroesser
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/target/target_core_user.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
+index d766fb14942b3..8888cdf3eead9 100644
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -1220,7 +1220,14 @@ static unsigned int tcmu_handle_completions(struct tcmu_dev *udev)
+
+ struct tcmu_cmd_entry *entry = (void *) mb + CMDR_OFF + udev->cmdr_last_cleaned;
+
+- tcmu_flush_dcache_range(entry, sizeof(*entry));
++ /*
++ * Flush max. up to end of cmd ring since current entry might
++ * be a padding that is shorter than sizeof(*entry)
++ */
++ size_t ring_left = head_to_end(udev->cmdr_last_cleaned,
++ udev->cmdr_size);
++ tcmu_flush_dcache_range(entry, ring_left < sizeof(*entry) ?
++ ring_left : sizeof(*entry));
+
+ if (tcmu_hdr_get_op(entry->hdr.len_op) == TCMU_OP_PAD) {
+ UPDATE_HEAD(udev->cmdr_last_cleaned,
+--
+2.25.1
+
diff --git a/queue-5.4/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch b/queue-5.4/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch
new file mode 100644
index 00000000000..2fcc4985d30
--- /dev/null
+++ b/queue-5.4/selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch
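Review bot: The flush length in tcmu_handle_completions() is now bounded by `ring_left`, but the very next statement still reads `entry->hdr.len_op`, so the code relies on the ring never leaving fewer bytes than the entry header at its tail. That invariant is not visible in this hunk; since the command ring is memory shared with userspace, it is worth stating in the new comment, for example by adding `(a pad entry is assumed to hold at least the header)`, or asserting it. The clamp itself is open-coded as a ternary; `tcmu_flush_dcache_range(entry, min(ring_left, sizeof(*entry)));` says the same thing on one line with the kernel's type-checked helper. The function body starts and continues outside the hunk.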
@@ -0,0 +1,204 @@
+From fada773d7279cc7f45a5b29d941a428bfd048c0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jun 2020 13:47:37 -0300
+Subject: selftests/powerpc: Purge extra count_pmc() calls of ebb selftests
+
+From: Desnes A. Nunes do Rosario
+
+[ Upstream commit 3337bf41e0dd70b4064cdf60acdfcdc2d050066c ]
+
+An extra count on ebb_state.stats.pmc_count[PMC_INDEX(pmc)] is being per-
+formed when count_pmc() is used to reset PMCs on a few selftests. This
+extra pmc_count can occasionally invalidate results, such as the ones from
+cycles_test shown hereafter. The ebb_check_count() failed with an above
+the upper limit error due to the extra value on ebb_state.stats.pmc_count.
+
+Furthermore, this extra count is also indicated by extra PMC1 trace_log on
+the output of the cycle test (as well as on pmc56_overflow_test):
+
+==========
+ ...
+ [21]: counter = 8
+ [22]: register SPRN_MMCR0 = 0x0000000080000080
+ [23]: register SPRN_PMC1 = 0x0000000080000004
+ [24]: counter = 9
+ [25]: register SPRN_MMCR0 = 0x0000000080000080
+ [26]: register SPRN_PMC1 = 0x0000000080000004
+ [27]: counter = 10
+ [28]: register SPRN_MMCR0 = 0x0000000080000080
+ [29]: register SPRN_PMC1 = 0x0000000080000004
+>> [30]: register SPRN_PMC1 = 0x000000004000051e
+PMC1 count (0x280000546) above upper limit 0x2800003e8 (+0x15e)
+[FAIL] Test FAILED on line 52
+failure: cycles
+==========
+
+Signed-off-by: Desnes A. Nunes do Rosario
+Tested-by: Sachin Sant
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20200626164737.21943-1-desnesn@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ .../selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c | 2 --
+ tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c | 2 --
+ .../selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c | 2 --
+ .../selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c | 2 --
+ tools/testing/selftests/powerpc/pmu/ebb/ebb.c | 2 --
+ .../selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c | 2 --
+ .../selftests/powerpc/pmu/ebb/lost_exception_test.c | 1 -
+ .../testing/selftests/powerpc/pmu/ebb/multi_counter_test.c | 7 -------
+ .../selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c | 2 --
+ .../testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c | 2 --
+ .../selftests/powerpc/pmu/ebb/pmc56_overflow_test.c | 2 --
+ 11 files changed, 26 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c b/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c
+index a2d7b0e3dca97..a26ac122c759f 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/back_to_back_ebbs_test.c
+@@ -91,8 +91,6 @@ int back_to_back_ebbs(void)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+-
+ dump_ebb_state();
+
+ event_close(&event);
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c
+index bc893813483ee..bb9f587fa76e8 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_test.c
+@@ -42,8 +42,6 @@ int cycles(void)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+-
+ dump_ebb_state();
+
+ event_close(&event);
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c
+index dcd351d203289..9ae795ce314e6 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_freeze_test.c
+@@ -99,8 +99,6 @@ int cycles_with_freeze(void)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+-
+ dump_ebb_state();
+
+ printf("EBBs while frozen %d\n", ebbs_while_frozen);
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c
+index 94c99c12c0f23..4b45a2e70f62b 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/cycles_with_mmcr2_test.c
+@@ -71,8 +71,6 @@ int cycles_with_mmcr2(void)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+-
+ dump_ebb_state();
+
+ event_close(&event);
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/ebb.c b/tools/testing/selftests/powerpc/pmu/ebb/ebb.c
+index dfbc5c3ad52d7..21537d6eb6b7d 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/ebb.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/ebb.c
+@@ -396,8 +396,6 @@ int ebb_child(union pipe read_pipe, union pipe write_pipe)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+-
+ dump_ebb_state();
+
+ event_close(&event);
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c b/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c
+index ca2f7d729155b..b208bf6ad58d3 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/ebb_on_willing_child_test.c
+@@ -38,8 +38,6 @@ static int victim_child(union pipe read_pipe, union pipe write_pipe)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+-
+ dump_ebb_state();
+
+ FAIL_IF(ebb_state.stats.ebb_count == 0);
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c b/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c
+index ac3e6e182614a..ba2681a12cc7b 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/lost_exception_test.c
+@@ -75,7 +75,6 @@ static int test_body(void)
+ ebb_freeze_pmcs();
+ ebb_global_disable();
+
+- count_pmc(4, sample_period);
+ mtspr(SPRN_PMC4, 0xdead);
+
+ dump_summary_ebb_state();
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c b/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c
+index b8242e9d97d2d..791d37ba327b5 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/multi_counter_test.c
+@@ -70,13 +70,6 @@ int multi_counter(void)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+- count_pmc(2, sample_period);
+- count_pmc(3, sample_period);
+- count_pmc(4, sample_period);
+- count_pmc(5, sample_period);
+- count_pmc(6, sample_period);
+-
+ dump_ebb_state();
+
+ for (i = 0; i < 6; i++)
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c b/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c
+index a05c0e18ded63..9b0f70d597020 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/multi_ebb_procs_test.c
+@@ -61,8 +61,6 @@ static int cycles_child(void)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+-
+ dump_summary_ebb_state();
+
+ event_close(&event);
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c
+index 153ebc92234fd..2904c741e04e5 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/pmae_handling_test.c
+@@ -82,8 +82,6 @@ static int test_body(void)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(1, sample_period);
+-
+ dump_ebb_state();
+
+ if (mmcr0_mismatch)
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c
+index eadad75ed7e6f..b29f8ba22d1e6 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c
+@@ -76,8 +76,6 @@ int pmc56_overflow(void)
+ ebb_global_disable();
+ ebb_freeze_pmcs();
+
+- count_pmc(2, sample_period);
+-
+ dump_ebb_state();
+
+ printf("PMC5/6 overflow %d\n", pmc56_overflowed);
+--
+2.25.1
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 63b64d1c9c0..8eee0b896c3 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -10,3 +10,50 @@ tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch net-ena-make-missed_tx-stat-incremental.patch net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch ipvlan-fix-device-features.patch +alsa-hda-hdmi-add-quirk-to-force-connectivity.patch +alsa-pci-delete-repeated-words-in-comments.patch +alsa-hda-realtek-fix-pin-default-on-intel-nuc-8-rugg.patch +alsa-hda-hdmi-use-force-connectivity-quirk-on-anothe.patch +asoc-img-fix-a-reference-count-leak-in-img_i2s_in_se.patch +asoc-img-parallel-out-fix-a-reference-count-leak.patch +asoc-tegra-fix-reference-count-leaks.patch +mfd-intel-lpss-add-intel-emmitsburg-pch-pci-ids.patch +arm64-dts-qcom-msm8916-pull-down-pdm-gpios-during-sl.patch +powerpc-xive-ignore-kmemleak-false-positives.patch +media-pci-ttpci-av7110-fix-possible-buffer-overflow-.patch +blktrace-ensure-our-debugfs-dir-exists.patch +scsi-target-tcmu-fix-crash-on-arm-during-cmd-complet.patch +mfd-intel-lpss-add-intel-tiger-lake-pch-h-pci-ids.patch +iommu-iova-don-t-bug-on-invalid-pfns.patch +drm-amdkfd-fix-reference-count-leaks.patch +drm-radeon-fix-multiple-reference-count-leak.patch +drm-amdgpu-fix-ref-count-leak-in-amdgpu_driver_open_.patch +drm-amd-display-fix-ref-count-leak-in-amdgpu_drm_ioc.patch +drm-amdgpu-fix-ref-count-leak-in-amdgpu_display_crtc.patch +drm-amdgpu-display-fix-ref-count-leak-when-pm_runtim.patch +scsi-lpfc-fix-shost-refcount-mismatch-when-deleting-.patch +xfs-don-t-allow-logging-of-xfs_istale-inodes.patch +scsi-target-fix-xcopy-sess-release-leak.patch +selftests-powerpc-purge-extra-count_pmc-calls-of-ebb.patch +f2fs-fix-error-path-in-do_recover_data.patch +omapfb-fix-multiple-reference-count-leaks-due-to-pm_.patch +pci-fix-pci_create_slot-reference-count-leak.patch +arm-dts-ls1021a-output-pps-signal-on-fiper2.patch +rtlwifi-rtl8192cu-prevent-leaking-urb.patch +mips-vdso-fix-resource-leaks-in-genvdso.c.patch +alsa-hda-add-support-for-loongson-7a1000-controller.patch 
+cec-api-prevent-leaking-memory-through-hole-in-struc.patch +hid-quirks-add-noget-quirk-for-logitech-group.patch +f2fs-fix-use-after-free-issue.patch +drm-nouveau-drm-noveau-fix-reference-count-leak-in-n.patch +drm-nouveau-fix-reference-count-leak-in-nv50_disp_at.patch +drm-nouveau-fix-reference-count-leak-in-nouveau_conn.patch +locking-lockdep-fix-overflow-in-presentation-of-aver.patch +btrfs-file-reserve-qgroup-space-after-the-hole-punch.patch +btrfs-make-btrfs_qgroup_check_reserved_leak-take-btr.patch +scsi-iscsi-do-not-put-host-in-iscsi_set_flashnode_pa.patch +ceph-fix-potential-mdsc-use-after-free-crash.patch +ceph-do-not-access-the-kiocb-after-aio-requests.patch +scsi-fcoe-memory-leak-fix-in-fcoe_sysfs_fcf_del.patch +edac-ie31200-fallback-if-host-bridge-device-is-alrea.patch +hugetlbfs-prevent-filesystem-stacking-of-hugetlbfs.patch diff --git a/queue-5.4/xfs-don-t-allow-logging-of-xfs_istale-inodes.patch b/queue-5.4/xfs-don-t-allow-logging-of-xfs_istale-inodes.patch new file mode 100644 index 00000000000..b6b5c468b10 --- /dev/null +++ b/queue-5.4/xfs-don-t-allow-logging-of-xfs_istale-inodes.patch 
@@ -0,0 +1,166 @@
+From 408ea6ceacd6053f7571d7d55013f67503cf27d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jun 2020 14:48:45 -0700
+Subject: xfs: Don't allow logging of XFS_ISTALE inodes
+
+From: Dave Chinner
+
+[ Upstream commit 96355d5a1f0ee6dcc182c37db4894ec0c29f1692 ]
+
+In tracking down a problem in this patchset, I discovered we are
+reclaiming dirty stale inodes. This wasn't discovered until inodes
+were always attached to the cluster buffer and then the rcu callback
+that freed inodes was assert failing because the inode still had an
+active pointer to the cluster buffer after it had been reclaimed.
+
+Debugging the issue indicated that this was a pre-existing issue
+resulting from the way the inodes are handled in xfs_inactive_ifree.
+When we free a cluster buffer from xfs_ifree_cluster, all the inodes
+in cache are marked XFS_ISTALE. Those that are clean have nothing
+else done to them and so eventually get cleaned up by background
+reclaim. i.e. it is assumed we'll never dirty/relog an inode marked
+XFS_ISTALE.
+
+On journal commit dirty stale inodes as are handled by both
+buffer and inode log items to run though xfs_istale_done() and
+removed from the AIL (buffer log item commit) or the log item will
+simply unpin it because the buffer log item will clean it. What happens
+to any specific inode is entirely dependent on which log item wins
+the commit race, but the result is the same - stale inodes are
+clean, not attached to the cluster buffer, and not in the AIL. Hence
+inode reclaim can just free these inodes without further care.
+
+However, if the stale inode is relogged, it gets dirtied again and
+relogged into the CIL. Most of the time this isn't an issue, because
+relogging simply changes the inode's location in the current
+checkpoint. Problems arise, however, when the CIL checkpoints
+between two transactions in the xfs_inactive_ifree() deferops
+processing. This results in the XFS_ISTALE inode being redirtied
+and inserted into the CIL without any of the other stale cluster
+buffer infrastructure being in place.
+
+Hence on journal commit, it simply gets unpinned, so it remains
+dirty in memory. Everything in inode writeback avoids XFS_ISTALE
+inodes so it can't be written back, and it is not tracked in the AIL
+so there's not even a trigger to attempt to clean the inode. Hence
+the inode just sits dirty in memory until inode reclaim comes along,
+sees that it is XFS_ISTALE, and goes to reclaim it. This reclaiming
+of a dirty inode caused use after free, list corruptions and other
+nasty issues later in this patchset.
+
+Hence this patch addresses a violation of the "never log XFS_ISTALE
+inodes" caused by the deferops processing rolling a transaction
+and relogging a stale inode in xfs_inactive_free. It also adds a
+bunch of asserts to catch this problem in debug kernels so that
+we don't reintroduce this problem in future.
+
+Reproducer for this issue was generic/558 on a v4 filesystem.
+
+Signed-off-by: Dave Chinner
+Reviewed-by: Brian Foster
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/libxfs/xfs_trans_inode.c | 2 ++
+ fs/xfs/xfs_icache.c | 3 ++-
+ fs/xfs/xfs_inode.c | 25 ++++++++++++++++++++++---
+ 3 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_trans_inode.c b/fs/xfs/libxfs/xfs_trans_inode.c
+index a9ad90926b873..6c7354abd0aea 100644
+--- a/fs/xfs/libxfs/xfs_trans_inode.c
++++ b/fs/xfs/libxfs/xfs_trans_inode.c
+@@ -36,6 +36,7 @@ xfs_trans_ijoin(
+
+ ASSERT(iip->ili_lock_flags == 0);
+ iip->ili_lock_flags = lock_flags;
++ ASSERT(!xfs_iflags_test(ip, XFS_ISTALE));
+
+ /*
+ * Get a log_item_desc to point at the new item.
+@@ -91,6 +92,7 @@ xfs_trans_log_inode(
+
+ ASSERT(ip->i_itemp != NULL);
+ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
++ ASSERT(!xfs_iflags_test(ip, XFS_ISTALE));
+
+ /*
+ * Don't bother with i_lock for the I_DIRTY_TIME check here, as races
+diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
+index d95dc9b0f0bba..a1135b86e79f9 100644
+--- a/fs/xfs/xfs_icache.c
++++ b/fs/xfs/xfs_icache.c
+@@ -1132,7 +1132,7 @@ restart:
+ goto out_ifunlock;
+ xfs_iunpin_wait(ip);
+ }
+- if (xfs_iflags_test(ip, XFS_ISTALE) || xfs_inode_clean(ip)) {
++ if (xfs_inode_clean(ip)) {
+ xfs_ifunlock(ip);
+ goto reclaim;
+ }
+@@ -1219,6 +1219,7 @@ reclaim:
+ xfs_ilock(ip, XFS_ILOCK_EXCL);
+ xfs_qm_dqdetach(ip);
+ xfs_iunlock(ip, XFS_ILOCK_EXCL);
++ ASSERT(xfs_inode_clean(ip));
+
+ __xfs_inode_free(ip);
+ return error;
+diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
+index 18f4b262e61ce..b339ff93df997 100644
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -1761,10 +1761,31 @@ xfs_inactive_ifree(
+ return error;
+ }
+
++ /*
++ * We do not hold the inode locked across the entire rolling transaction
++ * here. We only need to hold it for the first transaction that
++ * xfs_ifree() builds, which may mark the inode XFS_ISTALE if the
++ * underlying cluster buffer is freed. Relogging an XFS_ISTALE inode
++ * here breaks the relationship between cluster buffer invalidation and
++ * stale inode invalidation on cluster buffer item journal commit
++ * completion, and can result in leaving dirty stale inodes hanging
++ * around in memory.
++ *
++ * We have no need for serialising this inode operation against other
++ * operations - we freed the inode and hence reallocation is required
++ * and that will serialise on reallocating the space the deferops need
++ * to free. Hence we can unlock the inode on the first commit of
++ * the transaction rather than roll it right through the deferops. This
++ * avoids relogging the XFS_ISTALE inode.
++ *
++ * We check that xfs_ifree() hasn't grown an internal transaction roll
++ * by asserting that the inode is still locked when it returns.
++ */
+ xfs_ilock(ip, XFS_ILOCK_EXCL);
+- xfs_trans_ijoin(tp, ip, 0);
++ xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
+
+ error = xfs_ifree(tp, ip);
++ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
+ if (error) {
+ /*
+ * If we fail to free the inode, shut down. The cancel
+@@ -1777,7 +1798,6 @@ xfs_inactive_ifree(
+ xfs_force_shutdown(mp, SHUTDOWN_META_IO_ERROR);
+ }
+ xfs_trans_cancel(tp);
+- xfs_iunlock(ip, XFS_ILOCK_EXCL);
+ return error;
+ }
+
+@@ -1795,7 +1815,6 @@ xfs_inactive_ifree(
+ xfs_notice(mp, "%s: xfs_trans_commit returned error %d",
+ __func__, error);
+
+- xfs_iunlock(ip, XFS_ILOCK_EXCL);
+ return 0;
+ }
+
+-- 
+2.25.1
+
-- 
2.47.2
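Review bot: In the fs/xfs/xfs_icache.c hunk at `restart:`, dropping the `xfs_iflags_test(ip, XFS_ISTALE)` test means a dirty stale inode no longer jumps to `reclaim` but falls through into the code after this `if`, which lies outside the hunk. The only checks that this cannot happen are the new `ASSERT()` lines, and the commit message says they are meant to catch the problem in debug kernels, so a production build would presumably take the fall-through path without any signal. For the 5.4 backport it is worth confirming that the code following this test in this tree tolerates an XFS_ISTALE inode on non-debug builds. The invariant should also be recorded above the test, for example `/* XFS_ISTALE inodes are never relogged, so they must already be clean here. */`.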